Unauthed tests for Secret & Container ACLs

These tests will attempt CRUD operations on Secret and Container ACLs
without valid tokens. They should all return HTTP 401s. Also added
PATCH support to the common client, and use_auth parameters to ACL
behaviors.

Change-Id: Ie753b6605ae81202a4bb473dd6f9101919f4eda5
Charles Neill 2015-07-10 11:28:40 -05:00
parent bf0013e282
commit 486a4e2a2b
2 changed files with 94 additions and 13 deletions


@ -21,37 +21,40 @@ from functionaltests.api.v1.models import acl_models
class AclBehaviors(base_behaviors.BaseBehaviors):
def create_acl(self, entity_ref, model, extra_headers=None,
user_name=None):
use_auth=True, user_name=None):
"""Create an acl from the data in the model.
:param entity_ref: ref of secret or container for acl
:param model: The metadata used to create the acl
:param extra_headers: Headers used to create the acl
:param use_auth: Boolean for whether to send authentication headers
:param user_name: The user name used to create the acl
:return: the response from the PUT request
"""
acl_ref = '{0}/acl'.format(entity_ref)
resp = self.client.put(acl_ref, request_model=model,
extra_headers=extra_headers,
extra_headers=extra_headers, use_auth=use_auth,
user_name=user_name)
self.created_entities.append((acl_ref, user_name))
return resp
def get_acl(self, acl_ref, extra_headers=None, user_name=None):
def get_acl(self, acl_ref, extra_headers=None, use_auth=True,
user_name=None):
"""Handles getting a single acl
:param acl_ref: Reference to the acl to be retrieved
:param extra_headers: Headers used to get the acl
:param use_auth: Boolean for whether to send authentication headers
:param user_name: The user name used to get the acl
:return: The response of the GET.
"""
resp = self.client.get(
acl_ref, response_model_type=acl_models.AclModel,
user_name=user_name)
use_auth=use_auth, user_name=user_name)
return resp
def update_acl(self, acl_ref, model, extra_headers=None,
@ -74,7 +77,7 @@ class AclBehaviors(base_behaviors.BaseBehaviors):
return resp
def delete_acl(self, acl_ref, extra_headers=None,
expected_fail=False, user_name=None):
expected_fail=False, use_auth=True, user_name=None):
"""Handles deleting an acl.
:param acl_ref: Reference of the acl to be deleted
@ -82,11 +85,13 @@ class AclBehaviors(base_behaviors.BaseBehaviors):
:param expected_fail: If there is a negative test, this should be
marked true if you are trying to delete an acl that does
not exist.
:param use_auth: Boolean for whether to send authentication headers
:param user_name: The user name used to delete the acl
:return: Response of the delete.
"""
resp = self.client.delete(acl_ref, extra_headers, user_name=user_name)
resp = self.client.delete(acl_ref, extra_headers, use_auth=use_auth,
user_name=user_name)
if not expected_fail:
for item in self.created_entities:
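Review bot: In `create_acl`, `self.created_entities.append((acl_ref, user_name))` still runs when `use_auth=False`, so a PUT that was rejected is recorded as a created entity, and whatever cleanup walks that list (not visible here) will presumably act on an ACL this call never set. Recording only on success, for example `if resp.status_code == 200:` before the append, keeps teardown from adding noise to the 401 checks. Separately, `get_acl` documents `extra_headers` but the `self.client.get(...)` call never forwards it, so a caller's headers are silently dropped; assuming the client's `get` accepts the keyword as `put` does, pass `extra_headers=extra_headers` alongside `use_auth=use_auth`. The bodies of `update_acl` and `delete_acl` extend outside the hunks shown.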


@ -12,6 +12,8 @@
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from testtools import testcase
from barbican.tests import utils
from functionaltests.api import base
from functionaltests.api.v1.behaviors import acl_behaviors
@ -210,6 +212,74 @@ class AclTestCase(base.TestCase):
status = self.get_container(container_ref, user_name=user)
self.assertEqual(expected_return, status)
# ----------------------- Secret ACL Tests ---------------------------
@testcase.attr('negative', 'security')
def test_secret_read_acl_no_token(self):
secret_ref = self.store_secret()
acl_ref = '{0}/acl'.format(secret_ref)
resp = self.acl_behaviors.get_acl(acl_ref, use_auth=False)
self.assertEqual(401, resp.status_code)
@testcase.attr('negative', 'security')
def test_secret_set_acl_no_token(self):
secret_ref = self.store_secret()
resp = self.set_secret_acl(secret_ref, get_rbac_only(), use_auth=False)
self.assertEqual(401, resp.status_code)
@testcase.attr('negative', 'security')
def test_secret_delete_acl_no_token(self):
secret_ref = self.store_secret()
acl_ref = '{0}/acl'.format(secret_ref)
resp = self.acl_behaviors.delete_acl(
acl_ref, expected_fail=True, use_auth=False
)
self.assertEqual(401, resp.status_code)
@testcase.attr('negative', 'security')
def test_secret_update_acl_no_token(self):
secret_ref = self.store_secret()
acl_ref = '{0}/acl'.format(secret_ref)
resp = self.set_secret_acl(secret_ref, get_rbac_only())
self.assertEqual(200, resp.status_code)
resp = self.acl_behaviors.update_acl(acl_ref, {}, use_auth=False)
self.assertEqual(401, resp.status_code)
# ----------------------- Container ACL Tests ---------------------------
@testcase.attr('negative', 'security')
def test_container_read_acl_no_token(self):
container_ref = self.store_container()
acl_ref = '{0}/acl'.format(container_ref)
resp = self.acl_behaviors.get_acl(acl_ref, use_auth=False)
self.assertEqual(401, resp.status_code)
@testcase.attr('negative', 'security')
def test_container_set_acl_no_token(self):
container_ref = self.store_container()
resp = self.set_container_acl(
container_ref, get_rbac_only(), use_auth=False
)
self.assertEqual(401, resp.status_code)
@testcase.attr('negative', 'security')
def test_container_delete_acl_no_token(self):
container_ref = self.store_container()
acl_ref = '{0}/acl'.format(container_ref)
resp = self.acl_behaviors.delete_acl(
acl_ref, expected_fail=True, use_auth=False
)
self.assertEqual(401, resp.status_code)
@testcase.attr('negative', 'security')
def test_container_update_acl_no_token(self):
container_ref = self.store_container()
acl_ref = '{0}/acl'.format(container_ref)
resp = self.set_container_acl(container_ref, get_rbac_only())
self.assertEqual(200, resp.status_code)
resp = self.acl_behaviors.update_acl(acl_ref, {}, use_auth=False)
self.assertEqual(401, resp.status_code)
# ----------------------- Helper Functions ---------------------------
def store_secret(self, user_name=creator_a, admin=admin_a):
@ -226,11 +296,14 @@ class AclTestCase(base.TestCase):
user_name=user_name)
return resp.status_code
def set_secret_acl(self, secret_ref, acl, user_name=creator_a):
def set_secret_acl(self, secret_ref, acl, use_auth=True,
user_name=creator_a):
test_model = acl_models.AclModel(**acl)
resp = self.acl_behaviors.create_acl(
secret_ref, test_model, user_name=user_name)
self.assertEqual(200, resp.status_code)
secret_ref, test_model, use_auth=use_auth, user_name=user_name)
if use_auth:
self.assertEqual(200, resp.status_code)
return resp
def store_container(self, user_name=creator_a, admin=admin_a):
secret_ref = self.store_secret(user_name=user_name, admin=admin)
@ -247,11 +320,14 @@ class AclTestCase(base.TestCase):
container_ref, user_name=user_name)
return resp.status_code
def set_container_acl(self, container_ref, acl, user_name=creator_a):
def set_container_acl(self, container_ref, acl, use_auth=True,
user_name=creator_a):
test_model = acl_models.AclModel(**acl)
resp = self.acl_behaviors.create_acl(
container_ref, test_model, user_name=user_name)
self.assertEqual(200, resp.status_code)
container_ref, test_model, use_auth=use_auth, user_name=user_name)
if use_auth:
self.assertEqual(200, resp.status_code)
return resp
# ----------------------- Support Functions ---------------------------
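Review bot: The eight `*_no_token` tests assert only `401`, which does not prove the ACL was left untouched: a server that applied the change and still returned an error status would pass. For the set, update and delete cases, follow the unauthenticated call with an authenticated `self.acl_behaviors.get_acl(acl_ref)` and assert that the ACL still matches what was stored beforehand. The delete tests would also need to set a non-default ACL first, since they currently run against a freshly stored secret or container. `update_acl` is called here with `use_auth=False`, but its signature is cut off in the behaviors diff, so confirm that it accepts and forwards that argument.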