def test_trust_deleted_when_project_deleted(self):
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the project will delete the trust.
self.delete(
'/projects/%(project_id)s' % {'project_id': trust['project_id']})
# call the backend method directly to bypass authentication since the
# user no longer has the assignment on the project.
self.assertRaises(exception.TrustNotFound,
self.trust_api.get_trust,
trust['id'])
def test_delete_trust_with_application_credential(self):
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
app_cred = {
'id': uuid.uuid4().hex,
'user_id': self.user_id,
'project_id': self.project_id,
'name': uuid.uuid4().hex,
'roles': [{
'id': self.role_id
}],
'secret': uuid.uuid4().hex
}
app_cred_api = PROVIDERS.application_credential_api
app_cred_api.create_application_credential(app_cred)
auth_data = self.build_authentication_request(
app_cred_id=app_cred['id'], secret=app_cred['secret'])
token_data = self.v3_create_token(auth_data,
expected_status=http_client.CREATED)
# delete the trust
self.delete(path='/OS-TRUST/trusts/%(trust_id)s' %
{'trust_id': trust['id']},
token=token_data.headers['x-subject-token'],
expected_status=http_client.FORBIDDEN)
def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
# get a project-scoped token
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.default_domain_project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(
r, self.trustee_user)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=self.get_admin_token(),
method='GET', expected_status=http_client.UNAUTHORIZED)
def test_trust_deleted_when_project_deleted(self):
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the project will delete the trust.
self.delete(
'/projects/%(project_id)s' % {'project_id': trust['project_id']})
# call the backend method directly to bypass authentication since the
# user no longer has the assignment on the project.
self.assertRaises(exception.TrustNotFound,
PROVIDERS.trust_api.get_trust,
trust['id'])
def test_create_trust_with_application_credential(self):
app_cred = {
'id': uuid.uuid4().hex,
'user_id': self.user_id,
'project_id': self.project_id,
'name': uuid.uuid4().hex,
'roles': [{
'id': self.role_id
}],
'secret': uuid.uuid4().hex
}
app_cred_api = PROVIDERS.application_credential_api
app_cred_api.create_application_credential(app_cred)
auth_data = self.build_authentication_request(
app_cred_id=app_cred['id'], secret=app_cred['secret'])
token_data = self.v3_create_token(auth_data,
expected_status=http_client.CREATED)
trust_body = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
self.post(path='/OS-TRUST/trusts',
body={'trust': trust_body},
token=token_data.headers['x-subject-token'],
expected_status=http_client.FORBIDDEN)
def test_delete_trust_with_application_credential(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
app_cred = {
'id': uuid.uuid4().hex,
'user_id': self.user_id,
'project_id': self.project_id,
'name': uuid.uuid4().hex,
'roles': [{'id': self.role_id}],
'secret': uuid.uuid4().hex
}
app_cred_api = PROVIDERS.application_credential_api
app_cred_api.create_application_credential(app_cred)
auth_data = self.build_authentication_request(
app_cred_id=app_cred['id'], secret=app_cred['secret'])
token_data = self.v3_create_token(auth_data,
expected_status=http_client.CREATED)
# delete the trust
self.delete(path='/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
token=token_data.headers['x-subject-token'],
expected_status=http_client.FORBIDDEN)
def test_create_trust_with_invalid_expiration_fails(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
ref['expires_at'] = 'bad'
self.post(
'/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST
)
ref['expires_at'] = ''
self.post(
'/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST
)
ref['expires_at'] = 'Z'
self.post(
'/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST
)
def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
# get a project-scoped token
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
# create a new trust
ref = unit.new_trust_ref(trustor_user_id=self.default_domain_user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.default_domain_project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, self.trustee_user)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(path=path,
token=self.get_admin_token(),
method='GET',
expected_status=http_client.UNAUTHORIZED)
def test_exercise_trust_scoped_token_with_impersonation(self):
# create a new trust
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
resp_body = resp.json_body['token']
self.assertValidProjectScopedTokenResponse(resp, self.user)
self.assertEqual(self.user['id'], resp_body['user']['id'])
self.assertEqual(self.user['name'], resp_body['user']['name'])
self.assertEqual(self.domain['id'], resp_body['user']['domain']['id'])
self.assertEqual(self.domain['name'],
resp_body['user']['domain']['name'])
self.assertEqual(self.project['id'], resp_body['project']['id'])
self.assertEqual(self.project['name'], resp_body['project']['name'])
def test_list_trusts(self):
# create three trusts with the same trustor and trustee
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
for i in range(3):
ref['expires_at'] = datetime.datetime.utcnow().replace(
year=2032).strftime(unit.TIME_FORMAT)
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
self.assertValidTrustResponse(r, ref)
# list all trusts
r = self.get('/OS-TRUST/trusts')
trusts = r.result['trusts']
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
# list all trusts for the trustor
r = self.get('/OS-TRUST/trusts?trustor_user_id=%s' % self.user_id)
trusts = r.result['trusts']
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
# list all trusts as the trustor as the trustee.
r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' % self.user_id)
trusts = r.result['trusts']
self.assertEqual(0, len(trusts))
# list all trusts as the trustee is forbidden
r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' %
self.trustee_user_id,
expected_status=http_client.FORBIDDEN)
def test_exercise_trust_scoped_token_with_impersonation(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
resp_body = resp.json_body['token']
self.assertValidProjectScopedTokenResponse(resp, self.user)
self.assertEqual(self.user['id'], resp_body['user']['id'])
self.assertEqual(self.user['name'], resp_body['user']['name'])
self.assertEqual(self.domain['id'], resp_body['user']['domain']['id'])
self.assertEqual(self.domain['name'],
resp_body['user']['domain']['name'])
self.assertEqual(self.project['id'], resp_body['project']['id'])
self.assertEqual(self.project['name'], resp_body['project']['name'])
def test_create_trust_with_invalid_expiration_fails(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
ref['expires_at'] = 'bad'
self.post(
'/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST
)
ref['expires_at'] = ''
self.post(
'/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST
)
ref['expires_at'] = 'Z'
self.post(
'/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST
)
def test_create_application_credential_with_trust(self):
second_role = unit.new_role_ref(name='reader')
PROVIDERS.role_api.create_role(second_role['id'], second_role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, second_role['id'])
with self.test_client() as c:
pw_token = self.get_scoped_token()
# create a self-trust - only the roles are important for this test
trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
role_ids=[second_role['id']])
resp = c.post('/v3/OS-TRUST/trusts',
headers={'X-Auth-Token': pw_token},
json={'trust': trust_ref})
trust_id = resp.json['trust']['id']
trust_auth = self.build_authentication_request(
user_id=self.user_id,
password=self.user['password'],
trust_id=trust_id)
trust_token = self.v3_create_token(
trust_auth).headers['X-Subject-Token']
app_cred = self._app_cred_body(roles=[{'id': self.role_id}])
# only the roles from the trust token should be allowed, even if
# the user has the role assigned on the project
c.post('/v3/users/%s/application_credentials' % self.user_id,
headers={'X-Auth-Token': trust_token},
json=app_cred,
expected_status_code=http.client.BAD_REQUEST)
def test_create_trust_with_non_existant_role_name_returns_not_found(self):
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_names=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_with_non_existant_role_name_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_names=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_with_extra_attributes_fails(self):
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
ref['roles'].append({'fake_key': 'fake_value'})
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_trust_with_extra_attributes_fails(self):
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
ref['roles'].append({'fake_key': 'fake_value'})
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_forbidden_trust_impersonation_in_redelegation(self):
"""Test forbiddance of impersonation in trust redelegation.
Check that trustee not allowed to create a trust (with impersonation
set to true) from a redelegated trust (with impersonation set to false)
"""
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
auth_data = self.build_authentication_request(
user_id=self.trustee_user_id,
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
# create third-party user, which will be trustee in trust created from
# redelegated trust
third_party_trustee = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
third_party_trustee_id = third_party_trustee['id']
# create trust from redelegated trust
ref = unit.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=third_party_trustee_id,
project_id=self.project_id,
impersonation=True,
role_ids=[self.role_id])
ref['redelegated_trust_id'] = trust['id']
self.admin_request(path='/v3/OS-TRUST/trusts',
body={'trust': ref},
token=resp.headers.get('X-Subject-Token'),
method='POST',
expected_status=http_client.FORBIDDEN)
def test_create_trust_with_trustee_as_trustor_returns_forbidden(self):
ref = unit.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
role_ids=[self.role_id])
# NOTE(lbragstad): This fails because the user making the request isn't
# the trustor defined in the request.
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.FORBIDDEN)
def test_create_trust_with_trustee_as_trustor_returns_forbidden(self):
ref = unit.new_trust_ref(trustor_user_id=self.trustee_user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
role_ids=[self.role_id])
# NOTE(lbragstad): This fails because the user making the request isn't
# the trustor defined in the request.
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.FORBIDDEN)
def test_forbidden_trust_impersonation_in_redelegation(self):
"""Test forbiddance of impersonation in trust redelegation.
Check that trustee not allowed to create a trust (with impersonation
set to true) from a redelegated trust (with impersonation set to false)
"""
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
auth_data = self.build_authentication_request(
user_id=self.trustee_user_id,
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
# create third-party user, which will be trustee in trust created from
# redelegated trust
third_party_trustee = unit.create_user(self.identity_api,
domain_id=self.domain_id)
third_party_trustee_id = third_party_trustee['id']
# create trust from redelegated trust
ref = unit.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=third_party_trustee_id,
project_id=self.project_id,
impersonation=True,
role_ids=[self.role_id])
ref['redelegated_trust_id'] = trust['id']
self.admin_request(path='/v3/OS-TRUST/trusts',
body={'trust': ref},
token=resp.headers.get('X-Subject-Token'),
method='POST',
expected_status=http_client.FORBIDDEN)
def test_trust_scoped_ec2_credential(self):
"""Call ``POST /credentials`` for creating ec2 credential."""
# Create the trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
# Get a trust scoped token
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(r, self.user)
trust_id = r.result['token']['OS-TRUST:trust']['id']
token_id = r.headers.get('X-Subject-Token')
# Create the credential with the trust scoped token
ref = self.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
blob = {"access": uuid.uuid4().hex,
"secret": uuid.uuid4().hex}
ref['blob'] = json.dumps(blob)
ref['type'] = 'ec2'
r = self.post(
'/credentials',
body={'credential': ref},
token=token_id)
# We expect the response blob to contain the trust_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['trust_id'] = trust_id
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
self.assertEqual(hashlib.sha256(blob['access']).hexdigest(),
r.result['credential']['id'])
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post(
'/credentials',
body={'credential': ref},
token=token_id,
expected_status=http_client.CONFLICT)
def test_validate_v3_token_trust(self):
# Check the trust fields in the token result when use validate_v3_token
# when the token has trust info.
domain_ref = unit.new_domain_ref()
domain_ref = PROVIDERS.resource_api.create_domain(
domain_ref['id'], domain_ref
)
user_ref = unit.new_user_ref(domain_ref['id'])
user_ref = PROVIDERS.identity_api.create_user(user_ref)
trustor_user_ref = unit.new_user_ref(domain_ref['id'])
trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref)
project_ref = unit.new_project_ref(domain_id=domain_ref['id'])
project_ref = PROVIDERS.resource_api.create_project(
project_ref['id'], project_ref
)
role_ref = unit.new_role_ref()
role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=user_ref['id'],
project_id=project_ref['id'])
PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=trustor_user_ref['id'],
project_id=project_ref['id'])
trustor_user_id = trustor_user_ref['id']
trustee_user_id = user_ref['id']
trust_ref = unit.new_trust_ref(
trustor_user_id, trustee_user_id, project_id=project_ref['id'],
role_ids=[role_ref['id'], ])
trust_ref = PROVIDERS.trust_api.create_trust(
trust_ref['id'], trust_ref, trust_ref['roles']
)
method_names = ['password']
token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
user_ref['id'], method_names, project_id=project_ref['id'],
trust=trust_ref)
token_data = PROVIDERS.token_provider_api.validate_token(token_id)
token = token_data['token']
exp_trust_info = {
'id': trust_ref['id'],
'impersonation': False,
'trustee_user': {'id': user_ref['id'], },
'trustor_user': {'id': trustor_user_ref['id'], },
}
self.assertEqual(exp_trust_info, token['OS-TRUST:trust'])
def test_validate_v3_token_trust(self):
# Check the trust fields in the token result when use validate_v3_token
# when the token has trust info.
domain_ref = unit.new_domain_ref()
domain_ref = PROVIDERS.resource_api.create_domain(
domain_ref['id'], domain_ref
)
user_ref = unit.new_user_ref(domain_ref['id'])
user_ref = PROVIDERS.identity_api.create_user(user_ref)
trustor_user_ref = unit.new_user_ref(domain_ref['id'])
trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref)
project_ref = unit.new_project_ref(domain_id=domain_ref['id'])
project_ref = PROVIDERS.resource_api.create_project(
project_ref['id'], project_ref
)
role_ref = unit.new_role_ref()
role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=user_ref['id'],
project_id=project_ref['id'])
PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=trustor_user_ref['id'],
project_id=project_ref['id'])
trustor_user_id = trustor_user_ref['id']
trustee_user_id = user_ref['id']
trust_ref = unit.new_trust_ref(
trustor_user_id, trustee_user_id, project_id=project_ref['id'],
role_ids=[role_ref['id'], ])
trust_ref = PROVIDERS.trust_api.create_trust(
trust_ref['id'], trust_ref, trust_ref['roles']
)
method_names = ['password']
token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
user_ref['id'], method_names, project_id=project_ref['id'],
trust=trust_ref)
token_data = PROVIDERS.token_provider_api.validate_token(token_id)
token = token_data['token']
exp_trust_info = {
'id': trust_ref['id'],
'impersonation': False,
'trustee_user': {'id': user_ref['id'], },
'trustor_user': {'id': trustor_user_ref['id'], },
}
self.assertEqual(exp_trust_info, token['OS-TRUST:trust'])
def test_create_trust_with_expiration_in_the_past_fails(self):
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires='2010-06-04T08:44:31.999999Z',
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_trust_with_bad_remaining_uses_returns_bad_request(self):
# negative numbers, strings, non-integers, and 0 are not value values
for value in [-1, 0, "a bad value", 7.2]:
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
remaining_uses=value,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_list_trusts(self):
# create three trusts with the same trustor and trustee
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
for i in range(3):
ref['expires_at'] = datetime.datetime.utcnow().replace(
year=2032).strftime(unit.TIME_FORMAT)
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
self.assertValidTrustResponse(r, ref)
# list all trusts
list_url = '/OS-TRUST/trusts'
r = self.get(list_url)
self.head(list_url, expected_status=http_client.OK)
trusts = r.result['trusts']
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
# list all trusts for the trustor
list_for_trustor_url = (
'/OS-TRUST/trusts?trustor_user_id=%s' % self.user_id
)
r = self.get(list_for_trustor_url)
self.head(list_for_trustor_url, expected_status=http_client.OK)
trusts = r.result['trusts']
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
# list all trusts as the trustor as the trustee.
list_as_trustor_url = (
'/OS-TRUST/trusts?trustee_user_id=%s' % self.user_id
)
r = self.get(list_as_trustor_url)
self.head(list_as_trustor_url, expected_status=http_client.OK)
trusts = r.result['trusts']
self.assertEqual(0, len(trusts))
# list all trusts as the trustee is forbidden
list_all_as_trustee_url = (
'/OS-TRUST/trusts?trustee_user_id=%s' % self.trustee_user_id
)
r = self.get(
list_all_as_trustee_url,
expected_status=http_client.FORBIDDEN
)
self.head(
list_all_as_trustee_url,
expected_status=http_client.FORBIDDEN
)
def test_delete_trust(self):
trustor = unit.new_user_ref(domain_id=self.domain_id)
trustor = self.identity_api.create_user(trustor)
trustee = unit.new_user_ref(domain_id=self.domain_id)
trustee = self.identity_api.create_user(trustee)
role_ref = unit.new_role_ref()
trust_ref = unit.new_trust_ref(trustor["id"], trustee["id"])
self.trust_api.create_trust(trust_ref["id"], trust_ref, [role_ref])
self.trust_api.delete_trust(trust_ref["id"])
self._assert_last_note(trust_ref["id"], DELETED_OPERATION, "OS-TRUST:trust")
self._assert_last_audit(trust_ref["id"], DELETED_OPERATION, "OS-TRUST:trust", cadftaxonomy.SECURITY_TRUST)
def test_create_trust_with_bad_remaining_uses_returns_bad_request(self):
# negative numbers, strings, non-integers, and 0 are not value values
for value in [-1, 0, "a bad value", 7.2]:
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
remaining_uses=value,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_trust_without_impersonation_returns_bad_request(self):
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
# impersonation is required to create a trust
del ref['impersonation']
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_trust_scoped_ec2_credential(self):
"""Test creating trust scoped ec2 credential.
Call ``POST /credentials``.
"""
# Create the trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
# Get a trust scoped token
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, self.user)
trust_id = r.result['token']['OS-TRUST:trust']['id']
token_id = r.headers.get('X-Subject-Token')
# Create the credential with the trust scoped token
blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref}, token=token_id)
# We expect the response blob to contain the trust_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['trust_id'] = trust_id
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(hashlib.sha256(access).hexdigest(),
r.result['credential']['id'])
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post(
'/credentials',
body={'credential': ref},
token=token_id,
expected_status=http_client.CONFLICT)
def test_create_trust_with_role_name_ambiguous_returns_bad_request(self):
# Create second role with the same name
role_ref = unit.new_role_ref(name=self.role['name'],
domain_id=uuid.uuid4().hex)
self.post('/roles', body={'role': role_ref})
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_names=[self.role['name']])
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_trust_without_impersonation_returns_bad_request(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
# impersonation is required to create a trust
del ref['impersonation']
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_trust_crud(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
# get the trust
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
self.assertValidTrustResponse(r, ref)
# validate roles on the trust
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s/roles' % {
'trust_id': trust['id']})
roles = self.assertValidRoleListResponse(r, self.role)
self.assertIn(self.role['id'], [x['id'] for x in roles])
self.head(
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']},
expected_status=http_client.OK)
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']})
self.assertValidRoleResponse(r, self.role)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertValidTrustListResponse(r, trust)
# trusts are immutable
self.patch(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
body={'trust': ref},
expected_status=http_client.NOT_FOUND)
# delete the trust
self.delete(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
# ensure the trust is not found
self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
def test_create_trust_with_role_name_ambiguous_returns_bad_request(self):
# Create second role with the same name
role_ref = unit.new_role_ref(name=self.role['name'],
domain_id=uuid.uuid4().hex)
self.post('/roles', body={'role': role_ref})
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_names=[self.role['name']]
)
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_oauth_token_cannot_create_new_trust(self):
self.test_oauth_flow()
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
self.post('/OS-TRUST/trusts',
body={'trust': ref},
token=self.keystone_token_id,
expected_status=http_client.FORBIDDEN)
def test_trust_crud(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
# get the trust
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
self.assertValidTrustResponse(r, ref)
# validate roles on the trust
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s/roles' % {
'trust_id': trust['id']})
roles = self.assertValidRoleListResponse(r, self.role)
self.assertIn(self.role['id'], [x['id'] for x in roles])
self.head(
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']},
expected_status=http_client.OK)
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']})
self.assertValidRoleResponse(r, self.role)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertValidTrustListResponse(r, trust)
# trusts are immutable
self.patch(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
body={'trust': ref},
expected_status=http_client.NOT_FOUND)
# delete the trust
self.delete(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
# ensure the trust is not found
self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
def test_create_trust_with_expiration_in_the_past_fails(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires='2010-06-04T08:44:31.999999Z',
role_ids=[self.role_id]
)
self.post(
'/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST
)
def test_oauth_token_cannot_create_new_trust(self):
self.test_oauth_flow()
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
self.post('/OS-TRUST/trusts',
body={'trust': ref},
token=self.keystone_token_id,
expected_status=http_client.FORBIDDEN)
def test_trust_duplicate_conflict_gives_name(self):
trustor = unit.new_user_ref(domain_id=self.domain_id)
trustor = self.identity_api.create_user(trustor)
trustee = unit.new_user_ref(domain_id=self.domain_id)
trustee = self.identity_api.create_user(trustee)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
trust_ref = unit.new_trust_ref(trustor['id'], trustee['id'])
self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
try:
self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% trust_ref['id'], repr(e))
else:
self.fail("Create duplicate trust did not raise a conflict")
def test_trust_duplicate_conflict_gives_name(self):
trustor = unit.new_user_ref(domain_id=self.domain_id)
trustor = self.identity_api.create_user(trustor)
trustee = unit.new_user_ref(domain_id=self.domain_id)
trustee = self.identity_api.create_user(trustee)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
trust_ref = unit.new_trust_ref(trustor['id'], trustee['id'])
self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
try:
self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s" % trust_ref['id'],
repr(e))
else:
self.fail("Create duplicate trust did not raise a conflict")
def test_trust_scoped_ec2_credential(self):
"""Test creating trust scoped ec2 credential.
Call ``POST /credentials``.
"""
# Create the trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id],
)
del ref["id"]
r = self.post("/OS-TRUST/trusts", body={"trust": ref})
trust = self.assertValidTrustResponse(r)
# Get a trust scoped token
auth_data = self.build_authentication_request(
user_id=self.trustee_user["id"], password=self.trustee_user["password"], trust_id=trust["id"]
)
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, self.user)
trust_id = r.result["token"]["OS-TRUST:trust"]["id"]
token_id = r.headers.get("X-Subject-Token")
# Create the credential with the trust scoped token
blob, ref = unit.new_ec2_credential(user_id=self.user["id"], project_id=self.project_id)
r = self.post("/credentials", body={"credential": ref}, token=token_id)
# We expect the response blob to contain the trust_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob["trust_id"] = trust_id
ret_ref["blob"] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob["access"].encode("utf-8")
self.assertEqual(hashlib.sha256(access).hexdigest(), r.result["credential"]["id"])
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post("/credentials", body={"credential": ref}, token=token_id, expected_status=http_client.CONFLICT)
def test_trust_deleted_when_user_deleted(self):
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the trustee will delete the trust
self.delete(
'/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})
self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
# create another user as the new trustee
trustee_user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
trustee_user_id = trustee_user['id']
# create the trust again
ref['trustee_user_id'] = trustee_user_id
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the trustor will delete the trust
self.delete(
'/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})
# call the backend method directly to bypass authentication since the
# user has been deleted.
self.assertRaises(exception.TrustNotFound,
PROVIDERS.trust_api.get_trust,
trust['id'])
def test_trust_deleted_when_user_deleted(self):
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the trustee will delete the trust
self.delete(
'/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})
self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
# create another user as the new trustee
trustee_user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
trustee_user_id = trustee_user['id']
# create the trust again
ref['trustee_user_id'] = trustee_user_id
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the trustor will delete the trust
self.delete(
'/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})
# call the backend method directly to bypass authentication since the
# user has been deleted.
self.assertRaises(exception.TrustNotFound,
self.trust_api.get_trust,
trust['id'])
def test_validate_v3_token_trust(self):
# Check the trust fields in the token result when use validate_v3_token
# when the token has trust info.
domain_ref = unit.new_domain_ref()
domain_ref = self.resource_api.create_domain(domain_ref["id"], domain_ref)
user_ref = unit.new_user_ref(domain_ref["id"])
user_ref = self.identity_api.create_user(user_ref)
trustor_user_ref = unit.new_user_ref(domain_ref["id"])
trustor_user_ref = self.identity_api.create_user(trustor_user_ref)
project_ref = unit.new_project_ref(domain_id=domain_ref["id"])
project_ref = self.resource_api.create_project(project_ref["id"], project_ref)
role_ref = unit.new_role_ref()
role_ref = self.role_api.create_role(role_ref["id"], role_ref)
self.assignment_api.create_grant(role_ref["id"], user_id=user_ref["id"], project_id=project_ref["id"])
self.assignment_api.create_grant(role_ref["id"], user_id=trustor_user_ref["id"], project_id=project_ref["id"])
trustor_user_id = trustor_user_ref["id"]
trustee_user_id = user_ref["id"]
trust_ref = unit.new_trust_ref(
trustor_user_id, trustee_user_id, project_id=project_ref["id"], role_ids=[role_ref["id"]]
)
trust_ref = self.trust_api.create_trust(trust_ref["id"], trust_ref, trust_ref["roles"])
method_names = ["password"]
token_id, token_data_ = self.token_provider_api.issue_v3_token(
user_ref["id"], method_names, project_id=project_ref["id"], trust=trust_ref
)
token_data = self.token_provider_api.validate_v3_token(token_id)
token = token_data["token"]
exp_trust_info = {
"id": trust_ref["id"],
"impersonation": False,
"trustee_user": {"id": user_ref["id"]},
"trustor_user": {"id": trustor_user_ref["id"]},
}
self.assertEqual(exp_trust_info, token["OS-TRUST:trust"])
def test_delete_trust(self):
# create a trust
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
# delete the trust
self.delete('/OS-TRUST/trusts/%(trust_id)s' %
{'trust_id': trust['id']})
# ensure the trust isn't found
self.get('/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
def _create_trust_get_token(self):
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
user_id=self.user['id'],
password=self.user['password'],
trust_id=trust['id'])
return self.get_requested_token(auth_data)
def _create_trust_get_token(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
user_id=self.user['id'],
password=self.user['password'],
trust_id=trust['id'])
return self.get_requested_token(auth_data)
def test_delete_trust(self):
# create a trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
# delete the trust
self.delete('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']})
# ensure the trust isn't found
self.get('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
def test_trusts_do_not_implement_updates(self):
with self.test_client() as c:
# create a new trust
token = self.get_scoped_token()
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
r = c.post('/v3/OS-TRUST/trusts',
json={'trust': ref},
headers={'X-Auth-Token': token})
trust_id = r.json['trust']['id']
c.patch('/v3/OS-TRUST/trusts/%(trust_id)s' %
{'trust_id': trust_id},
json={'trust': ref},
headers={'X-Auth-Token': token},
expected_status_code=http.client.METHOD_NOT_ALLOWED)
c.put('/v3/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust_id},
json={'trust': ref},
headers={'X-Auth-Token': token},
expected_status_code=http.client.METHOD_NOT_ALLOWED)
def test_validate_trust_scoped_token_against_v2(self):
# get a project-scoped token
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
user = unit.new_user_ref(CONF.identity.default_domain_id)
trustee = self.identity_api.create_user(user)
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user['id'],
trustee_user_id=trustee['id'],
project_id=self.default_domain_project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a v3 trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=trustee['id'],
password=user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(
r, trustee)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path,
token=self.get_admin_token(),
method='GET'
)
def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
# create a trustee in default domain to delegate stuff to
trustee_user = unit.create_user(self.identity_api,
domain_id=test_v3.DEFAULT_DOMAIN_ID)
trustee_user_id = trustee_user['id']
# create a new trust
ref = unit.new_trust_ref(trustor_user_id=self.default_domain_user_id,
trustee_user_id=trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
# get a project-scoped token as the default_domain_user
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=trustee_user['id'],
password=trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, trustee_user)
token = r.headers.get('X-Subject-Token')
# ensure the token is invalid against v2
path = '/v2.0/tokens/%s' % (token)
self.admin_request(path=path,
token=self.get_admin_token(),
method='GET',
expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
# create a trustee in default domain to delegate stuff to
trustee_user = unit.create_user(self.identity_api,
domain_id=test_v3.DEFAULT_DOMAIN_ID)
trustee_user_id = trustee_user['id']
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user_id,
trustee_user_id=trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
# get a project-scoped token as the default_domain_user
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=trustee_user['id'],
password=trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, trustee_user)
token = r.headers.get('X-Subject-Token')
# ensure the token is invalid against v2
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=self.get_admin_token(),
method='GET', expected_status=http_client.UNAUTHORIZED)
def new_trust_ref(
self,
trustor_user_id,
trustee_user_id,
project_id=None,
impersonation=None,
expires=None,
role_ids=None,
role_names=None,
remaining_uses=None,
allow_redelegation=False,
):
return tests.new_trust_ref(
trustor_user_id,
trustee_user_id,
project_id=project_id,
impersonation=impersonation,
expires=expires,
role_ids=role_ids,
role_names=role_names,
remaining_uses=remaining_uses,
allow_redelegation=allow_redelegation,
)
def test_trusts_do_not_implement_updates(self):
with self.test_client() as c:
# create a new trust
token = self.get_scoped_token()
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
r = c.post('/v3/OS-TRUST/trusts',
json={'trust': ref},
headers={'X-Auth-Token': token})
trust_id = r.json['trust']['id']
c.patch(
'/v3/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust_id},
json={'trust': ref},
headers={'X-Auth-Token': token},
expected_status_code=http_client.METHOD_NOT_ALLOWED)
c.put(
'/v3/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust_id},
json={'trust': ref},
headers={'X-Auth-Token': token},
expected_status_code=http_client.METHOD_NOT_ALLOWED)
def test_create_trust_with_application_credential(self):
app_cred = {
'id': uuid.uuid4().hex,
'user_id': self.user_id,
'project_id': self.project_id,
'name': uuid.uuid4().hex,
'roles': [{'id': self.role_id}],
'secret': uuid.uuid4().hex
}
app_cred_api = PROVIDERS.application_credential_api
app_cred_api.create_application_credential(app_cred)
auth_data = self.build_authentication_request(
app_cred_id=app_cred['id'], secret=app_cred['secret'])
token_data = self.v3_create_token(auth_data,
expected_status=http_client.CREATED)
trust_body = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
self.post(
path='/OS-TRUST/trusts',
body={'trust': trust_body},
token=token_data.headers['x-subject-token'],
expected_status=http_client.FORBIDDEN)
def test_validate_trust_scoped_token_against_v2(self):
# get a project-scoped token
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
user = unit.new_user_ref(CONF.identity.default_domain_id)
trustee = self.identity_api.create_user(user)
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user['id'],
trustee_user_id=trustee['id'],
project_id=self.default_domain_project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a v3 trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=trustee['id'],
password=user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, trustee)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(path=path,
token=self.get_admin_token(),
method='GET')
def test_trust_scoped_ec2_credential(self):
"""Test creating trust scoped ec2 credential.
Call ``POST /credentials``.
"""
# Create the trust
ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
del ref['id']
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
# Get a trust scoped token
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, self.user)
trust_id = r.result['token']['OS-TRUST:trust']['id']
token_id = r.headers.get('X-Subject-Token')
# Create the credential with the trust scoped token
blob, ref = unit.new_ec2_credential(user_id=self.user_id,
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref}, token=token_id)
# We expect the response blob to contain the trust_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['trust_id'] = trust_id
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(
hashlib.sha256(access).hexdigest(), r.result['credential']['id'])
# Create a role assignment to ensure that it is ignored and only the
# trust-delegated roles are used
role = unit.new_role_ref(name='reader')
role_id = role['id']
PROVIDERS.role_api.create_role(role_id, role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, role_id)
ret_blob = json.loads(r.result['credential']['blob'])
ec2token = self._test_get_token(access=ret_blob['access'],
secret=ret_blob['secret'])
ec2_roles = [role['id'] for role in ec2token['roles']]
self.assertIn(self.role_id, ec2_roles)
self.assertNotIn(role_id, ec2_roles)
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post('/credentials',
body={'credential': ref},
token=token_id,
expected_status=http.client.CONFLICT)
