def test_app_cred_ec2_credential(self):
"""Test creating ec2 credential from an application credential.
Call ``POST /credentials``.
"""
# Create the app cred
ref = unit.new_application_credential_ref(roles=[{'id': self.role_id}])
del ref['id']
r = self.post('/users/%s/application_credentials' % self.user_id,
body={'application_credential': ref})
app_cred = r.result['application_credential']
# Get an application credential token
auth_data = self.build_authentication_request(
app_cred_id=app_cred['id'],
secret=app_cred['secret'])
r = self.v3_create_token(auth_data)
token_id = r.headers.get('X-Subject-Token')
# Create the credential with the app cred token
blob, ref = unit.new_ec2_credential(user_id=self.user_id,
project_id=self.project_id)
r = self.post('/credentials', body={'credential': ref}, token=token_id)
# We expect the response blob to contain the app_cred_id
ret_ref = ref.copy()
ret_blob = blob.copy()
ret_blob['app_cred_id'] = app_cred['id']
ret_ref['blob'] = json.dumps(ret_blob)
self.assertValidCredentialResponse(r, ref=ret_ref)
# Assert credential id is same as hash of access key id for
# ec2 credentials
access = blob['access'].encode('utf-8')
self.assertEqual(hashlib.sha256(access).hexdigest(),
r.result['credential']['id'])
# Create a role assignment to ensure that it is ignored and only the
# roles in the app cred are used
role = unit.new_role_ref(name='reader')
role_id = role['id']
PROVIDERS.role_api.create_role(role_id, role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, role_id)
ret_blob = json.loads(r.result['credential']['blob'])
ec2token = self._test_get_token(
access=ret_blob['access'], secret=ret_blob['secret'])
ec2_roles = [role['id'] for role in ec2token['roles']]
self.assertIn(self.role_id, ec2_roles)
self.assertNotIn(role_id, ec2_roles)
# Create second ec2 credential with the same access key id and check
# for conflict.
self.post(
'/credentials',
body={'credential': ref},
token=token_id,
expected_status=http.client.CONFLICT)
def test_create_application_credential_by_owner(self):
app_cred_body = {
'application_credential': unit.new_application_credential_ref()
}
with self.test_client() as c:
c.post(
'/v3/users/%s/application_credentials' % self.user_id,
json=app_cred_body,
expected_status_code=http.client.CREATED,
headers=self.headers)
def test_user_cannot_create_app_credential_for_another_user(self):
# create another user
another_user = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id
)
another_user_id = PROVIDERS.identity_api.create_user(
another_user
)['id']
app_cred_body = {
'application_credential': unit.new_application_credential_ref(
roles=[{'id': self.bootstrapper.member_role_id}])
}
with self.test_client() as c:
c.post(
'/v3/users/%s/application_credentials' % another_user_id,
json=app_cred_body,
expected_status_code=http.client.FORBIDDEN,
headers=self.headers)