]>
git.proxmox.com Git - ceph.git/blob - ceph/qa/tasks/mgr/dashboard/test_auth.py
e1c9b8e63e62eb42aabd4271fb0784ff964d25bf
1 # -*- coding: utf-8 -*-
3 from __future__
import absolute_import
9 from .helper
import DashboardTestCase
, JObj
, JLeaf
12 class AuthTest(DashboardTestCase
):
14 AUTO_AUTHENTICATE
= False
17 super(AuthTest
, self
).setUp()
20 def _validate_jwt_token(self
, token
, username
, permissions
):
21 payload
= jwt
.decode(token
, verify
=False)
22 self
.assertIn('username', payload
)
23 self
.assertEqual(payload
['username'], username
)
25 for scope
, perms
in permissions
.items():
26 self
.assertIsNotNone(scope
)
27 self
.assertIn('read', perms
)
28 self
.assertIn('update', perms
)
29 self
.assertIn('create', perms
)
30 self
.assertIn('delete', perms
)
32 def test_a_set_login_credentials(self
):
33 # test with Authorization header
34 self
.create_user('admin2', 'admin2', ['administrator'])
35 self
._post
("/api/auth", {'username': 'admin2', 'password': 'admin2'})
36 self
.assertStatus(201)
37 data
= self
.jsonBody()
38 self
._validate
_jwt
_token
(data
['token'], "admin2", data
['permissions'])
39 self
.delete_user('admin2')
41 # test with Cookies set
42 self
.create_user('admin2', 'admin2', ['administrator'])
43 self
._post
("/api/auth", {'username': 'admin2', 'password': 'admin2'}, set_cookies
=True)
44 self
.assertStatus(201)
45 data
= self
.jsonBody()
46 self
._validate
_jwt
_token
(data
['token'], "admin2", data
['permissions'])
47 self
.delete_user('admin2')
49 def test_login_valid(self
):
50 # test with Authorization header
51 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'})
52 self
.assertStatus(201)
53 data
= self
.jsonBody()
54 self
.assertSchema(data
, JObj(sub_elems
={
56 'username': JLeaf(str),
57 'permissions': JObj(sub_elems
={}, allow_unknown
=True),
59 'pwdExpirationDate': JLeaf(int, none
=True),
60 'pwdUpdateRequired': JLeaf(bool)
61 }, allow_unknown
=False))
62 self
._validate
_jwt
_token
(data
['token'], "admin", data
['permissions'])
64 # test with Cookies set
65 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'}, set_cookies
=True)
66 self
.assertStatus(201)
67 data
= self
.jsonBody()
68 self
.assertSchema(data
, JObj(sub_elems
={
70 'username': JLeaf(str),
71 'permissions': JObj(sub_elems
={}, allow_unknown
=True),
73 'pwdExpirationDate': JLeaf(int, none
=True),
74 'pwdUpdateRequired': JLeaf(bool)
75 }, allow_unknown
=False))
76 self
._validate
_jwt
_token
(data
['token'], "admin", data
['permissions'])
78 def test_login_invalid(self
):
79 # test with Authorization header
80 self
._post
("/api/auth", {'username': 'admin', 'password': 'inval'})
81 self
.assertStatus(400)
84 "code": "invalid_credentials",
85 "detail": "Invalid credentials"
88 # test with Cookies set
89 self
._post
("/api/auth", {'username': 'admin', 'password': 'inval'}, set_cookies
=True)
90 self
.assertStatus(400)
93 "code": "invalid_credentials",
94 "detail": "Invalid credentials"
97 def test_login_without_password(self
):
98 # test with Authorization header
99 self
.create_user('admin2', '', ['administrator'])
100 self
._post
("/api/auth", {'username': 'admin2', 'password': ''})
101 self
.assertStatus(400)
102 self
.assertJsonBody({
104 "code": "invalid_credentials",
105 "detail": "Invalid credentials"
107 self
.delete_user('admin2')
109 # test with Cookies set
110 self
.create_user('admin2', '', ['administrator'])
111 self
._post
("/api/auth", {'username': 'admin2', 'password': ''}, set_cookies
=True)
112 self
.assertStatus(400)
113 self
.assertJsonBody({
115 "code": "invalid_credentials",
116 "detail": "Invalid credentials"
118 self
.delete_user('admin2')
120 def test_lockout_user(self
):
121 # test with Authorization header
122 self
._ceph
_cmd
(['dashboard', 'set-account-lockout-attempts', '3'])
124 self
._post
("/api/auth", {'username': 'admin', 'password': 'inval'})
125 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'})
126 self
.assertStatus(400)
127 self
.assertJsonBody({
129 "code": "invalid_credentials",
130 "detail": "Invalid credentials"
132 self
._ceph
_cmd
(['dashboard', 'ac-user-enable', 'admin'])
133 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'})
134 self
.assertStatus(201)
135 data
= self
.jsonBody()
136 self
.assertSchema(data
, JObj(sub_elems
={
138 'username': JLeaf(str),
139 'permissions': JObj(sub_elems
={}, allow_unknown
=True),
141 'pwdExpirationDate': JLeaf(int, none
=True),
142 'pwdUpdateRequired': JLeaf(bool)
143 }, allow_unknown
=False))
144 self
._validate
_jwt
_token
(data
['token'], "admin", data
['permissions'])
146 # test with Cookies set
147 self
._ceph
_cmd
(['dashboard', 'set-account-lockout-attempts', '3'])
149 self
._post
("/api/auth", {'username': 'admin', 'password': 'inval'}, set_cookies
=True)
150 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'}, set_cookies
=True)
151 self
.assertStatus(400)
152 self
.assertJsonBody({
154 "code": "invalid_credentials",
155 "detail": "Invalid credentials"
157 self
._ceph
_cmd
(['dashboard', 'ac-user-enable', 'admin'])
158 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'}, set_cookies
=True)
159 self
.assertStatus(201)
160 data
= self
.jsonBody()
161 self
.assertSchema(data
, JObj(sub_elems
={
163 'username': JLeaf(str),
164 'permissions': JObj(sub_elems
={}, allow_unknown
=True),
166 'pwdExpirationDate': JLeaf(int, none
=True),
167 'pwdUpdateRequired': JLeaf(bool)
168 }, allow_unknown
=False))
169 self
._validate
_jwt
_token
(data
['token'], "admin", data
['permissions'])
171 def test_logout(self
):
172 # test with Authorization header
173 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'})
174 self
.assertStatus(201)
175 data
= self
.jsonBody()
176 self
._validate
_jwt
_token
(data
['token'], "admin", data
['permissions'])
177 self
.set_jwt_token(data
['token'])
178 self
._post
("/api/auth/logout")
179 self
.assertStatus(200)
180 self
.assertJsonBody({
181 "redirect_url": "#/login"
183 self
._get
("/api/host")
184 self
.assertStatus(401)
185 self
.set_jwt_token(None)
187 # test with Cookies set
188 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'}, set_cookies
=True)
189 self
.assertStatus(201)
190 data
= self
.jsonBody()
191 self
._validate
_jwt
_token
(data
['token'], "admin", data
['permissions'])
192 self
.set_jwt_token(data
['token'])
193 self
._post
("/api/auth/logout", set_cookies
=True)
194 self
.assertStatus(200)
195 self
.assertJsonBody({
196 "redirect_url": "#/login"
198 self
._get
("/api/host", set_cookies
=True)
199 self
.assertStatus(401)
200 self
.set_jwt_token(None)
202 def test_token_ttl(self
):
203 # test with Authorization header
204 self
._ceph
_cmd
(['dashboard', 'set-jwt-token-ttl', '5'])
205 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'})
206 self
.assertStatus(201)
207 self
.set_jwt_token(self
.jsonBody()['token'])
208 self
._get
("/api/host")
209 self
.assertStatus(200)
211 self
._get
("/api/host")
212 self
.assertStatus(401)
213 self
._ceph
_cmd
(['dashboard', 'set-jwt-token-ttl', '28800'])
214 self
.set_jwt_token(None)
216 # test with Cookies set
217 self
._ceph
_cmd
(['dashboard', 'set-jwt-token-ttl', '5'])
218 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'}, set_cookies
=True)
219 self
.assertStatus(201)
220 self
.set_jwt_token(self
.jsonBody()['token'])
221 self
._get
("/api/host", set_cookies
=True)
222 self
.assertStatus(200)
224 self
._get
("/api/host", set_cookies
=True)
225 self
.assertStatus(401)
226 self
._ceph
_cmd
(['dashboard', 'set-jwt-token-ttl', '28800'])
227 self
.set_jwt_token(None)
229 def test_remove_from_blacklist(self
):
230 # test with Authorization header
231 self
._ceph
_cmd
(['dashboard', 'set-jwt-token-ttl', '5'])
232 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'})
233 self
.assertStatus(201)
234 self
.set_jwt_token(self
.jsonBody()['token'])
235 # the following call adds the token to the blacklist
236 self
._post
("/api/auth/logout")
237 self
.assertStatus(200)
238 self
._get
("/api/host")
239 self
.assertStatus(401)
241 self
._ceph
_cmd
(['dashboard', 'set-jwt-token-ttl', '28800'])
242 self
.set_jwt_token(None)
243 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'})
244 self
.assertStatus(201)
245 self
.set_jwt_token(self
.jsonBody()['token'])
246 # the following call removes expired tokens from the blacklist
247 self
._post
("/api/auth/logout")
248 self
.assertStatus(200)
250 # test with Cookies set
251 self
._ceph
_cmd
(['dashboard', 'set-jwt-token-ttl', '5'])
252 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'}, set_cookies
=True)
253 self
.assertStatus(201)
254 self
.set_jwt_token(self
.jsonBody()['token'])
255 # the following call adds the token to the blocklist
256 self
._post
("/api/auth/logout", set_cookies
=True)
257 self
.assertStatus(200)
258 self
._get
("/api/host", set_cookies
=True)
259 self
.assertStatus(401)
261 self
._ceph
_cmd
(['dashboard', 'set-jwt-token-ttl', '28800'])
262 self
.set_jwt_token(None)
263 self
._post
("/api/auth", {'username': 'admin', 'password': 'admin'}, set_cookies
=True)
264 self
.assertStatus(201)
265 self
.set_jwt_token(self
.jsonBody()['token'])
266 # the following call removes expired tokens from the blocklist
267 self
._post
("/api/auth/logout", set_cookies
=True)
268 self
.assertStatus(200)
270 def test_unauthorized(self
):
271 # test with Authorization header
272 self
._get
("/api/host")
273 self
.assertStatus(401)
275 # test with Cookies set
276 self
._get
("/api/host", set_cookies
=True)
277 self
.assertStatus(401)
279 def test_invalidate_token_by_admin(self
):
280 # test with Authorization header
281 self
._get
("/api/host")
282 self
.assertStatus(401)
283 self
.create_user('user', 'user', ['read-only'])
285 self
._post
("/api/auth", {'username': 'user', 'password': 'user'})
286 self
.assertStatus(201)
287 self
.set_jwt_token(self
.jsonBody()['token'])
288 self
._get
("/api/host")
289 self
.assertStatus(200)
291 self
._ceph
_cmd
(['dashboard', 'ac-user-set-password', '--force-password',
294 self
._get
("/api/host")
295 self
.assertStatus(401)
296 self
.set_jwt_token(None)
297 self
._post
("/api/auth", {'username': 'user', 'password': 'user2'})
298 self
.assertStatus(201)
299 self
.set_jwt_token(self
.jsonBody()['token'])
300 self
._get
("/api/host")
301 self
.assertStatus(200)
302 self
.delete_user("user")
304 # test with Cookies set
305 self
._get
("/api/host", set_cookies
=True)
306 self
.assertStatus(401)
307 self
.create_user('user', 'user', ['read-only'])
309 self
._post
("/api/auth", {'username': 'user', 'password': 'user'}, set_cookies
=True)
310 self
.assertStatus(201)
311 self
.set_jwt_token(self
.jsonBody()['token'])
312 self
._get
("/api/host", set_cookies
=True)
313 self
.assertStatus(200)
315 self
._ceph
_cmd
(['dashboard', 'ac-user-set-password', '--force-password',
318 self
._get
("/api/host", set_cookies
=True)
319 self
.assertStatus(401)
320 self
.set_jwt_token(None)
321 self
._post
("/api/auth", {'username': 'user', 'password': 'user2'}, set_cookies
=True)
322 self
.assertStatus(201)
323 self
.set_jwt_token(self
.jsonBody()['token'])
324 self
._get
("/api/host", set_cookies
=True)
325 self
.assertStatus(200)
326 self
.delete_user("user")
328 def test_check_token(self
):
329 # test with Authorization header
330 self
.login("admin", "admin")
331 self
._post
("/api/auth/check", {"token": self
.jsonBody()["token"]})
332 self
.assertStatus(200)
333 data
= self
.jsonBody()
334 self
.assertSchema(data
, JObj(sub_elems
={
335 "username": JLeaf(str),
336 "permissions": JObj(sub_elems
={}, allow_unknown
=True),
338 "pwdUpdateRequired": JLeaf(bool)
339 }, allow_unknown
=False))
342 # test with Cookies set
343 self
.login("admin", "admin", set_cookies
=True)
344 self
._post
("/api/auth/check", {"token": self
.jsonBody()["token"]}, set_cookies
=True)
345 self
.assertStatus(200)
346 data
= self
.jsonBody()
347 self
.assertSchema(data
, JObj(sub_elems
={
348 "username": JLeaf(str),
349 "permissions": JObj(sub_elems
={}, allow_unknown
=True),
351 "pwdUpdateRequired": JLeaf(bool)
352 }, allow_unknown
=False))
353 self
.logout(set_cookies
=True)
355 def test_check_wo_token(self
):
356 # test with Authorization header
357 self
.login("admin", "admin")
358 self
._post
("/api/auth/check", {"token": ""})
359 self
.assertStatus(200)
360 data
= self
.jsonBody()
361 self
.assertSchema(data
, JObj(sub_elems
={
362 "login_url": JLeaf(str)
363 }, allow_unknown
=False))
366 # test with Cookies set
367 self
.login("admin", "admin", set_cookies
=True)
368 self
._post
("/api/auth/check", {"token": ""}, set_cookies
=True)
369 self
.assertStatus(200)
370 data
= self
.jsonBody()
371 self
.assertSchema(data
, JObj(sub_elems
={
372 "login_url": JLeaf(str)
373 }, allow_unknown
=False))
374 self
.logout(set_cookies
=True)