Пример #1
0
    def test_list_head_groups_for_user(self):
        """Call ``GET & HEAD /users/{user_id}/groups``."""
        user1 = unit.create_user(self.identity_api, domain_id=self.domain["id"])
        user2 = unit.create_user(self.identity_api, domain_id=self.domain["id"])

        self.put("/groups/%(group_id)s/users/%(user_id)s" % {"group_id": self.group_id, "user_id": user1["id"]})

        # Scenarios below are written to test the default policy configuration

        # One should be allowed to list one's own groups
        auth = self.build_authentication_request(user_id=user1["id"], password=user1["password"])
        resource_url = "/users/%(user_id)s/groups" % {"user_id": user1["id"]}
        r = self.get(resource_url, auth=auth)
        self.assertValidGroupListResponse(r, ref=self.group, resource_url=resource_url)
        self.head(resource_url, auth=auth, expected_status=http_client.OK)

        # Administrator is allowed to list others' groups
        resource_url = "/users/%(user_id)s/groups" % {"user_id": user1["id"]}
        r = self.get(resource_url)
        self.assertValidGroupListResponse(r, ref=self.group, resource_url=resource_url)
        self.head(resource_url, expected_status=http_client.OK)

        # Ordinary users should not be allowed to list other's groups
        auth = self.build_authentication_request(user_id=user2["id"], password=user2["password"])
        resource_url = "/users/%(user_id)s/groups" % {"user_id": user1["id"]}
        self.get(resource_url, auth=auth, expected_status=exception.ForbiddenAction.code)
        self.head(resource_url, auth=auth, expected_status=exception.ForbiddenAction.code)
    def setUp(self):
        super(SecurityRequirementsTestCase, self).setUp()

        # Create a user in the default domain
        self.non_admin_user = unit.create_user(self.identity_api,
                                               CONF.identity.default_domain_id)

        # Create an admin in the default domain
        self.admin_user = unit.create_user(self.identity_api,
                                           CONF.identity.default_domain_id)

        # Create a project in the default domain and a non-admin role
        self.project = unit.new_project_ref(
            domain_id=CONF.identity.default_domain_id)
        self.resource_api.create_project(self.project['id'], self.project)
        self.non_admin_role = unit.new_role_ref(name='not_admin')
        self.role_api.create_role(self.non_admin_role['id'],
                                  self.non_admin_role)

        # Give the non-admin user a role on the project
        self.assignment_api.add_role_to_user_and_project(
            self.non_admin_user['id'], self.project['id'], self.role['id'])

        # Give the user the admin role on the project, which is technically
        # `self.role` because RestfulTestCase sets that up for us.
        self.assignment_api.add_role_to_user_and_project(
            self.admin_user['id'], self.project['id'], self.role_id)
Пример #3
0
    def load_sample_data(self):
        self._populate_default_domain()
        self.domain = unit.new_domain_ref()
        self.domain_id = self.domain['id']
        self.resource_api.create_domain(self.domain_id, self.domain)

        self.project = unit.new_project_ref(domain_id=self.domain_id)
        self.project_id = self.project['id']
        self.resource_api.create_project(self.project_id, self.project)

        self.user = unit.create_user(self.identity_api,
                                     domain_id=self.domain_id)
        self.user_id = self.user['id']

        self.default_domain_project_id = uuid.uuid4().hex
        self.default_domain_project = unit.new_project_ref(
            domain_id=DEFAULT_DOMAIN_ID)
        self.default_domain_project['id'] = self.default_domain_project_id
        self.resource_api.create_project(self.default_domain_project_id,
                                         self.default_domain_project)

        self.default_domain_user = unit.create_user(
            self.identity_api,
            domain_id=DEFAULT_DOMAIN_ID)
        self.default_domain_user_id = self.default_domain_user['id']

        # create & grant policy.json's default role for admin_required
        self.role = unit.new_role_ref(name='admin')
        self.role_id = self.role['id']
        self.role_api.create_role(self.role_id, self.role)
        self.assignment_api.add_role_to_user_and_project(
            self.user_id, self.project_id, self.role_id)
        self.assignment_api.add_role_to_user_and_project(
            self.default_domain_user_id, self.default_domain_project_id,
            self.role_id)
        self.assignment_api.add_role_to_user_and_project(
            self.default_domain_user_id, self.project_id,
            self.role_id)

        self.region = unit.new_region_ref()
        self.region_id = self.region['id']
        self.catalog_api.create_region(self.region)

        self.service = unit.new_service_ref()
        self.service_id = self.service['id']
        self.catalog_api.create_service(self.service_id, self.service.copy())

        self.endpoint = unit.new_endpoint_ref(service_id=self.service_id,
                                              interface='public',
                                              region_id=self.region_id)
        self.endpoint_id = self.endpoint['id']
        self.catalog_api.create_endpoint(self.endpoint_id,
                                         self.endpoint.copy())
        # The server adds 'enabled' and defaults to True.
        self.endpoint['enabled'] = True
Пример #4
0
    def test_list_groups_for_user_filtered(self):
        domain = self._get_domain_fixture()
        test_groups = []
        test_users = []
        GROUP_COUNT = 3
        USER_COUNT = 2

        positive_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
        negative_user = unit.create_user(PROVIDERS.identity_api, domain['id'])

        for x in range(0, USER_COUNT):
            group_refs = PROVIDERS.identity_api.list_groups_for_user(
                test_users[x]['id'])
            self.assertEqual(0, len(group_refs))

        for x in range(0, GROUP_COUNT):
            new_group = unit.new_group_ref(domain_id=domain['id'])
            new_group = PROVIDERS.identity_api.create_group(new_group)
            test_groups.append(new_group)

            group_refs = PROVIDERS.identity_api.list_groups_for_user(
                positive_user['id'])
            self.assertEqual(x, len(group_refs))

            PROVIDERS.identity_api.add_user_to_group(
                positive_user['id'],
                new_group['id'])
            group_refs = PROVIDERS.identity_api.list_groups_for_user(
                positive_user['id'])
            self.assertEqual(x + 1, len(group_refs))

            group_refs = PROVIDERS.identity_api.list_groups_for_user(
                negative_user['id'])
            self.assertEqual(0, len(group_refs))

        driver = PROVIDERS.identity_api._select_identity_driver(
            CONF.identity.default_domain_id)
        driver.group.ldap_filter = '(dn=xx)'

        group_refs = PROVIDERS.identity_api.list_groups_for_user(
            positive_user['id'])
        self.assertEqual(0, len(group_refs))
        group_refs = PROVIDERS.identity_api.list_groups_for_user(
            negative_user['id'])
        self.assertEqual(0, len(group_refs))

        driver.group.ldap_filter = '(objectclass=*)'

        group_refs = PROVIDERS.identity_api.list_groups_for_user(
            positive_user['id'])
        self.assertEqual(GROUP_COUNT, len(group_refs))
        group_refs = PROVIDERS.identity_api.list_groups_for_user(
            negative_user['id'])
        self.assertEqual(0, len(group_refs))
Пример #5
0
    def test_list_groups_for_user_filtered(self):
        domain = self._get_domain_fixture()
        test_groups = []
        test_users = []
        GROUP_COUNT = 3
        USER_COUNT = 2

        positive_user = unit.create_user(self.identity_api, domain['id'])
        negative_user = unit.create_user(self.identity_api, domain['id'])

        for x in range(0, USER_COUNT):
            group_refs = self.identity_api.list_groups_for_user(
                test_users[x]['id'])
            self.assertEqual(0, len(group_refs))

        for x in range(0, GROUP_COUNT):
            new_group = unit.new_group_ref(domain_id=domain['id'])
            new_group = self.identity_api.create_group(new_group)
            test_groups.append(new_group)

            group_refs = self.identity_api.list_groups_for_user(
                positive_user['id'])
            self.assertEqual(x, len(group_refs))

            self.identity_api.add_user_to_group(
                positive_user['id'],
                new_group['id'])
            group_refs = self.identity_api.list_groups_for_user(
                positive_user['id'])
            self.assertEqual(x + 1, len(group_refs))

            group_refs = self.identity_api.list_groups_for_user(
                negative_user['id'])
            self.assertEqual(0, len(group_refs))

        driver = self.identity_api._select_identity_driver(
            CONF.identity.default_domain_id)
        driver.group.ldap_filter = '(dn=xx)'

        group_refs = self.identity_api.list_groups_for_user(
            positive_user['id'])
        self.assertEqual(0, len(group_refs))
        group_refs = self.identity_api.list_groups_for_user(
            negative_user['id'])
        self.assertEqual(0, len(group_refs))

        driver.group.ldap_filter = '(objectclass=*)'

        group_refs = self.identity_api.list_groups_for_user(
            positive_user['id'])
        self.assertEqual(GROUP_COUNT, len(group_refs))
        group_refs = self.identity_api.list_groups_for_user(
            negative_user['id'])
        self.assertEqual(0, len(group_refs))
Пример #6
0
    def test_can_get_security_compliance_config_with_user_from_other_domain(self):  # noqa: E501
        domain = unit.new_domain_ref()
        PROVIDERS.resource_api.create_domain(domain['id'], domain)

        # Create a user in the new domain
        user = unit.create_user(PROVIDERS.identity_api, domain['id'])

        # Create a project in the new domain
        project = unit.new_project_ref(domain_id=domain['id'])
        PROVIDERS.resource_api.create_project(project['id'], project)

        role = unit.new_role_ref()
        PROVIDERS.role_api.create_role(role['id'], role)

        # Give the new user a non-admin role on the project
        PROVIDERS.assignment_api.add_role_to_user_and_project(
            user['id'],
            project['id'],
            role['id']
        )
        password_regex = uuid.uuid4().hex
        password_regex_description = uuid.uuid4().hex
        group = 'security_compliance'
        self.config_fixture.config(
            group=group,
            password_regex=password_regex
        )
        self.config_fixture.config(
            group=group,
            password_regex_description=password_regex_description
        )
        with self.test_client() as c:
            c.get('/v3/domains/%s/config/security_compliance'
                  % CONF.identity.default_domain_id, headers=self.headers)
Пример #7
0
    def test_token_revoked_once_domain_disabled(self):
        """Test token from a disabled domain has been invalidated.

        Test that a token that was valid for an enabled domain
        becomes invalid once that domain is disabled.

        """
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain["id"], domain)

        user2 = unit.create_user(self.identity_api, domain_id=domain["id"])

        # build a request body
        auth_body = self.build_authentication_request(user_id=user2["id"], password=user2["password"])

        # sends a request for the user's token
        token_resp = self.post("/auth/tokens", body=auth_body)

        subject_token = token_resp.headers.get("x-subject-token")

        # validates the returned token and it should be valid.
        self.head("/auth/tokens", headers={"x-subject-token": subject_token}, expected_status=http_client.OK)

        # now disable the domain
        domain["enabled"] = False
        url = "/domains/%(domain_id)s" % {"domain_id": domain["id"]}
        self.patch(url, body={"domain": {"enabled": False}})

        # validates the same token again and it should be 'not found'
        # as the domain has already been disabled.
        self.head("/auth/tokens", headers={"x-subject-token": subject_token}, expected_status=http_client.NOT_FOUND)
Пример #8
0
 def test_update_user_with_invalid_password(self):
     user = unit.create_user(PROVIDERS.identity_api,
                             domain_id=self.domain['id'])
     user['password'] = '******'
     self.patch('/users/%(user_id)s' % {'user_id': user['id']},
                body={'user': user},
                expected_status=http_client.BAD_REQUEST)
Пример #9
0
    def test_update_credential_non_owner(self):
        """Call ``PATCH /credentials/{credential_id}``."""
        alt_user = unit.create_user(PROVIDERS.identity_api,
                                    domain_id=self.domain_id)
        alt_user_id = alt_user['id']
        alt_project = unit.new_project_ref(domain_id=self.domain_id)
        alt_project_id = alt_project['id']
        PROVIDERS.resource_api.create_project(alt_project['id'], alt_project)
        alt_role = unit.new_role_ref(name='reader')
        alt_role_id = alt_role['id']
        PROVIDERS.role_api.create_role(alt_role_id, alt_role)
        PROVIDERS.assignment_api.add_role_to_user_and_project(
            alt_user_id, alt_project_id, alt_role_id)
        auth = self.build_authentication_request(user_id=alt_user_id,
                                                 password=alt_user['password'],
                                                 project_id=alt_project_id)
        ref = unit.new_credential_ref(user_id=alt_user_id,
                                      project_id=alt_project_id)
        r = self.post('/credentials', auth=auth, body={'credential': ref})
        self.assertValidCredentialResponse(r, ref)
        credential_id = r.result.get('credential')['id']

        # Cannot change the credential to be owned by another user
        update_ref = {'user_id': self.user_id, 'project_id': self.project_id}
        self.patch('/credentials/%(credential_id)s' %
                   {'credential_id': credential_id},
                   expected_status=403,
                   auth=auth,
                   body={'credential': update_ref})
Пример #10
0
    def test_can_handle_missing_certs(self):
        controller = token.controllers.Auth()

        self.config_fixture.config(group="signing", certfile="invalid")
        user = unit.create_user(self.identity_api, domain_id=CONF.identity.default_domain_id)
        body_dict = {"passwordCredentials": {"userId": user["id"], "password": user["password"]}}
        self.assertRaises(exception.UnexpectedError, controller.authenticate, self.make_request(), body_dict)
Пример #11
0
    def test_admin_password_reset(self):
        # bootstrap a user as admin
        user_ref = unit.create_user(self.identity_api,
                                    domain_id=self.domain['id'])

        # auth as user should work before a password change
        old_password_auth = self.build_authentication_request(
            user_id=user_ref['id'],
            password=user_ref['password'])
        r = self.v3_create_token(old_password_auth)
        old_token = r.headers.get('X-Subject-Token')

        # auth as user with a token should work before a password change
        old_token_auth = self.build_authentication_request(token=old_token)
        self.v3_create_token(old_token_auth)

        # administrative password reset
        new_password = uuid.uuid4().hex
        self.patch('/users/%s' % user_ref['id'],
                   body={'user': {'password': new_password}})

        # auth as user with original password should not work after change
        self.v3_create_token(old_password_auth,
                             expected_status=http_client.UNAUTHORIZED)

        # auth as user with an old token should not work after change
        self.v3_create_token(old_token_auth,
                             expected_status=http_client.NOT_FOUND)

        # new password should work
        new_password_auth = self.build_authentication_request(
            user_id=user_ref['id'],
            password=new_password)
        self.v3_create_token(new_password_auth)
 def test_create_application_credential_wrong_user(self):
     wrong_user = unit.create_user(PROVIDERS.identity_api,
                                   test_v3.DEFAULT_DOMAIN_ID)
     roles = [{'id': self.role_id}]
     app_cred_body = self._app_cred_body(roles=roles)
     self.post('/users/%s/application_credentials' % wrong_user['id'],
               body=app_cred_body,
               expected_status=http_client.FORBIDDEN)
Пример #13
0
 def test_create_application_credential_wrong_user(self):
     wrong_user = unit.create_user(PROVIDERS.identity_api,
                                   test_v3.DEFAULT_DOMAIN_ID)
     roles = [{'id': self.role_id}]
     app_cred_body = self._app_cred_body(roles=roles)
     self.post('/users/%s/application_credentials' % wrong_user['id'],
               body=app_cred_body,
               expected_status=http_client.FORBIDDEN)
Пример #14
0
 def test_update_user_with_invalid_password(self):
     user = unit.create_user(self.identity_api,
                             domain_id=self.domain['id'])
     user['password'] = '******'
     self.patch('/users/%(user_id)s' % {
         'user_id': user['id']},
         body={'user': user},
         expected_status=http_client.BAD_REQUEST)
Пример #15
0
    def test_list_users_with_multiple_backends(self):
        """Call ``GET /users`` when multiple backends is enabled.

        In this scenario, the controller requires a domain to be specified
        either as a filter or by using a domain scoped token.

        """
        self.config_fixture.config(group='identity',
                                   domain_specific_drivers_enabled=True)

        # Create a new domain with a new project and user
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain['id'], domain)

        project = unit.new_project_ref(domain_id=domain['id'])
        self.resource_api.create_project(project['id'], project)

        user = unit.create_user(self.identity_api, domain_id=domain['id'])

        # Create both project and domain role grants for the user so we
        # can get both project and domain scoped tokens
        self.assignment_api.create_grant(role_id=self.role_id,
                                         user_id=user['id'],
                                         domain_id=domain['id'])
        self.assignment_api.create_grant(role_id=self.role_id,
                                         user_id=user['id'],
                                         project_id=project['id'])

        dom_auth = self.build_authentication_request(user_id=user['id'],
                                                     password=user['password'],
                                                     domain_id=domain['id'])
        project_auth = self.build_authentication_request(
            user_id=user['id'],
            password=user['password'],
            project_id=project['id'])

        # First try using a domain scoped token
        resource_url = '/users'
        r = self.get(resource_url, auth=dom_auth)
        self.assertValidUserListResponse(r,
                                         ref=user,
                                         resource_url=resource_url)

        # Now try using a project scoped token
        resource_url = '/users'
        r = self.get(resource_url, auth=project_auth)
        self.assertValidUserListResponse(r,
                                         ref=user,
                                         resource_url=resource_url)

        # Now try with an explicit filter
        resource_url = ('/users?domain_id=%(domain_id)s' % {
            'domain_id': domain['id']
        })
        r = self.get(resource_url)
        self.assertValidUserListResponse(r,
                                         ref=user,
                                         resource_url=resource_url)
Пример #16
0
    def load_sample_data(self):
        """Create sample data for these tests.

        As well as the usual housekeeping, create a set of domains,
        users, roles and projects for the subsequent tests:

        - Three domains: A,B & C.  C is disabled.
        - DomainA has user1, DomainB has user2 and user3
        - DomainA has group1 and group2, DomainB has group3
        - User1 has a role on DomainA

        Remember that there will also be a fourth domain in existence,
        the default domain.

        """
        # Start by creating a few domains
        self._populate_default_domain()
        self.domainA = unit.new_domain_ref()
        PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
        self.domainB = unit.new_domain_ref()
        PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
        self.domainC = unit.new_domain_ref()
        self.domainC['enabled'] = False
        PROVIDERS.resource_api.create_domain(self.domainC['id'], self.domainC)

        # Now create some users, one in domainA and two of them in domainB
        self.user1 = unit.create_user(PROVIDERS.identity_api,
                                      domain_id=self.domainA['id'])
        self.user2 = unit.create_user(PROVIDERS.identity_api,
                                      domain_id=self.domainB['id'])
        self.user3 = unit.create_user(PROVIDERS.identity_api,
                                      domain_id=self.domainB['id'])

        self.role = unit.new_role_ref()
        PROVIDERS.role_api.create_role(self.role['id'], self.role)
        PROVIDERS.assignment_api.create_grant(
            self.role['id'], user_id=self.user1['id'],
            domain_id=self.domainA['id']
        )

        # A default auth request we can use - un-scoped user token
        self.auth = self.build_authentication_request(
            user_id=self.user1['id'],
            password=self.user1['password'])
    def test_get_security_compliance_config_with_user_from_other_domain(self):
        """Make sure users from other domains can access password requirements.

        Even though a user is in a separate domain, they should be able to see
        the security requirements for the deployment. This is because security
        compliance is not yet implemented on a per domain basis. Once that
        happens, then this should no longer be possible since a user should
        only care about the security compliance requirements for the domain
        that they are in.
        """
        # Make a new domain
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain['id'], domain)

        # Create a user in the new domain
        user = unit.create_user(self.identity_api, domain['id'])

        # Create a project in the new domain
        project = unit.new_project_ref(domain_id=domain['id'])
        self.resource_api.create_project(project['id'], project)

        # Give the new user a non-admin role on the project
        self.assignment_api.add_role_to_user_and_project(
            user['id'], project['id'], self.non_admin_role['id'])

        # Set our security compliance config values, we do this after we've
        # created our test user otherwise password validation will fail with a
        # uuid type regex.
        password_regex = uuid.uuid4().hex
        password_regex_description = uuid.uuid4().hex
        group = 'security_compliance'
        self.config_fixture.config(group=group, password_regex=password_regex)
        self.config_fixture.config(
            group=group, password_regex_description=password_regex_description)

        # Get a token for the newly created user scoped to the project in the
        # non-default domain and use it to get the password security
        # requirements.
        user_token = self.build_authentication_request(
            user_id=user['id'],
            password=user['password'],
            project_id=project['id'])
        user_token = self.get_requested_token(user_token)
        url = ('/domains/%(domain_id)s/config/%(group)s' % {
            'domain_id': CONF.identity.default_domain_id,
            'group': group,
        })
        response = self.get(url, token=user_token)
        self.assertEqual(response.result['config'][group]['password_regex'],
                         password_regex)
        self.assertEqual(
            response.result['config'][group]['password_regex_description'],
            password_regex_description)

        # Ensure HEAD requests behave the same way
        self.head(url, token=user_token, expected_status=http_client.OK)
Пример #18
0
    def _create_user_and_authenticate(self, password):
        user = unit.create_user(PROVIDERS.identity_api,
                                CONF.identity.default_domain_id,
                                password=password)

        with self.make_request():
            PROVIDERS.identity_api.authenticate(user_id=user['id'],
                                                password=password)

        return PROVIDERS.identity_api.get_user(user['id'])
Пример #19
0
    def load_sample_data(self):
        """Create sample data for these tests.

        As well as the usual housekeeping, create a set of domains,
        users, roles and projects for the subsequent tests:

        - Three domains: A,B & C.  C is disabled.
        - DomainA has user1, DomainB has user2 and user3
        - DomainA has group1 and group2, DomainB has group3
        - User1 has a role on DomainA

        Remember that there will also be a fourth domain in existence,
        the default domain.

        """
        # Start by creating a few domains
        self._populate_default_domain()
        self.domainA = unit.new_domain_ref()
        self.resource_api.create_domain(self.domainA['id'], self.domainA)
        self.domainB = unit.new_domain_ref()
        self.resource_api.create_domain(self.domainB['id'], self.domainB)
        self.domainC = unit.new_domain_ref()
        self.domainC['enabled'] = False
        self.resource_api.create_domain(self.domainC['id'], self.domainC)

        # Now create some users, one in domainA and two of them in domainB
        self.user1 = unit.create_user(self.identity_api,
                                      domain_id=self.domainA['id'])
        self.user2 = unit.create_user(self.identity_api,
                                      domain_id=self.domainB['id'])
        self.user3 = unit.create_user(self.identity_api,
                                      domain_id=self.domainB['id'])

        self.role = unit.new_role_ref()
        self.role_api.create_role(self.role['id'], self.role)
        self.assignment_api.create_grant(self.role['id'],
                                         user_id=self.user1['id'],
                                         domain_id=self.domainA['id'])

        # A default auth request we can use - un-scoped user token
        self.auth = self.build_authentication_request(
            user_id=self.user1['id'],
            password=self.user1['password'])
Пример #20
0
    def test_list_users_with_multiple_backends(self):
        """Call ``GET /users`` when multiple backends is enabled.

        In this scenario, the controller requires a domain to be specified
        either as a filter or by using a domain scoped token.

        """
        self.config_fixture.config(group='identity',
                                   domain_specific_drivers_enabled=True)

        # Create a new domain with a new project and user
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain['id'], domain)

        project = unit.new_project_ref(domain_id=domain['id'])
        self.resource_api.create_project(project['id'], project)

        user = unit.create_user(self.identity_api, domain_id=domain['id'])

        # Create both project and domain role grants for the user so we
        # can get both project and domain scoped tokens
        self.assignment_api.create_grant(
            role_id=self.role_id, user_id=user['id'],
            domain_id=domain['id'])
        self.assignment_api.create_grant(
            role_id=self.role_id, user_id=user['id'],
            project_id=project['id'])

        dom_auth = self.build_authentication_request(
            user_id=user['id'],
            password=user['password'],
            domain_id=domain['id'])
        project_auth = self.build_authentication_request(
            user_id=user['id'],
            password=user['password'],
            project_id=project['id'])

        # First try using a domain scoped token
        resource_url = '/users'
        r = self.get(resource_url, auth=dom_auth)
        self.assertValidUserListResponse(r, ref=user,
                                         resource_url=resource_url)

        # Now try using a project scoped token
        resource_url = '/users'
        r = self.get(resource_url, auth=project_auth)
        self.assertValidUserListResponse(r, ref=user,
                                         resource_url=resource_url)

        # Now try with an explicit filter
        resource_url = ('/users?domain_id=%(domain_id)s' %
                        {'domain_id': domain['id']})
        r = self.get(resource_url)
        self.assertValidUserListResponse(r, ref=user,
                                         resource_url=resource_url)
Пример #21
0
    def test_list_head_groups_for_user(self):
        """Call ``GET & HEAD /users/{user_id}/groups``."""
        user1 = unit.create_user(self.identity_api,
                                 domain_id=self.domain['id'])
        user2 = unit.create_user(self.identity_api,
                                 domain_id=self.domain['id'])

        self.put('/groups/%(group_id)s/users/%(user_id)s' % {
            'group_id': self.group_id,
            'user_id': user1['id']
        })

        # Scenarios below are written to test the default policy configuration

        # One should be allowed to list one's own groups
        auth = self.build_authentication_request(user_id=user1['id'],
                                                 password=user1['password'])
        resource_url = ('/users/%(user_id)s/groups' % {'user_id': user1['id']})
        r = self.get(resource_url, auth=auth)
        self.assertValidGroupListResponse(r,
                                          ref=self.group,
                                          resource_url=resource_url)
        self.head(resource_url, auth=auth, expected_status=http_client.OK)

        # Administrator is allowed to list others' groups
        resource_url = ('/users/%(user_id)s/groups' % {'user_id': user1['id']})
        r = self.get(resource_url)
        self.assertValidGroupListResponse(r,
                                          ref=self.group,
                                          resource_url=resource_url)
        self.head(resource_url, expected_status=http_client.OK)

        # Ordinary users should not be allowed to list other's groups
        auth = self.build_authentication_request(user_id=user2['id'],
                                                 password=user2['password'])
        resource_url = '/users/%(user_id)s/groups' % {'user_id': user1['id']}
        self.get(resource_url,
                 auth=auth,
                 expected_status=exception.ForbiddenAction.code)
        self.head(resource_url,
                  auth=auth,
                  expected_status=exception.ForbiddenAction.code)
Пример #22
0
 def test_create_application_credential_wrong_user(self):
     wrong_user = unit.create_user(PROVIDERS.identity_api,
                                   test_v3.DEFAULT_DOMAIN_ID)
     with self.test_client() as c:
         roles = [{'id': self.role_id}]
         app_cred_body = self._app_cred_body(roles=roles)
         token = self.get_scoped_token()
         c.post('/v3/users/%s/application_credentials' % wrong_user['id'],
                json=app_cred_body,
                expected_status_code=http.client.FORBIDDEN,
                headers={'X-Auth-Token': token})
 def test_create_application_credential_wrong_user(self):
     wrong_user = unit.create_user(PROVIDERS.identity_api,
                                   test_v3.DEFAULT_DOMAIN_ID)
     with self.test_client() as c:
         roles = [{'id': self.role_id}]
         app_cred_body = self._app_cred_body(roles=roles)
         token = self.get_scoped_token()
         c.post('/v3/users/%s/application_credentials' % wrong_user['id'],
                json=app_cred_body,
                expected_status_code=http_client.FORBIDDEN,
                headers={'X-Auth-Token': token})
    def _create_user_and_authenticate(self, password):
        user = unit.create_user(PROVIDERS.identity_api,
                                CONF.identity.default_domain_id,
                                password=password)

        PROVIDERS.identity_api.authenticate(
            self.make_request(),
            user_id=user['id'],
            password=password)

        return PROVIDERS.identity_api.get_user(user['id'])
Пример #25
0
    def test_disable_domain(self):
        """Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
        # Create a 2nd set of entities in a 2nd domain
        domain2 = unit.new_domain_ref()
        self.resource_api.create_domain(domain2["id"], domain2)

        project2 = unit.new_project_ref(domain_id=domain2["id"])
        self.resource_api.create_project(project2["id"], project2)

        user2 = unit.create_user(self.identity_api, domain_id=domain2["id"], project_id=project2["id"])

        self.assignment_api.add_user_to_project(project2["id"], user2["id"])

        # First check a user in that domain can authenticate. The v2 user
        # cannot authenticate because they exist outside the default domain.
        body = {
            "auth": {
                "passwordCredentials": {"userId": user2["id"], "password": user2["password"]},
                "tenantId": project2["id"],
            }
        }
        self.admin_request(path="/v2.0/tokens", method="POST", body=body, expected_status=http_client.UNAUTHORIZED)

        auth_data = self.build_authentication_request(
            user_id=user2["id"], password=user2["password"], project_id=project2["id"]
        )
        self.v3_create_token(auth_data)

        # Now disable the domain
        domain2["enabled"] = False
        r = self.patch("/domains/%(domain_id)s" % {"domain_id": domain2["id"]}, body={"domain": {"enabled": False}})
        self.assertValidDomainResponse(r, domain2)

        # Make sure the user can no longer authenticate, via
        # either API
        body = {
            "auth": {
                "passwordCredentials": {"userId": user2["id"], "password": user2["password"]},
                "tenantId": project2["id"],
            }
        }
        self.admin_request(path="/v2.0/tokens", method="POST", body=body, expected_status=http_client.UNAUTHORIZED)

        # Try looking up in v3 by name and id
        auth_data = self.build_authentication_request(
            user_id=user2["id"], password=user2["password"], project_id=project2["id"]
        )
        self.v3_create_token(auth_data, expected_status=http_client.UNAUTHORIZED)

        auth_data = self.build_authentication_request(
            username=user2["name"], user_domain_id=domain2["id"], password=user2["password"], project_id=project2["id"]
        )
        self.v3_create_token(auth_data, expected_status=http_client.UNAUTHORIZED)
Пример #26
0
    def setUp(self):
        super(SecurityRequirementsTestCase, self).setUp()

        # Create a user in the default domain
        self.non_admin_user = unit.create_user(
            self.identity_api,
            CONF.identity.default_domain_id
        )

        # Create an admin in the default domain
        self.admin_user = unit.create_user(
            self.identity_api,
            CONF.identity.default_domain_id
        )

        # Create a project in the default domain and a non-admin role
        self.project = unit.new_project_ref(
            domain_id=CONF.identity.default_domain_id
        )
        self.resource_api.create_project(self.project['id'], self.project)
        self.non_admin_role = unit.new_role_ref(name='not_admin')
        self.role_api.create_role(
            self.non_admin_role['id'],
            self.non_admin_role
        )

        # Give the non-admin user a role on the project
        self.assignment_api.add_role_to_user_and_project(
            self.non_admin_user['id'],
            self.project['id'],
            self.role['id']
        )

        # Give the user the admin role on the project, which is technically
        # `self.role` because RestfulTestCase sets that up for us.
        self.assignment_api.add_role_to_user_and_project(
            self.admin_user['id'],
            self.project['id'],
            self.role_id
        )
Пример #27
0
    def test_can_handle_missing_certs(self):
        controller = token.controllers.Auth()

        self.config_fixture.config(group='signing', certfile='invalid')
        user = unit.create_user(self.identity_api, domain_id=DEFAULT_DOMAIN_ID)
        body_dict = {
            'passwordCredentials': {
                'userId': user['id'],
                'password': user['password'],
            },
        }
        self.assertRaises(exception.UnexpectedError, controller.authenticate,
                          {}, body_dict)
    def test_can_handle_missing_certs(self):
        controller = token.controllers.Auth()

        self.config_fixture.config(group='signing', certfile='invalid')
        user = unit.create_user(self.identity_api, domain_id=DEFAULT_DOMAIN_ID)
        body_dict = {
            'passwordCredentials': {
                'userId': user['id'],
                'password': user['password'],
            },
        }
        self.assertRaises(exception.UnexpectedError,
                          controller.authenticate,
                          {}, body_dict)
Пример #29
0
    def test_list_groups_for_user(self):
        """Call ``GET /users/{user_id}/groups``."""
        user1 = unit.create_user(self.identity_api,
                                 domain_id=self.domain['id'])
        user2 = unit.create_user(self.identity_api,
                                 domain_id=self.domain['id'])

        self.put('/groups/%(group_id)s/users/%(user_id)s' % {
            'group_id': self.group_id, 'user_id': user1['id']})

        # Scenarios below are written to test the default policy configuration

        # One should be allowed to list one's own groups
        auth = self.build_authentication_request(
            user_id=user1['id'],
            password=user1['password'])
        resource_url = ('/users/%(user_id)s/groups' %
                        {'user_id': user1['id']})
        r = self.get(resource_url, auth=auth)
        self.assertValidGroupListResponse(r, ref=self.group,
                                          resource_url=resource_url)

        # Administrator is allowed to list others' groups
        resource_url = ('/users/%(user_id)s/groups' %
                        {'user_id': user1['id']})
        r = self.get(resource_url)
        self.assertValidGroupListResponse(r, ref=self.group,
                                          resource_url=resource_url)

        # Ordinary users should not be allowed to list other's groups
        auth = self.build_authentication_request(
            user_id=user2['id'],
            password=user2['password'])
        r = self.get('/users/%(user_id)s/groups' % {
            'user_id': user1['id']}, auth=auth,
            expected_status=exception.ForbiddenAction.code)
Пример #30
0
    def test_create_user_without_domain(self):
        """Call ``POST /users`` without specifying domain.

        According to the identity-api specification, if you do not
        explicitly specific the domain_id in the entity, it should
        take the domain scope of the token as the domain_id.

        """
        # Create a user with a role on the domain so we can get a
        # domain scoped token
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain['id'], domain)
        user = unit.create_user(self.identity_api, domain_id=domain['id'])
        self.assignment_api.create_grant(
            role_id=self.role_id, user_id=user['id'],
            domain_id=domain['id'])

        ref = unit.new_user_ref(domain_id=domain['id'])
        ref_nd = ref.copy()
        ref_nd.pop('domain_id')
        auth = self.build_authentication_request(
            user_id=user['id'],
            password=user['password'],
            domain_id=domain['id'])
        r = self.post('/users', body={'user': ref_nd}, auth=auth)
        self.assertValidUserResponse(r, ref)

        # Now try the same thing without a domain token - which should fail
        ref = unit.new_user_ref(domain_id=domain['id'])
        ref_nd = ref.copy()
        ref_nd.pop('domain_id')
        auth = self.build_authentication_request(
            user_id=self.user['id'],
            password=self.user['password'],
            project_id=self.project['id'])

        # TODO(henry-nash): Due to bug #1283539 we currently automatically
        # use the default domain_id if a domain scoped token is not being
        # used. For now we just check that a deprecation warning has been
        # issued. Change the code below to expect a failure once this bug is
        # fixed.
        with mock.patch(
                'oslo_log.versionutils.report_deprecated_feature') as mock_dep:
            r = self.post('/users', body={'user': ref_nd}, auth=auth)
            self.assertTrue(mock_dep.called)

        ref['domain_id'] = CONF.identity.default_domain_id
        return self.assertValidUserResponse(r, ref)
Пример #31
0
    def test_update_password_not_logged(self):
        # When admin modifies user password, the password isn't logged at any
        # level.

        log_fix = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))

        # bootstrap a user as admin
        user_ref = unit.create_user(self.identity_api, domain_id=self.domain["id"])

        self.assertNotIn(user_ref["password"], log_fix.output)

        # administrative password reset
        new_password = uuid.uuid4().hex
        self.patch("/users/%s" % user_ref["id"], body={"user": {"password": new_password}})

        self.assertNotIn(new_password, log_fix.output)
Пример #32
0
    def test_trust_deleted_when_user_deleted(self):
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the trustee will delete the trust
        self.delete(
            '/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})

        self.get(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
            expected_status=http_client.NOT_FOUND)

        # create another user as the new trustee
        trustee_user = unit.create_user(self.identity_api,
                                        domain_id=self.domain_id)
        trustee_user_id = trustee_user['id']
        # create the trust again
        ref['trustee_user_id'] = trustee_user_id
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the trustor will delete the trust
        self.delete(
            '/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})

        # call the backend method directly to bypass authentication since the
        # user has been deleted.
        self.assertRaises(exception.TrustNotFound,
                          self.trust_api.get_trust,
                          trust['id'])
Пример #33
0
    def test_trust_deleted_when_user_deleted(self):
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        # list all trusts
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the trustee will delete the trust
        self.delete(
            '/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})

        self.get(
            '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
            expected_status=http_client.NOT_FOUND)

        # create another user as the new trustee
        trustee_user = unit.create_user(PROVIDERS.identity_api,
                                        domain_id=self.domain_id)
        trustee_user_id = trustee_user['id']
        # create the trust again
        ref['trustee_user_id'] = trustee_user_id
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)
        r = self.get('/OS-TRUST/trusts')
        self.assertEqual(1, len(r.result['trusts']))

        # delete the trustor will delete the trust
        self.delete(
            '/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})

        # call the backend method directly to bypass authentication since the
        # user has been deleted.
        self.assertRaises(exception.TrustNotFound,
                          PROVIDERS.trust_api.get_trust,
                          trust['id'])
Пример #34
0
    def test_list_users_with_multiple_backends(self):
        """Call ``GET /users`` when multiple backends is enabled.

        In this scenario, the controller requires a domain to be specified
        either as a filter or by using a domain scoped token.

        """
        self.config_fixture.config(group='identity',
                                   domain_specific_drivers_enabled=True)

        # Create a user with a role on the domain so we can get a
        # domain scoped token
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain['id'], domain)
        user = unit.create_user(self.identity_api, domain_id=domain['id'])
        self.assignment_api.create_grant(role_id=self.role_id,
                                         user_id=user['id'],
                                         domain_id=domain['id'])

        ref = unit.new_user_ref(domain_id=domain['id'])
        ref_nd = ref.copy()
        ref_nd.pop('domain_id')
        auth = self.build_authentication_request(user_id=user['id'],
                                                 password=user['password'],
                                                 domain_id=domain['id'])

        # First try using a domain scoped token
        resource_url = '/users'
        r = self.get(resource_url, auth=auth)
        self.assertValidUserListResponse(r,
                                         ref=user,
                                         resource_url=resource_url)

        # Now try with an explicit filter
        resource_url = ('/users?domain_id=%(domain_id)s' % {
            'domain_id': domain['id']
        })
        r = self.get(resource_url)
        self.assertValidUserListResponse(r,
                                         ref=user,
                                         resource_url=resource_url)

        # Now try the same thing without a domain token or filter,
        # which should fail
        r = self.get('/users', expected_status=exception.Unauthorized.code)
Пример #35
0
    def test_tls_certfile_demand_option(self):
        self.config_fixture.config(group='ldap',
                                   use_tls=True,
                                   tls_cacertdir=None,
                                   tls_req_cert='demand')
        self.identity_api = identity.backends.ldap.Identity()

        user = unit.create_user(self.identity_api, 'default',
                                name='fake1', password='******')
        user_ref = self.identity_api.get_user(user['id'])
        self.assertEqual(user['id'], user_ref['id'])

        user['password'] = '******'
        self.identity_api.update_user(user['id'], user)

        self.identity_api.delete_user(user['id'])
        self.assertRaises(exception.UserNotFound, self.identity_api.get_user,
                          user['id'])
Пример #36
0
    def test_update_password_not_logged(self):
        # When admin modifies user password, the password isn't logged at any
        # level.

        log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))

        # bootstrap a user as admin
        user_ref = unit.create_user(self.identity_api,
                                    domain_id=self.domain['id'])

        self.assertNotIn(user_ref['password'], log_fix.output)

        # administrative password reset
        new_password = uuid.uuid4().hex
        self.patch('/users/%s' % user_ref['id'],
                   body={'user': {'password': new_password}})

        self.assertNotIn(new_password, log_fix.output)
Пример #37
0
 def test_admin_password_reset_with_min_password_age_enabled(self):
     # enable minimum_password_age, this should have no effect on admin
     # password reset
     self.config_fixture.config(group='security_compliance',
                                minimum_password_age=1)
     # create user
     user_ref = unit.create_user(self.identity_api,
                                 domain_id=self.domain['id'])
     # administrative password reset
     new_password = uuid.uuid4().hex
     r = self.patch('/users/%s' % user_ref['id'],
                    body={'user': {'password': new_password}})
     self.assertValidUserResponse(r, user_ref)
     # authenticate with new password
     new_password_auth = self.build_authentication_request(
         user_id=user_ref['id'],
         password=new_password)
     self.v3_create_token(new_password_auth)
Пример #38
0
 def test_admin_password_reset_with_min_password_age_enabled(self):
     # enable minimum_password_age, this should have no effect on admin
     # password reset
     self.config_fixture.config(group='security_compliance',
                                minimum_password_age=1)
     # create user
     user_ref = unit.create_user(self.identity_api,
                                 domain_id=self.domain['id'])
     # administrative password reset
     new_password = uuid.uuid4().hex
     r = self.patch('/users/%s' % user_ref['id'],
                    body={'user': {'password': new_password}})
     self.assertValidUserResponse(r, user_ref)
     # authenticate with new password
     new_password_auth = self.build_authentication_request(
         user_id=user_ref['id'],
         password=new_password)
     self.v3_create_token(new_password_auth)
Пример #39
0
    def test_list_users_with_multiple_backends(self):
        """Call ``GET /users`` when multiple backends is enabled.

        In this scenario, the controller requires a domain to be specified
        either as a filter or by using a domain scoped token.

        """
        self.config_fixture.config(group='identity',
                                   domain_specific_drivers_enabled=True)

        # Create a user with a role on the domain so we can get a
        # domain scoped token
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain['id'], domain)
        user = unit.create_user(self.identity_api, domain_id=domain['id'])
        self.assignment_api.create_grant(
            role_id=self.role_id, user_id=user['id'],
            domain_id=domain['id'])

        ref = unit.new_user_ref(domain_id=domain['id'])
        ref_nd = ref.copy()
        ref_nd.pop('domain_id')
        auth = self.build_authentication_request(
            user_id=user['id'],
            password=user['password'],
            domain_id=domain['id'])

        # First try using a domain scoped token
        resource_url = '/users'
        r = self.get(resource_url, auth=auth)
        self.assertValidUserListResponse(r, ref=user,
                                         resource_url=resource_url)

        # Now try with an explicit filter
        resource_url = ('/users?domain_id=%(domain_id)s' %
                        {'domain_id': domain['id']})
        r = self.get(resource_url)
        self.assertValidUserListResponse(r, ref=user,
                                         resource_url=resource_url)

        # Now try the same thing without a domain token or filter,
        # which should fail
        r = self.get('/users', expected_status=exception.Unauthorized.code)
Пример #40
0
    def test_forbidden_trust_impersonation_in_redelegation(self):
        """Test forbiddance of impersonation in trust redelegation.

        Check that trustee not allowed to create a trust (with impersonation
        set to true) from a redelegated trust (with impersonation set to false)
        """
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        auth_data = self.build_authentication_request(
            user_id=self.trustee_user_id,
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        resp = self.v3_create_token(auth_data)

        # create third-party user, which will be trustee in trust created from
        # redelegated trust
        third_party_trustee = unit.create_user(self.identity_api,
                                               domain_id=self.domain_id)
        third_party_trustee_id = third_party_trustee['id']

        # create trust from redelegated trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.trustee_user_id,
            trustee_user_id=third_party_trustee_id,
            project_id=self.project_id,
            impersonation=True,
            role_ids=[self.role_id])
        ref['redelegated_trust_id'] = trust['id']
        self.admin_request(path='/v3/OS-TRUST/trusts',
                           body={'trust': ref},
                           token=resp.headers.get('X-Subject-Token'),
                           method='POST',
                           expected_status=http_client.FORBIDDEN)
Пример #41
0
    def test_forbidden_trust_impersonation_in_redelegation(self):
        """Test forbiddance of impersonation in trust redelegation.

        Check that trustee not allowed to create a trust (with impersonation
        set to true) from a redelegated trust (with impersonation set to false)
        """
        # create trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            role_ids=[self.role_id],
            allow_redelegation=True)
        resp = self.post('/OS-TRUST/trusts', body={'trust': ref})

        trust = self.assertValidTrustResponse(resp)

        auth_data = self.build_authentication_request(
            user_id=self.trustee_user_id,
            password=self.trustee_user['password'],
            trust_id=trust['id'])
        resp = self.v3_create_token(auth_data)

        # create third-party user, which will be trustee in trust created from
        # redelegated trust
        third_party_trustee = unit.create_user(PROVIDERS.identity_api,
                                               domain_id=self.domain_id)
        third_party_trustee_id = third_party_trustee['id']

        # create trust from redelegated trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.trustee_user_id,
            trustee_user_id=third_party_trustee_id,
            project_id=self.project_id,
            impersonation=True,
            role_ids=[self.role_id])
        ref['redelegated_trust_id'] = trust['id']
        self.admin_request(path='/v3/OS-TRUST/trusts',
                           body={'trust': ref},
                           token=resp.headers.get('X-Subject-Token'),
                           method='POST',
                           expected_status=http_client.FORBIDDEN)
Пример #42
0
    def test_change_password_required_upon_first_use_for_create(self):
        self.config_fixture.config(group='security_compliance',
                                   change_password_upon_first_use=True)

        # create user
        self.user_ref = unit.create_user(self.identity_api,
                                         domain_id=self.domain['id'])

        # attempt to authenticate with create user password
        self.get_request_token(self.user_ref['password'],
                               expected_status=http_client.UNAUTHORIZED)

        # self-service change password
        new_password = uuid.uuid4().hex
        self.change_password(password=new_password,
                             original_password=self.user_ref['password'],
                             expected_status=http_client.NO_CONTENT)

        # authenticate with the new password
        self.token = self.get_request_token(new_password, http_client.CREATED)
Пример #43
0
    def test_tls_certfile_demand_option(self):
        self.config_fixture.config(group='ldap',
                                   use_tls=True,
                                   tls_cacertdir=None,
                                   tls_req_cert='demand')
        PROVIDERS.identity_api = identity.backends.ldap.Identity()

        user = unit.create_user(PROVIDERS.identity_api, 'default',
                                name='fake1', password='******')
        user_ref = PROVIDERS.identity_api.get_user(user['id'])
        self.assertEqual(user['id'], user_ref['id'])

        user['password'] = '******'
        PROVIDERS.identity_api.update_user(user['id'], user)

        PROVIDERS.identity_api.delete_user(user['id'])
        self.assertRaises(
            exception.UserNotFound,
            PROVIDERS.identity_api.get_user,
            user['id']
        )
Пример #44
0
    def test_lockout_exempt(self):
        self.config_fixture.config(group='security_compliance',
                                   lockout_failure_attempts=1)

        # create user
        self.user_ref = unit.create_user(self.identity_api,
                                         domain_id=self.domain['id'])

        # update the user, mark her as exempt from lockout
        ignore_opt_name = options.IGNORE_LOCKOUT_ATTEMPT_OPT.option_name
        self.user_ref['options'][ignore_opt_name] = True
        self.identity_api.update_user(self.user_ref['id'], self.user_ref)

        # fail to auth, this should lockout the user, since we're allowed
        # one failure, but we're exempt from lockout!
        bad_password = uuid.uuid4().hex
        self.token = self.get_request_token(bad_password,
                                            http_client.UNAUTHORIZED)

        # attempt to authenticate with correct password
        self.get_request_token(self.user_ref['password'],
                               expected_status=http_client.CREATED)
Пример #45
0
    def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
        # create a trustee in default domain to delegate stuff to
        trustee_user = unit.create_user(self.identity_api,
                                        domain_id=test_v3.DEFAULT_DOMAIN_ID)
        trustee_user_id = trustee_user['id']

        # create a new trust
        ref = unit.new_trust_ref(
            trustor_user_id=self.default_domain_user_id,
            trustee_user_id=trustee_user_id,
            project_id=self.project_id,
            impersonation=False,
            expires=dict(minutes=1),
            role_ids=[self.role_id])

        # get a project-scoped token as the default_domain_user
        auth_data = self.build_authentication_request(
            user_id=self.default_domain_user['id'],
            password=self.default_domain_user['password'],
            project_id=self.default_domain_project_id)
        token = self.get_requested_token(auth_data)

        r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
        trust = self.assertValidTrustResponse(r)

        # get a trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=trustee_user['id'],
            password=trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, trustee_user)
        token = r.headers.get('X-Subject-Token')

        # ensure the token is invalid against v2
        path = '/v2.0/tokens/%s' % (token)
        self.admin_request(
            path=path, token=self.get_admin_token(),
            method='GET', expected_status=http_client.UNAUTHORIZED)
Пример #46
0
    def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
        # create a trustee in default domain to delegate stuff to
        trustee_user = unit.create_user(self.identity_api,
                                        domain_id=test_v3.DEFAULT_DOMAIN_ID)
        trustee_user_id = trustee_user['id']

        # create a new trust
        ref = unit.new_trust_ref(trustor_user_id=self.default_domain_user_id,
                                 trustee_user_id=trustee_user_id,
                                 project_id=self.project_id,
                                 impersonation=False,
                                 expires=dict(minutes=1),
                                 role_ids=[self.role_id])

        # get a project-scoped token as the default_domain_user
        auth_data = self.build_authentication_request(
            user_id=self.default_domain_user['id'],
            password=self.default_domain_user['password'],
            project_id=self.default_domain_project_id)
        token = self.get_requested_token(auth_data)

        r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
        trust = self.assertValidTrustResponse(r)

        # get a trust-scoped token as the trustee
        auth_data = self.build_authentication_request(
            user_id=trustee_user['id'],
            password=trustee_user['password'],
            trust_id=trust['id'])
        r = self.v3_create_token(auth_data)
        self.assertValidProjectScopedTokenResponse(r, trustee_user)
        token = r.headers.get('X-Subject-Token')

        # ensure the token is invalid against v2
        path = '/v2.0/tokens/%s' % (token)
        self.admin_request(path=path,
                           token=self.get_admin_token(),
                           method='GET',
                           expected_status=http_client.UNAUTHORIZED)
Пример #47
0
    def test_token_revoked_once_domain_disabled(self):
        """Test token from a disabled domain has been invalidated.

        Test that a token that was valid for an enabled domain
        becomes invalid once that domain is disabled.

        """
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain['id'], domain)

        user2 = unit.create_user(self.identity_api, domain_id=domain['id'])

        # build a request body
        auth_body = self.build_authentication_request(
            user_id=user2['id'], password=user2['password'])

        # sends a request for the user's token
        token_resp = self.post('/auth/tokens', body=auth_body)

        subject_token = token_resp.headers.get('x-subject-token')

        # validates the returned token and it should be valid.
        self.head('/auth/tokens',
                  headers={'x-subject-token': subject_token},
                  expected_status=http_client.OK)

        # now disable the domain
        domain['enabled'] = False
        url = "/domains/%(domain_id)s" % {'domain_id': domain['id']}
        self.patch(url, body={'domain': {'enabled': False}})

        # validates the same token again and it should be 'not found'
        # as the domain has already been disabled.
        self.head('/auth/tokens',
                  headers={'x-subject-token': subject_token},
                  expected_status=http_client.NOT_FOUND)
Пример #48
0
    def test_delete_user_retries_on_deadlock(self):
        patcher = mock.patch('sqlalchemy.orm.query.Query.delete',
                             autospec=True)

        class FakeDeadlock(object):
            def __init__(self, mock_patcher):
                self.deadlock_count = 2
                self.mock_patcher = mock_patcher
                self.patched = True

            def __call__(self, *args, **kwargs):
                if self.deadlock_count > 1:
                    self.deadlock_count -= 1
                else:
                    self.mock_patcher.stop()
                    self.patched = False
                raise oslo_db_exception.DBDeadlock

        sql_delete_mock = patcher.start()
        side_effect = FakeDeadlock(patcher)
        sql_delete_mock.side_effect = side_effect

        user_ref = unit.create_user(self.identity_api,
                                    domain_id=self.domain['id'])

        try:
            self.identity_api.delete_user(user_id=user_ref['id'])
        finally:
            if side_effect.patched:
                patcher.stop()

        call_count = sql_delete_mock.call_count

        # initial attempt + 1 retry
        delete_user_attempt_count = 2
        self.assertEqual(call_count, delete_user_attempt_count)
Пример #49
0
 def setUp(self):
     super(TestTrustOperations, self).setUp()
     # create a trustee to delegate stuff to
     self.trustee_user = unit.create_user(self.identity_api,
                                          domain_id=self.domain_id)
     self.trustee_user_id = self.trustee_user['id']
Пример #50
0
 def setUp(self):
     super(TrustsWithApplicationCredentials, self).setUp()
     self.trustee_user = unit.create_user(PROVIDERS.identity_api,
                                          domain_id=self.domain_id)
     self.trustee_user_id = self.trustee_user['id']
Пример #51
0
    def test_get_security_compliance_config_with_user_from_other_domain(self):
        """Make sure users from other domains can access password requirements.

        Even though a user is in a separate domain, they should be able to see
        the security requirements for the deployment. This is because security
        compliance is not yet implemented on a per domain basis. Once that
        happens, then this should no longer be possible since a user should
        only care about the security compliance requirements for the domain
        that they are in.
        """
        # Make a new domain
        domain = unit.new_domain_ref()
        self.resource_api.create_domain(domain['id'], domain)

        # Create a user in the new domain
        user = unit.create_user(self.identity_api, domain['id'])

        # Create a project in the new domain
        project = unit.new_project_ref(domain_id=domain['id'])
        self.resource_api.create_project(project['id'], project)

        # Give the new user a non-admin role on the project
        self.assignment_api.add_role_to_user_and_project(
            user['id'],
            project['id'],
            self.non_admin_role['id']
        )

        # Set our security compliance config values, we do this after we've
        # created our test user otherwise password validation will fail with a
        # uuid type regex.
        password_regex = uuid.uuid4().hex
        password_regex_description = uuid.uuid4().hex
        group = 'security_compliance'
        self.config_fixture.config(
            group=group,
            password_regex=password_regex
        )
        self.config_fixture.config(
            group=group,
            password_regex_description=password_regex_description
        )

        # Get a token for the newly created user scoped to the project in the
        # non-default domain and use it to get the password security
        # requirements.
        user_token = self.build_authentication_request(
            user_id=user['id'],
            password=user['password'],
            project_id=project['id']
        )
        user_token = self.get_requested_token(user_token)
        url = (
            '/domains/%(domain_id)s/config/%(group)s' %
            {
                'domain_id': CONF.identity.default_domain_id,
                'group': group,
            }
        )
        response = self.get(url, token=user_token)
        self.assertEqual(
            response.result['config'][group]['password_regex'],
            password_regex
        )
        self.assertEqual(
            response.result['config'][group]['password_regex_description'],
            password_regex_description
        )
Пример #52
0
    def test_disable_domain(self):
        """Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
        # Create a 2nd set of entities in a 2nd domain
        domain2 = unit.new_domain_ref()
        self.resource_api.create_domain(domain2['id'], domain2)

        project2 = unit.new_project_ref(domain_id=domain2['id'])
        self.resource_api.create_project(project2['id'], project2)

        user2 = unit.create_user(self.identity_api,
                                 domain_id=domain2['id'],
                                 project_id=project2['id'])

        self.assignment_api.add_user_to_project(project2['id'], user2['id'])

        # First check a user in that domain can authenticate. The v2 user
        # cannot authenticate because they exist outside the default domain.
        body = {
            'auth': {
                'passwordCredentials': {
                    'userId': user2['id'],
                    'password': user2['password']
                },
                'tenantId': project2['id']
            }
        }
        self.admin_request(path='/v2.0/tokens',
                           method='POST',
                           body=body,
                           expected_status=http_client.UNAUTHORIZED)

        auth_data = self.build_authentication_request(
            user_id=user2['id'],
            password=user2['password'],
            project_id=project2['id'])
        self.v3_create_token(auth_data)

        # Now disable the domain
        domain2['enabled'] = False
        r = self.patch('/domains/%(domain_id)s' % {'domain_id': domain2['id']},
                       body={'domain': {
                           'enabled': False
                       }})
        self.assertValidDomainResponse(r, domain2)

        # Make sure the user can no longer authenticate, via
        # either API
        body = {
            'auth': {
                'passwordCredentials': {
                    'userId': user2['id'],
                    'password': user2['password']
                },
                'tenantId': project2['id']
            }
        }
        self.admin_request(path='/v2.0/tokens',
                           method='POST',
                           body=body,
                           expected_status=http_client.UNAUTHORIZED)

        # Try looking up in v3 by name and id
        auth_data = self.build_authentication_request(
            user_id=user2['id'],
            password=user2['password'],
            project_id=project2['id'])
        self.v3_create_token(auth_data,
                             expected_status=http_client.UNAUTHORIZED)

        auth_data = self.build_authentication_request(
            username=user2['name'],
            user_domain_id=domain2['id'],
            password=user2['password'],
            project_id=project2['id'])
        self.v3_create_token(auth_data,
                             expected_status=http_client.UNAUTHORIZED)
Пример #53
0
    def load_sample_data(self):
        """Create sample data for password expiry tests.

        The test environment will consist of a single domain, containing
        a single project. It will create three users and one group.
        Each user is going to be given a role assignment on the project
        and the domain. Two of the three users are going to be placed into
        the group, which won't have any role assignments to either the
        project or the domain.

        """
        self._populate_default_domain()
        self.domain = unit.new_domain_ref()
        self.resource_api.create_domain(self.domain['id'], self.domain)
        self.domain_id = self.domain['id']
        self.project = unit.new_project_ref(domain_id=self.domain_id)
        self.project_id = self.project['id']
        self.project = self.resource_api.create_project(
            self.project_id, self.project)
        self.group = unit.new_group_ref(domain_id=self.domain_id)
        self.group = self.identity_api.create_group(self.group)
        self.group_id = self.group['id']
        # Creates three users each with password expiration offset
        # by one day, starting with the current time frozen.
        self.starttime = datetime.datetime.utcnow()
        with freezegun.freeze_time(self.starttime):
            self.config_fixture.config(group='security_compliance',
                                       password_expires_days=1)
            self.user = unit.create_user(self.identity_api,
                                         domain_id=self.domain_id)
            self.config_fixture.config(group='security_compliance',
                                       password_expires_days=2)
            self.user2 = unit.create_user(self.identity_api,
                                          domain_id=self.domain_id)
            self.config_fixture.config(group='security_compliance',
                                       password_expires_days=3)
            self.user3 = unit.create_user(self.identity_api,
                                          domain_id=self.domain_id)
        self.role = unit.new_role_ref(name='admin')
        self.role_api.create_role(self.role['id'], self.role)
        self.role_id = self.role['id']
        # Grant admin role to the users created.
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user['id'],
                                         domain_id=self.domain_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user2['id'],
                                         domain_id=self.domain_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user3['id'],
                                         domain_id=self.domain_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user['id'],
                                         project_id=self.project_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user2['id'],
                                         project_id=self.project_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user3['id'],
                                         project_id=self.project_id)
        # Add the last two users to the group.
        self.identity_api.add_user_to_group(self.user2['id'], self.group_id)
        self.identity_api.add_user_to_group(self.user3['id'], self.group_id)
Пример #54
0
 def setUp(self):
     super(UserSelfServiceChangingPasswordsTestCase, self).setUp()
     self.user_ref = unit.create_user(self.identity_api,
                                      domain_id=self.domain['id'])
     self.token = self.get_request_token(self.user_ref['password'],
                                         http_client.CREATED)
Пример #55
0
    def load_sample_data(self):
        """Create sample data for password expiry tests.

        The test environment will consist of a single domain, containing
        a single project. It will create three users and one group.
        Each user is going to be given a role assignment on the project
        and the domain. Two of the three users are going to be placed into
        the group, which won't have any role assignments to either the
        project or the domain.

        """
        self._populate_default_domain()
        self.domain = unit.new_domain_ref()
        self.resource_api.create_domain(self.domain['id'], self.domain)
        self.domain_id = self.domain['id']
        self.project = unit.new_project_ref(domain_id=self.domain_id)
        self.project_id = self.project['id']
        self.project = self.resource_api.create_project(self.project_id,
                                                        self.project)
        self.group = unit.new_group_ref(domain_id=self.domain_id)
        self.group = self.identity_api.create_group(self.group)
        self.group_id = self.group['id']
        # Creates three users each with password expiration offset
        # by one day, starting with the current time frozen.
        self.starttime = datetime.datetime.utcnow()
        with freezegun.freeze_time(self.starttime):
            self.config_fixture.config(group='security_compliance',
                                       password_expires_days=1)
            self.user = unit.create_user(self.identity_api,
                                         domain_id=self.domain_id)
            self.config_fixture.config(group='security_compliance',
                                       password_expires_days=2)
            self.user2 = unit.create_user(self.identity_api,
                                          domain_id=self.domain_id)
            self.config_fixture.config(group='security_compliance',
                                       password_expires_days=3)
            self.user3 = unit.create_user(self.identity_api,
                                          domain_id=self.domain_id)
        self.role = unit.new_role_ref(name='admin')
        self.role_api.create_role(self.role['id'], self.role)
        self.role_id = self.role['id']
        # Grant admin role to the users created.
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user['id'],
                                         domain_id=self.domain_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user2['id'],
                                         domain_id=self.domain_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user3['id'],
                                         domain_id=self.domain_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user['id'],
                                         project_id=self.project_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user2['id'],
                                         project_id=self.project_id)
        self.assignment_api.create_grant(self.role_id,
                                         user_id=self.user3['id'],
                                         project_id=self.project_id)
        # Add the last two users to the group.
        self.identity_api.add_user_to_group(self.user2['id'],
                                            self.group_id)
        self.identity_api.add_user_to_group(self.user3['id'],
                                            self.group_id)
Пример #56
0
 def setUp(self):
     super(TestTrustOperations, self).setUp()
     # create a trustee to delegate stuff to
     self.trustee_user = unit.create_user(self.identity_api,
                                          domain_id=self.domain_id)
     self.trustee_user_id = self.trustee_user['id']