This patch adds support for MFA TOTP on openstack dashboard.
A new configuration variable OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED
was added false by default.
If enabled, users needing TOTP are prompted with a new form.
keystone doc: https://docs.openstack.org/keystone/latest/admin/auth-totp.html
Demonstration video : https://youtu.be/prDJJdFoMpM
Change-Id: I1047102a379c8a900a5e6840096bb671da4fd2ff
Blueprint: #totp-support
Closes-Bug: #2030477
The scenario configuration in openstack_auth test_auth was ignored
somehow. Perhaps it happened when openstack_auth was merged into
the horizon repo as test runners used in the horizon repo so far
(django test runner, nose and pytest) do not support testscenarios.
This commit tries to recover the original intention of the scenario.
pytest supports several ways to parametrize tests [1]
but there seems no way without changing each test functions.
A quick port of "testscenarios" is explained [2],
but it is just a way to generate tests based on scenarios and
we still need to add scenario parameters to each test function,
so we cannot refer scenario parameters in setUp().
As a result, I chose a way to inherit the original class and
pass different attributes per scenario.
This is not ideal and I hope pytest lovers can improve the situation.
The test classes in test_auth are renamed to more meaningful ones.
Direct overrides of settings in test_auth.py are improved too.
[1] https://docs.pytest.org/en/stable/example/parametrize.html
[2] https://docs.pytest.org/en/stable/example/parametrize.html#a-quick-port-of-testscenarios
Change-Id: I1538ffbc853a2c9328c364f462a27be36c85cc2f
In python3, super() does not always require a class and self reference.
In other words, super() is enough for most cases.
This is much simpler and it is time to switch it to the newer style.
pylint provides a check for this.
Let's enable 'super-with-arguments' check.
NOTE: _prepare_mappings() method of FormRegion in
openstack_dashboard/test/integration_tests/regions/forms.py is refactored.
super() (without explicit class and self referece) does not work when
a subclass method calls a same method in a parent class multiple times.
It looks better to prepare a separate method to provide a common logic.
Change-Id: Id9512a14be9f20dbd5ebd63d446570c7b7c825ff
Kyestone V2 support was removed in Train, so it's safe to do such cleanup.
* Functions which just return horizon settings are dropped and
the settings are referred directly now.
* The service catalog in the sample test data is updated to match
the format of the keystone API v3.
* Related to the above change of the sample service catalog,
openstack_dashboard.test.unit.api.test_keystone.ServiceAPITests is
updated to specify the region name explicitly because 'RegionTwo'
endpoint is no longer the second entry of the endpoint list in the
keystone API v3.
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: Ib60f360c96341fa5c618595f4a9bfdfe7ec5ae83
Changes test invocation from `manage.py test` to `pytest`. Adds addtitional
test requirements like pytest, pytest-django, pytest-html. Adds
`pytest.mark` alongside django's test `tag`. Adds posibility to export test
results into xml and html formats.
Depends-On: https://review.opendev.org/#/c/712315/
Related-Bug: #1866666
Co-Authored-By: Ivan Kolodyazhny <e0ne@e0ne.info>
Change-Id: Idb6e63cd23ca2ba8ca56f36eb8b63069bd211944
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.
Change-Id: I2de669d8e89b8daeb7ee5405ffab35af6307c40b
This completes Mox removal from Horizon.
Change-Id: I73f7a01b7f655f7c1d0ba704f4417d6fe798a7eb
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
We're going to break this up so it's some bit readable.
Change-Id: Ifaaa674676f9542f32e5cb08c8448f68b97a3162
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Another step towards the demise of Mox. This makes the move from
mox-style calls to mock ones much easier to grok. We also some 'if'
blocks that were not being used.
Change-Id: I73a741a9b7d80eb0475a07cca13138659a9a31b0
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Turns out we also have to remove these helper functions.
Change-Id: I5fc5d83569c7b74a766942bddaaaac1b10ad54b7
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
These were helpful when flattening test cases. Not so much any more.
Change-Id: I4419f3787a709474fc25512a141c189b8d6cc996
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
As before, we're not actually doing any conversion but rather flattening
things out to allow us easily switch from the Mox style to mock style of
testing.
Change-Id: I37b7944b25ed6fe3a1fc49086c829b75970f248f
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Mox uses a very different style of testing than mock does. In Mox, you
state both the things you want to mock and the expected call order of
these mocks before you call your function under test, while in mock you
do the mocking, call your function under test, and then check the
expected call order. This means extensive use of helper functions is
problematic. Start resolving this by flattening tests, allowing us to
eventually do the conversions.
Change-Id: Id44cda44c7b7a8fa85ef876bf06c2c74922ff241
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Use consistent names for arguments of mocked method.
The basic policy is to use "mock_foo" for a method "foo".
* Use IsA in mock assert_called method variants rather than checking
call_args_list directly. It improves the readability a lot.
Change-Id: I25c11e45529327861a6c53e3166fe550ec89581f
Start with the exception cases, which are nice and easy to validate.
Change-Id: I368d489b7d20148d583f1a80eb3351c89c587d2d
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The keystone doesn't use 5000 port anymore from Newton version. And all
the references should be changed together.
Change-Id: I3f02686ab5b3abf48f129fde92e90427ca148317
Unfortunately the only way we can know the user_id at this point is
by parsing the error message.
I also refactored the exceptions in openstack_auth to make them use
different classes (but one common superclass).
Partially implements blueprint: allow-users-change-expired-password
Change-Id: Ieceee09db21040b96577db19bd195dc3799e3892
Keystone V2 API was deprecated in Stein release in Horizon and
removed from Keystone in Queens release.
Change-Id: I917e273d3174adf0874e516b3d635ccb8ba58a27
Fix the following new errors:
* E305 expected 2 blank lines after class or function definition, found 1
* E126 continuation line over-indented for hanging indent
max_line_length is set to 80 as the default value in pycodestyle is 79
but horizon uses 80 as max_line_length.
Ignore W504 and F405 by configurations.
Reasons of disabling them are explained as comments in tox.ini.
Change-Id: Iee8bcd60c30883fc8c74f08cf20af853cbb5e271
The redirect for WEBSSO takes its data directly from the request's
POST data, and the format of that data has changed, so now we need
to convert it for it to work correctly.
Change-Id: I5b18e555a9bc6b24be1e59465f07e73e99739e22
closes-bug: #1794710
Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO
deployments where network segmentation is used per security requirement.
In this case, the controllers are not reachable from public network.
Therefore, user's browser will not be able to reach OPENSTACK_KEYSTONE_URL
if it is set to the internal endpoint.
If WEBSSO_KEYSTONE_URL is set, it will be used instead of
OPENSTACK_KEYSTONE_URL.
Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a
Closes-bug: #1544703
Instead of using endpoint URLs to designate regions in the login
form and its cookies, use numbers. This way, if internal URLs are
configured, they won't be exposed to the outside.
Change-Id: Ifed089e7cee3075bf2dc5d1ce77b0e1b1d091ca0
Closes-bug: #1787943
In scenarios where the cloud operators have only a single Identity Provider,
we can have a default redirection to remove unnecessary user clicks and
improve user experience.
Closes-bug: #1784368
Change-Id: I251703dcaeac43174fbcba7e0658c6f92098b2e0
After Django 2.0 support, we no longer supports Django 1.10 or older
(Actually Django 1.10 seems to work though).
The current django.VERSION branches are all related to Django 1.10
or older, so we can drop all conditions.
py35dj20 job is now voting.
blueprint django2-support
Change-Id: Iefc0ab1c62c82f2842ec7761a9b981da9351cbd2
(In Django 2.0) The django.core.urlresolvers module is removed
in favor of its new location, django.urls.
It was depreacted in Django 1.10:
https://docs.djangoproject.com/en/2.0/releases/1.10/#id3
blueprint django2-support
Change-Id: I46ab5c325491274b8eaffbf848e5d80f83c2fd26
blueprint relocation-test-codes
This commit relocates test codes in openstack_auth
according to blueprint relocation-test-codes.
Change-Id: I78fcfb72a1522283724126bd95e251b52f294831
Benjamin Lasseye