summaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/tests/unit/test_auth.py
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/keystone/tests/unit/test_auth.py')
-rw-r--r--keystone-moon/keystone/tests/unit/test_auth.py115
1 files changed, 99 insertions, 16 deletions
diff --git a/keystone-moon/keystone/tests/unit/test_auth.py b/keystone-moon/keystone/tests/unit/test_auth.py
index 295e028d..f253b02d 100644
--- a/keystone-moon/keystone/tests/unit/test_auth.py
+++ b/keystone-moon/keystone/tests/unit/test_auth.py
@@ -18,7 +18,9 @@ import uuid
import mock
from oslo_config import cfg
+import oslo_utils.fixture
from oslo_utils import timeutils
+import six
from testtools import matchers
from keystone import assignment
@@ -74,6 +76,7 @@ class AuthTest(tests.TestCase):
def setUp(self):
self.useFixture(database.Database())
super(AuthTest, self).setUp()
+ self.time_fixture = self.useFixture(oslo_utils.fixture.TimeFixture())
self.load_backends()
self.load_fixtures(default_fixtures)
@@ -265,12 +268,12 @@ class AuthWithToken(AuthTest):
self.user_foo['id'],
self.tenant_bar['id'],
self.role_member['id'])
- # Get an unscoped tenant
+ # Get an unscoped token
body_dict = _build_user_auth(
username='FOO',
password='foo2')
unscoped_token = self.controller.authenticate({}, body_dict)
- # Get a token on BAR tenant using the unscoped tenant
+ # Get a token on BAR tenant using the unscoped token
body_dict = _build_user_auth(
token=unscoped_token["access"]["token"],
tenant_name="BAR")
@@ -281,6 +284,50 @@ class AuthWithToken(AuthTest):
self.assertEqual(self.tenant_bar['id'], tenant["id"])
self.assertThat(roles, matchers.Contains(self.role_member['id']))
+ def test_auth_scoped_token_bad_project_with_debug(self):
+ """Authenticating with an invalid project fails."""
+ # Bug 1379952 reports poor user feedback, even in debug mode,
+ # when the user accidentally passes a project name as an ID.
+ # This test intentionally does exactly that.
+ body_dict = _build_user_auth(
+ username=self.user_foo['name'],
+ password=self.user_foo['password'],
+ tenant_id=self.tenant_bar['name'])
+
+ # with debug enabled, this produces a friendly exception.
+ self.config_fixture.config(debug=True)
+ e = self.assertRaises(
+ exception.Unauthorized,
+ self.controller.authenticate,
+ {}, body_dict)
+ # explicitly verify that the error message shows that a *name* is
+ # found where an *ID* is expected
+ self.assertIn(
+ 'Project ID not found: %s' % self.tenant_bar['name'],
+ six.text_type(e))
+
+ def test_auth_scoped_token_bad_project_without_debug(self):
+ """Authenticating with an invalid project fails."""
+ # Bug 1379952 reports poor user feedback, even in debug mode,
+ # when the user accidentally passes a project name as an ID.
+ # This test intentionally does exactly that.
+ body_dict = _build_user_auth(
+ username=self.user_foo['name'],
+ password=self.user_foo['password'],
+ tenant_id=self.tenant_bar['name'])
+
+ # with debug disabled, authentication failure details are suppressed.
+ self.config_fixture.config(debug=False)
+ e = self.assertRaises(
+ exception.Unauthorized,
+ self.controller.authenticate,
+ {}, body_dict)
+ # explicitly verify that the error message details above have been
+ # suppressed.
+ self.assertNotIn(
+ 'Project ID not found: %s' % self.tenant_bar['name'],
+ six.text_type(e))
+
def test_auth_token_project_group_role(self):
"""Verify getting a token in a tenant with group roles."""
# Add a v2 style role in so we can check we get this back
@@ -448,10 +495,13 @@ class AuthWithToken(AuthTest):
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
token_id = unscoped_token['access']['token']['id']
+ self.time_fixture.advance_time_seconds(1)
+
# get a second token
body_dict = _build_user_auth(token=unscoped_token["access"]["token"])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
token_2_id = unscoped_token_2['access']['token']['id']
+ self.time_fixture.advance_time_seconds(1)
self.token_provider_api.revoke_token(token_id, revoke_chain=True)
@@ -470,10 +520,13 @@ class AuthWithToken(AuthTest):
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
token_id = unscoped_token['access']['token']['id']
+ self.time_fixture.advance_time_seconds(1)
+
# get a second token
body_dict = _build_user_auth(token=unscoped_token["access"]["token"])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
token_2_id = unscoped_token_2['access']['token']['id']
+ self.time_fixture.advance_time_seconds(1)
self.token_provider_api.revoke_token(token_2_id, revoke_chain=True)
@@ -500,13 +553,17 @@ class AuthWithToken(AuthTest):
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
token_id = unscoped_token['access']['token']['id']
+ self.time_fixture.advance_time_seconds(1)
+
# get a second token
body_dict = _build_user_auth(
token=unscoped_token['access']['token'])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
token_2_id = unscoped_token_2['access']['token']['id']
+ self.time_fixture.advance_time_seconds(1)
self.token_provider_api.revoke_token(token_id, revoke_chain=True)
+ self.time_fixture.advance_time_seconds(1)
revoke_events = self.revoke_api.list_events()
self.assertThat(revoke_events, matchers.HasLength(1))
@@ -526,15 +583,18 @@ class AuthWithToken(AuthTest):
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
token_id = unscoped_token['access']['token']['id']
+ self.time_fixture.advance_time_seconds(1)
# get a second token
body_dict = _build_user_auth(
token=unscoped_token['access']['token'])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
token_2_id = unscoped_token_2['access']['token']['id']
+ self.time_fixture.advance_time_seconds(1)
# Revoke by audit_id, no audit_info means both parent and child
# token are revoked.
self.token_provider_api.revoke_token(token_id)
+ self.time_fixture.advance_time_seconds(1)
revoke_events = self.revoke_api.list_events()
self.assertThat(revoke_events, matchers.HasLength(2))
@@ -819,9 +879,8 @@ class AuthWithTrust(AuthTest):
context, trust=self.sample_data)
def test_create_trust(self):
- expires_at = timeutils.strtime(timeutils.utcnow() +
- datetime.timedelta(minutes=10),
- fmt=TIME_FORMAT)
+ expires_at = (timeutils.utcnow() +
+ datetime.timedelta(minutes=10)).strftime(TIME_FORMAT)
new_trust = self.create_trust(self.sample_data, self.trustor['name'],
expires_at=expires_at)
self.assertEqual(self.trustor['id'], new_trust['trustor_user_id'])
@@ -848,6 +907,12 @@ class AuthWithTrust(AuthTest):
self.create_trust, self.sample_data,
self.trustor['name'], expires_at="Z")
+ def test_create_trust_expires_older_than_now(self):
+ self.assertRaises(exception.ValidationExpirationError,
+ self.create_trust, self.sample_data,
+ self.trustor['name'],
+ expires_at="2010-06-04T08:44:31.999999Z")
+
def test_create_trust_without_project_id(self):
"""Verify that trust can be created without project id and
token can be generated with that trust.
@@ -868,8 +933,8 @@ class AuthWithTrust(AuthTest):
def test_get_trust(self):
unscoped_token = self.get_unscoped_token(self.trustor['name'])
- context = {'token_id': unscoped_token['access']['token']['id'],
- 'host_url': HOST_URL}
+ context = self._create_auth_context(
+ unscoped_token['access']['token']['id'])
new_trust = self.trust_controller.create_trust(
context, trust=self.sample_data)['trust']
trust = self.trust_controller.get_trust(context,
@@ -880,6 +945,21 @@ class AuthWithTrust(AuthTest):
for role in new_trust['roles']:
self.assertIn(role['id'], role_ids)
+ def test_get_trust_without_auth_context(self):
+ """Verify that a trust cannot be retrieved when the auth context is
+ missing.
+ """
+ unscoped_token = self.get_unscoped_token(self.trustor['name'])
+ context = self._create_auth_context(
+ unscoped_token['access']['token']['id'])
+ new_trust = self.trust_controller.create_trust(
+ context, trust=self.sample_data)['trust']
+ # Delete the auth context before calling get_trust().
+ del context['environment'][authorization.AUTH_CONTEXT_ENV]
+ self.assertRaises(exception.Forbidden,
+ self.trust_controller.get_trust, context,
+ new_trust['id'])
+
def test_create_trust_no_impersonation(self):
new_trust = self.create_trust(self.sample_data, self.trustor['name'],
expires_at=None, impersonation=False)
@@ -1051,13 +1131,18 @@ class AuthWithTrust(AuthTest):
self.controller.authenticate, {}, request_body)
def test_expired_trust_get_token_fails(self):
- expiry = "1999-02-18T10:10:00Z"
+ expires_at = (timeutils.utcnow() +
+ datetime.timedelta(minutes=5)).strftime(TIME_FORMAT)
+ time_expired = timeutils.utcnow() + datetime.timedelta(minutes=10)
new_trust = self.create_trust(self.sample_data, self.trustor['name'],
- expiry)
- request_body = self.build_v2_token_request('TWO', 'two2', new_trust)
- self.assertRaises(
- exception.Forbidden,
- self.controller.authenticate, {}, request_body)
+ expires_at)
+ with mock.patch.object(timeutils, 'utcnow') as mock_now:
+ mock_now.return_value = time_expired
+ request_body = self.build_v2_token_request('TWO', 'two2',
+ new_trust)
+ self.assertRaises(
+ exception.Forbidden,
+ self.controller.authenticate, {}, request_body)
def test_token_from_trust_with_wrong_role_fails(self):
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
@@ -1196,9 +1281,7 @@ class TokenExpirationTest(AuthTest):
self.assertEqual(original_expiration, r['access']['token']['expires'])
def test_maintain_uuid_token_expiration(self):
- self.config_fixture.config(
- group='token',
- provider='keystone.token.providers.uuid.Provider')
+ self.config_fixture.config(group='token', provider='uuid')
self._maintain_token_expiration()