Fix sample policy to allow user to check own token
The sample policy files (policy.json and policy.v3cloudsample.json) wouldn't allow a user to check or validate their own token. Change-Id: I8853d2b8c5aabea03564a33df7daddb969fcd4b3 Closes-Bug: 1421825
parent
3c9e2e5c83
commit
6808486135
|
@ -6,6 +6,7 @@
|
||||||
"admin_or_owner": "rule:admin_required or rule:owner",
|
"admin_or_owner": "rule:admin_required or rule:owner",
|
||||||
"token_subject": "user_id:%(target.token.user_id)s",
|
"token_subject": "user_id:%(target.token.user_id)s",
|
||||||
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
|
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
|
"default": "rule:admin_required",
|
"default": "rule:admin_required",
|
@ -88,8 +89,8 @@
|
||||||
"identity:update_policy": "rule:admin_required",
|
"identity:update_policy": "rule:admin_required",
|
||||||
"identity:delete_policy": "rule:admin_required",
|
"identity:delete_policy": "rule:admin_required",
"identity:check_token": "rule:admin_required",
|
"identity:check_token": "rule:admin_or_token_subject",
|
||||||
"identity:validate_token": "rule:service_or_admin",
|
"identity:validate_token": "rule:service_admin_or_token_subject",
|
||||||
"identity:validate_token_head": "rule:service_or_admin",
|
"identity:validate_token_head": "rule:service_or_admin",
|
||||||
"identity:revocation_list": "rule:service_or_admin",
|
"identity:revocation_list": "rule:service_or_admin",
|
||||||
"identity:revoke_token": "rule:admin_or_token_subject",
|
"identity:revoke_token": "rule:admin_or_token_subject",
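Review bot: `identity:validate_token_head` on the context line right after the changed `validate_token` rule stays at `rule:service_or_admin`, so a non-admin user can now validate their own token through `validate_token` while a request routed through `validate_token_head` is still refused; if that rule guards the HEAD form of the same v3 operation it should move with it, `"identity:validate_token_head": "rule:service_admin_or_token_subject",`, and if it is a separate (v2) operation the commit message should state why it stays service/admin-only. The new `service_admin_or_token_subject` rule is scoped the same way as the existing `admin_or_token_subject`: `token_subject` matches `target.token.user_id`, so the subject token must belong to the caller, which the untouched `test_user_validate_other_user_token_rejected` test keeps covered. Presumably the GET validate path returns the token body rather than only a status, so this sample now exposes more to a self-validating user than `check_token` does; that is reasonable for the token's own subject but worth a line in the description since operators copy these samples.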
@ -7,6 +7,7 @@
|
||||||
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
|
||||||
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
|
"admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
|
||||||
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
|
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"service_admin_or_owner": "rule:service_or_admin or rule:owner",
|
"default": "rule:admin_required",
|
"default": "rule:admin_required",
@ -100,7 +101,7 @@
"identity:change_password": "rule:owner",
|
"identity:change_password": "rule:owner",
|
||||||
"identity:check_token": "rule:admin_or_owner",
|
"identity:check_token": "rule:admin_or_owner",
|
||||||
"identity:validate_token": "rule:service_or_admin",
|
"identity:validate_token": "rule:service_admin_or_owner",
|
||||||
"identity:validate_token_head": "rule:service_or_admin",
|
"identity:validate_token_head": "rule:service_or_admin",
|
||||||
"identity:revocation_list": "rule:service_or_admin",
|
"identity:revocation_list": "rule:service_or_admin",
|
||||||
"identity:revoke_token": "rule:admin_or_owner",
|
"identity:revoke_token": "rule:admin_or_owner",
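Review bot: The new `service_admin_or_owner` rule pairs `rule:owner` with the unscoped `rule:service_or_admin`, whereas the neighbouring `identity:check_token` and `identity:revoke_token` use `admin_or_owner`, which in this file restricts admins to the domain of the token's user (`(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner`). An admin of an unrelated domain can therefore validate (GET) a token it is not permitted to check (HEAD) or revoke; that asymmetry predates this commit, but the new rule is the natural place to close it. If `service_or_admin` is defined elsewhere in the file as `rule:service_role or rule:admin_required`, then `"service_admin_or_owner": "rule:service_role or rule:admin_or_owner",` would keep the domain scoping on the GET path while still letting a user validate their own token; the definitions of `owner` and `service_or_admin` are outside this hunk, so confirm them before changing.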
@ -224,6 +224,7 @@ class PolicyJsonTestCase(tests.TestCase):
|
||||||
tests.dirs.etc('policy.v3cloudsample.json'))
|
tests.dirs.etc('policy.v3cloudsample.json'))
policy_extra_keys = ['admin_or_token_subject',
|
policy_extra_keys = ['admin_or_token_subject',
'service_admin_or_token_subject',
|
||||||
'token_subject', ]
|
'token_subject', ]
|
||||||
expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
|
expected_policy_keys = list(cloud_policy_keys) + policy_extra_keys
|
||||||
diffs = set(policy_keys).difference(set(expected_policy_keys))
|
diffs = set(policy_keys).difference(set(expected_policy_keys))
@ -391,23 +391,18 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
|
||||||
# Given a non-admin user token, the token can be used to validate
|
# Given a non-admin user token, the token can be used to validate
|
||||||
# itself.
|
# itself.
|
||||||
# This is GET /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
# This is GET /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
||||||
# FIXME(blk-u): This test fails, a user can't validate their own token,
# see bug 1421825.
auth = self.build_authentication_request(
|
auth = self.build_authentication_request(
|
||||||
user_id=self.just_a_user['id'],
|
user_id=self.just_a_user['id'],
|
||||||
password=self.just_a_user['password'])
|
password=self.just_a_user['password'])
|
||||||
token = self.get_requested_token(auth)
|
token = self.get_requested_token(auth)
# FIXME(blk-u): remove expected_status=403.
self.get('/auth/tokens', token=token,
|
self.get('/auth/tokens', token=token,
|
||||||
headers={'X-Subject-Token': token}, expected_status=403)
|
headers={'X-Subject-Token': token})
def test_user_validate_user_token(self):
|
def test_user_validate_user_token(self):
|
||||||
# A user can validate one of their own tokens.
|
# A user can validate one of their own tokens.
|
||||||
# This is GET /v3/auth/tokens
|
# This is GET /v3/auth/tokens
|
||||||
# FIXME(blk-u): This test fails, a user can't validate their own token,
# see bug 1421825.
auth = self.build_authentication_request(
|
auth = self.build_authentication_request(
|
||||||
user_id=self.just_a_user['id'],
|
user_id=self.just_a_user['id'],
@ -415,9 +410,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
token1 = self.get_requested_token(auth)
|
token1 = self.get_requested_token(auth)
|
||||||
token2 = self.get_requested_token(auth)
|
token2 = self.get_requested_token(auth)
# FIXME(blk-u): remove expected_status=403.
self.get('/auth/tokens', token=token1,
|
self.get('/auth/tokens', token=token1,
|
||||||
headers={'X-Subject-Token': token2}, expected_status=403)
|
headers={'X-Subject-Token': token2})
def test_user_validate_other_user_token_rejected(self):
|
def test_user_validate_other_user_token_rejected(self):
|
||||||
# A user cannot validate another user's token.
|
# A user cannot validate another user's token.
@ -458,23 +452,18 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
# Given a non-admin user token, the token can be used to check
|
# Given a non-admin user token, the token can be used to check
|
||||||
# itself.
|
# itself.
|
||||||
# This is HEAD /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
# This is HEAD /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
# FIXME(blk-u): This test fails, a user can't check the same token,
# see bug 1421825.
auth = self.build_authentication_request(
|
auth = self.build_authentication_request(
|
||||||
user_id=self.just_a_user['id'],
|
user_id=self.just_a_user['id'],
|
||||||
password=self.just_a_user['password'])
|
password=self.just_a_user['password'])
|
||||||
token = self.get_requested_token(auth)
|
token = self.get_requested_token(auth)
# FIXME(blk-u): change to expected_status=200
self.head('/auth/tokens', token=token,
|
self.head('/auth/tokens', token=token,
|
||||||
headers={'X-Subject-Token': token}, expected_status=403)
|
headers={'X-Subject-Token': token}, expected_status=200)
def test_user_check_user_token(self):
|
def test_user_check_user_token(self):
|
||||||
# A user can check one of their own tokens.
|
# A user can check one of their own tokens.
|
||||||
# This is HEAD /v3/auth/tokens
|
# This is HEAD /v3/auth/tokens
|
||||||
# FIXME(blk-u): This test fails, a user can't check the same token,
# see bug 1421825.
auth = self.build_authentication_request(
|
auth = self.build_authentication_request(
|
||||||
user_id=self.just_a_user['id'],
|
user_id=self.just_a_user['id'],
@ -482,9 +471,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
token1 = self.get_requested_token(auth)
|
token1 = self.get_requested_token(auth)
|
||||||
token2 = self.get_requested_token(auth)
|
token2 = self.get_requested_token(auth)
# FIXME(blk-u): change to expected_status=200
self.head('/auth/tokens', token=token1,
|
self.head('/auth/tokens', token=token1,
|
||||||
headers={'X-Subject-Token': token2}, expected_status=403)
|
headers={'X-Subject-Token': token2}, expected_status=200)
def test_user_check_other_user_token_rejected(self):
|
def test_user_check_other_user_token_rejected(self):
|
||||||
# A user cannot check another user's token.
|
# A user cannot check another user's token.
@ -976,23 +964,18 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
# Given a non-admin user token, the token can be used to validate
|
# Given a non-admin user token, the token can be used to validate
|
||||||
# itself.
|
# itself.
|
||||||
# This is GET /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
# This is GET /v3/auth/tokens, with X-Auth-Token == X-Subject-Token
|
||||||
# FIXME(blk-u): This test fails, a user can't validate their own token,
# see bug 1421825.
auth = self.build_authentication_request(
|
auth = self.build_authentication_request(
|
||||||
user_id=self.just_a_user['id'],
|
user_id=self.just_a_user['id'],
|
||||||
password=self.just_a_user['password'])
|
password=self.just_a_user['password'])
|
||||||
token = self.get_requested_token(auth)
|
token = self.get_requested_token(auth)
# FIXME(blk-u): remove expected_status=403.
self.get('/auth/tokens', token=token,
|
self.get('/auth/tokens', token=token,
|
||||||
headers={'X-Subject-Token': token}, expected_status=403)
|
headers={'X-Subject-Token': token})
def test_user_validate_user_token(self):
|
def test_user_validate_user_token(self):
|
||||||
# A user can validate one of their own tokens.
|
# A user can validate one of their own tokens.
|
||||||
# This is GET /v3/auth/tokens
|
# This is GET /v3/auth/tokens
|
||||||
# FIXME(blk-u): This test fails, a user can't validate their own token,
# see bug 1421825.
auth = self.build_authentication_request(
|
auth = self.build_authentication_request(
|
||||||
user_id=self.just_a_user['id'],
|
user_id=self.just_a_user['id'],
@ -1000,9 +983,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
token1 = self.get_requested_token(auth)
|
token1 = self.get_requested_token(auth)
|
||||||
token2 = self.get_requested_token(auth)
|
token2 = self.get_requested_token(auth)
# FIXME(blk-u): remove expected_status=403.
self.get('/auth/tokens', token=token1,
|
self.get('/auth/tokens', token=token1,
|
||||||
headers={'X-Subject-Token': token2}, expected_status=403)
|
headers={'X-Subject-Token': token2})
def test_user_validate_other_user_token_rejected(self):
|
def test_user_validate_other_user_token_rejected(self):
|
||||||
# A user cannot validate another user's token.
|
# A user cannot validate another user's token.
|
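Review bot: The GET self-validation calls on the new side (`self.get('/auth/tokens', token=token, headers={'X-Subject-Token': token})`) drop `expected_status` entirely and rely on the helper's default, while the matching HEAD checks in the same file pass `expected_status=200` explicitly; adding `expected_status=200` to the four GET calls would make the positive expectation visible and consistent. These tests also only prove the request is authorized, not that the right token was validated; capturing the response and asserting its user id, along the lines of `r = self.get(...)` followed by `self.assertEqual(self.just_a_user['id'], r.json['token']['user']['id'])`, would catch a policy that accidentally matches on the wrong attribute (the exact response accessor depends on the test base class, which is outside this hunk). Each test method begins before its hunk. The unchanged `*_other_user_token_rejected` tests are the negative controls that make this loosening safe and should stay as they are.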