import unittest2 as unittest
from keystone.test.functional import common
class TestAdminAuthentication(common.KeystoneTestCase):
"""Test admin-side user authentication"""
"""Empty method to prevent KeystoneTestCase from authenticating"""
def test_bootstrapped_admin_user(self):
    """Bootstrap script should create an 'admin' user with 'Admin' role

    Posts ``self.admin_credentials`` to ``/tokens`` via
    ``self.admin_request`` and checks that the response carries a token
    with a non-empty id and an expiration date.
    """
    # NOTE(review): only the token id and expiry are asserted here; the
    # 'Admin' role named in the summary line is not checked by this test.
    response = self.admin_request(
        method='POST', path='/tokens', as_json=self.admin_credentials)

    # A usable token must carry both an id and an expiration date.
    token = response.json['auth']['token']
    for field in ('id', 'expires'):
        self.assertTrue(token[field])
class TestAdminAuthenticationNegative(common.KeystoneTestCase):
"""Negative test admin-side user authentication"""
user_id = common.KeystoneTestCase._uuid()
user_id2 = common.KeystoneTestCase._uuid()
admin_token_backup = None
def test_service_token_as_admin_token(self):
"""Admin actions should fail for mere service tokens"""
self.admin_request(method='PUT', path='/users',
'password': 'secrete',
'email': self.user_id + '@openstack.org',
# User authenticates to get a token
r = self.service_request(method='POST', path='/tokens',
'passwordCredentials': {
'username': self.user_id,
'password': 'secrete'}})
self.service_token = r.json['auth']['token']['id']
# Prepare to use the service token as an admin token
self.admin_token_backup = self.admin_token
self.admin_token = self.service_token
# Try creating another user
self.admin_request(method='PUT', path='/users', assert_status=401,
'password': 'secrete',
'email': self.user_id2 + '@openstack.org',
# Restore our admin token so we can clean up
self.admin_token = self.admin_token_backup
self.admin_request(method='DELETE', path='/users/%s' % self.user_id)
class TestServiceAuthentication(common.KeystoneTestCase):
"""Test service-side user authentication"""
user_id = common.KeystoneTestCase._uuid()
super(TestServiceAuthentication, self).setUp()
self.admin_request(method='PUT', path='/users',
'password': 'secrete',
'email': self.user_id + '@openstack.org',
self.admin_request(method='DELETE', path='/users/%s' % self.user_id)
def test_user_auth(self):
"""Admin should be able to validate a user's token"""
# Authenticate as user to get a token
r = self.service_request(method='POST', path='/tokens',
'passwordCredentials': {
'username': self.user_id,
'password': 'secrete'}})
self.service_token = r.json['auth']['token']['id']
# In the real world, the service user would then pass his/her token
# to some service that depends on keystone, which would then need to
# use keystone to validate the provided token.
# Admin independently validates the user token
r = self.admin_request(path='/tokens/%s' % self.service_token)
self.assertTrue(r.json['auth']['token']['expires'])
self.assertEqual(r.json['auth']['token']['id'], self.service_token)
self.assertEqual(r.json['auth']['user']['username'], self.user_id)
self.assertEqual(r.json['auth']['user']['roleRefs'], [])
def test_get_request_fails(self):
"""GET /tokens should return a 404 (Github issue #5)"""
r = self.service_request(method='GET', path='/tokens',
'passwordCredentials': {
'username': self.user_id,
'password': 'secrete'}})
def test_user_auth_with_malformed_request_body(self):
"""Authenticating with unexpected JSON returns a 400"""
# Authenticate as user to get a token
r = self.service_request(method='POST', path='/tokens',
'this-is-completely-wrong': {
'username': self.user_id,
'password': 'secrete'}})
def test_user_auth_with_wrong_name(self):
"""Authenticating with an unknown username returns a 401"""
# Authenticate as user to get a token
r = self.service_request(method='POST', path='/tokens',
'passwordCredentials': {
'username': 'this-is-completely-wrong',
'password': 'secrete'}})
def test_user_auth_with_no_name(self):
"""Authenticating without a username returns a 401"""
# Authenticate as user to get a token
r = self.service_request(method='POST', path='/tokens',
'passwordCredentials': {
'password': 'secrete'}})
def test_user_auth_with_wrong_password(self):
"""Authenticating with an invalid password returns a 401"""
# Authenticate as user to get a token
r = self.service_request(method='POST', path='/tokens',
'passwordCredentials': {
'username': self.user_id,
'password': 'this-is-completely-wrong'}})
def test_user_auth_with_invalid_tenant(self):
"""Authenticating with an invalid tenant returns a 401"""
# Authenticate as user to get a token
r = self.service_request(method='POST', path='/tokens',
'passwordCredentials': {
'username': self.user_id,
'password': 'secrete',
'tenantId': 'this-is-completely-wrong'}})
if __name__ == '__main__':