Merge "Add checks for token data creep using jsonschema"

Jenkins 2016-01-22 05:49:45 +00:00 committed by Gerrit Code Review
commit 2bfe207536
2 changed files with 71 additions and 7 deletions


@ -25,6 +25,7 @@ import webtest
from keystone import auth from keystone import auth
from keystone.common import authorization from keystone.common import authorization
from keystone.common import cache from keystone.common import cache
from keystone.common.validation import validators
from keystone import exception from keystone import exception
from keystone import middleware from keystone import middleware
from keystone.policy.backends import rules from keystone.policy.backends import rules
@ -534,10 +535,62 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
def assertValidUnscopedTokenResponse(self, r, *args, **kwargs): def assertValidUnscopedTokenResponse(self, r, *args, **kwargs):
token = self.assertValidTokenResponse(r, *args, **kwargs) token = self.assertValidTokenResponse(r, *args, **kwargs)
self.assertNotIn('roles', token) unscoped_properties = {
self.assertNotIn('catalog', token) 'audit_ids': {
self.assertNotIn('project', token) 'type': 'array',
self.assertNotIn('domain', token) 'items': {
'type': 'string',
},
'minItems': 1,
'maxItems': 2,
},
'bind': {
'type': 'object',
'properties': {
'kerberos': {
'type': 'string',
},
},
'required': ['kerberos', ],
'additionalProperties': False,
},
'expires_at': {'type': 'string'},
'issued_at': {'type': 'string'},
'methods': {
'type': 'array',
'items': {
'type': 'string',
},
},
'user': {
'type': 'object',
'required': ['id', 'name', 'domain'],
'properties': {
'id': {'type': 'string'},
'name': {'type': 'string'},
'domain': {
'type': 'object',
'properties': {
'id': {'type': 'string'},
'name': {'type': 'string'}
},
'required': ['id', 'name'],
'additonalProperties': False,
}
},
'additionalProperties': False,
}
}
unscoped_token_schema = {
'type': 'object',
'properties': unscoped_properties,
'required': ['audit_ids', 'expires_at', 'issued_at', 'methods',
'user'],
'optional': ['bind'],
'additionalProperties': False
}
validator_object = validators.SchemaValidator(unscoped_token_schema)
validator_object.validate(token)
return token return token
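Review bot: In `assertValidUnscopedTokenResponse`, the `user.domain` sub-schema spells its keyword `'additonalProperties': False`, so that object is not closed against extra keys. JSON Schema validators ignore unknown keywords (assuming `validators.SchemaValidator` wraps a standard jsonschema validator), so the data-creep check misses extra keys inside the token's user domain; the line should read `'additionalProperties': False,`. The top-level `'optional': ['bind']` is also not a keyword that validator would act on. `bind` is already optional because it is absent from `required`, so that line can be dropped or turned into a comment such as `# 'bind' is optional: present only for bound tokens`.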


@ -481,6 +481,15 @@ class TokenAPITests(object):
self.assertValidProjectScopedTokenResponse(r, is_admin_project=False) self.assertValidProjectScopedTokenResponse(r, is_admin_project=False)
class TokenDataTests(object):
"""Test the data in specific token types."""
def test_unscoped_token_format(self):
# ensure the unscoped token response contains the appropriate data
r = self.get('/auth/tokens', headers=self.headers)
self.assertValidUnscopedTokenResponse(r)
class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase): class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
def config_overrides(self): def config_overrides(self):
super(AllowRescopeScopedTokenDisabledTests, self).config_overrides() super(AllowRescopeScopedTokenDisabledTests, self).config_overrides()
@ -560,7 +569,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
expected_status=http_client.FORBIDDEN) expected_status=http_client.FORBIDDEN)
class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests): class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests, TokenDataTests):
def config_overrides(self): def config_overrides(self):
super(TestPKITokenAPIs, self).config_overrides() super(TestPKITokenAPIs, self).config_overrides()
self.config_fixture.config(group='token', provider='pki') self.config_fixture.config(group='token', provider='pki')
@ -630,7 +639,8 @@ class TestPKIZTokenAPIs(TestPKITokenAPIs):
return cms.pkiz_verify(*args, **kwargs) return cms.pkiz_verify(*args, **kwargs)
class TestUUIDTokenAPIs(test_v3.RestfulTestCase, TokenAPITests): class TestUUIDTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
TokenDataTests):
def config_overrides(self): def config_overrides(self):
super(TestUUIDTokenAPIs, self).config_overrides() super(TestUUIDTokenAPIs, self).config_overrides()
self.config_fixture.config(group='token', provider='uuid') self.config_fixture.config(group='token', provider='uuid')
@ -650,7 +660,8 @@ class TestUUIDTokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
self.assertFalse(cms.is_asn1_token(token_id)) self.assertFalse(cms.is_asn1_token(token_id))
class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests): class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
TokenDataTests):
def config_overrides(self): def config_overrides(self):
super(TestFernetTokenAPIs, self).config_overrides() super(TestFernetTokenAPIs, self).config_overrides()
self.config_fixture.config(group='token', provider='fernet') self.config_fixture.config(group='token', provider='fernet')
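Review bot: `TokenDataTests.test_unscoped_token_format` only checks the unscoped format if `self.headers` carries an unscoped token, and nothing in the visible hunks sets or states that. The mixin derives from `object` and also relies on `self.get` and `assertValidUnscopedTokenResponse` from the concrete test case it is combined with. I would state both in the class docstring and replace the inline comment with something like `# self.headers must hold the X-Subject-Token of an unscoped token (set in the concrete class's setup)`. Where `self.headers` is assigned lies outside this section, so confirm that each of the PKI, UUID and Fernet classes sets it to an unscoped token.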