def test_v1_auth(self): """Test v1 auth code paths""" def fake_do_request(cls, url, method, headers=None, body=None): if url.find("2.0") != -1: self.fail("Invalid v1.0 token path (%s)" % url) headers = headers or {} resp = webob.Response() if (headers.get('X-Auth-User') != 'user1' or headers.get('X-Auth-Key') != 'pass'): resp.status = 401 else: resp.status = 200 return FakeResponse(resp), "" self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request) unauthorized_creds = [ { 'username': '******', 'auth_url': 'http://localhost/badauthurl/', 'password': '******' }, # wrong username { 'username': '******', 'auth_url': 'http://localhost/badauthurl/', 'password': '******' }, # bad password... ] for creds in unauthorized_creds: try: plugin = auth.KeystoneStrategy(creds) plugin.authenticate() except exception.NotAuthorized: continue # Expected self.fail("Failed to raise NotAuthorized when supplying bad " "credentials: %r" % creds) good_creds = [ { 'username': '******', 'auth_url': 'http://localhost/redirect/', 'password': '******' } ] for creds in good_creds: plugin = auth.KeystoneStrategy(creds) self.assertTrue(plugin.authenticate() is None)
def test_invalid_auth_url(self): """ Test invalid auth URL returns a 404/400 in authenticate(). '404' if an attempt is made to access an invalid url on a server, '400' if an attempt is made to access a url on a non-existent server. """ bad_creds = [ { 'username': '******', 'auth_url': 'http://localhost/badauthurl/', 'password': '******' }, # v1 Keystone { 'username': '******', 'auth_url': 'http://localhost/badauthurl/v2.0/', 'password': '******', 'tenant': 'tenant1' } # v2 Keystone ] for creds in bad_creds: try: plugin = auth.KeystoneStrategy(creds) plugin.authenticate() except exception.AuthUrlNotFound: continue # Expected if web server running except exception.AuthBadRequest: continue # Expected if no web server running self.fail("Failed to raise Exception when supplying bad " "credentials: %r" % creds)
def test_required_creds(self): """ Test that plugin created without required credential pieces raises an exception """ bad_creds = [ {}, # missing everything { 'username': '******', 'password': '******' }, # missing auth_url { 'password': '******', 'auth_url': 'http://localhost/v1' }, # missing username { 'username': '******', 'auth_url': 'http://localhost/v1' }, # missing password { 'username': '******', 'password': '******', 'auth_url': 'http://localhost/v2.0/' } # v2.0: missing tenant ] for creds in bad_creds: try: plugin = auth.KeystoneStrategy(creds) plugin.authenticate() except exception.MissingCredentialError: continue # Expected self.fail("Failed to raise correct exception when supplying bad " "credentials: %r" % creds)
def test_invalid_auth_url_v1(self): """ Test that a 400 during authenticate raises exception.AuthBadRequest """ def fake_do_request(*args, **kwargs): resp = webob.Response() resp.status = 400 return FakeResponse(resp), "" self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request) bad_creds = { 'username': '******', 'auth_url': 'http://localhost/badauthurl/', 'password': '******', 'strategy': 'keystone', 'region': 'RegionOne' } plugin = auth.KeystoneStrategy(bad_creds) self.assertRaises(exception.AuthBadRequest, plugin.authenticate)
def test_v2_auth(self): """Test v2 auth code paths""" mock_token = None def fake_do_request(cls, url, method, headers=None, body=None): if (not url.rstrip('/').endswith('v2.0/tokens') or url.count("2.0") != 1): self.fail("Invalid v2.0 token path (%s)" % url) creds = json.loads(body)['auth'] username = creds['passwordCredentials']['username'] password = creds['passwordCredentials']['password'] tenant = creds['tenantName'] resp = webob.Response() if (username != 'user1' or password != 'pass' or tenant != 'tenant-ok'): resp.status = 401 else: resp.status = 200 body = mock_token.token return FakeResponse(resp), json.dumps(body) mock_token = V2Token() mock_token.add_service('image', ['RegionOne']) self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request) unauthorized_creds = [ { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'tenant-ok', 'strategy': 'keystone', 'region': 'RegionOne' }, # wrong username { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'tenant-ok', 'strategy': 'keystone', 'region': 'RegionOne' }, # bad password... { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'carterhayes', 'strategy': 'keystone', 'region': 'RegionOne' }, # bad tenant... ] for creds in unauthorized_creds: try: plugin = auth.KeystoneStrategy(creds) plugin.authenticate() self.fail("Failed to raise NotAuthenticated when supplying " "bad credentials: %r" % creds) except exception.NotAuthenticated: continue # Expected no_region_creds = { 'username': '******', 'tenant': 'tenant-ok', 'auth_url': 'http://localhost/redirect/v2.0/', 'password': '******', 'strategy': 'keystone' } plugin = auth.KeystoneStrategy(no_region_creds) self.assertTrue(plugin.authenticate() is None) self.assertEquals(plugin.management_url, 'http://localhost:9292') # Add another image service, with a different region mock_token.add_service('image', ['RegionTwo']) try: plugin = auth.KeystoneStrategy(no_region_creds) plugin.authenticate() self.fail("Failed to raise RegionAmbiguity when no region present " "and multiple regions exist: %r" % no_region_creds) except exception.RegionAmbiguity: pass # Expected wrong_region_creds = { 'username': '******', 'tenant': 'tenant-ok', 'auth_url': 'http://localhost/redirect/v2.0/', 'password': '******', 'strategy': 'keystone', 'region': 'NonExistantRegion' } try: plugin = auth.KeystoneStrategy(wrong_region_creds) plugin.authenticate() self.fail("Failed to raise NoServiceEndpoint when supplying " "wrong region: %r" % wrong_region_creds) except exception.NoServiceEndpoint: pass # Expected no_strategy_creds = { 'username': '******', 'tenant': 'tenant-ok', 'auth_url': 'http://localhost/redirect/v2.0/', 'password': '******', 'region': 'RegionOne' } try: plugin = auth.KeystoneStrategy(no_strategy_creds) plugin.authenticate() self.fail("Failed to raise MissingCredentialError when " "supplying no strategy: %r" % no_strategy_creds) except exception.MissingCredentialError: pass # Expected bad_strategy_creds = { 'username': '******', 'tenant': 'tenant-ok', 'auth_url': 'http://localhost/redirect/v2.0/', 'password': '******', 'region': 'RegionOne', 'strategy': 'keypebble' } try: plugin = auth.KeystoneStrategy(bad_strategy_creds) plugin.authenticate() self.fail("Failed to raise BadAuthStrategy when supplying " "bad auth strategy: %r" % bad_strategy_creds) except exception.BadAuthStrategy: pass # Expected mock_token = V2Token() mock_token.add_service('image', ['RegionOne', 'RegionTwo']) good_creds = [ { 'username': '******', 'auth_url': 'http://localhost/v2.0/', 'password': '******', 'tenant': 'tenant-ok', 'strategy': 'keystone', 'region': 'RegionOne' }, # auth_url with trailing '/' { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'tenant-ok', 'strategy': 'keystone', 'region': 'RegionOne' }, # auth_url without trailing '/' { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'tenant-ok', 'strategy': 'keystone', 'region': 'RegionTwo' } # Second region ] for creds in good_creds: plugin = auth.KeystoneStrategy(creds) self.assertTrue(plugin.authenticate() is None) self.assertEquals(plugin.management_url, 'http://localhost:9292') ambiguous_region_creds = { 'username': '******', 'auth_url': 'http://localhost/v2.0/', 'password': '******', 'tenant': 'tenant-ok', 'strategy': 'keystone', 'region': 'RegionOne' } mock_token = V2Token() # Add two identical services mock_token.add_service('image', ['RegionOne']) mock_token.add_service('image', ['RegionOne']) try: plugin = auth.KeystoneStrategy(ambiguous_region_creds) plugin.authenticate() self.fail("Failed to raise RegionAmbiguity when " "non-unique regions exist: %r" % ambiguous_region_creds) except exception.RegionAmbiguity: pass mock_token = V2Token() mock_token.add_service('bad-image', ['RegionOne']) good_creds = { 'username': '******', 'auth_url': 'http://localhost/v2.0/', 'password': '******', 'tenant': 'tenant-ok', 'strategy': 'keystone', 'region': 'RegionOne' } try: plugin = auth.KeystoneStrategy(good_creds) plugin.authenticate() self.fail("Failed to raise NoServiceEndpoint when bad service " "type encountered") except exception.NoServiceEndpoint: pass mock_token = V2Token() mock_token.add_service_no_type() try: plugin = auth.KeystoneStrategy(good_creds) plugin.authenticate() self.fail("Failed to raise NoServiceEndpoint when bad service " "type encountered") except exception.NoServiceEndpoint: pass try: plugin = auth.KeystoneStrategy(good_creds, configure_via_auth=False) plugin.authenticate() except exception.NoServiceEndpoint: self.fail("NoServiceEndpoint was raised when authenticate " "should not check for endpoint.")
def test_v1_auth(self): """Test v1 auth code paths""" def fake_do_request(cls, url, method, headers=None, body=None): if url.find("2.0") != -1: self.fail("Invalid v1.0 token path (%s)" % url) headers = headers or {} resp = webob.Response() if (headers.get('X-Auth-User') != 'user1' or headers.get('X-Auth-Key') != 'pass'): resp.status = 401 else: resp.status = 200 resp.headers.update({"x-image-management-url": "example.com"}) return FakeResponse(resp), "" self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request) unauthorized_creds = [ { 'username': '******', 'auth_url': 'http://localhost/badauthurl/', 'strategy': 'keystone', 'region': 'RegionOne', 'password': '******' }, # wrong username { 'username': '******', 'auth_url': 'http://localhost/badauthurl/', 'strategy': 'keystone', 'region': 'RegionOne', 'password': '******' }, # bad password... ] for creds in unauthorized_creds: try: plugin = auth.KeystoneStrategy(creds) plugin.authenticate() self.fail("Failed to raise NotAuthenticated when supplying " "bad credentials: %r" % creds) except exception.NotAuthenticated: continue # Expected no_strategy_creds = { 'username': '******', 'auth_url': 'http://localhost/redirect/', 'password': '******', 'region': 'RegionOne' } try: plugin = auth.KeystoneStrategy(no_strategy_creds) plugin.authenticate() self.fail("Failed to raise MissingCredentialError when " "supplying no strategy: %r" % no_strategy_creds) except exception.MissingCredentialError: pass # Expected good_creds = [ { 'username': '******', 'auth_url': 'http://localhost/redirect/', 'password': '******', 'strategy': 'keystone', 'region': 'RegionOne' } ] for creds in good_creds: plugin = auth.KeystoneStrategy(creds) self.assertTrue(plugin.authenticate() is None) self.assertEqual(plugin.management_url, "example.com") # Assert it does not update management_url via auth response for creds in good_creds: plugin = auth.KeystoneStrategy(creds, configure_via_auth=False) self.assertTrue(plugin.authenticate() is None) self.assertTrue(plugin.management_url is None)
def test_v2_auth(self): """Test v2 auth code paths""" def fake_do_request(cls, url, method, headers=None, body=None): if (not url.rstrip('/').endswith('v2.0/tokens') or url.count("2.0") != 1): self.fail("Invalid v2.0 token path (%s)" % url) creds = json.loads(body)['auth'] username = creds['passwordCredentials']['username'] password = creds['passwordCredentials']['password'] tenant = creds['tenantName'] resp = webob.Response() if (username != 'user1' or password != 'pass' or tenant != 'tenant-ok'): resp.status = 401 else: resp.status = 200 # Mock up a token to satisfy v2 auth body = { "access": { "token": { "expires": "2010-11-23T16:40:53.321584", "id": "5c7f8799-2e54-43e4-851b-31f81871b6c", "tenant": { "id": "1", "name": "tenant-ok" } }, "serviceCatalog": [{ "endpoints": [{ "region": "RegionOne", "adminURL": "http://localhost:9292", "internalURL": "http://localhost:9292", "publicURL": "http://localhost:9292" }], "type": "image", "name": "glance" }], "user": { "id": "2", "roles": [{ "tenantId": "1", "id": "1", "name": "Admin" }], "name": "joeadmin" } } } return FakeResponse(resp), json.dumps(body) self.stubs.Set(auth.KeystoneStrategy, '_do_request', fake_do_request) unauthorized_creds = [ { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'tenant-ok' }, # wrong username { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'tenant-ok' }, # bad password... { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'carterhayes' }, # bad tenant... ] for creds in unauthorized_creds: try: plugin = auth.KeystoneStrategy(creds) plugin.authenticate() except exception.NotAuthorized: continue # Expected self.fail("Failed to raise NotAuthorized when supplying bad " "credentials: %r" % creds) good_creds = [ { 'username': '******', 'auth_url': 'http://localhost/v2.0/', 'password': '******', 'tenant': 'tenant-ok' }, # auth_url with trailing '/' { 'username': '******', 'auth_url': 'http://localhost/v2.0', 'password': '******', 'tenant': 'tenant-ok' } # auth_url without trailing '/' ] for creds in good_creds: plugin = auth.KeystoneStrategy(creds) self.assertTrue(plugin.authenticate() is None)