def test_tenant_attribute_mapping(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.tenant_name_attribute = 'ou' CONF.ldap.tenant_desc_attribute = 'desc' CONF.ldap.tenant_enabled_attribute = 'enabled' clear_database() self.identity_api = identity_ldap.Identity() self.load_fixtures(default_fixtures) tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertEqual(tenant_ref['name'], self.tenant_baz['name']) self.assertEqual(tenant_ref['description'], self.tenant_baz['description']) self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled']) CONF.ldap.tenant_name_attribute = 'desc' CONF.ldap.tenant_desc_attribute = 'ou' self.identity_api = identity_ldap.Identity() tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertEqual(tenant_ref['name'], self.tenant_baz['description']) self.assertEqual(tenant_ref['description'], self.tenant_baz['name']) self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled'])
def test_user_attribute_mapping(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.user_name_attribute = 'sn' CONF.ldap.user_mail_attribute = 'email' CONF.ldap.user_enabled_attribute = 'enabled' clear_database() self.identity_api = identity_ldap.Identity() self.load_fixtures(default_fixtures) user_ref = self.identity_api.get_user(self.user_two['id']) self.assertEqual(user_ref['id'], self.user_two['id']) self.assertEqual(user_ref['name'], self.user_two['name']) self.assertEqual(user_ref['email'], self.user_two['email']) self.assertEqual(user_ref['enabled'], self.user_two['enabled']) CONF.ldap.user_name_attribute = 'email' CONF.ldap.user_mail_attribute = 'sn' self.identity_api = identity_ldap.Identity() user_ref = self.identity_api.get_user(self.user_two['id']) self.assertEqual(user_ref['id'], self.user_two['id']) self.assertEqual(user_ref['name'], self.user_two['email']) self.assertEqual(user_ref['email'], self.user_two['name']) self.assertEqual(user_ref['enabled'], self.user_two['enabled'])
def test_ldap_dereferencing(self): alt_users_ldif = {'objectclass': ['top', 'organizationalUnit'], 'ou': 'alt_users'} alt_fake_user_ldif = {'objectclass': ['person', 'inetOrgPerson'], 'cn': 'alt_fake1', 'sn': 'alt_fake1'} aliased_users_ldif = {'objectclass': ['alias', 'extensibleObject'], 'aliasedobjectname': "ou=alt_users,%s" % CONF.ldap.suffix} create_object("ou=alt_users,%s" % CONF.ldap.suffix, alt_users_ldif) create_object("%s=alt_fake1,ou=alt_users,%s" % (CONF.ldap.user_id_attribute, CONF.ldap.suffix), alt_fake_user_ldif) create_object("ou=alt_users,%s" % CONF.ldap.user_tree_dn, aliased_users_ldif) self.config_fixture.config(group='ldap', query_scope='sub', alias_dereferencing='never') self.identity_api = identity_ldap.Identity() self.assertRaises(exception.UserNotFound, self.identity_api.get_user, 'alt_fake1') self.config_fixture.config(group='ldap', alias_dereferencing='searching') self.identity_api = identity_ldap.Identity() user_ref = self.identity_api.get_user('alt_fake1') self.assertEqual('alt_fake1', user_ref['id']) self.config_fixture.config(group='ldap', alias_dereferencing='always') self.identity_api = identity_ldap.Identity() user_ref = self.identity_api.get_user('alt_fake1') self.assertEqual('alt_fake1', user_ref['id'])
def test_user_enable_attribute_mask(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.user_enabled_attribute = 'enabled' CONF.ldap.user_enabled_mask = 2 CONF.ldap.user_enabled_default = 512 clear_database() self.identity_api = identity_ldap.Identity() user = {'id': 'fake1', 'name': 'fake1', 'enabled': True} self.identity_api.create_user('fake1', user) user_ref = self.identity_api.get_user('fake1') self.assertEqual(user_ref['enabled'], True) user['enabled'] = False self.identity_api.update_user('fake1', user) user_ref = self.identity_api.get_user('fake1') self.assertEqual(user_ref['enabled'], False) user['enabled'] = True self.identity_api.update_user('fake1', user) user_ref = self.identity_api.get_user('fake1') self.assertEqual(user_ref['enabled'], True)
def test_configurable_forbidden_user_actions(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.user_allow_create = False CONF.ldap.user_allow_update = False CONF.ldap.user_allow_delete = False self.identity_api = identity_ldap.Identity() user = { 'id': 'fake1', 'name': 'fake1', 'password': '******', 'tenants': ['bar'] } self.assertRaises(exception.ForbiddenAction, self.identity_api.create_user, 'fake1', user) self.user_foo['password'] = '******' self.assertRaises(exception.ForbiddenAction, self.identity_api.update_user, self.user_foo['id'], self.user_foo) self.assertRaises(exception.ForbiddenAction, self.identity_api.delete_user, self.user_foo['id'])
def setUp(self): super(LDAPIdentity, self).setUp() CONF(config_files=[test.etcdir('keystone.conf'), test.testsdir('test_overrides.conf'), test.testsdir('backend_liveldap.conf')]) clear_live_database() self.identity_api = identity_ldap.Identity() self.load_fixtures(default_fixtures)
def test_role_attribute_mapping(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.role_name_attribute = 'ou' clear_database() self.identity_api = identity_ldap.Identity() self.load_fixtures(default_fixtures) role_ref = self.identity_api.get_role(self.role_member['id']) self.assertEqual(role_ref['id'], self.role_member['id']) self.assertEqual(role_ref['name'], self.role_member['name']) CONF.ldap.role_name_attribute = 'sn' self.identity_api = identity_ldap.Identity() role_ref = self.identity_api.get_role(self.role_member['id']) self.assertEqual(role_ref['id'], self.role_member['id']) self.assertNotIn('name', role_ref)
def test_role_filter(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) role_ref = self.identity_api.get_role(self.role_member['id']) self.assertDictEqual(role_ref, self.role_member) CONF.ldap.role_filter = '(CN=DOES_NOT_MATCH)' self.identity_api = identity_ldap.Identity() self.assertRaises(exception.RoleNotFound, self.identity_api.get_role, self.role_member['id'])
def setUp(self): super(TestIdentityDriver, self).setUp() config_fixture_ = self.useFixture(config_fixture.Config()) config_fixture_.config(group='ldap', url='fake://memory', user='******', password='******', suffix='cn=example,cn=com') self.useFixture(ldapdb.LDAPDatabase()) self.driver = ldap.Identity()
def test_dumb_member(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.use_dumb_member = True CONF.ldap.dumb_member = 'cn=dumb,cn=example,cn=com' clear_database() self.identity_api = identity_ldap.Identity() self.load_fixtures(default_fixtures) self.assertRaises(exception.UserNotFound, self.identity_api.get_user, 'dumb')
def test_tenant_filter(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) tenant_ref = self.identity_api.get_tenant(self.tenant_bar['id']) self.assertDictEqual(tenant_ref, self.tenant_bar) CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)' self.identity_api = identity_ldap.Identity() self.assertRaises(exception.TenantNotFound, self.identity_api.get_tenant, self.tenant_bar['id'])
def test_user_filter(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) user_ref = self.identity_api.get_user(self.user_foo['id']) self.user_foo.pop('password') self.assertDictEqual(user_ref, self.user_foo) CONF.ldap.user_filter = '(CN=DOES_NOT_MATCH)' self.identity_api = identity_ldap.Identity() self.assertRaises(exception.UserNotFound, self.identity_api.get_user, self.user_foo['id'])
def test_tenant_attribute_ignore(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.tenant_attribute_ignore = ['name', 'description', 'enabled'] clear_database() self.identity_api = identity_ldap.Identity() self.load_fixtures(default_fixtures) tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertNotIn('name', tenant_ref) self.assertNotIn('description', tenant_ref) self.assertNotIn('enabled', tenant_ref)
def test_configurable_allowed_tenant_actions(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) self.identity_api = identity_ldap.Identity() tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True} self.identity_api.create_tenant('fake1', tenant) tenant_ref = self.identity_api.get_tenant('fake1') self.assertEqual(tenant_ref['id'], 'fake1') tenant['enabled'] = 'False' self.identity_api.update_tenant('fake1', tenant) self.identity_api.delete_tenant('fake1') self.assertRaises(exception.TenantNotFound, self.identity_api.get_tenant, 'fake1')
def test_configurable_allowed_role_actions(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) self.identity_api = identity_ldap.Identity() role = {'id': 'fake1', 'name': 'fake1'} self.identity_api.create_role('fake1', role) role_ref = self.identity_api.get_role('fake1') self.assertEqual(role_ref['id'], 'fake1') role['name'] = 'fake2' self.identity_api.update_role('fake1', role) self.identity_api.delete_role('fake1') self.assertRaises(exception.RoleNotFound, self.identity_api.get_role, 'fake1')
def test_user_attribute_ignore(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.user_attribute_ignore = [ 'name', 'email', 'password', 'tenant_id', 'enabled', 'tenants' ] clear_database() self.identity_api = identity_ldap.Identity() self.load_fixtures(default_fixtures) user_ref = self.identity_api.get_user(self.user_two['id']) self.assertEqual(user_ref['id'], self.user_two['id']) self.assertNotIn('name', user_ref) self.assertNotIn('email', user_ref) self.assertNotIn('password', user_ref) self.assertNotIn('tenant_id', user_ref) self.assertNotIn('enabled', user_ref) self.assertNotIn('tenants', user_ref)
def test_configurable_forbidden_tenant_actions(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.tenant_allow_create = False CONF.ldap.tenant_allow_update = False CONF.ldap.tenant_allow_delete = False self.identity_api = identity_ldap.Identity() tenant = {'id': 'fake1', 'name': 'fake1'} self.assertRaises(exception.ForbiddenAction, self.identity_api.create_tenant, 'fake1', tenant) self.tenant_bar['enabled'] = 'False' self.assertRaises(exception.ForbiddenAction, self.identity_api.update_tenant, self.tenant_bar['id'], self.tenant_bar) self.assertRaises(exception.ForbiddenAction, self.identity_api.delete_tenant, self.tenant_bar['id'])
def test_configurable_forbidden_role_actions(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.role_allow_create = False CONF.ldap.role_allow_update = False CONF.ldap.role_allow_delete = False self.identity_api = identity_ldap.Identity() role = {'id': 'fake1', 'name': 'fake1'} self.assertRaises(exception.ForbiddenAction, self.identity_api.create_role, 'fake1', role) self.role_useless['name'] = 'useful' self.assertRaises(exception.ForbiddenAction, self.identity_api.update_role, self.role_useless['id'], self.role_useless) self.assertRaises(exception.ForbiddenAction, self.identity_api.delete_role, self.role_useless['id'])
def test_configurable_forbidden_role_actions(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) CONF.ldap.role_allow_create = False CONF.ldap.role_allow_update = False CONF.ldap.role_allow_delete = False self.identity_api = identity_ldap.Identity() role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} self.assertRaises(exception.ForbiddenAction, self.identity_api.create_role, role['id'], role) self.role_member['name'] = uuid.uuid4().hex self.assertRaises(exception.ForbiddenAction, self.identity_api.update_role, self.role_member['id'], self.role_member) self.assertRaises(exception.ForbiddenAction, self.identity_api.delete_role, self.role_member['id'])
def test_configurable_allowed_user_actions(self): self.config([ test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf') ]) self.identity_api = identity_ldap.Identity() user = { 'id': 'fake1', 'name': 'fake1', 'password': '******', 'tenants': ['bar'] } self.identity_api.create_user('fake1', user) user_ref = self.identity_api.get_user('fake1') self.assertEqual(user_ref['id'], 'fake1') user['password'] = '******' self.identity_api.update_user('fake1', user) self.identity_api.delete_user('fake1') self.assertRaises(exception.UserNotFound, self.identity_api.get_user, 'fake1')
def __init__(self, *args, **kwargs): super(Identity, self).__init__(*args, **kwargs) self.ldap = ldap_backend.Identity(CONF) self.domain_aware = True