def test_with_alternate_context(self):
ctxt1 = context.RequestContext(auth_token='foo', project_id='foo')
ctxt2 = context.RequestContext(auth_token='bar',
project_id='alternate')
obj = MyObj.query(ctxt1)
obj.update_test(ctxt2)
self.assertEqual('alternate-context', obj.bar)
def before(self, state):
headers = state.request.headers
# Do not pass any token with context for noauth mode
auth_token = (None if cfg.CONF.auth_strategy == 'noauth' else
headers.get('X-Auth-Token'))
creds = {
'user': headers.get('X-User') or headers.get('X-User-Id'),
'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
'domain_id': headers.get('X-User-Domain-Id'),
'domain_name': headers.get('X-User-Domain-Name'),
'auth_token': auth_token,
'roles': headers.get('X-Roles', '').split(','),
}
# NOTE(adam_g): We also check the previous 'admin' rule to ensure
# compat with default juno policy.json. This double check may be
# removed in Liberty.
is_admin = (policy.enforce('admin_api', creds, creds)
or policy.enforce('admin', creds, creds))
is_public_api = state.request.environ.get('is_public_api', False)
show_password = policy.enforce('show_password', creds, creds)
state.request.context = context.RequestContext(
is_admin=is_admin,
is_public_api=is_public_api,
show_password=show_password,
**creds)
def get_client(token=None, context=None):
if not context:
context = ironic_context.RequestContext(auth_token=token)
# NOTE(pas-ha) neutronclient supports passing both session
# and the auth to client separately, makes things easier
session = _get_neutron_session()
service_auth = keystone.get_auth('neutron')
# TODO(pas-ha) remove in Rocky, always simply load from config
# 'noauth' then would correspond to 'auth_type=none' and
# 'endpoint_override'
adapter_params = {}
if (CONF.neutron.auth_strategy == 'noauth'
and CONF.neutron.auth_type is None):
CONF.set_override('auth_type', 'none', group='neutron')
if not CONF.neutron.endpoint_override:
adapter_params['endpoint_override'] = (CONF.neutron.url
or DEFAULT_NEUTRON_URL)
else:
if CONF.neutron.url and not CONF.neutron.endpoint_override:
adapter_params['endpoint_override'] = CONF.neutron.url
adapter = keystone.get_adapter('neutron', session=session,
auth=service_auth, **adapter_params)
endpoint = adapter.get_endpoint()
user_auth = None
if CONF.neutron.auth_type != 'none' and context.auth_token:
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
return clientv20.Client(session=session,
auth=user_auth or service_auth,
endpoint_override=endpoint,
retries=CONF.neutron.retries,
global_request_id=context.global_id)
def test_download_with_retries(self, mock_sleep):
tries = [0]
class MyGlanceStubClient(stubs.StubGlanceClient):
"""A client that fails the first time, then succeeds."""
def get(self, image_id):
if tries[0] == 0:
tries[0] = 1
raise glance_exc.ServiceUnavailable('')
else:
return {}
stub_client = MyGlanceStubClient()
stub_context = context.RequestContext(auth_token=True)
stub_context.user_id = 'fake'
stub_context.project_id = 'fake'
stub_service = image_service.GlanceImageService(
stub_client, stub_context)
image_id = uuidutils.generate_uuid()
writer = NullWriter()
# When retries are disabled, we should get an exception
self.config(num_retries=0, group='glance')
self.assertRaises(exception.GlanceConnectionFailed,
stub_service.download, image_id, writer)
# Now lets enable retries. No exception should happen now.
self.config(num_retries=1, group='glance')
importlib.reload(image_service)
stub_service = image_service.GlanceImageService(
stub_client, stub_context)
tries = [0]
stub_service.download(image_id, writer)
self.assertTrue(mock_sleep.called)
def setUp(self):
super(TestSwiftTempUrlCache, self).setUp()
client = stubs.StubGlanceClient()
self.context = context.RequestContext()
self.context.auth_token = 'fake'
self.config(swift_temp_url_expected_download_start_delay=100,
group='glance')
self.config(swift_temp_url_key='correcthorsebatterystaple',
group='glance')
self.config(swift_endpoint_url='https://swift.example.com',
group='glance')
self.config(swift_account='AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30',
group='glance')
self.config(swift_api_version='v1',
group='glance')
self.config(swift_container='glance',
group='glance')
self.config(swift_temp_url_duration=1200,
group='glance')
self.config(swift_temp_url_cache_enabled=True,
group='glance')
self.config(swift_store_multiple_containers_seed=0,
group='glance')
self.glance_service = service.GlanceImageService(client, version=2,
context=self.context)
def before(self, state):
headers = state.request.headers
# Do not pass any token with context for noauth mode
auth_token = (None if cfg.CONF.auth_strategy == 'noauth' else
headers.get('X-Auth-Token'))
creds = {
'user': headers.get('X-User') or headers.get('X-User-Id'),
'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
'domain_id': headers.get('X-User-Domain-Id'),
'domain_name': headers.get('X-User-Domain-Name'),
'auth_token': auth_token,
'roles': headers.get('X-Roles', '').split(','),
}
is_admin = policy.enforce('admin_api', creds, creds)
is_public_api = state.request.environ.get('is_public_api', False)
show_password = policy.enforce('show_password', creds, creds)
state.request.context = context.RequestContext(
is_admin=is_admin,
is_public_api=is_public_api,
show_password=show_password,
**creds)
def setUp(self):
super(TestRequestContextSerializer, self).setUp()
self.mock_serializer = mock.MagicMock()
self.serializer = rpc.RequestContextSerializer(self.mock_serializer)
self.context = ironic_context.RequestContext()
self.entity = {'foo': 'bar'}
def get_client(token=None, context=None, auth_from_config=False):
"""Retrieve a neutron client connection.
:param context: request context,
instance of ironic.common.context.RequestContext
:param auth_from_config: (boolean) When True, use auth values from
conf parameters
:returns: A neutron client.
"""
if not context:
context = ironic_context.RequestContext(auth_token=token)
session = _get_neutron_session()
service_auth = keystone.get_auth('neutron')
endpoint = keystone.get_endpoint('neutron',
session=session,
auth=service_auth)
user_auth = None
if (not auth_from_config and CONF.neutron.auth_type != 'none'
and context.auth_token):
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
sess = keystone.get_session('neutron',
timeout=CONF.neutron.timeout,
auth=user_auth or service_auth)
conn = openstack.connection.Connection(session=sess, oslo_conf=CONF)
return conn.global_request(context.global_id).network
def setUp(self):
super(TestGlanceImageService, self).setUp()
self.client = stubs.StubGlanceClient()
self.context = context.RequestContext(auth_token=True)
self.context.user_id = 'fake'
self.context.project_id = 'fake'
self.service = service.GlanceImageService(self.client, self.context)
def test_get_service_auth(self, token_mock, service_auth_mock):
ctxt = context.RequestContext(auth_token='spam')
mock_auth = mock.Mock()
self.assertEqual(service_auth_mock.return_value,
keystone.get_service_auth(ctxt, 'ham', mock_auth))
token_mock.assert_called_once_with('ham', 'spam')
service_auth_mock.assert_called_once_with(
user_auth=token_mock.return_value, service_auth=mock_auth)
def setUp(self):
super(TestGlanceImageService, self).setUp()
client = stubs.StubGlanceClient()
self.context = context.RequestContext(auth_token=True)
self.context.user_id = 'fake'
self.context.project_id = 'fake'
self.service = service.GlanceImageService(client, 1, self.context)
self.config(glance_api_servers=['http://localhost'], group='glance')
self.config(auth_strategy='keystone', group='glance')
def test_create_context(self, context_mock):
test_context = context.RequestContext()
context_mock.assert_called_once_with(
auth_token=None, user=None, tenant=None, is_admin=False,
read_only=False, show_deleted=False, request_id=None,
overwrite=True)
self.assertFalse(test_context.is_public_api)
self.assertIsNone(test_context.domain_id)
self.assertIsNone(test_context.domain_name)
self.assertEqual([], test_context.roles)
def test_to_policy_values(self):
ctx = context.RequestContext(**self.context_dict)
ctx_dict = ctx.to_policy_values()
self.assertEqual('user1', ctx_dict['user'])
self.assertEqual('user1', ctx_dict['user_id'])
self.assertEqual('tenant1', ctx_dict['tenant'])
self.assertEqual('tenant1', ctx_dict['project_id'])
self.assertEqual('somename', ctx_dict['project_name'])
self.assertTrue(ctx_dict['is_public_api'])
self.assertTrue(ctx_dict['is_admin_project'])
self.assertEqual('domain_id3', ctx_dict['domain_id'])
self.assertEqual('TreeDomain', ctx_dict['domain_name'])
self.assertEqual('domain_id3', ctx_dict['user_domain_id'])
self.assertEqual('domain_id4', ctx_dict['project_domain_id'])
self.assertEqual([], ctx_dict['roles'])
def test_to_dict(self):
ctx = context.RequestContext(**self.context_dict)
ctx_dict = ctx.to_dict()
self.assertEqual('auth_token1', ctx_dict['auth_token'])
self.assertEqual('user1', ctx_dict['user'])
self.assertEqual('tenant1', ctx_dict['tenant'])
self.assertTrue(ctx_dict['is_admin'])
self.assertTrue(ctx_dict['read_only'])
self.assertTrue(ctx_dict['show_deleted'])
self.assertEqual('id1', ctx_dict['request_id'])
self.assertTrue(ctx_dict['is_public_api'])
self.assertEqual('domain_id3', ctx_dict['domain_id'])
self.assertEqual('TreeDomain', ctx_dict['domain_name'])
self.assertEqual([], ctx_dict['roles'])
self.assertNotIn('overwrite', ctx_dict)
def test_client_httpforbidden_converts_to_imagenotauthed(self):
class MyGlanceStubClient(stubs.StubGlanceClient):
"""A client that raises a HTTPForbidden exception."""
def get(self, image_id):
raise glance_exc.HTTPForbidden(image_id)
stub_client = MyGlanceStubClient()
stub_context = context.RequestContext(auth_token=True)
stub_context.user_id = 'fake'
stub_context.project_id = 'fake'
stub_service = service.GlanceImageService(stub_client, 1, stub_context)
image_id = 1 # doesn't matter
writer = NullWriter()
self.assertRaises(exception.ImageNotAuthorized, stub_service.download,
image_id, writer)
def test_client_httpnotfound_converts_to_imagenotfound(self):
class MyGlanceStubClient(stubs.StubGlanceClient):
"""A client that raises a HTTPNotFound exception."""
def get(self, image_id):
raise glance_exc.HTTPNotFound(image_id)
stub_client = MyGlanceStubClient()
stub_context = context.RequestContext(auth_token=True)
stub_context.user_id = 'fake'
stub_context.project_id = 'fake'
stub_service = service.GlanceImageService(stub_client, 1, stub_context)
image_id = uuidutils.generate_uuid()
writer = NullWriter()
self.assertRaises(exception.ImageNotFound, stub_service.download,
image_id, writer)
def test_get_neutron_client_with_context(self, mock_client_init,
mock_session, mock_adapter,
mock_auth, mock_sauth):
self.context = context.RequestContext(global_request_id='global',
auth_token='test-token-123')
mock_adapter.return_value = adapter = mock.Mock()
adapter.get_endpoint.return_value = 'neutron_url'
self._call_and_assert_client(mock_client_init, 'neutron_url',
auth=mock.sentinel.sauth)
# testing handling of default url_timeout
mock_session.assert_called_once_with('neutron', timeout=10)
mock_adapter.assert_called_once_with('neutron',
session=mock.sentinel.session,
auth=mock.sentinel.auth)
mock_sauth.assert_called_once_with(self.context, 'neutron_url',
mock.sentinel.auth)
def set_context(self):
headers = self.request.headers
creds = {
'user': headers.get('X-User') or headers.get('X-User-Id'),
'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
'domain_id': headers.get('X-User-Domain-Id'),
'domain_name': headers.get('X-User-Domain-Name'),
'auth_token': headers.get('X-Auth-Token'),
'roles': headers.get('X-Roles', '').split(','),
}
is_admin = ('admin' in creds['roles']
or 'administrator' in creds['roles'])
is_public_api = self.request.environ.get('is_public_api', False)
self.request.context = context.RequestContext(
is_admin=is_admin, is_public_api=is_public_api, **creds)
def setUp(self):
super(TestGlanceSwiftTempURL, self).setUp()
client = stubs.StubGlanceClient()
self.context = context.RequestContext()
self.context.auth_token = 'fake'
self.service = image_service.GlanceImageService(client, self.context)
self.config(swift_temp_url_key='correcthorsebatterystaple',
group='glance')
self.config(swift_endpoint_url='https://swift.example.com',
group='glance')
self.config(swift_account='AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30',
group='glance')
self.config(swift_api_version='v1', group='glance')
self.config(swift_container='glance', group='glance')
self.config(swift_temp_url_duration=1200, group='glance')
self.config(swift_store_multiple_containers_seed=0, group='glance')
self.fake_image = {'id': '757274c4-2856-4bd2-bb20-9a4a231e187b'}
def setUp(self):
super(CheckImageServiceTestCase, self).setUp()
self.context = context.RequestContext(global_request_id='global')
self.service = image_service.GlanceImageService(None, self.context)
# NOTE(pas-ha) register keystoneauth dynamic options manually
plugin = kaloading.get_plugin_loader('password')
opts = kaloading.get_auth_plugin_conf_options(plugin)
self.cfg_fixture.register_opts(opts, group='glance')
self.config(auth_type='password',
auth_url='viking',
username='******',
password='******',
project_name='parrot',
service_type='image',
region_name='SomeRegion',
interface='internal',
group='glance')
image_service._GLANCE_SESSION = None
def setUp(self):
super(TestGlanceImageService, self).setUp()
client = stubs.StubGlanceClient()
self.context = context.RequestContext(auth_token=True)
self.context.user_id = 'fake'
self.context.project_id = 'fake'
self.service = service.GlanceImageService(client, 1, self.context)
self.config(glance_host='localhost', group='glance')
try:
self.config(auth_strategy='keystone', group='glance')
except Exception:
opts = [
cfg.StrOpt('auth_strategy', default='keystone'),
]
CONF.register_opts(opts)
return
def test_to_dict(self):
values = {
'auth_token': 'auth_token1',
"user": "******",
"tenant": "tenant1",
'is_admin': True,
'read_only': True,
'show_deleted': True,
'request_id': 'id1',
"is_public_api": True,
"domain_id": "domain_id1",
"domain_name": "domain_name1",
"show_password": False,
"roles": None,
"overwrite": True
}
ctx = context.RequestContext(**values)
ctx_dict = ctx.to_dict()
self.assertIn('auth_token', ctx_dict)
self.assertIn('user', ctx_dict)
self.assertIn('tenant', ctx_dict)
self.assertIn('is_admin', ctx_dict)
self.assertIn('read_only', ctx_dict)
self.assertIn('show_deleted', ctx_dict)
self.assertIn('request_id', ctx_dict)
self.assertIn('domain_id', ctx_dict)
self.assertIn('roles', ctx_dict)
self.assertIn('domain_name', ctx_dict)
self.assertIn('show_password', ctx_dict)
self.assertIn('is_public_api', ctx_dict)
self.assertNotIn('overwrite', ctx_dict)
self.assertEqual('auth_token1', ctx_dict['auth_token'])
self.assertEqual('user1', ctx_dict['user'])
self.assertEqual('tenant1', ctx_dict['tenant'])
self.assertTrue(ctx_dict['is_admin'])
self.assertTrue(ctx_dict['read_only'])
self.assertTrue(ctx_dict['show_deleted'])
self.assertEqual('id1', ctx_dict['request_id'])
self.assertTrue(ctx_dict['is_public_api'])
self.assertEqual('domain_id1', ctx_dict['domain_id'])
self.assertEqual('domain_name1', ctx_dict['domain_name'])
self.assertFalse(ctx_dict['show_password'])
self.assertEqual([], ctx_dict['roles'])
def test_download_file_url(self, mock_getsize, mock_sendfile):
# NOTE: only in v2 API
class MyGlanceStubClient(stubs.StubGlanceClient):
"""A client that returns a file url."""
s_tmpfname = '/whatever/source'
def get(self, image_id):
return type('GlanceTestDirectUrlMeta', (object,),
{'direct_url': 'file://%s' + self.s_tmpfname})
stub_context = context.RequestContext(auth_token=True)
stub_context.user_id = 'fake'
stub_context.project_id = 'fake'
stub_client = MyGlanceStubClient()
stub_service = service.GlanceImageService(stub_client,
context=stub_context,
version=2)
image_id = uuidutils.generate_uuid()
self.config(allowed_direct_url_schemes=['file'], group='glance')
# patching open in base_image_service module namespace
# to make call-spec assertions
with mock.patch('ironic.common.glance_service.base_image_service.open',
new=mock.mock_open(), create=True) as mock_ironic_open:
with open('/whatever/target', 'w') as mock_target_fd:
stub_service.download(image_id, mock_target_fd)
# assert the image data was neither read nor written
# but rather sendfiled
mock_ironic_open.assert_called_once_with(MyGlanceStubClient.s_tmpfname,
'r')
mock_source_fd = mock_ironic_open()
self.assertFalse(mock_source_fd.read.called)
self.assertFalse(mock_target_fd.write.called)
mock_sendfile.assert_called_once_with(
mock_target_fd.fileno(),
mock_source_fd.fileno(),
0,
mock_getsize(MyGlanceStubClient.s_tmpfname))
def setUp(self):
super(TestNeutronClient, self).setUp()
# NOTE(pas-ha) register keystoneauth dynamic options manually
plugin = kaloading.get_plugin_loader('password')
opts = kaloading.get_auth_plugin_conf_options(plugin)
self.cfg_fixture.register_opts(opts, group='neutron')
self.config(retries=2, group='neutron')
self.config(username='******',
project_name='test-admin-tenant',
password='******',
auth_url='test-auth-uri',
auth_type='password',
interface='internal',
service_type='network',
timeout=10,
group='neutron')
# force-reset the global session object
neutron._NEUTRON_SESSION = None
self.context = context.RequestContext(global_request_id='global')
def get_client(token=None, context=None):
if not context:
context = ironic_context.RequestContext(auth_token=token)
# NOTE(pas-ha) neutronclient supports passing both session
# and the auth to client separately, makes things easier
session = _get_neutron_session()
service_auth = keystone.get_auth('neutron')
endpoint = keystone.get_endpoint('neutron', session=session,
auth=service_auth)
user_auth = None
if CONF.neutron.auth_type != 'none' and context.auth_token:
user_auth = keystone.get_service_auth(context, endpoint, service_auth)
return clientv20.Client(session=session,
auth=user_auth or service_auth,
endpoint_override=endpoint,
retries=CONF.neutron.retries,
global_request_id=context.global_id,
timeout=CONF.neutron.request_timeout)
def before(self, state):
headers = state.request.headers
creds = {
'user': headers.get('X-User') or headers.get('X-User-Id'),
'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
'domain_id': headers.get('X-User-Domain-Id'),
'domain_name': headers.get('X-User-Domain-Name'),
'auth_token': headers.get('X-Auth-Token'),
'roles': headers.get('X-Roles', '').split(','),
}
# NOTE(adam_g): We also check the previous 'admin' rule to ensure
# compat with default juno policy.json. This double check may be
# removed in L.
is_admin = (policy.enforce('admin_api', creds, creds)
or policy.enforce('admin', creds, creds))
is_public_api = state.request.environ.get('is_public_api', False)
state.request.context = context.RequestContext(
is_admin=is_admin, is_public_api=is_public_api, **creds)
def before(self, state):
user_id = state.request.headers.get('X-User-Id')
user_id = state.request.headers.get('X-User', user_id)
tenant = state.request.headers.get('X-Tenant-Id')
tenant = state.request.headers.get('X-Tenant', tenant)
domain_id = state.request.headers.get('X-User-Domain-Id')
domain_name = state.request.headers.get('X-User-Domain-Name')
auth_token = state.request.headers.get('X-Auth-Token')
creds = {'roles': state.request.headers.get('X-Roles', '').split(',')}
is_public_api = state.request.environ.get('is_public_api', False)
is_admin = policy.check('admin', state.request.headers, creds)
state.request.context = context.RequestContext(
auth_token=auth_token,
user=user_id,
tenant=tenant,
domain_id=domain_id,
domain_name=domain_name,
is_admin=is_admin,
is_public_api=is_public_api)
def test_check_image_service__token_auth(self, mock_gclient, mock_sess,
mock_adapter, mock_sauth,
mock_auth):
def func(service, *args, **kwargs):
return args, kwargs
self.service.context = context.RequestContext(
auth_token='token', global_request_id='global')
mock_adapter.return_value = adapter = mock.Mock()
adapter.get_endpoint.return_value = 'glance_url'
uuid = uuidutils.generate_uuid()
params = {'image_href': uuid}
wrapped_func = image_service.check_image_service(func)
self.assertEqual(((), params), wrapped_func(self.service, **params))
self._assert_client_call(mock_gclient, 'glance_url', user=True)
mock_sess.assert_called_once_with('glance')
mock_adapter.assert_called_once_with('glance',
session=mock.sentinel.session,
auth=mock.sentinel.auth)
mock_sauth.assert_called_once_with(self.service.context, 'glance_url',
mock.sentinel.auth)
mock_auth.assert_called_once_with('glance')
def test_to_policy_values(self):
ctx = context.RequestContext(**self.context_dict)
ctx_dict = ctx.to_policy_values()
self.assertEqual('somename', ctx_dict['project_name'])
self.assertTrue(ctx_dict['is_public_api'])
def test_create_context(self, context_mock):
test_context = context.RequestContext()
context_mock.assert_called_once_with(mock.ANY)
self.assertFalse(test_context.is_public_api)
