2 Documentation Test suite: Authentication Support for Keystone
4 ... This feature implements the user management for ODL NBI REST APIs integrated with OpenStack, so that
5 ... the authentication functionality provided by Keystone can be used. This allows consuming ODL NBI REST
6 ... APIs using the same authentication procedures as any OpenStack project, such as Nova, Neutron, etc.
7 ... bringing the benefits of a centralized / unified user management framework.
9 ... As a first step, It shall be possible to authenticate users against Keystone by using passwords
10 ... provided by the users.
11 Suite Setup Init Suite
12 Suite Teardown Cleanup Suite
15 Library OperatingSystem
16 Library RequestsLibrary
17 Resource ../../../libraries/Utils.robot
18 Resource ../../../libraries/TemplatedRequests.robot
19 Resource ../../../libraries/KarafKeywords.robot
20 Resource ../../../libraries/ClusterManagement.robot
21 Resource ../../../variables/Variables.robot
22 Resource ../../../libraries/AAA/DockerKeystone.robot
25 ${URI_CERTIFICATE} /restconf/operations/aaa-cert-rpc:getODLCertificate
26 ${URI_RESTCONF} /restconf/operational/ietf-restconf-monitoring:restconf-state
29 Successful Authentication Including Domain
30 [Documentation] *Test Case: Successful Authentication with user@domain/password credentials*
34 ... - Create an HTTP session with ODL as "sdnadmin" user in "sdn" domain
35 ... - Check that the access to URLs of ODL NBI is allowed \ because "sdnadmin" user is associated to domain "sdn" in Keystone and the provided password is the right one.
39 ... - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" ia authorized just for "admin" roles according to shiro.ini configuration. As "sdnadmin" has "admin" role in keystone the access is authorized too
41 ... - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is not specified neither in shiro.ini nor in MDSAL Dynamic Authorization so no specific role is required
42 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_DOMAIN} headers=${HEADERS}
43 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
44 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
45 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
46 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
48 Successful Authentication Without Domain
49 [Documentation] *Test Case: Successful Authentication with user/password credentials. No domain included*
53 ... - Create an HTTP session with ODL as "CSC_user" user without specifying any domain then domain "Default" is considered
54 ... - Check that the access to URLs of ODL NBI is allowed because "CSC_user" user is associated to domain "Default" in Keystone and the provided password is the right one
58 ... - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" ia authorized just for "admin" roles according to shiro.ini configuration. As "CSC_user" has "admin" role in keystone the access is authorized too
60 ... - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is not specified neither in shiro.ini nor in MDSAL Dynamic Authorization so no specific role is required
61 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_SDN} headers=${HEADERS}
62 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
63 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
64 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
65 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
67 Unsuccessful Authentication Wrong User
68 [Documentation] *Test Case: UnSuccessful Authentication with worng user/password credentials*
72 ... - Create an HTTP session with ODL as an invalid user
73 ... - Check that the access to URLs of ODL NBI is NOT allowed \ because "invaliduser" user does not exist in Keystone
77 ... Due to authentication fails, authorization is not evaluated
78 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_INVALID} headers=${HEADERS}
79 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
80 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
81 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
82 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
84 UnSuccessful Authentication Without Domain
85 [Documentation] *Test Case: UnSuccessful Authentication without domain*
90 ... - Create an HTTP session with ODL as "sdnadmin" user without specifying any domain then domain "Default" is considered
91 ... - Check that the access to URLs of ODL NBI is NOT allowed because "sdnadmin" user is not associated to domain "Default" in Keystone but to "sdn" which is not included in the credentials
95 ... Due to authentication fails, authorization is not evaluated
96 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN} headers=${HEADERS}
97 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
98 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
99 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
100 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
102 Unsuccessful Authentication Wrong Domain
103 [Documentation] *Test Case: UnSuccessful Authentication with wrong domain*
109 ... - Create an HTTP session with ODL as "sdnadmin" user with "wrong" as domain
110 ... - Check that the access to URLs of ODL NBI is NOT allowed because "sdnadmin" user is not associated to domain "wrong" in Keystone but to "sdn"
114 ... Due to authentication fails, authorization is not evaluated
115 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_WRONG_DOM} headers=${HEADERS}
116 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
117 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
118 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
119 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
121 Unsuccessful Basic Authorization
122 [Documentation] *Test Case: UnSuccessful Basic Authorization*
126 ... - Provision MDSAL so that users with role "admin" or "user" are authorized to access all URIs
127 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
128 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
129 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized becaiuse that URL is not specified in shiro.ini and in MDSAL Dynamic Authorization access to all URLs is allowed to all user with "user" role
130 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
131 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
132 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_NO_ADMIN} headers=${HEADERS}
133 ${resp_ok}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
134 Should Contain ${ALLOWED_STATUS_CODES} ${resp_ok.status_code}
135 ${resp_nook}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
136 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
138 Unsuccessful Dynamic Authorization
139 [Documentation] *Test Case: UnSuccessful Dynamic Authorization*
143 ... - Provision MDSAL so that just users with role "admin" are authorized to access all URIs
144 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
145 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
146 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized because although the URL is not specified in shiro.ini, in MDSAL Dynamic Authorization access to all URLs is allowed just for users with "admin" role and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role
147 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth-2.json
148 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
149 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_NO_ADMIN} headers=${HEADERS}
150 ${resp_nook}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
151 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
152 ${resp_nook}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
153 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
155 Unsuccessful Dynamic Authorization 2
156 [Documentation] *Test Case: UnSuccessful Dynamic Authorization 2*
160 ... - Provision MDSAL so that:
161 ... \ \ - URI "/restconf/operations/aaa-cert-rpc:getODLCertificate" is authorized just for users with "user" role
162 ... \ - URI "/restconf/operational/**" is authorized just for users with "user" role
164 ... - Create an HTTP session with ODL as "sdnadmin" user
165 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because although in shiro.ini configuration the access is allowed to "admin" roles and "cscadmin" does have \ "admin" role, \ in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "cscadmin" does not have \ "user" role in keystone but "admin" role
166 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized because although in shiro.ini configuration that URL is not considered, \ in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "cscadmin" does not have \ "user" role in keystone but "admin" role
169 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
170 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
171 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized because the URL is not specified in shiro.ini and in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "CSC_user_no_admin" does \ have \ "user" role in keystone
172 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth-3.json
173 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
174 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_DOMAIN} headers=${HEADERS}
175 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
176 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
177 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
178 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
179 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_NO_ADMIN} headers=${HEADERS}
180 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
181 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
182 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
183 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
185 Unsuccessful No Keystone Connection
186 [Documentation] *Test Case: Unsuccessful No Keystone Connection*
190 ... - Put down Keystone
191 ... - All accesses are forbidden
193 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN_DOMAIN} headers=${HEADERS}
194 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
195 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
196 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
197 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
198 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_NO_ADMIN} headers=${HEADERS}
199 ${resp}= RequestsLibrary.Get Request session ${URI_RESTCONF} headers=${HEADERS}
200 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
201 ${resp}= RequestsLibrary.Post Request session ${URI_CERTIFICATE} headers=${HEADERS}
202 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
206 [Documentation] The steps included in the Initialization phase are:
208 ... - Run Docker Keystone: Deploy a container in the SYSTEM TOOL node containing the Keystone
210 ... - Configure AAA in Controller: shiro.ini file is modified to add new authentication realm based on Keystone
212 ... - Restart Controller: This restart is needed in order to activate new shiro.ini configuration
214 ... - Provision Keystone: Populate keystone database with the needed users and roles
216 ... - Install Keystone certificate into ODL so that the protocol used in the ODL-Keystone communication is HTTPS with server certificate authentication
217 ${TOOLS_SYSTEM_NAME} Run Command On Remote System ${TOOLS_SYSTEM_IP} hostname -f user=${TOOLS_SYSTEM_USER} password=${TOOLS_SYSTEM_PASSWORD}
219 Configure AAA In Controller ${TOOLS_SYSTEM_NAME}
220 Set Suite Variable ${PUT_KEYSTONE_CERT_FILE} ${CURDIR}/../../../variables/aaa/put-keystone-cert.json
221 Set Keystone Certificate into ODL ${PUT_KEYSTONE_CERT_FILE} ${TOOLS_SYSTEM_NAME}
224 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
225 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
228 [Documentation] Destoy keystone container
229 ${result} Run Keyword And Return Status Set Domain To False ${domain} ${HEADERS_TOKEN}
230 Run Keyword If ${result} == True Delete Keystone Domain ${domain} ${HEADERS_TOKEN}
231 Run Keyword If ${result} == True Destroy Docker Keystone
232 SSHLibrary.Close All Connections
234 Configure AAA In Controller
235 [Arguments] ${TOOLS_SYSTEM_NAME}
236 [Documentation] With this keyword shiro.ini and aaa-cert-config.xml are modified to configure Keystone Authentication Realm using TLS1.2. Here you have the settings:
240 ... keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
241 ... keystoneAuthRealm.url = https://sandbox-29591-30-docker-0:35357
242 ... keystoneAuthRealm.sslVerification = true
244 ... securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm
249 ... - aaa-cert-config.xml:
250 ... <use-config>true</use-config>
252 ... <tls-protocols>TLSv1.2</tls-protocols>
253 ${shiro_path} Run Command On Controller cmd=cd /;find /|grep shiro.ini|grep etc|grep -v denied
254 ${cert_path} Run Command On Controller cmd=cd /;find /|grep aaa-cert-config.xml|grep etc|grep -v denied
255 ${result} Run Command On Controller cmd=sed -ie 's/#keystoneAuthRealm =.*/keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm/g' ${shiro_path}
256 ${result} Run Command On Controller cmd=sed -ie 's/#keystoneAuthRealm.url =.*/keystoneAuthRealm.url = https:\\/\\/${TOOLS_SYSTEM_NAME}:35357/g' ${shiro_path}
257 ${result} Run Command On Controller cmd=sed -ie 's/securityManager.realms =.*/securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm/g' ${shiro_path}
258 ${result} Run Command On Controller cmd=sed -ie 's/#keystoneAuthRealm.sslVerification =.*/keystoneAuthRealm.sslVerification = true/g' ${shiro_path}
259 ${result} Run Command On Controller cmd=sed -ie 's/\\/operations\\/aaa-cert-rpc.*/\\/operations\\/aaa-cert-rpc** = authcBasic, roles[admin], dynamicAuthorization/g' ${shiro_path}
260 ${result} Run Command On Controller cmd=sed -ie 's/<use-config>.*/<use-config>true<\\/use-config>/g' ${cert_path}
261 ${result} Run Command On Controller cmd=sed -ie 's/<tls-protocols.*/<tls-protocols>TLSv1.2<\\/tls-protocols>/g' ${cert_path}
262 ${result} Run Command On Controller cmd=cat ${shiro_path}
264 ${result} Run Command On Controller cmd=cat ${cert_path}
266 ${result} Run Command On Controller cmd=sudo sed -i "2i${TOOLS_SYSTEM_IP} \ \ ${TOOLS_SYSTEM_NAME}" /etc/hosts
267 ${result} Run Command On Controller cmd=cat /etc/hosts
271 [Documentation] As CSC_user provision:
273 ... - User "sdnadmin"
274 ... - Role "admin" to "sdnadmin" user in "sdn" domain
275 ${result} Create Keystone session ${TOOLS_SYSTEM_IP}
277 Set Suite Variable ${CREATE_TOKEN_FILE} ${CURDIR}/../../../variables/aaa/create-token.json
278 ${token} Get Keystone Token ${TOOLS_SYSTEM_IP} ${CREATE_TOKEN_FILE}
280 &{HEADERS} Create Dictionary X-Auth-Token=${token} Content-Type=application/json
281 Set Suite Variable ${HEADERS_TOKEN} ${HEADERS}
282 ${admin_role_id} Get Admin Role Id ${HEADERS_TOKEN}
283 Set Suite Variable ${CREATE_DOMAIN_FILE} ${CURDIR}/../../../variables/aaa/create-domain.json
284 ${domain_local} Create Keystone Domain ${HEADERS_TOKEN} ${CREATE_DOMAIN_FILE}
285 Set Suite Variable ${domain} ${domain_local}
286 Set Suite Variable ${CREATE_USERS_FILE} ${CURDIR}/../../../variables/aaa/create-user.json
287 ${normalized_file}= OperatingSystem.Normalize Path ${CREATE_USERS_FILE}
288 ${output} OperatingSystem.Run sed -i 's/\"domain_id\".*/\"domain_id\"\: \"${domain}\",/g' ${CREATE_USERS_FILE}
289 ${user} Create Keystone User in a Domain ${HEADERS_TOKEN} ${CREATE_USERS_FILE}
290 Grant Admin Role ${domain} ${user} ${admin_role_id} ${HEADERS_TOKEN}
293 [Arguments] ${PUT_DYNAMIC_AUTH_FILE}
294 Create Session session_admin http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS}
295 Set Suite Variable ${PUT_DYNAMIC_AUTH_URI} /restconf/config/aaa:http-authorization
296 ${body_dyn} OperatingSystem.Get File ${PUT_DYNAMIC_AUTH_FILE}
297 ${resp} RequestsLibrary.Put Request session_admin ${PUT_DYNAMIC_AUTH_URI} data=${body_dyn} headers=${HEADERS}
298 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
299 Delete Request session_admin http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
302 [Documentation] Controller restart is needed in order the new shiro.ini config takes effect
303 ClusterManagement.ClusterManagement_Setup
304 Wait Until Keyword Succeeds 5x 20 Stop_Single_Member 1
305 Start_Single_Member 1 wait_for_sync=False timeout=120
306 # TODO: the below Get Controller Modules keyword ends up giving a lot of WARN messages in the robot
307 # log as the controller is coming up and the initial requests are failing. This is just cosmetic at this point, but
308 # would be nice to clean up somehow.
309 Wait Until Keyword Succeeds 30x 5s Get Controller Modules
311 Get Controller Modules
312 [Documentation] Get the restconf modules, check 200 status and ietf-restconf presence
313 Create Session session1 http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS}
314 ${resp} = RequestsLibrary.Get_Request session1 ${MODULES_API}
315 BuiltIn.Log ${resp.content}
316 BuiltIn.Should_Be_Equal ${resp.status_code} ${200}
317 BuiltIn.Should_Contain ${resp.content} ietf-restconf