Fix sample policy to allow user to check own token
The sample policy file wouldn't allow a user to check their own token. Change-Id: I8853d2b8c5aabea03564a33df7daddb969fcd4b3 Closes-Bug: 1421825
This commit is contained in:
Brant Knudson
parent
3c9e2e5c83
commit
6808486135
|
|
@ -6,6 +6,7 @@
|
|||
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||
"token_subject": "user_id:%(target.token.user_id)s",
|
||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
||||
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
|
|
@ -88,8 +89,8 @@
|
|||
"identity:update_policy": "rule:admin_required",
|
||||
"identity:delete_policy": "rule:admin_required",
|
||||
|
||||
"identity:check_token": "rule:admin_required",
|
||||
"identity:validate_token": "rule:service_or_admin",
|
||||
"identity:check_token": "rule:admin_or_token_subject",
|
||||
"identity:validate_token": "rule:service_admin_or_token_subject",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@
|
|||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
|
||||
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
||||
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
|
||||
|
||||
"default": "rule:admin_required",
|
||||
|
||||
|
|
@ -100,7 +101,7 @@
|
|||
|
||||
"identity:change_password": "rule:owner",
|
||||
"identity:check_token": "rule:admin_or_owner",
|
||||
"identity:validate_token": "rule:service_or_admin",
|
||||
"identity:validate_token": "rule:service_admin_or_owner",
|
||||
"identity:validate_token_head": "rule:service_or_admin",
|
||||
"identity:revocation_list": "rule:service_or_admin",
|
||||
"identity:revoke_token": "rule:admin_or_owner",
|
||||
|
|
|
|||
|
|
@ -224,6 +224,7 @@ class PolicyJsonTestCase(tests.TestCase):
|
|||
tests.dirs.etc('policy.v3cloudsample.json'))
|
||||
|
||||
policy_extra_keys = ['admin_or_token_subject',
|
||||
'service_admin_or_token_subject',
|
||||
'token_subject', ]
|
||||
expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
|
||||
diffs = set(policy_keys).difference(set(expected_policy_keys))
|
||||
|
|
|
|||
|
|
@ -391,23 +391,18 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
|
|||
# Given a non-admin user token, the token can be used to validate
|
||||
# itself.
|
||||
# This is GET /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
||||
# FIXME(blk-u): This test fails, a user can't validate their own token,
|
||||
# see bug 1421825.
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
password=self.just_a_user['password'])
|
||||
token = self.get_requested_token(auth)
|
||||
|
||||
# FIXME(blk-u): remove expected_status=403.
|
||||
self.get('/auth/tokens', token=token,
|
||||
headers={'X-Subject-Token': token}, expected_status=403)
|
||||
headers={'X-Subject-Token': token})
|
||||
|
||||
def test_user_validate_user_token(self):
|
||||
# A user can validate one of their own tokens.
|
||||
# This is GET /v3/auth/tokens
|
||||
# FIXME(blk-u): This test fails, a user can't validate their own token,
|
||||
# see bug 1421825.
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
|
|
@ -415,9 +410,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
|
|||
token1 = self.get_requested_token(auth)
|
||||
token2 = self.get_requested_token(auth)
|
||||
|
||||
# FIXME(blk-u): remove expected_status=403.
|
||||
self.get('/auth/tokens', token=token1,
|
||||
headers={'X-Subject-Token': token2}, expected_status=403)
|
||||
headers={'X-Subject-Token': token2})
|
||||
|
||||
def test_user_validate_other_user_token_rejected(self):
|
||||
# A user cannot validate another user's token.
|
||||
|
|
@ -458,23 +452,18 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
|
|||
# Given a non-admin user token, the token can be used to check
|
||||
# itself.
|
||||
# This is HEAD /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
||||
# FIXME(blk-u): This test fails, a user can't check the same token,
|
||||
# see bug 1421825.
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
password=self.just_a_user['password'])
|
||||
token = self.get_requested_token(auth)
|
||||
|
||||
# FIXME(blk-u): change to expected_status=200
|
||||
self.head('/auth/tokens', token=token,
|
||||
headers={'X-Subject-Token': token}, expected_status=403)
|
||||
headers={'X-Subject-Token': token}, expected_status=200)
|
||||
|
||||
def test_user_check_user_token(self):
|
||||
# A user can check one of their own tokens.
|
||||
# This is HEAD /v3/auth/tokens
|
||||
# FIXME(blk-u): This test fails, a user can't check the same token,
|
||||
# see bug 1421825.
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
|
|
@ -482,9 +471,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
|
|||
token1 = self.get_requested_token(auth)
|
||||
token2 = self.get_requested_token(auth)
|
||||
|
||||
# FIXME(blk-u): change to expected_status=200
|
||||
self.head('/auth/tokens', token=token1,
|
||||
headers={'X-Subject-Token': token2}, expected_status=403)
|
||||
headers={'X-Subject-Token': token2}, expected_status=200)
|
||||
|
||||
def test_user_check_other_user_token_rejected(self):
|
||||
# A user cannot check another user's token.
|
||||
|
|
@ -976,23 +964,18 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
|||
# Given a non-admin user token, the token can be used to validate
|
||||
# itself.
|
||||
# This is GET /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
||||
# FIXME(blk-u): This test fails, a user can't validate their own token,
|
||||
# see bug 1421825.
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
password=self.just_a_user['password'])
|
||||
token = self.get_requested_token(auth)
|
||||
|
||||
# FIXME(blk-u): remove expected_status=403.
|
||||
self.get('/auth/tokens', token=token,
|
||||
headers={'X-Subject-Token': token}, expected_status=403)
|
||||
headers={'X-Subject-Token': token})
|
||||
|
||||
def test_user_validate_user_token(self):
|
||||
# A user can validate one of their own tokens.
|
||||
# This is GET /v3/auth/tokens
|
||||
# FIXME(blk-u): This test fails, a user can't validate their own token,
|
||||
# see bug 1421825.
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
|
|
@ -1000,9 +983,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
|
|||
token1 = self.get_requested_token(auth)
|
||||
token2 = self.get_requested_token(auth)
|
||||
|
||||
# FIXME(blk-u): remove expected_status=403.
|
||||
self.get('/auth/tokens', token=token1,
|
||||
headers={'X-Subject-Token': token2}, expected_status=403)
|
||||
headers={'X-Subject-Token': token2})
|
||||
|
||||
def test_user_validate_other_user_token_rejected(self):
|
||||
# A user cannot validate another user's token.
|
||||
|
|
|
|||
Loading…
Reference in New Issue