def test_raise_exception_with_user_not_admin_with_keystone_v2(self, m):
        # Given
        response_with_v2 = {
            "access": {
                "token": {
                    "expires": "2016-02-10T11:16:56Z",
                    "id": "7cd3b96409ef497587c98c8c5f596b8d"
                },
                "user": {
                    "username":
                    "******",
                    "roles": [{
                        "id": "8d27cbfdaf3845b8a5cfc349f0b52bac",
                        "name": "owner"
                    }, {
                        "is_default": True,
                        "id": "a6c6f50bc3ff438ab311a9063610d383",
                        "name": "other"
                    }],
                }
            }
        }

        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V2)

        m.get('http://fake_url/tokens/token', json=response_with_v2)

        try:
            # When
            auth.get_info_token(admin_token='admin_token', token='token')
        except Exception as exception:
            # Then
            self.assertEqual('Role is not admin', exception.args[0])
    def __init__(self):
        """
        Contructor of the class region
        """
        # Get the region list
        # GET http://cloud.lab.fiware.org:4730/v3/OS-EP-FILTER/endpoint_groups

        if not self.regions:
            keystone_url = KEYSTONE_URL + '/' + AUTH_API_V2

            a = AuthorizationManager(identity_url=keystone_url, api_version=AUTH_API_V2)

            # Get the Admin token to validate the access_token
            adm_token = a.get_auth_token(username=ADM_USER, password=ADM_PASS, tenant_id=ADM_TENANT_ID,
                                         tenant_name=ADM_TENANT_NAME,
                                         user_domain_name=USER_DOMAIN_NAME)

            s = requests.Session()
            s.headers.update({X_AUTH_TOKEN_HEADER: adm_token})

            keystone_url = KEYSTONE_URL + '/' + AUTH_API_V3 + '/' + REGION_LIST_API_V3
            response = s.get(keystone_url)

            r = json.loads(response.text)

            endpoint_groups = r['endpoint_groups']

            for i in range(0, len(endpoint_groups)):
                # If the specific endpoint_groups has not a filters, it is not a correct
                # region and we discard it.
                region_filter = endpoint_groups[i]['filters']
                if region_filter and 'region_id' in region_filter:
                    self.regions.append(region_filter['region_id'])

            logger_api.debug(self.regions)
    def test_raise_exception_with_user_not_admin_with_keystone_v3(self, m):
        # Given
        response_with_v3 = {
            "token": {
                "roles": [
                    {
                        "id": "8d2767fdak5k45b8a5cfc349f0b52bac",
                        "name": "owner"
                    },
                    {
                        "id": "a6c6f50bc3kkk38ab311a9063610d383",
                        "name": "other"
                    }
                ],
                "expires_at": "2016-02-10T11:16:56.000000Z",
                "project": {
                    "id": "00000000000000000000960090160000", "name": "admin"
                },
                "user": {
                    "id": "5a919b072cac4b02917e785f1898826e", "name": "admin"
                },
                "issued_at": "2016-02-09T11:16:56.440835"
            }
        }

        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V3)

        m.get('http://fake_url/auth/tokens/', json=response_with_v3)

        try:
            # When
            auth.get_info_token(admin_token='admin_token', token=self.idExpected)
        except Exception as exception:
            # Then
            self.assertEqual('Role is not admin', exception.args[0])
 def test_is_admin_should_return_false_with_empty_roles(self, m):
     # Given
     auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V2)
     roles_list = None
     # When
     result = auth._is_admin(roles_list)
     # Then
     self.assertFalse(result)
 def test_is_admin_should_return_false_with_empty_roles(self, m):
     # Given
     auth = AuthorizationManager(identity_url='http://fake_url',
                                 api_version=AUTH_API_V2)
     roles_list = None
     # When
     result = auth._is_admin(roles_list)
     # Then
     self.assertFalse(result)
    def test_check_token_without_token(self, m):
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V2)

        m.get('http://fake_url/tokens/token', json=self.validate_info_v2)

        try:
            auth.check_token(admin_token='admin_token', token=None)
            self.assertFalse(False)
        except Unauthorized as e:
            self.assertEquals(e.message, "Token is empty", 'The expected auth token is not the same')
    def test_is_admin_should_return_true_with_admin_user(self, m):
        # Given
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V2)
        roles_list = [
            {u'id': u'8d27cbfdaf3845b8a5cfc349f0b52bac', u'name': u'owner'},
            {u'is_default': True, u'id': u'a6c6f50bc3ff438ab311a9063610d383', u'name': u'admin'}]

        # When
        result = auth._is_admin(roles_list)
        # Then
        self.assertTrue(result)
    def test_check_token_without_token(self, m):
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V2)

        m.get('http://fake_url/tokens/token', json=self.validate_info_v2)

        try:
            auth.check_token(admin_token='admin_token', token=None)
            self.assertFalse(False)
        except Unauthorized as e:
            self.assertEquals(e.message, "Token is empty",
                              'The expected auth token is not the same')
    def test_check_token_and_raise_general_exception(self, m, get_info_token_mock):
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V2)

        get_info_token_mock.side_effect = Exception("error message")
        m.get('http://fake_url/tokens/token', json=self.validate_info_v2)

        try:
            auth.check_token(admin_token='admin_token', token='token')
            self.assertFalse(True)
        except Exception as e:
            self.assertEquals(e.message, "error message")
        finally:
            self.assertTrue(get_info_token_mock.called)
            get_info_token_mock.reset_mock()
    def test_check_token_and_raise_general_exception(self, m,
                                                     get_info_token_mock):
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V2)

        get_info_token_mock.side_effect = Exception("error message")
        m.get('http://fake_url/tokens/token', json=self.validate_info_v2)

        try:
            auth.check_token(admin_token='admin_token', token='token')
            self.assertFalse(True)
        except Exception as e:
            self.assertEquals(e.message, "error message")
        finally:
            self.assertTrue(get_info_token_mock.called)
            get_info_token_mock.reset_mock()
    def test_error_from_keystone_v3(self, m):
        """
        Test the procedure to request a wrong information to Kesyone v3.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V3)

        m.get('http://fake_url/auth/tokens/', status_code=404)

        try:
            auth.get_info_token(admin_token='admin_token', token='token')
        except AuthorizationFailure as e:
            result = (e.message == 'Cannot authorize API client.' or e.message.status_code == 404)
            self.assertTrue(result, 'The expected error message is not the same')
def validate_token(access_token):
    """
    Verifies that an access-token is valid and meant for this app.

    :param access_token: Access token to be checked in keystone server.
    :return: None on fail, and an e-mail on success
    """

    # Send a request to validate a token
    try:
        keystone_url = build_keystone_url()

        authorization_manager = AuthorizationManager(identity_url=keystone_url,
                                                     api_version=AUTH_API_V2)

        return check_user_token(authorization_manager, access_token)

    except Exception as exception:
        try:
            message = json.loads(exception.args[0])['error']['message']
            if message == 'The request you have made requires authentication.':
                AuthorizationManager.auth_token = None
                return check_user_token(authorization_manager, access_token)
            raise exception
        except:
            raise exception
    def test_is_admin_should_return_true_with_admin_user(self, m):
        # Given
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V2)
        roles_list = [{
            u'id': u'8d27cbfdaf3845b8a5cfc349f0b52bac',
            u'name': u'owner'
        }, {
            u'is_default': True,
            u'id': u'a6c6f50bc3ff438ab311a9063610d383',
            u'name': u'admin'
        }]

        # When
        result = auth._is_admin(roles_list)
        # Then
        self.assertTrue(result)
    def test_get_auth_token_from_keystone_v2(self, m):
        """
        Check the obtention of a authorized token with v2.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V2)

        # Make sure that there is no auth token
        AuthorizationManager.auth_token = None

        m.post('http://fake_url/tokens', json=self.validate_info_v2)

        auth_token = auth.get_auth_token(username='******', password='******', tenant_id='fake tenant')

        self.assertEquals(auth_token, self.idExpected, 'The expected auth token is not the same')
    def test_check_token(self, m):
        """
        Test the operation to check is a token is valid or not.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V2)

        m.get('http://fake_url/tokens/token', json=self.validate_info_v2)

        tokenExpected = auth.check_token(admin_token='admin_token', token='token')

        self.assertEquals(tokenExpected.expires, self.expiredExpectedv2, 'The expired time expected is not the same')
        self.assertEquals(tokenExpected.id, self.idExpected, 'The token id expected is not the same')
        self.assertEquals(tokenExpected.username, self.usernameExpected, 'The username expected is not the same')
        self.assertEquals(tokenExpected.tenant, self.tenantExpectedv2, 'The tenant expected is not the same')
    def test_receive_correct_data_from_keystone_v3(self, m):
        """
        Test the procedure to read information from catalog and extract the
        correct information from keystone v3.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V3)

        m.get('http://fake_url/auth/tokens/', json=self.validate_info_v3)

        tokenExpected = auth.get_info_token(admin_token='admin_token', token=self.idExpected)

        self.assertEquals(tokenExpected.expires, self.expiredExpectedv3, 'The expired time expected is not the same')
        self.assertEquals(tokenExpected.id, self.idExpected, 'The token id expected is not the same')
        self.assertEquals(tokenExpected.username, self.usernameExpected, 'The username expected is not the same')
        self.assertEquals(tokenExpected.tenant, self.tenantExpectedv3, 'The tenant expected is not the same')
    def test_check_token_and_raise_internal_server_error(self, m, get_info_token_mock):
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V2)

        get_info_token_mock.side_effect = InternalServerError("internal server message")
        m.get('http://fake_url/tokens/token', json=self.validate_info_v2)

        try:
            auth.check_token(admin_token='admin_token', token='token')
            self.assertFalse(True)
        except AuthorizationFailure as e:
            result = (e.message == 'Cannot authorize API client.' or
                      e.message == 'Token could not have enough permissions to access tenant')

            self.assertTrue(result, 'The expected error message is not the same')

        finally:
            self.assertTrue(get_info_token_mock.called)
            get_info_token_mock.reset_mock()
    def test_error_from_keystone_v3(self, m):
        """
        Test the procedure to request a wrong information to Kesyone v3.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V3)

        m.get('http://fake_url/auth/tokens/', status_code=404)

        try:
            auth.get_info_token(admin_token='admin_token', token='token')
        except AuthorizationFailure as e:
            result = (e.message == 'Cannot authorize API client.'
                      or e.message.status_code == 404)
            self.assertTrue(result,
                            'The expected error message is not the same')
    def test_get_auth_token_from_keystone_v3_without_header(self, m):
        """
        Check the obtention of a authorized token with v3.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V3)

        # Make sure that there is no auth token
        AuthorizationManager.auth_token = None

        m.post('http://fake_url/auth/tokens', json=self.validate_info_v3)

        try:
            auth.get_auth_token(username='******', password='******', tenant_id='fake tenant',
                                user_domain_name="Default")
        except KeyError as e:
            self.assertEquals(e.message, "x-subject-token", 'The missing header is not the expected one.')
    def test_get_auth_token_from_keystone_v2(self, m):
        """
        Check the obtention of a authorized token with v2.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V2)

        # Make sure that there is no auth token
        AuthorizationManager.auth_token = None

        m.post('http://fake_url/tokens', json=self.validate_info_v2)

        auth_token = auth.get_auth_token(username='******',
                                         password='******',
                                         tenant_id='fake tenant')

        self.assertEquals(auth_token, self.idExpected,
                          'The expected auth token is not the same')
    def __init__(self):
        """
        Contructor of the class region
        """
        # Get the region list
        # GET http://cloud.lab.fiware.org:4730/v3/OS-EP-FILTER/endpoint_groups

        if not self.regions:
            keystone_url = KEYSTONE_URL + '/' + AUTH_API_V2

            a = AuthorizationManager(identity_url=keystone_url,
                                     api_version=AUTH_API_V2)

            # Get the Admin token to validate the access_token
            adm_token = a.get_auth_token(username=ADM_USER,
                                         password=ADM_PASS,
                                         tenant_id=ADM_TENANT_ID,
                                         tenant_name=ADM_TENANT_NAME,
                                         user_domain_name=USER_DOMAIN_NAME)

            s = requests.Session()
            s.headers.update({X_AUTH_TOKEN_HEADER: adm_token})

            keystone_url = KEYSTONE_URL + '/' + AUTH_API_V3 + '/' + REGION_LIST_API_V3
            response = s.get(keystone_url)

            r = json.loads(response.text)

            endpoint_groups = r['endpoint_groups']

            for i in range(0, len(endpoint_groups)):
                # If the specific endpoint_groups has not a filters, it is not a correct
                # region and we discard it.
                region_filter = endpoint_groups[i]['filters']
                if region_filter and 'region_id' in region_filter:
                    self.regions.append(region_filter['region_id'])

            logger_api.debug(self.regions)
    def test_raise_exception_with_user_not_admin_with_keystone_v3(self, m):
        # Given
        response_with_v3 = {
            "token": {
                "roles": [{
                    "id": "8d2767fdak5k45b8a5cfc349f0b52bac",
                    "name": "owner"
                }, {
                    "id": "a6c6f50bc3kkk38ab311a9063610d383",
                    "name": "other"
                }],
                "expires_at":
                "2016-02-10T11:16:56.000000Z",
                "project": {
                    "id": "00000000000000000000960090160000",
                    "name": "admin"
                },
                "user": {
                    "id": "5a919b072cac4b02917e785f1898826e",
                    "name": "admin"
                },
                "issued_at":
                "2016-02-09T11:16:56.440835"
            }
        }

        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V3)

        m.get('http://fake_url/auth/tokens/', json=response_with_v3)

        try:
            # When
            auth.get_info_token(admin_token='admin_token',
                                token=self.idExpected)
        except Exception as exception:
            # Then
            self.assertEqual('Role is not admin', exception.args[0])
    def test_check_creation_with_any_api(self, m):
        """
        Check that we create an object with keystone API fake and catch the exception.

        :param m: Request mock decorator.
        :return: Nothing
        """
        try:
            AuthorizationManager(identity_url='fake_url',
                                 api_version='fake_version')
        except ValueError as e:
            expected_message = 'The allowed values for api version are v2.0 or v3'
            self.assertEqual(e.message, expected_message,
                             'The exception message is not the expected one')
    def test_check_creation_with_v2_api(self, m):
        """
        Check that we create an object with keystone API v2.0.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='fake_url',
                                    api_version=AUTH_API_V2)

        self.assertEqual(auth.api_version, AUTH_API_V2,
                         'The Authentication API version is not v2')
        self.assertEqual(auth.identity_url, 'fake_url',
                         'The URL of the Keystone is not the expected')
    def test_get_auth_token_from_keystone_v3_without_header(self, m):
        """
        Check the obtention of a authorized token with v3.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V3)

        # Make sure that there is no auth token
        AuthorizationManager.auth_token = None

        m.post('http://fake_url/auth/tokens', json=self.validate_info_v3)

        try:
            auth.get_auth_token(username='******',
                                password='******',
                                tenant_id='fake tenant',
                                user_domain_name="Default")
        except KeyError as e:
            self.assertEquals(e.message, "x-subject-token",
                              'The missing header is not the expected one.')
    def test_check_token_and_raise_internal_server_error(
            self, m, get_info_token_mock):
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V2)

        get_info_token_mock.side_effect = InternalServerError(
            "internal server message")
        m.get('http://fake_url/tokens/token', json=self.validate_info_v2)

        try:
            auth.check_token(admin_token='admin_token', token='token')
            self.assertFalse(True)
        except AuthorizationFailure as e:
            result = (
                e.message == 'Cannot authorize API client.' or e.message
                == 'Token could not have enough permissions to access tenant')

            self.assertTrue(result,
                            'The expected error message is not the same')

        finally:
            self.assertTrue(get_info_token_mock.called)
            get_info_token_mock.reset_mock()
    def test_check_token(self, m):
        """
        Test the operation to check is a token is valid or not.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V2)

        m.get('http://fake_url/tokens/token', json=self.validate_info_v2)

        tokenExpected = auth.check_token(admin_token='admin_token',
                                         token='token')

        self.assertEquals(tokenExpected.expires, self.expiredExpectedv2,
                          'The expired time expected is not the same')
        self.assertEquals(tokenExpected.id, self.idExpected,
                          'The token id expected is not the same')
        self.assertEquals(tokenExpected.username, self.usernameExpected,
                          'The username expected is not the same')
        self.assertEquals(tokenExpected.tenant, self.tenantExpectedv2,
                          'The tenant expected is not the same')
    def test_raise_exception_with_user_not_admin_with_keystone_v2(self, m):
        # Given
        response_with_v2 = {
            "access": {
                "token": {
                    "expires": "2016-02-10T11:16:56Z",
                    "id": "7cd3b96409ef497587c98c8c5f596b8d"
                },
                "user": {
                    "username": "******",
                    "roles": [
                        {
                            "id": "8d27cbfdaf3845b8a5cfc349f0b52bac",
                            "name": "owner"
                        },
                        {
                            "is_default": True,
                            "id": "a6c6f50bc3ff438ab311a9063610d383",
                            "name": "other"
                        }
                    ],

                }
            }
        }

        auth = AuthorizationManager(identity_url='http://fake_url', api_version=AUTH_API_V2)

        m.get('http://fake_url/tokens/token', json=response_with_v2)

        try:
            # When
            auth.get_info_token(admin_token='admin_token', token='token')
        except Exception as exception:
            # Then
            self.assertEqual('Role is not admin', exception.args[0])
    def test_receive_correct_data_from_keystone_v3(self, m):
        """
        Test the procedure to read information from catalog and extract the
        correct information from keystone v3.

        :param m: Request mock decorator.
        :return: Nothing
        """
        auth = AuthorizationManager(identity_url='http://fake_url',
                                    api_version=AUTH_API_V3)

        m.get('http://fake_url/auth/tokens/', json=self.validate_info_v3)

        tokenExpected = auth.get_info_token(admin_token='admin_token',
                                            token=self.idExpected)

        self.assertEquals(tokenExpected.expires, self.expiredExpectedv3,
                          'The expired time expected is not the same')
        self.assertEquals(tokenExpected.id, self.idExpected,
                          'The token id expected is not the same')
        self.assertEquals(tokenExpected.username, self.usernameExpected,
                          'The username expected is not the same')
        self.assertEquals(tokenExpected.tenant, self.tenantExpectedv3,
                          'The tenant expected is not the same')