diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py index 82396e06e..9f41aba26 100644 --- a/keystone/tests/test_auth.py +++ b/keystone/tests/test_auth.py @@ -648,10 +648,6 @@ class AuthWithTrust(AuthTest): 'impersonation': True, 'roles': [{'id': self.role_browser['id']}, {'name': self.role_member['name']}]} - expires_at = timeutils.strtime(timeutils.utcnow() + - datetime.timedelta(minutes=10), - fmt=TIME_FORMAT) - self.create_trust(expires_at=expires_at) def config_overrides(self): super(AuthWithTrust, self).config_overrides() @@ -665,32 +661,36 @@ class AuthWithTrust(AuthTest): 'token_id': token_id, 'host_url': HOST_URL} - def create_trust(self, expires_at=None, impersonation=True): - username = self.trustor['name'] + def create_trust(self, trust_data, trustor_name, expires_at=None, + impersonation=True): + username = trustor_name password = 'foo2' - body_dict = _build_user_auth(username=username, password=password) - self.unscoped_token = self.controller.authenticate({}, body_dict) + unscoped_token = self.get_unscoped_token(username, password) context = self._create_auth_context( - self.unscoped_token['access']['token']['id']) - trust_data = copy.deepcopy(self.sample_data) - trust_data['expires_at'] = expires_at - trust_data['impersonation'] = impersonation + unscoped_token['access']['token']['id']) + trust_data_copy = copy.deepcopy(trust_data) + trust_data_copy['expires_at'] = expires_at + trust_data_copy['impersonation'] = impersonation - self.new_trust = self.trust_controller.create_trust( - context, trust=trust_data)['trust'] + return self.trust_controller.create_trust( + context, trust=trust_data_copy)['trust'] - def build_v2_token_request(self, username, password): + def get_unscoped_token(self, username, password='foo2'): body_dict = _build_user_auth(username=username, password=password) - self.unscoped_token = self.controller.authenticate({}, body_dict) - unscoped_token_id = self.unscoped_token['access']['token']['id'] + return self.controller.authenticate({}, body_dict) + + def build_v2_token_request(self, username, password, trust): + unscoped_token = self.get_unscoped_token(username, password) + unscoped_token_id = unscoped_token['access']['token']['id'] request_body = _build_user_auth(token={'id': unscoped_token_id}, - trust_id=self.new_trust['id'], + trust_id=trust['id'], tenant_id=self.tenant_bar['id']) return request_body def test_create_trust_bad_data_fails(self): + unscoped_token = self.get_unscoped_token(self.trustor['name']) context = self._create_auth_context( - self.unscoped_token['access']['token']['id']) + unscoped_token['access']['token']['id']) bad_sample_data = {'trustor_user_id': self.trustor['id'], 'project_id': self.tenant_bar['id'], 'roles': [{'id': self.role_browser['id']}]} @@ -700,108 +700,124 @@ class AuthWithTrust(AuthTest): context, trust=bad_sample_data) def test_create_trust_no_roles(self): - context = {'token_id': self.unscoped_token['access']['token']['id']} + unscoped_token = self.get_unscoped_token(self.trustor['name']) + context = {'token_id': unscoped_token['access']['token']['id']} self.sample_data['roles'] = [] self.assertRaises(exception.Forbidden, self.trust_controller.create_trust, context, trust=self.sample_data) def test_create_trust(self): - self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) - self.assertEqual(self.trustee['id'], self.new_trust['trustee_user_id']) + expires_at = timeutils.strtime(timeutils.utcnow() + + datetime.timedelta(minutes=10), + fmt=TIME_FORMAT) + new_trust = self.create_trust(self.sample_data, self.trustor['name'], + expires_at=expires_at) + self.assertEqual(self.trustor['id'], new_trust['trustor_user_id']) + self.assertEqual(self.trustee['id'], new_trust['trustee_user_id']) role_ids = [self.role_browser['id'], self.role_member['id']] - self.assertTrue(timeutils.parse_strtime(self.new_trust['expires_at'], + self.assertTrue(timeutils.parse_strtime(new_trust['expires_at'], fmt=TIME_FORMAT)) self.assertIn('%s/v3/OS-TRUST/' % HOST_URL, - self.new_trust['links']['self']) + new_trust['links']['self']) self.assertIn('%s/v3/OS-TRUST/' % HOST_URL, - self.new_trust['roles_links']['self']) + new_trust['roles_links']['self']) - for role in self.new_trust['roles']: + for role in new_trust['roles']: self.assertIn(role['id'], role_ids) def test_create_trust_expires_bad(self): self.assertRaises(exception.ValidationTimeStampError, - self.create_trust, - expires_at="bad") + self.create_trust, self.sample_data, + self.trustor['name'], expires_at="bad") self.assertRaises(exception.ValidationTimeStampError, - self.create_trust, - expires_at="") + self.create_trust, self.sample_data, + self.trustor['name'], expires_at="") self.assertRaises(exception.ValidationTimeStampError, - self.create_trust, - expires_at="Z") + self.create_trust, self.sample_data, + self.trustor['name'], expires_at="Z") def test_create_trust_without_project_id(self): """Verify that trust can be created without project id and token can be generated with that trust. """ + unscoped_token = self.get_unscoped_token(self.trustor['name']) context = self._create_auth_context( - self.unscoped_token['access']['token']['id']) + unscoped_token['access']['token']['id']) self.sample_data['project_id'] = None self.sample_data['roles'] = [] - self.new_trust = self.trust_controller.create_trust( + new_trust = self.trust_controller.create_trust( context, trust=self.sample_data)['trust'] - self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) - self.assertEqual(self.trustee['id'], self.new_trust['trustee_user_id']) - self.assertIs(self.new_trust['impersonation'], True) - auth_response = self.fetch_v2_token_from_trust() + self.assertEqual(self.trustor['id'], new_trust['trustor_user_id']) + self.assertEqual(self.trustee['id'], new_trust['trustee_user_id']) + self.assertIs(new_trust['impersonation'], True) + auth_response = self.fetch_v2_token_from_trust(new_trust) token_user = auth_response['access']['user'] - self.assertEqual(token_user['id'], self.new_trust['trustor_user_id']) + self.assertEqual(token_user['id'], new_trust['trustor_user_id']) def test_get_trust(self): - context = {'token_id': self.unscoped_token['access']['token']['id'], + unscoped_token = self.get_unscoped_token(self.trustor['name']) + context = {'token_id': unscoped_token['access']['token']['id'], 'host_url': HOST_URL} + new_trust = self.trust_controller.create_trust( + context, trust=self.sample_data)['trust'] trust = self.trust_controller.get_trust(context, - self.new_trust['id'])['trust'] + new_trust['id'])['trust'] self.assertEqual(self.trustor['id'], trust['trustor_user_id']) self.assertEqual(self.trustee['id'], trust['trustee_user_id']) role_ids = [self.role_browser['id'], self.role_member['id']] - for role in self.new_trust['roles']: + for role in new_trust['roles']: self.assertIn(role['id'], role_ids) def test_create_trust_no_impersonation(self): - self.create_trust(expires_at=None, impersonation=False) - self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) - self.assertEqual(self.trustee['id'], self.new_trust['trustee_user_id']) - self.assertIs(self.new_trust['impersonation'], False) - auth_response = self.fetch_v2_token_from_trust() + new_trust = self.create_trust(self.sample_data, self.trustor['name'], + expires_at=None, impersonation=False) + self.assertEqual(self.trustor['id'], new_trust['trustor_user_id']) + self.assertEqual(self.trustee['id'], new_trust['trustee_user_id']) + self.assertIs(new_trust['impersonation'], False) + auth_response = self.fetch_v2_token_from_trust(new_trust) token_user = auth_response['access']['user'] - self.assertEqual(token_user['id'], self.new_trust['trustee_user_id']) + self.assertEqual(token_user['id'], new_trust['trustee_user_id']) # TODO(ayoung): Endpoints def test_create_trust_impersonation(self): - self.create_trust(expires_at=None) - self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) - self.assertEqual(self.trustee['id'], self.new_trust['trustee_user_id']) - self.assertIs(self.new_trust['impersonation'], True) - auth_response = self.fetch_v2_token_from_trust() + new_trust = self.create_trust(self.sample_data, self.trustor['name']) + self.assertEqual(self.trustor['id'], new_trust['trustor_user_id']) + self.assertEqual(self.trustee['id'], new_trust['trustee_user_id']) + self.assertIs(new_trust['impersonation'], True) + auth_response = self.fetch_v2_token_from_trust(new_trust) token_user = auth_response['access']['user'] - self.assertEqual(token_user['id'], self.new_trust['trustor_user_id']) + self.assertEqual(token_user['id'], new_trust['trustor_user_id']) def test_token_from_trust_wrong_user_fails(self): - request_body = self.build_v2_token_request('FOO', 'foo2') - self.assertRaises( - exception.Forbidden, - self.controller.authenticate, {}, request_body) + new_trust = self.create_trust(self.sample_data, self.trustor['name']) + request_body = self.build_v2_token_request('FOO', 'foo2', new_trust) + self.assertRaises(exception.Forbidden, self.controller.authenticate, + {}, request_body) - def fetch_v2_token_from_trust(self): - request_body = self.build_v2_token_request('TWO', 'two2') + def fetch_v2_token_from_trust(self, trust): + request_body = self.build_v2_token_request('TWO', 'two2', trust) auth_response = self.controller.authenticate({}, request_body) return auth_response - def fetch_v3_token_from_trust(self): + def fetch_v3_token_from_trust(self, trust, trustee): v3_password_data = { 'identity': { "methods": ["password"], "password": { "user": { - "id": self.trustee["id"], - "password": self.trustee["password"]}} + "id": trustee["id"], + "password": trustee["password"] + } + } }, 'scope': { 'project': { - 'id': self.tenant_baz['id']}}} + 'id': self.tenant_baz['id'] + } + } + } auth_response = (self.auth_v3_controller.authenticate_for_token ({'environment': {}, 'query_string': {}}, @@ -813,7 +829,7 @@ class AuthWithTrust(AuthTest): "methods": ["token"], "token": {"id": token}}, "scope": { - "OS-TRUST:trust": {"id": self.new_trust['id']}}} + "OS-TRUST:trust": {"id": trust['id']}}} token_auth_response = (self.auth_v3_controller.authenticate_for_token ({'environment': {}, 'query_string': {}}, @@ -821,13 +837,14 @@ class AuthWithTrust(AuthTest): return token_auth_response def test_create_v3_token_from_trust(self): - auth_response = self.fetch_v3_token_from_trust() + new_trust = self.create_trust(self.sample_data, self.trustor['name']) + auth_response = self.fetch_v3_token_from_trust(new_trust, self.trustee) trust_token_user = auth_response.json['token']['user'] self.assertEqual(self.trustor['id'], trust_token_user['id']) trust_token_trust = auth_response.json['token']['OS-TRUST:trust'] - self.assertEqual(trust_token_trust['id'], self.new_trust['id']) + self.assertEqual(trust_token_trust['id'], new_trust['id']) self.assertEqual(self.trustor['id'], trust_token_trust['trustor_user']['id']) self.assertEqual(self.trustee['id'], @@ -837,7 +854,8 @@ class AuthWithTrust(AuthTest): self.assertEqual(2, len(trust_token_roles)) def test_v3_trust_token_get_token_fails(self): - auth_response = self.fetch_v3_token_from_trust() + new_trust = self.create_trust(self.sample_data, self.trustor['name']) + auth_response = self.fetch_v3_token_from_trust(new_trust, self.trustee) trust_token = auth_response.headers['X-Subject-Token'] v3_token_data = {'identity': { 'methods': ['token'], @@ -850,7 +868,8 @@ class AuthWithTrust(AuthTest): 'query_string': {}}, v3_token_data) def test_token_from_trust(self): - auth_response = self.fetch_v2_token_from_trust() + new_trust = self.create_trust(self.sample_data, self.trustor['name']) + auth_response = self.fetch_v2_token_from_trust(new_trust) self.assertIsNotNone(auth_response) self.assertEqual(2, @@ -858,21 +877,23 @@ class AuthWithTrust(AuthTest): "user_foo has three roles, but the token should" " only get the two roles specified in the trust.") - def assert_token_count_for_trust(self, expected_value): + def assert_token_count_for_trust(self, trust, expected_value): tokens = self.trust_controller.token_api._list_tokens( - self.trustee['id'], trust_id=self.new_trust['id']) + self.trustee['id'], trust_id=trust['id']) token_count = len(tokens) self.assertEqual(expected_value, token_count) def test_delete_tokens_for_user_invalidates_tokens_from_trust(self): - self.assert_token_count_for_trust(0) - self.fetch_v2_token_from_trust() - self.assert_token_count_for_trust(1) + new_trust = self.create_trust(self.sample_data, self.trustor['name']) + self.assert_token_count_for_trust(new_trust, 0) + self.fetch_v2_token_from_trust(new_trust) + self.assert_token_count_for_trust(new_trust, 1) self.token_api.delete_tokens_for_user(self.trustee['id']) - self.assert_token_count_for_trust(0) + self.assert_token_count_for_trust(new_trust, 0) def test_token_from_trust_cant_get_another_token(self): - auth_response = self.fetch_v2_token_from_trust() + new_trust = self.create_trust(self.sample_data, self.trustor['name']) + auth_response = self.fetch_v2_token_from_trust(new_trust) trust_token_id = auth_response['access']['token']['id'] request_body = _build_user_auth(token={'id': trust_token_id}, tenant_id=self.tenant_bar['id']) @@ -881,10 +902,12 @@ class AuthWithTrust(AuthTest): self.controller.authenticate, {}, request_body) def test_delete_trust_revokes_token(self): + unscoped_token = self.get_unscoped_token(self.trustor['name']) + new_trust = self.create_trust(self.sample_data, self.trustor['name']) context = self._create_auth_context( - self.unscoped_token['access']['token']['id']) - self.fetch_v2_token_from_trust() - trust_id = self.new_trust['id'] + unscoped_token['access']['token']['id']) + self.fetch_v2_token_from_trust(new_trust) + trust_id = new_trust['id'] tokens = self.token_api._list_tokens(self.trustor['id'], trust_id=trust_id) self.assertEqual(1, len(tokens)) @@ -894,23 +917,26 @@ class AuthWithTrust(AuthTest): self.assertEqual(0, len(tokens)) def test_token_from_trust_with_no_role_fails(self): + new_trust = self.create_trust(self.sample_data, self.trustor['name']) for assigned_role in self.assigned_roles: self.assignment_api.remove_role_from_user_and_project( self.trustor['id'], self.tenant_bar['id'], assigned_role) - request_body = self.build_v2_token_request('TWO', 'two2') + request_body = self.build_v2_token_request('TWO', 'two2', new_trust) self.assertRaises( exception.Forbidden, self.controller.authenticate, {}, request_body) def test_expired_trust_get_token_fails(self): expiry = "1999-02-18T10:10:00Z" - self.create_trust(expiry) - request_body = self.build_v2_token_request('TWO', 'two2') + new_trust = self.create_trust(self.sample_data, self.trustor['name'], + expiry) + request_body = self.build_v2_token_request('TWO', 'two2', new_trust) self.assertRaises( exception.Forbidden, self.controller.authenticate, {}, request_body) def test_token_from_trust_with_wrong_role_fails(self): + new_trust = self.create_trust(self.sample_data, self.trustor['name']) self.assignment_api.add_role_to_user_and_project( self.trustor['id'], self.tenant_bar['id'], @@ -919,7 +945,7 @@ class AuthWithTrust(AuthTest): self.assignment_api.remove_role_from_user_and_project( self.trustor['id'], self.tenant_bar['id'], assigned_role) - request_body = self.build_v2_token_request('TWO', 'two2') + request_body = self.build_v2_token_request('TWO', 'two2', new_trust) self.assertRaises( exception.Forbidden,