Add validation that token method isn't needed in MFARules

Add validation test that token method is not needed explicitly
in the MFA rules to be utilized. Token should work as all previous
methods (prior to the rescope) are included in the token's methods
when token is the authmethod handler.

This change makes some minor restructuring of the test class to
ensure sharing of code when handling TOTP credentials.

Change-Id: Ib1d9f0652600b5eb488ae19fc7671c8d69327c11
bp: per-user-auth-plugin-reqs
Morgan Fainberg 2017-01-30 14:42:13 -08:00
parent a4c226f31a
commit 113055774a
1 changed files with 52 additions and 13 deletions


@ -48,19 +48,38 @@ from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF
class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase):
def setUp(self):
super(TestMFARules, self).setUp()
auth.core.load_auth_methods()
self.controller = auth.controllers.Auth()
self.addCleanup(self.cleanup)
class TestMFARules(test_v3.RestfulTestCase):
def config_overrides(self):
super(TestMFARules, self).config_overrides()
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'fernet_tokens',
CONF.fernet_tokens.max_active_keys
)
)
def cleanup(self):
totp_creds = self.credential_api.list_credentials_for_user(
self.user['id'], type='totp')
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'credential',
credential_fernet.MAX_ACTIVE_KEYS
)
)
for cred in totp_creds:
self.credential_api.delete_credential(cred['id'])
def _create_totp_cred(self):
totp_cred = unit.new_totp_credential(self.user_id, self.project_id)
self.credential_api.create_credential(uuid.uuid4().hex, totp_cred)
def cleanup(testcase):
totp_creds = testcase.credential_api.list_credentials_for_user(
testcase.user['id'], type='totp')
for cred in totp_creds:
testcase.credential_api.delete_credential(cred['id'])
self.addCleanup(cleanup, testcase=self)
return totp_cred
def auth_plugin_config_override(self, methods=None, **method_classes):
methods = ['totp', 'token', 'password']
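Review bot: `_create_totp_cred` registers a fresh cleanup on every call, and each one sweeps every TOTP credential of the user through list_credentials_for_user rather than the single credential the helper created, so the cleanup's scope is wider than what the helper is responsible for. Binding the cleanup to the id handed to create_credential is more precise and needs no listing call: `cred_id = uuid.uuid4().hex` / `self.credential_api.create_credential(cred_id, totp_cred)` / `self.addCleanup(self.credential_api.delete_credential, cred_id)`. The helper also has no docstring; `"""Create a TOTP credential for self.user and schedule its deletion."""` would do. The second KeyRepository fixture in config_overrides, keyed on 'credential', looks like what allows the TOTP secret to be stored encrypted in the credential backend, but that is inferred from the fixture name only and worth a one-line comment from the author.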
@ -95,8 +114,7 @@ class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase):
# validate that multiple auth-methods function if all are specified
# and the rules requires it
rule_list = [['password', 'totp']]
totp_cred = unit.new_totp_credential(self.user_id, self.project_id)
self.credential_api.create_credential(uuid.uuid4().hex, totp_cred)
totp_cred = self._create_totp_cred()
self._update_user_with_MFA_rules(rule_list=rule_list)
# NOTE(notmorgan): Step forward in time to ensure we're not causing
# issues with revocation events that occur at the same time as the
@ -205,6 +223,27 @@ class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase):
user_domain_id=self.domain_id,
project_id=self.project_id))
def test_MFA_rules_rescope_works_without_token_method_in_rules(self):
rule_list = [['password', 'totp']]
totp_cred = self._create_totp_cred()
self._update_user_with_MFA_rules(rule_list=rule_list)
# NOTE(notmorgan): Step forward in time to ensure we're not causing
# issues with revocation events that occur at the same time as the
# token issuance. This is a bug with the limited resolution that
# tokens and revocation events have.
time = datetime.datetime.utcnow() + datetime.timedelta(seconds=5)
with freezegun.freeze_time(time):
auth_data = self.build_authentication_request(
user_id=self.user_id,
password=self.user['password'],
user_domain_id=self.domain_id,
passcode=totp._generate_totp_passcode(totp_cred['blob']))
r = self.v3_create_token(auth_data)
auth_data = self.build_authentication_request(
token=r.headers.get('X-Subject-Token'),
project_id=self.project_id)
self.v3_create_token(auth_data)
class TestAuthInfo(common_auth.AuthTestMixin, testcase.TestCase):
def setUp(self):
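Review bot: The new test only checks that the rescope call returns; it never asserts that the rescoped token still carries the password and totp methods, which is the property the commit message relies on for the rules to be satisfied without 'token'. Capturing the second response and checking its methods pins that: `r = self.v3_create_token(auth_data)` / `self.assertIn('password', r.json['token']['methods'])` / `self.assertIn('totp', r.json['token']['methods'])`. A docstring such as `"""Rescoping via the token method satisfies MFA rules that omit 'token'."""` would state the intent the test name only hints at. The four-line NOTE(notmorgan) comment is copied verbatim from the earlier test in this class; a one-line pointer to that comment would avoid the duplication.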