# Copyright (c) 2015 The Johns Hopkins University/Applied Physics Laboratory
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

"""
Functional test cases for the Barbican key manager.

Note: This requires local running instances of Barbican and Keystone.

The shared test case is run once per supported credential type (an
oslo.context RequestContext, a KeystonePassword credential and a
KeystoneToken credential). Every variant checks that key manager calls made
with a ``None`` context are rejected with ``exception.Forbidden``.
"""
import abc

from keystoneauth1 import identity
from keystoneauth1 import session
from oslo_config import cfg
from oslo_context import context
from oslo_utils import uuidutils
from oslotest import base
from testtools import testcase

from castellan.common.credentials import keystone_password
from castellan.common.credentials import keystone_token
from castellan.common import exception
from castellan.key_manager import barbican_key_manager
from castellan.tests.functional import config
from castellan.tests.functional.key_manager import test_key_manager


CONF = config.get_config()


def _identity_settings():
    """Return the Keystone password-auth settings from the test config.

    The six ``CONF.identity`` values are returned under the keyword names
    that the credential constructors in this module are called with.
    """
    ident = CONF.identity
    return {
        'auth_url': ident.auth_url,
        'username': ident.username,
        'password': ident.password,
        'project_name': ident.project_name,
        'user_domain_name': ident.user_domain_name,
        'project_domain_name': ident.project_domain_name,
    }


class BarbicanKeyManagerTestCase(test_key_manager.KeyManagerTestCase):
    """Barbican-specific checks shared by every credential variant.

    Subclasses supply the credential through ``get_context``; the tests use
    it as ``self.ctxt`` for the authenticated calls and pass ``None`` where
    the rejection of an unauthenticated call is being verified.
    """

    def _create_key_manager(self):
        """Build the Barbican key manager from the global oslo config."""
        return barbican_key_manager.BarbicanKeyManager(cfg.CONF)

    # NOTE(review): abc.abstractmethod is only enforced when the class uses
    # an ABCMeta metaclass; whether KeyManagerTestCase provides one is not
    # visible in this file. Without it this base class can be instantiated
    # and get_context() simply yields None.
    @abc.abstractmethod
    def get_context(self):
        """Return the credential/context object used to authenticate."""
        return None

    def setUp(self):
        """Create the context and confirm a Barbican client can be built."""
        super(BarbicanKeyManagerTestCase, self).setUp()
        try:
            self.ctxt = self.get_context()
            self.key_mgr._get_barbican_client(self.ctxt)
        except Exception as err:
            # Under the functional-vault target Barbican is not running, so
            # the whole class has to be skipped rather than failed.
            #
            # NOTE(review): every exception type becomes a skip, so broken
            # credentials or a regression in client creation also skip the
            # Forbidden checks below instead of failing the run. Track the
            # skip count of the Barbican target so that loss of coverage is
            # noticed. The exception text is used as the skip reason and
            # therefore ends up in the test output.
            raise testcase.TestSkipped(str(err))

    def tearDown(self):
        """Defer to the parent clean-up; nothing extra is released here."""
        super(BarbicanKeyManagerTestCase, self).tearDown()

    def test_create_null_context(self):
        # Creating a symmetric key without a context must be refused.
        self.assertRaises(
            exception.Forbidden,
            self.key_mgr.create_key, None, 'AES', 256)

    def test_create_key_pair_null_context(self):
        # Creating an asymmetric key pair without a context must be refused.
        self.assertRaises(
            exception.Forbidden,
            self.key_mgr.create_key_pair, None, 'RSA', 2048)

    def test_delete_null_context(self):
        # Store a real object first so that the refusal cannot be mistaken
        # for a "not found" result; it is removed again with the valid
        # context once the test finishes.
        stored_id = self._get_valid_object_uuid(
            test_key_manager._get_test_symmetric_key())
        self.addCleanup(self.key_mgr.delete, self.ctxt, stored_id)
        self.assertRaises(
            exception.Forbidden,
            self.key_mgr.delete, None, stored_id)

    def test_delete_null_object(self):
        # A valid context with no object id is a key manager error.
        self.assertRaises(
            exception.KeyManagerError,
            self.key_mgr.delete, self.ctxt, None)

    def test_delete_unknown_object(self):
        # A freshly generated UUID refers to no stored object.
        missing_id = uuidutils.generate_uuid()
        self.assertRaises(
            exception.ManagedObjectNotFoundError,
            self.key_mgr.delete, self.ctxt, missing_id)

    def test_get_null_context(self):
        # Reading an existing object without a context must be refused.
        stored_id = self._get_valid_object_uuid(
            test_key_manager._get_test_symmetric_key())
        self.addCleanup(self.key_mgr.delete, self.ctxt, stored_id)
        self.assertRaises(
            exception.Forbidden,
            self.key_mgr.get, None, stored_id)

    def test_get_null_object(self):
        # A valid context with no object id is a key manager error.
        self.assertRaises(
            exception.KeyManagerError,
            self.key_mgr.get, self.ctxt, None)

    def test_get_unknown_key(self):
        # A freshly generated UUID refers to no stored key.
        missing_id = uuidutils.generate_uuid()
        self.assertRaises(
            exception.ManagedObjectNotFoundError,
            self.key_mgr.get, self.ctxt, missing_id)

    def test_store_null_context(self):
        # Storing key material without a context must be refused.
        symmetric_key = test_key_manager._get_test_symmetric_key()

        self.assertRaises(
            exception.Forbidden,
            self.key_mgr.store, None, symmetric_key)


class BarbicanKeyManagerOSLOContextTestCase(BarbicanKeyManagerTestCase,
                                            base.BaseTestCase):
    """Runs the shared tests with an oslo.context RequestContext."""

    def get_context(self):
        """Authenticate by password and wrap the token in a RequestContext."""
        plugin = identity.V3Password(**_identity_settings())
        authed_session = session.Session(auth=plugin)

        # NOTE(review): ``tenant`` is the older oslo.context name for the
        # project id; confirm the oslo.context version in use still accepts
        # it.
        return context.RequestContext(
            auth_token=plugin.get_token(authed_session),
            tenant=plugin.get_project_id(authed_session))


class BarbicanKeyManagerKSPasswordTestCase(BarbicanKeyManagerTestCase,
                                           base.BaseTestCase):
    """Runs the shared tests with a KeystonePassword credential."""

    def get_context(self):
        """Build the credential directly from the configured settings."""
        return keystone_password.KeystonePassword(**_identity_settings())


class BarbicanKeyManagerKSTokenTestCase(BarbicanKeyManagerTestCase,
                                        base.BaseTestCase):
    """Runs the shared tests with a KeystoneToken credential."""

    def get_context(self):
        """Obtain a token by password auth and wrap it in a KeystoneToken."""
        settings = _identity_settings()
        plugin = identity.V3Password(**settings)
        # The session is created without an auth plugin; the password plugin
        # is called directly to fetch the token and the project id.
        bare_session = session.Session()

        return keystone_token.KeystoneToken(
            token=plugin.get_token(bare_session),
            auth_url=settings['auth_url'],
            project_id=plugin.get_project_id(bare_session))