ceph/qa/workunits/rgw/keystone-fake-server.py
Tobias Urdin 567024d363 rgw/qa: Add QA suite for Keystone service token
This adds a QA suite  for the service token auth in
RGW. The suite runs a workunit that is a bash script
that spawns a fake Keystone server which is then used
as an auth backend for RGW to test the feature.

A python script is then executed that runs a battery
of tests against RadosGW which talks to the fake Keystone
server running in the background.

Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
2022-09-23 15:10:14 +00:00

209 lines
5.8 KiB
Python
Executable File

#!/usr/bin/env python3
#
# Copyright (C) 2022 Binero
#
# Author: Tobias Urdin <tobias.urdin@binero.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU Library Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Library Public License for more details.
from datetime import datetime, timedelta
import logging
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
DEFAULT_DOMAIN = {
'id': 'default',
'name': 'Default',
}
PROJECTS = {
'admin': {
'domain': DEFAULT_DOMAIN,
'id': 'a6944d763bf64ee6a275f1263fae0352',
'name': 'admin',
},
'deadbeef': {
'domain': DEFAULT_DOMAIN,
'id': 'b4221c214dd64ee6a464g2153fae3813',
'name': 'deadbeef',
},
}
USERS = {
'admin': {
'domain': DEFAULT_DOMAIN,
'id': '51cc68287d524c759f47c811e6463340',
'name': 'admin',
},
'deadbeef': {
'domain': DEFAULT_DOMAIN,
'id': '99gg485738df758349jf8d848g774392',
'name': 'deadbeef',
},
}
USERROLES = {
'admin': [
{
'id': '51cc68287d524c759f47c811e6463340',
'name': 'admin',
}
],
'deadbeef': [
{
'id': '98bd32184f854f393a72b932g5334124',
'name': 'Member',
}
],
}
TOKENS = {
'admin-token-1': {
'username': 'admin',
'project': 'admin',
'expired': False,
},
'user-token-1': {
'username': 'deadbeef',
'project': 'deadbeef',
'expired': False,
},
'user-token-2': {
'username': 'deadbeef',
'project': 'deadbeef',
'expired': True,
},
}
def _generate_token_result(username, project, expired=False):
userdata = USERS[username]
projectdata = PROJECTS[project]
userroles = USERROLES[username]
if expired:
then = datetime.now() - timedelta(hours=2)
issued_at = then.strftime('%Y-%m-%dT%H:%M:%SZ')
expires_at = (then + timedelta(hours=1)).strftime('%Y-%m-%dT%H:%M:%SZ')
else:
now = datetime.now()
issued_at = now.strftime('%Y-%m-%dT%H:%M:%SZ')
expires_at = (now + timedelta(seconds=10)).strftime('%Y-%m-%dT%H:%M:%SZ')
result = {
'token': {
'audit_ids': ['3T2dc1CGQxyJsHdDu1xkcw'],
'catalog': [],
'expires_at': expires_at,
'is_domain': False,
'issued_at': issued_at,
'methods': ['password'],
'project': projectdata,
'roles': userroles,
'user': userdata,
}
}
return result
COUNTERS = {
'get_total': 0,
'post_total': 0,
}
class HTTPRequestHandler(BaseHTTPRequestHandler):
def do_GET(self):
# This is not part of the Keystone API
if self.path == '/stats':
self._handle_stats()
return
if str(self.path).startswith('/v3/auth/tokens'):
self._handle_get_auth()
else:
self.send_response(403)
self.end_headers()
def do_POST(self):
if self.path == '/v3/auth/tokens':
self._handle_post_auth()
else:
self.send_response(400)
self.end_headers()
def _get_data(self):
length = int(self.headers.get('content-length'))
data = self.rfile.read(length).decode('utf8')
return json.loads(data)
def _set_data(self, data):
jdata = json.dumps(data)
self.wfile.write(jdata.encode('utf8'))
def _handle_stats(self):
self.send_response(200)
self.end_headers()
self._set_data(COUNTERS)
def _handle_get_auth(self):
logging.info('Increasing get_total counter from %d -> %d' % (COUNTERS['get_total'], COUNTERS['get_total']+1))
COUNTERS['get_total'] += 1
auth_token = self.headers.get('X-Subject-Token', None)
if auth_token and auth_token in TOKENS:
tokendata = TOKENS[auth_token]
if tokendata['expired'] and 'allow_expired=1' not in self.path:
self.send_response(404)
self.end_headers()
else:
self.send_response(200)
self.send_header('Content-Type', 'application/json')
self.end_headers()
result = _generate_token_result(tokendata['username'], tokendata['project'], tokendata['expired'])
self._set_data(result)
else:
self.send_response(404)
self.end_headers()
def _handle_post_auth(self):
logging.info('Increasing post_total counter from %d -> %d' % (COUNTERS['post_total'], COUNTERS['post_total']+1))
COUNTERS['post_total'] += 1
data = self._get_data()
user = data['auth']['identity']['password']['user']
if user['name'] == 'admin' and user['password'] == 'ADMIN':
self.send_response(201)
self.send_header('Content-Type', 'application/json')
self.send_header('X-Subject-Token', 'admin-token-1')
self.end_headers()
tokendata = TOKENS['admin-token-1']
result = _generate_token_result(tokendata['username'], tokendata['project'], tokendata['expired'])
self._set_data(result)
else:
self.send_response(401)
self.end_headers()
def main():
logging.basicConfig(level=logging.DEBUG)
logging.info('Starting keystone-fake-server')
server = HTTPServer(('localhost', 5000), HTTPRequestHandler)
server.serve_forever()
if __name__ == '__main__':
main()