def test_list_revoked_audit(self):
revocation_backend = sql.Revoke()
# Create a token with audit_id set, revoke it, check it is revoked,
# check to make sure that list_events matches the token to the event we
# just revoked.
first_token = _sample_blank_token()
first_token['audit_id'] = provider.random_urlsafe_str()
PROVIDERS.revoke_api.revoke_by_audit_id(
audit_id=first_token['audit_id'])
self._assertTokenRevoked(first_token)
self.assertEqual(
1, len(revocation_backend.list_events(token=first_token)))
# Create a second token, revoke it, check it is revoked, check to make
# sure that list events only finds 1 match since there are 2 and they
# dont both have different populated audit_id fields
second_token = _sample_blank_token()
second_token['audit_id'] = provider.random_urlsafe_str()
PROVIDERS.revoke_api.revoke_by_audit_id(
audit_id=second_token['audit_id'])
self._assertTokenRevoked(second_token)
self.assertEqual(
1, len(revocation_backend.list_events(token=second_token)))
# Create a third token with audit_id set to None to make sure that
# since there are no events currently revoked with audit_id None this
# finds no matches
third_token = _sample_blank_token()
third_token['audit_id'] = None
self._assertTokenNotRevoked(third_token)
self.assertEqual(
0, len(revocation_backend.list_events(token=third_token)))
def test_list_revoked_audit(self):
revocation_backend = sql.Revoke()
# Create a token with audit_id set, revoke it, check it is revoked,
# check to make sure that list_events matches the token to the event we
# just revoked.
first_token = _sample_blank_token()
first_token['audit_id'] = provider.random_urlsafe_str()
PROVIDERS.revoke_api.revoke_by_audit_id(
audit_id=first_token['audit_id'])
self._assertTokenRevoked(first_token)
self.assertEqual(
1, len(revocation_backend.list_events(token=first_token)))
# Create a second token, revoke it, check it is revoked, check to make
# sure that list events only finds 1 match since there are 2 and they
# dont both have different populated audit_id fields
second_token = _sample_blank_token()
second_token['audit_id'] = provider.random_urlsafe_str()
PROVIDERS.revoke_api.revoke_by_audit_id(
audit_id=second_token['audit_id'])
self._assertTokenRevoked(second_token)
self.assertEqual(
1, len(revocation_backend.list_events(token=second_token)))
# Create a third token with audit_id set to None to make sure that
# since there are no events currently revoked with audit_id None this
# finds no matches
third_token = _sample_blank_token()
third_token['audit_id'] = None
self._assertTokenNotRevoked(third_token)
self.assertEqual(
0, len(revocation_backend.list_events(token=third_token)))
def test_list_revoked_multiple_filters(self):
revocation_backend = sql.Revoke()
events = []
# create token that sets key/value filters in list_revoked
first_token = _sample_blank_token()
first_token['user_id'] = uuid.uuid4().hex
first_token['project_id'] = uuid.uuid4().hex
first_token['audit_id'] = provider.random_urlsafe_str()
# revoke event and then verify that that there is only one revocation
# and verify the only revoked event is the token
add_event(
events,
revoke_model.RevokeEvent(user_id=first_token['user_id'],
project_id=first_token['project_id'],
audit_id=first_token['audit_id']))
self.revoke_api.revoke(
revoke_model.RevokeEvent(user_id=first_token['user_id'],
project_id=first_token['project_id'],
audit_id=first_token['audit_id']))
self._assertTokenRevoked(events, first_token)
self.assertEqual(
1, len(revocation_backend.list_events(token=first_token)))
# If a token has None values which the event contains it shouldn't
# match and not be revoked
second_token = _sample_blank_token()
self._assertTokenNotRevoked(events, second_token)
self.assertEqual(
0, len(revocation_backend.list_events(token=second_token)))
# If an event column and corresponding dict value don't match, Then
# it should not add the event in the list. Demonstrate for project
third_token = _sample_blank_token()
third_token['project_id'] = uuid.uuid4().hex
self._assertTokenNotRevoked(events, third_token)
self.assertEqual(
0, len(revocation_backend.list_events(token=third_token)))
# A revoked event with user_id as null and token user_id non null
# should still be return an event and be revoked if other non null
# event fields match non null token fields
fourth_token = _sample_blank_token()
fourth_token['user_id'] = uuid.uuid4().hex
fourth_token['project_id'] = uuid.uuid4().hex
fourth_token['audit_id'] = provider.random_urlsafe_str()
add_event(
events,
revoke_model.RevokeEvent(project_id=fourth_token['project_id'],
audit_id=fourth_token['audit_id']))
self.revoke_api.revoke(
revoke_model.RevokeEvent(project_id=fourth_token['project_id'],
audit_id=fourth_token['audit_id']))
self._assertTokenRevoked(events, fourth_token)
self.assertEqual(
1, len(revocation_backend.list_events(token=fourth_token)))
def _test_payload(self, payload_class, exp_user_id=None, exp_methods=None,
exp_system=None, exp_project_id=None, exp_domain_id=None,
exp_trust_id=None, exp_federated_group_ids=None,
exp_identity_provider_id=None, exp_protocol_id=None,
exp_access_token_id=None, exp_app_cred_id=None):
exp_user_id = exp_user_id or uuid.uuid4().hex
exp_methods = exp_methods or ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = payload_class.assemble(
exp_user_id, exp_methods, exp_system, exp_project_id,
exp_domain_id, exp_expires_at, exp_audit_ids, exp_trust_id,
exp_federated_group_ids, exp_identity_provider_id, exp_protocol_id,
exp_access_token_id, exp_app_cred_id)
(user_id, methods, system, project_id,
domain_id, expires_at, audit_ids,
trust_id, federated_group_ids, identity_provider_id, protocol_id,
access_token_id, app_cred_id) = payload_class.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_system, system)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_federated_group_ids, federated_group_ids)
self.assertEqual(exp_identity_provider_id, identity_provider_id)
self.assertEqual(exp_protocol_id, protocol_id)
self.assertEqual(exp_trust_id, trust_id)
self.assertEqual(exp_access_token_id, access_token_id)
self.assertEqual(exp_app_cred_id, app_cred_id)
def test_trust_scoped_payload(self):
exp_user_id = uuid.uuid4().hex
exp_methods = ["password"]
exp_project_id = uuid.uuid4().hex
exp_expires_at = timeutils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
exp_trust_id = uuid.uuid4().hex
payload = token_formatters.TrustScopedPayload.assemble(
exp_user_id, exp_methods, exp_project_id, exp_expires_at, exp_audit_ids, exp_trust_id
)
(
user_id,
methods,
project_id,
expires_at,
audit_ids,
trust_id,
) = token_formatters.TrustScopedPayload.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_trust_id, trust_id)
def test_federated_domain_scoped_payload(self):
exp_user_id = 'someNonUuidUserId'
exp_methods = ['token']
exp_domain_id = uuid.uuid4().hex
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_info = {'group_ids': [{'id': 'someNonUuidGroupId'}],
'idp_id': uuid.uuid4().hex,
'protocol_id': uuid.uuid4().hex}
payload = token_formatters.FederatedDomainScopedPayload.assemble(
exp_user_id, exp_methods, exp_domain_id, exp_expires_at,
exp_audit_ids, exp_federated_info)
(user_id, methods, domain_id, expires_at, audit_ids,
federated_info) = (
token_formatters.FederatedDomainScopedPayload.disassemble(
payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertDictEqual(exp_federated_info, federated_info)
def test_unable_to_verify_token_with_missing_public_key(self):
# create token, signing with private key
token = token_model.TokenModel()
token.methods = ['password']
token.user_id = uuid.uuid4().hex
token.audit_id = provider.random_urlsafe_str()
token.expires_at = utils.isotime(
provider.default_expire_time(), subsecond=True
)
token_id, issued_at = self.provider.generate_id_and_issued_at(token)
# remove the public key for the token we just created
current_pub_key = os.path.join(
CONF.jwt_tokens.jws_public_key_repository, 'public.pem'
)
os.remove(current_pub_key)
# create additional public keys
for _ in range(2):
private_key_path = os.path.join(
CONF.jwt_tokens.jws_private_key_repository,
uuid.uuid4().hex
)
pub_key_path = os.path.join(
CONF.jwt_tokens.jws_public_key_repository,
uuid.uuid4().hex
)
jwt_utils.create_jws_keypair(private_key_path, pub_key_path)
# validate token and ensure it returns a 404
self.assertRaises(
exception.TokenNotFound,
self.provider.validate_token,
token_id
)
def _test_federated_payload_with_ids(self, exp_user_id, exp_group_id):
exp_methods = ["password"]
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_info = {
"group_ids": [{"id": exp_group_id}],
"idp_id": uuid.uuid4().hex,
"protocol_id": uuid.uuid4().hex,
}
project_id = None
domain_id = None
trust_id = None
payload = token_formatters.FederatedUnscopedPayload.assemble(
exp_user_id, exp_methods, project_id, domain_id, exp_expires_at, exp_audit_ids, trust_id, exp_federated_info
)
(
user_id,
methods,
project_id,
domain_id,
expires_at,
audit_ids,
trust_id,
federated_info,
) = token_formatters.FederatedUnscopedPayload.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_federated_info["group_ids"][0]["id"], federated_info["group_ids"][0]["id"])
self.assertEqual(exp_federated_info["idp_id"], federated_info["idp_id"])
self.assertEqual(exp_federated_info["protocol_id"], federated_info["protocol_id"])
def test_federated_payload_with_non_uuid_ids(self):
exp_user_id = 'someNonUuidUserId'
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_info = {'group_ids': [{'id': 'someNonUuidGroupId'}],
'idp_id': uuid.uuid4().hex,
'protocol_id': uuid.uuid4().hex}
payload = token_formatters.FederatedPayload.assemble(
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids,
exp_federated_info)
(user_id, methods, expires_at, audit_ids, federated_info) = (
token_formatters.FederatedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_federated_info['group_ids'][0]['id'],
federated_info['group_ids'][0]['id'])
self.assertEqual(exp_federated_info['idp_id'],
federated_info['idp_id'])
self.assertEqual(exp_federated_info['protocol_id'],
federated_info['protocol_id'])
def _test_domain_scoped_payload_with_user_id(self, exp_user_id):
exp_methods = ["password"]
exp_domain_id = uuid.uuid4().hex
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
project_id = None
trust_id = None
federated_info = None
payload = token_formatters.DomainScopedPayload.assemble(
exp_user_id, exp_methods, project_id, exp_domain_id, exp_expires_at, exp_audit_ids, trust_id, federated_info
)
(
user_id,
methods,
project_id,
domain_id,
expires_at,
audit_ids,
trust_id,
federated_info,
) = token_formatters.DomainScopedPayload.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_domain_id, domain_id)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_create_validate_federated_scoped_token_non_uuid_user_id(self):
exp_user_id = hashlib.sha256().hexdigest()
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_group_ids = [{'id': uuid.uuid4().hex}]
exp_idp_id = uuid.uuid4().hex
exp_protocol_id = uuid.uuid4().hex
exp_project_id = uuid.uuid4().hex
token_formatter = token_formatters.TokenFormatter()
token = token_formatter.create_token(user_id=exp_user_id,
expires_at=exp_expires_at,
audit_ids=exp_audit_ids,
payload_class=token_formatters.FederatedProjectScopedPayload,
methods=exp_methods,
federated_group_ids=exp_federated_group_ids,
identity_provider_id=exp_idp_id,
protocol_id=exp_protocol_id,
project_id=exp_project_id)
(user_id, methods, audit_ids, system, domain_id, project_id, trust_id,
federated_group_ids, identity_provider_id, protocol_id,
access_token_id, app_cred_id, issued_at, expires_at) = token_formatter.validate_token(token)
self.assertEqual(exp_user_id, user_id)
self.assertTrue(isinstance(user_id, six.string_types))
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_federated_group_ids, federated_group_ids)
self.assertEqual(exp_idp_id, identity_provider_id)
self.assertEqual(exp_protocol_id, protocol_id)
def _test_payload(self, payload_class, exp_user_id=None, exp_methods=None,
exp_project_id=None, exp_domain_id=None,
exp_trust_id=None, exp_federated_info=None,
exp_access_token_id=None):
exp_user_id = exp_user_id or uuid.uuid4().hex
exp_methods = exp_methods or ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = payload_class.assemble(
exp_user_id, exp_methods, exp_project_id, exp_domain_id,
exp_expires_at, exp_audit_ids, exp_trust_id, exp_federated_info,
exp_access_token_id)
(user_id, methods, project_id,
domain_id, expires_at, audit_ids,
trust_id, federated_info,
access_token_id) = payload_class.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_trust_id, trust_id)
self.assertEqual(exp_access_token_id, access_token_id)
if exp_federated_info:
self.assertDictEqual(exp_federated_info, federated_info)
else:
self.assertIsNone(federated_info)
def _test_payload(self, payload_class, exp_user_id=None, exp_methods=None,
exp_system=None, exp_project_id=None, exp_domain_id=None,
exp_trust_id=None, exp_federated_group_ids=None,
exp_identity_provider_id=None, exp_protocol_id=None,
exp_access_token_id=None, exp_app_cred_id=None):
exp_user_id = exp_user_id or uuid.uuid4().hex
exp_methods = exp_methods or ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = payload_class.assemble(
exp_user_id, exp_methods, exp_system, exp_project_id,
exp_domain_id, exp_expires_at, exp_audit_ids, exp_trust_id,
exp_federated_group_ids, exp_identity_provider_id, exp_protocol_id,
exp_access_token_id, exp_app_cred_id)
(user_id, methods, system, project_id,
domain_id, expires_at, audit_ids,
trust_id, federated_group_ids, identity_provider_id, protocol_id,
access_token_id, app_cred_id) = payload_class.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_system, system)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_federated_group_ids, federated_group_ids)
self.assertEqual(exp_identity_provider_id, identity_provider_id)
self.assertEqual(exp_protocol_id, protocol_id)
self.assertEqual(exp_trust_id, trust_id)
self.assertEqual(exp_access_token_id, access_token_id)
self.assertEqual(exp_app_cred_id, app_cred_id)
def test_federated_domain_scoped_payload(self):
exp_user_id = 'someNonUuidUserId'
exp_methods = ['token']
exp_domain_id = uuid.uuid4().hex
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_info = {
'group_ids': [{
'id': 'someNonUuidGroupId'
}],
'idp_id': uuid.uuid4().hex,
'protocol_id': uuid.uuid4().hex
}
payload = token_formatters.FederatedDomainScopedPayload.assemble(
exp_user_id, exp_methods, exp_domain_id, exp_expires_at,
exp_audit_ids, exp_federated_info)
(user_id, methods, domain_id, expires_at, audit_ids,
federated_info) = (token_formatters.FederatedDomainScopedPayload.
disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertDictEqual(exp_federated_info, federated_info)
def _test_federated_payload_with_ids(self, exp_user_id, exp_group_id):
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_info = {
'group_ids': [{
'id': exp_group_id
}],
'idp_id': uuid.uuid4().hex,
'protocol_id': uuid.uuid4().hex
}
payload = token_formatters.FederatedUnscopedPayload.assemble(
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids,
exp_federated_info)
(user_id, methods, expires_at, audit_ids, federated_info) = (
token_formatters.FederatedUnscopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_federated_info['group_ids'][0]['id'],
federated_info['group_ids'][0]['id'])
self.assertEqual(exp_federated_info['idp_id'],
federated_info['idp_id'])
self.assertEqual(exp_federated_info['protocol_id'],
federated_info['protocol_id'])
def _test_federated_payload_with_ids(self, exp_user_id, exp_group_id):
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_info = {'group_ids': [{'id': exp_group_id}],
'idp_id': uuid.uuid4().hex,
'protocol_id': uuid.uuid4().hex}
payload = token_formatters.FederatedUnscopedPayload.assemble(
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids,
exp_federated_info)
(user_id, methods, expires_at, audit_ids, federated_info) = (
token_formatters.FederatedUnscopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_federated_info['group_ids'][0]['id'],
federated_info['group_ids'][0]['id'])
self.assertEqual(exp_federated_info['idp_id'],
federated_info['idp_id'])
self.assertEqual(exp_federated_info['protocol_id'],
federated_info['protocol_id'])
def test_create_validate_federated_scoped_token_non_uuid_user_id(self):
exp_user_id = hashlib.sha256().hexdigest()
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_group_ids = [{'id': uuid.uuid4().hex}]
exp_idp_id = uuid.uuid4().hex
exp_protocol_id = uuid.uuid4().hex
exp_project_id = uuid.uuid4().hex
token_formatter = token_formatters.TokenFormatter()
token = token_formatter.create_token(
user_id=exp_user_id,
expires_at=exp_expires_at,
audit_ids=exp_audit_ids,
payload_class=token_formatters.FederatedProjectScopedPayload,
methods=exp_methods,
federated_group_ids=exp_federated_group_ids,
identity_provider_id=exp_idp_id,
protocol_id=exp_protocol_id,
project_id=exp_project_id)
(user_id, methods, audit_ids, system, domain_id, project_id, trust_id,
federated_group_ids, identity_provider_id, protocol_id,
access_token_id, app_cred_id, issued_at,
expires_at) = token_formatter.validate_token(token)
self.assertEqual(exp_user_id, user_id)
self.assertTrue(isinstance(user_id, six.string_types))
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_federated_group_ids, federated_group_ids)
self.assertEqual(exp_idp_id, identity_provider_id)
self.assertEqual(exp_protocol_id, protocol_id)
def test_federated_payload_with_non_uuid_ids(self):
exp_user_id = 'someNonUuidUserId'
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_info = {
'group_ids': [{
'id': 'someNonUuidGroupId'
}],
'idp_id': uuid.uuid4().hex,
'protocol_id': uuid.uuid4().hex
}
payload = token_formatters.FederatedPayload.assemble(
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids,
exp_federated_info)
(user_id, methods, expires_at, audit_ids, federated_info) = (
token_formatters.FederatedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_federated_info['group_ids'][0]['id'],
federated_info['group_ids'][0]['id'])
self.assertEqual(exp_federated_info['idp_id'],
federated_info['idp_id'])
self.assertEqual(exp_federated_info['protocol_id'],
federated_info['protocol_id'])
def _test_payload(self, payload_class, exp_user_id=None, exp_methods=None,
exp_project_id=None, exp_domain_id=None,
exp_trust_id=None, exp_federated_info=None,
exp_access_token_id=None):
exp_user_id = exp_user_id or uuid.uuid4().hex
exp_methods = exp_methods or ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = payload_class.assemble(
exp_user_id, exp_methods, exp_project_id, exp_domain_id,
exp_expires_at, exp_audit_ids, exp_trust_id, exp_federated_info,
exp_access_token_id)
(user_id, methods, project_id,
domain_id, expires_at, audit_ids,
trust_id, federated_info,
access_token_id) = payload_class.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_trust_id, trust_id)
self.assertEqual(exp_access_token_id, access_token_id)
if exp_federated_info:
self.assertDictEqual(exp_federated_info, federated_info)
else:
self.assertIsNone(federated_info)
def test_list_revoked_multiple_filters(self):
revocation_backend = sql.Revoke()
# create token that sets key/value filters in list_revoked
first_token = _sample_blank_token()
first_token['user_id'] = uuid.uuid4().hex
first_token['project_id'] = uuid.uuid4().hex
first_token['audit_id'] = provider.random_urlsafe_str()
# revoke event and then verify that there is only one revocation
# and verify the only revoked event is the token
PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent(
user_id=first_token['user_id'],
project_id=first_token['project_id'],
audit_id=first_token['audit_id']))
self._assertTokenRevoked(first_token)
self.assertEqual(
1, len(revocation_backend.list_events(token=first_token)))
# If a token has None values which the event contains it shouldn't
# match and not be revoked
second_token = _sample_blank_token()
self._assertTokenNotRevoked(second_token)
self.assertEqual(
0, len(revocation_backend.list_events(token=second_token)))
# If an event column and corresponding dict value don't match, Then
# it should not add the event in the list. Demonstrate for project
third_token = _sample_blank_token()
third_token['project_id'] = uuid.uuid4().hex
self._assertTokenNotRevoked(third_token)
self.assertEqual(
0, len(revocation_backend.list_events(token=third_token)))
# A revoked event with user_id as null and token user_id non null
# should still be return an event and be revoked if other non null
# event fields match non null token fields
fourth_token = _sample_blank_token()
fourth_token['user_id'] = uuid.uuid4().hex
fourth_token['project_id'] = uuid.uuid4().hex
fourth_token['audit_id'] = provider.random_urlsafe_str()
PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent(
project_id=fourth_token['project_id'],
audit_id=fourth_token['audit_id']))
self._assertTokenRevoked(fourth_token)
self.assertEqual(
1, len(revocation_backend.list_events(token=fourth_token)))
def _test_payload(self,
payload_class,
exp_user_id=None,
exp_methods=None,
exp_system=None,
exp_project_id=None,
exp_domain_id=None,
exp_trust_id=None,
exp_federated_group_ids=None,
exp_identity_provider_id=None,
exp_protocol_id=None,
exp_access_token_id=None,
exp_app_cred_id=None,
encode_ids=False):
def _encode_id(value):
if value is not None and six.text_type(value) and encode_ids:
return value.encode('utf-8')
return value
exp_user_id = exp_user_id or uuid.uuid4().hex
exp_methods = exp_methods or ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = payload_class.assemble(_encode_id(exp_user_id), exp_methods,
_encode_id(exp_system),
_encode_id(exp_project_id),
exp_domain_id, exp_expires_at,
exp_audit_ids, exp_trust_id,
_encode_id(exp_federated_group_ids),
_encode_id(exp_identity_provider_id),
exp_protocol_id,
_encode_id(exp_access_token_id),
_encode_id(exp_app_cred_id))
(user_id, methods, system, project_id, domain_id, expires_at,
audit_ids, trust_id, federated_group_ids, identity_provider_id,
protocol_id, access_token_id,
app_cred_id) = payload_class.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_system, system)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_federated_group_ids, federated_group_ids)
self.assertEqual(exp_identity_provider_id, identity_provider_id)
self.assertEqual(exp_protocol_id, protocol_id)
self.assertEqual(exp_trust_id, trust_id)
self.assertEqual(exp_access_token_id, access_token_id)
self.assertEqual(exp_app_cred_id, app_cred_id)
def _test_unscoped_payload_with_user_id(self, exp_user_id):
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.UnscopedPayload.assemble(
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids)
(user_id, methods, expires_at,
audit_ids) = (token_formatters.UnscopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def _test_unscoped_payload_with_user_id(self, exp_user_id):
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.UnscopedPayload.assemble(
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids)
(user_id, methods, expires_at, audit_ids) = (
token_formatters.UnscopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_unscoped_payload(self):
exp_user_id = uuid.uuid4().hex
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.UnscopedPayload.assemble(
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids)
(user_id, methods, expires_at, audit_ids) = (
token_formatters.UnscopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_unscoped_payload(self):
exp_user_id = uuid.uuid4().hex
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.UnscopedPayload.assemble(
exp_user_id, exp_methods, exp_expires_at, exp_audit_ids)
(user_id, methods, expires_at,
audit_ids) = (token_formatters.UnscopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_domain_scoped_payload_with_default_domain(self):
exp_user_id = uuid.uuid4().hex
exp_methods = ["password"]
exp_domain_id = CONF.identity.default_domain_id
exp_expires_at = timeutils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.DomainScopedPayload.assemble(
exp_user_id, exp_methods, exp_domain_id, exp_expires_at, exp_audit_ids
)
(user_id, methods, domain_id, expires_at, audit_ids) = token_formatters.DomainScopedPayload.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_revoke_by_audit_chain_id(self):
revocation_backend = sql.Revoke()
# Create our first token with audit_id
audit_id = provider.random_urlsafe_str()
token = _sample_blank_token()
# Audit ID and Audit Chain ID are populated with the same value
# if the token is an original token
token['audit_id'] = audit_id
token['audit_chain_id'] = audit_id
# Check that the token is not revoked
self._assertTokenNotRevoked(token)
self.assertEqual(0, len(revocation_backend.list_events(token=token)))
# Revoked token by audit chain id using the audit_id
PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_id)
# Check that the token is now revoked
self._assertTokenRevoked(token)
self.assertEqual(1, len(revocation_backend.list_events(token=token)))
def test_revoke_by_audit_chain_id(self):
revocation_backend = sql.Revoke()
# Create our first token with audit_id
audit_id = provider.random_urlsafe_str()
token = _sample_blank_token()
# Audit ID and Audit Chain ID are populated with the same value
# if the token is an original token
token['audit_id'] = audit_id
token['audit_chain_id'] = audit_id
# Check that the token is not revoked
self._assertTokenNotRevoked(token)
self.assertEqual(0, len(revocation_backend.list_events(token=token)))
# Revoked token by audit chain id using the audit_id
PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_id)
# Check that the token is now revoked
self._assertTokenRevoked(token)
self.assertEqual(1, len(revocation_backend.list_events(token=token)))
def test_domain_scoped_payload_with_non_uuid_user_id(self):
exp_user_id = 'someNonUuidUserId'
exp_methods = ['password']
exp_domain_id = uuid.uuid4().hex
exp_expires_at = utils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.DomainScopedPayload.assemble(
exp_user_id, exp_methods, exp_domain_id, exp_expires_at,
exp_audit_ids)
(user_id, methods, domain_id, expires_at, audit_ids) = (
token_formatters.DomainScopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_project_scoped_payload_with_non_uuid_project_id(self):
exp_user_id = uuid.uuid4().hex
exp_methods = ['password']
exp_project_id = 'someNonUuidProjectId'
exp_expires_at = timeutils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.ProjectScopedPayload.assemble(
exp_user_id, exp_methods, exp_project_id, exp_expires_at,
exp_audit_ids)
(user_id, methods, project_id, expires_at, audit_ids) = (
token_formatters.ProjectScopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def _test_trust_scoped_payload_with_ids(self, exp_user_id, exp_project_id):
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_trust_id = uuid.uuid4().hex
payload = token_formatters.TrustScopedPayload.assemble(
exp_user_id, exp_methods, exp_project_id, exp_expires_at,
exp_audit_ids, exp_trust_id)
(user_id, methods, project_id, expires_at, audit_ids, trust_id) = (
token_formatters.TrustScopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_trust_id, trust_id)
def _test_trust_scoped_payload_with_ids(self, exp_user_id, exp_project_id):
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_trust_id = uuid.uuid4().hex
payload = token_formatters.TrustScopedPayload.assemble(
exp_user_id, exp_methods, exp_project_id, exp_expires_at,
exp_audit_ids, exp_trust_id)
(user_id, methods, project_id, expires_at, audit_ids,
trust_id) = (token_formatters.TrustScopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_trust_id, trust_id)
def test_domain_scoped_payload_with_default_domain(self):
exp_user_id = uuid.uuid4().hex
exp_methods = ['password']
exp_domain_id = CONF.identity.default_domain_id
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.DomainScopedPayload.assemble(
exp_user_id, exp_methods, exp_domain_id, exp_expires_at,
exp_audit_ids)
(user_id, methods, domain_id, expires_at, audit_ids) = (
token_formatters.DomainScopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_domain_scoped_payload_with_non_uuid_user_id(self):
exp_user_id = 'someNonUuidUserId'
exp_methods = ['password']
exp_domain_id = uuid.uuid4().hex
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
payload = token_formatters.DomainScopedPayload.assemble(
exp_user_id, exp_methods, exp_domain_id, exp_expires_at,
exp_audit_ids)
(user_id, methods, domain_id, expires_at, audit_ids) = (
token_formatters.DomainScopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_domain_id, domain_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_federated_domain_scoped_payload(self):
exp_user_id = "someNonUuidUserId"
exp_methods = ["token"]
exp_domain_id = uuid.uuid4().hex
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
exp_federated_info = {
"group_ids": [{"id": "someNonUuidGroupId"}],
"idp_id": uuid.uuid4().hex,
"protocol_id": uuid.uuid4().hex,
}
project_id = None
trust_id = None
payload = token_formatters.FederatedDomainScopedPayload.assemble(
exp_user_id,
exp_methods,
project_id,
exp_domain_id,
exp_expires_at,
exp_audit_ids,
trust_id,
exp_federated_info,
)
(
user_id,
methods,
project_id,
domain_id,
expires_at,
audit_ids,
trust_id,
federated_info,
) = token_formatters.FederatedDomainScopedPayload.disassemble(payload)
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_domain_id, domain_id)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertDictEqual(exp_federated_info, federated_info)
def _test_unscoped_payload_with_user_id(self, exp_user_id):
exp_methods = ['password']
exp_expires_at = utils.isotime(timeutils.utcnow(), subsecond=True)
exp_audit_ids = [provider.random_urlsafe_str()]
project_id = None
domain_id = None
trust_id = None
federated_info = None
payload = token_formatters.UnscopedPayload.assemble(
exp_user_id, exp_methods, project_id, domain_id, exp_expires_at,
exp_audit_ids, trust_id, federated_info)
(user_id, methods, project_id, domain_id, expires_at, audit_ids,
trust_id, federated_info) = (
token_formatters.UnscopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertTimestampsEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
def test_trust_scoped_payload_with_non_uuid_project_id(self):
exp_user_id = uuid.uuid4().hex
exp_methods = ['password']
exp_project_id = 'someNonUuidProjectId'
exp_expires_at = timeutils.isotime(timeutils.utcnow())
exp_audit_ids = [provider.random_urlsafe_str()]
exp_trust_id = uuid.uuid4().hex
payload = token_formatters.TrustScopedPayload.assemble(
exp_user_id, exp_methods, exp_project_id, exp_expires_at,
exp_audit_ids, exp_trust_id)
(user_id, methods, project_id, expires_at, audit_ids,
trust_id) = (token_formatters.TrustScopedPayload.disassemble(payload))
self.assertEqual(exp_user_id, user_id)
self.assertEqual(exp_methods, methods)
self.assertEqual(exp_project_id, project_id)
self.assertEqual(exp_expires_at, expires_at)
self.assertEqual(exp_audit_ids, audit_ids)
self.assertEqual(exp_trust_id, trust_id)
def test_verify_token_with_multiple_public_keys_present(self):
token = token_model.TokenModel()
token.methods = ['password']
token.user_id = uuid.uuid4().hex
token.audit_id = provider.random_urlsafe_str()
token.expires_at = utils.isotime(
provider.default_expire_time(), subsecond=True
)
token_id, issued_at = self.provider.generate_id_and_issued_at(token)
for _ in range(2):
private_key_path = os.path.join(
CONF.jwt_tokens.jws_private_key_repository,
uuid.uuid4().hex
)
pub_key_path = os.path.join(
CONF.jwt_tokens.jws_public_key_repository,
uuid.uuid4().hex
)
jwt_utils.create_jws_keypair(private_key_path, pub_key_path)
# make sure we iterate through all public keys on disk and we can still
# validate the token
self.provider.validate_token(token_id)
def test_strings_are_url_safe(self):
s = provider.random_urlsafe_str()
self.assertEqual(s, urllib.parse.quote_plus(s))
def test_strings_are_url_safe(self):
s = provider.random_urlsafe_str()
self.assertEqual(s, urllib.parse.quote_plus(s))
def test_strings_can_be_converted_to_bytes(self):
s = provider.random_urlsafe_str()
self.assertIsInstance(s, six.text_type)
b = provider.random_urlsafe_str_to_bytes(s)
self.assertIsInstance(b, six.binary_type)
def test_strings_can_be_converted_to_bytes(self):
s = provider.random_urlsafe_str()
self.assertTrue(isinstance(s, six.string_types))
b = provider.random_urlsafe_str_to_bytes(s)
self.assertTrue(isinstance(b, bytes))
def test_strings_can_be_converted_to_bytes(self):
s = token_provider.random_urlsafe_str()
self.assertIsInstance(s, str)
b = receipt_formatters.ReceiptPayload.random_urlsafe_str_to_bytes(s)
self.assertIsInstance(b, bytes)
def test_strings_can_be_converted_to_bytes(self):
s = provider.random_urlsafe_str()
self.assertIsInstance(s, six.text_type)
b = token_formatters.BasePayload.random_urlsafe_str_to_bytes(s)
self.assertIsInstance(b, six.binary_type)