Merge "Remove legacy protection tests" into stable/train

Zuul 2020-01-30 06:10:42 +00:00 committed by Gerrit Code Review
commit 55d37716a6
3 changed files with 88 additions and 1670 deletions


@ -362,6 +362,11 @@ class _DomainAndProjectUserTests(object):
self.headers['X-Subject-Token'] = self.token_id
c.get('/v3/auth/tokens', headers=self.headers)
def test_user_can_revoke_their_own_tokens(self):
with self.test_client() as c:
self.headers['X-Subject-Token'] = self.token_id
c.delete('/v3/auth/tokens', headers=self.headers)
def test_user_cannot_validate_system_scoped_token(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
@ -386,6 +391,30 @@ class _DomainAndProjectUserTests(object):
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_revoke_system_scoped_token(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], self.bootstrapper.reader_role_id
)
system_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
system=True
)
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=system_auth)
system_token = r.headers['X-Subject-Token']
with self.test_client() as c:
self.headers['X-Subject-Token'] = system_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_validate_domain_scoped_token(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
@ -414,7 +443,35 @@ class _DomainAndProjectUserTests(object):
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
pass
def test_user_cannot_revoke_domain_scoped_token(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
user = unit.new_user_ref(domain_id=domain['id'])
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain['id']
)
domain_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
domain_id=domain['id']
)
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=domain_auth)
domain_token = r.headers['X-Subject-Token']
with self.test_client() as c:
self.headers['X-Subject-Token'] = domain_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_validate_project_scoped_token(self):
project = PROVIDERS.resource_api.create_project(
@ -446,6 +503,36 @@ class _DomainAndProjectUserTests(object):
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_revoke_project_scoped_token(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id']
)
project_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
project_id=project['id']
)
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=project_auth)
project_token = r.headers['X-Subject-Token']
with self.test_client() as c:
self.headers['X-Subject-Token'] = project_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
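Review bot: `test_user_can_revoke_their_own_tokens` (hunk at line 362) asserts only that the DELETE succeeds and never checks that the token is unusable afterwards, whereas the removed `TestTokenRevokeSelfAndAdmin.test_user_revokes_own_token` followed the revoke with HEAD calls expecting UNAUTHORIZED and NOT_FOUND, so that assertion on post-revocation state is lost by this commit. A follow-up such as `c.get('/v3/auth/tokens', headers=self.headers, expected_status_code=http_client.UNAUTHORIZED)` after the delete would restore it (the auth token and the subject token appear to be the same `self.token_id` here, so validation should fail on the auth token first — confirm against the client's header handling). The three new `test_user_cannot_revoke_*_scoped_token` tests (hunks at 391, 443 and 503) have the mirror-image gap: a 403 shows policy denied the request, but nothing verifies the system/domain/project token is still valid, e.g. `c.get('/v3/auth/tokens', headers={'X-Auth-Token': system_token, 'X-Subject-Token': system_token}, expected_status_code=http_client.OK)`. The `pass` at the end of `test_user_cannot_validate_domain_scoped_token` is a pre-existing context line, but it is dead code after the preceding request call and could be dropped while this block is being touched. The enclosing class `_DomainAndProjectUserTests` starts outside these hunks.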


@ -2879,110 +2879,6 @@ class TestJWSTokenAPIs(test_v3.RestfulTestCase, TokenAPITests, TokenDataTests):
)
class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
"""Test token revoke using v3 Identity API by token owner and admin."""
def load_sample_data(self):
"""Load Sample Data for Test Cases.
Two domains, domainA and domainB
Two users in domainA, userNormalA and userAdminA
One user in domainB, userAdminB
"""
super(TestTokenRevokeSelfAndAdmin, self).load_sample_data()
# DomainA setup
self.domainA = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
self.userAdminA = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id'])
self.userNormalA = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id'])
PROVIDERS.assignment_api.create_grant(
self.role['id'], user_id=self.userAdminA['id'],
domain_id=self.domainA['id']
)
def test_user_revokes_own_token(self):
user_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userNormalA['id'],
password=self.userNormalA['password'],
user_domain_id=self.domainA['id']))
self.assertNotEmpty(user_token)
headers = {'X-Subject-Token': user_token}
adminA_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userAdminA['id'],
password=self.userAdminA['password'],
domain_name=self.domainA['name']))
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=adminA_token)
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=user_token)
self.delete('/auth/tokens', headers=headers,
token=user_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
def test_adminA_revokes_userA_token(self):
user_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userNormalA['id'],
password=self.userNormalA['password'],
user_domain_id=self.domainA['id']))
self.assertNotEmpty(user_token)
headers = {'X-Subject-Token': user_token}
adminA_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userAdminA['id'],
password=self.userAdminA['password'],
domain_name=self.domainA['name']))
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=adminA_token)
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=user_token)
self.delete('/auth/tokens', headers=headers,
token=adminA_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
class TestTokenRevokeById(test_v3.RestfulTestCase):
"""Test token revocation on the v3 Identity API."""
