From 7a6c020a549e63fbfebd72e5d945d2b1d5204990 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Fri, 6 Sep 2019 19:03:33 -0700 Subject: [PATCH] Implement system reader for OAUTH1 consumers This change updates the OAUTH1 policies to understand the reader role. This also adds tests for both the system reader and system member users. Change-Id: I330d4d3d7373cdafdce207acb1cbab4e774bac65 Partial-bug: #1805363 --- keystone/common/policies/consumer.py | 32 +++- .../tests/unit/protection/v3/test_consumer.py | 138 ++++++++++++++++++ 2 files changed, 166 insertions(+), 4 deletions(-) create mode 100644 keystone/tests/unit/protection/v3/test_consumer.py diff --git a/keystone/common/policies/consumer.py b/keystone/common/policies/consumer.py index 6f511f2eef..edaf85c0dc 100644 --- a/keystone/common/policies/consumer.py +++ b/keystone/common/policies/consumer.py @@ -10,25 +10,49 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy from keystone.common.policies import base +deprecated_get_consumer = policy.DeprecatedRule( + name=base.IDENTITY % 'get_consumer', + check_str=base.RULE_ADMIN_REQUIRED +) +deprecated_list_consumers = policy.DeprecatedRule( + name=base.IDENTITY % 'list_consumers', + check_str=base.RULE_ADMIN_REQUIRED +) + +DEPRECATED_REASON = """ +As of the Train release, the OAUTH1 consumer API understands how to +handle system-scoped tokens in addition to project tokens, making the API +more accessible to users without compromising security or manageability for +administrators. The new default policies for this API account for these changes +automatically. +""" + consumer_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_consumer', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description='Show OAUTH1 consumer details.', operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}', - 'method': 'GET'}]), + 'method': 'GET'}], + deprecated_rule=deprecated_get_consumer, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_consumers', - check_str=base.RULE_ADMIN_REQUIRED, + check_str=base.SYSTEM_READER, scope_types=['system'], description='List OAUTH1 consumers.', operations=[{'path': '/v3/OS-OAUTH1/consumers', - 'method': 'GET'}]), + 'method': 'GET'}], + deprecated_rule=deprecated_list_consumers, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( name=base.IDENTITY % 'create_consumer', check_str=base.RULE_ADMIN_REQUIRED, diff --git a/keystone/tests/unit/protection/v3/test_consumer.py b/keystone/tests/unit/protection/v3/test_consumer.py new file mode 100644 index 0000000000..639b625675 --- /dev/null +++ b/keystone/tests/unit/protection/v3/test_consumer.py @@ -0,0 +1,138 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import uuid + +from six.moves import http_client + +from keystone.common import provider_api +import keystone.conf +from keystone.tests.common import auth as common_auth +from keystone.tests import unit +from keystone.tests.unit import base_classes +from keystone.tests.unit import ksfixtures + +CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs + + +class _SystemUserOauth1ConsumerTests(object): + """Common default functionality for all system users.""" + + def test_user_can_get_consumer(self): + ref = PROVIDERS.oauth_api.create_consumer( + {'id': uuid.uuid4().hex}) + with self.test_client() as c: + c.get('/v3/OS-OAUTH1/consumers/%s' % ref['id'], + headers=self.headers) + + def test_user_can_list_consumers(self): + PROVIDERS.oauth_api.create_consumer( + {'id': uuid.uuid4().hex}) + with self.test_client() as c: + c.get('/v3/OS-OAUTH1/consumers', + headers=self.headers) + + +class _SystemReaderAndMemberOauth1ConsumerTests(object): + + def test_user_cannot_create_consumer(self): + with self.test_client() as c: + c.post('/v3/OS-OAUTH1/consumers', + json={'consumer': {}}, + expected_status_code=http_client.FORBIDDEN, + headers=self.headers) + + def test_user_cannot_update_consumer(self): + ref = PROVIDERS.oauth_api.create_consumer( + {'id': uuid.uuid4().hex}) + with self.test_client() as c: + c.patch('/v3/OS-OAUTH1/consumers/%s' % ref['id'], + json={'consumer': {'description': uuid.uuid4().hex}}, + expected_status_code=http_client.FORBIDDEN, + headers=self.headers) + + def test_user_cannot_delete_consumer(self): + ref = PROVIDERS.oauth_api.create_consumer( + {'id': uuid.uuid4().hex}) + with self.test_client() as c: + c.delete('/v3/OS-OAUTH1/consumers/%s' % ref['id'], + expected_status_code=http_client.FORBIDDEN, + headers=self.headers) + + +class SystemReaderTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserOauth1ConsumerTests, + _SystemReaderAndMemberOauth1ConsumerTests): + + def setUp(self): + super(SystemReaderTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + system_reader = unit.new_user_ref( + domain_id=CONF.identity.default_domain_id + ) + self.user_id = PROVIDERS.identity_api.create_user( + system_reader + )['id'] + PROVIDERS.assignment_api.create_system_grant_for_user( + self.user_id, self.bootstrapper.reader_role_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, password=system_reader['password'], + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id} + + +class SystemMemberTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserOauth1ConsumerTests, + _SystemReaderAndMemberOauth1ConsumerTests): + + def setUp(self): + super(SystemMemberTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + system_member = unit.new_user_ref( + domain_id=CONF.identity.default_domain_id + ) + self.user_id = PROVIDERS.identity_api.create_user( + system_member + )['id'] + PROVIDERS.assignment_api.create_system_grant_for_user( + self.user_id, self.bootstrapper.member_role_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, password=system_member['password'], + system=True + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id}