From 097b9aa0395e778b40c2028f45cf8d37663e387a Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Wed, 23 Jul 2014 16:23:20 -0500
Subject: [PATCH] Add a test for revoking a scoped token from an unscoped
There was no test that showed that when a scoped token created from an unscoped token is revoked that the unscoped token also winds up being revoked.
Change-Id: I2c1574573488bb60a059c5d7f8747d6a1977aab7
Partial-Bug: #1347318
---
 keystone/tests/test_v3_auth.py | 113 ++++++++++++++++++++++++++++++---
 1 file changed, 104 insertions(+), 9 deletions(-)
diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index 2e8a804244..d46ba6f875 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@@ -1231,15 +1231,21 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
 # Make sure that we get a NotFound(404) when heading that role.
 self.head(role_path, expected_status=404)

- def get_v2_token(self):
- body = {
- 'auth': {
- 'passwordCredentials': {
- 'username': self.default_domain_user['name'],
- 'password': self.default_domain_user['password'],
- }
- },
- }
+ def get_v2_token(self, token=None, project_id=None):
+ body = {'auth': {}, }
+
+ if token:
+ body['auth']['token'] = {
+ 'id': token
+ }
+ else:
+ body['auth']['passwordCredentials'] = {
+ 'username': self.default_domain_user['name'],
+ 'password': self.default_domain_user['password'],
+ }
+
+ if project_id:
+ body['auth']['tenantId'] = project_id

 r = self.admin_request(method='POST', path='/v2.0/tokens', body=body)
 return r.json_body['access']['token']['id']
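Review bot: `get_v2_token` gains two modes (token-based vs. password-based v2 authentication, optionally scoped through `tenantId`) but no docstring says so; I would add `"""Return a v2 token id, authenticating with *token* when given, else with the default-domain user's password; *project_id* scopes the result via tenantId."""` directly under the new `def`. The literal `body = {'auth': {}, }` reads more plainly as `body = {'auth': {}}`. The POST to `/v2.0/tokens` passes no `expected_status`, so a rejected token-from-token request would surface as a KeyError on `json_body['access']` rather than as a status assertion; passing `expected_status=200` explicitly makes the helper fail where the problem is, unless `admin_request` already defaults to that, which the hunk does not show.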
@@ -1257,6 +1263,95 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
 headers={'X-Subject-Token': token},
 expected_status=404)

+ def test_revoke_token_from_token(self):
+ # Test that a scoped token can be requested from an unscoped token,
+ # the scoped token can be revoked, and the unscoped token remains
+ # valid.
+
+ # FIXME(blk-u): This isn't working correctly. The unscoped token should
+ # remain valid. See bug 1347318.
+
+ unscoped_token = self.get_requested_token(
+ self.build_authentication_request(
+ user_id=self.user1['id'],
+ password=self.user1['password']))
+
+ # Get a project-scoped token from the unscoped token
+ project_scoped_token = self.get_requested_token(
+ self.build_authentication_request(
+ token=unscoped_token,
+ project_id=self.projectA['id']))
+
+ # Get a domain-scoped token from the unscoped token
+ domain_scoped_token = self.get_requested_token(
+ self.build_authentication_request(
+ token=unscoped_token,
+ domain_id=self.domainA['id']))
+
+ # revoke the project-scoped token.
+ self.delete('/auth/tokens',
+ headers={'X-Subject-Token': project_scoped_token},
+ expected_status=204)
+
+ # The project-scoped token is invalidated.
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': project_scoped_token},
+ expected_status=404)
+
+ # The unscoped token should still be valid.
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': unscoped_token},
+ expected_status=404) # FIXME(blk-u): This should be 200!
+
+ # The domain-scoped token should still be valid.
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': domain_scoped_token},
+ expected_status=404) # FIXME(blk-u): This should be 200!
+
+ # revoke the domain-scoped token.
+ self.delete('/auth/tokens',
+ headers={'X-Subject-Token': domain_scoped_token},
+ expected_status=204)
+
+ # The domain-scoped token is invalid.
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': domain_scoped_token},
+ expected_status=404)
+
+ # The unscoped token should still be valid.
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': unscoped_token},
+ expected_status=404) # FIXME(blk-u): This should be 200!
+
+ def test_revoke_token_from_token_v2(self):
+ # Test that a scoped token can be requested from an unscoped token,
+ # the scoped token can be revoked, and the unscoped token remains
+ # valid.
+
+ # FIXME(blk-u): This isn't working correctly. The scoped token should
+ # be revoked. See bug 1347318.
+
+ unscoped_token = self.get_v2_token()
+
+ # Get a project-scoped token from the unscoped token
+ project_scoped_token = self.get_v2_token(
+ token=unscoped_token, project_id=self.default_domain_project['id'])
+
+ # revoke the project-scoped token.
+ self.delete('/auth/tokens',
+ headers={'X-Subject-Token': project_scoped_token},
+ expected_status=204)
+
+ # The project-scoped token is invalidated.
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': project_scoped_token},
+ expected_status=404)
+
+ # The unscoped token should still be valid.
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': unscoped_token},
+ expected_status=404) # FIXME(blk-u): This should be 200!
+

 @dependency.requires('revoke_api')
 class TestTokenRevokeApi(TestTokenRevokeById):
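Review bot: The FIXME at the top of `test_revoke_token_from_token_v2` says "The scoped token should be revoked", but the assertions below it already expect the scoped token to be 404 and flag only the unscoped token's 404 as wrong, so the comment contradicts the test; it should read `# FIXME(blk-u): This isn't working correctly. The unscoped token should remain valid. See bug 1347318.`, matching the v3 test above it. Pinning the current 404 on the unscoped token with an inline FIXME is a reasonable way to make the fix for bug 1347318 fail these tests loudly, but each FIXME-tagged `expected_status=404` (three in the v3 test, one in v2) will then need flipping to 200, which is worth recording in the bug so none is missed. Neither test covers the other direction of token chaining — revoking the unscoped token and then checking that the project- and domain-scoped tokens issued from it are rejected — which is the case a revocation test most needs from a security standpoint, and it can be written with the same helpers as a follow-up. The enclosing class `TestTokenRevokeById` starts outside the hunk.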