Add a test for revoking a scoped token from an unscoped

There was no test that showed that when a scoped token created from
an unscoped token is revoked that the unscoped token also winds up
being revoked.

Change-Id: I2c1574573488bb60a059c5d7f8747d6a1977aab7
Partial-Bug: #1347318
This commit is contained in:
Brant Knudson 2014-07-23 16:23:20 -05:00
parent 3e035ebb72
commit 097b9aa039
1 changed files with 104 additions and 9 deletions

View File

@ -1231,15 +1231,21 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
# Make sure that we get a NotFound(404) when heading that role.
self.head(role_path, expected_status=404)
def get_v2_token(self):
body = {
'auth': {
'passwordCredentials': {
'username': self.default_domain_user['name'],
'password': self.default_domain_user['password'],
}
},
}
def get_v2_token(self, token=None, project_id=None):
body = {'auth': {}, }
if token:
body['auth']['token'] = {
'id': token
}
else:
body['auth']['passwordCredentials'] = {
'username': self.default_domain_user['name'],
'password': self.default_domain_user['password'],
}
if project_id:
body['auth']['tenantId'] = project_id
r = self.admin_request(method='POST', path='/v2.0/tokens', body=body)
return r.json_body['access']['token']['id']
@ -1257,6 +1263,95 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
headers={'X-Subject-Token': token},
expected_status=404)
def test_revoke_token_from_token(self):
# Test that a scoped token can be requested from an unscoped token,
# the scoped token can be revoked, and the unscoped token remains
# valid.
# FIXME(blk-u): This isn't working correctly. The unscoped token should
# remain valid. See bug 1347318.
unscoped_token = self.get_requested_token(
self.build_authentication_request(
user_id=self.user1['id'],
password=self.user1['password']))
# Get a project-scoped token from the unscoped token
project_scoped_token = self.get_requested_token(
self.build_authentication_request(
token=unscoped_token,
project_id=self.projectA['id']))
# Get a domain-scoped token from the unscoped token
domain_scoped_token = self.get_requested_token(
self.build_authentication_request(
token=unscoped_token,
domain_id=self.domainA['id']))
# revoke the project-scoped token.
self.delete('/auth/tokens',
headers={'X-Subject-Token': project_scoped_token},
expected_status=204)
# The project-scoped token is invalidated.
self.head('/auth/tokens',
headers={'X-Subject-Token': project_scoped_token},
expected_status=404)
# The unscoped token should still be valid.
self.head('/auth/tokens',
headers={'X-Subject-Token': unscoped_token},
expected_status=404) # FIXME(blk-u): This should be 200!
# The domain-scoped token should still be valid.
self.head('/auth/tokens',
headers={'X-Subject-Token': domain_scoped_token},
expected_status=404) # FIXME(blk-u): This should be 200!
# revoke the domain-scoped token.
self.delete('/auth/tokens',
headers={'X-Subject-Token': domain_scoped_token},
expected_status=204)
# The domain-scoped token is invalid.
self.head('/auth/tokens',
headers={'X-Subject-Token': domain_scoped_token},
expected_status=404)
# The unscoped token should still be valid.
self.head('/auth/tokens',
headers={'X-Subject-Token': unscoped_token},
expected_status=404) # FIXME(blk-u): This should be 200!
def test_revoke_token_from_token_v2(self):
# Test that a scoped token can be requested from an unscoped token,
# the scoped token can be revoked, and the unscoped token remains
# valid.
# FIXME(blk-u): This isn't working correctly. The scoped token should
# be revoked. See bug 1347318.
unscoped_token = self.get_v2_token()
# Get a project-scoped token from the unscoped token
project_scoped_token = self.get_v2_token(
token=unscoped_token, project_id=self.default_domain_project['id'])
# revoke the project-scoped token.
self.delete('/auth/tokens',
headers={'X-Subject-Token': project_scoped_token},
expected_status=204)
# The project-scoped token is invalidated.
self.head('/auth/tokens',
headers={'X-Subject-Token': project_scoped_token},
expected_status=404)
# The unscoped token should still be valid.
self.head('/auth/tokens',
headers={'X-Subject-Token': unscoped_token},
expected_status=404) # FIXME(blk-u): This should be 200!
@dependency.requires('revoke_api')
class TestTokenRevokeApi(TestTokenRevokeById):