def add_token_data(self, token_id=None, expires=None, user_id=None, user_name=None, user_domain_id=None, user_domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, role_list=None, is_v2=False): """Add token data to the auth_token fixture.""" if not token_id: token_id = uuid.uuid4().hex if not role_list: role_list = [] if is_v2: token = client_fixtures.V2Token( token_id=token_id, expires=expires, tenant_id=project_id, tenant_name=project_name, user_id=user_id, user_name=user_name) else: token = client_fixtures.V3Token( expires=expires, user_id=user_id, user_name=user_name, user_domain_id=user_domain_id, project_id=project_id, project_name=project_name, project_domain_id=project_domain_id, user_domain_name=user_domain_name, project_domain_name=project_domain_name) for role in role_list: token.add_role(name=role) self.add_token(token, token_id=token_id)
def fake_auth_ref(fake_token, fake_service=None): """Create an auth_ref using keystoneauth's fixtures""" token_copy = copy.deepcopy(fake_token) token_id = token_copy.pop('id') token = fixture.V3Token(**token_copy) # An auth_ref is actually an access info object auth_ref = access.create( body=token, auth_token=token_id, ) # Create a service catalog if fake_service: service = token.add_service( fake_service['type'], fake_service['name'], ) # TODO(dtroyer): Add an 'id' element to KSA's _Service fixure service['id'] = fake_service['id'] for e in fake_service['endpoints']: region = e.get('region_id') or e.get('region', '<none>') service.add_endpoint( e['interface'], e['url'], region=region, ) return auth_ref
def mock_auth_success(self, token_id=None, token_body=None, method='POST', url=test_utils.TestCase.TEST_ROOT_URL + 'v3/auth/tokens'): if not token_id: token_id = uuid.uuid4().hex if not token_body: token_body = ks_fixture.V3Token() response_list = [{ 'text': 'Fail', 'status_code': 401, 'headers': { 'WWW-Authenticate': 'Negotiate' } }, { 'headers': { 'X-Subject-Token': token_id, 'Content-Type': 'application/json', 'WWW-Authenticate': self.pass_header }, 'status_code': 200, 'json': token_body }] self.requests_mock.register_uri(method, url, response_list=response_list) return token_id, token_body
def register_keystone_v3_token_fixture(self, request_mocker): v3_token = ks_fixture.V3Token() service = v3_token.add_service('baremetal') service.add_standard_endpoints(public='http://ironic.example.com') request_mocker.post('%s/auth/tokens' % V3_URL, json=v3_token, headers={'X-Subject-Token': uuid.uuid4().hex})
def test_workflow(self): token_id = uuid.uuid4().hex token = ksa_fixtures.V3Token() self.requests_mock.get(self.default_sp_url, response_list=[ dict(headers=PAOS_HEADER, content=utils.make_oneline(saml2_fixtures.SP_SOAP_RESPONSE)), dict(headers={'X-Subject-Token': token_id}, json=token) ]) authm = self.requests_mock.post(self.TEST_IDP_URL, content=saml2_fixtures.SAML2_ASSERTION) self.requests_mock.post( self.TEST_CONSUMER_URL, status_code=302, headers={'Location': self.sp_url()}) auth_ref = self.get_plugin().get_auth_ref(self.session) self.assertEqual(token_id, auth_ref.auth_token) self.assertEqual(self.calls, [self.default_sp_url, self.TEST_IDP_URL, self.TEST_CONSUMER_URL, self.default_sp_url]) self.assertEqual(self.basic_header(), authm.last_request.headers['Authorization']) authn_request = self.requests_mock.request_history[1].text self.assertThat(saml2_fixtures.AUTHN_REQUEST, matchers.XMLEquals(authn_request))
def test_project_as_domain_scoped(self): project_id = uuid.uuid4().hex project_name = uuid.uuid4().hex project_domain_id = uuid.uuid4().hex project_domain_name = uuid.uuid4().hex project_is_domain = True token = fixture.V3Token(project_id=project_id, project_name=project_name, project_domain_id=project_domain_id, project_domain_name=project_domain_name, project_is_domain=project_is_domain) self.assertEqual(project_id, token.project_id) self.assertEqual(project_id, token['token']['project']['id']) self.assertEqual(project_name, token.project_name) self.assertEqual(project_name, token['token']['project']['name']) self.assertEqual(project_is_domain, token['token']['is_domain']) project_domain = token['token']['project']['domain'] self.assertEqual(project_domain_id, token.project_domain_id) self.assertEqual(project_domain_id, project_domain['id']) self.assertEqual(project_domain_name, token.project_domain_name) self.assertEqual(project_domain_name, project_domain['name'])
def setUp(self): super(V3FederatedPlugin, self).setUp() self.unscoped_token = fixture.V3Token() self.unscoped_token_id = uuid.uuid4().hex self.scoped_token = copy.deepcopy(self.unscoped_token) self.scoped_token.set_project_scope() self.scoped_token.methods.insertLast('token') self.scoped_token_id = uuid.uuid4().hex s = self.scoped_token.add_service('compute', name='nova') s.add_standard_endpoints(public='http://nova/public', admin='http://nova/admin', internal='http://nova/internal') self.idp = uuid.uuid4().hex self.protocol = uuid.uuid4().hex self.token_url = ('%s/OS-FEDERATION/identity_providers/%s/protocols/%s' '/auth' % (self.AUTH_URL, self.idp, self.protocol)) headers = {'X-Subject-Token': self.unscoped_token_id} self.unscoped_mock = self.requests_mock.post(self.token_url, json=self.unscoped_token, headers=headers) headers = {'X-Subject-Token': self.scoped_token_id} auth_url = self.AUTH_URL + '/auth/tokens' self.scoped_mock = self.requests_mock.post(auth_url, json=self.scoped_token, headers=headers)
def _plugin(self, **kwargs): token = fixture.V3Token() s = token.add_service('identity') s.add_standard_endpoints(public=self.TEST_ROOT_URL) auth_ref = access.create(body=token, auth_token=self.auth_token) return access_plugin.AccessInfoPlugin(auth_ref, **kwargs)
def test_catalog(self): service_type = uuid.uuid4().hex service_name = uuid.uuid4().hex service_id = uuid.uuid4().hex region = uuid.uuid4().hex endpoints = {'public': uuid.uuid4().hex, 'internal': uuid.uuid4().hex, 'admin': uuid.uuid4().hex} token = fixture.V3Token() svc = token.add_service(type=service_type, name=service_name, id=service_id) svc.add_standard_endpoints(region=region, **endpoints) self.assertEqual(1, len(token['token']['catalog'])) service = token['token']['catalog'][0] self.assertEqual(3, len(service['endpoints'])) self.assertEqual(service_name, service['name']) self.assertEqual(service_type, service['type']) self.assertEqual(service_id, service['id']) for endpoint in service['endpoints']: # assert an id exists for each endpoint, remove it to make testing # the endpoint content below easier. self.assertTrue(endpoint.pop('id')) for interface, url in endpoints.items(): endpoint = {'interface': interface, 'url': url, 'region': region, 'region_id': region} self.assertIn(endpoint, service['endpoints']) token.remove_service(type=service_type) self.assertEqual(0, len(token['token']['catalog']))
def setUp(self): super(V3UserPluginTests, self).setUp() self.service_token_id = uuid.uuid4().hex self.service_token = fixture.V3Token() s = self.service_token.add_service('identity', name='keystone') s.add_standard_endpoints(public=BASE_URI, admin=BASE_URI, internal=BASE_URI) self.configure_middleware(auth_type='v3password', auth_url='%s/v3/' % AUTH_URL, user_id=self.service_token.user_id, password=uuid.uuid4().hex, project_id=self.service_token.project_id) auth_discovery = fixture.DiscoveryList(href=AUTH_URL) self.requests_mock.get(AUTH_URL, json=auth_discovery) base_discovery = fixture.DiscoveryList(href=BASE_URI) self.requests_mock.get(BASE_URI, json=base_discovery) self.requests_mock.post( '%s/v3/auth/tokens' % AUTH_URL, headers={'X-Subject-Token': self.service_token_id}, json=self.service_token)
def test_password_change_auth_state(self): self.stub_auth(json=self.TEST_RESPONSE_DICT) expired = ksa_utils.before_utcnow(days=2) token = fixture.V3Token(expires=expired) token_id = uuid.uuid4().hex state = json.dumps({'auth_token': token_id, 'body': token}) a = v3.Password(self.TEST_URL, username=self.TEST_USER, password=self.TEST_PASS, user_domain_id=self.TEST_DOMAIN_ID, project_id=uuid.uuid4().hex) initial_cache_id = a.get_cache_id() self.assertIsNone(a.get_auth_state()) a.set_auth_state(state) self.assertEqual(token_id, a.auth_ref.auth_token) s = session.Session() self.assertEqual(self.TEST_TOKEN, a.get_token(s)) # updates expired self.assertEqual(initial_cache_id, a.get_cache_id())
def test_authenticate_with_mutual_authentication_required(self): self.kerberos_mock.mock_auth_success(url=self.token_url, method='GET') scoped_id = uuid.uuid4().hex scoped_body = ks_fixture.V3Token() scoped_body.set_project_scope() self.requests_mock.post('%s/auth/tokens' % self.TEST_V3_URL, json=scoped_body, headers={ 'X-Subject-Token': scoped_id, 'Content-Type': 'application/json' }) plugin = kerberos.MappedKerberos( auth_url=self.TEST_V3_URL, protocol=self.protocol, identity_provider=self.identity_provider, project_id=scoped_body.project_id, mutual_auth='required') sess = session.Session() tok = plugin.get_token(sess) proj = plugin.get_project_id(sess) self.assertEqual(scoped_id, tok) self.assertEqual(scoped_body.project_id, proj) self.assertEqual(self.kerberos_mock.called_auth_server, True)
def test_good_v3_user_token(self): t = fixture.V3Token() t.set_project_scope() role = t.add_role() token_id = uuid.uuid4().hex token_dict = {token_id: t} @webob.dec.wsgify def _do_cb(req): self.assertEqual(token_id, req.headers['X-Auth-Token'].strip()) self.assertEqual('Confirmed', req.headers['X-Identity-Status']) self.assertNotIn('X-Service-Token', req.headers) p = req.environ['keystone.token_auth'] self.assertTrue(p.has_user_token) self.assertFalse(p.has_service_token) self.assertEqual(t.project_id, p.user.project_id) self.assertEqual(t.project_domain_id, p.user.project_domain_id) self.assertEqual(t.user_id, p.user.user_id) self.assertEqual(t.user_domain_id, p.user.user_domain_id) self.assertIn(role['name'], p.user.role_names) return webob.Response() m = FetchingMiddleware(_do_cb, token_dict) self.call(m, headers={'X-Auth-Token': token_id}) # also try with whitespace in the token self.call(m, headers={'X-Auth-Token': token_id + ' '}) self.call(m, headers={'X-Auth-Token': token_id + '\r'})
def test_will_expire_soon(self): expires = timeutils.utcnow() + datetime.timedelta(minutes=5) token = fixture.V3Token(expires=expires) auth_ref = access.create(body=token) self.assertFalse(auth_ref.will_expire_soon(stale_duration=120)) self.assertTrue(auth_ref.will_expire_soon(stale_duration=301)) self.assertFalse(auth_ref.will_expire_soon())
def test_multi_region(self): token = fixture.V3Token() s = token.add_service(type='identity') s.add_endpoint('internal', self.INTERNAL_URL, region=self.REGION_ONE) s.add_endpoint('public', self.PUBLIC_URL, region=self.REGION_TWO) s.add_endpoint('admin', self.ADMIN_URL, region=self.REGION_THREE) auth_ref = access.create(body=token) catalog_data = auth_ref.service_catalog.catalog catalog = _request._v3_to_v2_catalog(catalog_data) self.assertEqual(1, len(catalog)) service = catalog[0] # the 3 regions will come through as 3 separate endpoints expected = [{ 'internalURL': self.INTERNAL_URL, 'region': self.REGION_ONE }, { 'publicURL': self.PUBLIC_URL, 'region': self.REGION_TWO }, { 'adminURL': self.ADMIN_URL, 'region': self.REGION_THREE }] self.assertEqual('identity', service['type']) self.assertEqual(3, len(service['endpoints'])) for e in expected: self.assertIn(e, expected)
def test_token_info(self): info = fixture.V3Token() self.assertNotIn('keystone.token_info', self.request.environ) self.request.token_info = info self.assertIs(info, self.request.environ['keystone.token_info']) self.assertIs(info, self.request.token_info)
def new_client(self): t = fixture.V3Token(user_id=self.user_id) t.set_project_scope() s = t.add_service('identity') s.add_standard_endpoints(public=self.TEST_URL, admin=self.TEST_URL) d = fixture.V3Discovery(self.TEST_URL) headers = {'X-Subject-Token': uuid.uuid4().hex} self.requests.register_uri('POST', self.TEST_URL + '/auth/tokens', headers=headers, json=t) self.requests.register_uri('GET', self.TEST_URL, json={'version': d}) with self.deprecations.expect_deprecations_here(): a = ksc_identity.V3Password(username=uuid.uuid4().hex, password=uuid.uuid4().hex, user_domain_id=uuid.uuid4().hex, auth_url=self.TEST_URL) s = ksc_session.Session(auth=a) return v3_client.Client(session=s)
def auth_response_body(): f = fixture.V3Token(audit_chain_id=uuid.uuid4().hex) f.set_project_scope() f.add_role(name='admin') f.add_role(name='member') s = f.add_service('compute', name='nova') s.add_standard_endpoints( public='https://compute.north.host/novapi/public', internal='https://compute.north.host/novapi/internal', admin='https://compute.north.host/novapi/admin', region='North') s = f.add_service('object-store', name='swift') s.add_standard_endpoints( public='http://swift.north.host/swiftapi/public', internal='http://swift.north.host/swiftapi/internal', admin='http://swift.north.host/swiftapi/admin', region='South') s = f.add_service('image', name='glance') s.add_standard_endpoints( public='http://glance.north.host/glanceapi/public', internal='http://glance.north.host/glanceapi/internal', admin='http://glance.north.host/glanceapi/admin', region='North') s.add_standard_endpoints( public='http://glance.south.host/glanceapi/public', internal='http://glance.south.host/glanceapi/internal', admin='http://glance.south.host/glanceapi/admin', region='South') return f
def setUp(self): super(AuthProjectsTest, self).setUp() self.v3token = fixture.V3Token() self.stub_auth(json=self.v3token) self.stub_url('GET', [], json={'version': fixture.V3Discovery(self.TEST_URL)})
def setUp(self): super(K2KAuthPluginTest, self).setUp() self.token_v3 = fixture.V3Token() self.token_v3.add_service_provider(self.SP_ID, self.SP_AUTH_URL, self.SP_URL) self.session = session.Session() self.k2kplugin = self.get_plugin()
def test_override_auth_token(self): token = fixture.V3Token() token.set_project_scope() new_auth_token = uuid.uuid4().hex auth_ref = access.AccessInfo.factory(body=token, auth_token=new_auth_token) self.assertEqual(new_auth_token, auth_ref.auth_token)
def test_project_scoped_service_headers(self): token = fixture.V3Token() token.set_project_scope() token_id = uuid.uuid4().hex auth_ref = access.create(auth_token=token_id, body=token) self.request.set_service_headers(auth_ref) self._test_v3_headers(token, '-Service')
def _plugin(self, **kwargs): token = fixture.V3Token() s = token.add_service('identity') s.add_standard_endpoints(public=self.TEST_ROOT_URL) auth_ref = access.AccessInfo.factory(body=token, auth_token=self.auth_token) with self.deprecations.expect_deprecations_here(): return access_plugin.AccessInfoPlugin(auth_ref, **kwargs)
def test_binding(self): token = fixture.V3Token() principal = uuid.uuid4().hex token.set_bind('kerberos', principal) auth_ref = access.create(body=token) self.assertIsInstance(auth_ref, access.AccessInfoV3) self.assertEqual({'kerberos': principal}, auth_ref.bind)
def setUp(self): super(ServiceTokenTests, self).setUp() self.user_token_id = uuid.uuid4().hex self.user_token = fixture.V3Token() self.user_token.set_project_scope() self.user_auth = identity.V3Password(auth_url=self.USER_URL, user_id=uuid.uuid4().hex, password=uuid.uuid4().hex, project_id=uuid.uuid4().hex) self.service_token_id = uuid.uuid4().hex self.service_token = fixture.V3Token() self.service_token.set_project_scope() self.service_auth = identity.V3Password(auth_url=self.SERVICE_URL, user_id=uuid.uuid4().hex, password=uuid.uuid4().hex, project_id=uuid.uuid4().hex) for t in (self.user_token, self.service_token): s = t.add_service('identity') s.add_standard_endpoints(public='http://keystone.example.com', admin='http://keystone.example.com', internal='http://keystone.example.com') self.test_data = {'data': uuid.uuid4().hex} self.user_mock = self.requests_mock.post( self.USER_URL + '/auth/tokens', json=self.user_token, headers={'X-Subject-Token': self.user_token_id}) self.service_mock = self.requests_mock.post( self.SERVICE_URL + '/auth/tokens', json=self.service_token, headers={'X-Subject-Token': self.service_token_id}) self.requests_mock.get(self.TEST_URL, json=self.test_data) self.combined_auth = service_token.ServiceTokenAuthWrapper( self.user_auth, self.service_auth) self.session = session.Session(auth=self.combined_auth)
def test_domain_scoped(self): domain_id = uuid.uuid4().hex domain_name = uuid.uuid4().hex token = fixture.V3Token(domain_id=domain_id, domain_name=domain_name) self.assertEqual(domain_id, token.domain_id) self.assertEqual(domain_id, token['token']['domain']['id']) self.assertEqual(domain_name, token.domain_name) self.assertEqual(domain_name, token['token']['domain']['name'])
def setUp(self): super(K2KFederatedProjectTests, self).setUp() self.token_v3 = auth_fixture.V3Token() self.token_v3.add_service_provider(self.SP_ID, self.SP_AUTH_URL, self.SP_URL) self.session = session.Session() self.collection_key = 'projects' self.model = projects.Project self.URL = '%s%s' % (self.SP_ROOT_URL, '/auth/projects') self.k2kplugin = self.get_plugin() self._mock_k2k_flow_urls()
def test_token_bind(self): name1 = uuid.uuid4().hex data1 = uuid.uuid4().hex name2 = uuid.uuid4().hex data2 = {uuid.uuid4().hex: uuid.uuid4().hex} token = fixture.V3Token() token.set_bind(name1, data1) token.set_bind(name2, data2) self.assertEqual({name1: data1, name2: data2}, token['token']['bind'])
def setUp(self): super(GenericPluginTestCase, self).setUp() self.token_v2 = fixture.V2Token() self.token_v3 = fixture.V3Token() self.token_v3_id = uuid.uuid4().hex self.session = session.Session() self.stub_url('POST', ['v2.0', 'tokens'], json=self.token_v2) self.stub_url('POST', ['v3', 'auth', 'tokens'], headers={'X-Subject-Token': self.token_v3_id}, json=self.token_v3)
def test_roles(self): role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} role2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} token = fixture.V3Token() token.add_role(**role1) token.add_role(**role2) self.assertEqual(2, len(token['token']['roles'])) self.assertIn(role1, token['token']['roles']) self.assertIn(role2, token['token']['roles'])