diff options
Diffstat (limited to 'test')
-rw-r--r-- | test/functional_auth/gswauth/test_gswauth.py | 7 | ||||
-rw-r--r-- | test/functional_auth/gswauth/test_gswauth_cli.py | 72 | ||||
-rw-r--r-- | test/unit/common/middleware/gswauth/swauth/test_middleware.py | 171 |
3 files changed, 237 insertions, 13 deletions
diff --git a/test/functional_auth/gswauth/test_gswauth.py b/test/functional_auth/gswauth/test_gswauth.py index 3ee3f5d..5219f13 100644 --- a/test/functional_auth/gswauth/test_gswauth.py +++ b/test/functional_auth/gswauth/test_gswauth.py @@ -227,15 +227,16 @@ class TestGSWauth(unittest.TestCase): # attempt to change password path = '%sv2/%s/%s' % (config['auth_prefix'], config['account'], config['username']) - headers = self._get_admin_headers() + headers = {'X-Auth-Admin-User': + config['account'] + ':' + config['username'], + 'X-Auth-Admin-Key': config['password']} headers.update({'X-Auth-User-Key': 'newpassword', 'Content-Length': '0', - 'X-Auth-Admin-Key': config['password'], 'X-Auth-User-Admin': 'true'}) conn = http_connect(config['auth_host'], config['auth_port'], 'PUT', path, headers) resp = conn.getresponse() - self.assertTrue(resp.status == 401) + self.assertTrue(resp.status == 201) finally: try: diff --git a/test/functional_auth/gswauth/test_gswauth_cli.py b/test/functional_auth/gswauth/test_gswauth_cli.py index e128b54..8cac619 100644 --- a/test/functional_auth/gswauth/test_gswauth_cli.py +++ b/test/functional_auth/gswauth/test_gswauth_cli.py @@ -278,4 +278,74 @@ class TestUser(unittest.TestCase): #TODO:more testcases? - + def testChangeKey(self): + # Create account and users + (status, output) = Utils.addAccount('test') + self.assertEqual(status, 0, 'Account creation failed: ' + output) + + (status, output) = Utils.addAdminUser('test', 'admin', 'password') + self.assertEqual(status, 0, 'User addition failed: ' + output) + + (status, output) = Utils.addUser('test', 'user', 'password') + self.assertEqual(status, 0, 'User addition failed: ' + output) + + (status, output) = Utils.addResellerAdminUser('test', 'radmin', 'password') + self.assertEqual(status, 0, 'User addition failed: ' + output) + + # Change acccount admin password/key + (status, output) = Utils.addAdminUser('test', 'admin', 'new_password', user='test:admin', key='password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + + # Change regular user password/key + (status, output) = Utils.addUser('test', 'user', 'new_password', user='test:user', key='password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + + # Change reseller admin password/key + (status, output) = Utils.addResellerAdminUser('test', 'radmin', 'new_password', user='test:radmin', key='password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + + # To verify that password was changed for real, re-run the above commands, but with the new password + # Change acccount admin password/key using the new password + (status, output) = Utils.addAdminUser('test', 'admin', 'password', user='test:admin', key='new_password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + + # Change regular user password/key using the new password + (status, output) = Utils.addUser('test', 'user', 'password', user='test:user', key='new_password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + + # Change reseller admin password/key using the new password + (status, output) = Utils.addResellerAdminUser('test', 'radmin', 'password', user='test:radmin', key='new_password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + + # Make sure that regular user cannot upgrade to admin + (status, output) = Utils.addAdminUser('test', 'user', 'password', user='test:user', key='password') + self.assertEqual('User creation failed' in output, True, 'Update key failed: ' + output) + + # Make sure that regular user cannot upgrade to reseller_admin + (status, output) = Utils.addResellerAdminUser('test', 'user', 'password', user='test:user', key='password') + self.assertEqual('User creation failed' in output, True, 'Update key failed: ' + output) + + # Make sure admin cannot update himself to reseller_admin + (status, output) = Utils.addResellerAdminUser('test', 'admin', 'password', user='test:admin', key='password') + self.assertEqual('User creation failed' in output, True, 'Update key failed: ' + output) + + # Account admin changing regular user password/key + (status, output) = Utils.addUser('test', 'user', 'new_password', user='test:admin', key='password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + # Verify by running the command with new password + (status, output) = Utils.addUser('test', 'user', 'password', user='test:user', key='new_password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + + # Reseller admin changing regular user password/key + (status, output) = Utils.addUser('test', 'user', 'new_password', user='test:radmin', key='password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + # Verify by running the command with new password + (status, output) = Utils.addUser('test', 'user', 'password', user='test:user', key='new_password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + + # Reseller admin changing account admin password/key + (status, output) = Utils.addAdminUser('test', 'admin', 'new_password', user='test:radmin', key='password') + self.assertEqual(status, 0, 'Update key failed: ' + output) + # Verify by running the command with new password + (status, output) = Utils.addAdminUser('test', 'admin', 'password', user='test:admin', key='new_password') + self.assertEqual(status, 0, 'Update key failed: ' + output) diff --git a/test/unit/common/middleware/gswauth/swauth/test_middleware.py b/test/unit/common/middleware/gswauth/swauth/test_middleware.py index f01c34f..bce734d 100644 --- a/test/unit/common/middleware/gswauth/swauth/test_middleware.py +++ b/test/unit/common/middleware/gswauth/swauth/test_middleware.py @@ -3242,6 +3242,10 @@ class TestAuth(unittest.TestCase): def test_put_user_reseller_admin_fail_bad_creds(self): self.test_auth.app = FakeApp(iter([ + # Checking if user is changing his own key. This is called. + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:rdm"}, + {"name": "test"}, {"name": ".admin"}, + {"name": ".reseller_admin"}], "auth": "plaintext:key"})), # GET of user object (reseller admin) # This shouldn't actually get called, checked # below @@ -3261,9 +3265,13 @@ class TestAuth(unittest.TestCase): 'X-Auth-User-Reseller-Admin': 'true'} ).get_response(self.test_auth) self.assertEquals(resp.status_int, 401) - self.assertEquals(self.test_auth.app.calls, 0) + self.assertEquals(self.test_auth.app.calls, 1) self.test_auth.app = FakeApp(iter([ + # Checking if user is changing his own key. This is called. + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"})), # GET of user object (account admin, but not reseller admin) # This shouldn't actually get called, checked # below @@ -3283,13 +3291,16 @@ class TestAuth(unittest.TestCase): 'X-Auth-User-Reseller-Admin': 'true'} ).get_response(self.test_auth) self.assertEquals(resp.status_int, 401) - self.assertEquals(self.test_auth.app.calls, 0) + self.assertEquals(self.test_auth.app.calls, 1) self.test_auth.app = FakeApp(iter([ + # Checking if user is changing his own key. This is called. + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"})), # GET of user object (regular user) # This shouldn't actually get called, checked # below - ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, {"name": "test"}], "auth": "plaintext:key"}))])) resp = Request.blank('/auth/v2/act/usr', environ={ @@ -3304,7 +3315,7 @@ class TestAuth(unittest.TestCase): 'X-Auth-User-Reseller-Admin': 'true'} ).get_response(self.test_auth) self.assertEquals(resp.status_int, 401) - self.assertEquals(self.test_auth.app.calls, 0) + self.assertEquals(self.test_auth.app.calls, 1) def test_put_user_account_admin_fail_bad_creds(self): self.test_auth.app = FakeApp(iter([ @@ -3312,6 +3323,10 @@ class TestAuth(unittest.TestCase): # account) ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"}, {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"})), + # Checking if user is changing his own key. + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], "auth": "plaintext:key"}))])) resp = Request.blank('/auth/v2/act/usr', environ={ @@ -3326,11 +3341,14 @@ class TestAuth(unittest.TestCase): 'X-Auth-User-Admin': 'true'} ).get_response(self.test_auth) self.assertEquals(resp.status_int, 403) - self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(self.test_auth.app.calls, 2) self.test_auth.app = FakeApp(iter([ # GET of user object (regular user) ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"})), + # Checking if user is changing his own key. + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, {"name": "test"}], "auth": "plaintext:key"}))])) resp = Request.blank('/auth/v2/act/usr', environ={ @@ -3345,7 +3363,7 @@ class TestAuth(unittest.TestCase): 'X-Auth-User-Admin': 'true'} ).get_response(self.test_auth) self.assertEquals(resp.status_int, 403) - self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(self.test_auth.app.calls, 2) def test_put_user_regular_fail_bad_creds(self): self.test_auth.app = FakeApp(iter([ @@ -3353,6 +3371,10 @@ class TestAuth(unittest.TestCase): # account) ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"}, {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"})), + # Checking if user is changing his own key. + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], "auth": "plaintext:key"}))])) resp = Request.blank('/auth/v2/act/usr', environ={ @@ -3365,13 +3387,16 @@ class TestAuth(unittest.TestCase): 'X-Auth-User-Key': 'key'} ).get_response(self.test_auth) self.assertEquals(resp.status_int, 403) - self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(self.test_auth.app.calls, 2) self.test_auth.app = FakeApp(iter([ # GET of user object (regular user) ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"})), + # Checking if user is changing his own key. + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, {"name": "test"}], "auth": "plaintext:key"}))])) - resp = Request.blank('/auth/v2/act/usr', + resp = Request.blank('/auth/v2/act2/usr', environ={ 'REQUEST_METHOD': 'PUT'}, headers={ @@ -3382,7 +3407,7 @@ class TestAuth(unittest.TestCase): 'X-Auth-User-Key': 'key'} ).get_response(self.test_auth) self.assertEquals(resp.status_int, 403) - self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(self.test_auth.app.calls, 2) def test_put_user_regular_success(self): self.test_auth.app = FakeApp(iter([ @@ -3941,6 +3966,134 @@ class TestAuth(unittest.TestCase): self.assert_(not self.test_auth.credentials_match( {'auth': 'plaintext:key'}, 'notkey')) + def test_is_user_changing_own_key_err(self): + # User does not exist + self.test_auth.app = FakeApp( + iter([('404 Not Found', {}, '')])) + req = Request.blank('/auth/v2/act/usr', + environ={ + 'REQUEST_METHOD': 'PUT'}, + headers={ + 'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key'}) + self.assert_( + not self.test_auth.is_user_changing_own_key(req, 'act:usr')) + self.assertEquals(self.test_auth.app.calls, 1) + + # user attempting to escalate himself as admin + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + req = Request.blank('/auth/v2/act/usr', + environ={ + 'REQUEST_METHOD': 'PUT'}, + headers={ + 'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Admin': 'true'}) + self.assert_( + not self.test_auth.is_user_changing_own_key(req, 'act:usr')) + self.assertEquals(self.test_auth.app.calls, 1) + + # admin attempting to escalate himself as reseller_admin + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + req = Request.blank('/auth/v2/act/adm', + environ={ + 'REQUEST_METHOD': 'PUT'}, + headers={ + 'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Reseller-Admin': 'true'}) + self.assert_( + not self.test_auth.is_user_changing_own_key(req, 'act:adm')) + self.assertEquals(self.test_auth.app.calls, 1) + + # different user + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + req = Request.blank('/auth/v2/act/usr2', + environ={ + 'REQUEST_METHOD': 'PUT'}, + headers={ + 'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key'}) + self.assert_( + not self.test_auth.is_user_changing_own_key(req, 'act:usr2')) + self.assertEquals(self.test_auth.app.calls, 1) + + # wrong key + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + req = Request.blank('/auth/v2/act/usr', + environ={ + 'REQUEST_METHOD': 'PUT'}, + headers={ + 'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'wrongkey', + 'X-Auth-User-Key': 'newkey'}) + self.assert_( + not self.test_auth.is_user_changing_own_key(req, 'act:usr')) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_is_user_changing_own_key_sucess(self): + # regular user + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + req = Request.blank('/auth/v2/act/usr', + environ={ + 'REQUEST_METHOD': 'PUT'}, + headers={ + 'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'newkey'}) + self.assert_( + self.test_auth.is_user_changing_own_key(req, 'act:usr')) + self.assertEquals(self.test_auth.app.calls, 1) + + # account admin + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + req = Request.blank('/auth/v2/act/adm', + environ={ + 'REQUEST_METHOD': 'PUT'}, + headers={ + 'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'newkey', + 'X-Auth-User-Admin': 'true'}) + self.assert_( + self.test_auth.is_user_changing_own_key(req, 'act:adm')) + self.assertEquals(self.test_auth.app.calls, 1) + + # reseller admin + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}, + {"name": ".reseller_admin"}], "auth": "plaintext:key"}))])) + req = Request.blank('/auth/v2/act/adm', + environ={ + 'REQUEST_METHOD': 'PUT'}, + headers={ + 'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'newkey', + 'X-Auth-User-Reseller-Admin': 'true'}) + self.assert_( + self.test_auth.is_user_changing_own_key(req, 'act:adm')) + self.assertEquals(self.test_auth.app.calls, 1) + def test_is_super_admin_success(self): self.assert_( self.test_auth.is_super_admin( |