
Re-enable line-length linter

In 09088690 we mistakenly added E501 to the flake8 ignore list. Since
then, many new violations have been introduced. This patch re-enables
the check and corrects all violations, except in some cases like unit
test names where the subunit output would suffer if we attempted to
shorten the function name.

This may appear to be a pointless no-op that messes with
git-blameability, and it is, but the reason to do this is that if PEP8
violations are introduced in master and then backported to a stable
branch, most stable branches will fail the pep8 job since the flake8
ignore list is correct for those branches. Rather than loosening the
check in older branches or requiring those backports to fix the linter
errors independently of what's been merged in master, we should fix it
now so that we don't introduce more errors in the future and patches can
more easily be backported.

Change-Id: I9f71926105eb448bb0200201d1838b67d4963cd6
changes/59/689559/3
Colleen Murphy 2 years ago
e2d83ae95d
35 changed files with 597 additions and 417 deletions
  1. +5
    -5
      keystone/api/credentials.py
  2. +11
    -8
      keystone/api/trusts.py
  3. +6
    -3
      keystone/application_credential/backends/sql.py
  4. +2
    -1
      keystone/cmd/bootstrap.py
  5. +4
    -4
      keystone/common/policies/endpoint_group.py
  6. +19
    -9
      keystone/common/policies/grant.py
  7. +20
    -19
      keystone/common/policies/policy_association.py
  8. +8
    -4
      keystone/common/policies/trust.py
  9. +2
    -1
      keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py
  10. +2
    -1
      keystone/common/sql/expand_repo/versions/064_expand_add_remote_id_attribute_to_federation_protocol_table.py
  11. +3
    -2
      keystone/conf/memcache.py
  12. +7
    -5
      keystone/federation/utils.py
  13. +1
    -1
      keystone/receipt/receipt_formatters.py
  14. +50
    -26
      keystone/tests/protection/v3/test_access_rules.py
  15. +3
    -3
      keystone/tests/protection/v3/test_assignment.py
  16. +78
    -48
      keystone/tests/protection/v3/test_domain_config.py
  17. +6
    -3
      keystone/tests/protection/v3/test_domain_roles.py
  18. +22
    -12
      keystone/tests/protection/v3/test_ec2_credential.py
  19. +82
    -41
      keystone/tests/protection/v3/test_endpoint_group.py
  20. +89
    -88
      keystone/tests/protection/v3/test_grants.py
  21. +2
    -1
      keystone/tests/protection/v3/test_policy.py
  22. +4
    -4
      keystone/tests/protection/v3/test_policy_association.py
  23. +16
    -8
      keystone/tests/protection/v3/test_project_endpoint.py
  24. +2
    -1
      keystone/tests/protection/v3/test_system_assignments.py
  25. +3
    -3
      keystone/tests/protection/v3/test_trusts.py
  26. +6
    -3
      keystone/tests/unit/application_credential/test_backends.py
  27. +2
    -1
      keystone/tests/unit/resource/test_backends.py
  28. +8
    -4
      keystone/tests/unit/test_cli.py
  29. +7
    -7
      keystone/tests/unit/test_sql_upgrade.py
  30. +99
    -78
      keystone/tests/unit/test_v3_application_credential.py
  31. +2
    -1
      keystone/tests/unit/test_v3_auth.py
  32. +23
    -19
      keystone/tests/unit/token/test_fernet_provider.py
  33. +1
    -1
      keystone/token/token_formatters.py
  34. +1
    -1
      tools/fast8.sh
  35. +1
    -1
      tox.ini

+ 5
- 5
keystone/api/credentials.py View File

@ -139,8 +139,8 @@ class CredentialResource(ks_flask.ResourceBase):
trust_id = getattr(self.oslo_context, 'trust_id', None)
ref = self._assign_unique_id(
self._normalize_dict(credential), trust_id=trust_id)
ref = PROVIDERS.credential_api.create_credential(ref['id'], ref,
initiator=self.audit_initiator)
ref = PROVIDERS.credential_api.create_credential(
ref['id'], ref, initiator=self.audit_initiator)
return self.wrap_member(ref), http_client.CREATED
def patch(self, credential_id):
@ -165,9 +165,9 @@ class CredentialResource(ks_flask.ResourceBase):
build_target=_build_target_enforcement
)
return (PROVIDERS.credential_api.delete_credential(credential_id,
initiator=self.audit_initiator),
http_client.NO_CONTENT)
return (PROVIDERS.credential_api.delete_credential(
credential_id, initiator=self.audit_initiator),
http_client.NO_CONTENT)
class CredentialAPI(ks_flask.APIBase):


+ 11
- 8
keystone/api/trusts.py View File

@ -228,12 +228,13 @@ class TrustResource(ks_flask.ResourceBase):
# rule check_str is ""
if isinstance(rules, op_checks.TrueCheck):
LOG.warning(
"The policy check string for rule \"identity:list_trusts\" has been overridden "
"to \"always true\". In the next release, this will cause the "
"\"identity:list_trusts\" action to be fully permissive as hardcoded "
"enforcement will be removed. To correct this issue, either stop overriding the "
"\"identity:list_trusts\" rule in config to accept the defaults, or explicitly "
"set a rule that is not empty."
"The policy check string for rule \"identity:list_trusts\" "
"has been overridden to \"always true\". In the next release, "
"this will cause the \"identity:list_trusts\" action to be "
"fully permissive as hardcoded enforcement will be removed. "
"To correct this issue, either stop overriding the "
"\"identity:list_trusts\" rule in config to accept the "
"defaults, or explicitly set a rule that is not empty."
)
if not flask.request.args:
# NOTE(morgan): Admin can list all trusts.
@ -242,9 +243,11 @@ class TrustResource(ks_flask.ResourceBase):
if not flask.request.args:
trusts += PROVIDERS.trust_api.list_trusts()
elif trustor_user_id:
trusts += PROVIDERS.trust_api.list_trusts_for_trustor(trustor_user_id)
trusts += PROVIDERS.trust_api.list_trusts_for_trustor(
trustor_user_id)
elif trustee_user_id:
trusts += PROVIDERS.trust_api.list_trusts_for_trustee(trustee_user_id)
trusts += PROVIDERS.trust_api.list_trusts_for_trustee(
trustee_user_id)
for trust in trusts:
# get_trust returns roles, list_trusts does not


+ 6
- 3
keystone/application_credential/backends/sql.py View File

@ -143,7 +143,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase):
access_rule_ref = session.query(AccessRuleModel).filter_by(
external_id=access_rule['id']).first()
if not access_rule_ref:
access_rule_ref = session.query(AccessRuleModel).filter_by(
query = session.query(AccessRuleModel)
access_rule_ref = query.filter_by(
user_id=app_cred['user_id'],
service=access_rule['service'],
path=access_rule['path'],
@ -154,7 +155,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase):
for k, v in access_rule.items()})
access_rule_ref['user_id'] = app_cred['user_id']
session.add(access_rule_ref)
app_cred_access_rule = ApplicationCredentialAccessRuleModel()
app_cred_access_rule = (
ApplicationCredentialAccessRuleModel())
app_cred_access_rule.application_credential = ref
app_cred_access_rule.access_rule = access_rule_ref
session.add(app_cred_access_rule)
@ -253,7 +255,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase):
access_rule_id=access_rule_id)
session.delete(ref)
except AssertionError:
raise exception.ForbiddenNotSecurity("May not delete access rule in use")
raise exception.ForbiddenNotSecurity(
"May not delete access rule in use")
def delete_access_rules_for_user(self, user_id):
with sql.session_for_write() as session:


+ 2
- 1
keystone/cmd/bootstrap.py View File

@ -127,7 +127,8 @@ class Bootstrapper(object):
"bootstrap command in the future.You can opt into "
"this behavior by using the --immutable-role "
"flag, or update role %(role)s with the "
"'immutable' resource option.", {'role': role_name})
"'immutable' resource option.",
{'role': role_name})
return role
except exception.Conflict:
LOG.info('Role %s exists, skipping creation.', role_name)


+ 4
- 4
keystone/common/policies/endpoint_group.py View File

@ -25,12 +25,12 @@ deprecated_get_endpoint_group = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_list_projects_associated_with_endpoint_group = policy.DeprecatedRule(
deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule(
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_list_endpoints_associated_with_endpoint_group = policy.DeprecatedRule(
deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule(
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
)
@ -142,7 +142,7 @@ group_endpoint_policies = [
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/projects'),
'method': 'GET'}],
deprecated_rule=deprecated_list_projects_associated_with_endpoint_group,
deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -153,7 +153,7 @@ group_endpoint_policies = [
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/endpoints'),
'method': 'GET'}],
deprecated_rule=deprecated_list_endpoints_associated_with_endpoint_group,
deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(


+ 19
- 9
keystone/common/policies/grant.py View File

@ -27,12 +27,18 @@ DOMAIN_MATCHES_USER_DOMAIN = 'domain_id:%(target.user.domain_id)s'
DOMAIN_MATCHES_GROUP_DOMAIN = 'domain_id:%(target.group.domain_id)s'
DOMAIN_MATCHES_PROJECT_DOMAIN = 'domain_id:%(target.project.domain_id)s'
DOMAIN_MATCHES_TARGET_DOMAIN = 'domain_id:%(target.domain.id)s'
DOMAIN_MATCHES_ROLE = 'domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s'
DOMAIN_MATCHES_ROLE = (
'domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s'
)
GRANTS_DOMAIN_READER = (
'(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
'(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
)
SYSTEM_READER_OR_DOMAIN_READER = (
'(' + base.SYSTEM_READER + ') or '
@ -45,10 +51,14 @@ SYSTEM_READER_OR_DOMAIN_READER_LIST = (
)
GRANTS_DOMAIN_ADMIN = (
'(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
'(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
'(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
)
SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
'(' + base.SYSTEM_ADMIN + ') or '
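Review bot: The reflow of GRANTS_DOMAIN_READER in the first hunk (and GRANTS_DOMAIN_ADMIN in the second) splits the literal `' and '` into `' and'` with a lone `' '` on the following line, so the separator now relies on implicit adjacent-string concatenation sitting between `+` operators. These constants are the authorization check strings themselves, so a later edit that drops the stray `' '` or turns that line break into a comma would change the rule silently rather than fail the linter. Breaking at the `+` keeps each token intact and reads the same, e.g. `'(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' +` followed by `DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '`. If no existing unit test pins the composed value of these two constants, one that compares them against the expected full check string would make this reflow, and any future one, verifiable.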


+ 20
- 19
keystone/common/policies/policy_association.py View File

@ -19,17 +19,17 @@ from keystone.common.policies import base
# System-scoped tokens should be required to manage policy associations to
# existing system-level resources.
deprecated_check_policy_association_for_endpoint = policy.DeprecatedRule(
deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'check_policy_association_for_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_check_policy_association_for_service = policy.DeprecatedRule(
deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
name=base.IDENTITY % 'check_policy_association_for_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_check_policy_association_for_region_and_service = policy.DeprecatedRule(
deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
name=base.IDENTITY % 'check_policy_association_for_region_and_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
@ -44,38 +44,39 @@ deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_create_policy_association_for_endpoint = policy.DeprecatedRule(
deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'create_policy_association_for_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_delete_policy_association_for_endpoint = policy.DeprecatedRule(
deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_policy_association_for_endpoint',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_create_policy_association_for_service = policy.DeprecatedRule(
deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
name=base.IDENTITY % 'create_policy_association_for_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_delete_policy_association_for_service = policy.DeprecatedRule(
deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_policy_association_for_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_create_policy_association_for_region_and_service = policy.DeprecatedRule(
deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
name=base.IDENTITY % 'create_policy_association_for_region_and_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedRule(
deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
check_str=base.RULE_ADMIN_REQUIRED,
)
DEPRECATED_REASON = (
"The policy association API is now aware of system scope and default roles."
"The policy association API is now aware of system scope and default "
"roles."
)
policy_association_policies = [
@ -87,7 +88,7 @@ policy_association_policies = [
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints/{endpoint_id}'),
'method': 'PUT'}],
deprecated_rule=deprecated_create_policy_association_for_endpoint,
deprecated_rule=deprecated_create_policy_assoc_for_endpoint,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -101,7 +102,7 @@ policy_association_policies = [
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints/{endpoint_id}'),
'method': 'HEAD'}],
deprecated_rule=deprecated_check_policy_association_for_endpoint,
deprecated_rule=deprecated_check_policy_assoc_for_endpoint,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -112,7 +113,7 @@ policy_association_policies = [
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'endpoints/{endpoint_id}'),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_policy_association_for_endpoint,
deprecated_rule=deprecated_delete_policy_assoc_for_endpoint,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -123,7 +124,7 @@ policy_association_policies = [
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}'),
'method': 'PUT'}],
deprecated_rule=deprecated_create_policy_association_for_service,
deprecated_rule=deprecated_create_policy_assoc_for_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -137,7 +138,7 @@ policy_association_policies = [
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}'),
'method': 'HEAD'}],
deprecated_rule=deprecated_check_policy_association_for_service,
deprecated_rule=deprecated_check_policy_assoc_for_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -148,7 +149,7 @@ policy_association_policies = [
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}'),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_policy_association_for_service,
deprecated_rule=deprecated_delete_policy_assoc_for_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -161,7 +162,7 @@ policy_association_policies = [
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}/regions/{region_id}'),
'method': 'PUT'}],
deprecated_rule=deprecated_create_policy_association_for_region_and_service,
deprecated_rule=deprecated_create_policy_assoc_for_region_and_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -175,7 +176,7 @@ policy_association_policies = [
{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}/regions/{region_id}'),
'method': 'HEAD'}],
deprecated_rule=deprecated_check_policy_association_for_region_and_service,
deprecated_rule=deprecated_check_policy_assoc_for_region_and_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
@ -187,7 +188,7 @@ policy_association_policies = [
operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
'services/{service_id}/regions/{region_id}'),
'method': 'DELETE'}],
deprecated_rule=deprecated_delete_policy_association_for_region_and_service,
deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(


+ 8
- 4
keystone/common/policies/trust.py View File

@ -77,18 +77,22 @@ trust_policies = [
check_str=SYSTEM_READER_OR_TRUSTOR,
scope_types=['system', 'project'],
description='List trusts for trustor.',
operations=[{'path': '/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}',
operations=[{'path': '/v3/OS-TRUST/trusts?'
'trustor_user_id={trustor_user_id}',
'method': 'GET'},
{'path': '/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}',
{'path': '/v3/OS-TRUST/trusts?'
'trustor_user_id={trustor_user_id}',
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_trusts_for_trustee',
check_str=SYSTEM_READER_OR_TRUSTEE,
scope_types=['system', 'project'],
description='List trusts for trustee.',
operations=[{'path': '/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}',
operations=[{'path': '/v3/OS-TRUST/trusts?'
'trustee_user_id={trustee_user_id}',
'method': 'GET'},
{'path': '/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}',
{'path': '/v3/OS-TRUST/trusts?'
'trustee_user_id={trustee_user_id}',
'method': 'HEAD'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_roles_for_trust',


+ 2
- 1
keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py View File

@ -19,7 +19,8 @@ def upgrade(migrate_engine):
meta = sql.MetaData()
meta.bind = migrate_engine
application_credential = sql.Table('application_credential', meta, autoload=True)
application_credential = sql.Table(
'application_credential', meta, autoload=True)
access_rule = sql.Table(
'access_rule', meta,
sql.Column('id', sql.Integer, primary_key=True, nullable=False),


+ 2
- 1
keystone/common/sql/expand_repo/versions/064_expand_add_remote_id_attribute_to_federation_protocol_table.py View File

@ -17,6 +17,7 @@ def upgrade(migrate_engine):
meta = sql.MetaData()
meta.bind = migrate_engine
federation_protocol_table = sql.Table('federation_protocol', meta, autoload=True)
federation_protocol_table = sql.Table(
'federation_protocol', meta, autoload=True)
remote_id_attribute = sql.Column('remote_id_attribute', sql.String(64))
federation_protocol_table.create_column(remote_id_attribute)

+ 3
- 2
keystone/conf/memcache.py View File

@ -29,8 +29,9 @@ socket_timeout = cfg.IntOpt(
default=3,
deprecated_for_removal=True,
deprecated_reason='This option is duplicated with oslo.cache. '
'Configure ``keystone.conf [cache] memcache_socket_timeout`` '
'option to set the socket_timeout of memcached instead. ',
'Configure ``keystone.conf [cache] '
'memcache_socket_timeout`` option to set the '
'socket_timeout of memcached instead. ',
deprecated_since=versionutils.deprecated.TRAIN,
help=utils.fmt("""
Timeout in seconds for every call to a server. This is used by the key value


+ 7
- 5
keystone/federation/utils.py View File

@ -285,15 +285,16 @@ def validate_expiration(token):
def get_remote_id_parameter(idp, protocol):
# NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
# retrieve the remote_id_attribute of the protocol ID. It will look up first
# if the remote_id_attribute exists.
# retrieve the remote_id_attribute of the protocol ID. It will look up
# first if the remote_id_attribute exists.
protocol_ref = PROVIDERS.federation_api.get_protocol(idp['id'], protocol)
remote_id_parameter = protocol_ref.get('remote_id_attribute')
if remote_id_parameter:
return remote_id_parameter
else:
# If it's not registered in the config, then register the option and try again.
# This allows the user to register protocols other than oidc and saml2.
# If it's not registered in the config, then register the option and
# try again. This allows the user to register protocols other than
# oidc and saml2.
try:
remote_id_parameter = CONF[protocol]['remote_id_attribute']
except AttributeError:
@ -303,7 +304,8 @@ def get_remote_id_parameter(idp, protocol):
try:
remote_id_parameter = CONF[protocol]['remote_id_attribute']
except AttributeError: # nosec
# No remote ID attr, will be logged and use the default instead.
# No remote ID attr, will be logged and use the default
# instead.
pass
if not remote_id_parameter:
LOG.debug('Cannot find "remote_id_attribute" in configuration '


+ 1
- 1
keystone/receipt/receipt_formatters.py View File

@ -290,7 +290,7 @@ class ReceiptPayload(object):
@classmethod
def random_urlsafe_str_to_bytes(cls, s):
"""Convert a string from :func:`random_urlsafe_str()` to six.binary_type.
"""Convert string from :func:`random_urlsafe_str()` to six.binary_type.
:type s: six.text_type
:rtype: six.binary_type


+ 50
- 26
keystone/tests/protection/v3/test_access_rules.py View File

@ -44,9 +44,11 @@ class _UserAccessRuleTests(object):
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (self.user_id, app_cred['access_rules'][0]['id'])
path = '/v3/users/%s/access_rules/%s' % (
self.user_id, app_cred['access_rules'][0]['id'])
c.get(path, headers=self.headers)
def test_user_can_list_their_access_rules(self):
@ -63,9 +65,11 @@ class _UserAccessRuleTests(object):
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
with self.test_client() as c:
r = c.get('/v3/users/%s/access_rules' % self.user_id, headers=self.headers)
r = c.get('/v3/users/%s/access_rules' % self.user_id,
headers=self.headers)
self.assertEqual(len(r.json['access_rules']), 1)
def test_user_can_delete_their_access_rules(self):
@ -83,10 +87,13 @@ class _UserAccessRuleTests(object):
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
PROVIDERS.application_credential_api.delete_application_credential(
app_cred['id'])
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (self.user_id, access_rule_id)
path = '/v3/users/%s/access_rules/%s' % (
self.user_id, access_rule_id)
c.delete(path, headers=self.headers)
@ -119,9 +126,11 @@ class _ProjectUsersTests(object):
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
path = '/v3/users/%s/access_rules/%s' % (
user['id'], access_rule_id)
c.get(
path, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
@ -136,7 +145,7 @@ class _ProjectUsersTests(object):
expected_status_code=http_client.NOT_FOUND
)
def test_user_cannot_get_non_existent_access_rule_other_user_forbidden(self):
def test_cannot_get_non_existent_access_rule_other_user_forbidden(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = PROVIDERS.identity_api.create_user(user)
with self.test_client() as c:
@ -171,7 +180,8 @@ class _ProjectUsersTests(object):
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
with self.test_client() as c:
path = '/v3/users/%s/access_rules' % user['id']
@ -203,16 +213,19 @@ class _ProjectUsersTests(object):
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
PROVIDERS.application_credential_api.delete_application_credential(
app_cred['id'])
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
path = '/v3/users/%s/access_rules/%s' % (
user['id'], access_rule_id)
c.delete(
path, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_delete_non_existent_access_rule_other_user_forbidden(self):
def test_cannot_delete_non_existent_access_rule_other_user_forbidden(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = PROVIDERS.identity_api.create_user(user)
with self.test_client() as c:
@ -252,7 +265,8 @@ class _SystemUserAccessRuleTests(object):
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
with self.test_client() as c:
r = c.get('/v3/users/%s/access_rules' % user['id'],
@ -329,10 +343,13 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
PROVIDERS.application_credential_api.delete_application_credential(
app_cred['id'])
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
path = '/v3/users/%s/access_rules/%s' % (
user['id'], access_rule_id)
c.delete(
path, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
@ -408,17 +425,21 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
PROVIDERS.application_credential_api.delete_application_credential(
app_cred['id'])
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
path = '/v3/users/%s/access_rules/%s' % (
user['id'], access_rule_id)
c.delete(
path, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
path = '/v3/users/%s/access_rules/%s' % (
user['id'], access_rule_id)
c.delete(
path, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
@ -487,11 +508,14 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(app_cred)
PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
PROVIDERS.application_credential_api.delete_application_credential(
app_cred['id'])
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
path = '/v3/users/%s/access_rules/%s' % (
user['id'], access_rule_id)
c.delete(path, headers=self.headers)
def test_user_cannot_delete_non_existent_access_rule_not_found(self):
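Review bot: The renames to `test_cannot_get_non_existent_access_rule_other_user_forbidden` and `test_cannot_delete_non_existent_access_rule_other_user_forbidden` drop the `user_` prefix that every sibling test in this module keeps (e.g. `test_user_cannot_delete_non_existent_access_rule_not_found` at the end of the last hunk), while the commit message says over-long test names were to be left alone so subunit output does not change. For consistency with how test_domain_config.py is handled in this same change, keeping the original names and appending `  # noqa: E501` to the two `def` lines would satisfy the linter without altering test identifiers. This matters for the stated goal of clean backports, since stable branches key on those names.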


+ 3
- 3
keystone/tests/protection/v3/test_assignment.py View File

@ -1086,9 +1086,9 @@ class _ProjectUserTests(object):
def test_user_cannot_filter_role_assignments_by_other_project_user(self):
assignments = self._setup_test_role_assignments()
# This user doesn't have any role assignments on self.project_id, so the
# project user of self.project_id should only see an empty list of role
# assignments.
# This user doesn't have any role assignments on self.project_id, so
# the project user of self.project_id should only see an empty list of
# role assignments.
user_id = assignments['user_id']
with self.test_client() as c:


+ 78
- 48
keystone/tests/protection/v3/test_domain_config.py View File

@ -50,10 +50,11 @@ class _SystemDomainAndProjectUserDomainConfigTests(object):
password_regex_description=password_regex_description
)
with self.test_client() as c:
c.get('/v3/domains/%s/config/security_compliance/password_regex_description'
c.get('/v3/domains/%s/config/security_compliance'
'/password_regex_description'
% CONF.identity.default_domain_id, headers=self.headers)
def test_user_can_get_security_compliance_config_with_user_from_other_domain(self):
def test_can_get_security_compliance_config_with_user_from_other_domain(self): # noqa: E501
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
@ -95,7 +96,8 @@ class _SystemUserDomainConfigTests(object):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.get('/v3/domains/%s/config'
% domain['id'], headers=self.headers)
@ -104,7 +106,8 @@ class _SystemUserDomainConfigTests(object):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.get('/v3/domains/%s/config/ldap'
% domain['id'], headers=self.headers)
@ -113,7 +116,8 @@ class _SystemUserDomainConfigTests(object):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
invalid_domain_id = uuid.uuid4().hex
with self.test_client() as c:
c.get('/v3/domains/%s/config/ldap'
@ -144,7 +148,8 @@ class _SystemUserDomainConfigTests(object):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.get('/v3/domains/%s/config/ldap/url'
% domain['id'], headers=self.headers)
@ -195,10 +200,11 @@ class _SystemUserDomainConfigTests(object):
password_regex_description=password_regex_description
)
with self.test_client() as c:
c.get('/v3/domains/%s/config/security_compliance/password_regex_description'
c.get('/v3/domains/%s/config/security_compliance'
'/password_regex_description'
% CONF.identity.default_domain_id, headers=self.headers)
def test_user_can_get_security_compliance_config_with_user_from_other_domain(self):
def test_can_get_security_compliance_config_with_user_from_other_domain(self): # noqa: E501
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
@ -238,58 +244,70 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
)
with self.test_client() as c:
c.put('/v3/domains/%s/config'
% domain['id'], json={'config': unit.new_domain_config_ref()},
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
% domain['id'],
json={'config': unit.new_domain_config_ref()},
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_update_domain_config(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
new_config = {'ldap': {'url': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch('/v3/domains/%s/config'
% domain['id'], json={'config': new_config},
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_update_domain_group_config(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
new_config = {'ldap': {'url': uuid.uuid4().hex,
'user_filter': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch('/v3/domains/%s/config/ldap'
% domain['id'], json={'config': new_config},
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_update_domain_config_option(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
new_config = {'url': uuid.uuid4().hex}
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.patch('/v3/domains/%s/config/ldap/url'
% domain['id'], json={'config': new_config},
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
% domain['id'],
json={'config': new_config},
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_delete_domain_config(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.delete('/v3/domains/%s/config' % domain['id'],
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_delete_domain_group_config(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.delete('/v3/domains/%s/config/ldap'
% domain['id'], headers=self.headers,
@ -299,7 +317,8 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.delete('/v3/domains/%s/config/ldap/url'
% domain['id'], headers=self.headers,
@ -312,7 +331,8 @@ class _DomainAndProjectUserDomainConfigTests(object):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.get('/v3/domains/%s/config'
% domain['id'], headers=self.headers,
@ -322,7 +342,8 @@ class _DomainAndProjectUserDomainConfigTests(object):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.get('/v3/domains/%s/config/ldap'
% domain['id'], headers=self.headers,
@ -340,7 +361,8 @@ class _DomainAndProjectUserDomainConfigTests(object):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
PROVIDERS.domain_config_api.create_config(
domain['id'], unit.new_domain_config_ref())
with self.test_client() as c:
c.get('/v3/domains/%s/config/ldap/url'
% domain['id'], headers=self.headers,
@ -362,11 +384,12 @@ class _DomainAndProjectUserDomainConfigTests(object):
expected_status_code=http_client.FORBIDDEN)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserDomainConfigTests,
_SystemReaderMemberDomainAndProjectUserDomainConfigTests,
_SystemDomainAndProjectUserDomainConfigTests):
class SystemReaderTests(
base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserDomainConfigTests,
_SystemReaderMemberDomainAndProjectUserDomainConfigTests,
_SystemDomainAndProjectUserDomainConfigTests):
def setUp(self):
super(SystemReaderTests, self).setUp()
@ -397,11 +420,12 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
self.headers = {'X-Auth-Token': self.token_id}
class SystemMemberTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserDomainConfigTests,
_SystemReaderMemberDomainAndProjectUserDomainConfigTests,
_SystemDomainAndProjectUserDomainConfigTests):
class SystemMemberTests(
base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserDomainConfigTests,
_SystemReaderMemberDomainAndProjectUserDomainConfigTests,
_SystemDomainAndProjectUserDomainConfigTests):
def setUp(self):
super(SystemMemberTests, self).setUp()
@ -465,15 +489,19 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
)
with self.test_client() as c:
c.put('/v3/domains/%s/config'
% domain['id'], json={'config': unit.new_domain_config_ref()},
headers=self.headers, expected_status_code=http_client.CREATED)
% domain['id'],
json={'config': unit.new_domain_config_ref()},
headers=self.headers,
expected_status_code=http_client.CREATED)
def test_user_cannot_create_invalid_domain_config(self):
invalid_domain_id = uuid.uuid4().hex
with self.test_client() as c:
c.put('/v3/domains/%s/config'
% invalid_domain_id, json={'config': unit.new_domain_config_ref()},
headers=self.headers, expected_status_code=http_client.NOT_FOUND)
% invalid_domain_id,
json={'config': unit.new_domain_config_ref()},
headers=self.headers,
expected_status_code=http_client.NOT_FOUND)
def test_user_can_update_domain_config(self):
domain = PROVIDERS.resource_api.create_domain(
@ -556,11 +584,12 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
expected_status_code=http_client.NOT_FOUND)
class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemDomainAndProjectUserDomainConfigTests,
_DomainAndProjectUserDomainConfigTests,
_SystemReaderMemberDomainAndProjectUserDomainConfigTests):
class DomainUserTests(
base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemDomainAndProjectUserDomainConfigTests,
_DomainAndProjectUserDomainConfigTests,
_SystemReaderMemberDomainAndProjectUserDomainConfigTests):
def setUp(self):
super(DomainUserTests, self).setUp()
@ -593,11 +622,12 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
self.headers = {'X-Auth-Token': self.token_id}
class ProjectUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemDomainAndProjectUserDomainConfigTests,
_DomainAndProjectUserDomainConfigTests,
_SystemReaderMemberDomainAndProjectUserDomainConfigTests):
class ProjectUserTests(
base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemDomainAndProjectUserDomainConfigTests,
_DomainAndProjectUserDomainConfigTests,
_SystemReaderMemberDomainAndProjectUserDomainConfigTests):
def setUp(self):
super(ProjectUserTests, self).setUp()
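Review bot: The renamed test in the first hunk, `def test_can_get_security_compliance_config_with_user_from_other_domain(self):  # noqa: E501`, still exceeds the line limit and needs the noqa, so the rename gains nothing while changing the test id that subunit reports — the very thing the commit message says it avoided; keeping `def test_user_can_get_security_compliance_config_with_user_from_other_domain(self):  # noqa: E501` would be consistent with that rationale, and the same applies to the identical rename in the `_SystemUserDomainConfigTests` hunk. Separately, that method name is now defined in both `_SystemDomainAndProjectUserDomainConfigTests` and `_SystemUserDomainConfigTests`, and `SystemReaderTests` / `SystemMemberTests` list the latter before the former in their bases, so the former's copy appears to be shadowed by MRO for those classes and never run there; this predates the commit, but since these are authorization tests it is worth confirming the two bodies are meant to be identical or giving them distinct names. The bodies of both renamed methods continue outside their hunks.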


+ 6
- 3
keystone/tests/protection/v3/test_domain_roles.py

@ -248,14 +248,16 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_roles(self):
create = {'role': unit.new_role_ref(domain_id=CONF.identity.default_domain_id)}
create = {'role': unit.new_role_ref(
domain_id=CONF.identity.default_domain_id)}
with self.test_client() as c:
c.post('/v3/roles', json=create, headers=self.headers)
def test_user_can_update_roles(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
uuid.uuid4().hex,
unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
)
update = {'role': {'description': uuid.uuid4().hex}}
@ -267,7 +269,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
def test_user_can_delete_roles(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
uuid.uuid4().hex,
unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
)
with self.test_client() as c:


+ 22
- 12
keystone/tests/protection/v3/test_ec2_credential.py

@ -44,7 +44,8 @@ class _UserEC2CredentialTests(object):
credential_id = r.json['credential']['access']
path = '/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id)
path = '/v3/users/%s/credentials/OS-EC2/%s' % (
self.user_id, credential_id)
r = c.get(path, headers=self.headers)
self.assertEqual(
self.user_id, r.json['credential']['user_id']
@ -101,7 +102,8 @@ class _UserEC2CredentialTests(object):
json={'tenant_id': project['id']}, headers=self.headers)
credential_id = r.json['credential']['access']
c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id),
c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (
self.user_id, credential_id),
headers=self.headers)
def test_user_cannot_create_ec2_credentials_for_others(self):
@ -147,8 +149,10 @@ class _UserEC2CredentialTests(object):
json={'tenant_id': project['id']}, headers=headers)
credential_id = r.json['credential']['access']
c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id),
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (
self.user_id, credential_id),
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
class _SystemUserTests(object):
@ -178,8 +182,10 @@ class _SystemUserTests(object):
json={'tenant_id': project['id']}, headers=headers)
credential_id = r.json['credential']['access']
path = '/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id)
c.get(path, headers=self.headers, expected_status_code=http_client.OK)
path = '/v3/users/%s/credentials/OS-EC2/%s' % (
self.user_id, credential_id)
c.get(path, headers=self.headers,
expected_status_code=http_client.OK)
class _SystemReaderAndMemberTests(object):
@ -377,7 +383,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
json={'tenant_id': project['id']}, headers=headers)
credential_id = r.json['credential']['access']
c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id),
c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (
self.user_id, credential_id),
headers=self.headers)
@ -395,13 +402,16 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
# update permissions or update policies without breaking users. This
# will cause these specific tests to fail since we're trying to correct
# this broken behavior with better scope checking.
reader_or_cred_owner = bp.SYSTEM_READER_OR_CRED_OWNER
reader_or_owner = bp.RULE_SYSTEM_READER_OR_OWNER
admin_or_cred_owner = bp.SYSTEM_ADMIN_OR_CRED_OWNER
with open(self.policy_file_name, 'w') as f:
overridden_policies = {
'identity:ec2_get_credential': bp.SYSTEM_READER_OR_CRED_OWNER,
'identity:ec2_list_credentials': bp.RULE_SYSTEM_READER_OR_OWNER,
'identity:ec2_create_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
'identity:ec2_update_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
'identity:ec2_delete_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER
'identity:ec2_get_credential': reader_or_cred_owner,
'identity:ec2_list_credentials': reader_or_owner,
'identity:ec2_create_credential': admin_or_cred_owner,
'identity:ec2_update_credential': admin_or_cred_owner,
'identity:ec2_delete_credential': admin_or_cred_owner
}
f.write(jsonutils.dumps(overridden_policies))


+ 82
- 41
keystone/tests/protection/v3/test_endpoint_group.py

@ -29,7 +29,8 @@ class _SystemUserEndpointGroupsTests(object):
"""Common default functionality for all system users."""
def test_user_can_list_endpoint_groups(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -43,7 +44,8 @@ class _SystemUserEndpointGroupsTests(object):
self.assertIn(endpoint_group['id'], endpoint_groups)
def test_user_can_get_an_endpoint_group(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -57,7 +59,8 @@ class _SystemUserEndpointGroupsTests(object):
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -79,7 +82,8 @@ class _SystemUserEndpointGroupsTests(object):
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -98,7 +102,8 @@ class _SystemUserEndpointGroupsTests(object):
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -115,7 +120,8 @@ class _SystemUserEndpointGroupsTests(object):
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -145,12 +151,14 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
with self.test_client() as c:
c.post(
'/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers,
'/v3/OS-EP-FILTER/endpoint_groups', json=create,
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_update_endpoint_groups(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -159,20 +167,23 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
with self.test_client() as c:
c.patch(
'/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update,
'/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
json=update,
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_delete_endpoint_groups(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
c.delete(
'/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers,
'/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
@ -182,7 +193,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -199,7 +211,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -214,7 +227,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
class _DomainAndProjectUserEndpointGroupTests(object):
def test_user_cannot_list_endpoint_groups(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -224,13 +238,15 @@ class _DomainAndProjectUserEndpointGroupTests(object):
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_get_an_endpoint_group(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
c.get('/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_list_projects_associated_with_endpoint_groups(self):
project = PROVIDERS.resource_api.create_project(
@ -238,15 +254,18 @@ class _DomainAndProjectUserEndpointGroupTests(object):
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group['id'], project['id'])
with self.test_client() as c:
c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects' % endpoint_group['id'],
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects'
% endpoint_group['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_list_endpoints_associated_with_endpoint_groups(self):
service = PROVIDERS.catalog_api.create_service(
@ -256,13 +275,16 @@ class _DomainAndProjectUserEndpointGroupTests(object):
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints' % endpoint_group['id'],
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints'
% endpoint_group['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_get_endpoints_associated_with_endpoint_groups(self):
project = PROVIDERS.resource_api.create_project(
@ -270,7 +292,8 @@ class _DomainAndProjectUserEndpointGroupTests(object):
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
@ -279,7 +302,8 @@ class _DomainAndProjectUserEndpointGroupTests(object):
with self.test_client() as c:
c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
% (endpoint_group['id'], project['id']),
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_list_endpoint_groups_with_their_projects(self):
project = PROVIDERS.resource_api.create_project(
@ -287,15 +311,18 @@ class _DomainAndProjectUserEndpointGroupTests(object):
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group['id'], project['id'])
with self.test_client() as c:
c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups' % project['id'],
headers=self.headers, expected_status_code=http_client.FORBIDDEN)
c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups'
% project['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)