Add a test for revoking a scoped token from an unscoped
There was no test that showed that when a scoped token created from an unscoped token is revoked that the unscoped token also winds up being revoked. Change-Id: I2c1574573488bb60a059c5d7f8747d6a1977aab7 Partial-Bug: #1347318
This commit is contained in:
parent
3e035ebb72
commit
097b9aa039
@ -1231,15 +1231,21 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
|
||||
# Make sure that we get a NotFound(404) when heading that role.
|
||||
self.head(role_path, expected_status=404)
|
||||
|
||||
def get_v2_token(self):
|
||||
body = {
|
||||
'auth': {
|
||||
'passwordCredentials': {
|
||||
'username': self.default_domain_user['name'],
|
||||
'password': self.default_domain_user['password'],
|
||||
}
|
||||
},
|
||||
}
|
||||
def get_v2_token(self, token=None, project_id=None):
|
||||
body = {'auth': {}, }
|
||||
|
||||
if token:
|
||||
body['auth']['token'] = {
|
||||
'id': token
|
||||
}
|
||||
else:
|
||||
body['auth']['passwordCredentials'] = {
|
||||
'username': self.default_domain_user['name'],
|
||||
'password': self.default_domain_user['password'],
|
||||
}
|
||||
|
||||
if project_id:
|
||||
body['auth']['tenantId'] = project_id
|
||||
|
||||
r = self.admin_request(method='POST', path='/v2.0/tokens', body=body)
|
||||
return r.json_body['access']['token']['id']
|
||||
@ -1257,6 +1263,95 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
|
||||
headers={'X-Subject-Token': token},
|
||||
expected_status=404)
|
||||
|
||||
def test_revoke_token_from_token(self):
|
||||
# Test that a scoped token can be requested from an unscoped token,
|
||||
# the scoped token can be revoked, and the unscoped token remains
|
||||
# valid.
|
||||
|
||||
# FIXME(blk-u): This isn't working correctly. The unscoped token should
|
||||
# remain valid. See bug 1347318.
|
||||
|
||||
unscoped_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.user1['id'],
|
||||
password=self.user1['password']))
|
||||
|
||||
# Get a project-scoped token from the unscoped token
|
||||
project_scoped_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
token=unscoped_token,
|
||||
project_id=self.projectA['id']))
|
||||
|
||||
# Get a domain-scoped token from the unscoped token
|
||||
domain_scoped_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
token=unscoped_token,
|
||||
domain_id=self.domainA['id']))
|
||||
|
||||
# revoke the project-scoped token.
|
||||
self.delete('/auth/tokens',
|
||||
headers={'X-Subject-Token': project_scoped_token},
|
||||
expected_status=204)
|
||||
|
||||
# The project-scoped token is invalidated.
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': project_scoped_token},
|
||||
expected_status=404)
|
||||
|
||||
# The unscoped token should still be valid.
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': unscoped_token},
|
||||
expected_status=404) # FIXME(blk-u): This should be 200!
|
||||
|
||||
# The domain-scoped token should still be valid.
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': domain_scoped_token},
|
||||
expected_status=404) # FIXME(blk-u): This should be 200!
|
||||
|
||||
# revoke the domain-scoped token.
|
||||
self.delete('/auth/tokens',
|
||||
headers={'X-Subject-Token': domain_scoped_token},
|
||||
expected_status=204)
|
||||
|
||||
# The domain-scoped token is invalid.
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': domain_scoped_token},
|
||||
expected_status=404)
|
||||
|
||||
# The unscoped token should still be valid.
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': unscoped_token},
|
||||
expected_status=404) # FIXME(blk-u): This should be 200!
|
||||
|
||||
def test_revoke_token_from_token_v2(self):
|
||||
# Test that a scoped token can be requested from an unscoped token,
|
||||
# the scoped token can be revoked, and the unscoped token remains
|
||||
# valid.
|
||||
|
||||
# FIXME(blk-u): This isn't working correctly. The scoped token should
|
||||
# be revoked. See bug 1347318.
|
||||
|
||||
unscoped_token = self.get_v2_token()
|
||||
|
||||
# Get a project-scoped token from the unscoped token
|
||||
project_scoped_token = self.get_v2_token(
|
||||
token=unscoped_token, project_id=self.default_domain_project['id'])
|
||||
|
||||
# revoke the project-scoped token.
|
||||
self.delete('/auth/tokens',
|
||||
headers={'X-Subject-Token': project_scoped_token},
|
||||
expected_status=204)
|
||||
|
||||
# The project-scoped token is invalidated.
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': project_scoped_token},
|
||||
expected_status=404)
|
||||
|
||||
# The unscoped token should still be valid.
|
||||
self.head('/auth/tokens',
|
||||
headers={'X-Subject-Token': unscoped_token},
|
||||
expected_status=404) # FIXME(blk-u): This should be 200!
|
||||
|
||||
|
||||
@dependency.requires('revoke_api')
|
||||
class TestTokenRevokeApi(TestTokenRevokeById):
|
||||
|
Loading…
Reference in New Issue
Block a user