def test_list_head_groups_for_user(self):
"""Call ``GET & HEAD /users/{user_id}/groups``."""
user1 = unit.create_user(self.identity_api, domain_id=self.domain["id"])
user2 = unit.create_user(self.identity_api, domain_id=self.domain["id"])
self.put("/groups/%(group_id)s/users/%(user_id)s" % {"group_id": self.group_id, "user_id": user1["id"]})
# Scenarios below are written to test the default policy configuration
# One should be allowed to list one's own groups
auth = self.build_authentication_request(user_id=user1["id"], password=user1["password"])
resource_url = "/users/%(user_id)s/groups" % {"user_id": user1["id"]}
r = self.get(resource_url, auth=auth)
self.assertValidGroupListResponse(r, ref=self.group, resource_url=resource_url)
self.head(resource_url, auth=auth, expected_status=http_client.OK)
# Administrator is allowed to list others' groups
resource_url = "/users/%(user_id)s/groups" % {"user_id": user1["id"]}
r = self.get(resource_url)
self.assertValidGroupListResponse(r, ref=self.group, resource_url=resource_url)
self.head(resource_url, expected_status=http_client.OK)
# Ordinary users should not be allowed to list other's groups
auth = self.build_authentication_request(user_id=user2["id"], password=user2["password"])
resource_url = "/users/%(user_id)s/groups" % {"user_id": user1["id"]}
self.get(resource_url, auth=auth, expected_status=exception.ForbiddenAction.code)
self.head(resource_url, auth=auth, expected_status=exception.ForbiddenAction.code)
def setUp(self):
super(SecurityRequirementsTestCase, self).setUp()
# Create a user in the default domain
self.non_admin_user = unit.create_user(self.identity_api,
CONF.identity.default_domain_id)
# Create an admin in the default domain
self.admin_user = unit.create_user(self.identity_api,
CONF.identity.default_domain_id)
# Create a project in the default domain and a non-admin role
self.project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id)
self.resource_api.create_project(self.project['id'], self.project)
self.non_admin_role = unit.new_role_ref(name='not_admin')
self.role_api.create_role(self.non_admin_role['id'],
self.non_admin_role)
# Give the non-admin user a role on the project
self.assignment_api.add_role_to_user_and_project(
self.non_admin_user['id'], self.project['id'], self.role['id'])
# Give the user the admin role on the project, which is technically
# `self.role` because RestfulTestCase sets that up for us.
self.assignment_api.add_role_to_user_and_project(
self.admin_user['id'], self.project['id'], self.role_id)
def load_sample_data(self):
self._populate_default_domain()
self.domain = unit.new_domain_ref()
self.domain_id = self.domain['id']
self.resource_api.create_domain(self.domain_id, self.domain)
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.resource_api.create_project(self.project_id, self.project)
self.user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.user_id = self.user['id']
self.default_domain_project_id = uuid.uuid4().hex
self.default_domain_project = unit.new_project_ref(
domain_id=DEFAULT_DOMAIN_ID)
self.default_domain_project['id'] = self.default_domain_project_id
self.resource_api.create_project(self.default_domain_project_id,
self.default_domain_project)
self.default_domain_user = unit.create_user(
self.identity_api,
domain_id=DEFAULT_DOMAIN_ID)
self.default_domain_user_id = self.default_domain_user['id']
# create & grant policy.json's default role for admin_required
self.role = unit.new_role_ref(name='admin')
self.role_id = self.role['id']
self.role_api.create_role(self.role_id, self.role)
self.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, self.role_id)
self.assignment_api.add_role_to_user_and_project(
self.default_domain_user_id, self.default_domain_project_id,
self.role_id)
self.assignment_api.add_role_to_user_and_project(
self.default_domain_user_id, self.project_id,
self.role_id)
self.region = unit.new_region_ref()
self.region_id = self.region['id']
self.catalog_api.create_region(self.region)
self.service = unit.new_service_ref()
self.service_id = self.service['id']
self.catalog_api.create_service(self.service_id, self.service.copy())
self.endpoint = unit.new_endpoint_ref(service_id=self.service_id,
interface='public',
region_id=self.region_id)
self.endpoint_id = self.endpoint['id']
self.catalog_api.create_endpoint(self.endpoint_id,
self.endpoint.copy())
# The server adds 'enabled' and defaults to True.
self.endpoint['enabled'] = True
def test_list_groups_for_user_filtered(self):
domain = self._get_domain_fixture()
test_groups = []
test_users = []
GROUP_COUNT = 3
USER_COUNT = 2
positive_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
negative_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
for x in range(0, USER_COUNT):
group_refs = PROVIDERS.identity_api.list_groups_for_user(
test_users[x]['id'])
self.assertEqual(0, len(group_refs))
for x in range(0, GROUP_COUNT):
new_group = unit.new_group_ref(domain_id=domain['id'])
new_group = PROVIDERS.identity_api.create_group(new_group)
test_groups.append(new_group)
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x, len(group_refs))
PROVIDERS.identity_api.add_user_to_group(
positive_user['id'],
new_group['id'])
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x + 1, len(group_refs))
group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver = PROVIDERS.identity_api._select_identity_driver(
CONF.identity.default_domain_id)
driver.group.ldap_filter = '(dn=xx)'
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(0, len(group_refs))
group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver.group.ldap_filter = '(objectclass=*)'
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(GROUP_COUNT, len(group_refs))
group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
def test_list_groups_for_user_filtered(self):
domain = self._get_domain_fixture()
test_groups = []
test_users = []
GROUP_COUNT = 3
USER_COUNT = 2
positive_user = unit.create_user(self.identity_api, domain['id'])
negative_user = unit.create_user(self.identity_api, domain['id'])
for x in range(0, USER_COUNT):
group_refs = self.identity_api.list_groups_for_user(
test_users[x]['id'])
self.assertEqual(0, len(group_refs))
for x in range(0, GROUP_COUNT):
new_group = unit.new_group_ref(domain_id=domain['id'])
new_group = self.identity_api.create_group(new_group)
test_groups.append(new_group)
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x, len(group_refs))
self.identity_api.add_user_to_group(
positive_user['id'],
new_group['id'])
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x + 1, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver = self.identity_api._select_identity_driver(
CONF.identity.default_domain_id)
driver.group.ldap_filter = '(dn=xx)'
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(0, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver.group.ldap_filter = '(objectclass=*)'
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(GROUP_COUNT, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
def test_can_get_security_compliance_config_with_user_from_other_domain(self): # noqa: E501
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
# Create a user in the new domain
user = unit.create_user(PROVIDERS.identity_api, domain['id'])
# Create a project in the new domain
project = unit.new_project_ref(domain_id=domain['id'])
PROVIDERS.resource_api.create_project(project['id'], project)
role = unit.new_role_ref()
PROVIDERS.role_api.create_role(role['id'], role)
# Give the new user a non-admin role on the project
PROVIDERS.assignment_api.add_role_to_user_and_project(
user['id'],
project['id'],
role['id']
)
password_regex = uuid.uuid4().hex
password_regex_description = uuid.uuid4().hex
group = 'security_compliance'
self.config_fixture.config(
group=group,
password_regex=password_regex
)
self.config_fixture.config(
group=group,
password_regex_description=password_regex_description
)
with self.test_client() as c:
c.get('/v3/domains/%s/config/security_compliance'
% CONF.identity.default_domain_id, headers=self.headers)
def test_token_revoked_once_domain_disabled(self):
"""Test token from a disabled domain has been invalidated.
Test that a token that was valid for an enabled domain
becomes invalid once that domain is disabled.
"""
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain["id"], domain)
user2 = unit.create_user(self.identity_api, domain_id=domain["id"])
# build a request body
auth_body = self.build_authentication_request(user_id=user2["id"], password=user2["password"])
# sends a request for the user's token
token_resp = self.post("/auth/tokens", body=auth_body)
subject_token = token_resp.headers.get("x-subject-token")
# validates the returned token and it should be valid.
self.head("/auth/tokens", headers={"x-subject-token": subject_token}, expected_status=http_client.OK)
# now disable the domain
domain["enabled"] = False
url = "/domains/%(domain_id)s" % {"domain_id": domain["id"]}
self.patch(url, body={"domain": {"enabled": False}})
# validates the same token again and it should be 'not found'
# as the domain has already been disabled.
self.head("/auth/tokens", headers={"x-subject-token": subject_token}, expected_status=http_client.NOT_FOUND)
def test_update_user_with_invalid_password(self):
user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
user['password'] = '******'
self.patch('/users/%(user_id)s' % {'user_id': user['id']},
body={'user': user},
expected_status=http_client.BAD_REQUEST)
def test_update_credential_non_owner(self):
"""Call ``PATCH /credentials/{credential_id}``."""
alt_user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
alt_user_id = alt_user['id']
alt_project = unit.new_project_ref(domain_id=self.domain_id)
alt_project_id = alt_project['id']
PROVIDERS.resource_api.create_project(alt_project['id'], alt_project)
alt_role = unit.new_role_ref(name='reader')
alt_role_id = alt_role['id']
PROVIDERS.role_api.create_role(alt_role_id, alt_role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
alt_user_id, alt_project_id, alt_role_id)
auth = self.build_authentication_request(user_id=alt_user_id,
password=alt_user['password'],
project_id=alt_project_id)
ref = unit.new_credential_ref(user_id=alt_user_id,
project_id=alt_project_id)
r = self.post('/credentials', auth=auth, body={'credential': ref})
self.assertValidCredentialResponse(r, ref)
credential_id = r.result.get('credential')['id']
# Cannot change the credential to be owned by another user
update_ref = {'user_id': self.user_id, 'project_id': self.project_id}
self.patch('/credentials/%(credential_id)s' %
{'credential_id': credential_id},
expected_status=403,
auth=auth,
body={'credential': update_ref})
def test_can_handle_missing_certs(self):
controller = token.controllers.Auth()
self.config_fixture.config(group="signing", certfile="invalid")
user = unit.create_user(self.identity_api, domain_id=CONF.identity.default_domain_id)
body_dict = {"passwordCredentials": {"userId": user["id"], "password": user["password"]}}
self.assertRaises(exception.UnexpectedError, controller.authenticate, self.make_request(), body_dict)
def test_admin_password_reset(self):
# bootstrap a user as admin
user_ref = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
# auth as user should work before a password change
old_password_auth = self.build_authentication_request(
user_id=user_ref['id'],
password=user_ref['password'])
r = self.v3_create_token(old_password_auth)
old_token = r.headers.get('X-Subject-Token')
# auth as user with a token should work before a password change
old_token_auth = self.build_authentication_request(token=old_token)
self.v3_create_token(old_token_auth)
# administrative password reset
new_password = uuid.uuid4().hex
self.patch('/users/%s' % user_ref['id'],
body={'user': {'password': new_password}})
# auth as user with original password should not work after change
self.v3_create_token(old_password_auth,
expected_status=http_client.UNAUTHORIZED)
# auth as user with an old token should not work after change
self.v3_create_token(old_token_auth,
expected_status=http_client.NOT_FOUND)
# new password should work
new_password_auth = self.build_authentication_request(
user_id=user_ref['id'],
password=new_password)
self.v3_create_token(new_password_auth)
def test_create_application_credential_wrong_user(self):
wrong_user = unit.create_user(PROVIDERS.identity_api,
test_v3.DEFAULT_DOMAIN_ID)
roles = [{'id': self.role_id}]
app_cred_body = self._app_cred_body(roles=roles)
self.post('/users/%s/application_credentials' % wrong_user['id'],
body=app_cred_body,
expected_status=http_client.FORBIDDEN)
def test_create_application_credential_wrong_user(self):
wrong_user = unit.create_user(PROVIDERS.identity_api,
test_v3.DEFAULT_DOMAIN_ID)
roles = [{'id': self.role_id}]
app_cred_body = self._app_cred_body(roles=roles)
self.post('/users/%s/application_credentials' % wrong_user['id'],
body=app_cred_body,
expected_status=http_client.FORBIDDEN)
def test_update_user_with_invalid_password(self):
user = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
user['password'] = '******'
self.patch('/users/%(user_id)s' % {
'user_id': user['id']},
body={'user': user},
expected_status=http_client.BAD_REQUEST)
def test_list_users_with_multiple_backends(self):
"""Call ``GET /users`` when multiple backends is enabled.
In this scenario, the controller requires a domain to be specified
either as a filter or by using a domain scoped token.
"""
self.config_fixture.config(group='identity',
domain_specific_drivers_enabled=True)
# Create a new domain with a new project and user
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
# Create both project and domain role grants for the user so we
# can get both project and domain scoped tokens
self.assignment_api.create_grant(role_id=self.role_id,
user_id=user['id'],
domain_id=domain['id'])
self.assignment_api.create_grant(role_id=self.role_id,
user_id=user['id'],
project_id=project['id'])
dom_auth = self.build_authentication_request(user_id=user['id'],
password=user['password'],
domain_id=domain['id'])
project_auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
project_id=project['id'])
# First try using a domain scoped token
resource_url = '/users'
r = self.get(resource_url, auth=dom_auth)
self.assertValidUserListResponse(r,
ref=user,
resource_url=resource_url)
# Now try using a project scoped token
resource_url = '/users'
r = self.get(resource_url, auth=project_auth)
self.assertValidUserListResponse(r,
ref=user,
resource_url=resource_url)
# Now try with an explicit filter
resource_url = ('/users?domain_id=%(domain_id)s' % {
'domain_id': domain['id']
})
r = self.get(resource_url)
self.assertValidUserListResponse(r,
ref=user,
resource_url=resource_url)
def load_sample_data(self):
"""Create sample data for these tests.
As well as the usual housekeeping, create a set of domains,
users, roles and projects for the subsequent tests:
- Three domains: A,B & C. C is disabled.
- DomainA has user1, DomainB has user2 and user3
- DomainA has group1 and group2, DomainB has group3
- User1 has a role on DomainA
Remember that there will also be a fourth domain in existence,
the default domain.
"""
# Start by creating a few domains
self._populate_default_domain()
self.domainA = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
self.domainC = unit.new_domain_ref()
self.domainC['enabled'] = False
PROVIDERS.resource_api.create_domain(self.domainC['id'], self.domainC)
# Now create some users, one in domainA and two of them in domainB
self.user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id'])
self.user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id'])
self.user3 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id'])
self.role = unit.new_role_ref()
PROVIDERS.role_api.create_role(self.role['id'], self.role)
PROVIDERS.assignment_api.create_grant(
self.role['id'], user_id=self.user1['id'],
domain_id=self.domainA['id']
)
# A default auth request we can use - un-scoped user token
self.auth = self.build_authentication_request(
user_id=self.user1['id'],
password=self.user1['password'])
def test_get_security_compliance_config_with_user_from_other_domain(self):
"""Make sure users from other domains can access password requirements.
Even though a user is in a separate domain, they should be able to see
the security requirements for the deployment. This is because security
compliance is not yet implemented on a per domain basis. Once that
happens, then this should no longer be possible since a user should
only care about the security compliance requirements for the domain
that they are in.
"""
# Make a new domain
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
# Create a user in the new domain
user = unit.create_user(self.identity_api, domain['id'])
# Create a project in the new domain
project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project)
# Give the new user a non-admin role on the project
self.assignment_api.add_role_to_user_and_project(
user['id'], project['id'], self.non_admin_role['id'])
# Set our security compliance config values, we do this after we've
# created our test user otherwise password validation will fail with a
# uuid type regex.
password_regex = uuid.uuid4().hex
password_regex_description = uuid.uuid4().hex
group = 'security_compliance'
self.config_fixture.config(group=group, password_regex=password_regex)
self.config_fixture.config(
group=group, password_regex_description=password_regex_description)
# Get a token for the newly created user scoped to the project in the
# non-default domain and use it to get the password security
# requirements.
user_token = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
project_id=project['id'])
user_token = self.get_requested_token(user_token)
url = ('/domains/%(domain_id)s/config/%(group)s' % {
'domain_id': CONF.identity.default_domain_id,
'group': group,
})
response = self.get(url, token=user_token)
self.assertEqual(response.result['config'][group]['password_regex'],
password_regex)
self.assertEqual(
response.result['config'][group]['password_regex_description'],
password_regex_description)
# Ensure HEAD requests behave the same way
self.head(url, token=user_token, expected_status=http_client.OK)
def _create_user_and_authenticate(self, password):
user = unit.create_user(PROVIDERS.identity_api,
CONF.identity.default_domain_id,
password=password)
with self.make_request():
PROVIDERS.identity_api.authenticate(user_id=user['id'],
password=password)
return PROVIDERS.identity_api.get_user(user['id'])
def load_sample_data(self):
"""Create sample data for these tests.
As well as the usual housekeeping, create a set of domains,
users, roles and projects for the subsequent tests:
- Three domains: A,B & C. C is disabled.
- DomainA has user1, DomainB has user2 and user3
- DomainA has group1 and group2, DomainB has group3
- User1 has a role on DomainA
Remember that there will also be a fourth domain in existence,
the default domain.
"""
# Start by creating a few domains
self._populate_default_domain()
self.domainA = unit.new_domain_ref()
self.resource_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = unit.new_domain_ref()
self.resource_api.create_domain(self.domainB['id'], self.domainB)
self.domainC = unit.new_domain_ref()
self.domainC['enabled'] = False
self.resource_api.create_domain(self.domainC['id'], self.domainC)
# Now create some users, one in domainA and two of them in domainB
self.user1 = unit.create_user(self.identity_api,
domain_id=self.domainA['id'])
self.user2 = unit.create_user(self.identity_api,
domain_id=self.domainB['id'])
self.user3 = unit.create_user(self.identity_api,
domain_id=self.domainB['id'])
self.role = unit.new_role_ref()
self.role_api.create_role(self.role['id'], self.role)
self.assignment_api.create_grant(self.role['id'],
user_id=self.user1['id'],
domain_id=self.domainA['id'])
# A default auth request we can use - un-scoped user token
self.auth = self.build_authentication_request(
user_id=self.user1['id'],
password=self.user1['password'])
def test_list_users_with_multiple_backends(self):
"""Call ``GET /users`` when multiple backends is enabled.
In this scenario, the controller requires a domain to be specified
either as a filter or by using a domain scoped token.
"""
self.config_fixture.config(group='identity',
domain_specific_drivers_enabled=True)
# Create a new domain with a new project and user
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
# Create both project and domain role grants for the user so we
# can get both project and domain scoped tokens
self.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
domain_id=domain['id'])
self.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
project_id=project['id'])
dom_auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
domain_id=domain['id'])
project_auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
project_id=project['id'])
# First try using a domain scoped token
resource_url = '/users'
r = self.get(resource_url, auth=dom_auth)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
# Now try using a project scoped token
resource_url = '/users'
r = self.get(resource_url, auth=project_auth)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
# Now try with an explicit filter
resource_url = ('/users?domain_id=%(domain_id)s' %
{'domain_id': domain['id']})
r = self.get(resource_url)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
def test_list_head_groups_for_user(self):
"""Call ``GET & HEAD /users/{user_id}/groups``."""
user1 = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
user2 = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id,
'user_id': user1['id']
})
# Scenarios below are written to test the default policy configuration
# One should be allowed to list one's own groups
auth = self.build_authentication_request(user_id=user1['id'],
password=user1['password'])
resource_url = ('/users/%(user_id)s/groups' % {'user_id': user1['id']})
r = self.get(resource_url, auth=auth)
self.assertValidGroupListResponse(r,
ref=self.group,
resource_url=resource_url)
self.head(resource_url, auth=auth, expected_status=http_client.OK)
# Administrator is allowed to list others' groups
resource_url = ('/users/%(user_id)s/groups' % {'user_id': user1['id']})
r = self.get(resource_url)
self.assertValidGroupListResponse(r,
ref=self.group,
resource_url=resource_url)
self.head(resource_url, expected_status=http_client.OK)
# Ordinary users should not be allowed to list other's groups
auth = self.build_authentication_request(user_id=user2['id'],
password=user2['password'])
resource_url = '/users/%(user_id)s/groups' % {'user_id': user1['id']}
self.get(resource_url,
auth=auth,
expected_status=exception.ForbiddenAction.code)
self.head(resource_url,
auth=auth,
expected_status=exception.ForbiddenAction.code)
def test_create_application_credential_wrong_user(self):
wrong_user = unit.create_user(PROVIDERS.identity_api,
test_v3.DEFAULT_DOMAIN_ID)
with self.test_client() as c:
roles = [{'id': self.role_id}]
app_cred_body = self._app_cred_body(roles=roles)
token = self.get_scoped_token()
c.post('/v3/users/%s/application_credentials' % wrong_user['id'],
json=app_cred_body,
expected_status_code=http.client.FORBIDDEN,
headers={'X-Auth-Token': token})
def test_create_application_credential_wrong_user(self):
wrong_user = unit.create_user(PROVIDERS.identity_api,
test_v3.DEFAULT_DOMAIN_ID)
with self.test_client() as c:
roles = [{'id': self.role_id}]
app_cred_body = self._app_cred_body(roles=roles)
token = self.get_scoped_token()
c.post('/v3/users/%s/application_credentials' % wrong_user['id'],
json=app_cred_body,
expected_status_code=http_client.FORBIDDEN,
headers={'X-Auth-Token': token})
def _create_user_and_authenticate(self, password):
user = unit.create_user(PROVIDERS.identity_api,
CONF.identity.default_domain_id,
password=password)
PROVIDERS.identity_api.authenticate(
self.make_request(),
user_id=user['id'],
password=password)
return PROVIDERS.identity_api.get_user(user['id'])
def test_disable_domain(self):
"""Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
# Create a 2nd set of entities in a 2nd domain
domain2 = unit.new_domain_ref()
self.resource_api.create_domain(domain2["id"], domain2)
project2 = unit.new_project_ref(domain_id=domain2["id"])
self.resource_api.create_project(project2["id"], project2)
user2 = unit.create_user(self.identity_api, domain_id=domain2["id"], project_id=project2["id"])
self.assignment_api.add_user_to_project(project2["id"], user2["id"])
# First check a user in that domain can authenticate. The v2 user
# cannot authenticate because they exist outside the default domain.
body = {
"auth": {
"passwordCredentials": {"userId": user2["id"], "password": user2["password"]},
"tenantId": project2["id"],
}
}
self.admin_request(path="/v2.0/tokens", method="POST", body=body, expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request(
user_id=user2["id"], password=user2["password"], project_id=project2["id"]
)
self.v3_create_token(auth_data)
# Now disable the domain
domain2["enabled"] = False
r = self.patch("/domains/%(domain_id)s" % {"domain_id": domain2["id"]}, body={"domain": {"enabled": False}})
self.assertValidDomainResponse(r, domain2)
# Make sure the user can no longer authenticate, via
# either API
body = {
"auth": {
"passwordCredentials": {"userId": user2["id"], "password": user2["password"]},
"tenantId": project2["id"],
}
}
self.admin_request(path="/v2.0/tokens", method="POST", body=body, expected_status=http_client.UNAUTHORIZED)
# Try looking up in v3 by name and id
auth_data = self.build_authentication_request(
user_id=user2["id"], password=user2["password"], project_id=project2["id"]
)
self.v3_create_token(auth_data, expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request(
username=user2["name"], user_domain_id=domain2["id"], password=user2["password"], project_id=project2["id"]
)
self.v3_create_token(auth_data, expected_status=http_client.UNAUTHORIZED)
def setUp(self):
super(SecurityRequirementsTestCase, self).setUp()
# Create a user in the default domain
self.non_admin_user = unit.create_user(
self.identity_api,
CONF.identity.default_domain_id
)
# Create an admin in the default domain
self.admin_user = unit.create_user(
self.identity_api,
CONF.identity.default_domain_id
)
# Create a project in the default domain and a non-admin role
self.project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
self.resource_api.create_project(self.project['id'], self.project)
self.non_admin_role = unit.new_role_ref(name='not_admin')
self.role_api.create_role(
self.non_admin_role['id'],
self.non_admin_role
)
# Give the non-admin user a role on the project
self.assignment_api.add_role_to_user_and_project(
self.non_admin_user['id'],
self.project['id'],
self.role['id']
)
# Give the user the admin role on the project, which is technically
# `self.role` because RestfulTestCase sets that up for us.
self.assignment_api.add_role_to_user_and_project(
self.admin_user['id'],
self.project['id'],
self.role_id
)
def test_can_handle_missing_certs(self):
controller = token.controllers.Auth()
self.config_fixture.config(group='signing', certfile='invalid')
user = unit.create_user(self.identity_api, domain_id=DEFAULT_DOMAIN_ID)
body_dict = {
'passwordCredentials': {
'userId': user['id'],
'password': user['password'],
},
}
self.assertRaises(exception.UnexpectedError, controller.authenticate,
{}, body_dict)
def test_can_handle_missing_certs(self):
controller = token.controllers.Auth()
self.config_fixture.config(group='signing', certfile='invalid')
user = unit.create_user(self.identity_api, domain_id=DEFAULT_DOMAIN_ID)
body_dict = {
'passwordCredentials': {
'userId': user['id'],
'password': user['password'],
},
}
self.assertRaises(exception.UnexpectedError,
controller.authenticate,
{}, body_dict)
def test_list_groups_for_user(self):
"""Call ``GET /users/{user_id}/groups``."""
user1 = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
user2 = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': user1['id']})
# Scenarios below are written to test the default policy configuration
# One should be allowed to list one's own groups
auth = self.build_authentication_request(
user_id=user1['id'],
password=user1['password'])
resource_url = ('/users/%(user_id)s/groups' %
{'user_id': user1['id']})
r = self.get(resource_url, auth=auth)
self.assertValidGroupListResponse(r, ref=self.group,
resource_url=resource_url)
# Administrator is allowed to list others' groups
resource_url = ('/users/%(user_id)s/groups' %
{'user_id': user1['id']})
r = self.get(resource_url)
self.assertValidGroupListResponse(r, ref=self.group,
resource_url=resource_url)
# Ordinary users should not be allowed to list other's groups
auth = self.build_authentication_request(
user_id=user2['id'],
password=user2['password'])
r = self.get('/users/%(user_id)s/groups' % {
'user_id': user1['id']}, auth=auth,
expected_status=exception.ForbiddenAction.code)
def test_create_user_without_domain(self):
"""Call ``POST /users`` without specifying domain.
According to the identity-api specification, if you do not
explicitly specific the domain_id in the entity, it should
take the domain scope of the token as the domain_id.
"""
# Create a user with a role on the domain so we can get a
# domain scoped token
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
self.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
domain_id=domain['id'])
ref = unit.new_user_ref(domain_id=domain['id'])
ref_nd = ref.copy()
ref_nd.pop('domain_id')
auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
domain_id=domain['id'])
r = self.post('/users', body={'user': ref_nd}, auth=auth)
self.assertValidUserResponse(r, ref)
# Now try the same thing without a domain token - which should fail
ref = unit.new_user_ref(domain_id=domain['id'])
ref_nd = ref.copy()
ref_nd.pop('domain_id')
auth = self.build_authentication_request(
user_id=self.user['id'],
password=self.user['password'],
project_id=self.project['id'])
# TODO(henry-nash): Due to bug #1283539 we currently automatically
# use the default domain_id if a domain scoped token is not being
# used. For now we just check that a deprecation warning has been
# issued. Change the code below to expect a failure once this bug is
# fixed.
with mock.patch(
'oslo_log.versionutils.report_deprecated_feature') as mock_dep:
r = self.post('/users', body={'user': ref_nd}, auth=auth)
self.assertTrue(mock_dep.called)
ref['domain_id'] = CONF.identity.default_domain_id
return self.assertValidUserResponse(r, ref)
def test_update_password_not_logged(self):
# When admin modifies user password, the password isn't logged at any
# level.
log_fix = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
# bootstrap a user as admin
user_ref = unit.create_user(self.identity_api, domain_id=self.domain["id"])
self.assertNotIn(user_ref["password"], log_fix.output)
# administrative password reset
new_password = uuid.uuid4().hex
self.patch("/users/%s" % user_ref["id"], body={"user": {"password": new_password}})
self.assertNotIn(new_password, log_fix.output)
def test_trust_deleted_when_user_deleted(self):
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the trustee will delete the trust
self.delete(
'/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})
self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
# create another user as the new trustee
trustee_user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
trustee_user_id = trustee_user['id']
# create the trust again
ref['trustee_user_id'] = trustee_user_id
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the trustor will delete the trust
self.delete(
'/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})
# call the backend method directly to bypass authentication since the
# user has been deleted.
self.assertRaises(exception.TrustNotFound,
self.trust_api.get_trust,
trust['id'])
def test_trust_deleted_when_user_deleted(self):
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the trustee will delete the trust
self.delete(
'/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})
self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
# create another user as the new trustee
trustee_user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
trustee_user_id = trustee_user['id']
# create the trust again
ref['trustee_user_id'] = trustee_user_id
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
r = self.get('/OS-TRUST/trusts')
self.assertEqual(1, len(r.result['trusts']))
# delete the trustor will delete the trust
self.delete(
'/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})
# call the backend method directly to bypass authentication since the
# user has been deleted.
self.assertRaises(exception.TrustNotFound,
PROVIDERS.trust_api.get_trust,
trust['id'])
def test_list_users_with_multiple_backends(self):
"""Call ``GET /users`` when multiple backends is enabled.
In this scenario, the controller requires a domain to be specified
either as a filter or by using a domain scoped token.
"""
self.config_fixture.config(group='identity',
domain_specific_drivers_enabled=True)
# Create a user with a role on the domain so we can get a
# domain scoped token
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
self.assignment_api.create_grant(role_id=self.role_id,
user_id=user['id'],
domain_id=domain['id'])
ref = unit.new_user_ref(domain_id=domain['id'])
ref_nd = ref.copy()
ref_nd.pop('domain_id')
auth = self.build_authentication_request(user_id=user['id'],
password=user['password'],
domain_id=domain['id'])
# First try using a domain scoped token
resource_url = '/users'
r = self.get(resource_url, auth=auth)
self.assertValidUserListResponse(r,
ref=user,
resource_url=resource_url)
# Now try with an explicit filter
resource_url = ('/users?domain_id=%(domain_id)s' % {
'domain_id': domain['id']
})
r = self.get(resource_url)
self.assertValidUserListResponse(r,
ref=user,
resource_url=resource_url)
# Now try the same thing without a domain token or filter,
# which should fail
r = self.get('/users', expected_status=exception.Unauthorized.code)
def test_tls_certfile_demand_option(self):
self.config_fixture.config(group='ldap',
use_tls=True,
tls_cacertdir=None,
tls_req_cert='demand')
self.identity_api = identity.backends.ldap.Identity()
user = unit.create_user(self.identity_api, 'default',
name='fake1', password='******')
user_ref = self.identity_api.get_user(user['id'])
self.assertEqual(user['id'], user_ref['id'])
user['password'] = '******'
self.identity_api.update_user(user['id'], user)
self.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound, self.identity_api.get_user,
user['id'])
def test_update_password_not_logged(self):
# When admin modifies user password, the password isn't logged at any
# level.
log_fix = self.useFixture(fixtures.FakeLogger(level=logging.DEBUG))
# bootstrap a user as admin
user_ref = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
self.assertNotIn(user_ref['password'], log_fix.output)
# administrative password reset
new_password = uuid.uuid4().hex
self.patch('/users/%s' % user_ref['id'],
body={'user': {'password': new_password}})
self.assertNotIn(new_password, log_fix.output)
def test_admin_password_reset_with_min_password_age_enabled(self):
# enable minimum_password_age, this should have no effect on admin
# password reset
self.config_fixture.config(group='security_compliance',
minimum_password_age=1)
# create user
user_ref = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
# administrative password reset
new_password = uuid.uuid4().hex
r = self.patch('/users/%s' % user_ref['id'],
body={'user': {'password': new_password}})
self.assertValidUserResponse(r, user_ref)
# authenticate with new password
new_password_auth = self.build_authentication_request(
user_id=user_ref['id'],
password=new_password)
self.v3_create_token(new_password_auth)
def test_admin_password_reset_with_min_password_age_enabled(self):
# enable minimum_password_age, this should have no effect on admin
# password reset
self.config_fixture.config(group='security_compliance',
minimum_password_age=1)
# create user
user_ref = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
# administrative password reset
new_password = uuid.uuid4().hex
r = self.patch('/users/%s' % user_ref['id'],
body={'user': {'password': new_password}})
self.assertValidUserResponse(r, user_ref)
# authenticate with new password
new_password_auth = self.build_authentication_request(
user_id=user_ref['id'],
password=new_password)
self.v3_create_token(new_password_auth)
def test_list_users_with_multiple_backends(self):
"""Call ``GET /users`` when multiple backends is enabled.
In this scenario, the controller requires a domain to be specified
either as a filter or by using a domain scoped token.
"""
self.config_fixture.config(group='identity',
domain_specific_drivers_enabled=True)
# Create a user with a role on the domain so we can get a
# domain scoped token
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
self.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
domain_id=domain['id'])
ref = unit.new_user_ref(domain_id=domain['id'])
ref_nd = ref.copy()
ref_nd.pop('domain_id')
auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
domain_id=domain['id'])
# First try using a domain scoped token
resource_url = '/users'
r = self.get(resource_url, auth=auth)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
# Now try with an explicit filter
resource_url = ('/users?domain_id=%(domain_id)s' %
{'domain_id': domain['id']})
r = self.get(resource_url)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
# Now try the same thing without a domain token or filter,
# which should fail
r = self.get('/users', expected_status=exception.Unauthorized.code)
def test_forbidden_trust_impersonation_in_redelegation(self):
"""Test forbiddance of impersonation in trust redelegation.
Check that trustee not allowed to create a trust (with impersonation
set to true) from a redelegated trust (with impersonation set to false)
"""
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
auth_data = self.build_authentication_request(
user_id=self.trustee_user_id,
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
# create third-party user, which will be trustee in trust created from
# redelegated trust
third_party_trustee = unit.create_user(self.identity_api,
domain_id=self.domain_id)
third_party_trustee_id = third_party_trustee['id']
# create trust from redelegated trust
ref = unit.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=third_party_trustee_id,
project_id=self.project_id,
impersonation=True,
role_ids=[self.role_id])
ref['redelegated_trust_id'] = trust['id']
self.admin_request(path='/v3/OS-TRUST/trusts',
body={'trust': ref},
token=resp.headers.get('X-Subject-Token'),
method='POST',
expected_status=http_client.FORBIDDEN)
def test_forbidden_trust_impersonation_in_redelegation(self):
"""Test forbiddance of impersonation in trust redelegation.
Check that trustee not allowed to create a trust (with impersonation
set to true) from a redelegated trust (with impersonation set to false)
"""
# create trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
role_ids=[self.role_id],
allow_redelegation=True)
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
auth_data = self.build_authentication_request(
user_id=self.trustee_user_id,
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
# create third-party user, which will be trustee in trust created from
# redelegated trust
third_party_trustee = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
third_party_trustee_id = third_party_trustee['id']
# create trust from redelegated trust
ref = unit.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=third_party_trustee_id,
project_id=self.project_id,
impersonation=True,
role_ids=[self.role_id])
ref['redelegated_trust_id'] = trust['id']
self.admin_request(path='/v3/OS-TRUST/trusts',
body={'trust': ref},
token=resp.headers.get('X-Subject-Token'),
method='POST',
expected_status=http_client.FORBIDDEN)
def test_change_password_required_upon_first_use_for_create(self):
self.config_fixture.config(group='security_compliance',
change_password_upon_first_use=True)
# create user
self.user_ref = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
# attempt to authenticate with create user password
self.get_request_token(self.user_ref['password'],
expected_status=http_client.UNAUTHORIZED)
# self-service change password
new_password = uuid.uuid4().hex
self.change_password(password=new_password,
original_password=self.user_ref['password'],
expected_status=http_client.NO_CONTENT)
# authenticate with the new password
self.token = self.get_request_token(new_password, http_client.CREATED)
def test_tls_certfile_demand_option(self):
self.config_fixture.config(group='ldap',
use_tls=True,
tls_cacertdir=None,
tls_req_cert='demand')
PROVIDERS.identity_api = identity.backends.ldap.Identity()
user = unit.create_user(PROVIDERS.identity_api, 'default',
name='fake1', password='******')
user_ref = PROVIDERS.identity_api.get_user(user['id'])
self.assertEqual(user['id'], user_ref['id'])
user['password'] = '******'
PROVIDERS.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.delete_user(user['id'])
self.assertRaises(
exception.UserNotFound,
PROVIDERS.identity_api.get_user,
user['id']
)
def test_lockout_exempt(self):
self.config_fixture.config(group='security_compliance',
lockout_failure_attempts=1)
# create user
self.user_ref = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
# update the user, mark her as exempt from lockout
ignore_opt_name = options.IGNORE_LOCKOUT_ATTEMPT_OPT.option_name
self.user_ref['options'][ignore_opt_name] = True
self.identity_api.update_user(self.user_ref['id'], self.user_ref)
# fail to auth, this should lockout the user, since we're allowed
# one failure, but we're exempt from lockout!
bad_password = uuid.uuid4().hex
self.token = self.get_request_token(bad_password,
http_client.UNAUTHORIZED)
# attempt to authenticate with correct password
self.get_request_token(self.user_ref['password'],
expected_status=http_client.CREATED)
def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
# create a trustee in default domain to delegate stuff to
trustee_user = unit.create_user(self.identity_api,
domain_id=test_v3.DEFAULT_DOMAIN_ID)
trustee_user_id = trustee_user['id']
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user_id,
trustee_user_id=trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
# get a project-scoped token as the default_domain_user
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=trustee_user['id'],
password=trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, trustee_user)
token = r.headers.get('X-Subject-Token')
# ensure the token is invalid against v2
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=self.get_admin_token(),
method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
# create a trustee in default domain to delegate stuff to
trustee_user = unit.create_user(self.identity_api,
domain_id=test_v3.DEFAULT_DOMAIN_ID)
trustee_user_id = trustee_user['id']
# create a new trust
ref = unit.new_trust_ref(trustor_user_id=self.default_domain_user_id,
trustee_user_id=trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
# get a project-scoped token as the default_domain_user
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=trustee_user['id'],
password=trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r, trustee_user)
token = r.headers.get('X-Subject-Token')
# ensure the token is invalid against v2
path = '/v2.0/tokens/%s' % (token)
self.admin_request(path=path,
token=self.get_admin_token(),
method='GET',
expected_status=http_client.UNAUTHORIZED)
def test_token_revoked_once_domain_disabled(self):
"""Test token from a disabled domain has been invalidated.
Test that a token that was valid for an enabled domain
becomes invalid once that domain is disabled.
"""
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user2 = unit.create_user(self.identity_api, domain_id=domain['id'])
# build a request body
auth_body = self.build_authentication_request(
user_id=user2['id'], password=user2['password'])
# sends a request for the user's token
token_resp = self.post('/auth/tokens', body=auth_body)
subject_token = token_resp.headers.get('x-subject-token')
# validates the returned token and it should be valid.
self.head('/auth/tokens',
headers={'x-subject-token': subject_token},
expected_status=http_client.OK)
# now disable the domain
domain['enabled'] = False
url = "/domains/%(domain_id)s" % {'domain_id': domain['id']}
self.patch(url, body={'domain': {'enabled': False}})
# validates the same token again and it should be 'not found'
# as the domain has already been disabled.
self.head('/auth/tokens',
headers={'x-subject-token': subject_token},
expected_status=http_client.NOT_FOUND)
def test_delete_user_retries_on_deadlock(self):
patcher = mock.patch('sqlalchemy.orm.query.Query.delete',
autospec=True)
class FakeDeadlock(object):
def __init__(self, mock_patcher):
self.deadlock_count = 2
self.mock_patcher = mock_patcher
self.patched = True
def __call__(self, *args, **kwargs):
if self.deadlock_count > 1:
self.deadlock_count -= 1
else:
self.mock_patcher.stop()
self.patched = False
raise oslo_db_exception.DBDeadlock
sql_delete_mock = patcher.start()
side_effect = FakeDeadlock(patcher)
sql_delete_mock.side_effect = side_effect
user_ref = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
try:
self.identity_api.delete_user(user_id=user_ref['id'])
finally:
if side_effect.patched:
patcher.stop()
call_count = sql_delete_mock.call_count
# initial attempt + 1 retry
delete_user_attempt_count = 2
self.assertEqual(call_count, delete_user_attempt_count)
def setUp(self):
super(TestTrustOperations, self).setUp()
# create a trustee to delegate stuff to
self.trustee_user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.trustee_user_id = self.trustee_user['id']
def setUp(self):
super(TrustsWithApplicationCredentials, self).setUp()
self.trustee_user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
self.trustee_user_id = self.trustee_user['id']
def test_get_security_compliance_config_with_user_from_other_domain(self):
"""Make sure users from other domains can access password requirements.
Even though a user is in a separate domain, they should be able to see
the security requirements for the deployment. This is because security
compliance is not yet implemented on a per domain basis. Once that
happens, then this should no longer be possible since a user should
only care about the security compliance requirements for the domain
that they are in.
"""
# Make a new domain
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
# Create a user in the new domain
user = unit.create_user(self.identity_api, domain['id'])
# Create a project in the new domain
project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project)
# Give the new user a non-admin role on the project
self.assignment_api.add_role_to_user_and_project(
user['id'],
project['id'],
self.non_admin_role['id']
)
# Set our security compliance config values, we do this after we've
# created our test user otherwise password validation will fail with a
# uuid type regex.
password_regex = uuid.uuid4().hex
password_regex_description = uuid.uuid4().hex
group = 'security_compliance'
self.config_fixture.config(
group=group,
password_regex=password_regex
)
self.config_fixture.config(
group=group,
password_regex_description=password_regex_description
)
# Get a token for the newly created user scoped to the project in the
# non-default domain and use it to get the password security
# requirements.
user_token = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
project_id=project['id']
)
user_token = self.get_requested_token(user_token)
url = (
'/domains/%(domain_id)s/config/%(group)s' %
{
'domain_id': CONF.identity.default_domain_id,
'group': group,
}
)
response = self.get(url, token=user_token)
self.assertEqual(
response.result['config'][group]['password_regex'],
password_regex
)
self.assertEqual(
response.result['config'][group]['password_regex_description'],
password_regex_description
)
def test_disable_domain(self):
"""Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
# Create a 2nd set of entities in a 2nd domain
domain2 = unit.new_domain_ref()
self.resource_api.create_domain(domain2['id'], domain2)
project2 = unit.new_project_ref(domain_id=domain2['id'])
self.resource_api.create_project(project2['id'], project2)
user2 = unit.create_user(self.identity_api,
domain_id=domain2['id'],
project_id=project2['id'])
self.assignment_api.add_user_to_project(project2['id'], user2['id'])
# First check a user in that domain can authenticate. The v2 user
# cannot authenticate because they exist outside the default domain.
body = {
'auth': {
'passwordCredentials': {
'userId': user2['id'],
'password': user2['password']
},
'tenantId': project2['id']
}
}
self.admin_request(path='/v2.0/tokens',
method='POST',
body=body,
expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request(
user_id=user2['id'],
password=user2['password'],
project_id=project2['id'])
self.v3_create_token(auth_data)
# Now disable the domain
domain2['enabled'] = False
r = self.patch('/domains/%(domain_id)s' % {'domain_id': domain2['id']},
body={'domain': {
'enabled': False
}})
self.assertValidDomainResponse(r, domain2)
# Make sure the user can no longer authenticate, via
# either API
body = {
'auth': {
'passwordCredentials': {
'userId': user2['id'],
'password': user2['password']
},
'tenantId': project2['id']
}
}
self.admin_request(path='/v2.0/tokens',
method='POST',
body=body,
expected_status=http_client.UNAUTHORIZED)
# Try looking up in v3 by name and id
auth_data = self.build_authentication_request(
user_id=user2['id'],
password=user2['password'],
project_id=project2['id'])
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request(
username=user2['name'],
user_domain_id=domain2['id'],
password=user2['password'],
project_id=project2['id'])
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def load_sample_data(self):
"""Create sample data for password expiry tests.
The test environment will consist of a single domain, containing
a single project. It will create three users and one group.
Each user is going to be given a role assignment on the project
and the domain. Two of the three users are going to be placed into
the group, which won't have any role assignments to either the
project or the domain.
"""
self._populate_default_domain()
self.domain = unit.new_domain_ref()
self.resource_api.create_domain(self.domain['id'], self.domain)
self.domain_id = self.domain['id']
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.project = self.resource_api.create_project(
self.project_id, self.project)
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group['id']
# Creates three users each with password expiration offset
# by one day, starting with the current time frozen.
self.starttime = datetime.datetime.utcnow()
with freezegun.freeze_time(self.starttime):
self.config_fixture.config(group='security_compliance',
password_expires_days=1)
self.user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance',
password_expires_days=2)
self.user2 = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance',
password_expires_days=3)
self.user3 = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.role = unit.new_role_ref(name='admin')
self.role_api.create_role(self.role['id'], self.role)
self.role_id = self.role['id']
# Grant admin role to the users created.
self.assignment_api.create_grant(self.role_id,
user_id=self.user['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user2['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user3['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user['id'],
project_id=self.project_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user2['id'],
project_id=self.project_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user3['id'],
project_id=self.project_id)
# Add the last two users to the group.
self.identity_api.add_user_to_group(self.user2['id'], self.group_id)
self.identity_api.add_user_to_group(self.user3['id'], self.group_id)
def setUp(self):
super(UserSelfServiceChangingPasswordsTestCase, self).setUp()
self.user_ref = unit.create_user(self.identity_api,
domain_id=self.domain['id'])
self.token = self.get_request_token(self.user_ref['password'],
http_client.CREATED)
def load_sample_data(self):
"""Create sample data for password expiry tests.
The test environment will consist of a single domain, containing
a single project. It will create three users and one group.
Each user is going to be given a role assignment on the project
and the domain. Two of the three users are going to be placed into
the group, which won't have any role assignments to either the
project or the domain.
"""
self._populate_default_domain()
self.domain = unit.new_domain_ref()
self.resource_api.create_domain(self.domain['id'], self.domain)
self.domain_id = self.domain['id']
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.project = self.resource_api.create_project(self.project_id,
self.project)
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group['id']
# Creates three users each with password expiration offset
# by one day, starting with the current time frozen.
self.starttime = datetime.datetime.utcnow()
with freezegun.freeze_time(self.starttime):
self.config_fixture.config(group='security_compliance',
password_expires_days=1)
self.user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance',
password_expires_days=2)
self.user2 = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance',
password_expires_days=3)
self.user3 = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.role = unit.new_role_ref(name='admin')
self.role_api.create_role(self.role['id'], self.role)
self.role_id = self.role['id']
# Grant admin role to the users created.
self.assignment_api.create_grant(self.role_id,
user_id=self.user['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user2['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user3['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user['id'],
project_id=self.project_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user2['id'],
project_id=self.project_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user3['id'],
project_id=self.project_id)
# Add the last two users to the group.
self.identity_api.add_user_to_group(self.user2['id'],
self.group_id)
self.identity_api.add_user_to_group(self.user3['id'],
self.group_id)
def setUp(self):
super(TestTrustOperations, self).setUp()
# create a trustee to delegate stuff to
self.trustee_user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.trustee_user_id = self.trustee_user['id']
