Diffstat (limited to 'keystone_tempest_plugin/tests/scenario/test_federated_authentication.py')
-rw-r--r--keystone_tempest_plugin/tests/scenario/test_federated_authentication.py176
1 files changed, 0 insertions, 176 deletions
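--- a/keystone_tempest_plugin/tests/scenario/test_federated_authentication.py
+++ /dev/null
@@ -1,176 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from lxml import etree
-from six.moves import http_client
-from tempest import config
-from tempest.lib.common.utils import data_utils
-import testtools
-
-from keystone_tempest_plugin.tests import base
-
-
-CONF = config.CONF
-
-
-class TestSaml2EcpFederatedAuthentication(base.BaseIdentityTest):
-
-    ECP_SAML2_NAMESPACES = {
-        'ecp': 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp',
-        'S': 'http://schemas.xmlsoap.org/soap/envelope/',
-        'paos': 'urn:liberty:paos:2003-08'
-    }
-
-    ECP_SERVICE_PROVIDER_CONSUMER_URL = ('/S:Envelope/S:Header/paos:Request/'
-                                         '@responseConsumerURL')
-
-    ECP_IDP_CONSUMER_URL = ('/S:Envelope/S:Header/ecp:Response/'
-                            '@AssertionConsumerServiceURL')
-
-    ECP_RELAY_STATE = '//ecp:RelayState'
-
-    def _setup_settings(self):
-        self.idp_id = CONF.fed_scenario.idp_id
-        self.idp_url = CONF.fed_scenario.idp_ecp_url
-        self.keystone_v3_endpoint = CONF.identity.uri_v3
-        self.password = CONF.fed_scenario.idp_password
-        self.protocol_id = CONF.fed_scenario.protocol_id
-        self.username = CONF.fed_scenario.idp_username
-
-    def _setup_idp(self):
-        remote_ids = CONF.fed_scenario.idp_remote_ids
-        self.idps_client.create_identity_provider(
-            self.idp_id, remote_ids=remote_ids, enabled=True)
-        self.addCleanup(
-            self.idps_client.delete_identity_provider, self.idp_id)
-
-    def _setup_mapping(self):
-        self.mapping_id = data_utils.rand_uuid_hex()
-        mapping_remote_type = CONF.fed_scenario.mapping_remote_type
-        mapping_user_name = CONF.fed_scenario.mapping_user_name
-        mapping_group_name = CONF.fed_scenario.mapping_group_name
-        mapping_group_domain_name = CONF.fed_scenario.mapping_group_domain_name
-
-        rules = [{
-            'local': [
-                {
-                    'user': {'name': mapping_user_name}
-                },
-                {
-                    'group': {
-                        'domain': {'name': mapping_group_domain_name},
-                        'name': mapping_group_name
-                    }
-                }
-            ],
-            'remote': [
-                {
-                    'type': mapping_remote_type
-                }
-            ]
-        }]
-        mapping_ref = {'rules': rules}
-        self.mappings_client.create_mapping_rule(self.mapping_id, mapping_ref)
-        self.addCleanup(
-            self.mappings_client.delete_mapping_rule, self.mapping_id)
-
-    def _setup_protocol(self):
-        self.idps_client.add_protocol_and_mapping(
-            self.idp_id, self.protocol_id, self.mapping_id)
-        self.addCleanup(
-            self.idps_client.delete_protocol_and_mapping,
-            self.idp_id,
-            self.protocol_id)
-
-    def setUp(self):
-        super(TestSaml2EcpFederatedAuthentication, self).setUp()
-        self._setup_settings()
-
-        # Reset client's session to avoid getting garbage from another runs
-        self.saml2_client.reset_session()
-
-        # Setup identity provider, mapping and protocol
-        self._setup_idp()
-        self._setup_mapping()
-        self._setup_protocol()
-
-    def _str_from_xml(self, xml, path):
-        l = xml.xpath(path, namespaces=self.ECP_SAML2_NAMESPACES)
-        self.assertEqual(1, len(l))
-        return l[0]
-
-    def _request_unscoped_token(self):
-        resp = self.saml2_client.send_service_provider_request(
-            self.keystone_v3_endpoint, self.idp_id, self.protocol_id)
-        self.assertEqual(http_client.OK, resp.status_code)
-        saml2_authn_request = etree.XML(resp.content)
-
-        relay_state = self._str_from_xml(
-            saml2_authn_request, self.ECP_RELAY_STATE)
-        sp_consumer_url = self._str_from_xml(
-            saml2_authn_request, self.ECP_SERVICE_PROVIDER_CONSUMER_URL)
-
-        # Perform the authn request to the identity provider
-        resp = self.saml2_client.send_identity_provider_authn_request(
-            saml2_authn_request, self.idp_url, self.username, self.password)
-        self.assertEqual(http_client.OK, resp.status_code)
-        saml2_idp_authn_response = etree.XML(resp.content)
-
-        idp_consumer_url = self._str_from_xml(
-            saml2_idp_authn_response, self.ECP_IDP_CONSUMER_URL)
-
-        # Assert that both saml2_authn_request and saml2_idp_authn_response
-        # have the same consumer URL.
-        self.assertEqual(sp_consumer_url, idp_consumer_url)
-
-        # Present the identity provider authn response to the service provider.
-        resp = self.saml2_client.send_service_provider_saml2_authn_response(
-            saml2_idp_authn_response, relay_state, idp_consumer_url)
-        # Must receive a redirect from service provider to the URL where the
-        # unscoped token can be retrieved.
-        self.assertIn(resp.status_code,
-                      [http_client.FOUND, http_client.SEE_OTHER])
-
-        # We can receive multiple types of errors here, the response depends on
-        # the mapping and the username used to authenticate in the Identity
-        # Provider and also in the Identity Provider remote ID validation.
-        # If everything works well, we receive an unscoped token.
-        sp_url = resp.headers['location']
-        resp = (
-            self.saml2_client.send_service_provider_unscoped_token_request(
-                sp_url))
-        self.assertEqual(http_client.CREATED, resp.status_code)
-        self.assertIn('X-Subject-Token', resp.headers)
-        self.assertNotEmpty(resp.json())
-
-        return resp
-
-    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
-                          "Federated Identity feature not enabled")
-    def test_request_unscoped_token(self):
-        self._request_unscoped_token()
-
-    @testtools.skipUnless(CONF.identity_feature_enabled.federation,
-                          "Federated Identity feature not enabled")
-    def test_request_scoped_token(self):
-        resp = self._request_unscoped_token()
-        token_id = resp.headers['X-Subject-Token']
-
-        projects = self.auth_client.get_available_projects_scopes(
-            self.keystone_v3_endpoint, token_id)['projects']
-        self.assertNotEmpty(projects)
-
-        # Get a scoped token to one of the listed projects
-        self.tokens_client.auth(
-            project_id=projects[0]['id'], token=token_id)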