Merge "Add checks for token data creep using jsonschema"

Jenkins 2016-01-22 05:49:45 +00:00 committed by Gerrit Code Review
commit 2bfe207536
2 changed files with 71 additions and 7 deletions


@ -25,6 +25,7 @@ import webtest
from keystone import auth
from keystone.common import authorization
from keystone.common import cache
from keystone.common.validation import validators
from keystone import exception
from keystone import middleware
from keystone.policy.backends import rules
@ -534,10 +535,62 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
def assertValidUnscopedTokenResponse(self, r, *args, **kwargs):
token = self.assertValidTokenResponse(r, *args, **kwargs)
self.assertNotIn('roles', token)
self.assertNotIn('catalog', token)
self.assertNotIn('project', token)
self.assertNotIn('domain', token)
unscoped_properties = {
'audit_ids': {
'type': 'array',
'items': {
'type': 'string',
},
'minItems': 1,
'maxItems': 2,
},
'bind': {
'type': 'object',
'properties': {
'kerberos': {
'type': 'string',
},
},
'required': ['kerberos', ],
'additionalProperties': False,
},
'expires_at': {'type': 'string'},
'issued_at': {'type': 'string'},
'methods': {
'type': 'array',
'items': {
'type': 'string',
},
},
'user': {
'type': 'object',
'required': ['id', 'name', 'domain'],
'properties': {
'id': {'type': 'string'},
'name': {'type': 'string'},
'domain': {
'type': 'object',
'properties': {
'id': {'type': 'string'},
'name': {'type': 'string'}
},
'required': ['id', 'name'],
'additonalProperties': False,
}
},
'additionalProperties': False,
}
}
unscoped_token_schema = {
'type': 'object',
'properties': unscoped_properties,
'required': ['audit_ids', 'expires_at', 'issued_at', 'methods',
'user'],
'optional': ['bind'],
'additionalProperties': False
}
validator_object = validators.SchemaValidator(unscoped_token_schema)
validator_object.validate(token)
return token
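Review bot: In `unscoped_properties`, the nested `user.domain` schema spells its closing key `'additonalProperties': False`. A misspelled keyword is most likely ignored by the validator, so unexpected fields inside `user.domain` would still pass, which is the data creep this assertion is meant to catch. The line should read `'additionalProperties': False,`. The top-level `'optional': ['bind']` in `unscoped_token_schema` is, as far as I can tell, also not a keyword the validator recognises. `bind` is already optional because it is absent from `required`, so that entry could become a comment such as `# 'bind' is optional: listed in properties but not in required`.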


@ -481,6 +481,15 @@ class TokenAPITests(object):
self.assertValidProjectScopedTokenResponse(r, is_admin_project=False)
class TokenDataTests(object):
"""Test the data in specific token types."""
def test_unscoped_token_format(self):
# ensure the unscoped token response contains the appropriate data
r = self.get('/auth/tokens', headers=self.headers)
self.assertValidUnscopedTokenResponse(r)
class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
def config_overrides(self):
super(AllowRescopeScopedTokenDisabledTests, self).config_overrides()
@ -560,7 +569,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
expected_status=http_client.FORBIDDEN)
class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests, TokenDataTests):
def config_overrides(self):
super(TestPKITokenAPIs, self).config_overrides()
self.config_fixture.config(group='token', provider='pki')
@ -630,7 +639,8 @@ class TestPKIZTokenAPIs(TestPKITokenAPIs):
return cms.pkiz_verify(*args, **kwargs)
class TestUUIDTokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
class TestUUIDTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
TokenDataTests):
def config_overrides(self):
super(TestUUIDTokenAPIs, self).config_overrides()
self.config_fixture.config(group='token', provider='uuid')
@ -650,7 +660,8 @@ class TestUUIDTokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
self.assertFalse(cms.is_asn1_token(token_id))
class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
TokenDataTests):
def config_overrides(self):
super(TestFernetTokenAPIs, self).config_overrides()
self.config_fixture.config(group='token', provider='fernet')
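Review bot: `TokenDataTests` calls `self.get` and reads `self.headers` in `test_unscoped_token_format` but defines neither, and nothing in the class says so. The test is only meaningful if `self.headers` names an unscoped token as the subject, which is presumably set up by `TokenAPITests`, since every class that gains `TokenDataTests` here also lists it. I would extend the class docstring to state that dependency, e.g. `"""Test the data in specific token types. Mixin; the host test case must provide get() and a headers dict whose subject token is unscoped."""`. The inline `#` comment in the test could then become the method's docstring.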