From 35e7819ebc871f7f12f4c0ad074394b41a538201 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Mon, 11 Jan 2016 16:51:23 +0000 Subject: [PATCH] Separate trust crud tests from trust auth tests Previously, all trust specific tests lived in test_v3_auth.py. This patch removes the CRUD-specific tests from test_v3_auth.py and puts them in their own module. This will allow us to simplify the trusts test in general. Change-Id: I50d4d02b4f63e3ad67c71aca9f6199f509ed29d5 --- keystone/tests/unit/test_v3_auth.py | 379 +------------------------ keystone/tests/unit/test_v3_trust.py | 406 +++++++++++++++++++++++++++ 2 files changed, 407 insertions(+), 378 deletions(-) create mode 100644 keystone/tests/unit/test_v3_trust.py diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index 29718b0cee..78161ddded 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -3219,12 +3219,6 @@ class TestTrustAuth(test_v3.RestfulTestCase): domain_id=self.domain_id) self.trustee_user_id = self.trustee_user['id'] - def test_create_trust_bad_request(self): - # The server returns a 403 Forbidden rather than a 400 Bad Request, see - # bug 1133435 - self.post('/OS-TRUST/trusts', body={'trust': {}}, - expected_status=http_client.FORBIDDEN) - def test_create_unscoped_trust(self): ref = unit.new_trust_ref( trustor_user_id=self.user_id, @@ -3274,6 +3268,7 @@ class TestTrustAuth(test_v3.RestfulTestCase): trust = r.result.get('trust') self.assertIsNotNone(trust) self.assertEqual(1, trust['remaining_uses']) + # FIXME(lbragstad): Assert the role that is returned is the right role. def test_create_one_time_use_trust(self): trust = self._initialize_test_consume_trust(1) @@ -3289,52 +3284,6 @@ class TestTrustAuth(test_v3.RestfulTestCase): self.v3_create_token(auth_data, expected_status=http_client.UNAUTHORIZED) - def test_create_trust_with_bad_values_for_remaining_uses(self): - # negative values for the remaining_uses parameter are forbidden - self._create_trust_with_bad_remaining_use(bad_value=-1) - # 0 is a forbidden value as well - self._create_trust_with_bad_remaining_use(bad_value=0) - # as are non integer values - self._create_trust_with_bad_remaining_use(bad_value="a bad value") - self._create_trust_with_bad_remaining_use(bad_value=7.2) - - def _create_trust_with_bad_remaining_use(self, bad_value): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - remaining_uses=bad_value, - role_ids=[self.role_id]) - self.post('/OS-TRUST/trusts', - body={'trust': ref}, - expected_status=http_client.BAD_REQUEST) - - def test_invalid_trust_request_without_impersonation(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - role_ids=[self.role_id]) - - del ref['impersonation'] - - self.post('/OS-TRUST/trusts', - body={'trust': ref}, - expected_status=http_client.BAD_REQUEST) - - def test_invalid_trust_request_without_trustee(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - role_ids=[self.role_id]) - - del ref['trustee_user_id'] - - self.post('/OS-TRUST/trusts', - body={'trust': ref}, - expected_status=http_client.BAD_REQUEST) - def test_create_unlimited_use_trust(self): # by default trusts are unlimited in terms of tokens that can be # generated from them, this test creates such a trust explicitly @@ -3363,293 +3312,6 @@ class TestTrustAuth(test_v3.RestfulTestCase): trust = r.result.get('trust') self.assertIsNone(trust['remaining_uses']) - def test_trust_crud(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - role_ids=[self.role_id]) - r = self.post('/OS-TRUST/trusts', body={'trust': ref}) - trust = self.assertValidTrustResponse(r, ref) - - r = self.get( - '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}) - self.assertValidTrustResponse(r, ref) - - # validate roles on the trust - r = self.get( - '/OS-TRUST/trusts/%(trust_id)s/roles' % { - 'trust_id': trust['id']}) - roles = self.assertValidRoleListResponse(r, self.role) - self.assertIn(self.role['id'], [x['id'] for x in roles]) - self.head( - '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % { - 'trust_id': trust['id'], - 'role_id': self.role['id']}, - expected_status=http_client.OK) - r = self.get( - '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % { - 'trust_id': trust['id'], - 'role_id': self.role['id']}) - self.assertValidRoleResponse(r, self.role) - - r = self.get('/OS-TRUST/trusts') - self.assertValidTrustListResponse(r, trust) - - # trusts are immutable - self.patch( - '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}, - body={'trust': ref}, - expected_status=http_client.NOT_FOUND) - - self.delete( - '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}) - - self.get( - '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}, - expected_status=http_client.NOT_FOUND) - - def test_create_trust_trustee_returns_not_found(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=uuid.uuid4().hex, - project_id=self.project_id, - role_ids=[self.role_id]) - self.post('/OS-TRUST/trusts', body={'trust': ref}, - expected_status=http_client.NOT_FOUND) - - def test_create_trust_trustor_trustee_backwards(self): - ref = unit.new_trust_ref( - trustor_user_id=self.trustee_user_id, - trustee_user_id=self.user_id, - project_id=self.project_id, - role_ids=[self.role_id]) - self.post('/OS-TRUST/trusts', body={'trust': ref}, - expected_status=http_client.FORBIDDEN) - - def test_create_trust_project_returns_not_found(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=uuid.uuid4().hex, - role_ids=[self.role_id]) - self.post('/OS-TRUST/trusts', body={'trust': ref}, - expected_status=http_client.NOT_FOUND) - - def test_create_trust_role_id_returns_not_found(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - role_ids=[uuid.uuid4().hex]) - self.post('/OS-TRUST/trusts', body={'trust': ref}, - expected_status=http_client.NOT_FOUND) - - def test_create_trust_role_name_returns_not_found(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - role_names=[uuid.uuid4().hex]) - self.post('/OS-TRUST/trusts', body={'trust': ref}, - expected_status=http_client.NOT_FOUND) - - def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.default_domain_user_id, - project_id=self.project_id, - impersonation=False, - expires=dict(minutes=1), - role_ids=[self.role_id]) - - r = self.post('/OS-TRUST/trusts', body={'trust': ref}) - trust = self.assertValidTrustResponse(r) - - auth_data = self.build_authentication_request( - user_id=self.default_domain_user['id'], - password=self.default_domain_user['password'], - trust_id=trust['id']) - r = self.v3_create_token(auth_data) - self.assertValidProjectTrustScopedTokenResponse( - r, self.default_domain_user) - - token = r.headers.get('X-Subject-Token') - - # now validate the v3 token with v2 API - path = '/v2.0/tokens/%s' % (token) - self.admin_request( - path=path, token=CONF.admin_token, - method='GET', expected_status=http_client.UNAUTHORIZED) - - def test_v3_v2_intermix_trustor_not_in_default_domaini_failed(self): - ref = unit.new_trust_ref( - trustor_user_id=self.default_domain_user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.default_domain_project_id, - impersonation=False, - expires=dict(minutes=1), - role_ids=[self.role_id]) - - auth_data = self.build_authentication_request( - user_id=self.default_domain_user['id'], - password=self.default_domain_user['password'], - project_id=self.default_domain_project_id) - token = self.get_requested_token(auth_data) - - r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token) - trust = self.assertValidTrustResponse(r) - - auth_data = self.build_authentication_request( - user_id=self.trustee_user['id'], - password=self.trustee_user['password'], - trust_id=trust['id']) - r = self.v3_create_token(auth_data) - self.assertValidProjectTrustScopedTokenResponse( - r, self.trustee_user) - token = r.headers.get('X-Subject-Token') - - # now validate the v3 token with v2 API - path = '/v2.0/tokens/%s' % (token) - self.admin_request( - path=path, token=CONF.admin_token, - method='GET', expected_status=http_client.UNAUTHORIZED) - - def test_v3_v2_intermix_project_not_in_default_domaini_failed(self): - # create a trustee in default domain to delegate stuff to - trustee_user = unit.create_user(self.identity_api, - domain_id=test_v3.DEFAULT_DOMAIN_ID) - trustee_user_id = trustee_user['id'] - - ref = unit.new_trust_ref( - trustor_user_id=self.default_domain_user_id, - trustee_user_id=trustee_user_id, - project_id=self.project_id, - impersonation=False, - expires=dict(minutes=1), - role_ids=[self.role_id]) - - auth_data = self.build_authentication_request( - user_id=self.default_domain_user['id'], - password=self.default_domain_user['password'], - project_id=self.default_domain_project_id) - token = self.get_requested_token(auth_data) - - r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token) - trust = self.assertValidTrustResponse(r) - - auth_data = self.build_authentication_request( - user_id=trustee_user['id'], - password=trustee_user['password'], - trust_id=trust['id']) - r = self.v3_create_token(auth_data) - self.assertValidProjectTrustScopedTokenResponse( - r, trustee_user) - token = r.headers.get('X-Subject-Token') - - # now validate the v3 token with v2 API - path = '/v2.0/tokens/%s' % (token) - self.admin_request( - path=path, token=CONF.admin_token, - method='GET', expected_status=http_client.UNAUTHORIZED) - - def test_v3_v2_intermix(self): - # create a trustee in default domain to delegate stuff to - trustee_user = unit.create_user(self.identity_api, - domain_id=test_v3.DEFAULT_DOMAIN_ID) - trustee_user_id = trustee_user['id'] - - ref = unit.new_trust_ref( - trustor_user_id=self.default_domain_user_id, - trustee_user_id=trustee_user_id, - project_id=self.default_domain_project_id, - impersonation=False, - expires=dict(minutes=1), - role_ids=[self.role_id]) - auth_data = self.build_authentication_request( - user_id=self.default_domain_user['id'], - password=self.default_domain_user['password'], - project_id=self.default_domain_project_id) - token = self.get_requested_token(auth_data) - - r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token) - trust = self.assertValidTrustResponse(r) - - auth_data = self.build_authentication_request( - user_id=trustee_user['id'], - password=trustee_user['password'], - trust_id=trust['id']) - r = self.v3_create_token(auth_data) - self.assertValidProjectTrustScopedTokenResponse( - r, trustee_user) - token = r.headers.get('X-Subject-Token') - - # now validate the v3 token with v2 API - path = '/v2.0/tokens/%s' % (token) - self.admin_request( - path=path, token=CONF.admin_token, - method='GET', expected_status=http_client.OK) - - def test_exercise_trust_scoped_token_without_impersonation(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - impersonation=False, - expires=dict(minutes=1), - role_ids=[self.role_id]) - - r = self.post('/OS-TRUST/trusts', body={'trust': ref}) - trust = self.assertValidTrustResponse(r) - - auth_data = self.build_authentication_request( - user_id=self.trustee_user['id'], - password=self.trustee_user['password'], - trust_id=trust['id']) - r = self.v3_create_token(auth_data) - self.assertValidProjectTrustScopedTokenResponse(r, self.trustee_user) - self.assertEqual(self.trustee_user['id'], - r.result['token']['user']['id']) - self.assertEqual(self.trustee_user['name'], - r.result['token']['user']['name']) - self.assertEqual(self.domain['id'], - r.result['token']['user']['domain']['id']) - self.assertEqual(self.domain['name'], - r.result['token']['user']['domain']['name']) - self.assertEqual(self.project['id'], - r.result['token']['project']['id']) - self.assertEqual(self.project['name'], - r.result['token']['project']['name']) - - def test_exercise_trust_scoped_token_with_impersonation(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - impersonation=True, - expires=dict(minutes=1), - role_ids=[self.role_id]) - - r = self.post('/OS-TRUST/trusts', body={'trust': ref}) - trust = self.assertValidTrustResponse(r) - - auth_data = self.build_authentication_request( - user_id=self.trustee_user['id'], - password=self.trustee_user['password'], - trust_id=trust['id']) - r = self.v3_create_token(auth_data) - self.assertValidProjectTrustScopedTokenResponse(r, self.user) - self.assertEqual(self.user['id'], r.result['token']['user']['id']) - self.assertEqual(self.user['name'], r.result['token']['user']['name']) - self.assertEqual(self.domain['id'], - r.result['token']['user']['domain']['id']) - self.assertEqual(self.domain['name'], - r.result['token']['user']['domain']['name']) - self.assertEqual(self.project['id'], - r.result['token']['project']['id']) - self.assertEqual(self.project['name'], - r.result['token']['project']['name']) - def test_impersonation_token_cannot_create_new_trust(self): ref = unit.new_trust_ref( trustor_user_id=self.user_id, @@ -3901,14 +3563,6 @@ class TestTrustAuth(test_v3.RestfulTestCase): self.delete('/OS-TRUST/trusts/%(trust_id)s' % { 'trust_id': trust['id']}) - self.get('/OS-TRUST/trusts/%(trust_id)s' % { - 'trust_id': trust['id']}, - expected_status=http_client.NOT_FOUND) - - self.get('/OS-TRUST/trusts/%(trust_id)s' % { - 'trust_id': trust['id']}, - expected_status=http_client.NOT_FOUND) - auth_data = self.build_authentication_request( user_id=self.trustee_user['id'], password=self.trustee_user['password'], @@ -3916,37 +3570,6 @@ class TestTrustAuth(test_v3.RestfulTestCase): self.v3_create_token(auth_data, expected_status=http_client.UNAUTHORIZED) - def test_list_trusts(self): - ref = unit.new_trust_ref( - trustor_user_id=self.user_id, - trustee_user_id=self.trustee_user_id, - project_id=self.project_id, - impersonation=False, - expires=dict(minutes=1), - role_ids=[self.role_id]) - - for i in range(3): - ref['expires_at'] = datetime.datetime.utcnow().replace( - year=2031).strftime(unit.TIME_FORMAT) - r = self.post('/OS-TRUST/trusts', body={'trust': ref}) - self.assertValidTrustResponse(r, ref) - - r = self.get('/OS-TRUST/trusts') - trusts = r.result['trusts'] - self.assertEqual(3, len(trusts)) - self.assertValidTrustListResponse(r) - - r = self.get('/OS-TRUST/trusts?trustor_user_id=%s' % - self.user_id) - trusts = r.result['trusts'] - self.assertEqual(3, len(trusts)) - self.assertValidTrustListResponse(r) - - r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' % - self.user_id) - trusts = r.result['trusts'] - self.assertEqual(0, len(trusts)) - def test_change_password_invalidates_trust_tokens(self): ref = unit.new_trust_ref( trustor_user_id=self.user_id, diff --git a/keystone/tests/unit/test_v3_trust.py b/keystone/tests/unit/test_v3_trust.py new file mode 100644 index 0000000000..0c560eed87 --- /dev/null +++ b/keystone/tests/unit/test_v3_trust.py @@ -0,0 +1,406 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import datetime +import uuid + +from oslo_config import cfg +from six.moves import http_client + +from keystone.tests import unit +from keystone.tests.unit import test_v3 + +CONF = cfg.CONF + + +class TestTrustOperations(test_v3.RestfulTestCase): + """Test module for create, read, update and delete operations on trusts. + + This module is specific to tests for trust CRUD operations. All other tests + related to trusts that are authentication or authorization specific should + live in in the keystone/tests/unit/test_v3_auth.py module. + + """ + + def setUp(self): + super(TestTrustOperations, self).setUp() + # create a trustee to delegate stuff to + self.trustee_user = unit.create_user(self.identity_api, + domain_id=self.domain_id) + self.trustee_user_id = self.trustee_user['id'] + + def test_create_trust_bad_request(self): + # The server returns a 403 Forbidden rather than a 400 Bad Request, see + # bug 1133435 + self.post('/OS-TRUST/trusts', body={'trust': {}}, + expected_status=http_client.FORBIDDEN) + + def test_trust_crud(self): + # create a new trust + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + role_ids=[self.role_id]) + r = self.post('/OS-TRUST/trusts', body={'trust': ref}) + trust = self.assertValidTrustResponse(r, ref) + + # get the trust + r = self.get( + '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}) + self.assertValidTrustResponse(r, ref) + + # validate roles on the trust + r = self.get( + '/OS-TRUST/trusts/%(trust_id)s/roles' % { + 'trust_id': trust['id']}) + roles = self.assertValidRoleListResponse(r, self.role) + self.assertIn(self.role['id'], [x['id'] for x in roles]) + self.head( + '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % { + 'trust_id': trust['id'], + 'role_id': self.role['id']}, + expected_status=http_client.OK) + r = self.get( + '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % { + 'trust_id': trust['id'], + 'role_id': self.role['id']}) + self.assertValidRoleResponse(r, self.role) + + # list all trusts + r = self.get('/OS-TRUST/trusts') + self.assertValidTrustListResponse(r, trust) + + # trusts are immutable + self.patch( + '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}, + body={'trust': ref}, + expected_status=http_client.NOT_FOUND) + + # delete the trust + self.delete( + '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}) + + # ensure the trust is not found + self.get( + '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}, + expected_status=http_client.NOT_FOUND) + + def test_list_trusts(self): + # create three trusts with the same trustor and trustee + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + for i in range(3): + ref['expires_at'] = datetime.datetime.utcnow().replace( + year=2031).strftime(unit.TIME_FORMAT) + r = self.post('/OS-TRUST/trusts', body={'trust': ref}) + self.assertValidTrustResponse(r, ref) + + # list all trusts + r = self.get('/OS-TRUST/trusts') + trusts = r.result['trusts'] + self.assertEqual(3, len(trusts)) + self.assertValidTrustListResponse(r) + + # list all trusts for the trustor + r = self.get('/OS-TRUST/trusts?trustor_user_id=%s' % + self.user_id) + trusts = r.result['trusts'] + self.assertEqual(3, len(trusts)) + self.assertValidTrustListResponse(r) + + # list all trusts as the trustor as the trustee. + r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' % + self.user_id) + trusts = r.result['trusts'] + self.assertEqual(0, len(trusts)) + + # list all trusts as the trustee is forbidden + r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' % + self.trustee_user_id, + expected_status=http_client.FORBIDDEN) + + def test_delete_trust(self): + # create a trust + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + r = self.post('/OS-TRUST/trusts', body={'trust': ref}) + trust = self.assertValidTrustResponse(r, ref) + + # delete the trust + self.delete('/OS-TRUST/trusts/%(trust_id)s' % { + 'trust_id': trust['id']}) + + # ensure the trust isn't found + self.get('/OS-TRUST/trusts/%(trust_id)s' % { + 'trust_id': trust['id']}, + expected_status=http_client.NOT_FOUND) + + def test_create_trust_without_trustee_returns_bad_request(self): + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + role_ids=[self.role_id]) + + # trustee_user_id is required to create a trust + del ref['trustee_user_id'] + + self.post('/OS-TRUST/trusts', + body={'trust': ref}, + expected_status=http_client.BAD_REQUEST) + + def test_create_trust_without_impersonation_returns_bad_request(self): + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + role_ids=[self.role_id]) + + # impersonation is required to create a trust + del ref['impersonation'] + + self.post('/OS-TRUST/trusts', + body={'trust': ref}, + expected_status=http_client.BAD_REQUEST) + + def test_create_trust_with_bad_remaining_uses_returns_bad_request(self): + # negative numbers, strings, non-integers, and 0 are not value values + for value in [-1, 0, "a bad value", 7.2]: + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + remaining_uses=value, + role_ids=[self.role_id]) + self.post('/OS-TRUST/trusts', + body={'trust': ref}, + expected_status=http_client.BAD_REQUEST) + + def test_create_trust_with_non_existant_trustee_returns_not_found(self): + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=uuid.uuid4().hex, + project_id=self.project_id, + role_ids=[self.role_id]) + self.post('/OS-TRUST/trusts', body={'trust': ref}, + expected_status=http_client.NOT_FOUND) + + def test_create_trust_with_trustee_as_trustor_returns_forbidden(self): + ref = unit.new_trust_ref( + trustor_user_id=self.trustee_user_id, + trustee_user_id=self.user_id, + project_id=self.project_id, + role_ids=[self.role_id]) + # NOTE(lbragstad): This fails because the user making the request isn't + # the trustor defined in the request. + self.post('/OS-TRUST/trusts', body={'trust': ref}, + expected_status=http_client.FORBIDDEN) + + def test_create_trust_with_non_existant_project_returns_not_found(self): + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=uuid.uuid4().hex, + role_ids=[self.role_id]) + self.post('/OS-TRUST/trusts', body={'trust': ref}, + expected_status=http_client.NOT_FOUND) + + def test_create_trust_with_non_existant_role_id_returns_not_found(self): + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + role_ids=[uuid.uuid4().hex]) + self.post('/OS-TRUST/trusts', body={'trust': ref}, + expected_status=http_client.NOT_FOUND) + + def test_create_trust_with_non_existant_role_name_returns_not_found(self): + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + role_names=[uuid.uuid4().hex]) + self.post('/OS-TRUST/trusts', body={'trust': ref}, + expected_status=http_client.NOT_FOUND) + + def test_validate_trust_scoped_token_against_v2_returns_unauthorized(self): + # create a new trust + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.default_domain_user_id, + project_id=self.project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + r = self.post('/OS-TRUST/trusts', body={'trust': ref}) + trust = self.assertValidTrustResponse(r) + + # get a v3 trust-scoped token as the trustee + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + trust_id=trust['id']) + r = self.v3_create_token(auth_data) + self.assertValidProjectTrustScopedTokenResponse( + r, self.default_domain_user) + token = r.headers.get('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + self.admin_request( + path=path, token=CONF.admin_token, + method='GET', expected_status=http_client.UNAUTHORIZED) + + def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self): + # get a project-scoped token + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + project_id=self.default_domain_project_id) + token = self.get_requested_token(auth_data) + + # create a new trust + ref = unit.new_trust_ref( + trustor_user_id=self.default_domain_user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.default_domain_project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token) + trust = self.assertValidTrustResponse(r) + + # get a trust-scoped token as the trustee + auth_data = self.build_authentication_request( + user_id=self.trustee_user['id'], + password=self.trustee_user['password'], + trust_id=trust['id']) + r = self.v3_create_token(auth_data) + self.assertValidProjectTrustScopedTokenResponse( + r, self.trustee_user) + token = r.headers.get('X-Subject-Token') + + # now validate the v3 token with v2 API + path = '/v2.0/tokens/%s' % (token) + self.admin_request( + path=path, token=CONF.admin_token, + method='GET', expected_status=http_client.UNAUTHORIZED) + + def test_v3_v2_intermix_project_not_in_default_domain_failed(self): + # create a trustee in default domain to delegate stuff to + trustee_user = unit.create_user(self.identity_api, + domain_id=test_v3.DEFAULT_DOMAIN_ID) + trustee_user_id = trustee_user['id'] + + # create a new trust + ref = unit.new_trust_ref( + trustor_user_id=self.default_domain_user_id, + trustee_user_id=trustee_user_id, + project_id=self.project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + + # get a project-scoped token as the default_domain_user + auth_data = self.build_authentication_request( + user_id=self.default_domain_user['id'], + password=self.default_domain_user['password'], + project_id=self.default_domain_project_id) + token = self.get_requested_token(auth_data) + + r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token) + trust = self.assertValidTrustResponse(r) + + # get a trust-scoped token as the trustee + auth_data = self.build_authentication_request( + user_id=trustee_user['id'], + password=trustee_user['password'], + trust_id=trust['id']) + r = self.v3_create_token(auth_data) + self.assertValidProjectTrustScopedTokenResponse(r, trustee_user) + token = r.headers.get('X-Subject-Token') + + # ensure the token is invalid against v2 + path = '/v2.0/tokens/%s' % (token) + self.admin_request( + path=path, token=CONF.admin_token, + method='GET', expected_status=http_client.UNAUTHORIZED) + + def test_exercise_trust_scoped_token_without_impersonation(self): + # create a new trust + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + impersonation=False, + expires=dict(minutes=1), + role_ids=[self.role_id]) + resp = self.post('/OS-TRUST/trusts', body={'trust': ref}) + trust = self.assertValidTrustResponse(resp) + + # get a trust-scoped token as the trustee + auth_data = self.build_authentication_request( + user_id=self.trustee_user['id'], + password=self.trustee_user['password'], + trust_id=trust['id']) + resp = self.v3_create_token(auth_data) + resp_body = resp.json_body['token'] + + self.assertValidProjectTrustScopedTokenResponse(resp, + self.trustee_user) + self.assertEqual(self.trustee_user['id'], resp_body['user']['id']) + self.assertEqual(self.trustee_user['name'], resp_body['user']['name']) + self.assertEqual(self.domain['id'], resp_body['user']['domain']['id']) + self.assertEqual(self.domain['name'], + resp_body['user']['domain']['name']) + self.assertEqual(self.project['id'], resp_body['project']['id']) + self.assertEqual(self.project['name'], resp_body['project']['name']) + + def test_exercise_trust_scoped_token_with_impersonation(self): + # create a new trust + ref = unit.new_trust_ref( + trustor_user_id=self.user_id, + trustee_user_id=self.trustee_user_id, + project_id=self.project_id, + impersonation=True, + expires=dict(minutes=1), + role_ids=[self.role_id]) + resp = self.post('/OS-TRUST/trusts', body={'trust': ref}) + trust = self.assertValidTrustResponse(resp) + + # get a trust-scoped token as the trustee + auth_data = self.build_authentication_request( + user_id=self.trustee_user['id'], + password=self.trustee_user['password'], + trust_id=trust['id']) + resp = self.v3_create_token(auth_data) + resp_body = resp.json_body['token'] + + self.assertValidProjectTrustScopedTokenResponse(resp, self.user) + self.assertEqual(self.user['id'], resp_body['user']['id']) + self.assertEqual(self.user['name'], resp_body['user']['name']) + self.assertEqual(self.domain['id'], resp_body['user']['domain']['id']) + self.assertEqual(self.domain['name'], + resp_body['user']['domain']['name']) + self.assertEqual(self.project['id'], resp_body['project']['id']) + self.assertEqual(self.project['name'], resp_body['project']['name'])