Commit Graph

54 Commits

Author SHA1 Message Date
Yuriy Taraday
a7c6427b50 Fix role delete method in LDAP backend.
It used to delete all roles in all tenants.

Change-Id: I9283a28422559a33b92ee9c975fc7a8e299b8f21
2013-01-22 03:47:50 +04:00
Jenkins
e1abe0fca3 Merge "add database string field length check" 2013-01-15 02:33:15 +00:00
Tony NIU
9c2c4ece64 add database string field length check
Added a database string field length check, so that when inserting into a table, if the length of a string field exceeds the column limit, it will return a 400 error instead of truncating the string.

Change-Id: I7216fe736ea6e5a23b5647b107fcb2699f1fa99d
Fixes: bug #1090247
2013-01-15 08:43:28 +08:00
Zhongyue Luo
9af1d7bebd Fixes import order nits
Change-Id: I5a527e0f5010171a202de5894d124d213d22a073
2013-01-11 09:05:11 +08:00
Henry Nash
4fae928c59 Keystone server support for user groups
This implements the server side of groups of users. This
set of code provides all the CRUD functionality for groups as
well as the corresponding support for role assignments.

blueprint user-groups

The following deficiencies exist with the current version and
will be corrected ahead of the final Grizzly release:

1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)

This update also fills in missing v3 grant unit testing and v3 grant
support within the kvs backend.  In addition, there is a fix for
Bug #1092200 (uncaught exception when listing grants)

DocImpact

Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
2013-01-08 01:32:46 +00:00
Dolph Mathews
2f851340ee Split endpoint records in SQL by interface
This migrates the SQL backend such that v2 endpoints containing up to 3
URLs (public, internal and admin) stored in 'extra' are split into
unique endpoints.

Because legacy "endpoints" (each having publicUrl, internalUrl and
adminUrl) are no longer conceptually identical to v3's "endpoints" (each
having an interface and a url), new IDs are assigned to each entity and
each API continues to operate using independent sets of endpoint
IDs.

Endpoints created on the v3 API are not exposed on the v2 API.

Change-Id: I2ba59d55907313ae65e908585fc49be0c4ce899a
2012-12-18 12:11:26 -05:00
Adam Young
1012bd42df normalize identity
modify tables by adding columns, and modify entities
by adding attributes for password, description and enabled

update tests to deal with change from 'False' and 'True' to the
python values False and True

Added a Text type from SQL Alchemy

Bug 1070351
Bug 1023544

Change-Id: I066c788b5d08a8f42a9b5412ea9e29e4fe9ba205
2012-11-27 11:06:11 -05:00
Dolph Mathews
ff669f0da9 v3 Catalog
- v3 catalog tests (bug 1023933)
- v3 catalog implementation (bug 1023938)

Change-Id: Ie118819d25afbff62327ffc8be5b5fda2ef7f4ed
2012-11-20 11:05:17 -06:00
Dolph Mathews
827fc4c731 v3 Policies
- v3 policy (bp rbac-keystone-api)
- v3 policy tests (bug 1023935)
- v3 policy implementation (bug 1023939)

Change-Id: I163fbb67726c295fe9ed09b68cd18d2273345d29
2012-11-19 14:50:26 -06:00
Dolph Mathews
36c880eb28 Reduce total number of fixtures
Fixtures are created before every test, so each fixture adds a
considerable amount of overhead to the overall test suite.

This patch attempts to eliminate fixtures utilized by only a few tests
in favor of re-cycling as many fixtures as possible. As a result, a few
tests are refactored to depend on different fixtures.

Change-Id: Idd4dcef5e38e304d19110c61886887fb64b4d658
2012-11-13 16:17:04 -06:00
Jose Castro Leon
001f708e7d Provide config file fields for enable users in LDAP backend (bug 1067516)
DocImpact

Change-Id: I1ee9a1e2505cdd8c9ee8acba5c0e89a4f25c7262
2012-11-13 10:37:17 -06:00
Ionuț Arțăriși
fdcb856b13 don't modify the passed in dict to from_dict
Fixes bug 1066851

Change-Id: Ic1f44ba1e319b9cd7e3f1da535f9d29ae7dc4030
2012-11-01 12:04:11 +01:00
Jose Castro Leon
d05d112849 Delete role does not delete role assignments in tenants (bug 1057436)
Change-Id: I2474c2a74135470162030a243491ced59533c024
2012-10-12 08:49:50 +02:00
Jenkins
b0eb94dbc0 Merge "Unable to delete tenant if contains roles in LDAP backend (bug 1057407)" 2012-10-09 18:51:39 +00:00
Stef T
a225624a67 Unparseable endpoint URL's should raise friendly error
fixes bug #1058494

Change-Id: Id89c530e2f4e7dcf0db03515afb8b2a85fbf8077
2012-10-06 16:41:36 -04:00
Jose Castro Leon
ee48c24184 Unable to delete tenant if contains roles in LDAP backend (bug 1057407)
Change-Id: I5e2746827bd66c6c4aebc28da1b24933fdc261f7
2012-10-05 14:16:37 +02:00
Ralf Haferkamp
c9a4141ab7 Return a meaningful Error when token_id is missing
To make keystone return HTTP 401 Unauthorized instead of 500 Internal Server
Error when processing requests that are missing the X-Auth-Token header.

Fixes Bug 1053474

Change-Id: Ib830fce7bb3b29fa1bc385f64c7c0ecdf5cd1644
2012-09-20 17:29:12 +02:00
Jenkins
84f41c2e43 Merge "Limit token revocation to tenant (bug 1050025)" 2012-09-13 21:20:06 +00:00
Dolph Mathews
4e1a0867f9 Limit token revocation to tenant (bug 1050025)
Change-Id: I7ebe0192b4900ad9475119a6d582233b37b31fb4
2012-09-13 12:01:45 -05:00
Dolph Mathews
af8b031e7a Fixed trivially true tests (bug 983304)
Change-Id: I3c66092ce54cab6d972f78857b4c386b69dcabe3
2012-09-13 11:23:00 -05:00
Derek Yarnell
235c4ce3d7 Implementation of tenant,user,role list functions for ldap
Bug 983304

Defines functions for the retrieval and return of the tenant, user and
role objects in LDAP. They will return in whatever order LDAP provides
them.

Additional fix for pep8 whitespace violation.

Additional change to add some minimal unit tests for the new functions.
Tests have successfully run against a live LDAP server.

Change-Id: I368ae4097bb9bcdaab7bca0ccc2f9204d58f69d8
2012-09-10 14:39:11 -04:00
Adam Young
150413cc4b List tokens for memcached backend
Creates and updates an index of tokens in a memcache entry keyed
by the user id

Bug 1046905

Change-Id: If11d6b87b0a8ae5f8349f1ebb31790e943c70fbf
2012-09-06 16:33:17 -04:00
Jenkins
15635261a4 Merge "Removed/fixed unused variable references" 2012-09-04 21:43:58 +00:00
Dolph Mathews
ac95f832d4 Removed/fixed unused variable references
Change-Id: Ifed4fc2158e9eb003561620504d2d35e07cdd3bd
2012-08-30 03:26:30 -05:00
Dolph Mathews
7ad8497063 PEP8 fix
Change-Id: Ic35afaa8f26ed8d6de28106513b4c22252c6e3fa
2012-08-29 15:43:07 -05:00
Andrew Bogott
af52ef1479 Demonstrate that authenticate() returns roles.
This is related to lp 1035428; that bug is fixed in folsom,
but this test is also about to appear in stable/essex.

Change-Id: Iadd4091339aab2c3a8d474b44dcd11f8bfd1d510
2012-08-21 18:00:35 -05:00
Maru Newby
7b70818954 PKI Token revocation
Co-authored-by: Adam Young <ayoung@redhat.com>

Token revocations are captured in the backends.

During upgrade, all previous tickets are defaulted to valid.

Revocation list returned as a signed document and can be fetched in an admin context via HTTP.

Change config values for enable/disable PKI.

In the auth_token middleware, the revocation list is fetched prior
to validating tokens. Any tokens that are on the revocation list
will be treated as invalid.

Added in PKI token tests that check the same logic as the UUID tests.
Sample data for the tests is read out of the signing directory.

Dropped number on SQL scripts to pass tests.

Also fixes 1031373

Bug 1037683

Change-Id: Icef2f173e50fe3cce4273c161f69d41259bf5d23
2012-08-16 15:07:31 -04:00
Dolph Mathews
f82c7c22a8 Enabling SQL Catalog tests (bug 958950)
Change-Id: I9d33d95ffa357b88f099a5a37aa4a139d93fd82f
2012-08-01 15:47:41 -05:00
Adam Young
bcc0f6d6fc Cryptographically Signed tokens
Uses CMS to create tokens that can be verified without network calls.

Tokens encapsulate authorization information.
This includes user name and roles in JSON.
The JSON document info is cryptographically signed with a private key
from Keystone, in accordance with the Cryptographic Message Syntax (CMS)
in DER format and then Base64 encoded. The header, footer, and line breaks
are stripped to minimize the size, and slashes which are invalid in Base64
are converted to hyphens.

Since signed tokens are not validated against the Keystone server, they
continue to be valid until the expiration time. This means that even if a user
has their roles revoked or their account disabled, those changes will not take
effect until their token times out. The prototype for this is Kerberos, which
has the same limitation, and has functioned successfully with it for decades. It
is possible to set the token time out for much shorter than the default of 8
hours, but that may mean that users' tokens will time out prior to completion
of long running tasks.

This should be a drop in replacement for the current token production code.
Although the signed token is longer than the older format, the token is still
a unique stream of alphanumeric characters.

The auth token middleware is capable of handling both uuid and signed tokens.

To start with, the PKI functionality is disabled. This will keep from breaking
the existing deployments. However, it can be enabled with the config value:

[signing]
disable_pki = False

The 'id_hash' column is added to the SQL schema because SQL alchemy insists on
each table having a primary key. However primary keys are limited to roughly
250 Characters (768 Bytes, but there is more than 1 varchar per byte) so the
ID field cannot be used as the primary key anymore. id_hash is a hash of the
id column, and should be used for lookups as it is indexed.

middleware/auth_token.py needs to stand alone in the other services, and uses
keystone.common.cms in order to verify tokens.
Token needs to have all of the data from the original authenticate code
contained in the signed document, as the authenticate RPC will no longer
be called in many cases.

The datetime of expiry is signed in the token.

The certificates are accessible via web APIs. On the remote service side,
certificates needed to authenticate tokens are stored in /tmp/keystone-signing
by default. Remote systems use Paste API to read configuration values.
Certificates are retrieved only if they are not on the local system.

When authenticating in Keystone systems, it still does the Database checks for
token presence. This allows Keystone to continue to enforce Timeout and
disabled users.

The service catalog has been added to the signed token. Although this greatly
increases the size of the token, it makes it consistent with what is fetched
during the token authenticate checks.

This change also fixes time variations in expiry test.  Although unrelated to
the above changes, it was making testing very frustrating.

For the database Upgrade scripts, we now only bring 'token' up to V1 in 001
script. This makes it possible to use the same 002 script for both upgrade
and initializing a new database.

Upon upgrade, the current UUID tokens are retained in the id_hash and id fields.
The mechanisms to verify uuid tokens work the same as before. On downgrade,
token_ids are dropped.

Takes into account changes for "Raise unauthorized if tenant disabled".

Bug 1003962

Change-Id: I89b5aa609143bbe09a36bfaf64758c5306e86de7
2012-07-26 13:17:44 -04:00
Unmesh Gurjar
28061817ed Added user name validation. Fixes bug 966251.
1. Verified name length while creating/updating user.
2. Disallowed blank user name in create/update.
3. Added unit test coverage.

Change-Id: I55cd5daf34f4f57d4163be403a7a75c5d22baa62
2012-07-19 13:16:12 +05:30
Jenkins
ec9c038ba2 Merge "Fixing pep8 errors in tests/*py" 2012-07-09 19:35:16 +00:00
Derek Higgins
7cdae1bc02 Fixing pep8 errors in tests/*py
Fixes bug 1022575

Making change to tests/*py to pass pep8 tests.
pep8 tests started failing following
39b20acc93 update pep8 to 1.3.3
04df79b64e include tests dir in pep8 tests

Change-Id: I2d7dec0a87f1ae9b5f828d7f321b65bf8c06a421
2012-07-09 16:11:30 +01:00
Vincent Untz
7297afc75d Return a 409 error when adding a role to a user/tenant a second time
Fix bug 999594.

When a user/tenant pair already has a role and there is a request to add
the role to the pair, we can choose to either return 200 and let the
client feel it's alright to do so, or return a 409 error (Conflict) to
inform the client of the pre-existing role for the pair. I feel the
latter is a bit more appropriate.

The KVS and the pam backends were simply accepting the request, while
the LDAP backend was raising an error. So be consistent, and always
return 409.

Change-Id: I7328d2932f6907d48e6422674eeeee22dc7a7149
2012-07-04 07:59:47 +02:00
Zhongyue Luo
c79d93bfbc Keystone should use openstack.common.timeutils
Implements blueprint use-common-timeutils

1. Edit openstack-common.conf and import keystone/openstack/common/timeutils.py
2. Replace datetime.utcnow with timeutils.utcnow
3. Replace utils.isotime with timeutils.isotime
4. Remove utils.isotime in common/utils.py and datetime related unittest

Change-Id: I4f5a63a368fde8787a0dc0a817c940de685b9ca2
2012-06-29 06:38:49 +08:00
Dolph Mathews
23ca656927 Refactor 404's into managers & drivers (bug 968519)
The goal is to move the responsibility of reference checks away from
controllers and into the underlying managers & drivers, which can
handle the task with equal or greater efficiency.

- Tenant references from create_user/update_user are NOT tested
  due to inconsistencies between backends
- Additional test coverage improvements

Also fixes bug 999209, bug 999608, bug 1006029, bug 1006055, bug 1006287,
bug 1006334, and bug 1006344.

Change-Id: I7de592e7dd4518038436b9a9fdaab559b00a0537
2012-06-27 11:47:24 -05:00
Unmesh Gurjar
b69dbc2f27 Added tenant name validation. Fixes bug 966249.
1. Verified name length while creating/updating tenant (for all backends).
2. Disallowed blank tenant name in create/update.
3. Added unit test coverage.

Change-Id: Ied1e2707ba16e14d791308fb618ca18effa0245f
2012-05-09 12:10:09 +05:30
Mark McLoughlin
4cd2945740 Fix expired token tests
Fixes bug #983800

The expiration timestamps are expressed in UTC time, so ensure:

 1) The timestamp of the token created by the test is UTC time (i.e.
    utcnow() vs now())

 2) The expiration check in the dummy memcache client properly
    accounts for UTC (i.e. utctimetuple() vs timetuple())

Change-Id: Ie7356456f79ab5a8070a79771bb7d210b1cedd47
2012-04-23 19:48:23 +01:00
Maru Newby
1f3557af59 Switch keystone.test.TestCase to use unittest2
* unittest2 is already a test dependency, and has a large
  number of improvements over unittest. The switch suggested
  removing TestCase assertions that already existed in unittest2's
  version and updating all subclasses to use the unittest2
  equivalents.

Change-Id: I024134ae7cade3b4951c7508c1ea50070762720f
2012-03-27 13:55:14 -07:00
Yong Sheng Gong
d61aedaf86 unique role name constraint
For the SQL identity backend, add a unique constraint with the column definition;
for the kvs and ldap backends, use python code to apply this constraint.
Test cases test_create_duplicate_role_name_fails and test_rename_duplicate_role_name_fails
are added to guard it.
python run_tests.py test_backend_ldap test_backend_kvs test_backend_sql pass.

bug 932258.

Change-Id: I990f17a270e84d35c078f215c587a81d6784c192
2012-03-20 18:29:43 -05:00
Chmouel Boudjnah
3a296a458c Spring cleaning, fix PEP8 violations.
Change-Id: Ide832cd64c9b285213e23901eaf81946d504e726
2012-03-20 22:41:40 +00:00
Jenkins
3a70a2f928 Merge "Fixes LP #954089 - Service list templated catalog" 2012-03-20 04:55:46 +00:00
Jay Pipes
193374af38 Fixes LP #954089 - Service list templated catalog
* Adds missing test cases for the TemplatedCatalog
* Adds a base CatalogTest that different backends
  can use
* Updates kvs.Catalog to raise ServiceNotFound where
  appropriate
* Updates the tests.test_keystoneclient_sql to actually
  test the SQL catalog backend
* Removes old test for incorrect endpoints listing
* Removes the keystone.catalog.core.Driver.service_exists
  method since it was only implemented in the SQL driver
  and wasn't required now that get_service and delete_service
  properly raise ServiceNotFound exception.

Change-Id: I35690cc147e56007be27bacf94eeff360e727e5d
2012-03-19 12:08:30 -04:00
Brian Lamar
6f2c858f43 Update get_metadata to return {}
Fixes bug 951093

While the actual issue was encountered in keystone/service.py,
the underlying issue is that all identity backends seems to be
returning None when no metadata is found for a user. I would argue
that returning {} makes it easier on clients.

Change-Id: I06faf755cc0dbe45b5d0a0f86c6235b27c856047
2012-03-09 16:14:58 -05:00
termie
dd35d2afbf standardize ldap and related tests
LDAP was accidentally supplying some of its own values rather than using
the built-in fixtures, so it was providing the incorrect interface for a
couple of calls.

Also adds a test for get_user_by_name (skipped for ldap) and
standardizes the kvs and ldap authenticate calls.

Fix user authentication live ldap tests.

Change-Id: If1ccce1fd9c84622bb89344bc5d5c59b059d03ae
2012-03-01 15:39:22 -05:00
Adam Young
63437e9dca LDAP Identity backend
Bug 933852

Merged over the code from the legacy keystone implementation, updated
style and streamlined the API a bit.

 * Unit tests can be run against a live OpenLDAP server
 * Password hashing done via passlib. Only does salted sha1, which is what simple_bind requires, but is not secure.
 * Added pip dependencies

Change-Id: I5296d94f6b7d0a7c7dbc887cdae872171e34bb5f
2012-02-27 16:51:46 -08:00
Monty Taylor
8d7189f117 Added Apache 2.0 License information.
Fixes bug 932819

Change-Id: I58e0c2ad704e2e8ff1924a01791694a5e02a154b
2012-02-15 17:48:33 -08:00
Brian Waldon
71436dbf18 Add token expiration
* Config option token.expiration defines amount of time tokens should be valid
* Fixes bug 928545

Change-Id: I3dff7a1ebf03bb44fc6e5247f976baea0581de08
2012-02-14 14:18:50 -08:00
Brian Waldon
2c18314e7c Add TokenNotFound exception
* raise TokenNotFound from token backends on get/delete when token doesn't exist

Change-Id: Ic9aba7911088c30c20fe62501a05d75232f2d8b9
2012-02-10 10:20:16 -08:00
Brian Waldon
c680d7ca54 Add SQL token backend
* abstract out common token tests into test_backend
* fixes bug 928052

Change-Id: I75da2f3c8d733b71025bcc1ef02f55e07645327f
2012-02-08 13:27:36 -08:00
Vishvananda Ishaya
f0f8ddeaa8 Ensures duplicate users and tenants can't be made
* adds test for duplicate names and ids for backends
* also adds test for rename duplicates and changing ids
* makes kvs backend raise an exception if duplicate is requested
* ensures kvs backend doesn't allow update of id
* makes sure that kvs is reset between tests
* cleans up a few imports
* fixes bug 927291
* fixes bug 928659

Change-Id: Ia6eb1961796cbde7ed57a75cd9394d77c88cf655
2012-02-08 00:22:42 -08:00