Mercurial Mercurial > upstream > oracle > userland-gate / annotate
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openstack/keystone/patches/03-CVE-2013-6391.patch
author Drew Fisher <drew.fisher@oracle.com>
Mon, 17 Mar 2014 09:51:44 -0600
changeset 1760 353323c7bdc1
permissions -rw-r--r--
PSARC/2013/350 OpenStack for Solaris (Umbrella) PSARC/2014/007 OpenStack client API components for Grizzly PSARC/2014/054 OpenStack Cinder (OpenStack Block Storage Service) PSARC/2014/055 OpenStack Glance (OpenStack Image Service) PSARC/2014/058 OpenStack Horizon (OpenStack Dashboard) PSARC/2014/048 OpenStack Keystone (OpenStack Identity Service) PSARC/2014/059 OpenStack Neutron (OpenStack Networking Service) PSARC/2014/049 OpenStack Nova (OpenStack Compute Service) 18290089 integrate cinderclient 18290097 integrate glanceclient 18290102 integrate keystoneclient 18290109 integrate neutronclient 18290113 integrate novaclient 18290119 integrate swiftclient 18290125 integrate quantumclient 18307582 Request to integrate Cinder into userland 18307595 Request to integrate Glance into userland 18307626 Request to integrate Horizon into userland 18307641 Request to integrate Keystone into userland 18307650 Request to integrate Neutron into userland 18307659 Request to integrate Nova into userland 18321909 a few Python packages deliver both po and mo files
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
1760
353323c7bdc1 PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff changeset 
     1
 
Upstream patch fixed in Havana 2013.2
353323c7bdc1 PSARC/2013/350 OpenStack for Solaris (Umbrella)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff changeset 
     2
 












353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




     3


commit 8fcc18c42bde2db34e4b29236dc2e971d40f146b













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




     4


Author: Steven Hardy <[email protected]>













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




     5


Date:   Sun Oct 13 10:44:52 2013 +0100













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




     6














353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




     7


    Fix v2 token user ref with trust impersonation=True













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




     8


    













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




     9


    The v2 token controller incorrectly checks for a string instead













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    10


    of a boolean, which results in the wrong user ID (trustee, when













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    11


    it should be the trustor) when impersonation=True.  So fix the













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    12


    comparison and tests, adding a test which illustrates the issue.













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    13


    













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    14


    This patchset also closes the gap that allows EC2 credentials to













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    15


    be issued from trust-scoped tokens, allowing privilege escalation













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    16


    since EC2 tokens have no concept of trust-scoping/role













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    17


    restrictions in the Grizzly release.













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    18


    













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    19


    Change-Id: Ic94f30f2354c9fda20531bb598387368fde8a096













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    20


    Closes-Bug: #1239303













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    21


    Related-Bug: #1242597













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    22














353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    23


diff --git a/keystone/contrib/ec2/core.py b/keystone/contrib/ec2/core.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    24


index 246587a..2ef9820 100644













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    25


--- a/keystone/contrib/ec2/core.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    26


+++ b/keystone/contrib/ec2/core.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    27


@@ -207,6 +207,9 @@ class Ec2Controller(controller.V2Controller):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    28


         if not self._is_admin(context):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    29


             self._assert_identity(context, user_id)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    30


 













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    31


+        # Disallow trust-scoped tokens from creating credentials.













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    32


+        self._assert_not_trust_scoped(context)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    33


+













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    34


         self._assert_valid_user_id(context, user_id)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    35


         self._assert_valid_project_id(context, tenant_id)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    36


 













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    37


@@ -308,6 +311,22 @@ class Ec2Controller(controller.V2Controller):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    38


         except exception.Forbidden:













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    39


             return False













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    40


 













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    41


+    def _assert_not_trust_scoped(self, context):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    42


+        try:













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    43


+            token_ref = self.token_api.get_token(













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    44


+                context, token_id=context['token_id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    45


+        except exception.TokenNotFound as e:













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    46


+            raise exception.Unauthorized(e)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    47


+













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    48


+        # NOTE(morganfainberg): In Grizzly, it is not allowed to use a













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    49


+        # trust scoped token to create an EC2 credential, this is due to













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    50


+        # privilege escalation possibility (there is no way to correlate













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    51


+        # the trust to the EC2 credential and limit roles to the trust).













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    52


+        if 'trust' in token_ref:













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    53


+            raise exception.Forbidden()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    54


+        if 'trust_id' in token_ref.get('metadata', {}):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    55


+            raise exception.Forbidden()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    56


+













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    57


     def _assert_owner(self, context, user_id, credential_id):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    58


         """Ensure the provided user owns the credential.













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    59


 













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    60


diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    61


index 1ae1d4f..e42ca7d 100644













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    62


--- a/keystone/token/controllers.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    63


+++ b/keystone/token/controllers.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    64


@@ -201,7 +201,7 @@ class Auth(controller.V2Controller):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    65


                 context, trust_ref['trustee_user_id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    66


             if not trustee_user_ref['enabled']:













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    67


                 raise exception.Forbidden()()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    68


-            if trust_ref['impersonation'] == 'True':













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    69


+            if trust_ref['impersonation'] is True:













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    70


                 current_user_ref = trustor_user_ref













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    71


             else:













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    72


                 current_user_ref = trustee_user_ref













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    73


diff --git a/tests/test_auth.py b/tests/test_auth.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    74


index 3d4ec87..8a810a4 100644













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    75


--- a/tests/test_auth.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    76


+++ b/tests/test_auth.py













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    77


@@ -19,6 +19,7 @@ import uuid













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    78


 













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    79


 from keystone import auth













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    80


 from keystone import config













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    81


+from keystone.contrib import ec2













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    82


 from keystone import exception













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    83


 from keystone import identity













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    84


 from keystone.openstack.common import timeutils













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    85


@@ -517,7 +518,7 @@ class AuthWithTrust(AuthTest):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    86


         self.sample_data = {'trustor_user_id': self.trustor['id'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    87


                             'trustee_user_id': self.trustee['id'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    88


                             'project_id': self.tenant_bar['id'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    89


-                            'impersonation': 'True',













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    90


+                            'impersonation': True,













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    91


                             'roles': [{'id': self.role_browser['id']},













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    92


                                       {'name': self.role_member['name']}]}













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    93


         expires_at = timeutils.strtime(timeutils.utcnow() +













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    94


@@ -525,7 +526,7 @@ class AuthWithTrust(AuthTest):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    95


                                        fmt=TIME_FORMAT)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    96


         self.create_trust(expires_at=expires_at)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    97


 













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    98


-    def create_trust(self, expires_at=None, impersonation='True'):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




    99


+    def create_trust(self, expires_at=None, impersonation=True):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   100


         username = self.trustor['name'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   101


         password = 'foo2'













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   102


         body_dict = _build_user_auth(username=username, password=password)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   103


@@ -586,20 +587,42 @@ class AuthWithTrust(AuthTest):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   104


             self.assertIn(role['id'], role_ids)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   105


 













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   106


     def test_create_trust_no_impersonation(self):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   107


-        self.create_trust(expires_at=None, impersonation='False')













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   108


+        self.create_trust(expires_at=None, impersonation=False)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   109


         self.assertEquals(self.new_trust['trustor_user_id'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   110


                           self.trustor['id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   111


         self.assertEquals(self.new_trust['trustee_user_id'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   112


                           self.trustee['id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   113


-        self.assertEquals(self.new_trust['impersonation'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   114


-                          'False')













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   115


+        self.assertIs(self.new_trust['impersonation'], False)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   116


         auth_response = self.fetch_v2_token_from_trust()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   117


         token_user = auth_response['access']['user']













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   118


         self.assertEquals(token_user['id'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   119


                           self.new_trust['trustee_user_id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   120


-













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   121


         #TODO Endpoints













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   122


 













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   123


+    def test_create_trust_impersonation(self):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   124


+        self.create_trust(expires_at=None)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   125


+        self.assertEqual(self.new_trust['trustor_user_id'], self.trustor['id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   126


+        self.assertEqual(self.new_trust['trustee_user_id'], self.trustee['id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   127


+        self.assertIs(self.new_trust['impersonation'], True)













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   128


+        auth_response = self.fetch_v2_token_from_trust()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   129


+        token_user = auth_response['access']['user']













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   130


+        self.assertEqual(token_user['id'], self.new_trust['trustor_user_id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   131


+













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   132


+    def test_disallow_ec2_credential_from_trust_scoped_token(self):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   133


+        ec2_manager = ec2.Manager()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   134


+        self.ec2_controller = ec2.Ec2Controller()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   135


+        self.test_create_trust_impersonation()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   136


+        auth_response = self.fetch_v2_token_from_trust()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   137


+        # ensure it is not possible to create an ec2 token from a trust













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   138


+        context = {'token_id': auth_response['access']['token']['id'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   139


+                   'is_admin': False}













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   140


+













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   141


+        self.assertRaises(exception.Forbidden,













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   142


+                          self.ec2_controller.create_credential,













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   143


+                          context=context,













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   144


+                          user_id=self.user_foo['id'],













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   145


+                          tenant_id=self.tenant_bar['id'])













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   146


+













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   147


     def test_token_from_trust_wrong_user_fails(self):













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   148


         new_trust = self.create_trust()













353323c7bdc1
PSARC/2013/350 OpenStack for Solaris (Umbrella)



Drew Fisher <drew.fisher@oracle.com>


parents: 

diff
changeset




   149


         request_body = self.build_v2_token_request('FOO', 'foo2')















upstream/oracle/userland-gate