| Chris Hoge | 4f6117a | 2015-03-20 12:39:33 -0500 | [diff] [blame] | 1 | # Copyright 2015 OpenStack Foundation |
| 2 | # All Rights Reserved. |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 5 | # not use this file except in compliance with the License. You may obtain |
| 6 | # a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 13 | # License for the specific language governing permissions and limitations |
| 14 | # under the License. |
| 15 | |
| Jane Zadorozhna | f7b3973 | 2015-06-10 14:19:33 +0300 | [diff] [blame] | 16 | from oslo_utils import timeutils |
| 17 | import six |
| Megan Guiney | 3a34df7 | 2017-05-23 23:04:17 -0700 | [diff] [blame] | 18 | |
| Chris Hoge | 4f6117a | 2015-03-20 12:39:33 -0500 | [diff] [blame] | 19 | from tempest.api.identity import base |
| Ken'ichi Ohmichi | 44f0127 | 2017-01-27 18:44:14 -0800 | [diff] [blame] | 20 | from tempest.lib import decorators |
| Megan Guiney | 3a34df7 | 2017-05-23 23:04:17 -0700 | [diff] [blame] | 21 | from tempest.lib import exceptions as lib_exc |
| Chris Hoge | 4f6117a | 2015-03-20 12:39:33 -0500 | [diff] [blame] | 22 | |
| 23 | |
| 24 | class TokensV3Test(base.BaseIdentityV3Test): |
| 25 | |
| Megan Guiney | 3a34df7 | 2017-05-23 23:04:17 -0700 | [diff] [blame] | 26 | @decorators.idempotent_id('a9512ac3-3909-48a4-b395-11f438e16260') |
| 27 | def test_validate_token(self): |
| 28 | creds = self.os_primary.credentials |
| 29 | user_id = creds.user_id |
| 30 | username = creds.username |
| 31 | password = creds.password |
| 32 | user_domain_id = creds.user_domain_id |
| 33 | # GET and validate token |
| 34 | subject_token, token_body = self.non_admin_token.get_token( |
| 35 | user_id=user_id, |
| 36 | username=username, |
| 37 | user_domain_id=user_domain_id, |
| 38 | password=password, |
| 39 | auth_data=True) |
| 40 | authenticated_token = self.non_admin_client.show_token( |
| 41 | subject_token)['token'] |
| 42 | # sanity checking to make sure they are indeed the same token |
| 43 | self.assertEqual(authenticated_token, token_body) |
| 44 | # test to see if token has been properly authenticated |
| 45 | self.assertEqual(authenticated_token['user']['id'], user_id) |
| manasa | 4776b13 | 2019-07-12 13:29:39 -0400 | [diff] [blame] | 46 | # NOTE: resource name that are case-sensitive in keystone |
| 47 | # depends on backends such as MySQL or LDAP which are |
| 48 | # case-insensitive, case-preserving. Resource name is |
| 49 | # returned as it is stored in the backend, not as it is |
| 50 | # requested. Verifying the username with both lower-case to |
| 51 | # avoid failure on different backends |
| 52 | self.assertEqual( |
| 53 | authenticated_token['user']['name'].lower(), username.lower()) |
| 54 | |
| Megan Guiney | 3a34df7 | 2017-05-23 23:04:17 -0700 | [diff] [blame] | 55 | self.non_admin_client.delete_token(subject_token) |
| 56 | self.assertRaises( |
| 57 | lib_exc.NotFound, self.non_admin_client.show_token, subject_token) |
| 58 | |
| Ken'ichi Ohmichi | 44f0127 | 2017-01-27 18:44:14 -0800 | [diff] [blame] | 59 | @decorators.idempotent_id('6f8e4436-fc96-4282-8122-e41df57197a9') |
| Chris Hoge | 4f6117a | 2015-03-20 12:39:33 -0500 | [diff] [blame] | 60 | def test_create_token(self): |
| 61 | |
| Jordan Pittier | 8160d31 | 2017-04-18 11:52:23 +0200 | [diff] [blame] | 62 | creds = self.os_primary.credentials |
| Chris Hoge | 4f6117a | 2015-03-20 12:39:33 -0500 | [diff] [blame] | 63 | user_id = creds.user_id |
| 64 | username = creds.username |
| 65 | password = creds.password |
| Tom Cocozzello | 5e3cff1 | 2016-02-23 14:18:56 -0600 | [diff] [blame] | 66 | user_domain_id = creds.user_domain_id |
| Chris Hoge | 4f6117a | 2015-03-20 12:39:33 -0500 | [diff] [blame] | 67 | |
| Marc Koderer | 8afdf6c | 2016-04-28 17:24:15 -0500 | [diff] [blame] | 68 | # 'user_domain_id' needs to be specified otherwise tempest.lib assumes |
| Tom Cocozzello | 5e3cff1 | 2016-02-23 14:18:56 -0600 | [diff] [blame] | 69 | # it to be 'default' |
| 70 | token_id, resp = self.non_admin_token.get_token( |
| 71 | user_id=user_id, |
| Brant Knudson | dd9f805 | 2016-10-21 13:38:10 -0500 | [diff] [blame] | 72 | username=username, |
| Tom Cocozzello | 5e3cff1 | 2016-02-23 14:18:56 -0600 | [diff] [blame] | 73 | user_domain_id=user_domain_id, |
| 74 | password=password, |
| 75 | auth_data=True) |
| Jane Zadorozhna | f7b3973 | 2015-06-10 14:19:33 +0300 | [diff] [blame] | 76 | |
| 77 | self.assertNotEmpty(token_id) |
| 78 | self.assertIsInstance(token_id, six.string_types) |
| 79 | |
| 80 | now = timeutils.utcnow() |
| 81 | expires_at = timeutils.normalize_time( |
| 82 | timeutils.parse_isotime(resp['expires_at'])) |
| 83 | self.assertGreater(resp['expires_at'], |
| 84 | resp['issued_at']) |
| 85 | self.assertGreater(expires_at, now) |
| 86 | |
| 87 | subject_id = resp['user']['id'] |
| Brant Knudson | dd9f805 | 2016-10-21 13:38:10 -0500 | [diff] [blame] | 88 | if user_id: |
| 89 | self.assertEqual(subject_id, user_id) |
| 90 | else: |
| 91 | # Expect a user ID, but don't know what it will be. |
| Masayuki Igawa | f9009b4 | 2017-04-10 14:49:29 +0900 | [diff] [blame] | 92 | self.assertIsNotNone(subject_id, 'Expected user ID in token.') |
| Jane Zadorozhna | f7b3973 | 2015-06-10 14:19:33 +0300 | [diff] [blame] | 93 | |
| 94 | subject_name = resp['user']['name'] |
| manasa | 4776b13 | 2019-07-12 13:29:39 -0400 | [diff] [blame] | 95 | |
| Brant Knudson | dd9f805 | 2016-10-21 13:38:10 -0500 | [diff] [blame] | 96 | if username: |
| manasa | 4776b13 | 2019-07-12 13:29:39 -0400 | [diff] [blame] | 97 | # NOTE: resource name that are case-sensitive in keystone |
| 98 | # depends on backends such as MySQL or LDAP which are |
| 99 | # case-insensitive, case-preserving. Resource name is |
| 100 | # returned as it is stored in the backend, not as it is |
| 101 | # requested. Verifying the username with both lower-case to |
| 102 | # avoid failure on different backends |
| 103 | self.assertEqual(subject_name.lower(), username.lower()) |
| Brant Knudson | dd9f805 | 2016-10-21 13:38:10 -0500 | [diff] [blame] | 104 | else: |
| manasa | 4776b13 | 2019-07-12 13:29:39 -0400 | [diff] [blame] | 105 | # Expect a user name, but don't know what it will be |
| Masayuki Igawa | f9009b4 | 2017-04-10 14:49:29 +0900 | [diff] [blame] | 106 | self.assertIsNotNone(subject_name, 'Expected user name in token.') |
| Jane Zadorozhna | f7b3973 | 2015-06-10 14:19:33 +0300 | [diff] [blame] | 107 | |
| 108 | self.assertEqual(resp['methods'][0], 'password') |
| Trevor McCasland | 285b3f8 | 2017-11-22 13:36:04 -0600 | [diff] [blame] | 109 | |
| 110 | @decorators.idempotent_id('0f9f5a5f-d5cd-4a86-8a5b-c5ded151f212') |
| 111 | def test_token_auth_creation_existence_deletion(self): |
| 112 | # Tests basic token auth functionality in a way that is compatible with |
| 113 | # pre-provisioned credentials. The default user is used for token |
| 114 | # authentication. |
| 115 | |
| 116 | # Valid user's token is authenticated |
| 117 | user = self.os_primary.credentials |
| 118 | # Perform Authentication |
| 119 | resp = self.non_admin_token.auth( |
| 120 | user_id=user.user_id, password=user.password).response |
| 121 | subject_token = resp['x-subject-token'] |
| 122 | self.non_admin_client.check_token_existence(subject_token) |
| 123 | # Perform GET Token |
| 124 | token_details = self.non_admin_client.show_token( |
| 125 | subject_token)['token'] |
| 126 | self.assertEqual(resp['x-subject-token'], subject_token) |
| 127 | self.assertEqual(token_details['user']['id'], user.user_id) |
| manasa | 4776b13 | 2019-07-12 13:29:39 -0400 | [diff] [blame] | 128 | # NOTE: resource name that are case-sensitive in keystone |
| 129 | # depends on backends such as MySQL or LDAP which are |
| 130 | # case-insensitive, case-preserving. Resource name is |
| 131 | # returned as it is stored in the backend, not as it is |
| 132 | # requested. Verifying the username with both lower-case to |
| 133 | # avoid failure on different backends |
| 134 | self.assertEqual( |
| 135 | token_details['user']['name'].lower(), |
| 136 | user.username.lower()) |
| Trevor McCasland | 285b3f8 | 2017-11-22 13:36:04 -0600 | [diff] [blame] | 137 | # Perform Delete Token |
| 138 | self.non_admin_client.delete_token(subject_token) |
| 139 | self.assertRaises(lib_exc.NotFound, |
| 140 | self.non_admin_client.check_token_existence, |
| 141 | subject_token) |