author | Drew Fisher <drew.fisher@oracle.com> |
Mon, 17 Mar 2014 09:51:44 -0600 | |
changeset 1760 | 353323c7bdc1 |
permissions | -rw-r--r-- |
1760
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
1 |
Upstream patch fixed in Havana 2013.2 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
2 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
3 |
commit 8fcc18c42bde2db34e4b29236dc2e971d40f146b |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
4 |
Author: Steven Hardy <[email protected]> |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
5 |
Date: Sun Oct 13 10:44:52 2013 +0100 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
6 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
7 |
Fix v2 token user ref with trust impersonation=True |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
8 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
9 |
The v2 token controller incorrectly checks for a string instead |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
10 |
of a boolean, which results in the wrong user ID (trustee, when |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
11 |
it should be the trustor) when impersonation=True. So fix the |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
12 |
comparison and tests, adding a test which illustrates the issue. |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
13 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
14 |
This patchset also closes the gap that allows EC2 credentials to |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
15 |
be issued from trust-scoped tokens, allowing privilege escalation |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
16 |
since EC2 tokens have no concept of trust-scoping/role |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
17 |
restrictions in the Grizzly release. |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
18 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
19 |
Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
20 |
Closes-Bug: #1239303 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
21 |
Related-Bug: #1242597 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
22 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
23 |
diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
24 |
index 246587a..2ef9820 100644 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
25 |
--- a/keystone/contrib/ec2/core.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
26 |
+++ b/keystone/contrib/ec2/core.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
27 |
@@ -207,6 +207,9 @@ class Ec2Controller(controller.V2Controller): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
28 |
if not self._is_admin(context): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
29 |
self._assert_identity(context, user_id) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
30 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
31 |
+ # Disallow trust-scoped tokens from creating credentials. |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
32 |
+ self._assert_not_trust_scoped(context) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
33 |
+ |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
34 |
self._assert_valid_user_id(context, user_id) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
35 |
self._assert_valid_project_id(context, tenant_id) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
36 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
37 |
@@ -308,6 +311,22 @@ class Ec2Controller(controller.V2Controller): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
38 |
except exception.Forbidden: |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
39 |
return False |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
40 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
41 |
+ def _assert_not_trust_scoped(self, context): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
42 |
+ try: |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
43 |
+ token_ref = self.token_api.get_token( |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
44 |
+ context, token_id=context['token_id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
45 |
+ except exception.TokenNotFound as e: |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
46 |
+ raise exception.Unauthorized(e) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
47 |
+ |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
48 |
+ # NOTE(morganfainberg): In Grizzly, it is not allowed to use a |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
49 |
+ # trust scoped token to create an EC2 credential, this is due to |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
50 |
+ # privilege escalation possibility (there is no way to correlate |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
51 |
+ # the trust to the EC2 credential and limit roles to the trust). |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
52 |
+ if 'trust' in token_ref: |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
53 |
+ raise exception.Forbidden() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
54 |
+ if 'trust_id' in token_ref.get('metadata', {}): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
55 |
+ raise exception.Forbidden() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
56 |
+ |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
57 |
def _assert_owner(self, context, user_id, credential_id): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
58 |
"""Ensure the provided user owns the credential. |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
59 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
60 |
diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
61 |
index 1ae1d4f..e42ca7d 100644 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
62 |
--- a/keystone/token/controllers.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
63 |
+++ b/keystone/token/controllers.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
64 |
@@ -201,7 +201,7 @@ class Auth(controller.V2Controller): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
65 |
context, trust_ref['trustee_user_id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
66 |
if not trustee_user_ref['enabled']: |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
67 |
raise exception.Forbidden()() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
68 |
- if trust_ref['impersonation'] == 'True': |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
69 |
+ if trust_ref['impersonation'] is True: |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
70 |
current_user_ref = trustor_user_ref |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
71 |
else: |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
72 |
current_user_ref = trustee_user_ref |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
73 |
diff --git a/tests/test_auth.py b/tests/test_auth.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
74 |
index 3d4ec87..8a810a4 100644 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
75 |
--- a/tests/test_auth.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
76 |
+++ b/tests/test_auth.py |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
77 |
@@ -19,6 +19,7 @@ import uuid |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
78 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
79 |
from keystone import auth |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
80 |
from keystone import config |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
81 |
+from keystone.contrib import ec2 |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
82 |
from keystone import exception |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
83 |
from keystone import identity |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
84 |
from keystone.openstack.common import timeutils |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
85 |
@@ -517,7 +518,7 @@ class AuthWithTrust(AuthTest): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
86 |
self.sample_data = {'trustor_user_id': self.trustor['id'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
87 |
'trustee_user_id': self.trustee['id'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
88 |
'project_id': self.tenant_bar['id'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
89 |
- 'impersonation': 'True', |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
90 |
+ 'impersonation': True, |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
91 |
'roles': [{'id': self.role_browser['id']}, |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
92 |
{'name': self.role_member['name']}]} |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
93 |
expires_at = timeutils.strtime(timeutils.utcnow() + |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
94 |
@@ -525,7 +526,7 @@ class AuthWithTrust(AuthTest): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
95 |
fmt=TIME_FORMAT) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
96 |
self.create_trust(expires_at=expires_at) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
97 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
98 |
- def create_trust(self, expires_at=None, impersonation='True'): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
99 |
+ def create_trust(self, expires_at=None, impersonation=True): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
100 |
username = self.trustor['name'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
101 |
password = 'foo2' |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
102 |
body_dict = _build_user_auth(username=username, password=password) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
103 |
@@ -586,20 +587,42 @@ class AuthWithTrust(AuthTest): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
104 |
self.assertIn(role['id'], role_ids) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
105 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
106 |
def test_create_trust_no_impersonation(self): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
107 |
- self.create_trust(expires_at=None, impersonation='False') |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
108 |
+ self.create_trust(expires_at=None, impersonation=False) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
109 |
self.assertEquals(self.new_trust['trustor_user_id'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
110 |
self.trustor['id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
111 |
self.assertEquals(self.new_trust['trustee_user_id'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
112 |
self.trustee['id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
113 |
- self.assertEquals(self.new_trust['impersonation'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
114 |
- 'False') |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
115 |
+ self.assertIs(self.new_trust['impersonation'], False) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
116 |
auth_response = self.fetch_v2_token_from_trust() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
117 |
token_user = auth_response['access']['user'] |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
118 |
self.assertEquals(token_user['id'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
119 |
self.new_trust['trustee_user_id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
120 |
- |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
121 |
#TODO Endpoints |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
122 |
|
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
123 |
+ def test_create_trust_impersonation(self): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
124 |
+ self.create_trust(expires_at=None) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
125 |
+ self.assertEqual(self.new_trust['trustor_user_id'], self.trustor['id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
126 |
+ self.assertEqual(self.new_trust['trustee_user_id'], self.trustee['id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
127 |
+ self.assertIs(self.new_trust['impersonation'], True) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
128 |
+ auth_response = self.fetch_v2_token_from_trust() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
129 |
+ token_user = auth_response['access']['user'] |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
130 |
+ self.assertEqual(token_user['id'], self.new_trust['trustor_user_id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
131 |
+ |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
132 |
+ def test_disallow_ec2_credential_from_trust_scoped_token(self): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
133 |
+ ec2_manager = ec2.Manager() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
134 |
+ self.ec2_controller = ec2.Ec2Controller() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
135 |
+ self.test_create_trust_impersonation() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
136 |
+ auth_response = self.fetch_v2_token_from_trust() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
137 |
+ # ensure it is not possible to create an ec2 token from a trust |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
138 |
+ context = {'token_id': auth_response['access']['token']['id'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
139 |
+ 'is_admin': False} |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
140 |
+ |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
141 |
+ self.assertRaises(exception.Forbidden, |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
142 |
+ self.ec2_controller.create_credential, |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
143 |
+ context=context, |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
144 |
+ user_id=self.user_foo['id'], |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
145 |
+ tenant_id=self.tenant_bar['id']) |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
146 |
+ |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
147 |
def test_token_from_trust_wrong_user_fails(self): |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
148 |
new_trust = self.create_trust() |
353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
149 |
request_body = self.build_v2_token_request('FOO', 'foo2') |