openstack/keystone
Code Issues Proposed changes
a9d53dc93e
keystone/tests/test_backend_ldap.py
Henry Nash 4fae928c59 Keystone server support for user groups 
This implements the server side of groups of users.  This
set of code provides all the crud functionality for groups as
well as the corresponding support for role assignments.

blueprint user-groups

The following deficiencies existing with the current version and
will be corrected ahead of the final Grizzly release:

1) There is only placeholder support for LDAP (Bug #1092187)
2) Domain role grants are accepted but not yet honored (Bug #1093248)
3) Token invalidation does not occur with group changes (Bug #1093493)

This update also fills in missing v3 grant unit testing and v3 grant
support within the kvs backend.  In addition, there is a fix for
Bug #1092200 (uncaught exception when listing grants)

DocImpact

Change-Id: Ibd1783b04b2d7804eff90312e5ef591dca4d0695
2013-01-08 01:32:46 +00:00

445 lines
18 KiB
Python
Raw Blame History

# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2012 OpenStack LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import uuid
from keystone.common.ldap import fakeldap
from keystone import config
from keystone import exception
from keystone.identity.backends import ldap as identity_ldap
from keystone import test
import default_fixtures
import test_backend
CONF = config.CONF
def clear_database():
db = fakeldap.FakeShelve().get_instance()
db.clear()
class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
def setUp(self):
super(LDAPIdentity, self).setUp()
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
def test_role_crud(self):
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.identity_api.create_role(role['id'], role)
role_ref = self.identity_api.get_role(role['id'])
role_ref_dict = dict((x, role_ref[x]) for x in role_ref)
self.assertDictEqual(role_ref_dict, role)
self.identity_api.delete_role(role['id'])
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
role['id'])
def test_build_tree(self):
"""Regression test for building the tree names
"""
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
user_api = identity_ldap.UserApi(CONF)
self.assertTrue(user_api)
self.assertEquals(user_api.tree_dn, "ou=Users,%s" % CONF.ldap.suffix)
def test_configurable_allowed_user_actions(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
self.identity_api = identity_ldap.Identity()
user = {'id': 'fake1',
'name': 'fake1',
'password': 'fakepass1',
'tenants': ['bar']}
self.identity_api.create_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['id'], 'fake1')
user['password'] = 'fakepass2'
self.identity_api.update_user('fake1', user)
self.identity_api.delete_user('fake1')
self.assertRaises(exception.UserNotFound,
self.identity_api.get_user,
'fake1')
def test_configurable_forbidden_user_actions(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.user_allow_create = False
CONF.ldap.user_allow_update = False
CONF.ldap.user_allow_delete = False
self.identity_api = identity_ldap.Identity()
user = {'id': 'fake1',
'name': 'fake1',
'password': 'fakepass1',
'tenants': ['bar']}
self.assertRaises(exception.ForbiddenAction,
self.identity_api.create_user,
'fake1',
user)
self.user_foo['password'] = 'fakepass2'
self.assertRaises(exception.ForbiddenAction,
self.identity_api.update_user,
self.user_foo['id'],
self.user_foo)
self.assertRaises(exception.ForbiddenAction,
self.identity_api.delete_user,
self.user_foo['id'])
def test_configurable_allowed_tenant_actions(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
self.identity_api = identity_ldap.Identity()
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.identity_api.create_tenant('fake1', tenant)
tenant_ref = self.identity_api.get_tenant('fake1')
self.assertEqual(tenant_ref['id'], 'fake1')
tenant['enabled'] = 'False'
self.identity_api.update_tenant('fake1', tenant)
self.identity_api.delete_tenant('fake1')
self.assertRaises(exception.TenantNotFound,
self.identity_api.get_tenant,
'fake1')
def test_configurable_forbidden_tenant_actions(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.tenant_allow_create = False
CONF.ldap.tenant_allow_update = False
CONF.ldap.tenant_allow_delete = False
self.identity_api = identity_ldap.Identity()
tenant = {'id': 'fake1', 'name': 'fake1'}
self.assertRaises(exception.ForbiddenAction,
self.identity_api.create_tenant,
'fake1',
tenant)
self.tenant_bar['enabled'] = 'False'
self.assertRaises(exception.ForbiddenAction,
self.identity_api.update_tenant,
self.tenant_bar['id'],
self.tenant_bar)
self.assertRaises(exception.ForbiddenAction,
self.identity_api.delete_tenant,
self.tenant_bar['id'])
def test_configurable_allowed_role_actions(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
self.identity_api = identity_ldap.Identity()
role = {'id': 'fake1', 'name': 'fake1'}
self.identity_api.create_role('fake1', role)
role_ref = self.identity_api.get_role('fake1')
self.assertEqual(role_ref['id'], 'fake1')
role['name'] = 'fake2'
self.identity_api.update_role('fake1', role)
self.identity_api.delete_role('fake1')
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
'fake1')
def test_configurable_forbidden_role_actions(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.role_allow_create = False
CONF.ldap.role_allow_update = False
CONF.ldap.role_allow_delete = False
self.identity_api = identity_ldap.Identity()
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.assertRaises(exception.ForbiddenAction,
self.identity_api.create_role,
role['id'],
role)
self.role_member['name'] = uuid.uuid4().hex
self.assertRaises(exception.ForbiddenAction,
self.identity_api.update_role,
self.role_member['id'],
self.role_member)
self.assertRaises(exception.ForbiddenAction,
self.identity_api.delete_role,
self.role_member['id'])
def test_user_filter(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
user_ref = self.identity_api.get_user(self.user_foo['id'])
self.user_foo.pop('password')
self.assertDictEqual(user_ref, self.user_foo)
CONF.ldap.user_filter = '(CN=DOES_NOT_MATCH)'
self.identity_api = identity_ldap.Identity()
self.assertRaises(exception.UserNotFound,
self.identity_api.get_user,
self.user_foo['id'])
def test_tenant_filter(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
tenant_ref = self.identity_api.get_tenant(self.tenant_bar['id'])
self.assertDictEqual(tenant_ref, self.tenant_bar)
CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)'
self.identity_api = identity_ldap.Identity()
self.assertRaises(exception.TenantNotFound,
self.identity_api.get_tenant,
self.tenant_bar['id'])
def test_role_filter(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
role_ref = self.identity_api.get_role(self.role_member['id'])
self.assertDictEqual(role_ref, self.role_member)
CONF.ldap.role_filter = '(CN=DOES_NOT_MATCH)'
self.identity_api = identity_ldap.Identity()
self.assertRaises(exception.RoleNotFound,
self.identity_api.get_role,
self.role_member['id'])
def test_dumb_member(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.use_dumb_member = True
CONF.ldap.dumb_member = 'cn=dumb,cn=example,cn=com'
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
self.assertRaises(exception.UserNotFound,
self.identity_api.get_user,
'dumb')
def test_user_attribute_mapping(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.user_name_attribute = 'sn'
CONF.ldap.user_mail_attribute = 'email'
CONF.ldap.user_enabled_attribute = 'enabled'
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
user_ref = self.identity_api.get_user(self.user_two['id'])
self.assertEqual(user_ref['id'], self.user_two['id'])
self.assertEqual(user_ref['name'], self.user_two['name'])
self.assertEqual(user_ref['email'], self.user_two['email'])
self.assertEqual(user_ref['enabled'], self.user_two['enabled'])
CONF.ldap.user_name_attribute = 'email'
CONF.ldap.user_mail_attribute = 'sn'
self.identity_api = identity_ldap.Identity()
user_ref = self.identity_api.get_user(self.user_two['id'])
self.assertEqual(user_ref['id'], self.user_two['id'])
self.assertEqual(user_ref['name'], self.user_two['email'])
self.assertEqual(user_ref['email'], self.user_two['name'])
self.assertEqual(user_ref['enabled'], self.user_two['enabled'])
def test_user_attribute_ignore(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.user_attribute_ignore = ['name', 'email', 'password',
'tenant_id', 'enabled', 'tenants']
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
user_ref = self.identity_api.get_user(self.user_two['id'])
self.assertEqual(user_ref['id'], self.user_two['id'])
self.assertNotIn('name', user_ref)
self.assertNotIn('email', user_ref)
self.assertNotIn('password', user_ref)
self.assertNotIn('tenant_id', user_ref)
self.assertNotIn('enabled', user_ref)
self.assertNotIn('tenants', user_ref)
def test_tenant_attribute_mapping(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.tenant_name_attribute = 'ou'
CONF.ldap.tenant_desc_attribute = 'desc'
CONF.ldap.tenant_enabled_attribute = 'enabled'
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['name'])
self.assertEqual(
tenant_ref['description'],
self.tenant_baz['description'])
self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled'])
CONF.ldap.tenant_name_attribute = 'desc'
CONF.ldap.tenant_desc_attribute = 'ou'
self.identity_api = identity_ldap.Identity()
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertEqual(tenant_ref['name'], self.tenant_baz['description'])
self.assertEqual(tenant_ref['description'], self.tenant_baz['name'])
self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled'])
def test_tenant_attribute_ignore(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.tenant_attribute_ignore = ['name',
'description',
'enabled']
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
tenant_ref = self.identity_api.get_tenant(self.tenant_baz['id'])
self.assertEqual(tenant_ref['id'], self.tenant_baz['id'])
self.assertNotIn('name', tenant_ref)
self.assertNotIn('description', tenant_ref)
self.assertNotIn('enabled', tenant_ref)
def test_role_attribute_mapping(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.role_name_attribute = 'ou'
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
role_ref = self.identity_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertEqual(role_ref['name'], self.role_member['name'])
CONF.ldap.role_name_attribute = 'sn'
self.identity_api = identity_ldap.Identity()
role_ref = self.identity_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertNotIn('name', role_ref)
def test_role_attribute_ignore(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.role_attribute_ignore = ['name']
clear_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
role_ref = self.identity_api.get_role(self.role_member['id'])
self.assertEqual(role_ref['id'], self.role_member['id'])
self.assertNotIn('name', role_ref)
def test_user_enable_attribute_mask(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
CONF.ldap.user_enabled_attribute = 'enabled'
CONF.ldap.user_enabled_mask = 2
CONF.ldap.user_enabled_default = 512
clear_database()
self.identity_api = identity_ldap.Identity()
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.identity_api.create_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], True)
user['enabled'] = False
self.identity_api.update_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], False)
user['enabled'] = True
self.identity_api.update_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], True)
# TODO (henry-nash) These need to be removed when the full LDAP implementation
# is submitted - see BugL #1092187
def test_group_crud(self):
pass
def test_add_user_to_group(self):
pass
def test_add_user_to_group_404(self):
pass
def test_check_user_in_group(self):
pass
def test_check_user_not_in_group(self):
pass
def test_list_users_in_group(self):
pass
def test_remove_user_from_group(self):
pass
def test_remove_user_from_group_404(self):
pass
def test_get_role_grant_by_user_and_project(self):
pass
def test_get_role_grants_for_user_and_project_404(self):
pass
def test_add_role_grant_to_user_and_project_404(self):
pass
def test_remove_role_grant_from_user_and_project(self):
pass
def test_get_and_remove_role_grant_by_group_and_project(self):
pass
def test_get_and_remove_role_grant_by_group_and_domain(self):
pass
def test_get_and_remove_role_grant_by_user_and_domain(self):
pass
View Git Blame Copy Permalink