def test_delete_project(self): """Call ``DELETE /projects/{project_id}`` As well as making sure the delete succeeds, we ensure that any credentials that reference this projects are also deleted, while other credentials are unaffected. """ credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id) self.credential_api.create_credential(credential["id"], credential) # First check the credential for this project is present r = self.credential_api.get_credential(credential["id"]) self.assertDictEqual(credential, r) # Create a second credential with a different project project2 = unit.new_project_ref(domain_id=self.domain["id"]) self.resource_api.create_project(project2["id"], project2) credential2 = unit.new_credential_ref(user_id=self.user["id"], project_id=project2["id"]) self.credential_api.create_credential(credential2["id"], credential2) # Now delete the project self.delete("/projects/%(project_id)s" % {"project_id": self.project_id}) # Deleting the project should have deleted any credentials # that reference this project self.assertRaises( exception.CredentialNotFound, self.credential_api.get_credential, credential_id=credential["id"] ) # But the credential for project2 is unaffected r = self.credential_api.get_credential(credential2["id"]) self.assertDictEqual(credential2, r)
def test_list_credentials_filtered_by_type_and_user_id(self): """Call ``GET /credentials?user_id={user_id}&type={type}``.""" user1_id = uuid.uuid4().hex user2_id = uuid.uuid4().hex PROVIDERS.assignment_api.create_system_grant_for_user( self.user_id, self.role_id ) token = self.get_system_scoped_token() # Creating credentials for two different users credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id, type=CRED_TYPE_EC2) credential_user1_cert = unit.new_credential_ref(user_id=user1_id) credential_user2_cert = unit.new_credential_ref(user_id=user2_id) PROVIDERS.credential_api.create_credential( credential_user1_ec2['id'], credential_user1_ec2) PROVIDERS.credential_api.create_credential( credential_user1_cert['id'], credential_user1_cert) PROVIDERS.credential_api.create_credential( credential_user2_cert['id'], credential_user2_cert) r = self.get( '/credentials?user_id=%s&type=ec2' % user1_id, token=token ) self.assertValidCredentialListResponse(r, ref=credential_user1_ec2) self.assertThat(r.result['credentials'], matchers.HasLength(1)) cred = r.result['credentials'][0] self.assertEqual(CRED_TYPE_EC2, cred['type']) self.assertEqual(user1_id, cred['user_id'])
def test_list_credentials_filtered_by_type(self): """Call ``GET /credentials?type={type}``.""" # The type ec2 was chosen, instead of a random string, # because the type must be in the list of supported types ec2_credential = unit.new_credential_ref(user_id=uuid.uuid4().hex, project_id=self.project_id, type=CRED_TYPE_EC2) ec2_resp = self.credential_api.create_credential( ec2_credential['id'], ec2_credential) # The type cert was chosen for the same reason as ec2 r = self.get('/credentials?type=cert') # Testing the filter for two different types self.assertValidCredentialListResponse(r, ref=self.credential) for cred in r.result['credentials']: self.assertEqual('cert', cred['type']) r_ec2 = self.get('/credentials?type=ec2') self.assertThat(r_ec2.result['credentials'], matchers.HasLength(1)) cred_ec2 = r_ec2.result['credentials'][0] self.assertValidCredentialListResponse(r_ec2, ref=ec2_resp) self.assertEqual(CRED_TYPE_EC2, cred_ec2['type']) self.assertEqual(ec2_credential['id'], cred_ec2['id'])
def test_create_credential(self): """Call ``POST /credentials``.""" ref = unit.new_credential_ref(user_id=self.user['id']) r = self.post( '/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref)
def setUp(self): super(CredentialTestCase, self).setUp() self.credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id) self.credential_api.create_credential(self.credential["id"], self.credential)
def test_update_credential(self): """Call ``PATCH /credentials/{credential_id}``.""" ref = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id) del ref["id"] r = self.patch( "/credentials/%(credential_id)s" % {"credential_id": self.credential["id"]}, body={"credential": ref} ) self.assertValidCredentialResponse(r, ref)
def test_create_credential_with_admin_token(self): # Make sure we can create credential with the static admin token ref = unit.new_credential_ref(user_id=self.user['id']) r = self.post( '/credentials', body={'credential': ref}, token=self.get_admin_token()) self.assertValidCredentialResponse(r, ref)
def _create_credential_with_user_id(self, user_id=None): if not user_id: user_id = uuid.uuid4().hex credential = unit.new_credential_ref(user_id=user_id, extra=uuid.uuid4().hex, type=uuid.uuid4().hex) self.credential_api.create_credential(credential['id'], credential) return credential
def _create_credential_with_user_id(self, user_id=uuid.uuid4().hex): credential = unit.new_credential_ref(user_id=user_id, extra=uuid.uuid4().hex, type=uuid.uuid4().hex) PROVIDERS.credential_api.create_credential( credential['id'], credential ) return credential
def test_list_credentials_filtered_by_user_id(self): """Call ``GET /credentials?user_id={user_id}``.""" credential = unit.new_credential_ref(user_id=uuid.uuid4().hex) self.credential_api.create_credential(credential['id'], credential) r = self.get('/credentials?user_id=%s' % self.user['id']) self.assertValidCredentialListResponse(r, ref=self.credential) for cred in r.result['credentials']: self.assertEqual(self.user['id'], cred['user_id'])
def setUp(self): super(IdentityTestCase, self).setUp() self.group = unit.new_group_ref(domain_id=self.domain_id) self.group = self.identity_api.create_group(self.group) self.group_id = self.group["id"] self.credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id) self.credential_api.create_credential(self.credential["id"], self.credential)
def test_update_credential(self): """Call ``PATCH /credentials/{credential_id}``.""" ref = unit.new_credential_ref(user_id=self.user['id'], project_id=self.project_id) del ref['id'] r = self.patch( '/credentials/%(credential_id)s' % { 'credential_id': self.credential['id']}, body={'credential': ref}) self.assertValidCredentialResponse(r, ref)
def test_ec2_cannot_get_non_ec2_credential(self): access_key = uuid.uuid4().hex cred_id = utils.hash_access_key(access_key) non_ec2_cred = unit.new_credential_ref(user_id=self.user_id, project_id=self.project_id) non_ec2_cred["id"] = cred_id self.credential_api.create_credential(cred_id, non_ec2_cred) uri = "/".join([self._get_ec2_cred_uri(), access_key]) # if access_key is not found, ec2 controller raises Unauthorized # exception self.get(uri, expected_status=http_client.UNAUTHORIZED)
def test_create_ec2_credential_with_invalid_blob(self): """Test creating ec2 credential with invalid blob. Call ``POST /credentials``. """ ref = unit.new_credential_ref( user_id=self.user["id"], project_id=self.project_id, blob='{"abc":"def"d}', type=CRED_TYPE_EC2 ) # Assert bad request status when request contains invalid blob response = self.post("/credentials", body={"credential": ref}, expected_status=http_client.BAD_REQUEST) self.assertValidErrorResponse(response)
def test_list_credentials_filtered_by_type_and_user_id(self): """Call ``GET /credentials?user_id={user_id}&type={type}``.""" user1_id = uuid.uuid4().hex user2_id = uuid.uuid4().hex # Creating credentials for two different users credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id, type=CRED_TYPE_EC2) credential_user1_cert = unit.new_credential_ref(user_id=user1_id) credential_user2_cert = unit.new_credential_ref(user_id=user2_id) self.credential_api.create_credential(credential_user1_ec2["id"], credential_user1_ec2) self.credential_api.create_credential(credential_user1_cert["id"], credential_user1_cert) self.credential_api.create_credential(credential_user2_cert["id"], credential_user2_cert) r = self.get("/credentials?user_id=%s&type=ec2" % user1_id) self.assertValidCredentialListResponse(r, ref=credential_user1_ec2) self.assertThat(r.result["credentials"], matchers.HasLength(1)) cred = r.result["credentials"][0] self.assertEqual(CRED_TYPE_EC2, cred["type"]) self.assertEqual(user1_id, cred["user_id"])
def test_credential_duplicate_conflict_gives_name(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) credential = unit.new_credential_ref(user_id=user['id']) self.credential_api.create_credential(credential['id'], credential) try: self.credential_api.create_credential(credential['id'], credential) except exception.Conflict as e: self.assertIn("Duplicate entry found with ID %s" % credential['id'], repr(e)) else: self.fail("Create duplicate credential did not raise a conflict")
def test_create_ec2_credential_with_invalid_blob(self): """Call ``POST /credentials`` for creating ec2 credential with invalid blob. """ ref = unit.new_credential_ref(user_id=self.user['id'], project_id=self.project_id, blob='{"abc":"def"d}', type='ec2') # Assert bad request status when request contains invalid blob response = self.post( '/credentials', body={'credential': ref}, expected_status=http_client.BAD_REQUEST) self.assertValidErrorResponse(response)
def test_delete_user(self): """Call ``DELETE /users/{user_id}``. As well as making sure the delete succeeds, we ensure that any credentials that reference this user are also deleted, while other credentials are unaffected. In addition, no tokens should remain valid for this user. """ # First check the credential for this user is present r = self.credential_api.get_credential(self.credential['id']) self.assertDictEqual(self.credential, r) # Create a second credential with a different user user2 = unit.new_user_ref(domain_id=self.domain['id'], project_id=self.project['id']) user2 = self.identity_api.create_user(user2) credential2 = unit.new_credential_ref(user_id=user2['id'], project_id=self.project['id']) self.credential_api.create_credential(credential2['id'], credential2) # Create a token for this user which we can check later # gets deleted auth_data = self.build_authentication_request( user_id=self.user['id'], password=self.user['password'], project_id=self.project['id']) token = self.get_requested_token(auth_data) # Confirm token is valid for now self.head('/auth/tokens', headers={'X-Subject-Token': token}, expected_status=http_client.OK) # Now delete the user self.delete('/users/%(user_id)s' % { 'user_id': self.user['id']}) # Deleting the user should have deleted any credentials # that reference this project self.assertRaises(exception.CredentialNotFound, self.credential_api.get_credential, self.credential['id']) # And the no tokens we remain valid tokens = self.token_provider_api._persistence._list_tokens( self.user['id']) self.assertEqual(0, len(tokens)) # But the credential for user2 is unaffected r = self.credential_api.get_credential(credential2['id']) self.assertDictEqual(credential2, r)
def test_list_credentials_filtered_by_type_and_user_id(self): """Call ``GET /credentials?user_id={user_id}&type={type}``.""" user1_id = uuid.uuid4().hex user2_id = uuid.uuid4().hex # Creating credentials for two different users credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id, type='ec2') credential_user1_cert = unit.new_credential_ref(user_id=user1_id) credential_user2_cert = unit.new_credential_ref(user_id=user2_id) self.credential_api.create_credential( credential_user1_ec2['id'], credential_user1_ec2) self.credential_api.create_credential( credential_user1_cert['id'], credential_user1_cert) self.credential_api.create_credential( credential_user2_cert['id'], credential_user2_cert) r = self.get('/credentials?user_id=%s&type=ec2' % user1_id) self.assertValidCredentialListResponse(r, ref=credential_user1_ec2) self.assertThat(r.result['credentials'], matchers.HasLength(1)) cred = r.result['credentials'][0] self.assertEqual('ec2', cred['type']) self.assertEqual(user1_id, cred['user_id'])
def test_ec2_cannot_get_non_ec2_credential(self): access_key = uuid.uuid4().hex cred_id = utils.hash_access_key(access_key) non_ec2_cred = unit.new_credential_ref( user_id=self.user_id, project_id=self.project_id) non_ec2_cred['id'] = cred_id self.credential_api.create_credential(cred_id, non_ec2_cred) # if access_key is not found, ec2 controller raises Unauthorized # exception path = '/'.join([self._get_ec2_cred_uri(), access_key]) self.public_request(method='GET', token=self.get_scoped_token(), path=path, expected_status=http_client.UNAUTHORIZED)
def test_update_credential_to_ec2_type(self): """Call ``PATCH /credentials/{credential_id}``.""" # Create a credential without providing a project_id ref = unit.new_credential_ref(user_id=self.user['id']) r = self.post( '/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref) credential_id = r.result.get('credential')['id'] # Updating the credential to ec2 requires a project_id update_ref = {'type': 'ec2', 'project_id': self.project_id} self.patch( '/credentials/%(credential_id)s' % { 'credential_id': credential_id}, body={'credential': update_ref})
def test_update_credential_to_ec2_with_previously_set_project_id(self): """Call ``PATCH /credentials/{credential_id}``.""" # Create a credential providing a project_id ref = unit.new_credential_ref(user_id=self.user['id'], project_id=self.project_id) r = self.post( '/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref) credential_id = r.result.get('credential')['id'] # Since the created credential above already has a project_id, the # update request will not fail update_ref = {'type': 'ec2'} self.patch( '/credentials/%(credential_id)s' % { 'credential_id': credential_id}, body={'credential': update_ref})
def test_update_credential_to_ec2_missing_project_id(self): """Call ``PATCH /credentials/{credential_id}``.""" # Create a credential without providing a project_id ref = unit.new_credential_ref(user_id=self.user['id']) r = self.post( '/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref) credential_id = r.result.get('credential')['id'] # Updating such credential to ec2 type without providing a project_id # will fail update_ref = {'type': 'ec2'} self.patch( '/credentials/%(credential_id)s' % { 'credential_id': credential_id}, body={'credential': update_ref}, expected_status=http_client.BAD_REQUEST)
def test_ec2_list_credentials(self): """Test ec2 credential listing.""" self._get_ec2_cred() uri = self._get_ec2_cred_uri() r = self.get(uri) cred_list = r.result["credentials"] self.assertEqual(1, len(cred_list)) self.assertThat(r.result["links"]["self"], matchers.EndsWith(uri)) # non-EC2 credentials won't be fetched non_ec2_cred = unit.new_credential_ref(user_id=self.user_id, project_id=self.project_id) non_ec2_cred["type"] = uuid.uuid4().hex self.credential_api.create_credential(non_ec2_cred["id"], non_ec2_cred) r = self.get(uri) cred_list_2 = r.result["credentials"] # still one element because non-EC2 credentials are not returned. self.assertEqual(1, len(cred_list_2)) self.assertEqual(cred_list[0], cred_list_2[0])
def setUp(self): super(IdentityTestCase, self).setUp() self.useFixture( ksfixtures.KeyRepository( self.config_fixture, 'credential', credential_fernet.MAX_ACTIVE_KEYS ) ) self.group = unit.new_group_ref(domain_id=self.domain_id) self.group = self.identity_api.create_group(self.group) self.group_id = self.group['id'] self.credential = unit.new_credential_ref( user_id=self.user['id'], project_id=self.project_id) self.credential_api.create_credential(self.credential['id'], self.credential)
def test_ec2_list_credentials(self): self._get_ec2_cred() uri = self._get_ec2_cred_uri() r = self.public_request(method='GET', token=self.get_scoped_token(), path=uri) cred_list = r.result['credentials'] self.assertEqual(1, len(cred_list)) # non-EC2 credentials won't be fetched non_ec2_cred = unit.new_credential_ref( user_id=self.user_id, project_id=self.project_id) non_ec2_cred['type'] = uuid.uuid4().hex self.credential_api.create_credential(non_ec2_cred['id'], non_ec2_cred) r = self.public_request(method='GET', token=self.get_scoped_token(), path=uri) cred_list_2 = r.result['credentials'] # still one element because non-EC2 credentials are not returned. self.assertEqual(1, len(cred_list_2)) self.assertEqual(cred_list[0], cred_list_2[0])
def test_list_credentials_is_decrypted(self): credential = unit.new_credential_ref(user_id=uuid.uuid4().hex) credential_id = credential['id'] created_credential = self.credential_api.create_credential( credential_id, credential ) # Pull the credential directly from the backend, the `blob` should be # encrypted. credential_from_backend = self.credential_api.driver.get_credential( credential_id ) self.assertNotEqual( credential_from_backend['encrypted_blob'], credential['blob'] ) # Make sure the `blob` values listed from the API are not encrypted. listed_credentials = self.credential_api.list_credentials() self.assertIn(created_credential, listed_credentials)
def test_create_credential_is_encrypted_when_stored(self): credential = unit.new_credential_ref(user_id=uuid.uuid4().hex) credential_id = credential['id'] returned_credential = self.credential_api.create_credential( credential_id, credential ) # Make sure the `blob` is *not* encrypted when returned from the # credential API. self.assertEqual(returned_credential['blob'], credential['blob']) credential_from_backend = self.credential_api.driver.get_credential( credential_id ) # Pull the credential directly from the backend, the `blob` should be # encrypted. self.assertNotEqual( credential_from_backend['encrypted_blob'], credential['blob'] )
def _create_credential_with_user_id(self, user_id=uuid.uuid4().hex): credential = unit.new_credential_ref(user_id=user_id, extra=uuid.uuid4().hex, type=uuid.uuid4().hex) self.credential_api.create_credential(credential['id'], credential) return credential
def test_create_credential(self): """Call ``POST /credentials``.""" ref = unit.new_credential_ref(user_id=self.user["id"]) r = self.post("/credentials", body={"credential": ref}) self.assertValidCredentialResponse(r, ref)
def new_credential_ref(self, user_id, project_id=None, cred_type=None): return unit.new_credential_ref(user_id, project_id=project_id, cred_type=cred_type)
def test_create_credential(self): """Call ``POST /credentials``.""" ref = unit.new_credential_ref(user_id=self.user['id']) r = self.post('/credentials', body={'credential': ref}) self.assertValidCredentialResponse(r, ref)