Exemple #1
0
    def test_password_history_check_self_service_api(self):
        old_pass = self.creds.password
        new_pass1 = data_utils.rand_password()
        new_pass2 = data_utils.rand_password()

        self.addCleanup(self._restore_password, old_pass, new_pass2)

        # Update password
        self._update_password(original_password=old_pass, password=new_pass1)

        if CONF.identity.user_unique_last_password_count > 1:
            # Can not reuse a previously set password
            self.assertRaises(exceptions.BadRequest,
                              self.non_admin_users_client.update_user_password,
                              self.user_id,
                              password=new_pass1,
                              original_password=new_pass1)

            self.assertRaises(exceptions.BadRequest,
                              self.non_admin_users_client.update_user_password,
                              self.user_id,
                              password=old_pass,
                              original_password=new_pass1)

        # A different password can be set
        self._update_password(original_password=new_pass1, password=new_pass2)
Exemple #2
0
 def test_rand_password_with_len(self):
     actual = data_utils.rand_password(8)
     self.assertIsInstance(actual, str)
     self.assertEqual(len(actual), 8)
     self.assertRegexpMatches(actual, "[A-Za-z0-9~!@#$%^&*_=+]{8}")
     actual2 = data_utils.rand_password(8)
     self.assertNotEqual(actual, actual2)
Exemple #3
0
 def test_rand_password_with_len_2(self):
     actual = data_utils.rand_password(2)
     self.assertIsInstance(actual, str)
     self.assertEqual(len(actual), 3)
     self.assertRegex(actual, "[A-Za-z0-9~!@#$%^&*_=+]{3}")
     actual2 = data_utils.rand_password(2)
     self.assertNotEqual(actual, actual2)
Exemple #4
0
 def test_rand_password_with_len_2(self):
     actual = data_utils.rand_password(2)
     self.assertIsInstance(actual, str)
     self.assertEqual(len(actual), 3)
     self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}")
     actual2 = data_utils.rand_password(2)
     self.assertNotEqual(actual, actual2)
Exemple #5
0
    def test_password_history_check_self_service_api(self):
        old_pass = self.creds.password
        new_pass1 = data_utils.rand_password()
        new_pass2 = data_utils.rand_password()

        self.addCleanup(self._restore_password, old_pass, new_pass2)

        # Update password
        self._update_password(original_password=old_pass, password=new_pass1)

        if CONF.identity.user_unique_last_password_count > 1:
            # Can not reuse a previously set password
            self.assertRaises(exceptions.BadRequest,
                              self.non_admin_users_client.update_user_password,
                              self.user_id,
                              password=new_pass1,
                              original_password=new_pass1)

            self.assertRaises(exceptions.BadRequest,
                              self.non_admin_users_client.update_user_password,
                              self.user_id,
                              password=old_pass,
                              original_password=new_pass1)

        # A different password can be set
        self._update_password(original_password=new_pass1, password=new_pass2)
Exemple #6
0
 def test_update_user_password(self):
     # Creating User to check password updation
     u_name = data_utils.rand_name('user')
     original_password = data_utils.rand_password()
     user = self.users_client.create_user(
         name=u_name, password=original_password)['user']
     # Delete the User at the end all test methods
     self.addCleanup(self.users_client.delete_user, user['id'])
     # Update user with new password
     new_password = data_utils.rand_password()
     self.users_client.update_user_password(
         user['id'],
         password=new_password,
         original_password=original_password)
     # NOTE(morganfainberg): Fernet tokens are not subsecond aware and
     # Keystone should only be precise to the second. Sleep to ensure
     # we are passing the second boundary.
     time.sleep(1)
     resp = self.token.auth(user_id=user['id'],
                            password=new_password).response
     subject_token = resp['x-subject-token']
     # Perform GET Token to verify and confirm password is updated
     token_details = self.client.show_token(subject_token)['token']
     self.assertEqual(token_details['user']['id'], user['id'])
     self.assertEqual(token_details['user']['name'], u_name)
Exemple #7
0
    def test_change_password(self):
        original_password = data_utils.rand_password()
        user = self.setup_test_user(password=original_password)

        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
        self.users_client.update_user_password(
            user['id'],
            original_password=original_password,
            password=data_utils.rand_password())
Exemple #8
0
 def test_rand_password_with_len_2(self):
     actual = data_utils.rand_password(2)
     self.assertIsInstance(actual, str)
     self.assertEqual(len(actual), 3)
     self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}")
     actual2 = data_utils.rand_password(2)
     # NOTE(masayukig): Originally, we checked that the acutal and actual2
     # are different each other. But only 3 letters can be the same value
     # in a very rare case. So, we just check the length here, too,
     # just in case.
     self.assertEqual(len(actual2), 3)
Exemple #9
0
 def test_rand_password_with_len_2(self):
     actual = data_utils.rand_password(2)
     self.assertIsInstance(actual, str)
     self.assertEqual(len(actual), 3)
     self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}")
     actual2 = data_utils.rand_password(2)
     # NOTE(masayukig): Originally, we checked that the acutal and actual2
     # are different each other. But only 3 letters can be the same value
     # in a very rare case. So, we just check the length here, too,
     # just in case.
     self.assertEqual(len(actual2), 3)
Exemple #10
0
 def test_create_server_with_personality(self):
     file_contents = 'This is a test file.'
     file_path = '/test.txt'
     personality = [{'path': file_path,
                     'contents': base64.encode_as_text(file_contents)}]
     password = data_utils.rand_password()
     validation_resources = self.get_test_validation_resources(
         self.os_primary)
     created_server = self.create_test_server(
         personality=personality, adminPass=password, wait_until='ACTIVE',
         validatable=True,
         validation_resources=validation_resources)
     self.addCleanup(waiters.wait_for_server_termination,
                     self.servers_client, created_server['id'])
     self.addCleanup(test_utils.call_and_ignore_notfound_exc,
                     self.servers_client.delete_server,
                     created_server['id'])
     server = self.client.show_server(created_server['id'])['server']
     if CONF.validation.run_validation:
         linux_client = remote_client.RemoteClient(
             self.get_server_ip(server, validation_resources),
             self.ssh_user, password,
             validation_resources['keypair']['private_key'],
             server=server,
             servers_client=self.client)
         self.assertEqual(file_contents,
                          linux_client.exec_command(
                              'sudo cat %s' % file_path))
Exemple #11
0
 def test_create_check_get_delete_token(self):
     """Test getting create/check/get/delete token for user via v2 API"""
     # get a token by username and password
     user_name = data_utils.rand_name(name='user')
     user_password = data_utils.rand_password()
     # first:create a tenant
     tenant = self.setup_test_tenant()
     # second:create a user
     user = self.create_test_user(name=user_name,
                                  password=user_password,
                                  tenantId=tenant['id'],
                                  email='')
     # then get a token for the user
     body = self.token_client.auth(user_name,
                                   user_password,
                                   tenant['name'])
     self.assertEqual(body['token']['tenant']['name'],
                      tenant['name'])
     # Perform GET Token
     token_id = body['token']['id']
     self.client.check_token_existence(token_id)
     token_details = self.client.show_token(token_id)['access']
     self.assertEqual(token_id, token_details['token']['id'])
     self.assertEqual(user['id'], token_details['user']['id'])
     self.assertEqual(user_name, token_details['user']['name'])
     self.assertEqual(tenant['name'],
                      token_details['token']['tenant']['name'])
     # then delete the token
     self.client.delete_token(token_id)
     self.assertRaises(lib_exc.NotFound,
                       self.client.check_token_existence,
                       token_id)
Exemple #12
0
 def setUp(self):
     super(TestK2KFederatedAuthentication, self).setUp()
     self._setup_sp()
     self.auth = {'password': data_utils.rand_password()}
     user_id = self.keystone_manager.users_v3_client.create_user(
         name=data_utils.rand_name('user'),
         password=self.auth['password'])['user']['id']
     self.addCleanup(self.keystone_manager.users_v3_client.delete_user,
                     user_id)
     self.auth['user_id'] = user_id
     idp_info = self.idps_client.show_identity_provider(self.idp_id)
     domain_id = idp_info['identity_provider']['domain_id']
     project_id = self.keystone_manager.identity_providers_client.tenant_id
     self.auth['project_id'] = project_id
     group = self.keystone_manager.groups_client.create_group(
         name=data_utils.rand_uuid_hex(), domain_id=domain_id)
     self.addCleanup(self.keystone_manager.groups_client.delete_group,
                     group['group']['id'])
     role = self.keystone_manager.roles_v3_client.create_role(
         name=data_utils.rand_uuid_hex(), project_id=project_id)
     self.addCleanup(self.keystone_manager.roles_v3_client.delete_role,
                     role['role']['id'])
     self.keystone_manager.roles_v3_client.create_group_role_on_project(
         group_id=group['group']['id'],
         project_id=project_id,
         role_id=role['role']['id'])
     self.keystone_manager.groups_client.add_group_user(
         group_id=group['group']['id'], user_id=user_id)
Exemple #13
0
    def test_user_update(self):
        # Test case to check if updating of user attributes is successful.
        # Creating first user
        u_name = data_utils.rand_name('user')
        u_desc = u_name + 'description'
        u_email = u_name + '@testmail.tm'
        u_password = data_utils.rand_password()
        user = self.users_client.create_user(
            name=u_name, description=u_desc, password=u_password,
            email=u_email, enabled=False)['user']
        # Delete the User at the end of this method
        self.addCleanup(self.users_client.delete_user, user['id'])

        # Creating second project for updation
        project = self.setup_test_project()

        # Updating user details with new values
        update_kwargs = {'name': data_utils.rand_name('user2'),
                         'description': data_utils.rand_name('desc2'),
                         'project_id': project['id'],
                         'email': '*****@*****.**',
                         'enabled': False}
        updated_user = self.users_client.update_user(
            user['id'], **update_kwargs)['user']
        for field in update_kwargs:
            self.assertEqual(update_kwargs[field], updated_user[field])

        # GET by id after updating
        new_user_get = self.users_client.show_user(user['id'])['user']
        # Assert response body of GET after updation
        for field in update_kwargs:
            self.assertEqual(update_kwargs[field], new_user_get[field])
Exemple #14
0
    def test_create_transfer_accept_using_invalid_key(self):
        LOG.info('Create a zone')
        zone_name = dns_data_utils.rand_zone_name(
            name="create_transfer_accept_invalid_key", suffix=self.tld_name)
        zone = self.zone_client.create_zone(name=zone_name,
                                            wait_until='ACTIVE')[1]
        self.addCleanup(self.wait_zone_delete, self.zone_client, zone['id'])

        LOG.info('Create a zone transfer_request')
        transfer_request = self.request_client.create_transfer_request(
                                  zone['id'])[1]
        self.addCleanup(
            self.transfer_request_delete,
            self.request_client,
            transfer_request['id']
        )

        data = {"key": data_utils.rand_password(
                len(transfer_request['key'])),
                "zone_transfer_request_id": transfer_request['id']}

        LOG.info('Create a zone transfer_accept using invalid key')
        self.assertRaises(
            lib_exc.Forbidden, self.client.create_transfer_accept,
            transfer_accept_data=data)
Exemple #15
0
    def test_user_account_lockout(self):
        if (CONF.identity.user_lockout_failure_attempts <= 0 or
                CONF.identity.user_lockout_duration <= 0):
            raise self.skipException(
                "Both CONF.identity.user_lockout_failure_attempts and "
                "CONF.identity.user_lockout_duration should be greater than "
                "zero to test this feature")

        password = self.creds.password

        # First, we login using the correct credentials
        self.non_admin_token.auth(user_id=self.user_id, password=password)

        # Lock user account by using the wrong password to login
        bad_password = data_utils.rand_password()
        for _ in range(CONF.identity.user_lockout_failure_attempts):
            self.assertRaises(exceptions.Unauthorized,
                              self.non_admin_token.auth,
                              user_id=self.user_id,
                              password=bad_password)

        # The user account must be locked, so now it is not possible to login
        # even using the correct password
        self.assertRaises(exceptions.Unauthorized,
                          self.non_admin_token.auth,
                          user_id=self.user_id,
                          password=password)

        # If we wait the required time, the user account will be unlocked
        time.sleep(CONF.identity.user_lockout_duration + 1)
        self.non_admin_token.auth(user_id=self.user_id, password=password)
Exemple #16
0
 def test_can_create_server_with_max_number_personality_files(self):
     # Server should be created successfully if maximum allowed number of
     # files is injected into the server during creation.
     file_contents = 'This is a test file.'
     limits = self.user_client.show_limits()['limits']
     max_file_limit = limits['absolute']['maxPersonality']
     if max_file_limit == -1:
         raise self.skipException("No limit for personality files")
     person = []
     for i in range(0, int(max_file_limit)):
         # NOTE(andreaf) The cirros disk image is blank before boot
         # so we can only inject safely to /
         path = '/test' + str(i) + '.txt'
         person.append({
             'path': path,
             'contents': base64.encode_as_text(file_contents + str(i)),
         })
     password = data_utils.rand_password()
     created_server = self.create_test_server(personality=person,
                                              adminPass=password,
                                              wait_until='ACTIVE',
                                              validatable=True)
     server = self.client.show_server(created_server['id'])['server']
     if CONF.validation.run_validation:
         linux_client = remote_client.RemoteClient(
             self.get_server_ip(server),
             self.ssh_user, password,
             self.validation_resources['keypair']['private_key'],
             server=server,
             servers_client=self.client)
         for i in person:
             self.assertEqual(base64.decode_as_text(i['contents']),
                              linux_client.exec_command(
                                  'sudo cat %s' % i['path']))
Exemple #17
0
    def _setup_new_user_client(cls, project_id, role):
        """Create a new tempest.clients.Manager

        Creates a new user with the given roles on the given project,
        and returns an instance of tempest.clients.Manager set up
        for that user.

        Users are cleaned up during class teardown in cls.clear_credentials
        """
        user = {
            'name': data_utils.rand_name('user'),
            'password': data_utils.rand_password()
        }
        user_id = cls.os_system_admin.users_v3_client.create_user(
            **user)['user']['id']
        cls._created_users.append(user_id)
        role_id = cls.os_system_admin.roles_v3_client.list_roles(
            name=role)['roles'][0]['id']
        cls.os_system_admin.roles_v3_client.create_user_role_on_project(
            project_id, user_id, role_id)
        creds = auth.KeystoneV3Credentials(user_id=user_id,
                                           password=user['password'],
                                           project_id=project_id)
        auth_provider = clients.get_auth_provider(creds)
        creds = auth_provider.fill_credentials()
        return clients.Manager(credentials=creds)
Exemple #18
0
 def test_create_get_delete_token(self):
     # get a token by username and password
     user_name = data_utils.rand_name(name='user')
     user_password = data_utils.rand_password()
     # first:create a tenant
     tenant_name = data_utils.rand_name(name='tenant')
     tenant = self.tenants_client.create_tenant(name=tenant_name)['tenant']
     # Delete the tenant at the end of the test
     self.addCleanup(self.tenants_client.delete_tenant, tenant['id'])
     # second:create a user
     user = self.create_test_user(name=user_name,
                                  password=user_password,
                                  tenantId=tenant['id'],
                                  email='')
     # then get a token for the user
     body = self.token_client.auth(user_name, user_password, tenant['name'])
     self.assertEqual(body['token']['tenant']['name'], tenant['name'])
     # Perform GET Token
     token_id = body['token']['id']
     token_details = self.client.show_token(token_id)['access']
     self.assertEqual(token_id, token_details['token']['id'])
     self.assertEqual(user['id'], token_details['user']['id'])
     self.assertEqual(user_name, token_details['user']['name'])
     self.assertEqual(tenant['name'],
                      token_details['token']['tenant']['name'])
     # then delete the token
     self.client.delete_token(token_id)
Exemple #19
0
    def _get_updated_quotas(self):
        # Verify that GET shows the updated quota set of project
        project_name = data_utils.rand_name('cpu_quota_project')
        project_desc = project_name + '-desc'
        project = identity.identity_utils(self.os_admin).create_project(
            name=project_name, description=project_desc)
        project_id = project['id']
        self.addCleanup(identity.identity_utils(self.os_admin).delete_project,
                        project_id)

        self.adm_client.update_quota_set(project_id, ram='5120')
        # Call show_quota_set with detail=true to cover the
        # get_quota_set_details response schema for microversion tests
        quota_set = self.adm_client.show_quota_set(
            project_id, detail=True)['quota_set']
        self.assertEqual(5120, quota_set['ram']['limit'])

        # Verify that GET shows the updated quota set of user
        user_name = data_utils.rand_name('cpu_quota_user')
        password = data_utils.rand_password()
        email = user_name + '@testmail.tm'
        user = identity.identity_utils(self.os_admin).create_user(
            username=user_name, password=password, project=project,
            email=email)
        user_id = user['id']
        self.addCleanup(identity.identity_utils(self.os_admin).delete_user,
                        user_id)

        self.adm_client.update_quota_set(project_id,
                                         user_id=user_id,
                                         ram='2048')
        quota_set = self.adm_client.show_quota_set(
            project_id, user_id=user_id)['quota_set']
        self.assertEqual(2048, quota_set['ram'])
Exemple #20
0
 def test_can_create_server_with_max_number_personality_files(self):
     # Server should be created successfully if maximum allowed number of
     # files is injected into the server during creation.
     file_contents = 'This is a test file.'
     limits = self.user_client.show_limits()['limits']
     max_file_limit = limits['absolute']['maxPersonality']
     if max_file_limit == -1:
         raise self.skipException("No limit for personality files")
     person = []
     for i in range(0, int(max_file_limit)):
         path = '/etc/test' + str(i) + '.txt'
         person.append({
             'path': path,
             'contents': base64.encode_as_text(file_contents),
         })
     password = data_utils.rand_password()
     created_server = self.create_test_server(personality=person,
                                              adminPass=password,
                                              wait_until='ACTIVE',
                                              validatable=True)
     server = self.client.show_server(created_server['id'])['server']
     if CONF.validation.run_validation:
         linux_client = remote_client.RemoteClient(
             self.get_server_ip(server),
             self.ssh_user, password,
             self.validation_resources['keypair']['private_key'],
             server=server,
             servers_client=self.client)
         for i in person:
             self.assertEqual(base64.decode_as_text(i['contents']),
                              linux_client.exec_command(
                                  'sudo cat %s' % i['path']))
Exemple #21
0
    def test_create_server_with_fqdn_name(self):
        """Test to create an instance with FQDN type name scheme"""
        validation_resources = self.get_class_validation_resources(
            self.os_primary)
        self.server_name = 'guest-instance-1.domain.com'
        self.password = data_utils.rand_password()
        self.accessIPv4 = '2.2.2.2'
        test_server = self.create_test_server(
            validatable=True,
            validation_resources=validation_resources,
            wait_until='ACTIVE',
            adminPass=self.password,
            name=self.server_name,
            accessIPv4=self.accessIPv4)
        """Verify the hostname within the instance is sanitized

        Freeform characters in the hostname are replaced with dashes
        """
        linux_client = remote_client.RemoteClient(
            self.get_server_ip(test_server, validation_resources),
            self.ssh_user,
            self.password,
            validation_resources['keypair']['private_key'],
            server=test_server,
            servers_client=self.client)
        hostname = linux_client.exec_command("hostname").rstrip()
        self.assertEqual('guest-instance-1-domain-com', hostname)
Exemple #22
0
    def create_trustor_and_roles(self):
        # create a project that trusts will be granted on
        trustor_project_name = data_utils.rand_name(name='project')
        project = self.projects_client.create_project(
            trustor_project_name,
            domain_id=CONF.identity.default_domain_id)['project']
        self.trustor_project_id = project['id']
        self.assertIsNotNone(self.trustor_project_id)

        # Create a trustor User
        trustor_username = data_utils.rand_name('user')
        u_desc = trustor_username + 'description'
        u_email = trustor_username + '@testmail.xx'
        trustor_password = data_utils.rand_password()
        user = self.users_client.create_user(
            name=trustor_username,
            description=u_desc,
            password=trustor_password,
            email=u_email,
            project_id=self.trustor_project_id,
            domain_id=CONF.identity.default_domain_id)['user']
        self.trustor_user_id = user['id']

        # And two roles, one we'll delegate and one we won't
        self.delegated_role = data_utils.rand_name('DelegatedRole')
        self.not_delegated_role = data_utils.rand_name('NotDelegatedRole')

        role = self.roles_client.create_role(name=self.delegated_role)['role']
        self.delegated_role_id = role['id']

        role = self.roles_client.create_role(
            name=self.not_delegated_role)['role']
        self.not_delegated_role_id = role['id']

        # Assign roles to trustor
        self.roles_client.create_user_role_on_project(
            self.trustor_project_id,
            self.trustor_user_id,
            self.delegated_role_id)
        self.roles_client.create_user_role_on_project(
            self.trustor_project_id,
            self.trustor_user_id,
            self.not_delegated_role_id)

        # Get trustee user ID, use the demo user
        trustee_username = self.non_admin_client.user
        self.trustee_user_id = self.get_user_by_name(trustee_username)['id']
        self.assertIsNotNone(self.trustee_user_id)

        # Initialize a new client with the trustor credentials
        creds = common_creds.get_credentials(
            identity_version='v3',
            username=trustor_username,
            password=trustor_password,
            user_domain_id=CONF.identity.default_domain_id,
            tenant_name=trustor_project_name,
            project_domain_id=CONF.identity.default_domain_id,
            domain_id=CONF.identity.default_domain_id)
        os = clients.Manager(credentials=creds)
        self.trustor_client = os.trusts_client
Exemple #23
0
    def test_get_updated_quotas(self):
        # Verify that GET shows the updated quota set of project
        project_name = data_utils.rand_name('cpu_quota_project')
        project_desc = project_name + '-desc'
        project = self.identity_utils.create_project(name=project_name,
                                                     description=project_desc)
        project_id = project['id']
        self.addCleanup(self.identity_utils.delete_project, project_id)

        self.adm_client.update_quota_set(project_id, ram='5120')
        quota_set = self.adm_client.show_quota_set(project_id)['quota_set']
        self.assertEqual(5120, quota_set['ram'])

        # Verify that GET shows the updated quota set of user
        user_name = data_utils.rand_name('cpu_quota_user')
        password = data_utils.rand_password()
        email = user_name + '@testmail.tm'
        user = self.identity_utils.create_user(username=user_name,
                                               password=password,
                                               project=project,
                                               email=email)
        user_id = user['id']
        self.addCleanup(self.identity_utils.delete_user, user_id)

        self.adm_client.update_quota_set(project_id,
                                         user_id=user_id,
                                         ram='2048')
        quota_set = self.adm_client.show_quota_set(
            project_id, user_id=user_id)['quota_set']
        self.assertEqual(2048, quota_set['ram'])
Exemple #24
0
    def test_user_update(self):
        """Test case to check if updating of user attributes is successful"""
        # Creating first user
        u_name = data_utils.rand_name('user')
        u_desc = u_name + 'description'
        u_email = u_name + '@testmail.tm'
        u_password = data_utils.rand_password()
        user = self.users_client.create_user(
            name=u_name, description=u_desc, password=u_password,
            email=u_email, enabled=False)['user']
        # Delete the User at the end of this method
        self.addCleanup(self.users_client.delete_user, user['id'])

        # Creating second project for updation
        project = self.setup_test_project()

        # Updating user details with new values
        update_kwargs = {'name': data_utils.rand_name('user2'),
                         'description': data_utils.rand_name('desc2'),
                         'project_id': project['id'],
                         'email': '*****@*****.**',
                         'enabled': False}
        updated_user = self.users_client.update_user(
            user['id'], **update_kwargs)['user']
        for field in update_kwargs:
            self.assertEqual(update_kwargs[field], updated_user[field])

        # GET by id after updating
        new_user_get = self.users_client.show_user(user['id'])['user']
        # Assert response body of GET after updation
        for field in update_kwargs:
            self.assertEqual(update_kwargs[field], new_user_get[field])
Exemple #25
0
 def resource_setup(cls):
     admin_client = cls.os_system_admin
     cls.user = {
         'name': data_utils.rand_name('user'),
         'password': data_utils.rand_password(),
     }
     cls.user_id = admin_client.users_v3_client.create_user(
         **cls.user)['user']['id']
     cls.addClassResourceCleanup(admin_client.users_v3_client.delete_user,
                                 user_id=cls.user_id)
     cls.project_id = admin_client.projects_client.create_project(
         name=data_utils.rand_name())['project']['id']
     cls.addClassResourceCleanup(
         admin_client.projects_client.delete_project,
         project_id=cls.project_id)
     cls.domain_id = admin_client.domains_client.create_domain(
         name=data_utils.rand_name())['domain']['id']
     cls.addClassResourceCleanup(admin_client.domains_client.delete_domain,
                                 domain_id=cls.domain_id)
     cls.addClassResourceCleanup(admin_client.domains_client.update_domain,
                                 domain_id=cls.domain_id,
                                 enabled=False)
     role_id = admin_client.roles_v3_client.create_role(
         name=data_utils.rand_name())['role']['id']
     cls.addClassResourceCleanup(admin_client.roles_v3_client.delete_role,
                                 role_id=role_id)
     admin_client.roles_v3_client.create_user_role_on_project(
         project_id=cls.project_id, user_id=cls.user_id, role_id=role_id)
     admin_client.roles_v3_client.create_user_role_on_domain(
         domain_id=cls.domain_id, user_id=cls.user_id, role_id=role_id)
     admin_client.roles_v3_client.create_user_role_on_system(
         user_id=cls.user_id, role_id=role_id)
Exemple #26
0
    def _get_updated_quotas(self):
        # Verify that GET shows the updated quota set of project
        project_name = data_utils.rand_name('cpu_quota_project')
        project_desc = project_name + '-desc'
        project = identity.identity_utils(self.os_admin).create_project(
            name=project_name, description=project_desc)
        project_id = project['id']
        self.addCleanup(identity.identity_utils(self.os_admin).delete_project,
                        project_id)

        self.adm_client.update_quota_set(project_id, ram='5120')
        # Call show_quota_set with detail=true to cover the
        # get_quota_set_details response schema for microversion tests
        quota_set = self.adm_client.show_quota_set(
            project_id, detail=True)['quota_set']
        self.assertEqual(5120, quota_set['ram']['limit'])

        # Verify that GET shows the updated quota set of user
        user_name = data_utils.rand_name('cpu_quota_user')
        password = data_utils.rand_password()
        email = user_name + '@testmail.tm'
        user = identity.identity_utils(self.os_admin).create_user(
            username=user_name, password=password, project=project,
            email=email)
        user_id = user['id']
        self.addCleanup(identity.identity_utils(self.os_admin).delete_user,
                        user_id)

        self.adm_client.update_quota_set(project_id,
                                         user_id=user_id,
                                         ram='2048')
        quota_set = self.adm_client.show_quota_set(
            project_id, user_id=user_id)['quota_set']
        self.assertEqual(2048, quota_set['ram'])
Exemple #27
0
    def recreate_server(cls, server_id, validatable=False, **kwargs):
        """Destroy an existing class level server and creates a new one

        Some test classes use a test server that can be used by multiple
        tests. This is done to optimise runtime and test load.
        If something goes wrong with the test server, it can be rebuilt
        using this helper.

        This helper can also be used for the initial provisioning if no
        server_id is specified.

        :param server_id: UUID of the server to be rebuilt. If None is
            specified, a new server is provisioned.
        :param validatable: whether to the server needs to be
            validatable. When True, validation resources are acquired via
            the `get_class_validation_resources` helper.
        :param kwargs: extra paramaters are passed through to the
            `create_test_server` call.
        :return: the UUID of the created server.
        """
        if server_id:
            cls.delete_server(server_id)

        cls.password = data_utils.rand_password()
        server = cls.create_test_server(
            validatable,
            validation_resources=cls.get_class_validation_resources(
                cls.os_primary),
            wait_until='ACTIVE',
            adminPass=cls.password,
            **kwargs)
        return server['id']
Exemple #28
0
 def resource_setup(cls):
     super(UsersV3TestJSON, cls).resource_setup()
     alt_user = data_utils.rand_name('test_user')
     alt_password = data_utils.rand_password()
     cls.alt_email = alt_user + '@testmail.tm'
     # Create a domain
     cls.domain = cls.create_domain()
     # Create user with Domain
     cls.users = list()
     u1_name = data_utils.rand_name('test_user')
     cls.domain_enabled_user = cls.users_client.create_user(
         name=u1_name,
         password=alt_password,
         email=cls.alt_email,
         domain_id=cls.domain['id'])['user']
     cls.addClassResourceCleanup(cls.users_client.delete_user,
                                 cls.domain_enabled_user['id'])
     cls.users.append(cls.domain_enabled_user)
     # Create default not enabled user
     u2_name = data_utils.rand_name('test_user')
     cls.non_domain_enabled_user = cls.users_client.create_user(
         name=u2_name,
         password=alt_password,
         email=cls.alt_email,
         enabled=False)['user']
     cls.addClassResourceCleanup(cls.users_client.delete_user,
                                 cls.non_domain_enabled_user['id'])
     cls.users.append(cls.non_domain_enabled_user)
Exemple #29
0
 def resource_setup(cls):
     super(InheritsV3TestJSON, cls).resource_setup()
     u_name = data_utils.rand_name('user-')
     u_desc = '%s description' % u_name
     u_email = '*****@*****.**' % u_name
     u_password = data_utils.rand_password()
     cls.domain = cls.create_domain()
     cls.project = cls.projects_client.create_project(
         data_utils.rand_name('project-'),
         description=data_utils.rand_name('project-desc-'),
         domain_id=cls.domain['id'])['project']
     cls.addClassResourceCleanup(cls.projects_client.delete_project,
                                 cls.project['id'])
     cls.group = cls.groups_client.create_group(
         name=data_utils.rand_name('group-'),
         project_id=cls.project['id'],
         domain_id=cls.domain['id'])['group']
     cls.addClassResourceCleanup(cls.groups_client.delete_group,
                                 cls.group['id'])
     if not CONF.identity_feature_enabled.immutable_user_source:
         cls.user = cls.users_client.create_user(
             name=u_name,
             description=u_desc,
             password=u_password,
             email=u_email,
             project_id=cls.project['id'],
             domain_id=cls.domain['id'])['user']
         cls.addClassResourceCleanup(cls.users_client.delete_user,
                                     cls.user['id'])
Exemple #30
0
    def resource_setup(cls):
        super(CredentialsTestJSON, cls).resource_setup()
        cls.projects = list()
        cls.creds_list = [['project_id', 'user_id', 'id'],
                          ['access', 'secret']]
        u_name = data_utils.rand_name('user')
        u_desc = '%s description' % u_name
        u_email = '*****@*****.**' % u_name
        u_password = data_utils.rand_password()
        for _ in range(2):
            project = cls.projects_client.create_project(
                data_utils.rand_name('project'),
                description=data_utils.rand_name('project-desc'))['project']
            cls.addClassResourceCleanup(cls.projects_client.delete_project,
                                        project['id'])
            cls.projects.append(project['id'])

        cls.user_body = cls.users_client.create_user(
            name=u_name,
            description=u_desc,
            password=u_password,
            email=u_email,
            project_id=cls.projects[0])['user']
        cls.addClassResourceCleanup(cls.users_client.delete_user,
                                    cls.user_body['id'])
Exemple #31
0
 def resource_setup(cls):
     super(RolesV3TestJSON, cls).resource_setup()
     cls.roles = list()
     for _ in range(3):
         role_name = data_utils.rand_name(name='role')
         role = cls.roles_client.create_role(name=role_name)['role']
         cls.roles.append(role)
     u_name = data_utils.rand_name('user')
     u_desc = '%s description' % u_name
     u_email = '*****@*****.**' % u_name
     cls.u_password = data_utils.rand_password()
     cls.domain = cls.create_domain()
     cls.project = cls.projects_client.create_project(
         data_utils.rand_name('project'),
         description=data_utils.rand_name('project-desc'),
         domain_id=cls.domain['id'])['project']
     cls.group_body = cls.groups_client.create_group(
         name=data_utils.rand_name('Group'),
         project_id=cls.project['id'],
         domain_id=cls.domain['id'])['group']
     cls.user_body = cls.users_client.create_user(
         name=u_name,
         description=u_desc,
         password=cls.u_password,
         email=u_email,
         project_id=cls.project['id'],
         domain_id=cls.domain['id'])['user']
     cls.role = cls.roles_client.create_role(
         name=data_utils.rand_name('Role'))['role']
Exemple #32
0
 def resource_setup(cls):
     super(InheritsV3TestJSON, cls).resource_setup()
     u_name = data_utils.rand_name('user-')
     u_desc = '%s description' % u_name
     u_email = '*****@*****.**' % u_name
     u_password = data_utils.rand_password()
     cls.domain = cls.create_domain()
     cls.project = cls.projects_client.create_project(
         data_utils.rand_name('project-'),
         description=data_utils.rand_name('project-desc-'),
         domain_id=cls.domain['id'])['project']
     cls.addClassResourceCleanup(cls.projects_client.delete_project,
                                 cls.project['id'])
     cls.group = cls.groups_client.create_group(
         name=data_utils.rand_name('group-'), project_id=cls.project['id'],
         domain_id=cls.domain['id'])['group']
     cls.addClassResourceCleanup(cls.groups_client.delete_group,
                                 cls.group['id'])
     if not CONF.identity_feature_enabled.immutable_user_source:
         cls.user = cls.users_client.create_user(
             name=u_name,
             description=u_desc,
             password=u_password,
             email=u_email,
             project_id=cls.project['id'],
             domain_id=cls.domain['id']
         )['user']
         cls.addClassResourceCleanup(cls.users_client.delete_user,
                                     cls.user['id'])
Exemple #33
0
 def test_create_server_with_personality(self):
     """Test creating server with file injection"""
     file_contents = 'This is a test file.'
     file_path = '/test.txt'
     personality = [{
         'path': file_path,
         'contents': base64.encode_as_text(file_contents)
     }]
     password = data_utils.rand_password()
     validation_resources = self.get_test_validation_resources(
         self.os_primary)
     created_server = self.create_test_server(
         personality=personality,
         adminPass=password,
         wait_until='ACTIVE',
         validatable=True,
         validation_resources=validation_resources)
     self.addCleanup(waiters.wait_for_server_termination,
                     self.servers_client, created_server['id'])
     self.addCleanup(test_utils.call_and_ignore_notfound_exc,
                     self.servers_client.delete_server,
                     created_server['id'])
     server = self.client.show_server(created_server['id'])['server']
     if CONF.validation.run_validation:
         linux_client = remote_client.RemoteClient(
             self.get_server_ip(server, validation_resources),
             self.ssh_user,
             password,
             validation_resources['keypair']['private_key'],
             server=server,
             servers_client=self.client)
         self.assertEqual(
             file_contents,
             linux_client.exec_command('sudo cat %s' % file_path))
Exemple #34
0
    def test_user_account_lockout(self):
        if (CONF.identity.user_lockout_failure_attempts <= 0
                or CONF.identity.user_lockout_duration <= 0):
            raise self.skipException(
                "Both CONF.identity.user_lockout_failure_attempts and "
                "CONF.identity.user_lockout_duration should be greater than "
                "zero to test this feature")

        password = self.creds.password

        # First, we login using the correct credentials
        self.non_admin_token.auth(user_id=self.user_id, password=password)

        # Lock user account by using the wrong password to login
        bad_password = data_utils.rand_password()
        for _ in range(CONF.identity.user_lockout_failure_attempts):
            self.assertRaises(exceptions.Unauthorized,
                              self.non_admin_token.auth,
                              user_id=self.user_id,
                              password=bad_password)

        # The user account must be locked, so now it is not possible to login
        # even using the correct password
        self.assertRaises(exceptions.Unauthorized,
                          self.non_admin_token.auth,
                          user_id=self.user_id,
                          password=password)

        # If we wait the required time, the user account will be unlocked
        time.sleep(CONF.identity.user_lockout_duration + 1)
        self.non_admin_token.auth(user_id=self.user_id, password=password)
Exemple #35
0
    def setup_user_client(self, project_id=None):
        """Set up project user with its own client.

        This is useful for testing protection of resources in separate
        projects.

        Returns a client object and the user's ID.
        """
        user_dict = {
            'name': data_utils.rand_name('user'),
            'password': data_utils.rand_password(),
        }
        user_id = self.os_system_admin.users_v3_client.create_user(
            **user_dict)['user']['id']
        self.addCleanup(self.os_system_admin.users_v3_client.delete_user,
                        user_id)

        if not project_id:
            project_id = self.os_system_admin.projects_client.create_project(
                data_utils.rand_name())['project']['id']
            self.addCleanup(
                self.os_system_admin.projects_client.delete_project,
                project_id)

        member_role_id = self.os_system_admin.roles_v3_client.list_roles(
            name='member')['roles'][0]['id']
        self.os_system_admin.roles_v3_client.create_user_role_on_project(
            project_id, user_id, member_role_id)
        creds = auth.KeystoneV3Credentials(user_id=user_id,
                                           password=user_dict['password'],
                                           project_id=project_id)
        auth_provider = clients.get_auth_provider(creds)
        creds = auth_provider.fill_credentials()
        client = clients.Manager(credentials=creds)
        return client
Exemple #36
0
    def test_associate_user_to_project(self):
        # Associate a user to a project
        # Create a Project
        project = self.setup_test_project()

        # Create a User
        u_name = data_utils.rand_name('user')
        u_desc = u_name + 'description'
        u_email = u_name + '@testmail.tm'
        u_password = data_utils.rand_password()
        user = self.users_client.create_user(name=u_name,
                                             description=u_desc,
                                             password=u_password,
                                             email=u_email,
                                             project_id=project['id'])['user']
        # Delete the User at the end of this method
        self.addCleanup(self.users_client.delete_user, user['id'])

        # Get User To validate the user details
        new_user_get = self.users_client.show_user(user['id'])['user']
        # Assert response body of GET
        self.assertEqual(u_name, new_user_get['name'])
        self.assertEqual(u_desc, new_user_get['description'])
        self.assertEqual(project['id'], new_user_get['project_id'])
        self.assertEqual(u_email, new_user_get['email'])
Exemple #37
0
 def test_authentication_with_invalid_username(self):
     # Non-existent user's token should not get authenticated
     password = data_utils.rand_password()
     user = self.setup_test_user(password)
     tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
     self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
                       'junkuser123', password, tenant['name'])
Exemple #38
0
    def create_trustor_and_roles(self):
        # create a project that trusts will be granted on
        trustor_project_name = data_utils.rand_name(name='project')
        project = self.projects_client.create_project(
            trustor_project_name,
            domain_id=CONF.identity.default_domain_id)['project']
        self.trustor_project_id = project['id']
        self.assertIsNotNone(self.trustor_project_id)

        # Create a trustor User
        trustor_username = data_utils.rand_name('user')
        u_desc = trustor_username + 'description'
        u_email = trustor_username + '@testmail.xx'
        trustor_password = data_utils.rand_password()
        user = self.users_client.create_user(
            name=trustor_username,
            description=u_desc,
            password=trustor_password,
            email=u_email,
            project_id=self.trustor_project_id,
            domain_id=CONF.identity.default_domain_id)['user']
        self.trustor_user_id = user['id']

        # And two roles, one we'll delegate and one we won't
        self.delegated_role = data_utils.rand_name('DelegatedRole')
        self.not_delegated_role = data_utils.rand_name('NotDelegatedRole')

        role = self.roles_client.create_role(name=self.delegated_role)['role']
        self.delegated_role_id = role['id']

        role = self.roles_client.create_role(
            name=self.not_delegated_role)['role']
        self.not_delegated_role_id = role['id']

        # Assign roles to trustor
        self.roles_client.create_user_role_on_project(
            self.trustor_project_id,
            self.trustor_user_id,
            self.delegated_role_id)
        self.roles_client.create_user_role_on_project(
            self.trustor_project_id,
            self.trustor_user_id,
            self.not_delegated_role_id)

        # Get trustee user ID, use the demo user
        trustee_username = self.non_admin_client.user
        self.trustee_user_id = self.get_user_by_name(trustee_username)['id']
        self.assertIsNotNone(self.trustee_user_id)

        # Initialize a new client with the trustor credentials
        creds = common_creds.get_credentials(
            identity_version='v3',
            username=trustor_username,
            password=trustor_password,
            user_domain_id=CONF.identity.default_domain_id,
            tenant_name=trustor_project_name,
            project_domain_id=CONF.identity.default_domain_id,
            domain_id=CONF.identity.default_domain_id)
        os = clients.Manager(credentials=creds)
        self.trustor_client = os.trusts_client
Exemple #39
0
    def recreate_server(cls, server_id, validatable=False, **kwargs):
        """Destroy an existing class level server and creates a new one

        Some test classes use a test server that can be used by multiple
        tests. This is done to optimise runtime and test load.
        If something goes wrong with the test server, it can be rebuilt
        using this helper.

        This helper can also be used for the initial provisioning if no
        server_id is specified.

        :param server_id: UUID of the server to be rebuilt. If None is
            specified, a new server is provisioned.
        :param validatable: whether to the server needs to be
            validatable. When True, validation resources are acquired via
            the `get_class_validation_resources` helper.
        :param kwargs: extra paramaters are passed through to the
            `create_test_server` call.
        :return: the UUID of the created server.
        """
        if server_id:
            cls.delete_server(server_id)

        cls.password = data_utils.rand_password()
        server = cls.create_test_server(
            validatable,
            validation_resources=cls.get_class_validation_resources(
                cls.os_primary),
            wait_until='ACTIVE',
            adminPass=cls.password,
            **kwargs)
        return server['id']
Exemple #40
0
    def test_user_update_own_password(self):
        """test updating user's own password via v2 API"""
        old_pass = self.creds.password
        old_token = self.non_admin_users_client.token
        new_pass = data_utils.rand_password()
        user_id = self.creds.user_id

        # to change password back. important for use_dynamic_credentials=false
        self.addCleanup(self._restore_password, user_id, old_pass, new_pass)

        # user updates own password
        self._update_password(
            user_id, original_password=old_pass, password=new_pass)

        # authorize with old token should lead to Unauthorized
        self.assertRaises(exceptions.Unauthorized,
                          self.non_admin_token_client.auth_token,
                          old_token)

        # authorize with old password should lead to Unauthorized
        self.assertRaises(exceptions.Unauthorized,
                          self.non_admin_token_client.auth,
                          self.username,
                          old_pass,
                          self.tenant_name)
Exemple #41
0
 def resource_setup(cls):
     super(RolesV3TestJSON, cls).resource_setup()
     cls.roles = list()
     for _ in range(3):
         role_name = data_utils.rand_name(name='role')
         role = cls.roles_client.create_role(name=role_name)['role']
         cls.roles.append(role)
     u_name = data_utils.rand_name('user')
     u_desc = '%s description' % u_name
     u_email = '*****@*****.**' % u_name
     cls.u_password = data_utils.rand_password()
     cls.domain = cls.create_domain()
     cls.project = cls.projects_client.create_project(
         data_utils.rand_name('project'),
         description=data_utils.rand_name('project-desc'),
         domain_id=cls.domain['id'])['project']
     cls.group_body = cls.groups_client.create_group(
         name=data_utils.rand_name('Group'), project_id=cls.project['id'],
         domain_id=cls.domain['id'])['group']
     cls.user_body = cls.users_client.create_user(
         name=u_name, description=u_desc, password=cls.u_password,
         email=u_email, project_id=cls.project['id'],
         domain_id=cls.domain['id'])['user']
     cls.role = cls.roles_client.create_role(
         name=data_utils.rand_name('Role'))['role']
Exemple #42
0
 def test_authentication_with_invalid_tenant(self):
     # User's token for an invalid tenant should not be authenticated
     password = data_utils.rand_password()
     user = self.setup_test_user(password)
     self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
                       user['name'],
                       password,
                       'junktenant1234')
Exemple #43
0
    def _rebuild_server(self, server_id):
        # Destroy an existing server and creates a new one.
        if server_id:
            self.delete_server(server_id)

        self.password = data_utils.rand_password()
        return self.create_test_server(
            wait_until='ACTIVE', adminPass=self.password)
Exemple #44
0
    def _create_creds(self, admin=False, roles=None):
        """Create credentials with random name.

        Creates project and user. When admin flag is True create user
        with admin role. Assign user with additional roles (for example
        _member_) and roles requested by caller.

        :param admin: Flag if to assign to the user admin role
        :type admin: bool
        :param roles: Roles to assign for the user
        :type roles: list
        :return: Readonly Credentials with network resources
        """
        root = self.name

        project_name = data_utils.rand_name(root, prefix=self.resource_prefix)
        project_desc = project_name + "-desc"
        project = self.creds_client.create_project(
            name=project_name, description=project_desc)

        # NOTE(andreaf) User and project can be distinguished from the context,
        # having the same ID in both makes it easier to match them and debug.
        username = project_name
        user_password = data_utils.rand_password()
        email = data_utils.rand_name(
            root, prefix=self.resource_prefix) + "@example.com"
        user = self.creds_client.create_user(
            username, user_password, project, email)
        role_assigned = False
        if admin:
            self.creds_client.assign_user_role(user, project, self.admin_role)
            role_assigned = True
            if (self.identity_version == 'v3' and
                    self.identity_admin_domain_scope):
                self.creds_client.assign_user_role_on_domain(
                    user, self.identity_admin_role)
        # Add roles specified in config file
        for conf_role in self.extra_roles:
            self.creds_client.assign_user_role(user, project, conf_role)
            role_assigned = True
        # Add roles requested by caller
        if roles:
            for role in roles:
                self.creds_client.assign_user_role(user, project, role)
                role_assigned = True
        # NOTE(mtreinish) For a user to have access to a project with v3 auth
        # it must beassigned a role on the project. So we need to ensure that
        # our newly created user has a role on the newly created project.
        if self.identity_version == 'v3' and not role_assigned:
            try:
                self.creds_client.create_user_role('Member')
            except lib_exc.Conflict:
                LOG.warning('Member role already exists, ignoring conflict.')
            self.creds_client.assign_user_role(user, project, 'Member')

        creds = self.creds_client.get_credentials(user, project, user_password)
        return cred_provider.TestResources(creds)
Exemple #45
0
 def test_authentication_for_disabled_user(self):
     # Attempt to authenticate for disabled user should fail
     password = data_utils.rand_password()
     user = self.setup_test_user(password)
     self.disable_user(user['name'], user['domain_id'])
     self.assertRaises(lib_exc.Unauthorized, self.token.auth,
                       username=user['name'],
                       password=password,
                       user_domain_id=CONF.identity.default_domain_id)
Exemple #46
0
 def test_create_user_for_non_existent_domain(self):
     # Attempt to create a user in a non-existent domain should fail
     u_name = data_utils.rand_name('user')
     u_email = u_name + '@testmail.tm'
     u_password = data_utils.rand_password()
     self.assertRaises(lib_exc.NotFound, self.users_client.create_user,
                       name=u_name, password=u_password,
                       email=u_email,
                       domain_id=data_utils.rand_uuid_hex())
Exemple #47
0
    def resource_setup(cls):
        super(ServerRescueNegativeTestJSON, cls).resource_setup()
        cls.password = data_utils.rand_password()
        rescue_password = data_utils.rand_password()
        # Server for negative tests
        server = cls.create_test_server(adminPass=cls.password,
                                        wait_until='BUILD')
        resc_server = cls.create_test_server(adminPass=rescue_password,
                                             wait_until='ACTIVE')
        cls.server_id = server['id']
        cls.rescue_id = resc_server['id']

        cls.servers_client.rescue_server(
            cls.rescue_id, adminPass=rescue_password)
        waiters.wait_for_server_status(cls.servers_client,
                                       cls.rescue_id, 'RESCUE')
        waiters.wait_for_server_status(cls.servers_client,
                                       cls.server_id, 'ACTIVE')
Exemple #48
0
 def test_create_user_with_duplicate_name(self):
     # Duplicate user should not be created
     password = data_utils.rand_password()
     user = self.setup_test_user(password)
     tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
     self.assertRaises(lib_exc.Conflict, self.users_client.create_user,
                       name=user['name'],
                       password=password,
                       tenantId=tenant['id'],
                       email=user['email'])
Exemple #49
0
 def test_authentication_when_tenant_is_disabled(self):
     # User's token for a disabled tenant should not be authenticated
     password = data_utils.rand_password()
     user = self.setup_test_user(password)
     tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
     self.disable_tenant(tenant['name'])
     self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
                       user['name'],
                       password,
                       tenant['name'])
Exemple #50
0
    def resource_setup(cls):
        super(ServerRescueTestBase, cls).resource_setup()

        password = data_utils.rand_password()
        server = cls.create_test_server(adminPass=password,
                                        wait_until='ACTIVE')
        cls.servers_client.rescue_server(server['id'], adminPass=password)
        waiters.wait_for_server_status(cls.servers_client, server['id'],
                                       'RESCUE')
        cls.rescued_server_id = server['id']
Exemple #51
0
 def test_rescue_unrescue_instance(self):
     password = data_utils.rand_password()
     server = self.create_test_server(adminPass=password,
                                      wait_until='ACTIVE')
     self.servers_client.rescue_server(server['id'], adminPass=password)
     waiters.wait_for_server_status(self.servers_client, server['id'],
                                    'RESCUE')
     self.servers_client.unrescue_server(server['id'])
     waiters.wait_for_server_status(self.servers_client, server['id'],
                                    'ACTIVE')
Exemple #52
0
    def rebuild_server(cls, server_id, validatable=False, **kwargs):
        # Destroy an existing server and creates a new one
        if server_id:
            cls.delete_server(server_id)

        cls.password = data_utils.rand_password()
        server = cls.create_test_server(
            validatable,
            wait_until='ACTIVE',
            adminPass=cls.password,
            **kwargs)
        return server['id']
Exemple #53
0
 def test_user_authentication(self):
     # Valid user's token is authenticated
     password = data_utils.rand_password()
     user = self.setup_test_user(password)
     tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
     # Get a token
     self.token_client.auth(user['name'],
                            password,
                            tenant['name'])
     # Re-auth
     self.token_client.auth(user['name'],
                            password,
                            tenant['name'])
Exemple #54
0
    def test_default_project_id(self):
        # create a domain
        dom_name = data_utils.rand_name('dom')
        domain_body = self.domains_client.create_domain(
            name=dom_name)['domain']
        dom_id = domain_body['id']
        self.addCleanup(self._delete_domain, dom_id)

        # create a project in the domain
        proj_body = self.setup_test_project(domain_id=dom_id)
        proj_id = proj_body['id']
        self.assertEqual(proj_body['domain_id'], dom_id,
                         "project " + proj_body['name'] +
                         "doesn't have domain id " + dom_id)

        # create a user in the domain, with the previous project as his
        # default project
        user_name = data_utils.rand_name('user')
        user_pass = data_utils.rand_password()
        user_body = self.users_client.create_user(
            name=user_name,
            password=user_pass,
            domain_id=dom_id,
            default_project_id=proj_id)['user']
        user_id = user_body['id']
        self.addCleanup(self.users_client.delete_user, user_id)
        self.assertEqual(user_body['domain_id'], dom_id,
                         "user " + user_name +
                         "doesn't have domain id " + dom_id)

        # get roles and find the admin role
        admin_role = self.get_role_by_name(CONF.identity.admin_role)
        admin_role_id = admin_role['id']

        # grant the admin role to the user on his project
        self.roles_client.create_user_role_on_project(proj_id, user_id,
                                                      admin_role_id)

        # create a new client with user's credentials (NOTE: unscoped token!)
        creds = auth.KeystoneV3Credentials(username=user_name,
                                           password=user_pass,
                                           user_domain_name=dom_name)
        auth_provider = clients.get_auth_provider(creds)
        creds = auth_provider.fill_credentials()
        admin_client = clients.Manager(credentials=creds)

        # verify the user's token and see that it is scoped to the project
        token, _ = admin_client.auth_provider.get_auth()
        result = admin_client.identity_v3_client.show_token(token)['token']
        self.assertEqual(result['project']['domain']['id'], dom_id)
        self.assertEqual(result['project']['id'], proj_id)
Exemple #55
0
    def test_user_update_own_password(self):

        def _restore_password(client, user_id, old_pass, new_pass):
            # Reset auth to get a new token with the new password
            client.auth_provider.clear_auth()
            client.auth_provider.credentials.password = new_pass
            client.update_user_own_password(user_id, password=old_pass,
                                            original_password=new_pass)
            # Reset auth again to verify the password restore does work.
            # Clear auth restores the original credentials and deletes
            # cached auth data
            client.auth_provider.clear_auth()
            # NOTE(lbragstad): Fernet tokens are not subsecond aware and
            # Keystone should only be precise to the second. Sleep to ensure we
            # are passing the second boundary before attempting to
            # authenticate.
            time.sleep(1)
            client.auth_provider.set_auth()

        old_pass = self.creds.password
        new_pass = data_utils.rand_password()
        user_id = self.creds.user_id
        # to change password back. important for allow_tenant_isolation = false
        self.addCleanup(_restore_password, self.non_admin_users_client,
                        user_id, old_pass=old_pass, new_pass=new_pass)

        # user updates own password
        self.non_admin_users_client.update_user_own_password(
            user_id, password=new_pass, original_password=old_pass)
        # NOTE(morganfainberg): Fernet tokens are not subsecond aware and
        # Keystone should only be precise to the second. Sleep to ensure
        # we are passing the second boundary.
        time.sleep(1)

        # check authorization with new password
        self.non_admin_token_client.auth(self.username,
                                         new_pass,
                                         self.tenant_name)

        # authorize with old token should lead to Unauthorized
        self.assertRaises(exceptions.Unauthorized,
                          self.non_admin_token_client.auth_token,
                          self.non_admin_users_client.token)

        # authorize with old password should lead to Unauthorized
        self.assertRaises(exceptions.Unauthorized,
                          self.non_admin_token_client.auth,
                          self.username,
                          old_pass,
                          self.tenant_name)
Exemple #56
0
    def create_test_user(self, **kwargs):
        if kwargs.get('password', None) is None:
            kwargs['password'] = data_utils.rand_password()
        if 'name' not in kwargs:
            kwargs['name'] = data_utils.rand_name('test_user')
        if 'email' not in kwargs:
            kwargs['email'] = kwargs['name'] + '@testmail.tm'

        user = self.users_client.create_user(**kwargs)['user']
        # Delete the user at the end of the test
        self.addCleanup(
            test_utils.call_and_ignore_notfound_exc,
            self.users_client.delete_user, user['id'])
        return user
Exemple #57
0
 def test_update_user_password(self):
     # Creating User to check password updation
     u_name = data_utils.rand_name('user')
     original_password = data_utils.rand_password()
     user = self.users_client.create_user(
         name=u_name, password=original_password)['user']
     # Delete the User at the end all test methods
     self.addCleanup(self.users_client.delete_user, user['id'])
     # Update user with new password
     new_password = data_utils.rand_password()
     self.users_client.update_user_password(
         user['id'], password=new_password,
         original_password=original_password)
     # NOTE(morganfainberg): Fernet tokens are not subsecond aware and
     # Keystone should only be precise to the second. Sleep to ensure
     # we are passing the second boundary.
     time.sleep(1)
     resp = self.token.auth(user_id=user['id'],
                            password=new_password).response
     subject_token = resp['x-subject-token']
     # Perform GET Token to verify and confirm password is updated
     token_details = self.client.show_token(subject_token)['token']
     self.assertEqual(token_details['user']['id'], user['id'])
     self.assertEqual(token_details['user']['name'], u_name)
Exemple #58
0
def generate_resources(opts):
    spec = [{'number': 1,
             'prefix': 'primary',
             'roles': (CONF.auth.tempest_roles +
                       [CONF.object_storage.operator_role])},
            {'number': 1,
             'prefix': 'alt',
             'roles': (CONF.auth.tempest_roles +
                       [CONF.object_storage.operator_role])}]
    if CONF.service_available.swift:
        spec.append({'number': 1,
                     'prefix': 'swift_operator',
                     'roles': (CONF.auth.tempest_roles +
                               [CONF.object_storage.operator_role])})
        spec.append({'number': 1,
                     'prefix': 'swift_reseller_admin',
                     'roles': (CONF.auth.tempest_roles +
                               [CONF.object_storage.reseller_admin_role])})
    if CONF.service_available.heat:
        spec.append({'number': 1,
                     'prefix': 'stack_owner',
                     'roles': (CONF.auth.tempest_roles +
                               [CONF.orchestration.stack_owner_role])})
    if opts.admin:
        spec.append({
            'number': 1,
            'prefix': 'admin',
            'roles': (CONF.auth.tempest_roles +
                      [CONF.identity.admin_role])
        })
    resources = {'tenants': [],
                 'users': []}
    for count in range(opts.concurrency):
        for user_group in spec:
            users = [random_user_name(opts.tag, user_group['prefix'])
                     for _ in range(user_group['number'])]
            for user in users:
                tenant = '-'.join((user, 'tenant'))
                resources['tenants'].append(tenant)
                resources['users'].append({
                    'tenant': tenant,
                    'name': user,
                    'pass': data_utils.rand_password(),
                    'prefix': user_group['prefix'],
                    'roles': user_group['roles']
                })
    return resources