Merge "Add validity check of 'expires_at' in trust creation"

Jenkins 2015-06-11 11:20:24 +00:00 committed by Gerrit Code Review
commit 2bb4593266
4 changed files with 31 additions and 27 deletions


@ -99,6 +99,15 @@ class ValidationTimeStampError(Error):
title = 'Bad Request'
class ValidationExpirationError(Error):
message_format = _("The 'expires_at' must not be before now."
" The server could not comply with the request"
" since it is either malformed or otherwise"
" incorrect. The client is assumed to be in error.")
code = 400
title = 'Bad Request'
class StringLengthExceeded(ValidationError):
message_format = _("String length exceeded.The length of"
" string '%(string)s' exceeded the limit"
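Review bot: `ValidationExpirationError` subclasses `Error` directly, so code that handles `exception.ValidationError` will not see this new 400; that matches `ValidationTimeStampError(Error)` in the hunk header but differs from `StringLengthExceeded(ValidationError)` just below. Whether any caller catches `ValidationError` is not visible here, so this is something to confirm rather than a certain defect. A one-line docstring such as `"""Raised when a trust's 'expires_at' is already in the past at creation time."""` would also record when the class is meant to be raised. `StringLengthExceeded` continues outside the hunk.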


@ -893,6 +893,12 @@ class AuthWithTrust(AuthTest):
self.create_trust, self.sample_data,
self.trustor['name'], expires_at="Z")
def test_create_trust_expires_older_than_now(self):
self.assertRaises(exception.ValidationExpirationError,
self.create_trust, self.sample_data,
self.trustor['name'],
expires_at="2010-06-04T08:44:31.999999Z")
def test_create_trust_without_project_id(self):
"""Verify that trust can be created without project id and
token can be generated with that trust.
@ -1096,13 +1102,19 @@ class AuthWithTrust(AuthTest):
self.controller.authenticate, {}, request_body)
def test_expired_trust_get_token_fails(self):
expiry = "1999-02-18T10:10:00Z"
expires_at = timeutils.strtime(timeutils.utcnow() +
datetime.timedelta(minutes=5),
fmt=TIME_FORMAT)
time_expired = timeutils.utcnow() + datetime.timedelta(minutes=10)
new_trust = self.create_trust(self.sample_data, self.trustor['name'],
expiry)
request_body = self.build_v2_token_request('TWO', 'two2', new_trust)
self.assertRaises(
exception.Forbidden,
self.controller.authenticate, {}, request_body)
expires_at)
with mock.patch.object(timeutils, 'utcnow') as mock_now:
mock_now.return_value = time_expired
request_body = self.build_v2_token_request('TWO', 'two2',
new_trust)
self.assertRaises(
exception.Forbidden,
self.controller.authenticate, {}, request_body)
def test_token_from_trust_with_wrong_role_fails(self):
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
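Review bot: Expiry enforcement at use time is now tested only on the v2 path. `test_expired_trust_get_token_fails` moves the clock with `mock.patch.object(timeutils, 'utcnow')` before calling `self.controller.authenticate`, while the same commit deletes the v3 `test_create_expired_trust`, which asserted a 404 on `/OS-TRUST/trusts/%(trust_id)s` and a 401 from `v3_authenticate_token` for an expired trust. Since creation now refuses past dates, a v3 test that creates a trust with a short future `expires`, patches `timeutils.utcnow` past it and repeats those two assertions would keep that check covered; no such replacement is visible on this page. A boundary case next to the fixed 2010 timestamp in `test_create_trust_expires_older_than_now`, for example an `expires_at` a few seconds in the past, would also pin the comparison. The test class continues outside both hunks.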


@ -3272,26 +3272,6 @@ class TestTrustAuth(test_v3.RestfulTestCase):
role_names=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404)
def test_create_expired_trust(self):
ref = self.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
expires=dict(seconds=-1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
self.get('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=404)
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
self.v3_authenticate_token(auth_data, expected_status=401)
def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
ref = self.new_trust_ref(
trustor_user_id=self.user_id,


@ -205,9 +205,12 @@ class TrustV3(controller.V3Controller):
if not expiration_date.endswith('Z'):
expiration_date += 'Z'
try:
return timeutils.parse_isotime(expiration_date)
expiration_time = timeutils.parse_isotime(expiration_date)
except ValueError:
raise exception.ValidationTimeStampError()
if timeutils.is_older_than(expiration_time, 0):
raise exception.ValidationExpirationError()
return expiration_time
def _check_role_for_trust(self, context, trust_id, role_id):
"""Checks if a role has been assigned to a trust."""
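Review bot: The new `timeutils.is_older_than(expiration_time, 0)` check carries no comment saying that it is creation-time input validation against the server clock, not the control that stops an expired trust from being used. A trust accepted here can expire a moment later, so the expiry check at token issuance has to stay in place. A comment such as `# Reject trusts that are already expired at creation; expiry is still enforced when the trust is used.` above the `if` would make that explicit. With a tolerance of 0 the outcome depends on the clock of whichever node handles the request, which seems acceptable but is worth stating in the same comment. The enclosing method starts before the hunk, so its name and docstring are not visible here.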