openstack/deb-keystone
Code Issues Proposed changes

Refactor test_auth trust related tests

Browse Source 
The tests in the AuthWithTrust fixture had many dependencies on global
variables that were not necessarily used; for instance, every time the
setUp function is called, there was a new trust created. This was ran
even for classes that don't need the creation of this initial valid
trust.

This commit gets rid of this behaviour, thus making the test less
dependent on the fixture's state (class variables) in favor of a more
on-demand approach to getting trusts and tokens.

Change-Id: I64752702cc8a328463df15591e3f4c082266ef6d
This commit is contained in:
Juan Antonio Osorio 2014-05-08 14:40:03 +03:00
parent 401294da9a
commit 635d6b2cb2
1 changed files with 109 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

192
keystone/tests/test_auth.py
View File

@ -648,10 +648,6 @@ class AuthWithTrust(AuthTest):
'impersonation': True, 'impersonation': True,
'roles': [{'id': self.role_browser['id']}, 'roles': [{'id': self.role_browser['id']},
{'name': self.role_member['name']}]} {'name': self.role_member['name']}]}
expires_at = timeutils.strtime(timeutils.utcnow() +
datetime.timedelta(minutes=10),
fmt=TIME_FORMAT)
self.create_trust(expires_at=expires_at)
def config_overrides(self): def config_overrides(self):
super(AuthWithTrust, self).config_overrides() super(AuthWithTrust, self).config_overrides()
@ -665,32 +661,36 @@ class AuthWithTrust(AuthTest):
'token_id': token_id, 'token_id': token_id,
'host_url': HOST_URL} 'host_url': HOST_URL}
def create_trust(self, expires_at=None, impersonation=True): def create_trust(self, trust_data, trustor_name, expires_at=None,
username = self.trustor['name'] impersonation=True):
username = trustor_name
password = 'foo2' password = 'foo2'
body_dict = _build_user_auth(username=username, password=password) unscoped_token = self.get_unscoped_token(username, password)
self.unscoped_token = self.controller.authenticate({}, body_dict)
context = self._create_auth_context( context = self._create_auth_context(
self.unscoped_token['access']['token']['id']) unscoped_token['access']['token']['id'])
trust_data = copy.deepcopy(self.sample_data) trust_data_copy = copy.deepcopy(trust_data)
trust_data['expires_at'] = expires_at trust_data_copy['expires_at'] = expires_at
trust_data['impersonation'] = impersonation trust_data_copy['impersonation'] = impersonation
self.new_trust = self.trust_controller.create_trust( return self.trust_controller.create_trust(
context, trust=trust_data)['trust'] context, trust=trust_data_copy)['trust']
def build_v2_token_request(self, username, password): def get_unscoped_token(self, username, password='foo2'):
body_dict = _build_user_auth(username=username, password=password) body_dict = _build_user_auth(username=username, password=password)
self.unscoped_token = self.controller.authenticate({}, body_dict) return self.controller.authenticate({}, body_dict)
unscoped_token_id = self.unscoped_token['access']['token']['id']
def build_v2_token_request(self, username, password, trust):
unscoped_token = self.get_unscoped_token(username, password)
unscoped_token_id = unscoped_token['access']['token']['id']
request_body = _build_user_auth(token={'id': unscoped_token_id}, request_body = _build_user_auth(token={'id': unscoped_token_id},
trust_id=self.new_trust['id'], trust_id=trust['id'],
tenant_id=self.tenant_bar['id']) tenant_id=self.tenant_bar['id'])
return request_body return request_body
def test_create_trust_bad_data_fails(self): def test_create_trust_bad_data_fails(self):
unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = self._create_auth_context( context = self._create_auth_context(
self.unscoped_token['access']['token']['id']) unscoped_token['access']['token']['id'])
bad_sample_data = {'trustor_user_id': self.trustor['id'], bad_sample_data = {'trustor_user_id': self.trustor['id'],
'project_id': self.tenant_bar['id'], 'project_id': self.tenant_bar['id'],
'roles': [{'id': self.role_browser['id']}]} 'roles': [{'id': self.role_browser['id']}]}
@ -700,108 +700,124 @@ class AuthWithTrust(AuthTest):
context, trust=bad_sample_data) context, trust=bad_sample_data)
def test_create_trust_no_roles(self): def test_create_trust_no_roles(self):
context = {'token_id': self.unscoped_token['access']['token']['id']} unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = {'token_id': unscoped_token['access']['token']['id']}
self.sample_data['roles'] = [] self.sample_data['roles'] = []
self.assertRaises(exception.Forbidden, self.assertRaises(exception.Forbidden,
self.trust_controller.create_trust, self.trust_controller.create_trust,
context, trust=self.sample_data) context, trust=self.sample_data)
def test_create_trust(self): def test_create_trust(self):
self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) expires_at = timeutils.strtime(timeutils.utcnow() +
self.assertEqual(self.trustee['id'], self.new_trust['trustee_user_id']) datetime.timedelta(minutes=10),
fmt=TIME_FORMAT)
new_trust = self.create_trust(self.sample_data, self.trustor['name'],
expires_at=expires_at)
self.assertEqual(self.trustor['id'], new_trust['trustor_user_id'])
self.assertEqual(self.trustee['id'], new_trust['trustee_user_id'])
role_ids = [self.role_browser['id'], self.role_member['id']] role_ids = [self.role_browser['id'], self.role_member['id']]
self.assertTrue(timeutils.parse_strtime(self.new_trust['expires_at'], self.assertTrue(timeutils.parse_strtime(new_trust['expires_at'],
fmt=TIME_FORMAT)) fmt=TIME_FORMAT))
self.assertIn('%s/v3/OS-TRUST/' % HOST_URL, self.assertIn('%s/v3/OS-TRUST/' % HOST_URL,
self.new_trust['links']['self']) new_trust['links']['self'])
self.assertIn('%s/v3/OS-TRUST/' % HOST_URL, self.assertIn('%s/v3/OS-TRUST/' % HOST_URL,
self.new_trust['roles_links']['self']) new_trust['roles_links']['self'])
for role in self.new_trust['roles']: for role in new_trust['roles']:
self.assertIn(role['id'], role_ids) self.assertIn(role['id'], role_ids)
def test_create_trust_expires_bad(self): def test_create_trust_expires_bad(self):
self.assertRaises(exception.ValidationTimeStampError, self.assertRaises(exception.ValidationTimeStampError,
self.create_trust, self.create_trust, self.sample_data,
expires_at="bad") self.trustor['name'], expires_at="bad")
self.assertRaises(exception.ValidationTimeStampError, self.assertRaises(exception.ValidationTimeStampError,
self.create_trust, self.create_trust, self.sample_data,
expires_at="") self.trustor['name'], expires_at="")
self.assertRaises(exception.ValidationTimeStampError, self.assertRaises(exception.ValidationTimeStampError,
self.create_trust, self.create_trust, self.sample_data,
expires_at="Z") self.trustor['name'], expires_at="Z")
def test_create_trust_without_project_id(self): def test_create_trust_without_project_id(self):
"""Verify that trust can be created without project id and """Verify that trust can be created without project id and
token can be generated with that trust. token can be generated with that trust.
""" """
unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = self._create_auth_context( context = self._create_auth_context(
self.unscoped_token['access']['token']['id']) unscoped_token['access']['token']['id'])
self.sample_data['project_id'] = None self.sample_data['project_id'] = None
self.sample_data['roles'] = [] self.sample_data['roles'] = []
self.new_trust = self.trust_controller.create_trust( new_trust = self.trust_controller.create_trust(
context, trust=self.sample_data)['trust'] context, trust=self.sample_data)['trust']
self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) self.assertEqual(self.trustor['id'], new_trust['trustor_user_id'])
self.assertEqual(self.trustee['id'], self.new_trust['trustee_user_id']) self.assertEqual(self.trustee['id'], new_trust['trustee_user_id'])
self.assertIs(self.new_trust['impersonation'], True) self.assertIs(new_trust['impersonation'], True)
auth_response = self.fetch_v2_token_from_trust() auth_response = self.fetch_v2_token_from_trust(new_trust)
token_user = auth_response['access']['user'] token_user = auth_response['access']['user']
self.assertEqual(token_user['id'], self.new_trust['trustor_user_id']) self.assertEqual(token_user['id'], new_trust['trustor_user_id'])
def test_get_trust(self): def test_get_trust(self):
context = {'token_id': self.unscoped_token['access']['token']['id'], unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = {'token_id': unscoped_token['access']['token']['id'],
'host_url': HOST_URL} 'host_url': HOST_URL}
new_trust = self.trust_controller.create_trust(
context, trust=self.sample_data)['trust']
trust = self.trust_controller.get_trust(context, trust = self.trust_controller.get_trust(context,
self.new_trust['id'])['trust'] new_trust['id'])['trust']
self.assertEqual(self.trustor['id'], trust['trustor_user_id']) self.assertEqual(self.trustor['id'], trust['trustor_user_id'])
self.assertEqual(self.trustee['id'], trust['trustee_user_id']) self.assertEqual(self.trustee['id'], trust['trustee_user_id'])
role_ids = [self.role_browser['id'], self.role_member['id']] role_ids = [self.role_browser['id'], self.role_member['id']]
for role in self.new_trust['roles']: for role in new_trust['roles']:
self.assertIn(role['id'], role_ids) self.assertIn(role['id'], role_ids)
def test_create_trust_no_impersonation(self): def test_create_trust_no_impersonation(self):
self.create_trust(expires_at=None, impersonation=False) new_trust = self.create_trust(self.sample_data, self.trustor['name'],
self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) expires_at=None, impersonation=False)
self.assertEqual(self.trustee['id'], self.new_trust['trustee_user_id']) self.assertEqual(self.trustor['id'], new_trust['trustor_user_id'])
self.assertIs(self.new_trust['impersonation'], False) self.assertEqual(self.trustee['id'], new_trust['trustee_user_id'])
auth_response = self.fetch_v2_token_from_trust() self.assertIs(new_trust['impersonation'], False)
auth_response = self.fetch_v2_token_from_trust(new_trust)
token_user = auth_response['access']['user'] token_user = auth_response['access']['user']
self.assertEqual(token_user['id'], self.new_trust['trustee_user_id']) self.assertEqual(token_user['id'], new_trust['trustee_user_id'])
# TODO(ayoung): Endpoints # TODO(ayoung): Endpoints
def test_create_trust_impersonation(self): def test_create_trust_impersonation(self):
self.create_trust(expires_at=None) new_trust = self.create_trust(self.sample_data, self.trustor['name'])
self.assertEqual(self.trustor['id'], self.new_trust['trustor_user_id']) self.assertEqual(self.trustor['id'], new_trust['trustor_user_id'])
self.assertEqual(self.trustee['id'], self.new_trust['trustee_user_id']) self.assertEqual(self.trustee['id'], new_trust['trustee_user_id'])
self.assertIs(self.new_trust['impersonation'], True) self.assertIs(new_trust['impersonation'], True)
auth_response = self.fetch_v2_token_from_trust() auth_response = self.fetch_v2_token_from_trust(new_trust)
token_user = auth_response['access']['user'] token_user = auth_response['access']['user']
self.assertEqual(token_user['id'], self.new_trust['trustor_user_id']) self.assertEqual(token_user['id'], new_trust['trustor_user_id'])
def test_token_from_trust_wrong_user_fails(self): def test_token_from_trust_wrong_user_fails(self):
request_body = self.build_v2_token_request('FOO', 'foo2') new_trust = self.create_trust(self.sample_data, self.trustor['name'])
self.assertRaises( request_body = self.build_v2_token_request('FOO', 'foo2', new_trust)
exception.Forbidden, self.assertRaises(exception.Forbidden, self.controller.authenticate,
self.controller.authenticate, {}, request_body) {}, request_body)
def fetch_v2_token_from_trust(self): def fetch_v2_token_from_trust(self, trust):
request_body = self.build_v2_token_request('TWO', 'two2') request_body = self.build_v2_token_request('TWO', 'two2', trust)
auth_response = self.controller.authenticate({}, request_body) auth_response = self.controller.authenticate({}, request_body)
return auth_response return auth_response
def fetch_v3_token_from_trust(self): def fetch_v3_token_from_trust(self, trust, trustee):
v3_password_data = { v3_password_data = {
'identity': { 'identity': {
"methods": ["password"], "methods": ["password"],
"password": { "password": {
"user": { "user": {
"id": self.trustee["id"], "id": trustee["id"],
"password": self.trustee["password"]}} "password": trustee["password"]
}
}
}, },
'scope': { 'scope': {
'project': { 'project': {
'id': self.tenant_baz['id']}}} 'id': self.tenant_baz['id']
}
}
}
auth_response = (self.auth_v3_controller.authenticate_for_token auth_response = (self.auth_v3_controller.authenticate_for_token
({'environment': {}, ({'environment': {},
'query_string': {}}, 'query_string': {}},
@ -813,7 +829,7 @@ class AuthWithTrust(AuthTest):
"methods": ["token"], "methods": ["token"],
"token": {"id": token}}, "token": {"id": token}},
"scope": { "scope": {
"OS-TRUST:trust": {"id": self.new_trust['id']}}} "OS-TRUST:trust": {"id": trust['id']}}}
token_auth_response = (self.auth_v3_controller.authenticate_for_token token_auth_response = (self.auth_v3_controller.authenticate_for_token
({'environment': {}, ({'environment': {},
'query_string': {}}, 'query_string': {}},
@ -821,13 +837,14 @@ class AuthWithTrust(AuthTest):
return token_auth_response return token_auth_response
def test_create_v3_token_from_trust(self): def test_create_v3_token_from_trust(self):
auth_response = self.fetch_v3_token_from_trust() new_trust = self.create_trust(self.sample_data, self.trustor['name'])
auth_response = self.fetch_v3_token_from_trust(new_trust, self.trustee)
trust_token_user = auth_response.json['token']['user'] trust_token_user = auth_response.json['token']['user']
self.assertEqual(self.trustor['id'], trust_token_user['id']) self.assertEqual(self.trustor['id'], trust_token_user['id'])
trust_token_trust = auth_response.json['token']['OS-TRUST:trust'] trust_token_trust = auth_response.json['token']['OS-TRUST:trust']
self.assertEqual(trust_token_trust['id'], self.new_trust['id']) self.assertEqual(trust_token_trust['id'], new_trust['id'])
self.assertEqual(self.trustor['id'], self.assertEqual(self.trustor['id'],
trust_token_trust['trustor_user']['id']) trust_token_trust['trustor_user']['id'])
self.assertEqual(self.trustee['id'], self.assertEqual(self.trustee['id'],
@ -837,7 +854,8 @@ class AuthWithTrust(AuthTest):
self.assertEqual(2, len(trust_token_roles)) self.assertEqual(2, len(trust_token_roles))
def test_v3_trust_token_get_token_fails(self): def test_v3_trust_token_get_token_fails(self):
auth_response = self.fetch_v3_token_from_trust() new_trust = self.create_trust(self.sample_data, self.trustor['name'])
auth_response = self.fetch_v3_token_from_trust(new_trust, self.trustee)
trust_token = auth_response.headers['X-Subject-Token'] trust_token = auth_response.headers['X-Subject-Token']
v3_token_data = {'identity': { v3_token_data = {'identity': {
'methods': ['token'], 'methods': ['token'],
@ -850,7 +868,8 @@ class AuthWithTrust(AuthTest):
'query_string': {}}, v3_token_data) 'query_string': {}}, v3_token_data)
def test_token_from_trust(self): def test_token_from_trust(self):
auth_response = self.fetch_v2_token_from_trust() new_trust = self.create_trust(self.sample_data, self.trustor['name'])
auth_response = self.fetch_v2_token_from_trust(new_trust)
self.assertIsNotNone(auth_response) self.assertIsNotNone(auth_response)
self.assertEqual(2, self.assertEqual(2,
@ -858,21 +877,23 @@ class AuthWithTrust(AuthTest):
"user_foo has three roles, but the token should" "user_foo has three roles, but the token should"
" only get the two roles specified in the trust.") " only get the two roles specified in the trust.")
def assert_token_count_for_trust(self, expected_value): def assert_token_count_for_trust(self, trust, expected_value):
tokens = self.trust_controller.token_api._list_tokens( tokens = self.trust_controller.token_api._list_tokens(
self.trustee['id'], trust_id=self.new_trust['id']) self.trustee['id'], trust_id=trust['id'])
token_count = len(tokens) token_count = len(tokens)
self.assertEqual(expected_value, token_count) self.assertEqual(expected_value, token_count)
def test_delete_tokens_for_user_invalidates_tokens_from_trust(self): def test_delete_tokens_for_user_invalidates_tokens_from_trust(self):
self.assert_token_count_for_trust(0) new_trust = self.create_trust(self.sample_data, self.trustor['name'])
self.fetch_v2_token_from_trust() self.assert_token_count_for_trust(new_trust, 0)
self.assert_token_count_for_trust(1) self.fetch_v2_token_from_trust(new_trust)
self.assert_token_count_for_trust(new_trust, 1)
self.token_api.delete_tokens_for_user(self.trustee['id']) self.token_api.delete_tokens_for_user(self.trustee['id'])
self.assert_token_count_for_trust(0) self.assert_token_count_for_trust(new_trust, 0)
def test_token_from_trust_cant_get_another_token(self): def test_token_from_trust_cant_get_another_token(self):
auth_response = self.fetch_v2_token_from_trust() new_trust = self.create_trust(self.sample_data, self.trustor['name'])
auth_response = self.fetch_v2_token_from_trust(new_trust)
trust_token_id = auth_response['access']['token']['id'] trust_token_id = auth_response['access']['token']['id']
request_body = _build_user_auth(token={'id': trust_token_id}, request_body = _build_user_auth(token={'id': trust_token_id},
tenant_id=self.tenant_bar['id']) tenant_id=self.tenant_bar['id'])
@ -881,10 +902,12 @@ class AuthWithTrust(AuthTest):
self.controller.authenticate, {}, request_body) self.controller.authenticate, {}, request_body)
def test_delete_trust_revokes_token(self): def test_delete_trust_revokes_token(self):
unscoped_token = self.get_unscoped_token(self.trustor['name'])
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
context = self._create_auth_context( context = self._create_auth_context(
self.unscoped_token['access']['token']['id']) unscoped_token['access']['token']['id'])
self.fetch_v2_token_from_trust() self.fetch_v2_token_from_trust(new_trust)
trust_id = self.new_trust['id'] trust_id = new_trust['id']
tokens = self.token_api._list_tokens(self.trustor['id'], tokens = self.token_api._list_tokens(self.trustor['id'],
trust_id=trust_id) trust_id=trust_id)
self.assertEqual(1, len(tokens)) self.assertEqual(1, len(tokens))
@ -894,23 +917,26 @@ class AuthWithTrust(AuthTest):
self.assertEqual(0, len(tokens)) self.assertEqual(0, len(tokens))
def test_token_from_trust_with_no_role_fails(self): def test_token_from_trust_with_no_role_fails(self):
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
for assigned_role in self.assigned_roles: for assigned_role in self.assigned_roles:
self.assignment_api.remove_role_from_user_and_project( self.assignment_api.remove_role_from_user_and_project(
self.trustor['id'], self.tenant_bar['id'], assigned_role) self.trustor['id'], self.tenant_bar['id'], assigned_role)
request_body = self.build_v2_token_request('TWO', 'two2') request_body = self.build_v2_token_request('TWO', 'two2', new_trust)
self.assertRaises( self.assertRaises(
exception.Forbidden, exception.Forbidden,
self.controller.authenticate, {}, request_body) self.controller.authenticate, {}, request_body)
def test_expired_trust_get_token_fails(self): def test_expired_trust_get_token_fails(self):
expiry = "1999-02-18T10:10:00Z" expiry = "1999-02-18T10:10:00Z"
self.create_trust(expiry) new_trust = self.create_trust(self.sample_data, self.trustor['name'],
request_body = self.build_v2_token_request('TWO', 'two2') expiry)
request_body = self.build_v2_token_request('TWO', 'two2', new_trust)
self.assertRaises( self.assertRaises(
exception.Forbidden, exception.Forbidden,
self.controller.authenticate, {}, request_body) self.controller.authenticate, {}, request_body)
def test_token_from_trust_with_wrong_role_fails(self): def test_token_from_trust_with_wrong_role_fails(self):
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
self.assignment_api.add_role_to_user_and_project( self.assignment_api.add_role_to_user_and_project(
self.trustor['id'], self.trustor['id'],
self.tenant_bar['id'], self.tenant_bar['id'],
@ -919,7 +945,7 @@ class AuthWithTrust(AuthTest):
self.assignment_api.remove_role_from_user_and_project( self.assignment_api.remove_role_from_user_and_project(
self.trustor['id'], self.tenant_bar['id'], assigned_role) self.trustor['id'], self.tenant_bar['id'], assigned_role)
request_body = self.build_v2_token_request('TWO', 'two2') request_body = self.build_v2_token_request('TWO', 'two2', new_trust)
self.assertRaises( self.assertRaises(
exception.Forbidden, exception.Forbidden,