Merge "Remove legacy protection tests" into stable/train
commit
55d37716a6
|
@ -362,6 +362,11 @@ class _DomainAndProjectUserTests(object):
|
||||||
self.headers['X-Subject-Token'] = self.token_id
|
self.headers['X-Subject-Token'] = self.token_id
|
||||||
c.get('/v3/auth/tokens', headers=self.headers)
|
c.get('/v3/auth/tokens', headers=self.headers)
|
||||||
|
|
||||||
|
def test_user_can_revoke_their_own_tokens(self):
|
||||||
|
with self.test_client() as c:
|
||||||
|
self.headers['X-Subject-Token'] = self.token_id
|
||||||
|
c.delete('/v3/auth/tokens', headers=self.headers)
|
||||||
|
|
||||||
def test_user_cannot_validate_system_scoped_token(self):
|
def test_user_cannot_validate_system_scoped_token(self):
|
||||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||||
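Review bot: `test_user_can_revoke_their_own_tokens`, added in this hunk, only issues the DELETE with no `expected_status_code` and never checks that the token is actually unusable afterwards, so a revocation path that answered successfully without invalidating anything would still pass (whatever status the test client checks by default). The legacy `test_user_revokes_own_token` that this commit deletes did make that follow-up assertion, expecting UNAUTHORIZED once the revoked token is presented as both X-Auth-Token and X-Subject-Token, and that coverage is lost here. Consider adding after the delete `c.get('/v3/auth/tokens', headers=self.headers, expected_status_code=http_client.UNAUTHORIZED)`; whether UNAUTHORIZED or NOT_FOUND is right depends on how the validation path treats the now-revoked X-Auth-Token in `self.headers`, so confirm against the legacy expectations before pinning it. The three `test_user_cannot_revoke_*_scoped_token` methods added in the later hunks have the mirror-image gap: after the FORBIDDEN response nothing re-validates the target token to show the rejected request had no side effect.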
|
@ -386,6 +391,30 @@ class _DomainAndProjectUserTests(object):
|
||||||
expected_status_code=http_client.FORBIDDEN
|
expected_status_code=http_client.FORBIDDEN
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_user_cannot_revoke_system_scoped_token(self):
|
||||||
|
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
|
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||||
|
|
||||||
|
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||||
|
user['id'], self.bootstrapper.reader_role_id
|
||||||
|
)
|
||||||
|
|
||||||
|
system_auth = self.build_authentication_request(
|
||||||
|
user_id=user['id'], password=user['password'],
|
||||||
|
system=True
|
||||||
|
)
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
r = c.post('/v3/auth/tokens', json=system_auth)
|
||||||
|
system_token = r.headers['X-Subject-Token']
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
self.headers['X-Subject-Token'] = system_token
|
||||||
|
c.delete(
|
||||||
|
'/v3/auth/tokens', headers=self.headers,
|
||||||
|
expected_status_code=http_client.FORBIDDEN
|
||||||
|
)
|
||||||
|
|
||||||
def test_user_cannot_validate_domain_scoped_token(self):
|
def test_user_cannot_validate_domain_scoped_token(self):
|
||||||
domain = PROVIDERS.resource_api.create_domain(
|
domain = PROVIDERS.resource_api.create_domain(
|
||||||
uuid.uuid4().hex, unit.new_domain_ref()
|
uuid.uuid4().hex, unit.new_domain_ref()
|
||||||
|
@ -414,7 +443,35 @@ class _DomainAndProjectUserTests(object):
|
||||||
'/v3/auth/tokens', headers=self.headers,
|
'/v3/auth/tokens', headers=self.headers,
|
||||||
expected_status_code=http_client.FORBIDDEN
|
expected_status_code=http_client.FORBIDDEN
|
||||||
)
|
)
|
||||||
pass
|
|
||||||
|
def test_user_cannot_revoke_domain_scoped_token(self):
|
||||||
|
domain = PROVIDERS.resource_api.create_domain(
|
||||||
|
uuid.uuid4().hex, unit.new_domain_ref()
|
||||||
|
)
|
||||||
|
|
||||||
|
user = unit.new_user_ref(domain_id=domain['id'])
|
||||||
|
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||||
|
|
||||||
|
PROVIDERS.assignment_api.create_grant(
|
||||||
|
self.bootstrapper.reader_role_id, user_id=user['id'],
|
||||||
|
domain_id=domain['id']
|
||||||
|
)
|
||||||
|
|
||||||
|
domain_auth = self.build_authentication_request(
|
||||||
|
user_id=user['id'], password=user['password'],
|
||||||
|
domain_id=domain['id']
|
||||||
|
)
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
r = c.post('/v3/auth/tokens', json=domain_auth)
|
||||||
|
domain_token = r.headers['X-Subject-Token']
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
self.headers['X-Subject-Token'] = domain_token
|
||||||
|
c.delete(
|
||||||
|
'/v3/auth/tokens', headers=self.headers,
|
||||||
|
expected_status_code=http_client.FORBIDDEN
|
||||||
|
)
|
||||||
|
|
||||||
def test_user_cannot_validate_project_scoped_token(self):
|
def test_user_cannot_validate_project_scoped_token(self):
|
||||||
project = PROVIDERS.resource_api.create_project(
|
project = PROVIDERS.resource_api.create_project(
|
||||||
|
@ -446,6 +503,36 @@ class _DomainAndProjectUserTests(object):
|
||||||
expected_status_code=http_client.FORBIDDEN
|
expected_status_code=http_client.FORBIDDEN
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_user_cannot_revoke_project_scoped_token(self):
|
||||||
|
project = PROVIDERS.resource_api.create_project(
|
||||||
|
uuid.uuid4().hex,
|
||||||
|
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
|
)
|
||||||
|
|
||||||
|
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||||
|
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||||
|
|
||||||
|
PROVIDERS.assignment_api.create_grant(
|
||||||
|
self.bootstrapper.reader_role_id, user_id=user['id'],
|
||||||
|
project_id=project['id']
|
||||||
|
)
|
||||||
|
|
||||||
|
project_auth = self.build_authentication_request(
|
||||||
|
user_id=user['id'], password=user['password'],
|
||||||
|
project_id=project['id']
|
||||||
|
)
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
r = c.post('/v3/auth/tokens', json=project_auth)
|
||||||
|
project_token = r.headers['X-Subject-Token']
|
||||||
|
|
||||||
|
with self.test_client() as c:
|
||||||
|
self.headers['X-Subject-Token'] = project_token
|
||||||
|
c.delete(
|
||||||
|
'/v3/auth/tokens', headers=self.headers,
|
||||||
|
expected_status_code=http_client.FORBIDDEN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
class DomainUserTests(base_classes.TestCaseWithBootstrap,
|
class DomainUserTests(base_classes.TestCaseWithBootstrap,
|
||||||
common_auth.AuthTestMixin,
|
common_auth.AuthTestMixin,
|
||||||
|
|
|
@ -2879,110 +2879,6 @@ class TestJWSTokenAPIs(test_v3.RestfulTestCase, TokenAPITests, TokenDataTests):
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
|
||||||
"""Test token revoke using v3 Identity API by token owner and admin."""
|
|
||||||
|
|
||||||
def load_sample_data(self):
|
|
||||||
"""Load Sample Data for Test Cases.
|
|
||||||
|
|
||||||
Two domains, domainA and domainB
|
|
||||||
Two users in domainA, userNormalA and userAdminA
|
|
||||||
One user in domainB, userAdminB
|
|
||||||
|
|
||||||
"""
|
|
||||||
super(TestTokenRevokeSelfAndAdmin, self).load_sample_data()
|
|
||||||
# DomainA setup
|
|
||||||
self.domainA = unit.new_domain_ref()
|
|
||||||
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
|
|
||||||
|
|
||||||
self.userAdminA = unit.create_user(PROVIDERS.identity_api,
|
|
||||||
domain_id=self.domainA['id'])
|
|
||||||
|
|
||||||
self.userNormalA = unit.create_user(PROVIDERS.identity_api,
|
|
||||||
domain_id=self.domainA['id'])
|
|
||||||
|
|
||||||
PROVIDERS.assignment_api.create_grant(
|
|
||||||
self.role['id'], user_id=self.userAdminA['id'],
|
|
||||||
domain_id=self.domainA['id']
|
|
||||||
)
|
|
||||||
|
|
||||||
def test_user_revokes_own_token(self):
|
|
||||||
user_token = self.get_requested_token(
|
|
||||||
self.build_authentication_request(
|
|
||||||
user_id=self.userNormalA['id'],
|
|
||||||
password=self.userNormalA['password'],
|
|
||||||
user_domain_id=self.domainA['id']))
|
|
||||||
self.assertNotEmpty(user_token)
|
|
||||||
headers = {'X-Subject-Token': user_token}
|
|
||||||
|
|
||||||
adminA_token = self.get_requested_token(
|
|
||||||
self.build_authentication_request(
|
|
||||||
user_id=self.userAdminA['id'],
|
|
||||||
password=self.userAdminA['password'],
|
|
||||||
domain_name=self.domainA['name']))
|
|
||||||
|
|
||||||
self.head('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.OK,
|
|
||||||
token=adminA_token)
|
|
||||||
self.head('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.OK,
|
|
||||||
token=user_token)
|
|
||||||
self.delete('/auth/tokens', headers=headers,
|
|
||||||
token=user_token)
|
|
||||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
|
||||||
self.head('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.UNAUTHORIZED,
|
|
||||||
token=user_token)
|
|
||||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
|
||||||
self.delete('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.UNAUTHORIZED,
|
|
||||||
token=user_token)
|
|
||||||
# valid X-Auth-Token and invalid X-Subject-Token
|
|
||||||
self.delete('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.NOT_FOUND,
|
|
||||||
token=adminA_token)
|
|
||||||
# valid X-Auth-Token and invalid X-Subject-Token
|
|
||||||
self.head('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.NOT_FOUND,
|
|
||||||
token=adminA_token)
|
|
||||||
|
|
||||||
def test_adminA_revokes_userA_token(self):
|
|
||||||
user_token = self.get_requested_token(
|
|
||||||
self.build_authentication_request(
|
|
||||||
user_id=self.userNormalA['id'],
|
|
||||||
password=self.userNormalA['password'],
|
|
||||||
user_domain_id=self.domainA['id']))
|
|
||||||
self.assertNotEmpty(user_token)
|
|
||||||
headers = {'X-Subject-Token': user_token}
|
|
||||||
|
|
||||||
adminA_token = self.get_requested_token(
|
|
||||||
self.build_authentication_request(
|
|
||||||
user_id=self.userAdminA['id'],
|
|
||||||
password=self.userAdminA['password'],
|
|
||||||
domain_name=self.domainA['name']))
|
|
||||||
|
|
||||||
self.head('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.OK,
|
|
||||||
token=adminA_token)
|
|
||||||
self.head('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.OK,
|
|
||||||
token=user_token)
|
|
||||||
self.delete('/auth/tokens', headers=headers,
|
|
||||||
token=adminA_token)
|
|
||||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
|
||||||
self.head('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.UNAUTHORIZED,
|
|
||||||
token=user_token)
|
|
||||||
# valid X-Auth-Token and invalid X-Subject-Token
|
|
||||||
self.delete('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.NOT_FOUND,
|
|
||||||
token=adminA_token)
|
|
||||||
# valid X-Auth-Token and invalid X-Subject-Token
|
|
||||||
self.head('/auth/tokens', headers=headers,
|
|
||||||
expected_status=http_client.NOT_FOUND,
|
|
||||||
token=adminA_token)
|
|
||||||
|
|
||||||
|
|
||||||
class TestTokenRevokeById(test_v3.RestfulTestCase):
|
class TestTokenRevokeById(test_v3.RestfulTestCase):
|
||||||
"""Test token revocation on the v3 Identity API."""
|
"""Test token revocation on the v3 Identity API."""
|
||||||
|
|
||||||
|
|