def test_group_to_role_sync_is_performed_on_successful_auth_no_groups_returned( self): # Enable group sync cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) user_db = self.users['user_1'] h = handlers.StandaloneAuthHandler() request = {} # Verify initial state role_dbs = rbac_service.get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) self.assertEqual(role_dbs[1], self.roles['mock_local_role_2']) # No groups configured should return early h._auth_backend.groups = [] token = h.handle_auth(request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token.user, 'auser') # Verify nothing has changed role_dbs = rbac_service.get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) self.assertEqual(role_dbs[1], self.roles['mock_local_role_2'])
def test_group_to_role_sync_is_performed_on_successful_auth_single_group_no_mappings(self): # Enable group sync cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) user_db = self.users['user_1'] h = handlers.StandaloneAuthHandler() request = {} # Verify initial state role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) self.assertEqual(role_dbs[1], self.roles['mock_local_role_2']) # Single group configured but no group mapping in the database h._auth_backend.groups = [ 'CN=stormers,OU=groups,DC=stackstorm,DC=net' ] token = h.handle_auth(request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token.user, 'auser') # Verify nothing has changed role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) self.assertEqual(role_dbs[1], self.roles['mock_local_role_2'])
def test_group_to_role_sync_concurrent_auth(self): # Verify that there is no race and group sync during concurrent auth works fine # Enable group sync cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) h = handlers.StandaloneAuthHandler() request = {} def handle_auth(): token = h.handle_auth(request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token.user, 'auser') thread_pool = eventlet.GreenPool(20) for i in range(0, 20): thread_pool.spawn(handle_auth) thread_pool.waitall()
def test_standalone_handler(self): h = handlers.StandaloneAuthHandler() request = {} token = h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token.user, 'auser')
def test_standalone_bad_auth_value(self): h = handlers.StandaloneAuthHandler() request = {} with self.assertRaises(exc.HTTPUnauthorized): h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', 'gobblegobble'))
def test_standalone_no_auth(self): h = handlers.StandaloneAuthHandler() request = {} with self.assertRaises(exc.HTTPUnauthorized): h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=None)
def test_standalone_bad_auth_type(self): h = handlers.StandaloneAuthHandler() request = {} with self.assertRaises(exc.HTTPUnauthorized): h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=('complex', DUMMY_CREDS))
def test_password_contains_colon(self): h = handlers.StandaloneAuthHandler() request = MockRequest(60) authorization = ('Basic', base64.b64encode(b'username:password:password')) token = h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=authorization) self.assertEqual(token.user, 'username')
def test_standalone_impersonate_user_no_origin(self): h = handlers.StandaloneAuthHandler() request = MockRequest(60) request.impersonate_user = '******' with self.assertRaises(exc.HTTPBadRequest): h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS))
def test_standalone_for_user_service(self): h = handlers.StandaloneAuthHandler() request = MockRequest(60) request.user = '******' token = h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token.user, 'anotheruser')
def test_standalone_for_user_not_found(self): h = handlers.StandaloneAuthHandler() request = MockRequest(60) request.user = '******' with self.assertRaises(webob.exc.HTTPBadRequest): h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS))
def test_standalone_impersonate_user_with_nick_origin(self): h = handlers.StandaloneAuthHandler() request = MockRequest(60) request.impersonate_user = '******' request.nickname_origin = 'slack' token = h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token.user, 'anotheruser')
def test_standalone_handler_ttl(self): h = handlers.StandaloneAuthHandler() token1 = h.handle_auth( MockRequest(23), headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) token2 = h.handle_auth( MockRequest(2300), headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token1.user, 'auser') self.assertNotEqual(token1.expiry, token2.expiry)
def test_standalone_for_user_not_service(self): h = handlers.StandaloneAuthHandler() request = MockRequest(60) request.user = "******" with self.assertRaises(exc.HTTPBadRequest): h.handle_auth( request, headers={}, remote_addr=None, remote_user=None, authorization=("basic", DUMMY_CREDS), )
def test_group_to_role_sync_error_non_fatal_on_succesful_auth(self): # Enable group sync cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) h = handlers.StandaloneAuthHandler() request = {} h._auth_backend.groups = [ 'CN=stormers,OU=groups,DC=stackstorm,DC=net' ] # sync() method called upon successful authentication throwing should not be fatal token = h.handle_auth(request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token.user, 'auser')
def test_group_to_role_sync_is_performed_on_successful_auth_with_groups_and_mappings( self): # Enable group sync cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True) user_db = self.users['user_1'] h = handlers.StandaloneAuthHandler() request = {} # Single mapping, new remote assignment should be created create_group_to_role_map( group='CN=stormers,OU=groups,DC=stackstorm,DC=net', roles=['mock_role_3', 'mock_role_4'], source='mappings/stormers.yaml') # Verify initial state role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 2) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) self.assertEqual(role_dbs[1], self.roles['mock_local_role_2']) h._auth_backend.groups = ['CN=stormers,OU=groups,DC=stackstorm,DC=net'] token = h.handle_auth(request, headers={}, remote_addr=None, remote_user=None, authorization=('basic', DUMMY_CREDS)) self.assertEqual(token.user, 'auser') # Verify a new role assignments based on the group mapping has been created role_dbs = get_roles_for_user(user_db=user_db, include_remote=True) self.assertEqual(len(role_dbs), 4) self.assertEqual(role_dbs[0], self.roles['mock_local_role_1']) self.assertEqual(role_dbs[1], self.roles['mock_local_role_2']) self.assertEqual(role_dbs[2], self.roles['mock_role_3']) self.assertEqual(role_dbs[3], self.roles['mock_role_4'])