# Test setup: sets the `admin_token` option to the literal 'ADMIN' through the
# config fixture and sends the same literal in the X-Auth-Token header.
# NOTE(review): the value is applied via config_fixture inside a test class, so
# it looks like a fixture rather than a deployable secret; worth flagging only
# if the same literal also appears in shipped configuration.
159 super(AdminTokenTests, self).setUp() 160 self.config_fixture.config(admin_token='ADMIN') 161 self.headers = {'X-Auth-Token': 'ADMIN'}
760 minimum_password_age=2) 761 conf.config(group='security_compliance', 762 password_regex=r'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$') 763 conf.config(group='security_compliance',
762 password_regex=r'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$') 763 conf.config(group='security_compliance', 764 password_regex_description='1 letter, 1 digit, 7 chars') 765
856 password = uuid.uuid4().hex 857 invalid_password = '1' 858 regex = CONF.security_compliance.password_regex_description
199 super(TestRBACEnforcerRestAdminAuthToken, self).config_overrides() 200 self.config_fixture.config(admin_token='ADMIN') 201
308 # Check that the auth_context is in-fact decoded as expected. 309 token_path = '/v3/auth/tokens' 310 auth_json = self._auth_json()
329 # environment. 330 token_path = '/v3/auth/tokens' 331 auth_json = self._auth_json()
517 def test_enforce_call_explicit_target_attr(self): 518 token_path = '/v3/auth/tokens' 519 auth_json = self._auth_json()
542 def test_enforce_call_with_subject_token_data(self): 543 token_path = '/v3/auth/tokens' 544 auth_json = self._auth_json()
557 def test_enforce_call_with_member_target_type_and_member_target(self): 558 token_path = '/v3/auth/tokens' 559 auth_json = self._auth_json()
585 586 token_path = '/v3/auth/tokens' 587 auth_json = self._auth_json()
601 def test_enforce_call_with_filter_values(self): 602 token_path = '/v3/auth/tokens' 603 auth_json = self._auth_json()
641 def test_enforce_call_with_pre_instantiated_enforcer(self): 642 token_path = '/v3/auth/tokens' 643 auth_json = self._auth_json()
662 # enforce_call has actually been called 663 token_path = '/v3/auth/tokens' 664 auth_json = self._auth_json()
69 def test_hash(self): 70 password = 'right' 71 wrong = 'wrongwrong' # Two wrongs don't make a right
97 max_length = CONF.identity.max_password_length 98 invalid_password = 'passw0rd' 99 trunc = common_utils.verify_length_and_trunc_password(invalid_password)
104 self.config_fixture.config(group='identity', max_password_length=5) 105 invalid_password = 'passw0rd' 106 self.assertRaises(exception.PasswordVerificationError,
154 def test_hash_user_password_with_empty_password(self): 155 password = '' 156 user = self._create_test_user(password=password)
166 def test_hash_unicode(self): 167 password = u'Comment \xe7a va' 168 wrong = 'Comment ?a va'
801 # called a single time. 802 assert self.__config_overrides_called is False 803 self.__config_overrides_called = True
# Guard that fails unless the double-underscore `__config_overrides_called`
# flag on the instance is True.
# NOTE(review): the check is a bare `assert`, so it is compiled out when Python
# runs with -O; acceptable for test scaffolding, but not a pattern to copy for
# runtime validation.
862 def _assert_config_overrides_called(self): 863 assert self.__config_overrides_called is True 864
26 import re 27 import shelve 28 29 import ldap
252 else: 253 self.db = shelve.open(url[7:]) 254
304 305 db_password = '' 306 if attrs:
543 # performing the real lookup in result3() 544 msgid = random.randint(0, 1000) 545 PendingRequests[msgid] = (base, scope, filterstr, attrlist, attrsonly,
605 else: 606 self.db = shelve.open(self.url[11:]) 607
# Registers a Config fixture and fills the 'ldap' group with url, user,
# password and suffix.
# NOTE(review): 'cn=Admin' / 'password' read as placeholder credentials, and the
# 'fake://memory' URL presumably selects an in-memory test double rather than a
# live directory; confirm before treating this as a hard-coded secret.
34 config_fixture_ = self.useFixture(config_fixture.Config()) 35 config_fixture_.config( 36 group='ldap', 37 url='fake://memory', 38 user='cn=Admin', 39 password='password', 40 suffix='cn=example,cn=com') 41
60 super(UserPasswordHashingTestsNoCompat, self).config_overrides() 61 self.config_fixture.config(group='identity', 62 password_hash_algorithm='scrypt') 63
# Expects PROVIDERS.identity_api.authenticate to raise AssertionError for this
# user_id/password pair.
# NOTE(review): authentication failure is signalled with AssertionError here. If
# the code under test raises it through an `assert` statement, the check
# disappears under `python -O`; the raising site is outside this excerpt, so
# verify that it uses an explicit `raise`.
105 with self.make_request(): 106 self.assertRaises(AssertionError, 107 PROVIDERS.identity_api.authenticate, 108 user_id=id_, 109 password='password') 110
388 with self.make_request(): 389 self.assertRaises(AssertionError, 390 PROVIDERS.identity_api.authenticate, 391 user_id=user['id'], 392 password='') 393 self.assertRaises(AssertionError,
405 with self.make_request(): 406 self.assertRaises(AssertionError, 407 PROVIDERS.identity_api.authenticate, 408 user_id=user['id'], 409 password='') 410 self.assertRaises(AssertionError,
277 # Create the thumbprint using all keys in the repository. 278 signature = hashlib.sha1() 279 for key in keys:
77 subsystem = '%s[domain=%s]' % (subsystem, domain) 78 assert expected_cls == observed_cls, msg % { 79 'expected_cls': expected_cls, 80 'observed_cls': observed_cls, 81 'subsystem': subsystem, 82 }
407 408 user['password'] = u'fäképass2' 409 PROVIDERS.identity_api.update_user(user['id'], user)
1139 def test_authenticate_wrong_credentials(self): 1140 self.assertRaises(exception.LDAPInvalidCredentialsError, 1141 PROVIDERS.identity_api.driver.user.get_connection, 1142 user='demo', 1143 password='demo', 1144 end_user_auth=True) 1145
1478 self.load_backends() 1479 user = self.new_user_ref(name='EXTRA_ATTRIBUTES', 1480 password='extra', 1481 domain_id=CONF.identity.default_domain_id) 1482 user = PROVIDERS.identity_api.create_user(user)
188 189 new_password = 'new_password' 190 user_ref['password'] = new_password
1370 # Symptom Detected: Regular expression is invalid 1371 self.config_fixture.config( 1372 group='security_compliance', 1373 password_regex=r'^^(??=.*\d)$') 1374 self.assertTrue(
1378 # No Symptom Detected: Regular expression is valid 1379 self.config_fixture.config( 1380 group='security_compliance', 1381 password_regex=r'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$') 1382 self.assertFalse(
1394 # Symptom Detected: Regular expression is set but description is not 1395 self.config_fixture.config( 1396 group='security_compliance', 1397 password_regex=r'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$') 1398 self.config_fixture.config(
1407 desc = '1 letter, 1 digit, and a minimum length of 7 is required' 1408 self.config_fixture.config( 1409 group='security_compliance', 1410 password_regex=r'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$') 1411 self.config_fixture.config(
14 15 import subprocess 16 17 import ldap.modlist
# Invokes the `ldapdelete` client (simple bind, recursive delete of
# CONF.ldap.suffix) and sends its stderr to /dev/null.
# NOTE(review): `-w CONF.ldap.password` places the bind password in the child's
# argv, where other local users can read it from the process table while the
# command runs; ldapdelete also accepts `-y <passwdfile>` to read it from a file.
# The argv list (no shell=True) keeps config values from being shell-interpreted.
# `devnull` is opened but not closed within this excerpt; `subprocess.DEVNULL`
# would avoid the extra handle.
49 devnull = open('/dev/null', 'w') 50 subprocess.call(['ldapdelete', 51 '-x', 52 '-D', CONF.ldap.user, 53 '-H', CONF.ldap.url, 54 '-w', CONF.ldap.password, 55 '-r', CONF.ldap.suffix], 56 stderr=devnull) 57
49 devnull = open('/dev/null', 'w') 50 subprocess.call(['ldapdelete', 51 '-x', 52 '-D', CONF.ldap.user, 53 '-H', CONF.ldap.url, 54 '-w', CONF.ldap.password, 55 '-r', CONF.ldap.suffix], 56 stderr=devnull) 57
171 auth_pool_connection_lifetime=600) 172 old_password = 'my_password' 173 new_password = 'new_password'
172 old_password = 'my_password' 173 new_password = 'new_password' 174 user = self._do_password_change_for_one_user(old_password,
191 192 old_password = 'my_password' 193 new_password = 'new_password'
192 old_password = 'my_password' 193 new_password = 'new_password' 194 user = self._do_password_change_for_one_user(old_password,
54 55 user = unit.create_user(PROVIDERS.identity_api, 'default', 56 name='fake1', password='fakepass1') 57 user_ref = PROVIDERS.identity_api.get_user(user['id'])
59 60 user['password'] = 'fakepass2' 61 PROVIDERS.identity_api.update_user(user['id'], user)
76 77 user = unit.create_user(PROVIDERS.identity_api, 'default', 78 id='fake1', name='fake1', 79 password='fakepass1') 80 user_ref = PROVIDERS.identity_api.get_user('fake1')
82 83 user['password'] = 'fakepass2' 84 PROVIDERS.identity_api.update_user('fake1', user)
720 def test_admin_token_context(self): 721 self.config_fixture.config(admin_token='ADMIN') 722 log_fix = self.useFixture(fixtures.FakeLogger())
728 def test_request_non_admin(self): 729 self.config_fixture.config( 730 admin_token='ADMIN') 731 log_fix = self.useFixture(fixtures.FakeLogger())
16 import os 17 import subprocess 18 from unittest import mock
# Starts `oslopolicy-policy-generator --namespace keystone` with stdout and
# stderr captured through pipes.
# NOTE(review): argv is a fixed list with no shell, so nothing here is
# shell-interpreted; the program name is relative and is resolved through PATH.
# Both pipes have to be drained (e.g. with communicate()) or the child can
# block; the follow-up call is outside this excerpt.
239 # will fail and prevent users from generating policy files. 240 ret_val = subprocess.Popen( 241 ['oslopolicy-policy-generator', '--namespace', 'keystone'], 242 stdout=subprocess.PIPE, 243 stderr=subprocess.PIPE 244 )
239 # will fail and prevent users from generating policy files. 240 ret_val = subprocess.Popen( 241 ['oslopolicy-policy-generator', '--namespace', 'keystone'], 242 stdout=subprocess.PIPE, 243 stderr=subprocess.PIPE 244 )
551 consumer = 'consumer' 552 request_token = 'request_token' 553 access_token = 'access_token'
# NOTE(review): `consumer` is passed to assertTableDoesNotExist, so it is used
# as a table name; 'request_token' / 'access_token' are presumably the same
# kind of identifier, not token values. Confirm against the assertions that
# follow before treating these as hard-coded secrets.
552 request_token = 'request_token' 553 access_token = 'access_token' 554 self.assertTableDoesNotExist(consumer)
739 local_user_table = 'local_user' 740 password_table = 'password' 741 self.upgrade(89)
812 local_user_table_name = 'local_user' 813 password_table_name = 'password' 814 815 # populate current user table 816 self.upgrade(90)
# Names two tables and then calls self.upgrade(90).
# NOTE(review): going by the constant's name, 'password' here is a table name,
# not a credential; a hard-coded-password finding on this line looks like a
# false positive.
838 LOCAL_USER_TABLE_NAME = 'local_user' 839 PASSWORD_TABLE_NAME = 'password' 840 self.upgrade(90)
1413 session = self.sessionmaker() 1414 password_name = 'password' 1415 # columns before 1416 self.assertTableColumns(password_name,
1445 def test_migration_106_allow_password_column_to_be_nullable(self): 1446 password_table_name = 'password' 1447 self.upgrade(105)
1490 def test_migration_109_add_password_self_service_column(self): 1491 password_table = 'password' 1492 self.upgrade(108)
2377 2378 password_table_name = 'password' 2379 2380 self.assertTableColumns(
3191 3192 password_table = 'password' 3193 self.assertTableColumns(
1026 self.assertValidRole(entity, ref=ref) 1027 except Exception: 1028 # It doesn't match, so let's go onto the next one 1029 pass 1030 else:
1116 self.assertValidRoleAssignment(entity, ref=ref) 1117 except Exception: 1118 # It doesn't match, so let's go onto the next one 1119 pass 1120 else:
72 with self.test_client() as c: 73 secret = 'supersecuresecret' 74 roles = [{'id': self.role_id}]
1214 1215 breadth = random.randint(1, self.MAX_HIERARCHY_BREADTH) 1216
1224 1225 new_parent = subprojects[random.randint(0, breadth - 1)] 1226 create_project_hierarchy(new_parent['id'], depth - 1)
1241 create_project_hierarchy(self.project_id, 1242 random.randint(1, self.MAX_HIERARCHY_DEPTH)) 1243
485 def test_project_name_no_domain(self): 486 auth_data = self.build_authentication_request( 487 username='test', 488 password='test', 489 project_name='abc')['auth'] 490 self.assertRaises(exception.ValidationError,
494 def test_both_project_and_domain_in_scope(self): 495 auth_data = self.build_authentication_request( 496 user_id='test', 497 password='test', 498 project_name='test', 499 domain_name='test')['auth'] 500 self.assertRaises(exception.ValidationError,
504 def test_get_method_names_duplicates(self): 505 auth_data = self.build_authentication_request( 506 token='test', 507 user_id='test', 508 password='test')['auth'] 509 auth_data['identity']['methods'] = ['password', 'token',
515 def test_get_method_data_invalid_method(self): 516 auth_data = self.build_authentication_request( 517 user_id='test', 518 password='test')['auth'] 519 auth_info = auth.core.AuthInfo.create(auth_data)
657 658 auth_data = self.build_authentication_request( 659 user_id=user['id'], 660 password='password') 661
833 # Change user's password 834 self.user['password'] = 'Password1' 835 PROVIDERS.identity_api.update_user(self.user['id'], self.user)
1658 # Update user's password 1659 self.user['password'] = 'Password1' 1660 PROVIDERS.identity_api.update_user(self.user['id'], self.user)
1839 # Change trustee's password 1840 trustee_update_ref = dict(password='Password1') 1841 PROVIDERS.identity_api.update_user(
1873 # Change trustor's password 1874 trustor_update_ref = dict(password='Password1') 1875 PROVIDERS.identity_api.update_user(self.user['id'], trustor_update_ref)
1892 1893 trustor_update_ref = dict(password='Password1') 1894 PROVIDERS.identity_api.update_user(self.user['id'], trustor_update_ref)
2580 app = self.loadapp() 2581 auth_data = self.build_authentication_request( 2582 user_domain_id=self.domain['id'], 2583 username=self.user['name'], 2584 password='badpassword') 2585 with app.test_client() as c:
5553 app_cred) 5554 auth_data = self.build_authentication_request( 5555 app_cred_id=app_cred_ref['id'], secret='badsecret') 5556 self.v3_create_token(auth_data,
16 import re 17 import subprocess 18 from testtools import matchers
24 import http.client 25 from lxml import etree 26 from oslo_serialization import jsonutils
1654 expected_status=http.client.CREATED) 1655 iterations = random.randint(0, 16) 1656 protocol_ids = []
# Picks one entry of the returned project list at a random index.
# NOTE(review): `random` is not a cryptographic generator; that is adequate for
# choosing a fixture, but the choice makes the test non-reproducible, and
# randint(0, -1) raises ValueError if the list comes back empty.
2531 projects = r.result['projects'] 2532 random_project = random.randint(0, len(projects) - 1) 2533 project = projects[random_project]
3093 projects = resp.result['projects'] 3094 random_project = random.randint(0, len(projects) - 1) 3095 project = projects[random_project]
3155 projects = resp.result['projects'] 3156 random_project = random.randint(0, len(projects) - 1) 3157 project = projects[random_project]
3197 projects = r.result['projects'] 3198 random_project = random.randint(0, len(projects) - 1) 3199 project = projects[random_project]
3568 member_role_ref = unit.new_role_ref(name='member') 3569 assert member_role_ref['domain_id'] is None 3570 self.member_role = PROVIDERS.role_api.create_role(
3573 observer_role_ref = unit.new_role_ref(name='observer') 3574 assert observer_role_ref['domain_id'] is None 3575 self.observer_role = PROVIDERS.role_api.create_role(
3827 def _is_xmlsec1_installed(): 3828 p = subprocess.Popen( 3829 ['which', 'xmlsec1'], 3830 stdout=subprocess.PIPE, 3831 stderr=subprocess.PIPE) 3832
3827 def _is_xmlsec1_installed(): 3828 p = subprocess.Popen( 3829 ['which', 'xmlsec1'], 3830 stdout=subprocess.PIPE, 3831 stderr=subprocess.PIPE) 3832
3997 saml_str = response.to_string() 3998 response = etree.fromstring(saml_str) 3999 issuer = response[0]
# Parses `http_response.result` as XML with lxml and takes the first child
# element as the issuer.
# NOTE(review): etree.fromstring() uses lxml's default parser, which may expand
# entities depending on the lxml version's defaults. The input here presumably
# comes from the service under test; code that parses XML from an untrusted
# peer should pass an explicit
# etree.XMLParser(resolve_entities=False, no_network=True).
4161 4162 response = etree.fromstring(http_response.result) 4163 issuer = response[0]
4275 4276 env_response = etree.fromstring(http_response.result) 4277 header = env_response[0]
# Sets the security_compliance password_regex used by these tests.
# The pattern combines two lookaheads (at least one digit, at least one ASCII
# letter) with `.{7,}` for a minimum length of 7. It sets no upper bound on
# length and no requirement beyond those two character classes.
1020 # passwords requires: 1 letter, 1 digit, 7 chars 1021 self.config_fixture.config(group='security_compliance', 1022 password_regex=( 1023 r'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$')) 1024
1026 user = unit.new_user_ref(domain_id=self.domain_id) 1027 user['password'] = 'simple' 1028 self.post('/users', body={'user': user}, token=self.get_admin_token(),
1033 domain_id=self.domain['id']) 1034 user['password'] = 'simple' 1035 self.patch('/users/%(user_id)s' % {
1041 # password requires: any non-whitespace character 1042 self.config_fixture.config(group='security_compliance', 1043 password_regex=r'[\S]+') 1044 self.change_password(password='simple',
1043 password_regex=r'[\S]+') 1044 self.change_password(password='simple', 1045 original_password=self.user_ref['password'], 1046 expected_status=http.client.NO_CONTENT) 1047
1048 def test_changing_password_with_strong_password_strength(self): 1049 self.change_password(password='mypassword2', 1050 original_password=self.user_ref['password'], 1051 expected_status=http.client.NO_CONTENT) 1052
1054 # no digit 1055 self.change_password(password='mypassword', 1056 original_password=self.user_ref['password'], 1057 expected_status=http.client.BAD_REQUEST) 1058
1059 # no letter 1060 self.change_password(password='12345678', 1061 original_password=self.user_ref['password'], 1062 expected_status=http.client.BAD_REQUEST) 1063
1064 # less than 7 chars 1065 self.change_password(password='mypas2', 1066 original_password=self.user_ref['password'], 1067 expected_status=http.client.BAD_REQUEST) 1068
2515 # passwords requires: 1 letter, 1 digit, 7 chars 2516 self.config_fixture.config(group='security_compliance', 2517 password_regex=( 2518 r'^(?=.*\d)(?=.*[a-zA-Z]).{7,}$')) 2519
2520 def test_password_validate_with_valid_strong_password(self): 2521 password = 'mypassword2' 2522 validators.validate_password(password)
# Configures a malformed password_regex and picks the password to validate.
# NOTE(review): `\S]+` still compiles under Python's `re` (an unpaired `]` is a
# literal), so this value exercises a pattern that 'mypassword2' cannot match
# rather than a compile failure. Confirm which path the validator takes, and
# whether a truly uncompilable pattern is covered elsewhere.
2542 # invalid regular expression, missing beginning '[' 2543 self.config_fixture.config(group='security_compliance', 2544 password_regex=r'\S]+') 2545 password = 'mypassword2'
2544 password_regex=r'\S]+') 2545 password = 'mypassword2' 2546 self.assertRaises(exception.PasswordValidationError,
2549 # fix regular expression and validate 2550 self.config_fixture.config(group='security_compliance', 2551 password_regex=r'[\S]+') 2552 validators.validate_password(password)
# URL path templates with `{...}` placeholders: one for a user's OS-OAUTH1
# access-token resource, one for an OS-FEDERATION protocol auth endpoint.
# NOTE(review): 'access_tokens' is a path segment, not a credential, so a
# hard-coded-secret finding on this constant looks like a false positive.
134 BASE_ACCESS_TOKEN = ( 135 '/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}') 136 137 FEDERATED_AUTH_URL = ('/OS-FEDERATION/identity_providers/{idp_id}' 138 '/protocols/{protocol_id}/auth')
# Loads the 'public' app and picks a port number at random from 40000-60000.
# NOTE(review): nothing in the excerpt checks that the port is free; if it is
# later bound, a collision shows up as an intermittent failure. Binding to
# port 0 and reading back the assigned port avoids that. The non-cryptographic
# `random` module is adequate for this purpose.
713 self.public_app = self.loadapp('public') 714 self.public_port = random.randint(40000, 60000) 715
900 901 self.public_port = random.randint(40000, 60000) 902
640 # Create the thumbprint using all keys in the repository. 641 signature = hashlib.sha1() 642 for key in keys: