Make AuthWithTrust testable against uuid and fernet

We should make AuthWithTrust something that is tested against both the uuid token provider and the fernet token provider. This helps us move towards making fernet the default token provider. This is an effort to break https://review.openstack.org/#/c/258650 into smaller, more reviewable pieces. Co-Authored-By: Raildo Mascena <raildo@lsd.ufcg.edu.br> Co-Authored-By: Adam Young <ayoung@redhat.com> Change-Id: I0fd2187421fc677e7d422d4b449eec3056a134e9 Partial-Bug: 1561054
2016-07-21 20:38:01 +00:00 · 2016-07-21 20:38:01 +00:00 · b77c5b789f
parent 8a669fabad
commit b77c5b789f
2 changed files with 84 additions and 4 deletions
--- a/keystone/tests/unit/test_auth.py
+++ b/keystone/tests/unit/test_auth.py
@ -18,6 +18,7 @@ import random
 import string
 import uuid

+import freezegun
 import mock
 import oslo_utils.fixture
 from oslo_utils import timeutils
@ -862,7 +863,7 @@ class PKIZAuthWithRemoteUser(AuthWithRemoteUser, AuthTest):
        self.config_fixture.config(group='token', provider='pkiz')


-class AuthWithTrust(AuthTest):
+class AuthWithTrust(object):
    def setUp(self):
        super(AuthWithTrust, self).setUp()

@ -1179,6 +1180,8 @@ class AuthWithTrust(AuthTest):
            self.controller.authenticate, self.make_request(), request_body)

    def test_delete_trust_revokes_token(self):
+        # NOTE(lbragstad): This test doens't really make much sense because we
+        # can't validate trust-scoped tokens against the v2.0 API.
        unscoped_token = self.get_unscoped_token(self.trustor['name'])
        new_trust = self.create_trust(self.sample_data, self.trustor['name'])
        request = self._create_auth_request(
@ -1283,6 +1286,77 @@ class AuthWithTrust(AuthTest):
            self.controller.authenticate, self.make_request(), request_body)


+class UUIDAuthWithTrust(AuthWithTrust, AuthTest):
+
+    def config_overrides(self):
+        super(UUIDAuthWithTrust, self).config_overrides()
+        self.config_fixture.config(group='token', provider='uuid')
+
+    def setUp(self):
+        super(UUIDAuthWithTrust, self).setUp()
+
+
+class FernetAuthWithTrust(AuthWithTrust, AuthTest):
+
+    def config_overrides(self):
+        super(FernetAuthWithTrust, self).config_overrides()
+        self.config_fixture.config(group='token', provider='fernet')
+        self.useFixture(ksfixtures.KeyRepository(self.config_fixture))
+
+    def setUp(self):
+        super(FernetAuthWithTrust, self).setUp()
+
+    def test_delete_tokens_for_user_invalidates_tokens_from_trust(self):
+        # TODO(lbragstad): Rewrite this test to not rely on the persistence
+        # backend. This same test can be exercised through the API.
+        msg = 'The Fernet token provider does not support token persistence'
+        self.skipTest(msg)
+
+    def test_delete_trust_revokes_token(self):
+        # NOTE(lbragstad): This test doens't really make much sense because we
+        # can't validate trust-scoped tokens against the v2.0 API. This was
+        # originally validating that UUID tokens were removed from the backend
+        # when a trust was deleted. Fernet tokens aren't persisted in the
+        # backend, so I guess the equivalent test through the API is to make
+        # sure a trust-scoped token isn't valid after a trust is deleted.
+        unscoped_token = self.get_unscoped_token(self.trustor['name'])
+        new_trust = self.create_trust(self.sample_data, self.trustor['name'])
+        request = self._create_auth_request(
+            unscoped_token['access']['token']['id'])
+        trust_token_resp = self.fetch_v2_token_from_trust(new_trust)
+        trust_scoped_token_id = trust_token_resp['access']['token']['id']
+        # TODO(lbragstad): Make this a valid operation in the future?
+        self.assertRaises(
+            exception.Unauthorized,
+            self.controller.validate_token,
+            self.make_request(is_admin=True),
+            token_id=trust_scoped_token_id
+        )
+        trust_id = new_trust['id']
+        self.trust_controller.delete_trust(request, trust_id=trust_id)
+        self.assertRaises(
+            exception.Unauthorized,
+            self.controller.validate_token,
+            self.make_request(is_admin=True),
+            token_id=trust_scoped_token_id
+        )
+
+    def test_trust_get_token_fails_if_trustee_disabled(self):
+        time = datetime.datetime.utcnow()
+        with freezegun.freeze_time(time) as frozen_time:
+            new_trust = self.create_trust(self.sample_data,
+                                          self.trustor['name'])
+            request_body = self.build_v2_token_request(
+                self.trustee['name'], self.trustee['password'], new_trust)
+            self.disable_user(self.trustee)
+            frozen_time.tick(delta=datetime.timedelta(seconds=1))
+            self.assertRaises(
+                exception.Forbidden,
+                self.controller.authenticate,
+                self.make_request(),
+                request_body)
+
+
 class TokenExpirationTest(AuthTest):

    @mock.patch.object(timeutils, 'utcnow')
@ -1307,7 +1381,10 @@ class TokenExpirationTest(AuthTest):
        r = self.controller.validate_token(
            self.make_request(is_admin=True),
            token_id=unscoped_token_id)
-        self.assertEqual(original_expiration, r['access']['token']['expires'])
+        self.assertEqual(
+            timeutils.parse_isotime(original_expiration),
+            timeutils.parse_isotime(r['access']['token']['expires'])
+        )

        mock_utcnow.return_value = now + datetime.timedelta(seconds=2)

@ -1327,7 +1404,10 @@ class TokenExpirationTest(AuthTest):
        r = self.controller.validate_token(
            self.make_request(is_admin=True),
            token_id=scoped_token_id)
-        self.assertEqual(original_expiration, r['access']['token']['expires'])
+        self.assertEqual(
+            timeutils.parse_isotime(original_expiration),
+            timeutils.parse_isotime(r['access']['token']['expires'])
+        )

    def test_maintain_uuid_token_expiration(self):
        self.config_fixture.config(group='token', provider='uuid')
--- a/keystone/token/providers/fernet/core.py
+++ b/keystone/token/providers/fernet/core.py
@ -168,7 +168,7 @@ class Provider(common.BaseProvider):
            methods.append('token')
        project_id = token_data['access']['token'].get('tenant', {}).get('id')
        domain_id = None
-        trust_id = None
+        trust_id = token_data['access'].get('trust', {}).get('id')
        access_token_id = None
        federated_info = None
        return (user_id, expires_at, audit_ids, methods, domain_id, project_id,