예제 #1
0
    def test_trust_deleted_when_project_deleted(self):
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the project will delete the trust.
        self.delete(
            '/projects/%(project_id)s' % {'project_id': trust['project_id']})

        # call the backend method directly to bypass authentication since the
        # user no longer has the assignment on the project.
        self.assertRaises(exception.TrustNotFound,
                          self.trust_api.get_trust,
                          trust['id'])
예제 #2
0
    def test_delete_trust_with_application_credential(self):
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 impersonation=False,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r, ref)

        app_cred = {
            'id': uuid.uuid4().hex,
            'user_id': self.user_id,
            'project_id': self.project_id,
            'name': uuid.uuid4().hex,
            'roles': [{
                'id': self.role_id
            }],
            'secret': uuid.uuid4().hex
        }
        app_cred_api = PROVIDERS.application_credential_api
        app_cred_api.create_application_credential(app_cred)
        auth_data = self.build_authentication_request(
            app_cred_id=app_cred['id'], secret=app_cred['secret'])
        token_data = self.v3_create_token(auth_data,
                                          expected_status=http_client.CREATED)
        # delete the trust
        self.delete(path='/OS-TRUST/trusts/%(trust_id)s' %
                    {'trust_id': trust['id']},
                    token=token_data.headers['x-subject-token'],
                    expected_status=http_client.FORBIDDEN)
예제 #3
0
    def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
        # get a project-scoped token
        auth_data = self.build_authentication_request(
            user_id=self.default_domain_user['id'],
            password=self.default_domain_user['password'],
            project_id=self.default_domain_project_id)
        token = self.get_requested_token(auth_data)

        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.default_domain_user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.default_domain_project_id,
            impersonation=False,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
        trust = self.assertValidTrustResponse(r)

        # get a trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=self.trustee_user['id'],
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(
            r, self.trustee_user)
        token = r.headers.get('X-Subject-Token')

        # now validate the v3 token with v2 API
        path = '/v2.0/tokens/%s' % (token)
        self.admin_request(
            path=path, token=self.get_admin_token(),
            method='GET', expected_status=http_client.UNAUTHORIZED)
예제 #4
0
    def test_trust_deleted_when_project_deleted(self):
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the project will delete the trust.
        self.delete(
            '/projects/%(project_id)s' % {'project_id': trust['project_id']})

        # call the backend method directly to bypass authentication since the
        # user no longer has the assignment on the project.
        self.assertRaises(exception.TrustNotFound,
                          PROVIDERS.trust_api.get_trust,
                          trust['id'])
예제 #5
0
 def test_create_trust_with_application_credential(self):
     app_cred = {
         'id': uuid.uuid4().hex,
         'user_id': self.user_id,
         'project_id': self.project_id,
         'name': uuid.uuid4().hex,
         'roles': [{
             'id': self.role_id
         }],
         'secret': uuid.uuid4().hex
     }
     app_cred_api = PROVIDERS.application_credential_api
     app_cred_api.create_application_credential(app_cred)
     auth_data = self.build_authentication_request(
         app_cred_id=app_cred['id'], secret=app_cred['secret'])
     token_data = self.v3_create_token(auth_data,
                                       expected_status=http_client.CREATED)
     trust_body = unit.new_trust_ref(trustor_user_id=self.user_id,
                                     trustee_user_id=self.trustee_user_id,
                                     project_id=self.project_id,
                                     role_ids=[self.role_id])
     self.post(path='/OS-TRUST/trusts',
               body={'trust': trust_body},
               token=token_data.headers['x-subject-token'],
               expected_status=http_client.FORBIDDEN)
예제 #6
0
    def test_delete_trust_with_application_credential(self):
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r, ref)

        app_cred = {
            'id': uuid.uuid4().hex,
            'user_id': self.user_id,
            'project_id': self.project_id,
            'name': uuid.uuid4().hex,
            'roles': [{'id': self.role_id}],
            'secret': uuid.uuid4().hex
        }
        app_cred_api = PROVIDERS.application_credential_api
        app_cred_api.create_application_credential(app_cred)
        auth_data = self.build_authentication_request(
            app_cred_id=app_cred['id'], secret=app_cred['secret'])
        token_data = self.v3_create_token(auth_data,
                                          expected_status=http_client.CREATED)
        # delete the trust
        self.delete(path='/OS-TRUST/trusts/%(trust_id)s' % {
            'trust_id': trust['id']},
            token=token_data.headers['x-subject-token'],
            expected_status=http_client.FORBIDDEN)
예제 #7
0
    def test_create_trust_with_invalid_expiration_fails(self):
        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            role_ids=[self.role_id])

        ref['expires_at'] = 'bad'
        self.post(
            '/OS-TRUST/trusts',
            body={'trust': ref},
            expected_status=http_client.BAD_REQUEST
        )

        ref['expires_at'] = ''
        self.post(
            '/OS-TRUST/trusts',
            body={'trust': ref},
            expected_status=http_client.BAD_REQUEST
        )

        ref['expires_at'] = 'Z'
        self.post(
            '/OS-TRUST/trusts',
            body={'trust': ref},
            expected_status=http_client.BAD_REQUEST
        )
예제 #8
0
    def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
        # get a project-scoped token
        auth_data = self.build_authentication_request(
            user_id=self.default_domain_user['id'],
            password=self.default_domain_user['password'],
            project_id=self.default_domain_project_id)
        token = self.get_requested_token(auth_data)

        # create a new trust
        ref = unit.new_trust_ref(trustor_user_id=self.default_domain_user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.default_domain_project_id,
                                 impersonation=False,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
        trust = self.assertValidTrustResponse(r)

        # get a trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=self.trustee_user['id'],
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, self.trustee_user)
        token = r.headers.get('X-Subject-Token')

        # now validate the v3 token with v2 API
        path = '/v2.0/tokens/%s' % (token)
        self.admin_request(path=path,
                           token=self.get_admin_token(),
                           method='GET',
                           expected_status=http_client.UNAUTHORIZED)
예제 #9
0
    def test_exercise_trust_scoped_token_with_impersonation(self):
        # create a new trust
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 impersonation=True,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(resp)

        # get a trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=self.trustee_user['id'],
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        resp = self.v3_create_token(auth_data)
        resp_body = resp.json_body['token']

        self.assertValidProjectScopedTokenResponse(resp, self.user)
        self.assertEqual(self.user['id'], resp_body['user']['id'])
        self.assertEqual(self.user['name'], resp_body['user']['name'])
        self.assertEqual(self.domain['id'], resp_body['user']['domain']['id'])
        self.assertEqual(self.domain['name'],
                         resp_body['user']['domain']['name'])
        self.assertEqual(self.project['id'], resp_body['project']['id'])
        self.assertEqual(self.project['name'], resp_body['project']['name'])
예제 #10
0
    def test_list_trusts(self):
        # create three trusts with the same trustor and trustee
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 impersonation=False,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])
        for i in range(3):
            ref['expires_at'] = datetime.datetime.utcnow().replace(
                year=2032).strftime(unit.TIME_FORMAT)
            r = self.post('/OS-TRUST/trusts', body={'trust': ref})
            self.assertValidTrustResponse(r, ref)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        trusts = r.result['trusts']
        self.assertEqual(3, len(trusts))
        self.assertValidTrustListResponse(r)

        # list all trusts for the trustor
        r = self.get('/OS-TRUST/trusts?trustor_user_id=%s' % self.user_id)
        trusts = r.result['trusts']
        self.assertEqual(3, len(trusts))
        self.assertValidTrustListResponse(r)

        # list all trusts as the trustor as the trustee.
        r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' % self.user_id)
        trusts = r.result['trusts']
        self.assertEqual(0, len(trusts))

        # list all trusts as the trustee is forbidden
        r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' %
                     self.trustee_user_id,
                     expected_status=http_client.FORBIDDEN)
예제 #11
0
    def test_exercise_trust_scoped_token_with_impersonation(self):
        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=True,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(resp)

        # get a trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=self.trustee_user['id'],
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        resp = self.v3_create_token(auth_data)
        resp_body = resp.json_body['token']

        self.assertValidProjectScopedTokenResponse(resp, self.user)
        self.assertEqual(self.user['id'], resp_body['user']['id'])
        self.assertEqual(self.user['name'], resp_body['user']['name'])
        self.assertEqual(self.domain['id'], resp_body['user']['domain']['id'])
        self.assertEqual(self.domain['name'],
                         resp_body['user']['domain']['name'])
        self.assertEqual(self.project['id'], resp_body['project']['id'])
        self.assertEqual(self.project['name'], resp_body['project']['name'])
예제 #12
0
    def test_create_trust_with_invalid_expiration_fails(self):
        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            role_ids=[self.role_id])

        ref['expires_at'] = 'bad'
        self.post(
            '/OS-TRUST/trusts',
            body={'trust': ref},
            expected_status=http_client.BAD_REQUEST
        )

        ref['expires_at'] = ''
        self.post(
            '/OS-TRUST/trusts',
            body={'trust': ref},
            expected_status=http_client.BAD_REQUEST
        )

        ref['expires_at'] = 'Z'
        self.post(
            '/OS-TRUST/trusts',
            body={'trust': ref},
            expected_status=http_client.BAD_REQUEST
        )
예제 #13
0
 def test_create_application_credential_with_trust(self):
     second_role = unit.new_role_ref(name='reader')
     PROVIDERS.role_api.create_role(second_role['id'], second_role)
     PROVIDERS.assignment_api.add_role_to_user_and_project(
         self.user_id, self.project_id, second_role['id'])
     with self.test_client() as c:
         pw_token = self.get_scoped_token()
         # create a self-trust - only the roles are important for this test
         trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                        trustee_user_id=self.user_id,
                                        project_id=self.project_id,
                                        role_ids=[second_role['id']])
         resp = c.post('/v3/OS-TRUST/trusts',
                       headers={'X-Auth-Token': pw_token},
                       json={'trust': trust_ref})
         trust_id = resp.json['trust']['id']
         trust_auth = self.build_authentication_request(
             user_id=self.user_id,
             password=self.user['password'],
             trust_id=trust_id)
         trust_token = self.v3_create_token(
             trust_auth).headers['X-Subject-Token']
         app_cred = self._app_cred_body(roles=[{'id': self.role_id}])
         # only the roles from the trust token should be allowed, even if
         # the user has the role assigned on the project
         c.post('/v3/users/%s/application_credentials' % self.user_id,
                headers={'X-Auth-Token': trust_token},
                json=app_cred,
                expected_status_code=http.client.BAD_REQUEST)
예제 #14
0
 def test_create_trust_with_non_existant_role_name_returns_not_found(self):
     ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                              trustee_user_id=self.trustee_user_id,
                              project_id=self.project_id,
                              role_names=[uuid.uuid4().hex])
     self.post('/OS-TRUST/trusts',
               body={'trust': ref},
               expected_status=http_client.NOT_FOUND)
예제 #15
0
 def test_create_trust_with_non_existant_role_name_returns_not_found(self):
     ref = unit.new_trust_ref(
         trustor_user_id=self.user_id,
         trustee_user_id=self.trustee_user_id,
         project_id=self.project_id,
         role_names=[uuid.uuid4().hex])
     self.post('/OS-TRUST/trusts', body={'trust': ref},
               expected_status=http_client.NOT_FOUND)
예제 #16
0
    def test_create_trust_with_extra_attributes_fails(self):
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 role_ids=[self.role_id])
        ref['roles'].append({'fake_key': 'fake_value'})

        self.post('/OS-TRUST/trusts', body={'trust': ref},
                  expected_status=http_client.BAD_REQUEST)
예제 #17
0
    def test_create_trust_with_extra_attributes_fails(self):
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 role_ids=[self.role_id])
        ref['roles'].append({'fake_key': 'fake_value'})

        self.post('/OS-TRUST/trusts',
                  body={'trust': ref},
                  expected_status=http_client.BAD_REQUEST)
예제 #18
0
    def test_forbidden_trust_impersonation_in_redelegation(self):
        """Test forbiddance of impersonation in trust redelegation.

        Check that trustee not allowed to create a trust (with impersonation
        set to true) from a redelegated trust (with impersonation set to false)
        """
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        auth_data = self.build_authentication_request(
            user_id=self.trustee_user_id,
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        resp = self.v3_create_token(auth_data)

        # create third-party user, which will be trustee in trust created from
        # redelegated trust
        third_party_trustee = unit.create_user(PROVIDERS.identity_api,
                                               domain_id=self.domain_id)
        third_party_trustee_id = third_party_trustee['id']

        # create trust from redelegated trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.trustee_user_id,
            trustee_user_id=third_party_trustee_id,
            project_id=self.project_id,
            impersonation=True,
            role_ids=[self.role_id])
        ref['redelegated_trust_id'] = trust['id']
        self.admin_request(path='/v3/OS-TRUST/trusts',
                           body={'trust': ref},
                           token=resp.headers.get('X-Subject-Token'),
                           method='POST',
                           expected_status=http_client.FORBIDDEN)
예제 #19
0
 def test_create_trust_with_trustee_as_trustor_returns_forbidden(self):
     ref = unit.new_trust_ref(
         trustor_user_id=self.trustee_user_id,
         trustee_user_id=self.user_id,
         project_id=self.project_id,
         role_ids=[self.role_id])
     # NOTE(lbragstad): This fails because the user making the request isn't
     # the trustor defined in the request.
     self.post('/OS-TRUST/trusts', body={'trust': ref},
               expected_status=http_client.FORBIDDEN)
예제 #20
0
 def test_create_trust_with_trustee_as_trustor_returns_forbidden(self):
     ref = unit.new_trust_ref(trustor_user_id=self.trustee_user_id,
                              trustee_user_id=self.user_id,
                              project_id=self.project_id,
                              role_ids=[self.role_id])
     # NOTE(lbragstad): This fails because the user making the request isn't
     # the trustor defined in the request.
     self.post('/OS-TRUST/trusts',
               body={'trust': ref},
               expected_status=http_client.FORBIDDEN)
예제 #21
0
    def test_forbidden_trust_impersonation_in_redelegation(self):
        """Test forbiddance of impersonation in trust redelegation.

        Check that trustee not allowed to create a trust (with impersonation
        set to true) from a redelegated trust (with impersonation set to false)
        """
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        auth_data = self.build_authentication_request(
            user_id=self.trustee_user_id,
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        resp = self.v3_create_token(auth_data)

        # create third-party user, which will be trustee in trust created from
        # redelegated trust
        third_party_trustee = unit.create_user(self.identity_api,
                                               domain_id=self.domain_id)
        third_party_trustee_id = third_party_trustee['id']

        # create trust from redelegated trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.trustee_user_id,
            trustee_user_id=third_party_trustee_id,
            project_id=self.project_id,
            impersonation=True,
            role_ids=[self.role_id])
        ref['redelegated_trust_id'] = trust['id']
        self.admin_request(path='/v3/OS-TRUST/trusts',
                           body={'trust': ref},
                           token=resp.headers.get('X-Subject-Token'),
                           method='POST',
                           expected_status=http_client.FORBIDDEN)
    def test_trust_scoped_ec2_credential(self):
        """Call ``POST /credentials`` for creating ec2 credential."""
        # Create the trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=True,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        del ref['id']
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r)

        # Get a trust scoped token
        auth_data = self.build_authentication_request(
            user_id=self.trustee_user['id'],
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectTrustScopedTokenResponse(r, self.user)
        trust_id = r.result['token']['OS-TRUST:trust']['id']
        token_id = r.headers.get('X-Subject-Token')

        # Create the credential with the trust scoped token
        ref = self.new_credential_ref(user_id=self.user['id'],
                                      project_id=self.project_id)
        blob = {"access": uuid.uuid4().hex,
                "secret": uuid.uuid4().hex}
        ref['blob'] = json.dumps(blob)
        ref['type'] = 'ec2'
        r = self.post(
            '/credentials',
            body={'credential': ref},
            token=token_id)

        # We expect the response blob to contain the trust_id
        ret_ref = ref.copy()
        ret_blob = blob.copy()
        ret_blob['trust_id'] = trust_id
        ret_ref['blob'] = json.dumps(ret_blob)
        self.assertValidCredentialResponse(r, ref=ret_ref)

        # Assert credential id is same as hash of access key id for
        # ec2 credentials
        self.assertEqual(hashlib.sha256(blob['access']).hexdigest(),
                         r.result['credential']['id'])

        # Create second ec2 credential with the same access key id and check
        # for conflict.
        self.post(
            '/credentials',
            body={'credential': ref},
            token=token_id,
            expected_status=http_client.CONFLICT)
    def test_validate_v3_token_trust(self):
        # Check the trust fields in the token result when use validate_v3_token
        # when the token has trust info.

        domain_ref = unit.new_domain_ref()
        domain_ref = PROVIDERS.resource_api.create_domain(
            domain_ref['id'], domain_ref
        )

        user_ref = unit.new_user_ref(domain_ref['id'])
        user_ref = PROVIDERS.identity_api.create_user(user_ref)

        trustor_user_ref = unit.new_user_ref(domain_ref['id'])
        trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref)

        project_ref = unit.new_project_ref(domain_id=domain_ref['id'])
        project_ref = PROVIDERS.resource_api.create_project(
            project_ref['id'], project_ref
        )

        role_ref = unit.new_role_ref()
        role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref)

        PROVIDERS.assignment_api.create_grant(
            role_ref['id'], user_id=user_ref['id'],
            project_id=project_ref['id'])

        PROVIDERS.assignment_api.create_grant(
            role_ref['id'], user_id=trustor_user_ref['id'],
            project_id=project_ref['id'])

        trustor_user_id = trustor_user_ref['id']
        trustee_user_id = user_ref['id']
        trust_ref = unit.new_trust_ref(
            trustor_user_id, trustee_user_id, project_id=project_ref['id'],
            role_ids=[role_ref['id'], ])
        trust_ref = PROVIDERS.trust_api.create_trust(
            trust_ref['id'], trust_ref, trust_ref['roles']
        )

        method_names = ['password']

        token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
            user_ref['id'], method_names, project_id=project_ref['id'],
            trust=trust_ref)

        token_data = PROVIDERS.token_provider_api.validate_token(token_id)
        token = token_data['token']
        exp_trust_info = {
            'id': trust_ref['id'],
            'impersonation': False,
            'trustee_user': {'id': user_ref['id'], },
            'trustor_user': {'id': trustor_user_ref['id'], },
        }
        self.assertEqual(exp_trust_info, token['OS-TRUST:trust'])
    def test_validate_v3_token_trust(self):
        # Check the trust fields in the token result when use validate_v3_token
        # when the token has trust info.

        domain_ref = unit.new_domain_ref()
        domain_ref = PROVIDERS.resource_api.create_domain(
            domain_ref['id'], domain_ref
        )

        user_ref = unit.new_user_ref(domain_ref['id'])
        user_ref = PROVIDERS.identity_api.create_user(user_ref)

        trustor_user_ref = unit.new_user_ref(domain_ref['id'])
        trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref)

        project_ref = unit.new_project_ref(domain_id=domain_ref['id'])
        project_ref = PROVIDERS.resource_api.create_project(
            project_ref['id'], project_ref
        )

        role_ref = unit.new_role_ref()
        role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref)

        PROVIDERS.assignment_api.create_grant(
            role_ref['id'], user_id=user_ref['id'],
            project_id=project_ref['id'])

        PROVIDERS.assignment_api.create_grant(
            role_ref['id'], user_id=trustor_user_ref['id'],
            project_id=project_ref['id'])

        trustor_user_id = trustor_user_ref['id']
        trustee_user_id = user_ref['id']
        trust_ref = unit.new_trust_ref(
            trustor_user_id, trustee_user_id, project_id=project_ref['id'],
            role_ids=[role_ref['id'], ])
        trust_ref = PROVIDERS.trust_api.create_trust(
            trust_ref['id'], trust_ref, trust_ref['roles']
        )

        method_names = ['password']

        token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
            user_ref['id'], method_names, project_id=project_ref['id'],
            trust=trust_ref)

        token_data = PROVIDERS.token_provider_api.validate_token(token_id)
        token = token_data['token']
        exp_trust_info = {
            'id': trust_ref['id'],
            'impersonation': False,
            'trustee_user': {'id': user_ref['id'], },
            'trustor_user': {'id': trustor_user_ref['id'], },
        }
        self.assertEqual(exp_trust_info, token['OS-TRUST:trust'])
예제 #25
0
    def test_create_trust_with_expiration_in_the_past_fails(self):
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 impersonation=False,
                                 expires='2010-06-04T08:44:31.999999Z',
                                 role_ids=[self.role_id])

        self.post('/OS-TRUST/trusts',
                  body={'trust': ref},
                  expected_status=http_client.BAD_REQUEST)
예제 #26
0
 def test_create_trust_with_bad_remaining_uses_returns_bad_request(self):
     # negative numbers, strings, non-integers, and 0 are not value values
     for value in [-1, 0, "a bad value", 7.2]:
         ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                  trustee_user_id=self.trustee_user_id,
                                  project_id=self.project_id,
                                  remaining_uses=value,
                                  role_ids=[self.role_id])
         self.post('/OS-TRUST/trusts',
                   body={'trust': ref},
                   expected_status=http_client.BAD_REQUEST)
예제 #27
0
    def test_list_trusts(self):
        # create three trusts with the same trustor and trustee
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        for i in range(3):
            ref['expires_at'] = datetime.datetime.utcnow().replace(
                year=2032).strftime(unit.TIME_FORMAT)
            r = self.post('/OS-TRUST/trusts', body={'trust': ref})
            self.assertValidTrustResponse(r, ref)

        # list all trusts
        list_url = '/OS-TRUST/trusts'
        r = self.get(list_url)
        self.head(list_url, expected_status=http_client.OK)
        trusts = r.result['trusts']
        self.assertEqual(3, len(trusts))
        self.assertValidTrustListResponse(r)

        # list all trusts for the trustor
        list_for_trustor_url = (
            '/OS-TRUST/trusts?trustor_user_id=%s' % self.user_id
        )
        r = self.get(list_for_trustor_url)
        self.head(list_for_trustor_url, expected_status=http_client.OK)
        trusts = r.result['trusts']
        self.assertEqual(3, len(trusts))
        self.assertValidTrustListResponse(r)

        # list all trusts as the trustor as the trustee.
        list_as_trustor_url = (
            '/OS-TRUST/trusts?trustee_user_id=%s' % self.user_id
        )
        r = self.get(list_as_trustor_url)
        self.head(list_as_trustor_url, expected_status=http_client.OK)
        trusts = r.result['trusts']
        self.assertEqual(0, len(trusts))

        # list all trusts as the trustee is forbidden
        list_all_as_trustee_url = (
            '/OS-TRUST/trusts?trustee_user_id=%s' % self.trustee_user_id
        )
        r = self.get(
            list_all_as_trustee_url,
            expected_status=http_client.FORBIDDEN
        )
        self.head(
            list_all_as_trustee_url,
            expected_status=http_client.FORBIDDEN
        )
예제 #28
0
 def test_delete_trust(self):
     trustor = unit.new_user_ref(domain_id=self.domain_id)
     trustor = self.identity_api.create_user(trustor)
     trustee = unit.new_user_ref(domain_id=self.domain_id)
     trustee = self.identity_api.create_user(trustee)
     role_ref = unit.new_role_ref()
     trust_ref = unit.new_trust_ref(trustor["id"], trustee["id"])
     self.trust_api.create_trust(trust_ref["id"], trust_ref, [role_ref])
     self.trust_api.delete_trust(trust_ref["id"])
     self._assert_last_note(trust_ref["id"], DELETED_OPERATION, "OS-TRUST:trust")
     self._assert_last_audit(trust_ref["id"], DELETED_OPERATION, "OS-TRUST:trust", cadftaxonomy.SECURITY_TRUST)
예제 #29
0
 def test_create_trust_with_bad_remaining_uses_returns_bad_request(self):
     # negative numbers, strings, non-integers, and 0 are not value values
     for value in [-1, 0, "a bad value", 7.2]:
         ref = unit.new_trust_ref(
             trustor_user_id=self.user_id,
             trustee_user_id=self.trustee_user_id,
             project_id=self.project_id,
             remaining_uses=value,
             role_ids=[self.role_id])
         self.post('/OS-TRUST/trusts',
                   body={'trust': ref},
                   expected_status=http_client.BAD_REQUEST)
예제 #30
0
    def test_create_trust_without_impersonation_returns_bad_request(self):
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 role_ids=[self.role_id])

        # impersonation is required to create a trust
        del ref['impersonation']

        self.post('/OS-TRUST/trusts',
                  body={'trust': ref},
                  expected_status=http_client.BAD_REQUEST)
예제 #31
0
    def test_trust_scoped_ec2_credential(self):
        """Test creating trust scoped ec2 credential.

        Call ``POST /credentials``.
        """
        # Create the trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=True,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        del ref['id']
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r)

        # Get a trust scoped token
        auth_data = self.build_authentication_request(
            user_id=self.trustee_user['id'],
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, self.user)
        trust_id = r.result['token']['OS-TRUST:trust']['id']
        token_id = r.headers.get('X-Subject-Token')

        # Create the credential with the trust scoped token
        blob, ref = unit.new_ec2_credential(user_id=self.user['id'],
                                            project_id=self.project_id)
        r = self.post('/credentials', body={'credential': ref}, token=token_id)

        # We expect the response blob to contain the trust_id
        ret_ref = ref.copy()
        ret_blob = blob.copy()
        ret_blob['trust_id'] = trust_id
        ret_ref['blob'] = json.dumps(ret_blob)
        self.assertValidCredentialResponse(r, ref=ret_ref)

        # Assert credential id is same as hash of access key id for
        # ec2 credentials
        access = blob['access'].encode('utf-8')
        self.assertEqual(hashlib.sha256(access).hexdigest(),
                         r.result['credential']['id'])

        # Create second ec2 credential with the same access key id and check
        # for conflict.
        self.post(
            '/credentials',
            body={'credential': ref},
            token=token_id,
            expected_status=http_client.CONFLICT)
예제 #32
0
    def test_create_trust_with_role_name_ambiguous_returns_bad_request(self):
        # Create second role with the same name
        role_ref = unit.new_role_ref(name=self.role['name'],
                                     domain_id=uuid.uuid4().hex)
        self.post('/roles', body={'role': role_ref})

        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 role_names=[self.role['name']])
        self.post('/OS-TRUST/trusts',
                  body={'trust': ref},
                  expected_status=http_client.BAD_REQUEST)
예제 #33
0
    def test_create_trust_without_impersonation_returns_bad_request(self):
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            role_ids=[self.role_id])

        # impersonation is required to create a trust
        del ref['impersonation']

        self.post('/OS-TRUST/trusts',
                  body={'trust': ref},
                  expected_status=http_client.BAD_REQUEST)
예제 #34
0
    def test_trust_crud(self):
        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r, ref)

        # get the trust
        r = self.get(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
        self.assertValidTrustResponse(r, ref)

        # validate roles on the trust
        r = self.get(
            '/OS-TRUST/trusts/%(trust_id)s/roles' % {
                'trust_id': trust['id']})
        roles = self.assertValidRoleListResponse(r, self.role)
        self.assertIn(self.role['id'], [x['id'] for x in roles])
        self.head(
            '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
                'trust_id': trust['id'],
                'role_id': self.role['id']},
            expected_status=http_client.OK)
        r = self.get(
            '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
                'trust_id': trust['id'],
                'role_id': self.role['id']})
        self.assertValidRoleResponse(r, self.role)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        self.assertValidTrustListResponse(r, trust)

        # trusts are immutable
        self.patch(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
            body={'trust': ref},
            expected_status=http_client.NOT_FOUND)

        # delete the trust
        self.delete(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})

        # ensure the trust is not found
        self.get(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
            expected_status=http_client.NOT_FOUND)
예제 #35
0
    def test_create_trust_with_role_name_ambiguous_returns_bad_request(self):
        # Create second role with the same name
        role_ref = unit.new_role_ref(name=self.role['name'],
                                     domain_id=uuid.uuid4().hex)
        self.post('/roles', body={'role': role_ref})

        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            role_names=[self.role['name']]
        )
        self.post('/OS-TRUST/trusts', body={'trust': ref},
                  expected_status=http_client.BAD_REQUEST)
예제 #36
0
    def test_oauth_token_cannot_create_new_trust(self):
        self.test_oauth_flow()
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.user_id,
                                 project_id=self.project_id,
                                 impersonation=True,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])
        del ref['id']

        self.post('/OS-TRUST/trusts',
                  body={'trust': ref},
                  token=self.keystone_token_id,
                  expected_status=http_client.FORBIDDEN)
예제 #37
0
    def test_trust_crud(self):
        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r, ref)

        # get the trust
        r = self.get(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
        self.assertValidTrustResponse(r, ref)

        # validate roles on the trust
        r = self.get(
            '/OS-TRUST/trusts/%(trust_id)s/roles' % {
                'trust_id': trust['id']})
        roles = self.assertValidRoleListResponse(r, self.role)
        self.assertIn(self.role['id'], [x['id'] for x in roles])
        self.head(
            '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
                'trust_id': trust['id'],
                'role_id': self.role['id']},
            expected_status=http_client.OK)
        r = self.get(
            '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
                'trust_id': trust['id'],
                'role_id': self.role['id']})
        self.assertValidRoleResponse(r, self.role)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        self.assertValidTrustListResponse(r, trust)

        # trusts are immutable
        self.patch(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
            body={'trust': ref},
            expected_status=http_client.NOT_FOUND)

        # delete the trust
        self.delete(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})

        # ensure the trust is not found
        self.get(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
            expected_status=http_client.NOT_FOUND)
예제 #38
0
    def test_create_trust_with_expiration_in_the_past_fails(self):
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            expires='2010-06-04T08:44:31.999999Z',
            role_ids=[self.role_id]
        )

        self.post(
            '/OS-TRUST/trusts',
            body={'trust': ref},
            expected_status=http_client.BAD_REQUEST
        )
예제 #39
0
    def test_oauth_token_cannot_create_new_trust(self):
        self.test_oauth_flow()
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.user_id,
            project_id=self.project_id,
            impersonation=True,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        del ref['id']

        self.post('/OS-TRUST/trusts',
                  body={'trust': ref},
                  token=self.keystone_token_id,
                  expected_status=http_client.FORBIDDEN)
예제 #40
0
 def test_trust_duplicate_conflict_gives_name(self):
     trustor = unit.new_user_ref(domain_id=self.domain_id)
     trustor = self.identity_api.create_user(trustor)
     trustee = unit.new_user_ref(domain_id=self.domain_id)
     trustee = self.identity_api.create_user(trustee)
     role_ref = unit.new_role_ref()
     self.role_api.create_role(role_ref['id'], role_ref)
     trust_ref = unit.new_trust_ref(trustor['id'], trustee['id'])
     self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
     try:
         self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
     except exception.Conflict as e:
         self.assertIn("Duplicate entry found with ID %s"
                       % trust_ref['id'], repr(e))
     else:
         self.fail("Create duplicate trust did not raise a conflict")
 def test_trust_duplicate_conflict_gives_name(self):
     trustor = unit.new_user_ref(domain_id=self.domain_id)
     trustor = self.identity_api.create_user(trustor)
     trustee = unit.new_user_ref(domain_id=self.domain_id)
     trustee = self.identity_api.create_user(trustee)
     role_ref = unit.new_role_ref()
     self.role_api.create_role(role_ref['id'], role_ref)
     trust_ref = unit.new_trust_ref(trustor['id'], trustee['id'])
     self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
     try:
         self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
     except exception.Conflict as e:
         self.assertIn("Duplicate entry found with ID %s" % trust_ref['id'],
                       repr(e))
     else:
         self.fail("Create duplicate trust did not raise a conflict")
예제 #42
0
    def test_trust_scoped_ec2_credential(self):
        """Test creating trust scoped ec2 credential.

        Call ``POST /credentials``.
        """
        # Create the trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=True,
            expires=dict(minutes=1),
            role_ids=[self.role_id],
        )
        del ref["id"]
        r = self.post("/OS-TRUST/trusts", body={"trust": ref})
        trust = self.assertValidTrustResponse(r)

        # Get a trust scoped token
        auth_data = self.build_authentication_request(
            user_id=self.trustee_user["id"], password=self.trustee_user["password"], trust_id=trust["id"]
        )
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, self.user)
        trust_id = r.result["token"]["OS-TRUST:trust"]["id"]
        token_id = r.headers.get("X-Subject-Token")

        # Create the credential with the trust scoped token
        blob, ref = unit.new_ec2_credential(user_id=self.user["id"], project_id=self.project_id)
        r = self.post("/credentials", body={"credential": ref}, token=token_id)

        # We expect the response blob to contain the trust_id
        ret_ref = ref.copy()
        ret_blob = blob.copy()
        ret_blob["trust_id"] = trust_id
        ret_ref["blob"] = json.dumps(ret_blob)
        self.assertValidCredentialResponse(r, ref=ret_ref)

        # Assert credential id is same as hash of access key id for
        # ec2 credentials
        access = blob["access"].encode("utf-8")
        self.assertEqual(hashlib.sha256(access).hexdigest(), r.result["credential"]["id"])

        # Create second ec2 credential with the same access key id and check
        # for conflict.
        self.post("/credentials", body={"credential": ref}, token=token_id, expected_status=http_client.CONFLICT)
예제 #43
0
    def test_trust_deleted_when_user_deleted(self):
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the trustee will delete the trust
        self.delete(
            '/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})

        self.get(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
            expected_status=http_client.NOT_FOUND)

        # create another user as the new trustee
        trustee_user = unit.create_user(PROVIDERS.identity_api,
                                        domain_id=self.domain_id)
        trustee_user_id = trustee_user['id']
        # create the trust again
        ref['trustee_user_id'] = trustee_user_id
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the trustor will delete the trust
        self.delete(
            '/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})

        # call the backend method directly to bypass authentication since the
        # user has been deleted.
        self.assertRaises(exception.TrustNotFound,
                          PROVIDERS.trust_api.get_trust,
                          trust['id'])
예제 #44
0
    def test_trust_deleted_when_user_deleted(self):
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the trustee will delete the trust
        self.delete(
            '/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})

        self.get(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
            expected_status=http_client.NOT_FOUND)

        # create another user as the new trustee
        trustee_user = unit.create_user(self.identity_api,
                                        domain_id=self.domain_id)
        trustee_user_id = trustee_user['id']
        # create the trust again
        ref['trustee_user_id'] = trustee_user_id
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the trustor will delete the trust
        self.delete(
            '/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})

        # call the backend method directly to bypass authentication since the
        # user has been deleted.
        self.assertRaises(exception.TrustNotFound,
                          self.trust_api.get_trust,
                          trust['id'])
예제 #45
0
    def test_validate_v3_token_trust(self):
        # Check the trust fields in the token result when use validate_v3_token
        # when the token has trust info.

        domain_ref = unit.new_domain_ref()
        domain_ref = self.resource_api.create_domain(domain_ref["id"], domain_ref)

        user_ref = unit.new_user_ref(domain_ref["id"])
        user_ref = self.identity_api.create_user(user_ref)

        trustor_user_ref = unit.new_user_ref(domain_ref["id"])
        trustor_user_ref = self.identity_api.create_user(trustor_user_ref)

        project_ref = unit.new_project_ref(domain_id=domain_ref["id"])
        project_ref = self.resource_api.create_project(project_ref["id"], project_ref)

        role_ref = unit.new_role_ref()
        role_ref = self.role_api.create_role(role_ref["id"], role_ref)

        self.assignment_api.create_grant(role_ref["id"], user_id=user_ref["id"], project_id=project_ref["id"])

        self.assignment_api.create_grant(role_ref["id"], user_id=trustor_user_ref["id"], project_id=project_ref["id"])

        trustor_user_id = trustor_user_ref["id"]
        trustee_user_id = user_ref["id"]
        trust_ref = unit.new_trust_ref(
            trustor_user_id, trustee_user_id, project_id=project_ref["id"], role_ids=[role_ref["id"]]
        )
        trust_ref = self.trust_api.create_trust(trust_ref["id"], trust_ref, trust_ref["roles"])

        method_names = ["password"]

        token_id, token_data_ = self.token_provider_api.issue_v3_token(
            user_ref["id"], method_names, project_id=project_ref["id"], trust=trust_ref
        )

        token_data = self.token_provider_api.validate_v3_token(token_id)
        token = token_data["token"]
        exp_trust_info = {
            "id": trust_ref["id"],
            "impersonation": False,
            "trustee_user": {"id": user_ref["id"]},
            "trustor_user": {"id": trustor_user_ref["id"]},
        }
        self.assertEqual(exp_trust_info, token["OS-TRUST:trust"])
예제 #46
0
    def test_delete_trust(self):
        # create a trust
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 impersonation=False,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r, ref)

        # delete the trust
        self.delete('/OS-TRUST/trusts/%(trust_id)s' %
                    {'trust_id': trust['id']})

        # ensure the trust isn't found
        self.get('/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
                 expected_status=http_client.NOT_FOUND)
예제 #47
0
    def _create_trust_get_token(self):
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.user_id,
                                 project_id=self.project_id,
                                 impersonation=True,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])
        del ref['id']

        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r)

        auth_data = self.build_authentication_request(
            user_id=self.user['id'],
            password=self.user['password'],
            trust_id=trust['id'])

        return self.get_requested_token(auth_data)
예제 #48
0
    def _create_trust_get_token(self):
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.user_id,
            project_id=self.project_id,
            impersonation=True,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        del ref['id']

        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r)

        auth_data = self.build_authentication_request(
            user_id=self.user['id'],
            password=self.user['password'],
            trust_id=trust['id'])

        return self.get_requested_token(auth_data)
예제 #49
0
    def test_delete_trust(self):
        # create a trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r, ref)

        # delete the trust
        self.delete('/OS-TRUST/trusts/%(trust_id)s' % {
            'trust_id': trust['id']})

        # ensure the trust isn't found
        self.get('/OS-TRUST/trusts/%(trust_id)s' % {
            'trust_id': trust['id']},
            expected_status=http_client.NOT_FOUND)
예제 #50
0
파일: test_v3_trust.py 프로젝트: Boye-Z/123
 def test_trusts_do_not_implement_updates(self):
     with self.test_client() as c:
         # create a new trust
         token = self.get_scoped_token()
         ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                  trustee_user_id=self.trustee_user_id,
                                  project_id=self.project_id,
                                  role_ids=[self.role_id])
         r = c.post('/v3/OS-TRUST/trusts',
                    json={'trust': ref},
                    headers={'X-Auth-Token': token})
         trust_id = r.json['trust']['id']
         c.patch('/v3/OS-TRUST/trusts/%(trust_id)s' %
                 {'trust_id': trust_id},
                 json={'trust': ref},
                 headers={'X-Auth-Token': token},
                 expected_status_code=http.client.METHOD_NOT_ALLOWED)
         c.put('/v3/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust_id},
               json={'trust': ref},
               headers={'X-Auth-Token': token},
               expected_status_code=http.client.METHOD_NOT_ALLOWED)
예제 #51
0
    def test_validate_trust_scoped_token_against_v2(self):
        # get a project-scoped token
        auth_data = self.build_authentication_request(
            user_id=self.default_domain_user['id'],
            password=self.default_domain_user['password'],
            project_id=self.default_domain_project_id)
        token = self.get_requested_token(auth_data)

        user = unit.new_user_ref(CONF.identity.default_domain_id)
        trustee = self.identity_api.create_user(user)

        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.default_domain_user['id'],
            trustee_user_id=trustee['id'],
            project_id=self.default_domain_project_id,
            impersonation=False,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
        trust = self.assertValidTrustResponse(r)

        # get a v3 trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=trustee['id'],
            password=user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(
            r, trustee)
        token = r.headers.get('X-Subject-Token')

        # now validate the v3 token with v2 API
        path = '/v2.0/tokens/%s' % (token)
        self.admin_request(
            path=path,
            token=self.get_admin_token(),
            method='GET'
        )
예제 #52
0
    def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
        # create a trustee in default domain to delegate stuff to
        trustee_user = unit.create_user(self.identity_api,
                                        domain_id=test_v3.DEFAULT_DOMAIN_ID)
        trustee_user_id = trustee_user['id']

        # create a new trust
        ref = unit.new_trust_ref(trustor_user_id=self.default_domain_user_id,
                                 trustee_user_id=trustee_user_id,
                                 project_id=self.project_id,
                                 impersonation=False,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])

        # get a project-scoped token as the default_domain_user
        auth_data = self.build_authentication_request(
            user_id=self.default_domain_user['id'],
            password=self.default_domain_user['password'],
            project_id=self.default_domain_project_id)
        token = self.get_requested_token(auth_data)

        r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
        trust = self.assertValidTrustResponse(r)

        # get a trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=trustee_user['id'],
            password=trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, trustee_user)
        token = r.headers.get('X-Subject-Token')

        # ensure the token is invalid against v2
        path = '/v2.0/tokens/%s' % (token)
        self.admin_request(path=path,
                           token=self.get_admin_token(),
                           method='GET',
                           expected_status=http_client.UNAUTHORIZED)
예제 #53
0
    def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
        # create a trustee in default domain to delegate stuff to
        trustee_user = unit.create_user(self.identity_api,
                                        domain_id=test_v3.DEFAULT_DOMAIN_ID)
        trustee_user_id = trustee_user['id']

        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.default_domain_user_id,
            trustee_user_id=trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            expires=dict(minutes=1),
            role_ids=[self.role_id])

        # get a project-scoped token as the default_domain_user
        auth_data = self.build_authentication_request(
            user_id=self.default_domain_user['id'],
            password=self.default_domain_user['password'],
            project_id=self.default_domain_project_id)
        token = self.get_requested_token(auth_data)

        r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
        trust = self.assertValidTrustResponse(r)

        # get a trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=trustee_user['id'],
            password=trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, trustee_user)
        token = r.headers.get('X-Subject-Token')

        # ensure the token is invalid against v2
        path = '/v2.0/tokens/%s' % (token)
        self.admin_request(
            path=path, token=self.get_admin_token(),
            method='GET', expected_status=http_client.UNAUTHORIZED)
예제 #54
0
파일: test_v3.py 프로젝트: jonnary/keystone
 def new_trust_ref(
     self,
     trustor_user_id,
     trustee_user_id,
     project_id=None,
     impersonation=None,
     expires=None,
     role_ids=None,
     role_names=None,
     remaining_uses=None,
     allow_redelegation=False,
 ):
     return tests.new_trust_ref(
         trustor_user_id,
         trustee_user_id,
         project_id=project_id,
         impersonation=impersonation,
         expires=expires,
         role_ids=role_ids,
         role_names=role_names,
         remaining_uses=remaining_uses,
         allow_redelegation=allow_redelegation,
     )
예제 #55
0
 def test_trusts_do_not_implement_updates(self):
     with self.test_client() as c:
         # create a new trust
         token = self.get_scoped_token()
         ref = unit.new_trust_ref(
             trustor_user_id=self.user_id,
             trustee_user_id=self.trustee_user_id,
             project_id=self.project_id,
             role_ids=[self.role_id])
         r = c.post('/v3/OS-TRUST/trusts',
                    json={'trust': ref},
                    headers={'X-Auth-Token': token})
         trust_id = r.json['trust']['id']
         c.patch(
             '/v3/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust_id},
             json={'trust': ref},
             headers={'X-Auth-Token': token},
             expected_status_code=http_client.METHOD_NOT_ALLOWED)
         c.put(
             '/v3/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust_id},
             json={'trust': ref},
             headers={'X-Auth-Token': token},
             expected_status_code=http_client.METHOD_NOT_ALLOWED)
예제 #56
0
 def test_create_trust_with_application_credential(self):
     app_cred = {
         'id': uuid.uuid4().hex,
         'user_id': self.user_id,
         'project_id': self.project_id,
         'name': uuid.uuid4().hex,
         'roles': [{'id': self.role_id}],
         'secret': uuid.uuid4().hex
     }
     app_cred_api = PROVIDERS.application_credential_api
     app_cred_api.create_application_credential(app_cred)
     auth_data = self.build_authentication_request(
         app_cred_id=app_cred['id'], secret=app_cred['secret'])
     token_data = self.v3_create_token(auth_data,
                                       expected_status=http_client.CREATED)
     trust_body = unit.new_trust_ref(trustor_user_id=self.user_id,
                                     trustee_user_id=self.trustee_user_id,
                                     project_id=self.project_id,
                                     role_ids=[self.role_id])
     self.post(
         path='/OS-TRUST/trusts',
         body={'trust': trust_body},
         token=token_data.headers['x-subject-token'],
         expected_status=http_client.FORBIDDEN)
예제 #57
0
    def test_validate_trust_scoped_token_against_v2(self):
        # get a project-scoped token
        auth_data = self.build_authentication_request(
            user_id=self.default_domain_user['id'],
            password=self.default_domain_user['password'],
            project_id=self.default_domain_project_id)
        token = self.get_requested_token(auth_data)

        user = unit.new_user_ref(CONF.identity.default_domain_id)
        trustee = self.identity_api.create_user(user)

        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.default_domain_user['id'],
            trustee_user_id=trustee['id'],
            project_id=self.default_domain_project_id,
            impersonation=False,
            expires=dict(minutes=1),
            role_ids=[self.role_id])
        r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
        trust = self.assertValidTrustResponse(r)

        # get a v3 trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=trustee['id'],
            password=user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, trustee)
        token = r.headers.get('X-Subject-Token')

        # now validate the v3 token with v2 API
        path = '/v2.0/tokens/%s' % (token)
        self.admin_request(path=path,
                           token=self.get_admin_token(),
                           method='GET')
예제 #58
0
    def test_trust_scoped_ec2_credential(self):
        """Test creating trust scoped ec2 credential.

        Call ``POST /credentials``.
        """
        # Create the trust
        ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                 trustee_user_id=self.trustee_user_id,
                                 project_id=self.project_id,
                                 impersonation=True,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])
        del ref['id']
        r = self.post('/OS-TRUST/trusts', body={'trust': ref})
        trust = self.assertValidTrustResponse(r)

        # Get a trust scoped token
        auth_data = self.build_authentication_request(
            user_id=self.trustee_user['id'],
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, self.user)
        trust_id = r.result['token']['OS-TRUST:trust']['id']
        token_id = r.headers.get('X-Subject-Token')

        # Create the credential with the trust scoped token
        blob, ref = unit.new_ec2_credential(user_id=self.user_id,
                                            project_id=self.project_id)
        r = self.post('/credentials', body={'credential': ref}, token=token_id)

        # We expect the response blob to contain the trust_id
        ret_ref = ref.copy()
        ret_blob = blob.copy()
        ret_blob['trust_id'] = trust_id
        ret_ref['blob'] = json.dumps(ret_blob)
        self.assertValidCredentialResponse(r, ref=ret_ref)

        # Assert credential id is same as hash of access key id for
        # ec2 credentials
        access = blob['access'].encode('utf-8')
        self.assertEqual(
            hashlib.sha256(access).hexdigest(), r.result['credential']['id'])

        # Create a role assignment to ensure that it is ignored and only the
        # trust-delegated roles are used
        role = unit.new_role_ref(name='reader')
        role_id = role['id']
        PROVIDERS.role_api.create_role(role_id, role)
        PROVIDERS.assignment_api.add_role_to_user_and_project(
            self.user_id, self.project_id, role_id)

        ret_blob = json.loads(r.result['credential']['blob'])
        ec2token = self._test_get_token(access=ret_blob['access'],
                                        secret=ret_blob['secret'])
        ec2_roles = [role['id'] for role in ec2token['roles']]
        self.assertIn(self.role_id, ec2_roles)
        self.assertNotIn(role_id, ec2_roles)

        # Create second ec2 credential with the same access key id and check
        # for conflict.
        self.post('/credentials',
                  body={'credential': ref},
                  token=token_id,
                  expected_status=http.client.CONFLICT)