"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_tokens.py" (13 May 2020, 22583 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_tokens.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 
   17 from keystone.common import provider_api
   18 import keystone.conf
   19 from keystone.tests.common import auth as common_auth
   20 from keystone.tests import unit
   21 from keystone.tests.unit import base_classes
   22 from keystone.tests.unit import ksfixtures
   23 
   24 CONF = keystone.conf.CONF
   25 PROVIDERS = provider_api.ProviderAPIs
   26 
   27 
   28 class _SystemUserTokenTests(object):
   29 
   30     def test_user_can_validate_system_scoped_token(self):
   31         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
   32         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
   33 
   34         PROVIDERS.assignment_api.create_system_grant_for_user(
   35             user['id'], self.bootstrapper.reader_role_id
   36         )
   37 
   38         system_auth = self.build_authentication_request(
   39             user_id=user['id'], password=user['password'],
   40             system=True
   41         )
   42 
   43         with self.test_client() as c:
   44             r = c.post('/v3/auth/tokens', json=system_auth)
   45             system_token = r.headers['X-Subject-Token']
   46 
   47         with self.test_client() as c:
   48             self.headers['X-Subject-Token'] = system_token
   49             c.get('/v3/auth/tokens', headers=self.headers)
   50 
   51     def test_user_can_validate_domain_scoped_token(self):
   52         domain = PROVIDERS.resource_api.create_domain(
   53             uuid.uuid4().hex, unit.new_domain_ref()
   54         )
   55 
   56         user = unit.new_user_ref(domain_id=domain['id'])
   57         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
   58 
   59         PROVIDERS.assignment_api.create_grant(
   60             self.bootstrapper.reader_role_id, user_id=user['id'],
   61             domain_id=domain['id']
   62         )
   63 
   64         domain_auth = self.build_authentication_request(
   65             user_id=user['id'], password=user['password'],
   66             domain_id=domain['id']
   67         )
   68 
   69         with self.test_client() as c:
   70             r = c.post('/v3/auth/tokens', json=domain_auth)
   71             domain_token = r.headers['X-Subject-Token']
   72 
   73         with self.test_client() as c:
   74             self.headers['X-Subject-Token'] = domain_token
   75             c.get('/v3/auth/tokens', headers=self.headers)
   76 
   77     def test_user_can_validate_project_scoped_token(self):
   78         project = PROVIDERS.resource_api.create_project(
   79             uuid.uuid4().hex,
   80             unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
   81         )
   82 
   83         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
   84         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
   85 
   86         PROVIDERS.assignment_api.create_grant(
   87             self.bootstrapper.reader_role_id, user_id=user['id'],
   88             project_id=project['id']
   89         )
   90 
   91         project_auth = self.build_authentication_request(
   92             user_id=user['id'], password=user['password'],
   93             project_id=project['id']
   94         )
   95 
   96         with self.test_client() as c:
   97             r = c.post('/v3/auth/tokens', json=project_auth)
   98             project_token = r.headers['X-Subject-Token']
   99 
  100         with self.test_client() as c:
  101             self.headers['X-Subject-Token'] = project_token
  102             c.get('/v3/auth/tokens', headers=self.headers)
  103 
  104 
  105 class _SystemMemberAndReaderTokenTests(object):
  106 
  107     def test_user_cannot_revoke_a_system_scoped_token(self):
  108         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  109         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  110 
  111         PROVIDERS.assignment_api.create_system_grant_for_user(
  112             user['id'], self.bootstrapper.reader_role_id
  113         )
  114 
  115         system_auth = self.build_authentication_request(
  116             user_id=user['id'], password=user['password'],
  117             system=True
  118         )
  119 
  120         with self.test_client() as c:
  121             r = c.post('/v3/auth/tokens', json=system_auth)
  122             system_token = r.headers['X-Subject-Token']
  123 
  124         with self.test_client() as c:
  125             self.headers['X-Subject-Token'] = system_token
  126             c.delete(
  127                 '/v3/auth/tokens', headers=self.headers,
  128                 expected_status_code=http.client.FORBIDDEN
  129             )
  130 
  131     def test_user_cannot_revoke_a_domain_scoped_token(self):
  132         domain = PROVIDERS.resource_api.create_domain(
  133             uuid.uuid4().hex, unit.new_domain_ref()
  134         )
  135 
  136         user = unit.new_user_ref(domain_id=domain['id'])
  137         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  138 
  139         PROVIDERS.assignment_api.create_grant(
  140             self.bootstrapper.reader_role_id, user_id=user['id'],
  141             domain_id=domain['id']
  142         )
  143 
  144         domain_auth = self.build_authentication_request(
  145             user_id=user['id'], password=user['password'],
  146             domain_id=domain['id']
  147         )
  148 
  149         with self.test_client() as c:
  150             r = c.post('/v3/auth/tokens', json=domain_auth)
  151             domain_token = r.headers['X-Subject-Token']
  152 
  153         with self.test_client() as c:
  154             self.headers['X-Subject-Token'] = domain_token
  155             c.delete(
  156                 '/v3/auth/tokens', headers=self.headers,
  157                 expected_status_code=http.client.FORBIDDEN
  158             )
  159 
  160     def test_user_cannot_revoke_a_project_scoped_token(self):
  161         project = PROVIDERS.resource_api.create_project(
  162             uuid.uuid4().hex,
  163             unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
  164         )
  165 
  166         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  167         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  168 
  169         PROVIDERS.assignment_api.create_grant(
  170             self.bootstrapper.reader_role_id, user_id=user['id'],
  171             project_id=project['id']
  172         )
  173 
  174         project_auth = self.build_authentication_request(
  175             user_id=user['id'], password=user['password'],
  176             project_id=project['id']
  177         )
  178 
  179         with self.test_client() as c:
  180             r = c.post('/v3/auth/tokens', json=project_auth)
  181             project_token = r.headers['X-Subject-Token']
  182 
  183         with self.test_client() as c:
  184             self.headers['X-Subject-Token'] = project_token
  185             c.delete(
  186                 '/v3/auth/tokens', headers=self.headers,
  187                 expected_status_code=http.client.FORBIDDEN
  188             )
  189 
  190 
  191 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  192                         common_auth.AuthTestMixin,
  193                         _SystemUserTokenTests,
  194                         _SystemMemberAndReaderTokenTests):
  195 
  196     def setUp(self):
  197         super(SystemReaderTests, self).setUp()
  198         self.loadapp()
  199         self.useFixture(ksfixtures.Policy(self.config_fixture))
  200         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  201 
  202         system_reader = unit.new_user_ref(
  203             domain_id=CONF.identity.default_domain_id
  204         )
  205         self.user_id = PROVIDERS.identity_api.create_user(
  206             system_reader
  207         )['id']
  208         PROVIDERS.assignment_api.create_system_grant_for_user(
  209             self.user_id, self.bootstrapper.reader_role_id
  210         )
  211 
  212         auth = self.build_authentication_request(
  213             user_id=self.user_id, password=system_reader['password'],
  214             system=True
  215         )
  216 
  217         # Grab a token using the persona we're testing and prepare headers
  218         # for requests we'll be making in the tests.
  219         with self.test_client() as c:
  220             r = c.post('/v3/auth/tokens', json=auth)
  221             self.token_id = r.headers['X-Subject-Token']
  222             self.headers = {'X-Auth-Token': self.token_id}
  223 
  224 
  225 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
  226                         common_auth.AuthTestMixin,
  227                         _SystemUserTokenTests,
  228                         _SystemMemberAndReaderTokenTests):
  229 
  230     def setUp(self):
  231         super(SystemMemberTests, self).setUp()
  232         self.loadapp()
  233         self.useFixture(ksfixtures.Policy(self.config_fixture))
  234         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  235 
  236         system_reader = unit.new_user_ref(
  237             domain_id=CONF.identity.default_domain_id
  238         )
  239         self.user_id = PROVIDERS.identity_api.create_user(
  240             system_reader
  241         )['id']
  242         PROVIDERS.assignment_api.create_system_grant_for_user(
  243             self.user_id, self.bootstrapper.reader_role_id
  244         )
  245 
  246         auth = self.build_authentication_request(
  247             user_id=self.user_id, password=system_reader['password'],
  248             system=True
  249         )
  250 
  251         # Grab a token using the persona we're testing and prepare headers
  252         # for requests we'll be making in the tests.
  253         with self.test_client() as c:
  254             r = c.post('/v3/auth/tokens', json=auth)
  255             self.token_id = r.headers['X-Subject-Token']
  256             self.headers = {'X-Auth-Token': self.token_id}
  257 
  258 
  259 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
  260                        common_auth.AuthTestMixin,
  261                        _SystemUserTokenTests):
  262 
  263     def setUp(self):
  264         super(SystemAdminTests, self).setUp()
  265         self.loadapp()
  266         self.useFixture(ksfixtures.Policy(self.config_fixture))
  267         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  268 
  269         self.user_id = self.bootstrapper.admin_user_id
  270         auth = self.build_authentication_request(
  271             user_id=self.user_id,
  272             password=self.bootstrapper.admin_password,
  273             system=True
  274         )
  275 
  276         # Grab a token using the persona we're testing and prepare headers
  277         # for requests we'll be making in the tests.
  278         with self.test_client() as c:
  279             r = c.post('/v3/auth/tokens', json=auth)
  280             self.token_id = r.headers['X-Subject-Token']
  281             self.headers = {'X-Auth-Token': self.token_id}
  282 
  283     def test_user_can_revoke_a_system_scoped_token(self):
  284         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  285         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  286 
  287         PROVIDERS.assignment_api.create_system_grant_for_user(
  288             user['id'], self.bootstrapper.reader_role_id
  289         )
  290 
  291         system_auth = self.build_authentication_request(
  292             user_id=user['id'], password=user['password'],
  293             system=True
  294         )
  295 
  296         with self.test_client() as c:
  297             r = c.post('/v3/auth/tokens', json=system_auth)
  298             system_token = r.headers['X-Subject-Token']
  299 
  300         with self.test_client() as c:
  301             self.headers['X-Subject-Token'] = system_token
  302             c.delete('/v3/auth/tokens', headers=self.headers)
  303 
  304     def test_user_can_revoke_a_domain_scoped_token(self):
  305         domain = PROVIDERS.resource_api.create_domain(
  306             uuid.uuid4().hex, unit.new_domain_ref()
  307         )
  308 
  309         user = unit.new_user_ref(domain_id=domain['id'])
  310         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  311 
  312         PROVIDERS.assignment_api.create_grant(
  313             self.bootstrapper.reader_role_id, user_id=user['id'],
  314             domain_id=domain['id']
  315         )
  316 
  317         domain_auth = self.build_authentication_request(
  318             user_id=user['id'], password=user['password'],
  319             domain_id=domain['id']
  320         )
  321 
  322         with self.test_client() as c:
  323             r = c.post('/v3/auth/tokens', json=domain_auth)
  324             domain_token = r.headers['X-Subject-Token']
  325 
  326         with self.test_client() as c:
  327             self.headers['X-Subject-Token'] = domain_token
  328             c.delete('/v3/auth/tokens', headers=self.headers)
  329 
  330     def test_user_can_revoke_a_project_scoped_token(self):
  331         project = PROVIDERS.resource_api.create_project(
  332             uuid.uuid4().hex,
  333             unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
  334         )
  335 
  336         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  337         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  338 
  339         PROVIDERS.assignment_api.create_grant(
  340             self.bootstrapper.reader_role_id, user_id=user['id'],
  341             project_id=project['id']
  342         )
  343 
  344         project_auth = self.build_authentication_request(
  345             user_id=user['id'], password=user['password'],
  346             project_id=project['id']
  347         )
  348 
  349         with self.test_client() as c:
  350             r = c.post('/v3/auth/tokens', json=project_auth)
  351             project_token = r.headers['X-Subject-Token']
  352 
  353         with self.test_client() as c:
  354             self.headers['X-Subject-Token'] = project_token
  355             c.delete('/v3/auth/tokens', headers=self.headers)
  356 
  357 
  358 class _DomainAndProjectUserTests(object):
  359 
  360     def test_user_can_validate_their_own_tokens(self):
  361         with self.test_client() as c:
  362             self.headers['X-Subject-Token'] = self.token_id
  363             c.get('/v3/auth/tokens', headers=self.headers)
  364 
  365     def test_user_can_revoke_their_own_tokens(self):
  366         with self.test_client() as c:
  367             self.headers['X-Subject-Token'] = self.token_id
  368             c.delete('/v3/auth/tokens', headers=self.headers)
  369 
  370     def test_user_cannot_validate_system_scoped_token(self):
  371         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  372         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  373 
  374         PROVIDERS.assignment_api.create_system_grant_for_user(
  375             user['id'], self.bootstrapper.reader_role_id
  376         )
  377 
  378         system_auth = self.build_authentication_request(
  379             user_id=user['id'], password=user['password'],
  380             system=True
  381         )
  382 
  383         with self.test_client() as c:
  384             r = c.post('/v3/auth/tokens', json=system_auth)
  385             system_token = r.headers['X-Subject-Token']
  386 
  387         with self.test_client() as c:
  388             self.headers['X-Subject-Token'] = system_token
  389             c.get(
  390                 '/v3/auth/tokens', headers=self.headers,
  391                 expected_status_code=http.client.FORBIDDEN
  392             )
  393 
  394     def test_user_cannot_revoke_system_scoped_token(self):
  395         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  396         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  397 
  398         PROVIDERS.assignment_api.create_system_grant_for_user(
  399             user['id'], self.bootstrapper.reader_role_id
  400         )
  401 
  402         system_auth = self.build_authentication_request(
  403             user_id=user['id'], password=user['password'],
  404             system=True
  405         )
  406 
  407         with self.test_client() as c:
  408             r = c.post('/v3/auth/tokens', json=system_auth)
  409             system_token = r.headers['X-Subject-Token']
  410 
  411         with self.test_client() as c:
  412             self.headers['X-Subject-Token'] = system_token
  413             c.delete(
  414                 '/v3/auth/tokens', headers=self.headers,
  415                 expected_status_code=http.client.FORBIDDEN
  416             )
  417 
  418     def test_user_cannot_validate_domain_scoped_token(self):
  419         domain = PROVIDERS.resource_api.create_domain(
  420             uuid.uuid4().hex, unit.new_domain_ref()
  421         )
  422 
  423         user = unit.new_user_ref(domain_id=domain['id'])
  424         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  425 
  426         PROVIDERS.assignment_api.create_grant(
  427             self.bootstrapper.reader_role_id, user_id=user['id'],
  428             domain_id=domain['id']
  429         )
  430 
  431         domain_auth = self.build_authentication_request(
  432             user_id=user['id'], password=user['password'],
  433             domain_id=domain['id']
  434         )
  435 
  436         with self.test_client() as c:
  437             r = c.post('/v3/auth/tokens', json=domain_auth)
  438             domain_token = r.headers['X-Subject-Token']
  439 
  440         with self.test_client() as c:
  441             self.headers['X-Subject-Token'] = domain_token
  442             c.get(
  443                 '/v3/auth/tokens', headers=self.headers,
  444                 expected_status_code=http.client.FORBIDDEN
  445             )
  446 
  447     def test_user_cannot_revoke_domain_scoped_token(self):
  448         domain = PROVIDERS.resource_api.create_domain(
  449             uuid.uuid4().hex, unit.new_domain_ref()
  450         )
  451 
  452         user = unit.new_user_ref(domain_id=domain['id'])
  453         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  454 
  455         PROVIDERS.assignment_api.create_grant(
  456             self.bootstrapper.reader_role_id, user_id=user['id'],
  457             domain_id=domain['id']
  458         )
  459 
  460         domain_auth = self.build_authentication_request(
  461             user_id=user['id'], password=user['password'],
  462             domain_id=domain['id']
  463         )
  464 
  465         with self.test_client() as c:
  466             r = c.post('/v3/auth/tokens', json=domain_auth)
  467             domain_token = r.headers['X-Subject-Token']
  468 
  469         with self.test_client() as c:
  470             self.headers['X-Subject-Token'] = domain_token
  471             c.delete(
  472                 '/v3/auth/tokens', headers=self.headers,
  473                 expected_status_code=http.client.FORBIDDEN
  474             )
  475 
  476     def test_user_cannot_validate_project_scoped_token(self):
  477         project = PROVIDERS.resource_api.create_project(
  478             uuid.uuid4().hex,
  479             unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
  480         )
  481 
  482         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  483         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  484 
  485         PROVIDERS.assignment_api.create_grant(
  486             self.bootstrapper.reader_role_id, user_id=user['id'],
  487             project_id=project['id']
  488         )
  489 
  490         project_auth = self.build_authentication_request(
  491             user_id=user['id'], password=user['password'],
  492             project_id=project['id']
  493         )
  494 
  495         with self.test_client() as c:
  496             r = c.post('/v3/auth/tokens', json=project_auth)
  497             project_token = r.headers['X-Subject-Token']
  498 
  499         with self.test_client() as c:
  500             self.headers['X-Subject-Token'] = project_token
  501             c.get(
  502                 '/v3/auth/tokens', headers=self.headers,
  503                 expected_status_code=http.client.FORBIDDEN
  504             )
  505 
  506     def test_user_cannot_revoke_project_scoped_token(self):
  507         project = PROVIDERS.resource_api.create_project(
  508             uuid.uuid4().hex,
  509             unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
  510         )
  511 
  512         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  513         user['id'] = PROVIDERS.identity_api.create_user(user)['id']
  514 
  515         PROVIDERS.assignment_api.create_grant(
  516             self.bootstrapper.reader_role_id, user_id=user['id'],
  517             project_id=project['id']
  518         )
  519 
  520         project_auth = self.build_authentication_request(
  521             user_id=user['id'], password=user['password'],
  522             project_id=project['id']
  523         )
  524 
  525         with self.test_client() as c:
  526             r = c.post('/v3/auth/tokens', json=project_auth)
  527             project_token = r.headers['X-Subject-Token']
  528 
  529         with self.test_client() as c:
  530             self.headers['X-Subject-Token'] = project_token
  531             c.delete(
  532                 '/v3/auth/tokens', headers=self.headers,
  533                 expected_status_code=http.client.FORBIDDEN
  534             )
  535 
  536 
  537 class DomainUserTests(base_classes.TestCaseWithBootstrap,
  538                       common_auth.AuthTestMixin,
  539                       _DomainAndProjectUserTests):
  540 
  541     def setUp(self):
  542         super(DomainUserTests, self).setUp()
  543         self.loadapp()
  544         self.useFixture(ksfixtures.Policy(self.config_fixture))
  545         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  546 
  547         domain = PROVIDERS.resource_api.create_domain(
  548             uuid.uuid4().hex, unit.new_domain_ref()
  549         )
  550         self.domain_id = domain['id']
  551         domain_user = unit.new_user_ref(domain_id=self.domain_id)
  552         self.domain_user_id = PROVIDERS.identity_api.create_user(
  553             domain_user
  554         )['id']
  555         PROVIDERS.assignment_api.create_grant(
  556             self.bootstrapper.member_role_id, user_id=self.domain_user_id,
  557             domain_id=self.domain_id
  558         )
  559 
  560         auth = self.build_authentication_request(
  561             user_id=self.domain_user_id, password=domain_user['password'],
  562             domain_id=self.domain_id
  563         )
  564 
  565         # Grab a token using the persona we're testing and prepare headers
  566         # for requests we'll be making in the tests.
  567         with self.test_client() as c:
  568             r = c.post('/v3/auth/tokens', json=auth)
  569             self.token_id = r.headers['X-Subject-Token']
  570             self.headers = {'X-Auth-Token': self.token_id}
  571 
  572 
  573 class ProjectUserTests(base_classes.TestCaseWithBootstrap,
  574                        common_auth.AuthTestMixin,
  575                        _DomainAndProjectUserTests):
  576 
  577     def setUp(self):
  578         super(ProjectUserTests, self).setUp()
  579         self.loadapp()
  580         self.useFixture(ksfixtures.Policy(self.config_fixture))
  581         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  582 
  583         domain = PROVIDERS.resource_api.create_domain(
  584             uuid.uuid4().hex, unit.new_domain_ref()
  585         )
  586         self.domain_id = domain['id']
  587 
  588         project_reader = unit.new_user_ref(domain_id=self.domain_id)
  589         project_reader_id = PROVIDERS.identity_api.create_user(
  590             project_reader
  591         )['id']
  592         project = unit.new_project_ref(domain_id=self.domain_id)
  593         project_id = PROVIDERS.resource_api.create_project(
  594             project['id'], project
  595         )['id']
  596 
  597         PROVIDERS.assignment_api.create_grant(
  598             self.bootstrapper.reader_role_id, user_id=project_reader_id,
  599             project_id=project_id
  600         )
  601 
  602         auth = self.build_authentication_request(
  603             user_id=project_reader_id,
  604             password=project_reader['password'],
  605             project_id=project_id
  606         )
  607 
  608         # Grab a token using the persona we're testing and prepare headers
  609         # for requests we'll be making in the tests.
  610         with self.test_client() as c:
  611             r = c.post('/v3/auth/tokens', json=auth)
  612             self.token_id = r.headers['X-Subject-Token']
  613             self.headers = {'X-Auth-Token': self.token_id}