| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 1 | # Copyright 2015 OpenStack Foundation |
| 2 | # All Rights Reserved. |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 5 | # not use this file except in compliance with the License. You may obtain |
| 6 | # a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 12 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 13 | # License for the specific language governing permissions and limitations |
| 14 | # under the License. |
| 15 | |
| Lance Bragstad | a2c4ebc | 2015-10-05 20:34:39 +0000 | [diff] [blame] | 16 | import time |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 17 | |
| nicolas | c98a325 | 2018-12-17 13:06:02 -0800 | [diff] [blame] | 18 | import testtools |
| 19 | |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 20 | from tempest.api.identity import base |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 21 | from tempest import config |
| Andrea Frittoli (andreaf) | db9672e | 2016-02-23 14:07:24 -0500 | [diff] [blame] | 22 | from tempest.lib.common.utils import data_utils |
| Ken'ichi Ohmichi | eeabdd2 | 2017-01-27 17:46:00 -0800 | [diff] [blame] | 23 | from tempest.lib import decorators |
| Andrea Frittoli (andreaf) | db9672e | 2016-02-23 14:07:24 -0500 | [diff] [blame] | 24 | from tempest.lib import exceptions |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 25 | |
| 26 | |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 27 | CONF = config.CONF |
| 28 | |
| 29 | |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 30 | class IdentityUsersTest(base.BaseIdentityV2Test): |
| zhufl | 8e3aacd | 2020-04-27 14:46:46 +0800 | [diff] [blame] | 31 | """Test user password in identity v2 API""" |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 32 | |
| 33 | @classmethod |
| 34 | def resource_setup(cls): |
| 35 | super(IdentityUsersTest, cls).resource_setup() |
| Jordan Pittier | 8160d31 | 2017-04-18 11:52:23 +0200 | [diff] [blame] | 36 | cls.creds = cls.os_primary.credentials |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 37 | cls.username = cls.creds.username |
| 38 | cls.password = cls.creds.password |
| 39 | cls.tenant_name = cls.creds.tenant_name |
| 40 | |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 41 | def _update_password(self, user_id, original_password, password): |
| Daniel Mellado | 82c83a5 | 2015-12-09 15:16:49 +0000 | [diff] [blame] | 42 | self.non_admin_users_client.update_user_own_password( |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 43 | user_id, password=password, original_password=original_password) |
| 44 | |
| Morgan Fainberg | 5b2c745 | 2016-02-02 20:15:47 -0800 | [diff] [blame] | 45 | # NOTE(morganfainberg): Fernet tokens are not subsecond aware and |
| 46 | # Keystone should only be precise to the second. Sleep to ensure |
| Yaroslav Lobankov | cbcb611 | 2016-03-08 12:30:01 -0600 | [diff] [blame] | 47 | # we are passing the second boundary. |
| Lance Bragstad | a2c4ebc | 2015-10-05 20:34:39 +0000 | [diff] [blame] | 48 | time.sleep(1) |
| 49 | |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 50 | # check authorization with new password |
| 51 | self.non_admin_token_client.auth(self.username, |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 52 | password, |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 53 | self.tenant_name) |
| 54 | |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 55 | # Reset auth to get a new token with the new password |
| 56 | self.non_admin_users_client.auth_provider.clear_auth() |
| 57 | self.non_admin_users_client.auth_provider.credentials.password = ( |
| 58 | password) |
| 59 | |
| 60 | def _restore_password(self, user_id, old_pass, new_pass): |
| 61 | if CONF.identity_feature_enabled.security_compliance: |
| 62 | # First we need to clear the password history |
| 63 | unique_count = CONF.identity.user_unique_last_password_count |
| zhufl | 8e9a073 | 2017-01-26 16:15:21 +0800 | [diff] [blame] | 64 | for _ in range(unique_count): |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 65 | random_pass = data_utils.rand_password() |
| 66 | self._update_password( |
| 67 | user_id, original_password=new_pass, password=random_pass) |
| 68 | new_pass = random_pass |
| 69 | |
| 70 | self._update_password( |
| 71 | user_id, original_password=new_pass, password=old_pass) |
| 72 | # Reset auth again to verify the password restore does work. |
| 73 | # Clear auth restores the original credentials and deletes |
| 74 | # cached auth data |
| 75 | self.non_admin_users_client.auth_provider.clear_auth() |
| 76 | # NOTE(lbragstad): Fernet tokens are not subsecond aware and |
| 77 | # Keystone should only be precise to the second. Sleep to ensure we |
| 78 | # are passing the second boundary before attempting to |
| 79 | # authenticate. |
| 80 | time.sleep(1) |
| 81 | self.non_admin_users_client.auth_provider.set_auth() |
| 82 | |
| Ken'ichi Ohmichi | eeabdd2 | 2017-01-27 17:46:00 -0800 | [diff] [blame] | 83 | @decorators.idempotent_id('165859c9-277f-4124-9479-a7d1627b0ca7') |
| nicolas | c98a325 | 2018-12-17 13:06:02 -0800 | [diff] [blame] | 84 | @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source, |
| 85 | 'Skipped because environment has an ' |
| 86 | 'immutable user source and solely ' |
| 87 | 'provides read-only access to users.') |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 88 | def test_user_update_own_password(self): |
| zhufl | 8e3aacd | 2020-04-27 14:46:46 +0800 | [diff] [blame] | 89 | """test updating user's own password via v2 API""" |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 90 | old_pass = self.creds.password |
| 91 | old_token = self.non_admin_users_client.token |
| 92 | new_pass = data_utils.rand_password() |
| 93 | user_id = self.creds.user_id |
| 94 | |
| Ken'ichi Ohmichi | 553d7cb | 2018-07-13 22:53:03 +0000 | [diff] [blame] | 95 | # to change password back. important for use_dynamic_credentials=false |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 96 | self.addCleanup(self._restore_password, user_id, old_pass, new_pass) |
| 97 | |
| 98 | # user updates own password |
| 99 | self._update_password( |
| 100 | user_id, original_password=old_pass, password=new_pass) |
| 101 | |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 102 | # authorize with old token should lead to Unauthorized |
| 103 | self.assertRaises(exceptions.Unauthorized, |
| 104 | self.non_admin_token_client.auth_token, |
| Rodrigo Duarte Sousa | 2d78e8e | 2016-09-28 10:38:08 -0300 | [diff] [blame] | 105 | old_token) |
| Jane Zadorozhna | 9c938c6 | 2015-07-01 17:06:16 +0300 | [diff] [blame] | 106 | |
| 107 | # authorize with old password should lead to Unauthorized |
| 108 | self.assertRaises(exceptions.Unauthorized, |
| 109 | self.non_admin_token_client.auth, |
| 110 | self.username, |
| 111 | old_pass, |
| 112 | self.tenant_name) |