2012-02-08 20:31:25 +00:00
|
|
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
|
2012-02-15 17:26:54 +00:00
|
|
|
# Copyright 2012 OpenStack LLC
|
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
# not use this file except in compliance with the License. You may obtain
|
|
|
|
# a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
|
|
# License for the specific language governing permissions and limitations
|
|
|
|
# under the License.
|
|
|
|
|
2012-02-09 00:08:08 +00:00
|
|
|
import datetime
|
2012-04-16 19:23:12 +00:00
|
|
|
import default_fixtures
|
2013-01-03 09:58:48 +00:00
|
|
|
import uuid
|
2012-02-08 20:31:25 +00:00
|
|
|
|
2012-10-06 01:18:43 +00:00
|
|
|
from keystone.catalog import core
|
2012-02-09 17:53:03 +00:00
|
|
|
from keystone import exception
|
2012-06-05 01:11:44 +00:00
|
|
|
from keystone.openstack.common import timeutils
|
2013-01-03 09:58:48 +00:00
|
|
|
from keystone import test
|
2012-02-09 17:53:03 +00:00
|
|
|
|
|
|
|
|
2012-01-07 01:03:19 +00:00
|
|
|
class IdentityTests(object):
|
2012-02-08 07:07:10 +00:00
|
|
|
def test_authenticate_bad_user(self):
|
|
|
|
self.assertRaises(AssertionError,
|
|
|
|
self.identity_api.authenticate,
|
2012-03-28 17:37:16 +00:00
|
|
|
user_id=uuid.uuid4().hex,
|
2012-02-08 07:07:10 +00:00
|
|
|
tenant_id=self.tenant_bar['id'],
|
|
|
|
password=self.user_foo['password'])
|
|
|
|
|
|
|
|
def test_authenticate_bad_password(self):
|
|
|
|
self.assertRaises(AssertionError,
|
|
|
|
self.identity_api.authenticate,
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
tenant_id=self.tenant_bar['id'],
|
2012-03-28 17:37:16 +00:00
|
|
|
password=uuid.uuid4().hex)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_authenticate_bad_tenant(self):
|
2012-02-08 07:07:10 +00:00
|
|
|
self.assertRaises(AssertionError,
|
|
|
|
self.identity_api.authenticate,
|
|
|
|
user_id=self.user_foo['id'],
|
2012-03-28 17:37:16 +00:00
|
|
|
tenant_id=uuid.uuid4().hex,
|
2012-02-08 07:07:10 +00:00
|
|
|
password=self.user_foo['password'])
|
|
|
|
|
|
|
|
def test_authenticate_no_tenant(self):
|
|
|
|
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
|
2012-07-09 15:05:59 +00:00
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
password=self.user_foo['password'])
|
2012-03-20 10:09:25 +00:00
|
|
|
# NOTE(termie): the password field is left in user_foo to make
|
|
|
|
# it easier to authenticate in tests, but should
|
|
|
|
# not be returned by the api
|
2012-02-08 07:07:10 +00:00
|
|
|
self.user_foo.pop('password')
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(user_ref, self.user_foo)
|
2012-02-08 07:07:10 +00:00
|
|
|
self.assert_(tenant_ref is None)
|
|
|
|
self.assert_(not metadata_ref)
|
|
|
|
|
|
|
|
def test_authenticate(self):
|
|
|
|
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
|
2012-07-09 15:05:59 +00:00
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
tenant_id=self.tenant_bar['id'],
|
|
|
|
password=self.user_foo['password'])
|
2012-03-20 10:09:25 +00:00
|
|
|
# NOTE(termie): the password field is left in user_foo to make
|
|
|
|
# it easier to authenticate in tests, but should
|
|
|
|
# not be returned by the api
|
2012-02-08 07:07:10 +00:00
|
|
|
self.user_foo.pop('password')
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(user_ref, self.user_foo)
|
|
|
|
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
|
|
|
self.assertDictEqual(metadata_ref, self.metadata_foobar)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
2012-08-21 22:52:58 +00:00
|
|
|
def test_authenticate_role_return(self):
|
|
|
|
self.identity_api.add_role_to_user_and_tenant(
|
|
|
|
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
|
|
|
|
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
|
2012-08-29 20:40:09 +00:00
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
tenant_id=self.tenant_bar['id'],
|
|
|
|
password=self.user_foo['password'])
|
2012-08-21 22:52:58 +00:00
|
|
|
self.assertIn('roles', metadata_ref)
|
|
|
|
self.assertIn('keystone_admin', metadata_ref['roles'])
|
|
|
|
|
2012-03-09 20:24:25 +00:00
|
|
|
def test_authenticate_no_metadata(self):
|
2012-11-13 16:22:01 +00:00
|
|
|
user = {
|
|
|
|
'id': 'no_meta',
|
|
|
|
'name': 'NO_META',
|
|
|
|
'password': 'no_meta2',
|
|
|
|
}
|
|
|
|
self.identity_api.create_user(user['id'], user)
|
|
|
|
self.identity_api.add_user_to_tenant(self.tenant_baz['id'], user['id'])
|
2012-03-09 20:24:25 +00:00
|
|
|
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
|
2012-07-09 15:05:59 +00:00
|
|
|
user_id=user['id'],
|
2012-11-13 16:22:01 +00:00
|
|
|
tenant_id=self.tenant_baz['id'],
|
2012-07-09 15:05:59 +00:00
|
|
|
password=user['password'])
|
2012-03-20 10:09:25 +00:00
|
|
|
# NOTE(termie): the password field is left in user_foo to make
|
|
|
|
# it easier to authenticate in tests, but should
|
|
|
|
# not be returned by the api
|
2012-03-09 20:24:25 +00:00
|
|
|
user.pop('password')
|
|
|
|
self.assertEquals(metadata_ref, {})
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(user_ref, user)
|
2012-11-13 16:22:01 +00:00
|
|
|
self.assertDictEqual(tenant_ref, self.tenant_baz)
|
2012-03-09 20:24:25 +00:00
|
|
|
|
2012-02-08 07:07:10 +00:00
|
|
|
def test_password_hashed(self):
|
|
|
|
user_ref = self.identity_api._get_user(self.user_foo['id'])
|
|
|
|
self.assertNotEqual(user_ref['password'], self.user_foo['password'])
|
|
|
|
|
|
|
|
def test_get_tenant(self):
|
2012-02-07 02:21:46 +00:00
|
|
|
tenant_ref = self.identity_api.get_tenant(
|
|
|
|
tenant_id=self.tenant_bar['id'])
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_tenant_404(self):
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.get_tenant,
|
|
|
|
tenant_id=uuid.uuid4().hex)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
|
|
|
def test_get_tenant_by_name(self):
|
|
|
|
tenant_ref = self.identity_api.get_tenant_by_name(
|
2012-07-09 15:05:59 +00:00
|
|
|
tenant_name=self.tenant_bar['name'])
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(tenant_ref, self.tenant_bar)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_tenant_by_name_404(self):
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.get_tenant,
|
|
|
|
tenant_id=uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_get_tenant_users_404(self):
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.get_tenant_users,
|
|
|
|
tenant_id=uuid.uuid4().hex)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
|
|
|
def test_get_user(self):
|
|
|
|
user_ref = self.identity_api.get_user(user_id=self.user_foo['id'])
|
2012-03-20 10:09:25 +00:00
|
|
|
# NOTE(termie): the password field is left in user_foo to make
|
|
|
|
# it easier to authenticate in tests, but should
|
|
|
|
# not be returned by the api
|
2012-02-08 07:07:10 +00:00
|
|
|
self.user_foo.pop('password')
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(user_ref, self.user_foo)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_user_404(self):
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.get_user,
|
|
|
|
user_id=uuid.uuid4().hex)
|
|
|
|
|
2012-03-01 19:27:06 +00:00
|
|
|
def test_get_user_by_name(self):
|
|
|
|
user_ref = self.identity_api.get_user_by_name(
|
2012-07-09 15:05:59 +00:00
|
|
|
user_name=self.user_foo['name'])
|
2012-03-20 10:09:25 +00:00
|
|
|
# NOTE(termie): the password field is left in user_foo to make
|
|
|
|
# it easier to authenticate in tests, but should
|
|
|
|
# not be returned by the api
|
2012-03-01 19:27:06 +00:00
|
|
|
self.user_foo.pop('password')
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(user_ref, self.user_foo)
|
2012-03-01 19:27:06 +00:00
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_user_by_name_404(self):
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.get_user_by_name,
|
|
|
|
user_name=uuid.uuid4().hex)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
|
|
|
def test_get_metadata(self):
|
|
|
|
metadata_ref = self.identity_api.get_metadata(
|
2012-07-09 15:05:59 +00:00
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
tenant_id=self.tenant_bar['id'])
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(metadata_ref, self.metadata_foobar)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_metadata_404(self):
|
|
|
|
# FIXME(dolph): these exceptions could be more specific
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.get_metadata,
|
|
|
|
user_id=uuid.uuid4().hex,
|
|
|
|
tenant_id=self.tenant_bar['id'])
|
|
|
|
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.get_metadata,
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
tenant_id=uuid.uuid4().hex)
|
|
|
|
|
2012-02-08 07:07:10 +00:00
|
|
|
def test_get_role(self):
|
|
|
|
role_ref = self.identity_api.get_role(
|
2012-07-09 15:05:59 +00:00
|
|
|
role_id=self.role_keystone_admin['id'])
|
2012-03-22 21:11:18 +00:00
|
|
|
role_ref_dict = dict((x, role_ref[x]) for x in role_ref)
|
|
|
|
self.assertDictEqual(role_ref_dict, self.role_keystone_admin)
|
2012-02-08 07:07:10 +00:00
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_role_404(self):
|
|
|
|
self.assertRaises(exception.RoleNotFound,
|
|
|
|
self.identity_api.get_role,
|
|
|
|
role_id=uuid.uuid4().hex)
|
|
|
|
|
2012-03-18 15:56:35 +00:00
|
|
|
def test_create_duplicate_role_name_fails(self):
|
|
|
|
role = {'id': 'fake1',
|
|
|
|
'name': 'fake1name'}
|
|
|
|
self.identity_api.create_role('fake1', role)
|
|
|
|
role['id'] = 'fake2'
|
|
|
|
self.assertRaises(exception.Conflict,
|
|
|
|
self.identity_api.create_role,
|
|
|
|
'fake2',
|
|
|
|
role)
|
|
|
|
|
|
|
|
def test_rename_duplicate_role_name_fails(self):
|
2012-07-09 15:05:59 +00:00
|
|
|
role1 = {
|
|
|
|
'id': 'fake1',
|
|
|
|
'name': 'fake1name'
|
|
|
|
}
|
|
|
|
role2 = {
|
|
|
|
'id': 'fake2',
|
|
|
|
'name': 'fake2name'
|
|
|
|
}
|
2012-03-18 15:56:35 +00:00
|
|
|
self.identity_api.create_role('fake1', role1)
|
|
|
|
self.identity_api.create_role('fake2', role2)
|
|
|
|
role1['name'] = 'fake2name'
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertRaises(exception.Conflict,
|
2012-03-18 15:56:35 +00:00
|
|
|
self.identity_api.update_role,
|
|
|
|
'fake1',
|
|
|
|
role1)
|
|
|
|
|
2012-02-08 07:07:10 +00:00
|
|
|
def test_create_duplicate_user_id_fails(self):
|
|
|
|
user = {'id': 'fake1',
|
|
|
|
'name': 'fake1',
|
|
|
|
'password': 'fakepass',
|
2012-03-20 10:09:25 +00:00
|
|
|
'tenants': ['bar']}
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.create_user('fake1', user)
|
|
|
|
user['name'] = 'fake2'
|
2012-03-18 15:56:35 +00:00
|
|
|
self.assertRaises(exception.Conflict,
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.create_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
|
|
|
def test_create_duplicate_user_name_fails(self):
|
|
|
|
user = {'id': 'fake1',
|
|
|
|
'name': 'fake1',
|
|
|
|
'password': 'fakepass',
|
2012-03-20 10:09:25 +00:00
|
|
|
'tenants': ['bar']}
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.create_user('fake1', user)
|
|
|
|
user['id'] = 'fake2'
|
2012-03-18 15:56:35 +00:00
|
|
|
self.assertRaises(exception.Conflict,
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.create_user,
|
|
|
|
'fake2',
|
|
|
|
user)
|
|
|
|
|
|
|
|
def test_rename_duplicate_user_name_fails(self):
|
|
|
|
user1 = {'id': 'fake1',
|
|
|
|
'name': 'fake1',
|
|
|
|
'password': 'fakepass',
|
2012-03-20 10:09:25 +00:00
|
|
|
'tenants': ['bar']}
|
2012-02-08 07:07:10 +00:00
|
|
|
user2 = {'id': 'fake2',
|
|
|
|
'name': 'fake2',
|
|
|
|
'password': 'fakepass',
|
2012-03-20 10:09:25 +00:00
|
|
|
'tenants': ['bar']}
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.create_user('fake1', user1)
|
|
|
|
self.identity_api.create_user('fake2', user2)
|
|
|
|
user2['name'] = 'fake1'
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertRaises(exception.Conflict,
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.update_user,
|
|
|
|
'fake2',
|
|
|
|
user2)
|
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_update_user_id_fails(self):
|
2012-02-08 07:07:10 +00:00
|
|
|
user = {'id': 'fake1',
|
|
|
|
'name': 'fake1',
|
|
|
|
'password': 'fakepass',
|
2012-03-20 10:09:25 +00:00
|
|
|
'tenants': ['bar']}
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.create_user('fake1', user)
|
|
|
|
user['id'] = 'fake2'
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
2012-02-08 07:07:10 +00:00
|
|
|
user_ref = self.identity_api.get_user('fake1')
|
|
|
|
self.assertEqual(user_ref['id'], 'fake1')
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.get_user,
|
|
|
|
'fake2')
|
2012-02-08 07:07:10 +00:00
|
|
|
|
|
|
|
def test_create_duplicate_tenant_id_fails(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
|
|
tenant['name'] = 'fake2'
|
2012-03-18 15:56:35 +00:00
|
|
|
self.assertRaises(exception.Conflict,
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.create_tenant,
|
|
|
|
'fake1',
|
|
|
|
tenant)
|
|
|
|
|
|
|
|
def test_create_duplicate_tenant_name_fails(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake'}
|
|
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
|
|
tenant['id'] = 'fake2'
|
2012-03-18 15:56:35 +00:00
|
|
|
self.assertRaises(exception.Conflict,
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.create_tenant,
|
|
|
|
'fake1',
|
|
|
|
tenant)
|
|
|
|
|
|
|
|
def test_rename_duplicate_tenant_name_fails(self):
|
|
|
|
tenant1 = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
tenant2 = {'id': 'fake2', 'name': 'fake2'}
|
|
|
|
self.identity_api.create_tenant('fake1', tenant1)
|
|
|
|
self.identity_api.create_tenant('fake2', tenant2)
|
|
|
|
tenant2['name'] = 'fake1'
|
2012-03-18 15:56:35 +00:00
|
|
|
self.assertRaises(exception.Error,
|
2012-02-08 07:07:10 +00:00
|
|
|
self.identity_api.update_tenant,
|
|
|
|
'fake2',
|
|
|
|
tenant2)
|
|
|
|
|
|
|
|
def test_update_tenant_id_does_nothing(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
|
|
tenant['id'] = 'fake2'
|
|
|
|
self.identity_api.update_tenant('fake1', tenant)
|
|
|
|
tenant_ref = self.identity_api.get_tenant('fake1')
|
|
|
|
self.assertEqual(tenant_ref['id'], 'fake1')
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.get_tenant,
|
|
|
|
'fake2')
|
2012-02-08 20:31:25 +00:00
|
|
|
|
2012-06-26 15:04:08 +00:00
|
|
|
def test_add_duplicate_role_grant(self):
|
|
|
|
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
|
|
|
|
self.user_foo['id'], self.tenant_bar['id'])
|
|
|
|
self.assertNotIn('keystone_admin', roles_ref)
|
|
|
|
self.identity_api.add_role_to_user_and_tenant(
|
|
|
|
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
|
|
|
|
self.assertRaises(exception.Conflict,
|
|
|
|
self.identity_api.add_role_to_user_and_tenant,
|
|
|
|
self.user_foo['id'],
|
|
|
|
self.tenant_bar['id'],
|
|
|
|
'keystone_admin')
|
|
|
|
|
2012-02-07 02:21:46 +00:00
|
|
|
def test_get_role_by_user_and_tenant(self):
|
|
|
|
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
|
2012-03-20 10:09:25 +00:00
|
|
|
self.user_foo['id'], self.tenant_bar['id'])
|
2012-02-07 02:21:46 +00:00
|
|
|
self.assertNotIn('keystone_admin', roles_ref)
|
|
|
|
self.identity_api.add_role_to_user_and_tenant(
|
2012-03-20 10:09:25 +00:00
|
|
|
self.user_foo['id'], self.tenant_bar['id'], 'keystone_admin')
|
2012-02-07 02:21:46 +00:00
|
|
|
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
|
2012-03-20 10:09:25 +00:00
|
|
|
self.user_foo['id'], self.tenant_bar['id'])
|
2012-02-07 02:21:46 +00:00
|
|
|
self.assertIn('keystone_admin', roles_ref)
|
2012-11-13 16:22:01 +00:00
|
|
|
self.assertNotIn('member', roles_ref)
|
2012-02-07 02:21:46 +00:00
|
|
|
|
|
|
|
self.identity_api.add_role_to_user_and_tenant(
|
2012-11-13 16:22:01 +00:00
|
|
|
self.user_foo['id'], self.tenant_bar['id'], 'member')
|
2012-02-07 02:21:46 +00:00
|
|
|
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
|
2012-03-20 10:09:25 +00:00
|
|
|
self.user_foo['id'], self.tenant_bar['id'])
|
2012-02-07 02:21:46 +00:00
|
|
|
self.assertIn('keystone_admin', roles_ref)
|
2012-11-13 16:22:01 +00:00
|
|
|
self.assertIn('member', roles_ref)
|
2012-02-07 02:21:46 +00:00
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_roles_for_user_and_tenant_404(self):
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.get_roles_for_user_and_tenant,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
self.tenant_bar['id'])
|
|
|
|
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.get_roles_for_user_and_tenant,
|
|
|
|
self.user_foo['id'],
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_add_role_to_user_and_tenant_404(self):
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.add_role_to_user_and_tenant,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
self.tenant_bar['id'],
|
|
|
|
'keystone_admin')
|
|
|
|
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.add_role_to_user_and_tenant,
|
|
|
|
self.user_foo['id'],
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
'keystone_admin')
|
|
|
|
|
|
|
|
self.assertRaises(exception.RoleNotFound,
|
|
|
|
self.identity_api.add_role_to_user_and_tenant,
|
|
|
|
self.user_foo['id'],
|
|
|
|
self.tenant_bar['id'],
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_remove_role_from_user_and_tenant(self):
|
|
|
|
self.identity_api.add_role_to_user_and_tenant(
|
2012-11-13 16:22:01 +00:00
|
|
|
self.user_foo['id'], self.tenant_bar['id'], 'member')
|
2012-03-28 17:37:16 +00:00
|
|
|
self.identity_api.remove_role_from_user_and_tenant(
|
2012-11-13 16:22:01 +00:00
|
|
|
self.user_foo['id'], self.tenant_bar['id'], 'member')
|
2012-03-28 17:37:16 +00:00
|
|
|
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
|
|
|
|
self.user_foo['id'], self.tenant_bar['id'])
|
2012-11-13 16:22:01 +00:00
|
|
|
self.assertNotIn('member', roles_ref)
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.remove_role_from_user_and_tenant,
|
|
|
|
self.user_foo['id'],
|
|
|
|
self.tenant_bar['id'],
|
2012-11-13 16:22:01 +00:00
|
|
|
'member')
|
2012-03-28 17:37:16 +00:00
|
|
|
|
2012-12-13 16:48:13 +00:00
|
|
|
def test_get_role_grant_by_user_and_project(self):
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
self.assertEquals(len(roles_ref), 0)
|
|
|
|
self.identity_api.create_grant(user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='keystone_admin')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
self.assertDictEqual(roles_ref[0], self.role_keystone_admin)
|
|
|
|
|
|
|
|
self.identity_api.create_grant(user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
|
|
|
|
roles_ref_ids = []
|
|
|
|
for i, ref in enumerate(roles_ref):
|
|
|
|
roles_ref_ids.append(ref['id'])
|
|
|
|
self.assertIn('keystone_admin', roles_ref_ids)
|
|
|
|
self.assertIn('member', roles_ref_ids)
|
|
|
|
|
|
|
|
def test_get_role_grants_for_user_and_project_404(self):
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.list_grants,
|
|
|
|
user_id=uuid.uuid4().hex,
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.list_grants,
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_add_role_grant_to_user_and_project_404(self):
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.create_grant,
|
|
|
|
user_id=uuid.uuid4().hex,
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='keystone_admin')
|
|
|
|
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.create_grant,
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=uuid.uuid4().hex,
|
|
|
|
role_id='keystone_admin')
|
|
|
|
|
|
|
|
self.assertRaises(exception.RoleNotFound,
|
|
|
|
self.identity_api.create_grant,
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id=uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_remove_role_grant_from_user_and_project(self):
|
|
|
|
self.identity_api.create_grant(user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
self.assertDictEqual(roles_ref[0], self.role_member)
|
|
|
|
|
|
|
|
self.identity_api.delete_grant(user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
self.assertEquals(len(roles_ref), 0)
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.delete_grant,
|
|
|
|
user_id=self.user_foo['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='member')
|
|
|
|
|
|
|
|
def test_get_and_remove_role_grant_by_group_and_project(self):
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
self.identity_api.add_user_to_group(new_user['id'],
|
|
|
|
new_group['id'])
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
group_id=new_group['id'],
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
self.assertEquals(len(roles_ref), 0)
|
|
|
|
self.identity_api.create_grant(group_id=new_group['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
group_id=new_group['id'],
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
self.assertDictEqual(roles_ref[0], self.role_member)
|
|
|
|
|
|
|
|
self.identity_api.delete_grant(group_id=new_group['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
group_id=new_group['id'],
|
|
|
|
project_id=self.tenant_bar['id'])
|
|
|
|
self.assertEquals(len(roles_ref), 0)
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.delete_grant,
|
|
|
|
group_id=new_group['id'],
|
|
|
|
project_id=self.tenant_bar['id'],
|
|
|
|
role_id='member')
|
|
|
|
|
|
|
|
def test_get_and_remove_role_grant_by_group_and_domain(self):
|
|
|
|
new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_domain(new_domain['id'], new_domain)
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
self.identity_api.add_user_to_group(new_user['id'],
|
|
|
|
new_group['id'])
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
group_id=new_group['id'],
|
|
|
|
domain_id=new_domain['id'])
|
|
|
|
self.assertEquals(len(roles_ref), 0)
|
|
|
|
self.identity_api.create_grant(group_id=new_group['id'],
|
|
|
|
domain_id=new_domain['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
group_id=new_group['id'],
|
|
|
|
domain_id=new_domain['id'])
|
|
|
|
self.assertDictEqual(roles_ref[0], self.role_member)
|
|
|
|
|
|
|
|
self.identity_api.delete_grant(group_id=new_group['id'],
|
|
|
|
domain_id=new_domain['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
group_id=new_group['id'],
|
|
|
|
domain_id=new_domain['id'])
|
|
|
|
self.assertEquals(len(roles_ref), 0)
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.delete_grant,
|
|
|
|
group_id=new_group['id'],
|
|
|
|
domain_id=new_domain['id'],
|
|
|
|
role_id='member')
|
|
|
|
|
|
|
|
def test_get_and_remove_role_grant_by_user_and_domain(self):
|
|
|
|
new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_domain(new_domain['id'], new_domain)
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
user_id=new_user['id'],
|
|
|
|
domain_id=new_domain['id'])
|
|
|
|
self.assertEquals(len(roles_ref), 0)
|
|
|
|
self.identity_api.create_grant(user_id=new_user['id'],
|
|
|
|
domain_id=new_domain['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
user_id=new_user['id'],
|
|
|
|
domain_id=new_domain['id'])
|
|
|
|
self.assertDictEqual(roles_ref[0], self.role_member)
|
|
|
|
|
|
|
|
self.identity_api.delete_grant(user_id=new_user['id'],
|
|
|
|
domain_id=new_domain['id'],
|
|
|
|
role_id='member')
|
|
|
|
roles_ref = self.identity_api.list_grants(
|
|
|
|
user_id=new_user['id'],
|
|
|
|
domain_id=new_domain['id'])
|
|
|
|
self.assertEquals(len(roles_ref), 0)
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.delete_grant,
|
|
|
|
user_id=new_user['id'],
|
|
|
|
domain_id=new_domain['id'],
|
|
|
|
role_id='member')
|
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_role_crud(self):
|
|
|
|
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_role(role['id'], role)
|
|
|
|
role_ref = self.identity_api.get_role(role['id'])
|
2012-03-22 21:11:18 +00:00
|
|
|
role_ref_dict = dict((x, role_ref[x]) for x in role_ref)
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertDictEqual(role_ref_dict, role)
|
|
|
|
|
|
|
|
role['name'] = uuid.uuid4().hex
|
|
|
|
self.identity_api.update_role(role['id'], role)
|
|
|
|
role_ref = self.identity_api.get_role(role['id'])
|
|
|
|
role_ref_dict = dict((x, role_ref[x]) for x in role_ref)
|
|
|
|
self.assertDictEqual(role_ref_dict, role)
|
|
|
|
|
|
|
|
self.identity_api.delete_role(role['id'])
|
|
|
|
self.assertRaises(exception.RoleNotFound,
|
|
|
|
self.identity_api.get_role,
|
|
|
|
role['id'])
|
|
|
|
|
|
|
|
def test_update_role_404(self):
|
|
|
|
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
|
|
|
self.assertRaises(exception.RoleNotFound,
|
|
|
|
self.identity_api.update_role,
|
|
|
|
role['id'],
|
|
|
|
role)
|
2012-02-07 02:21:46 +00:00
|
|
|
|
|
|
|
def test_add_user_to_tenant(self):
|
2012-03-28 17:37:16 +00:00
|
|
|
self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
|
|
|
|
self.user_foo['id'])
|
|
|
|
tenants = self.identity_api.get_tenants_for_user(self.user_foo['id'])
|
|
|
|
self.assertIn(self.tenant_bar['id'], tenants)
|
|
|
|
|
|
|
|
def test_add_user_to_tenant_404(self):
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.add_user_to_tenant,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
self.user_foo['id'])
|
|
|
|
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.add_user_to_tenant,
|
|
|
|
self.tenant_bar['id'],
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_remove_user_from_tenant(self):
|
|
|
|
self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
|
|
|
|
self.user_foo['id'])
|
|
|
|
self.identity_api.remove_user_from_tenant(self.tenant_bar['id'],
|
|
|
|
self.user_foo['id'])
|
|
|
|
tenants = self.identity_api.get_tenants_for_user(self.user_foo['id'])
|
|
|
|
self.assertNotIn(self.tenant_bar['id'], tenants)
|
|
|
|
|
|
|
|
def test_remove_user_from_tenant_404(self):
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.remove_user_from_tenant,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
self.user_foo['id'])
|
|
|
|
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.remove_user_from_tenant,
|
|
|
|
self.tenant_bar['id'],
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.remove_user_from_tenant,
|
|
|
|
self.tenant_baz['id'],
|
|
|
|
self.user_foo['id'])
|
|
|
|
|
|
|
|
def test_get_tenants_for_user_404(self):
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.get_tenants_for_user,
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_update_tenant_404(self):
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.update_tenant,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
dict())
|
|
|
|
|
|
|
|
def test_delete_tenant_404(self):
|
|
|
|
self.assertRaises(exception.TenantNotFound,
|
|
|
|
self.identity_api.delete_tenant,
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_update_user_404(self):
|
|
|
|
user_id = uuid.uuid4().hex
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.update_user,
|
|
|
|
user_id,
|
|
|
|
{'id': user_id})
|
|
|
|
|
|
|
|
def test_delete_user_with_tenant_association(self):
|
|
|
|
user = {'id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex,
|
|
|
|
'password': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_user(user['id'], user)
|
|
|
|
self.identity_api.add_user_to_tenant(self.tenant_bar['id'],
|
|
|
|
user['id'])
|
|
|
|
self.identity_api.delete_user(user['id'])
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.get_tenants_for_user,
|
|
|
|
user['id'])
|
|
|
|
|
|
|
|
def test_delete_user_404(self):
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.delete_user,
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_delete_role_404(self):
|
|
|
|
self.assertRaises(exception.RoleNotFound,
|
|
|
|
self.identity_api.delete_role,
|
|
|
|
uuid.uuid4().hex)
|
2012-02-07 02:21:46 +00:00
|
|
|
|
2012-04-03 06:15:22 +00:00
|
|
|
def test_create_tenant_long_name_fails(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': 'a' * 65}
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.create_tenant,
|
|
|
|
tenant['id'],
|
|
|
|
tenant)
|
|
|
|
|
|
|
|
def test_create_tenant_blank_name_fails(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': ''}
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.create_tenant,
|
|
|
|
tenant['id'],
|
|
|
|
tenant)
|
|
|
|
|
|
|
|
def test_create_tenant_invalid_name_fails(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': None}
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.create_tenant,
|
|
|
|
tenant['id'],
|
|
|
|
tenant)
|
|
|
|
tenant = {'id': 'fake1', 'name': 123}
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.create_tenant,
|
|
|
|
tenant['id'],
|
|
|
|
tenant)
|
|
|
|
|
|
|
|
def test_update_tenant_blank_name_fails(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
|
|
tenant['name'] = ''
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_tenant,
|
|
|
|
tenant['id'],
|
|
|
|
tenant)
|
|
|
|
|
|
|
|
def test_update_tenant_long_name_fails(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
|
|
tenant['name'] = 'a' * 65
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_tenant,
|
|
|
|
tenant['id'],
|
|
|
|
tenant)
|
|
|
|
|
|
|
|
def test_update_tenant_invalid_name_fails(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
|
|
tenant['name'] = None
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_tenant,
|
|
|
|
tenant['id'],
|
|
|
|
tenant)
|
|
|
|
|
|
|
|
tenant['name'] = 123
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_tenant,
|
|
|
|
tenant['id'],
|
|
|
|
tenant)
|
|
|
|
|
2012-07-19 07:46:12 +00:00
|
|
|
def test_create_user_long_name_fails(self):
|
|
|
|
user = {'id': 'fake1', 'name': 'a' * 65}
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.create_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
|
|
|
def test_create_user_blank_name_fails(self):
|
|
|
|
user = {'id': 'fake1', 'name': ''}
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.create_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
|
|
|
def test_create_user_invalid_name_fails(self):
|
|
|
|
user = {'id': 'fake1', 'name': None}
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.create_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
|
|
|
user = {'id': 'fake1', 'name': 123}
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.create_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
|
|
|
def test_update_user_long_name_fails(self):
|
|
|
|
user = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_user('fake1', user)
|
|
|
|
user['name'] = 'a' * 65
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
|
|
|
def test_update_user_blank_name_fails(self):
|
|
|
|
user = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_user('fake1', user)
|
|
|
|
user['name'] = ''
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
|
|
|
def test_update_user_invalid_name_fails(self):
|
|
|
|
user = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_user('fake1', user)
|
|
|
|
|
|
|
|
user['name'] = None
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
|
|
|
user['name'] = 123
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.identity_api.update_user,
|
|
|
|
'fake1',
|
|
|
|
user)
|
|
|
|
|
2012-04-16 19:23:12 +00:00
|
|
|
def test_list_users(self):
|
|
|
|
users = self.identity_api.list_users()
|
|
|
|
for test_user in default_fixtures.USERS:
|
2012-09-13 16:22:59 +00:00
|
|
|
self.assertTrue(x for x in users if x['id'] == test_user['id'])
|
2012-04-16 19:23:12 +00:00
|
|
|
|
|
|
|
def test_list_roles(self):
|
|
|
|
roles = self.identity_api.list_roles()
|
|
|
|
for test_role in default_fixtures.ROLES:
|
2012-09-13 16:22:59 +00:00
|
|
|
self.assertTrue(x for x in roles if x['id'] == test_role['id'])
|
2012-04-16 19:23:12 +00:00
|
|
|
|
|
|
|
def test_get_tenants(self):
|
|
|
|
tenants = self.identity_api.get_tenants()
|
|
|
|
for test_tenant in default_fixtures.TENANTS:
|
2012-09-13 16:22:59 +00:00
|
|
|
self.assertTrue(x for x in tenants if x['id'] == test_tenant['id'])
|
2012-04-16 19:23:12 +00:00
|
|
|
|
2012-09-27 11:53:54 +00:00
|
|
|
def test_delete_tenant_with_role_assignments(self):
|
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1'}
|
|
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
|
|
self.identity_api.add_role_to_user_and_tenant(
|
2012-11-13 16:22:01 +00:00
|
|
|
self.user_foo['id'], tenant['id'], 'member')
|
2012-09-27 11:53:54 +00:00
|
|
|
self.identity_api.delete_tenant(tenant['id'])
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.get_tenant,
|
|
|
|
tenant['id'])
|
|
|
|
|
2012-10-12 06:49:50 +00:00
|
|
|
def test_delete_role_check_role_grant(self):
|
|
|
|
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
2013-01-16 14:29:37 +00:00
|
|
|
alt_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
2012-10-12 06:49:50 +00:00
|
|
|
self.identity_api.create_role(role['id'], role)
|
2013-01-16 14:29:37 +00:00
|
|
|
self.identity_api.create_role(alt_role['id'], alt_role)
|
2012-10-12 06:49:50 +00:00
|
|
|
self.identity_api.add_role_to_user_and_tenant(
|
|
|
|
self.user_foo['id'], self.tenant_bar['id'], role['id'])
|
2013-01-16 14:29:37 +00:00
|
|
|
self.identity_api.add_role_to_user_and_tenant(
|
|
|
|
self.user_foo['id'], self.tenant_bar['id'], alt_role['id'])
|
2012-10-12 06:49:50 +00:00
|
|
|
self.identity_api.delete_role(role['id'])
|
|
|
|
roles_ref = self.identity_api.get_roles_for_user_and_tenant(
|
|
|
|
self.user_foo['id'], self.tenant_bar['id'])
|
|
|
|
self.assertNotIn(role['id'], roles_ref)
|
2013-01-16 14:29:37 +00:00
|
|
|
self.assertIn(alt_role['id'], roles_ref)
|
2012-10-12 06:49:50 +00:00
|
|
|
|
2012-10-16 08:58:50 +00:00
|
|
|
def test_create_tenant_doesnt_modify_passed_in_dict(self):
|
|
|
|
new_tenant = {'id': 'tenant_id', 'name': 'new_tenant'}
|
|
|
|
original_tenant = new_tenant.copy()
|
|
|
|
self.identity_api.create_tenant('tenant_id', new_tenant)
|
|
|
|
self.assertDictEqual(original_tenant, new_tenant)
|
|
|
|
|
|
|
|
def test_create_user_doesnt_modify_passed_in_dict(self):
|
|
|
|
new_user = {'id': 'user_id', 'name': 'new_user',
|
2012-11-06 22:16:56 +00:00
|
|
|
'password': 'secret', 'enabled': True}
|
2012-10-16 08:58:50 +00:00
|
|
|
original_user = new_user.copy()
|
|
|
|
self.identity_api.create_user('user_id', new_user)
|
|
|
|
self.assertDictEqual(original_user, new_user)
|
|
|
|
|
2012-10-29 14:07:58 +00:00
|
|
|
def test_update_user_enable(self):
|
2012-11-06 22:16:56 +00:00
|
|
|
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
|
2012-10-29 14:07:58 +00:00
|
|
|
self.identity_api.create_user('fake1', user)
|
|
|
|
user_ref = self.identity_api.get_user('fake1')
|
2012-11-06 22:16:56 +00:00
|
|
|
self.assertEqual(user_ref['enabled'], True)
|
2012-10-29 14:07:58 +00:00
|
|
|
|
2012-11-06 22:16:56 +00:00
|
|
|
user['enabled'] = False
|
2012-10-29 14:07:58 +00:00
|
|
|
self.identity_api.update_user('fake1', user)
|
|
|
|
user_ref = self.identity_api.get_user('fake1')
|
|
|
|
self.assertEqual(user_ref['enabled'], user['enabled'])
|
|
|
|
|
2012-11-06 22:16:56 +00:00
|
|
|
user['enabled'] = True
|
2012-10-29 14:07:58 +00:00
|
|
|
self.identity_api.update_user('fake1', user)
|
|
|
|
user_ref = self.identity_api.get_user('fake1')
|
|
|
|
self.assertEqual(user_ref['enabled'], user['enabled'])
|
|
|
|
|
|
|
|
def test_update_tenant_enable(self):
|
2012-11-06 22:16:56 +00:00
|
|
|
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
|
2012-10-29 14:07:58 +00:00
|
|
|
self.identity_api.create_tenant('fake1', tenant)
|
|
|
|
tenant_ref = self.identity_api.get_tenant('fake1')
|
2012-11-06 22:16:56 +00:00
|
|
|
self.assertEqual(tenant_ref['enabled'], True)
|
2012-10-29 14:07:58 +00:00
|
|
|
|
2012-11-06 22:16:56 +00:00
|
|
|
tenant['enabled'] = False
|
2012-10-29 14:07:58 +00:00
|
|
|
self.identity_api.update_tenant('fake1', tenant)
|
|
|
|
tenant_ref = self.identity_api.get_tenant('fake1')
|
|
|
|
self.assertEqual(tenant_ref['enabled'], tenant['enabled'])
|
|
|
|
|
2012-11-06 22:16:56 +00:00
|
|
|
tenant['enabled'] = True
|
2012-10-29 14:07:58 +00:00
|
|
|
self.identity_api.update_tenant('fake1', tenant)
|
|
|
|
tenant_ref = self.identity_api.get_tenant('fake1')
|
|
|
|
self.assertEqual(tenant_ref['enabled'], tenant['enabled'])
|
|
|
|
|
2012-12-13 16:48:13 +00:00
|
|
|
def test_add_user_to_group(self):
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
self.identity_api.add_user_to_group(new_user['id'],
|
|
|
|
new_group['id'])
|
|
|
|
groups = self.identity_api.list_groups_for_user(new_user['id'])
|
|
|
|
|
|
|
|
found = False
|
|
|
|
for x in groups:
|
|
|
|
if (x['id'] == new_group['id']):
|
|
|
|
found = True
|
|
|
|
self.assertTrue(found)
|
|
|
|
|
|
|
|
def test_add_user_to_group_404(self):
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
self.assertRaises(exception.GroupNotFound,
|
|
|
|
self.identity_api.add_user_to_group,
|
|
|
|
new_user['id'],
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.add_user_to_group,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
new_group['id'])
|
|
|
|
|
|
|
|
def test_check_user_in_group(self):
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
self.identity_api.add_user_to_group(new_user['id'],
|
|
|
|
new_group['id'])
|
|
|
|
self.identity_api.check_user_in_group(new_user['id'], new_group['id'])
|
|
|
|
|
|
|
|
def test_check_user_not_in_group(self):
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
self.assertRaises(exception.UserNotFound,
|
|
|
|
self.identity_api.check_user_in_group,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
new_group['id'])
|
|
|
|
|
|
|
|
def test_list_users_in_group(self):
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
self.identity_api.add_user_to_group(new_user['id'],
|
|
|
|
new_group['id'])
|
|
|
|
user_refs = self.identity_api.list_users_in_group(new_group['id'])
|
|
|
|
found = False
|
|
|
|
for x in user_refs:
|
|
|
|
if (x['id'] == new_user['id']):
|
|
|
|
found = True
|
|
|
|
self.assertTrue(found)
|
|
|
|
|
|
|
|
def test_remove_user_from_group(self):
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
self.identity_api.add_user_to_group(new_user['id'],
|
|
|
|
new_group['id'])
|
|
|
|
agroups = self.identity_api.list_groups_for_user(new_user['id'])
|
|
|
|
self.identity_api.remove_user_from_group(new_user['id'],
|
|
|
|
new_group['id'])
|
|
|
|
groups = self.identity_api.list_groups_for_user(new_user['id'])
|
|
|
|
for x in groups:
|
|
|
|
self.assertFalse(x['id'] == new_group['id'])
|
|
|
|
|
|
|
|
def test_remove_user_from_group_404(self):
|
|
|
|
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
|
|
|
|
'password': 'secret', 'enabled': True}
|
|
|
|
self.identity_api.create_user(new_user['id'], new_user)
|
|
|
|
new_group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(new_group['id'], new_group)
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.remove_user_from_group,
|
|
|
|
new_user['id'],
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.remove_user_from_group,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
new_group['id'])
|
|
|
|
|
|
|
|
self.assertRaises(exception.NotFound,
|
|
|
|
self.identity_api.remove_user_from_group,
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_group_crud(self):
|
|
|
|
group = {'id': uuid.uuid4().hex, 'domain_id': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex}
|
|
|
|
self.identity_api.create_group(group['id'], group)
|
|
|
|
group_ref = self.identity_api.get_group(group['id'])
|
|
|
|
group_ref_dict = dict((x, group_ref[x]) for x in group_ref)
|
|
|
|
self.assertDictEqual(group_ref_dict, group)
|
|
|
|
|
|
|
|
group['name'] = uuid.uuid4().hex
|
|
|
|
self.identity_api.update_group(group['id'], group)
|
|
|
|
group_ref = self.identity_api.get_group(group['id'])
|
|
|
|
group_ref_dict = dict((x, group_ref[x]) for x in group_ref)
|
|
|
|
self.assertDictEqual(group_ref_dict, group)
|
|
|
|
|
|
|
|
self.identity_api.delete_group(group['id'])
|
|
|
|
self.assertRaises(exception.GroupNotFound,
|
|
|
|
self.identity_api.get_group,
|
|
|
|
group['id'])
|
|
|
|
|
2012-02-07 02:21:46 +00:00
|
|
|
|
2012-02-08 20:31:25 +00:00
|
|
|
class TokenTests(object):
|
|
|
|
def test_token_crud(self):
|
|
|
|
token_id = uuid.uuid4().hex
|
2012-09-06 15:54:04 +00:00
|
|
|
data = {'id': token_id, 'a': 'b',
|
|
|
|
'user': {'id': 'testuserid'}}
|
2012-02-08 20:31:25 +00:00
|
|
|
data_ref = self.token_api.create_token(token_id, data)
|
2012-02-09 00:08:08 +00:00
|
|
|
expires = data_ref.pop('expires')
|
|
|
|
self.assertTrue(isinstance(expires, datetime.datetime))
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(data_ref, data)
|
2012-02-08 20:31:25 +00:00
|
|
|
|
|
|
|
new_data_ref = self.token_api.get_token(token_id)
|
2012-02-09 00:08:08 +00:00
|
|
|
expires = new_data_ref.pop('expires')
|
|
|
|
self.assertTrue(isinstance(expires, datetime.datetime))
|
2012-02-08 20:31:25 +00:00
|
|
|
self.assertEquals(new_data_ref, data)
|
|
|
|
|
|
|
|
self.token_api.delete_token(token_id)
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertRaises(exception.TokenNotFound,
|
2012-07-09 15:05:59 +00:00
|
|
|
self.token_api.get_token, token_id)
|
2012-02-09 17:53:03 +00:00
|
|
|
self.assertRaises(exception.TokenNotFound,
|
2012-07-09 15:05:59 +00:00
|
|
|
self.token_api.delete_token, token_id)
|
2012-03-28 17:37:16 +00:00
|
|
|
|
2012-09-13 16:59:11 +00:00
|
|
|
def create_token_sample_data(self, tenant_id=None):
|
2012-09-06 15:54:04 +00:00
|
|
|
token_id = uuid.uuid4().hex
|
|
|
|
data = {'id': token_id, 'a': 'b',
|
|
|
|
'user': {'id': 'testuserid'}}
|
2012-09-13 16:59:11 +00:00
|
|
|
if tenant_id is not None:
|
|
|
|
data['tenant'] = {'id': tenant_id, 'name': tenant_id}
|
2012-09-06 15:54:04 +00:00
|
|
|
self.token_api.create_token(token_id, data)
|
|
|
|
return token_id
|
|
|
|
|
|
|
|
def test_token_list(self):
|
|
|
|
tokens = self.token_api.list_tokens('testuserid')
|
|
|
|
self.assertEquals(len(tokens), 0)
|
|
|
|
token_id1 = self.create_token_sample_data()
|
|
|
|
tokens = self.token_api.list_tokens('testuserid')
|
|
|
|
self.assertEquals(len(tokens), 1)
|
|
|
|
self.assertIn(token_id1, tokens)
|
|
|
|
token_id2 = self.create_token_sample_data()
|
|
|
|
tokens = self.token_api.list_tokens('testuserid')
|
|
|
|
self.assertEquals(len(tokens), 2)
|
|
|
|
self.assertIn(token_id2, tokens)
|
|
|
|
self.assertIn(token_id1, tokens)
|
|
|
|
self.token_api.delete_token(token_id1)
|
|
|
|
tokens = self.token_api.list_tokens('testuserid')
|
|
|
|
self.assertIn(token_id2, tokens)
|
|
|
|
self.assertNotIn(token_id1, tokens)
|
|
|
|
self.token_api.delete_token(token_id2)
|
|
|
|
tokens = self.token_api.list_tokens('testuserid')
|
|
|
|
self.assertNotIn(token_id2, tokens)
|
|
|
|
self.assertNotIn(token_id1, tokens)
|
|
|
|
|
2012-09-13 16:59:11 +00:00
|
|
|
# tenant-specific tokens
|
|
|
|
tenant1 = uuid.uuid4().hex
|
|
|
|
tenant2 = uuid.uuid4().hex
|
|
|
|
token_id3 = self.create_token_sample_data(tenant_id=tenant1)
|
|
|
|
token_id4 = self.create_token_sample_data(tenant_id=tenant2)
|
|
|
|
tokens = self.token_api.list_tokens('testuserid')
|
|
|
|
self.assertEquals(len(tokens), 2)
|
|
|
|
self.assertNotIn(token_id1, tokens)
|
|
|
|
self.assertNotIn(token_id2, tokens)
|
|
|
|
self.assertIn(token_id3, tokens)
|
|
|
|
self.assertIn(token_id4, tokens)
|
|
|
|
tokens = self.token_api.list_tokens('testuserid', tenant2)
|
|
|
|
self.assertEquals(len(tokens), 1)
|
|
|
|
self.assertNotIn(token_id1, tokens)
|
|
|
|
self.assertNotIn(token_id2, tokens)
|
|
|
|
self.assertNotIn(token_id3, tokens)
|
|
|
|
self.assertIn(token_id4, tokens)
|
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_token_404(self):
|
2012-02-09 17:53:03 +00:00
|
|
|
self.assertRaises(exception.TokenNotFound,
|
2012-03-28 17:37:16 +00:00
|
|
|
self.token_api.get_token,
|
|
|
|
uuid.uuid4().hex)
|
2012-09-20 15:29:12 +00:00
|
|
|
self.assertRaises(exception.TokenNotFound,
|
|
|
|
self.token_api.get_token,
|
|
|
|
None)
|
2012-03-28 17:37:16 +00:00
|
|
|
|
|
|
|
def test_delete_token_404(self):
|
|
|
|
self.assertRaises(exception.TokenNotFound,
|
|
|
|
self.token_api.delete_token,
|
|
|
|
uuid.uuid4().hex)
|
2012-02-09 00:08:08 +00:00
|
|
|
|
|
|
|
def test_expired_token(self):
|
|
|
|
token_id = uuid.uuid4().hex
|
2012-06-05 01:11:44 +00:00
|
|
|
expire_time = timeutils.utcnow() - datetime.timedelta(minutes=1)
|
Cryptographically Signed tokens
Uses CMS to create tokens that can be verified without network calls.
Tokens encapsulate authorization information.
This includes user name and roles in JSON.
The JSON document info is cryptographically signed with a private key
from Keystone, in accordance with the Cryptographic Message Syntax (CMS)
in DER format and then Base64 encoded. The header, footer, and line breaks
are stripped to minimize the size, and slashes which are invalid in Base64
are converted to hyphens.
Since signed tokens are not validated against the Keystone server, they
continue to be valid until the expiration time. This means that even if a user
has their roles revoked or their account disabled, those changes will not take
effect until their token times out. The prototype for this is Kerberos, which
has the same limitation, and has funtioned sucessfully with it for decades. It
is possible to set the token time out for much shorter than the default of 8
hours, but that may mean that users tokens will time out prior to completion
of long running tasks.
This should be a drop in replacement for the current token production code.
Although the signed token is longer than the older format, the token is still
a unique stream of Alpha-Numeric characters.
The auth token middle_ware is capable of handling both uuid and signed tokens.
To start with, the PKI functionality is disabled. This will keep from breaking
the existing deployments. However, it can be enabled with the config value:
[signing]
disable_pki = False
The 'id_hash' column is added to the SQL schema because SQL alchemy insists on
each table having a primary key. However primary keys are limited to roughly
250 Characters (768 Bytes, but there is more than 1 varchar per byte) so the
ID field cannot be used as the primary key anymore. id_hash is a hash of the
id column, and should be used for lookups as it is indexed.
middleware/auth_token.py needs to stand alone in the other services, and uses
keystone.common.cms in order to verify tokens.
Token needs to have all of the data from the original authenticate code
contained in the signed document, as the authenticate RPC will no longer
be called in mand cases.
The datetime of expiry is signed in the token.
The certificates are accessible via web APIs. On the remote service side,
certificates needed to authenitcate tokens are stored in /tmp/keystone-signing
by default. Remote systems use Paste API to read configuration values.
Certificates are retrieved only if they are not on the local system.
When authenticating in Keystone systems, it still does the Database checks for
token presence. This allows Keystone to continue to enforce Timeout and
disabled users.
The service catalog has been added to the signed token. Although this greatly
increases the size of the token, it makes it consistant with what is fetched
during the token authenticate checks
This change also fixes time variations in expiry test. Although unrelated to
the above changes, it was making testing very frustrating.
For the database Upgrade scripts, we now only bring 'token' up to V1 in 001
script. This makes it possible to use the same 002 script for both upgrade
and initializing a new database.
Upon upgrade, the current UUID tokens are retained in the id_hash and id fields.
The mechanisms to verify uuid tokens work the same as before. On downgrade,
token_ids are dropped.
Takes into account changes for "Raise unauthorized if tenant disabled"
Bug 1003962
Change-Id: I89b5aa609143bbe09a36bfaf64758c5306e86de7
2012-07-03 02:18:36 +00:00
|
|
|
data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
|
2012-09-06 15:54:04 +00:00
|
|
|
'expires': expire_time,
|
|
|
|
'user': {'id': 'testuserid'}}
|
2012-02-09 00:08:08 +00:00
|
|
|
data_ref = self.token_api.create_token(token_id, data)
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(data_ref, data)
|
2012-02-09 00:08:08 +00:00
|
|
|
self.assertRaises(exception.TokenNotFound,
|
2012-07-09 15:05:59 +00:00
|
|
|
self.token_api.get_token, token_id)
|
2012-02-09 00:08:08 +00:00
|
|
|
|
|
|
|
def test_null_expires_token(self):
|
|
|
|
token_id = uuid.uuid4().hex
|
2012-09-06 15:54:04 +00:00
|
|
|
data = {'id': token_id, 'id_hash': token_id, 'a': 'b', 'expires': None,
|
|
|
|
'user': {'id': 'testuserid'}}
|
2012-02-09 00:08:08 +00:00
|
|
|
data_ref = self.token_api.create_token(token_id, data)
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(data_ref, data)
|
2012-02-09 00:08:08 +00:00
|
|
|
new_data_ref = self.token_api.get_token(token_id)
|
|
|
|
self.assertEqual(data_ref, new_data_ref)
|
2012-03-13 21:30:07 +00:00
|
|
|
|
2012-08-09 00:49:23 +00:00
|
|
|
def check_list_revoked_tokens(self, token_ids):
|
|
|
|
revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
|
|
|
|
for token_id in token_ids:
|
|
|
|
self.assertIn(token_id, revoked_ids)
|
|
|
|
|
|
|
|
def delete_token(self):
|
|
|
|
token_id = uuid.uuid4().hex
|
2012-09-06 15:54:04 +00:00
|
|
|
data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
|
|
|
|
'user': {'id': 'testuserid'}}
|
2012-08-09 00:49:23 +00:00
|
|
|
data_ref = self.token_api.create_token(token_id, data)
|
|
|
|
self.token_api.delete_token(token_id)
|
2012-08-30 08:26:30 +00:00
|
|
|
self.assertRaises(
|
|
|
|
exception.TokenNotFound,
|
|
|
|
self.token_api.get_token,
|
|
|
|
data_ref['id'])
|
|
|
|
self.assertRaises(
|
|
|
|
exception.TokenNotFound,
|
|
|
|
self.token_api.delete_token,
|
|
|
|
data_ref['id'])
|
2012-08-09 00:49:23 +00:00
|
|
|
return token_id
|
|
|
|
|
|
|
|
def test_list_revoked_tokens_returns_empty_list(self):
|
|
|
|
revoked_ids = [x['id'] for x in self.token_api.list_revoked_tokens()]
|
|
|
|
self.assertEqual(revoked_ids, [])
|
|
|
|
|
|
|
|
def test_list_revoked_tokens_for_single_token(self):
|
|
|
|
self.check_list_revoked_tokens([self.delete_token()])
|
|
|
|
|
|
|
|
def test_list_revoked_tokens_for_multiple_tokens(self):
|
|
|
|
self.check_list_revoked_tokens([self.delete_token()
|
|
|
|
for x in xrange(2)])
|
|
|
|
|
2012-03-13 21:30:07 +00:00
|
|
|
|
2012-10-06 01:18:43 +00:00
|
|
|
class CommonHelperTests(test.TestCase):
|
|
|
|
def test_format_helper_raises_malformed_on_missing_key(self):
|
|
|
|
with self.assertRaises(exception.MalformedEndpoint):
|
|
|
|
core.format_url("http://%(foo)s/%(bar)s", {"foo": "1"})
|
|
|
|
|
|
|
|
def test_format_helper_raises_malformed_on_wrong_type(self):
|
|
|
|
with self.assertRaises(exception.MalformedEndpoint):
|
|
|
|
core.format_url("http://%foo%s", {"foo": "1"})
|
|
|
|
|
|
|
|
def test_format_helper_raises_malformed_on_incomplete_format(self):
|
|
|
|
with self.assertRaises(exception.MalformedEndpoint):
|
|
|
|
core.format_url("http://%(foo)", {"foo": "1"})
|
|
|
|
|
|
|
|
|
2012-03-13 21:30:07 +00:00
|
|
|
class CatalogTests(object):
|
|
|
|
def test_service_crud(self):
|
2012-11-13 16:22:01 +00:00
|
|
|
# create
|
|
|
|
service_id = uuid.uuid4().hex
|
2012-07-09 15:05:59 +00:00
|
|
|
new_service = {
|
2012-11-13 16:22:01 +00:00
|
|
|
'id': service_id,
|
2012-08-01 19:02:22 +00:00
|
|
|
'type': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex,
|
|
|
|
'description': uuid.uuid4().hex,
|
2012-07-09 15:05:59 +00:00
|
|
|
}
|
2012-08-01 19:02:22 +00:00
|
|
|
res = self.catalog_api.create_service(
|
2012-11-13 16:22:01 +00:00
|
|
|
service_id,
|
2012-08-01 19:02:22 +00:00
|
|
|
new_service.copy())
|
2012-03-22 21:11:18 +00:00
|
|
|
self.assertDictEqual(res, new_service)
|
2012-03-13 21:30:07 +00:00
|
|
|
|
2012-11-13 16:22:01 +00:00
|
|
|
# list
|
|
|
|
services = self.catalog_api.list_services()
|
2012-11-20 16:28:26 +00:00
|
|
|
self.assertIn(service_id, [x['id'] for x in services])
|
2012-11-13 16:22:01 +00:00
|
|
|
|
|
|
|
# delete
|
2012-03-13 21:30:07 +00:00
|
|
|
self.catalog_api.delete_service(service_id)
|
|
|
|
self.assertRaises(exception.ServiceNotFound,
|
2012-07-09 15:05:59 +00:00
|
|
|
self.catalog_man.delete_service, {}, service_id)
|
2012-03-28 17:37:16 +00:00
|
|
|
self.assertRaises(exception.ServiceNotFound,
|
2012-07-09 15:05:59 +00:00
|
|
|
self.catalog_man.get_service, {}, service_id)
|
2012-03-28 17:37:16 +00:00
|
|
|
|
2012-11-20 16:28:26 +00:00
|
|
|
def test_delete_service_with_endpoint(self):
|
|
|
|
# create a service
|
|
|
|
service = {
|
|
|
|
'id': uuid.uuid4().hex,
|
|
|
|
'type': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex,
|
|
|
|
'description': uuid.uuid4().hex,
|
|
|
|
}
|
|
|
|
self.catalog_api.create_service(service['id'], service)
|
|
|
|
|
|
|
|
# create an endpoint attached to the service
|
|
|
|
endpoint = {
|
|
|
|
'id': uuid.uuid4().hex,
|
2012-11-30 18:52:26 +00:00
|
|
|
'region': uuid.uuid4().hex,
|
2013-01-09 12:09:40 +00:00
|
|
|
'interface': uuid.uuid4().hex[:8],
|
2012-11-30 18:52:26 +00:00
|
|
|
'url': uuid.uuid4().hex,
|
2012-11-20 16:28:26 +00:00
|
|
|
'service_id': service['id'],
|
|
|
|
}
|
|
|
|
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
|
|
|
|
|
|
|
# deleting the service should also delete the endpoint
|
|
|
|
self.catalog_api.delete_service(service['id'])
|
|
|
|
self.assertRaises(exception.EndpointNotFound,
|
|
|
|
self.catalog_man.get_endpoint, {}, endpoint['id'])
|
|
|
|
self.assertRaises(exception.EndpointNotFound,
|
|
|
|
self.catalog_man.delete_endpoint, {}, endpoint['id'])
|
|
|
|
|
2012-03-28 17:37:16 +00:00
|
|
|
def test_get_service_404(self):
|
|
|
|
self.assertRaises(exception.ServiceNotFound,
|
|
|
|
self.catalog_man.get_service,
|
|
|
|
{},
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_delete_service_404(self):
|
|
|
|
self.assertRaises(exception.ServiceNotFound,
|
|
|
|
self.catalog_man.delete_service,
|
|
|
|
{},
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_create_endpoint_404(self):
|
|
|
|
endpoint = {
|
2012-07-09 15:05:59 +00:00
|
|
|
'id': uuid.uuid4().hex,
|
|
|
|
'service_id': uuid.uuid4().hex,
|
2012-03-28 17:37:16 +00:00
|
|
|
}
|
2012-03-13 21:30:07 +00:00
|
|
|
self.assertRaises(exception.ServiceNotFound,
|
2012-11-20 16:28:26 +00:00
|
|
|
self.catalog_man.create_endpoint,
|
|
|
|
{},
|
2012-03-28 17:37:16 +00:00
|
|
|
endpoint['id'],
|
|
|
|
endpoint)
|
|
|
|
|
|
|
|
def test_get_endpoint_404(self):
|
|
|
|
self.assertRaises(exception.EndpointNotFound,
|
2012-11-20 16:28:26 +00:00
|
|
|
self.catalog_man.get_endpoint,
|
|
|
|
{},
|
2012-03-28 17:37:16 +00:00
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_delete_endpoint_404(self):
|
|
|
|
self.assertRaises(exception.EndpointNotFound,
|
2012-11-20 16:28:26 +00:00
|
|
|
self.catalog_man.delete_endpoint,
|
|
|
|
{},
|
2012-03-28 17:37:16 +00:00
|
|
|
uuid.uuid4().hex)
|
2012-08-29 07:57:38 +00:00
|
|
|
|
2013-01-09 12:09:40 +00:00
|
|
|
def test_create_endpoint(self):
|
|
|
|
service = {
|
|
|
|
'id': uuid.uuid4().hex,
|
|
|
|
'type': uuid.uuid4().hex,
|
|
|
|
'name': uuid.uuid4().hex,
|
|
|
|
'description': uuid.uuid4().hex,
|
|
|
|
}
|
|
|
|
self.catalog_api.create_service(service['id'], service.copy())
|
|
|
|
|
|
|
|
endpoint = {
|
|
|
|
'id': uuid.uuid4().hex,
|
|
|
|
'region': "0" * 255,
|
|
|
|
'service_id': service['id'],
|
|
|
|
'interface': 'public',
|
|
|
|
'url': uuid.uuid4().hex,
|
|
|
|
}
|
|
|
|
self.catalog_api.create_endpoint(endpoint['id'], endpoint.copy())
|
|
|
|
|
2012-08-29 07:57:38 +00:00
|
|
|
|
|
|
|
class PolicyTests(object):
|
|
|
|
def _new_policy_ref(self):
|
|
|
|
return {
|
|
|
|
'id': uuid.uuid4().hex,
|
|
|
|
'policy': uuid.uuid4().hex,
|
|
|
|
'type': uuid.uuid4().hex,
|
|
|
|
'endpoint_id': uuid.uuid4().hex,
|
|
|
|
}
|
|
|
|
|
|
|
|
def assertEqualPolicies(self, a, b):
|
|
|
|
self.assertEqual(a['id'], b['id'])
|
|
|
|
self.assertEqual(a['endpoint_id'], b['endpoint_id'])
|
|
|
|
self.assertEqual(a['policy'], b['policy'])
|
|
|
|
self.assertEqual(a['type'], b['type'])
|
|
|
|
|
|
|
|
def test_create(self):
|
|
|
|
ref = self._new_policy_ref()
|
|
|
|
res = self.policy_api.create_policy(ref['id'], ref)
|
|
|
|
self.assertEqualPolicies(ref, res)
|
|
|
|
|
|
|
|
def test_get(self):
|
|
|
|
ref = self._new_policy_ref()
|
|
|
|
res = self.policy_api.create_policy(ref['id'], ref)
|
|
|
|
|
|
|
|
res = self.policy_api.get_policy(ref['id'])
|
|
|
|
self.assertEqualPolicies(ref, res)
|
|
|
|
|
|
|
|
def test_list(self):
|
|
|
|
ref = self._new_policy_ref()
|
|
|
|
self.policy_api.create_policy(ref['id'], ref)
|
|
|
|
|
|
|
|
res = self.policy_api.list_policies()
|
|
|
|
res = [x for x in res if x['id'] == ref['id']][0]
|
|
|
|
self.assertEqualPolicies(ref, res)
|
|
|
|
|
|
|
|
def test_update(self):
|
|
|
|
ref = self._new_policy_ref()
|
|
|
|
self.policy_api.create_policy(ref['id'], ref)
|
|
|
|
orig = ref
|
|
|
|
|
|
|
|
ref = self._new_policy_ref()
|
|
|
|
|
|
|
|
# (cannot change policy ID)
|
|
|
|
self.assertRaises(exception.ValidationError,
|
|
|
|
self.policy_man.update_policy,
|
|
|
|
{},
|
|
|
|
orig['id'],
|
|
|
|
ref)
|
|
|
|
|
|
|
|
ref['id'] = orig['id']
|
|
|
|
res = self.policy_api.update_policy(orig['id'], ref)
|
|
|
|
self.assertEqualPolicies(ref, res)
|
|
|
|
|
|
|
|
def test_delete(self):
|
|
|
|
ref = self._new_policy_ref()
|
|
|
|
self.policy_api.create_policy(ref['id'], ref)
|
|
|
|
|
|
|
|
self.policy_api.delete_policy(ref['id'])
|
|
|
|
self.assertRaises(exception.PolicyNotFound,
|
|
|
|
self.policy_man.delete_policy, {}, ref['id'])
|
|
|
|
self.assertRaises(exception.PolicyNotFound,
|
|
|
|
self.policy_man.get_policy, {}, ref['id'])
|
|
|
|
res = self.policy_api.list_policies()
|
|
|
|
self.assertFalse(len([x for x in res if x['id'] == ref['id']]))
|
|
|
|
|
|
|
|
def test_get_policy_404(self):
|
|
|
|
self.assertRaises(exception.PolicyNotFound,
|
|
|
|
self.policy_man.get_policy,
|
|
|
|
{},
|
|
|
|
uuid.uuid4().hex)
|
|
|
|
|
|
|
|
def test_update_policy_404(self):
|
|
|
|
self.assertRaises(exception.PolicyNotFound,
|
|
|
|
self.policy_man.update_policy,
|
|
|
|
{},
|
|
|
|
uuid.uuid4().hex,
|
|
|
|
{})
|
|
|
|
|
|
|
|
def test_delete_policy_404(self):
|
|
|
|
self.assertRaises(exception.PolicyNotFound,
|
|
|
|
self.policy_man.delete_policy,
|
|
|
|
{},
|
|
|
|
uuid.uuid4().hex)
|