def setUp(self):
# Start container
self._start_container()
self.container.start_rel_from_url('res/deploy/basic.yml')
self.resource_registry = ResourceRegistryServiceClient()
self.identity_management_service = IdentityManagementServiceClient()
self.org_client = OrgManagementServiceClient()
def setUp(self):
self._start_container()
self.container.start_rel_from_url('res/deploy/basic.yml')
self.resource_registry = ResourceRegistryServiceClient()
self.org_client = OrgManagementServiceClient()
self.idm_client = IdentityManagementServiceClient()
self.ui_server_proc = self.container.proc_manager.procs_by_name[
"ui_server"]
self.ui_base_url = self.ui_server_proc.base_url
self.sg_base_url = self.ui_server_proc.gateway_base_url
def setUp(self):
# Start container
self._start_container()
self.container.start_rel_from_url('res/deploy/basic.yml')
self.resource_registry = ResourceRegistryServiceClient()
self.identity_management_service = IdentityManagementServiceClient()
self.org_client = OrgManagementServiceClient()
def setUp(self):
self._start_container()
self.container.start_rel_from_url('res/deploy/basic.yml')
self.resource_registry = ResourceRegistryServiceClient()
self.org_client = OrgManagementServiceClient()
self.idm_client = IdentityManagementServiceClient()
self.ui_server_proc = self.container.proc_manager.procs_by_name["ui_server"]
self.ui_base_url = self.ui_server_proc.base_url
self.sg_base_url = self.ui_server_proc.gateway_base_url
def setUp(self):
self._start_container()
self.patch_alt_cfg('scion.process.preload.preloader.CFG',
{'scion': {'preload': {'enabled': False}}})
self.container.start_rel_from_url('res/deploy/scion.yml')
self.rr = self.container.resource_registry
self.scion_client = ScionManagementClient()
self.idm_client = IdentityManagementServiceClient()
self.system_actor_id = None
self.ui_server_proc = self.container.proc_manager.procs_by_name["ui_server"]
self.scion_proc = self.container.proc_manager.procs_by_name["scion_management"]
self.ui_base_url = self.ui_server_proc.base_url
self.sg_base_url = self.ui_server_proc.gateway_base_url
class TestIdentityManagementServiceInt(IonIntegrationTestCase):
def setUp(self):
# Start container
self._start_container()
self.container.start_rel_from_url('res/deploy/basic.yml')
self.resource_registry = ResourceRegistryServiceClient()
self.identity_management_service = IdentityManagementServiceClient()
self.org_client = OrgManagementServiceClient()
def test_actor_identity(self):
# TEST: Create, Update, Read
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.identity_management_service.create_actor_identity(actor_identity_obj)
actor_identity = self.identity_management_service.read_actor_identity(actor_id)
self.assertEquals(actor_identity_obj.name, actor_identity.name)
actor_identity.name = 'Updated name'
self.identity_management_service.update_actor_identity(actor_identity)
ai = self.identity_management_service.find_actor_identity_by_name(actor_identity.name)
self.assertEquals(ai.name, actor_identity.name)
with self.assertRaises(NotFound):
ai = self.identity_management_service.find_actor_identity_by_name("##FOO USER##")
self.assertEquals(ai.name, actor_identity.name)
# TEST: Actor credentials
self._do_test_credentials(actor_id)
# TEST: Identity details (user profile)
self._do_test_profile(actor_id)
# TEST: Password reset
self._do_test_password_reset(actor_id)
# TEST: Auth tokens
self._do_test_auth_tokens(actor_id)
# TEST: Delete
self.identity_management_service.delete_actor_identity(actor_id)
with self.assertRaises(NotFound) as cm:
self.identity_management_service.read_actor_identity(actor_id)
self.assertTrue("does not exist" in cm.exception.message)
with self.assertRaises(NotFound) as cm:
self.identity_management_service.delete_actor_identity(actor_id)
self.assertTrue("does not exist" in cm.exception.message)
def _do_test_credentials(self, actor_id):
actor_identity = self.identity_management_service.read_actor_identity(actor_id)
self.assertEquals(len(actor_identity.credentials), 0)
actor_cred = Credentials(username="******", password_hash="123", password_salt="foo")
self.identity_management_service.register_credentials(actor_id, actor_cred)
actor_identity = self.identity_management_service.read_actor_identity(actor_id)
self.assertEquals(len(actor_identity.credentials), 1)
self.assertEquals(actor_identity.credentials[0].username, "jdoe")
actor_id1 = self.identity_management_service.find_actor_identity_by_username("jdoe")
self.assertEquals(actor_id1, actor_id)
with self.assertRaises(NotFound):
self.identity_management_service.find_actor_identity_by_username("##FOO USER##")
self.identity_management_service.unregister_credentials(actor_id, "jdoe")
actor_identity = self.identity_management_service.read_actor_identity(actor_id)
self.assertEquals(len(actor_identity.credentials), 0)
self.identity_management_service.set_actor_credentials(actor_id, "jdoe1", "mypasswd")
actor_identity = self.identity_management_service.read_actor_identity(actor_id)
self.assertEquals(len(actor_identity.credentials), 1)
self.assertEquals(actor_identity.credentials[0].username, "jdoe1")
self.assertNotEquals(actor_identity.credentials[0].password_hash, "mypasswd")
actor_id1 = self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd")
self.assertEquals(actor_id1, actor_id)
with self.assertRaises(NotFound):
self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd1")
self.identity_management_service.set_user_password("jdoe1", "mypasswd1")
actor_id1 = self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd1")
self.assertEquals(actor_id1, actor_id)
for i in range(6):
with self.assertRaises(NotFound):
self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd0")
with self.assertRaises(NotFound):
self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd1")
self.identity_management_service.set_actor_auth_status(actor_id, AuthStatusEnum.ENABLED)
actor_id1 = self.identity_management_service.check_actor_credentials("jdoe1", "mypasswd1")
self.assertEquals(actor_id1, actor_id)
def _do_test_profile(self, actor_id):
actor_details1 = self.identity_management_service.read_identity_details(actor_id)
self.assertEquals(actor_details1, None)
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.identity_management_service.define_identity_details(actor_id, actor_details)
actor_details1 = self.identity_management_service.read_identity_details(actor_id)
self.assertEquals(actor_details1.contact.individual_names_given, actor_details.contact.individual_names_given)
def _do_test_password_reset(self, actor_id=''):
idm = self.identity_management_service
actor_obj = idm.read_actor_identity(actor_id)
username = actor_obj.credentials[0].username
reset_token = idm.request_password_reset(username=username)
actor_obj = idm.read_actor_identity(actor_id)
self.assertEquals(actor_obj.passwd_reset_token.token_type, TokenTypeEnum.ACTOR_RESET_PASSWD)
self.assertTrue(actor_obj.passwd_reset_token.token_string)
self.assertEquals(reset_token, actor_obj.passwd_reset_token.token_string)
self.assertRaises(Unauthorized, idm.reset_password,
username=username,
token_string='xxx', new_password='******')
idm.reset_password(username=username, token_string=reset_token, new_password='******')
actor_obj = idm.read_actor_identity(actor_id)
self.assertEquals(actor_obj.passwd_reset_token, None)
self.assertRaises(Unauthorized, idm.reset_password,
username=username,
token_string=reset_token, new_password='******')
def _do_test_auth_tokens(self, actor_id):
# Note: test of service gateway token functionality is in SGS test
token_str = self.identity_management_service.create_authentication_token(actor_id, validity=10000)
self.assertIsInstance(token_str, str)
self.assertGreaterEqual(len(token_str), 25)
token_info = self.identity_management_service.check_authentication_token(token_str)
self.assertEquals(token_info["actor_id"], actor_id)
token_info = self.identity_management_service.check_authentication_token(token_str)
self.assertGreaterEqual(int(token_info["expiry"]), get_ion_ts_millis())
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(actor_id="", validity=10000)
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(actor_id, validity="FOO")
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(actor_id, validity=-200)
cur_time = get_ion_ts_millis()
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(actor_id, start_time=str(cur_time-100000), validity=50)
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(actor_id, validity=35000000)
with self.assertRaises(NotFound):
self.identity_management_service.check_authentication_token("UNKNOWN")
token_str2 = self.identity_management_service.create_authentication_token(actor_id, validity=1)
token_info = self.identity_management_service.check_authentication_token(token_str2)
gevent.sleep(1.1)
with self.assertRaises(Unauthorized):
self.identity_management_service.check_authentication_token(token_str2)
token = self.identity_management_service.read_authentication_token(token_str2)
token.expires = str(cur_time + 5000)
self.identity_management_service.update_authentication_token(token)
token_info = self.identity_management_service.check_authentication_token(token_str2)
token_str3 = self.identity_management_service.create_authentication_token(actor_id, validity=2)
token_info = self.identity_management_service.check_authentication_token(token_str3)
self.identity_management_service.invalidate_authentication_token(token_str3)
with self.assertRaises(Unauthorized):
self.identity_management_service.check_authentication_token(token_str3)
token = self.identity_management_service.read_authentication_token(token_str3)
self.assertEquals(token.token_string, token_str3)
self.assertIn(token_str3, token._id)
token.status = "OPEN"
self.identity_management_service.update_authentication_token(token)
token_info = self.identity_management_service.check_authentication_token(token_str3)
class TestUIServer(IonIntegrationTestCase):
def setUp(self):
self._start_container()
self.container.start_rel_from_url('res/deploy/basic.yml')
self.resource_registry = ResourceRegistryServiceClient()
self.org_client = OrgManagementServiceClient()
self.idm_client = IdentityManagementServiceClient()
self.ui_server_proc = self.container.proc_manager.procs_by_name["ui_server"]
self.ui_base_url = self.ui_server_proc.base_url
self.sg_base_url = self.ui_server_proc.gateway_base_url
def test_ui_server(self):
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.idm_client.create_actor_identity(actor_identity_obj)
self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd")
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.idm_client.define_identity_details(actor_id, actor_details)
# TEST: Authentication
self._do_test_authentication()
# TEST: Service gateway
self._do_test_service_gateway(actor_id)
self.idm_client.delete_actor_identity(actor_id)
def _do_test_authentication(self):
session = requests.session()
# TEST: Login
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEquals("", resp_json["result"]["username"])
resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******"))
self._assert_json_response(resp, None, status=404)
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEquals("", resp_json["result"]["username"])
resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******"))
resp_json = self._assert_json_response(resp, None)
self.assertIn("actor_id", resp_json["result"])
self.assertIn("username", resp_json["result"])
self.assertIn("full_name", resp_json["result"])
self.assertEquals("jdoe", resp_json["result"]["username"])
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEquals("jdoe", resp_json["result"]["username"])
resp = session.get(self.ui_base_url + "/auth/logout")
self._assert_json_response(resp, "OK")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEquals("", resp_json["result"]["username"])
def _do_test_service_gateway(self, actor_id):
# We don't want to modify import order during testing, so import here
from ion.services.service_gateway import SG_IDENTIFICATION
session = requests.session()
# TEST: Service gateway available
resp = session.get(self.sg_base_url + "/")
self._assert_json_response(resp, SG_IDENTIFICATION)
# TEST: Login
resp = session.post(self.ui_base_url + "/auth/login", data=dict(username="******", password="******"))
resp_json = self._assert_json_response(resp, None)
self.assertEquals("jdoe", resp_json["result"]["username"])
# TEST: Service access
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True")
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
# Request as POST with JSON data
payload = dict(data=json.dumps(dict(params=dict(restype="ActorIdentity", id_only=True))))
resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload)
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
# Request as POST with JSON data and no params
payload = dict(data=json.dumps(dict(restype="ActorIdentity", id_only=True)))
resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload)
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
# Request as POST with params directly as form data
payload = dict(restype="ActorIdentity", id_only=True)
resp = session.post(self.sg_base_url + "/request/resource_registry/find_resources", data=payload)
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
resp = session.get(self.sg_base_url + "/request/resource_registry/read/" + actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
# TEST: REST API
resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity")
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, [o["_id"] for o in resp_json["result"]])
num_actors = len(resp_json["result"])
resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
# Form encoded create request
other_actor_obj = ActorIdentity(name="Jane Foo")
other_actor_obj.details = None
other_actor_obj_dict = other_actor_obj.__dict__.copy()
# Remove unseralizable attributes.
del other_actor_obj_dict['passwd_reset_token']
payload = dict(data=json.dumps(other_actor_obj_dict))
resp = session.post(self.sg_base_url + "/rest/identity_management/actor_identity", data=payload)
resp_json = self._assert_json_response(resp, None)
other_actor_id = resp_json["result"]
resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity")
resp_json = self._assert_json_response(resp, None)
self.assertEquals(len(resp_json["result"]), num_actors + 1)
resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
self.assertEquals(other_actor_id, resp_json["result"]["_id"])
# Form encoded update request
resp_json["result"]["name"] = "Jane Long"
payload = dict(data=json.dumps(resp_json["result"]))
resp = session.put(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id, data=payload)
resp_json = self._assert_json_response(resp, None)
resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
self.assertEquals("Jane Long", resp_json["result"]["name"])
# JSON enconded request
resp_json["result"]["name"] = "Jane Dunn"
payload = json.dumps(resp_json["result"])
resp = session.put(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id, data=payload,
headers={'Content-Type': CONT_TYPE_JSON})
resp_json = self._assert_json_response(resp, None)
resp = session.get(self.sg_base_url + "/rest/identity_management/actor_identity/" + other_actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
self.assertEquals("Jane Dunn", resp_json["result"]["name"])
def _assert_json_response(self, resp, result, status=200):
self.assertIn("application/json", resp.headers["content-type"])
if status:
self.assertEquals(status, resp.status_code)
resp_json = resp.json()
if result is not None:
self.assertIn("result", resp_json)
if type(result) in (str, unicode, int, long, float, bool):
self.assertEquals(result, resp_json["result"])
else:
self.fail("Unsupported result type")
return resp_json
def test_ui_oauth2(self):
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.idm_client.create_actor_identity(actor_identity_obj)
self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd")
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.idm_client.define_identity_details(actor_id, actor_details)
client_obj = ActorIdentity(name="UI Client", details=OAuthClientIdentityDetails(default_scopes="scioncc"))
client_actor_id = self.idm_client.create_actor_identity(client_obj)
client_id = "ui"
self.idm_client.set_actor_credentials(client_actor_id, "client:"+client_id, "client_secret")
session = requests.session()
# TEST: OAuth2 authorize
log.info("------------ Get token #1")
auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"}
resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params)
access_token = resp.json()
# TEST: Service access
log.info("------------ Access with token")
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None)
#self.assertIn(actor_id, resp_json["result"][0])
log.info("------------ Access with bad token")
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer FOOBAR"})
resp_json = self._assert_json_response(resp, None, status=401)
# TEST: Get session using token
log.info("------------ Get session using token")
resp = session.get(self.ui_base_url + "/auth/session",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None)
self.assertEqual(actor_id, resp_json["result"]["actor_id"])
# TEST: Get new access token
log.info("------------ Refresh token")
auth_params = {"client_id": client_id, "grant_type": "refresh_token", "refresh_token": access_token["refresh_token"]}
resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params)
access_token1 = resp.json()
with patch('ion.processes.ui.server.ui_instance.session_timeout', 2):
log.info("Patched server.session_timeout to %s", self.ui_server_proc.session_timeout)
session = requests.session()
log.info("------------ Get token #2 (with short expiration)")
auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"}
resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params)
access_token = resp.json()
# TEST: Service access
log.info("------------ Access before expired")
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(2)
# TEST: Service access fails after expiration
log.info("------------ Access after token expiration")
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None, status=401)
with patch('ion.processes.ui.server.ui_instance.session_timeout', 2), \
patch('ion.processes.ui.server.ui_instance.extend_session_timeout', True), \
patch('ion.processes.ui.server.ui_instance.max_session_validity', 3):
session = requests.session()
log.info("------------ Get token #3 (with short expiration)")
auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"}
resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params)
access_token = resp.json()
gevent.sleep(1)
# TEST: Service access extends expiration
log.info("------------ Access before expired should extend expiration")
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(1.1)
# TEST: Service access will fail unless was extended
log.info("------------ Access before expired after extension")
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(1.5)
# TEST: Service access fails after max validity
log.info("------------ Access after token expiration")
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None, status=401)
# TEST: Remember user from within session
session = requests.session()
log.info("------------ Get token #4")
auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"}
resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params)
access_token = resp.json()
# TEST: Get session without token tests remember user
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(actor_id, resp_json["result"]["actor_id"])
# TEST: Logout
log.info("------------ Logout")
resp = session.get(self.ui_base_url + "/auth/logout",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"], "OK")
# TEST: Get session without token after logout
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"]["actor_id"], "")
# TEST: Service access after logout
log.info("------------ Access with token after logout")
resp = session.get(self.sg_base_url + "/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer %s" % access_token["access_token"]})
resp_json = self._assert_json_response(resp, None, 401)
with patch('ion.processes.ui.server.ui_instance.remember_user', False):
session = requests.session()
log.info("------------ Get token #5")
auth_params = {"client_id": client_id, "grant_type": "password", "username": "******", "password": "******"}
resp = session.post(self.ui_base_url + "/oauth/token", data=auth_params)
access_token = resp.json()
# TEST: Get session without token fails if remember user is False
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"]["actor_id"], "")
class TestUIServer(IonIntegrationTestCase):
def setUp(self):
self._start_container()
self.container.start_rel_from_url('res/deploy/basic.yml')
self.resource_registry = ResourceRegistryServiceClient()
self.org_client = OrgManagementServiceClient()
self.idm_client = IdentityManagementServiceClient()
self.ui_server_proc = self.container.proc_manager.procs_by_name[
"ui_server"]
self.ui_base_url = self.ui_server_proc.base_url
self.sg_base_url = self.ui_server_proc.gateway_base_url
def test_ui_server(self):
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.idm_client.create_actor_identity(actor_identity_obj)
self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd")
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.idm_client.define_identity_details(actor_id, actor_details)
# TEST: Authentication
self._do_test_authentication()
# TEST: Service gateway
self._do_test_service_gateway(actor_id)
self.idm_client.delete_actor_identity(actor_id)
def _do_test_authentication(self):
session = requests.session()
# TEST: Login
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEquals("", resp_json["result"]["username"])
resp = session.post(self.ui_base_url + "/auth/login",
data=dict(username="******", password="******"))
self._assert_json_response(resp, None, status=404)
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEquals("", resp_json["result"]["username"])
resp = session.post(self.ui_base_url + "/auth/login",
data=dict(username="******", password="******"))
resp_json = self._assert_json_response(resp, None)
self.assertIn("actor_id", resp_json["result"])
self.assertIn("username", resp_json["result"])
self.assertIn("full_name", resp_json["result"])
self.assertEquals("jdoe", resp_json["result"]["username"])
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEquals("jdoe", resp_json["result"]["username"])
resp = session.get(self.ui_base_url + "/auth/logout")
self._assert_json_response(resp, "OK")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEquals("", resp_json["result"]["username"])
def _do_test_service_gateway(self, actor_id):
# We don't want to modify import order during testing, so import here
from ion.service.service_gateway import SG_IDENTIFICATION
session = requests.session()
# TEST: Service gateway available
resp = session.get(self.sg_base_url + "/")
self._assert_json_response(resp, SG_IDENTIFICATION)
# TEST: Login
resp = session.post(self.ui_base_url + "/auth/login",
data=dict(username="******", password="******"))
resp_json = self._assert_json_response(resp, None)
self.assertEquals("jdoe", resp_json["result"]["username"])
# TEST: Service access
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True"
)
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
# Request as POST with JSON data
payload = dict(data=json.dumps(
dict(params=dict(restype="ActorIdentity", id_only=True))))
resp = session.post(self.sg_base_url +
"/request/resource_registry/find_resources",
data=payload)
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
# Request as POST with JSON data and no params
payload = dict(
data=json.dumps(dict(restype="ActorIdentity", id_only=True)))
resp = session.post(self.sg_base_url +
"/request/resource_registry/find_resources",
data=payload)
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
# Request as POST with params directly as form data
payload = dict(restype="ActorIdentity", id_only=True)
resp = session.post(self.sg_base_url +
"/request/resource_registry/find_resources",
data=payload)
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
resp = session.get(self.sg_base_url +
"/request/resource_registry/read/" + actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
# Request as POST with params directly as form data with files content
payload = dict(id_only=True)
files = dict(restype=("restype", "ActorIdentity"))
resp = session.post(self.sg_base_url +
"/request/resource_registry/find_resources",
data=payload,
files=files)
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, resp_json["result"][0])
resp = session.get(self.sg_base_url +
"/request/resource_registry/read/" + actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
# TEST: REST API
resp = session.get(self.sg_base_url +
"/rest/identity_management/actor_identity")
resp_json = self._assert_json_response(resp, None)
self.assertIn(actor_id, [o["_id"] for o in resp_json["result"]])
num_actors = len(resp_json["result"])
resp = session.get(self.sg_base_url +
"/rest/identity_management/actor_identity/" +
actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
# Form encoded create request
other_actor_obj = ActorIdentity(name="Jane Foo")
other_actor_obj.details = None
other_actor_obj_dict = other_actor_obj.__dict__.copy()
# Remove unseralizable attributes.
del other_actor_obj_dict['passwd_reset_token']
payload = dict(data=json.dumps(other_actor_obj_dict))
resp = session.post(self.sg_base_url +
"/rest/identity_management/actor_identity",
data=payload)
resp_json = self._assert_json_response(resp, None)
other_actor_id = resp_json["result"]
resp = session.get(self.sg_base_url +
"/rest/identity_management/actor_identity")
resp_json = self._assert_json_response(resp, None)
self.assertEquals(len(resp_json["result"]), num_actors + 1)
resp = session.get(self.sg_base_url +
"/rest/identity_management/actor_identity/" +
other_actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
self.assertEquals(other_actor_id, resp_json["result"]["_id"])
# Form encoded update request
resp_json["result"]["name"] = "Jane Long"
payload = dict(data=json.dumps(resp_json["result"]))
resp = session.put(self.sg_base_url +
"/rest/identity_management/actor_identity/" +
other_actor_id,
data=payload)
resp_json = self._assert_json_response(resp, None)
resp = session.get(self.sg_base_url +
"/rest/identity_management/actor_identity/" +
other_actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
self.assertEquals("Jane Long", resp_json["result"]["name"])
# JSON enconded request
resp_json["result"]["name"] = "Jane Dunn"
payload = json.dumps(resp_json["result"])
resp = session.put(self.sg_base_url +
"/rest/identity_management/actor_identity/" +
other_actor_id,
data=payload,
headers={'Content-Type': CONT_TYPE_JSON})
resp_json = self._assert_json_response(resp, None)
resp = session.get(self.sg_base_url +
"/rest/identity_management/actor_identity/" +
other_actor_id)
resp_json = self._assert_json_response(resp, None)
self.assertIn("type_", resp_json["result"])
self.assertEquals("Jane Dunn", resp_json["result"]["name"])
def _assert_json_response(self, resp, result, status=200):
self.assertIn("application/json", resp.headers["content-type"])
if status:
self.assertEquals(status, resp.status_code)
resp_json = resp.json()
if result is not None:
self.assertIn("result", resp_json)
if type(result) in (str, unicode, int, long, float, bool):
self.assertEquals(result, resp_json["result"])
else:
self.fail("Unsupported result type")
return resp_json
def test_ui_oauth2(self):
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.idm_client.create_actor_identity(actor_identity_obj)
self.idm_client.set_actor_credentials(actor_id, "jdoe", "mypasswd")
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.idm_client.define_identity_details(actor_id, actor_details)
client_obj = ActorIdentity(
name="UI Client",
details=OAuthClientIdentityDetails(default_scopes="scioncc"))
client_actor_id = self.idm_client.create_actor_identity(client_obj)
client_id = "ui"
self.idm_client.set_actor_credentials(client_actor_id,
"client:" + client_id,
"client_secret")
session = requests.session()
# TEST: OAuth2 authorize
log.info("------------ Get token #1")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
# TEST: Service access
log.info("------------ Access with token")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
#self.assertIn(actor_id, resp_json["result"][0])
log.info("------------ Access with bad token")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={"Authorization": "Bearer FOOBAR"})
resp_json = self._assert_json_response(resp, None, status=401)
# TEST: Get session using token
log.info("------------ Get session using token")
resp = session.get(self.ui_base_url + "/auth/session",
headers={
"Authorization":
"Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
self.assertEqual(actor_id, resp_json["result"]["actor_id"])
# TEST: Get new access token
log.info("------------ Refresh token")
auth_params = {
"client_id": client_id,
"grant_type": "refresh_token",
"refresh_token": access_token["refresh_token"]
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token1 = resp.json()
with patch('ion.process.ui.server.ui_instance.session_timeout', 2):
log.info("Patched server.session_timeout to %s",
self.ui_server_proc.session_timeout)
session = requests.session()
log.info("------------ Get token #2 (with short expiration)")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
# TEST: Service access
log.info("------------ Access before expired")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(2)
# TEST: Service access fails after expiration
log.info("------------ Access after token expiration")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None, status=401)
with patch('ion.process.ui.server.ui_instance.session_timeout', 2), \
patch('ion.process.ui.server.ui_instance.extend_session_timeout', True), \
patch('ion.process.ui.server.ui_instance.max_session_validity', 3):
session = requests.session()
log.info("------------ Get token #3 (with short expiration)")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
gevent.sleep(1)
# TEST: Service access extends expiration
log.info(
"------------ Access before expired should extend expiration")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(1.1)
# TEST: Service access will fail unless was extended
log.info("------------ Access before expired after extension")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
gevent.sleep(1.5)
# TEST: Service access fails after max validity
log.info("------------ Access after token expiration")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None, status=401)
# TEST: Remember user from within session
session = requests.session()
log.info("------------ Get token #4")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
# TEST: Get session without token tests remember user
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(actor_id, resp_json["result"]["actor_id"])
# TEST: Logout
log.info("------------ Logout")
resp = session.get(self.ui_base_url + "/auth/logout",
headers={
"Authorization":
"Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"], "OK")
# TEST: Get session without token after logout
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"]["actor_id"], "")
# TEST: Service access after logout
log.info("------------ Access with token after logout")
resp = session.get(
self.sg_base_url +
"/request/resource_registry/find_resources?restype=ActorIdentity&id_only=True",
headers={
"Authorization": "Bearer %s" % access_token["access_token"]
})
resp_json = self._assert_json_response(resp, None, 401)
with patch('ion.process.ui.server.ui_instance.remember_user', False):
session = requests.session()
log.info("------------ Get token #5")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": "******",
"password": "******"
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
# TEST: Get session without token fails if remember user is False
log.info("------------ Get session without token")
resp = session.get(self.ui_base_url + "/auth/session")
resp_json = self._assert_json_response(resp, None)
self.assertEqual(resp_json["result"]["actor_id"], "")
def test_ui_oauth2_refresh_token(self):
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.idm_client.create_actor_identity(actor_identity_obj)
actor_name = "jdoe"
actor_password = "******"
self.idm_client.set_actor_credentials(actor_id, actor_name,
actor_password)
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.idm_client.define_identity_details(actor_id, actor_details)
client_obj = ActorIdentity(
name="UI Client",
details=OAuthClientIdentityDetails(default_scopes="scioncc"))
client_actor_id = self.idm_client.create_actor_identity(client_obj)
client_id = "ui"
self.idm_client.set_actor_credentials(client_actor_id,
"client:" + client_id,
"client_secret")
session = requests.session()
log.info("------------ Get token")
auth_params = {
"client_id": client_id,
"grant_type": "password",
"username": actor_name,
"password": actor_password
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
access_token = resp.json()
log.info("------------ Refresh token")
auth_params = {
"client_id": client_id,
"grant_type": "refresh_token",
"refresh_token": access_token["refresh_token"]
}
resp = session.post(self.ui_base_url + "/oauth/token",
data=auth_params)
updated_token = resp.json()
self.assertIsNotNone(updated_token)
self.assertNotIn("error", updated_token)
for item in [
"access_token", "token_type", "expires_in", "refresh_token",
"scope"
]:
self.assertIn(item, updated_token)
class TestIdentityManagementServiceInt(IonIntegrationTestCase):
def setUp(self):
# Start container
self._start_container()
self.container.start_rel_from_url('res/deploy/basic.yml')
self.resource_registry = ResourceRegistryServiceClient()
self.identity_management_service = IdentityManagementServiceClient()
self.org_client = OrgManagementServiceClient()
def test_actor_identity(self):
# TEST: Create, Update, Read
actor_identity_obj = ActorIdentity(name="John Doe")
actor_id = self.identity_management_service.create_actor_identity(
actor_identity_obj)
actor_identity = self.identity_management_service.read_actor_identity(
actor_id)
self.assertEquals(actor_identity_obj.name, actor_identity.name)
actor_identity.name = 'Updated name'
self.identity_management_service.update_actor_identity(actor_identity)
ai = self.identity_management_service.find_actor_identity_by_name(
actor_identity.name)
self.assertEquals(ai.name, actor_identity.name)
with self.assertRaises(NotFound):
ai = self.identity_management_service.find_actor_identity_by_name(
"##FOO USER##")
self.assertEquals(ai.name, actor_identity.name)
# TEST: Actor credentials
self._do_test_credentials(actor_id)
# TEST: Identity details (user profile)
self._do_test_profile(actor_id)
# TEST: Password reset
self._do_test_password_reset(actor_id)
# TEST: Auth tokens
self._do_test_auth_tokens(actor_id)
# TEST: Delete
self.identity_management_service.delete_actor_identity(actor_id)
with self.assertRaises(NotFound) as cm:
self.identity_management_service.read_actor_identity(actor_id)
self.assertTrue("does not exist" in cm.exception.message)
with self.assertRaises(NotFound) as cm:
self.identity_management_service.delete_actor_identity(actor_id)
self.assertTrue("does not exist" in cm.exception.message)
def _do_test_credentials(self, actor_id):
actor_identity = self.identity_management_service.read_actor_identity(
actor_id)
self.assertEquals(len(actor_identity.credentials), 0)
actor_cred = Credentials(username="******",
password_hash="123",
password_salt="foo")
self.identity_management_service.register_credentials(
actor_id, actor_cred)
actor_identity = self.identity_management_service.read_actor_identity(
actor_id)
self.assertEquals(len(actor_identity.credentials), 1)
self.assertEquals(actor_identity.credentials[0].username, "jdoe")
actor_id1 = self.identity_management_service.find_actor_identity_by_username(
"jdoe")
self.assertEquals(actor_id1, actor_id)
with self.assertRaises(NotFound):
self.identity_management_service.find_actor_identity_by_username(
"##FOO USER##")
self.identity_management_service.unregister_credentials(
actor_id, "jdoe")
actor_identity = self.identity_management_service.read_actor_identity(
actor_id)
self.assertEquals(len(actor_identity.credentials), 0)
self.identity_management_service.set_actor_credentials(
actor_id, "jdoe1", "mypasswd")
actor_identity = self.identity_management_service.read_actor_identity(
actor_id)
self.assertEquals(len(actor_identity.credentials), 1)
self.assertEquals(actor_identity.credentials[0].username, "jdoe1")
self.assertNotEquals(actor_identity.credentials[0].password_hash,
"mypasswd")
actor_id1 = self.identity_management_service.check_actor_credentials(
"jdoe1", "mypasswd")
self.assertEquals(actor_id1, actor_id)
with self.assertRaises(NotFound):
self.identity_management_service.check_actor_credentials(
"jdoe1", "mypasswd1")
self.identity_management_service.set_user_password(
"jdoe1", "mypasswd1")
actor_id1 = self.identity_management_service.check_actor_credentials(
"jdoe1", "mypasswd1")
self.assertEquals(actor_id1, actor_id)
for i in range(6):
with self.assertRaises(NotFound):
self.identity_management_service.check_actor_credentials(
"jdoe1", "mypasswd0")
with self.assertRaises(NotFound):
self.identity_management_service.check_actor_credentials(
"jdoe1", "mypasswd1")
self.identity_management_service.set_actor_auth_status(
actor_id, AuthStatusEnum.ENABLED)
actor_id1 = self.identity_management_service.check_actor_credentials(
"jdoe1", "mypasswd1")
self.assertEquals(actor_id1, actor_id)
def _do_test_profile(self, actor_id):
actor_details1 = self.identity_management_service.read_identity_details(
actor_id)
self.assertEquals(actor_details1, None)
actor_details = UserIdentityDetails()
actor_details.contact.individual_names_given = "John"
actor_details.contact.individual_name_family = "Doe"
self.identity_management_service.define_identity_details(
actor_id, actor_details)
actor_details1 = self.identity_management_service.read_identity_details(
actor_id)
self.assertEquals(actor_details1.contact.individual_names_given,
actor_details.contact.individual_names_given)
def _do_test_password_reset(self, actor_id=''):
idm = self.identity_management_service
actor_obj = idm.read_actor_identity(actor_id)
username = actor_obj.credentials[0].username
reset_token = idm.request_password_reset(username=username)
actor_obj = idm.read_actor_identity(actor_id)
self.assertEquals(actor_obj.passwd_reset_token.token_type,
TokenTypeEnum.ACTOR_RESET_PASSWD)
self.assertTrue(actor_obj.passwd_reset_token.token_string)
self.assertEquals(reset_token,
actor_obj.passwd_reset_token.token_string)
self.assertRaises(Unauthorized,
idm.reset_password,
username=username,
token_string='xxx',
new_password='******')
idm.reset_password(username=username,
token_string=reset_token,
new_password='******')
actor_obj = idm.read_actor_identity(actor_id)
self.assertEquals(actor_obj.passwd_reset_token, None)
self.assertRaises(Unauthorized,
idm.reset_password,
username=username,
token_string=reset_token,
new_password='******')
def _do_test_auth_tokens(self, actor_id):
# Note: test of service gateway token functionality is in SGS test
token_str = self.identity_management_service.create_authentication_token(
actor_id, validity=10000)
self.assertIsInstance(token_str, str)
self.assertGreaterEqual(len(token_str), 25)
token_info = self.identity_management_service.check_authentication_token(
token_str)
self.assertEquals(token_info["actor_id"], actor_id)
token_info = self.identity_management_service.check_authentication_token(
token_str)
self.assertGreaterEqual(int(token_info["expiry"]), get_ion_ts_millis())
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(
actor_id="", validity=10000)
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(
actor_id, validity="FOO")
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(
actor_id, validity=-200)
cur_time = get_ion_ts_millis()
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(
actor_id, start_time=str(cur_time - 100000), validity=50)
with self.assertRaises(BadRequest):
self.identity_management_service.create_authentication_token(
actor_id, validity=35000000)
with self.assertRaises(NotFound):
self.identity_management_service.check_authentication_token(
"UNKNOWN")
token_str2 = self.identity_management_service.create_authentication_token(
actor_id, validity=1)
token_info = self.identity_management_service.check_authentication_token(
token_str2)
gevent.sleep(1.1)
with self.assertRaises(Unauthorized):
self.identity_management_service.check_authentication_token(
token_str2)
token = self.identity_management_service.read_authentication_token(
token_str2)
token.expires = str(cur_time + 5000)
self.identity_management_service.update_authentication_token(token)
token_info = self.identity_management_service.check_authentication_token(
token_str2)
token_str3 = self.identity_management_service.create_authentication_token(
actor_id, validity=2)
token_info = self.identity_management_service.check_authentication_token(
token_str3)
self.identity_management_service.invalidate_authentication_token(
token_str3)
with self.assertRaises(Unauthorized):
self.identity_management_service.check_authentication_token(
token_str3)
token = self.identity_management_service.read_authentication_token(
token_str3)
self.assertEquals(token.token_string, token_str3)
self.assertIn(token_str3, token._id)
token.status = "OPEN"
self.identity_management_service.update_authentication_token(token)
token_info = self.identity_management_service.check_authentication_token(
token_str3)
