
Merge "Remove legacy protection tests" into stable/train

changes/34/705334/1
Zuul Gerrit Code Review 3 weeks ago
parent
commit
55d37716a6
3 changed files with 88 additions and 1670 deletions
  1. +88
    -1
      keystone/tests/protection/v3/test_tokens.py
  2. +0
    -104
      keystone/tests/unit/test_v3_auth.py
  3. +0
    -1565
      keystone/tests/unit/test_v3_protection.py

+ 88
- 1
keystone/tests/protection/v3/test_tokens.py View File

@@ -362,6 +362,11 @@ class _DomainAndProjectUserTests(object):
self.headers['X-Subject-Token'] = self.token_id
c.get('/v3/auth/tokens', headers=self.headers)

def test_user_can_revoke_their_own_tokens(self):
with self.test_client() as c:
self.headers['X-Subject-Token'] = self.token_id
c.delete('/v3/auth/tokens', headers=self.headers)

def test_user_cannot_validate_system_scoped_token(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
@@ -386,6 +391,30 @@ class _DomainAndProjectUserTests(object):
expected_status_code=http_client.FORBIDDEN
)

def test_user_cannot_revoke_system_scoped_token(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']

PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], self.bootstrapper.reader_role_id
)

system_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
system=True
)

with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=system_auth)
system_token = r.headers['X-Subject-Token']

with self.test_client() as c:
self.headers['X-Subject-Token'] = system_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)

def test_user_cannot_validate_domain_scoped_token(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
@@ -414,7 +443,35 @@ class _DomainAndProjectUserTests(object):
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
pass

def test_user_cannot_revoke_domain_scoped_token(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)

user = unit.new_user_ref(domain_id=domain['id'])
user['id'] = PROVIDERS.identity_api.create_user(user)['id']

PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain['id']
)

domain_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
domain_id=domain['id']
)

with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=domain_auth)
domain_token = r.headers['X-Subject-Token']

with self.test_client() as c:
self.headers['X-Subject-Token'] = domain_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)

def test_user_cannot_validate_project_scoped_token(self):
project = PROVIDERS.resource_api.create_project(
@@ -446,6 +503,36 @@ class _DomainAndProjectUserTests(object):
expected_status_code=http_client.FORBIDDEN
)

def test_user_cannot_revoke_project_scoped_token(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)

user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']

PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id']
)

project_auth = self.build_authentication_request(
user_id=user['id'], password=user['password'],
project_id=project['id']
)

with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=project_auth)
project_token = r.headers['X-Subject-Token']

with self.test_client() as c:
self.headers['X-Subject-Token'] = project_token
c.delete(
'/v3/auth/tokens', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)


class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
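Review bot: `test_user_can_revoke_their_own_tokens` stops at the `c.delete(...)` call and never checks that the token is unusable afterwards. The `test_user_revokes_own_token` test removed from `keystone/tests/unit/test_v3_auth.py` in this same commit did check that: it asserted `UNAUTHORIZED` on follow-up requests made with the revoked token and `NOT_FOUND` when the admin token looked it up. Assuming `self.headers` carries that same token as `X-Auth-Token` (its setup is outside the visible hunks), a follow-up inside the same `with` block would keep the guarantee: `c.get('/v3/auth/tokens', headers=self.headers, expected_status_code=http_client.UNAUTHORIZED)`. The three `test_user_cannot_revoke_*_scoped_token` tests have the mirror-image gap, since they assert `FORBIDDEN` on the DELETE but not that the other user's token still validates afterwards. Unless another suite outside this page covers the post-revocation state, this merge reduces coverage of the revocation path rather than just relocating it.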


+ 0
- 104
keystone/tests/unit/test_v3_auth.py View File

@@ -2879,110 +2879,6 @@ class TestJWSTokenAPIs(test_v3.RestfulTestCase, TokenAPITests, TokenDataTests):
)


class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
"""Test token revoke using v3 Identity API by token owner and admin."""

def load_sample_data(self):
"""Load Sample Data for Test Cases.

Two domains, domainA and domainB
Two users in domainA, userNormalA and userAdminA
One user in domainB, userAdminB

"""
super(TestTokenRevokeSelfAndAdmin, self).load_sample_data()
# DomainA setup
self.domainA = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)

self.userAdminA = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id'])

self.userNormalA = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id'])

PROVIDERS.assignment_api.create_grant(
self.role['id'], user_id=self.userAdminA['id'],
domain_id=self.domainA['id']
)

def test_user_revokes_own_token(self):
user_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userNormalA['id'],
password=self.userNormalA['password'],
user_domain_id=self.domainA['id']))
self.assertNotEmpty(user_token)
headers = {'X-Subject-Token': user_token}

adminA_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userAdminA['id'],
password=self.userAdminA['password'],
domain_name=self.domainA['name']))

self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=adminA_token)
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=user_token)
self.delete('/auth/tokens', headers=headers,
token=user_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)

def test_adminA_revokes_userA_token(self):
user_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userNormalA['id'],
password=self.userNormalA['password'],
user_domain_id=self.domainA['id']))
self.assertNotEmpty(user_token)
headers = {'X-Subject-Token': user_token}

adminA_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.userAdminA['id'],
password=self.userAdminA['password'],
domain_name=self.domainA['name']))

self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=adminA_token)
self.head('/auth/tokens', headers=headers,
expected_status=http_client.OK,
token=user_token)
self.delete('/auth/tokens', headers=headers,
token=adminA_token)
# invalid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)
# valid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token)


class TestTokenRevokeById(test_v3.RestfulTestCase):
"""Test token revocation on the v3 Identity API."""



+ 0
- 1565
keystone/tests/unit/test_v3_protection.py
File diff suppressed because it is too large

