def test_modify_settings_append_password(self):
    """
    Password reset must not issue a token for blacklisted roles.

    Two users share one project: one holds "test_role", the other "admin".
    Each reset request is answered with 200, and no Token row exists
    after either of them.
    """
    # NOTE(review): the settings override that puts "test_role" on the
    # reset blacklist is not visible in this method; presumably a
    # decorator applies it. Confirm against the full file.
    role_user = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    admin_user = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    project = fake_clients.FakeProject(name="test_project")
    test_role = fake_clients.FakeRole("test_role")

    assignments = [
        fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name=role_name,
            user={"id": holder.id},
        )
        for role_name, holder in (("test_role", role_user), ("admin", admin_user))
    ]

    setup_identity_cache(
        projects=[project],
        users=[role_user, admin_user],
        role_assignments=assignments,
        extra_roles=[test_role],
    )

    reset_url = "/v1/actions/ResetPassword"

    # Request for the user holding "test_role": accepted, but tokenless.
    first = self.client.post(reset_url, {"email": "*****@*****.**"}, format="json")
    self.assertEqual(first.status_code, status.HTTP_200_OK)
    self.assertEqual(0, Token.objects.count())

    # Request for the admin user: same status, still no token.
    second = self.client.post(reset_url, {"email": "*****@*****.**"}, format="json")
    self.assertEqual(second.status_code, status.HTTP_200_OK)
    self.assertEqual(0, Token.objects.count())
def test_new_user_only_member(self):
    """
    A caller holding only "member" cannot add a user to the project.

    The user and the project both exist, but the requesting keystone
    user has no edit permissions, so prepare() must leave the action
    invalid.
    """
    project = fake_clients.FakeProject(name="test_project")
    existing = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[existing])

    # The requester's own role set is the input the permission check sees.
    requester = {
        "roles": ["member"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    payload = {
        "email": "*****@*****.**",
        "project_id": project.id,
        "roles": ["member"],
        "inherited_roles": [],
        "domain_id": "default",
    }

    action = NewUserAction(payload, task=task, order=1)
    action.prepare()

    self.assertFalse(action.valid)
def test_new_user_wrong_project(self):
    """
    A request aimed at a project other than the caller's is rejected.

    The keystone user is scoped to "test_project_id" while the action
    data names "test_project_id_1"; prepare() must mark the action
    invalid.
    """
    project = fake_clients.FakeProject(name="test_project")
    existing = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[existing])

    requester = {
        "roles": ["project_mod"],
        "project_id": "test_project_id",
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    # project_id deliberately differs from the requester's scope above.
    payload = {
        "email": "*****@*****.**",
        "project_id": "test_project_id_1",
        "roles": ["member"],
        "inherited_roles": [],
        "domain_id": "default",
    }

    action = NewUserAction(payload, task=task, order=1)
    action.prepare()

    self.assertEqual(action.valid, False)
def test_set_quota_invalid_region(self):
    """
    A quota update naming an unknown region is refused with 400.
    """
    project = fake_clients.FakeProject(name="test_project", id="test_project_id")
    member = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[member])

    auth_headers = {
        "project_name": "test_project",
        "project_id": project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": "user_id",
        "authenticated": True,
    }

    # "RegionThree" is the non-existent region the docstring refers to.
    payload = {"size": "small", "regions": ["RegionThree"]}
    resp = self.client.post(
        "/v1/openstack/quotas/", payload, headers=auth_headers, format="json"
    )

    self.assertEqual(resp.status_code, status.HTTP_400_BAD_REQUEST)
def setUp(self) -> None:
    """Seed the fake identity cache with three projects and three users."""
    super().setUp()

    # Project names are random hex strings, fresh for every test run.
    self.projects = [
        fake_clients.FakeProject(name=uuid.uuid4().hex) for _ in range(3)
    ]
    self.users = [
        fake_clients.FakeUser(name="*****@*****.**"),
        fake_clients.FakeUser(name="*****@*****.**"),
        fake_clients.FakeUser(name="*****@*****.**"),
    ]

    fake_clients.setup_identity_cache(projects=self.projects, users=self.users)
def test_calculate_custom_quota_size(self):
    """
    A custom quota is reported as the best-fitting named size.

    Individual cinder, nova and neutron values are overridden in the
    RegionOne caches; the quota endpoint must still report "small".
    """
    project = fake_clients.FakeProject(name="test_project", id="test_project_id")
    admin = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[admin])

    admin_headers = {
        "project_name": "test_project",
        "project_id": project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": admin.id,
        "authenticated": True,
    }

    # Override one value per service to make the quota a custom one.
    cinder_cache["RegionOne"]["test_project_id"]["quota"]["gigabytes"] = 6000
    nova_cache["RegionOne"]["test_project_id"]["quota"]["ram"] = 70000
    neutron_cache["RegionOne"]["test_project_id"]["quota"]["network"] = 4

    resp = self.client.get(
        "/v1/openstack/quotas/?regions=RegionOne", headers=admin_headers
    )

    # The page must be reachable before its content is inspected.
    self.assertEqual(resp.status_code, status.HTTP_200_OK)
    self.assertEqual(resp.data["regions"][0]["current_quota_size"], "small")
def test_remove_user_role(self):
    """
    A project admin removes every role a user holds on the project.

    The DELETE is answered with 202 and a "task created" note.
    """
    project = fake_clients.FakeProject(name="test_project")
    target = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    member_assignment = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="member",
        user={"id": target.id},
    )
    setup_identity_cache(
        projects=[project], users=[target], role_assignments=[member_assignment]
    )

    admin_headers = {
        "project_name": "test_project",
        "project_id": project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": "test_user_id",
        "authenticated": True,
    }

    # The admin removes the role from the test user.
    roles_url = "/v1/openstack/users/%s/roles" % target.id
    resp = self.client.delete(
        roles_url, {"roles": ["member"]}, format="json", headers=admin_headers
    )

    self.assertEqual(resp.status_code, status.HTTP_202_ACCEPTED)
    self.assertEqual(resp.json(), {"notes": ["task created"]})
def test_set_multi_region_quota(self):
    """
    One request sets the quota size in every listed region of a project.
    """
    project = fake_clients.FakeProject(name="test_project", id="test_project_id")
    member = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[member])

    auth_headers = {
        "project_name": "test_project",
        "project_id": project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": "user_id",
        "authenticated": True,
    }

    payload = {"size": "medium", "regions": ["RegionOne", "RegionTwo"]}
    resp = self.client.post(
        "/v1/openstack/quotas/", payload, headers=auth_headers, format="json"
    )
    self.assertEqual(resp.status_code, status.HTTP_202_ACCEPTED)

    # Both regions must now carry the requested size.
    for region in ("RegionOne", "RegionTwo"):
        self.check_quota_cache(region, "test_project_id", "medium")
def test_new_user_only_member(self):
    """
    A caller holding only "_member_" cannot add a user to the project.

    The user and the project both exist, but the requester has no edit
    permissions, so pre_approve() must leave the action invalid.
    """
    project = fake_clients.FakeProject(name="test_project")
    existing = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[existing])

    # The requester's own role set is the input the permission check sees.
    requester = {
        "roles": ["_member_"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    payload = {
        "email": "*****@*****.**",
        "project_id": project.id,
        "roles": ["_member_"],
        "inherited_roles": [],
        "domain_id": "default",
    }

    action = NewUserAction(payload, task=task, order=1)
    action.pre_approve()

    self.assertFalse(action.valid)
def setUp(self) -> None:
    """Seed the fake identity cache with a single user."""
    super().setUp()

    only_user = fake_clients.FakeUser(name="*****@*****.**")
    self.users = [only_user]

    fake_clients.setup_identity_cache(users=self.users)
def test_update_quota_no_history(self):
    """
    A project with no earlier quota changes can move to "medium".

    The request is answered with 202 and the RegionOne cache shows the
    new size.
    """
    project = fake_clients.FakeProject(name="test_project", id="test_project_id")
    member = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[member])

    admin_headers = {
        "project_name": "test_project",
        "project_id": project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": "user_id",
        "authenticated": True,
    }

    payload = {"size": "medium", "regions": ["RegionOne"]}
    resp = self.client.post(
        "/v1/openstack/quotas/", payload, headers=admin_headers, format="json"
    )
    self.assertEqual(resp.status_code, status.HTTP_202_ACCEPTED)

    # The cached quotas must reflect the change.
    self.check_quota_cache("RegionOne", project.id, "medium")
def test_edit_user_roles_modified_config_add(self):
    """
    A role added to the configured role mapping becomes assignable.

    A "project_mod" caller grants "new_role" to a user who already holds
    "project_mod"; every stage stays valid and the user ends up with
    both roles.
    """
    # NOTE(review): the config override that lets project_mod manage
    # "new_role" is not visible in this method; presumably a decorator
    # applies it. Confirm against the full file.
    project = fake_clients.FakeProject(name="test_project")
    target = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    mod_assignment = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="project_mod",
        user={"id": target.id},
    )
    setup_identity_cache(
        projects=[project], users=[target], role_assignments=[mod_assignment]
    )

    # Register the extra role with the fake identity backend.
    new_role = fake_clients.FakeRole("new_role")
    fake_clients.identity_cache["roles"][new_role.id] = new_role

    requester = {
        "roles": ["project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    payload = {
        "domain_id": "default",
        "user_id": target.id,
        "project_id": project.id,
        "roles": ["new_role"],
        "inherited_roles": [],
        "remove": False,
    }
    action = EditUserRolesAction(payload, task=task, order=1)

    action.prepare()
    self.assertEqual(action.valid, True)

    action.approve()
    self.assertEqual(action.valid, True)

    action.submit({})
    self.assertEqual(action.valid, True)

    granted = fake_clients.FakeManager()._get_roles_as_names(target, project)
    self.assertEqual(granted, ["project_mod", "new_role"])
def test_edit_user_roles_modified_settings_add(self):
    """
    A role added to the role mapping in settings becomes assignable.

    A "project_mod" caller grants "new_role" to a user who already holds
    "project_mod"; every stage stays valid and the user ends up with
    both roles.
    """
    # NOTE(review): the settings override that lets project_mod manage
    # "new_role" is not visible in this method; presumably a decorator
    # applies it. Confirm against the full file.
    project = fake_clients.FakeProject(name="test_project")
    target = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    mod_assignment = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="project_mod",
        user={"id": target.id},
    )
    setup_identity_cache(
        projects=[project], users=[target], role_assignments=[mod_assignment]
    )

    # Register the extra role with the fake identity backend.
    new_role = fake_clients.FakeRole("new_role")
    fake_clients.identity_cache["roles"][new_role.id] = new_role

    requester = {
        "roles": ["project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    payload = {
        "domain_id": "default",
        "user_id": target.id,
        "project_id": project.id,
        "roles": ["new_role"],
        "inherited_roles": [],
        "remove": False,
    }
    action = EditUserRolesAction(payload, task=task, order=1)

    action.pre_approve()
    self.assertEqual(action.valid, True)

    action.post_approve()
    self.assertEqual(action.valid, True)

    action.submit({})
    self.assertEqual(action.valid, True)

    granted = fake_clients.FakeManager()._get_roles_as_names(target, project)
    self.assertEqual(granted, ["project_mod", "new_role"])
def test_new_user_existing_role(self):
    """
    Granting a role the user already holds completes as a no-op.

    The action runs through every stage as valid, is marked "complete"
    after approve(), and the user's roles stay exactly ["member"].
    """
    project = fake_clients.FakeProject(name="test_project")
    existing = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    held = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="member",
        user={"id": existing.id},
    )
    setup_identity_cache(
        projects=[project], users=[existing], role_assignments=[held]
    )

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    payload = {
        "email": "*****@*****.**",
        "project_id": project.id,
        "roles": ["member"],
        "inherited_roles": [],
        "domain_id": "default",
    }
    action = NewUserAction(payload, task=task, order=1)

    action.prepare()
    self.assertEqual(action.valid, True)

    action.approve()
    self.assertEqual(action.valid, True)
    self.assertEqual(action.action.state, "complete")

    action.submit({})
    self.assertEqual(action.valid, True)

    # No duplicate or additional role may appear.
    current = fake_clients.FakeManager()._get_roles_as_names(existing, project)
    self.assertEqual(current, ["member"])
def test_new_user_existing_role(self):
    """
    Granting a role the user already holds completes as a no-op.

    The action runs through every stage as valid, is marked "complete"
    after post_approve(), and the user's roles stay exactly
    ["_member_"].
    """
    project = fake_clients.FakeProject(name="test_project")
    existing = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    held = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="_member_",
        user={"id": existing.id},
    )
    setup_identity_cache(
        projects=[project], users=[existing], role_assignments=[held]
    )

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    payload = {
        "email": "*****@*****.**",
        "project_id": project.id,
        "roles": ["_member_"],
        "inherited_roles": [],
        "domain_id": "default",
    }
    action = NewUserAction(payload, task=task, order=1)

    action.pre_approve()
    self.assertEqual(action.valid, True)

    action.post_approve()
    self.assertEqual(action.valid, True)
    self.assertEqual(action.action.state, "complete")

    action.submit({})
    self.assertEqual(action.valid, True)

    # No duplicate or additional role may appear.
    current = fake_clients.FakeManager()._get_roles_as_names(existing, project)
    self.assertEqual(current, ["_member_"])
def test_new_project_existing_user(self):
    """
    Creating a project for an already-registered user reuses that user.

    No new user is created, the task cache records the user as
    "existing", submit() leaves the password alone, and the user
    receives the default project roles.
    """
    owner = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(users=[owner])

    task = Task.objects.create(keystone_user={})

    payload = {
        "domain_id": "default",
        "parent_id": None,
        "email": "*****@*****.**",
        "project_name": "test_project",
    }
    action = NewProjectWithUserAction(payload, task=task, order=1)

    action.prepare()
    self.assertEqual(action.valid, True)

    action.approve()
    self.assertEqual(action.valid, True)

    created = fake_clients.identity_cache["new_projects"][0]
    self.assertEqual(created.name, "test_project")
    self.assertEqual(len(fake_clients.identity_cache["new_users"]), 0)

    expected_cache = {
        "project_id": created.id,
        "user_id": owner.id,
        "user_state": "existing",
    }
    self.assertEqual(task.cache, expected_cache)

    # For an existing user submit() must change nothing.
    action.submit({})
    self.assertEqual(action.valid, True)
    # NOTE(review): the fixture password literal looks masked in this
    # copy; this assertion implies the original value was "123".
    self.assertEqual(owner.password, "123")

    granted = fake_clients.FakeManager()._get_roles_as_names(owner, created)
    self.assertEqual(
        sorted(granted),
        sorted(["member", "project_admin", "project_mod", "heat_stack_owner"]),
    )
def test_edit_user_roles_can_manage_all(self):
    """
    Editing a user requires authority over all roles that user holds.

    The target holds "_member_" and "project_admin"; a "project_mod"
    caller is refused at pre_approve() and the target's roles are left
    untouched.
    """
    project = fake_clients.FakeProject(name="test_project")
    target = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    held = [
        fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name=role_name,
            user={"id": target.id},
        )
        for role_name in ("_member_", "project_admin")
    ]
    setup_identity_cache(
        projects=[project], users=[target], role_assignments=held
    )

    requester = {
        "roles": ["project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    payload = {
        "domain_id": "default",
        "user_id": target.id,
        "project_id": project.id,
        "roles": ["project_mod"],
        "inherited_roles": [],
        "remove": False,
    }
    action = EditUserRolesAction(payload, task=task, order=1)

    action.pre_approve()
    self.assertEqual(action.valid, False)

    # The refused edit must not have altered the role set.
    current = fake_clients.FakeManager()._get_roles_as_names(target, project)
    self.assertEqual(current, ["_member_", "project_admin"])
def test_edit_user_roles_remove_complete(self):
    """
    Removing a role the user does not hold completes as a no-op.

    The action is already "complete" after pre_approve(), stays valid
    through the later stages, and the user keeps exactly ["_member_"].
    """
    project = fake_clients.FakeProject(name="test_project")
    target = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    held = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="_member_",
        user={"id": target.id},
    )
    setup_identity_cache(
        projects=[project], users=[target], role_assignments=[held]
    )

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    # "project_mod" is requested for removal although it is not held.
    payload = {
        "domain_id": "default",
        "user_id": target.id,
        "project_id": project.id,
        "roles": ["project_mod"],
        "inherited_roles": [],
        "remove": True,
    }
    action = EditUserRolesAction(payload, task=task, order=1)

    action.pre_approve()
    self.assertEqual(action.valid, True)
    self.assertEqual(action.action.state, "complete")

    action.post_approve()
    self.assertEqual(action.valid, True)

    action.submit({})
    self.assertEqual(action.valid, True)

    current = fake_clients.FakeManager()._get_roles_as_names(target, project)
    self.assertEqual(current, ["_member_"])
def test_update_quota_outside_range(self):
    """
    A quota size outside the pre-approved range waits for admin approval.

    The project-level request is accepted with 202 but the quota stays
    "small"; only after a caller with the "admin" role approves the task
    does the cache show "large".
    """
    project = fake_clients.FakeProject(name="test_project", id="test_project_id")
    member = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[member])

    project_admin_headers = {
        "project_name": "test_project",
        "project_id": project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": "user_id",
        "authenticated": True,
    }

    payload = {"size": "large", "regions": ["RegionOne"]}
    resp = self.client.post(
        "/v1/openstack/quotas/",
        payload,
        headers=project_admin_headers,
        format="json",
    )
    self.assertEqual(resp.status_code, status.HTTP_202_ACCEPTED)

    # Nothing may change before approval: the quota is still "small".
    self.check_quota_cache("RegionOne", project.id, "small")

    # Approve the quota change as a cloud admin and test for the change.
    cloud_admin_headers = {
        "project_name": "admin_project",
        "project_id": "test_project_id",
        "roles": "admin,member",
        "username": "******",
        "user_id": "admin_id",
        "authenticated": True,
    }

    # Look up the task the request created and approve it.
    pending = Task.objects.all()[0]
    task_url = "/v1/tasks/" + pending.uuid
    resp = self.client.post(
        task_url, {"approved": True}, format="json", headers=cloud_admin_headers
    )
    self.assertEqual(resp.status_code, status.HTTP_200_OK)
    self.assertEqual(resp.data, {"notes": ["Task completed successfully."]})

    self.check_quota_cache("RegionOne", project.id, "large")
def test_new_user_disabled(self):
    """
    Inviting a disabled user re-enables the account and grants the role.

    The user exists but is disabled and has no role on the project.
    After submit() the account is enabled, carries the password supplied
    with the token, and holds "member".
    """
    project = fake_clients.FakeProject(name="test_project")
    disabled = fake_clients.FakeUser(
        name="*****@*****.**",
        password="******",
        email="*****@*****.**",
        enabled=False,
    )
    setup_identity_cache(projects=[project], users=[disabled])

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    payload = {
        "email": "*****@*****.**",
        "project_id": project.id,
        "roles": ["member"],
        "inherited_roles": [],
        "domain_id": "default",
    }
    action = NewUserAction(payload, task=task, order=1)

    action.prepare()
    self.assertEqual(action.valid, True)

    action.approve()
    self.assertEqual(action.valid, True)

    # NOTE(review): the password literal looks masked in this copy; the
    # assertion further down implies the original value was "123456".
    action.submit({"password": "******"})
    self.assertEqual(action.valid, True)

    self.assertEqual(len(fake_clients.identity_cache["users"]), 2)

    manager = fake_clients.FakeManager()
    found = manager.find_user(name="*****@*****.**", domain="default")
    self.assertEqual(found.email, "*****@*****.**")
    self.assertEqual(found.password, "123456")
    self.assertTrue(found.enabled)

    self.assertEqual(manager._get_roles_as_names(found, project), ["member"])
def test_edit_user_roles_remove_complete(self):
    """
    Removing a role the user does not hold completes as a no-op.

    The action is already "complete" after prepare(), stays valid
    through the later stages, and the user keeps exactly ["member"].
    """
    project = fake_clients.FakeProject(name="test_project")
    target = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    held = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="member",
        user={"id": target.id},
    )
    setup_identity_cache(
        projects=[project], users=[target], role_assignments=[held]
    )

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    # "project_mod" is requested for removal although it is not held.
    payload = {
        "domain_id": "default",
        "user_id": target.id,
        "project_id": project.id,
        "roles": ["project_mod"],
        "inherited_roles": [],
        "remove": True,
    }
    action = EditUserRolesAction(payload, task=task, order=1)

    action.prepare()
    self.assertEqual(action.valid, True)
    self.assertEqual(action.action.state, "complete")

    action.approve()
    self.assertEqual(action.valid, True)

    action.submit({})
    self.assertEqual(action.valid, True)

    current = fake_clients.FakeManager()._get_roles_as_names(target, project)
    self.assertEqual(current, ["member"])
def test_calculate_quota_size_zero(self):
    """
    The "zero" quota size is recognised, and a single zero value does
    not turn a "small" quota into "zero".
    """
    project = fake_clients.FakeProject(name="test_project", id="test_project_id")
    member = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project], users=[member])

    admin_headers = {
        "project_name": "test_project",
        "project_id": project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": "user_id",
        "authenticated": True,
    }
    url = "/v1/openstack/quotas/?regions=RegionOne"

    def reported_size():
        # Fetch the page, check it is reachable, return the size label.
        resp = self.client.get(url, headers=admin_headers)
        self.assertEqual(resp.status_code, status.HTTP_200_OK)
        return resp.data["regions"][0]["current_quota_size"]

    setup_quota_cache("RegionOne", project.id, "small")
    self.assertEqual(reported_size(), "small")

    # A lone zero value must not interfere with the quota being "small".
    cinder_cache["RegionOne"][project.id]["quota"]["gigabytes"] = 0
    self.assertEqual(reported_size(), "small")

    setup_quota_cache("RegionOne", project.id, "zero")
    self.assertEqual(reported_size(), "zero")

    # The zero quota still counts even when one value is not zero.
    cinder_cache["RegionOne"][project.id]["quota"]["gigabytes"] = 600
    self.assertEqual(reported_size(), "zero")
def test_edit_user_roles_can_manage_all(self):
    """
    Editing a user requires authority over all roles that user holds.

    The target holds "member" and "project_admin"; a "project_mod"
    caller is refused at prepare() and the target's roles are left
    untouched.
    """
    project = fake_clients.FakeProject(name="test_project")
    target = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    held = [
        fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name=role_name,
            user={"id": target.id},
        )
        for role_name in ("member", "project_admin")
    ]
    setup_identity_cache(
        projects=[project], users=[target], role_assignments=held
    )

    requester = {
        "roles": ["project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    payload = {
        "domain_id": "default",
        "user_id": target.id,
        "project_id": project.id,
        "roles": ["project_mod"],
        "inherited_roles": [],
        "remove": False,
    }
    action = EditUserRolesAction(payload, task=task, order=1)

    action.prepare()
    self.assertEqual(action.valid, False)

    # The refused edit must not have altered the role set.
    current = fake_clients.FakeManager()._get_roles_as_names(target, project)
    self.assertEqual(current, ["member", "project_admin"])
def test_new_project_existing_user(self):
    """
    Creating a project for an already-registered user reuses that user.

    No new user is created, the task cache records the user as
    "existing", submit() leaves the password alone, and the user
    receives the default project roles.
    """
    owner = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(users=[owner])

    task = Task.objects.create(ip_address="0.0.0.0", keystone_user={})

    payload = {
        "domain_id": "default",
        "parent_id": None,
        "email": "*****@*****.**",
        "project_name": "test_project",
    }
    action = NewProjectWithUserAction(payload, task=task, order=1)

    action.pre_approve()
    self.assertEqual(action.valid, True)

    action.post_approve()
    self.assertEqual(action.valid, True)

    created = fake_clients.identity_cache["new_projects"][0]
    self.assertEqual(created.name, "test_project")
    self.assertEqual(len(fake_clients.identity_cache["new_users"]), 0)

    expected_cache = {
        "project_id": created.id,
        "user_id": owner.id,
        "user_state": "existing",
    }
    self.assertEqual(task.cache, expected_cache)

    # For an existing user submit() must change nothing.
    action.submit({})
    self.assertEqual(action.valid, True)
    # NOTE(review): the fixture password literal looks masked in this
    # copy; this assertion implies the original value was "123".
    self.assertEqual(owner.password, "123")

    granted = fake_clients.FakeManager()._get_roles_as_names(owner, created)
    self.assertEqual(
        sorted(granted),
        sorted(["_member_", "project_admin", "project_mod", "heat_stack_owner"]),
    )
def test_new_user_disabled(self):
    """
    Inviting a disabled user re-enables the account and grants the role.

    The user exists but is disabled and has no role on the project.
    After submit() the account is enabled, carries the password supplied
    with the token, and holds "_member_".
    """
    project = fake_clients.FakeProject(name="test_project")
    disabled = fake_clients.FakeUser(
        name="*****@*****.**",
        password="******",
        email="*****@*****.**",
        enabled=False,
    )
    setup_identity_cache(projects=[project], users=[disabled])

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    payload = {
        "email": "*****@*****.**",
        "project_id": project.id,
        "roles": ["_member_"],
        "inherited_roles": [],
        "domain_id": "default",
    }
    action = NewUserAction(payload, task=task, order=1)

    action.pre_approve()
    self.assertEqual(action.valid, True)

    action.post_approve()
    self.assertEqual(action.valid, True)

    # NOTE(review): the password literal looks masked in this copy; the
    # assertion further down implies the original value was "123456".
    action.submit({"password": "******"})
    self.assertEqual(action.valid, True)

    self.assertEqual(len(fake_clients.identity_cache["users"]), 2)

    manager = fake_clients.FakeManager()
    found = manager.find_user(name="*****@*****.**", domain="default")
    self.assertEqual(found.email, "*****@*****.**")
    self.assertEqual(found.password, "123456")
    self.assertTrue(found.enabled)

    self.assertEqual(manager._get_roles_as_names(found, project), ["_member_"])
def test_update_quota_other_project_history(self):
    """
    The 30-day quota update limit is tracked per project.

    A quota update on one project must not stop a second project from
    being updated straight afterwards.
    """
    project = fake_clients.FakeProject(name="test_project", id="test_project_id")
    other_project = fake_clients.FakeProject(name="second_project")
    member = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[project, other_project], users=[member])

    first_headers = {
        "project_name": "test_project",
        "project_id": project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": "user_id",
        "authenticated": True,
    }

    setup_mock_caches("RegionOne", other_project.id)

    url = "/v1/openstack/quotas/"

    first_payload = {"size": "medium", "regions": ["RegionOne"]}
    resp = self.client.post(url, first_payload, headers=first_headers, format="json")
    self.assertEqual(resp.status_code, status.HTTP_202_ACCEPTED)
    # The first project's quota has changed.
    self.check_quota_cache("RegionOne", project.id, "medium")

    second_headers = {
        "project_name": "second_project",
        "project_id": other_project.id,
        "roles": "project_admin,member,project_mod",
        "username": "******",
        "user_id": member.id,
        "authenticated": True,
    }
    second_payload = {
        "regions": ["RegionOne"],
        "size": "medium",
        "project_id": other_project.id,
    }
    resp = self.client.post(
        url, second_payload, headers=second_headers, format="json"
    )
    # The second project is accepted too, regardless of the first update.
    self.assertEqual(resp.status_code, status.HTTP_202_ACCEPTED)
    self.check_quota_cache("RegionOne", other_project.id, "medium")
def test_new_project_action(self):
    """
    An existing user creates a child project under their own project.

    After approve() the new project exists with the requested name and
    parent, and the requesting user holds the default roles on it.
    """
    parent = fake_clients.FakeProject(name="parent_project")
    owner = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[parent], users=[owner])

    requester = {
        "user_id": owner.id,
        "project_id": parent.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    payload = {
        "domain_id": "default",
        "parent_id": parent.id,
        "project_name": "test_project",
        "description": "",
    }
    action = NewProjectAction(payload, task=task, order=1)

    action.prepare()
    self.assertEqual(action.valid, True)

    action.approve()
    self.assertEqual(action.valid, True)

    created = fake_clients.identity_cache["new_projects"][0]
    self.assertEqual(created.name, "test_project")
    self.assertEqual(created.parent_id, parent.id)

    # Roles are already in place before submit() is called.
    granted = fake_clients.FakeManager()._get_roles_as_names(owner, created)
    self.assertEqual(
        sorted(granted),
        sorted(["member", "project_admin", "project_mod", "heat_stack_owner"]),
    )

    action.submit({})
    self.assertEqual(action.valid, True)
def test_add_mfa_existing(self):
    """
    A repeated MFA enrolment request reuses the pending task.

    The second POST returns the same token id and otpauth URI as the
    first and the task count stays at one. The secret carried in the URI
    equals the one held in the user's "totp-draft" credential, and a
    passcode derived from it is accepted on the token endpoint.
    """
    enrolling = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(users=[enrolling])

    auth_headers = {
        "project_name": "test_project",
        "project_id": "test_project_id",
        "roles": "_member_",
        "username": "******",
        "user_id": enrolling.id,
        "authenticated": True,
    }
    mfa_url = "/v1/openstack/edit-mfa"

    # First request: creates the task and hands out the enrolment data.
    first = self.client.post(mfa_url, {}, format="json", headers=auth_headers)
    self.assertEqual(first.status_code, status.HTTP_200_OK)
    provisioning_uri = first.data.get("otpauth")
    token_id = first.data.get("token_id")
    self.assertNotEqual(provisioning_uri, None)
    self.assertEqual(Task.objects.count(), 1)

    # Second request: must hand out the same data, not a fresh secret.
    second = self.client.post(mfa_url, {}, format="json", headers=auth_headers)
    self.assertEqual(second.status_code, status.HTTP_200_OK)
    repeat_uri = second.data.get("otpauth")
    repeat_token_id = second.data.get("token_id")
    self.assertEqual(token_id, repeat_token_id)
    self.assertEqual(provisioning_uri, repeat_uri)
    self.assertEqual(Task.objects.count(), 1)

    # Client-side secret (from the URI) versus the stored draft secret.
    query = urlparse.urlsplit(provisioning_uri).query
    uri_secret = urlparse.parse_qs(query).get("secret")[0]

    drafts = FakeManager().list_credentials(enrolling.id, "totp-draft")
    stored_secret = json.loads(drafts[0].blob)["secret"]
    self.assertEqual(uri_secret, stored_secret)

    self.assertNotEqual(token_id, None)

    # Finish enrolment with a passcode computed from the secret.
    passcode = generate_totp_passcode(uri_secret)
    confirm = self.client.post(
        "/v1/tokens/" + token_id, {"passcode": passcode}, format="json"
    )
    self.assertEqual(confirm.status_code, status.HTTP_200_OK)
def test_new_project_action(self):
    """
    An existing user creates a child project under their own project.

    After post_approve() the new project exists with the requested name
    and parent, and the requesting user holds the default roles on it.
    """
    parent = fake_clients.FakeProject(name="parent_project")
    owner = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(projects=[parent], users=[owner])

    requester = {
        "user_id": owner.id,
        "project_id": parent.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    payload = {
        "domain_id": "default",
        "parent_id": parent.id,
        "project_name": "test_project",
        "description": "",
    }
    action = NewProjectAction(payload, task=task, order=1)

    action.pre_approve()
    self.assertEqual(action.valid, True)

    action.post_approve()
    self.assertEqual(action.valid, True)

    created = fake_clients.identity_cache["new_projects"][0]
    self.assertEqual(created.name, "test_project")
    self.assertEqual(created.parent_id, parent.id)

    # Roles are already in place before submit() is called.
    granted = fake_clients.FakeManager()._get_roles_as_names(owner, created)
    self.assertEqual(
        sorted(granted),
        sorted(["_member_", "project_admin", "project_mod", "heat_stack_owner"]),
    )

    action.submit({})
    self.assertEqual(action.valid, True)
def test_add_mfa_draft_removed(self):
    """
    A correct passcode is refused once the draft TOTP secret is gone.

    The "totp-draft" credential is cleared between post_approve() and
    submit(). Although the passcode is derived from the original secret,
    submit() must mark the action invalid, report "TOTP Secret Removed",
    and leave no draft credential behind.
    """
    enrolling = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    setup_identity_cache(users=[enrolling])

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": "test_project_id",
        "project_domain_id": "default",
        "id": enrolling.id,
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    action = EditMFAAction(
        {"user_id": enrolling.id, "delete": False}, task=task, order=1
    )

    action.pre_approve()
    self.assertEqual(action.valid, True)

    action.post_approve()
    self.assertEqual(action.valid, True)

    manager = FakeManager()
    drafts = manager.list_credentials(user_id=enrolling.id, cred_type="totp-draft")
    self.assertEqual(len(drafts), 1)

    # Keep the secret, then delete the draft credential it came from.
    secret = json.loads(drafts[0].blob)["secret"]
    manager.clear_credential_type(user_id=enrolling.id, cred_type="totp-draft")

    passcode = generate_totp_passcode(secret)
    result = action.submit({"passcode": passcode})

    self.assertEqual(action.valid, False)
    self.assertEqual(result.get("errors"), "TOTP Secret Removed")

    drafts = manager.list_credentials(user_id=enrolling.id, cred_type="totp-draft")
    self.assertEqual(len(drafts), 0)