This patch adds support for MFA TOTP on openstack dashboard.
A new configuration variable OPENSTACK_KEYSTONE_MFA_TOTP_ENABLED
was added false by default.
If enabled, users needing TOTP are prompted with a new form.
keystone doc: https://docs.openstack.org/keystone/latest/admin/auth-totp.html
Demonstration video : https://youtu.be/prDJJdFoMpM
Change-Id: I1047102a379c8a900a5e6840096bb671da4fd2ff
Blueprint: #totp-support
Closes-Bug: #2030477
Some tests in openstack_auth test_policy explicity calls enable/disable
of settings class. We usually use @override_settings decorator and
it automatically disables setting overriding when existing the decorator.
Let's use it for consistency.
Change-Id: I30cc97798ddf0c55ef4e05c885ffc8ef99a7be81
The scenario configuration in openstack_auth test_auth was ignored
somehow. Perhaps it happened when openstack_auth was merged into
the horizon repo as test runners used in the horizon repo so far
(django test runner, nose and pytest) do not support testscenarios.
This commit tries to recover the original intention of the scenario.
pytest supports several ways to parametrize tests [1]
but there seems no way without changing each test functions.
A quick port of "testscenarios" is explained [2],
but it is just a way to generate tests based on scenarios and
we still need to add scenario parameters to each test function,
so we cannot refer scenario parameters in setUp().
As a result, I chose a way to inherit the original class and
pass different attributes per scenario.
This is not ideal and I hope pytest lovers can improve the situation.
The test classes in test_auth are renamed to more meaningful ones.
Direct overrides of settings in test_auth.py are improved too.
[1] https://docs.pytest.org/en/stable/example/parametrize.html
[2] https://docs.pytest.org/en/stable/example/parametrize.html#a-quick-port-of-testscenarios
Change-Id: I1538ffbc853a2c9328c364f462a27be36c85cc2f
In python3, super() does not always require a class and self reference.
In other words, super() is enough for most cases.
This is much simpler and it is time to switch it to the newer style.
pylint provides a check for this.
Let's enable 'super-with-arguments' check.
NOTE: _prepare_mappings() method of FormRegion in
openstack_dashboard/test/integration_tests/regions/forms.py is refactored.
super() (without explicit class and self referece) does not work when
a subclass method calls a same method in a parent class multiple times.
It looks better to prepare a separate method to provide a common logic.
Change-Id: Id9512a14be9f20dbd5ebd63d446570c7b7c825ff
Kyestone V2 support was removed in Train, so it's safe to do such cleanup.
* Functions which just return horizon settings are dropped and
the settings are referred directly now.
* The service catalog in the sample test data is updated to match
the format of the keystone API v3.
* Related to the above change of the sample service catalog,
openstack_dashboard.test.unit.api.test_keystone.ServiceAPITests is
updated to specify the region name explicitly because 'RegionTwo'
endpoint is no longer the second entry of the endpoint list in the
keystone API v3.
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Change-Id: Ib60f360c96341fa5c618595f4a9bfdfe7ec5ae83
Changes test invocation from `manage.py test` to `pytest`. Adds addtitional
test requirements like pytest, pytest-django, pytest-html. Adds
`pytest.mark` alongside django's test `tag`. Adds posibility to export test
results into xml and html formats.
Depends-On: https://review.opendev.org/#/c/712315/
Related-Bug: #1866666
Co-Authored-By: Ivan Kolodyazhny <e0ne@e0ne.info>
Change-Id: Idb6e63cd23ca2ba8ca56f36eb8b63069bd211944
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib.
Change-Id: I2de669d8e89b8daeb7ee5405ffab35af6307c40b
This completes Mox removal from Horizon.
Change-Id: I73f7a01b7f655f7c1d0ba704f4417d6fe798a7eb
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
We're going to break this up so it's some bit readable.
Change-Id: Ifaaa674676f9542f32e5cb08c8448f68b97a3162
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Co-Authored-By: Akihiro Motoki <amotoki@gmail.com>
Another step towards the demise of Mox. This makes the move from
mox-style calls to mock ones much easier to grok. We also some 'if'
blocks that were not being used.
Change-Id: I73a741a9b7d80eb0475a07cca13138659a9a31b0
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Turns out we also have to remove these helper functions.
Change-Id: I5fc5d83569c7b74a766942bddaaaac1b10ad54b7
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
These were helpful when flattening test cases. Not so much any more.
Change-Id: I4419f3787a709474fc25512a141c189b8d6cc996
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
As before, we're not actually doing any conversion but rather flattening
things out to allow us easily switch from the Mox style to mock style of
testing.
Change-Id: I37b7944b25ed6fe3a1fc49086c829b75970f248f
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Mox uses a very different style of testing than mock does. In Mox, you
state both the things you want to mock and the expected call order of
these mocks before you call your function under test, while in mock you
do the mocking, call your function under test, and then check the
expected call order. This means extensive use of helper functions is
problematic. Start resolving this by flattening tests, allowing us to
eventually do the conversions.
Change-Id: Id44cda44c7b7a8fa85ef876bf06c2c74922ff241
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
* Use consistent names for arguments of mocked method.
The basic policy is to use "mock_foo" for a method "foo".
* Use IsA in mock assert_called method variants rather than checking
call_args_list directly. It improves the readability a lot.
Change-Id: I25c11e45529327861a6c53e3166fe550ec89581f
Start with the exception cases, which are nice and easy to validate.
Change-Id: I368d489b7d20148d583f1a80eb3351c89c587d2d
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The keystone doesn't use 5000 port anymore from Newton version. And all
the references should be changed together.
Change-Id: I3f02686ab5b3abf48f129fde92e90427ca148317
Unfortunately the only way we can know the user_id at this point is
by parsing the error message.
I also refactored the exceptions in openstack_auth to make them use
different classes (but one common superclass).
Partially implements blueprint: allow-users-change-expired-password
Change-Id: Ieceee09db21040b96577db19bd195dc3799e3892
Keystone V2 API was deprecated in Stein release in Horizon and
removed from Keystone in Queens release.
Change-Id: I917e273d3174adf0874e516b3d635ccb8ba58a27
This commit also moves descriptions of settings defined in openstack_auth
from openstack_dashboard/settings.py and local_settings.py(.example)
to openstack_auth/settings.py.
Note that if openstack_dashboard has different default settings
from openstack_auth defaults, they are now moved to
openstack_dashboard/defaults.py.
Part of blueprint ini-based-configuration
Change-Id: I59eebc388de0bcbd4d1fe35c6138efbd3e04c5b8
enforcer for policy can be loaded from a single file or from multiple
files (policy_dir). so checking for policy_file is not good enough.
If a policy is loaded it will have some rules, if not loaded then,
oslo_policy rejects all acccess, but it is not saved to the
_ENFORCER object, which is holds the objects used for enforcing
policies. So checking for existance of rules is a better check.
Some refactoring for better logging
added tests: test_nonexisting_policy_file_load
Change-Id: Id1f65058014ef5b14449b502d6741da9d34767b3
Closes-Bug: 1804174
PKI Tokens got removed from Keystone in 2016[1] so this check is no
longer needed.
OPENSTACK_TOKEN_HASH_ALGORITHM setting is dropped
as it is used only in PKI token check.
[1] https://review.openstack.org/#/c/374479/
Change-Id: I2de02fe6fab531842752b03c5e17af2bcf502cd8
Fix the following new errors:
* E305 expected 2 blank lines after class or function definition, found 1
* E126 continuation line over-indented for hanging indent
max_line_length is set to 80 as the default value in pycodestyle is 79
but horizon uses 80 as max_line_length.
Ignore W504 and F405 by configurations.
Reasons of disabling them are explained as comments in tox.ini.
Change-Id: Iee8bcd60c30883fc8c74f08cf20af853cbb5e271
The "request" attribute is not available in
openstack_auth.backend.KeystoneBackend.get_user when session data is restored
and it's the first request to happen after a server restart.
As stated by the function document, the "request" attribute needs to be
monkey-patched by openstack_auth.utils.patch_middleware_get_user
for this function to work properly.
This should happen in openstack_auth.urls at import time. But there is nowhere
in Horizon where this module is imported at startup. It's only introspected
by openstack_dashboard.urls due to AUTHENTICATION_URLS setting.
Without this monkey-patching, the whole authentication mechanism falls back
to "AnonymousUser" and you will get redirected to the login page due
to horizon.exceptions.NotAuthenticated being raised by
horizon.decorators.require_auth as request.user.is_authenticated will be False.
But if a user requests a page under auth/, it will have the side-effect of
monkey-patching django.contrib.auth.middleware as expected. This means that
once this request is completed, all following requests to pages other than
the ones under auth/ will have there sessions properly restored and
you will be properly authenticated.
Therefore this change introduces a dummy middleware which sole purpose is
to perform this monkey-patching as early as possible.
There is also some cleanup to get rid of the previous attempts at
monkeypatching.
Closes-bug: #1764622
Change-Id: Ib9912090a87b716e7f5710f6f360b0df168ec2e3
The redirect for WEBSSO takes its data directly from the request's
POST data, and the format of that data has changed, so now we need
to convert it for it to work correctly.
Change-Id: I5b18e555a9bc6b24be1e59465f07e73e99739e22
closes-bug: #1794710
Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO
deployments where network segmentation is used per security requirement.
In this case, the controllers are not reachable from public network.
Therefore, user's browser will not be able to reach OPENSTACK_KEYSTONE_URL
if it is set to the internal endpoint.
If WEBSSO_KEYSTONE_URL is set, it will be used instead of
OPENSTACK_KEYSTONE_URL.
Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a
Closes-bug: #1544703
Instead of using endpoint URLs to designate regions in the login
form and its cookies, use numbers. This way, if internal URLs are
configured, they won't be exposed to the outside.
Change-Id: Ifed089e7cee3075bf2dc5d1ce77b0e1b1d091ca0
Closes-bug: #1787943
We no longer use port 35357 for keystone v3 API admin operation
and it is recommended to use port 5000.
This commit updates keystone catalog for keystone v3 API.
It also replace keystone v2 URL with v3 one.
Note that keystone v2 data is kept as-is.
Change-Id: Ia152d602b80ae418e0020b3ba30a11016a83da6a
In scenarios where the cloud operators have only a single Identity Provider,
we can have a default redirection to remove unnecessary user clicks and
improve user experience.
Closes-bug: #1784368
Change-Id: I251703dcaeac43174fbcba7e0658c6f92098b2e0