Added database string field length check, so when inserting into a table, if the length of a string field exceeds the column limit, it will return a 400 error instead of truncating the string.
Change-Id: I7216fe736ea6e5a23b5647b107fcb2699f1fa99d
Fixes: bug #1090247
This implements the server side of groups of users. This
set of code provides all the crud functionality for groups as
well as the corresponding support for role assignments.
blueprint user-groups
The following deficiencies exist with the current version and
will be corrected ahead of the final Grizzly release:
1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)
This update also fills in missing v3 grant unit testing and v3 grant
support within the kvs backend. In addition, there is a fix for
Bug #1092200 (uncaught exception when listing grants)
DocImpact
Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
This migrates the SQL backend such that v2 endpoints containing up to 3
URL's (public, internal and admin) stored in 'extra' are split into
unique endpoints.
Because legacy "endpoints" (each having publicUrl, internalUrl and
adminUrl) are no longer conceptually identical to v3's "endpoints" (each
having an interface and a url), new ID's are assigned to each entity and
each API continues to operate using independent sets of endpoint
ID's.
Endpoints created on the v3 API are not exposed on the v2 API.
Change-Id: I2ba59d55907313ae65e908585fc49be0c4ce899a
modify tables by adding columns, and modify entities
by adding attributes for password, description and enabled
update tests to deal with change from 'False' and 'True' to the
python values False and True
Added a Text type from SQL Alchemy
Bug 1070351
Bug 1023544
Change-Id: I066c788b5d08a8f42a9b5412ea9e29e4fe9ba205
Fixtures are created before every test, so each fixture adds a
considerable amount of overhead to the overall test suite.
This patch attempts to eliminate fixtures utilized by only a few tests
in favor of re-cycling as many fixtures as possible. As a result, a few
tests are refactored to depend on different fixtures.
Change-Id: Idd4dcef5e38e304d19110c61886887fb64b4d658
To make keystone return HTTP 401 Unauthorized instead of 500 Internal Server
Error when processing request that miss the X-Auth-Token Header.
Fixes Bug 1053474
Change-Id: Ib830fce7bb3b29fa1bc385f64c7c0ecdf5cd1644
Bug 983304
Defines functions for the retrieval and return of the tenant, user and
role objects in ldap. They will return in whatever order LDAP provides
them.
Additional fix for pep8 whitespace violation.
Additional change to add some minimal unit tests for the new functions
Tests have successfully run against a live LDAP server
Change-Id: I368ae4097bb9bcdaab7bca0ccc2f9204d58f69d8
This is related to lp 1035428; that bug is fixed in folsom,
but this test is also about to appear in stable/essex.
Change-Id: Iadd4091339aab2c3a8d474b44dcd11f8bfd1d510
Co-authored-by: Adam Young <ayoung@redhat.com>
Token revocations are captured in the backends,
During upgrade, all previous tickets are defaulted to valid.
Revocation list returned as a signed document and can be fetched in an admin context via HTTP
Change config values for enable/disable PKI
In the auth_token middleware, the revocation list is fetched prior
to validating tokens. Any tokens that are on the revocation list
will be treated as invalid.
Added in PKI token tests that check the same logic as the UUID tests.
Sample data for the tests is read out of the signing directory.
dropped number on sql scripts to pass tests.
Also fixes 1031373
Bug 1037683
Change-Id: Icef2f173e50fe3cce4273c161f69d41259bf5d23
Uses CMS to create tokens that can be verified without network calls.
Tokens encapsulate authorization information.
This includes user name and roles in JSON.
The JSON document info is cryptographically signed with a private key
from Keystone, in accordance with the Cryptographic Message Syntax (CMS)
in DER format and then Base64 encoded. The header, footer, and line breaks
are stripped to minimize the size, and slashes which are invalid in Base64
are converted to hyphens.
Since signed tokens are not validated against the Keystone server, they
continue to be valid until the expiration time. This means that even if a user
has their roles revoked or their account disabled, those changes will not take
effect until their token times out. The prototype for this is Kerberos, which
has the same limitation, and has functioned successfully with it for decades. It
is possible to set the token time out for much shorter than the default of 8
hours, but that may mean that users' tokens will time out prior to completion
of long running tasks.
This should be a drop in replacement for the current token production code.
Although the signed token is longer than the older format, the token is still
a unique stream of Alpha-Numeric characters.
The auth token middleware is capable of handling both uuid and signed tokens.
To start with, the PKI functionality is disabled. This will keep from breaking
the existing deployments. However, it can be enabled with the config value:
[signing]
disable_pki = False
The 'id_hash' column is added to the SQL schema because SQL alchemy insists on
each table having a primary key. However, primary keys are limited to roughly
250 Characters (768 Bytes, but there is more than 1 varchar per byte) so the
ID field cannot be used as the primary key anymore. id_hash is a hash of the
id column, and should be used for lookups as it is indexed.
middleware/auth_token.py needs to stand alone in the other services, and uses
keystone.common.cms in order to verify tokens.
Token needs to have all of the data from the original authenticate code
contained in the signed document, as the authenticate RPC will no longer
be called in many cases.
The datetime of expiry is signed in the token.
The certificates are accessible via web APIs. On the remote service side,
certificates needed to authenticate tokens are stored in /tmp/keystone-signing
by default. Remote systems use Paste API to read configuration values.
Certificates are retrieved only if they are not on the local system.
When authenticating in Keystone systems, it still does the Database checks for
token presence. This allows Keystone to continue to enforce Timeout and
disabled users.
The service catalog has been added to the signed token. Although this greatly
increases the size of the token, it makes it consistent with what is fetched
during the token authenticate checks.
This change also fixes time variations in expiry test. Although unrelated to
the above changes, it was making testing very frustrating.
For the database Upgrade scripts, we now only bring 'token' up to V1 in 001
script. This makes it possible to use the same 002 script for both upgrade
and initializing a new database.
Upon upgrade, the current UUID tokens are retained in the id_hash and id fields.
The mechanisms to verify uuid tokens work the same as before. On downgrade,
token_ids are dropped.
Takes into account changes for "Raise unauthorized if tenant disabled"
Bug 1003962
Change-Id: I89b5aa609143bbe09a36bfaf64758c5306e86de7
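The token compaction (CMS in DER, Base64 encoded, header/footer/line breaks stripped, slashes turned into hyphens) and the middleware-side revocation-list check described in the two commit messages above, as an added example in Python. This is not Keystone's own code: the CMS bytes are a constructed stand-in for a real signed document, and the hash used for the id_hash column and the shape of the revocation list (a set of hashed token ids) are assumptions made for the example.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the DER-encoded CMS signature Keystone would
# produce by signing the JSON token document with its private key.
# Real deployments get these bytes from openssl; here they are just
# every byte value repeated so that both '/' and '+' show up in Base64.
CONSTRUCTED_CMS_DER = bytes(range(256)) * 3

PEM_HEADER = "-----BEGIN CMS-----"
PEM_FOOTER = "-----END CMS-----"


def pem_from_der(der: bytes) -> str:
    """Render a DER blob the way PEM output looks: header, 64-char lines, footer."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_token(pem: str) -> str:
    """Compact the PEM text into a token id as the commit describes:
    drop header, footer and line breaks, then replace '/' (invalid in the
    places the token travels) with '-'."""
    body = [ln for ln in pem.splitlines() if ln not in (PEM_HEADER, PEM_FOOTER)]
    return "".join(body).replace("/", "-")


def token_to_der(token: str) -> bytes:
    """Undo the compaction so a verifier can hand the DER back to a CMS library."""
    return base64.b64decode(token.replace("-", "/"))


def token_id_hash(token: str) -> str:
    """Assumed hash for the indexed id_hash column (the token itself is too
    long for a primary key); any stable digest of the id would do here."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def is_token_acceptable(token: str, expires_at: datetime,
                        revoked_hashes: set, now: datetime) -> bool:
    """Middleware-side decision: a token on the fetched revocation list is
    rejected first, then the signed expiry is enforced. Nothing here calls
    back to Keystone, which is the whole point of the signed token."""
    if token_id_hash(token) in revoked_hashes:
        return False
    return now < expires_at


if __name__ == "__main__":
    pem = pem_from_der(CONSTRUCTED_CMS_DER)
    token = pem_to_token(pem)
    assert token_to_der(token) == CONSTRUCTED_CMS_DER

    now = datetime(2013, 1, 1, tzinfo=timezone.utc)
    expires = now + timedelta(hours=8)  # the default lifetime quoted above
    print("fresh token accepted:", is_token_acceptable(token, expires, set(), now))
    revoked = {token_id_hash(token)}
    print("revoked token accepted:", is_token_acceptable(token, expires, revoked, now))
    print("expired token accepted:",
          is_token_acceptable(token, expires, set(), now + timedelta(hours=9)))
```

The round trip through token_to_der is what a remote service needs before it can verify the signature with the certificates it fetched; the revocation check is the only way, short of waiting for expiry, that a disabled user or removed role takes effect on such a service, so the middleware must fetch the list before validating tokens.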
1. Verified name length while creating/updating user.
2. Disallowed blank user name in create/update.
3. Added unit test coverage.
Change-Id: I55cd5daf34f4f57d4163be403a7a75c5d22baa62
Fixes bug 1022575
Making change to tests/*py to pass pep8 tests.
pep8 tests started failing following
39b20acc93 update pep8 to 1.3.3
04df79b64e include tests dir in pep8 tests
Change-Id: I2d7dec0a87f1ae9b5f828d7f321b65bf8c06a421
Fix bug 999594.
When a user/tenant pair already has a role and there is a request to add
the role to the pair, we can choose to either return 200 and let the
client feel it's alright to do so, or return a 409 error (Conflict) to
inform the client of the pre-existing role for the pair. I feel the
latter is a bit more appropriate.
The KVS and the pam backends were simply accepting the request, while
the LDAP backend was raising an error. So be consistent, and always
return 409.
Change-Id: I7328d2932f6907d48e6422674eeeee22dc7a7149
Implements blueprint use-common-timeutils
1. Edit openstack-common.conf and import keystone/openstack/common/timeutils.py
2. Replace datetime.utcnow with timeutils.utcnow
3. Replace utils.isotime with timeutils.isotime
4. Remove utils.isotime in common/utils.py and datetime related unittest
Change-Id: I4f5a63a368fde8787a0dc0a817c940de685b9ca2
The goal is to move the responsibility of reference checks away from
controllers and into the underlying managers & drivers, which can
handle the task with equal or greater efficiency.
- Tenant references from create_user/update_user are NOT tested
due to inconsistencies between backends
- Additional test coverage improvements
Also fixes bug 999209, bug 999608, bug 1006029, bug 1006055, bug 1006287,
bug 1006334, and bug 1006344.
Change-Id: I7de592e7dd4518038436b9a9fdaab559b00a0537
1. Verified name length while creating/updating tenant (for all backends).
2. Disallowed blank tenant name in create/update.
3. Added unit test coverage.
Change-Id: Ied1e2707ba16e14d791308fb618ca18effa0245f
Fixes bug #983800
The expiration timestamps are expressed in UTC time, so ensure:
1) The timestamp of the token created by the test is UTC time (i.e.
utcnow() vs now())
2) The expiration check in the dummy memcache client properly
accounts for UTC (i.e. utctimetuple() vs timetuple())
Change-Id: Ie7356456f79ab5a8070a79771bb7d210b1cedd47
* unittest2 is already a test dependency, and has a large
number of improvements over unittest. The switch suggested
removing TestCase assertions that already existed in unittest2's
version and updating all subclasses to use the unittest2
equivalents.
Change-Id: I024134ae7cade3b4951c7508c1ea50070762720f
For SQL identity backend, add unique constraint with column definition;
for kvs and ldap backend, use python code to apply this constraint.
Test cases test_create_duplicate_role_name_fails and test_rename_duplicate_role_name_fails are added to guard it.
python run_tests.py test_backend_ldap test_backend_kvs test_backend_sql pass.
bug 932258.
Change-Id: I990f17a270e84d35c078f215c587a81d6784c192
* Adds missing test cases for the TemplatedCatalog
* Adds a base CatalogTest that different backends
can use
* Updates kvs.Catalog to raise ServiceNotFound where
appropriate
* Updates the tests.test_keystoneclient_sql to actually
test the SQL catalog backend
* Removes old test for incorrect endpoints listing
* Removes the keystone.catalog.core.Driver.service_exists
method since it was only implemented in the SQL driver
and wasn't required now that get_service and delete_service
properly raise ServiceNotFound exception.
Change-Id: I35690cc147e56007be27bacf94eeff360e727e5d
Fixes bug 951093
While the actual issue was encountered in keystone/service.py,
the underlying issue is that all identity backends seem to be
returning None when no metadata is found for a user. I would argue
that returning {} makes it easier on clients.
Change-Id: I06faf755cc0dbe45b5d0a0f86c6235b27c856047
ldap was accidentally supplying some of its own values rather than using
the built-in fixtures, so it was providing the incorrect interface for a
couple calls.
also adds a test for get_user_by_name (skipped for ldap) and
standardizes the kvs and ldap authenticate calls
fix user authentication live ldap tests
Change-Id: If1ccce1fd9c84622bb89344bc5d5c59b059d03ae
Bug 933852
Merged over the code from the legacy keystone implementation, updated
style and streamlined the API a bit.
* Unit tests can be run against a live OpenLDAP server
* Password hashing done via passlib. Only does salted sha1, which is what simple_bind requires, but is not secure.
* Added pip dependencies
Change-Id: I5296d94f6b7d0a7c7dbc887cdae872171e34bb5f
* adds test for duplicate names and ids for backends
* also adds test for rename duplicates and changing ids
* makes kvs backend raise an exception if duplicate is requested
* ensures kvs backend doesn't allow update of id
* makes sure that kvs is reset between tests
* cleans up a few imports
* fixes bug 927291
* fixes bug 928659
Change-Id: Ia6eb1961796cbde7ed57a75cd9394d77c88cf655