diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index fcdd88b42b..c17cda8222 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -48,19 +48,38 @@ from keystone.tests.unit import test_v3 CONF = keystone.conf.CONF -class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase): - def setUp(self): - super(TestMFARules, self).setUp() - auth.core.load_auth_methods() - self.controller = auth.controllers.Auth() - self.addCleanup(self.cleanup) +class TestMFARules(test_v3.RestfulTestCase): + def config_overrides(self): + super(TestMFARules, self).config_overrides() + self.useFixture( + ksfixtures.KeyRepository( + self.config_fixture, + 'fernet_tokens', + CONF.fernet_tokens.max_active_keys + ) + ) - def cleanup(self): - totp_creds = self.credential_api.list_credentials_for_user( - self.user['id'], type='totp') + self.useFixture( + ksfixtures.KeyRepository( + self.config_fixture, + 'credential', + credential_fernet.MAX_ACTIVE_KEYS + ) + ) - for cred in totp_creds: - self.credential_api.delete_credential(cred['id']) + def _create_totp_cred(self): + totp_cred = unit.new_totp_credential(self.user_id, self.project_id) + self.credential_api.create_credential(uuid.uuid4().hex, totp_cred) + + def cleanup(testcase): + totp_creds = testcase.credential_api.list_credentials_for_user( + testcase.user['id'], type='totp') + + for cred in totp_creds: + testcase.credential_api.delete_credential(cred['id']) + + self.addCleanup(cleanup, testcase=self) + return totp_cred def auth_plugin_config_override(self, methods=None, **method_classes): methods = ['totp', 'token', 'password'] @@ -95,8 +114,7 @@ class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase): # validate that multiple auth-methods function if all are specified # and the rules requires it rule_list = [['password', 'totp']] - totp_cred = unit.new_totp_credential(self.user_id, self.project_id) - self.credential_api.create_credential(uuid.uuid4().hex, totp_cred) + totp_cred = self._create_totp_cred() self._update_user_with_MFA_rules(rule_list=rule_list) # NOTE(notmorgan): Step forward in time to ensure we're not causing # issues with revocation events that occur at the same time as the @@ -205,6 +223,27 @@ class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase): user_domain_id=self.domain_id, project_id=self.project_id)) + def test_MFA_rules_rescope_works_without_token_method_in_rules(self): + rule_list = [['password', 'totp']] + totp_cred = self._create_totp_cred() + self._update_user_with_MFA_rules(rule_list=rule_list) + # NOTE(notmorgan): Step forward in time to ensure we're not causing + # issues with revocation events that occur at the same time as the + # token issuance. This is a bug with the limited resolution that + # tokens and revocation events have. + time = datetime.datetime.utcnow() + datetime.timedelta(seconds=5) + with freezegun.freeze_time(time): + auth_data = self.build_authentication_request( + user_id=self.user_id, + password=self.user['password'], + user_domain_id=self.domain_id, + passcode=totp._generate_totp_passcode(totp_cred['blob'])) + r = self.v3_create_token(auth_data) + auth_data = self.build_authentication_request( + token=r.headers.get('X-Subject-Token'), + project_id=self.project_id) + self.v3_create_token(auth_data) + class TestAuthInfo(common_auth.AuthTestMixin, testcase.TestCase): def setUp(self):