def setUp(self): # Start container self._start_container() self.container.start_rel_from_url('res/deploy/basic.yml') self.resource_registry = ResourceRegistryServiceClient() self.identity_management_service = IdentityManagementServiceClient() self.org_client = OrgManagementServiceClient()
def setUp(self): self._start_container() self.container.start_rel_from_url('res/deploy/basic.yml') self.resource_registry = ResourceRegistryServiceClient() self.org_client = OrgManagementServiceClient() self.idm_client = IdentityManagementServiceClient() self.ui_server_proc = self.container.proc_manager.procs_by_name[ "ui_server"] self.ui_base_url = self.ui_server_proc.base_url self.sg_base_url = self.ui_server_proc.gateway_base_url
def setUp(self): self._start_container() self.container.start_rel_from_url('res/deploy/basic.yml') self.resource_registry = ResourceRegistryServiceClient() self.org_client = OrgManagementServiceClient() self.idm_client = IdentityManagementServiceClient() self.ui_server_proc = self.container.proc_manager.procs_by_name["ui_server"] self.ui_base_url = self.ui_server_proc.base_url self.sg_base_url = self.ui_server_proc.gateway_base_url
def setUp(self): self._start_container() self.patch_alt_cfg('scion.process.preload.preloader.CFG', {'scion': {'preload': {'enabled': False}}}) self.container.start_rel_from_url('res/deploy/scion.yml') self.rr = self.container.resource_registry self.scion_client = ScionManagementClient() self.idm_client = IdentityManagementServiceClient() self.system_actor_id = None self.ui_server_proc = self.container.proc_manager.procs_by_name["ui_server"] self.scion_proc = self.container.proc_manager.procs_by_name["scion_management"] self.ui_base_url = self.ui_server_proc.base_url self.sg_base_url = self.ui_server_proc.gateway_base_url
class TestIdentityManagementServiceInt(IonIntegrationTestCase): def setUp(self): # Start container self._start_container() self.container.start_rel_from_url('res/deploy/basic.yml') self.resource_registry = ResourceRegistryServiceClient() self.identity_management_service = IdentityManagementServiceClient() self.org_client = OrgManagementServiceClient() def test_actor_identity(self): # TEST: Create, Update, Read actor_identity_obj = ActorIdentity(name="John Doe") actor_id = self.identity_management_service.create_actor_identity(actor_identity_obj) actor_identity = self.identity_management_service.read_actor_identity(actor_id) self.assertEquals(actor_identity_obj.name, actor_identity.name) actor_identity.name = 'Updated name' self.identity_management_service.update_actor_identity(actor_identity) ai = self.identity_management_service.find_actor_identity_by_name(actor_identity.name) self.assertEquals(ai.name, actor_identity.name) with self.assertRaises(NotFound): ai = self.identity_management_service.find_actor_identity_by_name("##FOO USER##") self.assertEquals(ai.name, actor_identity.name) # TEST: Actor credentials self._do_test_credentials(actor_id) # TEST: Identity details (user profile) self._do_test_profile(actor_id) # TEST: Password reset self._do_test_password_reset(actor_id) # TEST: Auth tokens self._do_test_auth_tokens(actor_id) # TEST: Delete self.identity_management_service.delete_actor_identity(actor_id) with self.assertRaises(NotFound) as cm: self.identity_management_service.read_actor_identity(actor_id) self.assertTrue("does not exist" in cm.exception.message) with self.assertRaises(NotFound) as cm: self.identity_management_service.delete_actor_identity(actor_id) self.assertTrue("does not exist" in cm.exception.message) def _do_test_credentials(self, actor_id): actor_identity = self.identity_management_service.read_actor_identity(actor_id) self.assertEquals(len(actor_identity.credentials), 0) actor_cred = Credentials(username="******", password_hash="123", password_salt="foo") self.identity_management_service.register_credentials(actor_id, actor_cred) actor_identity = self.identity_management_service.read_actor_identity(actor_id) self.assertEquals(len(actor_identity.credentials), 1) self.assertEquals(actor_identity.credentials[0].username, "jdoe") actor_id1 = self.identity_management_service.find_actor_identity_by_username("jdoe") self.assertEquals(actor_id1, actor_id) with self.assertRaises(NotFound): self.identity_management_service.find_actor_identity_by_username("##FOO USER##") self.identity_management_service.unregister_credentials(actor_id, "jdoe") actor_identity = self.identity_management_service.read_actor_identity(actor_id) self.assertEquals(len(actor_identity.credentials), 0) self.identity_management_service.set_actor_credentials(actor_id, "jdoe1", "mypasswd") actor_identity = self.identity_management_service.read_actor_identity(actor_id) self.assertEquals(len(actor_identity.credentials), 1) self.assertEquals(actor_identity.credentials[0].username, "jdoe1") self.assertNotEquals(actor_identity.credentials[0].password_hash, "mypasswd") actor_id1 = self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd") self.assertEquals(actor_id1, actor_id) with self.assertRaises(NotFound): self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd1") self.identity_management_service.set_user_password("jdoe1", "mypasswd1") actor_id1 = self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd1") self.assertEquals(actor_id1, actor_id) for i in range(6): with self.assertRaises(NotFound): self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd0") with self.assertRaises(NotFound): self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd1") self.identity_management_service.set_actor_auth_status(actor_id, AuthStatusEnum.ENABLED) actor_id1 = self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd1") self.assertEquals(actor_id1, actor_id) def _do_test_profile(self, actor_id): actor_details1 = self.identity_management_service.read_identity_details(actor_id) self.assertEquals(actor_details1, None) actor_details = UserIdentityDetails() actor_details.contact.individual_names_given = "John" actor_details.contact.individual_name_family = "Doe" self.identity_management_service.define_identity_details(actor_id, actor_details) actor_details1 = self.identity_management_service.read_identity_details(actor_id) self.assertEquals(actor_details1.contact.individual_names_given, actor_details.contact.individual_names_given) def _do_test_password_reset(self, actor_id=''): idm = self.identity_management_service actor_obj = idm.read_actor_identity(actor_id) username = actor_obj.credentials[0].username reset_token = idm.request_password_reset(username=username) actor_obj = idm.read_actor_identity(actor_id) self.assertEquals(actor_obj.passwd_reset_token.token_type, TokenTypeEnum.ACTOR_RESET_PASSWD) self.assertTrue(actor_obj.passwd_reset_token.token_string) self.assertEquals(reset_token, actor_obj.passwd_reset_token.token_string) self.assertRaises(Unauthorized, idm.reset_password, username=username, token_string='xxx', new_password='******') idm.reset_password(username=username, token_string=reset_token, new_password='******') actor_obj = idm.read_actor_identity(actor_id) self.assertEquals(actor_obj.passwd_reset_token, None) self.assertRaises(Unauthorized, idm.reset_password, username=username, token_string=reset_token, new_password='******') def _do_test_auth_tokens(self, actor_id): # Note: test of service gateway token functionality is in SGS test token_str = self.identity_management_service.create_authentication_token(actor_id, validity=10000) self.assertIsInstance(token_str, str) self.assertGreaterEqual(len(token_str), 25) token_info = self.identity_management_service.check_authentication_token(token_str) self.assertEquals(token_info["actor_id"], actor_id) token_info = self.identity_management_service.check_authentication_token(token_str) self.assertGreaterEqual(int(token_info["expiry"]), get_ion_ts_millis()) with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token(actor_id="", validity=10000) with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token(actor_id, validity="FOO") with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token(actor_id, validity=-200) cur_time = get_ion_ts_millis() with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token(actor_id, start_time=str(cur_time-100000), validity=50) with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token(actor_id, validity=35000000) with self.assertRaises(NotFound): self.identity_management_service.check_authentication_token("UNKNOWN") token_str2 = self.identity_management_service.create_authentication_token(actor_id, validity=1) token_info = self.identity_management_service.check_authentication_token(token_str2) gevent.sleep(1.1) with self.assertRaises(Unauthorized): self.identity_management_service.check_authentication_token(token_str2) token = self.identity_management_service.read_authentication_token(token_str2) token.expires = str(cur_time + 5000) self.identity_management_service.update_authentication_token(token) token_info = self.identity_management_service.check_authentication_token(token_str2) token_str3 = self.identity_management_service.create_authentication_token(actor_id, validity=2) token_info = self.identity_management_service.check_authentication_token(token_str3) self.identity_management_service.invalidate_authentication_token(token_str3) with self.assertRaises(Unauthorized): self.identity_management_service.check_authentication_token(token_str3) token = self.identity_management_service.read_authentication_token(token_str3) self.assertEquals(token.token_string, token_str3) self.assertIn(token_str3, token._id) token.status = "OPEN" self.identity_management_service.update_authentication_token(token) token_info = self.identity_management_service.check_authentication_token(token_str3)
class TestUIServer(IonIntegrationTestCase): def setUp(self): self._start_container() self.container.start_rel_from_url('res/deploy/basic.yml') self.resource_registry = ResourceRegistryServiceClient() self.org_client = OrgManagementServiceClient() self.idm_client = IdentityManagementServiceClient() self.ui_server_proc = self.container.proc_manager.procs_by_name["ui_server"] self.ui_base_url = self.ui_server_proc.base_url self.sg_base_url = self.ui_server_proc.gateway_base_url def test_ui_server(self): actor_identity_obj = ActorIdentity(name="John Doe") actor_id = self.idm_client.create_actor_identity(actor_identity_obj) self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd") actor_details = UserIdentityDetails() actor_details.contact.individual_names_given = "John" actor_details.contact.individual_name_family = "Doe" self.idm_client.define_identity_details(actor_id, actor_details) # TEST: Authentication self._do_test_authentication() # TEST: Service gateway self._do_test_service_gateway(actor_id) self.idm_client.delete_actor_identity(actor_id) def _do_test_authentication(self): session = requests.session() # TEST: Login resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEquals("", resp_json["result"]["username"]) resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******")) self._assert_json_response(resp, None, status=404) resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEquals("", resp_json["result"]["username"]) resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******")) resp_json = self._assert_json_response(resp, None) self.assertIn("actor_id", resp_json["result"]) self.assertIn("username", resp_json["result"]) self.assertIn("full_name", resp_json["result"]) self.assertEquals("jdoe", resp_json["result"]["username"]) resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEquals("jdoe", resp_json["result"]["username"]) resp = session.get(self.ui_base_url + "/auth/logout") self._assert_json_response(resp, "OK") resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEquals("", resp_json["result"]["username"]) def _do_test_service_gateway(self, actor_id): # We don't want to modify import order during testing, so import here from ion.services.service_gateway import SG_IDENTIFICATION session = requests.session() # TEST: Service gateway available resp = session.get(self.sg_base_url + "/") self._assert_json_response(resp, SG_IDENTIFICATION) # TEST: Login resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******")) resp_json = self._assert_json_response(resp, None) self.assertEquals("jdoe", resp_json["result"]["username"]) # TEST: Service access resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True") resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) # Request as POST with JSON data payload = dict(data=json.dumps(dict(params=dict(restype="ActorIdentity", id_only=True)))) resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload) resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) # Request as POST with JSON data and no params payload = dict(data=json.dumps(dict(restype="ActorIdentity", id_only=True))) resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload) resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) # Request as POST with params directly as form data payload = dict(restype="ActorIdentity", id_only=True) resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload) resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) resp = session.get(self.sg_base_url + "/request/resource_registry/read/" + actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) # TEST: REST API resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity") resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, [o["_id"] for o in resp_json["result"]]) num_actors = len(resp_json["result"]) resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) # Form encoded create request other_actor_obj = ActorIdentity(name="Jane Foo") other_actor_obj.details = None other_actor_obj_dict = other_actor_obj.__dict__.copy() # Remove unseralizable attributes. del other_actor_obj_dict['passwd_reset_token'] payload = dict(data=json.dumps(other_actor_obj_dict)) resp = session.post(self.sg_base_url + "/rest/identity_management/actor_identity", data=payload) resp_json = self._assert_json_response(resp, None) other_actor_id = resp_json["result"] resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity") resp_json = self._assert_json_response(resp, None) self.assertEquals(len(resp_json["result"]), num_actors + 1) resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) self.assertEquals(other_actor_id, resp_json["result"]["_id"]) # Form encoded update request resp_json["result"]["name"] = "Jane Long" payload = dict(data=json.dumps(resp_json["result"])) resp = session.put(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id, data=payload) resp_json = self._assert_json_response(resp, None) resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) self.assertEquals("Jane Long", resp_json["result"]["name"]) # JSON enconded request resp_json["result"]["name"] = "Jane Dunn" payload = json.dumps(resp_json["result"]) resp = session.put(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id, data=payload, headers={'Content-Type': CONT_TYPE_JSON}) resp_json = self._assert_json_response(resp, None) resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) self.assertEquals("Jane Dunn", resp_json["result"]["name"]) def _assert_json_response(self, resp, result, status=200): self.assertIn("application/json", resp.headers["content-type"]) if status: self.assertEquals(status, resp.status_code) resp_json = resp.json() if result is not None: self.assertIn("result", resp_json) if type(result) in (str, unicode, int, long, float, bool): self.assertEquals(result, resp_json["result"]) else: self.fail("Unsupported result type") return resp_json def test_ui_oauth2(self): actor_identity_obj = ActorIdentity(name="John Doe") actor_id = self.idm_client.create_actor_identity(actor_identity_obj) self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd") actor_details = UserIdentityDetails() actor_details.contact.individual_names_given = "John" actor_details.contact.individual_name_family = "Doe" self.idm_client.define_identity_details(actor_id, actor_details) client_obj = ActorIdentity(name="UI Client", details=OAuthClientIdentityDetails(default_scopes="scioncc")) client_actor_id = self.idm_client.create_actor_identity(client_obj) client_id = "ui" self.idm_client.set_actor_credentials(client_actor_id, "client:"+client_id, "client_secret") session = requests.session() # TEST: OAuth2 authorize log.info("------------ Get token #1") auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"} resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() # TEST: Service access log.info("------------ Access with token") resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None) #self.assertIn(actor_id, resp_json["result"][0]) log.info("------------ Access with bad token") resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer FOOBAR"}) resp_json = self._assert_json_response(resp, None, status=401) # TEST: Get session using token log.info("------------ Get session using token") resp = session.get(self.ui_base_url + "/auth/session", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None) self.assertEqual(actor_id, resp_json["result"]["actor_id"]) # TEST: Get new access token log.info("------------ Refresh token") auth_params = {"client_id": client_id, "grant_type": "refresh_token", "refresh_token": access_token["refresh_token"]} resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token1 = resp.json() with patch('ion.processes.ui.server.ui_instance.session_timeout', 2): log.info("Patched server.session_timeout to %s", self.ui_server_proc.session_timeout) session = requests.session() log.info("------------ Get token #2 (with short expiration)") auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"} resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() # TEST: Service access log.info("------------ Access before expired") resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None) gevent.sleep(2) # TEST: Service access fails after expiration log.info("------------ Access after token expiration") resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None, status=401) with patch('ion.processes.ui.server.ui_instance.session_timeout', 2), \ patch('ion.processes.ui.server.ui_instance.extend_session_timeout', True), \ patch('ion.processes.ui.server.ui_instance.max_session_validity', 3): session = requests.session() log.info("------------ Get token #3 (with short expiration)") auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"} resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() gevent.sleep(1) # TEST: Service access extends expiration log.info("------------ Access before expired should extend expiration") resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None) gevent.sleep(1.1) # TEST: Service access will fail unless was extended log.info("------------ Access before expired after extension") resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None) gevent.sleep(1.5) # TEST: Service access fails after max validity log.info("------------ Access after token expiration") resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None, status=401) # TEST: Remember user from within session session = requests.session() log.info("------------ Get token #4") auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"} resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() # TEST: Get session without token tests remember user log.info("------------ Get session without token") resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEqual(actor_id, resp_json["result"]["actor_id"]) # TEST: Logout log.info("------------ Logout") resp = session.get(self.ui_base_url + "/auth/logout", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None) self.assertEqual(resp_json["result"], "OK") # TEST: Get session without token after logout log.info("------------ Get session without token") resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEqual(resp_json["result"]["actor_id"], "") # TEST: Service access after logout log.info("------------ Access with token after logout") resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer %s" % access_token["access_token"]}) resp_json = self._assert_json_response(resp, None, 401) with patch('ion.processes.ui.server.ui_instance.remember_user', False): session = requests.session() log.info("------------ Get token #5") auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"} resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() # TEST: Get session without token fails if remember user is False log.info("------------ Get session without token") resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEqual(resp_json["result"]["actor_id"], "")
class TestUIServer(IonIntegrationTestCase): def setUp(self): self._start_container() self.container.start_rel_from_url('res/deploy/basic.yml') self.resource_registry = ResourceRegistryServiceClient() self.org_client = OrgManagementServiceClient() self.idm_client = IdentityManagementServiceClient() self.ui_server_proc = self.container.proc_manager.procs_by_name[ "ui_server"] self.ui_base_url = self.ui_server_proc.base_url self.sg_base_url = self.ui_server_proc.gateway_base_url def test_ui_server(self): actor_identity_obj = ActorIdentity(name="John Doe") actor_id = self.idm_client.create_actor_identity(actor_identity_obj) self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd") actor_details = UserIdentityDetails() actor_details.contact.individual_names_given = "John" actor_details.contact.individual_name_family = "Doe" self.idm_client.define_identity_details(actor_id, actor_details) # TEST: Authentication self._do_test_authentication() # TEST: Service gateway self._do_test_service_gateway(actor_id) self.idm_client.delete_actor_identity(actor_id) def _do_test_authentication(self): session = requests.session() # TEST: Login resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEquals("", resp_json["result"]["username"]) resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******")) self._assert_json_response(resp, None, status=404) resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEquals("", resp_json["result"]["username"]) resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******")) resp_json = self._assert_json_response(resp, None) self.assertIn("actor_id", resp_json["result"]) self.assertIn("username", resp_json["result"]) self.assertIn("full_name", resp_json["result"]) self.assertEquals("jdoe", resp_json["result"]["username"]) resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEquals("jdoe", resp_json["result"]["username"]) resp = session.get(self.ui_base_url + "/auth/logout") self._assert_json_response(resp, "OK") resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEquals("", resp_json["result"]["username"]) def _do_test_service_gateway(self, actor_id): # We don't want to modify import order during testing, so import here from ion.service.service_gateway import SG_IDENTIFICATION session = requests.session() # TEST: Service gateway available resp = session.get(self.sg_base_url + "/") self._assert_json_response(resp, SG_IDENTIFICATION) # TEST: Login resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******")) resp_json = self._assert_json_response(resp, None) self.assertEquals("jdoe", resp_json["result"]["username"]) # TEST: Service access resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True" ) resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) # Request as POST with JSON data payload = dict(data=json.dumps( dict(params=dict(restype="ActorIdentity", id_only=True)))) resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload) resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) # Request as POST with JSON data and no params payload = dict( data=json.dumps(dict(restype="ActorIdentity", id_only=True))) resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload) resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) # Request as POST with params directly as form data payload = dict(restype="ActorIdentity", id_only=True) resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload) resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) resp = session.get(self.sg_base_url + "/request/resource_registry/read/" + actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) # Request as POST with params directly as form data with files content payload = dict(id_only=True) files = dict(restype=("restype", "ActorIdentity")) resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload, files=files) resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, resp_json["result"][0]) resp = session.get(self.sg_base_url + "/request/resource_registry/read/" + actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) # TEST: REST API resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity") resp_json = self._assert_json_response(resp, None) self.assertIn(actor_id, [o["_id"] for o in resp_json["result"]]) num_actors = len(resp_json["result"]) resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) # Form encoded create request other_actor_obj = ActorIdentity(name="Jane Foo") other_actor_obj.details = None other_actor_obj_dict = other_actor_obj.__dict__.copy() # Remove unseralizable attributes. del other_actor_obj_dict['passwd_reset_token'] payload = dict(data=json.dumps(other_actor_obj_dict)) resp = session.post(self.sg_base_url + "/rest/identity_management/actor_identity", data=payload) resp_json = self._assert_json_response(resp, None) other_actor_id = resp_json["result"] resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity") resp_json = self._assert_json_response(resp, None) self.assertEquals(len(resp_json["result"]), num_actors + 1) resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) self.assertEquals(other_actor_id, resp_json["result"]["_id"]) # Form encoded update request resp_json["result"]["name"] = "Jane Long" payload = dict(data=json.dumps(resp_json["result"])) resp = session.put(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id, data=payload) resp_json = self._assert_json_response(resp, None) resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) self.assertEquals("Jane Long", resp_json["result"]["name"]) # JSON enconded request resp_json["result"]["name"] = "Jane Dunn" payload = json.dumps(resp_json["result"]) resp = session.put(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id, data=payload, headers={'Content-Type': CONT_TYPE_JSON}) resp_json = self._assert_json_response(resp, None) resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id) resp_json = self._assert_json_response(resp, None) self.assertIn("type_", resp_json["result"]) self.assertEquals("Jane Dunn", resp_json["result"]["name"]) def _assert_json_response(self, resp, result, status=200): self.assertIn("application/json", resp.headers["content-type"]) if status: self.assertEquals(status, resp.status_code) resp_json = resp.json() if result is not None: self.assertIn("result", resp_json) if type(result) in (str, unicode, int, long, float, bool): self.assertEquals(result, resp_json["result"]) else: self.fail("Unsupported result type") return resp_json def test_ui_oauth2(self): actor_identity_obj = ActorIdentity(name="John Doe") actor_id = self.idm_client.create_actor_identity(actor_identity_obj) self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd") actor_details = UserIdentityDetails() actor_details.contact.individual_names_given = "John" actor_details.contact.individual_name_family = "Doe" self.idm_client.define_identity_details(actor_id, actor_details) client_obj = ActorIdentity( name="UI Client", details=OAuthClientIdentityDetails(default_scopes="scioncc")) client_actor_id = self.idm_client.create_actor_identity(client_obj) client_id = "ui" self.idm_client.set_actor_credentials(client_actor_id, "client:" + client_id, "client_secret") session = requests.session() # TEST: OAuth2 authorize log.info("------------ Get token #1") auth_params = { "client_id": client_id, "grant_type": "password", "username": "******", "password": "******" } resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() # TEST: Service access log.info("------------ Access with token") resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None) #self.assertIn(actor_id, resp_json["result"][0]) log.info("------------ Access with bad token") resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={"Authorization": "Bearer FOOBAR"}) resp_json = self._assert_json_response(resp, None, status=401) # TEST: Get session using token log.info("------------ Get session using token") resp = session.get(self.ui_base_url + "/auth/session", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None) self.assertEqual(actor_id, resp_json["result"]["actor_id"]) # TEST: Get new access token log.info("------------ Refresh token") auth_params = { "client_id": client_id, "grant_type": "refresh_token", "refresh_token": access_token["refresh_token"] } resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token1 = resp.json() with patch('ion.process.ui.server.ui_instance.session_timeout', 2): log.info("Patched server.session_timeout to %s", self.ui_server_proc.session_timeout) session = requests.session() log.info("------------ Get token #2 (with short expiration)") auth_params = { "client_id": client_id, "grant_type": "password", "username": "******", "password": "******" } resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() # TEST: Service access log.info("------------ Access before expired") resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None) gevent.sleep(2) # TEST: Service access fails after expiration log.info("------------ Access after token expiration") resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None, status=401) with patch('ion.process.ui.server.ui_instance.session_timeout', 2), \ patch('ion.process.ui.server.ui_instance.extend_session_timeout', True), \ patch('ion.process.ui.server.ui_instance.max_session_validity', 3): session = requests.session() log.info("------------ Get token #3 (with short expiration)") auth_params = { "client_id": client_id, "grant_type": "password", "username": "******", "password": "******" } resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() gevent.sleep(1) # TEST: Service access extends expiration log.info( "------------ Access before expired should extend expiration") resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None) gevent.sleep(1.1) # TEST: Service access will fail unless was extended log.info("------------ Access before expired after extension") resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None) gevent.sleep(1.5) # TEST: Service access fails after max validity log.info("------------ Access after token expiration") resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None, status=401) # TEST: Remember user from within session session = requests.session() log.info("------------ Get token #4") auth_params = { "client_id": client_id, "grant_type": "password", "username": "******", "password": "******" } resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() # TEST: Get session without token tests remember user log.info("------------ Get session without token") resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEqual(actor_id, resp_json["result"]["actor_id"]) # TEST: Logout log.info("------------ Logout") resp = session.get(self.ui_base_url + "/auth/logout", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None) self.assertEqual(resp_json["result"], "OK") # TEST: Get session without token after logout log.info("------------ Get session without token") resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEqual(resp_json["result"]["actor_id"], "") # TEST: Service access after logout log.info("------------ Access with token after logout") resp = session.get( self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True", headers={ "Authorization": "Bearer %s" % access_token["access_token"] }) resp_json = self._assert_json_response(resp, None, 401) with patch('ion.process.ui.server.ui_instance.remember_user', False): session = requests.session() log.info("------------ Get token #5") auth_params = { "client_id": client_id, "grant_type": "password", "username": "******", "password": "******" } resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() # TEST: Get session without token fails if remember user is False log.info("------------ Get session without token") resp = session.get(self.ui_base_url + "/auth/session") resp_json = self._assert_json_response(resp, None) self.assertEqual(resp_json["result"]["actor_id"], "") def test_ui_oauth2_refresh_token(self): actor_identity_obj = ActorIdentity(name="John Doe") actor_id = self.idm_client.create_actor_identity(actor_identity_obj) actor_name = "jdoe" actor_password = "******" self.idm_client.set_actor_credentials(actor_id, actor_name, actor_password) actor_details = UserIdentityDetails() actor_details.contact.individual_names_given = "John" actor_details.contact.individual_name_family = "Doe" self.idm_client.define_identity_details(actor_id, actor_details) client_obj = ActorIdentity( name="UI Client", details=OAuthClientIdentityDetails(default_scopes="scioncc")) client_actor_id = self.idm_client.create_actor_identity(client_obj) client_id = "ui" self.idm_client.set_actor_credentials(client_actor_id, "client:" + client_id, "client_secret") session = requests.session() log.info("------------ Get token") auth_params = { "client_id": client_id, "grant_type": "password", "username": actor_name, "password": actor_password } resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) access_token = resp.json() log.info("------------ Refresh token") auth_params = { "client_id": client_id, "grant_type": "refresh_token", "refresh_token": access_token["refresh_token"] } resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params) updated_token = resp.json() self.assertIsNotNone(updated_token) self.assertNotIn("error", updated_token) for item in [ "access_token", "token_type", "expires_in", "refresh_token", "scope" ]: self.assertIn(item, updated_token)
class TestIdentityManagementServiceInt(IonIntegrationTestCase): def setUp(self): # Start container self._start_container() self.container.start_rel_from_url('res/deploy/basic.yml') self.resource_registry = ResourceRegistryServiceClient() self.identity_management_service = IdentityManagementServiceClient() self.org_client = OrgManagementServiceClient() def test_actor_identity(self): # TEST: Create, Update, Read actor_identity_obj = ActorIdentity(name="John Doe") actor_id = self.identity_management_service.create_actor_identity( actor_identity_obj) actor_identity = self.identity_management_service.read_actor_identity( actor_id) self.assertEquals(actor_identity_obj.name, actor_identity.name) actor_identity.name = 'Updated name' self.identity_management_service.update_actor_identity(actor_identity) ai = self.identity_management_service.find_actor_identity_by_name( actor_identity.name) self.assertEquals(ai.name, actor_identity.name) with self.assertRaises(NotFound): ai = self.identity_management_service.find_actor_identity_by_name( "##FOO USER##") self.assertEquals(ai.name, actor_identity.name) # TEST: Actor credentials self._do_test_credentials(actor_id) # TEST: Identity details (user profile) self._do_test_profile(actor_id) # TEST: Password reset self._do_test_password_reset(actor_id) # TEST: Auth tokens self._do_test_auth_tokens(actor_id) # TEST: Delete self.identity_management_service.delete_actor_identity(actor_id) with self.assertRaises(NotFound) as cm: self.identity_management_service.read_actor_identity(actor_id) self.assertTrue("does not exist" in cm.exception.message) with self.assertRaises(NotFound) as cm: self.identity_management_service.delete_actor_identity(actor_id) self.assertTrue("does not exist" in cm.exception.message) def _do_test_credentials(self, actor_id): actor_identity = self.identity_management_service.read_actor_identity( actor_id) self.assertEquals(len(actor_identity.credentials), 0) actor_cred = Credentials(username="******", password_hash="123", password_salt="foo") self.identity_management_service.register_credentials( actor_id, actor_cred) actor_identity = self.identity_management_service.read_actor_identity( actor_id) self.assertEquals(len(actor_identity.credentials), 1) self.assertEquals(actor_identity.credentials[0].username, "jdoe") actor_id1 = self.identity_management_service.find_actor_identity_by_username( "jdoe") self.assertEquals(actor_id1, actor_id) with self.assertRaises(NotFound): self.identity_management_service.find_actor_identity_by_username( "##FOO USER##") self.identity_management_service.unregister_credentials( actor_id, "jdoe") actor_identity = self.identity_management_service.read_actor_identity( actor_id) self.assertEquals(len(actor_identity.credentials), 0) self.identity_management_service.set_actor_credentials( actor_id, "jdoe1", "mypasswd") actor_identity = self.identity_management_service.read_actor_identity( actor_id) self.assertEquals(len(actor_identity.credentials), 1) self.assertEquals(actor_identity.credentials[0].username, "jdoe1") self.assertNotEquals(actor_identity.credentials[0].password_hash, "mypasswd") actor_id1 = self.identity_management_service.check_actor_credentials( "jdoe1", "mypasswd") self.assertEquals(actor_id1, actor_id) with self.assertRaises(NotFound): self.identity_management_service.check_actor_credentials( "jdoe1", "mypasswd1") self.identity_management_service.set_user_password( "jdoe1", "mypasswd1") actor_id1 = self.identity_management_service.check_actor_credentials( "jdoe1", "mypasswd1") self.assertEquals(actor_id1, actor_id) for i in range(6): with self.assertRaises(NotFound): self.identity_management_service.check_actor_credentials( "jdoe1", "mypasswd0") with self.assertRaises(NotFound): self.identity_management_service.check_actor_credentials( "jdoe1", "mypasswd1") self.identity_management_service.set_actor_auth_status( actor_id, AuthStatusEnum.ENABLED) actor_id1 = self.identity_management_service.check_actor_credentials( "jdoe1", "mypasswd1") self.assertEquals(actor_id1, actor_id) def _do_test_profile(self, actor_id): actor_details1 = self.identity_management_service.read_identity_details( actor_id) self.assertEquals(actor_details1, None) actor_details = UserIdentityDetails() actor_details.contact.individual_names_given = "John" actor_details.contact.individual_name_family = "Doe" self.identity_management_service.define_identity_details( actor_id, actor_details) actor_details1 = self.identity_management_service.read_identity_details( actor_id) self.assertEquals(actor_details1.contact.individual_names_given, actor_details.contact.individual_names_given) def _do_test_password_reset(self, actor_id=''): idm = self.identity_management_service actor_obj = idm.read_actor_identity(actor_id) username = actor_obj.credentials[0].username reset_token = idm.request_password_reset(username=username) actor_obj = idm.read_actor_identity(actor_id) self.assertEquals(actor_obj.passwd_reset_token.token_type, TokenTypeEnum.ACTOR_RESET_PASSWD) self.assertTrue(actor_obj.passwd_reset_token.token_string) self.assertEquals(reset_token, actor_obj.passwd_reset_token.token_string) self.assertRaises(Unauthorized, idm.reset_password, username=username, token_string='xxx', new_password='******') idm.reset_password(username=username, token_string=reset_token, new_password='******') actor_obj = idm.read_actor_identity(actor_id) self.assertEquals(actor_obj.passwd_reset_token, None) self.assertRaises(Unauthorized, idm.reset_password, username=username, token_string=reset_token, new_password='******') def _do_test_auth_tokens(self, actor_id): # Note: test of service gateway token functionality is in SGS test token_str = self.identity_management_service.create_authentication_token( actor_id, validity=10000) self.assertIsInstance(token_str, str) self.assertGreaterEqual(len(token_str), 25) token_info = self.identity_management_service.check_authentication_token( token_str) self.assertEquals(token_info["actor_id"], actor_id) token_info = self.identity_management_service.check_authentication_token( token_str) self.assertGreaterEqual(int(token_info["expiry"]), get_ion_ts_millis()) with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token( actor_id="", validity=10000) with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token( actor_id, validity="FOO") with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token( actor_id, validity=-200) cur_time = get_ion_ts_millis() with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token( actor_id, start_time=str(cur_time - 100000), validity=50) with self.assertRaises(BadRequest): self.identity_management_service.create_authentication_token( actor_id, validity=35000000) with self.assertRaises(NotFound): self.identity_management_service.check_authentication_token( "UNKNOWN") token_str2 = self.identity_management_service.create_authentication_token( actor_id, validity=1) token_info = self.identity_management_service.check_authentication_token( token_str2) gevent.sleep(1.1) with self.assertRaises(Unauthorized): self.identity_management_service.check_authentication_token( token_str2) token = self.identity_management_service.read_authentication_token( token_str2) token.expires = str(cur_time + 5000) self.identity_management_service.update_authentication_token(token) token_info = self.identity_management_service.check_authentication_token( token_str2) token_str3 = self.identity_management_service.create_authentication_token( actor_id, validity=2) token_info = self.identity_management_service.check_authentication_token( token_str3) self.identity_management_service.invalidate_authentication_token( token_str3) with self.assertRaises(Unauthorized): self.identity_management_service.check_authentication_token( token_str3) token = self.identity_management_service.read_authentication_token( token_str3) self.assertEquals(token.token_string, token_str3) self.assertIn(token_str3, token._id) token.status = "OPEN" self.identity_management_service.update_authentication_token(token) token_info = self.identity_management_service.check_authentication_token( token_str3)