def add_token_data(self, token_id=None, expires=None,
user_id=None, user_name=None,
user_domain_id=None, user_domain_name=None,
project_id=None, project_name=None,
project_domain_id=None, project_domain_name=None,
role_list=None, is_v2=False):
"""Add token data to the auth_token fixture."""
if not token_id:
token_id = uuid.uuid4().hex
if not role_list:
role_list = []
if is_v2:
token = client_fixtures.V2Token(
token_id=token_id, expires=expires, tenant_id=project_id,
tenant_name=project_name, user_id=user_id, user_name=user_name)
else:
token = client_fixtures.V3Token(
expires=expires, user_id=user_id, user_name=user_name,
user_domain_id=user_domain_id, project_id=project_id,
project_name=project_name,
project_domain_id=project_domain_id,
user_domain_name=user_domain_name,
project_domain_name=project_domain_name)
for role in role_list:
token.add_role(name=role)
self.add_token(token, token_id=token_id)
def fake_auth_ref(fake_token, fake_service=None):
"""Create an auth_ref using keystoneauth's fixtures"""
token_copy = copy.deepcopy(fake_token)
token_id = token_copy.pop('id')
token = fixture.V3Token(**token_copy)
# An auth_ref is actually an access info object
auth_ref = access.create(
body=token,
auth_token=token_id,
)
# Create a service catalog
if fake_service:
service = token.add_service(
fake_service['type'],
fake_service['name'],
)
# TODO(dtroyer): Add an 'id' element to KSA's _Service fixure
service['id'] = fake_service['id']
for e in fake_service['endpoints']:
region = e.get('region_id') or e.get('region', '<none>')
service.add_endpoint(
e['interface'],
e['url'],
region=region,
)
return auth_ref
def mock_auth_success(self,
token_id=None,
token_body=None,
method='POST',
url=test_utils.TestCase.TEST_ROOT_URL +
'v3/auth/tokens'):
if not token_id:
token_id = uuid.uuid4().hex
if not token_body:
token_body = ks_fixture.V3Token()
response_list = [{
'text': 'Fail',
'status_code': 401,
'headers': {
'WWW-Authenticate': 'Negotiate'
}
}, {
'headers': {
'X-Subject-Token': token_id,
'Content-Type': 'application/json',
'WWW-Authenticate': self.pass_header
},
'status_code': 200,
'json': token_body
}]
self.requests_mock.register_uri(method,
url,
response_list=response_list)
return token_id, token_body
def register_keystone_v3_token_fixture(self, request_mocker):
v3_token = ks_fixture.V3Token()
service = v3_token.add_service('baremetal')
service.add_standard_endpoints(public='http://ironic.example.com')
request_mocker.post('%s/auth/tokens' % V3_URL,
json=v3_token,
headers={'X-Subject-Token': uuid.uuid4().hex})
def test_workflow(self):
token_id = uuid.uuid4().hex
token = ksa_fixtures.V3Token()
self.requests_mock.get(self.default_sp_url, response_list=[
dict(headers=PAOS_HEADER,
content=utils.make_oneline(saml2_fixtures.SP_SOAP_RESPONSE)),
dict(headers={'X-Subject-Token': token_id}, json=token)
])
authm = self.requests_mock.post(self.TEST_IDP_URL,
content=saml2_fixtures.SAML2_ASSERTION)
self.requests_mock.post(
self.TEST_CONSUMER_URL,
status_code=302,
headers={'Location': self.sp_url()})
auth_ref = self.get_plugin().get_auth_ref(self.session)
self.assertEqual(token_id, auth_ref.auth_token)
self.assertEqual(self.calls, [self.default_sp_url,
self.TEST_IDP_URL,
self.TEST_CONSUMER_URL,
self.default_sp_url])
self.assertEqual(self.basic_header(),
authm.last_request.headers['Authorization'])
authn_request = self.requests_mock.request_history[1].text
self.assertThat(saml2_fixtures.AUTHN_REQUEST,
matchers.XMLEquals(authn_request))
def test_project_as_domain_scoped(self):
project_id = uuid.uuid4().hex
project_name = uuid.uuid4().hex
project_domain_id = uuid.uuid4().hex
project_domain_name = uuid.uuid4().hex
project_is_domain = True
token = fixture.V3Token(project_id=project_id,
project_name=project_name,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name,
project_is_domain=project_is_domain)
self.assertEqual(project_id, token.project_id)
self.assertEqual(project_id, token['token']['project']['id'])
self.assertEqual(project_name, token.project_name)
self.assertEqual(project_name, token['token']['project']['name'])
self.assertEqual(project_is_domain, token['token']['is_domain'])
project_domain = token['token']['project']['domain']
self.assertEqual(project_domain_id, token.project_domain_id)
self.assertEqual(project_domain_id, project_domain['id'])
self.assertEqual(project_domain_name, token.project_domain_name)
self.assertEqual(project_domain_name, project_domain['name'])
def setUp(self):
super(V3FederatedPlugin, self).setUp()
self.unscoped_token = fixture.V3Token()
self.unscoped_token_id = uuid.uuid4().hex
self.scoped_token = copy.deepcopy(self.unscoped_token)
self.scoped_token.set_project_scope()
self.scoped_token.methods.insertLast('token')
self.scoped_token_id = uuid.uuid4().hex
s = self.scoped_token.add_service('compute', name='nova')
s.add_standard_endpoints(public='http://nova/public',
admin='http://nova/admin',
internal='http://nova/internal')
self.idp = uuid.uuid4().hex
self.protocol = uuid.uuid4().hex
self.token_url = ('%s/OS-FEDERATION/identity_providers/%s/protocols/%s'
'/auth' % (self.AUTH_URL, self.idp, self.protocol))
headers = {'X-Subject-Token': self.unscoped_token_id}
self.unscoped_mock = self.requests_mock.post(self.token_url,
json=self.unscoped_token,
headers=headers)
headers = {'X-Subject-Token': self.scoped_token_id}
auth_url = self.AUTH_URL + '/auth/tokens'
self.scoped_mock = self.requests_mock.post(auth_url,
json=self.scoped_token,
headers=headers)
def _plugin(self, **kwargs):
token = fixture.V3Token()
s = token.add_service('identity')
s.add_standard_endpoints(public=self.TEST_ROOT_URL)
auth_ref = access.create(body=token, auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(auth_ref, **kwargs)
def test_catalog(self):
service_type = uuid.uuid4().hex
service_name = uuid.uuid4().hex
service_id = uuid.uuid4().hex
region = uuid.uuid4().hex
endpoints = {'public': uuid.uuid4().hex,
'internal': uuid.uuid4().hex,
'admin': uuid.uuid4().hex}
token = fixture.V3Token()
svc = token.add_service(type=service_type,
name=service_name,
id=service_id)
svc.add_standard_endpoints(region=region, **endpoints)
self.assertEqual(1, len(token['token']['catalog']))
service = token['token']['catalog'][0]
self.assertEqual(3, len(service['endpoints']))
self.assertEqual(service_name, service['name'])
self.assertEqual(service_type, service['type'])
self.assertEqual(service_id, service['id'])
for endpoint in service['endpoints']:
# assert an id exists for each endpoint, remove it to make testing
# the endpoint content below easier.
self.assertTrue(endpoint.pop('id'))
for interface, url in endpoints.items():
endpoint = {'interface': interface, 'url': url,
'region': region, 'region_id': region}
self.assertIn(endpoint, service['endpoints'])
token.remove_service(type=service_type)
self.assertEqual(0, len(token['token']['catalog']))
def setUp(self):
super(V3UserPluginTests, self).setUp()
self.service_token_id = uuid.uuid4().hex
self.service_token = fixture.V3Token()
s = self.service_token.add_service('identity', name='keystone')
s.add_standard_endpoints(public=BASE_URI,
admin=BASE_URI,
internal=BASE_URI)
self.configure_middleware(auth_type='v3password',
auth_url='%s/v3/' % AUTH_URL,
user_id=self.service_token.user_id,
password=uuid.uuid4().hex,
project_id=self.service_token.project_id)
auth_discovery = fixture.DiscoveryList(href=AUTH_URL)
self.requests_mock.get(AUTH_URL, json=auth_discovery)
base_discovery = fixture.DiscoveryList(href=BASE_URI)
self.requests_mock.get(BASE_URI, json=base_discovery)
self.requests_mock.post(
'%s/v3/auth/tokens' % AUTH_URL,
headers={'X-Subject-Token': self.service_token_id},
json=self.service_token)
def test_password_change_auth_state(self):
self.stub_auth(json=self.TEST_RESPONSE_DICT)
expired = ksa_utils.before_utcnow(days=2)
token = fixture.V3Token(expires=expired)
token_id = uuid.uuid4().hex
state = json.dumps({'auth_token': token_id, 'body': token})
a = v3.Password(self.TEST_URL,
username=self.TEST_USER,
password=self.TEST_PASS,
user_domain_id=self.TEST_DOMAIN_ID,
project_id=uuid.uuid4().hex)
initial_cache_id = a.get_cache_id()
self.assertIsNone(a.get_auth_state())
a.set_auth_state(state)
self.assertEqual(token_id, a.auth_ref.auth_token)
s = session.Session()
self.assertEqual(self.TEST_TOKEN, a.get_token(s)) # updates expired
self.assertEqual(initial_cache_id, a.get_cache_id())
def test_authenticate_with_mutual_authentication_required(self):
self.kerberos_mock.mock_auth_success(url=self.token_url, method='GET')
scoped_id = uuid.uuid4().hex
scoped_body = ks_fixture.V3Token()
scoped_body.set_project_scope()
self.requests_mock.post('%s/auth/tokens' % self.TEST_V3_URL,
json=scoped_body,
headers={
'X-Subject-Token': scoped_id,
'Content-Type': 'application/json'
})
plugin = kerberos.MappedKerberos(
auth_url=self.TEST_V3_URL,
protocol=self.protocol,
identity_provider=self.identity_provider,
project_id=scoped_body.project_id,
mutual_auth='required')
sess = session.Session()
tok = plugin.get_token(sess)
proj = plugin.get_project_id(sess)
self.assertEqual(scoped_id, tok)
self.assertEqual(scoped_body.project_id, proj)
self.assertEqual(self.kerberos_mock.called_auth_server, True)
def test_good_v3_user_token(self):
t = fixture.V3Token()
t.set_project_scope()
role = t.add_role()
token_id = uuid.uuid4().hex
token_dict = {token_id: t}
@webob.dec.wsgify
def _do_cb(req):
self.assertEqual(token_id, req.headers['X-Auth-Token'].strip())
self.assertEqual('Confirmed', req.headers['X-Identity-Status'])
self.assertNotIn('X-Service-Token', req.headers)
p = req.environ['keystone.token_auth']
self.assertTrue(p.has_user_token)
self.assertFalse(p.has_service_token)
self.assertEqual(t.project_id, p.user.project_id)
self.assertEqual(t.project_domain_id, p.user.project_domain_id)
self.assertEqual(t.user_id, p.user.user_id)
self.assertEqual(t.user_domain_id, p.user.user_domain_id)
self.assertIn(role['name'], p.user.role_names)
return webob.Response()
m = FetchingMiddleware(_do_cb, token_dict)
self.call(m, headers={'X-Auth-Token': token_id})
# also try with whitespace in the token
self.call(m, headers={'X-Auth-Token': token_id + ' '})
self.call(m, headers={'X-Auth-Token': token_id + '\r'})
def test_will_expire_soon(self):
expires = timeutils.utcnow() + datetime.timedelta(minutes=5)
token = fixture.V3Token(expires=expires)
auth_ref = access.create(body=token)
self.assertFalse(auth_ref.will_expire_soon(stale_duration=120))
self.assertTrue(auth_ref.will_expire_soon(stale_duration=301))
self.assertFalse(auth_ref.will_expire_soon())
def test_multi_region(self):
token = fixture.V3Token()
s = token.add_service(type='identity')
s.add_endpoint('internal', self.INTERNAL_URL, region=self.REGION_ONE)
s.add_endpoint('public', self.PUBLIC_URL, region=self.REGION_TWO)
s.add_endpoint('admin', self.ADMIN_URL, region=self.REGION_THREE)
auth_ref = access.create(body=token)
catalog_data = auth_ref.service_catalog.catalog
catalog = _request._v3_to_v2_catalog(catalog_data)
self.assertEqual(1, len(catalog))
service = catalog[0]
# the 3 regions will come through as 3 separate endpoints
expected = [{
'internalURL': self.INTERNAL_URL,
'region': self.REGION_ONE
}, {
'publicURL': self.PUBLIC_URL,
'region': self.REGION_TWO
}, {
'adminURL': self.ADMIN_URL,
'region': self.REGION_THREE
}]
self.assertEqual('identity', service['type'])
self.assertEqual(3, len(service['endpoints']))
for e in expected:
self.assertIn(e, expected)
def test_token_info(self):
info = fixture.V3Token()
self.assertNotIn('keystone.token_info', self.request.environ)
self.request.token_info = info
self.assertIs(info, self.request.environ['keystone.token_info'])
self.assertIs(info, self.request.token_info)
def new_client(self):
t = fixture.V3Token(user_id=self.user_id)
t.set_project_scope()
s = t.add_service('identity')
s.add_standard_endpoints(public=self.TEST_URL,
admin=self.TEST_URL)
d = fixture.V3Discovery(self.TEST_URL)
headers = {'X-Subject-Token': uuid.uuid4().hex}
self.requests.register_uri('POST',
self.TEST_URL + '/auth/tokens',
headers=headers,
json=t)
self.requests.register_uri('GET', self.TEST_URL, json={'version': d})
with self.deprecations.expect_deprecations_here():
a = ksc_identity.V3Password(username=uuid.uuid4().hex,
password=uuid.uuid4().hex,
user_domain_id=uuid.uuid4().hex,
auth_url=self.TEST_URL)
s = ksc_session.Session(auth=a)
return v3_client.Client(session=s)
def auth_response_body():
f = fixture.V3Token(audit_chain_id=uuid.uuid4().hex)
f.set_project_scope()
f.add_role(name='admin')
f.add_role(name='member')
s = f.add_service('compute', name='nova')
s.add_standard_endpoints(
public='https://compute.north.host/novapi/public',
internal='https://compute.north.host/novapi/internal',
admin='https://compute.north.host/novapi/admin',
region='North')
s = f.add_service('object-store', name='swift')
s.add_standard_endpoints(
public='http://swift.north.host/swiftapi/public',
internal='http://swift.north.host/swiftapi/internal',
admin='http://swift.north.host/swiftapi/admin',
region='South')
s = f.add_service('image', name='glance')
s.add_standard_endpoints(
public='http://glance.north.host/glanceapi/public',
internal='http://glance.north.host/glanceapi/internal',
admin='http://glance.north.host/glanceapi/admin',
region='North')
s.add_standard_endpoints(
public='http://glance.south.host/glanceapi/public',
internal='http://glance.south.host/glanceapi/internal',
admin='http://glance.south.host/glanceapi/admin',
region='South')
return f
def setUp(self):
super(AuthProjectsTest, self).setUp()
self.v3token = fixture.V3Token()
self.stub_auth(json=self.v3token)
self.stub_url('GET', [],
json={'version': fixture.V3Discovery(self.TEST_URL)})
def setUp(self):
super(K2KAuthPluginTest, self).setUp()
self.token_v3 = fixture.V3Token()
self.token_v3.add_service_provider(self.SP_ID, self.SP_AUTH_URL,
self.SP_URL)
self.session = session.Session()
self.k2kplugin = self.get_plugin()
def test_override_auth_token(self):
token = fixture.V3Token()
token.set_project_scope()
new_auth_token = uuid.uuid4().hex
auth_ref = access.AccessInfo.factory(body=token,
auth_token=new_auth_token)
self.assertEqual(new_auth_token, auth_ref.auth_token)
def test_project_scoped_service_headers(self):
token = fixture.V3Token()
token.set_project_scope()
token_id = uuid.uuid4().hex
auth_ref = access.create(auth_token=token_id, body=token)
self.request.set_service_headers(auth_ref)
self._test_v3_headers(token, '-Service')
def _plugin(self, **kwargs):
token = fixture.V3Token()
s = token.add_service('identity')
s.add_standard_endpoints(public=self.TEST_ROOT_URL)
auth_ref = access.AccessInfo.factory(body=token,
auth_token=self.auth_token)
with self.deprecations.expect_deprecations_here():
return access_plugin.AccessInfoPlugin(auth_ref, **kwargs)
def test_binding(self):
token = fixture.V3Token()
principal = uuid.uuid4().hex
token.set_bind('kerberos', principal)
auth_ref = access.create(body=token)
self.assertIsInstance(auth_ref, access.AccessInfoV3)
self.assertEqual({'kerberos': principal}, auth_ref.bind)
def setUp(self):
super(ServiceTokenTests, self).setUp()
self.user_token_id = uuid.uuid4().hex
self.user_token = fixture.V3Token()
self.user_token.set_project_scope()
self.user_auth = identity.V3Password(auth_url=self.USER_URL,
user_id=uuid.uuid4().hex,
password=uuid.uuid4().hex,
project_id=uuid.uuid4().hex)
self.service_token_id = uuid.uuid4().hex
self.service_token = fixture.V3Token()
self.service_token.set_project_scope()
self.service_auth = identity.V3Password(auth_url=self.SERVICE_URL,
user_id=uuid.uuid4().hex,
password=uuid.uuid4().hex,
project_id=uuid.uuid4().hex)
for t in (self.user_token, self.service_token):
s = t.add_service('identity')
s.add_standard_endpoints(public='http://keystone.example.com',
admin='http://keystone.example.com',
internal='http://keystone.example.com')
self.test_data = {'data': uuid.uuid4().hex}
self.user_mock = self.requests_mock.post(
self.USER_URL + '/auth/tokens',
json=self.user_token,
headers={'X-Subject-Token': self.user_token_id})
self.service_mock = self.requests_mock.post(
self.SERVICE_URL + '/auth/tokens',
json=self.service_token,
headers={'X-Subject-Token': self.service_token_id})
self.requests_mock.get(self.TEST_URL, json=self.test_data)
self.combined_auth = service_token.ServiceTokenAuthWrapper(
self.user_auth,
self.service_auth)
self.session = session.Session(auth=self.combined_auth)
def test_domain_scoped(self):
domain_id = uuid.uuid4().hex
domain_name = uuid.uuid4().hex
token = fixture.V3Token(domain_id=domain_id, domain_name=domain_name)
self.assertEqual(domain_id, token.domain_id)
self.assertEqual(domain_id, token['token']['domain']['id'])
self.assertEqual(domain_name, token.domain_name)
self.assertEqual(domain_name, token['token']['domain']['name'])
def setUp(self):
super(K2KFederatedProjectTests, self).setUp()
self.token_v3 = auth_fixture.V3Token()
self.token_v3.add_service_provider(self.SP_ID, self.SP_AUTH_URL,
self.SP_URL)
self.session = session.Session()
self.collection_key = 'projects'
self.model = projects.Project
self.URL = '%s%s' % (self.SP_ROOT_URL, '/auth/projects')
self.k2kplugin = self.get_plugin()
self._mock_k2k_flow_urls()
def test_token_bind(self):
name1 = uuid.uuid4().hex
data1 = uuid.uuid4().hex
name2 = uuid.uuid4().hex
data2 = {uuid.uuid4().hex: uuid.uuid4().hex}
token = fixture.V3Token()
token.set_bind(name1, data1)
token.set_bind(name2, data2)
self.assertEqual({name1: data1, name2: data2}, token['token']['bind'])
def setUp(self):
super(GenericPluginTestCase, self).setUp()
self.token_v2 = fixture.V2Token()
self.token_v3 = fixture.V3Token()
self.token_v3_id = uuid.uuid4().hex
self.session = session.Session()
self.stub_url('POST', ['v2.0', 'tokens'], json=self.token_v2)
self.stub_url('POST', ['v3', 'auth', 'tokens'],
headers={'X-Subject-Token': self.token_v3_id},
json=self.token_v3)
def test_roles(self):
role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
role2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
token = fixture.V3Token()
token.add_role(**role1)
token.add_role(**role2)
self.assertEqual(2, len(token['token']['roles']))
self.assertIn(role1, token['token']['roles'])
self.assertIn(role2, token['token']['roles'])
