diff options
-rw-r--r-- | ironic/tests/unit/api/test_acl.py | 65 | ||||
-rw-r--r-- | ironic/tests/unit/api/test_acl_basic.yaml | 19 | ||||
-rw-r--r-- | ironic/tests/unit/api/utils.py | 30 |
3 files changed, 89 insertions, 25 deletions
diff --git a/ironic/tests/unit/api/test_acl.py b/ironic/tests/unit/api/test_acl.py index 7aa0d500a..61c6addf8 100644 --- a/ironic/tests/unit/api/test_acl.py +++ b/ironic/tests/unit/api/test_acl.py @@ -17,30 +17,57 @@ are blocked or allowed to be processed. """ import abc +from unittest import mock +import uuid import ddt +from keystoneauth1.fixture import v3 as v3_token +from keystonemiddleware import auth_token from oslo_config import cfg +from oslo_context import context as oslo_context from ironic.tests.unit.api import base -from ironic.tests.unit.api import utils from ironic.tests.unit.db import utils as db_utils cfg.CONF.import_opt('cache', 'keystonemiddleware.auth_token', group='keystone_authtoken') +ADMIN_TOKEN = uuid.uuid4().hex +MEMBER_TOKEN = uuid.uuid4().hex + +admin_context = oslo_context.RequestContext( + user_id=ADMIN_TOKEN, + roles=['admin', 'member', 'reader'], +) + +member_context = oslo_context.RequestContext( + user_id=MEMBER_TOKEN, + roles=['member', 'reader'], +) + +USERS = { + ADMIN_TOKEN: admin_context.to_dict(), + MEMBER_TOKEN: member_context.to_dict(), +} + + class TestACLBase(base.BaseApiTest): def setUp(self): super(TestACLBase, self).setUp() - self.environ = {'fake.cache': utils.FakeMemcache()} + self.environ = {} self.format_data = {} self._create_test_data() + self.fake_token = None + mock_auth = mock.patch.object( + auth_token.AuthProtocol, 'process_request', + autospec=True) + self.mock_auth = mock_auth.start() + self.addCleanup(mock_auth.stop) def _make_app(self): - cfg.CONF.set_override('cache', 'fake.cache', - group='keystone_authtoken') cfg.CONF.set_override('auth_strategy', 'keystone') return super(TestACLBase, self)._make_app() @@ -48,9 +75,36 @@ class TestACLBase(base.BaseApiTest): def _create_test_data(self): pass + def _check_skip(self, **kwargs): + if kwargs.get('skip_reason'): + self.skipTest(kwargs.get('skip_reason')) + + def _fake_process_request(self, request, meow): + if self.fake_token: + request.user_token_valid = True + request.user_token = True + # is this right?!? + request.token_info = self.fake_token + request.auth_token = v3_token.Token( + user_id=self.fake_token['user']) + else: + # Because of this, the user will always get a 403 in testing, even + # if the API would normally return a 401 if a token is valid + request.user_token_valid = False + def _test_request(self, path, params=None, headers=None, method='get', assert_status=None, assert_dict_contains=None): path = path.format(**self.format_data) + self.mock_auth.side_effect = self._fake_process_request + if headers: + auth_token = headers.get('X-Auth-Token') + if auth_token: + auth_token = self.format_data[auth_token] + headers['X-Auth-Token'] = auth_token + self.fake_token = USERS[auth_token] + headers['X_ROLES'] = ','.join(USERS[auth_token]['roles']) + self.mock_auth.side_effect = self._fake_process_request + expect_errors = bool(assert_status) if method == 'get': response = self.get_json( @@ -78,8 +132,11 @@ class TestACLBasic(TestACLBase): def _create_test_data(self): fake_db_node = db_utils.create_test_node(chassis_id=None) self.format_data['node_uuid'] = fake_db_node['uuid'] + self.format_data['admin_token'] = ADMIN_TOKEN + self.format_data['member_token'] = MEMBER_TOKEN @ddt.file_data('test_acl_basic.yaml') @ddt.unpack def test_basic(self, **kwargs): + self._check_skip(**kwargs) self._test_request(**kwargs) diff --git a/ironic/tests/unit/api/test_acl_basic.yaml b/ironic/tests/unit/api/test_acl_basic.yaml index 739b858d4..08741c449 100644 --- a/ironic/tests/unit/api/test_acl_basic.yaml +++ b/ironic/tests/unit/api/test_acl_basic.yaml @@ -1,25 +1,30 @@ +values: + skip_reason: For value storage + admin_headers: &admin_headers + X-Auth-Token: 'admin_token' + member_headers: &member_headers + X-Auth-Token: 'member_token' + non_authenticated: path: &node_path '/v1/nodes/{node_uuid}' - assert_status: 401 + assert_status: 403 authenticated: path: *node_path - headers: - X-Auth-Token: &admin_token '4562138218392831' + headers: *admin_headers assert_dict_contains: uuid: '{node_uuid}' driver: 'fake-hardware' non_admin: path: *node_path - headers: - X-Auth-Token: &member_token '4562138218392832' + headers: *member_headers assert_status: 403 non_admin_with_admin_header: path: *node_path headers: - X-Auth-Token: *member_token + X-Auth-Token: 'member_token' X-Roles: admin assert_status: 403 @@ -41,4 +46,4 @@ public_api_v1_json: public_api_v1_xml: path: /v1.xml - assert_status: 404
\ No newline at end of file + assert_status: 404 diff --git a/ironic/tests/unit/api/utils.py b/ironic/tests/unit/api/utils.py index 4e22688c7..58970f2b3 100644 --- a/ironic/tests/unit/api/utils.py +++ b/ironic/tests/unit/api/utils.py @@ -33,9 +33,6 @@ from ironic.tests.unit.db import utils as db_utils ADMIN_TOKEN = '4562138218392831' MEMBER_TOKEN = '4562138218392832' -ADMIN_TOKEN_HASH = hashlib.sha256(ADMIN_TOKEN.encode()).hexdigest() -MEMBER_TOKEN_HASH = hashlib.sha256(MEMBER_TOKEN.encode()).hexdigest() - ADMIN_BODY = { 'access': { 'token': {'id': ADMIN_TOKEN, @@ -60,21 +57,26 @@ MEMBER_BODY = { } } +DEFAULT_CACHE_VALUES = { + ADMIN_TOKEN: ADMIN_BODY, + MEMBER_TOKEN: MEMBER_BODY +} + class FakeMemcache(object): """Fake cache that is used for keystone tokens lookup.""" - # NOTE(lucasagomes): keystonemiddleware >= 2.0.0 the token cache - # keys are sha256 hashes of the token key. This was introduced in - # https://review.opendev.org/#/c/186971 - _cache = { - 'tokens/%s' % ADMIN_TOKEN: ADMIN_BODY, - 'tokens/%s' % ADMIN_TOKEN_HASH: ADMIN_BODY, - 'tokens/%s' % MEMBER_TOKEN: MEMBER_BODY, - 'tokens/%s' % MEMBER_TOKEN_HASH: MEMBER_BODY, - } - - def __init__(self): + def __init__(self, cache_values=None): + if not cache_values: + cache_values = DEFAULT_CACHE_VALUES + self._cache = {} + for k, v in cache_values.items(): + self._cache['tokens/%s' % k] = v + # NOTE(lucasagomes): keystonemiddleware >= 2.0.0 the token cache + # keys are sha256 hashes of the token key. This was introduced in + # https://review.opendev.org/#/c/186971 + self._cache['tokens/%s' % + hashlib.sha256(k.encode()).hexdigest()] = v self.set_key = None self.set_value = None self.token_expiration = None |