Merge "Refactor: Don't hard code the error code"

Jenkins 2015-09-14 01:58:49 +00:00 committed by Gerrit Code Review
commit 41f9e16eb7
20 changed files with 535 additions and 380 deletions


@ -13,6 +13,7 @@
# under the License. # under the License.
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from six.moves import http_client
import webtest import webtest
from keystone.auth import controllers as auth_controllers from keystone.auth import controllers as auth_controllers
@ -125,7 +126,8 @@ class RestfulTestCase(unit.TestCase):
"""Ensures that response headers appear as expected.""" """Ensures that response headers appear as expected."""
self.assertIn('X-Auth-Token', response.headers.get('Vary')) self.assertIn('X-Auth-Token', response.headers.get('Vary'))
def assertValidErrorResponse(self, response, expected_status=400): def assertValidErrorResponse(self, response,
expected_status=http_client.BAD_REQUEST):
"""Verify that the error response is valid. """Verify that the error response is valid.
Subclasses can override this function based on the expected response. Subclasses can override this function based on the expected response.
@ -184,7 +186,8 @@ class RestfulTestCase(unit.TestCase):
self._from_content_type(response, content_type=response_content_type) self._from_content_type(response, content_type=response_content_type)
# we can save some code & improve coverage by always doing this # we can save some code & improve coverage by always doing this
if method != 'HEAD' and response.status_code >= 400: if (method != 'HEAD' and
response.status_code >= http_client.BAD_REQUEST):
self.assertValidErrorResponse(response) self.assertValidErrorResponse(response)
# Contains the decoded response.body # Contains the decoded response.body
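Review bot: In the request helper's status check, `response.status_code >= http_client.BAD_REQUEST` uses the named constant as a range threshold rather than as one specific status, so it now reads as if only 400 mattered. A short comment above the condition, such as `# any 4xx/5xx response must carry a valid error body`, would keep the intent clear now that the literal is gone. The enclosing method starts and ends outside the hunk.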


@ -15,6 +15,7 @@
import copy import copy
import uuid import uuid
from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
@ -60,7 +61,7 @@ class EndpointFilterCRUDTestCase(TestExtensionCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'project_id': uuid.uuid4().hex, 'project_id': uuid.uuid4().hex,
'endpoint_id': self.endpoint_id}, 'endpoint_id': self.endpoint_id},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_create_endpoint_project_association_with_invalid_endpoint(self): def test_create_endpoint_project_association_with_invalid_endpoint(self):
"""PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} """PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
@ -72,7 +73,7 @@ class EndpointFilterCRUDTestCase(TestExtensionCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'project_id': self.default_domain_project_id, 'project_id': self.default_domain_project_id,
'endpoint_id': uuid.uuid4().hex}, 'endpoint_id': uuid.uuid4().hex},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_create_endpoint_project_association_with_unexpected_body(self): def test_create_endpoint_project_association_with_unexpected_body(self):
"""PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} """PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
@ -109,7 +110,7 @@ class EndpointFilterCRUDTestCase(TestExtensionCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'project_id': uuid.uuid4().hex, 'project_id': uuid.uuid4().hex,
'endpoint_id': self.endpoint_id}, 'endpoint_id': self.endpoint_id},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_check_endpoint_project_association_with_invalid_endpoint(self): def test_check_endpoint_project_association_with_invalid_endpoint(self):
"""HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} """HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
@ -122,7 +123,7 @@ class EndpointFilterCRUDTestCase(TestExtensionCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'project_id': self.default_domain_project_id, 'project_id': self.default_domain_project_id,
'endpoint_id': uuid.uuid4().hex}, 'endpoint_id': uuid.uuid4().hex},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_list_endpoints_associated_with_valid_project(self): def test_list_endpoints_associated_with_valid_project(self):
"""GET /OS-EP-FILTER/projects/{project_id}/endpoints """GET /OS-EP-FILTER/projects/{project_id}/endpoints
@ -146,7 +147,7 @@ class EndpointFilterCRUDTestCase(TestExtensionCase):
self.put(self.default_request_url) self.put(self.default_request_url)
self.get('/OS-EP-FILTER/projects/%(project_id)s/endpoints' % { self.get('/OS-EP-FILTER/projects/%(project_id)s/endpoints' % {
'project_id': uuid.uuid4().hex}, 'project_id': uuid.uuid4().hex},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_list_projects_associated_with_endpoint(self): def test_list_projects_associated_with_endpoint(self):
"""GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects """GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects
@ -180,7 +181,7 @@ class EndpointFilterCRUDTestCase(TestExtensionCase):
""" """
self.get('/OS-EP-FILTER/endpoints/%(endpoint_id)s/projects' % self.get('/OS-EP-FILTER/endpoints/%(endpoint_id)s/projects' %
{'endpoint_id': uuid.uuid4().hex}, {'endpoint_id': uuid.uuid4().hex},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_remove_endpoint_project_association(self): def test_remove_endpoint_project_association(self):
"""DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} """DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
@ -206,7 +207,7 @@ class EndpointFilterCRUDTestCase(TestExtensionCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'project_id': uuid.uuid4().hex, 'project_id': uuid.uuid4().hex,
'endpoint_id': self.endpoint_id}, 'endpoint_id': self.endpoint_id},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_remove_endpoint_project_association_with_invalid_endpoint(self): def test_remove_endpoint_project_association_with_invalid_endpoint(self):
"""DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} """DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
@ -219,7 +220,7 @@ class EndpointFilterCRUDTestCase(TestExtensionCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'project_id': self.default_domain_project_id, 'project_id': self.default_domain_project_id,
'endpoint_id': uuid.uuid4().hex}, 'endpoint_id': uuid.uuid4().hex},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_endpoint_project_association_cleanup_when_project_deleted(self): def test_endpoint_project_association_cleanup_when_project_deleted(self):
self.put(self.default_request_url) self.put(self.default_request_url)
@ -589,7 +590,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
invalid_body['endpoint_group']['filters'] = {'foobar': 'admin'} invalid_body['endpoint_group']['filters'] = {'foobar': 'admin'}
self.post(self.DEFAULT_ENDPOINT_GROUP_URL, self.post(self.DEFAULT_ENDPOINT_GROUP_URL,
body=invalid_body, body=invalid_body,
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_get_endpoint_group(self): def test_get_endpoint_group(self):
"""GET /OS-EP-FILTER/endpoint_groups/{endpoint_group} """GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}
@ -624,7 +625,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
endpoint_group_id = 'foobar' endpoint_group_id = 'foobar'
url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % { url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % {
'endpoint_group_id': endpoint_group_id} 'endpoint_group_id': endpoint_group_id}
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_check_endpoint_group(self): def test_check_endpoint_group(self):
"""HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} """HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
@ -648,7 +649,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
endpoint_group_id = 'foobar' endpoint_group_id = 'foobar'
url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % { url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % {
'endpoint_group_id': endpoint_group_id} 'endpoint_group_id': endpoint_group_id}
self.head(url, expected_status=404) self.head(url, expected_status=http_client.NOT_FOUND)
def test_patch_endpoint_group(self): def test_patch_endpoint_group(self):
"""PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group} """PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}
@ -685,7 +686,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
} }
url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % { url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % {
'endpoint_group_id': 'ABC'} 'endpoint_group_id': 'ABC'}
self.patch(url, body=body, expected_status=404) self.patch(url, body=body, expected_status=http_client.NOT_FOUND)
def test_patch_invalid_endpoint_group(self): def test_patch_invalid_endpoint_group(self):
"""PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group} """PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}
@ -707,7 +708,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
self.DEFAULT_ENDPOINT_GROUP_URL, self.DEFAULT_ENDPOINT_GROUP_BODY) self.DEFAULT_ENDPOINT_GROUP_URL, self.DEFAULT_ENDPOINT_GROUP_BODY)
url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % { url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % {
'endpoint_group_id': endpoint_group_id} 'endpoint_group_id': endpoint_group_id}
self.patch(url, body=body, expected_status=400) self.patch(url, body=body, expected_status=http_client.BAD_REQUEST)
# Perform a GET call to ensure that the content remains # Perform a GET call to ensure that the content remains
# the same (as DEFAULT_ENDPOINT_GROUP_BODY) after attempting to update # the same (as DEFAULT_ENDPOINT_GROUP_BODY) after attempting to update
@ -731,7 +732,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % { url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % {
'endpoint_group_id': endpoint_group_id} 'endpoint_group_id': endpoint_group_id}
self.delete(url) self.delete(url)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_delete_invalid_endpoint_group(self): def test_delete_invalid_endpoint_group(self):
"""GET /OS-EP-FILTER/endpoint_groups/{endpoint_group} """GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}
@ -742,7 +743,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
endpoint_group_id = 'foobar' endpoint_group_id = 'foobar'
url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % { url = '/OS-EP-FILTER/endpoint_groups/%(endpoint_group_id)s' % {
'endpoint_group_id': endpoint_group_id} 'endpoint_group_id': endpoint_group_id}
self.delete(url, expected_status=404) self.delete(url, expected_status=http_client.NOT_FOUND)
def test_add_endpoint_group_to_project(self): def test_add_endpoint_group_to_project(self):
"""Create a valid endpoint group and project association.""" """Create a valid endpoint group and project association."""
@ -761,7 +762,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
project_id = uuid.uuid4().hex project_id = uuid.uuid4().hex
url = self._get_project_endpoint_group_url( url = self._get_project_endpoint_group_url(
endpoint_group_id, project_id) endpoint_group_id, project_id)
self.put(url, expected_status=404) self.put(url, expected_status=http_client.NOT_FOUND)
def test_get_endpoint_group_in_project(self): def test_get_endpoint_group_in_project(self):
"""Test retrieving project endpoint group association.""" """Test retrieving project endpoint group association."""
@ -787,7 +788,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
project_id = uuid.uuid4().hex project_id = uuid.uuid4().hex
url = self._get_project_endpoint_group_url( url = self._get_project_endpoint_group_url(
endpoint_group_id, project_id) endpoint_group_id, project_id)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_list_endpoint_groups_in_project(self): def test_list_endpoint_groups_in_project(self):
"""GET /OS-EP-FILTER/projects/{project_id}/endpoint_groups.""" """GET /OS-EP-FILTER/projects/{project_id}/endpoint_groups."""
@ -813,7 +814,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
project_id = uuid.uuid4().hex project_id = uuid.uuid4().hex
url = ('/OS-EP-FILTER/projects/%(project_id)s/endpoint_groups' % url = ('/OS-EP-FILTER/projects/%(project_id)s/endpoint_groups' %
{'project_id': project_id}) {'project_id': project_id})
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_empty_endpoint_groups_in_project(self): def test_empty_endpoint_groups_in_project(self):
"""Test when no endpoint groups associated with the project.""" """Test when no endpoint groups associated with the project."""
@ -848,7 +849,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
project_id = uuid.uuid4().hex project_id = uuid.uuid4().hex
url = self._get_project_endpoint_group_url( url = self._get_project_endpoint_group_url(
endpoint_group_id, project_id) endpoint_group_id, project_id)
self.head(url, expected_status=404) self.head(url, expected_status=http_client.NOT_FOUND)
def test_list_endpoint_groups(self): def test_list_endpoint_groups(self):
"""GET /OS-EP-FILTER/endpoint_groups.""" """GET /OS-EP-FILTER/endpoint_groups."""
@ -992,7 +993,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
# endpoint group association again # endpoint group association again
self.delete('/projects/%(project_id)s' % { self.delete('/projects/%(project_id)s' % {
'project_id': project['id']}) 'project_id': project['id']})
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_endpoint_group_project_cleanup_with_endpoint_group(self): def test_endpoint_group_project_cleanup_with_endpoint_group(self):
# create endpoint group # create endpoint group
@ -1012,7 +1013,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
# now remove the project endpoint group association # now remove the project endpoint group association
self.delete(url) self.delete(url)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_removing_an_endpoint_group_project(self): def test_removing_an_endpoint_group_project(self):
# create an endpoint group # create an endpoint group
@ -1026,7 +1027,7 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
# remove the endpoint group project # remove the endpoint group project
self.delete(url) self.delete(url)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_remove_endpoint_group_with_project_association(self): def test_remove_endpoint_group_with_project_association(self):
# create an endpoint group # create an endpoint group
@ -1044,8 +1045,9 @@ class EndpointGroupCRUDTestCase(TestExtensionCase):
'%(endpoint_group_id)s' '%(endpoint_group_id)s'
% {'endpoint_group_id': endpoint_group_id}) % {'endpoint_group_id': endpoint_group_id})
self.delete(endpoint_group_url) self.delete(endpoint_group_url)
self.get(endpoint_group_url, expected_status=404) self.get(endpoint_group_url, expected_status=http_client.NOT_FOUND)
self.get(project_endpoint_group_url, expected_status=404) self.get(project_endpoint_group_url,
expected_status=http_client.NOT_FOUND)
def _create_valid_endpoint_group(self, url, body): def _create_valid_endpoint_group(self, url, body):
r = self.post(url, body=body) r = self.post(url, body=body)
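Review bot: The docstring of test_delete_invalid_endpoint_group still opens with `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}`, although the body in the following hunk calls `self.delete(url, expected_status=http_client.NOT_FOUND)`. Since this commit touches that assertion, the first docstring line could be corrected to `DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group}`. The rest of the docstring lies outside the hunk, so its remaining wording should be checked as well.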


@ -14,6 +14,8 @@
import uuid import uuid
from six.moves import http_client
from keystone import catalog from keystone import catalog
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit.ksfixtures import database from keystone.tests.unit.ksfixtures import database
@ -102,16 +104,20 @@ class V2CatalogTestCase(rest.RestfulTestCase):
self.assertNotIn("internalurl", response.result['endpoint']) self.assertNotIn("internalurl", response.result['endpoint'])
def test_endpoint_create_with_null_publicurl(self): def test_endpoint_create_with_null_publicurl(self):
self._endpoint_create(expected_status=400, publicurl=None) self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl=None)
def test_endpoint_create_with_empty_publicurl(self): def test_endpoint_create_with_empty_publicurl(self):
self._endpoint_create(expected_status=400, publicurl='') self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl='')
def test_endpoint_create_with_null_service_id(self): def test_endpoint_create_with_null_service_id(self):
self._endpoint_create(expected_status=400, service_id=None) self._endpoint_create(expected_status=http_client.BAD_REQUEST,
service_id=None)
def test_endpoint_create_with_empty_service_id(self): def test_endpoint_create_with_empty_service_id(self):
self._endpoint_create(expected_status=400, service_id='') self._endpoint_create(expected_status=http_client.BAD_REQUEST,
service_id='')
def test_endpoint_create_with_valid_url(self): def test_endpoint_create_with_valid_url(self):
"""Create endpoint with valid URL should be tested, too.""" """Create endpoint with valid URL should be tested, too."""
@ -146,7 +152,7 @@ class V2CatalogTestCase(rest.RestfulTestCase):
# Case one: publicurl, internalurl and adminurl are # Case one: publicurl, internalurl and adminurl are
# all invalid # all invalid
for invalid_url in invalid_urls: for invalid_url in invalid_urls:
self._endpoint_create(expected_status=400, self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl=invalid_url, publicurl=invalid_url,
internalurl=invalid_url, internalurl=invalid_url,
adminurl=invalid_url) adminurl=invalid_url)
@ -154,7 +160,7 @@ class V2CatalogTestCase(rest.RestfulTestCase):
# Case two: publicurl, internalurl are invalid # Case two: publicurl, internalurl are invalid
# and adminurl is valid # and adminurl is valid
for invalid_url in invalid_urls: for invalid_url in invalid_urls:
self._endpoint_create(expected_status=400, self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl=invalid_url, publicurl=invalid_url,
internalurl=invalid_url, internalurl=invalid_url,
adminurl=valid_url) adminurl=valid_url)
@ -162,7 +168,7 @@ class V2CatalogTestCase(rest.RestfulTestCase):
# Case three: publicurl, adminurl are invalid # Case three: publicurl, adminurl are invalid
# and internalurl is valid # and internalurl is valid
for invalid_url in invalid_urls: for invalid_url in invalid_urls:
self._endpoint_create(expected_status=400, self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl=invalid_url, publicurl=invalid_url,
internalurl=valid_url, internalurl=valid_url,
adminurl=invalid_url) adminurl=invalid_url)
@ -170,7 +176,7 @@ class V2CatalogTestCase(rest.RestfulTestCase):
# Case four: internalurl, adminurl are invalid # Case four: internalurl, adminurl are invalid
# and publicurl is valid # and publicurl is valid
for invalid_url in invalid_urls: for invalid_url in invalid_urls:
self._endpoint_create(expected_status=400, self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl=valid_url, publicurl=valid_url,
internalurl=invalid_url, internalurl=invalid_url,
adminurl=invalid_url) adminurl=invalid_url)
@ -178,7 +184,7 @@ class V2CatalogTestCase(rest.RestfulTestCase):
# Case five: publicurl is invalid, internalurl # Case five: publicurl is invalid, internalurl
# and adminurl are valid # and adminurl are valid
for invalid_url in invalid_urls: for invalid_url in invalid_urls:
self._endpoint_create(expected_status=400, self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl=invalid_url, publicurl=invalid_url,
internalurl=valid_url, internalurl=valid_url,
adminurl=valid_url) adminurl=valid_url)
@ -186,7 +192,7 @@ class V2CatalogTestCase(rest.RestfulTestCase):
# Case six: internalurl is invalid, publicurl # Case six: internalurl is invalid, publicurl
# and adminurl are valid # and adminurl are valid
for invalid_url in invalid_urls: for invalid_url in invalid_urls:
self._endpoint_create(expected_status=400, self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl=valid_url, publicurl=valid_url,
internalurl=invalid_url, internalurl=invalid_url,
adminurl=valid_url) adminurl=valid_url)
@ -194,7 +200,7 @@ class V2CatalogTestCase(rest.RestfulTestCase):
# Case seven: adminurl is invalid, publicurl # Case seven: adminurl is invalid, publicurl
# and internalurl are valid # and internalurl are valid
for invalid_url in invalid_urls: for invalid_url in invalid_urls:
self._endpoint_create(expected_status=400, self._endpoint_create(expected_status=http_client.BAD_REQUEST,
publicurl=valid_url, publicurl=valid_url,
internalurl=valid_url, internalurl=valid_url,
adminurl=invalid_url) adminurl=invalid_url)


@ -16,6 +16,7 @@ import hashlib
import uuid import uuid
from oslo_config import cfg from oslo_config import cfg
from six.moves import http_client
import webob import webob
from keystone.common import authorization from keystone.common import authorization
@ -96,14 +97,14 @@ class JsonBodyMiddlewareTest(unit.TestCase):
content_type='application/json', content_type='application/json',
method='POST') method='POST')
resp = middleware.JsonBodyMiddleware(None).process_request(req) resp = middleware.JsonBodyMiddleware(None).process_request(req)
self.assertEqual(400, resp.status_int) self.assertEqual(http_client.BAD_REQUEST, resp.status_int)
def test_not_dict_body(self): def test_not_dict_body(self):
req = make_request(body='42', req = make_request(body='42',
content_type='application/json', content_type='application/json',
method='POST') method='POST')
resp = middleware.JsonBodyMiddleware(None).process_request(req) resp = middleware.JsonBodyMiddleware(None).process_request(req)
self.assertEqual(400, resp.status_int) self.assertEqual(http_client.BAD_REQUEST, resp.status_int)
self.assertTrue('valid JSON object' in resp.json['error']['message']) self.assertTrue('valid JSON object' in resp.json['error']['message'])
def test_no_content_type(self): def test_no_content_type(self):
@ -118,7 +119,7 @@ class JsonBodyMiddlewareTest(unit.TestCase):
content_type='text/plain', content_type='text/plain',
method='POST') method='POST')
resp = middleware.JsonBodyMiddleware(None).process_request(req) resp = middleware.JsonBodyMiddleware(None).process_request(req)
self.assertEqual(400, resp.status_int) self.assertEqual(http_client.BAD_REQUEST, resp.status_int)
def test_unrecognized_content_type_without_body(self): def test_unrecognized_content_type_without_body(self):
req = make_request(content_type='text/plain', req = make_request(content_type='text/plain',
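Review bot: In test_not_dict_body, the line right after the updated status assertion still uses `self.assertTrue('valid JSON object' in resp.json['error']['message'])`, which on failure reports only that False is not true. `self.assertIn('valid JSON object', resp.json['error']['message'])` would print the actual error message and make a regression in the middleware's rejection path easier to diagnose. This is unchanged context next to the edited line, so it could go in this commit or a follow-up.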


@ -14,6 +14,7 @@
import os import os
from six.moves import http_client
import webtest import webtest
from keystone.tests import unit from keystone.tests import unit
@ -56,4 +57,4 @@ class TestNoAdminTokenAuth(unit.TestCase):
# If the following does not raise, then the test is successful. # If the following does not raise, then the test is successful.
self.admin_app.get(REQ_PATH, headers={'X-Auth-Token': 'NotAdminToken'}, self.admin_app.get(REQ_PATH, headers={'X-Auth-Token': 'NotAdminToken'},
status=401) status=http_client.UNAUTHORIZED)


@ -19,6 +19,7 @@ import uuid
from keystoneclient.common import cms from keystoneclient.common import cms
from oslo_config import cfg from oslo_config import cfg
import six import six
from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.common import extension as keystone_extension from keystone.common import extension as keystone_extension
@ -70,13 +71,13 @@ class CoreApiTests(object):
def test_public_not_found(self): def test_public_not_found(self):
r = self.public_request( r = self.public_request(
path='/%s' % uuid.uuid4().hex, path='/%s' % uuid.uuid4().hex,
expected_status=404) expected_status=http_client.NOT_FOUND)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
def test_admin_not_found(self): def test_admin_not_found(self):
r = self.admin_request( r = self.admin_request(
path='/%s' % uuid.uuid4().hex, path='/%s' % uuid.uuid4().hex,
expected_status=404) expected_status=http_client.NOT_FOUND)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
def test_public_multiple_choice(self): def test_public_multiple_choice(self):
@ -107,11 +108,11 @@ class CoreApiTests(object):
def test_admin_extensions_404(self): def test_admin_extensions_404(self):
self.admin_request(path='/v2.0/extensions/invalid-extension', self.admin_request(path='/v2.0/extensions/invalid-extension',
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_public_osksadm_extension_404(self): def test_public_osksadm_extension_404(self):
self.public_request(path='/v2.0/extensions/OS-KSADM', self.public_request(path='/v2.0/extensions/OS-KSADM',
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_admin_osksadm_extension(self): def test_admin_osksadm_extension(self):
r = self.admin_request(path='/v2.0/extensions/OS-KSADM') r = self.admin_request(path='/v2.0/extensions/OS-KSADM')
@ -170,7 +171,7 @@ class CoreApiTests(object):
'token_id': 'invalid', 'token_id': 'invalid',
}, },
token=token, token=token,
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_validate_token_service_role(self): def test_validate_token_service_role(self):
self.md_foobar = self.assignment_api.add_role_to_user_and_project( self.md_foobar = self.assignment_api.add_role_to_user_and_project(
@ -204,7 +205,7 @@ class CoreApiTests(object):
r = self.admin_request( r = self.admin_request(
path='/v2.0/tokens/%s' % token, path='/v2.0/tokens/%s' % token,
token=token, token=token,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_validate_token_belongs_to(self): def test_validate_token_belongs_to(self):
token = self.get_scoped_token() token = self.get_scoped_token()
@ -306,7 +307,7 @@ class CoreApiTests(object):
}, },
}, },
token=token, token=token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
r = self.admin_request( r = self.admin_request(
@ -321,7 +322,7 @@ class CoreApiTests(object):
}, },
}, },
token=token, token=token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
# Test UPDATE request # Test UPDATE request
@ -338,7 +339,7 @@ class CoreApiTests(object):
}, },
}, },
token=token, token=token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
r = self.admin_request( r = self.admin_request(
@ -351,7 +352,7 @@ class CoreApiTests(object):
}, },
}, },
token=token, token=token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
def test_create_update_user_valid_enabled_type(self): def test_create_update_user_valid_enabled_type(self):
@ -373,7 +374,8 @@ class CoreApiTests(object):
def test_error_response(self): def test_error_response(self):
"""This triggers assertValidErrorResponse by convention.""" """This triggers assertValidErrorResponse by convention."""
self.public_request(path='/v2.0/tenants', expected_status=401) self.public_request(path='/v2.0/tenants',
expected_status=http_client.UNAUTHORIZED)
def test_invalid_parameter_error_response(self): def test_invalid_parameter_error_response(self):
token = self.get_scoped_token() token = self.get_scoped_token()
@ -387,13 +389,13 @@ class CoreApiTests(object):
path='/v2.0/OS-KSADM/services', path='/v2.0/OS-KSADM/services',
body=bad_body, body=bad_body,
token=token, token=token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(res) self.assertValidErrorResponse(res)
res = self.admin_request(method='POST', res = self.admin_request(method='POST',
path='/v2.0/users', path='/v2.0/users',
body=bad_body, body=bad_body,
token=token, token=token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(res) self.assertValidErrorResponse(res)
def _get_user_id(self, r): def _get_user_id(self, r):
@ -552,7 +554,7 @@ class CoreApiTests(object):
}, },
}, },
token=token, token=token,
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_update_user_with_invalid_tenant_no_prev_tenant(self): def test_update_user_with_invalid_tenant_no_prev_tenant(self):
token = self.get_scoped_token() token = self.get_scoped_token()
@ -584,7 +586,7 @@ class CoreApiTests(object):
}, },
}, },
token=token, token=token,
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_update_user_with_old_tenant(self): def test_update_user_with_old_tenant(self):
token = self.get_scoped_token() token = self.get_scoped_token()
@ -669,13 +671,13 @@ class CoreApiTests(object):
}, },
}, },
}, },
expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
def test_www_authenticate_header(self): def test_www_authenticate_header(self):
r = self.public_request( r = self.public_request(
path='/v2.0/tenants', path='/v2.0/tenants',
expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.assertEqual('Keystone uri="http://localhost"', self.assertEqual('Keystone uri="http://localhost"',
r.headers.get('WWW-Authenticate')) r.headers.get('WWW-Authenticate'))
@ -684,7 +686,7 @@ class CoreApiTests(object):
self.config_fixture.config(public_endpoint=test_url) self.config_fixture.config(public_endpoint=test_url)
r = self.public_request( r = self.public_request(
path='/v2.0/tenants', path='/v2.0/tenants',
expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.assertEqual('Keystone uri="%s"' % test_url, self.assertEqual('Keystone uri="%s"' % test_url,
r.headers.get('WWW-Authenticate')) r.headers.get('WWW-Authenticate'))
@ -1141,8 +1143,9 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests):
return r.result['user'][attribute_name] return r.result['user'][attribute_name]
def test_service_crud_requires_auth(self): def test_service_crud_requires_auth(self):
"""Service CRUD should 401 without an X-Auth-Token (bug 1006822).""" """Service CRUD should return unauthorized without an X-Auth-Token."""
# values here don't matter because we should 401 before they're checked # values here don't matter because it will be unauthorized before
# they're checked (bug 1006822).
service_path = '/v2.0/OS-KSADM/services/%s' % uuid.uuid4().hex service_path = '/v2.0/OS-KSADM/services/%s' % uuid.uuid4().hex
service_body = { service_body = {
'OS-KSADM:service': { 'OS-KSADM:service': {
@ -1153,41 +1156,43 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests):
r = self.admin_request(method='GET', r = self.admin_request(method='GET',
path='/v2.0/OS-KSADM/services', path='/v2.0/OS-KSADM/services',
expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
r = self.admin_request(method='POST', r = self.admin_request(method='POST',
path='/v2.0/OS-KSADM/services', path='/v2.0/OS-KSADM/services',
body=service_body, body=service_body,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
r = self.admin_request(method='GET', r = self.admin_request(method='GET',
path=service_path, path=service_path,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
r = self.admin_request(method='DELETE', r = self.admin_request(method='DELETE',
path=service_path, path=service_path,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
def test_user_role_list_requires_auth(self): def test_user_role_list_requires_auth(self):
"""User role list should 401 without an X-Auth-Token (bug 1006815).""" """User role list return unauthorized without an X-Auth-Token."""
# values here don't matter because we should 401 before they're checked # values here don't matter because it will be unauthorized before
# they're checked (bug 1006815).
path = '/v2.0/tenants/%(tenant_id)s/users/%(user_id)s/roles' % { path = '/v2.0/tenants/%(tenant_id)s/users/%(user_id)s/roles' % {
'tenant_id': uuid.uuid4().hex, 'tenant_id': uuid.uuid4().hex,
'user_id': uuid.uuid4().hex, 'user_id': uuid.uuid4().hex,
} }
r = self.admin_request(path=path, expected_status=401) r = self.admin_request(path=path,
expected_status=http_client.UNAUTHORIZED)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
def test_fetch_revocation_list_nonadmin_fails(self): def test_fetch_revocation_list_nonadmin_fails(self):
self.admin_request( self.admin_request(
method='GET', method='GET',
path='/v2.0/tokens/revoked', path='/v2.0/tokens/revoked',
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_fetch_revocation_list_admin_200(self): def test_fetch_revocation_list_admin_200(self):
token = self.get_scoped_token() token = self.get_scoped_token()
@ -1278,7 +1283,7 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests):
}, },
}, },
token=token, token=token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
# Test UPDATE request # Test UPDATE request
@ -1294,7 +1299,7 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests):
}, },
}, },
token=token, token=token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(r) self.assertValidErrorResponse(r)
def test_authenticating_a_user_with_an_OSKSADM_password(self): def test_authenticating_a_user_with_an_OSKSADM_password(self):


@ -22,6 +22,7 @@ import mock
from oslo_config import cfg from oslo_config import cfg
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from oslo_utils import timeutils from oslo_utils import timeutils
from six.moves import http_client
from six.moves import range from six.moves import range
import webob import webob
@ -1032,7 +1033,8 @@ class ClientDrivenTestCase(unit.TestCase):
(new_password, self.user_two['password'])) (new_password, self.user_two['password']))
self.public_server.application(req.environ, self.public_server.application(req.environ,
responseobject.start_fake_response) responseobject.start_fake_response)
self.assertEqual(403, responseobject.response_status) self.assertEqual(http_client.FORBIDDEN,
responseobject.response_status)
self.user_two['password'] = new_password self.user_two['password'] = new_password
self.assertRaises(client_exceptions.Unauthorized, self.assertRaises(client_exceptions.Unauthorized,
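Review bot: The `self.assertEqual(http_client.FORBIDDEN, responseobject.response_status)` assertion has no comment saying what is being refused. From the visible lines it appears to be a password-change request sent through `public_server`, followed by a check that logging in with the new password raises `client_exceptions.Unauthorized`. A one-line comment above the assertion, such as `# the password change must be refused, so the new password must not authenticate below`, would tie the two checks together. The test method starts and ends outside the hunk, so confirm the wording against the full body.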


@ -14,6 +14,7 @@ import random
import uuid import uuid
from oslo_config import cfg from oslo_config import cfg
from six.moves import http_client
from six.moves import range from six.moves import range
from keystone.common import controller from keystone.common import controller
@ -75,9 +76,10 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
body={'domain': ref}) body={'domain': ref})
self.assertValidDomainResponse(r, ref) self.assertValidDomainResponse(r, ref)
def test_create_domain_400(self): def test_create_domain_bad_request(self):
"""Call ``POST /domains``.""" """Call ``POST /domains``."""
self.post('/domains', body={'domain': {}}, expected_status=400) self.post('/domains', body={'domain': {}},
expected_status=http_client.BAD_REQUEST)
def test_list_domains(self): def test_list_domains(self):
"""Call ``GET /domains``.""" """Call ``GET /domains``."""
@ -133,7 +135,8 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
} }
} }
self.admin_request( self.admin_request(
path='/v2.0/tokens', method='POST', body=body, expected_status=401) path='/v2.0/tokens', method='POST', body=body,
expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user2['id'], user_id=self.user2['id'],
@ -160,21 +163,24 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
} }
} }
self.admin_request( self.admin_request(
path='/v2.0/tokens', method='POST', body=body, expected_status=401) path='/v2.0/tokens', method='POST', body=body,
expected_status=http_client.UNAUTHORIZED)
# Try looking up in v3 by name and id # Try looking up in v3 by name and id
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user2['id'], user_id=self.user2['id'],
password=self.user2['password'], password=self.user2['password'],
project_id=self.project2['id']) project_id=self.project2['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
username=self.user2['name'], username=self.user2['name'],
user_domain_id=self.domain2['id'], user_domain_id=self.domain2['id'],
password=self.user2['password'], password=self.user2['password'],
project_id=self.project2['id']) project_id=self.project2['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_delete_enabled_domain_fails(self): def test_delete_enabled_domain_fails(self):
"""Call ``DELETE /domains/{domain_id}`` (when domain enabled).""" """Call ``DELETE /domains/{domain_id}`` (when domain enabled)."""
@ -370,7 +376,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
# as the domain has already been disabled. # as the domain has already been disabled.
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'x-subject-token': subject_token}, headers={'x-subject-token': subject_token},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_delete_domain_hierarchy(self): def test_delete_domain_hierarchy(self):
"""Call ``DELETE /domains/{domain_id}``.""" """Call ``DELETE /domains/{domain_id}``."""
@ -485,14 +491,16 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
body={'project': ref}) body={'project': ref})
self.assertValidProjectResponse(r, ref) self.assertValidProjectResponse(r, ref)
def test_create_project_400(self): def test_create_project_bad_request(self):
"""Call ``POST /projects``.""" """Call ``POST /projects``."""
self.post('/projects', body={'project': {}}, expected_status=400) self.post('/projects', body={'project': {}},
expected_status=http_client.BAD_REQUEST)
def test_create_project_invalid_domain_id(self): def test_create_project_invalid_domain_id(self):
"""Call ``POST /projects``.""" """Call ``POST /projects``."""
ref = self.new_project_ref(domain_id=uuid.uuid4().hex) ref = self.new_project_ref(domain_id=uuid.uuid4().hex)
self.post('/projects', body={'project': ref}, expected_status=400) self.post('/projects', body={'project': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_project_is_domain_not_allowed(self): def test_create_project_is_domain_not_allowed(self):
"""Call ``POST /projects``. """Call ``POST /projects``.
@ -644,18 +652,20 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
def test_get_project_with_parents_as_list_with_invalid_id(self): def test_get_project_with_parents_as_list_with_invalid_id(self):
"""Call ``GET /projects/{project_id}?parents_as_list``.""" """Call ``GET /projects/{project_id}?parents_as_list``."""
self.get('/projects/%(project_id)s?parents_as_list' % { self.get('/projects/%(project_id)s?parents_as_list' % {
'project_id': None}, expected_status=404) 'project_id': None}, expected_status=http_client.NOT_FOUND)
self.get('/projects/%(project_id)s?parents_as_list' % { self.get('/projects/%(project_id)s?parents_as_list' % {
'project_id': uuid.uuid4().hex}, expected_status=404) 'project_id': uuid.uuid4().hex},
expected_status=http_client.NOT_FOUND)
def test_get_project_with_subtree_as_list_with_invalid_id(self): def test_get_project_with_subtree_as_list_with_invalid_id(self):
"""Call ``GET /projects/{project_id}?subtree_as_list``.""" """Call ``GET /projects/{project_id}?subtree_as_list``."""
self.get('/projects/%(project_id)s?subtree_as_list' % { self.get('/projects/%(project_id)s?subtree_as_list' % {
'project_id': None}, expected_status=404) 'project_id': None}, expected_status=http_client.NOT_FOUND)
self.get('/projects/%(project_id)s?subtree_as_list' % { self.get('/projects/%(project_id)s?subtree_as_list' % {
'project_id': uuid.uuid4().hex}, expected_status=404) 'project_id': uuid.uuid4().hex},
expected_status=http_client.NOT_FOUND)
def test_get_project_with_parents_as_ids(self): def test_get_project_with_parents_as_ids(self):
"""Call ``GET /projects/{project_id}?parents_as_ids``.""" """Call ``GET /projects/{project_id}?parents_as_ids``."""
@ -766,7 +776,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.get( self.get(
'/projects/%(project_id)s?parents_as_list&parents_as_ids' % { '/projects/%(project_id)s?parents_as_list&parents_as_ids' % {
'project_id': projects[1]['project']['id']}, 'project_id': projects[1]['project']['id']},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_get_project_with_subtree_as_ids(self): def test_get_project_with_subtree_as_ids(self):
"""Call ``GET /projects/{project_id}?subtree_as_ids``. """Call ``GET /projects/{project_id}?subtree_as_ids``.
@ -928,7 +938,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.get( self.get(
'/projects/%(project_id)s?subtree_as_list&subtree_as_ids' % { '/projects/%(project_id)s?subtree_as_list&subtree_as_ids' % {
'project_id': projects[1]['project']['id']}, 'project_id': projects[1]['project']['id']},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_update_project(self): def test_update_project(self):
"""Call ``PATCH /projects/{project_id}``.""" """Call ``PATCH /projects/{project_id}``."""
@ -965,7 +975,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
'/projects/%(project_id)s' % { '/projects/%(project_id)s' % {
'project_id': leaf_project['id']}, 'project_id': leaf_project['id']},
body={'project': leaf_project}, body={'project': leaf_project},
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_update_project_is_domain_not_allowed(self): def test_update_project_is_domain_not_allowed(self):
"""Call ``PATCH /projects/{project_id}`` with is_domain. """Call ``PATCH /projects/{project_id}`` with is_domain.
@ -981,7 +991,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.patch('/projects/%(project_id)s' % { self.patch('/projects/%(project_id)s' % {
'project_id': resp.result['project']['id']}, 'project_id': resp.result['project']['id']},
body={'project': project}, body={'project': project},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_disable_leaf_project(self): def test_disable_leaf_project(self):
"""Call ``PATCH /projects/{project_id}``.""" """Call ``PATCH /projects/{project_id}``."""
@ -1004,7 +1014,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
'/projects/%(project_id)s' % { '/projects/%(project_id)s' % {
'project_id': root_project['id']}, 'project_id': root_project['id']},
body={'project': root_project}, body={'project': root_project},
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_delete_project(self): def test_delete_project(self):
"""Call ``DELETE /projects/{project_id}`` """Call ``DELETE /projects/{project_id}``
@ -1048,7 +1058,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.delete( self.delete(
'/projects/%(project_id)s' % { '/projects/%(project_id)s' % {
'project_id': projects[0]['project']['id']}, 'project_id': projects[0]['project']['id']},
expected_status=403) expected_status=http_client.FORBIDDEN)
# Role CRUD tests # Role CRUD tests
@ -1060,9 +1070,10 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
body={'role': ref}) body={'role': ref})
return self.assertValidRoleResponse(r, ref) return self.assertValidRoleResponse(r, ref)
def test_create_role_400(self): def test_create_role_bad_request(self):
"""Call ``POST /roles``.""" """Call ``POST /roles``."""
self.post('/roles', body={'role': {}}, expected_status=400) self.post('/roles', body={'role': {}},
expected_status=http_client.BAD_REQUEST)
def test_list_roles(self): def test_list_roles(self):
"""Call ``GET /roles``.""" """Call ``GET /roles``."""
@ -1132,7 +1143,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
"""Grant role on a project to a user that doesn't exist, 404 result. """Grant role on a project to a user that doesn't exist, 404 result.
When grant a role on a project to a user that doesn't exist, the server When grant a role on a project to a user that doesn't exist, the server
returns 404 Not Found for the user. returns Not Found for the user.
""" """
@ -1145,7 +1156,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url, expected_status=404) self.put(member_url, expected_status=http_client.NOT_FOUND)
def test_crud_user_domain_role_grants(self): def test_crud_user_domain_role_grants(self):
collection_url = ( collection_url = (
@ -1184,7 +1195,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url, expected_status=404) self.put(member_url, expected_status=http_client.NOT_FOUND)
def test_crud_group_project_role_grants(self): def test_crud_group_project_role_grants(self):
collection_url = ( collection_url = (
@ -1224,7 +1235,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url, expected_status=404) self.put(member_url, expected_status=http_client.NOT_FOUND)
def test_crud_group_domain_role_grants(self): def test_crud_group_domain_role_grants(self):
collection_url = ( collection_url = (
@ -1264,7 +1275,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url, expected_status=404) self.put(member_url, expected_status=http_client.NOT_FOUND)
def _create_new_user_and_assign_role_on_project(self): def _create_new_user_and_assign_role_on_project(self):
"""Create a new user and assign user a role on a project.""" """Create a new user and assign user a role on a project."""
@ -1292,7 +1303,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
# Clean up the role assignment # Clean up the role assignment
self.delete(member_url, expected_status=204) self.delete(member_url, expected_status=204)
# Make sure the role is gone # Make sure the role is gone
self.head(member_url, expected_status=404) self.head(member_url, expected_status=http_client.NOT_FOUND)
def test_delete_user_and_check_role_assignment_fails(self): def test_delete_user_and_check_role_assignment_fails(self):
"""Call ``DELETE`` on the user and check the role assignment.""" """Call ``DELETE`` on the user and check the role assignment."""
@ -1301,7 +1312,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
self.identity_api.delete_user(user['id']) self.identity_api.delete_user(user['id'])
# We should get a 404 when looking for the user in the identity # We should get a 404 when looking for the user in the identity
# backend because we're not performing a delete operation on the role. # backend because we're not performing a delete operation on the role.
self.head(member_url, expected_status=404) self.head(member_url, expected_status=http_client.NOT_FOUND)
def test_token_revoked_once_group_role_grant_revoked(self): def test_token_revoked_once_group_role_grant_revoked(self):
"""Test token is revoked when group role grant is revoked """Test token is revoked when group role grant is revoked
@ -1343,7 +1354,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
# validates the same token again; it should not longer be valid. # validates the same token again; it should not longer be valid.
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'x-subject-token': token}, headers={'x-subject-token': token},
expected_status=404) expected_status=http_client.NOT_FOUND)
# Role Assignments tests # Role Assignments tests
@ -1903,24 +1914,24 @@ class RoleAssignmentFailureTestCase(RoleAssignmentBaseTestCase):
def test_get_role_assignments_by_domain_and_project(self): def test_get_role_assignments_by_domain_and_project(self):
self.get_role_assignments(domain_id=self.domain_id, self.get_role_assignments(domain_id=self.domain_id,
project_id=self.project_id, project_id=self.project_id,
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_get_role_assignments_by_user_and_group(self): def test_get_role_assignments_by_user_and_group(self):
self.get_role_assignments(user_id=self.default_user_id, self.get_role_assignments(user_id=self.default_user_id,
group_id=self.default_group_id, group_id=self.default_group_id,
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_get_role_assignments_by_effective_and_inherited(self): def test_get_role_assignments_by_effective_and_inherited(self):
self.config_fixture.config(group='os_inherit', enabled=True) self.config_fixture.config(group='os_inherit', enabled=True)
self.get_role_assignments(domain_id=self.domain_id, effective=True, self.get_role_assignments(domain_id=self.domain_id, effective=True,
inherited_to_projects=True, inherited_to_projects=True,
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_get_role_assignments_by_effective_and_group(self): def test_get_role_assignments_by_effective_and_group(self):
self.get_role_assignments(effective=True, self.get_role_assignments(effective=True,
group_id=self.default_group_id, group_id=self.default_group_id,
expected_status=400) expected_status=http_client.BAD_REQUEST)
class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase): class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase):
@ -2193,8 +2204,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
project_id=self.project_id) project_id=self.project_id)
# Check the user cannot get a domain nor a project token # Check the user cannot get a domain nor a project token
self.v3_authenticate_token(domain_auth_data, expected_status=401) self.v3_authenticate_token(domain_auth_data,
self.v3_authenticate_token(project_auth_data, expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED)
# Grant non-inherited role for user on domain # Grant non-inherited role for user on domain
non_inher_ud_link = self.build_role_assignment_link( non_inher_ud_link = self.build_role_assignment_link(
@ -2203,7 +2216,8 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
# Check the user can get only a domain token # Check the user can get only a domain token
self.v3_authenticate_token(domain_auth_data) self.v3_authenticate_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data, expected_status=401) self.v3_authenticate_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED)
# Create inherited role # Create inherited role
inherited_role = {'id': uuid.uuid4().hex, 'name': 'inherited'} inherited_role = {'id': uuid.uuid4().hex, 'name': 'inherited'}
@ -2224,13 +2238,15 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
# Check the user can only get a domain token # Check the user can only get a domain token
self.v3_authenticate_token(domain_auth_data) self.v3_authenticate_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data, expected_status=401) self.v3_authenticate_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_ud_link) self.delete(non_inher_ud_link)
# Check the user cannot get a domain token anymore # Check the user cannot get a domain token anymore
self.v3_authenticate_token(domain_auth_data, expected_status=401) self.v3_authenticate_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_get_token_from_inherited_group_domain_role_grants(self): def test_get_token_from_inherited_group_domain_role_grants(self):
# Create a new group and put a new user in it to # Create a new group and put a new user in it to
@ -2255,8 +2271,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
project_id=self.project_id) project_id=self.project_id)
# Check the user cannot get a domain nor a project token # Check the user cannot get a domain nor a project token
self.v3_authenticate_token(domain_auth_data, expected_status=401) self.v3_authenticate_token(domain_auth_data,
self.v3_authenticate_token(project_auth_data, expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED)
# Grant non-inherited role for user on domain # Grant non-inherited role for user on domain
non_inher_gd_link = self.build_role_assignment_link( non_inher_gd_link = self.build_role_assignment_link(
@ -2265,7 +2283,8 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
# Check the user can get only a domain token # Check the user can get only a domain token
self.v3_authenticate_token(domain_auth_data) self.v3_authenticate_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data, expected_status=401) self.v3_authenticate_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED)
# Create inherited role # Create inherited role
inherited_role = {'id': uuid.uuid4().hex, 'name': 'inherited'} inherited_role = {'id': uuid.uuid4().hex, 'name': 'inherited'}
@ -2286,13 +2305,15 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
# Check the user can only get a domain token # Check the user can only get a domain token
self.v3_authenticate_token(domain_auth_data) self.v3_authenticate_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data, expected_status=401) self.v3_authenticate_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_gd_link) self.delete(non_inher_gd_link)
# Check the user cannot get a domain token anymore # Check the user cannot get a domain token anymore
self.v3_authenticate_token(domain_auth_data, expected_status=401) self.v3_authenticate_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED)
def _test_crud_inherited_and_direct_assignment_on_target(self, target_url): def _test_crud_inherited_and_direct_assignment_on_target(self, target_url):
# Create a new role to avoid assignments loaded from sample data # Create a new role to avoid assignments loaded from sample data
@ -2308,7 +2329,7 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(direct_url) self.put(direct_url)
# Check the direct assignment exists, but the inherited one does not # Check the direct assignment exists, but the inherited one does not
self.head(direct_url) self.head(direct_url)
self.head(inherited_url, expected_status=404) self.head(inherited_url, expected_status=http_client.NOT_FOUND)
# Now add the inherited assignment # Now add the inherited assignment
self.put(inherited_url) self.put(inherited_url)
@ -2320,13 +2341,13 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.delete(inherited_url) self.delete(inherited_url)
# Check the direct assignment exists, but the inherited one does not # Check the direct assignment exists, but the inherited one does not
self.head(direct_url) self.head(direct_url)
self.head(inherited_url, expected_status=404) self.head(inherited_url, expected_status=http_client.NOT_FOUND)
# Now delete the inherited assignment # Now delete the inherited assignment
self.delete(direct_url) self.delete(direct_url)
# Check that none of them exist # Check that none of them exist
self.head(direct_url, expected_status=404) self.head(direct_url, expected_status=http_client.NOT_FOUND)
self.head(inherited_url, expected_status=404) self.head(inherited_url, expected_status=http_client.NOT_FOUND)
def test_crud_inherited_and_direct_assignment_on_domains(self): def test_crud_inherited_and_direct_assignment_on_domains(self):
self._test_crud_inherited_and_direct_assignment_on_target( self._test_crud_inherited_and_direct_assignment_on_target(
@ -2801,8 +2822,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
project_id=leaf_id) project_id=leaf_id)
# Check the user cannot get a token on root nor leaf project # Check the user cannot get a token on root nor leaf project
self.v3_authenticate_token(root_project_auth_data, expected_status=401) self.v3_authenticate_token(root_project_auth_data,
self.v3_authenticate_token(leaf_project_auth_data, expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
# Grant non-inherited role for user on leaf project # Grant non-inherited role for user on leaf project
non_inher_up_link = self.build_role_assignment_link( non_inher_up_link = self.build_role_assignment_link(
@ -2811,7 +2834,8 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(non_inher_up_link) self.put(non_inher_up_link)
# Check the user can only get a token on leaf project # Check the user can only get a token on leaf project
self.v3_authenticate_token(root_project_auth_data, expected_status=401) self.v3_authenticate_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_authenticate_token(leaf_project_auth_data)
# Grant inherited role for user on root project # Grant inherited role for user on root project
@ -2821,21 +2845,24 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(inher_up_link) self.put(inher_up_link)
# Check the user still can get a token only on leaf project # Check the user still can get a token only on leaf project
self.v3_authenticate_token(root_project_auth_data, expected_status=401) self.v3_authenticate_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_authenticate_token(leaf_project_auth_data)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_up_link) self.delete(non_inher_up_link)
# Check the inherited role still applies for leaf project # Check the inherited role still applies for leaf project
self.v3_authenticate_token(root_project_auth_data, expected_status=401) self.v3_authenticate_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_authenticate_token(leaf_project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_up_link) self.delete(inher_up_link)
# Check the user cannot get a token on leaf project anymore # Check the user cannot get a token on leaf project anymore
self.v3_authenticate_token(leaf_project_auth_data, expected_status=401) self.v3_authenticate_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_get_token_from_inherited_group_project_role_grants(self): def test_get_token_from_inherited_group_project_role_grants(self):
# Create default scenario # Create default scenario
@ -2858,8 +2885,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
project_id=leaf_id) project_id=leaf_id)
# Check the user cannot get a token on root nor leaf project # Check the user cannot get a token on root nor leaf project
self.v3_authenticate_token(root_project_auth_data, expected_status=401) self.v3_authenticate_token(root_project_auth_data,
self.v3_authenticate_token(leaf_project_auth_data, expected_status=401) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
# Grant non-inherited role for group on leaf project # Grant non-inherited role for group on leaf project
non_inher_gp_link = self.build_role_assignment_link( non_inher_gp_link = self.build_role_assignment_link(
@ -2868,7 +2897,8 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(non_inher_gp_link) self.put(non_inher_gp_link)
# Check the user can only get a token on leaf project # Check the user can only get a token on leaf project
self.v3_authenticate_token(root_project_auth_data, expected_status=401) self.v3_authenticate_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_authenticate_token(leaf_project_auth_data)
# Grant inherited role for group on root project # Grant inherited role for group on root project
@ -2878,7 +2908,8 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(inher_gp_link) self.put(inher_gp_link)
# Check the user still can get a token only on leaf project # Check the user still can get a token only on leaf project
self.v3_authenticate_token(root_project_auth_data, expected_status=401) self.v3_authenticate_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_authenticate_token(leaf_project_auth_data)
# Delete no-inherited grant # Delete no-inherited grant
@ -2891,7 +2922,8 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.delete(inher_gp_link) self.delete(inher_gp_link)
# Check the user cannot get a token on leaf project anymore # Check the user cannot get a token on leaf project anymore
self.v3_authenticate_token(leaf_project_auth_data, expected_status=401) self.v3_authenticate_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_get_role_assignments_for_project_hierarchy(self): def test_get_role_assignments_for_project_hierarchy(self):
"""Call ``GET /role_assignments``. """Call ``GET /role_assignments``.
@ -3069,10 +3101,10 @@ class AssignmentInheritanceDisabledTestCase(test_v3.RestfulTestCase):
'role_id': role['id']} 'role_id': role['id']}
collection_url = base_collection_url + '/inherited_to_projects' collection_url = base_collection_url + '/inherited_to_projects'
self.put(member_url, expected_status=404) self.put(member_url, expected_status=http_client.NOT_FOUND)
self.head(member_url, expected_status=404) self.head(member_url, expected_status=http_client.NOT_FOUND)
self.get(collection_url, expected_status=404) self.get(collection_url, expected_status=http_client.NOT_FOUND)
self.delete(member_url, expected_status=404) self.delete(member_url, expected_status=http_client.NOT_FOUND)
class AssignmentV3toV2MethodsTestCase(unit.TestCase): class AssignmentV3toV2MethodsTestCase(unit.TestCase):
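Review bot: The cleanup call `self.delete(member_url, expected_status=204)`, in the hunk that ends just before `test_delete_user_and_check_role_assignment_fails`, still passes a literal status directly above a line this commit converts. Writing it as `expected_status=http_client.NO_CONTENT` would keep the two checks in the same form. Numeric wording also survives in text next to converted lines: the docstring summary "…to a user that doesn't exist, 404 result." sits above a body reworded to "returns Not Found", and the comment `# We should get a 404 when looking for the user` sits above a converted `self.head(...)`. The test enclosing the `delete` call starts outside the hunk.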


@ -22,6 +22,7 @@ from keystoneclient.common import cms
import mock import mock
from oslo_config import cfg from oslo_config import cfg
from oslo_utils import timeutils from oslo_utils import timeutils
from six.moves import http_client
from six.moves import range from six.moves import range
from testtools import matchers from testtools import matchers
from testtools import testcase from testtools import testcase
@ -141,7 +142,7 @@ class TokenAPITests(object):
path='/v2.0/tokens/%s' % v3_token, path='/v2.0/tokens/%s' % v3_token,
token=CONF.admin_token, token=CONF.admin_token,
method='GET', method='GET',
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_new_default_domain(self): def test_v3_v2_intermix_new_default_domain(self):
# If the default_domain_id config option is changed, then should be # If the default_domain_id config option is changed, then should be
@ -199,7 +200,7 @@ class TokenAPITests(object):
method='GET', method='GET',
path='/v2.0/tokens/%s' % v3_token, path='/v2.0/tokens/%s' % v3_token,
token=CONF.admin_token, token=CONF.admin_token,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_non_default_project_failed(self): def test_v3_v2_intermix_non_default_project_failed(self):
# self.project is in a non-default domain # self.project is in a non-default domain
@ -213,7 +214,7 @@ class TokenAPITests(object):
method='GET', method='GET',
path='/v2.0/tokens/%s' % v3_token, path='/v2.0/tokens/%s' % v3_token,
token=CONF.admin_token, token=CONF.admin_token,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_non_default_user_failed(self): def test_v3_v2_intermix_non_default_user_failed(self):
self.assignment_api.create_grant( self.assignment_api.create_grant(
@ -232,7 +233,7 @@ class TokenAPITests(object):
method='GET', method='GET',
path='/v2.0/tokens/%s' % v3_token, path='/v2.0/tokens/%s' % v3_token,
token=CONF.admin_token, token=CONF.admin_token,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_domain_scope_failed(self): def test_v3_v2_intermix_domain_scope_failed(self):
self.assignment_api.create_grant( self.assignment_api.create_grant(
@ -250,7 +251,7 @@ class TokenAPITests(object):
path='/v2.0/tokens/%s' % v3_token, path='/v2.0/tokens/%s' % v3_token,
token=CONF.admin_token, token=CONF.admin_token,
method='GET', method='GET',
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_unscoped_token_intermix(self): def test_v3_v2_unscoped_token_intermix(self):
r = self.v3_authenticate_token(self.build_authentication_request( r = self.v3_authenticate_token(self.build_authentication_request(
@ -390,7 +391,7 @@ class TokenAPITests(object):
# Attempting to use the deleted token on v2 should fail. # Attempting to use the deleted token on v2 should fail.
self.admin_request( self.admin_request(
path='/v2.0/tenants', method='GET', token=v2_token, path='/v2.0/tenants', method='GET', token=v2_token,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_rescoping_token(self): def test_rescoping_token(self):
expires = self.v3_token_data['token']['expires_at'] expires = self.v3_token_data['token']['expires_at']
@ -434,7 +435,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
self.build_authentication_request( self.build_authentication_request(
token=self.get_scoped_token(), token=self.get_scoped_token(),
project_id=self.project_id), project_id=self.project_id),
expected_status=403) expected_status=http_client.FORBIDDEN)
def _v2_token(self): def _v2_token(self):
body = { body = {
@ -460,7 +461,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
self.admin_request(path='/v2.0/tokens', self.admin_request(path='/v2.0/tokens',
method='POST', method='POST',
body=body, body=body,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_rescoping_v2_to_v3_disabled(self): def test_rescoping_v2_to_v3_disabled(self):
token = self._v2_token() token = self._v2_token()
@ -468,7 +469,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
self.build_authentication_request( self.build_authentication_request(
token=token['access']['token']['id'], token=token['access']['token']['id'],
project_id=self.project_id), project_id=self.project_id),
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_rescoping_v3_to_v2_disabled(self): def test_rescoping_v3_to_v2_disabled(self):
token = {'id': self.get_scoped_token()} token = {'id': self.get_scoped_token()}
@ -498,7 +499,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
self.build_authentication_request( self.build_authentication_request(
token=domain_scoped_token, token=domain_scoped_token,
project_id=self.project_id), project_id=self.project_id),
expected_status=403) expected_status=http_client.FORBIDDEN)
class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests): class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
@ -660,17 +661,21 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
token=user_token) token=user_token)
self.delete('/auth/tokens', headers=headers, expected_status=204, self.delete('/auth/tokens', headers=headers, expected_status=204,
token=user_token) token=user_token)
# invalid X-Auth-Token and invalid X-Subject-Token (401) # invalid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers, expected_status=401, self.head('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token) token=user_token)
# invalid X-Auth-Token and invalid X-Subject-Token (401) # invalid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers, expected_status=401, self.delete('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token) token=user_token)
# valid X-Auth-Token and invalid X-Subject-Token (404) # valid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers, expected_status=404, self.delete('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token) token=adminA_token)
# valid X-Auth-Token and invalid X-Subject-Token (404) # valid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers, expected_status=404, self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token) token=adminA_token)
def test_adminA_revokes_userA_token(self): def test_adminA_revokes_userA_token(self):
@ -694,14 +699,17 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
token=user_token) token=user_token)
self.delete('/auth/tokens', headers=headers, expected_status=204, self.delete('/auth/tokens', headers=headers, expected_status=204,
token=adminA_token) token=adminA_token)
# invalid X-Auth-Token and invalid X-Subject-Token (401) # invalid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers, expected_status=401, self.head('/auth/tokens', headers=headers,
expected_status=http_client.UNAUTHORIZED,
token=user_token) token=user_token)
# valid X-Auth-Token and invalid X-Subject-Token (404) # valid X-Auth-Token and invalid X-Subject-Token
self.delete('/auth/tokens', headers=headers, expected_status=404, self.delete('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token) token=adminA_token)
# valid X-Auth-Token and invalid X-Subject-Token (404) # valid X-Auth-Token and invalid X-Subject-Token
self.head('/auth/tokens', headers=headers, expected_status=404, self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND,
token=adminA_token) token=adminA_token)
def test_adminB_fails_revoking_userA_token(self): def test_adminB_fails_revoking_userA_token(self):
@ -729,9 +737,11 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
password=self.userAdminB['password'], password=self.userAdminB['password'],
domain_name=self.domainB['name'])) domain_name=self.domainB['name']))
self.head('/auth/tokens', headers=headers, expected_status=403, self.head('/auth/tokens', headers=headers,
expected_status=http_client.FORBIDDEN,
token=adminB_token) token=adminB_token)
self.delete('/auth/tokens', headers=headers, expected_status=403, self.delete('/auth/tokens', headers=headers,
expected_status=http_client.FORBIDDEN,
token=adminB_token) token=adminB_token)
@ -907,7 +917,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.delete(grant_url) self.delete(grant_url)
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token}, headers={'X-Subject-Token': token},
expected_status=404) expected_status=http_client.NOT_FOUND)
def role_data_fixtures(self): def role_data_fixtures(self):
self.projectC = self.new_project_ref(domain_id=self.domainA['id']) self.projectC = self.new_project_ref(domain_id=self.domainA['id'])
@ -1019,16 +1029,16 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
# Check the tokens that used role1 is invalid # Check the tokens that used role1 is invalid
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': tokenA}, headers={'X-Subject-Token': tokenA},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': tokenB}, headers={'X-Subject-Token': tokenB},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': tokenD}, headers={'X-Subject-Token': tokenD},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': tokenE}, headers={'X-Subject-Token': tokenE},
expected_status=404) expected_status=http_client.NOT_FOUND)
# ...but the one using role2 is still valid # ...but the one using role2 is still valid
self.head('/auth/tokens', self.head('/auth/tokens',
@ -1086,13 +1096,13 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
# user should no longer have access to the project # user should no longer have access to the project
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token}, headers={'X-Subject-Token': token},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.v3_authenticate_token( self.v3_authenticate_token(
self.build_authentication_request( self.build_authentication_request(
user_id=self.user3['id'], user_id=self.user3['id'],
password=self.user3['password'], password=self.user3['password'],
project_id=self.projectA['id']), project_id=self.projectA['id']),
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_deleting_project_revokes_token(self): def test_deleting_project_revokes_token(self):
token = self.get_requested_token( token = self.get_requested_token(
@ -1113,13 +1123,13 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
# user should no longer have access to the project # user should no longer have access to the project
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token}, headers={'X-Subject-Token': token},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.v3_authenticate_token( self.v3_authenticate_token(
self.build_authentication_request( self.build_authentication_request(
user_id=self.user3['id'], user_id=self.user3['id'],
password=self.user3['password'], password=self.user3['password'],
project_id=self.projectA['id']), project_id=self.projectA['id']),
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_deleting_group_grant_revokes_tokens(self): def test_deleting_group_grant_revokes_tokens(self):
"""Test deleting a group grant revokes tokens. """Test deleting a group grant revokes tokens.
@ -1171,15 +1181,15 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.delete(grant_url) self.delete(grant_url)
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token1}, headers={'X-Subject-Token': token1},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token2}, headers={'X-Subject-Token': token2},
expected_status=404) expected_status=http_client.NOT_FOUND)
# But user3's token should be invalid too as revocation is done for # But user3's token should be invalid too as revocation is done for
# scope role & project # scope role & project
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token3}, headers={'X-Subject-Token': token3},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_domain_group_role_assignment_maintains_token(self): def test_domain_group_role_assignment_maintains_token(self):
"""Test domain-group role assignment maintains existing token. """Test domain-group role assignment maintains existing token.
@ -1251,7 +1261,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
'user_id': self.user1['id']}) 'user_id': self.user1['id']})
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token1}, headers={'X-Subject-Token': token1},
expected_status=404) expected_status=http_client.NOT_FOUND)
# But user2's token should still be valid # But user2's token should still be valid
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token2}, headers={'X-Subject-Token': token2},
@ -1295,13 +1305,13 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
# authorization for the first user should now fail # authorization for the first user should now fail
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': user1_token}, headers={'X-Subject-Token': user1_token},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.v3_authenticate_token( self.v3_authenticate_token(
self.build_authentication_request( self.build_authentication_request(
user_id=self.user1['id'], user_id=self.user1['id'],
password=self.user1['password'], password=self.user1['password'],
project_id=self.projectA['id']), project_id=self.projectA['id']),
expected_status=401) expected_status=http_client.UNAUTHORIZED)
# authorization for the second user should still succeed # authorization for the second user should still succeed
self.head('/auth/tokens', self.head('/auth/tokens',
@ -1329,7 +1339,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
'/projects/%(project_id)s' % {'project_id': self.projectA['id']}) '/projects/%(project_id)s' % {'project_id': self.projectA['id']})
# Make sure that we get a NotFound(404) when heading that role. # Make sure that we get a NotFound(404) when heading that role.
self.head(role_path, expected_status=404) self.head(role_path, expected_status=http_client.NOT_FOUND)
def get_v2_token(self, token=None, project_id=None): def get_v2_token(self, token=None, project_id=None):
body = {'auth': {}, } body = {'auth': {}, }
@ -1361,7 +1371,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token}, headers={'X-Subject-Token': token},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_revoke_token_from_token(self): def test_revoke_token_from_token(self):
# Test that a scoped token can be requested from an unscoped token, # Test that a scoped token can be requested from an unscoped token,
@ -1393,7 +1403,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
# The project-scoped token is invalidated. # The project-scoped token is invalidated.
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': project_scoped_token}, headers={'X-Subject-Token': project_scoped_token},
expected_status=404) expected_status=http_client.NOT_FOUND)
# The unscoped token should still be valid. # The unscoped token should still be valid.
self.head('/auth/tokens', self.head('/auth/tokens',
@ -1413,7 +1423,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
# The domain-scoped token is invalid. # The domain-scoped token is invalid.
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': domain_scoped_token}, headers={'X-Subject-Token': domain_scoped_token},
expected_status=404) expected_status=http_client.NOT_FOUND)
# The unscoped token should still be valid. # The unscoped token should still be valid.
self.head('/auth/tokens', self.head('/auth/tokens',
@ -1442,7 +1452,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
# The project-scoped token is invalidated. # The project-scoped token is invalidated.
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': project_scoped_token}, headers={'X-Subject-Token': project_scoped_token},
expected_status=404) expected_status=http_client.NOT_FOUND)
# The unscoped token should still be valid. # The unscoped token should still be valid.
self.head('/auth/tokens', self.head('/auth/tokens',
@ -1495,7 +1505,7 @@ class TestTokenRevokeByAssignment(TestTokenRevokeById):
# while token for the projectB should not # while token for the projectB should not
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': project_token}, headers={'X-Subject-Token': project_token},
expected_status=404) expected_status=http_client.NOT_FOUND)
revoked_tokens = [ revoked_tokens = [
t['id'] for t in self.token_provider_api.list_revoked_tokens()] t['id'] for t in self.token_provider_api.list_revoked_tokens()]
# token is in token revocation list # token is in token revocation list
@ -1557,7 +1567,8 @@ class TestTokenRevokeApi(TestTokenRevokeById):
expected_status=200).json_body['token'] expected_status=200).json_body['token']
self.delete('/auth/tokens', headers=headers, expected_status=204) self.delete('/auth/tokens', headers=headers, expected_status=204)
self.head('/auth/tokens', headers=headers, expected_status=404) self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND)
events_response = self.get('/OS-REVOKE/events', events_response = self.get('/OS-REVOKE/events',
expected_status=200).json_body expected_status=200).json_body
self.assertValidRevokedTokenResponse(events_response, self.assertValidRevokedTokenResponse(events_response,
@ -1569,7 +1580,8 @@ class TestTokenRevokeApi(TestTokenRevokeById):
response = self.get('/auth/tokens', headers=headers, response = self.get('/auth/tokens', headers=headers,
expected_status=200).json_body['token'] expected_status=200).json_body['token']
self.delete('/auth/tokens', headers=headers, expected_status=204) self.delete('/auth/tokens', headers=headers, expected_status=204)
self.head('/auth/tokens', headers=headers, expected_status=404) self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND)
events_response = self.get('/OS-REVOKE/events', events_response = self.get('/OS-REVOKE/events',
expected_status=200).json_body expected_status=200).json_body
@ -1578,7 +1590,8 @@ class TestTokenRevokeApi(TestTokenRevokeById):
audit_id=response['audit_ids'][0]) audit_id=response['audit_ids'][0])
def test_revoke_by_id_false_410(self): def test_revoke_by_id_false_410(self):
self.get('/auth/tokens/OS-PKI/revoked', expected_status=410) self.get('/auth/tokens/OS-PKI/revoked',
expected_status=http_client.GONE)
def test_list_delete_project_shows_in_event_list(self): def test_list_delete_project_shows_in_event_list(self):
self.role_data_fixtures() self.role_data_fixtures()
@ -1662,7 +1675,8 @@ class TestTokenRevokeApi(TestTokenRevokeById):
self.assertEventDataInList( self.assertEventDataInList(
events, events,
audit_id=token2['audit_ids'][1]) audit_id=token2['audit_ids'][1])
self.head('/auth/tokens', headers=headers, expected_status=404) self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND)
self.head('/auth/tokens', headers=headers2, expected_status=200) self.head('/auth/tokens', headers=headers2, expected_status=200)
self.head('/auth/tokens', headers=headers3, expected_status=200) self.head('/auth/tokens', headers=headers3, expected_status=200)
@ -2002,7 +2016,7 @@ class TestAuth(test_v3.RestfulTestCase):
self._check_disabled_endpoint_result(r.result['token']['catalog'], self._check_disabled_endpoint_result(r.result['token']['catalog'],
disabled_endpoint_id) disabled_endpoint_id)
def test_project_id_scoped_token_with_user_id_401(self): def test_project_id_scoped_token_with_user_id_unauthorized(self):
project = self.new_project_ref(domain_id=self.domain_id) project = self.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project['id'], project) self.resource_api.create_project(project['id'], project)
@ -2010,7 +2024,8 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=project['id']) project_id=project['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_user_and_group_roles_scoped_token(self): def test_user_and_group_roles_scoped_token(self):
"""Test correct roles are returned in scoped token. """Test correct roles are returned in scoped token.
@ -2346,7 +2361,8 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
domain_id=self.domain['id']) domain_id=self.domain['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_auth_with_id(self): def test_auth_with_id(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
@ -2395,34 +2411,39 @@ class TestAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=uuid.uuid4().hex, user_id=uuid.uuid4().hex,
password=self.user['password']) password=self.user['password'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_invalid_user_name(self): def test_invalid_user_name(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
username=uuid.uuid4().hex, username=uuid.uuid4().hex,
user_domain_id=self.domain['id'], user_domain_id=self.domain['id'],
password=self.user['password']) password=self.user['password'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_invalid_domain_id(self): def test_invalid_domain_id(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
username=self.user['name'], username=self.user['name'],
user_domain_id=uuid.uuid4().hex, user_domain_id=uuid.uuid4().hex,
password=self.user['password']) password=self.user['password'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_invalid_domain_name(self): def test_invalid_domain_name(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
username=self.user['name'], username=self.user['name'],
user_domain_name=uuid.uuid4().hex, user_domain_name=uuid.uuid4().hex,
password=self.user['password']) password=self.user['password'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_invalid_password(self): def test_invalid_password(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=uuid.uuid4().hex) password=uuid.uuid4().hex)
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_remote_user_no_realm(self): def test_remote_user_no_realm(self):
api = auth.controllers.Auth() api = auth.controllers.Auth()
@ -2588,7 +2609,8 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=user['id'], user_id=user['id'],
password='password') password='password')
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_disabled_default_project_result_in_unscoped_token(self): def test_disabled_default_project_result_in_unscoped_token(self):
# create a disabled project to work with # create a disabled project to work with
@ -2666,7 +2688,8 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=project['id']) project_id=project['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
# user should not be able to auth with project_name & domain # user should not be able to auth with project_name & domain
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
@ -2674,7 +2697,8 @@ class TestAuth(test_v3.RestfulTestCase):
password=self.user['password'], password=self.user['password'],
project_name=project['name'], project_name=project['name'],
project_domain_id=domain['id']) project_domain_id=domain['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_auth_methods_with_different_identities_fails(self): def test_auth_methods_with_different_identities_fails(self):
# get the token for a user. This is self.user which is different from # get the token for a user. This is self.user which is different from
@ -2686,7 +2710,8 @@ class TestAuth(test_v3.RestfulTestCase):
token=token, token=token,
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password']) password=self.default_domain_user['password'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
class TestAuthJSONExternal(test_v3.RestfulTestCase): class TestAuthJSONExternal(test_v3.RestfulTestCase):
@ -2712,15 +2737,18 @@ class TestTrustOptional(test_v3.RestfulTestCase):
self.config_fixture.config(group='trust', enabled=False) self.config_fixture.config(group='trust', enabled=False)
def test_trusts_404(self): def test_trusts_404(self):
self.get('/OS-TRUST/trusts', body={'trust': {}}, expected_status=404) self.get('/OS-TRUST/trusts', body={'trust': {}},
self.post('/OS-TRUST/trusts', body={'trust': {}}, expected_status=404) expected_status=http_client.NOT_FOUND)
self.post('/OS-TRUST/trusts', body={'trust': {}},
expected_status=http_client.NOT_FOUND)
def test_auth_with_scope_in_trust_403(self): def test_auth_with_scope_in_trust_forbidden(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
trust_id=uuid.uuid4().hex) trust_id=uuid.uuid4().hex)
self.v3_authenticate_token(auth_data, expected_status=403) self.v3_authenticate_token(auth_data,
expected_status=http_client.FORBIDDEN)
class TestTrustRedelegation(test_v3.RestfulTestCase): class TestTrustRedelegation(test_v3.RestfulTestCase):
@ -2804,7 +2832,7 @@ class TestTrustRedelegation(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': self.chained_trust_ref}, body={'trust': self.chained_trust_ref},
token=trust_token, token=trust_token,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_modified_redelegation_count_error(self): def test_modified_redelegation_count_error(self):
r = self.post('/OS-TRUST/trusts', r = self.post('/OS-TRUST/trusts',
@ -2820,14 +2848,14 @@ class TestTrustRedelegation(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': self.chained_trust_ref}, body={'trust': self.chained_trust_ref},
token=trust_token, token=trust_token,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_max_redelegation_count_constraint(self): def test_max_redelegation_count_constraint(self):
incorrect = CONF.trust.max_redelegation_count + 1 incorrect = CONF.trust.max_redelegation_count + 1
self.redelegated_trust_ref['redelegation_count'] = incorrect self.redelegated_trust_ref['redelegation_count'] = incorrect
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': self.redelegated_trust_ref}, body={'trust': self.redelegated_trust_ref},
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_redelegation_expiry(self): def test_redelegation_expiry(self):
r = self.post('/OS-TRUST/trusts', r = self.post('/OS-TRUST/trusts',
@ -2847,7 +2875,7 @@ class TestTrustRedelegation(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': too_long_live_chained_trust_ref}, body={'trust': too_long_live_chained_trust_ref},
token=trust_token, token=trust_token,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_redelegation_remaining_uses(self): def test_redelegation_remaining_uses(self):
r = self.post('/OS-TRUST/trusts', r = self.post('/OS-TRUST/trusts',
@ -2862,7 +2890,7 @@ class TestTrustRedelegation(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': self.chained_trust_ref}, body={'trust': self.chained_trust_ref},
token=trust_token, token=trust_token,
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_roles_subset(self): def test_roles_subset(self):
# Build second role # Build second role
@ -2949,7 +2977,7 @@ class TestTrustRedelegation(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': self.chained_trust_ref}, body={'trust': self.chained_trust_ref},
token=trust_token, token=trust_token,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_redelegation_terminator(self): def test_redelegation_terminator(self):
r = self.post('/OS-TRUST/trusts', r = self.post('/OS-TRUST/trusts',
@ -2977,7 +3005,7 @@ class TestTrustRedelegation(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': ref}, body={'trust': ref},
token=trust_token, token=trust_token,
expected_status=403) expected_status=http_client.FORBIDDEN)
class TestTrustChain(test_v3.RestfulTestCase): class TestTrustChain(test_v3.RestfulTestCase):
@ -3088,7 +3116,8 @@ class TestTrustChain(test_v3.RestfulTestCase):
expected_status=204) expected_status=204)
headers = {'X-Subject-Token': self.last_token} headers = {'X-Subject-Token': self.last_token}
self.head('/auth/tokens', headers=headers, expected_status=404) self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND)
self.assert_trust_tokens_revoked(self.trust_chain[0]['id']) self.assert_trust_tokens_revoked(self.trust_chain[0]['id'])
def test_delete_broken_chain(self): def test_delete_broken_chain(self):
@ -3111,7 +3140,8 @@ class TestTrustChain(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
token=self.last_token, token=self.last_token,
trust_id=self.trust_chain[-1]['id']) trust_id=self.trust_chain[-1]['id'])
self.v3_authenticate_token(auth_data, expected_status=404) self.v3_authenticate_token(auth_data,
expected_status=http_client.NOT_FOUND)
def test_intermediate_user_disabled(self): def test_intermediate_user_disabled(self):
self.assert_user_authenticate(self.user_chain[0]) self.assert_user_authenticate(self.user_chain[0])
@ -3123,7 +3153,8 @@ class TestTrustChain(test_v3.RestfulTestCase):
# Bypass policy enforcement # Bypass policy enforcement
with mock.patch.object(rules, 'enforce', return_value=True): with mock.patch.object(rules, 'enforce', return_value=True):
headers = {'X-Subject-Token': self.last_token} headers = {'X-Subject-Token': self.last_token}
self.head('/auth/tokens', headers=headers, expected_status=403) self.head('/auth/tokens', headers=headers,
expected_status=http_client.FORBIDDEN)
def test_intermediate_user_deleted(self): def test_intermediate_user_deleted(self):
self.assert_user_authenticate(self.user_chain[0]) self.assert_user_authenticate(self.user_chain[0])
@ -3133,7 +3164,8 @@ class TestTrustChain(test_v3.RestfulTestCase):
# Bypass policy enforcement # Bypass policy enforcement
with mock.patch.object(rules, 'enforce', return_value=True): with mock.patch.object(rules, 'enforce', return_value=True):
headers = {'X-Subject-Token': self.last_token} headers = {'X-Subject-Token': self.last_token}
self.head('/auth/tokens', headers=headers, expected_status=403) self.head('/auth/tokens', headers=headers,
expected_status=http_client.FORBIDDEN)
class TestTrustAuth(test_v3.RestfulTestCase): class TestTrustAuth(test_v3.RestfulTestCase):
@ -3159,9 +3191,10 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.trustee_user['password'] = password self.trustee_user['password'] = password
self.trustee_user_id = self.trustee_user['id'] self.trustee_user_id = self.trustee_user['id']
def test_create_trust_400(self): def test_create_trust_bad_request(self):
# The server returns a 403 Forbidden rather than a 400, see bug 1133435 # The server returns a 403 Forbidden rather than a 400, see bug 1133435
self.post('/OS-TRUST/trusts', body={'trust': {}}, expected_status=403) self.post('/OS-TRUST/trusts', body={'trust': {}},
expected_status=http_client.FORBIDDEN)
def test_create_unscoped_trust(self): def test_create_unscoped_trust(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3175,7 +3208,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
trustor_user_id=self.user_id, trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id, trustee_user_id=self.trustee_user_id,
project_id=self.project_id) project_id=self.project_id)
self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=403) self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.FORBIDDEN)
def _initialize_test_consume_trust(self, count): def _initialize_test_consume_trust(self, count):
# Make sure remaining_uses is decremented as we consume the trust # Make sure remaining_uses is decremented as we consume the trust
@ -3219,13 +3253,14 @@ class TestTrustAuth(test_v3.RestfulTestCase):
# No more uses, the trust is made unavailable # No more uses, the trust is made unavailable
self.get( self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}, '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=404) expected_status=http_client.NOT_FOUND)
# this time we can't get a trust token # this time we can't get a trust token
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_create_trust_with_bad_values_for_remaining_uses(self): def test_create_trust_with_bad_values_for_remaining_uses(self):
# negative values for the remaining_uses parameter are forbidden # negative values for the remaining_uses parameter are forbidden
@ -3245,7 +3280,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
role_ids=[self.role_id]) role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': ref}, body={'trust': ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_invalid_trust_request_without_impersonation(self): def test_invalid_trust_request_without_impersonation(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3258,7 +3293,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': ref}, body={'trust': ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_invalid_trust_request_without_trustee(self): def test_invalid_trust_request_without_trustee(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3271,7 +3306,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': ref}, body={'trust': ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_create_unlimited_use_trust(self): def test_create_unlimited_use_trust(self):
# by default trusts are unlimited in terms of tokens that can be # by default trusts are unlimited in terms of tokens that can be
@ -3343,7 +3378,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.patch( self.patch(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}, '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
body={'trust': ref}, body={'trust': ref},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.delete( self.delete(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}, '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
@ -3351,7 +3386,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.get( self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}, '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_create_trust_trustee_404(self): def test_create_trust_trustee_404(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3359,7 +3394,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
trustee_user_id=uuid.uuid4().hex, trustee_user_id=uuid.uuid4().hex,
project_id=self.project_id, project_id=self.project_id,
role_ids=[self.role_id]) role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404) self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_trustor_trustee_backwards(self): def test_create_trust_trustor_trustee_backwards(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3367,7 +3403,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
trustee_user_id=self.user_id, trustee_user_id=self.user_id,
project_id=self.project_id, project_id=self.project_id,
role_ids=[self.role_id]) role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=403) self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.FORBIDDEN)
def test_create_trust_project_404(self): def test_create_trust_project_404(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3375,7 +3412,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
trustee_user_id=self.trustee_user_id, trustee_user_id=self.trustee_user_id,
project_id=uuid.uuid4().hex, project_id=uuid.uuid4().hex,
role_ids=[self.role_id]) role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404) self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_role_id_404(self): def test_create_trust_role_id_404(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3383,7 +3421,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
trustee_user_id=self.trustee_user_id, trustee_user_id=self.trustee_user_id,
project_id=self.project_id, project_id=self.project_id,
role_ids=[uuid.uuid4().hex]) role_ids=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404) self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_role_name_404(self): def test_create_trust_role_name_404(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3391,7 +3430,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
trustee_user_id=self.trustee_user_id, trustee_user_id=self.trustee_user_id,
project_id=self.project_id, project_id=self.project_id,
role_names=[uuid.uuid4().hex]) role_names=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=404) self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self): def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3419,7 +3459,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
path = '/v2.0/tokens/%s' % (token) path = '/v2.0/tokens/%s' % (token)
self.admin_request( self.admin_request(
path=path, token=CONF.admin_token, path=path, token=CONF.admin_token,
method='GET', expected_status=401) method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_trustor_not_in_default_domaini_failed(self): def test_v3_v2_intermix_trustor_not_in_default_domaini_failed(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3452,7 +3492,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
path = '/v2.0/tokens/%s' % (token) path = '/v2.0/tokens/%s' % (token)
self.admin_request( self.admin_request(
path=path, token=CONF.admin_token, path=path, token=CONF.admin_token,
method='GET', expected_status=401) method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_project_not_in_default_domaini_failed(self): def test_v3_v2_intermix_project_not_in_default_domaini_failed(self):
# create a trustee in default domain to delegate stuff to # create a trustee in default domain to delegate stuff to
@ -3492,7 +3532,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
path = '/v2.0/tokens/%s' % (token) path = '/v2.0/tokens/%s' % (token)
self.admin_request( self.admin_request(
path=path, token=CONF.admin_token, path=path, token=CONF.admin_token,
method='GET', expected_status=401) method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix(self): def test_v3_v2_intermix(self):
# create a trustee in default domain to delegate stuff to # create a trustee in default domain to delegate stuff to
@ -3624,7 +3664,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': ref}, body={'trust': ref},
token=trust_token, token=trust_token,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_trust_deleted_grant(self): def test_trust_deleted_grant(self):
# create a new role # create a new role
@ -3662,7 +3702,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data, expected_status=403) r = self.v3_authenticate_token(auth_data,
expected_status=http_client.FORBIDDEN)
def test_trust_chained(self): def test_trust_chained(self):
"""Test that a trust token can't be used to execute another trust. """Test that a trust token can't be used to execute another trust.
@ -3730,7 +3771,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
token=trust_token, token=trust_token,
trust_id=trust1['id']) trust_id=trust1['id'])
r = self.v3_authenticate_token(auth_data, expected_status=403) r = self.v3_authenticate_token(auth_data,
expected_status=http_client.FORBIDDEN)
def assertTrustTokensRevoked(self, trust_id): def assertTrustTokensRevoked(self, trust_id):
revocation_response = self.get('/OS-REVOKE/events', revocation_response = self.get('/OS-REVOKE/events',
@ -3766,7 +3808,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
'trust_id': trust_id}, 'trust_id': trust_id},
expected_status=204) expected_status=204)
headers = {'X-Subject-Token': trust_token} headers = {'X-Subject-Token': trust_token}
self.head('/auth/tokens', headers=headers, expected_status=404) self.head('/auth/tokens', headers=headers,
expected_status=http_client.NOT_FOUND)
self.assertTrustTokensRevoked(trust_id) self.assertTrustTokensRevoked(trust_id)
def disable_user(self, user): def disable_user(self, user):
@ -3798,7 +3841,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data, expected_status=403) self.v3_authenticate_token(auth_data,
expected_status=http_client.FORBIDDEN)
def test_trust_get_token_fails_if_trustee_disabled(self): def test_trust_get_token_fails_if_trustee_disabled(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3825,7 +3869,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_delete_trust(self): def test_delete_trust(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3846,17 +3891,18 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.get('/OS-TRUST/trusts/%(trust_id)s' % { self.get('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']}, 'trust_id': trust['id']},
expected_status=404) expected_status=http_client.NOT_FOUND)
self.get('/OS-TRUST/trusts/%(trust_id)s' % { self.get('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']}, 'trust_id': trust['id']},
expected_status=404) expected_status=http_client.NOT_FOUND)
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data, expected_status=401) self.v3_authenticate_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_list_trusts(self): def test_list_trusts(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3918,7 +3964,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
expected_status=200)) expected_status=200))
self.get('/OS-TRUST/trusts?trustor_user_id=%s' % self.get('/OS-TRUST/trusts?trustor_user_id=%s' %
self.user_id, expected_status=401, self.user_id, expected_status=http_client.UNAUTHORIZED,
token=trust_token) token=trust_token)
def test_trustee_can_do_role_ops(self): def test_trustee_can_do_role_ops(self):
@ -3977,7 +4023,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'], password=self.default_domain_user['password'],
trust_id=trust_id) trust_id=trust_id)
self.v3_authenticate_token(auth_data, expected_status=403) self.v3_authenticate_token(auth_data,
expected_status=http_client.FORBIDDEN)
r = self.get('/OS-TRUST/trusts/%s' % trust_id) r = self.get('/OS-TRUST/trusts/%s' % trust_id)
self.assertEqual(3, r.result.get('trust').get('remaining_uses')) self.assertEqual(3, r.result.get('trust').get('remaining_uses'))
@ -4075,7 +4122,7 @@ class TestAuthSpecificData(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
domain_id=self.domain['id']), domain_id=self.domain['id']),
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_get_catalog_unscoped_token(self): def test_get_catalog_unscoped_token(self):
"""Call ``GET /auth/catalog`` with an unscoped token.""" """Call ``GET /auth/catalog`` with an unscoped token."""
@ -4084,14 +4131,14 @@ class TestAuthSpecificData(test_v3.RestfulTestCase):
auth=self.build_authentication_request( auth=self.build_authentication_request(
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password']), password=self.default_domain_user['password']),
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_get_catalog_no_token(self): def test_get_catalog_no_token(self):
"""Call ``GET /auth/catalog`` without a token.""" """Call ``GET /auth/catalog`` without a token."""
self.get( self.get(
'/auth/catalog', '/auth/catalog',
noauth=True, noauth=True,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_get_projects_project_scoped_token(self): def test_get_projects_project_scoped_token(self):
r = self.get('/auth/projects', expected_status=200) r = self.get('/auth/projects', expected_status=200)
@ -4190,13 +4237,15 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
unscoped_token = self._get_unscoped_token() unscoped_token = self._get_unscoped_token()
tampered_token = (unscoped_token[:50] + uuid.uuid4().hex + tampered_token = (unscoped_token[:50] + uuid.uuid4().hex +
unscoped_token[50 + 32:]) unscoped_token[50 + 32:])
self._validate_token(tampered_token, expected_status=404) self._validate_token(tampered_token,
expected_status=http_client.NOT_FOUND)
def test_revoke_unscoped_token(self): def test_revoke_unscoped_token(self):
unscoped_token = self._get_unscoped_token() unscoped_token = self._get_unscoped_token()
self._validate_token(unscoped_token) self._validate_token(unscoped_token)
self._revoke_token(unscoped_token) self._revoke_token(unscoped_token)
self._validate_token(unscoped_token, expected_status=404) self._validate_token(unscoped_token,
expected_status=http_client.NOT_FOUND)
def test_unscoped_token_is_invalid_after_disabling_user(self): def test_unscoped_token_is_invalid_after_disabling_user(self):
unscoped_token = self._get_unscoped_token() unscoped_token = self._get_unscoped_token()
@ -4270,13 +4319,15 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
project_scoped_token = self._get_project_scoped_token() project_scoped_token = self._get_project_scoped_token()
tampered_token = (project_scoped_token[:50] + uuid.uuid4().hex + tampered_token = (project_scoped_token[:50] + uuid.uuid4().hex +
project_scoped_token[50 + 32:]) project_scoped_token[50 + 32:])
self._validate_token(tampered_token, expected_status=404) self._validate_token(tampered_token,
expected_status=http_client.NOT_FOUND)
def test_revoke_project_scoped_token(self): def test_revoke_project_scoped_token(self):
project_scoped_token = self._get_project_scoped_token() project_scoped_token = self._get_project_scoped_token()
self._validate_token(project_scoped_token) self._validate_token(project_scoped_token)
self._revoke_token(project_scoped_token) self._revoke_token(project_scoped_token)
self._validate_token(project_scoped_token, expected_status=404) self._validate_token(project_scoped_token,
expected_status=http_client.NOT_FOUND)
def test_project_scoped_token_is_invalid_after_disabling_user(self): def test_project_scoped_token_is_invalid_after_disabling_user(self):
project_scoped_token = self._get_project_scoped_token() project_scoped_token = self._get_project_scoped_token()
@ -4378,7 +4429,8 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
# Get a trust scoped token # Get a trust scoped token
tampered_token = (trust_scoped_token[:50] + uuid.uuid4().hex + tampered_token = (trust_scoped_token[:50] + uuid.uuid4().hex +
trust_scoped_token[50 + 32:]) trust_scoped_token[50 + 32:])
self._validate_token(tampered_token, expected_status=404) self._validate_token(tampered_token,
expected_status=http_client.NOT_FOUND)
def test_revoke_trust_scoped_token(self): def test_revoke_trust_scoped_token(self):
trustee_user, trust = self._create_trust() trustee_user, trust = self._create_trust()
@ -4386,7 +4438,8 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
# Validate a trust scoped token # Validate a trust scoped token
self._validate_token(trust_scoped_token) self._validate_token(trust_scoped_token)
self._revoke_token(trust_scoped_token) self._revoke_token(trust_scoped_token)
self._validate_token(trust_scoped_token, expected_status=404) self._validate_token(trust_scoped_token,
expected_status=http_client.NOT_FOUND)
def test_trust_scoped_token_is_invalid_after_disabling_trustee(self): def test_trust_scoped_token_is_invalid_after_disabling_trustee(self):
trustee_user, trust = self._create_trust() trustee_user, trust = self._create_trust()
@ -4460,7 +4513,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
self.token_provider_api.validate_token, self.token_provider_api.validate_token,
trust_scoped_token) trust_scoped_token)
def test_v2_validate_unscoped_token_returns_401(self): def test_v2_validate_unscoped_token_returns_unauthorized(self):
"""Test raised exception when validating unscoped token. """Test raised exception when validating unscoped token.
Test that validating an unscoped token in v2.0 of a v3 user of a Test that validating an unscoped token in v2.0 of a v3 user of a
@ -4471,7 +4524,7 @@ class TestFernetTokenProvider(test_v3.RestfulTestCase):
self.token_provider_api.validate_v2_token, self.token_provider_api.validate_v2_token,
unscoped_token) unscoped_token)
def test_v2_validate_domain_scoped_token_returns_401(self): def test_v2_validate_domain_scoped_token_returns_unauthorized(self):
"""Test raised exception when validating a domain scoped token. """Test raised exception when validating a domain scoped token.
Test that validating an domain scoped token in v2.0 Test that validating an domain scoped token in v2.0


@ -15,6 +15,7 @@
import copy import copy
import uuid import uuid
from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone import catalog from keystone import catalog
@ -184,7 +185,7 @@ class CatalogTestCase(test_v3.RestfulTestCase):
self.put( self.put(
'/regions/%s' % uuid.uuid4().hex, '/regions/%s' % uuid.uuid4().hex,
body={'region': ref}, body={'region': ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_list_regions(self): def test_list_regions(self):
"""Call ``GET /regions``.""" """Call ``GET /regions``."""
@ -326,19 +327,22 @@ class CatalogTestCase(test_v3.RestfulTestCase):
"""Call ``POST /services``.""" """Call ``POST /services``."""
ref = self.new_service_ref() ref = self.new_service_ref()
ref['enabled'] = 'True' ref['enabled'] = 'True'
self.post('/services', body={'service': ref}, expected_status=400) self.post('/services', body={'service': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_service_enabled_str_false(self): def test_create_service_enabled_str_false(self):
"""Call ``POST /services``.""" """Call ``POST /services``."""
ref = self.new_service_ref() ref = self.new_service_ref()
ref['enabled'] = 'False' ref['enabled'] = 'False'
self.post('/services', body={'service': ref}, expected_status=400) self.post('/services', body={'service': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_service_enabled_str_random(self): def test_create_service_enabled_str_random(self):
"""Call ``POST /services``.""" """Call ``POST /services``."""
ref = self.new_service_ref() ref = self.new_service_ref()
ref['enabled'] = 'puppies' ref['enabled'] = 'puppies'
self.post('/services', body={'service': ref}, expected_status=400) self.post('/services', body={'service': ref},
expected_status=http_client.BAD_REQUEST)
def test_list_services(self): def test_list_services(self):
"""Call ``GET /services``.""" """Call ``GET /services``."""
@ -575,7 +579,7 @@ class CatalogTestCase(test_v3.RestfulTestCase):
self.post( self.post(
'/endpoints', '/endpoints',
body={'endpoint': ref}, body={'endpoint': ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_create_endpoint_enabled_str_false(self): def test_create_endpoint_enabled_str_false(self):
"""Call ``POST /endpoints`` with enabled: 'False'.""" """Call ``POST /endpoints`` with enabled: 'False'."""
@ -584,7 +588,7 @@ class CatalogTestCase(test_v3.RestfulTestCase):
self.post( self.post(
'/endpoints', '/endpoints',
body={'endpoint': ref}, body={'endpoint': ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_create_endpoint_enabled_str_random(self): def test_create_endpoint_enabled_str_random(self):
"""Call ``POST /endpoints`` with enabled: 'puppies'.""" """Call ``POST /endpoints`` with enabled: 'puppies'."""
@ -593,13 +597,14 @@ class CatalogTestCase(test_v3.RestfulTestCase):
self.post( self.post(
'/endpoints', '/endpoints',
body={'endpoint': ref}, body={'endpoint': ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_create_endpoint_with_invalid_region_id(self): def test_create_endpoint_with_invalid_region_id(self):
"""Call ``POST /endpoints``.""" """Call ``POST /endpoints``."""
ref = self.new_endpoint_ref(service_id=self.service_id) ref = self.new_endpoint_ref(service_id=self.service_id)
ref["region_id"] = uuid.uuid4().hex ref["region_id"] = uuid.uuid4().hex
self.post('/endpoints', body={'endpoint': ref}, expected_status=400) self.post('/endpoints', body={'endpoint': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_endpoint_with_region(self): def test_create_endpoint_with_region(self):
"""EndpointV3 creates the region before creating the endpoint, if """EndpointV3 creates the region before creating the endpoint, if
@ -623,7 +628,8 @@ class CatalogTestCase(test_v3.RestfulTestCase):
"""Call ``POST /endpoints``.""" """Call ``POST /endpoints``."""
ref = self.new_endpoint_ref(service_id=self.service_id) ref = self.new_endpoint_ref(service_id=self.service_id)
ref["url"] = '' ref["url"] = ''
self.post('/endpoints', body={'endpoint': ref}, expected_status=400) self.post('/endpoints', body={'endpoint': ref},
expected_status=http_client.BAD_REQUEST)
def test_get_endpoint(self): def test_get_endpoint(self):
"""Call ``GET /endpoints/{endpoint_id}``.""" """Call ``GET /endpoints/{endpoint_id}``."""
@ -667,7 +673,7 @@ class CatalogTestCase(test_v3.RestfulTestCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'endpoint_id': self.endpoint_id}, 'endpoint_id': self.endpoint_id},
body={'endpoint': {'enabled': 'True'}}, body={'endpoint': {'enabled': 'True'}},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_update_endpoint_enabled_str_false(self): def test_update_endpoint_enabled_str_false(self):
"""Call ``PATCH /endpoints/{endpoint_id}`` with enabled: 'False'.""" """Call ``PATCH /endpoints/{endpoint_id}`` with enabled: 'False'."""
@ -675,7 +681,7 @@ class CatalogTestCase(test_v3.RestfulTestCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'endpoint_id': self.endpoint_id}, 'endpoint_id': self.endpoint_id},
body={'endpoint': {'enabled': 'False'}}, body={'endpoint': {'enabled': 'False'}},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_update_endpoint_enabled_str_random(self): def test_update_endpoint_enabled_str_random(self):
"""Call ``PATCH /endpoints/{endpoint_id}`` with enabled: 'kitties'.""" """Call ``PATCH /endpoints/{endpoint_id}`` with enabled: 'kitties'."""
@ -683,7 +689,7 @@ class CatalogTestCase(test_v3.RestfulTestCase):
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
'endpoint_id': self.endpoint_id}, 'endpoint_id': self.endpoint_id},
body={'endpoint': {'enabled': 'kitties'}}, body={'endpoint': {'enabled': 'kitties'}},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_delete_endpoint(self): def test_delete_endpoint(self):
"""Call ``DELETE /endpoints/{endpoint_id}``.""" """Call ``DELETE /endpoints/{endpoint_id}``."""
@ -762,7 +768,8 @@ class CatalogTestCase(test_v3.RestfulTestCase):
self.delete('/endpoints/%s' % ref['id']) self.delete('/endpoints/%s' % ref['id'])
# make sure it's deleted (GET should return 404) # make sure it's deleted (GET should return 404)
self.get('/endpoints/%s' % ref['id'], expected_status=404) self.get('/endpoints/%s' % ref['id'],
expected_status=http_client.NOT_FOUND)
def test_endpoint_create_with_valid_url(self): def test_endpoint_create_with_valid_url(self):
"""Create endpoint with valid url should be tested,too.""" """Create endpoint with valid url should be tested,too."""
@ -798,7 +805,7 @@ class CatalogTestCase(test_v3.RestfulTestCase):
ref['url'] = invalid_url ref['url'] = invalid_url
self.post('/endpoints', self.post('/endpoints',
body={'endpoint': ref}, body={'endpoint': ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
class TestCatalogAPISQL(unit.TestCase): class TestCatalogAPISQL(unit.TestCase):
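Review bot: The comment `# make sure it's deleted (GET should return 404)` above the re-check GET still spells out the numeric code, while the assertion directly below it now reads `expected_status=http_client.NOT_FOUND`. The credential test file in this same commit rewrites its equivalent comments ("Assert bad request status when missing project_id"), so this one looks like an oversight rather than a deliberate choice. I would change it to `# make sure it's deleted (GET should return Not Found)` so that a search for leftover literal status codes in the test tree comes back clean. The enclosing test method starts outside the hunk, so I cannot see whether other comments in it have the same problem.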


@ -18,6 +18,7 @@ import uuid
from keystoneclient.contrib.ec2 import utils as ec2_utils from keystoneclient.contrib.ec2 import utils as ec2_utils
from oslo_config import cfg from oslo_config import cfg
from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone import exception from keystone import exception
@ -252,10 +253,10 @@ class CredentialTestCase(CredentialBaseTestCase):
"secret": uuid.uuid4().hex} "secret": uuid.uuid4().hex}
ref['blob'] = json.dumps(blob) ref['blob'] = json.dumps(blob)
ref['type'] = 'ec2' ref['type'] = 'ec2'
# Assert 400 status for bad request with missing project_id # Assert bad request status when missing project_id
self.post( self.post(
'/credentials', '/credentials',
body={'credential': ref}, expected_status=400) body={'credential': ref}, expected_status=http_client.BAD_REQUEST)
def test_create_ec2_credential_with_invalid_blob(self): def test_create_ec2_credential_with_invalid_blob(self):
"""Call ``POST /credentials`` for creating ec2 """Call ``POST /credentials`` for creating ec2
@ -265,11 +266,10 @@ class CredentialTestCase(CredentialBaseTestCase):
project_id=self.project_id) project_id=self.project_id)
ref['blob'] = '{"abc":"def"d}' ref['blob'] = '{"abc":"def"d}'
ref['type'] = 'ec2' ref['type'] = 'ec2'
# Assert 400 status for bad request containing invalid # Assert bad request status when request contains invalid blob
# blob
response = self.post( response = self.post(
'/credentials', '/credentials',
body={'credential': ref}, expected_status=400) body={'credential': ref}, expected_status=http_client.BAD_REQUEST)
self.assertValidErrorResponse(response) self.assertValidErrorResponse(response)
def test_create_credential_with_admin_token(self): def test_create_credential_with_admin_token(self):


@ -14,6 +14,7 @@ import copy
import uuid import uuid
from oslo_config import cfg from oslo_config import cfg
from six.moves import http_client
from keystone import exception from keystone import exception
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
@ -103,21 +104,24 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_get_non_existant_config(self): def test_get_non_existant_config(self):
"""Call ``GET /domains{domain_id}/config when no config defined``.""" """Call ``GET /domains{domain_id}/config when no config defined``."""
self.get('/domains/%(domain_id)s/config' % { self.get('/domains/%(domain_id)s/config' % {
'domain_id': self.domain['id']}, expected_status=404) 'domain_id': self.domain['id']},
expected_status=http_client.NOT_FOUND)
def test_get_non_existant_config_group(self): def test_get_non_existant_config_group(self):
"""Call ``GET /domains{domain_id}/config/{group_not_exist}``.""" """Call ``GET /domains{domain_id}/config/{group_not_exist}``."""
config = {'ldap': {'url': uuid.uuid4().hex}} config = {'ldap': {'url': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config) self.domain_config_api.create_config(self.domain['id'], config)
self.get('/domains/%(domain_id)s/config/identity' % { self.get('/domains/%(domain_id)s/config/identity' % {
'domain_id': self.domain['id']}, expected_status=404) 'domain_id': self.domain['id']},
expected_status=http_client.NOT_FOUND)
def test_get_non_existant_config_option(self): def test_get_non_existant_config_option(self):
"""Call ``GET /domains{domain_id}/config/group/{option_not_exist}``.""" """Call ``GET /domains{domain_id}/config/group/{option_not_exist}``."""
config = {'ldap': {'url': uuid.uuid4().hex}} config = {'ldap': {'url': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config) self.domain_config_api.create_config(self.domain['id'], config)
self.get('/domains/%(domain_id)s/config/ldap/user_tree_dn' % { self.get('/domains/%(domain_id)s/config/ldap/user_tree_dn' % {
'domain_id': self.domain['id']}, expected_status=404) 'domain_id': self.domain['id']},
expected_status=http_client.NOT_FOUND)
def test_update_config(self): def test_update_config(self):
"""Call ``PATCH /domains/{domain_id}/config``.""" """Call ``PATCH /domains/{domain_id}/config``."""
@ -163,7 +167,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
self.patch('/domains/%(domain_id)s/config/%(invalid_group)s' % { self.patch('/domains/%(domain_id)s/config/%(invalid_group)s' % {
'domain_id': self.domain['id'], 'invalid_group': invalid_group}, 'domain_id': self.domain['id'], 'invalid_group': invalid_group},
body={'config': new_config}, body={'config': new_config},
expected_status=403) expected_status=http_client.FORBIDDEN)
# Trying to update a valid group, but one that is not in the current # Trying to update a valid group, but one that is not in the current
# config should result in NotFound # config should result in NotFound
config = {'ldap': {'suffix': uuid.uuid4().hex}} config = {'ldap': {'suffix': uuid.uuid4().hex}}
@ -172,7 +176,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
self.patch('/domains/%(domain_id)s/config/identity' % { self.patch('/domains/%(domain_id)s/config/identity' % {
'domain_id': self.domain['id']}, 'domain_id': self.domain['id']},
body={'config': new_config}, body={'config': new_config},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_update_config_option(self): def test_update_config_option(self):
"""Call ``PATCH /domains/{domain_id}/config/{group}/{option}``.""" """Call ``PATCH /domains/{domain_id}/config/{group}/{option}``."""
@ -199,7 +203,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
'domain_id': self.domain['id'], 'domain_id': self.domain['id'],
'invalid_option': invalid_option}, 'invalid_option': invalid_option},
body={'config': new_config}, body={'config': new_config},
expected_status=403) expected_status=http_client.FORBIDDEN)
# Trying to update a valid option, but one that is not in the current # Trying to update a valid option, but one that is not in the current
# config should result in NotFound # config should result in NotFound
new_config = {'suffix': uuid.uuid4().hex} new_config = {'suffix': uuid.uuid4().hex}
@ -207,4 +211,4 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
'/domains/%(domain_id)s/config/ldap/suffix' % { '/domains/%(domain_id)s/config/ldap/suffix' % {
'domain_id': self.domain['id']}, 'domain_id': self.domain['id']},
body={'config': new_config}, body={'config': new_config},
expected_status=404) expected_status=http_client.NOT_FOUND)


@ -12,6 +12,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
@ -48,7 +49,9 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase):
# Test when the resource does not exist also ensures # Test when the resource does not exist also ensures
# that there is not a false negative after creation. # that there is not a false negative after creation.
self.assert_head_and_get_return_same_response(url, expected_status=404) self.assert_head_and_get_return_same_response(
url,
expected_status=http_client.NOT_FOUND)
self.put(url, expected_status=204) self.put(url, expected_status=204)
@ -58,7 +61,9 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase):
self.delete(url, expected_status=204) self.delete(url, expected_status=204)
# test that the deleted resource is no longer accessible # test that the deleted resource is no longer accessible
self.assert_head_and_get_return_same_response(url, expected_status=404) self.assert_head_and_get_return_same_response(
url,
expected_status=http_client.NOT_FOUND)
def test_crud_for_policy_for_explicit_endpoint(self): def test_crud_for_policy_for_explicit_endpoint(self):
"""PUT, HEAD and DELETE for explicit endpoint policy.""" """PUT, HEAD and DELETE for explicit endpoint policy."""
@ -136,7 +141,7 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase):
self.delete('/endpoints/%(endpoint_id)s' % { self.delete('/endpoints/%(endpoint_id)s' % {
'endpoint_id': self.endpoint['id']}) 'endpoint_id': self.endpoint['id']})
self.head(url, expected_status=404) self.head(url, expected_status=http_client.NOT_FOUND)
def test_region_service_association_cleanup_when_region_deleted(self): def test_region_service_association_cleanup_when_region_deleted(self):
url = ('/policies/%(policy_id)s/OS-ENDPOINT-POLICY' url = ('/policies/%(policy_id)s/OS-ENDPOINT-POLICY'
@ -151,7 +156,7 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase):
self.delete('/regions/%(region_id)s' % { self.delete('/regions/%(region_id)s' % {
'region_id': self.region['id']}) 'region_id': self.region['id']})
self.head(url, expected_status=404) self.head(url, expected_status=http_client.NOT_FOUND)
def test_region_service_association_cleanup_when_service_deleted(self): def test_region_service_association_cleanup_when_service_deleted(self):
url = ('/policies/%(policy_id)s/OS-ENDPOINT-POLICY' url = ('/policies/%(policy_id)s/OS-ENDPOINT-POLICY'
@ -166,7 +171,7 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase):
self.delete('/services/%(service_id)s' % { self.delete('/services/%(service_id)s' % {
'service_id': self.service['id']}) 'service_id': self.service['id']})
self.head(url, expected_status=404) self.head(url, expected_status=http_client.NOT_FOUND)
def test_service_association_cleanup_when_service_deleted(self): def test_service_association_cleanup_when_service_deleted(self):
url = ('/policies/%(policy_id)s/OS-ENDPOINT-POLICY' url = ('/policies/%(policy_id)s/OS-ENDPOINT-POLICY'
@ -180,7 +185,7 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase):
self.delete('/policies/%(policy_id)s' % { self.delete('/policies/%(policy_id)s' % {
'policy_id': self.policy['id']}) 'policy_id': self.policy['id']})
self.head(url, expected_status=404) self.head(url, expected_status=http_client.NOT_FOUND)
def test_service_association_cleanup_when_policy_deleted(self): def test_service_association_cleanup_when_policy_deleted(self):
url = ('/policies/%(policy_id)s/OS-ENDPOINT-POLICY' url = ('/policies/%(policy_id)s/OS-ENDPOINT-POLICY'
@ -194,7 +199,7 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase):
self.delete('/services/%(service_id)s' % { self.delete('/services/%(service_id)s' % {
'service_id': self.service['id']}) 'service_id': self.service['id']})
self.head(url, expected_status=404) self.head(url, expected_status=http_client.NOT_FOUND)
class JsonHomeTests(test_v3.JsonHomeTestMixin): class JsonHomeTests(test_v3.JsonHomeTestMixin):
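Review bot: The success statuses are still numeric literals: `self.put(url, expected_status=204)` and `self.delete(url, expected_status=204)` sit directly beside the converted `http_client.NOT_FOUND` assertions in the first two hunks of this file. The commit title limits itself to error codes, so this may be intentional, but `expected_status=http_client.NO_CONTENT` would keep each test in one style. The same mix remains in the federation tests (`expected_status=201`, `kwargs = {'expected_status': 201}`, `self.assertResponseStatus(resp, 204)`) and the identity tests (`expected_status=200`, `204`, `201`), where `http_client.CREATED` and `http_client.OK` would apply. The enclosing test method starts and ends outside both hunks.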


@ -26,6 +26,7 @@ from oslotest import mockpatch
import saml2 import saml2
from saml2 import saml from saml2 import saml
from saml2 import sigver from saml2 import sigver
from six.moves import http_client
from six.moves import range, urllib, zip from six.moves import range, urllib, zip
xmldsig = importutils.try_import("saml2.xmldsig") xmldsig = importutils.try_import("saml2.xmldsig")
if not xmldsig: if not xmldsig:
@ -899,7 +900,7 @@ class FederatedIdentityProviderTests(FederationTests):
body['remote_ids'] = [uuid.uuid4().hex, body['remote_ids'] = [uuid.uuid4().hex,
repeated_remote_id] repeated_remote_id]
self.put(url, body={'identity_provider': body}, self.put(url, body={'identity_provider': body},
expected_status=409) expected_status=http_client.CONFLICT)
def test_create_idp_remote_empty(self): def test_create_idp_remote_empty(self):
"""Creates an IdP with empty remote_ids.""" """Creates an IdP with empty remote_ids."""
@ -1026,7 +1027,7 @@ class FederatedIdentityProviderTests(FederationTests):
self.put(url, body={'identity_provider': body}, self.put(url, body={'identity_provider': body},
expected_status=201) expected_status=201)
self.put(url, body={'identity_provider': body}, self.put(url, body={'identity_provider': body},
expected_status=409) expected_status=http_client.CONFLICT)
def test_get_idp(self): def test_get_idp(self):
"""Create and later fetch IdP.""" """Create and later fetch IdP."""
@ -1051,7 +1052,7 @@ class FederatedIdentityProviderTests(FederationTests):
self.assertIsNotNone(idp_id) self.assertIsNotNone(idp_id)
url = self.base_url(suffix=idp_id) url = self.base_url(suffix=idp_id)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_delete_existing_idp(self): def test_delete_existing_idp(self):
"""Create and later delete IdP. """Create and later delete IdP.
@ -1065,7 +1066,7 @@ class FederatedIdentityProviderTests(FederationTests):
self.assertIsNotNone(idp_id) self.assertIsNotNone(idp_id)
url = self.base_url(suffix=idp_id) url = self.base_url(suffix=idp_id)
self.delete(url) self.delete(url)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_delete_idp_also_deletes_assigned_protocols(self): def test_delete_idp_also_deletes_assigned_protocols(self):
"""Deleting an IdP will delete its assigned protocol.""" """Deleting an IdP will delete its assigned protocol."""
@ -1091,7 +1092,7 @@ class FederatedIdentityProviderTests(FederationTests):
# removing IdP will remove the assigned protocol as well # removing IdP will remove the assigned protocol as well
self.assertEqual(1, len(self.federation_api.list_protocols(idp_id))) self.assertEqual(1, len(self.federation_api.list_protocols(idp_id)))
self.delete(idp_url) self.delete(idp_url)
self.get(idp_url, expected_status=404) self.get(idp_url, expected_status=http_client.NOT_FOUND)
self.assertEqual(0, len(self.federation_api.list_protocols(idp_id))) self.assertEqual(0, len(self.federation_api.list_protocols(idp_id)))
def test_delete_nonexisting_idp(self): def test_delete_nonexisting_idp(self):
@ -1101,7 +1102,7 @@ class FederatedIdentityProviderTests(FederationTests):
""" """
idp_id = uuid.uuid4().hex idp_id = uuid.uuid4().hex
url = self.base_url(suffix=idp_id) url = self.base_url(suffix=idp_id)
self.delete(url, expected_status=404) self.delete(url, expected_status=http_client.NOT_FOUND)
def test_update_idp_mutable_attributes(self): def test_update_idp_mutable_attributes(self):
"""Update IdP's mutable parameters.""" """Update IdP's mutable parameters."""
@ -1142,7 +1143,7 @@ class FederatedIdentityProviderTests(FederationTests):
def test_update_idp_immutable_attributes(self): def test_update_idp_immutable_attributes(self):
"""Update IdP's immutable parameters. """Update IdP's immutable parameters.
Expect HTTP 403 code. Expect HTTP FORBIDDEN.
""" """
default_resp = self._create_default_idp() default_resp = self._create_default_idp()
@ -1156,7 +1157,8 @@ class FederatedIdentityProviderTests(FederationTests):
body['protocols'] = [uuid.uuid4().hex, uuid.uuid4().hex] body['protocols'] = [uuid.uuid4().hex, uuid.uuid4().hex]
url = self.base_url(suffix=idp_id) url = self.base_url(suffix=idp_id)
self.patch(url, body={'identity_provider': body}, expected_status=403) self.patch(url, body={'identity_provider': body},
expected_status=http_client.FORBIDDEN)
def test_update_nonexistent_idp(self): def test_update_nonexistent_idp(self):
"""Update nonexistent IdP """Update nonexistent IdP
@ -1170,7 +1172,7 @@ class FederatedIdentityProviderTests(FederationTests):
body['enabled'] = False body['enabled'] = False
body = {'identity_provider': body} body = {'identity_provider': body}
self.patch(url, body=body, expected_status=404) self.patch(url, body=body, expected_status=http_client.NOT_FOUND)
def test_assign_protocol_to_idp(self): def test_assign_protocol_to_idp(self):
"""Assign a protocol to existing IdP.""" """Assign a protocol to existing IdP."""
@ -1208,7 +1210,7 @@ class FederatedIdentityProviderTests(FederationTests):
kwargs = {'expected_status': 201} kwargs = {'expected_status': 201}
resp, idp_id, proto = self._assign_protocol_to_idp(proto='saml2', resp, idp_id, proto = self._assign_protocol_to_idp(proto='saml2',
url=url, **kwargs) url=url, **kwargs)
kwargs = {'expected_status': 409} kwargs = {'expected_status': http_client.CONFLICT}
resp, idp_id, proto = self._assign_protocol_to_idp(idp_id=idp_id, resp, idp_id, proto = self._assign_protocol_to_idp(idp_id=idp_id,
proto='saml2', proto='saml2',
validate=False, validate=False,
@ -1222,7 +1224,7 @@ class FederatedIdentityProviderTests(FederationTests):
""" """
idp_id = uuid.uuid4().hex idp_id = uuid.uuid4().hex
kwargs = {'expected_status': 404} kwargs = {'expected_status': http_client.NOT_FOUND}
self._assign_protocol_to_idp(proto='saml2', self._assign_protocol_to_idp(proto='saml2',
idp_id=idp_id, idp_id=idp_id,
validate=False, validate=False,
@ -1299,7 +1301,7 @@ class FederatedIdentityProviderTests(FederationTests):
url = url % {'idp_id': idp_id, url = url % {'idp_id': idp_id,
'protocol_id': proto} 'protocol_id': proto}
self.delete(url) self.delete(url)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
class MappingCRUDTests(FederationTests): class MappingCRUDTests(FederationTests):
@ -1364,7 +1366,7 @@ class MappingCRUDTests(FederationTests):
url = url % {'mapping_id': str(mapping_id)} url = url % {'mapping_id': str(mapping_id)}
resp = self.delete(url) resp = self.delete(url)
self.assertResponseStatus(resp, 204) self.assertResponseStatus(resp, 204)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_mapping_get(self): def test_mapping_get(self):
url = self.MAPPING_URL + '%(mapping_id)s' url = self.MAPPING_URL + '%(mapping_id)s'
@ -1387,70 +1389,73 @@ class MappingCRUDTests(FederationTests):
def test_delete_mapping_dne(self): def test_delete_mapping_dne(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.delete(url, expected_status=404) self.delete(url, expected_status=http_client.NOT_FOUND)
def test_get_mapping_dne(self): def test_get_mapping_dne(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_create_mapping_bad_requirements(self): def test_create_mapping_bad_requirements(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping_fixtures.MAPPING_BAD_REQ}) body={'mapping': mapping_fixtures.MAPPING_BAD_REQ})
def test_create_mapping_no_rules(self): def test_create_mapping_no_rules(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping_fixtures.MAPPING_NO_RULES}) body={'mapping': mapping_fixtures.MAPPING_NO_RULES})
def test_create_mapping_no_remote_objects(self): def test_create_mapping_no_remote_objects(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping_fixtures.MAPPING_NO_REMOTE}) body={'mapping': mapping_fixtures.MAPPING_NO_REMOTE})
def test_create_mapping_bad_value(self): def test_create_mapping_bad_value(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping_fixtures.MAPPING_BAD_VALUE}) body={'mapping': mapping_fixtures.MAPPING_BAD_VALUE})
def test_create_mapping_missing_local(self): def test_create_mapping_missing_local(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping_fixtures.MAPPING_MISSING_LOCAL}) body={'mapping': mapping_fixtures.MAPPING_MISSING_LOCAL})
def test_create_mapping_missing_type(self): def test_create_mapping_missing_type(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping_fixtures.MAPPING_MISSING_TYPE}) body={'mapping': mapping_fixtures.MAPPING_MISSING_TYPE})
def test_create_mapping_wrong_type(self): def test_create_mapping_wrong_type(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping_fixtures.MAPPING_WRONG_TYPE}) body={'mapping': mapping_fixtures.MAPPING_WRONG_TYPE})
def test_create_mapping_extra_remote_properties_not_any_of(self): def test_create_mapping_extra_remote_properties_not_any_of(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
mapping = mapping_fixtures.MAPPING_EXTRA_REMOTE_PROPS_NOT_ANY_OF mapping = mapping_fixtures.MAPPING_EXTRA_REMOTE_PROPS_NOT_ANY_OF
self.put(url, expected_status=400, body={'mapping': mapping}) self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping})
def test_create_mapping_extra_remote_properties_any_one_of(self): def test_create_mapping_extra_remote_properties_any_one_of(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
mapping = mapping_fixtures.MAPPING_EXTRA_REMOTE_PROPS_ANY_ONE_OF mapping = mapping_fixtures.MAPPING_EXTRA_REMOTE_PROPS_ANY_ONE_OF
self.put(url, expected_status=400, body={'mapping': mapping}) self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping})
def test_create_mapping_extra_remote_properties_just_type(self): def test_create_mapping_extra_remote_properties_just_type(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
mapping = mapping_fixtures.MAPPING_EXTRA_REMOTE_PROPS_JUST_TYPE mapping = mapping_fixtures.MAPPING_EXTRA_REMOTE_PROPS_JUST_TYPE
self.put(url, expected_status=400, body={'mapping': mapping}) self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping})
def test_create_mapping_empty_map(self): def test_create_mapping_empty_map(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': {}}) body={'mapping': {}})
def test_create_mapping_extra_rules_properties(self): def test_create_mapping_extra_rules_properties(self):
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
self.put(url, expected_status=400, self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping_fixtures.MAPPING_EXTRA_RULES_PROPS}) body={'mapping': mapping_fixtures.MAPPING_EXTRA_RULES_PROPS})
def test_create_mapping_with_blacklist_and_whitelist(self): def test_create_mapping_with_blacklist_and_whitelist(self):
@ -1462,7 +1467,8 @@ class MappingCRUDTests(FederationTests):
""" """
url = self.MAPPING_URL + uuid.uuid4().hex url = self.MAPPING_URL + uuid.uuid4().hex
mapping = mapping_fixtures.MAPPING_GROUPS_WHITELIST_AND_BLACKLIST mapping = mapping_fixtures.MAPPING_GROUPS_WHITELIST_AND_BLACKLIST
self.put(url, expected_status=400, body={'mapping': mapping}) self.put(url, expected_status=http_client.BAD_REQUEST,
body={'mapping': mapping})
class FederatedTokenTests(FederationTests, FederatedSetupMixin): class FederatedTokenTests(FederationTests, FederatedSetupMixin):
@ -1679,14 +1685,14 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
self.federation_api.update_idp(self.IDP, enabled_false) self.federation_api.update_idp(self.IDP, enabled_false)
self.v3_authenticate_token( self.v3_authenticate_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER, self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_scope_to_bad_project(self): def test_scope_to_bad_project(self):
"""Scope unscoped token with a project we don't have access to.""" """Scope unscoped token with a project we don't have access to."""
self.v3_authenticate_token( self.v3_authenticate_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER, self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_scope_to_project_multiple_times(self): def test_scope_to_project_multiple_times(self):
"""Try to scope the unscoped token multiple times. """Try to scope the unscoped token multiple times.
@ -1725,7 +1731,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
"""Try to scope token from non-existent unscoped token.""" """Try to scope token from non-existent unscoped token."""
self.v3_authenticate_token( self.v3_authenticate_token(
self.TOKEN_SCOPE_PROJECT_FROM_NONEXISTENT_TOKEN, self.TOKEN_SCOPE_PROJECT_FROM_NONEXISTENT_TOKEN,
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_issue_token_from_rules_without_user(self): def test_issue_token_from_rules_without_user(self):
api = auth_controllers.Auth() api = auth_controllers.Auth()
@ -1779,7 +1785,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
"""Try to scope to a domain that has no direct roles.""" """Try to scope to a domain that has no direct roles."""
self.v3_authenticate_token( self.v3_authenticate_token(
self.TOKEN_SCOPE_DOMAIN_D_FROM_CUSTOMER, self.TOKEN_SCOPE_DOMAIN_D_FROM_CUSTOMER,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_list_projects(self): def test_list_projects(self):
urls = ('/OS-FEDERATION/projects', '/auth/projects') urls = ('/OS-FEDERATION/projects', '/auth/projects')
@ -2729,7 +2735,7 @@ class SAMLGenerationTests(FederationTests):
with mock.patch.object(keystone_idp, '_sign_assertion', with mock.patch.object(keystone_idp, '_sign_assertion',
return_value=self.signed_assertion): return_value=self.signed_assertion):
self.post(self.SAML_GENERATION_ROUTE, body=body, self.post(self.SAML_GENERATION_ROUTE, body=body,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_generate_saml_route(self): def test_generate_saml_route(self):
"""Test that the SAML generation endpoint produces XML. """Test that the SAML generation endpoint produces XML.
@ -2792,7 +2798,8 @@ class SAMLGenerationTests(FederationTests):
self.SERVICE_PROVDIER_ID) self.SERVICE_PROVDIER_ID)
del body['auth']['scope'] del body['auth']['scope']
self.post(self.SAML_GENERATION_ROUTE, body=body, expected_status=400) self.post(self.SAML_GENERATION_ROUTE, body=body,
expected_status=http_client.BAD_REQUEST)
def test_invalid_token_body(self): def test_invalid_token_body(self):
"""Test that missing the token in request body raises an exception. """Test that missing the token in request body raises an exception.
@ -2806,7 +2813,8 @@ class SAMLGenerationTests(FederationTests):
self.SERVICE_PROVDIER_ID) self.SERVICE_PROVDIER_ID)
del body['auth']['identity']['token'] del body['auth']['identity']['token']
self.post(self.SAML_GENERATION_ROUTE, body=body, expected_status=400) self.post(self.SAML_GENERATION_ROUTE, body=body,
expected_status=http_client.BAD_REQUEST)
def test_sp_not_found(self): def test_sp_not_found(self):
"""Test SAML generation with an invalid service provider ID. """Test SAML generation with an invalid service provider ID.
@ -2817,7 +2825,8 @@ class SAMLGenerationTests(FederationTests):
sp_id = uuid.uuid4().hex sp_id = uuid.uuid4().hex
token_id = self._fetch_valid_token() token_id = self._fetch_valid_token()
body = self._create_generate_saml_request(token_id, sp_id) body = self._create_generate_saml_request(token_id, sp_id)
self.post(self.SAML_GENERATION_ROUTE, body=body, expected_status=404) self.post(self.SAML_GENERATION_ROUTE, body=body,
expected_status=http_client.NOT_FOUND)
def test_sp_disabled(self): def test_sp_disabled(self):
"""Try generating assertion for disabled Service Provider.""" """Try generating assertion for disabled Service Provider."""
@ -2829,7 +2838,8 @@ class SAMLGenerationTests(FederationTests):
token_id = self._fetch_valid_token() token_id = self._fetch_valid_token()
body = self._create_generate_saml_request(token_id, body = self._create_generate_saml_request(token_id,
self.SERVICE_PROVDIER_ID) self.SERVICE_PROVDIER_ID)
self.post(self.SAML_GENERATION_ROUTE, body=body, expected_status=403) self.post(self.SAML_GENERATION_ROUTE, body=body,
expected_status=http_client.FORBIDDEN)
def test_token_not_found(self): def test_token_not_found(self):
"""Test that an invalid token in the request body raises an exception. """Test that an invalid token in the request body raises an exception.
@ -2841,7 +2851,8 @@ class SAMLGenerationTests(FederationTests):
token_id = uuid.uuid4().hex token_id = uuid.uuid4().hex
body = self._create_generate_saml_request(token_id, body = self._create_generate_saml_request(token_id,
self.SERVICE_PROVDIER_ID) self.SERVICE_PROVDIER_ID)
self.post(self.SAML_GENERATION_ROUTE, body=body, expected_status=404) self.post(self.SAML_GENERATION_ROUTE, body=body,
expected_status=http_client.NOT_FOUND)
def test_generate_ecp_route(self): def test_generate_ecp_route(self):
"""Test that the ECP generation endpoint produces XML. """Test that the ECP generation endpoint produces XML.
@ -3113,7 +3124,7 @@ class ServiceProviderTests(FederationTests):
def test_get_service_provider_fail(self): def test_get_service_provider_fail(self):
url = self.base_url(suffix=uuid.uuid4().hex) url = self.base_url(suffix=uuid.uuid4().hex)
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_create_service_provider(self): def test_create_service_provider(self):
url = self.base_url(suffix=uuid.uuid4().hex) url = self.base_url(suffix=uuid.uuid4().hex)
@ -3152,7 +3163,7 @@ class ServiceProviderTests(FederationTests):
sp = self.sp_ref() sp = self.sp_ref()
sp[uuid.uuid4().hex] = uuid.uuid4().hex sp[uuid.uuid4().hex] = uuid.uuid4().hex
self.put(url, body={'service_provider': sp}, self.put(url, body={'service_provider': sp},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_list_service_providers(self): def test_list_service_providers(self):
"""Test listing of service provider objects. """Test listing of service provider objects.
@ -3219,21 +3230,21 @@ class ServiceProviderTests(FederationTests):
new_sp_ref = {'id': uuid.uuid4().hex} new_sp_ref = {'id': uuid.uuid4().hex}
url = self.base_url(suffix=self.SERVICE_PROVIDER_ID) url = self.base_url(suffix=self.SERVICE_PROVIDER_ID)
self.patch(url, body={'service_provider': new_sp_ref}, self.patch(url, body={'service_provider': new_sp_ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_update_service_provider_unknown_parameter(self): def test_update_service_provider_unknown_parameter(self):
new_sp_ref = self.sp_ref() new_sp_ref = self.sp_ref()
new_sp_ref[uuid.uuid4().hex] = uuid.uuid4().hex new_sp_ref[uuid.uuid4().hex] = uuid.uuid4().hex
url = self.base_url(suffix=self.SERVICE_PROVIDER_ID) url = self.base_url(suffix=self.SERVICE_PROVIDER_ID)
self.patch(url, body={'service_provider': new_sp_ref}, self.patch(url, body={'service_provider': new_sp_ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_update_service_provider_404(self): def test_update_service_provider_404(self):
new_sp_ref = self.sp_ref() new_sp_ref = self.sp_ref()
new_sp_ref['description'] = uuid.uuid4().hex new_sp_ref['description'] = uuid.uuid4().hex
url = self.base_url(suffix=uuid.uuid4().hex) url = self.base_url(suffix=uuid.uuid4().hex)
self.patch(url, body={'service_provider': new_sp_ref}, self.patch(url, body={'service_provider': new_sp_ref},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_update_sp_relay_state(self): def test_update_sp_relay_state(self):
"""Update an SP with custome relay state.""" """Update an SP with custome relay state."""
@ -3253,7 +3264,7 @@ class ServiceProviderTests(FederationTests):
def test_delete_service_provider_404(self): def test_delete_service_provider_404(self):
url = self.base_url(suffix=uuid.uuid4().hex) url = self.base_url(suffix=uuid.uuid4().hex)
self.delete(url, expected_status=404) self.delete(url, expected_status=http_client.NOT_FOUND)
class WebSSOTests(FederatedTokenTests): class WebSSOTests(FederatedTokenTests):
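Review bot: `test_update_service_provider_404` and `test_delete_service_provider_404` still carry the numeric status in their names, even though their assertions now use `http_client.NOT_FOUND`. The identity tests in this same commit rename `test_create_user_400` to `test_create_user_bad_request`, so `test_update_service_provider_not_found` and `test_delete_service_provider_not_found` would follow the same convention. If a skip list or test selection outside this page refers to the old names, it would need the matching rename.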


@ -17,6 +17,7 @@ import uuid
import fixtures import fixtures
from oslo_config import cfg from oslo_config import cfg
from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.common import controller from keystone.common import controller
@ -104,9 +105,10 @@ class IdentityTestCase(test_v3.RestfulTestCase):
ref['domain_id'] = CONF.identity.default_domain_id ref['domain_id'] = CONF.identity.default_domain_id
return self.assertValidUserResponse(r, ref) return self.assertValidUserResponse(r, ref)
def test_create_user_400(self): def test_create_user_bad_request(self):
"""Call ``POST /users``.""" """Call ``POST /users``."""
self.post('/users', body={'user': {}}, expected_status=400) self.post('/users', body={'user': {}},
expected_status=http_client.BAD_REQUEST)
def test_list_users(self): def test_list_users(self):
"""Call ``GET /users``.""" """Call ``GET /users``."""
@ -300,10 +302,12 @@ class IdentityTestCase(test_v3.RestfulTestCase):
expected_status=200) expected_status=200)
# auth as user with original password should not work after change # auth as user with original password should not work after change
self.v3_authenticate_token(old_password_auth, expected_status=401) self.v3_authenticate_token(old_password_auth,
expected_status=http_client.UNAUTHORIZED)
# auth as user with an old token should not work after change # auth as user with an old token should not work after change
self.v3_authenticate_token(old_token_auth, expected_status=404) self.v3_authenticate_token(old_token_auth,
expected_status=http_client.NOT_FOUND)
# new password should work # new password should work
new_password_auth = self.build_authentication_request( new_password_auth = self.build_authentication_request(
@ -389,9 +393,10 @@ class IdentityTestCase(test_v3.RestfulTestCase):
body={'group': ref}) body={'group': ref})
return self.assertValidGroupResponse(r, ref) return self.assertValidGroupResponse(r, ref)
def test_create_group_400(self): def test_create_group_bad_request(self):
"""Call ``POST /groups``.""" """Call ``POST /groups``."""
self.post('/groups', body={'group': {}}, expected_status=400) self.post('/groups', body={'group': {}},
expected_status=http_client.BAD_REQUEST)
def test_list_groups(self): def test_list_groups(self):
"""Call ``GET /groups``.""" """Call ``GET /groups``."""
@ -581,30 +586,32 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
expected_status=204) expected_status=204)
# old password fails # old password fails
self.get_request_token(self.user_ref['password'], expected_status=401) self.get_request_token(self.user_ref['password'],
expected_status=http_client.UNAUTHORIZED)
# old token fails # old token fails
self.v3_authenticate_token(old_token_auth, expected_status=404) self.v3_authenticate_token(old_token_auth,
expected_status=http_client.NOT_FOUND)
# new password works # new password works
self.get_request_token(new_password, expected_status=201) self.get_request_token(new_password, expected_status=201)
def test_changing_password_with_missing_original_password_fails(self): def test_changing_password_with_missing_original_password_fails(self):
r = self.change_password(password=uuid.uuid4().hex, r = self.change_password(password=uuid.uuid4().hex,
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertThat(r.result['error']['message'], self.assertThat(r.result['error']['message'],
matchers.Contains('original_password')) matchers.Contains('original_password'))
def test_changing_password_with_missing_password_fails(self): def test_changing_password_with_missing_password_fails(self):
r = self.change_password(original_password=self.user_ref['password'], r = self.change_password(original_password=self.user_ref['password'],
expected_status=400) expected_status=http_client.BAD_REQUEST)
self.assertThat(r.result['error']['message'], self.assertThat(r.result['error']['message'],
matchers.Contains('password')) matchers.Contains('password'))
def test_changing_password_with_incorrect_password_fails(self): def test_changing_password_with_incorrect_password_fails(self):
self.change_password(password=uuid.uuid4().hex, self.change_password(password=uuid.uuid4().hex,
original_password=uuid.uuid4().hex, original_password=uuid.uuid4().hex,
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_changing_password_with_disabled_user_fails(self): def test_changing_password_with_disabled_user_fails(self):
# disable the user account # disable the user account
@ -614,7 +621,7 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
self.change_password(password=uuid.uuid4().hex, self.change_password(password=uuid.uuid4().hex,
original_password=self.user_ref['password'], original_password=self.user_ref['password'],
expected_status=401) expected_status=http_client.UNAUTHORIZED)
def test_changing_password_not_logged(self): def test_changing_password_not_logged(self):
# When a user changes their password, the password isn't logged at any # When a user changes their password, the password isn't logged at any


@ -18,6 +18,7 @@ import uuid
from oslo_config import cfg from oslo_config import cfg
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from pycadf import cadftaxonomy from pycadf import cadftaxonomy
from six.moves import http_client
from six.moves import urllib from six.moves import urllib
from keystone.contrib import oauth1 from keystone.contrib import oauth1
@ -182,7 +183,7 @@ class ConsumerCRUDTests(OAuth1Tests):
update_ref['secret'] = uuid.uuid4().hex update_ref['secret'] = uuid.uuid4().hex
self.patch(self.CONSUMER_URL + '/%s' % original_id, self.patch(self.CONSUMER_URL + '/%s' % original_id,
body={'consumer': update_ref}, body={'consumer': update_ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_consumer_update_bad_id(self): def test_consumer_update_bad_id(self):
consumer = self._create_single_consumer() consumer = self._create_single_consumer()
@ -195,7 +196,7 @@ class ConsumerCRUDTests(OAuth1Tests):
update_ref['id'] = update_description update_ref['id'] = update_description
self.patch(self.CONSUMER_URL + '/%s' % original_id, self.patch(self.CONSUMER_URL + '/%s' % original_id,
body={'consumer': update_ref}, body={'consumer': update_ref},
expected_status=400) expected_status=http_client.BAD_REQUEST)
def test_consumer_update_normalize_field(self): def test_consumer_update_normalize_field(self):
# If update a consumer with a field with : or - in the name, # If update a consumer with a field with : or - in the name,
@ -236,7 +237,7 @@ class ConsumerCRUDTests(OAuth1Tests):
def test_consumer_get_bad_id(self): def test_consumer_get_bad_id(self):
self.get(self.CONSUMER_URL + '/%(consumer_id)s' self.get(self.CONSUMER_URL + '/%(consumer_id)s'
% {'consumer_id': uuid.uuid4().hex}, % {'consumer_id': uuid.uuid4().hex},
expected_status=404) expected_status=http_client.NOT_FOUND)
class OAuthFlowTests(OAuth1Tests): class OAuthFlowTests(OAuth1Tests):
@ -291,7 +292,7 @@ class AccessTokenCRUDTests(OAuthFlowTests):
self.delete('/users/%(user)s/OS-OAUTH1/access_tokens/%(auth)s' self.delete('/users/%(user)s/OS-OAUTH1/access_tokens/%(auth)s'
% {'user': self.user_id, % {'user': self.user_id,
'auth': uuid.uuid4().hex}, 'auth': uuid.uuid4().hex},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_list_no_access_tokens(self): def test_list_no_access_tokens(self):
resp = self.get('/users/%(user_id)s/OS-OAUTH1/access_tokens' resp = self.get('/users/%(user_id)s/OS-OAUTH1/access_tokens'
@ -316,7 +317,7 @@ class AccessTokenCRUDTests(OAuthFlowTests):
self.get('/users/%(user_id)s/OS-OAUTH1/access_tokens/%(key)s' self.get('/users/%(user_id)s/OS-OAUTH1/access_tokens/%(key)s'
% {'user_id': self.user_id, % {'user_id': self.user_id,
'key': uuid.uuid4().hex}, 'key': uuid.uuid4().hex},
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_list_all_roles_in_access_token(self): def test_list_all_roles_in_access_token(self):
self.test_oauth_flow() self.test_oauth_flow()
@ -341,7 +342,7 @@ class AccessTokenCRUDTests(OAuthFlowTests):
url = ('/users/%(id)s/OS-OAUTH1/access_tokens/%(key)s/roles/%(role)s' url = ('/users/%(id)s/OS-OAUTH1/access_tokens/%(key)s/roles/%(role)s'
% {'id': self.user_id, 'key': self.access_token.key, % {'id': self.user_id, 'key': self.access_token.key,
'role': uuid.uuid4().hex}) 'role': uuid.uuid4().hex})
self.get(url, expected_status=404) self.get(url, expected_status=http_client.NOT_FOUND)
def test_list_and_delete_access_tokens(self): def test_list_and_delete_access_tokens(self):
self.test_oauth_flow() self.test_oauth_flow()
@ -405,7 +406,7 @@ class AuthTokenTests(OAuthFlowTests):
headers = {'X-Subject-Token': self.keystone_token_id, headers = {'X-Subject-Token': self.keystone_token_id,
'X-Auth-Token': self.keystone_token_id} 'X-Auth-Token': self.keystone_token_id}
self.get('/auth/tokens', headers=headers, self.get('/auth/tokens', headers=headers,
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_deleting_consumer_also_deletes_tokens(self): def test_deleting_consumer_also_deletes_tokens(self):
self.test_oauth_flow() self.test_oauth_flow()
@ -426,7 +427,7 @@ class AuthTokenTests(OAuthFlowTests):
headers = {'X-Subject-Token': self.keystone_token_id, headers = {'X-Subject-Token': self.keystone_token_id,
'X-Auth-Token': self.keystone_token_id} 'X-Auth-Token': self.keystone_token_id}
self.head('/auth/tokens', headers=headers, self.head('/auth/tokens', headers=headers,
expected_status=404) expected_status=http_client.NOT_FOUND)
def test_change_user_password_also_deletes_tokens(self): def test_change_user_password_also_deletes_tokens(self):
self.test_oauth_flow() self.test_oauth_flow()
@ -445,7 +446,7 @@ class AuthTokenTests(OAuthFlowTests):
headers = {'X-Subject-Token': self.keystone_token_id, headers = {'X-Subject-Token': self.keystone_token_id,
'X-Auth-Token': self.keystone_token_id} 'X-Auth-Token': self.keystone_token_id}
self.admin_request(path='/auth/tokens', headers=headers, self.admin_request(path='/auth/tokens', headers=headers,
method='GET', expected_status=404) method='GET', expected_status=http_client.NOT_FOUND)
def test_deleting_project_also_invalidates_tokens(self): def test_deleting_project_also_invalidates_tokens(self):
self.test_oauth_flow() self.test_oauth_flow()
@ -462,7 +463,7 @@ class AuthTokenTests(OAuthFlowTests):
headers = {'X-Subject-Token': self.keystone_token_id, headers = {'X-Subject-Token': self.keystone_token_id,
'X-Auth-Token': self.keystone_token_id} 'X-Auth-Token': self.keystone_token_id}
self.admin_request(path='/auth/tokens', headers=headers, self.admin_request(path='/auth/tokens', headers=headers,
method='GET', expected_status=404) method='GET', expected_status=http_client.NOT_FOUND)
def test_token_chaining_is_not_allowed(self): def test_token_chaining_is_not_allowed(self):
self.test_oauth_flow() self.test_oauth_flow()
@ -477,7 +478,7 @@ class AuthTokenTests(OAuthFlowTests):
body=auth_data, body=auth_data,
token=self.keystone_token_id, token=self.keystone_token_id,
method='POST', method='POST',
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_delete_keystone_tokens_by_consumer_id(self): def test_delete_keystone_tokens_by_consumer_id(self):
self.test_oauth_flow() self.test_oauth_flow()
@ -545,14 +546,14 @@ class AuthTokenTests(OAuthFlowTests):
self.post('/OS-TRUST/trusts', self.post('/OS-TRUST/trusts',
body={'trust': ref}, body={'trust': ref},
token=self.keystone_token_id, token=self.keystone_token_id,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_oauth_token_cannot_authorize_request_token(self): def test_oauth_token_cannot_authorize_request_token(self):
self.test_oauth_flow() self.test_oauth_flow()
url = self._approve_request_token_url() url = self._approve_request_token_url()
body = {'roles': [{'id': self.role_id}]} body = {'roles': [{'id': self.role_id}]}
self.put(url, body=body, token=self.keystone_token_id, self.put(url, body=body, token=self.keystone_token_id,
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_oauth_token_cannot_list_request_tokens(self): def test_oauth_token_cannot_list_request_tokens(self):
self._set_policy({"identity:list_access_tokens": [], self._set_policy({"identity:list_access_tokens": [],
@ -561,7 +562,7 @@ class AuthTokenTests(OAuthFlowTests):
self.test_oauth_flow() self.test_oauth_flow()
url = '/users/%s/OS-OAUTH1/access_tokens' % self.user_id url = '/users/%s/OS-OAUTH1/access_tokens' % self.user_id
self.get(url, token=self.keystone_token_id, self.get(url, token=self.keystone_token_id,
expected_status=403) expected_status=http_client.FORBIDDEN)
def _set_policy(self, new_policy): def _set_policy(self, new_policy):
self.tempfile = self.useFixture(temporaryfile.SecureTempFile()) self.tempfile = self.useFixture(temporaryfile.SecureTempFile())
@ -575,14 +576,16 @@ class AuthTokenTests(OAuthFlowTests):
trust_token = self._create_trust_get_token() trust_token = self._create_trust_get_token()
url = self._approve_request_token_url() url = self._approve_request_token_url()
body = {'roles': [{'id': self.role_id}]} body = {'roles': [{'id': self.role_id}]}
self.put(url, body=body, token=trust_token, expected_status=403) self.put(url, body=body, token=trust_token,
expected_status=http_client.FORBIDDEN)
def test_trust_token_cannot_list_request_tokens(self): def test_trust_token_cannot_list_request_tokens(self):
self._set_policy({"identity:list_access_tokens": [], self._set_policy({"identity:list_access_tokens": [],
"identity:create_trust": []}) "identity:create_trust": []})
trust_token = self._create_trust_get_token() trust_token = self._create_trust_get_token()
url = '/users/%s/OS-OAUTH1/access_tokens' % self.user_id url = '/users/%s/OS-OAUTH1/access_tokens' % self.user_id
self.get(url, token=trust_token, expected_status=403) self.get(url, token=trust_token,
expected_status=http_client.FORBIDDEN)
class MaliciousOAuth1Tests(OAuth1Tests): class MaliciousOAuth1Tests(OAuth1Tests):
@ -592,7 +595,8 @@ class MaliciousOAuth1Tests(OAuth1Tests):
consumer_id = consumer['id'] consumer_id = consumer['id']
consumer = {'key': consumer_id, 'secret': uuid.uuid4().hex} consumer = {'key': consumer_id, 'secret': uuid.uuid4().hex}
url, headers = self._create_request_token(consumer, self.project_id) url, headers = self._create_request_token(consumer, self.project_id)
self.post(url, headers=headers, expected_status=401) self.post(url, headers=headers,
expected_status=http_client.UNAUTHORIZED)
def test_bad_request_token_key(self): def test_bad_request_token_key(self):
consumer = self._create_single_consumer() consumer = self._create_single_consumer()
@ -605,7 +609,7 @@ class MaliciousOAuth1Tests(OAuth1Tests):
response_content_type='application/x-www-urlformencoded') response_content_type='application/x-www-urlformencoded')
url = self._authorize_request_token(uuid.uuid4().hex) url = self._authorize_request_token(uuid.uuid4().hex)
body = {'roles': [{'id': self.role_id}]} body = {'roles': [{'id': self.role_id}]}
self.put(url, body=body, expected_status=404) self.put(url, body=body, expected_status=http_client.NOT_FOUND)
def test_bad_consumer_id(self): def test_bad_consumer_id(self):
consumer = self._create_single_consumer() consumer = self._create_single_consumer()
@ -613,7 +617,7 @@ class MaliciousOAuth1Tests(OAuth1Tests):
consumer_secret = consumer['secret'] consumer_secret = consumer['secret']
consumer = {'key': consumer_id, 'secret': consumer_secret} consumer = {'key': consumer_id, 'secret': consumer_secret}
url, headers = self._create_request_token(consumer, self.project_id) url, headers = self._create_request_token(consumer, self.project_id)
self.post(url, headers=headers, expected_status=404) self.post(url, headers=headers, expected_status=http_client.NOT_FOUND)
def test_bad_requested_project_id(self): def test_bad_requested_project_id(self):
consumer = self._create_single_consumer() consumer = self._create_single_consumer()
@ -622,7 +626,7 @@ class MaliciousOAuth1Tests(OAuth1Tests):
consumer = {'key': consumer_id, 'secret': consumer_secret} consumer = {'key': consumer_id, 'secret': consumer_secret}
project_id = uuid.uuid4().hex project_id = uuid.uuid4().hex
url, headers = self._create_request_token(consumer, project_id) url, headers = self._create_request_token(consumer, project_id)
self.post(url, headers=headers, expected_status=404) self.post(url, headers=headers, expected_status=http_client.NOT_FOUND)
def test_bad_verifier(self): def test_bad_verifier(self):
consumer = self._create_single_consumer() consumer = self._create_single_consumer()
@ -647,7 +651,8 @@ class MaliciousOAuth1Tests(OAuth1Tests):
request_token.set_verifier(uuid.uuid4().hex) request_token.set_verifier(uuid.uuid4().hex)
url, headers = self._create_access_token(consumer, request_token) url, headers = self._create_access_token(consumer, request_token)
self.post(url, headers=headers, expected_status=401) self.post(url, headers=headers,
expected_status=http_client.UNAUTHORIZED)
def test_bad_authorizing_roles(self): def test_bad_authorizing_roles(self):
consumer = self._create_single_consumer() consumer = self._create_single_consumer()
@ -667,7 +672,7 @@ class MaliciousOAuth1Tests(OAuth1Tests):
url = self._authorize_request_token(request_key) url = self._authorize_request_token(request_key)
body = {'roles': [{'id': self.role_id}]} body = {'roles': [{'id': self.role_id}]}
self.admin_request(path=url, method='PUT', self.admin_request(path=url, method='PUT',
body=body, expected_status=404) body=body, expected_status=http_client.NOT_FOUND)
def test_expired_authorizing_request_token(self): def test_expired_authorizing_request_token(self):
self.config_fixture.config(group='oauth1', request_token_duration=-1) self.config_fixture.config(group='oauth1', request_token_duration=-1)
@ -691,7 +696,7 @@ class MaliciousOAuth1Tests(OAuth1Tests):
url = self._authorize_request_token(request_key) url = self._authorize_request_token(request_key)
body = {'roles': [{'id': self.role_id}]} body = {'roles': [{'id': self.role_id}]}
self.put(url, body=body, expected_status=401) self.put(url, body=body, expected_status=http_client.UNAUTHORIZED)
def test_expired_creating_keystone_token(self): def test_expired_creating_keystone_token(self):
self.config_fixture.config(group='oauth1', access_token_duration=-1) self.config_fixture.config(group='oauth1', access_token_duration=-1)
@ -731,7 +736,8 @@ class MaliciousOAuth1Tests(OAuth1Tests):
url, headers, body = self._get_oauth_token(self.consumer, url, headers, body = self._get_oauth_token(self.consumer,
self.access_token) self.access_token)
self.post(url, headers=headers, body=body, expected_status=401) self.post(url, headers=headers, body=body,
expected_status=http_client.UNAUTHORIZED)
def test_missing_oauth_headers(self): def test_missing_oauth_headers(self):
endpoint = '/OS-OAUTH1/request_token' endpoint = '/OS-OAUTH1/request_token'
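Review bot: The hunks at -592 and -613 in MaliciousOAuth1Tests pin two different statuses for a rejected consumer, and neither test says the difference is intended. A wrong secret on an existing consumer expects `http_client.UNAUTHORIZED`, while `test_bad_consumer_id` expects `http_client.NOT_FOUND`, so the response tells a caller whether a consumer id exists. If that is the intended contract, I would record it next to the assertions, for example `# unknown consumer id is reported as 404, a wrong secret as 401 (intentional)`. Both test bodies begin outside their hunks, so how `consumer_id` is built in `test_bad_consumer_id` is inferred from the test name rather than seen.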


@ -15,6 +15,7 @@ import uuid
from oslo_utils import timeutils from oslo_utils import timeutils
import six import six
from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.common import utils from keystone.common import utils
@ -112,7 +113,8 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
self.assertReportedEventMatchesRecorded(events[0], sample, before_time) self.assertReportedEventMatchesRecorded(events[0], sample, before_time)
def test_list_since_invalid(self): def test_list_since_invalid(self):
self.get('/OS-REVOKE/events?since=blah', expected_status=400) self.get('/OS-REVOKE/events?since=blah',
expected_status=http_client.BAD_REQUEST)
def test_list_since_valid(self): def test_list_since_valid(self):
resp = self.get('/OS-REVOKE/events?since=2013-02-27T18:30:59.999999Z') resp = self.get('/OS-REVOKE/events?since=2013-02-27T18:30:59.999999Z')


@ -17,6 +17,7 @@ import uuid
from oslo_config import cfg from oslo_config import cfg
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from six.moves import http_client
from keystone import exception from keystone import exception
from keystone.policy.backends import rules from keystone.policy.backends import rules
@ -428,7 +429,8 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
user2_token = self.get_requested_token(user2_auth) user2_token = self.get_requested_token(user2_auth)
self.get('/auth/tokens', token=user1_token, self.get('/auth/tokens', token=user1_token,
headers={'X-Subject-Token': user2_token}, expected_status=403) headers={'X-Subject-Token': user2_token},
expected_status=http_client.FORBIDDEN)
def test_admin_validate_user_token(self): def test_admin_validate_user_token(self):
# An admin can validate a user's token. # An admin can validate a user's token.
@ -490,7 +492,7 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
self.head('/auth/tokens', token=user1_token, self.head('/auth/tokens', token=user1_token,
headers={'X-Subject-Token': user2_token}, headers={'X-Subject-Token': user2_token},
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_admin_check_user_token(self): def test_admin_check_user_token(self):
# An admin can check a user's token. # An admin can check a user's token.
@ -552,7 +554,7 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
self.delete('/auth/tokens', token=user1_token, self.delete('/auth/tokens', token=user1_token,
headers={'X-Subject-Token': user2_token}, headers={'X-Subject-Token': user2_token},
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_admin_revoke_user_token(self): def test_admin_revoke_user_token(self):
# An admin can revoke a user's token. # An admin can revoke a user's token.
@ -948,7 +950,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
collection_url = self.build_role_assignment_query_url( collection_url = self.build_role_assignment_query_url(
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
self.get(collection_url, auth=self.auth, expected_status=403) self.get(collection_url, auth=self.auth,
expected_status=http_client.FORBIDDEN)
def test_domain_user_list_assignments_of_domain_failed(self): def test_domain_user_list_assignments_of_domain_failed(self):
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(
@ -958,7 +961,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
collection_url = self.build_role_assignment_query_url( collection_url = self.build_role_assignment_query_url(
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
self.get(collection_url, auth=self.auth, expected_status=403) self.get(collection_url, auth=self.auth,
expected_status=http_client.FORBIDDEN)
def test_cloud_admin_list_assignments_of_project(self): def test_cloud_admin_list_assignments_of_project(self):
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(
@ -1021,7 +1025,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
collection_url = self.build_role_assignment_query_url( collection_url = self.build_role_assignment_query_url(
project_id=self.project['id']) project_id=self.project['id'])
self.get(collection_url, auth=self.auth, expected_status=403) self.get(collection_url, auth=self.auth,
expected_status=http_client.FORBIDDEN)
def test_cloud_admin(self): def test_cloud_admin(self):
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(
@ -1145,7 +1150,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
user2_token = self.get_requested_token(user2_auth) user2_token = self.get_requested_token(user2_auth)
self.get('/auth/tokens', token=user1_token, self.get('/auth/tokens', token=user1_token,
headers={'X-Subject-Token': user2_token}, expected_status=403) headers={'X-Subject-Token': user2_token},
expected_status=http_client.FORBIDDEN)
def test_admin_validate_user_token(self): def test_admin_validate_user_token(self):
# An admin can validate a user's token. # An admin can validate a user's token.
@ -1207,7 +1213,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.head('/auth/tokens', token=user1_token, self.head('/auth/tokens', token=user1_token,
headers={'X-Subject-Token': user2_token}, headers={'X-Subject-Token': user2_token},
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_admin_check_user_token(self): def test_admin_check_user_token(self):
# An admin can check a user's token. # An admin can check a user's token.
@ -1269,7 +1275,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.delete('/auth/tokens', token=user1_token, self.delete('/auth/tokens', token=user1_token,
headers={'X-Subject-Token': user2_token}, headers={'X-Subject-Token': user2_token},
expected_status=403) expected_status=http_client.FORBIDDEN)
def test_admin_revoke_user_token(self): def test_admin_revoke_user_token(self):
# An admin can revoke a user's token. # An admin can revoke a user's token.


@ -20,6 +20,7 @@ import random
import mock import mock
from oslo_config import cfg from oslo_config import cfg
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from six.moves import http_client
from testtools import matchers as tt_matchers from testtools import matchers as tt_matchers
from keystone.common import json_home from keystone.common import json_home
@ -788,7 +789,7 @@ class VersionTestCase(unit.TestCase):
client = unit.TestClient(self.public_app) client = unit.TestClient(self.public_app)
# request to /v2.0 should fail # request to /v2.0 should fail
resp = client.get('/v2.0/') resp = client.get('/v2.0/')
self.assertEqual(404, resp.status_int) self.assertEqual(http_client.NOT_FOUND, resp.status_int)
# request to /v3 should pass # request to /v3 should pass
resp = client.get('/v3/') resp = client.get('/v3/')
@ -821,7 +822,7 @@ class VersionTestCase(unit.TestCase):
client = unit.TestClient(self.public_app) client = unit.TestClient(self.public_app)
# request to /v3 should fail # request to /v3 should fail
resp = client.get('/v3/') resp = client.get('/v3/')
self.assertEqual(404, resp.status_int) self.assertEqual(http_client.NOT_FOUND, resp.status_int)
# request to /v2.0 should pass # request to /v2.0 should pass
resp = client.get('/v2.0/') resp = client.get('/v2.0/')


@ -23,6 +23,7 @@ import mock
import oslo_i18n import oslo_i18n
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
import six import six
from six.moves import http_client
from testtools import matchers from testtools import matchers
import webob import webob
@ -195,14 +196,14 @@ class ApplicationTest(BaseWSGITest):
def test_render_exception(self): def test_render_exception(self):
e = exception.Unauthorized(message=u'\u7f51\u7edc') e = exception.Unauthorized(message=u'\u7f51\u7edc')
resp = wsgi.render_exception(e) resp = wsgi.render_exception(e)
self.assertEqual(401, resp.status_int) self.assertEqual(http_client.UNAUTHORIZED, resp.status_int)
def test_render_exception_host(self): def test_render_exception_host(self):
e = exception.Unauthorized(message=u'\u7f51\u7edc') e = exception.Unauthorized(message=u'\u7f51\u7edc')
context = {'host_url': 'http://%s:5000' % uuid.uuid4().hex} context = {'host_url': 'http://%s:5000' % uuid.uuid4().hex}
resp = wsgi.render_exception(e, context=context) resp = wsgi.render_exception(e, context=context)
self.assertEqual(401, resp.status_int) self.assertEqual(http_client.UNAUTHORIZED, resp.status_int)
def test_improperly_encoded_params(self): def test_improperly_encoded_params(self):
class FakeApp(wsgi.Application): class FakeApp(wsgi.Application):