2 Documentation Test suite: Authentication Support for Keystone
4 ... This feature implements the user management for ODL NBI REST APIs integrated with OpenStack, so that
5 ... the authentication functionality provided by Keystone can be used. This allows consuming ODL NBI REST
6 ... APIs using the same authentication procedures as any OpenStack project, such as Nova, Neutron, etc.
7 ... bringing the benefits of a centralized / unified user management framework.
9 ... As a first step, It shall be possible to authenticate users against Keystone by using passwords
10 ... provided by the users.
14 Library OperatingSystem
15 Library RequestsLibrary
16 Resource ../../../libraries/Utils.robot
17 Resource ../../../libraries/TemplatedRequests.robot
18 Resource ../../../libraries/KarafKeywords.robot
19 Resource ../../../libraries/ClusterManagement.robot
20 Resource ../../../variables/Variables.robot
21 Resource ../../../libraries/AAA/DockerKeystone.robot
23 Suite Setup Init Suite
24 Suite Teardown Cleanup Suite
28 ${URI_CERTIFICATE} /restconf/operations/aaa-cert-rpc:getODLCertificate
29 ${URI_RESTCONF} /restconf/operational/ietf-restconf-monitoring:restconf-state
33 Successful Authentication Including Domain
34 [Documentation] *Test Case: Successful Authentication with user@domain/password credentials*
38 ... - Create an HTTP session with ODL as "sdnadmin" user in "sdn" domain
39 ... - Check that the access to URLs of ODL NBI is allowed \ because "sdnadmin" user is associated to domain "sdn" in Keystone and the provided password is the right one.
43 ... - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" ia authorized just for "admin" roles according to shiro.ini configuration. As "sdnadmin" has "admin" role in keystone the access is authorized too
45 ... - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is not specified neither in shiro.ini nor in MDSAL Dynamic Authorization so no specific role is required
48 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
49 ... auth=${AUTH_SDN_DOMAIN}
50 ... headers=${HEADERS}
51 ${resp} RequestsLibrary.POST On Session
53 ... url=${URI_CERTIFICATE}
54 ... headers=${HEADERS}
55 ... expected_status=anything
56 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
57 ${resp} RequestsLibrary.GET On Session
59 ... url=${URI_RESTCONF}
60 ... headers=${HEADERS}
61 ... expected_status=anything
62 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
64 Successful Authentication Without Domain
65 [Documentation] *Test Case: Successful Authentication with user/password credentials. No domain included*
69 ... - Create an HTTP session with ODL as "CSC_user" user without specifying any domain then domain "Default" is considered
70 ... - Check that the access to URLs of ODL NBI is allowed because "CSC_user" user is associated to domain "Default" in Keystone and the provided password is the right one
74 ... - URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" ia authorized just for "admin" roles according to shiro.ini configuration. As "CSC_user" has "admin" role in keystone the access is authorized too
76 ... - URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is not specified neither in shiro.ini nor in MDSAL Dynamic Authorization so no specific role is required
77 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_CSC_SDN} headers=${HEADERS}
78 ${resp} RequestsLibrary.POST On Session
80 ... url=${URI_CERTIFICATE}
81 ... headers=${HEADERS}
82 ... expected_status=anything
83 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
84 ${resp} RequestsLibrary.GET On Session
86 ... url=${URI_RESTCONF}
87 ... headers=${HEADERS}
88 ... expected_status=anything
89 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
91 Unsuccessful Authentication Wrong User
92 [Documentation] *Test Case: UnSuccessful Authentication with worng user/password credentials*
96 ... - Create an HTTP session with ODL as an invalid user
97 ... - Check that the access to URLs of ODL NBI is NOT allowed \ because "invaliduser" user does not exist in Keystone
101 ... Due to authentication fails, authorization is not evaluated
102 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_INVALID} headers=${HEADERS}
103 ${resp} RequestsLibrary.POST On Session
105 ... url=${URI_CERTIFICATE}
106 ... headers=${HEADERS}
107 ... expected_status=anything
108 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
109 ${resp} RequestsLibrary.GET On Session
111 ... url=${URI_RESTCONF}
112 ... headers=${HEADERS}
113 ... expected_status=anything
114 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
116 UnSuccessful Authentication Without Domain
117 [Documentation] *Test Case: UnSuccessful Authentication without domain*
122 ... - Create an HTTP session with ODL as "sdnadmin" user without specifying any domain then domain "Default" is considered
123 ... - Check that the access to URLs of ODL NBI is NOT allowed because "sdnadmin" user is not associated to domain "Default" in Keystone but to "sdn" which is not included in the credentials
127 ... Due to authentication fails, authorization is not evaluated
128 Create Session session http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH_SDN} headers=${HEADERS}
129 ${resp} RequestsLibrary.POST On Session
131 ... url=${URI_CERTIFICATE}
132 ... headers=${HEADERS}
133 ... expected_status=anything
134 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
135 ${resp} RequestsLibrary.GET On Session
137 ... url=${URI_RESTCONF}
138 ... headers=${HEADERS}
139 ... expected_status=anything
140 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
142 Unsuccessful Authentication Wrong Domain
143 [Documentation] *Test Case: UnSuccessful Authentication with wrong domain*
149 ... - Create an HTTP session with ODL as "sdnadmin" user with "wrong" as domain
150 ... - Check that the access to URLs of ODL NBI is NOT allowed because "sdnadmin" user is not associated to domain "wrong" in Keystone but to "sdn"
154 ... Due to authentication fails, authorization is not evaluated
157 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
158 ... auth=${AUTH_SDN_WRONG_DOM}
159 ... headers=${HEADERS}
160 ${resp} RequestsLibrary.POST On Session
162 ... url=${URI_CERTIFICATE}
163 ... headers=${HEADERS}
164 ... expected_status=anything
165 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
166 ${resp} RequestsLibrary.GET On Session
168 ... url=${URI_RESTCONF}
169 ... headers=${HEADERS}
170 ... expected_status=anything
171 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
173 Unsuccessful Basic Authorization
174 [Documentation] *Test Case: UnSuccessful Basic Authorization*
178 ... - Provision MDSAL so that users with role "admin" or "user" are authorized to access all URIs
179 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
180 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
181 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized becaiuse that URL is not specified in shiro.ini and in MDSAL Dynamic Authorization access to all URLs is allowed to all user with "user" role
182 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
183 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
186 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
187 ... auth=${AUTH_CSC_NO_ADMIN}
188 ... headers=${HEADERS}
189 ${resp_ok} RequestsLibrary.GET On Session
191 ... url=${URI_RESTCONF}
192 ... headers=${HEADERS}
193 ... expected_status=anything
194 Should Contain ${ALLOWED_STATUS_CODES} ${resp_ok.status_code}
195 ${resp_nook} RequestsLibrary.POST On Session
197 ... url=${URI_CERTIFICATE}
198 ... headers=${HEADERS}
199 ... expected_status=anything
200 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
202 Unsuccessful Dynamic Authorization
203 [Documentation] *Test Case: UnSuccessful Dynamic Authorization*
207 ... - Provision MDSAL so that just users with role "admin" are authorized to access all URIs
208 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
209 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
210 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized because although the URL is not specified in shiro.ini, in MDSAL Dynamic Authorization access to all URLs is allowed just for users with "admin" role and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role
211 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth-2.json
212 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
215 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
216 ... auth=${AUTH_CSC_NO_ADMIN}
217 ... headers=${HEADERS}
218 ${resp_nook} RequestsLibrary.GET On Session
220 ... url=${URI_RESTCONF}
221 ... headers=${HEADERS}
222 ... expected_status=anything
223 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
224 ${resp_nook} RequestsLibrary.POST On Session
226 ... url=${URI_CERTIFICATE}
227 ... headers=${HEADERS}
228 ... expected_status=anything
229 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp_nook.status_code}
231 Unsuccessful Dynamic Authorization 2
232 [Documentation] *Test Case: UnSuccessful Dynamic Authorization 2*
236 ... - Provision MDSAL so that:
237 ... \ \ - URI "/restconf/operations/aaa-cert-rpc:getODLCertificate" is authorized just for users with "user" role
238 ... \ - URI "/restconf/operational/**" is authorized just for users with "user" role
240 ... - Create an HTTP session with ODL as "sdnadmin" user
241 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because although in shiro.ini configuration the access is allowed to "admin" roles and "cscadmin" does have \ "admin" role, \ in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "cscadmin" does not have \ "user" role in keystone but "admin" role
242 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is NOT authorized because although in shiro.ini configuration that URL is not considered, \ in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "cscadmin" does not have \ "user" role in keystone but "admin" role
245 ... - Create an HTTP session with ODL as "CSC_user_no_admin" user
246 ... - Check that the access to URL "/restconf/operations/aaa-cert-rpc:getODLCertificate" is NOT authorized because in shiro.ini configuration the access is allowed just to "admin" roles and "CSC_user_no_admin" does not have \ "admin" role in keystone but "user" role even though the MDSAL Dynamic Authorization would allow the access, that is, authorization process is an "AND" operation between shiro.ini and MDSAL Dynamic Authorization
247 ... - Check that the access to URL "/restconf/operational/ietf-restconf-monitoring:restconf-state" is authorized because the URL is not specified in shiro.ini and in MDSAL Dynamic Authorization access to that URL is allowed just for users with "user" role and "CSC_user_no_admin" does \ have \ "user" role in keystone
248 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth-3.json
249 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
252 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
253 ... auth=${AUTH_SDN_DOMAIN}
254 ... headers=${HEADERS}
255 ${resp} RequestsLibrary.POST On Session
257 ... url=${URI_CERTIFICATE}
258 ... headers=${HEADERS}
259 ... expected_status=anything
260 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
261 ${resp} RequestsLibrary.GET On Session
263 ... url=${URI_RESTCONF}
264 ... headers=${HEADERS}
265 ... expected_status=anything
266 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
269 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
270 ... auth=${AUTH_CSC_NO_ADMIN}
271 ... headers=${HEADERS}
272 ${resp} RequestsLibrary.GET On Session
274 ... url=${URI_RESTCONF}
275 ... headers=${HEADERS}
276 ... expected_status=anything
277 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
278 ${resp} RequestsLibrary.POST On Session
280 ... url=${URI_CERTIFICATE}
281 ... headers=${HEADERS}
282 ... expected_status=anything
283 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
285 Unsuccessful No Keystone Connection
286 [Documentation] *Test Case: Unsuccessful No Keystone Connection*
290 ... - Put down Keystone
291 ... - All accesses are forbidden
295 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
296 ... auth=${AUTH_SDN_DOMAIN}
297 ... headers=${HEADERS}
298 ${resp} RequestsLibrary.POST On Session
300 ... url=${URI_CERTIFICATE}
301 ... headers=${HEADERS}
302 ... expected_status=anything
303 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
304 ${resp} RequestsLibrary.GET On Session
306 ... url=${URI_RESTCONF}
307 ... headers=${HEADERS}
308 ... expected_status=anything
309 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
312 ... http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
313 ... auth=${AUTH_CSC_NO_ADMIN}
314 ... headers=${HEADERS}
315 ${resp} RequestsLibrary.GET On Session
317 ... url=${URI_RESTCONF}
318 ... headers=${HEADERS}
319 ... expected_status=anything
320 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
321 ${resp} RequestsLibrary.POST On Session session url=${URI_CERTIFICATE} headers=${HEADERS}
322 Should Contain ${UNAUTHORIZED_STATUS_CODES} ${resp.status_code}
327 [Documentation] The steps included in the Initialization phase are:
329 ... - Run Docker Keystone: Deploy a container in the SYSTEM TOOL node containing the Keystone
331 ... - Configure AAA in Controller: shiro.ini file is modified to add new authentication realm based on Keystone
333 ... - Restart Controller: This restart is needed in order to activate new shiro.ini configuration
335 ... - Provision Keystone: Populate keystone database with the needed users and roles
337 ... - Install Keystone certificate into ODL so that the protocol used in the ODL-Keystone communication is HTTPS with server certificate authentication
338 ${TOOLS_SYSTEM_NAME} Run Command On Remote System
339 ... ${TOOLS_SYSTEM_IP}
341 ... user=${TOOLS_SYSTEM_USER}
342 ... password=${TOOLS_SYSTEM_PASSWORD}
344 Configure AAA In Controller ${TOOLS_SYSTEM_NAME}
345 Set Suite Variable ${PUT_KEYSTONE_CERT_FILE} ${CURDIR}/../../../variables/aaa/put-keystone-cert.json
346 Set Keystone Certificate into ODL ${PUT_KEYSTONE_CERT_FILE} ${TOOLS_SYSTEM_NAME}
349 Set Suite Variable ${PUT_DYNAMIC_AUTH_FILE} ${CURDIR}/../../../variables/aaa/put-dynamic-auth.json
350 Provision MDSAL ${PUT_DYNAMIC_AUTH_FILE}
353 [Documentation] Destoy keystone container
354 ${result} Run Keyword And Return Status Set Domain To False ${domain} ${HEADERS_TOKEN}
356 Delete Keystone Domain ${domain} ${HEADERS_TOKEN}
358 IF ${result} == True Destroy Docker Keystone
359 SSHLibrary.Close All Connections
361 Configure AAA In Controller
362 [Documentation] With this keyword shiro.ini and aaa-cert-config.xml are modified to configure Keystone Authentication Realm using TLS1.2. Here you have the settings:
366 ... keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm
367 ... keystoneAuthRealm.url = https://sandbox-29591-30-docker-0:35357
368 ... keystoneAuthRealm.sslVerification = true
370 ... securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm
375 ... - aaa-cert-config.xml:
376 ... <use-config>true</use-config>
378 ... <tls-protocols>TLSv1.2</tls-protocols>
379 [Arguments] ${TOOLS_SYSTEM_NAME}
380 ${shiro_path} Run Command On Controller cmd=cd /;find /|grep shiro.ini|grep etc|grep -v denied
381 ${cert_path} Run Command On Controller cmd=cd /;find /|grep aaa-cert-config.xml|grep etc|grep -v denied
382 ${result} Run Command On Controller
383 ... cmd=sed -ie 's/#keystoneAuthRealm =.*/keystoneAuthRealm = org.opendaylight.aaa.shiro.realm.KeystoneAuthRealm/g' ${shiro_path}
384 ${result} Run Command On Controller
385 ... cmd=sed -ie 's/#keystoneAuthRealm.url =.*/keystoneAuthRealm.url = https:\\/\\/${TOOLS_SYSTEM_NAME}:35357/g' ${shiro_path}
386 ${result} Run Command On Controller
387 ... cmd=sed -ie 's/securityManager.realms =.*/securityManager.realms = $tokenAuthRealm, $keystoneAuthRealm/g' ${shiro_path}
388 ${result} Run Command On Controller
389 ... cmd=sed -ie 's/#keystoneAuthRealm.sslVerification =.*/keystoneAuthRealm.sslVerification = true/g' ${shiro_path}
390 ${result} Run Command On Controller
391 ... cmd=sed -ie 's/\\/operations\\/aaa-cert-rpc.*/\\/operations\\/aaa-cert-rpc** = authcBasic, roles[admin], dynamicAuthorization/g' ${shiro_path}
392 ${result} Run Command On Controller
393 ... cmd=sed -ie 's/<use-config>.*/<use-config>true<\\/use-config>/g' ${cert_path}
394 ${result} Run Command On Controller
395 ... cmd=sed -ie 's/<tls-protocols.*/<tls-protocols>TLSv1.2<\\/tls-protocols>/g' ${cert_path}
396 ${result} Run Command On Controller cmd=cat ${shiro_path}
398 ${result} Run Command On Controller cmd=cat ${cert_path}
400 ${result} Run Command On Controller
401 ... cmd=sudo sed -i "2i${TOOLS_SYSTEM_IP} \ \ ${TOOLS_SYSTEM_NAME}" /etc/hosts
402 ${result} Run Command On Controller cmd=cat /etc/hosts
406 [Documentation] As CSC_user provision:
408 ... - User "sdnadmin"
409 ... - Role "admin" to "sdnadmin" user in "sdn" domain
410 ${result} Create Keystone session ${TOOLS_SYSTEM_IP}
412 Set Suite Variable ${CREATE_TOKEN_FILE} ${CURDIR}/../../../variables/aaa/create-token.json
413 ${token} Get Keystone Token ${TOOLS_SYSTEM_IP} ${CREATE_TOKEN_FILE}
415 &{HEADERS} Create Dictionary X-Auth-Token=${token} Content-Type=application/json
416 Set Suite Variable ${HEADERS_TOKEN} ${HEADERS}
417 ${admin_role_id} Get Admin Role Id ${HEADERS_TOKEN}
418 Set Suite Variable ${CREATE_DOMAIN_FILE} ${CURDIR}/../../../variables/aaa/create-domain.json
419 ${domain_local} Create Keystone Domain ${HEADERS_TOKEN} ${CREATE_DOMAIN_FILE}
420 Set Suite Variable ${domain} ${domain_local}
421 Set Suite Variable ${CREATE_USERS_FILE} ${CURDIR}/../../../variables/aaa/create-user.json
422 ${normalized_file} OperatingSystem.Normalize Path ${CREATE_USERS_FILE}
423 ${output} OperatingSystem.Run
424 ... sed -i 's/\"domain_id\".*/\"domain_id\"\: \"${domain}\",/g' ${CREATE_USERS_FILE}
425 ${user} Create Keystone User in a Domain ${HEADERS_TOKEN} ${CREATE_USERS_FILE}
426 Grant Admin Role ${domain} ${user} ${admin_role_id} ${HEADERS_TOKEN}
429 [Arguments] ${PUT_DYNAMIC_AUTH_FILE}
430 Create Session session_admin http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS}
431 Set Suite Variable ${PUT_DYNAMIC_AUTH_URI} /restconf/config/aaa:http-authorization
432 ${body_dyn} OperatingSystem.Get File ${PUT_DYNAMIC_AUTH_FILE}
433 ${resp} RequestsLibrary.PUT On Session
435 ... url=${PUT_DYNAMIC_AUTH_URI}
437 ... headers=${HEADERS}
438 ... expected_status=anything
439 Should Contain ${ALLOWED_STATUS_CODES} ${resp.status_code}
440 DELETE On Session session_admin url=http://${ODL_SYSTEM_IP}:${RESTCONFPORT}
443 [Documentation] Controller restart is needed in order the new shiro.ini config takes effect
444 ClusterManagement.ClusterManagement_Setup
445 Wait Until Keyword Succeeds 5x 20 Stop_Single_Member 1
446 Start_Single_Member 1 wait_for_sync=False timeout=120
447 # TODO: the below Get Controller Modules keyword ends up giving a lot of WARN messages in the robot
448 # log as the controller is coming up and the initial requests are failing. This is just cosmetic at this point, but
449 # would be nice to clean up somehow.
450 Wait Until Keyword Succeeds 30x 5s Get Controller Modules
452 Get Controller Modules
453 [Documentation] Get the restconf modules, check 200 status and ietf-restconf presence
454 Create Session session1 http://${ODL_SYSTEM_IP}:${RESTCONFPORT} auth=${AUTH} headers=${HEADERS}
455 ${resp} RequestsLibrary.GET On Session session1 url=${MODULES_API}
456 BuiltIn.Log ${resp.content}
457 BuiltIn.Should_Be_Equal ${resp.status_code} ${200}
458 BuiltIn.Should_Contain ${resp.content} ietf-restconf