def test_with_alternate_context(self): ctxt1 = context.RequestContext(auth_token='foo', project_id='foo') ctxt2 = context.RequestContext(auth_token='bar', project_id='alternate') obj = MyObj.query(ctxt1) obj.update_test(ctxt2) self.assertEqual('alternate-context', obj.bar)
def before(self, state): headers = state.request.headers # Do not pass any token with context for noauth mode auth_token = (None if cfg.CONF.auth_strategy == 'noauth' else headers.get('X-Auth-Token')) creds = { 'user': headers.get('X-User') or headers.get('X-User-Id'), 'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'), 'domain_id': headers.get('X-User-Domain-Id'), 'domain_name': headers.get('X-User-Domain-Name'), 'auth_token': auth_token, 'roles': headers.get('X-Roles', '').split(','), } # NOTE(adam_g): We also check the previous 'admin' rule to ensure # compat with default juno policy.json. This double check may be # removed in Liberty. is_admin = (policy.enforce('admin_api', creds, creds) or policy.enforce('admin', creds, creds)) is_public_api = state.request.environ.get('is_public_api', False) show_password = policy.enforce('show_password', creds, creds) state.request.context = context.RequestContext( is_admin=is_admin, is_public_api=is_public_api, show_password=show_password, **creds)
def get_client(token=None, context=None): if not context: context = ironic_context.RequestContext(auth_token=token) # NOTE(pas-ha) neutronclient supports passing both session # and the auth to client separately, makes things easier session = _get_neutron_session() service_auth = keystone.get_auth('neutron') # TODO(pas-ha) remove in Rocky, always simply load from config # 'noauth' then would correspond to 'auth_type=none' and # 'endpoint_override' adapter_params = {} if (CONF.neutron.auth_strategy == 'noauth' and CONF.neutron.auth_type is None): CONF.set_override('auth_type', 'none', group='neutron') if not CONF.neutron.endpoint_override: adapter_params['endpoint_override'] = (CONF.neutron.url or DEFAULT_NEUTRON_URL) else: if CONF.neutron.url and not CONF.neutron.endpoint_override: adapter_params['endpoint_override'] = CONF.neutron.url adapter = keystone.get_adapter('neutron', session=session, auth=service_auth, **adapter_params) endpoint = adapter.get_endpoint() user_auth = None if CONF.neutron.auth_type != 'none' and context.auth_token: user_auth = keystone.get_service_auth(context, endpoint, service_auth) return clientv20.Client(session=session, auth=user_auth or service_auth, endpoint_override=endpoint, retries=CONF.neutron.retries, global_request_id=context.global_id)
def test_download_with_retries(self, mock_sleep): tries = [0] class MyGlanceStubClient(stubs.StubGlanceClient): """A client that fails the first time, then succeeds.""" def get(self, image_id): if tries[0] == 0: tries[0] = 1 raise glance_exc.ServiceUnavailable('') else: return {} stub_client = MyGlanceStubClient() stub_context = context.RequestContext(auth_token=True) stub_context.user_id = 'fake' stub_context.project_id = 'fake' stub_service = image_service.GlanceImageService( stub_client, stub_context) image_id = uuidutils.generate_uuid() writer = NullWriter() # When retries are disabled, we should get an exception self.config(num_retries=0, group='glance') self.assertRaises(exception.GlanceConnectionFailed, stub_service.download, image_id, writer) # Now lets enable retries. No exception should happen now. self.config(num_retries=1, group='glance') importlib.reload(image_service) stub_service = image_service.GlanceImageService( stub_client, stub_context) tries = [0] stub_service.download(image_id, writer) self.assertTrue(mock_sleep.called)
def setUp(self): super(TestSwiftTempUrlCache, self).setUp() client = stubs.StubGlanceClient() self.context = context.RequestContext() self.context.auth_token = 'fake' self.config(swift_temp_url_expected_download_start_delay=100, group='glance') self.config(swift_temp_url_key='correcthorsebatterystaple', group='glance') self.config(swift_endpoint_url='https://swift.example.com', group='glance') self.config(swift_account='AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30', group='glance') self.config(swift_api_version='v1', group='glance') self.config(swift_container='glance', group='glance') self.config(swift_temp_url_duration=1200, group='glance') self.config(swift_temp_url_cache_enabled=True, group='glance') self.config(swift_store_multiple_containers_seed=0, group='glance') self.glance_service = service.GlanceImageService(client, version=2, context=self.context)
def before(self, state): headers = state.request.headers # Do not pass any token with context for noauth mode auth_token = (None if cfg.CONF.auth_strategy == 'noauth' else headers.get('X-Auth-Token')) creds = { 'user': headers.get('X-User') or headers.get('X-User-Id'), 'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'), 'domain_id': headers.get('X-User-Domain-Id'), 'domain_name': headers.get('X-User-Domain-Name'), 'auth_token': auth_token, 'roles': headers.get('X-Roles', '').split(','), } is_admin = policy.enforce('admin_api', creds, creds) is_public_api = state.request.environ.get('is_public_api', False) show_password = policy.enforce('show_password', creds, creds) state.request.context = context.RequestContext( is_admin=is_admin, is_public_api=is_public_api, show_password=show_password, **creds)
def setUp(self): super(TestRequestContextSerializer, self).setUp() self.mock_serializer = mock.MagicMock() self.serializer = rpc.RequestContextSerializer(self.mock_serializer) self.context = ironic_context.RequestContext() self.entity = {'foo': 'bar'}
def get_client(token=None, context=None, auth_from_config=False): """Retrieve a neutron client connection. :param context: request context, instance of ironic.common.context.RequestContext :param auth_from_config: (boolean) When True, use auth values from conf parameters :returns: A neutron client. """ if not context: context = ironic_context.RequestContext(auth_token=token) session = _get_neutron_session() service_auth = keystone.get_auth('neutron') endpoint = keystone.get_endpoint('neutron', session=session, auth=service_auth) user_auth = None if (not auth_from_config and CONF.neutron.auth_type != 'none' and context.auth_token): user_auth = keystone.get_service_auth(context, endpoint, service_auth) sess = keystone.get_session('neutron', timeout=CONF.neutron.timeout, auth=user_auth or service_auth) conn = openstack.connection.Connection(session=sess, oslo_conf=CONF) return conn.global_request(context.global_id).network
def setUp(self): super(TestGlanceImageService, self).setUp() self.client = stubs.StubGlanceClient() self.context = context.RequestContext(auth_token=True) self.context.user_id = 'fake' self.context.project_id = 'fake' self.service = service.GlanceImageService(self.client, self.context)
def test_get_service_auth(self, token_mock, service_auth_mock): ctxt = context.RequestContext(auth_token='spam') mock_auth = mock.Mock() self.assertEqual(service_auth_mock.return_value, keystone.get_service_auth(ctxt, 'ham', mock_auth)) token_mock.assert_called_once_with('ham', 'spam') service_auth_mock.assert_called_once_with( user_auth=token_mock.return_value, service_auth=mock_auth)
def setUp(self): super(TestGlanceImageService, self).setUp() client = stubs.StubGlanceClient() self.context = context.RequestContext(auth_token=True) self.context.user_id = 'fake' self.context.project_id = 'fake' self.service = service.GlanceImageService(client, 1, self.context) self.config(glance_api_servers=['http://localhost'], group='glance') self.config(auth_strategy='keystone', group='glance')
def test_create_context(self, context_mock): test_context = context.RequestContext() context_mock.assert_called_once_with( auth_token=None, user=None, tenant=None, is_admin=False, read_only=False, show_deleted=False, request_id=None, overwrite=True) self.assertFalse(test_context.is_public_api) self.assertIsNone(test_context.domain_id) self.assertIsNone(test_context.domain_name) self.assertEqual([], test_context.roles)
def test_to_policy_values(self): ctx = context.RequestContext(**self.context_dict) ctx_dict = ctx.to_policy_values() self.assertEqual('user1', ctx_dict['user']) self.assertEqual('user1', ctx_dict['user_id']) self.assertEqual('tenant1', ctx_dict['tenant']) self.assertEqual('tenant1', ctx_dict['project_id']) self.assertEqual('somename', ctx_dict['project_name']) self.assertTrue(ctx_dict['is_public_api']) self.assertTrue(ctx_dict['is_admin_project']) self.assertEqual('domain_id3', ctx_dict['domain_id']) self.assertEqual('TreeDomain', ctx_dict['domain_name']) self.assertEqual('domain_id3', ctx_dict['user_domain_id']) self.assertEqual('domain_id4', ctx_dict['project_domain_id']) self.assertEqual([], ctx_dict['roles'])
def test_to_dict(self): ctx = context.RequestContext(**self.context_dict) ctx_dict = ctx.to_dict() self.assertEqual('auth_token1', ctx_dict['auth_token']) self.assertEqual('user1', ctx_dict['user']) self.assertEqual('tenant1', ctx_dict['tenant']) self.assertTrue(ctx_dict['is_admin']) self.assertTrue(ctx_dict['read_only']) self.assertTrue(ctx_dict['show_deleted']) self.assertEqual('id1', ctx_dict['request_id']) self.assertTrue(ctx_dict['is_public_api']) self.assertEqual('domain_id3', ctx_dict['domain_id']) self.assertEqual('TreeDomain', ctx_dict['domain_name']) self.assertEqual([], ctx_dict['roles']) self.assertNotIn('overwrite', ctx_dict)
def test_client_httpforbidden_converts_to_imagenotauthed(self): class MyGlanceStubClient(stubs.StubGlanceClient): """A client that raises a HTTPForbidden exception.""" def get(self, image_id): raise glance_exc.HTTPForbidden(image_id) stub_client = MyGlanceStubClient() stub_context = context.RequestContext(auth_token=True) stub_context.user_id = 'fake' stub_context.project_id = 'fake' stub_service = service.GlanceImageService(stub_client, 1, stub_context) image_id = 1 # doesn't matter writer = NullWriter() self.assertRaises(exception.ImageNotAuthorized, stub_service.download, image_id, writer)
def test_client_httpnotfound_converts_to_imagenotfound(self): class MyGlanceStubClient(stubs.StubGlanceClient): """A client that raises a HTTPNotFound exception.""" def get(self, image_id): raise glance_exc.HTTPNotFound(image_id) stub_client = MyGlanceStubClient() stub_context = context.RequestContext(auth_token=True) stub_context.user_id = 'fake' stub_context.project_id = 'fake' stub_service = service.GlanceImageService(stub_client, 1, stub_context) image_id = uuidutils.generate_uuid() writer = NullWriter() self.assertRaises(exception.ImageNotFound, stub_service.download, image_id, writer)
def test_get_neutron_client_with_context(self, mock_client_init, mock_session, mock_adapter, mock_auth, mock_sauth): self.context = context.RequestContext(global_request_id='global', auth_token='test-token-123') mock_adapter.return_value = adapter = mock.Mock() adapter.get_endpoint.return_value = 'neutron_url' self._call_and_assert_client(mock_client_init, 'neutron_url', auth=mock.sentinel.sauth) # testing handling of default url_timeout mock_session.assert_called_once_with('neutron', timeout=10) mock_adapter.assert_called_once_with('neutron', session=mock.sentinel.session, auth=mock.sentinel.auth) mock_sauth.assert_called_once_with(self.context, 'neutron_url', mock.sentinel.auth)
def set_context(self): headers = self.request.headers creds = { 'user': headers.get('X-User') or headers.get('X-User-Id'), 'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'), 'domain_id': headers.get('X-User-Domain-Id'), 'domain_name': headers.get('X-User-Domain-Name'), 'auth_token': headers.get('X-Auth-Token'), 'roles': headers.get('X-Roles', '').split(','), } is_admin = ('admin' in creds['roles'] or 'administrator' in creds['roles']) is_public_api = self.request.environ.get('is_public_api', False) self.request.context = context.RequestContext( is_admin=is_admin, is_public_api=is_public_api, **creds)
def setUp(self): super(TestGlanceSwiftTempURL, self).setUp() client = stubs.StubGlanceClient() self.context = context.RequestContext() self.context.auth_token = 'fake' self.service = image_service.GlanceImageService(client, self.context) self.config(swift_temp_url_key='correcthorsebatterystaple', group='glance') self.config(swift_endpoint_url='https://swift.example.com', group='glance') self.config(swift_account='AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30', group='glance') self.config(swift_api_version='v1', group='glance') self.config(swift_container='glance', group='glance') self.config(swift_temp_url_duration=1200, group='glance') self.config(swift_store_multiple_containers_seed=0, group='glance') self.fake_image = {'id': '757274c4-2856-4bd2-bb20-9a4a231e187b'}
def setUp(self): super(CheckImageServiceTestCase, self).setUp() self.context = context.RequestContext(global_request_id='global') self.service = image_service.GlanceImageService(None, self.context) # NOTE(pas-ha) register keystoneauth dynamic options manually plugin = kaloading.get_plugin_loader('password') opts = kaloading.get_auth_plugin_conf_options(plugin) self.cfg_fixture.register_opts(opts, group='glance') self.config(auth_type='password', auth_url='viking', username='******', password='******', project_name='parrot', service_type='image', region_name='SomeRegion', interface='internal', group='glance') image_service._GLANCE_SESSION = None
def setUp(self): super(TestGlanceImageService, self).setUp() client = stubs.StubGlanceClient() self.context = context.RequestContext(auth_token=True) self.context.user_id = 'fake' self.context.project_id = 'fake' self.service = service.GlanceImageService(client, 1, self.context) self.config(glance_host='localhost', group='glance') try: self.config(auth_strategy='keystone', group='glance') except Exception: opts = [ cfg.StrOpt('auth_strategy', default='keystone'), ] CONF.register_opts(opts) return
def test_to_dict(self): values = { 'auth_token': 'auth_token1', "user": "******", "tenant": "tenant1", 'is_admin': True, 'read_only': True, 'show_deleted': True, 'request_id': 'id1', "is_public_api": True, "domain_id": "domain_id1", "domain_name": "domain_name1", "show_password": False, "roles": None, "overwrite": True } ctx = context.RequestContext(**values) ctx_dict = ctx.to_dict() self.assertIn('auth_token', ctx_dict) self.assertIn('user', ctx_dict) self.assertIn('tenant', ctx_dict) self.assertIn('is_admin', ctx_dict) self.assertIn('read_only', ctx_dict) self.assertIn('show_deleted', ctx_dict) self.assertIn('request_id', ctx_dict) self.assertIn('domain_id', ctx_dict) self.assertIn('roles', ctx_dict) self.assertIn('domain_name', ctx_dict) self.assertIn('show_password', ctx_dict) self.assertIn('is_public_api', ctx_dict) self.assertNotIn('overwrite', ctx_dict) self.assertEqual('auth_token1', ctx_dict['auth_token']) self.assertEqual('user1', ctx_dict['user']) self.assertEqual('tenant1', ctx_dict['tenant']) self.assertTrue(ctx_dict['is_admin']) self.assertTrue(ctx_dict['read_only']) self.assertTrue(ctx_dict['show_deleted']) self.assertEqual('id1', ctx_dict['request_id']) self.assertTrue(ctx_dict['is_public_api']) self.assertEqual('domain_id1', ctx_dict['domain_id']) self.assertEqual('domain_name1', ctx_dict['domain_name']) self.assertFalse(ctx_dict['show_password']) self.assertEqual([], ctx_dict['roles'])
def test_download_file_url(self, mock_getsize, mock_sendfile): # NOTE: only in v2 API class MyGlanceStubClient(stubs.StubGlanceClient): """A client that returns a file url.""" s_tmpfname = '/whatever/source' def get(self, image_id): return type('GlanceTestDirectUrlMeta', (object,), {'direct_url': 'file://%s' + self.s_tmpfname}) stub_context = context.RequestContext(auth_token=True) stub_context.user_id = 'fake' stub_context.project_id = 'fake' stub_client = MyGlanceStubClient() stub_service = service.GlanceImageService(stub_client, context=stub_context, version=2) image_id = uuidutils.generate_uuid() self.config(allowed_direct_url_schemes=['file'], group='glance') # patching open in base_image_service module namespace # to make call-spec assertions with mock.patch('ironic.common.glance_service.base_image_service.open', new=mock.mock_open(), create=True) as mock_ironic_open: with open('/whatever/target', 'w') as mock_target_fd: stub_service.download(image_id, mock_target_fd) # assert the image data was neither read nor written # but rather sendfiled mock_ironic_open.assert_called_once_with(MyGlanceStubClient.s_tmpfname, 'r') mock_source_fd = mock_ironic_open() self.assertFalse(mock_source_fd.read.called) self.assertFalse(mock_target_fd.write.called) mock_sendfile.assert_called_once_with( mock_target_fd.fileno(), mock_source_fd.fileno(), 0, mock_getsize(MyGlanceStubClient.s_tmpfname))
def setUp(self): super(TestNeutronClient, self).setUp() # NOTE(pas-ha) register keystoneauth dynamic options manually plugin = kaloading.get_plugin_loader('password') opts = kaloading.get_auth_plugin_conf_options(plugin) self.cfg_fixture.register_opts(opts, group='neutron') self.config(retries=2, group='neutron') self.config(username='******', project_name='test-admin-tenant', password='******', auth_url='test-auth-uri', auth_type='password', interface='internal', service_type='network', timeout=10, group='neutron') # force-reset the global session object neutron._NEUTRON_SESSION = None self.context = context.RequestContext(global_request_id='global')
def get_client(token=None, context=None): if not context: context = ironic_context.RequestContext(auth_token=token) # NOTE(pas-ha) neutronclient supports passing both session # and the auth to client separately, makes things easier session = _get_neutron_session() service_auth = keystone.get_auth('neutron') endpoint = keystone.get_endpoint('neutron', session=session, auth=service_auth) user_auth = None if CONF.neutron.auth_type != 'none' and context.auth_token: user_auth = keystone.get_service_auth(context, endpoint, service_auth) return clientv20.Client(session=session, auth=user_auth or service_auth, endpoint_override=endpoint, retries=CONF.neutron.retries, global_request_id=context.global_id, timeout=CONF.neutron.request_timeout)
def before(self, state): headers = state.request.headers creds = { 'user': headers.get('X-User') or headers.get('X-User-Id'), 'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'), 'domain_id': headers.get('X-User-Domain-Id'), 'domain_name': headers.get('X-User-Domain-Name'), 'auth_token': headers.get('X-Auth-Token'), 'roles': headers.get('X-Roles', '').split(','), } # NOTE(adam_g): We also check the previous 'admin' rule to ensure # compat with default juno policy.json. This double check may be # removed in L. is_admin = (policy.enforce('admin_api', creds, creds) or policy.enforce('admin', creds, creds)) is_public_api = state.request.environ.get('is_public_api', False) state.request.context = context.RequestContext( is_admin=is_admin, is_public_api=is_public_api, **creds)
def before(self, state): user_id = state.request.headers.get('X-User-Id') user_id = state.request.headers.get('X-User', user_id) tenant = state.request.headers.get('X-Tenant-Id') tenant = state.request.headers.get('X-Tenant', tenant) domain_id = state.request.headers.get('X-User-Domain-Id') domain_name = state.request.headers.get('X-User-Domain-Name') auth_token = state.request.headers.get('X-Auth-Token') creds = {'roles': state.request.headers.get('X-Roles', '').split(',')} is_public_api = state.request.environ.get('is_public_api', False) is_admin = policy.check('admin', state.request.headers, creds) state.request.context = context.RequestContext( auth_token=auth_token, user=user_id, tenant=tenant, domain_id=domain_id, domain_name=domain_name, is_admin=is_admin, is_public_api=is_public_api)
def test_check_image_service__token_auth(self, mock_gclient, mock_sess, mock_adapter, mock_sauth, mock_auth): def func(service, *args, **kwargs): return args, kwargs self.service.context = context.RequestContext( auth_token='token', global_request_id='global') mock_adapter.return_value = adapter = mock.Mock() adapter.get_endpoint.return_value = 'glance_url' uuid = uuidutils.generate_uuid() params = {'image_href': uuid} wrapped_func = image_service.check_image_service(func) self.assertEqual(((), params), wrapped_func(self.service, **params)) self._assert_client_call(mock_gclient, 'glance_url', user=True) mock_sess.assert_called_once_with('glance') mock_adapter.assert_called_once_with('glance', session=mock.sentinel.session, auth=mock.sentinel.auth) mock_sauth.assert_called_once_with(self.service.context, 'glance_url', mock.sentinel.auth) mock_auth.assert_called_once_with('glance')
def test_to_policy_values(self): ctx = context.RequestContext(**self.context_dict) ctx_dict = ctx.to_policy_values() self.assertEqual('somename', ctx_dict['project_name']) self.assertTrue(ctx_dict['is_public_api'])
def test_create_context(self, context_mock): test_context = context.RequestContext() context_mock.assert_called_once_with(mock.ANY) self.assertFalse(test_context.is_public_api)