Merge "Add unit tests for token_to_auth_context"

2015-09-28 15:57:17 +00:00 · 2015-09-28 15:57:17 +00:00 · 78cbc072d8
commit 78cbc072d8
parent 3d989e8815 9693a7f044
1 changed files with 131 additions and 0 deletions
--- a/keystone/tests/unit/common/test_authorization.py
+++ b/keystone/tests/unit/common/test_authorization.py
@ -0,0 +1,131 @@
+# Copyright 2015 IBM Corp.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+
+import copy
+import uuid
+
+from keystone.common import authorization
+from keystone.contrib.federation import constants as federation_constants
+from keystone import exception
+from keystone.models import token_model
+from keystone.tests import unit
+from keystone.tests.unit import test_token_provider
+
+
+class TestTokenToAuthContext(unit.BaseTestCase):
+    def test_token_is_project_scoped_with_trust(self):
+        # Check auth_context result when the token is project-scoped and has
+        # trust info.
+
+        # SAMPLE_V3_TOKEN has OS-TRUST:trust in it.
+        token_data = test_token_provider.SAMPLE_V3_TOKEN
+        token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
+                                          token_data=token_data)
+
+        auth_context = authorization.token_to_auth_context(token)
+
+        self.assertEqual(token, auth_context['token'])
+        self.assertTrue(auth_context['is_delegated_auth'])
+        self.assertEqual(token_data['token']['user']['id'],
+                         auth_context['user_id'])
+        self.assertEqual(token_data['token']['project']['id'],
+                         auth_context['project_id'])
+        self.assertNotIn('domain_id', auth_context)
+        self.assertNotIn('domain_name', auth_context)
+        self.assertEqual(token_data['token']['OS-TRUST:trust']['id'],
+                         auth_context['trust_id'])
+        self.assertEqual(
+            token_data['token']['OS-TRUST:trust']['trustor_user_id'],
+            auth_context['trustor_id'])
+        self.assertEqual(
+            token_data['token']['OS-TRUST:trust']['trustee_user_id'],
+            auth_context['trustee_id'])
+        self.assertItemsEqual(
+            [r['name'] for r in token_data['token']['roles']],
+            auth_context['roles'])
+        self.assertIsNone(auth_context['consumer_id'])
+        self.assertIsNone(auth_context['access_token_id'])
+        self.assertNotIn('group_ids', auth_context)
+
+    def test_token_is_domain_scoped(self):
+        # Check contents of auth_context when token is domain-scoped.
+        token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
+        del token_data['token']['project']
+
+        domain_id = uuid.uuid4().hex
+        domain_name = uuid.uuid4().hex
+        token_data['token']['domain'] = {'id': domain_id, 'name': domain_name}
+
+        token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
+                                          token_data=token_data)
+
+        auth_context = authorization.token_to_auth_context(token)
+
+        self.assertNotIn('project_id', auth_context)
+
+        self.assertEqual(domain_id, auth_context['domain_id'])
+        self.assertEqual(domain_name, auth_context['domain_name'])
+
+    def test_token_is_unscoped(self):
+        # Check contents of auth_context when the token is unscoped.
+        token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
+        del token_data['token']['project']
+
+        token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
+                                          token_data=token_data)
+
+        auth_context = authorization.token_to_auth_context(token)
+
+        self.assertNotIn('project_id', auth_context)
+        self.assertNotIn('domain_id', auth_context)
+        self.assertNotIn('domain_name', auth_context)
+
+    def test_token_is_for_federated_user(self):
+        # When the token is for a federated user then group_ids is in
+        # auth_context.
+        token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
+
+        group_ids = [uuid.uuid4().hex for x in range(1, 5)]
+
+        federation_data = {'identity_provider': {'id': uuid.uuid4().hex},
+                           'protocol': {'id': 'saml2'},
+                           'groups': [{'id': gid} for gid in group_ids]}
+        token_data['token']['user'][federation_constants.FEDERATION] = (
+            federation_data)
+
+        token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
+                                          token_data=token_data)
+
+        auth_context = authorization.token_to_auth_context(token)
+
+        self.assertItemsEqual(group_ids, auth_context['group_ids'])
+
+    def test_token_is_not_KeystoneToken_raises_exception(self):
+        # If the token isn't a KeystoneToken then an UnexpectedError exception
+        # is raised.
+        self.assertRaises(exception.UnexpectedError,
+                          authorization.token_to_auth_context, {})
+
+    def test_user_id_missing_in_token_raises_exception(self):
+        # If there's no user ID in the token then an Unauthorized
+        # exception is raised.
+        token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
+        del token_data['token']['user']['id']
+
+        token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
+                                          token_data=token_data)
+
+        self.assertRaises(exception.Unauthorized,
+                          authorization.token_to_auth_context, token)