Merge "keystone_user: Use un-scoped token to verify password"

Zuul 2022-04-12 16:09:47 +00:00 committed by Gerrit Code Review
commit 6e68e8faf4
2 changed files with 7 additions and 91 deletions


@ -122,23 +122,6 @@ Puppet::Type.type(:keystone_user).provide(
# user_id uniquely identifies the user including domain.
credentials.username = resource[:name]
# Need to specify a project id to get a project scoped token. List
# all of the projects for the user, and use the id for the first one
# that is enabled then fallback to domain id only.
projects = self.class.system_request('project', 'list', ['--user', id, '--long'])
first_project = nil
if projects && projects.respond_to?(:each)
first_project = projects.detect { |p| p && p[:id] && p[:enabled] == 'True' }
end
if not first_project.nil?
credentials.project_id = first_project[:id]
else
# last chance - try a domain scoped token
credentials.domain_id = domain_id
end
credentials.identity_api_version = '2' if credentials.auth_url =~ /v2\.0\/?$/
begin
token = Puppet::Provider::Openstack.request('token', 'issue', ['--format', 'value'], credentials)
rescue Puppet::Error::OpenstackUnauthorizedError


@ -147,19 +147,13 @@ username="user1"
it 'checks the password' do
mock_creds = Puppet::Provider::Openstack::CredentialsV3.new
mock_creds.auth_url = 'http://127.0.0.1:5000'
mock_creds.password = 'pass_one'
mock_creds.username = 'user_one'
mock_creds.user_id = 'project1_id'
mock_creds.project_id = 'project-id-1'
mock_creds.auth_url = 'http://127.0.0.1:5000'
mock_creds.password = 'pass_one'
mock_creds.username = 'user_one'
mock_creds.user_id = 'user1_id'
mock_creds.user_domain_name = 'Default'
Puppet::Provider::Openstack::CredentialsV3.expects(:new).returns(mock_creds)
described_class.expects(:openstack)
.with('project', 'list', '--quiet', '--format', 'csv',
['--user', 'user1_id', '--long'])
.returns('"ID","Name","Domain ID","Description","Enabled"
"project-id-1","domain_one","domain1_id","Domain One",True
')
Puppet::Provider::Openstack.expects(:openstack)
.with('token', 'issue', ['--format', 'value'])
.returns('2015-05-14T04:06:05Z
@ -167,80 +161,19 @@ e664a386befa4a30878dcef20e79f167
8dce2ae9ecd34c199d2877bf319a3d06
ac43ec53d5a74a0b9f51523ae41a29f0
')
provider.expects(:id).times(2).returns('user1_id')
password = provider.password
expect(password).to eq('pass_one')
end
it 'checks the password with some projects disabled' do
mock_creds = Puppet::Provider::Openstack::CredentialsV3.new
mock_creds.auth_url = 'http://127.0.0.1:5000'
mock_creds.password = 'pass_one'
mock_creds.username = 'user_one'
mock_creds.user_id = 'project1_id'
mock_creds.project_id = 'project-id-2'
Puppet::Provider::Openstack::CredentialsV3.expects(:new).returns(mock_creds)
described_class.expects(:openstack)
.with('project', 'list', '--quiet', '--format', 'csv',
['--user', 'user1_id', '--long'])
.returns('"ID","Name","Domain ID","Description","Enabled"
"project-id-1","domain_one","domain1_id","Domain One",False
"project-id-2","domain_one","domain1_id","Domain One",True
"project-id-3","domain_one","domain1_id","Domain One",False
')
Puppet::Provider::Openstack.expects(:openstack)
.with('token', 'issue', ['--format', 'value'])
.returns('2015-05-14T04:06:05Z
e664a386befa4a30878dcef20e79f167
8dce2ae9ecd34c199d2877bf319a3d06
ac43ec53d5a74a0b9f51523ae41a29f0
')
provider.expects(:id).times(2).returns('user1_id')
provider.expects(:id).returns('user1_id')
password = provider.password
expect(password).to eq('pass_one')
end
it 'fails the password check' do
described_class.expects(:openstack)
.with('project', 'list', '--quiet', '--format', 'csv',
['--user', 'user1_id', '--long'])
.returns('"ID","Name","Domain ID","Description","Enabled"
"project-id-1","domain_one","domain1_id","Domain One",True
')
Puppet::Provider::Openstack.expects(:openstack)
.with('token', 'issue', ['--format', 'value'])
.raises(Puppet::ExecutionFailure, 'HTTP 401 invalid authentication')
provider.expects(:id).times(2).returns('user1_id')
provider.expects(:id).returns('user1_id')
password = provider.password
expect(password).to eq(nil)
end
it 'checks the password with domain scoped token' do
provider.expects(:id).twice.returns('project1_id')
provider.expects(:domain_id).returns('domain1_id')
mock_creds = Puppet::Provider::Openstack::CredentialsV3.new
mock_creds.auth_url = 'http://127.0.0.1:5000'
mock_creds.password = 'foo'
mock_creds.username = 'foo'
mock_creds.user_id = 'project1_id'
mock_creds.domain_id = 'domain1_id'
Puppet::Provider::Openstack::CredentialsV3.expects(:new).returns(mock_creds)
described_class.expects(:openstack)
.with('project', 'list', '--quiet', '--format', 'csv',
['--user', 'project1_id', '--long'])
.returns('"ID","Name","Domain ID","Description","Enabled"
')
Puppet::Provider::Openstack.expects(:openstack)
.with('token', 'issue', ['--format', 'value'])
.returns('2015-05-14T04:06:05Z
e664a386befa4a30878dcef20e79f167
8dce2ae9ecd34c199d2877bf319a3d06
ac43ec53d5a74a0b9f51523ae41a29f0
')
password = provider.password
expect(password).to eq('pass_one')
end
end
describe 'when updating a user with unmanaged password' do
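Review bot: The rewritten 'checks the password' example never asserts that the token request is actually un-scoped: it pre-fills `mock_creds`, returns it from `CredentialsV3.new`, and checks only the returned password, so a later change that puts a project or domain scope back on the credentials could still pass. Since the stubbed object is in hand, pin the property after `provider.password` with `expect(mock_creds.project_id).to be_nil` and `expect(mock_creds.domain_id).to be_nil`, assuming the credentials class exposes readers for the setters used in the removed examples. The 'fails the password check' example has the same gap, as it does not stub the credentials object at all. The +/- markers are lost on this page, so which of the duplicated `mock_creds` assignments belong to the new side is inferred from the diffstat.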