def setUp(self):
self.useFixture(database.Database())
super(TestCaseWithBootstrap, self).setUp()
self.config_fixture = self.useFixture(config_fixture.Config(CONF))
CONF(args=[], project='keystone')
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens',
CONF.fernet_tokens.max_active_keys))
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_receipts',
CONF.fernet_receipts.max_active_keys))
self.bootstrapper = bootstrap.Bootstrapper()
self.addCleanup(provider_api.ProviderAPIs._clear_registry_instances)
self.addCleanup(self.clean_default_domain)
self.bootstrapper.admin_password = '******'
self.bootstrapper.admin_username = '******'
self.bootstrapper.project_name = 'admin'
self.bootstrapper.admin_role_name = 'admin'
self.bootstrapper.service_name = 'keystone'
self.bootstrapper.public_url = 'http://localhost/identity/'
self.bootstrapper.immutable_roles = True
try:
PROVIDERS.resource_api.create_domain(
default_fixtures.ROOT_DOMAIN['id'],
default_fixtures.ROOT_DOMAIN)
except exception.Conflict:
pass
self.bootstrapper.bootstrap()
def config_overrides(self):
# NOTE(morganfainberg): enforce config_overrides can only ever be
# called a single time.
assert self.__config_overrides_called is False
self.__config_overrides_called = True
signing_certfile = 'examples/pki/certs/signing_cert.pem'
signing_keyfile = 'examples/pki/private/signing_key.pem'
self.useFixture(self._policy_fixture())
self.config_fixture.config(
# TODO(morganfainberg): Make Cache Testing a separate test case
# in tempest, and move it out of the base unit tests.
group='cache',
backend='dogpile.cache.memory',
enabled=True,
proxies=['oslo_cache.testing.CacheIsolatingProxy'])
self.config_fixture.config(
group='catalog',
driver='sql',
template_file=dirs.tests('default_catalog.templates'))
self.config_fixture.config(group='signing',
certfile=signing_certfile,
keyfile=signing_keyfile,
ca_certs='examples/pki/certs/cacert.pem')
self.config_fixture.config(group='saml',
certfile=signing_certfile,
keyfile=signing_keyfile)
self.config_fixture.config(default_log_levels=[
'amqp=WARN',
'amqplib=WARN',
'boto=WARN',
'qpid=WARN',
'sqlalchemy=WARN',
'suds=INFO',
'oslo.messaging=INFO',
'iso8601=WARN',
'requests.packages.urllib3.connectionpool=WARN',
'routes.middleware=INFO',
'stevedore.extension=INFO',
'keystone.notifications=INFO',
'keystone.identity.backends.ldap.common=INFO',
])
# NOTE(notmorgan): Set password rounds low here to ensure speedy
# tests. This is explicitly set because the tests here are not testing
# the integrity of the password hashing, just that the correct form
# of hashing has been used. Note that 4 is the lowest for bcrypt
# allowed in the `[identity] password_hash_rounds` setting
self.config_fixture.config(group='identity', password_hash_rounds=4)
self.config_fixture.config(crypt_strength=1000)
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens',
CONF.fernet_tokens.max_active_keys))
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_receipts',
CONF.fernet_receipts.max_active_keys))
def setUp(self):
super(TestFernetCredentialProvider, self).setUp()
self.provider = credential_fernet.Provider()
self.useFixture(database.Database())
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_fernet.MAX_ACTIVE_KEYS))
def test_rotation(self):
# Initializing a key repository results in this many keys. We don't
# support max_active_keys being set any lower.
min_active_keys = 2
# Simulate every rotation strategy up to "rotating once a week while
# maintaining a year's worth of keys."
for max_active_keys in six.moves.range(min_active_keys, 52 + 1):
self.config_fixture.config(group='fernet_tokens',
max_active_keys=max_active_keys)
# Ensure that resetting the key repository always results in 2
# active keys.
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
self.assertEqual(min_active_keys, self.key_repository_size)
# Rotate the keys just enough times to fully populate the key
# repository.
for rotation in six.moves.range(max_active_keys - min_active_keys):
fernet_utils.rotate_keys()
self.assertEqual(max_active_keys, self.key_repository_size)
# Rotate an additional number of times to ensure that we maintain
# the desired number of active keys.
for rotation in six.moves.range(10):
fernet_utils.rotate_keys()
self.assertEqual(self.key_repository_size, max_active_keys)
def test_rotation_disk_write_fail(self):
# Init the key repository
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'fernet_tokens',
CONF.fernet_tokens.max_active_keys
)
)
# Make sure that the init key repository contains 2 keys
self.assertRepositoryState(expected_size=2)
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys
)
# Simulate the disk full situation
mock_open = mock.mock_open()
file_handle = mock_open()
file_handle.flush.side_effect = IOError('disk full')
with mock.patch('keystone.common.fernet_utils.open', mock_open):
self.assertRaises(IOError, key_utils.rotate_keys)
# Assert that the key repository is unchanged
self.assertEqual(self.key_repository_size, 2)
def setUp(self):
super(TestTokenProvider, self).setUp()
self.useFixture(database.Database())
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens',
CONF.fernet_tokens.max_active_keys))
self.load_backends()
def setUp(self):
super(V2CredentialEc2TestCase, self).setUp()
self.user_id = self.user_foo['id']
self.project_id = self.tenant_bar['id']
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_fernet.MAX_ACTIVE_KEYS))
def test_non_numeric_files(self):
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
evil_file = os.path.join(CONF.fernet_tokens.key_repository, '~1')
with open(evil_file, 'w'):
pass
keys = fernet_utils.load_keys()
self.assertEqual(2, len(keys))
self.assertTrue(len(keys[0]))
def config_overrides(self):
super(FernetSqlRevokeTests, self).config_overrides()
self.config_fixture.config(group='token',
provider='fernet',
revoke_by_id=False)
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens',
CONF.fernet_tokens.max_active_keys))
def config_overrides(self):
# NOTE(morganfainberg): enforce config_overrides can only ever be
# called a single time.
assert self.__config_overrides_called is False
self.__config_overrides_called = True
signing_certfile = 'examples/pki/certs/signing_cert.pem'
signing_keyfile = 'examples/pki/private/signing_key.pem'
self.useFixture(self._policy_fixture())
self.config_fixture.config(
# TODO(morganfainberg): Make Cache Testing a separate test case
# in tempest, and move it out of the base unit tests.
group='cache',
backend='dogpile.cache.memory',
enabled=True,
proxies=['oslo_cache.testing.CacheIsolatingProxy'])
self.config_fixture.config(
group='catalog',
driver='sql',
template_file=dirs.tests('default_catalog.templates'))
self.config_fixture.config(
group='kvs',
backends=[
('keystone.tests.unit.test_kvs.'
'KVSBackendForcedKeyMangleFixture'),
'keystone.tests.unit.test_kvs.KVSBackendFixture'])
self.config_fixture.config(
group='signing', certfile=signing_certfile,
keyfile=signing_keyfile,
ca_certs='examples/pki/certs/cacert.pem')
self.config_fixture.config(
group='saml', certfile=signing_certfile, keyfile=signing_keyfile)
self.config_fixture.config(
default_log_levels=[
'amqp=WARN',
'amqplib=WARN',
'boto=WARN',
'qpid=WARN',
'sqlalchemy=WARN',
'suds=INFO',
'oslo.messaging=INFO',
'iso8601=WARN',
'requests.packages.urllib3.connectionpool=WARN',
'routes.middleware=INFO',
'stevedore.extension=INFO',
'keystone.notifications=INFO',
'keystone.identity.backends.ldap.common=INFO',
])
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'fernet_tokens',
CONF.fernet_tokens.max_active_keys
)
)
def setUp(self):
super(CredentialBaseTestCase, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'credential',
credential_fernet.MAX_ACTIVE_KEYS
)
)
def setUp(self):
super(TestTokenFormatter, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'fernet_tokens',
CONF.fernet_tokens.max_active_keys
)
)
def test_rotation(self):
# Initializing a key repository results in this many keys. We don't
# support max_active_keys being set any lower.
min_active_keys = 2
# Simulate every rotation strategy up to "rotating once a week while
# maintaining a year's worth of keys."
for max_active_keys in range(min_active_keys, 52 + 1):
self.config_fixture.config(group='fernet_receipts',
max_active_keys=max_active_keys)
# Ensure that resetting the key repository always results in 2
# active keys.
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture,
'fernet_receipts',
CONF.fernet_receipts.max_active_keys))
# Validate the initial repository state.
self.assertRepositoryState(expected_size=min_active_keys)
# The repository should be initialized with a staged key (0) and a
# primary key (1). The next key is just auto-incremented.
exp_keys = [0, 1]
next_key_number = exp_keys[-1] + 1 # keep track of next key
self.assertEqual(exp_keys, self.keys)
# Rotate the keys just enough times to fully populate the key
# repository.
key_utils = fernet_utils.FernetUtils(
CONF.fernet_receipts.key_repository,
CONF.fernet_receipts.max_active_keys, 'fernet_receipts')
for rotation in range(max_active_keys - min_active_keys):
key_utils.rotate_keys()
self.assertRepositoryState(expected_size=rotation + 3)
exp_keys.append(next_key_number)
next_key_number += 1
self.assertEqual(exp_keys, self.keys)
# We should have a fully populated key repository now.
self.assertEqual(max_active_keys, self.key_repository_size)
# Rotate an additional number of times to ensure that we maintain
# the desired number of active keys.
key_utils = fernet_utils.FernetUtils(
CONF.fernet_receipts.key_repository,
CONF.fernet_receipts.max_active_keys, 'fernet_receipts')
for rotation in range(10):
key_utils.rotate_keys()
self.assertRepositoryState(expected_size=max_active_keys)
exp_keys.pop(1)
exp_keys.append(next_key_number)
next_key_number += 1
self.assertEqual(exp_keys, self.keys)
def setUp(self):
super(TestCredentialAccessToken, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'credential',
credential_fernet.MAX_ACTIVE_KEYS
)
)
self.base_url = 'http://localhost/v3'
def config_overrides(self):
super(FernetAuthTokenTests, self).config_overrides()
self.config_fixture.config(group='token', provider='fernet')
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'fernet_tokens',
CONF.fernet_tokens.max_active_keys
)
)
def setUp(self):
super(TestFernetTokenProvider, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'fernet_tokens',
CONF.fernet_tokens.max_active_keys
)
)
self.provider = fernet.Provider()
def setUp(self):
super(TestCredentialTrustScoped, self).setUp()
self.trustee_user = unit.new_user_ref(domain_id=self.domain_id)
password = self.trustee_user['password']
self.trustee_user = self.identity_api.create_user(self.trustee_user)
self.trustee_user['password'] = password
self.trustee_user_id = self.trustee_user['id']
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_fernet.MAX_ACTIVE_KEYS))
def test_non_numeric_files(self):
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
evil_file = os.path.join(CONF.fernet_tokens.key_repository, '99.bak')
with open(evil_file, 'w'):
pass
fernet_utils.rotate_keys()
self.assertTrue(os.path.isfile(evil_file))
keys = 0
for x in os.listdir(CONF.fernet_tokens.key_repository):
if x == '99.bak':
continue
keys += 1
self.assertEqual(3, keys)
def test_non_numeric_files(self):
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens',
CONF.fernet_tokens.max_active_keys))
evil_file = os.path.join(CONF.fernet_tokens.key_repository, '~1')
with open(evil_file, 'w'):
pass
key_utils = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys, 'fernet_tokens')
keys = key_utils.load_keys()
self.assertEqual(2, len(keys))
self.assertValidFernetKey(keys)
def setUp(self):
# Make sure the expand and data migration repos are fully
# upgraded, since the contract phase is only run after these are
# upgraded.
super().setUp()
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'credential',
credential_fernet.MAX_ACTIVE_KEYS
)
)
self.expand()
self.migrate()
def config_overrides(self):
super(CertSetupTestCase, self).config_overrides()
ca_certs = os.path.join(CERTDIR, 'ca.pem')
ca_key = os.path.join(CERTDIR, 'cakey.pem')
self.config_fixture.config(
group='signing',
certfile=os.path.join(CERTDIR, 'signing_cert.pem'),
ca_certs=ca_certs,
ca_key=ca_key,
keyfile=os.path.join(KEYDIR, 'signing_key.pem'))
self.config_fixture.config(group='token', provider='fernet')
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens',
CONF.fernet_tokens.max_active_keys))
def setUp(self):
self.useFixture(database.Database())
super(SqlCredential, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_provider.MAX_ACTIVE_KEYS))
self.credentials = []
for _ in range(3):
self.credentials.append(self._create_credential_with_user_id())
self.user_credentials = []
for _ in range(3):
cred = self._create_credential_with_user_id(self.user_foo['id'])
self.user_credentials.append(cred)
self.credentials.append(cred)
def setUp(self):
super(IdentityTestCase, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_fernet.MAX_ACTIVE_KEYS))
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group['id']
self.credential = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
self.credential_api.create_credential(self.credential['id'],
self.credential)
def test_debug_message_not_logged_when_loading_fernet_credential_key(self):
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
CONF.fernet_tokens.max_active_keys))
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
fernet_utilities = fernet_utils.FernetUtils(
CONF.credential.key_repository, credential_fernet.MAX_ACTIVE_KEYS)
fernet_utilities.load_keys()
debug_message = (
'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] '
'max_active_keys = %(max)d`; perhaps there have not been enough '
'key rotations to reach `max_active_keys` yet?') % {
'dir': CONF.credential.key_repository,
'max': credential_fernet.MAX_ACTIVE_KEYS
}
self.assertNotIn(debug_message, logging_fixture.output)
def setUp(self):
super(V2CredentialEc2Controller, self).setUp()
self.useFixture(database.Database())
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_fernet.MAX_ACTIVE_KEYS))
self.load_backends()
self.load_fixtures(default_fixtures)
self.user_id = self.user_foo['id']
self.project_id = self.tenant_bar['id']
self.controller = controllers.Ec2Controller()
self.blob, tmp_ref = unit.new_ec2_credential(
user_id=self.user_id, project_id=self.project_id)
self.creds_ref = (
controllers.Ec2Controller._convert_v3_to_ec2_credential(tmp_ref))
def setUp(self):
super(SqlCredential, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_provider.MAX_ACTIVE_KEYS))
self.credentials = []
self.user_credentials = []
# setup 3 credentials with random user ids
for _ in range(3):
cred = self._create_credential_with_user_id()
self.user_credentials.append(cred)
self.credentials.append(cred)
# setup 3 credentials with specific user ids
for _ in range(3):
cred = self._create_credential_with_user_id(self.user_foo['id'])
self.user_credentials.append(cred)
self.credentials.append(cred)
def test_debug_message_logged_when_loading_fernet_token_keys(self):
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens',
CONF.fernet_tokens.max_active_keys))
logging_fixture = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
fernet_utilities = fernet_utils.FernetUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys, 'fernet_tokens')
fernet_utilities.load_keys()
expected_debug_message = (
'Loaded 2 Fernet keys from %(dir)s, but `[fernet_tokens] '
'max_active_keys = %(max)d`; perhaps there have not been enough '
'key rotations to reach `max_active_keys` yet?') % {
'dir': CONF.fernet_tokens.key_repository,
'max': CONF.fernet_tokens.max_active_keys
}
self.assertIn(expected_debug_message, logging_fixture.output)
def setUp(self):
self.useFixture(database.Database())
super(TestCaseWithBootstrap, self).setUp()
self.config_fixture = self.useFixture(config_fixture.Config(CONF))
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'fernet_tokens',
CONF.fernet_tokens.max_active_keys))
self.bootstrapper = bootstrap.Bootstrapper()
self.addCleanup(provider_api.ProviderAPIs._clear_registry_instances)
self.addCleanup(self.clean_default_domain)
self.bootstrapper.admin_password = '******'
self.bootstrapper.admin_username = '******'
self.bootstrapper.project_name = 'admin'
self.bootstrapper.admin_role_name = 'admin'
self.bootstrapper.service_name = 'keystone'
self.bootstrapper.public_url = 'http://localhost/identity/'
self.bootstrapper.bootstrap()
def test_rotation_disk_write_fail(self):
# Init the key repository
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'fernet_tokens',
CONF.fernet_tokens.max_active_keys
)
)
# Make sure that the init key repository contains 2 keys
self.assertRepositoryState(expected_size=2)
key_utils = token_utils.TokenUtils(
CONF.fernet_tokens.key_repository,
CONF.fernet_tokens.max_active_keys,
'fernet_tokens'
)
# Simulate the disk full situation
mock_open = mock.mock_open()
file_handle = mock_open()
file_handle.flush.side_effect = IOError('disk full')
with mock.patch('keystone.common.token_utils.open', mock_open):
self.assertRaises(IOError, key_utils.rotate_keys)
# Assert that the key repository is unchanged
self.assertEqual(self.key_repository_size, 2)
with mock.patch('keystone.common.token_utils.open', mock_open):
self.assertRaises(IOError, key_utils.rotate_keys)
# Assert that the key repository is still unchanged, even after
# repeated rotation attempts.
self.assertEqual(self.key_repository_size, 2)
# Rotate the keys normally, without any mocking, to show that the
# system can recover.
key_utils.rotate_keys()
# Assert that the key repository is now expanded.
self.assertEqual(self.key_repository_size, 3)
def config_overrides(self):
super(FernetAuthTokenTests, self).config_overrides()
self.config_fixture.config(group='token', provider='fernet')
self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
