Merge "Remove legacy protection tests" into stable/train
commit
55d37716a6
@ -362,6 +362,11 @@ class _DomainAndProjectUserTests(object):
|
|||
self.headers['X-Subject-Token'] = self.token_id
|
||||
c.get('/v3/auth/tokens', headers=self.headers)
|
||||
|
||||
def test_user_can_revoke_their_own_tokens(self):
|
||||
with self.test_client() as c:
|
||||
self.headers['X-Subject-Token'] = self.token_id
|
||||
c.delete('/v3/auth/tokens', headers=self.headers)
|
||||
|
||||
def test_user_cannot_validate_system_scoped_token(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||
|
@ -386,6 +391,30 @@ class _DomainAndProjectUserTests(object):
|
|||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_system_scoped_token(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
user['id'], self.bootstrapper.reader_role_id
|
||||
)
|
||||
|
||||
system_auth = self.build_authentication_request(
|
||||
user_id=user['id'], password=user['password'],
|
||||
system=True
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=system_auth)
|
||||
system_token = r.headers['X-Subject-Token']
|
||||
|
||||
with self.test_client() as c:
|
||||
self.headers['X-Subject-Token'] = system_token
|
||||
c.delete(
|
||||
'/v3/auth/tokens', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_validate_domain_scoped_token(self):
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
|
@ -414,7 +443,35 @@ class _DomainAndProjectUserTests(object):
|
|||
'/v3/auth/tokens', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
pass
|
||||
|
||||
def test_user_cannot_revoke_domain_scoped_token(self):
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
|
||||
user = unit.new_user_ref(domain_id=domain['id'])
|
||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.reader_role_id, user_id=user['id'],
|
||||
domain_id=domain['id']
|
||||
)
|
||||
|
||||
domain_auth = self.build_authentication_request(
|
||||
user_id=user['id'], password=user['password'],
|
||||
domain_id=domain['id']
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=domain_auth)
|
||||
domain_token = r.headers['X-Subject-Token']
|
||||
|
||||
with self.test_client() as c:
|
||||
self.headers['X-Subject-Token'] = domain_token
|
||||
c.delete(
|
||||
'/v3/auth/tokens', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_validate_project_scoped_token(self):
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
|
@ -446,6 +503,36 @@ class _DomainAndProjectUserTests(object):
|
|||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_project_scoped_token(self):
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
uuid.uuid4().hex,
|
||||
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.reader_role_id, user_id=user['id'],
|
||||
project_id=project['id']
|
||||
)
|
||||
|
||||
project_auth = self.build_authentication_request(
|
||||
user_id=user['id'], password=user['password'],
|
||||
project_id=project['id']
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=project_auth)
|
||||
project_token = r.headers['X-Subject-Token']
|
||||
|
||||
with self.test_client() as c:
|
||||
self.headers['X-Subject-Token'] = project_token
|
||||
c.delete(
|
||||
'/v3/auth/tokens', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class DomainUserTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
|
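Review bot: The three `test_user_cannot_revoke_*_scoped_token` methods added in the second, third and fourth hunks assert only that `c.delete('/v3/auth/tokens', ...)` returns FORBIDDEN and never confirm that the target token is still valid afterwards, so an enforcement bug that records the revocation before (or despite) denying the request would still pass. The legacy `TestTokenRevokeSelfAndAdmin` tests removed in the last hunk did check the post-condition with follow-up HEAD calls, so that coverage is lost by this commit. After the forbidden delete I would validate the token with its own credentials, e.g. `c.get('/v3/auth/tokens', headers={'X-Auth-Token': system_token, 'X-Subject-Token': system_token})`, and the equivalent two lines with `domain_token` and `project_token` in the other two tests; this assumes a token owner is permitted to validate their own token, which the own-token `c.get` at the top of the first hunk suggests but the hunks do not prove. The enclosing class `_DomainAndProjectUserTests` begins and continues outside these hunks.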
|
|
@ -2879,110 +2879,6 @@ class TestJWSTokenAPIs(test_v3.RestfulTestCase, TokenAPITests, TokenDataTests):
|
|||
)
|
||||
|
||||
|
||||
class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
||||
"""Test token revoke using v3 Identity API by token owner and admin."""
|
||||
|
||||
def load_sample_data(self):
|
||||
"""Load Sample Data for Test Cases.
|
||||
|
||||
Two domains, domainA and domainB
|
||||
Two users in domainA, userNormalA and userAdminA
|
||||
One user in domainB, userAdminB
|
||||
|
||||
"""
|
||||
super(TestTokenRevokeSelfAndAdmin, self).load_sample_data()
|
||||
# DomainA setup
|
||||
self.domainA = unit.new_domain_ref()
|
||||
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
|
||||
|
||||
self.userAdminA = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainA['id'])
|
||||
|
||||
self.userNormalA = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainA['id'])
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role['id'], user_id=self.userAdminA['id'],
|
||||
domain_id=self.domainA['id']
|
||||
)
|
||||
|
||||
def test_user_revokes_own_token(self):
|
||||
user_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userNormalA['id'],
|
||||
password=self.userNormalA['password'],
|
||||
user_domain_id=self.domainA['id']))
|
||||
self.assertNotEmpty(user_token)
|
||||
headers = {'X-Subject-Token': user_token}
|
||||
|
||||
adminA_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userAdminA['id'],
|
||||
password=self.userAdminA['password'],
|
||||
domain_name=self.domainA['name']))
|
||||
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.OK,
|
||||
token=adminA_token)
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.OK,
|
||||
token=user_token)
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
token=user_token)
|
||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.UNAUTHORIZED,
|
||||
token=user_token)
|
||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.UNAUTHORIZED,
|
||||
token=user_token)
|
||||
# valid X-Auth-Token and invalid X-Subject-Token
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
# valid X-Auth-Token and invalid X-Subject-Token
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
|
||||
def test_adminA_revokes_userA_token(self):
|
||||
user_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userNormalA['id'],
|
||||
password=self.userNormalA['password'],
|
||||
user_domain_id=self.domainA['id']))
|
||||
self.assertNotEmpty(user_token)
|
||||
headers = {'X-Subject-Token': user_token}
|
||||
|
||||
adminA_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userAdminA['id'],
|
||||
password=self.userAdminA['password'],
|
||||
domain_name=self.domainA['name']))
|
||||
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.OK,
|
||||
token=adminA_token)
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.OK,
|
||||
token=user_token)
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
token=adminA_token)
|
||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.UNAUTHORIZED,
|
||||
token=user_token)
|
||||
# valid X-Auth-Token and invalid X-Subject-Token
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
# valid X-Auth-Token and invalid X-Subject-Token
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
|
||||
|
||||
class TestTokenRevokeById(test_v3.RestfulTestCase):
|
||||
"""Test token revocation on the v3 Identity API."""
|
||||
|
||||
|
|