From cbdb3086a1363cacafdce93968f4af2b98885b14 Mon Sep 17 00:00:00 2001
From: Frode Nordahl
Date: Wed, 11 Mar 2020 09:56:30 +0100
Subject: [PATCH 1/2] keystone: expect security check no admin-token to pass
Also add test to validate that the domain named ``default`` literally has an ID of ``default``.
---
 zaza/openstack/charm_tests/keystone/tests.py | 23 ++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py
index e057428..9f1d31d 100644
--- a/zaza/openstack/charm_tests/keystone/tests.py
+++ b/zaza/openstack/charm_tests/keystone/tests.py
@@ -328,6 +328,21 @@ class AuthenticationAuthorizationTest(BaseKeystoneTest):
 {'OS_AUTH_URL': 'http://{}:5000/v3'.format(ip)})
 _validate_token_data(openrc)
+ def test_backward_compatible_uuid_for_default_domain(self):
+ """Check domain named ``default`` literally has ``default`` as ID.
+
+ Some third party software chooses to hard code this value for some
+ inexplicable reason.
+ """
+ with self.v3_keystone_preferred():
+ ks_session = openstack_utils.get_keystone_session(
+ openstack_utils.get_overcloud_auth())
+ ks_client = openstack_utils.get_keystone_session_client(
+ ks_session)
+ domain = ks_client.domains.get('default')
+ logging.info(pprint.pformat(domain))
+ assert domain.id == 'default'
+
 class SecurityTests(BaseKeystoneTest):
 """Keystone security tests tests."""
@@ -343,13 +358,13 @@ class SecurityTests(BaseKeystoneTest):
 # this initial work to get validation in. There will be bugs targeted
 # to each one and resolved independently where possible.
 expected_failures = [
- 'disable-admin-token',
 ]
 expected_passes = [
 'check-max-request-body-size',
- 'uses-sha256-for-hashing-tokens',
- 'uses-fernet-token-after-default',
+ 'disable-admin-token',
 'insecure-debug-is-false',
+ 'uses-fernet-token-after-default',
+ 'uses-sha256-for-hashing-tokens',
 'validate-file-ownership',
 'validate-file-permissions',
 ]
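Review bot: The new test pins its result with a bare `assert domain.id == 'default'`, so a failure reports only the expression and not the ID Keystone actually returned; if BaseKeystoneTest is a unittest.TestCase (its definition is outside this hunk), `self.assertEqual(domain.id, 'default')` puts both values in the failure message. The method name speaks of a "uuid" while the value being checked is the literal string 'default', which is not a UUID; naming it `test_backward_compatible_id_for_default_domain`, or adding a docstring sentence saying the check is that the default domain was not given a generated UUID, would make the intent clearer. `logging` and `pprint` are used but not imported in this hunk; I assume they are already imported at module level.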
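Review bot: `expected_failures` is now an empty list, yet the comment ending just above it (`# ... There will be bugs targeted` / `# to each one and resolved independently where possible.`) still describes a set of outstanding known failures and reads as stale once nothing is listed. I would rewrite that tail along the lines of `# expected_failures is normally empty; list a check here only while a regression is being fixed.` The comment begins, and the rest of the SecurityTests method continues, outside this hunk. The `expected_to_pass=True` flip in the following hunk depends on this list staying empty, so the comment is the only place a future reader learns the two must change together.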
@@ -363,7 +378,7 @@ class SecurityTests(BaseKeystoneTest):
 action_params={}),
 expected_passes,
 expected_failures,
- expected_to_pass=False)
+ expected_to_pass=True)
 class LdapTests(BaseKeystoneTest):
From e28b9e0c48aac07517a435b62c7cdd3153aadb96 Mon Sep 17 00:00:00 2001
From: Frode Nordahl
Date: Wed, 11 Mar 2020 13:50:04 +0100
Subject: [PATCH 2/2] policyd: Use different policy for test of Keystone
A side effect of migrating to bootstrapping Keystone as opposed to using the admin_token is that the charm credentials is now subject to the Keystone policy. At present the ``list_services`` policy is used as a test of the Policy Override feature, however revoking access to said call will make the charm go into an error state as it attempts to use it as part of managing the Keystone CRUD. Change the test to use the ``list_credentials`` policy for test instead.
---
 zaza/openstack/charm_tests/policyd/tests.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/zaza/openstack/charm_tests/policyd/tests.py b/zaza/openstack/charm_tests/policyd/tests.py
index f332765..703f0af 100644
--- a/zaza/openstack/charm_tests/policyd/tests.py
+++ b/zaza/openstack/charm_tests/policyd/tests.py
@@ -258,7 +258,7 @@ class BasePolicydSpecialization(PolicydTest,
 class KeystonePolicydTest(BasePolicydSpecialization):
- _rule = {'rule.yaml': "{'identity:list_services': '!'}"}
+ _rule = {'rule.yaml': "{'identity:list_credentials': '!'}"}
 def get_client_and_attempt_operation(self, keystone_session):
 ... etc.
@@ -485,7 +485,7 @@ class BasePolicydSpecialization(PolicydTest,
 class KeystoneTests(BasePolicydSpecialization):
 """Test the policyd override using the keystone client."""
- _rule = {'rule.yaml': "{'identity:list_services': '!'}"}
+ _rule = {'rule.yaml': "{'identity:list_credentials': '!'}"}
 @classmethod
 def setUpClass(cls, application_name=None):
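Review bot: Denying `identity:list_credentials` in `KeystoneTests._rule` only demonstrates the override if the same call is permitted when no override is in place for the user the test runs as; the consuming call, `keystone_client.credentials.list()` in the following hunk, uses a session from `get_keystone_session_demo_admin_user`, and credential listing is commonly admin-restricted in default Keystone policy, so it is worth confirming the baseline call succeeds for that user, otherwise Forbidden is raised in both states and the test cannot tell them apart. A comment next to `_rule`, e.g. `# list_credentials is used because the charm itself never calls it; the demo admin user must be allowed to list credentials under default policy for the baseline check`, would record both constraints for whoever changes the rule next. The same rule string also appears in the example at @@ -258, which the `... etc.` suggests is docstring text, so the two should continue to be updated together as this commit does.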
@@ -506,7 +506,7 @@ class KeystoneTests(BasePolicydSpecialization):
 keystone_client = openstack_utils.get_keystone_session_client(
 self.get_keystone_session_demo_admin_user(ip))
 try:
- keystone_client.services.list()
+ keystone_client.credentials.list()
 except keystoneauth1.exceptions.http.Forbidden:
 raise PolicydOperationFailedException()