Remove legacy protection tests

This commit removes a bunch of tests that were originally written to
test the policy.v3cloudsample.json policy file. Now that we've
implemented system-scope, default roles, and removed the
policy.v3cloudsample.json policy file, we can remove these tests.

This commit also ports some token revocation tests over to the
protection test suite so we have full coverage from
TestTokenRevokeSelfAndAdmin.

Change-Id: Ie0c0b48d240b118f7b491d164e5c1a203ebb31e8
Lance Bragstad 2019-10-02 21:07:27 +00:00
parent d4a6023de5
commit 5f5f10630c
3 changed files with 88 additions and 1670 deletions


@ -362,6 +362,11 @@ class _DomainAndProjectUserTests(object):
self.headers['X-Subject-Token'] = self.token_id
c.get('/v3/auth/tokens', headers=self.headers)
def test_user_can_revoke_their_own_tokens(self):
with self.test_client() as c:
self.headers['X-Subject-Token'] = self.token_id
c.delete('/v3/auth/tokens', headers=self.headers)
def test_user_cannot_validate_system_scoped_token(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
@ -386,6 +391,30 @@ class _DomainAndProjectUserTests(object):
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_revoke_system_scoped_token(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], self.bootstrapper.reader_role_id
)
system_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
system=True
)
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=system_auth)
system_token = r.headers['X-Subject-Token']
with self.test_client() as c:
self.headers['X-Subject-Token'] = system_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_validate_domain_scoped_token(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
@ -414,7 +443,35 @@ class _DomainAndProjectUserTests(object):
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
pass
def test_user_cannot_revoke_domain_scoped_token(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
user = unit.new_user_ref(domain_id=domain['id'])
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain['id']
)
domain_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
domain_id=domain['id']
)
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=domain_auth)
domain_token = r.headers['X-Subject-Token']
with self.test_client() as c:
self.headers['X-Subject-Token'] = domain_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_validate_project_scoped_token(self):
project = PROVIDERS.resource_api.create_project(
@ -446,6 +503,36 @@ class _DomainAndProjectUserTests(object):
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_revoke_project_scoped_token(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id']
)
project_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
project_id=project['id']
)
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=project_auth)
project_token = r.headers['X-Subject-Token']
with self.test_client() as c:
self.headers['X-Subject-Token'] = project_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
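Review bot: `test_user_can_revoke_their_own_tokens` (first hunk) stops at the DELETE and never checks that the token is unusable afterwards, so it would still pass if revocation reported success without taking effect. The removed `test_user_revokes_own_token` followed the revoke with a HEAD using the revoked token and expected 401; unless the third changed file (its diff is not shown on this page) covers that, the port is narrower than the "full coverage" the description claims. Assuming `self.headers` also carries this token as `X-Auth-Token`, add after the delete: `c.get('/v3/auth/tokens', headers=self.headers, expected_status_code=http_client.UNAUTHORIZED)`. The three `test_user_cannot_revoke_*_scoped_token` tests in the later hunks likewise end at the 403 without confirming, from the token owner's side, that the target token is still valid. The enclosing class `_DomainAndProjectUserTests` starts and ends outside these hunks.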


@ -2879,110 +2879,6 @@ class TestJWSTokenAPIs(test_v3.RestfulTestCase, TokenAPITests, TokenDataTests):
)
class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
"""Test token revoke using v3 Identity API by token owner and admin."""
def load_sample_data(self):
"""Load Sample Data for Test Cases.
Two domains, domainA and domainB
Two users in domainA, userNormalA and userAdminA
One user in domainB, userAdminB
"""
super(TestTokenRevokeSelfAndAdmin, self).load_sample_data()
# DomainA setup
self.domainA = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
self.userAdminA = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id'])
self.userNormalA = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id'])
PROVIDERS.assignment_api.create_grant(
self.role['id'], user_id=self.userAdminA['id'],
domain_id=self.domainA['id']
)
def test_user_revokes_own_token(self):
user_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userNormalA['id'],
password=self.userNormalA['password'],
user_domain_id=self.domainA['id']))
self.assertNotEmpty(user_token)
headers = {'X-Subject-Token': user_token}
adminA_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userAdminA['id'],
password=self.userAdminA['password'],
domain_name=self.domainA['name']))
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=adminA_token)
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=user_token)
self.delete('/auth/tokens', headers=headers,
token=user_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
def test_adminA_revokes_userA_token(self):
user_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userNormalA['id'],
password=self.userNormalA['password'],
user_domain_id=self.domainA['id']))
self.assertNotEmpty(user_token)
headers = {'X-Subject-Token': user_token}
adminA_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userAdminA['id'],
password=self.userAdminA['password'],
domain_name=self.domainA['name']))
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=adminA_token)
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=user_token)
self.delete('/auth/tokens', headers=headers,
token=adminA_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
class TestTokenRevokeById(test_v3.RestfulTestCase):
"""Test token revocation on the v3 Identity API."""

File diff suppressed because it is too large Load Diff