Merge "Expose bug with Fernet tokens and trusts"
This commit is contained in:
commit
1cae3c42ee
@ -1062,6 +1062,54 @@ class TokenAPITests(object):
|
||||
self.token_provider_api.validate_token,
|
||||
trust_scoped_token)
|
||||
|
||||
def test_trust_token_is_invalid_when_trustee_domain_disabled(self):
|
||||
# create a new domain with new user in that domain
|
||||
new_domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(new_domain_ref['id'], new_domain_ref)
|
||||
|
||||
trustee_ref = unit.create_user(self.identity_api,
|
||||
domain_id=new_domain_ref['id'])
|
||||
|
||||
new_project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(new_project_ref['id'],
|
||||
new_project_ref)
|
||||
|
||||
# grant the trustor access to the new project
|
||||
self.assignment_api.create_grant(
|
||||
self.role['id'],
|
||||
user_id=self.user_id,
|
||||
project_id=new_project_ref['id'])
|
||||
|
||||
trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
|
||||
trustee_user_id=trustee_ref['id'],
|
||||
expires=dict(minutes=1),
|
||||
project_id=new_project_ref['id'],
|
||||
impersonation=True,
|
||||
role_ids=[self.role['id']])
|
||||
|
||||
resp = self.post('/OS-TRUST/trusts', body={'trust': trust_ref})
|
||||
self.assertValidTrustResponse(resp, trust_ref)
|
||||
trust_id = resp.json_body['trust']['id']
|
||||
|
||||
# get a project-scoped token using the trust
|
||||
trust_auth_data = self.build_authentication_request(
|
||||
user_id=trustee_ref['id'],
|
||||
password=trustee_ref['password'],
|
||||
trust_id=trust_id)
|
||||
trust_scoped_token = self.get_requested_token(trust_auth_data)
|
||||
|
||||
# ensure the project-scoped token from the trust is valid
|
||||
self._validate_token(trust_scoped_token)
|
||||
|
||||
disable_body = {'domain': {'enabled': False}}
|
||||
self.patch(
|
||||
'/domains/%(domain_id)s' % {'domain_id': new_domain_ref['id']},
|
||||
body=disable_body)
|
||||
|
||||
# ensure the project-scoped token from the trust is invalid
|
||||
self._validate_token(trust_scoped_token,
|
||||
expected_status=http_client.NOT_FOUND)
|
||||
|
||||
def test_trust_scoped_token_invalid_after_changing_trustee_password(self):
|
||||
trustee_user, trust = self._create_trust()
|
||||
trust_scoped_token = self._get_trust_scoped_token(trustee_user, trust)
|
||||
@ -2431,6 +2479,55 @@ class TestFernetTokenAPIs(test_v3.RestfulTestCase, TokenAPITests,
|
||||
self.v3_create_token(auth_data,
|
||||
expected_status=http_client.NOT_IMPLEMENTED)
|
||||
|
||||
# FIXME(lbragstad): Remove this test from this class and inherit the
|
||||
# version in TokenAPITest once bug 1532280 is fixed.
|
||||
def test_trust_token_is_invalid_when_trustee_domain_disabled(self):
|
||||
# create a new domain with new user in that domain
|
||||
new_domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(new_domain_ref['id'], new_domain_ref)
|
||||
|
||||
trustee_ref = unit.create_user(self.identity_api,
|
||||
domain_id=new_domain_ref['id'])
|
||||
|
||||
new_project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(new_project_ref['id'],
|
||||
new_project_ref)
|
||||
|
||||
# grant the trustor access to the new project
|
||||
self.assignment_api.create_grant(
|
||||
self.role['id'],
|
||||
user_id=self.user_id,
|
||||
project_id=new_project_ref['id'])
|
||||
|
||||
trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
|
||||
trustee_user_id=trustee_ref['id'],
|
||||
expires=dict(minutes=1),
|
||||
project_id=new_project_ref['id'],
|
||||
impersonation=True,
|
||||
role_ids=[self.role['id']])
|
||||
|
||||
resp = self.post('/OS-TRUST/trusts', body={'trust': trust_ref})
|
||||
self.assertValidTrustResponse(resp, trust_ref)
|
||||
trust_id = resp.json_body['trust']['id']
|
||||
|
||||
# get a project-scoped token using the trust
|
||||
trust_auth_data = self.build_authentication_request(
|
||||
user_id=trustee_ref['id'],
|
||||
password=trustee_ref['password'],
|
||||
trust_id=trust_id)
|
||||
trust_scoped_token = self.get_requested_token(trust_auth_data)
|
||||
|
||||
# ensure the project-scoped token from the trust is valid
|
||||
self._validate_token(trust_scoped_token)
|
||||
|
||||
disable_body = {'domain': {'enabled': False}}
|
||||
self.patch(
|
||||
'/domains/%(domain_id)s' % {'domain_id': new_domain_ref['id']},
|
||||
body=disable_body)
|
||||
|
||||
# this should return Not Found once bug 1532280 is fixed!
|
||||
self._validate_token(trust_scoped_token)
|
||||
|
||||
|
||||
class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
||||
"""Test token revoke using v3 Identity API by token owner and admin."""
|
||||
|
Loading…
Reference in New Issue
Block a user