OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

1179 lines
50 KiB

# Copyright 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import datetime
from unittest import mock
import uuid
import fixtures
import freezegun
import http.client
from oslo_db import exception as oslo_db_exception
from oslo_log import log
from testtools import matchers
from keystone.common import provider_api
from keystone.common import sql
import keystone.conf
from keystone.credential.providers import fernet as credential_fernet
from keystone import exception
from keystone.identity.backends import base as identity_base
from keystone.identity.backends import resource_options as options
from keystone.identity.backends import sql_model as model
from keystone.tests import unit
from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import database
from keystone.tests.unit import mapping_fixtures
from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class IdentityTestCase(test_v3.RestfulTestCase):
"""Test users and groups."""
def setUp(self):
super(IdentityTestCase, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(
self.config_fixture,
'credential',
credential_fernet.MAX_ACTIVE_KEYS
)
)
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = PROVIDERS.identity_api.create_group(self.group)
self.group_id = self.group['id']
self.credential = unit.new_credential_ref(
user_id=self.user['id'],
project_id=self.project_id)
PROVIDERS.credential_api.create_credential(
self.credential['id'], self.credential
)
# user crud tests
def test_create_user(self):
"""Call ``POST /users``."""
ref = unit.new_user_ref(domain_id=self.domain_id)
r = self.post(
'/users',
body={'user': ref})
return self.assertValidUserResponse(r, ref)
def test_create_user_without_domain(self):
"""Call ``POST /users`` without specifying domain.
According to the identity-api specification, if you do not
explicitly specific the domain_id in the entity, it should
take the domain scope of the token as the domain_id.
"""
# Create a user with a role on the domain so we can get a
# domain scoped token
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
domain_id=domain['id'])
ref = unit.new_user_ref(domain_id=domain['id'])
ref_nd = ref.copy()
ref_nd.pop('domain_id')
auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
domain_id=domain['id'])
r = self.post('/users', body={'user': ref_nd}, auth=auth)
self.assertValidUserResponse(r, ref)
# Now try the same thing without a domain token - which should fail
ref = unit.new_user_ref(domain_id=domain['id'])
ref_nd = ref.copy()
ref_nd.pop('domain_id')
auth = self.build_authentication_request(
user_id=self.user['id'],
password=self.user['password'],
project_id=self.project['id'])
# TODO(henry-nash): Due to bug #1283539 we currently automatically
# use the default domain_id if a domain scoped token is not being
# used. For now we just check that a deprecation warning has been
# issued. Change the code below to expect a failure once this bug is
# fixed.
with mock.patch(
'oslo_log.versionutils.report_deprecated_feature') as mock_dep:
r = self.post('/users', body={'user': ref_nd}, auth=auth)
self.assertTrue(mock_dep.called)
ref['domain_id'] = CONF.identity.default_domain_id
return self.assertValidUserResponse(r, ref)
def test_create_user_with_admin_token_and_domain(self):
"""Call ``POST /users`` with admin token and domain id."""
ref = unit.new_user_ref(domain_id=self.domain_id)
self.post('/users', body={'user': ref}, token=self.get_admin_token(),
expected_status=http.client.CREATED)
def test_user_management_normalized_keys(self):
"""Illustrate the inconsistent handling of hyphens in keys.
To quote Morgan in bug 1526244:
the reason this is converted from "domain-id" to "domain_id" is
because of how we process/normalize data. The way we have to handle
specific data types for known columns requires avoiding "-" in the
actual python code since "-" is not valid for attributes in python
w/o significant use of "getattr" etc.
In short, historically we handle some things in conversions. The
use of "extras" has long been a poor design choice that leads to
odd/strange inconsistent behaviors because of other choices made in
handling data from within the body. (In many cases we convert from
"-" to "_" throughout openstack)
Source: https://bugs.launchpad.net/keystone/+bug/1526244/comments/9
"""
# Create two domains to work with.
domain1 = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
domain2 = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
# We can successfully create a normal user without any surprises.
user = unit.new_user_ref(domain_id=domain1['id'])
r = self.post(
'/users',
body={'user': user})
self.assertValidUserResponse(r, user)
user['id'] = r.json['user']['id']
# Query strings are not normalized: so we get all users back (like
# self.user), not just the ones in the specified domain.
r = self.get(
'/users?domain-id=%s' % domain1['id'])
self.assertValidUserListResponse(r, ref=self.user)
self.assertNotEqual(domain1['id'], self.user['domain_id'])
# When creating a new user, if we move the 'domain_id' into the
# 'domain-id' attribute, the server will normalize the request
# attribute, and effectively "move it back" for us.
user = unit.new_user_ref(domain_id=domain1['id'])
user['domain-id'] = user.pop('domain_id')
r = self.post(
'/users',
body={'user': user})
self.assertNotIn('domain-id', r.json['user'])
self.assertEqual(domain1['id'], r.json['user']['domain_id'])
# (move this attribute back so we can use assertValidUserResponse)
user['domain_id'] = user.pop('domain-id')
self.assertValidUserResponse(r, user)
user['id'] = r.json['user']['id']
# If we try updating the user's 'domain_id' by specifying a
# 'domain-id', then it'll be stored into extras rather than normalized,
# and the user's actual 'domain_id' is not affected.
r = self.patch(
'/users/%s' % user['id'],
body={'user': {'domain-id': domain2['id']}})
self.assertEqual(domain2['id'], r.json['user']['domain-id'])
self.assertEqual(user['domain_id'], r.json['user']['domain_id'])
self.assertNotEqual(domain2['id'], user['domain_id'])
self.assertValidUserResponse(r, user)
def test_create_user_bad_request(self):
"""Call ``POST /users``."""
self.post('/users', body={'user': {}},
expected_status=http.client.BAD_REQUEST)
def test_create_user_bad_domain_id(self):
"""Call ``POST /users``."""
# create user with 'DEFaUlT' domain_id instead if 'default'
# and verify it fails
self.post('/users',
body={'user': {"name": "baddomain", "domain_id":
"DEFaUlT"}},
expected_status=http.client.NOT_FOUND)
def test_list_head_users(self):
"""Call ``GET & HEAD /users``."""
resource_url = '/users'
r = self.get(resource_url)
self.assertValidUserListResponse(r, ref=self.user,
resource_url=resource_url)
self.head(resource_url, expected_status=http.client.OK)
def test_list_users_with_multiple_backends(self):
"""Call ``GET /users`` when multiple backends is enabled.
In this scenario, the controller requires a domain to be specified
either as a filter or by using a domain scoped token.
"""
self.config_fixture.config(group='identity',
domain_specific_drivers_enabled=True)
# Create a new domain with a new project and user
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id'])
PROVIDERS.resource_api.create_project(project['id'], project)
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
# Create both project and domain role grants for the user so we
# can get both project and domain scoped tokens
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
domain_id=domain['id'])
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
project_id=project['id'])
dom_auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
domain_id=domain['id'])
project_auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
project_id=project['id'])
# First try using a domain scoped token
resource_url = '/users'
r = self.get(resource_url, auth=dom_auth)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
# Now try using a project scoped token
resource_url = '/users'
r = self.get(resource_url, auth=project_auth)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
# Now try with an explicit filter
resource_url = ('/users?domain_id=%(domain_id)s' %
{'domain_id': domain['id']})
r = self.get(resource_url)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
def test_list_users_no_default_project(self):
"""Call ``GET /users`` making sure no default_project_id."""
user = unit.new_user_ref(self.domain_id)
user = PROVIDERS.identity_api.create_user(user)
resource_url = '/users'
r = self.get(resource_url)
self.assertValidUserListResponse(r, ref=user,
resource_url=resource_url)
def test_get_head_user(self):
"""Call ``GET & HEAD /users/{user_id}``."""
resource_url = '/users/%(user_id)s' % {
'user_id': self.user['id']}
r = self.get(resource_url)
self.assertValidUserResponse(r, self.user)
self.head(resource_url, expected_status=http.client.OK)
def test_get_user_does_not_include_extra_attributes(self):
"""Call ``GET /users/{user_id}`` extra attributes are not included."""
user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
user = PROVIDERS.identity_api.create_user(user)
self.assertNotIn('created_at', user)
self.assertNotIn('last_active_at', user)
def test_get_user_includes_required_attributes(self):
"""Call ``GET /users/{user_id}`` required attributes are included."""
user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
user = PROVIDERS.identity_api.create_user(user)
self.assertIn('id', user)
self.assertIn('name', user)
self.assertIn('enabled', user)
self.assertIn('password_expires_at', user)
r = self.get('/users/%(user_id)s' % {'user_id': user['id']})
self.assertValidUserResponse(r, user)
def test_get_user_with_default_project(self):
"""Call ``GET /users/{user_id}`` making sure of default_project_id."""
user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
user = PROVIDERS.identity_api.create_user(user)
r = self.get('/users/%(user_id)s' % {'user_id': user['id']})
self.assertValidUserResponse(r, user)
def test_add_user_to_group(self):
"""Call ``PUT /groups/{group_id}/users/{user_id}``."""
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': self.user['id']})
def test_list_head_groups_for_user(self):
"""Call ``GET & HEAD /users/{user_id}/groups``."""
user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': user1['id']})
# Scenarios below are written to test the default policy configuration
# One should be allowed to list one's own groups
auth = self.build_authentication_request(
user_id=user1['id'],
password=user1['password'])
resource_url = ('/users/%(user_id)s/groups' %
{'user_id': user1['id']})
r = self.get(resource_url, auth=auth)
self.assertValidGroupListResponse(r, ref=self.group,
resource_url=resource_url)
self.head(resource_url, auth=auth, expected_status=http.client.OK)
# Administrator is allowed to list others' groups
resource_url = ('/users/%(user_id)s/groups' %
{'user_id': user1['id']})
r = self.get(resource_url)
self.assertValidGroupListResponse(r, ref=self.group,
resource_url=resource_url)
self.head(resource_url, expected_status=http.client.OK)
# Ordinary users should not be allowed to list other's groups
auth = self.build_authentication_request(
user_id=user2['id'],
password=user2['password'])
resource_url = '/users/%(user_id)s/groups' % {
'user_id': user1['id']}
self.get(resource_url, auth=auth,
expected_status=exception.ForbiddenAction.code)
self.head(resource_url, auth=auth,
expected_status=exception.ForbiddenAction.code)
def test_check_user_in_group(self):
"""Call ``HEAD /groups/{group_id}/users/{user_id}``."""
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': self.user['id']})
self.head('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': self.user['id']})
def test_list_head_users_in_group(self):
"""Call ``GET & HEAD /groups/{group_id}/users``."""
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': self.user['id']})
resource_url = ('/groups/%(group_id)s/users' %
{'group_id': self.group_id})
r = self.get(resource_url)
self.assertValidUserListResponse(r, ref=self.user,
resource_url=resource_url)
self.assertIn('/groups/%(group_id)s/users' % {
'group_id': self.group_id}, r.result['links']['self'])
self.head(resource_url, expected_status=http.client.OK)
def test_remove_user_from_group(self):
"""Call ``DELETE /groups/{group_id}/users/{user_id}``."""
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': self.user['id']})
self.delete('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': self.user['id']})
def test_update_user(self):
"""Call ``PATCH /users/{user_id}``."""
user = unit.new_user_ref(domain_id=self.domain_id)
del user['id']
r = self.patch('/users/%(user_id)s' % {
'user_id': self.user['id']},
body={'user': user})
self.assertValidUserResponse(r, user)
def test_admin_password_reset(self):
# bootstrap a user as admin
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
# auth as user should work before a password change
old_password_auth = self.build_authentication_request(
user_id=user_ref['id'],
password=user_ref['password'])
r = self.v3_create_token(old_password_auth)
old_token = r.headers.get('X-Subject-Token')
# auth as user with a token should work before a password change
old_token_auth = self.build_authentication_request(token=old_token)
self.v3_create_token(old_token_auth)
# administrative password reset
new_password = uuid.uuid4().hex
self.patch('/users/%s' % user_ref['id'],
body={'user': {'password': new_password}})
# auth as user with original password should not work after change
self.v3_create_token(old_password_auth,
expected_status=http.client.UNAUTHORIZED)
# auth as user with an old token should not work after change
self.v3_create_token(old_token_auth,
expected_status=http.client.NOT_FOUND)
# new password should work
new_password_auth = self.build_authentication_request(
user_id=user_ref['id'],
password=new_password)
self.v3_create_token(new_password_auth)
def test_admin_password_reset_with_min_password_age_enabled(self):
# enable minimum_password_age, this should have no effect on admin
# password reset
self.config_fixture.config(group='security_compliance',
minimum_password_age=1)
# create user
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
# administrative password reset
new_password = uuid.uuid4().hex
r = self.patch('/users/%s' % user_ref['id'],
body={'user': {'password': new_password}})
self.assertValidUserResponse(r, user_ref)
# authenticate with new password
new_password_auth = self.build_authentication_request(
user_id=user_ref['id'],
password=new_password)
self.v3_create_token(new_password_auth)
def test_admin_password_reset_with_password_lock(self):
# create user
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
lock_pw_opt = options.LOCK_PASSWORD_OPT.option_name
update_user_body = {'user': {'options': {lock_pw_opt: True}}}
self.patch('/users/%s' % user_ref['id'], body=update_user_body)
# administrative password reset
new_password = uuid.uuid4().hex
r = self.patch('/users/%s' % user_ref['id'],
body={'user': {'password': new_password}})
self.assertValidUserResponse(r, user_ref)
# authenticate with new password
new_password_auth = self.build_authentication_request(
user_id=user_ref['id'],
password=new_password)
self.v3_create_token(new_password_auth)
def test_update_user_domain_id(self):
"""Call ``PATCH /users/{user_id}`` with domain_id.
A user's `domain_id` is immutable. Ensure that any attempts to update
the `domain_id` of a user fails.
"""
user = unit.new_user_ref(domain_id=self.domain['id'])
user = PROVIDERS.identity_api.create_user(user)
user['domain_id'] = CONF.identity.default_domain_id
self.patch('/users/%(user_id)s' % {
'user_id': user['id']},
body={'user': user},
expected_status=exception.ValidationError.code)
def test_delete_user(self):
"""Call ``DELETE /users/{user_id}``.
As well as making sure the delete succeeds, we ensure
that any credentials that reference this user are
also deleted, while other credentials are unaffected.
In addition, no tokens should remain valid for this user.
"""
# First check the credential for this user is present
r = PROVIDERS.credential_api.get_credential(self.credential['id'])
self.assertDictEqual(self.credential, r)
# Create a second credential with a different user
user2 = unit.new_user_ref(domain_id=self.domain['id'],
project_id=self.project['id'])
user2 = PROVIDERS.identity_api.create_user(user2)
credential2 = unit.new_credential_ref(user_id=user2['id'],
project_id=self.project['id'])
PROVIDERS.credential_api.create_credential(
credential2['id'], credential2
)
# Create a token for this user which we can check later
# gets deleted
auth_data = self.build_authentication_request(
user_id=self.user['id'],
password=self.user['password'],
project_id=self.project['id'])
token = self.get_requested_token(auth_data)
# Confirm token is valid for now
self.head('/auth/tokens',
headers={'X-Subject-Token': token},
expected_status=http.client.OK)
# Now delete the user
self.delete('/users/%(user_id)s' % {
'user_id': self.user['id']})
# Deleting the user should have deleted any credentials
# that reference this project
self.assertRaises(exception.CredentialNotFound,
PROVIDERS.credential_api.get_credential,
self.credential['id'])
# But the credential for user2 is unaffected
r = PROVIDERS.credential_api.get_credential(credential2['id'])
self.assertDictEqual(credential2, r)
def test_delete_user_retries_on_deadlock(self):
patcher = mock.patch('sqlalchemy.orm.query.Query.delete',
autospec=True)
class FakeDeadlock(object):
def __init__(self, mock_patcher):
self.deadlock_count = 2
self.mock_patcher = mock_patcher
self.patched = True
def __call__(self, *args, **kwargs):
if self.deadlock_count > 1:
self.deadlock_count -= 1
else:
self.mock_patcher.stop()
self.patched = False
raise oslo_db_exception.DBDeadlock
sql_delete_mock = patcher.start()
side_effect = FakeDeadlock(patcher)
sql_delete_mock.side_effect = side_effect
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
try:
PROVIDERS.identity_api.delete_user(user_id=user_ref['id'])
finally:
if side_effect.patched:
patcher.stop()
call_count = sql_delete_mock.call_count
# initial attempt + 1 retry
delete_user_attempt_count = 2
self.assertEqual(call_count, delete_user_attempt_count)
# group crud tests
def test_create_group(self):
"""Call ``POST /groups``."""
# Create a new group to avoid a duplicate check failure
ref = unit.new_group_ref(domain_id=self.domain_id)
r = self.post(
'/groups',
body={'group': ref})
return self.assertValidGroupResponse(r, ref)
def test_create_group_bad_request(self):
"""Call ``POST /groups``."""
self.post('/groups', body={'group': {}},
expected_status=http.client.BAD_REQUEST)
def test_list_head_groups(self):
"""Call ``GET & HEAD /groups``."""
resource_url = '/groups'
r = self.get(resource_url)
self.assertValidGroupListResponse(r, ref=self.group,
resource_url=resource_url)
self.head(resource_url, expected_status=http.client.OK)
def test_get_head_group(self):
"""Call ``GET & HEAD /groups/{group_id}``."""
resource_url = '/groups/%(group_id)s' % {
'group_id': self.group_id}
r = self.get(resource_url)
self.assertValidGroupResponse(r, self.group)
self.head(resource_url, expected_status=http.client.OK)
def test_update_group(self):
"""Call ``PATCH /groups/{group_id}``."""
group = unit.new_group_ref(domain_id=self.domain_id)
del group['id']
r = self.patch('/groups/%(group_id)s' % {
'group_id': self.group_id},
body={'group': group})
self.assertValidGroupResponse(r, group)
def test_update_group_domain_id(self):
"""Call ``PATCH /groups/{group_id}`` with domain_id.
A group's `domain_id` is immutable. Ensure that any attempts to update
the `domain_id` of a group fails.
"""
self.group['domain_id'] = CONF.identity.default_domain_id
self.patch('/groups/%(group_id)s' % {
'group_id': self.group['id']},
body={'group': self.group},
expected_status=exception.ValidationError.code)
def test_delete_group(self):
"""Call ``DELETE /groups/{group_id}``."""
self.delete('/groups/%(group_id)s' % {
'group_id': self.group_id})
def test_create_user_password_not_logged(self):
# When a user is created, the password isn't logged at any level.
log_fix = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
ref = unit.new_user_ref(domain_id=self.domain_id)
self.post(
'/users',
body={'user': ref})
self.assertNotIn(ref['password'], log_fix.output)
def test_update_password_not_logged(self):
# When admin modifies user password, the password isn't logged at any
# level.
log_fix = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
# bootstrap a user as admin
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
self.assertNotIn(user_ref['password'], log_fix.output)
# administrative password reset
new_password = uuid.uuid4().hex
self.patch('/users/%s' % user_ref['id'],
body={'user': {'password': new_password}})
self.assertNotIn(new_password, log_fix.output)
def test_setting_default_project_id_to_domain_failed(self):
"""Call ``POST and PATCH /users`` default_project_id=domain_id.
Make sure we validate the default_project_id if it is specified.
It cannot be set to a domain_id, even for a project acting as domain
right now. That's because we haven't sort out the issuing
project-scoped token for project acting as domain bit yet. Once we
got that sorted out, we can relax this constraint.
"""
# creating a new user with default_project_id set to a
# domain_id should result in HTTP 400
ref = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.domain_id)
self.post('/users', body={'user': ref}, token=CONF.admin_token,
expected_status=http.client.BAD_REQUEST)
# updating user's default_project_id to a domain_id should result
# in HTTP 400
user = {'default_project_id': self.domain_id}
self.patch('/users/%(user_id)s' % {
'user_id': self.user['id']},
body={'user': user},
token=CONF.admin_token,
expected_status=http.client.BAD_REQUEST)
class ChangePasswordTestCase(test_v3.RestfulTestCase):
def setUp(self):
super(ChangePasswordTestCase, self).setUp()
self.user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
self.token = self.get_request_token(self.user_ref['password'],
http.client.CREATED)
def get_request_token(self, password, expected_status):
auth_data = self.build_authentication_request(
user_id=self.user_ref['id'],
password=password)
r = self.v3_create_token(auth_data,
expected_status=expected_status)
return r.headers.get('X-Subject-Token')
def change_password(self, expected_status, **kwargs):
"""Return a test response for a change password request."""
return self.post('/users/%s/password' % self.user_ref['id'],
body={'user': kwargs},
token=self.token,
expected_status=expected_status)
class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
def _create_user_with_expired_password(self):
expire_days = CONF.security_compliance.password_expires_days + 1
time = (
datetime.datetime.utcnow() -
datetime.timedelta(expire_days)
)
password = uuid.uuid4().hex
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
with freezegun.freeze_time(time):
self.user_ref = PROVIDERS.identity_api.create_user(user_ref)
return password
def test_changing_password(self):
# original password works
token_id = self.get_request_token(self.user_ref['password'],
expected_status=http.client.CREATED)
# original token works
old_token_auth = self.build_authentication_request(token=token_id)
self.v3_create_token(old_token_auth)
# change password
new_password = uuid.uuid4().hex
self.change_password(password=new_password,
original_password=self.user_ref['password'],
expected_status=http.client.NO_CONTENT)
# old password fails
self.get_request_token(self.user_ref['password'],
expected_status=http.client.UNAUTHORIZED)
# old token fails
self.v3_create_token(old_token_auth,
expected_status=http.client.NOT_FOUND)
# new password works
self.get_request_token(new_password,
expected_status=http.client.CREATED)
def test_changing_password_with_min_password_age(self):
time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime:
# enable minimum_password_age and attempt to change password
new_password = uuid.uuid4().hex
self.config_fixture.config(group='security_compliance',
minimum_password_age=1)
# able to change password after create user
self.change_password(password=new_password,
original_password=self.user_ref['password'],
expected_status=http.client.NO_CONTENT)
# 2nd change password should fail due to minimum password age and
# make sure we wait one second to avoid race conditions with Fernet
frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
self.token = self.get_request_token(
new_password,
http.client.CREATED
)
self.change_password(password=uuid.uuid4().hex,
original_password=new_password,
expected_status=http.client.BAD_REQUEST)
# disable minimum_password_age and attempt to change password
self.config_fixture.config(group='security_compliance',
minimum_password_age=0)
self.change_password(password=uuid.uuid4().hex,
original_password=new_password,
expected_status=http.client.NO_CONTENT)
def test_changing_password_with_password_lock(self):
password = uuid.uuid4().hex
ref = unit.new_user_ref(domain_id=self.domain_id, password=password)
response = self.post('/users', body={'user': ref})
user_id = response.json_body['user']['id']
time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime:
# Lock the user's password
lock_pw_opt = options.LOCK_PASSWORD_OPT.option_name
user_patch = {'user': {'options': {lock_pw_opt: True}}}
self.patch('/users/%s' % user_id, body=user_patch)
# Fail, password is locked
new_password = uuid.uuid4().hex
body = {
'user': {
'original_password': password,
'password': new_password
}
}
path = '/users/%s/password' % user_id
self.post(path, body=body, expected_status=http.client.BAD_REQUEST)
# Unlock the password, and change should work
user_patch['user']['options'][lock_pw_opt] = False
self.patch('/users/%s' % user_id, body=user_patch)
path = '/users/%s/password' % user_id
self.post(path, body=body, expected_status=http.client.NO_CONTENT)
frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
auth_data = self.build_authentication_request(
user_id=user_id,
password=new_password
)
self.v3_create_token(
auth_data, expected_status=http.client.CREATED
)
path = '/users/%s' % user_id
user = self.get(path).json_body['user']
self.assertIn(lock_pw_opt, user['options'])
self.assertFalse(user['options'][lock_pw_opt])
# Completely unset the option from the user's reference
user_patch['user']['options'][lock_pw_opt] = None
self.patch('/users/%s' % user_id, body=user_patch)
path = '/users/%s' % user_id
user = self.get(path).json_body['user']
self.assertNotIn(lock_pw_opt, user['options'])
def test_changing_password_with_missing_original_password_fails(self):
r = self.change_password(password=uuid.uuid4().hex,
expected_status=http.client.BAD_REQUEST)
self.assertThat(r.result['error']['message'],
matchers.Contains('original_password'))
def test_changing_password_with_missing_password_fails(self):
r = self.change_password(original_password=self.user_ref['password'],
expected_status=http.client.BAD_REQUEST)
self.assertThat(r.result['error']['message'],
matchers.Contains('password'))
def test_changing_password_with_incorrect_password_fails(self):
self.change_password(password=uuid.uuid4().hex,
original_password=uuid.uuid4().hex,
expected_status=http.client.UNAUTHORIZED)
def test_changing_password_with_disabled_user_fails(self):
# disable the user account
self.user_ref['enabled'] = False
self.patch('/users/%s' % self.user_ref['id'],
body={'user': self.user_ref})
self.change_password(password=uuid.uuid4().hex,
original_password=self.user_ref['password'],
expected_status=http.client.UNAUTHORIZED)
def test_changing_password_not_logged(self):
# When a user changes their password, the password isn't logged at any
# level.
log_fix = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
# change password
new_password = uuid.uuid4().hex
self.change_password(password=new_password,
original_password=self.user_ref['password'],
expected_status=http.client.NO_CONTENT)
self.assertNotIn(self.user_ref['password'], log_fix.output)
self.assertNotIn(new_password, log_fix.output)
def test_changing_expired_password_succeeds(self):
self.config_fixture.config(group='security_compliance',
password_expires_days=2)
password = self._create_user_with_expired_password()
new_password = uuid.uuid4().hex
self.change_password(password=new_password,
original_password=password,
expected_status=http.client.NO_CONTENT)
# new password works
self.get_request_token(new_password,
expected_status=http.client.CREATED)
def test_changing_expired_password_with_disabled_user_fails(self):
self.config_fixture.config(group='security_compliance',
password_expires_days=2)
password = self._create_user_with_expired_password()
# disable the user account
self.user_ref['enabled'] = False
self.patch('/users/%s' % self.user_ref['id'],
body={'user': self.user_ref})
new_password = uuid.uuid4().hex
self.change_password(password=new_password,
original_password=password,
expected_status=http.client.UNAUTHORIZED)
def test_change_password_required_upon_first_use_for_create(self):
self.config_fixture.config(group='security_compliance',
change_password_upon_first_use=True)
# create user
self.user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
# attempt to authenticate with create user password
self.get_request_token(self.user_ref['password'],
expected_status=http.client.UNAUTHORIZED)
# self-service change password
new_password = uuid.uuid4().hex
self.change_password(password=new_password,
original_password=self.user_ref['password'],
expected_status=http.client.NO_CONTENT)
# authenticate with the new password
self.token = self.get_request_token(new_password, http.client.CREATED)
def test_change_password_required_upon_first_use_for_admin_reset(self):
self.config_fixture.config(group='security_compliance',
change_password_upon_first_use=True)
# admin reset
reset_password = uuid.uuid4().hex
user_password = {'password': reset_password}
PROVIDERS.identity_api.update_user(self.user_ref['id'], user_password)
# attempt to authenticate with admin reset password
self.get_request_token(reset_password,
expected_status=http.client.UNAUTHORIZED)
# self-service change password
new_password = uuid.uuid4().hex
self.change_password(password=new_password,
original_password=reset_password,
expected_status=http.client.NO_CONTENT)
# authenticate with the new password
self.token = self.get_request_token(new_password, http.client.CREATED)
def test_change_password_required_upon_first_use_ignore_user(self):
self.config_fixture.config(group='security_compliance',
change_password_upon_first_use=True)
# ignore user and reset password
reset_password = uuid.uuid4().hex
self.user_ref['password'] = reset_password
ignore_opt_name = options.IGNORE_CHANGE_PASSWORD_OPT.option_name
self.user_ref['options'][ignore_opt_name] = True
PROVIDERS.identity_api.update_user(self.user_ref['id'], self.user_ref)
# authenticate with the reset password
self.token = self.get_request_token(reset_password,
http.client.CREATED)
def test_lockout_exempt(self):
self.config_fixture.config(group='security_compliance',
lockout_failure_attempts=1)
# create user
self.user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
# update the user, mark her as exempt from lockout
ignore_opt_name = options.IGNORE_LOCKOUT_ATTEMPT_OPT.option_name
self.user_ref['options'][ignore_opt_name] = True
PROVIDERS.identity_api.update_user(self.user_ref['id'], self.user_ref)
# fail to auth, this should lockout the user, since we're allowed
# one failure, but we're exempt from lockout!
bad_password = uuid.uuid4().hex
self.token = self.get_request_token(bad_password,
http.client.UNAUTHORIZED)
# attempt to authenticate with correct password
self.get_request_token(self.user_ref['password'],
expected_status=http.client.CREATED)
class PasswordValidationTestCase(ChangePasswordTestCase):
def setUp(self):
super(PasswordValidationTestCase, self).setUp()
# passwords requires: 1 letter, 1 digit, 7 chars
self.config_fixture.config(group='security_compliance',
password_regex=(
'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$'))
def test_create_user_with_invalid_password(self):
user = unit.new_user_ref(domain_id=self.domain_id)
user['password'] = 'simple'
self.post('/users', body={'user': user}, token=self.get_admin_token(),
expected_status=http.client.BAD_REQUEST)
def test_update_user_with_invalid_password(self):
user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
user['password'] = 'simple'
self.patch('/users/%(user_id)s' % {
'user_id': user['id']},
body={'user': user},
expected_status=http.client.BAD_REQUEST)
def test_changing_password_with_simple_password_strength(self):
# password requires: any non-whitespace character
self.config_fixture.config(group='security_compliance',
password_regex='[\S]+')
self.change_password(password='simple',
original_password=self.user_ref['password'],
expected_status=http.client.NO_CONTENT)
def test_changing_password_with_strong_password_strength(self):
self.change_password(password='mypassword2',
original_password=self.user_ref['password'],
expected_status=http.client.NO_CONTENT)
def test_changing_password_with_strong_password_strength_fails(self):
# no digit
self.change_password(password='mypassword',
original_password=self.user_ref['password'],
expected_status=http.client.BAD_REQUEST)
# no letter
self.change_password(password='12345678',
original_password=self.user_ref['password'],
expected_status=http.client.BAD_REQUEST)
# less than 7 chars
self.change_password(password='mypas2',
original_password=self.user_ref['password'],
expected_status=http.client.BAD_REQUEST)
class UserFederatedAttributesTests(test_v3.RestfulTestCase):
def _create_federated_attributes(self):
# Create the idp
idp = {
'id': uuid.uuid4().hex,
'enabled': True,
'description': uuid.uuid4().hex
}
PROVIDERS.federation_api.create_idp(idp['id'], idp)
# Create the mapping
mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
mapping['id'] = uuid.uuid4().hex
PROVIDERS.federation_api.create_mapping(mapping['id'], mapping)
# Create the protocol
protocol = {
'id': uuid.uuid4().hex,
'mapping_id': mapping['id']
}
PROVIDERS.federation_api.create_protocol(
idp['id'], protocol['id'], protocol
)
return idp, protocol
def _create_user_with_federated_user(self, user, fed_dict):
with sql.session_for_write() as session:
federated_ref = model.FederatedUser.from_dict(fed_dict)
user_ref = model.User.from_dict(user)
user_ref.created_at = datetime.datetime.utcnow()
user_ref.federated_users.append(federated_ref)
session.add(user_ref)
return identity_base.filter_user(user_ref.to_dict())
def setUp(self):
super(UserFederatedAttributesTests, self).setUp()
self.useFixture(database.Database())
self.load_backends()
# Create the federated object
idp, protocol = self._create_federated_attributes()
self.fed_dict = unit.new_federated_user_ref()
self.fed_dict['idp_id'] = idp['id']
self.fed_dict['protocol_id'] = protocol['id']
self.fed_dict['unique_id'] = "jdoe"
# Create the domain_id, user, and federated_user relationship
self.domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain)
self.fed_user = unit.new_user_ref(domain_id=self.domain['id'])
self.fed_user = self._create_user_with_federated_user(self.fed_user,
self.fed_dict)
# Create two new fed_users which will have the same idp and protocol
# but be completely different from the first fed_user
# Create a new idp and protocol for fed_user2 and 3
idp, protocol = self._create_federated_attributes()
self.fed_dict2 = unit.new_federated_user_ref()
self.fed_dict2['idp_id'] = idp['id']
self.fed_dict2['protocol_id'] = protocol['id']
self.fed_dict2['unique_id'] = "ravelar"
self.fed_user2 = unit.new_user_ref(domain_id=self.domain['id'])
self.fed_user2 = self._create_user_with_federated_user(self.fed_user2,
self.fed_dict2)
self.fed_dict3 = unit.new_federated_user_ref()
self.fed_dict3['idp_id'] = idp['id']
self.fed_dict3['protocol_id'] = protocol['id']
self.fed_dict3['unique_id'] = "jsmith"
self.fed_user3 = unit.new_user_ref(domain_id=self.domain['id'])
self.fed_user3 = self._create_user_with_federated_user(self.fed_user3,
self.fed_dict3)
def _test_list_users_with_federated_parameter(self, parameter):
# construct the resource url based off what's passed in parameter
resource_url = ('/users?%s=%s'
% (parameter[0], self.fed_dict[parameter[0]]))
for attr in parameter[1:]:
resource_url += '&%s=%s' % (attr, self.fed_dict[attr])
r = self.get(resource_url)
# Check that only one out of 3 fed_users is matched by calling the api
# and that it is a valid response
self.assertEqual(1, len(r.result['users']))
self.assertValidUserListResponse(r, ref=self.fed_user,
resource_url=resource_url)
# Since unique_id will always return one user if matching for unique_id
# in the query, we rule out unique_id for the next tests
if not any('unique_id' in x for x in parameter):
# Check that we get two matches here since fed_user2 and fed_user3
# both have the same idp and protocol
resource_url = ('/users?%s=%s'
% (parameter[0], self.fed_dict2[parameter[0]]))
for attr in parameter[1:]:
resource_url += '&%s=%s' % (attr, self.fed_dict2[attr])
r = self.get(resource_url)
self.assertEqual(2, len(r.result['users']))
self.assertValidUserListResponse(r, ref=self.fed_user2,
resource_url=resource_url)
def test_list_users_with_idp_id(self):
attribute = ['idp_id']
self._test_list_users_with_federated_parameter(attribute)
def test_list_users_with_protocol_id(self):
attribute = ['protocol_id']
self._test_list_users_with_federated_parameter(attribute)
def test_list_users_with_unique_id(self):
attribute = ['unique_id']
self._test_list_users_with_federated_parameter(attribute)
def test_list_users_with_idp_id_and_unique_id(self):
attribute = ['idp_id', 'unique_id']
self._test_list_users_with_federated_parameter(attribute)
def test_list_users_with_idp_id_and_protocol_id(self):
attribute = ['idp_id', 'protocol_id']
self._test_list_users_with_federated_parameter(attribute)
def test_list_users_with_protocol_id_and_unique_id(self):
attribute = ['protocol_id', 'unique_id']
self._test_list_users_with_federated_parameter(attribute)
def test_list_users_with_all_federated_attributes(self):
attribute = ['idp_id', 'protocol_id', 'unique_id']
self._test_list_users_with_federated_parameter(attribute)
def test_get_user_includes_required_federated_attributes(self):
user = self.identity_api.get_user(self.fed_user['id'])
self.assertIn('federated', user)
self.assertIn('idp_id', user['federated'][0])
self.assertIn('protocols', user['federated'][0])
self.assertIn('protocol_id', user['federated'][0]['protocols'][0])
self.assertIn('unique_id', user['federated'][0]['protocols'][0])
r = self.get('/users/%(user_id)s' % {'user_id': user['id']})
self.assertValidUserResponse(r, user)