diff --git a/repose-aggregator/functional-tests/spock-functional-test/src/test/configs/features/filters/keystonev2/removetenant/tenantednondelegable/keystone-v2.cfg.xml b/repose-aggregator/functional-tests/spock-functional-test/src/test/configs/features/filters/keystonev2/removetenant/tenantednondelegable/keystone-v2.cfg.xml index 5994e2196d2..4407bfbc225 100644 --- a/repose-aggregator/functional-tests/spock-functional-test/src/test/configs/features/filters/keystonev2/removetenant/tenantednondelegable/keystone-v2.cfg.xml +++ b/repose-aggregator/functional-tests/spock-functional-test/src/test/configs/features/filters/keystonev2/removetenant/tenantednondelegable/keystone-v2.cfg.xml @@ -2,7 +2,7 @@ - 600000 + 0 600000 diff --git a/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/clientauthn/tenantvalidation/NonTenantedAuthTest.groovy b/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/clientauthn/tenantvalidation/NonTenantedAuthTest.groovy index 4ea00abae4b..9f2f2647c3b 100644 --- a/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/clientauthn/tenantvalidation/NonTenantedAuthTest.groovy +++ b/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/clientauthn/tenantvalidation/NonTenantedAuthTest.groovy 
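Review bot: The element whose value drops from 600000 to 0 cannot be identified in this rendering of the hunk (its tag did not survive), and nothing in the fixture records why this keystone-v2 config now differs from its siblings. If, as the millisecond-sized value suggests, this is a cache timeout, an XML comment next to it such as `<!-- 0: no caching, so each feature's change of token/role on the mock identity service takes effect immediately -->` would keep the next maintainer from restoring the default and reintroducing order-dependent results.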
@@ -79,6 +79,26 @@ class NonTenantedAuthTest extends ReposeValveTest { mc.handlings.size() == 1 } + def "Validate RackerSSO token no tenant"() { + given: "client auth with racker user access" + fakeIdentityService.with { + client_token = "rackerSSO" + service_admin_role = "non-admin" + } + + when: "pass request with request tenant" + def mc = + deproxy.makeRequest( + url: reposeEndpoint + "/servers/12345", + method: 'GET', + headers: ['content-type': 'application/json', 'X-Auth-Token': fakeIdentityService.client_token] + ) + + then: "should satisfy the following" + mc.receivedResponse.code == "200" + mc.handlings.size() == 1 + } + def "Fails when a racker token doesn't have the authorized role"() { fakeIdentityService.with { client_token = "rackerFailure" diff --git a/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/clientauthn/tenantvalidation/TenantedNonDelegableTest.groovy b/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/clientauthn/tenantvalidation/TenantedNonDelegableTest.groovy index 81eec948709..847b6e2059d 100644 --- a/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/clientauthn/tenantvalidation/TenantedNonDelegableTest.groovy +++ b/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/clientauthn/tenantvalidation/TenantedNonDelegableTest.groovy @@ -60,6 +60,7 @@ class TenantedNonDelegableTest extends ReposeValveTest { def setup() { fakeIdentityService.resetHandlers() + fakeIdentityService.resetDefaultParameters() } @Unroll("tenant: #requestTenant, with return from identity with HTTP code (#authResponseCode), group HTTP code (#groupResponseCode) and response tenant: #responseTenant") 
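Review bot: The new feature `Validate RackerSSO token no tenant` mutates shared mock state (`client_token`, `service_admin_role = "non-admin"`) through `fakeIdentityService.with {}`, but this spec's `setup()` is outside the hunk and, unlike the two TenantedNonDelegableTest specs in this commit, it does not visibly gain a `fakeIdentityService.resetDefaultParameters()` call, so the non-admin role may leak into whichever features run after it; adding the same reset to this spec's `setup()` would make the result independent of feature order. The `when:` label "pass request with request tenant" is copied from the tenanted specs and contradicts the feature's point that no tenant is required; `when: "a rackerSSO token with a non-admin role is used in non-tenanted mode"` would describe the case. The expected 200 presumably rests on a second role hard-coded in the new rackerSSO mock template rather than on `service_admin_role`, and a short comment on the `given:` block saying which role is meant to grant access would make the authorisation being pinned readable from the spec.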
@@ -291,4 +292,23 @@ class TenantedNonDelegableTest extends ReposeValveTest { mc.getHandlings().get(0).getRequest().getHeaders().contains("x-tenant-id") mc.getHandlings().get(0).getRequest().getHeaders().getFirstValue("x-tenant-id") == "hybrid:12345" } + + def "Racker token fails with tenanted mode"() { + given: "clientauth with racker user access" + fakeIdentityService.with { + client_token = "rackerSSO" + service_admin_role = "non-admin" + } + + when: "pass request with request tenant" + def mc = + deproxy.makeRequest( + url: reposeEndpoint + "/servers/12345", + method: 'GET', + headers: ['content-type': 'application/json', 'X-Auth-Token': fakeIdentityService.client_token] + ) + + then: "should satisfy the following" + mc.receivedResponse.code == "401" + } } diff --git a/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/keystonev2/tenantvalidation/TenantedNonDelegableTest.groovy b/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/keystonev2/tenantvalidation/TenantedNonDelegableTest.groovy index f731b5eb553..3ac790e2309 100644 --- a/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/keystonev2/tenantvalidation/TenantedNonDelegableTest.groovy +++ b/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/features/filters/keystonev2/tenantvalidation/TenantedNonDelegableTest.groovy @@ -61,6 +61,7 @@ class TenantedNonDelegableTest extends ReposeValveTest { def setup() { fakeIdentityV2Service.resetHandlers() + fakeIdentityV2Service.resetDefaultParameters() } @Unroll("tenant: #requestTenant, with return from identity with HTTP code (#authResponseCode), group HTTP code (#groupResponseCode) and response tenant: #responseTenant") 
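Review bot: Both new negative features, `Racker token fails with tenanted mode` here and `Racker token fails with tenanted mode and non service admin role` in the keystonev2 TenantedNonDelegableTest hunk, assert only `mc.receivedResponse.code == "401"`, while the positive features around them also check `mc.handlings`. A 401 produced by the origin stub or by a later filter would satisfy that assertion just as well, so adding `mc.handlings.size() == 0` after the status check pins that the auth filter itself rejected the racker token before the request reached the origin. The same line would also make the failure obvious if the filter ever started forwarding such a request and the origin happened to answer 401.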
@@ -391,4 +392,23 @@ class TenantedNonDelegableTest extends ReposeValveTest {
 mc.getHandlings().get(0).getRequest().getHeaders().contains("x-tenant-id")
 mc.getHandlings().get(0).getRequest().getHeaders().getFirstValue("x-tenant-id") == hybridtenant
 }
+
+ def "Racker token fails with tenanted mode and non service admin role" () {
+ given: "keystone v2 with racker user access"
+ fakeIdentityV2Service.with {
+ client_token = "rackerSSO"
+ service_admin_role = "non-admin"
+ }
+
+ when: "pass request with request tenant"
+ def mc =
+ deproxy.makeRequest(
+ url: reposeEndpoint + "/servers/12345",
+ method: 'GET',
+ headers: ['content-type': 'application/json', 'X-Auth-Token': fakeIdentityV2Service.client_token]
+ )
+
+ then: "should satisfy the following"
+ mc.receivedResponse.code == "401"
+ }
 }
diff --git a/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/framework/mocks/MockIdentityService.groovy b/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/framework/mocks/MockIdentityService.groovy
index 1da64b59d6c..51b09917c46 100644
--- a/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/framework/mocks/MockIdentityService.groovy
+++ b/repose-aggregator/functional-tests/spock-functional-test/src/test/groovy/framework/mocks/MockIdentityService.groovy
@@ -392,6 +392,8 @@ class MockIdentityService {
 if (xml) {
 if (tokenId == "rackerButts") {
 template = rackerTokenXmlTemplate
+ } else if (tokenId == "rackerSSO") {
+ template = rackerSuccessfulValidateRespXmlTemplate
 } else if (tokenId == "failureRacker") {
 template = rackerTokenWithoutProperRoleXmlTemplate
 } else if (tokenId == "dedicatedUser") {
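Review bot: The `rackerSSO` branch is inserted at different points in the two dispatch chains: in the JSON chain (the `@@ -404` hunk) the `impersonate_id != ""` check is tested first, whereas in the XML chain (`@@ -392`) no impersonation check is visible before the token-id branches, so a spec that sets both `impersonate_id` and `client_token = "rackerSSO"` would get the impersonation template in JSON and, as far as this hunk shows, the racker template in XML. If that precedence is intended, a comment above the JSON chain, `// impersonation wins over token-specific templates`, would record it; otherwise the two chains should test the token id in the same order. The literal `"rackerSSO"` now appears twice here and in three specs, so a single named constant on the mock would keep the fixture name from drifting; both chains continue outside the hunk.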
@@ -404,6 +406,8 @@ class MockIdentityService { } else { if (impersonate_id != "") { template = impersonateSuccessfulJsonRespTemplate + } else if (tokenId == "rackerSSO") { + template = rackerSuccessfulValidateRespJsonTemplate } else if (tokenId == "dedicatedUser") { template = dedicatedUserSuccessfulRespJsonTemplate } else { @@ -1149,7 +1153,59 @@ class MockIdentityService { """ - + def rackerSuccessfulValidateRespXmlTemplate = + """ + + + + + + + + + + + + + +""" + def rackerSuccessfulValidateRespJsonTemplate = + """{ + "access": { + "token": { + "expires": "\${expires}", + "id": "\${token}" + }, + "user": { + "RAX-AUTH:defaultRegion": "", + "roles": [ + { + "name": "\${serviceadmin}", + "description": "Defines a user as being a Racker", + "id": "9", + "serviceId": "18e7a7032733486cd32f472d7bd58f709ac0d221" + }, + { + "name": "test_repose", + "id" : "100", + "description" : "Defines a user a repose dev", + "serviceId": "18e7a7032733486cd32f472d7bd58f709ac0d221" + } + ], + "id": "rackerSSOUsername" + } + } +} +""" def rackerTokenWithoutProperRoleXmlTemplate = """
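Review bot: `rackerSuccessfulValidateRespXmlTemplate` is empty in this rendering of the `@@ -1149` hunk (its markup did not survive), so only the JSON template can be reviewed here, and the two should be checked against each other for the same roles and user id. In the JSON template the racker role name is interpolated from `${serviceadmin}` while a second role `test_repose` (id 100) is fixed, which is why specs that set `service_admin_role = "non-admin"` still present one stable role; a comment above the template such as `// roles: ${serviceadmin} is set per feature via service_admin_role, test_repose is fixed — the specs' expected status depends on which one the filter config authorises` would make the intent of the new racker features readable from the mock. The `description` string `"Defines a user a repose dev"` reads as a typo for "as a repose dev" but is harmless fixture text. The enclosing class body continues outside the hunk.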