445 lines
18 KiB
Python
445 lines
18 KiB
Python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright 2012 OpenStack LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import uuid
|
|
|
|
from keystone.common.ldap import fakeldap
|
|
from keystone import config
|
|
from keystone import exception
|
|
from keystone.identity.backends import ldap as identity_ldap
|
|
from keystone import test
|
|
|
|
import default_fixtures
|
|
import test_backend
|
|
|
|
|
|
CONF = config.CONF
|
|
|
|
|
|
def clear_database():
|
|
db = fakeldap.FakeShelve().get_instance()
|
|
db.clear()
|
|
|
|
|
|
class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
|
|
def setUp(self):
|
|
super(LDAPIdentity, self).setUp()
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.load_fixtures(default_fixtures)
|
|
|
|
def test_role_crud(self):
|
|
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
|
self.identity_api.create_role(role['id'], role)
|
|
role_ref = self.identity_api.get_role(role['id'])
|
|
role_ref_dict = dict((x, role_ref[x]) for x in role_ref)
|
|
self.assertDictEqual(role_ref_dict, role)
|
|
self.identity_api.delete_role(role['id'])
|
|
self.assertRaises(exception.RoleNotFound,
|
|
self.identity_api.get_role,
|
|
role['id'])
|
|
|
|
def test_build_tree(self):
|
|
"""Regression test for building the tree names
|
|
"""
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
|
|
user_api = identity_ldap.UserApi(CONF)
|
|
self.assertTrue(user_api)
|
|
self.assertEquals(user_api.tree_dn, "ou=Users,%s" % CONF.ldap.suffix)
|
|
|
|
def test_configurable_allowed_user_actions(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
self.identity_api = identity_ldap.Identity()
|
|
|
|
user = {'id': 'fake1',
|
|
'name': 'fake1',
|
|
'password': 'fakepass1',
|
|
'tenants': ['bar']}
|
|
self.identity_api.create_user('fake1', user)
|
|
user_ref = self.identity_api.get_user('fake1')
|
|
self.assertEqual(user_ref['id'], 'fake1')
|
|
|
|
user['password'] = 'fakepass2'
|
|
self.identity_api.update_user('fake1', user)
|
|
|
|
self.identity_api.delete_user('fake1')
|
|
self.assertRaises(exception.UserNotFound,
|
|
self.identity_api.get_user,
|
|
'fake1')
|
|
|
|
def test_configurable_forbidden_user_actions(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.user_allow_create = False
|
|
CONF.ldap.user_allow_update = False
|
|
CONF.ldap.user_allow_delete = False
|
|
self.identity_api = identity_ldap.Identity()
|
|
|
|
user = {'id': 'fake1',
|
|
'name': 'fake1',
|
|
'password': 'fakepass1',
|
|
'tenants': ['bar']}
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.create_user,
|
|
'fake1',
|
|
user)
|
|
|
|
self.user_foo['password'] = 'fakepass2'
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.update_user,
|
|
self.user_foo['id'],
|
|
self.user_foo)
|
|
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.delete_user,
|
|
self.user_foo['id'])
|
|
|
|
def test_configurable_allowed_tenant_actions(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
self.identity_api = identity_ldap.Identity()
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
tenant_ref = self.identity_api.get_tenant('fake1')
|
|
self.assertEqual(tenant_ref['id'], 'fake1')
|
|
|
|
tenant['enabled'] = 'False'
|
|
self.identity_api.update_tenant('fake1', tenant)
|
|
|
|
self.identity_api.delete_tenant('fake1')
|
|
self.assertRaises(exception.TenantNotFound,
|
|
self.identity_api.get_tenant,
|
|
'fake1')
|
|
|
|
def test_configurable_forbidden_tenant_actions(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.tenant_allow_create = False
|
|
CONF.ldap.tenant_allow_update = False
|
|
CONF.ldap.tenant_allow_delete = False
|
|
self.identity_api = identity_ldap.Identity()
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1'}
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.create_tenant,
|
|
'fake1',
|
|
tenant)
|
|
|
|
self.tenant_bar['enabled'] = 'False'
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.update_tenant,
|
|
self.tenant_bar['id'],
|
|
self.tenant_bar)
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.delete_tenant,
|
|
self.tenant_bar['id'])
|
|
|
|
def test_configurable_allowed_role_actions(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
self.identity_api = identity_ldap.Identity()
|
|
|
|
role = {'id': 'fake1', 'name': 'fake1'}
|
|
self.identity_api.create_role('fake1', role)
|
|
role_ref = self.identity_api.get_role('fake1')
|
|
self.assertEqual(role_ref['id'], 'fake1')
|
|
|
|
role['name'] = 'fake2'
|
|
self.identity_api.update_role('fake1', role)
|
|
|
|
self.identity_api.delete_role('fake1')
|
|
self.assertRaises(exception.RoleNotFound,
|
|
self.identity_api.get_role,
|
|
'fake1')
|
|
|
|
def test_configurable_forbidden_role_actions(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.role_allow_create = False
|
|
CONF.ldap.role_allow_update = False
|
|
CONF.ldap.role_allow_delete = False
|
|
self.identity_api = identity_ldap.Identity()
|
|
|
|
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.create_role,
|
|
role['id'],
|
|
role)
|
|
|
|
self.role_member['name'] = uuid.uuid4().hex
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.update_role,
|
|
self.role_member['id'],
|
|
self.role_member)
|
|
|
|
self.assertRaises(exception.ForbiddenAction,
|
|
self.identity_api.delete_role,
|
|
self.role_member['id'])
|
|
|
|
def test_user_filter(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
user_ref = self.identity_api.get_user(self.user_foo['id'])
|
|
self.user_foo.pop('password')
|
|
self.assertDictEqual(user_ref, self.user_foo)
|
|
|
|
CONF.ldap.user_filter = '(CN=DOES_NOT_MATCH)'
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.assertRaises(exception.UserNotFound,
|
|
self.identity_api.get_user,
|
|
self.user_foo['id'])
|
|
|
|
def test_tenant_filter(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
tenant_ref = self.identity_api.get_tenant(self.tenant_bar['id'])
|
|
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
|
|
|
CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)'
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.assertRaises(exception.TenantNotFound,
|
|
self.identity_api.get_tenant,
|
|
self.tenant_bar['id'])
|
|
|
|
def test_role_filter(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
role_ref = self.identity_api.get_role(self.role_member['id'])
|
|
self.assertDictEqual(role_ref, self.role_member)
|
|
|
|
CONF.ldap.role_filter = '(CN=DOES_NOT_MATCH)'
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.assertRaises(exception.RoleNotFound,
|
|
self.identity_api.get_role,
|
|
self.role_member['id'])
|
|
|
|
def test_dumb_member(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.use_dumb_member = True
|
|
CONF.ldap.dumb_member = 'cn=dumb,cn=example,cn=com'
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.load_fixtures(default_fixtures)
|
|
self.assertRaises(exception.UserNotFound,
|
|
self.identity_api.get_user,
|
|
'dumb')
|
|
|
|
def test_user_attribute_mapping(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.user_name_attribute = 'sn'
|
|
CONF.ldap.user_mail_attribute = 'email'
|
|
CONF.ldap.user_enabled_attribute = 'enabled'
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.load_fixtures(default_fixtures)
|
|
user_ref = self.identity_api.get_user(self.user_two['id'])
|
|
self.assertEqual(user_ref['id'], self.user_two['id'])
|
|
self.assertEqual(user_ref['name'], self.user_two['name'])
|
|
self.assertEqual(user_ref['email'], self.user_two['email'])
|
|
self.assertEqual(user_ref['enabled'], self.user_two['enabled'])
|
|
|
|
CONF.ldap.user_name_attribute = 'email'
|
|
CONF.ldap.user_mail_attribute = 'sn'
|
|
self.identity_api = identity_ldap.Identity()
|
|
user_ref = self.identity_api.get_user(self.user_two['id'])
|
|
self.assertEqual(user_ref['id'], self.user_two['id'])
|
|
self.assertEqual(user_ref['name'], self.user_two['email'])
|
|
self.assertEqual(user_ref['email'], self.user_two['name'])
|
|
self.assertEqual(user_ref['enabled'], self.user_two['enabled'])
|
|
|
|
def test_user_attribute_ignore(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.user_attribute_ignore = ['name', 'email', 'password',
|
|
'tenant_id', 'enabled', 'tenants']
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.load_fixtures(default_fixtures)
|
|
user_ref = self.identity_api.get_user(self.user_two['id'])
|
|
self.assertEqual(user_ref['id'], self.user_two['id'])
|
|
self.assertNotIn('name', user_ref)
|
|
self.assertNotIn('email', user_ref)
|
|
self.assertNotIn('password', user_ref)
|
|
self.assertNotIn('tenant_id', user_ref)
|
|
self.assertNotIn('enabled', user_ref)
|
|
self.assertNotIn('tenants', user_ref)
|
|
|
|
def test_tenant_attribute_mapping(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.tenant_name_attribute = 'ou'
|
|
CONF.ldap.tenant_desc_attribute = 'desc'
|
|
CONF.ldap.tenant_enabled_attribute = 'enabled'
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.load_fixtures(default_fixtures)
|
|
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
|
|
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
|
self.assertEqual(tenant_ref['name'], self.tenant_baz['name'])
|
|
self.assertEqual(
|
|
tenant_ref['description'],
|
|
self.tenant_baz['description'])
|
|
self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled'])
|
|
|
|
CONF.ldap.tenant_name_attribute = 'desc'
|
|
CONF.ldap.tenant_desc_attribute = 'ou'
|
|
self.identity_api = identity_ldap.Identity()
|
|
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
|
|
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
|
self.assertEqual(tenant_ref['name'], self.tenant_baz['description'])
|
|
self.assertEqual(tenant_ref['description'], self.tenant_baz['name'])
|
|
self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled'])
|
|
|
|
def test_tenant_attribute_ignore(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.tenant_attribute_ignore = ['name',
|
|
'description',
|
|
'enabled']
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.load_fixtures(default_fixtures)
|
|
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
|
|
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
|
|
self.assertNotIn('name', tenant_ref)
|
|
self.assertNotIn('description', tenant_ref)
|
|
self.assertNotIn('enabled', tenant_ref)
|
|
|
|
def test_role_attribute_mapping(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.role_name_attribute = 'ou'
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.load_fixtures(default_fixtures)
|
|
role_ref = self.identity_api.get_role(self.role_member['id'])
|
|
self.assertEqual(role_ref['id'], self.role_member['id'])
|
|
self.assertEqual(role_ref['name'], self.role_member['name'])
|
|
|
|
CONF.ldap.role_name_attribute = 'sn'
|
|
self.identity_api = identity_ldap.Identity()
|
|
role_ref = self.identity_api.get_role(self.role_member['id'])
|
|
self.assertEqual(role_ref['id'], self.role_member['id'])
|
|
self.assertNotIn('name', role_ref)
|
|
|
|
def test_role_attribute_ignore(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.role_attribute_ignore = ['name']
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
self.load_fixtures(default_fixtures)
|
|
role_ref = self.identity_api.get_role(self.role_member['id'])
|
|
self.assertEqual(role_ref['id'], self.role_member['id'])
|
|
self.assertNotIn('name', role_ref)
|
|
|
|
def test_user_enable_attribute_mask(self):
|
|
self.config([test.etcdir('keystone.conf.sample'),
|
|
test.testsdir('test_overrides.conf'),
|
|
test.testsdir('backend_ldap.conf')])
|
|
CONF.ldap.user_enabled_attribute = 'enabled'
|
|
CONF.ldap.user_enabled_mask = 2
|
|
CONF.ldap.user_enabled_default = 512
|
|
clear_database()
|
|
self.identity_api = identity_ldap.Identity()
|
|
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
|
|
self.identity_api.create_user('fake1', user)
|
|
user_ref = self.identity_api.get_user('fake1')
|
|
self.assertEqual(user_ref['enabled'], True)
|
|
|
|
user['enabled'] = False
|
|
self.identity_api.update_user('fake1', user)
|
|
user_ref = self.identity_api.get_user('fake1')
|
|
self.assertEqual(user_ref['enabled'], False)
|
|
|
|
user['enabled'] = True
|
|
self.identity_api.update_user('fake1', user)
|
|
user_ref = self.identity_api.get_user('fake1')
|
|
self.assertEqual(user_ref['enabled'], True)
|
|
|
|
# TODO (henry-nash) These need to be removed when the full LDAP implementation
|
|
# is submitted - see BugL #1092187
|
|
def test_group_crud(self):
|
|
pass
|
|
|
|
def test_add_user_to_group(self):
|
|
pass
|
|
|
|
def test_add_user_to_group_404(self):
|
|
pass
|
|
|
|
def test_check_user_in_group(self):
|
|
pass
|
|
|
|
def test_check_user_not_in_group(self):
|
|
pass
|
|
|
|
def test_list_users_in_group(self):
|
|
pass
|
|
|
|
def test_remove_user_from_group(self):
|
|
pass
|
|
|
|
def test_remove_user_from_group_404(self):
|
|
pass
|
|
|
|
def test_get_role_grant_by_user_and_project(self):
|
|
pass
|
|
|
|
def test_get_role_grants_for_user_and_project_404(self):
|
|
pass
|
|
|
|
def test_add_role_grant_to_user_and_project_404(self):
|
|
pass
|
|
|
|
def test_remove_role_grant_from_user_and_project(self):
|
|
pass
|
|
|
|
def test_get_and_remove_role_grant_by_group_and_project(self):
|
|
pass
|
|
|
|
def test_get_and_remove_role_grant_by_group_and_domain(self):
|
|
pass
|
|
|
|
def test_get_and_remove_role_grant_by_user_and_domain(self):
|
|
pass
|