Enhance tests for non-default default_domain_id

There were no tests that show what happens when the
default_domain_id is changed from the default. The new tests show
that in some cases the behavior is incorrect, and in other cases
it is correct.

Change-Id: Ia167e153f488617f94afce7fddfc52e1e2c8e79c
Related-Bug: #1265108

keystone/tests/test_backend_ldap.py

@@ -286,6 +286,24 @@ class BaseLDAPIdentity(test_backend.IdentityTests):
             domains,
             [assignment.DEFAULT_DOMAIN])
 
+    def test_list_domains_non_default_domain_id(self):
+        # If change the default_domain_id, the ID of the default domain
+        # returned by list_domains changes is the new default_domain_id.
+
+        orig_default_domain_id = CONF.identity.default_domain_id
+
+        new_domain_id = uuid.uuid4().hex
+        self.opt_in_group('identity', default_domain_id=new_domain_id)
+
+        domains = self.assignment_api.list_domains()
+
+        # TODO(blk-u): The following should be
+        #   self.assertEqual(domains[0]['id'], new_domain_id)
+        # but the domain ID doesn't change because some parts are keeping
+        # references to the old config value. See bug 1265108.
+
+        self.assertEqual(domains[0]['id'], orig_default_domain_id)
+
     def test_authenticate_requires_simple_bind(self):
         user = {
             'id': 'no_meta',
@@ -1036,6 +1054,21 @@ class LdapIdentitySqlAssignment(sql.Base, tests.TestCase, BaseLDAPIdentity):
         domains = self.assignment_api.list_domains()
         self.assertEqual(domains, [assignment.DEFAULT_DOMAIN])
 
+    def test_list_domains_non_default_domain_id(self):
+        # If change the default_domain_id, the ID of the default domain
+        # returned by list_domains doesn't change because the SQL identity
+        # backend reads it from the database, which doesn't get updated by
+        # config change.
+
+        orig_default_domain_id = CONF.identity.default_domain_id
+
+        new_domain_id = uuid.uuid4().hex
+        self.opt_in_group('identity', default_domain_id=new_domain_id)
+
+        domains = self.assignment_api.list_domains()
+
+        self.assertEqual(domains[0]['id'], orig_default_domain_id)
+
     def test_project_filter(self):
         self.skipTest(
             'N/A: Not part of SQL backend')
@@ -1166,6 +1199,10 @@ class MultiLDAPandSQLIdentity(sql.Base, tests.TestCase, BaseLDAPIdentity):
         self.skipTest(
             'N/A: Not relevant for multi ldap testing')
 
+    def test_list_domains_non_default_domain_id(self):
+        self.skipTest(
+            'N/A: Not relevant for multi ldap testing')
+
     def test_domain_segregation(self):
         """Test that separate configs have segregated the domain.
 

keystone/tests/test_v3_auth.py

@@ -146,6 +146,60 @@ class TestPKITokenAPIs(test_v3.RestfulTestCase):
                                   method='GET',
                                   expected_status=401)
 
+    def test_v3_v2_intermix_new_default_domain(self):
+        # If the default_domain_id config option is changed, then should be
+        # able to validate a v3 token with user in the new domain.
+
+        # 1) Create a new domain for the user.
+        new_domain_id = uuid.uuid4().hex
+        new_domain = {
+            'description': uuid.uuid4().hex,
+            'enabled': True,
+            'id': new_domain_id,
+            'name': uuid.uuid4().hex,
+        }
+
+        self.assignment_api.create_domain(new_domain_id, new_domain)
+
+        # 2) Create user in new domain.
+        new_user_id = uuid.uuid4().hex
+        new_user_password = uuid.uuid4().hex
+        new_user = {
+            'id': new_user_id,
+            'name': uuid.uuid4().hex,
+            'domain_id': new_domain_id,
+            'password': new_user_password,
+            'email': uuid.uuid4().hex,
+        }
+
+        self.identity_api.create_user(new_user_id, new_user)
+
+        # 3) Update the default_domain_id config option to the new domain
+
+        self.opt_in_group('identity', default_domain_id=new_domain_id)
+
+        # 4) Get a token using v3 api.
+
+        auth_data = self.build_authentication_request(
+            user_id=new_user_id,
+            password=new_user_password)
+        resp = self.post('/auth/tokens', body=auth_data)
+        token = resp.headers.get('X-Subject-Token')
+
+        # 5) Authenticate token using v2 api.
+
+        # TODO(blk-u): The following should work (remove expected_status=401).
+        # We should not expect Unauthorized because the authorizer code should
+        # be looking up the user in the new default domain, but it's using the
+        # old domain because it's storing the domain_id statically.
+        # See bug 1265108
+
+        path = '/v2.0/tokens/%s' % (token)
+        resp = self.admin_request(path=path,
+                                  token='ADMIN',
+                                  method='GET',
+                                  expected_status=401)
+
     def test_v3_v2_intermix_domain_scoped_token_failed(self):
         # grant the domain role to user
         path = '/domains/%s/users/%s/roles/%s' % (

keystone/tests/test_v3_identity.py

@@ -16,6 +16,7 @@
 
 import uuid
 
+from oslo.config import cfg
 from testtools import matchers
 
 from keystone.common import controller
@@ -24,6 +25,9 @@ from keystone import tests
 from keystone.tests import test_v3
 
 
+CONF = cfg.CONF
+
+
 def _build_role_assignment_url_and_entity(
         role_id, user_id=None, group_id=None, domain_id=None,
         project_id=None, inherited_to_projects=False,
@@ -318,6 +322,64 @@ class IdentityTestCase(test_v3.RestfulTestCase):
         r = self.credential_api.get_credential(self.credential['id'])
         self.assertDictEqual(r, self.credential)
 
+    def test_delete_default_domain_fails(self):
+        # Attempting to delete the default domain results in 403 Forbidden.
+
+        # Need to disable it first.
+        self.patch('/domains/%(domain_id)s' % {
+            'domain_id': CONF.identity.default_domain_id},
+            body={'domain': {'enabled': False}})
+
+        self.delete('/domains/%(domain_id)s' % {
+            'domain_id': CONF.identity.default_domain_id},
+            expected_status=exception.ForbiddenAction.code)
+
+    def test_delete_new_default_domain_fails(self):
+        # If change the default domain ID, deleting the new default domain
+        # results in a 403 Forbidden.
+
+        # Create a new domain that's not the default
+        new_domain = self.new_domain_ref()
+        new_domain_id = new_domain['id']
+        self.assignment_api.create_domain(new_domain_id, new_domain)
+
+        # Disable the new domain so can delete it later.
+        self.patch('/domains/%(domain_id)s' % {
+            'domain_id': new_domain_id},
+            body={'domain': {'enabled': False}})
+
+        # Change the default domain
+        self.opt_in_group('identity', default_domain_id=new_domain_id)
+
+        # Attempt to delete the new domain
+
+        self.delete('/domains/%(domain_id)s' % {'domain_id': new_domain_id},
+                    expected_status=exception.ForbiddenAction.code)
+
+    def test_delete_old_default_domain(self):
+        # If change the default domain ID, deleting the old default domain
+        # works.
+
+        # Create a new domain that's not the default
+        new_domain = self.new_domain_ref()
+        new_domain_id = new_domain['id']
+        self.assignment_api.create_domain(new_domain_id, new_domain)
+
+        old_default_domain_id = CONF.identity.default_domain_id
+
+        # Disable the default domain so we can delete it later.
+        self.patch('/domains/%(domain_id)s' % {
+            'domain_id': old_default_domain_id},
+            body={'domain': {'enabled': False}})
+
+        # Change the default domain
+        self.opt_in_group('identity', default_domain_id=new_domain_id)
+
+        # Delete the old default domain
+
+        self.delete(
+            '/domains/%(domain_id)s' % {'domain_id': old_default_domain_id})
+
     # project crud tests
 
     def test_list_projects(self):