def setUp(self):
super(V3FederatedPlugin, self).setUp()
self.deprecations.expect_deprecations()
self.unscoped_token = fixture.V3Token()
self.unscoped_token_id = uuid.uuid4().hex
self.scoped_token = copy.deepcopy(self.unscoped_token)
self.scoped_token.set_project_scope()
self.scoped_token.methods.append('token')
self.scoped_token_id = uuid.uuid4().hex
s = self.scoped_token.add_service('compute', name='nova')
s.add_standard_endpoints(public='http://nova/public',
admin='http://nova/admin',
internal='http://nova/internal')
self.idp = uuid.uuid4().hex
self.protocol = uuid.uuid4().hex
self.token_url = ('%s/OS-FEDERATION/identity_providers/%s/protocols/%s'
'/auth' % (self.AUTH_URL, self.idp, self.protocol))
headers = {'X-Subject-Token': self.unscoped_token_id}
self.unscoped_mock = self.requests_mock.post(self.token_url,
json=self.unscoped_token,
headers=headers)
headers = {'X-Subject-Token': self.scoped_token_id}
auth_url = self.AUTH_URL + '/auth/tokens'
self.scoped_mock = self.requests_mock.post(auth_url,
json=self.scoped_token,
headers=headers)
def setUp(self):
super(V3UserPluginTests, self).setUp()
self.service_token_id = uuid.uuid4().hex
self.service_token = fixture.V3Token()
s = self.service_token.add_service('identity', name='keystone')
s.add_standard_endpoints(public=BASE_URI,
admin=BASE_URI,
internal=BASE_URI)
self.configure_middleware(auth_plugin='v3password',
auth_url='%s/v3/' % AUTH_URL,
user_id=self.service_token.user_id,
password=uuid.uuid4().hex,
project_id=self.service_token.project_id)
auth_discovery = fixture.DiscoveryList(href=AUTH_URL)
self.requests_mock.get(AUTH_URL, json=auth_discovery)
base_discovery = fixture.DiscoveryList(href=BASE_URI)
self.requests_mock.get(BASE_URI, json=base_discovery)
self.requests_mock.post(
'%s/v3/auth/tokens' % AUTH_URL,
headers={'X-Subject-Token': self.service_token_id},
json=self.service_token)
def test_catalog(self):
service_type = uuid.uuid4().hex
service_name = uuid.uuid4().hex
region = uuid.uuid4().hex
endpoints = {
'public': uuid.uuid4().hex,
'internal': uuid.uuid4().hex,
'admin': uuid.uuid4().hex
}
token = fixture.V3Token()
svc = token.add_service(type=service_type, name=service_name)
svc.add_standard_endpoints(region=region, **endpoints)
self.assertEqual(1, len(token['token']['catalog']))
service = token['token']['catalog'][0]
self.assertEqual(3, len(service['endpoints']))
self.assertEqual(service_name, service['name'])
self.assertEqual(service_type, service['type'])
for interface, url in six.iteritems(endpoints):
endpoint = {
'interface': interface,
'url': url,
'region': region,
'region_id': region
}
self.assertIn(endpoint, service['endpoints'])
def register_keystone_v3_token_fixture(self, request_mocker):
v3_token = ks_fixture.V3Token()
service = v3_token.add_service('baremetal')
service.add_standard_endpoints(public='http://ironic.example.com')
request_mocker.post('%s/auth/tokens' % V3_URL,
json=v3_token,
headers={'X-Subject-Token': uuid.uuid4().hex})
def test_catalog(self):
service_type = uuid.uuid4().hex
service_name = uuid.uuid4().hex
service_id = uuid.uuid4().hex
region = uuid.uuid4().hex
endpoints = {'public': uuid.uuid4().hex,
'internal': uuid.uuid4().hex,
'admin': uuid.uuid4().hex}
token = fixture.V3Token()
svc = token.add_service(type=service_type,
name=service_name,
id=service_id)
svc.add_standard_endpoints(region=region, **endpoints)
self.assertEqual(1, len(token['token']['catalog']))
service = token['token']['catalog'][0]
self.assertEqual(3, len(service['endpoints']))
self.assertEqual(service_name, service['name'])
self.assertEqual(service_type, service['type'])
self.assertEqual(service_id, service['id'])
for endpoint in service['endpoints']:
# assert an id exists for each endpoint, remove it to make testing
# the endpoint content below easier.
self.assertTrue(endpoint.pop('id'))
for interface, url in six.iteritems(endpoints):
endpoint = {'interface': interface, 'url': url,
'region': region, 'region_id': region}
self.assertIn(endpoint, service['endpoints'])
def test_good_v3_user_token(self):
t = fixture.V3Token()
t.set_project_scope()
role = t.add_role()
token_id = uuid.uuid4().hex
token_dict = {token_id: t}
@webob.dec.wsgify
def _do_cb(req):
self.assertEqual(token_id, req.headers['X-Auth-Token'])
self.assertEqual('Confirmed', req.headers['X-Identity-Status'])
self.assertNotIn('X-Service-Token', req.headers)
p = req.environ['keystone.token_auth']
self.assertTrue(p.has_user_token)
self.assertFalse(p.has_service_token)
self.assertEqual(t.project_id, p.user.project_id)
self.assertEqual(t.project_domain_id, p.user.project_domain_id)
self.assertEqual(t.user_id, p.user.user_id)
self.assertEqual(t.user_domain_id, p.user.user_domain_id)
self.assertIn(role['name'], p.user.role_names)
return webob.Response()
m = FetchingMiddleware(_do_cb, token_dict)
self.call(m, headers={'X-Auth-Token': token_id})
def test_multi_region(self):
token = fixture.V3Token()
s = token.add_service(type='identity')
s.add_endpoint('internal', self.INTERNAL_URL, region=self.REGION_ONE)
s.add_endpoint('public', self.PUBLIC_URL, region=self.REGION_TWO)
s.add_endpoint('admin', self.ADMIN_URL, region=self.REGION_THREE)
auth_ref = access.AccessInfo.factory(body=token)
catalog_data = auth_ref.service_catalog.get_data()
catalog = _request._v3_to_v2_catalog(catalog_data)
self.assertEqual(1, len(catalog))
service = catalog[0]
# the 3 regions will come through as 3 separate endpoints
expected = [{'internalURL': self.INTERNAL_URL,
'region': self.REGION_ONE},
{'publicURL': self.PUBLIC_URL,
'region': self.REGION_TWO},
{'adminURL': self.ADMIN_URL,
'region': self.REGION_THREE}]
self.assertEqual('identity', service['type'])
self.assertEqual(3, len(service['endpoints']))
for e in expected:
self.assertIn(e, expected)
def test_override_auth_token(self):
token = fixture.V3Token()
token.set_project_scope()
new_auth_token = uuid.uuid4().hex
auth_ref = access.AccessInfo.factory(body=token,
auth_token=new_auth_token)
self.assertEqual(new_auth_token, auth_ref.auth_token)
def setUp(self):
super(AuthProjectsTest, self).setUp()
self.v3token = fixture.V3Token()
self.stub_auth(json=self.v3token)
self.stub_url('GET', [],
json={'version': fixture.V3Discovery(self.TEST_URL)})
def _plugin(self, **kwargs):
token = fixture.V3Token()
s = token.add_service('identity')
s.add_standard_endpoints(public=self.TEST_ROOT_URL)
auth_ref = access.AccessInfo.factory(body=token,
auth_token=self.auth_token)
return access_plugin.AccessInfoPlugin(auth_ref, **kwargs)
def test_project_scoped_service_headers(self):
token = fixture.V3Token()
token.set_project_scope()
token_id = uuid.uuid4().hex
auth_ref = access.AccessInfo.factory(token_id=token_id, body=token)
self.request.set_service_headers(auth_ref)
self._test_v3_headers(token, '-Service')
def test_project_scoped_user_headers(self):
token = fixture.V3Token()
token.set_project_scope()
token_id = uuid.uuid4().hex
auth_ref = access.AccessInfo.factory(token_id=token_id, body=token)
self.request.set_user_headers(auth_ref, include_service_catalog=True)
self._test_v3_headers(token, '')
def test_domain_scoped(self):
domain_id = uuid.uuid4().hex
domain_name = uuid.uuid4().hex
token = fixture.V3Token(domain_id=domain_id, domain_name=domain_name)
self.assertEqual(domain_id, token.domain_id)
self.assertEqual(domain_id, token['token']['domain']['id'])
self.assertEqual(domain_name, token.domain_name)
self.assertEqual(domain_name, token['token']['domain']['name'])
def trust_token():
return fixture.V3Token(user_id='0ca8f6',
user_name='exampleuser',
user_domain_id='4e6893b7ba0b4006840c3845660b86ed',
user_domain_name='exampledomain',
expires='2010-11-01T03:32:15-05:00',
trust_id='fe0aef',
trust_impersonation=False,
trustee_user_id='0ca8f6',
trustor_user_id='bd263c')
def setUp(self):
super(GenericPluginTestCase, self).setUp()
self.token_v2 = fixture.V2Token()
self.token_v3 = fixture.V3Token()
self.token_v3_id = uuid.uuid4().hex
self.session = session.Session()
self.stub_url('POST', ['v2.0', 'tokens'], json=self.token_v2)
self.stub_url('POST', ['v3', 'auth', 'tokens'],
headers={'X-Subject-Token': self.token_v3_id},
json=self.token_v3)
def test_roles(self):
role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
role2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
token = fixture.V3Token()
token.add_role(**role1)
token.add_role(**role2)
self.assertEqual(2, len(token['token']['roles']))
self.assertIn(role1, token['token']['roles'])
self.assertIn(role2, token['token']['roles'])
def test_oauth_scoped(self):
access_id = uuid.uuid4().hex
consumer_id = uuid.uuid4().hex
token = fixture.V3Token(oauth_access_token_id=access_id,
oauth_consumer_id=consumer_id)
oauth = token['token']['OS-OAUTH1']
self.assertEqual(access_id, token.oauth_access_token_id)
self.assertEqual(access_id, oauth['access_token_id'])
self.assertEqual(consumer_id, token.oauth_consumer_id)
self.assertEqual(consumer_id, oauth['consumer_id'])
def setUp(self):
super(AuthProjectsTest, self).setUp()
self.v3token = fixture.V3Token()
self.stub_auth(json=self.v3token)
self.stub_url('GET', [],
json={'version': fixture.V3Discovery(self.TEST_URL)})
self.auth = v3.Password(auth_url=self.TEST_URL,
user_id=self.v3token.user_id,
password=uuid.uuid4().hex)
self.session = session.Session(auth=self.auth)
self.client = client.Client(session=self.session)
def get_auth_data(self, **kwargs):
token = fixture.V3Token(**kwargs)
region = 'RegionOne'
svc = token.add_service('identity')
svc.add_standard_endpoints(admin=self.TEST_ADMIN_URL, region=region)
svc = token.add_service('compute')
svc.add_standard_endpoints(admin=self.TEST_COMPUTE_ADMIN,
public=self.TEST_COMPUTE_PUBLIC,
internal=self.TEST_COMPUTE_INTERNAL,
region=region)
return token
def project_scoped_token():
f = fixture.V3Token(user_id='c4da488862bd435c9e6c0275a0d0e49a',
user_name='exampleuser',
user_domain_id='4e6893b7ba0b4006840c3845660b86ed',
user_domain_name='exampledomain',
expires='2010-11-01T03:32:15-05:00',
project_id='225da22d3ce34b15877ea70b2a575f58',
project_name='exampleproject',
project_domain_id='4e6893b7ba0b4006840c3845660b86ed',
project_domain_name='exampledomain',
audit_chain_id=uuid.uuid4().hex)
f.add_role(id='76e72a', name='admin')
f.add_role(id='f4f392', name='member')
region = 'RegionOne'
tenant = '225da22d3ce34b15877ea70b2a575f58'
s = f.add_service('volume')
s.add_standard_endpoints(public='http://public.com:8776/v1/%s' % tenant,
internal='http://internal:8776/v1/%s' % tenant,
admin='http://admin:8776/v1/%s' % tenant,
region=region)
s = f.add_service('image')
s.add_standard_endpoints(public='http://public.com:9292/v1',
internal='http://internal:9292/v1',
admin='http://admin:9292/v1',
region=region)
s = f.add_service('compute')
s.add_standard_endpoints(public='http://public.com:8774/v2/%s' % tenant,
internal='http://internal:8774/v2/%s' % tenant,
admin='http://admin:8774/v2/%s' % tenant,
region=region)
s = f.add_service('ec2')
s.add_standard_endpoints(public='http://public.com:8773/services/Cloud',
internal='http://internal:8773/services/Cloud',
admin='http://admin:8773/services/Admin',
region=region)
s = f.add_service('identity')
s.add_standard_endpoints(public='http://public.com:5000/v3',
internal='http://internal:5000/v3',
admin='http://admin:35357/v3',
region=region)
return f
def test_expired_user_token(self):
t = fixture.V3Token()
t.set_project_scope()
t.expires = datetime.datetime.utcnow() - datetime.timedelta(minutes=10)
token_id = uuid.uuid4().hex
token_dict = {token_id: t}
@webob.dec.wsgify
def _do_cb(req):
self.assertEqual('Invalid', req.headers['X-Identity-Status'])
self.assertEqual(token_id, req.headers['X-Auth-Token'])
return webob.Response()
m = FetchingMiddleware(_do_cb, token_dict=token_dict)
self.call(m, headers={'X-Auth-Token': token_id})
def test_oauth_access(self):
consumer_id = uuid.uuid4().hex
access_token_id = uuid.uuid4().hex
token = fixture.V3Token()
token.set_project_scope()
token.set_oauth(access_token_id=access_token_id,
consumer_id=consumer_id)
auth_ref = access.AccessInfo.factory(body=token)
self.assertEqual(consumer_id, auth_ref.oauth_consumer_id)
self.assertEqual(access_token_id, auth_ref.oauth_access_token_id)
self.assertEqual(consumer_id, auth_ref['OS-OAUTH1']['consumer_id'])
self.assertEqual(access_token_id,
auth_ref['OS-OAUTH1']['access_token_id'])
def domain_scoped_token():
f = fixture.V3Token(user_id='c4da488862bd435c9e6c0275a0d0e49a',
user_name='exampleuser',
user_domain_id='4e6893b7ba0b4006840c3845660b86ed',
user_domain_name='exampledomain',
expires='2010-11-01T03:32:15-05:00',
domain_id='8e9283b7ba0b1038840c3842058b86ab',
domain_name='anotherdomain',
audit_chain_id=uuid.uuid4().hex)
f.add_role(id='76e72a', name='admin')
f.add_role(id='f4f392', name='member')
region = 'RegionOne'
s = f.add_service('volume')
s.add_standard_endpoints(public='http://public.com:8776/v1/None',
internal='http://internal.com:8776/v1/None',
admin='http://admin.com:8776/v1/None',
region=region)
s = f.add_service('image')
s.add_standard_endpoints(public='http://public.com:9292/v1',
internal='http://internal:9292/v1',
admin='http://admin:9292/v1',
region=region)
s = f.add_service('compute')
s.add_standard_endpoints(public='http://public.com:8774/v1.1/None',
internal='http://internal:8774/v1.1/None',
admin='http://admin:8774/v1.1/None',
region=region)
s = f.add_service('ec2')
s.add_standard_endpoints(public='http://public.com:8773/services/Cloud',
internal='http://internal:8773/services/Cloud',
admin='http://admin:8773/services/Admin',
region=region)
s = f.add_service('identity')
s.add_standard_endpoints(public='http://public.com:5000/v3',
internal='http://internal:5000/v3',
admin='http://admin:35357/v3',
region=region)
return f
def get_token(self):
token_id = uuid.uuid4().hex
token = fixture.V3Token()
token.set_project_scope()
token.add_role()
request_headers = {
'X-Auth-Token': self.service_token_id,
'X-Subject-Token': token_id
}
headers = {'X-Subject-Token': token_id}
self.requests_mock.get('%s/v3/auth/tokens' % BASE_URI,
request_headers=request_headers,
headers=headers,
json=token)
return token_id, token
def auth_response_body():
f = fixture.V3Token(user_id='567',
user_name='test',
user_domain_id='1',
user_domain_name='aDomain',
expires='2010-11-01T03:32:15-05:00',
project_domain_id='123',
project_domain_name='aDomain',
project_id='345',
project_name='aTenant',
audit_chain_id=uuid.uuid4().hex)
f.add_role(id='76e72a', name='admin')
f.add_role(id='f4f392', name='member')
s = f.add_service('compute', name='nova')
s.add_standard_endpoints(
public='https://compute.north.host/novapi/public',
internal='https://compute.north.host/novapi/internal',
admin='https://compute.north.host/novapi/admin',
region='North')
s = f.add_service('object-store', name='swift')
s.add_standard_endpoints(
public='http://swift.north.host/swiftapi/public',
internal='http://swift.north.host/swiftapi/internal',
admin='http://swift.north.host/swiftapi/admin',
region='South')
s = f.add_service('image', name='glance')
s.add_standard_endpoints(
public='http://glance.north.host/glanceapi/public',
internal='http://glance.north.host/glanceapi/internal',
admin='http://glance.north.host/glanceapi/admin',
region='North')
s.add_standard_endpoints(
public='http://glance.south.host/glanceapi/public',
internal='http://glance.south.host/glanceapi/internal',
admin='http://glance.south.host/glanceapi/admin',
region='South')
return f
def test_trust_scoped(self):
trust_id = uuid.uuid4().hex
trustee_user_id = uuid.uuid4().hex
trustor_user_id = uuid.uuid4().hex
impersonation = True
token = fixture.V3Token(trust_id=trust_id,
trustee_user_id=trustee_user_id,
trustor_user_id=trustor_user_id,
trust_impersonation=impersonation)
trust = token['token']['OS-TRUST:trust']
self.assertEqual(trust_id, token.trust_id)
self.assertEqual(trust_id, trust['id'])
self.assertEqual(trustee_user_id, token.trustee_user_id)
self.assertEqual(trustee_user_id, trust['trustee_user']['id'])
self.assertEqual(trustor_user_id, token.trustor_user_id)
self.assertEqual(trustor_user_id, trust['trustor_user']['id'])
self.assertEqual(impersonation, token.trust_impersonation)
self.assertEqual(impersonation, trust['impersonation'])
def test_project_scoped(self):
project_id = uuid.uuid4().hex
project_name = uuid.uuid4().hex
project_domain_id = uuid.uuid4().hex
project_domain_name = uuid.uuid4().hex
token = fixture.V3Token(project_id=project_id,
project_name=project_name,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name)
self.assertEqual(project_id, token.project_id)
self.assertEqual(project_id, token['token']['project']['id'])
self.assertEqual(project_name, token.project_name)
self.assertEqual(project_name, token['token']['project']['name'])
project_domain = token['token']['project']['domain']
self.assertEqual(project_domain_id, token.project_domain_id)
self.assertEqual(project_domain_id, project_domain['id'])
self.assertEqual(project_domain_name, token.project_domain_name)
self.assertEqual(project_domain_name, project_domain['name'])
def test_unscoped(self):
user_id = uuid.uuid4().hex
user_name = uuid.uuid4().hex
user_domain_id = uuid.uuid4().hex
user_domain_name = uuid.uuid4().hex
token = fixture.V3Token(user_id=user_id,
user_name=user_name,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name)
self.assertEqual(user_id, token.user_id)
self.assertEqual(user_id, token['token']['user']['id'])
self.assertEqual(user_name, token.user_name)
self.assertEqual(user_name, token['token']['user']['name'])
user_domain = token['token']['user']['domain']
self.assertEqual(user_domain_id, token.user_domain_id)
self.assertEqual(user_domain_id, user_domain['id'])
self.assertEqual(user_domain_name, token.user_domain_name)
self.assertEqual(user_domain_name, user_domain['name'])
def new_client(self):
t = fixture.V3Token(user_id=self.user_id)
t.set_project_scope()
s = t.add_service('identity')
s.add_standard_endpoints(public=self.TEST_URL, admin=self.TEST_URL)
d = fixture.V3Discovery(self.TEST_URL)
headers = {'X-Subject-Token': uuid.uuid4().hex}
self.requests.register_uri('POST',
self.TEST_URL + '/auth/tokens',
headers=headers,
json=t)
self.requests.register_uri('GET', self.TEST_URL, json={'version': d})
a = ksa_identity.V3Password(username=uuid.uuid4().hex,
password=uuid.uuid4().hex,
user_domain_id=uuid.uuid4().hex,
auth_url=self.TEST_URL)
s = ksa_session.Session(auth=a)
return v3_client.Client(session=s)
def setup_keystone_v3(mrequests):
mrequests.register_uri('GET', V3_URL, json=V3_VERSION_ENTRY)
v3_token = ks_fixture.V3Token()
service = v3_token.add_service('network')
service.add_standard_endpoints(public=PUBLIC_ENDPOINT_URL,
admin=ADMIN_ENDPOINT_URL,
internal=INTERNAL_ENDPOINT_URL,
region=REGION)
mrequests.register_uri('POST',
'%s/auth/tokens' % (V3_URL),
text=json.dumps(v3_token),
headers={'X-Subject-Token': TOKENID})
auth_session = session.Session()
auth_plugin = ks_v3_auth.Password(V3_URL,
username='******',
user_id='xx',
user_domain_name='xx',
user_domain_id='xx')
return auth_session, auth_plugin