Merge "Expose bug with Fernet tokens and trusts"

This commit is contained in:
Jenkins 2016-07-09 00:48:34 +00:00 committed by Gerrit Code Review
commit 1cae3c42ee
1 changed files with 97 additions and 0 deletions

View File

@ -1062,6 +1062,54 @@ class TokenAPITests(object):
self.token_provider_api.validate_token,
trust_scoped_token)
def test_trust_token_is_invalid_when_trustee_domain_disabled(self):
# create a new domain with new user in that domain
new_domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(new_domain_ref['id'], new_domain_ref)
trustee_ref = unit.create_user(self.identity_api,
domain_id=new_domain_ref['id'])
new_project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(new_project_ref['id'],
new_project_ref)
# grant the trustor access to the new project
self.assignment_api.create_grant(
self.role['id'],
user_id=self.user_id,
project_id=new_project_ref['id'])
trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=trustee_ref['id'],
expires=dict(minutes=1),
project_id=new_project_ref['id'],
impersonation=True,
role_ids=[self.role['id']])
resp = self.post('/OS-TRUST/trusts', body={'trust': trust_ref})
self.assertValidTrustResponse(resp, trust_ref)
trust_id = resp.json_body['trust']['id']
# get a project-scoped token using the trust
trust_auth_data = self.build_authentication_request(
user_id=trustee_ref['id'],
password=trustee_ref['password'],
trust_id=trust_id)
trust_scoped_token = self.get_requested_token(trust_auth_data)
# ensure the project-scoped token from the trust is valid
self._validate_token(trust_scoped_token)
disable_body = {'domain': {'enabled': False}}
self.patch(
'/domains/%(domain_id)s' % {'domain_id': new_domain_ref['id']},
body=disable_body)
# ensure the project-scoped token from the trust is invalid
self._validate_token(trust_scoped_token,
expected_status=http_client.NOT_FOUND)
def test_trust_scoped_token_invalid_after_changing_trustee_password(self):
trustee_user, trust = self._create_trust()
trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
@ -2431,6 +2479,55 @@ class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
self.v3_create_token(auth_data,
expected_status=http_client.NOT_IMPLEMENTED)
# FIXME(lbragstad): Remove this test from this class and inherit the
# version in TokenAPITest once bug 1532280 is fixed.
def test_trust_token_is_invalid_when_trustee_domain_disabled(self):
# create a new domain with new user in that domain
new_domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(new_domain_ref['id'], new_domain_ref)
trustee_ref = unit.create_user(self.identity_api,
domain_id=new_domain_ref['id'])
new_project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(new_project_ref['id'],
new_project_ref)
# grant the trustor access to the new project
self.assignment_api.create_grant(
self.role['id'],
user_id=self.user_id,
project_id=new_project_ref['id'])
trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
trustee_user_id=trustee_ref['id'],
expires=dict(minutes=1),
project_id=new_project_ref['id'],
impersonation=True,
role_ids=[self.role['id']])
resp = self.post('/OS-TRUST/trusts', body={'trust': trust_ref})
self.assertValidTrustResponse(resp, trust_ref)
trust_id = resp.json_body['trust']['id']
# get a project-scoped token using the trust
trust_auth_data = self.build_authentication_request(
user_id=trustee_ref['id'],
password=trustee_ref['password'],
trust_id=trust_id)
trust_scoped_token = self.get_requested_token(trust_auth_data)
# ensure the project-scoped token from the trust is valid
self._validate_token(trust_scoped_token)
disable_body = {'domain': {'enabled': False}}
self.patch(
'/domains/%(domain_id)s' % {'domain_id': new_domain_ref['id']},
body=disable_body)
# this should return Not Found once bug 1532280 is fixed!
self._validate_token(trust_scoped_token)
class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
"""Test token revoke using v3 Identity API by token owner and admin."""