Merge "Add validity check of 'expires_at' in trust creation"
commit
2bb4593266
|
@ -99,6 +99,15 @@ class ValidationTimeStampError(Error):
|
|||
title = 'Bad Request'
|
||||
|
||||
|
||||
class ValidationExpirationError(Error):
|
||||
message_format = _("The 'expires_at' must not be before now."
|
||||
" The server could not comply with the request"
|
||||
" since it is either malformed or otherwise"
|
||||
" incorrect. The client is assumed to be in error.")
|
||||
code = 400
|
||||
title = 'Bad Request'
|
||||
|
||||
|
||||
class StringLengthExceeded(ValidationError):
|
||||
message_format = _("String length exceeded.The length of"
|
||||
" string '%(string)s' exceeded the limit"
|
||||
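Review bot: `ValidationExpirationError` derives from `Error` and repeats `code = 400` and `title = 'Bad Request'`, whereas `StringLengthExceeded` just below derives from `ValidationError`. A handler written for `ValidationError` will therefore not catch a rejected `expires_at`, even though it is an input-validation failure like its neighbours. If `ValidationError` already carries the 400 status (its definition is outside this hunk), `class ValidationExpirationError(ValidationError):` with only `message_format` overridden would be shorter and consistent. If the parallel with `ValidationTimeStampError(Error)` is intentional, a short class docstring such as `"""Raised when a trust's 'expires_at' is already in the past."""` would record when it is raised.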
|
|
|
@ -893,6 +893,12 @@ class AuthWithTrust(AuthTest):
|
|||
self.create_trust, self.sample_data,
|
||||
self.trustor['name'], expires_at="Z")
|
||||
|
||||
def test_create_trust_expires_older_than_now(self):
|
||||
self.assertRaises(exception.ValidationExpirationError,
|
||||
self.create_trust, self.sample_data,
|
||||
self.trustor['name'],
|
||||
expires_at="2010-06-04T08:44:31.999999Z")
|
||||
|
||||
def test_create_trust_without_project_id(self):
|
||||
"""Verify that trust can be created without project id and
|
||||
token can be generated with that trust.
|
||||
|
@ -1096,13 +1102,19 @@ class AuthWithTrust(AuthTest):
|
|||
self.controller.authenticate, {}, request_body)
|
||||
|
||||
def test_expired_trust_get_token_fails(self):
|
||||
expiry = "1999-02-18T10:10:00Z"
|
||||
expires_at = timeutils.strtime(timeutils.utcnow() +
|
||||
datetime.timedelta(minutes=5),
|
||||
fmt=TIME_FORMAT)
|
||||
time_expired = timeutils.utcnow() + datetime.timedelta(minutes=10)
|
||||
new_trust = self.create_trust(self.sample_data, self.trustor['name'],
|
||||
expiry)
|
||||
request_body = self.build_v2_token_request('TWO', 'two2', new_trust)
|
||||
self.assertRaises(
|
||||
exception.Forbidden,
|
||||
self.controller.authenticate, {}, request_body)
|
||||
expires_at)
|
||||
with mock.patch.object(timeutils, 'utcnow') as mock_now:
|
||||
mock_now.return_value = time_expired
|
||||
request_body = self.build_v2_token_request('TWO', 'two2',
|
||||
new_trust)
|
||||
self.assertRaises(
|
||||
exception.Forbidden,
|
||||
self.controller.authenticate, {}, request_body)
|
||||
|
||||
def test_token_from_trust_with_wrong_role_fails(self):
|
||||
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
|
||||
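Review bot: In `test_expired_trust_get_token_fails` the only assertion runs under the patched clock, so the test passes whenever `authenticate` raises `Forbidden` for any reason, not only because the trust has expired. A positive control before the `with mock.patch.object(timeutils, 'utcnow')` block would pin the cause: build the same request with `self.build_v2_token_request('TWO', 'two2', new_trust)` and check that `self.controller.authenticate({}, request_body)` succeeds while the trust is still valid. Separately, `test_create_trust_expires_older_than_now` in the earlier hunk only uses a date years in the past. A case with `expires_at` a second or two before a mocked `utcnow` would cover the boundary of the new check.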
|
|
|
@ -3272,26 +3272,6 @@ class TestTrustAuth(test_v3.RestfulTestCase):
|
|||
role_names=[uuid.uuid4().hex])
|
||||
self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404)
|
||||
|
||||
def test_create_expired_trust(self):
|
||||
ref = self.new_trust_ref(
|
||||
trustor_user_id=self.user_id,
|
||||
trustee_user_id=self.trustee_user_id,
|
||||
project_id=self.project_id,
|
||||
expires=dict(seconds=-1),
|
||||
role_ids=[self.role_id])
|
||||
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
|
||||
trust = self.assertValidTrustResponse(r, ref)
|
||||
|
||||
self.get('/OS-TRUST/trusts/%(trust_id)s' % {
|
||||
'trust_id': trust['id']},
|
||||
expected_status=404)
|
||||
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id=self.trustee_user['id'],
|
||||
password=self.trustee_user['password'],
|
||||
trust_id=trust['id'])
|
||||
self.v3_authenticate_token(auth_data, expected_status=401)
|
||||
|
||||
def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
|
||||
ref = self.new_trust_ref(
|
||||
trustor_user_id=self.user_id,
|
||||
|
|
|
@ -205,9 +205,12 @@ class TrustV3(controller.V3Controller):
|
|||
if not expiration_date.endswith('Z'):
|
||||
expiration_date += 'Z'
|
||||
try:
|
||||
return timeutils.parse_isotime(expiration_date)
|
||||
expiration_time = timeutils.parse_isotime(expiration_date)
|
||||
except ValueError:
|
||||
raise exception.ValidationTimeStampError()
|
||||
if timeutils.is_older_than(expiration_time, 0):
|
||||
raise exception.ValidationExpirationError()
|
||||
return expiration_time
|
||||
|
||||
def _check_role_for_trust(self, context, trust_id, role_id):
|
||||
"""Checks if a role has been assigned to a trust."""
|
||||
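Review bot: The past-expiry rejection is added only to the `TrustV3` controller's date-parsing helper, so it guards trust creation only for requests that pass through this method. Whether any other caller can reach the trust backend without it is not visible in this hunk; if one can, the check belongs in the manager layer so it cannot be bypassed. The helper also now has two failure modes but no note saying so (its signature and any docstring start outside the hunk). A comment above the new check would help, for example `# Reject an expires_at already in the past; expiry is still enforced when the trust is used.` It would also be worth confirming that `timeutils.is_older_than` accepts the timezone-aware value returned by `parse_isotime`, since that helper's body is not shown here.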
|
|