Exemplo n.º 1
0
    def test_delete_project(self):
        """Call ``DELETE /projects/{project_id}``

        As well as making sure the delete succeeds, we ensure
        that any credentials that reference this projects are
        also deleted, while other credentials are unaffected.

        """
        credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)
        self.credential_api.create_credential(credential["id"], credential)

        # First check the credential for this project is present
        r = self.credential_api.get_credential(credential["id"])
        self.assertDictEqual(credential, r)
        # Create a second credential with a different project
        project2 = unit.new_project_ref(domain_id=self.domain["id"])
        self.resource_api.create_project(project2["id"], project2)
        credential2 = unit.new_credential_ref(user_id=self.user["id"], project_id=project2["id"])
        self.credential_api.create_credential(credential2["id"], credential2)

        # Now delete the project
        self.delete("/projects/%(project_id)s" % {"project_id": self.project_id})

        # Deleting the project should have deleted any credentials
        # that reference this project
        self.assertRaises(
            exception.CredentialNotFound, self.credential_api.get_credential, credential_id=credential["id"]
        )
        # But the credential for project2 is unaffected
        r = self.credential_api.get_credential(credential2["id"])
        self.assertDictEqual(credential2, r)
Exemplo n.º 2
0
    def test_list_credentials_filtered_by_type_and_user_id(self):
        """Call ``GET  /credentials?user_id={user_id}&type={type}``."""
        user1_id = uuid.uuid4().hex
        user2_id = uuid.uuid4().hex

        PROVIDERS.assignment_api.create_system_grant_for_user(
            self.user_id, self.role_id
        )
        token = self.get_system_scoped_token()

        # Creating credentials for two different users
        credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id,
                                                       type=CRED_TYPE_EC2)
        credential_user1_cert = unit.new_credential_ref(user_id=user1_id)
        credential_user2_cert = unit.new_credential_ref(user_id=user2_id)

        PROVIDERS.credential_api.create_credential(
            credential_user1_ec2['id'], credential_user1_ec2)
        PROVIDERS.credential_api.create_credential(
            credential_user1_cert['id'], credential_user1_cert)
        PROVIDERS.credential_api.create_credential(
            credential_user2_cert['id'], credential_user2_cert)

        r = self.get(
            '/credentials?user_id=%s&type=ec2' % user1_id, token=token
        )
        self.assertValidCredentialListResponse(r, ref=credential_user1_ec2)
        self.assertThat(r.result['credentials'], matchers.HasLength(1))
        cred = r.result['credentials'][0]
        self.assertEqual(CRED_TYPE_EC2, cred['type'])
        self.assertEqual(user1_id, cred['user_id'])
Exemplo n.º 3
0
    def test_list_credentials_filtered_by_type(self):
        """Call ``GET  /credentials?type={type}``."""
        # The type ec2 was chosen, instead of a random string,
        # because the type must be in the list of supported types
        ec2_credential = unit.new_credential_ref(user_id=uuid.uuid4().hex,
                                                 project_id=self.project_id,
                                                 type=CRED_TYPE_EC2)

        ec2_resp = self.credential_api.create_credential(
            ec2_credential['id'], ec2_credential)

        # The type cert was chosen for the same reason as ec2
        r = self.get('/credentials?type=cert')

        # Testing the filter for two different types
        self.assertValidCredentialListResponse(r, ref=self.credential)
        for cred in r.result['credentials']:
            self.assertEqual('cert', cred['type'])

        r_ec2 = self.get('/credentials?type=ec2')
        self.assertThat(r_ec2.result['credentials'], matchers.HasLength(1))
        cred_ec2 = r_ec2.result['credentials'][0]

        self.assertValidCredentialListResponse(r_ec2, ref=ec2_resp)
        self.assertEqual(CRED_TYPE_EC2, cred_ec2['type'])
        self.assertEqual(ec2_credential['id'], cred_ec2['id'])
Exemplo n.º 4
0
 def test_create_credential(self):
     """Call ``POST /credentials``."""
     ref = unit.new_credential_ref(user_id=self.user['id'])
     r = self.post(
         '/credentials',
         body={'credential': ref})
     self.assertValidCredentialResponse(r, ref)
Exemplo n.º 5
0
    def setUp(self):

        super(CredentialTestCase, self).setUp()

        self.credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)

        self.credential_api.create_credential(self.credential["id"], self.credential)
Exemplo n.º 6
0
 def test_update_credential(self):
     """Call ``PATCH /credentials/{credential_id}``."""
     ref = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)
     del ref["id"]
     r = self.patch(
         "/credentials/%(credential_id)s" % {"credential_id": self.credential["id"]}, body={"credential": ref}
     )
     self.assertValidCredentialResponse(r, ref)
Exemplo n.º 7
0
 def test_create_credential_with_admin_token(self):
     # Make sure we can create credential with the static admin token
     ref = unit.new_credential_ref(user_id=self.user['id'])
     r = self.post(
         '/credentials',
         body={'credential': ref},
         token=self.get_admin_token())
     self.assertValidCredentialResponse(r, ref)
Exemplo n.º 8
0
 def _create_credential_with_user_id(self, user_id=None):
     if not user_id:
         user_id = uuid.uuid4().hex
     credential = unit.new_credential_ref(user_id=user_id,
                                          extra=uuid.uuid4().hex,
                                          type=uuid.uuid4().hex)
     self.credential_api.create_credential(credential['id'], credential)
     return credential
Exemplo n.º 9
0
 def _create_credential_with_user_id(self, user_id=uuid.uuid4().hex):
     credential = unit.new_credential_ref(user_id=user_id,
                                          extra=uuid.uuid4().hex,
                                          type=uuid.uuid4().hex)
     PROVIDERS.credential_api.create_credential(
         credential['id'], credential
     )
     return credential
Exemplo n.º 10
0
    def test_list_credentials_filtered_by_user_id(self):
        """Call ``GET  /credentials?user_id={user_id}``."""
        credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
        self.credential_api.create_credential(credential['id'], credential)

        r = self.get('/credentials?user_id=%s' % self.user['id'])
        self.assertValidCredentialListResponse(r, ref=self.credential)
        for cred in r.result['credentials']:
            self.assertEqual(self.user['id'], cred['user_id'])
Exemplo n.º 11
0
    def setUp(self):
        super(IdentityTestCase, self).setUp()

        self.group = unit.new_group_ref(domain_id=self.domain_id)
        self.group = self.identity_api.create_group(self.group)
        self.group_id = self.group["id"]

        self.credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)

        self.credential_api.create_credential(self.credential["id"], self.credential)
Exemplo n.º 12
0
 def test_update_credential(self):
     """Call ``PATCH /credentials/{credential_id}``."""
     ref = unit.new_credential_ref(user_id=self.user['id'],
                                   project_id=self.project_id)
     del ref['id']
     r = self.patch(
         '/credentials/%(credential_id)s' % {
             'credential_id': self.credential['id']},
         body={'credential': ref})
     self.assertValidCredentialResponse(r, ref)
Exemplo n.º 13
0
 def test_ec2_cannot_get_non_ec2_credential(self):
     access_key = uuid.uuid4().hex
     cred_id = utils.hash_access_key(access_key)
     non_ec2_cred = unit.new_credential_ref(user_id=self.user_id, project_id=self.project_id)
     non_ec2_cred["id"] = cred_id
     self.credential_api.create_credential(cred_id, non_ec2_cred)
     uri = "/".join([self._get_ec2_cred_uri(), access_key])
     # if access_key is not found, ec2 controller raises Unauthorized
     # exception
     self.get(uri, expected_status=http_client.UNAUTHORIZED)
Exemplo n.º 14
0
    def test_create_ec2_credential_with_invalid_blob(self):
        """Test creating ec2 credential with invalid blob.

        Call ``POST /credentials``.
        """
        ref = unit.new_credential_ref(
            user_id=self.user["id"], project_id=self.project_id, blob='{"abc":"def"d}', type=CRED_TYPE_EC2
        )
        # Assert bad request status when request contains invalid blob
        response = self.post("/credentials", body={"credential": ref}, expected_status=http_client.BAD_REQUEST)
        self.assertValidErrorResponse(response)
Exemplo n.º 15
0
    def test_list_credentials_filtered_by_type_and_user_id(self):
        """Call ``GET  /credentials?user_id={user_id}&type={type}``."""
        user1_id = uuid.uuid4().hex
        user2_id = uuid.uuid4().hex

        # Creating credentials for two different users
        credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id, type=CRED_TYPE_EC2)
        credential_user1_cert = unit.new_credential_ref(user_id=user1_id)
        credential_user2_cert = unit.new_credential_ref(user_id=user2_id)

        self.credential_api.create_credential(credential_user1_ec2["id"], credential_user1_ec2)
        self.credential_api.create_credential(credential_user1_cert["id"], credential_user1_cert)
        self.credential_api.create_credential(credential_user2_cert["id"], credential_user2_cert)

        r = self.get("/credentials?user_id=%s&type=ec2" % user1_id)
        self.assertValidCredentialListResponse(r, ref=credential_user1_ec2)
        self.assertThat(r.result["credentials"], matchers.HasLength(1))
        cred = r.result["credentials"][0]
        self.assertEqual(CRED_TYPE_EC2, cred["type"])
        self.assertEqual(user1_id, cred["user_id"])
Exemplo n.º 16
0
 def test_credential_duplicate_conflict_gives_name(self):
     user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
     credential = unit.new_credential_ref(user_id=user['id'])
     self.credential_api.create_credential(credential['id'], credential)
     try:
         self.credential_api.create_credential(credential['id'], credential)
     except exception.Conflict as e:
         self.assertIn("Duplicate entry found with ID %s"
                       % credential['id'], repr(e))
     else:
         self.fail("Create duplicate credential did not raise a conflict")
Exemplo n.º 17
0
 def test_create_ec2_credential_with_invalid_blob(self):
     """Call ``POST /credentials`` for creating ec2 credential with invalid
     blob.
     """
     ref = unit.new_credential_ref(user_id=self.user['id'],
                                   project_id=self.project_id,
                                   blob='{"abc":"def"d}',
                                   type='ec2')
     # Assert bad request status when request contains invalid blob
     response = self.post(
         '/credentials',
         body={'credential': ref}, expected_status=http_client.BAD_REQUEST)
     self.assertValidErrorResponse(response)
    def test_delete_user(self):
        """Call ``DELETE /users/{user_id}``.

        As well as making sure the delete succeeds, we ensure
        that any credentials that reference this user are
        also deleted, while other credentials are unaffected.
        In addition, no tokens should remain valid for this user.

        """
        # First check the credential for this user is present
        r = self.credential_api.get_credential(self.credential['id'])
        self.assertDictEqual(self.credential, r)
        # Create a second credential with a different user

        user2 = unit.new_user_ref(domain_id=self.domain['id'],
                                  project_id=self.project['id'])
        user2 = self.identity_api.create_user(user2)
        credential2 = unit.new_credential_ref(user_id=user2['id'],
                                              project_id=self.project['id'])
        self.credential_api.create_credential(credential2['id'], credential2)

        # Create a token for this user which we can check later
        # gets deleted
        auth_data = self.build_authentication_request(
            user_id=self.user['id'],
            password=self.user['password'],
            project_id=self.project['id'])
        token = self.get_requested_token(auth_data)
        # Confirm token is valid for now
        self.head('/auth/tokens',
                  headers={'X-Subject-Token': token},
                  expected_status=http_client.OK)

        # Now delete the user
        self.delete('/users/%(user_id)s' % {
            'user_id': self.user['id']})

        # Deleting the user should have deleted any credentials
        # that reference this project
        self.assertRaises(exception.CredentialNotFound,
                          self.credential_api.get_credential,
                          self.credential['id'])
        # And the no tokens we remain valid
        tokens = self.token_provider_api._persistence._list_tokens(
            self.user['id'])
        self.assertEqual(0, len(tokens))
        # But the credential for user2 is unaffected
        r = self.credential_api.get_credential(credential2['id'])
        self.assertDictEqual(credential2, r)
Exemplo n.º 19
0
    def test_list_credentials_filtered_by_type_and_user_id(self):
        """Call ``GET  /credentials?user_id={user_id}&type={type}``."""
        user1_id = uuid.uuid4().hex
        user2_id = uuid.uuid4().hex

        # Creating credentials for two different users
        credential_user1_ec2 = unit.new_credential_ref(user_id=user1_id,
                                                       type='ec2')
        credential_user1_cert = unit.new_credential_ref(user_id=user1_id)
        credential_user2_cert = unit.new_credential_ref(user_id=user2_id)

        self.credential_api.create_credential(
            credential_user1_ec2['id'], credential_user1_ec2)
        self.credential_api.create_credential(
            credential_user1_cert['id'], credential_user1_cert)
        self.credential_api.create_credential(
            credential_user2_cert['id'], credential_user2_cert)

        r = self.get('/credentials?user_id=%s&type=ec2' % user1_id)
        self.assertValidCredentialListResponse(r, ref=credential_user1_ec2)
        self.assertThat(r.result['credentials'], matchers.HasLength(1))
        cred = r.result['credentials'][0]
        self.assertEqual('ec2', cred['type'])
        self.assertEqual(user1_id, cred['user_id'])
Exemplo n.º 20
0
    def test_ec2_cannot_get_non_ec2_credential(self):
        access_key = uuid.uuid4().hex
        cred_id = utils.hash_access_key(access_key)
        non_ec2_cred = unit.new_credential_ref(
            user_id=self.user_id,
            project_id=self.project_id)
        non_ec2_cred['id'] = cred_id
        self.credential_api.create_credential(cred_id, non_ec2_cred)

        # if access_key is not found, ec2 controller raises Unauthorized
        # exception
        path = '/'.join([self._get_ec2_cred_uri(), access_key])
        self.public_request(method='GET', token=self.get_scoped_token(),
                            path=path,
                            expected_status=http_client.UNAUTHORIZED)
Exemplo n.º 21
0
    def test_update_credential_to_ec2_type(self):
        """Call ``PATCH /credentials/{credential_id}``."""
        # Create a credential without providing a project_id
        ref = unit.new_credential_ref(user_id=self.user['id'])
        r = self.post(
            '/credentials',
            body={'credential': ref})
        self.assertValidCredentialResponse(r, ref)
        credential_id = r.result.get('credential')['id']

        # Updating the credential to ec2 requires a project_id
        update_ref = {'type': 'ec2', 'project_id': self.project_id}
        self.patch(
            '/credentials/%(credential_id)s' % {
                'credential_id': credential_id},
            body={'credential': update_ref})
Exemplo n.º 22
0
    def test_update_credential_to_ec2_with_previously_set_project_id(self):
        """Call ``PATCH /credentials/{credential_id}``."""
        # Create a credential providing a project_id
        ref = unit.new_credential_ref(user_id=self.user['id'],
                                      project_id=self.project_id)
        r = self.post(
            '/credentials',
            body={'credential': ref})
        self.assertValidCredentialResponse(r, ref)
        credential_id = r.result.get('credential')['id']

        # Since the created credential above already has a project_id, the
        # update request will not fail
        update_ref = {'type': 'ec2'}
        self.patch(
            '/credentials/%(credential_id)s' % {
                'credential_id': credential_id},
            body={'credential': update_ref})
Exemplo n.º 23
0
    def test_update_credential_to_ec2_missing_project_id(self):
        """Call ``PATCH /credentials/{credential_id}``."""
        # Create a credential without providing a project_id
        ref = unit.new_credential_ref(user_id=self.user['id'])
        r = self.post(
            '/credentials',
            body={'credential': ref})
        self.assertValidCredentialResponse(r, ref)
        credential_id = r.result.get('credential')['id']

        # Updating such credential to ec2 type without providing a project_id
        # will fail
        update_ref = {'type': 'ec2'}
        self.patch(
            '/credentials/%(credential_id)s' % {
                'credential_id': credential_id},
            body={'credential': update_ref},
            expected_status=http_client.BAD_REQUEST)
Exemplo n.º 24
0
    def test_ec2_list_credentials(self):
        """Test ec2 credential listing."""
        self._get_ec2_cred()
        uri = self._get_ec2_cred_uri()
        r = self.get(uri)
        cred_list = r.result["credentials"]
        self.assertEqual(1, len(cred_list))
        self.assertThat(r.result["links"]["self"], matchers.EndsWith(uri))

        # non-EC2 credentials won't be fetched
        non_ec2_cred = unit.new_credential_ref(user_id=self.user_id, project_id=self.project_id)
        non_ec2_cred["type"] = uuid.uuid4().hex
        self.credential_api.create_credential(non_ec2_cred["id"], non_ec2_cred)
        r = self.get(uri)
        cred_list_2 = r.result["credentials"]
        # still one element because non-EC2 credentials are not returned.
        self.assertEqual(1, len(cred_list_2))
        self.assertEqual(cred_list[0], cred_list_2[0])
Exemplo n.º 25
0
    def setUp(self):
        super(IdentityTestCase, self).setUp()
        self.useFixture(
            ksfixtures.KeyRepository(
                self.config_fixture,
                'credential',
                credential_fernet.MAX_ACTIVE_KEYS
            )
        )

        self.group = unit.new_group_ref(domain_id=self.domain_id)
        self.group = self.identity_api.create_group(self.group)
        self.group_id = self.group['id']

        self.credential = unit.new_credential_ref(
            user_id=self.user['id'],
            project_id=self.project_id)

        self.credential_api.create_credential(self.credential['id'],
                                              self.credential)
Exemplo n.º 26
0
    def test_ec2_list_credentials(self):
        self._get_ec2_cred()
        uri = self._get_ec2_cred_uri()
        r = self.public_request(method='GET', token=self.get_scoped_token(),
                                path=uri)
        cred_list = r.result['credentials']
        self.assertEqual(1, len(cred_list))

        # non-EC2 credentials won't be fetched
        non_ec2_cred = unit.new_credential_ref(
            user_id=self.user_id,
            project_id=self.project_id)
        non_ec2_cred['type'] = uuid.uuid4().hex
        self.credential_api.create_credential(non_ec2_cred['id'],
                                              non_ec2_cred)
        r = self.public_request(method='GET', token=self.get_scoped_token(),
                                path=uri)
        cred_list_2 = r.result['credentials']
        # still one element because non-EC2 credentials are not returned.
        self.assertEqual(1, len(cred_list_2))
        self.assertEqual(cred_list[0], cred_list_2[0])
Exemplo n.º 27
0
    def test_list_credentials_is_decrypted(self):
        credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
        credential_id = credential['id']

        created_credential = self.credential_api.create_credential(
            credential_id,
            credential
        )

        # Pull the credential directly from the backend, the `blob` should be
        # encrypted.
        credential_from_backend = self.credential_api.driver.get_credential(
            credential_id
        )
        self.assertNotEqual(
            credential_from_backend['encrypted_blob'],
            credential['blob']
        )

        # Make sure the `blob` values listed from the API are not encrypted.
        listed_credentials = self.credential_api.list_credentials()
        self.assertIn(created_credential, listed_credentials)
Exemplo n.º 28
0
    def test_create_credential_is_encrypted_when_stored(self):
        credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
        credential_id = credential['id']
        returned_credential = self.credential_api.create_credential(
            credential_id,
            credential
        )

        # Make sure the `blob` is *not* encrypted when returned from the
        # credential API.
        self.assertEqual(returned_credential['blob'], credential['blob'])

        credential_from_backend = self.credential_api.driver.get_credential(
            credential_id
        )

        # Pull the credential directly from the backend, the `blob` should be
        # encrypted.
        self.assertNotEqual(
            credential_from_backend['encrypted_blob'],
            credential['blob']
        )
Exemplo n.º 29
0
 def _create_credential_with_user_id(self, user_id=uuid.uuid4().hex):
     credential = unit.new_credential_ref(user_id=user_id,
                                          extra=uuid.uuid4().hex,
                                          type=uuid.uuid4().hex)
     self.credential_api.create_credential(credential['id'], credential)
     return credential
Exemplo n.º 30
0
 def test_create_credential(self):
     """Call ``POST /credentials``."""
     ref = unit.new_credential_ref(user_id=self.user["id"])
     r = self.post("/credentials", body={"credential": ref})
     self.assertValidCredentialResponse(r, ref)
Exemplo n.º 31
0
 def new_credential_ref(self, user_id, project_id=None, cred_type=None):
     return unit.new_credential_ref(user_id, project_id=project_id,
                                    cred_type=cred_type)
Exemplo n.º 32
0
 def test_create_credential(self):
     """Call ``POST /credentials``."""
     ref = unit.new_credential_ref(user_id=self.user['id'])
     r = self.post('/credentials', body={'credential': ref})
     self.assertValidCredentialResponse(r, ref)