Enhance tests for non-default default_domain_id
There were no tests that show what happens when the default_domain_id is changed from the default. The new tests show that in some cases the behavior is incorrect, and in other cases it is correct. Change-Id: Ia167e153f488617f94afce7fddfc52e1e2c8e79c Related-Bug: #1265108
parent
e54a6a353c
commit
6bd2394bb8
|
@ -286,6 +286,24 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
|
|||
domains,
|
||||
[assignment.DEFAULT_DOMAIN])
|
||||
|
||||
def test_list_domains_non_default_domain_id(self):
|
||||
# If change the default_domain_id, the ID of the default domain
|
||||
# returned by list_domains changes is the new default_domain_id.
|
||||
|
||||
orig_default_domain_id = CONF.identity.default_domain_id
|
||||
|
||||
new_domain_id = uuid.uuid4().hex
|
||||
self.opt_in_group('identity', default_domain_id=new_domain_id)
|
||||
|
||||
domains = self.assignment_api.list_domains()
|
||||
|
||||
# TODO(blk-u): The following should be
|
||||
# self.assertEqual(domains[0]['id'], new_domain_id)
|
||||
# but the domain ID doesn't change because some parts are keeping
|
||||
# references to the old config value. See bug 1265108.
|
||||
|
||||
self.assertEqual(domains[0]['id'], orig_default_domain_id)
|
||||
|
||||
def test_authenticate_requires_simple_bind(self):
|
||||
user = {
|
||||
'id': 'no_meta',
|
||||
|
@ -1036,6 +1054,21 @@ class LdapIdentitySqlAssignment(sql.Base, tests.TestCase, BaseLDAPIdentity):
|
|||
domains = self.assignment_api.list_domains()
|
||||
self.assertEqual(domains, [assignment.DEFAULT_DOMAIN])
|
||||
|
||||
def test_list_domains_non_default_domain_id(self):
|
||||
# If change the default_domain_id, the ID of the default domain
|
||||
# returned by list_domains doesn't change because the SQL identity
|
||||
# backend reads it from the database, which doesn't get updated by
|
||||
# config change.
|
||||
|
||||
orig_default_domain_id = CONF.identity.default_domain_id
|
||||
|
||||
new_domain_id = uuid.uuid4().hex
|
||||
self.opt_in_group('identity', default_domain_id=new_domain_id)
|
||||
|
||||
domains = self.assignment_api.list_domains()
|
||||
|
||||
self.assertEqual(domains[0]['id'], orig_default_domain_id)
|
||||
|
||||
def test_project_filter(self):
|
||||
self.skipTest(
|
||||
'N/A: Not part of SQL backend')
|
||||
|
@ -1166,6 +1199,10 @@ class MultiLDAPandSQLIdentity(sql.Base, tests.TestCase, BaseLDAPIdentity):
|
|||
self.skipTest(
|
||||
'N/A: Not relevant for multi ldap testing')
|
||||
|
||||
def test_list_domains_non_default_domain_id(self):
|
||||
self.skipTest(
|
||||
'N/A: Not relevant for multi ldap testing')
|
||||
|
||||
def test_domain_segregation(self):
|
||||
"""Test that separate configs have segregated the domain.
|
||||
|
||||
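Review bot: `test_list_domains_non_default_domain_id` in `BaseLDAPIdentity` indexes `domains[0]` without first checking how many domains came back, so an empty list surfaces as an IndexError and an unexpected extra domain goes unnoticed. Adding `self.assertEqual(1, len(domains))` before the ID check would keep it as strict as the neighbouring test that compares against `[assignment.DEFAULT_DOMAIN]`; the same applies to the override in `LdapIdentitySqlAssignment`. The leading comment is also hard to parse, and `# If default_domain_id is changed, the ID of the default domain returned by list_domains should be the new default_domain_id.` would read more clearly. Because the final assertion deliberately pins the behaviour tracked in bug 1265108, the TODO should stay directly above it so a reader can tell the expected value is wrong on purpose.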
|
|
|
@ -146,6 +146,60 @@ class TestPKITokenAPIs(test_v3.RestfulTestCase):
|
|||
method='GET',
|
||||
expected_status=401)
|
||||
|
||||
def test_v3_v2_intermix_new_default_domain(self):
|
||||
# If the default_domain_id config option is changed, then should be
|
||||
# able to validate a v3 token with user in the new domain.
|
||||
|
||||
# 1) Create a new domain for the user.
|
||||
new_domain_id = uuid.uuid4().hex
|
||||
new_domain = {
|
||||
'description': uuid.uuid4().hex,
|
||||
'enabled': True,
|
||||
'id': new_domain_id,
|
||||
'name': uuid.uuid4().hex,
|
||||
}
|
||||
|
||||
self.assignment_api.create_domain(new_domain_id, new_domain)
|
||||
|
||||
# 2) Create user in new domain.
|
||||
new_user_id = uuid.uuid4().hex
|
||||
new_user_password = uuid.uuid4().hex
|
||||
new_user = {
|
||||
'id': new_user_id,
|
||||
'name': uuid.uuid4().hex,
|
||||
'domain_id': new_domain_id,
|
||||
'password': new_user_password,
|
||||
'email': uuid.uuid4().hex,
|
||||
}
|
||||
|
||||
self.identity_api.create_user(new_user_id, new_user)
|
||||
|
||||
# 3) Update the default_domain_id config option to the new domain
|
||||
|
||||
self.opt_in_group('identity', default_domain_id=new_domain_id)
|
||||
|
||||
# 4) Get a token using v3 api.
|
||||
|
||||
auth_data = self.build_authentication_request(
|
||||
user_id=new_user_id,
|
||||
password=new_user_password)
|
||||
resp = self.post('/auth/tokens', body=auth_data)
|
||||
token = resp.headers.get('X-Subject-Token')
|
||||
|
||||
# 5) Authenticate token using v2 api.
|
||||
|
||||
# TODO(blk-u): The following should work (remove expected_status=401).
|
||||
# We should not expect Unauthorized because the authorizer code should
|
||||
# be looking up the user in the new default domain, but it's using the
|
||||
# old domain because it's storing the domain_id statically.
|
||||
# See bug 1265108
|
||||
|
||||
path = '/v2.0/tokens/%s' % (token)
|
||||
resp = self.admin_request(path=path,
|
||||
token='ADMIN',
|
||||
method='GET',
|
||||
expected_status=401)
|
||||
|
||||
def test_v3_v2_intermix_domain_scoped_token_failed(self):
|
||||
# grant the domain role to user
|
||||
path = '/domains/%s/users/%s/roles/%s' % (
|
||||
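Review bot: In `test_v3_v2_intermix_new_default_domain` the value read from `X-Subject-Token` is never checked, so if step 4 returned no token the v2 request would presumably be rejected as well and the test would pass without ever reaching the stale-domain lookup it is meant to document. A `self.assertIsNotNone(token)` right after the header lookup would close that gap. Since the v2 validation is the point where users outside the default domain are refused, the TODO would be more useful if it spelled out the intended end state once bug 1265108 is fixed: a successful validation whose user belongs to the new default domain. The `resp` assigned from `admin_request` in step 5 is unused and can be dropped.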
|
|
|
@ -16,6 +16,7 @@
|
|||
|
||||
import uuid
|
||||
|
||||
from oslo.config import cfg
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import controller
|
||||
|
@ -24,6 +25,9 @@ from keystone import tests
|
|||
from keystone.tests import test_v3
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
||||
|
||||
def _build_role_assignment_url_and_entity(
|
||||
role_id, user_id=None, group_id=None, domain_id=None,
|
||||
project_id=None, inherited_to_projects=False,
|
||||
|
@ -318,6 +322,64 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
r = self.credential_api.get_credential(self.credential['id'])
|
||||
self.assertDictEqual(r, self.credential)
|
||||
|
||||
def test_delete_default_domain_fails(self):
|
||||
# Attempting to delete the default domain results in 403 Forbidden.
|
||||
|
||||
# Need to disable it first.
|
||||
self.patch('/domains/%(domain_id)s' % {
|
||||
'domain_id': CONF.identity.default_domain_id},
|
||||
body={'domain': {'enabled': False}})
|
||||
|
||||
self.delete('/domains/%(domain_id)s' % {
|
||||
'domain_id': CONF.identity.default_domain_id},
|
||||
expected_status=exception.ForbiddenAction.code)
|
||||
|
||||
def test_delete_new_default_domain_fails(self):
|
||||
# If change the default domain ID, deleting the new default domain
|
||||
# results in a 403 Forbidden.
|
||||
|
||||
# Create a new domain that's not the default
|
||||
new_domain = self.new_domain_ref()
|
||||
new_domain_id = new_domain['id']
|
||||
self.assignment_api.create_domain(new_domain_id, new_domain)
|
||||
|
||||
# Disable the new domain so can delete it later.
|
||||
self.patch('/domains/%(domain_id)s' % {
|
||||
'domain_id': new_domain_id},
|
||||
body={'domain': {'enabled': False}})
|
||||
|
||||
# Change the default domain
|
||||
self.opt_in_group('identity', default_domain_id=new_domain_id)
|
||||
|
||||
# Attempt to delete the new domain
|
||||
|
||||
self.delete('/domains/%(domain_id)s' % {'domain_id': new_domain_id},
|
||||
expected_status=exception.ForbiddenAction.code)
|
||||
|
||||
def test_delete_old_default_domain(self):
|
||||
# If change the default domain ID, deleting the old default domain
|
||||
# works.
|
||||
|
||||
# Create a new domain that's not the default
|
||||
new_domain = self.new_domain_ref()
|
||||
new_domain_id = new_domain['id']
|
||||
self.assignment_api.create_domain(new_domain_id, new_domain)
|
||||
|
||||
old_default_domain_id = CONF.identity.default_domain_id
|
||||
|
||||
# Disable the default domain so we can delete it later.
|
||||
self.patch('/domains/%(domain_id)s' % {
|
||||
'domain_id': old_default_domain_id},
|
||||
body={'domain': {'enabled': False}})
|
||||
|
||||
# Change the default domain
|
||||
self.opt_in_group('identity', default_domain_id=new_domain_id)
|
||||
|
||||
# Delete the old default domain
|
||||
|
||||
self.delete(
|
||||
'/domains/%(domain_id)s' % {'domain_id': old_default_domain_id})
|
||||
|
||||
# project crud tests
|
||||
|
||||
def test_list_projects(self):
|
||||
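Review bot: `test_delete_old_default_domain` ends at the DELETE call and asserts nothing about the outcome beyond whatever status `self.delete` expects by default, which is not visible in this hunk. Following it with `self.assertRaises(exception.DomainNotFound, self.assignment_api.get_domain, old_default_domain_id)` would show that the domain is really gone. In the same way, `test_delete_new_default_domain_fails` could confirm after the 403 that the protected domain can still be fetched, so the guard on the default domain is verified by its effect and not only by the status code.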
|
|