Merge "Add validation that token method isn't needed in MFARules"
commit
3ace96b96f
|
@ -48,19 +48,38 @@ from keystone.tests.unit import test_v3
|
||||||
CONF = keystone.conf.CONF
|
CONF = keystone.conf.CONF
|
||||||
|
|
||||||
|
|
||||||
class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase):
|
class TestMFARules(test_v3.RestfulTestCase):
|
||||||
def setUp(self):
|
def config_overrides(self):
|
||||||
super(TestMFARules, self).setUp()
|
super(TestMFARules, self).config_overrides()
|
||||||
auth.core.load_auth_methods()
|
self.useFixture(
|
||||||
self.controller = auth.controllers.Auth()
|
ksfixtures.KeyRepository(
|
||||||
self.addCleanup(self.cleanup)
|
self.config_fixture,
|
||||||
|
'fernet_tokens',
|
||||||
|
CONF.fernet_tokens.max_active_keys
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
def cleanup(self):
|
self.useFixture(
|
||||||
totp_creds = self.credential_api.list_credentials_for_user(
|
ksfixtures.KeyRepository(
|
||||||
self.user['id'], type='totp')
|
self.config_fixture,
|
||||||
|
'credential',
|
||||||
|
credential_fernet.MAX_ACTIVE_KEYS
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
for cred in totp_creds:
|
def _create_totp_cred(self):
|
||||||
self.credential_api.delete_credential(cred['id'])
|
totp_cred = unit.new_totp_credential(self.user_id, self.project_id)
|
||||||
|
self.credential_api.create_credential(uuid.uuid4().hex, totp_cred)
|
||||||
|
|
||||||
|
def cleanup(testcase):
|
||||||
|
totp_creds = testcase.credential_api.list_credentials_for_user(
|
||||||
|
testcase.user['id'], type='totp')
|
||||||
|
|
||||||
|
for cred in totp_creds:
|
||||||
|
testcase.credential_api.delete_credential(cred['id'])
|
||||||
|
|
||||||
|
self.addCleanup(cleanup, testcase=self)
|
||||||
|
return totp_cred
|
||||||
|
|
||||||
def auth_plugin_config_override(self, methods=None, **method_classes):
|
def auth_plugin_config_override(self, methods=None, **method_classes):
|
||||||
methods = ['totp', 'token', 'password']
|
methods = ['totp', 'token', 'password']
|
||||||
|
@ -95,8 +114,7 @@ class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase):
|
||||||
# validate that multiple auth-methods function if all are specified
|
# validate that multiple auth-methods function if all are specified
|
||||||
# and the rules requires it
|
# and the rules requires it
|
||||||
rule_list = [['password', 'totp']]
|
rule_list = [['password', 'totp']]
|
||||||
totp_cred = unit.new_totp_credential(self.user_id, self.project_id)
|
totp_cred = self._create_totp_cred()
|
||||||
self.credential_api.create_credential(uuid.uuid4().hex, totp_cred)
|
|
||||||
self._update_user_with_MFA_rules(rule_list=rule_list)
|
self._update_user_with_MFA_rules(rule_list=rule_list)
|
||||||
# NOTE(notmorgan): Step forward in time to ensure we're not causing
|
# NOTE(notmorgan): Step forward in time to ensure we're not causing
|
||||||
# issues with revocation events that occur at the same time as the
|
# issues with revocation events that occur at the same time as the
|
||||||
|
@ -205,6 +223,27 @@ class TestMFARules(test_v3.RestfulTestCase, testcase.TestCase):
|
||||||
user_domain_id=self.domain_id,
|
user_domain_id=self.domain_id,
|
||||||
project_id=self.project_id))
|
project_id=self.project_id))
|
||||||
|
|
||||||
|
def test_MFA_rules_rescope_works_without_token_method_in_rules(self):
|
||||||
|
rule_list = [['password', 'totp']]
|
||||||
|
totp_cred = self._create_totp_cred()
|
||||||
|
self._update_user_with_MFA_rules(rule_list=rule_list)
|
||||||
|
# NOTE(notmorgan): Step forward in time to ensure we're not causing
|
||||||
|
# issues with revocation events that occur at the same time as the
|
||||||
|
# token issuance. This is a bug with the limited resolution that
|
||||||
|
# tokens and revocation events have.
|
||||||
|
time = datetime.datetime.utcnow() + datetime.timedelta(seconds=5)
|
||||||
|
with freezegun.freeze_time(time):
|
||||||
|
auth_data = self.build_authentication_request(
|
||||||
|
user_id=self.user_id,
|
||||||
|
password=self.user['password'],
|
||||||
|
user_domain_id=self.domain_id,
|
||||||
|
passcode=totp._generate_totp_passcode(totp_cred['blob']))
|
||||||
|
r = self.v3_create_token(auth_data)
|
||||||
|
auth_data = self.build_authentication_request(
|
||||||
|
token=r.headers.get('X-Subject-Token'),
|
||||||
|
project_id=self.project_id)
|
||||||
|
self.v3_create_token(auth_data)
|
||||||
|
|
||||||
|
|
||||||
class TestAuthInfo(common_auth.AuthTestMixin, testcase.TestCase):
|
class TestAuthInfo(common_auth.AuthTestMixin, testcase.TestCase):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
|
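Review bot: The new `test_MFA_rules_rescope_works_without_token_method_in_rules` discards the response of its final `self.v3_create_token(auth_data)` call. It therefore shows only that the rescope request is accepted (presumably the helper checks the status code, which is not visible here), not what token comes back. This is the path where a token alone stands in for the `['password', 'totp']` rule, so I would capture the response and assert on it: `r = self.v3_create_token(auth_data)` followed by `self.assertIn('totp', r.result['token']['methods'])`. That would catch a regression that loses the original auth methods on rescope. Separately, `_create_totp_cred` would benefit from a one-line docstring noting that the cleanup it registers deletes every TOTP credential of `self.user`, not only the one it just created.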