def test_group_to_role_sync_is_performed_on_successful_auth_no_groups_returned(
self):
# Enable group sync
cfg.CONF.set_override(group='rbac',
name='sync_remote_groups',
override=True)
user_db = self.users['user_1']
h = handlers.StandaloneAuthHandler()
request = {}
# Verify initial state
role_dbs = rbac_service.get_roles_for_user(user_db=user_db,
include_remote=True)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['mock_local_role_1'])
self.assertEqual(role_dbs[1], self.roles['mock_local_role_2'])
# No groups configured should return early
h._auth_backend.groups = []
token = h.handle_auth(request,
headers={},
remote_addr=None,
remote_user=None,
authorization=('basic', DUMMY_CREDS))
self.assertEqual(token.user, 'auser')
# Verify nothing has changed
role_dbs = rbac_service.get_roles_for_user(user_db=user_db,
include_remote=True)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['mock_local_role_1'])
self.assertEqual(role_dbs[1], self.roles['mock_local_role_2'])
def test_group_to_role_sync_is_performed_on_successful_auth_single_group_no_mappings(self):
# Enable group sync
cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True)
cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True)
user_db = self.users['user_1']
h = handlers.StandaloneAuthHandler()
request = {}
# Verify initial state
role_dbs = get_roles_for_user(user_db=user_db, include_remote=True)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['mock_local_role_1'])
self.assertEqual(role_dbs[1], self.roles['mock_local_role_2'])
# Single group configured but no group mapping in the database
h._auth_backend.groups = [
'CN=stormers,OU=groups,DC=stackstorm,DC=net'
]
token = h.handle_auth(request, headers={}, remote_addr=None, remote_user=None,
authorization=('basic', DUMMY_CREDS))
self.assertEqual(token.user, 'auser')
# Verify nothing has changed
role_dbs = get_roles_for_user(user_db=user_db, include_remote=True)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['mock_local_role_1'])
self.assertEqual(role_dbs[1], self.roles['mock_local_role_2'])
def test_group_to_role_sync_concurrent_auth(self):
# Verify that there is no race and group sync during concurrent auth works fine
# Enable group sync
cfg.CONF.set_override(group='rbac',
name='sync_remote_groups',
override=True)
cfg.CONF.set_override(group='rbac',
name='sync_remote_groups',
override=True)
h = handlers.StandaloneAuthHandler()
request = {}
def handle_auth():
token = h.handle_auth(request,
headers={},
remote_addr=None,
remote_user=None,
authorization=('basic', DUMMY_CREDS))
self.assertEqual(token.user, 'auser')
thread_pool = eventlet.GreenPool(20)
for i in range(0, 20):
thread_pool.spawn(handle_auth)
thread_pool.waitall()
def test_standalone_handler(self):
h = handlers.StandaloneAuthHandler()
request = {}
token = h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=('basic', DUMMY_CREDS))
self.assertEqual(token.user, 'auser')
def test_standalone_bad_auth_value(self):
h = handlers.StandaloneAuthHandler()
request = {}
with self.assertRaises(exc.HTTPUnauthorized):
h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=('basic', 'gobblegobble'))
def test_standalone_no_auth(self):
h = handlers.StandaloneAuthHandler()
request = {}
with self.assertRaises(exc.HTTPUnauthorized):
h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=None)
def test_standalone_bad_auth_type(self):
h = handlers.StandaloneAuthHandler()
request = {}
with self.assertRaises(exc.HTTPUnauthorized):
h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=('complex', DUMMY_CREDS))
def test_password_contains_colon(self):
h = handlers.StandaloneAuthHandler()
request = MockRequest(60)
authorization = ('Basic', base64.b64encode(b'username:password:password'))
token = h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=authorization)
self.assertEqual(token.user, 'username')
def test_standalone_impersonate_user_no_origin(self):
h = handlers.StandaloneAuthHandler()
request = MockRequest(60)
request.impersonate_user = '******'
with self.assertRaises(exc.HTTPBadRequest):
h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=('basic', DUMMY_CREDS))
def test_standalone_for_user_service(self):
h = handlers.StandaloneAuthHandler()
request = MockRequest(60)
request.user = '******'
token = h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=('basic', DUMMY_CREDS))
self.assertEqual(token.user, 'anotheruser')
def test_standalone_for_user_not_found(self):
h = handlers.StandaloneAuthHandler()
request = MockRequest(60)
request.user = '******'
with self.assertRaises(webob.exc.HTTPBadRequest):
h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=('basic', DUMMY_CREDS))
def test_standalone_impersonate_user_with_nick_origin(self):
h = handlers.StandaloneAuthHandler()
request = MockRequest(60)
request.impersonate_user = '******'
request.nickname_origin = 'slack'
token = h.handle_auth(
request, headers={}, remote_addr=None,
remote_user=None, authorization=('basic', DUMMY_CREDS))
self.assertEqual(token.user, 'anotheruser')
def test_standalone_handler_ttl(self):
h = handlers.StandaloneAuthHandler()
token1 = h.handle_auth(
MockRequest(23), headers={}, remote_addr=None,
remote_user=None, authorization=('basic', DUMMY_CREDS))
token2 = h.handle_auth(
MockRequest(2300), headers={}, remote_addr=None,
remote_user=None, authorization=('basic', DUMMY_CREDS))
self.assertEqual(token1.user, 'auser')
self.assertNotEqual(token1.expiry, token2.expiry)
def test_standalone_for_user_not_service(self):
h = handlers.StandaloneAuthHandler()
request = MockRequest(60)
request.user = "******"
with self.assertRaises(exc.HTTPBadRequest):
h.handle_auth(
request,
headers={},
remote_addr=None,
remote_user=None,
authorization=("basic", DUMMY_CREDS),
)
def test_group_to_role_sync_error_non_fatal_on_succesful_auth(self):
# Enable group sync
cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True)
cfg.CONF.set_override(group='rbac', name='sync_remote_groups', override=True)
h = handlers.StandaloneAuthHandler()
request = {}
h._auth_backend.groups = [
'CN=stormers,OU=groups,DC=stackstorm,DC=net'
]
# sync() method called upon successful authentication throwing should not be fatal
token = h.handle_auth(request, headers={}, remote_addr=None, remote_user=None,
authorization=('basic', DUMMY_CREDS))
self.assertEqual(token.user, 'auser')
def test_group_to_role_sync_is_performed_on_successful_auth_with_groups_and_mappings(
self):
# Enable group sync
cfg.CONF.set_override(group='rbac',
name='sync_remote_groups',
override=True)
cfg.CONF.set_override(group='rbac',
name='sync_remote_groups',
override=True)
user_db = self.users['user_1']
h = handlers.StandaloneAuthHandler()
request = {}
# Single mapping, new remote assignment should be created
create_group_to_role_map(
group='CN=stormers,OU=groups,DC=stackstorm,DC=net',
roles=['mock_role_3', 'mock_role_4'],
source='mappings/stormers.yaml')
# Verify initial state
role_dbs = get_roles_for_user(user_db=user_db, include_remote=True)
self.assertEqual(len(role_dbs), 2)
self.assertEqual(role_dbs[0], self.roles['mock_local_role_1'])
self.assertEqual(role_dbs[1], self.roles['mock_local_role_2'])
h._auth_backend.groups = ['CN=stormers,OU=groups,DC=stackstorm,DC=net']
token = h.handle_auth(request,
headers={},
remote_addr=None,
remote_user=None,
authorization=('basic', DUMMY_CREDS))
self.assertEqual(token.user, 'auser')
# Verify a new role assignments based on the group mapping has been created
role_dbs = get_roles_for_user(user_db=user_db, include_remote=True)
self.assertEqual(len(role_dbs), 4)
self.assertEqual(role_dbs[0], self.roles['mock_local_role_1'])
self.assertEqual(role_dbs[1], self.roles['mock_local_role_2'])
self.assertEqual(role_dbs[2], self.roles['mock_role_3'])
self.assertEqual(role_dbs[3], self.roles['mock_role_4'])
