2 Documentation Test suite: Authentication Support for Keystone
4 ... This feature implements the user management for ODL NBI REST APIs integrated with OpenStack, so that
5 ... the authentication functionality provided by Keystone can be used. This allows consuming ODL NBI REST
6 ... APIs using the same authentication procedures as any OpenStack project, such as Nova, Neutron, etc.
7 ... bringing the benefits of a centralized / unified user management framework.
9 ... As a first step, It shall be possible to authenticate users against Keystone by using passwords
10 ... provided by the users.
14 Library OperatingSystem
15 Library RequestsLibrary
16 Resource ../../../libraries/Utils.robot
17 Resource ../../../libraries/TemplatedRequests.robot
18 Resource ../../../libraries/KarafKeywords.robot
19 Resource ../../../libraries/ClusterManagement.robot
20 Resource ../../../variables/Variables.robot
21 Resource ../../../libraries/AAA/DockerKeystone.robot
23 Suite Setup Init Suite
24 Suite Teardown Cleanup Suite
28 ${URI_CERTIFICATE} /restconf/operations/aaa-cert-rpc:getODLCertificate
29 ${URI_RESTCONF} /restconf/operational/ietf-restconf-monitoring:restconf-state
33 Successful Authentication Including Domain
34 [Documentation] *Test Case: Successful Authentication with user@domain/password credentials*
38 ... - Create an HTTP session with ODL as "sdnadmin" user in "sdn" domain
39 ... - Check that the access to URLs of ODL NBI is allowed \ because "sdnadmin" user is associated to domain "sdn" in Keystone and the provided password is the right one.
43 ... - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" ia authorized just for "admin" roles according to shiro.ini configuration. As "sdnadmin" has "admin" role in keystone the access is authorized too
45 ... - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is not specified neither in shiro.ini nor in MDSAL Dynamic Authorization so no specific role is required
48 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
49 ... auth=${AUTH_SDN_DOMAIN}
50 ... headers=${HEADERS}
51 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
52 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
53 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
54 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
56 Successful Authentication Without Domain
57 [Documentation] *Test Case: Successful Authentication with user/password credentials. No domain included*
61 ... - Create an HTTP session with ODL as "CSC_user" user without specifying any domain then domain "Default" is considered
62 ... - Check that the access to URLs of ODL NBI is allowed because "CSC_user" user is associated to domain "Default" in Keystone and the provided password is the right one
66 ... - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" ia authorized just for "admin" roles according to shiro.ini configuration. As "CSC_user" has "admin" role in keystone the access is authorized too
68 ... - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is not specified neither in shiro.ini nor in MDSAL Dynamic Authorization so no specific role is required
69 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_SDN} headers=${HEADERS}
70 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
71 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
72 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
73 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
75 Unsuccessful Authentication Wrong User
76 [Documentation] *Test Case: UnSuccessful Authentication with worng user/password credentials*
80 ... - Create an HTTP session with ODL as an invalid user
81 ... - Check that the access to URLs of ODL NBI is NOT allowed \ because "invaliduser" user does not exist in Keystone
85 ... Due to authentication fails, authorization is not evaluated
86 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_INVALID} headers=${HEADERS}
87 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
88 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
89 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
90 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
92 UnSuccessful Authentication Without Domain
93 [Documentation] *Test Case: UnSuccessful Authentication without domain*
98 ... - Create an HTTP session with ODL as "sdnadmin" user without specifying any domain then domain "Default" is considered
99 ... - Check that the access to URLs of ODL NBI is NOT allowed because "sdnadmin" user is not associated to domain "Default" in Keystone but to "sdn" which is not included in the credentials
103 ... Due to authentication fails, authorization is not evaluated
104 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN} headers=${HEADERS}
105 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
106 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
107 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
108 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
110 Unsuccessful Authentication Wrong Domain
111 [Documentation] *Test Case: UnSuccessful Authentication with wrong domain*
117 ... - Create an HTTP session with ODL as "sdnadmin" user with "wrong" as domain
118 ... - Check that the access to URLs of ODL NBI is NOT allowed because "sdnadmin" user is not associated to domain "wrong" in Keystone but to "sdn"
122 ... Due to authentication fails, authorization is not evaluated
125 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
126 ... auth=${AUTH_SDN_WRONG_DOM}
127 ... headers=${HEADERS}
128 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
129 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
130 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
131 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
133 Unsuccessful Basic Authorization
134 [Documentation] *Test Case: UnSuccessful Basic Authorization*
138 ... - Provision MDSAL so that users with role "admin" or "user" are authorized to access all URIs
139 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
140 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
141 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized becaiuse that URL is not specified in shiro.ini and in MDSAL Dynamic Authorization access to all URLs is allowed to all user with "user" role
142 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
143 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
146 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
147 ... auth=${AUTH_CSC_NO_ADMIN}
148 ... headers=${HEADERS}
149 ${resp_ok} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
150 Should Contain ${ALLOWED_STATUS_CODES} ${resp_ok.status_code}
151 ${resp_nook} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
152 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
154 Unsuccessful Dynamic Authorization
155 [Documentation] *Test Case: UnSuccessful Dynamic Authorization*
159 ... - Provision MDSAL so that just users with role "admin" are authorized to access all URIs
160 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
161 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
162 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized because although the URL is not specified in shiro.ini, in MDSAL Dynamic Authorization access to all URLs is allowed just for users with "admin" role and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role
163 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth-2.json
164 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
167 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
168 ... auth=${AUTH_CSC_NO_ADMIN}
169 ... headers=${HEADERS}
170 ${resp_nook} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
171 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
172 ${resp_nook} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
173 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
175 Unsuccessful Dynamic Authorization 2
176 [Documentation] *Test Case: UnSuccessful Dynamic Authorization 2*
180 ... - Provision MDSAL so that:
181 ... \ \ - URI "/restconf/operations/aaa-cert-rpc:getODLCertificate" is authorized just for users with "user" role
182 ... \ - URI "/restconf/operational/**" is authorized just for users with "user" role
184 ... - Create an HTTP session with ODL as "sdnadmin" user
185 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because although in shiro.ini configuration the access is allowed to "admin" roles and "cscadmin" does have \ "admin" role, \ in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "cscadmin" does not have \ "user" role in keystone but "admin" role
186 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized because although in shiro.ini configuration that URL is not considered, \ in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "cscadmin" does not have \ "user" role in keystone but "admin" role
189 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
190 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
191 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized because the URL is not specified in shiro.ini and in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "CSC_user_no_admin" does \ have \ "user" role in keystone
192 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth-3.json
193 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
196 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
197 ... auth=${AUTH_SDN_DOMAIN}
198 ... headers=${HEADERS}
199 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
200 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
201 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
202 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
205 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
206 ... auth=${AUTH_CSC_NO_ADMIN}
207 ... headers=${HEADERS}
208 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
209 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
210 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
211 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
213 Unsuccessful No Keystone Connection
214 [Documentation] *Test Case: Unsuccessful No Keystone Connection*
218 ... - Put down Keystone
219 ... - All accesses are forbidden
223 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
224 ... auth=${AUTH_SDN_DOMAIN}
225 ... headers=${HEADERS}
226 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
227 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
228 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
229 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
232 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
233 ... auth=${AUTH_CSC_NO_ADMIN}
234 ... headers=${HEADERS}
235 ${resp} RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
236 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
237 ${resp} RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
238 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
243 [Documentation] The steps included in the Initialization phase are:
245 ... - Run Docker Keystone: Deploy a container in the SYSTEM TOOL node containing the Keystone
247 ... - Configure AAA in Controller: shiro.ini file is modified to add new authentication realm based on Keystone
249 ... - Restart Controller: This restart is needed in order to activate new shiro.ini configuration
251 ... - Provision Keystone: Populate keystone database with the needed users and roles
253 ... - Install Keystone certificate into ODL so that the protocol used in the ODL-Keystone communication is HTTPS with server certificate authentication
254 ${TOOLS_SYSTEM_NAME} Run Command On Remote System
255 ... ${TOOLS_SYSTEM_IP}
257 ... user=${TOOLS_SYSTEM_USER}
258 ... password=${TOOLS_SYSTEM_PASSWORD}
260 Configure AAA In Controller ${TOOLS_SYSTEM_NAME}
261 Set Suite Variable ${PUT_KEYSTONE_CERT_FILE} ${CURDIR}/../../../variables/aaa/put-keystone-cert.json
262 Set Keystone Certificate into ODL ${PUT_KEYSTONE_CERT_FILE} ${TOOLS_SYSTEM_NAME}
265 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
266 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
269 [Documentation] Destoy keystone container
270 ${result} Run Keyword And Return Status Set Domain To False ${domain} ${HEADERS_TOKEN}
272 Delete Keystone Domain ${domain} ${HEADERS_TOKEN}
274 IF ${result} == True Destroy Docker Keystone
275 SSHLibrary.Close All Connections
277 Configure AAA In Controller
278 [Documentation] With this keyword shiro.ini and aaa-cert-config.xml are modified to configure Keystone Authentication Realm using TLS1.2. Here you have the settings:
282 ... keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
283 ... keystoneAuthRealm.url = https://sandbox-29591-30-docker-0:35357
284 ... keystoneAuthRealm.sslVerification = true
286 ... securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm
291 ... - aaa-cert-config.xml:
292 ... <use-config>true</use-config>
294 ... <tls-protocols>TLSv1.2</tls-protocols>
295 [Arguments] ${TOOLS_SYSTEM_NAME}
296 ${shiro_path} Run Command On Controller cmd=cd /;find /|grep shiro.ini|grep etc|grep -v denied
297 ${cert_path} Run Command On Controller cmd=cd /;find /|grep aaa-cert-config.xml|grep etc|grep -v denied
298 ${result} Run Command On Controller
299 ... cmd=sed -ie 's/#keystoneAuthRealm =.*/keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm/g' ${shiro_path}
300 ${result} Run Command On Controller
301 ... cmd=sed -ie 's/#keystoneAuthRealm.url =.*/keystoneAuthRealm.url = https:\\/\\/${TOOLS_SYSTEM_NAME}:35357/g' ${shiro_path}
302 ${result} Run Command On Controller
303 ... cmd=sed -ie 's/securityManager.realms =.*/securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm/g' ${shiro_path}
304 ${result} Run Command On Controller
305 ... cmd=sed -ie 's/#keystoneAuthRealm.sslVerification =.*/keystoneAuthRealm.sslVerification = true/g' ${shiro_path}
306 ${result} Run Command On Controller
307 ... cmd=sed -ie 's/\\/operations\\/aaa-cert-rpc.*/\\/operations\\/aaa-cert-rpc** = authcBasic, roles[admin], dynamicAuthorization/g' ${shiro_path}
308 ${result} Run Command On Controller
309 ... cmd=sed -ie 's/<use-config>.*/<use-config>true<\\/use-config>/g' ${cert_path}
310 ${result} Run Command On Controller
311 ... cmd=sed -ie 's/<tls-protocols.*/<tls-protocols>TLSv1.2<\\/tls-protocols>/g' ${cert_path}
312 ${result} Run Command On Controller cmd=cat ${shiro_path}
314 ${result} Run Command On Controller cmd=cat ${cert_path}
316 ${result} Run Command On Controller
317 ... cmd=sudo sed -i "2i${TOOLS_SYSTEM_IP} \ \ ${TOOLS_SYSTEM_NAME}" /etc/hosts
318 ${result} Run Command On Controller cmd=cat /etc/hosts
322 [Documentation] As CSC_user provision:
324 ... - User "sdnadmin"
325 ... - Role "admin" to "sdnadmin" user in "sdn" domain
326 ${result} Create Keystone session ${TOOLS_SYSTEM_IP}
328 Set Suite Variable ${CREATE_TOKEN_FILE} ${CURDIR}/../../../variables/aaa/create-token.json
329 ${token} Get Keystone Token ${TOOLS_SYSTEM_IP} ${CREATE_TOKEN_FILE}
331 &{HEADERS} Create Dictionary X-Auth-Token=${token} Content-Type=application/json
332 Set Suite Variable ${HEADERS_TOKEN} ${HEADERS}
333 ${admin_role_id} Get Admin Role Id ${HEADERS_TOKEN}
334 Set Suite Variable ${CREATE_DOMAIN_FILE} ${CURDIR}/../../../variables/aaa/create-domain.json
335 ${domain_local} Create Keystone Domain ${HEADERS_TOKEN} ${CREATE_DOMAIN_FILE}
336 Set Suite Variable ${domain} ${domain_local}
337 Set Suite Variable ${CREATE_USERS_FILE} ${CURDIR}/../../../variables/aaa/create-user.json
338 ${normalized_file} OperatingSystem.Normalize Path ${CREATE_USERS_FILE}
339 ${output} OperatingSystem.Run
340 ... sed -i 's/\"domain_id\".*/\"domain_id\"\: \"${domain}\",/g' ${CREATE_USERS_FILE}
341 ${user} Create Keystone User in a Domain ${HEADERS_TOKEN} ${CREATE_USERS_FILE}
342 Grant Admin Role ${domain} ${user} ${admin_role_id} ${HEADERS_TOKEN}
345 [Arguments] ${PUT_DYNAMIC_AUTH_FILE}
346 Create Session session_admin http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS}
347 Set Suite Variable ${PUT_DYNAMIC_AUTH_URI} /restconf/config/aaa:http-authorization
348 ${body_dyn} OperatingSystem.Get File ${PUT_DYNAMIC_AUTH_FILE}
349 ${resp} RequestsLibrary.Put Request
351 ... ${PUT_DYNAMIC_AUTH_URI}
353 ... headers=${HEADERS}
354 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
355 Delete Request session_admin http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
358 [Documentation] Controller restart is needed in order the new shiro.ini config takes effect
359 ClusterManagement.ClusterManagement_Setup
360 Wait Until Keyword Succeeds 5x 20 Stop_Single_Member 1
361 Start_Single_Member 1 wait_for_sync=False timeout=120
362 # TODO: the below Get Controller Modules keyword ends up giving a lot of WARN messages in the robot
363 # log as the controller is coming up and the initial requests are failing. This is just cosmetic at this point, but
364 # would be nice to clean up somehow.
365 Wait Until Keyword Succeeds 30x 5s Get Controller Modules
367 Get Controller Modules
368 [Documentation] Get the restconf modules, check 200 status and ietf-restconf presence
369 Create Session session1 http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS}
370 ${resp} RequestsLibrary.Get_Request session1 ${MODULES_API}
371 BuiltIn.Log ${resp.content}
372 BuiltIn.Should_Be_Equal ${resp.status_code} ${200}
373 BuiltIn.Should_Contain ${resp.content} ietf-restconf