From bbe2d7ee486acd8c0e18a3beb0bdbfd8ac44e24d Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Fri, 2 Feb 2018 23:49:30 +0000 Subject: [PATCH] Refactor self.*_api out of tests Just like the APIs in keystone, we should be using the `keystone.common.provider_api.ProviderAPIs` to load managers instead of self. This makes those changes for a few of the test modules. Finding occurrences can be done with `grep -R 'self.*_api' keystone/tests/`. Change-Id: Ic2094dca56158d8e4cd843eadff837f3a17ea38f --- .../tests/unit/assignment/test_backends.py | 1850 +++++++++-------- .../tests/unit/credential/test_backend_sql.py | 11 +- ...st_associate_project_endpoint_extension.py | 68 +- keystone/tests/unit/test_backend_ldap_pool.py | 22 +- keystone/tests/unit/test_backend_sql.py | 356 ++-- keystone/tests/unit/test_cli.py | 37 +- keystone/tests/unit/test_ldap_livetest.py | 40 +- keystone/tests/unit/test_ldap_tls_livetest.py | 44 +- keystone/tests/unit/test_revoke.py | 117 +- keystone/tests/unit/test_shadow_users.py | 13 +- keystone/tests/unit/test_v3_catalog.py | 59 +- .../tests/unit/test_v3_endpoint_policy.py | 13 +- keystone/tests/unit/test_v3_filters.py | 116 +- keystone/tests/unit/test_v3_oauth1.py | 18 +- keystone/tests/unit/test_v3_os_revoke.py | 17 +- keystone/tests/unit/test_v3_policy.py | 5 +- keystone/tests/unit/test_v3_protection.py | 245 ++- keystone/tests/unit/token/test_backends.py | 189 +- .../tests/unit/token/test_fernet_provider.py | 60 +- 19 files changed, 1835 insertions(+), 1445 deletions(-) diff --git a/keystone/tests/unit/assignment/test_backends.py b/keystone/tests/unit/assignment/test_backends.py index 6fb045918f..97f098092f 100644 --- a/keystone/tests/unit/assignment/test_backends.py +++ b/keystone/tests/unit/assignment/test_backends.py @@ -16,6 +16,7 @@ import mock from six.moves import range from testtools import matchers +from keystone.common import provider_api import keystone.conf from keystone import exception from keystone.tests import unit @@ -23,6 +24,7 @@ from keystone.tests.unit import default_fixtures CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs class AssignmentTestHelperMixin(object): @@ -152,8 +154,9 @@ class AssignmentTestHelperMixin(object): def _create_project(domain_id, parent_id): new_project = unit.new_project_ref(domain_id=domain_id, parent_id=parent_id) - new_project = self.resource_api.create_project(new_project['id'], - new_project) + new_project = PROVIDERS.resource_api.create_project( + new_project['id'], new_project + ) return new_project if isinstance(project_spec, list): @@ -173,7 +176,7 @@ class AssignmentTestHelperMixin(object): def _create_role(self, domain_id=None): new_role = unit.new_role_ref(domain_id=domain_id) - return self.role_api.create_role(new_role['id'], new_role) + return PROVIDERS.role_api.create_role(new_role['id'], new_role) def _handle_domain_spec(self, test_data, domain_spec): """Handle the creation of domains and their contents. @@ -191,21 +194,22 @@ class AssignmentTestHelperMixin(object): def _create_domain(domain_id=None): if domain_id is None: new_domain = unit.new_domain_ref() - self.resource_api.create_domain(new_domain['id'], - new_domain) + PROVIDERS.resource_api.create_domain( + new_domain['id'], new_domain + ) return new_domain else: # The test plan specified an existing domain to use - return self.resource_api.get_domain(domain_id) + return PROVIDERS.resource_api.get_domain(domain_id) def _create_entity_in_domain(entity_type, domain_id): """Create a user or group entity in the domain.""" if entity_type == 'users': new_entity = unit.new_user_ref(domain_id=domain_id) - new_entity = self.identity_api.create_user(new_entity) + new_entity = PROVIDERS.identity_api.create_user(new_entity) elif entity_type == 'groups': new_entity = unit.new_group_ref(domain_id=domain_id) - new_entity = self.identity_api.create_group(new_entity) + new_entity = PROVIDERS.identity_api.create_group(new_entity) elif entity_type == 'roles': new_entity = self._create_role(domain_id=domain_id) else: @@ -298,11 +302,15 @@ class AssignmentTestHelperMixin(object): if isinstance(implied_spec['implied_roles'], list): for this_role in implied_spec['implied_roles']: implied_role = test_data['roles'][this_role]['id'] - self.role_api.create_implied_role(prior_role, implied_role) + PROVIDERS.role_api.create_implied_role( + prior_role, implied_role + ) else: implied_role = ( test_data['roles'][implied_spec['implied_roles']]['id']) - self.role_api.create_implied_role(prior_role, implied_role) + PROVIDERS.role_api.create_implied_role( + prior_role, implied_role + ) def create_group_memberships(self, group_pattern, test_data): """Create the group memberships specified in the test plan.""" @@ -316,7 +324,9 @@ class AssignmentTestHelperMixin(object): group_value = test_data['groups'][group_spec['group']]['id'] for user_index in group_spec['users']: user_value = test_data['users'][user_index]['id'] - self.identity_api.add_user_to_group(user_value, group_value) + PROVIDERS.identity_api.add_user_to_group( + user_value, group_value + ) return test_data def create_assignments(self, assignment_pattern, test_data): @@ -325,7 +335,7 @@ class AssignmentTestHelperMixin(object): # so during the tests we can check the number of new assignments # created. test_data['initial_assignment_count'] = ( - len(self.assignment_api.list_role_assignments())) + len(PROVIDERS.assignment_api.list_role_assignments())) # Now create the new assignments in the test plan for assignment in assignment_pattern: @@ -348,7 +358,7 @@ class AssignmentTestHelperMixin(object): key, value = self._convert_entity_shorthand( param, assignment, test_data) args[key] = value - self.assignment_api.create_grant(**args) + PROVIDERS.assignment_api.create_grant(**args) return test_data def execute_assignment_cases(self, test_plan, test_data): @@ -415,7 +425,7 @@ class AssignmentTestHelperMixin(object): key, value = self._convert_entity_shorthand( param, test['params'], test_data) args[key] = value - results = self.assignment_api.list_role_assignments(**args) + results = PROVIDERS.assignment_api.list_role_assignments(**args) check_results(test['results'], results, len(args)) def execute_assignment_plan(self, test_plan): @@ -444,28 +454,28 @@ class AssignmentTests(AssignmentTestHelperMixin): def _get_domain_fixture(self): domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) return domain def test_project_add_and_remove_user_role(self): - user_ids = self.assignment_api.list_user_ids_for_project( + user_ids = PROVIDERS.assignment_api.list_user_ids_for_project( self.tenant_bar['id']) self.assertNotIn(self.user_two['id'], user_ids) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.assignment_api.add_role_to_user_and_project( tenant_id=self.tenant_bar['id'], user_id=self.user_two['id'], role_id=self.role_other['id']) - user_ids = self.assignment_api.list_user_ids_for_project( + user_ids = PROVIDERS.assignment_api.list_user_ids_for_project( self.tenant_bar['id']) self.assertIn(self.user_two['id'], user_ids) - self.assignment_api.remove_role_from_user_and_project( + PROVIDERS.assignment_api.remove_role_from_user_and_project( tenant_id=self.tenant_bar['id'], user_id=self.user_two['id'], role_id=self.role_other['id']) - user_ids = self.assignment_api.list_user_ids_for_project( + user_ids = PROVIDERS.assignment_api.list_user_ids_for_project( self.tenant_bar['id']) self.assertNotIn(self.user_two['id'], user_ids) @@ -473,14 +483,14 @@ class AssignmentTests(AssignmentTestHelperMixin): # Expect failure if attempt to remove a role that was never assigned to # the user. self.assertRaises(exception.RoleNotFound, - self.assignment_api. + PROVIDERS.assignment_api. remove_role_from_user_and_project, tenant_id=self.tenant_bar['id'], user_id=self.user_two['id'], role_id=self.role_other['id']) def test_list_user_ids_for_project(self): - user_ids = self.assignment_api.list_user_ids_for_project( + user_ids = PROVIDERS.assignment_api.list_user_ids_for_project( self.tenant_baz['id']) self.assertEqual(2, len(user_ids)) self.assertIn(self.user_two['id'], user_ids) @@ -489,29 +499,29 @@ class AssignmentTests(AssignmentTestHelperMixin): def test_list_user_ids_for_project_no_duplicates(self): # Create user user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_ref = self.identity_api.create_user(user_ref) + user_ref = PROVIDERS.identity_api.create_user(user_ref) # Create project project_ref = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - self.resource_api.create_project( + PROVIDERS.resource_api.create_project( project_ref['id'], project_ref) # Create 2 roles and give user each role in project for i in range(2): role_ref = unit.new_role_ref() - self.role_api.create_role(role_ref['id'], role_ref) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.role_api.create_role(role_ref['id'], role_ref) + PROVIDERS.assignment_api.add_role_to_user_and_project( user_id=user_ref['id'], tenant_id=project_ref['id'], role_id=role_ref['id']) # Get the list of user_ids in project - user_ids = self.assignment_api.list_user_ids_for_project( + user_ids = PROVIDERS.assignment_api.list_user_ids_for_project( project_ref['id']) # Ensure the user is only returned once self.assertEqual(1, len(user_ids)) def test_get_project_user_ids_returns_not_found(self): self.assertRaises(exception.ProjectNotFound, - self.assignment_api.list_user_ids_for_project, + PROVIDERS.assignment_api.list_user_ids_for_project, uuid.uuid4().hex) def test_list_role_assignments_unfiltered(self): @@ -575,7 +585,7 @@ class AssignmentTests(AssignmentTestHelperMixin): self.execute_assignment_plan(test_plan) def test_list_role_assignments_bad_role(self): - assignment_list = self.assignment_api.list_role_assignments( + assignment_list = PROVIDERS.assignment_api.list_role_assignments( role_id=uuid.uuid4().hex) self.assertEqual([], assignment_list) @@ -587,9 +597,9 @@ class AssignmentTests(AssignmentTestHelperMixin): # this simulates the possibility of a user being deleted # directly in the backend and still having lingering role # assignments. - with mock.patch.object(self.identity_api, 'get_user', + with mock.patch.object(PROVIDERS.identity_api, 'get_user', _user_not_found): - assignment_list = self.assignment_api.list_role_assignments( + assignment_list = PROVIDERS.assignment_api.list_role_assignments( include_names=True ) @@ -608,33 +618,33 @@ class AssignmentTests(AssignmentTestHelperMixin): # Setup # 1) Remove any pre-existing assignments so we control what's there - for a in self.assignment_api.list_role_assignments(): - self.assignment_api.delete_grant(**a) + for a in PROVIDERS.assignment_api.list_role_assignments(): + PROVIDERS.assignment_api.delete_grant(**a) # 2) create a group and 2 users in that group domain_id = CONF.identity.default_domain_id - group = self.identity_api.create_group( + group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=domain_id)) - user1 = self.identity_api.create_user( + user1 = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=domain_id)) - user2 = self.identity_api.create_user( + user2 = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=domain_id)) - self.identity_api.add_user_to_group(user1['id'], group['id']) - self.identity_api.add_user_to_group(user2['id'], group['id']) + PROVIDERS.identity_api.add_user_to_group(user1['id'], group['id']) + PROVIDERS.identity_api.add_user_to_group(user2['id'], group['id']) # 3) create a role assignment for the group - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( group_id=group['id'], domain_id=domain_id, role_id=default_fixtures.MEMBER_ROLE_ID) - num_assignments = len(self.assignment_api.list_role_assignments()) + num_assignments = len(PROVIDERS.assignment_api.list_role_assignments()) self.assertEqual(1, num_assignments) # Patch get_group to return GroupNotFound, allowing us to confirm # that the exception is handled properly when include_names processing # attempts to lookup a group that has been deleted in the backend - with mock.patch.object(self.identity_api, 'get_group', + with mock.patch.object(PROVIDERS.identity_api, 'get_group', _group_not_found): - assignment_list = self.assignment_api.list_role_assignments( + assignment_list = PROVIDERS.assignment_api.list_role_assignments( include_names=True ) @@ -650,7 +660,7 @@ class AssignmentTests(AssignmentTestHelperMixin): self.assertEqual('', assignment['group_domain_name']) self.assertTrue(includes_group_assignments) - num_effective = len(self.assignment_api.list_role_assignments( + num_effective = len(PROVIDERS.assignment_api.list_role_assignments( effective=True)) self.assertGreater(num_effective, len(assignment_list)) @@ -658,16 +668,16 @@ class AssignmentTests(AssignmentTestHelperMixin): # confirm that the exception is handled properly when effective # processing attempts to lookup users for a group that has been deleted # in the backend - with mock.patch.object(self.identity_api, 'list_users_in_group', + with mock.patch.object(PROVIDERS.identity_api, 'list_users_in_group', _group_not_found): - assignment_list = self.assignment_api.list_role_assignments( + assignment_list = PROVIDERS.assignment_api.list_role_assignments( effective=True ) self.assertGreater(num_effective, len(assignment_list)) # cleanup - self.assignment_api.delete_grant( + PROVIDERS.assignment_api.delete_grant( group_id=group['id'], domain_id=domain_id, role_id=default_fixtures.MEMBER_ROLE_ID) @@ -675,16 +685,18 @@ class AssignmentTests(AssignmentTestHelperMixin): # LDAP read-only issues def test_add_duplicate_role_grant(self): - roles_ref = self.assignment_api.get_roles_for_user_and_project( + roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertNotIn(self.role_admin['id'], roles_ref) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id']) - self.assertRaises(exception.Conflict, - self.assignment_api.add_role_to_user_and_project, - self.user_foo['id'], - self.tenant_bar['id'], - self.role_admin['id']) + self.assertRaises( + exception.Conflict, + PROVIDERS.assignment_api.add_role_to_user_and_project, + self.user_foo['id'], + self.tenant_bar['id'], + self.role_admin['id'] + ) def test_get_role_by_user_and_project_with_user_in_group(self): """Test for get role by user and project, user was added into a group. @@ -697,28 +709,28 @@ class AssignmentTests(AssignmentTestHelperMixin): """ user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_ref = self.identity_api.create_user(user_ref) + user_ref = PROVIDERS.identity_api.create_user(user_ref) project_ref = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - self.resource_api.create_project(project_ref['id'], project_ref) + PROVIDERS.resource_api.create_project(project_ref['id'], project_ref) group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group)['id'] - self.identity_api.add_user_to_group(user_ref['id'], group_id) + group_id = PROVIDERS.identity_api.create_group(group)['id'] + PROVIDERS.identity_api.add_user_to_group(user_ref['id'], group_id) role_ref_list = [] for i in range(2): role_ref = unit.new_role_ref() - self.role_api.create_role(role_ref['id'], role_ref) + PROVIDERS.role_api.create_role(role_ref['id'], role_ref) role_ref_list.append(role_ref) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.assignment_api.add_role_to_user_and_project( user_id=user_ref['id'], tenant_id=project_ref['id'], role_id=role_ref['id']) - role_list = self.assignment_api.get_roles_for_user_and_project( + role_list = PROVIDERS.assignment_api.get_roles_for_user_and_project( user_ref['id'], project_ref['id']) @@ -726,21 +738,21 @@ class AssignmentTests(AssignmentTestHelperMixin): set(role_list)) def test_get_role_by_user_and_project(self): - roles_ref = self.assignment_api.get_roles_for_user_and_project( + roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertNotIn(self.role_admin['id'], roles_ref) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id']) - roles_ref = self.assignment_api.get_roles_for_user_and_project( + roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertIn(self.role_admin['id'], roles_ref) self.assertNotIn(default_fixtures.MEMBER_ROLE_ID, roles_ref) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.get_roles_for_user_and_project( + roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertIn(self.role_admin['id'], roles_ref) self.assertIn(default_fixtures.MEMBER_ROLE_ID, roles_ref) @@ -760,45 +772,45 @@ class AssignmentTests(AssignmentTestHelperMixin): """ new_domain = unit.new_domain_ref() - self.resource_api.create_domain(new_domain['id'], new_domain) + PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain) new_user1 = unit.new_user_ref(domain_id=new_domain['id']) - new_user1 = self.identity_api.create_user(new_user1) + new_user1 = PROVIDERS.identity_api.create_user(new_user1) new_user2 = unit.new_user_ref(domain_id=new_domain['id']) - new_user2 = self.identity_api.create_user(new_user2) - roles_ref = self.assignment_api.list_grants( + new_user2 = PROVIDERS.identity_api.create_user(new_user2) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=new_user1['id'], domain_id=new_domain['id']) self.assertEqual(0, len(roles_ref)) # Now create the grants (roles are defined in default_fixtures) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( user_id=new_user1['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( user_id=new_user1['id'], domain_id=new_domain['id'], role_id=default_fixtures.OTHER_ROLE_ID) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( user_id=new_user2['id'], domain_id=new_domain['id'], role_id=default_fixtures.ADMIN_ROLE_ID) # Read back the roles for user1 on domain - roles_ids = self.assignment_api.get_roles_for_user_and_domain( + roles_ids = PROVIDERS.assignment_api.get_roles_for_user_and_domain( new_user1['id'], new_domain['id']) self.assertEqual(2, len(roles_ids)) self.assertIn(self.role_member['id'], roles_ids) self.assertIn(self.role_other['id'], roles_ids) # Now delete both grants for user1 - self.assignment_api.delete_grant( + PROVIDERS.assignment_api.delete_grant( user_id=new_user1['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - self.assignment_api.delete_grant( + PROVIDERS.assignment_api.delete_grant( user_id=new_user1['id'], domain_id=new_domain['id'], role_id=default_fixtures.OTHER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=new_user1['id'], domain_id=new_domain['id']) self.assertEqual(0, len(roles_ref)) @@ -814,87 +826,100 @@ class AssignmentTests(AssignmentTestHelperMixin): """ new_domain = self._get_domain_fixture() new_user1 = unit.new_user_ref(domain_id=new_domain['id']) - new_user1 = self.identity_api.create_user(new_user1) + new_user1 = PROVIDERS.identity_api.create_user(new_user1) - self.assertRaises(exception.UserNotFound, - self.assignment_api.get_roles_for_user_and_domain, - uuid.uuid4().hex, - new_domain['id']) + self.assertRaises( + exception.UserNotFound, + PROVIDERS.assignment_api.get_roles_for_user_and_domain, + uuid.uuid4().hex, + new_domain['id'] + ) - self.assertRaises(exception.DomainNotFound, - self.assignment_api.get_roles_for_user_and_domain, - new_user1['id'], - uuid.uuid4().hex) + self.assertRaises( + exception.DomainNotFound, + PROVIDERS.assignment_api.get_roles_for_user_and_domain, + new_user1['id'], + uuid.uuid4().hex + ) def test_get_roles_for_user_and_project_returns_not_found(self): - self.assertRaises(exception.UserNotFound, - self.assignment_api.get_roles_for_user_and_project, - uuid.uuid4().hex, - self.tenant_bar['id']) + self.assertRaises( + exception.UserNotFound, + PROVIDERS.assignment_api.get_roles_for_user_and_project, + uuid.uuid4().hex, + self.tenant_bar['id'] + ) - self.assertRaises(exception.ProjectNotFound, - self.assignment_api.get_roles_for_user_and_project, - self.user_foo['id'], - uuid.uuid4().hex) + self.assertRaises( + exception.ProjectNotFound, + PROVIDERS.assignment_api.get_roles_for_user_and_project, + self.user_foo['id'], + uuid.uuid4().hex + ) def test_add_role_to_user_and_project_returns_not_found(self): - self.assertRaises(exception.ProjectNotFound, - self.assignment_api.add_role_to_user_and_project, - self.user_foo['id'], - uuid.uuid4().hex, - self.role_admin['id']) + self.assertRaises( + exception.ProjectNotFound, + PROVIDERS.assignment_api.add_role_to_user_and_project, + self.user_foo['id'], + uuid.uuid4().hex, + self.role_admin['id'] + ) - self.assertRaises(exception.RoleNotFound, - self.assignment_api.add_role_to_user_and_project, - self.user_foo['id'], - self.tenant_bar['id'], - uuid.uuid4().hex) + self.assertRaises( + exception.RoleNotFound, + PROVIDERS.assignment_api.add_role_to_user_and_project, + self.user_foo['id'], + self.tenant_bar['id'], + uuid.uuid4().hex + ) def test_add_role_to_user_and_project_no_user(self): # If add_role_to_user_and_project and the user doesn't exist, then # no error. user_id_not_exist = uuid.uuid4().hex - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.assignment_api.add_role_to_user_and_project( user_id_not_exist, self.tenant_bar['id'], self.role_admin['id']) def test_remove_role_from_user_and_project(self): - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], default_fixtures.MEMBER_ROLE_ID) - self.assignment_api.remove_role_from_user_and_project( + PROVIDERS.assignment_api.remove_role_from_user_and_project( self.user_foo['id'], self.tenant_bar['id'], default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.get_roles_for_user_and_project( + roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertNotIn(default_fixtures.MEMBER_ROLE_ID, roles_ref) self.assertRaises(exception.NotFound, - self.assignment_api. + PROVIDERS.assignment_api. remove_role_from_user_and_project, self.user_foo['id'], self.tenant_bar['id'], default_fixtures.MEMBER_ROLE_ID) def test_get_role_grant_by_user_and_project(self): - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_bar['id']) self.assertEqual(1, len(roles_ref)) - self.assignment_api.create_grant(user_id=self.user_foo['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_admin['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.create_grant( + user_id=self.user_foo['id'], project_id=self.tenant_bar['id'], + role_id=self.role_admin['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_bar['id']) self.assertIn(self.role_admin['id'], [role_ref['id'] for role_ref in roles_ref]) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( user_id=self.user_foo['id'], project_id=self.tenant_bar['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_bar['id']) @@ -905,364 +930,384 @@ class AssignmentTests(AssignmentTestHelperMixin): self.assertIn(default_fixtures.MEMBER_ROLE_ID, roles_ref_ids) def test_remove_role_grant_from_user_and_project(self): - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( user_id=self.user_foo['id'], project_id=self.tenant_baz['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_baz['id']) self.assertDictEqual(self.role_member, roles_ref[0]) - self.assignment_api.delete_grant( + PROVIDERS.assignment_api.delete_grant( user_id=self.user_foo['id'], project_id=self.tenant_baz['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_baz['id']) self.assertEqual(0, len(roles_ref)) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, user_id=self.user_foo['id'], project_id=self.tenant_baz['id'], role_id=default_fixtures.MEMBER_ROLE_ID) def test_get_role_assignment_by_project_not_found(self): self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.check_grant_role_id, + PROVIDERS.assignment_api.check_grant_role_id, user_id=self.user_foo['id'], project_id=self.tenant_baz['id'], role_id=default_fixtures.MEMBER_ROLE_ID) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.check_grant_role_id, + PROVIDERS.assignment_api.check_grant_role_id, group_id=uuid.uuid4().hex, project_id=self.tenant_baz['id'], role_id=default_fixtures.MEMBER_ROLE_ID) def test_get_role_assignment_by_domain_not_found(self): self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.check_grant_role_id, + PROVIDERS.assignment_api.check_grant_role_id, user_id=self.user_foo['id'], domain_id=CONF.identity.default_domain_id, role_id=default_fixtures.MEMBER_ROLE_ID) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.check_grant_role_id, + PROVIDERS.assignment_api.check_grant_role_id, group_id=uuid.uuid4().hex, domain_id=CONF.identity.default_domain_id, role_id=default_fixtures.MEMBER_ROLE_ID) def test_del_role_assignment_by_project_not_found(self): self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, user_id=self.user_foo['id'], project_id=self.tenant_baz['id'], role_id=default_fixtures.MEMBER_ROLE_ID) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, group_id=uuid.uuid4().hex, project_id=self.tenant_baz['id'], role_id=default_fixtures.MEMBER_ROLE_ID) def test_del_role_assignment_by_domain_not_found(self): self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, user_id=self.user_foo['id'], domain_id=CONF.identity.default_domain_id, role_id=default_fixtures.MEMBER_ROLE_ID) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, group_id=uuid.uuid4().hex, domain_id=CONF.identity.default_domain_id, role_id=default_fixtures.MEMBER_ROLE_ID) def test_get_and_remove_role_grant_by_group_and_project(self): new_domain = unit.new_domain_ref() - self.resource_api.create_domain(new_domain['id'], new_domain) + PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain) new_group = unit.new_group_ref(domain_id=new_domain['id']) - new_group = self.identity_api.create_group(new_group) + new_group = PROVIDERS.identity_api.create_group(new_group) new_user = unit.new_user_ref(domain_id=new_domain['id']) - new_user = self.identity_api.create_user(new_user) - self.identity_api.add_user_to_group(new_user['id'], - new_group['id']) - roles_ref = self.assignment_api.list_grants( + new_user = PROVIDERS.identity_api.create_user(new_user) + PROVIDERS.identity_api.add_user_to_group( + new_user['id'], new_group['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], project_id=self.tenant_bar['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( group_id=new_group['id'], project_id=self.tenant_bar['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], project_id=self.tenant_bar['id']) self.assertDictEqual(self.role_member, roles_ref[0]) - self.assignment_api.delete_grant( + PROVIDERS.assignment_api.delete_grant( group_id=new_group['id'], project_id=self.tenant_bar['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], project_id=self.tenant_bar['id']) self.assertEqual(0, len(roles_ref)) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, group_id=new_group['id'], project_id=self.tenant_bar['id'], role_id=default_fixtures.MEMBER_ROLE_ID) def test_get_and_remove_role_grant_by_group_and_domain(self): new_domain = unit.new_domain_ref() - self.resource_api.create_domain(new_domain['id'], new_domain) + PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain) new_group = unit.new_group_ref(domain_id=new_domain['id']) - new_group = self.identity_api.create_group(new_group) + new_group = PROVIDERS.identity_api.create_group(new_group) new_user = unit.new_user_ref(domain_id=new_domain['id']) - new_user = self.identity_api.create_user(new_user) - self.identity_api.add_user_to_group(new_user['id'], - new_group['id']) + new_user = PROVIDERS.identity_api.create_user(new_user) + PROVIDERS.identity_api.add_user_to_group( + new_user['id'], new_group['id'] + ) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( group_id=new_group['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertDictEqual(self.role_member, roles_ref[0]) - self.assignment_api.delete_grant( + PROVIDERS.assignment_api.delete_grant( group_id=new_group['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertEqual(0, len(roles_ref)) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, group_id=new_group['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) def test_get_and_remove_correct_role_grant_from_a_mix(self): new_domain = unit.new_domain_ref() - self.resource_api.create_domain(new_domain['id'], new_domain) + PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain) new_project = unit.new_project_ref(domain_id=new_domain['id']) - self.resource_api.create_project(new_project['id'], new_project) + PROVIDERS.resource_api.create_project(new_project['id'], new_project) new_group = unit.new_group_ref(domain_id=new_domain['id']) - new_group = self.identity_api.create_group(new_group) + new_group = PROVIDERS.identity_api.create_group(new_group) new_group2 = unit.new_group_ref(domain_id=new_domain['id']) - new_group2 = self.identity_api.create_group(new_group2) + new_group2 = PROVIDERS.identity_api.create_group(new_group2) new_user = unit.new_user_ref(domain_id=new_domain['id']) - new_user = self.identity_api.create_user(new_user) + new_user = PROVIDERS.identity_api.create_user(new_user) new_user2 = unit.new_user_ref(domain_id=new_domain['id']) - new_user2 = self.identity_api.create_user(new_user2) - self.identity_api.add_user_to_group(new_user['id'], - new_group['id']) + new_user2 = PROVIDERS.identity_api.create_user(new_user2) + PROVIDERS.identity_api.add_user_to_group( + new_user['id'], new_group['id'] + ) # First check we have no grants - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertEqual(0, len(roles_ref)) # Now add the grant we are going to test for, and some others as # well just to make sure we get back the right one - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( group_id=new_group['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - self.assignment_api.create_grant(group_id=new_group2['id'], - domain_id=new_domain['id'], - role_id=self.role_admin['id']) - self.assignment_api.create_grant(user_id=new_user2['id'], - domain_id=new_domain['id'], - role_id=self.role_admin['id']) - self.assignment_api.create_grant(group_id=new_group['id'], - project_id=new_project['id'], - role_id=self.role_admin['id']) + PROVIDERS.assignment_api.create_grant( + group_id=new_group2['id'], domain_id=new_domain['id'], + role_id=self.role_admin['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=new_user2['id'], domain_id=new_domain['id'], + role_id=self.role_admin['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=new_group['id'], project_id=new_project['id'], + role_id=self.role_admin['id'] + ) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertDictEqual(self.role_member, roles_ref[0]) - self.assignment_api.delete_grant( + PROVIDERS.assignment_api.delete_grant( group_id=new_group['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertEqual(0, len(roles_ref)) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, group_id=new_group['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) def test_get_and_remove_role_grant_by_user_and_domain(self): new_domain = unit.new_domain_ref() - self.resource_api.create_domain(new_domain['id'], new_domain) + PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain) new_user = unit.new_user_ref(domain_id=new_domain['id']) - new_user = self.identity_api.create_user(new_user) - roles_ref = self.assignment_api.list_grants( + new_user = PROVIDERS.identity_api.create_user(new_user) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=new_user['id'], domain_id=new_domain['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( user_id=new_user['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=new_user['id'], domain_id=new_domain['id']) self.assertDictEqual(self.role_member, roles_ref[0]) - self.assignment_api.delete_grant( + PROVIDERS.assignment_api.delete_grant( user_id=new_user['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=new_user['id'], domain_id=new_domain['id']) self.assertEqual(0, len(roles_ref)) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, user_id=new_user['id'], domain_id=new_domain['id'], role_id=default_fixtures.MEMBER_ROLE_ID) def test_get_and_remove_role_grant_by_group_and_cross_domain(self): group1_domain1_role = unit.new_role_ref() - self.role_api.create_role(group1_domain1_role['id'], - group1_domain1_role) + PROVIDERS.role_api.create_role( + group1_domain1_role['id'], group1_domain1_role + ) group1_domain2_role = unit.new_role_ref() - self.role_api.create_role(group1_domain2_role['id'], - group1_domain2_role) + PROVIDERS.role_api.create_role( + group1_domain2_role['id'], group1_domain2_role + ) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) domain2 = unit.new_domain_ref() - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) group1 = unit.new_group_ref(domain_id=domain1['id']) - group1 = self.identity_api.create_group(group1) - roles_ref = self.assignment_api.list_grants( + group1 = PROVIDERS.identity_api.create_group(group1) + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertEqual(0, len(roles_ref)) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], domain_id=domain2['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=group1_domain1_role['id']) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=domain2['id'], - role_id=group1_domain2_role['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=domain1['id'], + role_id=group1_domain1_role['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=domain2['id'], + role_id=group1_domain2_role['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertDictEqual(group1_domain1_role, roles_ref[0]) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], domain_id=domain2['id']) self.assertDictEqual(group1_domain2_role, roles_ref[0]) - self.assignment_api.delete_grant(group_id=group1['id'], - domain_id=domain2['id'], - role_id=group1_domain2_role['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.delete_grant( + group_id=group1['id'], domain_id=domain2['id'], + role_id=group1_domain2_role['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], domain_id=domain2['id']) self.assertEqual(0, len(roles_ref)) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, group_id=group1['id'], domain_id=domain2['id'], role_id=group1_domain2_role['id']) def test_get_and_remove_role_grant_by_user_and_cross_domain(self): user1_domain1_role = unit.new_role_ref() - self.role_api.create_role(user1_domain1_role['id'], user1_domain1_role) + PROVIDERS.role_api.create_role( + user1_domain1_role['id'], user1_domain1_role + ) user1_domain2_role = unit.new_role_ref() - self.role_api.create_role(user1_domain2_role['id'], user1_domain2_role) + PROVIDERS.role_api.create_role( + user1_domain2_role['id'], user1_domain2_role + ) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) domain2 = unit.new_domain_ref() - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) user1 = unit.new_user_ref(domain_id=domain1['id']) - user1 = self.identity_api.create_user(user1) - roles_ref = self.assignment_api.list_grants( + user1 = PROVIDERS.identity_api.create_user(user1) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertEqual(0, len(roles_ref)) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], domain_id=domain2['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=user1_domain1_role['id']) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain2['id'], - role_id=user1_domain2_role['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain1['id'], + role_id=user1_domain1_role['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain2['id'], + role_id=user1_domain2_role['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertDictEqual(user1_domain1_role, roles_ref[0]) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], domain_id=domain2['id']) self.assertDictEqual(user1_domain2_role, roles_ref[0]) - self.assignment_api.delete_grant(user_id=user1['id'], - domain_id=domain2['id'], - role_id=user1_domain2_role['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.delete_grant( + user_id=user1['id'], domain_id=domain2['id'], + role_id=user1_domain2_role['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], domain_id=domain2['id']) self.assertEqual(0, len(roles_ref)) self.assertRaises(exception.RoleAssignmentNotFound, - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, user_id=user1['id'], domain_id=domain2['id'], role_id=user1_domain2_role['id']) def test_role_grant_by_group_and_cross_domain_project(self): role1 = unit.new_role_ref() - self.role_api.create_role(role1['id'], role1) + PROVIDERS.role_api.create_role(role1['id'], role1) role2 = unit.new_role_ref() - self.role_api.create_role(role2['id'], role2) + PROVIDERS.role_api.create_role(role2['id'], role2) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) domain2 = unit.new_domain_ref() - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) group1 = unit.new_group_ref(domain_id=domain1['id']) - group1 = self.identity_api.create_group(group1) + group1 = PROVIDERS.identity_api.create_group(group1) project1 = unit.new_project_ref(domain_id=domain2['id']) - self.resource_api.create_project(project1['id'], project1) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.resource_api.create_project(project1['id'], project1) + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.assignment_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role2['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], project_id=project1['id'], + role_id=role1['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], project_id=project1['id'], + role_id=role2['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) @@ -1272,10 +1317,11 @@ class AssignmentTests(AssignmentTestHelperMixin): self.assertIn(role1['id'], roles_ref_ids) self.assertIn(role2['id'], roles_ref_ids) - self.assignment_api.delete_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role1['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.delete_grant( + group_id=group1['id'], project_id=project1['id'], + role_id=role1['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(1, len(roles_ref)) @@ -1283,28 +1329,28 @@ class AssignmentTests(AssignmentTestHelperMixin): def test_role_grant_by_user_and_cross_domain_project(self): role1 = unit.new_role_ref() - self.role_api.create_role(role1['id'], role1) + PROVIDERS.role_api.create_role(role1['id'], role1) role2 = unit.new_role_ref() - self.role_api.create_role(role2['id'], role2) + PROVIDERS.role_api.create_role(role2['id'], role2) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) domain2 = unit.new_domain_ref() - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) user1 = unit.new_user_ref(domain_id=domain1['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) project1 = unit.new_project_ref(domain_id=domain2['id']) - self.resource_api.create_project(project1['id'], project1) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.resource_api.create_project(project1['id'], project1) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role2['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project1['id'], role_id=role1['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project1['id'], role_id=role2['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) @@ -1314,10 +1360,10 @@ class AssignmentTests(AssignmentTestHelperMixin): self.assertIn(role1['id'], roles_ref_ids) self.assertIn(role2['id'], roles_ref_ids) - self.assignment_api.delete_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role1['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.assignment_api.delete_grant( + user_id=user1['id'], project_id=project1['id'], role_id=role1['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(1, len(roles_ref)) @@ -1327,29 +1373,33 @@ class AssignmentTests(AssignmentTestHelperMixin): # Can delete a grant where the user doesn't exist. role = unit.new_role_ref() role_id = role['id'] - self.role_api.create_role(role_id, role) + PROVIDERS.role_api.create_role(role_id, role) user_id = uuid.uuid4().hex - self.assignment_api.create_grant(role_id, user_id=user_id, - project_id=self.tenant_bar['id']) + PROVIDERS.assignment_api.create_grant( + role_id, user_id=user_id, project_id=self.tenant_bar['id'] + ) - self.assignment_api.delete_grant(role_id, user_id=user_id, - project_id=self.tenant_bar['id']) + PROVIDERS.assignment_api.delete_grant( + role_id, user_id=user_id, project_id=self.tenant_bar['id'] + ) def test_delete_group_grant_no_group(self): # Can delete a grant where the group doesn't exist. role = unit.new_role_ref() role_id = role['id'] - self.role_api.create_role(role_id, role) + PROVIDERS.role_api.create_role(role_id, role) group_id = uuid.uuid4().hex - self.assignment_api.create_grant(role_id, group_id=group_id, - project_id=self.tenant_bar['id']) + PROVIDERS.assignment_api.create_grant( + role_id, group_id=group_id, project_id=self.tenant_bar['id'] + ) - self.assignment_api.delete_grant(role_id, group_id=group_id, - project_id=self.tenant_bar['id']) + PROVIDERS.assignment_api.delete_grant( + role_id, group_id=group_id, project_id=self.tenant_bar['id'] + ) def test_grant_crud_throws_exception_if_invalid_role(self): """Ensure RoleNotFound thrown if role does not exist.""" @@ -1358,15 +1408,17 @@ class AssignmentTests(AssignmentTestHelperMixin): role_id=uuid.uuid4().hex, **kwargs) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_resp = self.identity_api.create_user(user) + user_resp = PROVIDERS.identity_api.create_user(user) group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) - group_resp = self.identity_api.create_group(group) + group_resp = PROVIDERS.identity_api.create_group(group) project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - project_resp = self.resource_api.create_project(project['id'], project) + project_resp = PROVIDERS.resource_api.create_project( + project['id'], project + ) - for manager_call in [self.assignment_api.create_grant, - self.assignment_api.get_grant]: + for manager_call in [PROVIDERS.assignment_api.create_grant, + PROVIDERS.assignment_api.get_grant]: assert_role_not_found_exception( manager_call, user_id=user_resp['id'], project_id=project_resp['id']) @@ -1383,17 +1435,17 @@ class AssignmentTests(AssignmentTestHelperMixin): domain_id=CONF.identity.default_domain_id) assert_role_not_found_exception( - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, user_id=user_resp['id'], project_id=project_resp['id']) assert_role_not_found_exception( - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, group_id=group_resp['id'], project_id=project_resp['id']) assert_role_not_found_exception( - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, user_id=user_resp['id'], domain_id=CONF.identity.default_domain_id) assert_role_not_found_exception( - self.assignment_api.delete_grant, + PROVIDERS.assignment_api.delete_grant, group_id=group_resp['id'], domain_id=CONF.identity.default_domain_id) @@ -1401,69 +1453,83 @@ class AssignmentTests(AssignmentTestHelperMixin): role_list = [] for _ in range(10): role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) role_list.append(role) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) user1 = unit.new_user_ref(domain_id=domain1['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) group1 = unit.new_group_ref(domain_id=domain1['id']) - group1 = self.identity_api.create_group(group1) + group1 = PROVIDERS.identity_api.create_group(group1) group2 = unit.new_group_ref(domain_id=domain1['id']) - group2 = self.identity_api.create_group(group2) + group2 = PROVIDERS.identity_api.create_group(group2) project1 = unit.new_project_ref(domain_id=domain1['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) - self.identity_api.add_user_to_group(user1['id'], - group1['id']) - self.identity_api.add_user_to_group(user1['id'], - group2['id']) + PROVIDERS.identity_api.add_user_to_group( + user1['id'], group1['id'] + ) + PROVIDERS.identity_api.add_user_to_group( + user1['id'], group2['id'] + ) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[0]['id']) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id']) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role_list[3]['id']) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[4]['id']) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[5]['id']) - self.assignment_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role_list[6]['id']) - self.assignment_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role_list[7]['id']) - roles_ref = self.assignment_api.list_grants(user_id=user1['id'], - domain_id=domain1['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain1['id'], + role_id=role_list[0]['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain1['id'], + role_id=role_list[1]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=domain1['id'], + role_id=role_list[2]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=domain1['id'], + role_id=role_list[3]['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project1['id'], + role_id=role_list[4]['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project1['id'], + role_id=role_list[5]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], project_id=project1['id'], + role_id=role_list[6]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], project_id=project1['id'], + role_id=role_list[7]['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( + user_id=user1['id'], domain_id=domain1['id'] + ) self.assertEqual(2, len(roles_ref)) self.assertIn(role_list[0], roles_ref) self.assertIn(role_list[1], roles_ref) - roles_ref = self.assignment_api.list_grants(group_id=group1['id'], - domain_id=domain1['id']) + roles_ref = PROVIDERS.assignment_api.list_grants( + group_id=group1['id'], domain_id=domain1['id'] + ) self.assertEqual(2, len(roles_ref)) self.assertIn(role_list[2], roles_ref) self.assertIn(role_list[3], roles_ref) - roles_ref = self.assignment_api.list_grants(user_id=user1['id'], - project_id=project1['id']) + roles_ref = PROVIDERS.assignment_api.list_grants( + user_id=user1['id'], project_id=project1['id'] + ) self.assertEqual(2, len(roles_ref)) self.assertIn(role_list[4], roles_ref) self.assertIn(role_list[5], roles_ref) - roles_ref = self.assignment_api.list_grants(group_id=group1['id'], - project_id=project1['id']) + roles_ref = PROVIDERS.assignment_api.list_grants( + group_id=group1['id'], project_id=project1['id'] + ) self.assertEqual(2, len(roles_ref)) self.assertIn(role_list[6], roles_ref) self.assertIn(role_list[7], roles_ref) @@ -1471,16 +1537,22 @@ class AssignmentTests(AssignmentTestHelperMixin): # Now test the alternate way of getting back lists of grants, # where user and group roles are combined. These should match # the above results. - combined_list = self.assignment_api.get_roles_for_user_and_project( - user1['id'], project1['id']) + combined_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_project( + user1['id'], project1['id'] + ) + ) self.assertEqual(4, len(combined_list)) self.assertIn(role_list[4]['id'], combined_list) self.assertIn(role_list[5]['id'], combined_list) self.assertIn(role_list[6]['id'], combined_list) self.assertIn(role_list[7]['id'], combined_list) - combined_role_list = self.assignment_api.get_roles_for_user_and_domain( - user1['id'], domain1['id']) + combined_role_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_domain( + user1['id'], domain1['id'] + ) + ) self.assertEqual(4, len(combined_role_list)) self.assertIn(role_list[0]['id'], combined_role_list) self.assertIn(role_list[1]['id'], combined_role_list) @@ -1506,58 +1578,72 @@ class AssignmentTests(AssignmentTestHelperMixin): role_list = [] for _ in range(6): role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) role_list.append(role) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) user1 = unit.new_user_ref(domain_id=domain1['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) group1 = unit.new_group_ref(domain_id=domain1['id']) - group1 = self.identity_api.create_group(group1) + group1 = PROVIDERS.identity_api.create_group(group1) group2 = unit.new_group_ref(domain_id=domain1['id']) - group2 = self.identity_api.create_group(group2) + group2 = PROVIDERS.identity_api.create_group(group2) project1 = unit.new_project_ref(domain_id=domain1['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) - self.identity_api.add_user_to_group(user1['id'], - group1['id']) - self.identity_api.add_user_to_group(user1['id'], - group2['id']) + PROVIDERS.identity_api.add_user_to_group( + user1['id'], group1['id'] + ) + PROVIDERS.identity_api.add_user_to_group( + user1['id'], group2['id'] + ) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(0, len(roles_ref)) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[0]['id']) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) - self.assignment_api.create_grant(group_id=group2['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id']) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[3]['id']) - self.assignment_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role_list[4]['id']) - self.assignment_api.create_grant(group_id=group2['id'], - project_id=project1['id'], - role_id=role_list[5]['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain1['id'], + role_id=role_list[0]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=domain1['id'], + role_id=role_list[1]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group2['id'], domain_id=domain1['id'], + role_id=role_list[2]['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project1['id'], + role_id=role_list[3]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], project_id=project1['id'], + role_id=role_list[4]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group2['id'], project_id=project1['id'], + role_id=role_list[5]['id'] + ) # Read by the roles, ensuring we get the correct 3 roles for # both project and domain - combined_list = self.assignment_api.get_roles_for_user_and_project( - user1['id'], project1['id']) + combined_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_project( + user1['id'], project1['id'] + ) + ) self.assertEqual(3, len(combined_list)) self.assertIn(role_list[3]['id'], combined_list) self.assertIn(role_list[4]['id'], combined_list) self.assertIn(role_list[5]['id'], combined_list) - combined_role_list = self.assignment_api.get_roles_for_user_and_domain( - user1['id'], domain1['id']) + combined_role_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_domain( + user1['id'], domain1['id'] + ) + ) self.assertEqual(3, len(combined_role_list)) self.assertIn(role_list[0]['id'], combined_role_list) self.assertIn(role_list[1]['id'], combined_role_list) @@ -1565,57 +1651,58 @@ class AssignmentTests(AssignmentTestHelperMixin): def test_delete_role_with_user_and_group_grants(self): role1 = unit.new_role_ref() - self.role_api.create_role(role1['id'], role1) + PROVIDERS.role_api.create_role(role1['id'], role1) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) project1 = unit.new_project_ref(domain_id=domain1['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) user1 = unit.new_user_ref(domain_id=domain1['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) group1 = unit.new_group_ref(domain_id=domain1['id']) - group1 = self.identity_api.create_group(group1) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role1['id']) - self.assignment_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role1['id']) - roles_ref = self.assignment_api.list_grants( + group1 = PROVIDERS.identity_api.create_group(group1) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project1['id'], role_id=role1['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain1['id'], role_id=role1['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], project_id=project1['id'], + role_id=role1['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=domain1['id'], role_id=role1['id'] + ) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(1, len(roles_ref)) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(1, len(roles_ref)) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertEqual(1, len(roles_ref)) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertEqual(1, len(roles_ref)) - self.role_api.delete_role(role1['id']) - roles_ref = self.assignment_api.list_grants( + PROVIDERS.role_api.delete_role(role1['id']) + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(0, len(roles_ref)) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(0, len(roles_ref)) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertEqual(0, len(roles_ref)) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertEqual(0, len(roles_ref)) @@ -1772,90 +1859,96 @@ class AssignmentTests(AssignmentTestHelperMixin): def test_list_role_assignment_fails_with_userid_and_source_groups(self): """Show we trap this unsupported internal combination of params.""" group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) self.assertRaises(exception.UnexpectedError, - self.assignment_api.list_role_assignments, + PROVIDERS.assignment_api.list_role_assignments, effective=True, user_id=self.user_foo['id'], source_from_group_ids=[group['id']]) def test_list_user_project_ids_returns_not_found(self): self.assertRaises(exception.UserNotFound, - self.assignment_api.list_projects_for_user, + PROVIDERS.assignment_api.list_projects_for_user, uuid.uuid4().hex) def test_delete_user_with_project_association(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user = self.identity_api.create_user(user) + user = PROVIDERS.identity_api.create_user(user) role_member = unit.new_role_ref() - self.role_api.create_role(role_member['id'], role_member) - self.assignment_api.add_role_to_user_and_project(user['id'], - self.tenant_bar['id'], - role_member['id']) - self.identity_api.delete_user(user['id']) + PROVIDERS.role_api.create_role(role_member['id'], role_member) + PROVIDERS.assignment_api.add_role_to_user_and_project( + user['id'], self.tenant_bar['id'], role_member['id'] + ) + PROVIDERS.identity_api.delete_user(user['id']) self.assertRaises(exception.UserNotFound, - self.assignment_api.list_projects_for_user, + PROVIDERS.assignment_api.list_projects_for_user, user['id']) def test_delete_user_with_project_roles(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user = self.identity_api.create_user(user) - self.assignment_api.add_role_to_user_and_project( + user = PROVIDERS.identity_api.create_user(user) + PROVIDERS.assignment_api.add_role_to_user_and_project( user['id'], self.tenant_bar['id'], self.role_member['id']) - self.identity_api.delete_user(user['id']) + PROVIDERS.identity_api.delete_user(user['id']) self.assertRaises(exception.UserNotFound, - self.assignment_api.list_projects_for_user, + PROVIDERS.assignment_api.list_projects_for_user, user['id']) def test_delete_role_returns_not_found(self): self.assertRaises(exception.RoleNotFound, - self.role_api.delete_role, + PROVIDERS.role_api.delete_role, uuid.uuid4().hex) def test_delete_project_with_role_assignments(self): project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - self.resource_api.create_project(project['id'], project) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.resource_api.create_project(project['id'], project) + PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_foo['id'], project['id'], default_fixtures.MEMBER_ROLE_ID) - self.resource_api.delete_project(project['id']) + PROVIDERS.resource_api.delete_project(project['id']) self.assertRaises(exception.ProjectNotFound, - self.assignment_api.list_user_ids_for_project, + PROVIDERS.assignment_api.list_user_ids_for_project, project['id']) def test_delete_role_check_role_grant(self): role = unit.new_role_ref() alt_role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - self.role_api.create_role(alt_role['id'], alt_role) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(alt_role['id'], alt_role) + PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], role['id']) - self.assignment_api.add_role_to_user_and_project( + PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], alt_role['id']) - self.role_api.delete_role(role['id']) - roles_ref = self.assignment_api.get_roles_for_user_and_project( + PROVIDERS.role_api.delete_role(role['id']) + roles_ref = PROVIDERS.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertNotIn(role['id'], roles_ref) self.assertIn(alt_role['id'], roles_ref) def test_list_projects_for_user(self): domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) user1 = unit.new_user_ref(domain_id=domain['id']) - user1 = self.identity_api.create_user(user1) - user_projects = self.assignment_api.list_projects_for_user(user1['id']) + user1 = PROVIDERS.identity_api.create_user(user1) + user_projects = PROVIDERS.assignment_api.list_projects_for_user( + user1['id'] + ) self.assertEqual(0, len(user_projects)) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_member['id']) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=self.tenant_baz['id'], - role_id=self.role_member['id']) - user_projects = self.assignment_api.list_projects_for_user(user1['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=self.tenant_bar['id'], + role_id=self.role_member['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=self.tenant_baz['id'], + role_id=self.role_member['id'] + ) + user_projects = PROVIDERS.assignment_api.list_projects_for_user( + user1['id'] + ) self.assertEqual(2, len(user_projects)) def test_list_projects_for_user_with_grants(self): @@ -1863,43 +1956,48 @@ class AssignmentTests(AssignmentTestHelperMixin): # make user1 a member of both groups. Both these new projects # should now be included, along with any direct user grants. domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) user1 = unit.new_user_ref(domain_id=domain['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) group1 = unit.new_group_ref(domain_id=domain['id']) - group1 = self.identity_api.create_group(group1) + group1 = PROVIDERS.identity_api.create_group(group1) group2 = unit.new_group_ref(domain_id=domain['id']) - group2 = self.identity_api.create_group(group2) + group2 = PROVIDERS.identity_api.create_group(group2) project1 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) project2 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project2['id'], project2) - self.identity_api.add_user_to_group(user1['id'], group1['id']) - self.identity_api.add_user_to_group(user1['id'], group2['id']) + PROVIDERS.resource_api.create_project(project2['id'], project2) + PROVIDERS.identity_api.add_user_to_group(user1['id'], group1['id']) + PROVIDERS.identity_api.add_user_to_group(user1['id'], group2['id']) # Create 3 grants, one user grant, the other two as group grants - self.assignment_api.create_grant(user_id=user1['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_member['id']) - self.assignment_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=self.role_admin['id']) - self.assignment_api.create_grant(group_id=group2['id'], - project_id=project2['id'], - role_id=self.role_admin['id']) - user_projects = self.assignment_api.list_projects_for_user(user1['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=self.tenant_bar['id'], + role_id=self.role_member['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], project_id=project1['id'], + role_id=self.role_admin['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group2['id'], project_id=project2['id'], + role_id=self.role_admin['id'] + ) + user_projects = PROVIDERS.assignment_api.list_projects_for_user( + user1['id'] + ) self.assertEqual(3, len(user_projects)) def test_create_grant_no_user(self): # If call create_grant with a user that doesn't exist, doesn't fail. - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( self.role_other['id'], user_id=uuid.uuid4().hex, project_id=self.tenant_bar['id']) def test_create_grant_no_group(self): # If call create_grant with a group that doesn't exist, doesn't fail. - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( self.role_other['id'], group_id=uuid.uuid4().hex, project_id=self.tenant_bar['id']) @@ -1909,7 +2007,7 @@ class AssignmentTests(AssignmentTestHelperMixin): # removed. def get_member_assignments(): - assignments = self.assignment_api.list_role_assignments() + assignments = PROVIDERS.assignment_api.list_role_assignments() return ([x for x in assignments if x['role_id'] == default_fixtures.MEMBER_ROLE_ID]) @@ -1918,20 +2016,20 @@ class AssignmentTests(AssignmentTestHelperMixin): # Create a group. new_group = unit.new_group_ref( domain_id=CONF.identity.default_domain_id) - new_group = self.identity_api.create_group(new_group) + new_group = PROVIDERS.identity_api.create_group(new_group) # Create a project. new_project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - self.resource_api.create_project(new_project['id'], new_project) + PROVIDERS.resource_api.create_project(new_project['id'], new_project) # Assign a role to the group. - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( group_id=new_group['id'], project_id=new_project['id'], role_id=default_fixtures.MEMBER_ROLE_ID) # Delete the group. - self.identity_api.delete_group(new_group['id']) + PROVIDERS.identity_api.delete_group(new_group['id']) # Check that the role assignment for the group is gone member_assignments = get_member_assignments() @@ -1951,36 +2049,38 @@ class AssignmentTests(AssignmentTestHelperMixin): """ domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) group_list = [] group_id_list = [] role_list = [] for _ in range(3): group = unit.new_group_ref(domain_id=domain1['id']) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) group_list.append(group) group_id_list.append(group['id']) role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) role_list.append(role) # Assign the roles - one is inherited - self.assignment_api.create_grant(group_id=group_list[0]['id'], - domain_id=domain1['id'], - role_id=role_list[0]['id']) - self.assignment_api.create_grant(group_id=group_list[1]['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) - self.assignment_api.create_grant(group_id=group_list[2]['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[0]['id'], domain_id=domain1['id'], + role_id=role_list[0]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[1]['id'], domain_id=domain1['id'], + role_id=role_list[1]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[2]['id'], domain_id=domain1['id'], + role_id=role_list[2]['id'], inherited_to_projects=True + ) # Now get the effective roles for the groups on the domain project. We # shouldn't get back the inherited role. - role_refs = self.assignment_api.get_roles_for_groups( + role_refs = PROVIDERS.assignment_api.get_roles_for_groups( group_id_list, domain_id=domain1['id']) self.assertThat(role_refs, matchers.HasLength(2)) @@ -2003,55 +2103,59 @@ class AssignmentTests(AssignmentTestHelperMixin): """ domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) domain2 = unit.new_domain_ref() - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) project1 = unit.new_project_ref(domain_id=domain1['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) project2 = unit.new_project_ref(domain_id=domain2['id']) - self.resource_api.create_project(project2['id'], project2) + PROVIDERS.resource_api.create_project(project2['id'], project2) group_list = [] group_id_list = [] role_list = [] for _ in range(6): group = unit.new_group_ref(domain_id=domain1['id']) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) group_list.append(group) group_id_list.append(group['id']) role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) role_list.append(role) # Assign the roles - one inherited and one non-inherited on Domain1, # plus one on Project1 - self.assignment_api.create_grant(group_id=group_list[0]['id'], - domain_id=domain1['id'], - role_id=role_list[0]['id']) - self.assignment_api.create_grant(group_id=group_list[1]['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id'], - inherited_to_projects=True) - self.assignment_api.create_grant(group_id=group_list[2]['id'], - project_id=project1['id'], - role_id=role_list[2]['id']) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[0]['id'], domain_id=domain1['id'], + role_id=role_list[0]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[1]['id'], domain_id=domain1['id'], + role_id=role_list[1]['id'], inherited_to_projects=True + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[2]['id'], project_id=project1['id'], + role_id=role_list[2]['id'] + ) # ...and a duplicate set of spoiler assignments to Domain2/Project2 - self.assignment_api.create_grant(group_id=group_list[3]['id'], - domain_id=domain2['id'], - role_id=role_list[3]['id']) - self.assignment_api.create_grant(group_id=group_list[4]['id'], - domain_id=domain2['id'], - role_id=role_list[4]['id'], - inherited_to_projects=True) - self.assignment_api.create_grant(group_id=group_list[5]['id'], - project_id=project2['id'], - role_id=role_list[5]['id']) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[3]['id'], domain_id=domain2['id'], + role_id=role_list[3]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[4]['id'], domain_id=domain2['id'], + role_id=role_list[4]['id'], inherited_to_projects=True + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[5]['id'], project_id=project2['id'], + role_id=role_list[5]['id'] + ) # With inheritance on, we should also get back the inherited role from # its owning domain. - role_refs = self.assignment_api.get_roles_for_groups( + role_refs = PROVIDERS.assignment_api.get_roles_for_groups( group_id_list, project_id=project1['id']) self.assertThat(role_refs, matchers.HasLength(2)) @@ -2074,34 +2178,36 @@ class AssignmentTests(AssignmentTestHelperMixin): group_id_list = [] for _ in range(3): domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) domain_list.append(domain) group = unit.new_group_ref(domain_id=domain['id']) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) group_list.append(group) group_id_list.append(group['id']) role1 = unit.new_role_ref() - self.role_api.create_role(role1['id'], role1) + PROVIDERS.role_api.create_role(role1['id'], role1) # Assign the roles - one is inherited - self.assignment_api.create_grant(group_id=group_list[0]['id'], - domain_id=domain_list[0]['id'], - role_id=role1['id']) - self.assignment_api.create_grant(group_id=group_list[1]['id'], - domain_id=domain_list[1]['id'], - role_id=role1['id']) - self.assignment_api.create_grant(group_id=group_list[2]['id'], - domain_id=domain_list[2]['id'], - role_id=role1['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[0]['id'], domain_id=domain_list[0]['id'], + role_id=role1['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[1]['id'], domain_id=domain_list[1]['id'], + role_id=role1['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[2]['id'], domain_id=domain_list[2]['id'], + role_id=role1['id'], inherited_to_projects=True + ) # Now list the domains that have roles for any of the 3 groups # We shouldn't get back domain[2] since that had an inherited role. domain_refs = ( - self.assignment_api.list_domains_for_groups(group_id_list)) + PROVIDERS.assignment_api.list_domains_for_groups(group_id_list)) self.assertThat(domain_refs, matchers.HasLength(2)) self.assertIn(domain_list[0], domain_refs) @@ -2125,55 +2231,68 @@ class AssignmentTests(AssignmentTestHelperMixin): """ domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) domain2 = unit.new_domain_ref() - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) project1 = unit.new_project_ref(domain_id=domain1['id']) - project1 = self.resource_api.create_project(project1['id'], project1) + project1 = PROVIDERS.resource_api.create_project( + project1['id'], project1 + ) project2 = unit.new_project_ref(domain_id=domain1['id']) - project2 = self.resource_api.create_project(project2['id'], project2) + project2 = PROVIDERS.resource_api.create_project( + project2['id'], project2 + ) project3 = unit.new_project_ref(domain_id=domain1['id']) - project3 = self.resource_api.create_project(project3['id'], project3) + project3 = PROVIDERS.resource_api.create_project( + project3['id'], project3 + ) project4 = unit.new_project_ref(domain_id=domain2['id']) - project4 = self.resource_api.create_project(project4['id'], project4) + project4 = PROVIDERS.resource_api.create_project( + project4['id'], project4 + ) group_list = [] role_list = [] for _ in range(7): group = unit.new_group_ref(domain_id=domain1['id']) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) group_list.append(group) role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) role_list.append(role) # Assign the roles - one inherited and one non-inherited on Domain1, # plus one on Project1 and Project2 - self.assignment_api.create_grant(group_id=group_list[0]['id'], - domain_id=domain1['id'], - role_id=role_list[0]['id']) - self.assignment_api.create_grant(group_id=group_list[1]['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id'], - inherited_to_projects=True) - self.assignment_api.create_grant(group_id=group_list[2]['id'], - project_id=project1['id'], - role_id=role_list[2]['id']) - self.assignment_api.create_grant(group_id=group_list[3]['id'], - project_id=project2['id'], - role_id=role_list[3]['id']) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[0]['id'], domain_id=domain1['id'], + role_id=role_list[0]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[1]['id'], domain_id=domain1['id'], + role_id=role_list[1]['id'], inherited_to_projects=True + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[2]['id'], project_id=project1['id'], + role_id=role_list[2]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[3]['id'], project_id=project2['id'], + role_id=role_list[3]['id'] + ) # ...and a few of spoiler assignments to Domain2/Project4 - self.assignment_api.create_grant(group_id=group_list[4]['id'], - domain_id=domain2['id'], - role_id=role_list[4]['id']) - self.assignment_api.create_grant(group_id=group_list[5]['id'], - domain_id=domain2['id'], - role_id=role_list[5]['id'], - inherited_to_projects=True) - self.assignment_api.create_grant(group_id=group_list[6]['id'], - project_id=project4['id'], - role_id=role_list[6]['id']) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[4]['id'], domain_id=domain2['id'], + role_id=role_list[4]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[5]['id'], domain_id=domain2['id'], + role_id=role_list[5]['id'], inherited_to_projects=True + ) + PROVIDERS.assignment_api.create_grant( + group_id=group_list[6]['id'], project_id=project4['id'], + role_id=role_list[6]['id'] + ) group_id_list = [group_list[1]['id'], group_list[2]['id'], group_list[3]['id']] @@ -2181,7 +2300,7 @@ class AssignmentTests(AssignmentTestHelperMixin): # With inheritance on, we should also get back the Project3 due to the # inherited role from its owning domain. project_refs = ( - self.assignment_api.list_projects_for_groups(group_id_list)) + PROVIDERS.assignment_api.list_projects_for_groups(group_id_list)) self.assertThat(project_refs, matchers.HasLength(3)) self.assertIn(project1, project_refs) @@ -2192,15 +2311,17 @@ class AssignmentTests(AssignmentTestHelperMixin): # A user can update a role and not include the name. # description is picked just because it's not name. - self.role_api.update_role(self.role_member['id'], - {'description': uuid.uuid4().hex}) + PROVIDERS.role_api.update_role( + self.role_member['id'], {'description': uuid.uuid4().hex} + ) # If the previous line didn't raise an exception then the test passes. def test_update_role_same_name(self): # A user can update a role and set the name to be the same as it was. - self.role_api.update_role(self.role_member['id'], - {'name': self.role_member['name']}) + PROVIDERS.role_api.update_role( + self.role_member['id'], {'name': self.role_member['name']} + ) # If the previous line didn't raise an exception then the test passes. def _test_list_role_assignment_containing_names(self, domain_role=False): @@ -2214,29 +2335,32 @@ class AssignmentTests(AssignmentTestHelperMixin): new_project = unit.new_project_ref(domain_id=new_domain['id']) new_group = unit.new_group_ref(domain_id=new_domain['id']) # Create entities - new_role = self.role_api.create_role(new_role['id'], new_role) - new_user = self.identity_api.create_user(new_user) - new_group = self.identity_api.create_group(new_group) - self.resource_api.create_project(new_project['id'], new_project) - self.assignment_api.create_grant(user_id=new_user['id'], - project_id=new_project['id'], - role_id=new_role['id']) - self.assignment_api.create_grant(group_id=new_group['id'], - project_id=new_project['id'], - role_id=new_role['id']) - self.assignment_api.create_grant(domain_id=new_domain['id'], - user_id=new_user['id'], - role_id=new_role['id']) + new_role = PROVIDERS.role_api.create_role(new_role['id'], new_role) + new_user = PROVIDERS.identity_api.create_user(new_user) + new_group = PROVIDERS.identity_api.create_group(new_group) + PROVIDERS.resource_api.create_project(new_project['id'], new_project) + PROVIDERS.assignment_api.create_grant( + user_id=new_user['id'], project_id=new_project['id'], + role_id=new_role['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=new_group['id'], project_id=new_project['id'], + role_id=new_role['id'] + ) + PROVIDERS.assignment_api.create_grant( + domain_id=new_domain['id'], user_id=new_user['id'], + role_id=new_role['id'] + ) # Get the created assignments with the include_names flag - _asgmt_prj = self.assignment_api.list_role_assignments( + _asgmt_prj = PROVIDERS.assignment_api.list_role_assignments( user_id=new_user['id'], project_id=new_project['id'], include_names=True) - _asgmt_grp = self.assignment_api.list_role_assignments( + _asgmt_grp = PROVIDERS.assignment_api.list_role_assignments( group_id=new_group['id'], project_id=new_project['id'], include_names=True) - _asgmt_dmn = self.assignment_api.list_role_assignments( + _asgmt_dmn = PROVIDERS.assignment_api.list_role_assignments( domain_id=new_domain['id'], user_id=new_user['id'], include_names=True) @@ -2318,22 +2442,28 @@ class AssignmentTests(AssignmentTestHelperMixin): new_user = unit.new_user_ref(domain_id=new_domain['id']) new_project = unit.new_project_ref(domain_id=new_domain['id']) # Create entities - new_role = self.role_api.create_role(new_role['id'], new_role) - new_user = self.identity_api.create_user(new_user) - self.resource_api.create_project(new_project['id'], new_project) - self.assignment_api.create_grant(user_id=new_user['id'], - project_id=new_project['id'], - role_id=new_role['id']) + new_role = PROVIDERS.role_api.create_role(new_role['id'], new_role) + new_user = PROVIDERS.identity_api.create_user(new_user) + PROVIDERS.resource_api.create_project(new_project['id'], new_project) + PROVIDERS.assignment_api.create_grant( + user_id=new_user['id'], project_id=new_project['id'], + role_id=new_role['id'] + ) # Get the created assignments with NO include_names flag - role_assign_without_names = self.assignment_api.list_role_assignments( - user_id=new_user['id'], - project_id=new_project['id']) + role_assign_without_names = ( + PROVIDERS.assignment_api.list_role_assignments( + user_id=new_user['id'], project_id=new_project['id'] + ) + ) assert_does_not_contain_names(role_assign_without_names) # Get the created assignments with include_names=False - role_assign_without_names = self.assignment_api.list_role_assignments( - user_id=new_user['id'], - project_id=new_project['id'], - include_names=False) + role_assign_without_names = ( + PROVIDERS.assignment_api.list_role_assignments( + user_id=new_user['id'], + project_id=new_project['id'], + include_names=False + ) + ) assert_does_not_contain_names(role_assign_without_names) def test_delete_user_assignments_user_same_id_as_group(self): @@ -2353,50 +2483,52 @@ class AssignmentTests(AssignmentTestHelperMixin): # Create a project project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - project = self.resource_api.create_project(project['id'], project) + project = PROVIDERS.resource_api.create_project(project['id'], project) # Create a user user = unit.new_user_ref(id=common_id, domain_id=CONF.identity.default_domain_id) - user = self.identity_api.driver.create_user(common_id, user) + user = PROVIDERS.identity_api.driver.create_user(common_id, user) self.assertEqual(common_id, user['id']) # Create a group group = unit.new_group_ref(id=common_id, domain_id=CONF.identity.default_domain_id) - group = self.identity_api.driver.create_group(common_id, group) + group = PROVIDERS.identity_api.driver.create_group(common_id, group) self.assertEqual(common_id, group['id']) # Create four roles roles = [] for _ in range(4): role = unit.new_role_ref() - roles.append(self.role_api.create_role(role['id'], role)) + roles.append(PROVIDERS.role_api.create_role(role['id'], role)) # Assign roles for user - self.assignment_api.driver.create_grant( + PROVIDERS.assignment_api.driver.create_grant( user_id=user['id'], domain_id=CONF.identity.default_domain_id, role_id=roles[0]['id']) - self.assignment_api.driver.create_grant(user_id=user['id'], - project_id=project['id'], - role_id=roles[1]['id']) + PROVIDERS.assignment_api.driver.create_grant( + user_id=user['id'], project_id=project['id'], + role_id=roles[1]['id'] + ) # Assign roles for group - self.assignment_api.driver.create_grant( + PROVIDERS.assignment_api.driver.create_grant( group_id=group['id'], domain_id=CONF.identity.default_domain_id, role_id=roles[2]['id']) - self.assignment_api.driver.create_grant(group_id=group['id'], - project_id=project['id'], - role_id=roles[3]['id']) + PROVIDERS.assignment_api.driver.create_grant( + group_id=group['id'], project_id=project['id'], + role_id=roles[3]['id'] + ) # Make sure they were assigned - user_assignments = self.assignment_api.list_role_assignments( + user_assignments = PROVIDERS.assignment_api.list_role_assignments( user_id=user['id']) self.assertThat(user_assignments, matchers.HasLength(2)) - group_assignments = self.assignment_api.list_role_assignments( + group_assignments = PROVIDERS.assignment_api.list_role_assignments( group_id=group['id']) self.assertThat(group_assignments, matchers.HasLength(2)) # Delete user assignments - self.assignment_api.delete_user_assignments(user_id=user['id']) + PROVIDERS.assignment_api.delete_user_assignments(user_id=user['id']) # Assert only user assignments were deleted - user_assignments = self.assignment_api.list_role_assignments( + user_assignments = PROVIDERS.assignment_api.list_role_assignments( user_id=user['id']) self.assertThat(user_assignments, matchers.HasLength(0)) - group_assignments = self.assignment_api.list_role_assignments( + group_assignments = PROVIDERS.assignment_api.list_role_assignments( group_id=group['id']) self.assertThat(group_assignments, matchers.HasLength(2)) # Make sure these remaining assignments are group-related @@ -2420,50 +2552,52 @@ class AssignmentTests(AssignmentTestHelperMixin): # Create a project project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - project = self.resource_api.create_project(project['id'], project) + project = PROVIDERS.resource_api.create_project(project['id'], project) # Create a user user = unit.new_user_ref(id=common_id, domain_id=CONF.identity.default_domain_id) - user = self.identity_api.driver.create_user(common_id, user) + user = PROVIDERS.identity_api.driver.create_user(common_id, user) self.assertEqual(common_id, user['id']) # Create a group group = unit.new_group_ref(id=common_id, domain_id=CONF.identity.default_domain_id) - group = self.identity_api.driver.create_group(common_id, group) + group = PROVIDERS.identity_api.driver.create_group(common_id, group) self.assertEqual(common_id, group['id']) # Create four roles roles = [] for _ in range(4): role = unit.new_role_ref() - roles.append(self.role_api.create_role(role['id'], role)) + roles.append(PROVIDERS.role_api.create_role(role['id'], role)) # Assign roles for user - self.assignment_api.driver.create_grant( + PROVIDERS.assignment_api.driver.create_grant( user_id=user['id'], domain_id=CONF.identity.default_domain_id, role_id=roles[0]['id']) - self.assignment_api.driver.create_grant(user_id=user['id'], - project_id=project['id'], - role_id=roles[1]['id']) + PROVIDERS.assignment_api.driver.create_grant( + user_id=user['id'], project_id=project['id'], + role_id=roles[1]['id'] + ) # Assign roles for group - self.assignment_api.driver.create_grant( + PROVIDERS.assignment_api.driver.create_grant( group_id=group['id'], domain_id=CONF.identity.default_domain_id, role_id=roles[2]['id']) - self.assignment_api.driver.create_grant(group_id=group['id'], - project_id=project['id'], - role_id=roles[3]['id']) + PROVIDERS.assignment_api.driver.create_grant( + group_id=group['id'], project_id=project['id'], + role_id=roles[3]['id'] + ) # Make sure they were assigned - user_assignments = self.assignment_api.list_role_assignments( + user_assignments = PROVIDERS.assignment_api.list_role_assignments( user_id=user['id']) self.assertThat(user_assignments, matchers.HasLength(2)) - group_assignments = self.assignment_api.list_role_assignments( + group_assignments = PROVIDERS.assignment_api.list_role_assignments( group_id=group['id']) self.assertThat(group_assignments, matchers.HasLength(2)) # Delete group assignments - self.assignment_api.delete_group_assignments(group_id=group['id']) + PROVIDERS.assignment_api.delete_group_assignments(group_id=group['id']) # Assert only group assignments were deleted - group_assignments = self.assignment_api.list_role_assignments( + group_assignments = PROVIDERS.assignment_api.list_role_assignments( group_id=group['id']) self.assertThat(group_assignments, matchers.HasLength(0)) - user_assignments = self.assignment_api.list_role_assignments( + user_assignments = PROVIDERS.assignment_api.list_role_assignments( user_id=user['id']) self.assertThat(user_assignments, matchers.HasLength(2)) # Make sure these remaining assignments are user-related @@ -2476,42 +2610,46 @@ class AssignmentTests(AssignmentTestHelperMixin): # domains is deleted, the role assignments for the user and the group # from the default domain are deleted only on that domain. group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) role = unit.new_role_ref() - role = self.role_api.create_role(role['id'], role) + role = PROVIDERS.role_api.create_role(role['id'], role) new_domains = [unit.new_domain_ref(), unit.new_domain_ref()] for new_domain in new_domains: - self.resource_api.create_domain(new_domain['id'], new_domain) + PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain) - self.assignment_api.create_grant(group_id=group['id'], - domain_id=new_domain['id'], - role_id=role['id']) - self.assignment_api.create_grant(user_id=self.user_two['id'], - domain_id=new_domain['id'], - role_id=role['id']) + PROVIDERS.assignment_api.create_grant( + group_id=group['id'], domain_id=new_domain['id'], + role_id=role['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=self.user_two['id'], domain_id=new_domain['id'], + role_id=role['id'] + ) # Check there are 4 role assignments for that role - role_assignments = self.assignment_api.list_role_assignments( + role_assignments = PROVIDERS.assignment_api.list_role_assignments( role_id=role['id']) self.assertThat(role_assignments, matchers.HasLength(4)) # Delete first new domain and check only 2 assignments were left - self.resource_api.update_domain(new_domains[0]['id'], - {'enabled': False}) - self.resource_api.delete_domain(new_domains[0]['id']) + PROVIDERS.resource_api.update_domain( + new_domains[0]['id'], {'enabled': False} + ) + PROVIDERS.resource_api.delete_domain(new_domains[0]['id']) - role_assignments = self.assignment_api.list_role_assignments( + role_assignments = PROVIDERS.assignment_api.list_role_assignments( role_id=role['id']) self.assertThat(role_assignments, matchers.HasLength(2)) # Delete second new domain and check no assignments were left - self.resource_api.update_domain(new_domains[1]['id'], - {'enabled': False}) - self.resource_api.delete_domain(new_domains[1]['id']) + PROVIDERS.resource_api.update_domain( + new_domains[1]['id'], {'enabled': False} + ) + PROVIDERS.resource_api.delete_domain(new_domains[1]['id']) - role_assignments = self.assignment_api.list_role_assignments( + role_assignments = PROVIDERS.assignment_api.list_role_assignments( role_id=role['id']) self.assertEqual([], role_assignments) @@ -2561,7 +2699,7 @@ class InheritanceTests(AssignmentTestHelperMixin): """ # Create a new role to avoid assignments loaded from default fixtures role = unit.new_role_ref() - role = self.role_api.create_role(role['id'], role) + role = PROVIDERS.role_api.create_role(role['id'], role) # Define the common assignment entity assignment_entity = {'role_id': role['id']} @@ -2573,29 +2711,39 @@ class InheritanceTests(AssignmentTestHelperMixin): inherited_assignment_entity['inherited_to_projects'] = 'projects' # Create direct assignment and check grants - self.assignment_api.create_grant(inherited_to_projects=False, - **assignment_entity) + PROVIDERS.assignment_api.create_grant( + inherited_to_projects=False, **assignment_entity + ) - grants = self.assignment_api.list_role_assignments(role_id=role['id']) + grants = PROVIDERS.assignment_api.list_role_assignments( + role_id=role['id'] + ) self.assertThat(grants, matchers.HasLength(1)) self.assertIn(direct_assignment_entity, grants) # Now add inherited assignment and check grants - self.assignment_api.create_grant(inherited_to_projects=True, - **assignment_entity) + PROVIDERS.assignment_api.create_grant( + inherited_to_projects=True, **assignment_entity + ) - grants = self.assignment_api.list_role_assignments(role_id=role['id']) + grants = PROVIDERS.assignment_api.list_role_assignments( + role_id=role['id'] + ) self.assertThat(grants, matchers.HasLength(2)) self.assertIn(direct_assignment_entity, grants) self.assertIn(inherited_assignment_entity, grants) # Delete both and check grants - self.assignment_api.delete_grant(inherited_to_projects=False, - **assignment_entity) - self.assignment_api.delete_grant(inherited_to_projects=True, - **assignment_entity) + PROVIDERS.assignment_api.delete_grant( + inherited_to_projects=False, **assignment_entity + ) + PROVIDERS.assignment_api.delete_grant( + inherited_to_projects=True, **assignment_entity + ) - grants = self.assignment_api.list_role_assignments(role_id=role['id']) + grants = PROVIDERS.assignment_api.list_role_assignments( + role_id=role['id'] + ) self.assertEqual([], grants) def test_crud_inherited_and_direct_assignment_for_user_on_domain(self): @@ -2605,7 +2753,7 @@ class InheritanceTests(AssignmentTestHelperMixin): def test_crud_inherited_and_direct_assignment_for_group_on_domain(self): group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) self._test_crud_inherited_and_direct_assignment( group_id=group['id'], domain_id=CONF.identity.default_domain_id) @@ -2616,7 +2764,7 @@ class InheritanceTests(AssignmentTestHelperMixin): def test_crud_inherited_and_direct_assignment_for_group_on_project(self): group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) self._test_crud_inherited_and_direct_assignment( group_id=group['id'], project_id=self.tenant_baz['id']) @@ -2643,53 +2791,64 @@ class InheritanceTests(AssignmentTestHelperMixin): role_list = [] for _ in range(3): role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) role_list.append(role) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) user1 = unit.new_user_ref(domain_id=domain1['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) project1 = unit.new_project_ref(domain_id=domain1['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(0, len(roles_ref)) # Create the first two roles - the domain one is not inherited - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[0]['id']) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project1['id'], + role_id=role_list[0]['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain1['id'], + role_id=role_list[1]['id'] + ) # Now get the effective roles for the user and project, this # should only include the direct role assignment on the project - combined_list = self.assignment_api.get_roles_for_user_and_project( - user1['id'], project1['id']) + combined_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_project( + user1['id'], project1['id'] + ) + ) self.assertEqual(1, len(combined_list)) self.assertIn(role_list[0]['id'], combined_list) # Now add an inherited role on the domain - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain1['id'], + role_id=role_list[2]['id'], inherited_to_projects=True + ) # Now get the effective roles for the user and project again, this # should now include the inherited role on the domain - combined_list = self.assignment_api.get_roles_for_user_and_project( - user1['id'], project1['id']) + combined_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_project( + user1['id'], project1['id'] + ) + ) self.assertEqual(2, len(combined_list)) self.assertIn(role_list[0]['id'], combined_list) self.assertIn(role_list[2]['id'], combined_list) # Finally, check that the inherited role does not appear as a valid # directly assigned role on the domain itself - combined_role_list = self.assignment_api.get_roles_for_user_and_domain( - user1['id'], domain1['id']) + combined_role_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_domain( + user1['id'], domain1['id'] + ) + ) self.assertEqual(1, len(combined_role_list)) self.assertIn(role_list[1]['id'], combined_role_list) @@ -2750,58 +2909,68 @@ class InheritanceTests(AssignmentTestHelperMixin): role_list = [] for _ in range(4): role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) role_list.append(role) domain1 = unit.new_domain_ref() - self.resource_api.create_domain(domain1['id'], domain1) + PROVIDERS.resource_api.create_domain(domain1['id'], domain1) user1 = unit.new_user_ref(domain_id=domain1['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) group1 = unit.new_group_ref(domain_id=domain1['id']) - group1 = self.identity_api.create_group(group1) + group1 = PROVIDERS.identity_api.create_group(group1) group2 = unit.new_group_ref(domain_id=domain1['id']) - group2 = self.identity_api.create_group(group2) + group2 = PROVIDERS.identity_api.create_group(group2) project1 = unit.new_project_ref(domain_id=domain1['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) - self.identity_api.add_user_to_group(user1['id'], - group1['id']) - self.identity_api.add_user_to_group(user1['id'], - group2['id']) + PROVIDERS.identity_api.add_user_to_group( + user1['id'], group1['id'] + ) + PROVIDERS.identity_api.add_user_to_group( + user1['id'], group2['id'] + ) - roles_ref = self.assignment_api.list_grants( + roles_ref = PROVIDERS.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(0, len(roles_ref)) # Create two roles - the domain one is not inherited - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[0]['id']) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project1['id'], + role_id=role_list[0]['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=domain1['id'], + role_id=role_list[1]['id'] + ) # Now get the effective roles for the user and project, this # should only include the direct role assignment on the project - combined_list = self.assignment_api.get_roles_for_user_and_project( - user1['id'], project1['id']) + combined_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_project( + user1['id'], project1['id'] + ) + ) self.assertEqual(1, len(combined_list)) self.assertIn(role_list[0]['id'], combined_list) # Now add to more group roles, both inherited, to the domain - self.assignment_api.create_grant(group_id=group2['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id'], - inherited_to_projects=True) - self.assignment_api.create_grant(group_id=group2['id'], - domain_id=domain1['id'], - role_id=role_list[3]['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + group_id=group2['id'], domain_id=domain1['id'], + role_id=role_list[2]['id'], inherited_to_projects=True + ) + PROVIDERS.assignment_api.create_grant( + group_id=group2['id'], domain_id=domain1['id'], + role_id=role_list[3]['id'], inherited_to_projects=True + ) # Now get the effective roles for the user and project again, this # should now include the inherited roles on the domain - combined_list = self.assignment_api.get_roles_for_user_and_project( - user1['id'], project1['id']) + combined_list = ( + PROVIDERS.assignment_api.get_roles_for_user_and_project( + user1['id'], project1['id'] + ) + ) self.assertEqual(3, len(combined_list)) self.assertIn(role_list[0]['id'], combined_list) self.assertIn(role_list[2]['id'], combined_list) @@ -2856,26 +3025,29 @@ class InheritanceTests(AssignmentTestHelperMixin): """ domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) user1 = unit.new_user_ref(domain_id=domain['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) project1 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) project2 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project2['id'], project2) + PROVIDERS.resource_api.create_project(project2['id'], project2) # Create 2 grants, one on a project and one inherited grant # on the domain - self.assignment_api.create_grant(user_id=user1['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_member['id']) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain['id'], - role_id=self.role_admin['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=self.tenant_bar['id'], + role_id=self.role_member['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain['id'], + role_id=self.role_admin['id'], inherited_to_projects=True + ) # Should get back all three projects, one by virtue of the direct # grant, plus both projects in the domain - user_projects = self.assignment_api.list_projects_for_user(user1['id']) + user_projects = ( + PROVIDERS.assignment_api.list_projects_for_user(user1['id']) + ) self.assertEqual(3, len(user_projects)) # TODO(henry-nash): The test above uses list_projects_for_user @@ -2926,29 +3098,34 @@ class InheritanceTests(AssignmentTestHelperMixin): # Enable OS-INHERIT extension root_project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - root_project = self.resource_api.create_project(root_project['id'], - root_project) + root_project = PROVIDERS.resource_api.create_project( + root_project['id'], root_project + ) leaf_project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id, parent_id=root_project['id']) - leaf_project = self.resource_api.create_project(leaf_project['id'], - leaf_project) + leaf_project = PROVIDERS.resource_api.create_project( + leaf_project['id'], leaf_project + ) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user = self.identity_api.create_user(user) + user = PROVIDERS.identity_api.create_user(user) # Grant inherited user role - self.assignment_api.create_grant(user_id=user['id'], - project_id=root_project['id'], - role_id=self.role_admin['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + user_id=user['id'], project_id=root_project['id'], + role_id=self.role_admin['id'], inherited_to_projects=True + ) # Grant non-inherited user role - self.assignment_api.create_grant(user_id=user['id'], - project_id=root_project['id'], - role_id=self.role_member['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user['id'], project_id=root_project['id'], + role_id=self.role_member['id'] + ) # Should get back both projects: because the direct role assignment for # the root project and inherited role assignment for leaf project - user_projects = self.assignment_api.list_projects_for_user(user['id']) + user_projects = ( + PROVIDERS.assignment_api.list_projects_for_user(user['id']) + ) self.assertEqual(2, len(user_projects)) self.assertIn(root_project, user_projects) self.assertIn(leaf_project, user_projects) @@ -3000,45 +3177,49 @@ class InheritanceTests(AssignmentTestHelperMixin): """ domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) domain2 = unit.new_domain_ref() - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) project1 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project1['id'], project1) + PROVIDERS.resource_api.create_project(project1['id'], project1) project2 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project2['id'], project2) + PROVIDERS.resource_api.create_project(project2['id'], project2) project3 = unit.new_project_ref(domain_id=domain2['id']) - self.resource_api.create_project(project3['id'], project3) + PROVIDERS.resource_api.create_project(project3['id'], project3) project4 = unit.new_project_ref(domain_id=domain2['id']) - self.resource_api.create_project(project4['id'], project4) + PROVIDERS.resource_api.create_project(project4['id'], project4) user1 = unit.new_user_ref(domain_id=domain['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) group1 = unit.new_group_ref(domain_id=domain['id']) - group1 = self.identity_api.create_group(group1) - self.identity_api.add_user_to_group(user1['id'], group1['id']) + group1 = PROVIDERS.identity_api.create_group(group1) + PROVIDERS.identity_api.add_user_to_group(user1['id'], group1['id']) # Create 4 grants: # - one user grant on a project in domain2 # - one user grant on a project in the default domain # - one inherited user grant on domain # - one inherited group grant on domain2 - self.assignment_api.create_grant(user_id=user1['id'], - project_id=project3['id'], - role_id=self.role_member['id']) - self.assignment_api.create_grant(user_id=user1['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_member['id']) - self.assignment_api.create_grant(user_id=user1['id'], - domain_id=domain['id'], - role_id=self.role_admin['id'], - inherited_to_projects=True) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=domain2['id'], - role_id=self.role_admin['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=project3['id'], + role_id=self.role_member['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], project_id=self.tenant_bar['id'], + role_id=self.role_member['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user1['id'], domain_id=domain['id'], + role_id=self.role_admin['id'], inherited_to_projects=True + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=domain2['id'], + role_id=self.role_admin['id'], inherited_to_projects=True + ) # Should get back all five projects, but without a duplicate for # project3 (since it has both a direct user role and an inherited role) - user_projects = self.assignment_api.list_projects_for_user(user1['id']) + user_projects = ( + PROVIDERS.assignment_api.list_projects_for_user(user1['id']) + ) self.assertEqual(5, len(user_projects)) # TODO(henry-nash): The test above uses list_projects_for_user @@ -3099,33 +3280,38 @@ class InheritanceTests(AssignmentTestHelperMixin): """ root_project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - root_project = self.resource_api.create_project(root_project['id'], - root_project) + root_project = PROVIDERS.resource_api.create_project( + root_project['id'], root_project + ) leaf_project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id, parent_id=root_project['id']) - leaf_project = self.resource_api.create_project(leaf_project['id'], - leaf_project) + leaf_project = PROVIDERS.resource_api.create_project( + leaf_project['id'], leaf_project + ) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user = self.identity_api.create_user(user) + user = PROVIDERS.identity_api.create_user(user) group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) - group = self.identity_api.create_group(group) - self.identity_api.add_user_to_group(user['id'], group['id']) + group = PROVIDERS.identity_api.create_group(group) + PROVIDERS.identity_api.add_user_to_group(user['id'], group['id']) # Grant inherited group role - self.assignment_api.create_grant(group_id=group['id'], - project_id=root_project['id'], - role_id=self.role_admin['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + group_id=group['id'], project_id=root_project['id'], + role_id=self.role_admin['id'], inherited_to_projects=True + ) # Grant non-inherited group role - self.assignment_api.create_grant(group_id=group['id'], - project_id=root_project['id'], - role_id=self.role_member['id']) + PROVIDERS.assignment_api.create_grant( + group_id=group['id'], project_id=root_project['id'], + role_id=self.role_member['id'] + ) # Should get back both projects: because the direct role assignment for # the root project and inherited role assignment for leaf project - user_projects = self.assignment_api.list_projects_for_user(user['id']) + user_projects = PROVIDERS.assignment_api.list_projects_for_user( + user['id'] + ) self.assertEqual(2, len(user_projects)) self.assertIn(root_project, user_projects) self.assertIn(leaf_project, user_projects) @@ -3416,7 +3602,7 @@ class InheritanceTests(AssignmentTestHelperMixin): # Use assignment plan helper to create all the entities and # assignments - then we'll run our own tests using the data test_data = self.execute_assignment_plan(test_plan) - user_ids = self.assignment_api.list_user_ids_for_project( + user_ids = PROVIDERS.assignment_api.list_user_ids_for_project( test_data['projects'][1]['id']) self.assertThat(user_ids, matchers.HasLength(4)) for x in range(0, 4): @@ -3468,14 +3654,16 @@ class ImpliedRoleTests(AssignmentTestHelperMixin): def test_implied_role_crd(self): prior_role_ref = unit.new_role_ref() - self.role_api.create_role(prior_role_ref['id'], prior_role_ref) + PROVIDERS.role_api.create_role(prior_role_ref['id'], prior_role_ref) implied_role_ref = unit.new_role_ref() - self.role_api.create_role(implied_role_ref['id'], implied_role_ref) + PROVIDERS.role_api.create_role( + implied_role_ref['id'], implied_role_ref + ) - self.role_api.create_implied_role( + PROVIDERS.role_api.create_implied_role( prior_role_ref['id'], implied_role_ref['id']) - implied_role = self.role_api.get_implied_role( + implied_role = PROVIDERS.role_api.get_implied_role( prior_role_ref['id'], implied_role_ref['id']) expected_implied_role_ref = { @@ -3485,17 +3673,17 @@ class ImpliedRoleTests(AssignmentTestHelperMixin): expected_implied_role_ref, implied_role) - self.role_api.delete_implied_role( + PROVIDERS.role_api.delete_implied_role( prior_role_ref['id'], implied_role_ref['id']) self.assertRaises(exception.ImpliedRoleNotFound, - self.role_api.get_implied_role, + PROVIDERS.role_api.get_implied_role, uuid.uuid4().hex, uuid.uuid4().hex) def test_delete_implied_role_returns_not_found(self): self.assertRaises(exception.ImpliedRoleNotFound, - self.role_api.delete_implied_role, + PROVIDERS.role_api.delete_implied_role, uuid.uuid4().hex, uuid.uuid4().hex) @@ -3594,7 +3782,7 @@ class ImpliedRoleTests(AssignmentTestHelperMixin): # We should also be able to get a similar (yet summarized) answer to # the above by calling get_roles_for_user_and_project(), which should # list the role_ids, yet remove any duplicates - role_ids = self.assignment_api.get_roles_for_user_and_project( + role_ids = PROVIDERS.assignment_api.get_roles_for_user_and_project( test_data['users'][0]['id'], test_data['projects'][0]['id']) # We should see 6 entries, not 7, since role index 5 appeared twice in # the answer from list_role_assignments @@ -3715,13 +3903,15 @@ class ImpliedRoleTests(AssignmentTestHelperMixin): class SystemAssignmentTests(AssignmentTestHelperMixin): def test_create_system_grant_for_user(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] role_ref = self._create_role() - self.assignment_api.create_system_grant_for_user( + PROVIDERS.assignment_api.create_system_grant_for_user( user_id, role_ref['id'] ) - system_roles = self.assignment_api.list_system_grants_for_user(user_id) + system_roles = PROVIDERS.assignment_api.list_system_grants_for_user( + user_id + ) self.assertEqual(len(system_roles), 1) self.assertIsNone(system_roles[0]['domain_id']) self.assertEqual(system_roles[0]['id'], role_ref['id']) @@ -3729,57 +3919,73 @@ class SystemAssignmentTests(AssignmentTestHelperMixin): def test_list_system_grants_for_user(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] first_role = self._create_role() second_role = self._create_role() - self.assignment_api.create_system_grant_for_user( + PROVIDERS.assignment_api.create_system_grant_for_user( user_id, first_role['id'] ) - system_roles = self.assignment_api.list_system_grants_for_user(user_id) + system_roles = PROVIDERS.assignment_api.list_system_grants_for_user( + user_id + ) self.assertEqual(len(system_roles), 1) - self.assignment_api.create_system_grant_for_user( + PROVIDERS.assignment_api.create_system_grant_for_user( user_id, second_role['id'] ) - system_roles = self.assignment_api.list_system_grants_for_user(user_id) + system_roles = PROVIDERS.assignment_api.list_system_grants_for_user( + user_id + ) self.assertEqual(len(system_roles), 2) def test_check_system_grant_for_user(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] role = self._create_role() self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.check_system_grant_for_user, + PROVIDERS.assignment_api.check_system_grant_for_user, user_id, role['id'] ) - self.assignment_api.create_system_grant_for_user(user_id, role['id']) - self.assignment_api.check_system_grant_for_user(user_id, role['id']) + PROVIDERS.assignment_api.create_system_grant_for_user( + user_id, role['id'] + ) + PROVIDERS.assignment_api.check_system_grant_for_user( + user_id, role['id'] + ) def test_delete_system_grant_for_user(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] role = self._create_role() - self.assignment_api.create_system_grant_for_user(user_id, role['id']) - system_roles = self.assignment_api.list_system_grants_for_user(user_id) + PROVIDERS.assignment_api.create_system_grant_for_user( + user_id, role['id'] + ) + system_roles = PROVIDERS.assignment_api.list_system_grants_for_user( + user_id + ) self.assertEqual(len(system_roles), 1) - self.assignment_api.delete_system_grant_for_user(user_id, role['id']) - system_roles = self.assignment_api.list_system_grants_for_user(user_id) + PROVIDERS.assignment_api.delete_system_grant_for_user( + user_id, role['id'] + ) + system_roles = PROVIDERS.assignment_api.list_system_grants_for_user( + user_id + ) self.assertEqual(len(system_roles), 0) def test_check_system_grant_for_user_with_invalid_role_fails(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.check_system_grant_for_user, + PROVIDERS.assignment_api.check_system_grant_for_user, user_id, uuid.uuid4().hex ) @@ -3789,65 +3995,71 @@ class SystemAssignmentTests(AssignmentTestHelperMixin): self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.check_system_grant_for_user, + PROVIDERS.assignment_api.check_system_grant_for_user, uuid.uuid4().hex, role['id'] ) def test_delete_system_grant_for_user_with_invalid_role_fails(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] role = self._create_role() - self.assignment_api.create_system_grant_for_user(user_id, role['id']) + PROVIDERS.assignment_api.create_system_grant_for_user( + user_id, role['id'] + ) self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.delete_system_grant_for_user, + PROVIDERS.assignment_api.delete_system_grant_for_user, user_id, uuid.uuid4().hex ) def test_delete_system_grant_for_user_with_invalid_user_fails(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] role = self._create_role() - self.assignment_api.create_system_grant_for_user(user_id, role['id']) + PROVIDERS.assignment_api.create_system_grant_for_user( + user_id, role['id'] + ) self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.delete_system_grant_for_user, + PROVIDERS.assignment_api.delete_system_grant_for_user, uuid.uuid4().hex, role['id'] ) def test_list_system_grants_for_user_returns_empty_list(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] - system_roles = self.assignment_api.list_system_grants_for_user(user_id) + system_roles = PROVIDERS.assignment_api.list_system_grants_for_user( + user_id + ) self.assertFalse(system_roles) def test_create_system_grant_for_user_fails_with_domain_role(self): user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user_id = self.identity_api.create_user(user_ref)['id'] + user_id = PROVIDERS.identity_api.create_user(user_ref)['id'] role = self._create_role(domain_id=CONF.identity.default_domain_id) self.assertRaises( exception.ValidationError, - self.assignment_api.create_system_grant_for_user, + PROVIDERS.assignment_api.create_system_grant_for_user, user_id, role['id'] ) def test_create_system_grant_for_group(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] role_ref = self._create_role() - self.assignment_api.create_system_grant_for_group( + PROVIDERS.assignment_api.create_system_grant_for_group( group_id, role_ref['id'] ) - system_roles = self.assignment_api.list_system_grants_for_group( + system_roles = PROVIDERS.assignment_api.list_system_grants_for_group( group_id ) self.assertEqual(len(system_roles), 1) @@ -3857,65 +4069,73 @@ class SystemAssignmentTests(AssignmentTestHelperMixin): def test_list_system_grants_for_group(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] first_role = self._create_role() second_role = self._create_role() - self.assignment_api.create_system_grant_for_group( + PROVIDERS.assignment_api.create_system_grant_for_group( group_id, first_role['id'] ) - system_roles = self.assignment_api.list_system_grants_for_group( + system_roles = PROVIDERS.assignment_api.list_system_grants_for_group( group_id ) self.assertEqual(len(system_roles), 1) - self.assignment_api.create_system_grant_for_group( + PROVIDERS.assignment_api.create_system_grant_for_group( group_id, second_role['id'] ) - system_roles = self.assignment_api.list_system_grants_for_group( + system_roles = PROVIDERS.assignment_api.list_system_grants_for_group( group_id ) self.assertEqual(len(system_roles), 2) def test_check_system_grant_for_group(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] role = self._create_role() self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.check_system_grant_for_group, + PROVIDERS.assignment_api.check_system_grant_for_group, group_id, role['id'] ) - self.assignment_api.create_system_grant_for_group(group_id, role['id']) - self.assignment_api.check_system_grant_for_group(group_id, role['id']) + PROVIDERS.assignment_api.create_system_grant_for_group( + group_id, role['id'] + ) + PROVIDERS.assignment_api.check_system_grant_for_group( + group_id, role['id'] + ) def test_delete_system_grant_for_group(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] role = self._create_role() - self.assignment_api.create_system_grant_for_group(group_id, role['id']) - system_roles = self.assignment_api.list_system_grants_for_group( + PROVIDERS.assignment_api.create_system_grant_for_group( + group_id, role['id'] + ) + system_roles = PROVIDERS.assignment_api.list_system_grants_for_group( group_id ) self.assertEqual(len(system_roles), 1) - self.assignment_api.delete_system_grant_for_group(group_id, role['id']) - system_roles = self.assignment_api.list_system_grants_for_group( + PROVIDERS.assignment_api.delete_system_grant_for_group( + group_id, role['id'] + ) + system_roles = PROVIDERS.assignment_api.list_system_grants_for_group( group_id ) self.assertEqual(len(system_roles), 0) def test_check_system_grant_for_group_with_invalid_role_fails(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.check_system_grant_for_group, + PROVIDERS.assignment_api.check_system_grant_for_group, group_id, uuid.uuid4().hex ) @@ -3925,54 +4145,58 @@ class SystemAssignmentTests(AssignmentTestHelperMixin): self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.check_system_grant_for_group, + PROVIDERS.assignment_api.check_system_grant_for_group, uuid.uuid4().hex, role['id'] ) def test_delete_system_grant_for_group_with_invalid_role_fails(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] role = self._create_role() - self.assignment_api.create_system_grant_for_group(group_id, role['id']) + PROVIDERS.assignment_api.create_system_grant_for_group( + group_id, role['id'] + ) self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.delete_system_grant_for_group, + PROVIDERS.assignment_api.delete_system_grant_for_group, group_id, uuid.uuid4().hex ) def test_delete_system_grant_for_group_with_invalid_group_fails(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] role = self._create_role() - self.assignment_api.create_system_grant_for_group(group_id, role['id']) + PROVIDERS.assignment_api.create_system_grant_for_group( + group_id, role['id'] + ) self.assertRaises( exception.RoleAssignmentNotFound, - self.assignment_api.delete_system_grant_for_group, + PROVIDERS.assignment_api.delete_system_grant_for_group, uuid.uuid4().hex, role['id'] ) def test_list_system_grants_for_group_returns_empty_list(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] - system_roles = self.assignment_api.list_system_grants_for_group( + system_roles = PROVIDERS.assignment_api.list_system_grants_for_group( group_id ) self.assertFalse(system_roles) def test_create_system_grant_for_group_fails_with_domain_role(self): group_ref = unit.new_group_ref(CONF.identity.default_domain_id) - group_id = self.identity_api.create_group(group_ref)['id'] + group_id = PROVIDERS.identity_api.create_group(group_ref)['id'] role = self._create_role(CONF.identity.default_domain_id) self.assertRaises( exception.ValidationError, - self.assignment_api.create_system_grant_for_group, + PROVIDERS.assignment_api.create_system_grant_for_group, group_id, role['id'] ) diff --git a/keystone/tests/unit/credential/test_backend_sql.py b/keystone/tests/unit/credential/test_backend_sql.py index e4bef244ab..c21c871769 100644 --- a/keystone/tests/unit/credential/test_backend_sql.py +++ b/keystone/tests/unit/credential/test_backend_sql.py @@ -14,12 +14,15 @@ import uuid from six.moves import range +from keystone.common import provider_api from keystone.credential.providers import fernet as credential_provider from keystone.tests import unit from keystone.tests.unit import default_fixtures from keystone.tests.unit import ksfixtures from keystone.tests.unit.ksfixtures import database +PROVIDERS = provider_api.ProviderAPIs + class SqlTests(unit.SQLDriverOverrides, unit.TestCase): @@ -46,7 +49,9 @@ class SqlCredential(SqlTests): credential = unit.new_credential_ref(user_id=user_id, extra=uuid.uuid4().hex, type=uuid.uuid4().hex) - self.credential_api.create_credential(credential['id'], credential) + PROVIDERS.credential_api.create_credential( + credential['id'], credential + ) return credential def _validate_credential_list(self, retrieved_credentials, @@ -79,9 +84,9 @@ class SqlCredential(SqlTests): self.credentials.append(cred) def test_backend_credential_sql_hints_none(self): - credentials = self.credential_api.list_credentials(hints=None) + credentials = PROVIDERS.credential_api.list_credentials(hints=None) self._validate_credential_list(credentials, self.user_credentials) def test_backend_credential_sql_no_hints(self): - credentials = self.credential_api.list_credentials() + credentials = PROVIDERS.credential_api.list_credentials() self._validate_credential_list(credentials, self.user_credentials) diff --git a/keystone/tests/unit/test_associate_project_endpoint_extension.py b/keystone/tests/unit/test_associate_project_endpoint_extension.py index 20e909c562..37c3a5d0b8 100644 --- a/keystone/tests/unit/test_associate_project_endpoint_extension.py +++ b/keystone/tests/unit/test_associate_project_endpoint_extension.py @@ -18,9 +18,12 @@ import uuid from six.moves import http_client from testtools import matchers +from keystone.common import provider_api from keystone.tests import unit from keystone.tests.unit import test_v3 +PROVIDERS = provider_api.ProviderAPIs + class EndpointFilterTestCase(test_v3.RestfulTestCase): @@ -296,14 +299,14 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase): region_id=self.region_id, interface='public', id=endpoint_id2) - self.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) + PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) # create endpoint project association. self.put(self.default_request_url) # should get back only one endpoint that was just created. user_id = uuid.uuid4().hex - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -313,13 +316,13 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase): # add the second endpoint to default project, bypassing # catalog_api API manager. - self.catalog_api.driver.add_endpoint_to_project( + PROVIDERS.catalog_api.driver.add_endpoint_to_project( endpoint_id2, self.default_domain_project_id) # but, we can just get back one endpoint from the cache, since the # catalog is pulled out from cache and its haven't been invalidated. - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -327,7 +330,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase): # remove the endpoint2 from the default project, and add it again via # catalog_api API manager. - self.catalog_api.driver.remove_endpoint_from_project( + PROVIDERS.catalog_api.driver.remove_endpoint_from_project( endpoint_id2, self.default_domain_project_id) @@ -358,7 +361,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase): region_id=self.region_id, interface='public', id=endpoint_id2) - self.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) + PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) # create endpoint project association. self.put(self.default_request_url) @@ -370,7 +373,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase): # should get back only one endpoint that was just created. user_id = uuid.uuid4().hex - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -382,14 +385,14 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase): # remove the endpoint2 from the default project, bypassing # catalog_api API manager. - self.catalog_api.driver.remove_endpoint_from_project( + PROVIDERS.catalog_api.driver.remove_endpoint_from_project( endpoint_id2, self.default_domain_project_id) # but, we can just still get back two endpoints from the cache, # since the catalog is pulled out from cache and its haven't # been invalidated. - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -397,7 +400,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase): # add back the endpoint2 to the default project, and remove it by # catalog_api API manage. - self.catalog_api.driver.add_endpoint_to_project( + PROVIDERS.catalog_api.driver.add_endpoint_to_project( endpoint_id2, self.default_domain_project_id) @@ -411,7 +414,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase): # should only get back one endpoint since the cache has been # invalidated after the endpoint project association was removed. - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -522,7 +525,7 @@ class EndpointFilterTokenRequestTestCase(EndpointFilterTestCase): region_id=self.region_id, interface='public', id=endpoint_id2) - self.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) + PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) # add second endpoint to default project self.put('/OS-EP-FILTER/projects/%(project_id)s' @@ -533,7 +536,7 @@ class EndpointFilterTokenRequestTestCase(EndpointFilterTestCase): # remove the temporary reference # this will create inconsistency in the endpoint filter table # which is fixed during the catalog creation for token request - self.catalog_api.delete_endpoint(endpoint_id2) + PROVIDERS.catalog_api.delete_endpoint(endpoint_id2) auth_data = self.build_authentication_request( user_id=self.user['id'], @@ -566,8 +569,9 @@ class EndpointFilterTokenRequestTestCase(EndpointFilterTestCase): 'enabled': False, 'interface': 'internal' }) - self.catalog_api.create_endpoint(disabled_endpoint_id, - disabled_endpoint_ref) + PROVIDERS.catalog_api.create_endpoint( + disabled_endpoint_id, disabled_endpoint_ref + ) self.put('/OS-EP-FILTER/projects/%(project_id)s' '/endpoints/%(endpoint_id)s' % { @@ -1144,7 +1148,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): # association, this is needed when a project scoped token is issued # and "endpoint_filter.sql" backend driver is in place. user_id = uuid.uuid4().hex - catalog_list = self.catalog_api.get_v3_catalog( + catalog_list = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) self.assertEqual(2, len(catalog_list)) @@ -1163,7 +1167,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): endpoints = self.assertValidEndpointListResponse(r) self.assertEqual(1, len(endpoints)) - catalog_list = self.catalog_api.get_v3_catalog( + catalog_list = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) self.assertEqual(1, len(catalog_list)) @@ -1259,14 +1263,14 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): region_id=self.region_id, interface='admin', id=endpoint_id2) - self.catalog_api.create_endpoint(endpoint_id2, endpoint2) + PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2) # create a project and endpoint association. self.put(self.default_request_url) # there is only one endpoint associated with the default project. user_id = uuid.uuid4().hex - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -1278,13 +1282,13 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): # add the endpoint group to default project, bypassing # catalog_api API manager. - self.catalog_api.driver.add_endpoint_group_to_project( + PROVIDERS.catalog_api.driver.add_endpoint_group_to_project( endpoint_group_id, self.default_domain_project_id) # can get back only one endpoint from the cache, since the catalog # is pulled out from cache. - invalid_catalog = self.catalog_api.get_v3_catalog( + invalid_catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -1294,16 +1298,16 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): # remove the endpoint group from default project, and add it again via # catalog_api API manager. - self.catalog_api.driver.remove_endpoint_group_from_project( + PROVIDERS.catalog_api.driver.remove_endpoint_group_from_project( endpoint_group_id, self.default_domain_project_id) # add the endpoint group to default project. - self.catalog_api.add_endpoint_group_to_project( + PROVIDERS.catalog_api.add_endpoint_group_to_project( endpoint_group_id, self.default_domain_project_id) - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -1329,7 +1333,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): region_id=self.region_id, interface='admin', id=endpoint_id2) - self.catalog_api.create_endpoint(endpoint_id2, endpoint2) + PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2) # create project and endpoint association. self.put(self.default_request_url) @@ -1339,7 +1343,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): self.DEFAULT_ENDPOINT_GROUP_URL, self.DEFAULT_ENDPOINT_GROUP_BODY) # add the endpoint group to default project. - self.catalog_api.add_endpoint_group_to_project( + PROVIDERS.catalog_api.add_endpoint_group_to_project( endpoint_group_id, self.default_domain_project_id) @@ -1347,7 +1351,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): # association, the other one is from endpoint_group project # association. user_id = uuid.uuid4().hex - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -1359,13 +1363,13 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): # remove endpoint_group project association, bypassing # catalog_api API manager. - self.catalog_api.driver.remove_endpoint_group_from_project( + PROVIDERS.catalog_api.driver.remove_endpoint_group_from_project( endpoint_group_id, self.default_domain_project_id) # still get back two endpoints, since the catalog is pulled out # from cache and the cache haven't been invalidated. - invalid_catalog = self.catalog_api.get_v3_catalog( + invalid_catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) @@ -1375,18 +1379,18 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase): # add back the endpoint_group project association and remove it from # manager. - self.catalog_api.driver.add_endpoint_group_to_project( + PROVIDERS.catalog_api.driver.add_endpoint_group_to_project( endpoint_group_id, self.default_domain_project_id) - self.catalog_api.remove_endpoint_group_from_project( + PROVIDERS.catalog_api.remove_endpoint_group_from_project( endpoint_group_id, self.default_domain_project_id) # should only get back one endpoint since the cache has been # invalidated after the endpoint_group project association was # removed. - catalog = self.catalog_api.get_v3_catalog( + catalog = PROVIDERS.catalog_api.get_v3_catalog( user_id, self.default_domain_project_id) diff --git a/keystone/tests/unit/test_backend_ldap_pool.py b/keystone/tests/unit/test_backend_ldap_pool.py index 939c330315..959872f2a9 100644 --- a/keystone/tests/unit/test_backend_ldap_pool.py +++ b/keystone/tests/unit/test_backend_ldap_pool.py @@ -17,6 +17,7 @@ import fixtures import ldappool import mock +from keystone.common import provider_api import keystone.conf from keystone.identity.backends import ldap from keystone.identity.backends.ldap import common as common_ldap @@ -26,6 +27,7 @@ from keystone.tests.unit import test_backend_ldap CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs class LdapPoolCommonTestMixin(object): @@ -36,7 +38,7 @@ class LdapPoolCommonTestMixin(object): def test_handler_with_use_pool_enabled(self): # by default use_pool and use_auth_pool is enabled in test pool config - user_ref = self.identity_api.get_user(self.user_foo['id']) + user_ref = PROVIDERS.identity_api.get_user(self.user_foo['id']) self.user_foo.pop('password') self.assertDictEqual(self.user_foo, user_ref) @@ -90,7 +92,7 @@ class LdapPoolCommonTestMixin(object): def test_pool_retry_delay_set(self): # just make one identity call to initiate ldap connection if not there - self.identity_api.get_user(self.user_foo['id']) + PROVIDERS.identity_api.get_user(self.user_foo['id']) # get related connection manager instance ldappool_cm = self.conn_pools[CONF.ldap.url] @@ -174,7 +176,7 @@ class LdapPoolCommonTestMixin(object): # authenticate so that connection is added to pool before password # change - user_ref = self.identity_api.authenticate( + user_ref = PROVIDERS.identity_api.authenticate( self.make_request(), user_id=self.user_sna['id'], password=self.user_sna['password']) @@ -185,11 +187,11 @@ class LdapPoolCommonTestMixin(object): new_password = 'new_password' user_ref['password'] = new_password - self.identity_api.update_user(user_ref['id'], user_ref) + PROVIDERS.identity_api.update_user(user_ref['id'], user_ref) # now authenticate again to make sure new password works with # connection pool - user_ref2 = self.identity_api.authenticate( + user_ref2 = PROVIDERS.identity_api.authenticate( self.make_request(), user_id=self.user_sna['id'], password=new_password) @@ -201,7 +203,7 @@ class LdapPoolCommonTestMixin(object): # is only one connection in pool which get bind again with updated # password..so no old bind is maintained in this case. self.assertRaises(AssertionError, - self.identity_api.authenticate, + PROVIDERS.identity_api.authenticate, self.make_request(), user_id=self.user_sna['id'], password=old_password) @@ -223,7 +225,7 @@ class LDAPIdentity(LdapPoolCommonTestMixin, # super class loads db fixtures which establishes ldap connection # so adding dummy call to highlight connection pool initialization # as its not that obvious though its not needed here - self.identity_api.get_user(self.user_foo['id']) + PROVIDERS.identity_api.get_user(self.user_foo['id']) def config_files(self): config_files = super(LDAPIdentity, self).config_files() @@ -236,8 +238,8 @@ class LDAPIdentity(LdapPoolCommonTestMixin, return arg mocked_method.side_effect = side_effect # invalidate the cache to get utf8_encode function called. - self.identity_api.get_user.invalidate(self.identity_api, - self.user_foo['id']) - self.identity_api.get_user(self.user_foo['id']) + PROVIDERS.identity_api.get_user.invalidate(PROVIDERS.identity_api, + self.user_foo['id']) + PROVIDERS.identity_api.get_user(self.user_foo['id']) mocked_method.assert_any_call(CONF.ldap.user) mocked_method.assert_any_call(CONF.ldap.password) diff --git a/keystone/tests/unit/test_backend_sql.py b/keystone/tests/unit/test_backend_sql.py index 735c04871d..c04ba97ab1 100644 --- a/keystone/tests/unit/test_backend_sql.py +++ b/keystone/tests/unit/test_backend_sql.py @@ -242,8 +242,9 @@ class SqlIdentity(SqlTests, resource_tests.ResourceTests): def test_password_hashed(self): with sql.session_for_read() as session: - user_ref = self.identity_api._get_user(session, - self.user_foo['id']) + user_ref = PROVIDERS.identity_api._get_user( + session, self.user_foo['id'] + ) self.assertNotEqual(self.user_foo['password'], user_ref['password']) @@ -251,46 +252,49 @@ class SqlIdentity(SqlTests, user_dict = unit.new_user_ref( domain_id=CONF.identity.default_domain_id) user_dict["password"] = None - new_user_dict = self.identity_api.create_user(user_dict) + new_user_dict = PROVIDERS.identity_api.create_user(user_dict) with sql.session_for_read() as session: - new_user_ref = self.identity_api._get_user(session, - new_user_dict['id']) + new_user_ref = PROVIDERS.identity_api._get_user( + session, new_user_dict['id'] + ) self.assertIsNone(new_user_ref.password) def test_update_user_with_null_password(self): user_dict = unit.new_user_ref( domain_id=CONF.identity.default_domain_id) self.assertTrue(user_dict['password']) - new_user_dict = self.identity_api.create_user(user_dict) + new_user_dict = PROVIDERS.identity_api.create_user(user_dict) new_user_dict["password"] = None - new_user_dict = self.identity_api.update_user(new_user_dict['id'], - new_user_dict) + new_user_dict = PROVIDERS.identity_api.update_user( + new_user_dict['id'], new_user_dict + ) with sql.session_for_read() as session: - new_user_ref = self.identity_api._get_user(session, - new_user_dict['id']) + new_user_ref = PROVIDERS.identity_api._get_user( + session, new_user_dict['id'] + ) self.assertIsNone(new_user_ref.password) def test_delete_user_with_project_association(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user = self.identity_api.create_user(user) + user = PROVIDERS.identity_api.create_user(user) role_member = unit.new_role_ref() - self.role_api.create_role(role_member['id'], role_member) - self.assignment_api.add_role_to_user_and_project(user['id'], - self.tenant_bar['id'], - role_member['id']) - self.identity_api.delete_user(user['id']) + PROVIDERS.role_api.create_role(role_member['id'], role_member) + PROVIDERS.assignment_api.add_role_to_user_and_project( + user['id'], self.tenant_bar['id'], role_member['id'] + ) + PROVIDERS.identity_api.delete_user(user['id']) self.assertRaises(exception.UserNotFound, - self.assignment_api.list_projects_for_user, + PROVIDERS.assignment_api.list_projects_for_user, user['id']) def test_create_null_user_name(self): user = unit.new_user_ref(name=None, domain_id=CONF.identity.default_domain_id) self.assertRaises(exception.ValidationError, - self.identity_api.create_user, + PROVIDERS.identity_api.create_user, user) self.assertRaises(exception.UserNotFound, - self.identity_api.get_user_by_name, + PROVIDERS.identity_api.get_user_by_name, user['name'], CONF.identity.default_domain_id) @@ -302,11 +306,11 @@ class SqlIdentity(SqlTests, # create a ref with a lowercase name ref = unit.new_user_ref(name=uuid.uuid4().hex.lower(), domain_id=CONF.identity.default_domain_id) - ref = self.identity_api.create_user(ref) + ref = PROVIDERS.identity_api.create_user(ref) # assign a new ID with the same name, but this time in uppercase ref['name'] = ref['name'].upper() - self.identity_api.create_user(ref) + PROVIDERS.identity_api.create_user(ref) def test_create_project_case_sensitivity(self): # project name case sensitivity is down to the fact that it is marked @@ -315,23 +319,23 @@ class SqlIdentity(SqlTests, # create a ref with a lowercase name ref = unit.new_project_ref(domain_id=CONF.identity.default_domain_id) - self.resource_api.create_project(ref['id'], ref) + PROVIDERS.resource_api.create_project(ref['id'], ref) # assign a new ID with the same name, but this time in uppercase ref['id'] = uuid.uuid4().hex ref['name'] = ref['name'].upper() - self.resource_api.create_project(ref['id'], ref) + PROVIDERS.resource_api.create_project(ref['id'], ref) def test_delete_project_with_user_association(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user = self.identity_api.create_user(user) + user = PROVIDERS.identity_api.create_user(user) role_member = unit.new_role_ref() - self.role_api.create_role(role_member['id'], role_member) - self.assignment_api.add_role_to_user_and_project(user['id'], - self.tenant_bar['id'], - role_member['id']) - self.resource_api.delete_project(self.tenant_bar['id']) - tenants = self.assignment_api.list_projects_for_user(user['id']) + PROVIDERS.role_api.create_role(role_member['id'], role_member) + PROVIDERS.assignment_api.add_role_to_user_and_project( + user['id'], self.tenant_bar['id'], role_member['id'] + ) + PROVIDERS.resource_api.delete_project(self.tenant_bar['id']) + tenants = PROVIDERS.assignment_api.list_projects_for_user(user['id']) self.assertEqual([], tenants) def test_update_project_returns_extra(self): @@ -349,12 +353,12 @@ class SqlIdentity(SqlTests, project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) project[arbitrary_key] = arbitrary_value - ref = self.resource_api.create_project(project['id'], project) + ref = PROVIDERS.resource_api.create_project(project['id'], project) self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertIsNone(ref.get('extra')) ref['name'] = uuid.uuid4().hex - ref = self.resource_api.update_project(ref['id'], ref) + ref = PROVIDERS.resource_api.update_project(ref['id'], ref) self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertEqual(arbitrary_value, ref['extra'][arbitrary_key]) @@ -373,14 +377,14 @@ class SqlIdentity(SqlTests, user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user[arbitrary_key] = arbitrary_value del user["id"] - ref = self.identity_api.create_user(user) + ref = PROVIDERS.identity_api.create_user(user) self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertIsNone(ref.get('password')) self.assertIsNone(ref.get('extra')) user['name'] = uuid.uuid4().hex user['password'] = uuid.uuid4().hex - ref = self.identity_api.update_user(ref['id'], user) + ref = PROVIDERS.identity_api.update_user(ref['id'], user) self.assertIsNone(ref.get('password')) self.assertIsNone(ref['extra'].get('password')) self.assertEqual(arbitrary_value, ref[arbitrary_key]) @@ -388,7 +392,7 @@ class SqlIdentity(SqlTests, def test_sql_user_to_dict_null_default_project_id(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - user = self.identity_api.create_user(user) + user = PROVIDERS.identity_api.create_user(user) with sql.session_for_read() as session: query = session.query(identity_sql.User) query = query.filter_by(id=user['id']) @@ -400,24 +404,30 @@ class SqlIdentity(SqlTests, def test_list_domains_for_user(self): domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) user = unit.new_user_ref(domain_id=domain['id']) test_domain1 = unit.new_domain_ref() - self.resource_api.create_domain(test_domain1['id'], test_domain1) + PROVIDERS.resource_api.create_domain(test_domain1['id'], test_domain1) test_domain2 = unit.new_domain_ref() - self.resource_api.create_domain(test_domain2['id'], test_domain2) + PROVIDERS.resource_api.create_domain(test_domain2['id'], test_domain2) - user = self.identity_api.create_user(user) - user_domains = self.assignment_api.list_domains_for_user(user['id']) + user = PROVIDERS.identity_api.create_user(user) + user_domains = PROVIDERS.assignment_api.list_domains_for_user( + user['id'] + ) self.assertEqual(0, len(user_domains)) - self.assignment_api.create_grant(user_id=user['id'], - domain_id=test_domain1['id'], - role_id=self.role_member['id']) - self.assignment_api.create_grant(user_id=user['id'], - domain_id=test_domain2['id'], - role_id=self.role_member['id']) - user_domains = self.assignment_api.list_domains_for_user(user['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user['id'], domain_id=test_domain1['id'], + role_id=self.role_member['id'] + ) + PROVIDERS.assignment_api.create_grant( + user_id=user['id'], domain_id=test_domain2['id'], + role_id=self.role_member['id'] + ) + user_domains = PROVIDERS.assignment_api.list_domains_for_user( + user['id'] + ) self.assertThat(user_domains, matchers.HasLength(2)) def test_list_domains_for_user_with_grants(self): @@ -425,35 +435,40 @@ class SqlIdentity(SqlTests, # make user1 a member of both groups. Both these new domains # should now be included, along with any direct user grants. domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) user = unit.new_user_ref(domain_id=domain['id']) - user = self.identity_api.create_user(user) + user = PROVIDERS.identity_api.create_user(user) group1 = unit.new_group_ref(domain_id=domain['id']) - group1 = self.identity_api.create_group(group1) + group1 = PROVIDERS.identity_api.create_group(group1) group2 = unit.new_group_ref(domain_id=domain['id']) - group2 = self.identity_api.create_group(group2) + group2 = PROVIDERS.identity_api.create_group(group2) test_domain1 = unit.new_domain_ref() - self.resource_api.create_domain(test_domain1['id'], test_domain1) + PROVIDERS.resource_api.create_domain(test_domain1['id'], test_domain1) test_domain2 = unit.new_domain_ref() - self.resource_api.create_domain(test_domain2['id'], test_domain2) + PROVIDERS.resource_api.create_domain(test_domain2['id'], test_domain2) test_domain3 = unit.new_domain_ref() - self.resource_api.create_domain(test_domain3['id'], test_domain3) + PROVIDERS.resource_api.create_domain(test_domain3['id'], test_domain3) - self.identity_api.add_user_to_group(user['id'], group1['id']) - self.identity_api.add_user_to_group(user['id'], group2['id']) + PROVIDERS.identity_api.add_user_to_group(user['id'], group1['id']) + PROVIDERS.identity_api.add_user_to_group(user['id'], group2['id']) # Create 3 grants, one user grant, the other two as group grants - self.assignment_api.create_grant(user_id=user['id'], - domain_id=test_domain1['id'], - role_id=self.role_member['id']) - self.assignment_api.create_grant(group_id=group1['id'], - domain_id=test_domain2['id'], - role_id=self.role_admin['id']) - self.assignment_api.create_grant(group_id=group2['id'], - domain_id=test_domain3['id'], - role_id=self.role_admin['id']) - user_domains = self.assignment_api.list_domains_for_user(user['id']) + PROVIDERS.assignment_api.create_grant( + user_id=user['id'], domain_id=test_domain1['id'], + role_id=self.role_member['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group1['id'], domain_id=test_domain2['id'], + role_id=self.role_admin['id'] + ) + PROVIDERS.assignment_api.create_grant( + group_id=group2['id'], domain_id=test_domain3['id'], + role_id=self.role_admin['id'] + ) + user_domains = PROVIDERS.assignment_api.list_domains_for_user( + user['id'] + ) self.assertThat(user_domains, matchers.HasLength(3)) def test_list_domains_for_user_with_inherited_grants(self): @@ -468,29 +483,31 @@ class SqlIdentity(SqlTests, """ domain1 = unit.new_domain_ref() - domain1 = self.resource_api.create_domain(domain1['id'], domain1) + domain1 = PROVIDERS.resource_api.create_domain(domain1['id'], domain1) domain2 = unit.new_domain_ref() - domain2 = self.resource_api.create_domain(domain2['id'], domain2) + domain2 = PROVIDERS.resource_api.create_domain(domain2['id'], domain2) user = unit.new_user_ref(domain_id=domain1['id']) - user = self.identity_api.create_user(user) + user = PROVIDERS.identity_api.create_user(user) group = unit.new_group_ref(domain_id=domain1['id']) - group = self.identity_api.create_group(group) - self.identity_api.add_user_to_group(user['id'], group['id']) + group = PROVIDERS.identity_api.create_group(group) + PROVIDERS.identity_api.add_user_to_group(user['id'], group['id']) role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) # Create a grant on each domain, one user grant, one group grant, # both inherited. - self.assignment_api.create_grant(user_id=user['id'], - domain_id=domain1['id'], - role_id=role['id'], - inherited_to_projects=True) - self.assignment_api.create_grant(group_id=group['id'], - domain_id=domain2['id'], - role_id=role['id'], - inherited_to_projects=True) + PROVIDERS.assignment_api.create_grant( + user_id=user['id'], domain_id=domain1['id'], role_id=role['id'], + inherited_to_projects=True + ) + PROVIDERS.assignment_api.create_grant( + group_id=group['id'], domain_id=domain2['id'], role_id=role['id'], + inherited_to_projects=True + ) - user_domains = self.assignment_api.list_domains_for_user(user['id']) + user_domains = PROVIDERS.assignment_api.list_domains_for_user( + user['id'] + ) # No domains should be returned since both domains have only inherited # roles assignments. self.assertThat(user_domains, matchers.HasLength(0)) @@ -504,13 +521,13 @@ class SqlIdentity(SqlTests, for x in range(0, USER_COUNT): new_user = unit.new_user_ref(domain_id=domain['id']) - new_user = self.identity_api.create_user(new_user) + new_user = PROVIDERS.identity_api.create_user(new_user) test_users.append(new_user) positive_user = test_users[0] negative_user = test_users[1] for x in range(0, USER_COUNT): - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( test_users[x]['id']) self.assertEqual(0, len(group_refs)) @@ -518,23 +535,23 @@ class SqlIdentity(SqlTests, before_count = x after_count = x + 1 new_group = unit.new_group_ref(domain_id=domain['id']) - new_group = self.identity_api.create_group(new_group) + new_group = PROVIDERS.identity_api.create_group(new_group) test_groups.append(new_group) # add the user to the group and ensure that the # group count increases by one for each - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( positive_user['id']) self.assertEqual(before_count, len(group_refs)) - self.identity_api.add_user_to_group( + PROVIDERS.identity_api.add_user_to_group( positive_user['id'], new_group['id']) - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( positive_user['id']) self.assertEqual(after_count, len(group_refs)) # Make sure the group count for the unrelated user did not change - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( negative_user['id']) self.assertEqual(0, len(group_refs)) @@ -543,18 +560,18 @@ class SqlIdentity(SqlTests, for x in range(0, 3): before_count = GROUP_COUNT - x after_count = GROUP_COUNT - x - 1 - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( positive_user['id']) self.assertEqual(before_count, len(group_refs)) - self.identity_api.remove_user_from_group( + PROVIDERS.identity_api.remove_user_from_group( positive_user['id'], test_groups[x]['id']) - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( positive_user['id']) self.assertEqual(after_count, len(group_refs)) # Make sure the group count for the unrelated user # did not change - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( negative_user['id']) self.assertEqual(0, len(group_refs)) @@ -570,43 +587,46 @@ class SqlIdentity(SqlTests, """ spoiler_project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - self.resource_api.create_project(spoiler_project['id'], - spoiler_project) + PROVIDERS.resource_api.create_project( + spoiler_project['id'], spoiler_project + ) # First let's create a project with a None domain_id and make sure we # can read it back. project = unit.new_project_ref(domain_id=None, is_domain=True) - project = self.resource_api.create_project(project['id'], project) - ref = self.resource_api.get_project(project['id']) + project = PROVIDERS.resource_api.create_project(project['id'], project) + ref = PROVIDERS.resource_api.get_project(project['id']) self.assertDictEqual(project, ref) # Can we get it by name? - ref = self.resource_api.get_project_by_name(project['name'], None) + ref = PROVIDERS.resource_api.get_project_by_name(project['name'], None) self.assertDictEqual(project, ref) # Can we filter for them - create a second domain to ensure we are # testing the receipt of more than one. project2 = unit.new_project_ref(domain_id=None, is_domain=True) - project2 = self.resource_api.create_project(project2['id'], project2) + project2 = PROVIDERS.resource_api.create_project( + project2['id'], project2 + ) hints = driver_hints.Hints() hints.add_filter('domain_id', None) - refs = self.resource_api.list_projects(hints) + refs = PROVIDERS.resource_api.list_projects(hints) self.assertThat(refs, matchers.HasLength(2 + self.domain_count)) self.assertIn(project, refs) self.assertIn(project2, refs) # Can we update it? project['name'] = uuid.uuid4().hex - self.resource_api.update_project(project['id'], project) - ref = self.resource_api.get_project(project['id']) + PROVIDERS.resource_api.update_project(project['id'], project) + ref = PROVIDERS.resource_api.get_project(project['id']) self.assertDictEqual(project, ref) # Finally, make sure we can delete it project['enabled'] = False - self.resource_api.update_project(project['id'], project) - self.resource_api.delete_project(project['id']) + PROVIDERS.resource_api.update_project(project['id'], project) + PROVIDERS.resource_api.delete_project(project['id']) self.assertRaises(exception.ProjectNotFound, - self.resource_api.get_project, + PROVIDERS.resource_api.get_project, project['id']) def test_hidden_project_domain_root_is_really_hidden(self): @@ -619,7 +639,7 @@ class SqlIdentity(SqlTests, """ def _exercise_project_api(ref_id): - driver = self.resource_api.driver + driver = PROVIDERS.resource_api.driver self.assertRaises(exception.ProjectNotFound, driver.get_project, ref_id) @@ -680,7 +700,7 @@ class SqlIdentity(SqlTests, # create 10 users. 10 is just a random number for i in range(10): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - self.identity_api.create_user(user) + PROVIDERS.identity_api.create_user(user) # sqlalchemy emits various events and allows to listen to them. Here # bound method `query_counter` will be called each time when a query @@ -699,14 +719,14 @@ class SqlIdentity(SqlTests, sqlalchemy.event.listen(sqlalchemy.orm.query.Query, 'before_compile', counter.query_counter) - first_call_users = self.identity_api.list_users() + first_call_users = PROVIDERS.identity_api.list_users() first_call_counter = counter.calls # add 10 more users for i in range(10): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) - self.identity_api.create_user(user) + PROVIDERS.identity_api.create_user(user) counter.reset() - second_call_users = self.identity_api.list_users() + second_call_users = PROVIDERS.identity_api.list_users() # ensure that the number of calls does not depend on the number of # users fetched. self.assertNotEqual(len(first_call_users), len(second_call_users)) @@ -858,27 +878,27 @@ class SqlCatalog(SqlTests, catalog_tests.CatalogTests): def test_catalog_ignored_malformed_urls(self): service = unit.new_service_ref() - self.catalog_api.create_service(service['id'], service) + PROVIDERS.catalog_api.create_service(service['id'], service) malformed_url = "http://192.168.1.104:8774/v2/$(tenant)s" endpoint = unit.new_endpoint_ref(service_id=service['id'], url=malformed_url, region_id=None) - self.catalog_api.create_endpoint(endpoint['id'], endpoint.copy()) + PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint.copy()) # NOTE(dstanek): there are no valid URLs, so nothing is in the catalog - catalog = self.catalog_api.get_catalog('fake-user', 'fake-tenant') + catalog = PROVIDERS.catalog_api.get_catalog('fake-user', 'fake-tenant') self.assertEqual({}, catalog) def test_get_catalog_with_empty_public_url(self): service = unit.new_service_ref() - self.catalog_api.create_service(service['id'], service) + PROVIDERS.catalog_api.create_service(service['id'], service) endpoint = unit.new_endpoint_ref(url='', service_id=service['id'], region_id=None) - self.catalog_api.create_endpoint(endpoint['id'], endpoint.copy()) + PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint.copy()) - catalog = self.catalog_api.get_catalog('user', 'tenant') + catalog = PROVIDERS.catalog_api.get_catalog('user', 'tenant') catalog_endpoint = catalog[endpoint['region_id']][service['type']] self.assertEqual(service['name'], catalog_endpoint['name']) self.assertEqual(endpoint['id'], catalog_endpoint['id']) @@ -888,13 +908,13 @@ class SqlCatalog(SqlTests, catalog_tests.CatalogTests): def test_create_endpoint_region_returns_not_found(self): service = unit.new_service_ref() - self.catalog_api.create_service(service['id'], service) + PROVIDERS.catalog_api.create_service(service['id'], service) endpoint = unit.new_endpoint_ref(region_id=uuid.uuid4().hex, service_id=service['id']) self.assertRaises(exception.ValidationError, - self.catalog_api.create_endpoint, + PROVIDERS.catalog_api.create_endpoint, endpoint['id'], endpoint.copy()) @@ -902,85 +922,92 @@ class SqlCatalog(SqlTests, catalog_tests.CatalogTests): region = unit.new_region_ref(id='0' * 256) self.assertRaises(exception.StringLengthExceeded, - self.catalog_api.create_region, + PROVIDERS.catalog_api.create_region, region) def test_create_region_invalid_parent_id(self): region = unit.new_region_ref(parent_region_id='0' * 256) self.assertRaises(exception.RegionNotFound, - self.catalog_api.create_region, + PROVIDERS.catalog_api.create_region, region) def test_delete_region_with_endpoint(self): # create a region region = unit.new_region_ref() - self.catalog_api.create_region(region) + PROVIDERS.catalog_api.create_region(region) # create a child region child_region = unit.new_region_ref(parent_region_id=region['id']) - self.catalog_api.create_region(child_region) + PROVIDERS.catalog_api.create_region(child_region) # create a service service = unit.new_service_ref() - self.catalog_api.create_service(service['id'], service) + PROVIDERS.catalog_api.create_service(service['id'], service) # create an endpoint attached to the service and child region child_endpoint = unit.new_endpoint_ref(region_id=child_region['id'], service_id=service['id']) - self.catalog_api.create_endpoint(child_endpoint['id'], child_endpoint) + PROVIDERS.catalog_api.create_endpoint( + child_endpoint['id'], child_endpoint + ) self.assertRaises(exception.RegionDeletionError, - self.catalog_api.delete_region, + PROVIDERS.catalog_api.delete_region, child_region['id']) # create an endpoint attached to the service and parent region endpoint = unit.new_endpoint_ref(region_id=region['id'], service_id=service['id']) - self.catalog_api.create_endpoint(endpoint['id'], endpoint) + PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint) self.assertRaises(exception.RegionDeletionError, - self.catalog_api.delete_region, + PROVIDERS.catalog_api.delete_region, region['id']) def test_v3_catalog_domain_scoped_token(self): # test the case that tenant_id is None. srv_1 = unit.new_service_ref() - self.catalog_api.create_service(srv_1['id'], srv_1) + PROVIDERS.catalog_api.create_service(srv_1['id'], srv_1) endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'], region_id=None) - self.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) + PROVIDERS.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) srv_2 = unit.new_service_ref() - self.catalog_api.create_service(srv_2['id'], srv_2) + PROVIDERS.catalog_api.create_service(srv_2['id'], srv_2) endpoint_2 = unit.new_endpoint_ref(service_id=srv_2['id'], region_id=None) - self.catalog_api.create_endpoint(endpoint_2['id'], endpoint_2) + PROVIDERS.catalog_api.create_endpoint(endpoint_2['id'], endpoint_2) self.config_fixture.config(group='endpoint_filter', return_all_endpoints_if_no_filter=True) - catalog_ref = self.catalog_api.get_v3_catalog(uuid.uuid4().hex, None) + catalog_ref = PROVIDERS.catalog_api.get_v3_catalog( + uuid.uuid4().hex, None + ) self.assertThat(catalog_ref, matchers.HasLength(2)) self.config_fixture.config(group='endpoint_filter', return_all_endpoints_if_no_filter=False) - catalog_ref = self.catalog_api.get_v3_catalog(uuid.uuid4().hex, None) + catalog_ref = PROVIDERS.catalog_api.get_v3_catalog( + uuid.uuid4().hex, None + ) self.assertThat(catalog_ref, matchers.HasLength(0)) def test_v3_catalog_endpoint_filter_enabled(self): srv_1 = unit.new_service_ref() - self.catalog_api.create_service(srv_1['id'], srv_1) + PROVIDERS.catalog_api.create_service(srv_1['id'], srv_1) endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'], region_id=None) - self.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) + PROVIDERS.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) endpoint_2 = unit.new_endpoint_ref(service_id=srv_1['id'], region_id=None) - self.catalog_api.create_endpoint(endpoint_2['id'], endpoint_2) + PROVIDERS.catalog_api.create_endpoint(endpoint_2['id'], endpoint_2) # create endpoint-project association. - self.catalog_api.add_endpoint_to_project( + PROVIDERS.catalog_api.add_endpoint_to_project( endpoint_1['id'], self.tenant_bar['id']) - catalog_ref = self.catalog_api.get_v3_catalog(uuid.uuid4().hex, - self.tenant_bar['id']) + catalog_ref = PROVIDERS.catalog_api.get_v3_catalog( + uuid.uuid4().hex, self.tenant_bar['id'] + ) self.assertThat(catalog_ref, matchers.HasLength(1)) self.assertThat(catalog_ref[0]['endpoints'], matchers.HasLength(1)) # the endpoint is that defined in the endpoint-project association. @@ -992,16 +1019,17 @@ class SqlCatalog(SqlTests, catalog_tests.CatalogTests): self.config_fixture.config(group='endpoint_filter', return_all_endpoints_if_no_filter=True) srv_1 = unit.new_service_ref() - self.catalog_api.create_service(srv_1['id'], srv_1) + PROVIDERS.catalog_api.create_service(srv_1['id'], srv_1) endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'], region_id=None) - self.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) + PROVIDERS.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) srv_2 = unit.new_service_ref() - self.catalog_api.create_service(srv_2['id'], srv_2) + PROVIDERS.catalog_api.create_service(srv_2['id'], srv_2) - catalog_ref = self.catalog_api.get_v3_catalog(uuid.uuid4().hex, - self.tenant_bar['id']) + catalog_ref = PROVIDERS.catalog_api.get_v3_catalog( + uuid.uuid4().hex, self.tenant_bar['id'] + ) self.assertThat(catalog_ref, matchers.HasLength(2)) srv_id_list = [catalog_ref[0]['id'], catalog_ref[1]['id']] self.assertItemsEqual([srv_1['id'], srv_2['id']], srv_id_list) @@ -1047,8 +1075,8 @@ class SqlFilterTests(SqlTests, identity_tests.FilterTests): del self.entity_list del self.domain1_entity_list self.domain1['enabled'] = False - self.resource_api.update_domain(self.domain1['id'], self.domain1) - self.resource_api.delete_domain(self.domain1['id']) + PROVIDERS.resource_api.update_domain(self.domain1['id'], self.domain1) + PROVIDERS.resource_api.delete_domain(self.domain1['id']) del self.domain1 def test_list_entities_filtered_by_domain(self): @@ -1058,7 +1086,7 @@ class SqlFilterTests(SqlTests, identity_tests.FilterTests): # the driver level. self.addCleanup(self.clean_up_entities) self.domain1 = unit.new_domain_ref() - self.resource_api.create_domain(self.domain1['id'], self.domain1) + PROVIDERS.resource_api.create_domain(self.domain1['id'], self.domain1) self.entity_list = {} self.domain1_entity_list = {} @@ -1087,25 +1115,25 @@ class SqlFilterTests(SqlTests, identity_tests.FilterTests): """ # Check we have some users - users = self.identity_api.list_users() + users = PROVIDERS.identity_api.list_users() self.assertGreater(len(users), 0) hints = driver_hints.Hints() hints.add_filter('name', "anything' or 'x'='x") - users = self.identity_api.list_users(hints=hints) + users = PROVIDERS.identity_api.list_users(hints=hints) self.assertEqual(0, len(users)) # See if we can add a SQL command...use the group table instead of the # user table since 'user' is reserved word for SQLAlchemy. group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) hints = driver_hints.Hints() hints.add_filter('name', "x'; drop table group") - groups = self.identity_api.list_groups(hints=hints) + groups = PROVIDERS.identity_api.list_groups(hints=hints) self.assertEqual(0, len(groups)) - groups = self.identity_api.list_groups() + groups = PROVIDERS.identity_api.list_groups() self.assertGreater(len(groups), 0) @@ -1167,7 +1195,9 @@ class SqlCredential(SqlTests): credential = unit.new_credential_ref(user_id=user_id, extra=uuid.uuid4().hex, type=uuid.uuid4().hex) - self.credential_api.create_credential(credential['id'], credential) + PROVIDERS.credential_api.create_credential( + credential['id'], credential + ) return credential def _validateCredentialList(self, retrieved_credentials, @@ -1199,29 +1229,29 @@ class SqlCredential(SqlTests): self.credentials.append(cred) def test_list_credentials(self): - credentials = self.credential_api.list_credentials() + credentials = PROVIDERS.credential_api.list_credentials() self._validateCredentialList(credentials, self.credentials) # test filtering using hints hints = driver_hints.Hints() hints.add_filter('user_id', self.user_foo['id']) - credentials = self.credential_api.list_credentials(hints) + credentials = PROVIDERS.credential_api.list_credentials(hints) self._validateCredentialList(credentials, self.user_credentials) def test_list_credentials_for_user(self): - credentials = self.credential_api.list_credentials_for_user( + credentials = PROVIDERS.credential_api.list_credentials_for_user( self.user_foo['id']) self._validateCredentialList(credentials, self.user_credentials) def test_list_credentials_for_user_and_type(self): cred = self.user_credentials[0] - credentials = self.credential_api.list_credentials_for_user( + credentials = PROVIDERS.credential_api.list_credentials_for_user( self.user_foo['id'], type=cred['type']) self._validateCredentialList(credentials, [cred]) def test_create_credential_is_encrypted_when_stored(self): credential = unit.new_credential_ref(user_id=uuid.uuid4().hex) credential_id = credential['id'] - returned_credential = self.credential_api.create_credential( + returned_credential = PROVIDERS.credential_api.create_credential( credential_id, credential ) @@ -1230,8 +1260,8 @@ class SqlCredential(SqlTests): # credential API. self.assertEqual(returned_credential['blob'], credential['blob']) - credential_from_backend = self.credential_api.driver.get_credential( - credential_id + credential_from_backend = ( + PROVIDERS.credential_api.driver.get_credential(credential_id) ) # Pull the credential directly from the backend, the `blob` should be @@ -1245,15 +1275,15 @@ class SqlCredential(SqlTests): credential = unit.new_credential_ref(user_id=uuid.uuid4().hex) credential_id = credential['id'] - created_credential = self.credential_api.create_credential( + created_credential = PROVIDERS.credential_api.create_credential( credential_id, credential ) # Pull the credential directly from the backend, the `blob` should be # encrypted. - credential_from_backend = self.credential_api.driver.get_credential( - credential_id + credential_from_backend = ( + PROVIDERS.credential_api.driver.get_credential(credential_id) ) self.assertNotEqual( credential_from_backend['encrypted_blob'], @@ -1261,7 +1291,7 @@ class SqlCredential(SqlTests): ) # Make sure the `blob` values listed from the API are not encrypted. - listed_credentials = self.credential_api.list_credentials() + listed_credentials = PROVIDERS.credential_api.list_credentials() self.assertIn(created_credential, listed_credentials) diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py index 6a69221435..68e4fe10f2 100644 --- a/keystone/tests/unit/test_cli.py +++ b/keystone/tests/unit/test_cli.py @@ -50,6 +50,7 @@ from keystone.tests.unit.ksfixtures import ldapdb CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs class CliTestCase(unit.SQLDriverOverrides, unit.TestCase): @@ -396,13 +397,15 @@ class CliDomainConfigAllTestCase(unit.SQLDriverOverrides, unit.TestCase): if domain == 'domain_default': # Not allowed to delete the default domain, but should at least # delete any domain-specific config for it. - self.domain_config_api.delete_config( + PROVIDERS.domain_config_api.delete_config( CONF.identity.default_domain_id) continue this_domain = self.domains[domain] this_domain['enabled'] = False - self.resource_api.update_domain(this_domain['id'], this_domain) - self.resource_api.delete_domain(this_domain['id']) + PROVIDERS.resource_api.update_domain( + this_domain['id'], this_domain + ) + PROVIDERS.resource_api.delete_domain(this_domain['id']) self.domains = {} def config(self, config_files): @@ -412,7 +415,7 @@ class CliDomainConfigAllTestCase(unit.SQLDriverOverrides, unit.TestCase): def setup_initial_domains(self): def create_domain(domain): - return self.resource_api.create_domain(domain['id'], domain) + return PROVIDERS.resource_api.create_domain(domain['id'], domain) self.domains = {} self.addCleanup(self.cleanup_domains) @@ -458,13 +461,13 @@ class CliDomainConfigAllTestCase(unit.SQLDriverOverrides, unit.TestCase): provider_api.ProviderAPIs._clear_registry_instances() cli.DomainConfigUpload.main() - res = self.domain_config_api.get_config_with_sensitive_info( + res = PROVIDERS.domain_config_api.get_config_with_sensitive_info( CONF.identity.default_domain_id) self.assertEqual(default_config, res) - res = self.domain_config_api.get_config_with_sensitive_info( + res = PROVIDERS.domain_config_api.get_config_with_sensitive_info( self.domains['domain1']['id']) self.assertEqual(domain1_config, res) - res = self.domain_config_api.get_config_with_sensitive_info( + res = PROVIDERS.domain_config_api.get_config_with_sensitive_info( self.domains['domain2']['id']) self.assertEqual(domain2_config, res) @@ -490,13 +493,13 @@ class CliDomainConfigSingleDomainTestCase(CliDomainConfigAllTestCase): provider_api.ProviderAPIs._clear_registry_instances() cli.DomainConfigUpload.main() - res = self.domain_config_api.get_config_with_sensitive_info( + res = PROVIDERS.domain_config_api.get_config_with_sensitive_info( CONF.identity.default_domain_id) self.assertEqual(default_config, res) - res = self.domain_config_api.get_config_with_sensitive_info( + res = PROVIDERS.domain_config_api.get_config_with_sensitive_info( self.domains['domain1']['id']) self.assertEqual({}, res) - res = self.domain_config_api.get_config_with_sensitive_info( + res = PROVIDERS.domain_config_api.get_config_with_sensitive_info( self.domains['domain2']['id']) self.assertEqual({}, res) @@ -506,7 +509,7 @@ class CliDomainConfigSingleDomainTestCase(CliDomainConfigAllTestCase): 'ldap': {'url': uuid.uuid4().hex}, 'identity': {'driver': 'ldap'} } - self.domain_config_api.create_config( + PROVIDERS.domain_config_api.create_config( CONF.identity.default_domain_id, default_config) # Now try and upload the settings in the configuration file for the @@ -523,7 +526,7 @@ class CliDomainConfigSingleDomainTestCase(CliDomainConfigAllTestCase): file_name)} mock_print.assert_has_calls([mock.call(error_msg)]) - res = self.domain_config_api.get_config( + res = PROVIDERS.domain_config_api.get_config( CONF.identity.default_domain_id) # The initial config should not have been overwritten self.assertEqual(default_config, res) @@ -724,15 +727,17 @@ class TestMappingPopulate(unit.SQLDriverOverrides, unit.TestCase): # 3. Execute mapping_populate. It should create id mappings # 4. For the same users verify that they have public_id now purge_filter = {} - self.id_mapping_api.purge_mappings(purge_filter) + PROVIDERS.id_mapping_api.purge_mappings(purge_filter) hints = None - users = self.identity_api.driver.list_users(hints) + users = PROVIDERS.identity_api.driver.list_users(hints) for user in users: local_entity = { 'domain_id': CONF.identity.default_domain_id, 'local_id': user['id'], 'entity_type': identity_mapping.EntityType.USER} - self.assertIsNone(self.id_mapping_api.get_public_id(local_entity)) + self.assertIsNone( + PROVIDERS.id_mapping_api.get_public_id(local_entity) + ) # backends are loaded again in the command handler provider_api.ProviderAPIs._clear_registry_instances() @@ -744,7 +749,7 @@ class TestMappingPopulate(unit.SQLDriverOverrides, unit.TestCase): 'local_id': user['id'], 'entity_type': identity_mapping.EntityType.USER} self.assertIsNotNone( - self.id_mapping_api.get_public_id(local_entity)) + PROVIDERS.id_mapping_api.get_public_id(local_entity)) def test_bad_domain_name(self): CONF(args=['mapping_populate', '--domain-name', uuid.uuid4().hex], diff --git a/keystone/tests/unit/test_ldap_livetest.py b/keystone/tests/unit/test_ldap_livetest.py index b31fd39d85..34eb81d5f6 100644 --- a/keystone/tests/unit/test_ldap_livetest.py +++ b/keystone/tests/unit/test_ldap_livetest.py @@ -17,6 +17,7 @@ import subprocess import ldap.modlist from six.moves import range +from keystone.common import provider_api import keystone.conf from keystone import exception from keystone.identity.backends import ldap as identity_ldap @@ -25,6 +26,7 @@ from keystone.tests.unit import test_backend_ldap CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs def create_object(dn, attrs): @@ -100,20 +102,20 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity): self.config_fixture.config(group='ldap', query_scope='sub', alias_dereferencing='never') - self.identity_api = identity_ldap.Identity() + PROVIDERS.identity_api = identity_ldap.Identity() self.assertRaises(exception.UserNotFound, - self.identity_api.get_user, + PROVIDERS.identity_api.get_user, 'alt_fake1') self.config_fixture.config(group='ldap', alias_dereferencing='searching') - self.identity_api = identity_ldap.Identity() - user_ref = self.identity_api.get_user('alt_fake1') + PROVIDERS.identity_api = identity_ldap.Identity() + user_ref = PROVIDERS.identity_api.get_user('alt_fake1') self.assertEqual('alt_fake1', user_ref['id']) self.config_fixture.config(group='ldap', alias_dereferencing='always') - self.identity_api = identity_ldap.Identity() - user_ref = self.identity_api.get_user('alt_fake1') + PROVIDERS.identity_api = identity_ldap.Identity() + user_ref = PROVIDERS.identity_api.get_user('alt_fake1') self.assertEqual('alt_fake1', user_ref['id']) # FakeLDAP does not correctly process filters, so this test can only be @@ -125,51 +127,51 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity): GROUP_COUNT = 3 USER_COUNT = 2 - positive_user = unit.create_user(self.identity_api, domain['id']) - negative_user = unit.create_user(self.identity_api, domain['id']) + positive_user = unit.create_user(PROVIDERS.identity_api, domain['id']) + negative_user = unit.create_user(PROVIDERS.identity_api, domain['id']) for x in range(0, USER_COUNT): - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( test_users[x]['id']) self.assertEqual(0, len(group_refs)) for x in range(0, GROUP_COUNT): new_group = unit.new_group_ref(domain_id=domain['id']) - new_group = self.identity_api.create_group(new_group) + new_group = PROVIDERS.identity_api.create_group(new_group) test_groups.append(new_group) - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( positive_user['id']) self.assertEqual(x, len(group_refs)) - self.identity_api.add_user_to_group( + PROVIDERS.identity_api.add_user_to_group( positive_user['id'], new_group['id']) - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( positive_user['id']) self.assertEqual(x + 1, len(group_refs)) - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( negative_user['id']) self.assertEqual(0, len(group_refs)) - driver = self.identity_api._select_identity_driver( + driver = PROVIDERS.identity_api._select_identity_driver( CONF.identity.default_domain_id) driver.group.ldap_filter = '(dn=xx)' - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( positive_user['id']) self.assertEqual(0, len(group_refs)) - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( negative_user['id']) self.assertEqual(0, len(group_refs)) driver.group.ldap_filter = '(objectclass=*)' - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( positive_user['id']) self.assertEqual(GROUP_COUNT, len(group_refs)) - group_refs = self.identity_api.list_groups_for_user( + group_refs = PROVIDERS.identity_api.list_groups_for_user( negative_user['id']) self.assertEqual(0, len(group_refs)) diff --git a/keystone/tests/unit/test_ldap_tls_livetest.py b/keystone/tests/unit/test_ldap_tls_livetest.py index 6e2ef734b9..b1541c5d44 100644 --- a/keystone/tests/unit/test_ldap_tls_livetest.py +++ b/keystone/tests/unit/test_ldap_tls_livetest.py @@ -15,6 +15,7 @@ import ldap.modlist +from keystone.common import provider_api import keystone.conf from keystone import exception from keystone import identity @@ -23,6 +24,7 @@ from keystone.tests.unit import test_ldap_livetest CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs def create_object(dn, attrs): @@ -48,39 +50,45 @@ class LiveTLSLDAPIdentity(test_ldap_livetest.LiveLDAPIdentity): use_tls=True, tls_cacertdir=None, tls_req_cert='demand') - self.identity_api = identity.backends.ldap.Identity() + PROVIDERS.identity_api = identity.backends.ldap.Identity() - user = unit.create_user(self.identity_api, 'default', + user = unit.create_user(PROVIDERS.identity_api, 'default', name='fake1', password='fakepass1') - user_ref = self.identity_api.get_user(user['id']) + user_ref = PROVIDERS.identity_api.get_user(user['id']) self.assertEqual(user['id'], user_ref['id']) user['password'] = 'fakepass2' - self.identity_api.update_user(user['id'], user) + PROVIDERS.identity_api.update_user(user['id'], user) - self.identity_api.delete_user(user['id']) - self.assertRaises(exception.UserNotFound, self.identity_api.get_user, - user['id']) + PROVIDERS.identity_api.delete_user(user['id']) + self.assertRaises( + exception.UserNotFound, + PROVIDERS.identity_api.get_user, + user['id'] + ) def test_tls_certdir_demand_option(self): self.config_fixture.config(group='ldap', use_tls=True, tls_cacertdir=None, tls_req_cert='demand') - self.identity_api = identity.backends.ldap.Identity() + PROVIDERS.identity_api = identity.backends.ldap.Identity() - user = unit.create_user(self.identity_api, 'default', + user = unit.create_user(PROVIDERS.identity_api, 'default', id='fake1', name='fake1', password='fakepass1') - user_ref = self.identity_api.get_user('fake1') + user_ref = PROVIDERS.identity_api.get_user('fake1') self.assertEqual('fake1', user_ref['id']) user['password'] = 'fakepass2' - self.identity_api.update_user('fake1', user) + PROVIDERS.identity_api.update_user('fake1', user) - self.identity_api.delete_user('fake1') - self.assertRaises(exception.UserNotFound, self.identity_api.get_user, - 'fake1') + PROVIDERS.identity_api.delete_user('fake1') + self.assertRaises( + exception.UserNotFound, + PROVIDERS.identity_api.get_user, + 'fake1' + ) def test_tls_bad_certfile(self): self.config_fixture.config( @@ -89,10 +97,10 @@ class LiveTLSLDAPIdentity(test_ldap_livetest.LiveLDAPIdentity): tls_req_cert='demand', tls_cacertfile='/etc/keystone/ssl/certs/mythicalcert.pem', tls_cacertdir=None) - self.identity_api = identity.backends.ldap.Identity() + PROVIDERS.identity_api = identity.backends.ldap.Identity() user = unit.new_user_ref('default') - self.assertRaises(IOError, self.identity_api.create_user, user) + self.assertRaises(IOError, PROVIDERS.identity_api.create_user, user) def test_tls_bad_certdir(self): self.config_fixture.config( @@ -101,7 +109,7 @@ class LiveTLSLDAPIdentity(test_ldap_livetest.LiveLDAPIdentity): tls_cacertfile=None, tls_req_cert='demand', tls_cacertdir='/etc/keystone/ssl/mythicalcertdir') - self.identity_api = identity.backends.ldap.Identity() + PROVIDERS.identity_api = identity.backends.ldap.Identity() user = unit.new_user_ref('default') - self.assertRaises(IOError, self.identity_api.create_user, user) + self.assertRaises(IOError, PROVIDERS.identity_api.create_user, user) diff --git a/keystone/tests/unit/test_revoke.py b/keystone/tests/unit/test_revoke.py index da4e009779..9b30f249e5 100644 --- a/keystone/tests/unit/test_revoke.py +++ b/keystone/tests/unit/test_revoke.py @@ -18,6 +18,7 @@ import mock from oslo_utils import timeutils from testtools import matchers +from keystone.common import provider_api from keystone.common import utils import keystone.conf from keystone import exception @@ -30,6 +31,7 @@ from keystone.token.providers import common CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs def _future_time(): @@ -49,27 +51,30 @@ class RevokeTests(object): def _assertTokenRevoked(self, token_data): self.assertRaises(exception.TokenNotFound, - self.revoke_api.check_token, + PROVIDERS.revoke_api.check_token, token=token_data) def _assertTokenNotRevoked(self, token_data): - self.assertIsNone(self.revoke_api.check_token(token_data)) + self.assertIsNone(PROVIDERS.revoke_api.check_token(token_data)) def test_list(self): - self.revoke_api.revoke_by_user(user_id=1) - self.assertEqual(1, len(self.revoke_api.list_events())) + PROVIDERS.revoke_api.revoke_by_user(user_id=1) + self.assertEqual(1, len(PROVIDERS.revoke_api.list_events())) - self.revoke_api.revoke_by_user(user_id=2) - self.assertEqual(2, len(self.revoke_api.list_events())) + PROVIDERS.revoke_api.revoke_by_user(user_id=2) + self.assertEqual(2, len(PROVIDERS.revoke_api.list_events())) def test_list_since(self): - self.revoke_api.revoke_by_user(user_id=1) - self.revoke_api.revoke_by_user(user_id=2) + PROVIDERS.revoke_api.revoke_by_user(user_id=1) + PROVIDERS.revoke_api.revoke_by_user(user_id=2) past = timeutils.utcnow() - datetime.timedelta(seconds=1000) - self.assertEqual(2, len(self.revoke_api.list_events(last_fetch=past))) + self.assertEqual( + 2, len(PROVIDERS.revoke_api.list_events(last_fetch=past)) + ) future = timeutils.utcnow() + datetime.timedelta(seconds=1000) - self.assertEqual(0, - len(self.revoke_api.list_events(last_fetch=future))) + self.assertEqual( + 0, len(PROVIDERS.revoke_api.list_events(last_fetch=future)) + ) def test_list_revoked_user(self): revocation_backend = sql.Revoke() @@ -80,7 +85,7 @@ class RevokeTests(object): # event in the backend. first_token = _sample_blank_token() first_token['user_id'] = uuid.uuid4().hex - self.revoke_api.revoke_by_user(user_id=first_token['user_id']) + PROVIDERS.revoke_api.revoke_by_user(user_id=first_token['user_id']) self._assertTokenRevoked(first_token) self.assertEqual( 1, len(revocation_backend.list_events(token=first_token)) @@ -92,7 +97,7 @@ class RevokeTests(object): # one should match the values of the second token. second_token = _sample_blank_token() second_token['user_id'] = uuid.uuid4().hex - self.revoke_api.revoke_by_user(user_id=second_token['user_id']) + PROVIDERS.revoke_api.revoke_by_user(user_id=second_token['user_id']) self._assertTokenRevoked(second_token) self.assertEqual( 1, len(revocation_backend.list_events(token=second_token)) @@ -164,7 +169,7 @@ class RevokeTests(object): # just revoked. first_token = _sample_blank_token() first_token['audit_id'] = common.random_urlsafe_str() - self.revoke_api.revoke_by_audit_id( + PROVIDERS.revoke_api.revoke_by_audit_id( audit_id=first_token['audit_id']) self._assertTokenRevoked(first_token) self.assertEqual( @@ -175,7 +180,7 @@ class RevokeTests(object): # dont both have different populated audit_id fields second_token = _sample_blank_token() second_token['audit_id'] = common.random_urlsafe_str() - self.revoke_api.revoke_by_audit_id( + PROVIDERS.revoke_api.revoke_by_audit_id( audit_id=second_token['audit_id']) self._assertTokenRevoked(second_token) self.assertEqual( @@ -193,8 +198,8 @@ class RevokeTests(object): def test_list_revoked_since(self): revocation_backend = sql.Revoke() token = _sample_blank_token() - self.revoke_api.revoke_by_user(user_id=None) - self.revoke_api.revoke_by_user(user_id=None) + PROVIDERS.revoke_api.revoke_by_user(user_id=None) + PROVIDERS.revoke_api.revoke_by_user(user_id=None) self.assertEqual(2, len(revocation_backend.list_events(token=token))) future = timeutils.utcnow() + datetime.timedelta(seconds=1000) token['issued_at'] = future @@ -210,7 +215,7 @@ class RevokeTests(object): first_token['audit_id'] = common.random_urlsafe_str() # revoke event and then verify that there is only one revocation # and verify the only revoked event is the token - self.revoke_api.revoke(revoke_model.RevokeEvent( + PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent( user_id=first_token['user_id'], project_id=first_token['project_id'], audit_id=first_token['audit_id'])) @@ -237,7 +242,7 @@ class RevokeTests(object): fourth_token['user_id'] = uuid.uuid4().hex fourth_token['project_id'] = uuid.uuid4().hex fourth_token['audit_id'] = common.random_urlsafe_str() - self.revoke_api.revoke(revoke_model.RevokeEvent( + PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent( project_id=fourth_token['project_id'], audit_id=fourth_token['audit_id'])) self._assertTokenRevoked(fourth_token) @@ -247,7 +252,7 @@ class RevokeTests(object): def _user_field_test(self, field_name): token = _sample_blank_token() token[field_name] = uuid.uuid4().hex - self.revoke_api.revoke_by_user(user_id=token[field_name]) + PROVIDERS.revoke_api.revoke_by_user(user_id=token[field_name]) self._assertTokenRevoked(token) token2 = _sample_blank_token() token2[field_name] = uuid.uuid4().hex @@ -276,7 +281,9 @@ class RevokeTests(object): self.assertEqual( 0, len(revocation_backend.list_events(token=token_data))) - self.revoke_api.revoke(revoke_model.RevokeEvent(domain_id=domain_id)) + PROVIDERS.revoke_api.revoke( + revoke_model.RevokeEvent(domain_id=domain_id) + ) self._assertTokenRevoked(token_data) self.assertEqual( @@ -297,7 +304,7 @@ class RevokeTests(object): # If revoke a domain, then a token scoped to a project in the domain # is revoked. - self.revoke_api.revoke(revoke_model.RevokeEvent( + PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent( domain_id=token_data['assignment_domain_id'])) self._assertTokenRevoked(token_data) @@ -317,7 +324,7 @@ class RevokeTests(object): 0, len(revocation_backend.list_events(token=token_data))) # If revoke a domain, then a token scoped to the domain is revoked. - self.revoke_api.revoke(revoke_model.RevokeEvent( + PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent( domain_id=token_data['assignment_domain_id'])) self._assertTokenRevoked(token_data) @@ -344,7 +351,7 @@ class RevokeTests(object): 0, len(revocation_backend.list_events(token=second_token))) # Revoke first_token using user_id and project_id - self.revoke_api.revoke_by_user_and_project( + PROVIDERS.revoke_api.revoke_by_user_and_project( first_token['user_id'], first_token['project_id']) # Check that only first_token has been revoked. @@ -361,7 +368,7 @@ class RevokeTests(object): # if the token is an original token token['audit_id'] = uuid.uuid4().hex token['audit_chain_id'] = token['audit_id'] - self.revoke_api.revoke_by_audit_id(audit_id=token['audit_id']) + PROVIDERS.revoke_api.revoke_by_audit_id(audit_id=token['audit_id']) self._assertTokenRevoked(token) token2 = _sample_blank_token() @@ -384,7 +391,7 @@ class RevokeTests(object): self.assertEqual(0, len(revocation_backend.list_events(token=token))) # Revoked token by audit chain id using the audit_id - self.revoke_api.revoke_by_audit_chain_id(audit_id) + PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_id) # Check that the token is now revoked self._assertTokenRevoked(token) self.assertEqual(1, len(revocation_backend.list_events(token=token))) @@ -406,67 +413,73 @@ class RevokeTests(object): token_values = _sample_token_values() audit_chain_id = uuid.uuid4().hex - self.revoke_api.revoke_by_audit_chain_id(audit_chain_id) + PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_chain_id) token_values['audit_chain_id'] = audit_chain_id self.assertRaises(exception.TokenNotFound, - self.revoke_api.check_token, + PROVIDERS.revoke_api.check_token, token_values) # Move our clock forward by 2h, build a new token and validate it. # 'synchronize' should now be exercised and remove old expired events mock_utcnow.return_value = now_plus_2h - self.revoke_api.revoke_by_audit_chain_id(audit_chain_id) + PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_chain_id) # two hours later, it should still be not found self.assertRaises(exception.TokenNotFound, - self.revoke_api.check_token, + PROVIDERS.revoke_api.check_token, token_values) def test_delete_group_without_role_does_not_revoke_users(self): revocation_backend = sql.Revoke() domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) # Create two groups. Group1 will be used to test deleting a group, # without role assignments and users in the group, doesn't create # revoked events. Group2 will show that deleting a group with role # assignment and users in the group does create revoked events group1 = unit.new_group_ref(domain_id=domain['id']) - group1 = self.identity_api.create_group(group1) + group1 = PROVIDERS.identity_api.create_group(group1) group2 = unit.new_group_ref(domain_id=domain['id']) - group2 = self.identity_api.create_group(group2) + group2 = PROVIDERS.identity_api.create_group(group2) role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) + PROVIDERS.role_api.create_role(role['id'], role) user1 = unit.new_user_ref(domain_id=domain['id']) - user1 = self.identity_api.create_user(user1) + user1 = PROVIDERS.identity_api.create_user(user1) user2 = unit.new_user_ref(domain_id=domain['id']) - user2 = self.identity_api.create_user(user2) + user2 = PROVIDERS.identity_api.create_user(user2) # Add two users to the group, verify they are added, delete group, and # check that the revocaiton events have not been created - self.identity_api.add_user_to_group(user_id=user1['id'], - group_id=group1['id']) - self.identity_api.add_user_to_group(user_id=user2['id'], - group_id=group1['id']) + PROVIDERS.identity_api.add_user_to_group( + user_id=user1['id'], group_id=group1['id'] + ) + PROVIDERS.identity_api.add_user_to_group( + user_id=user2['id'], group_id=group1['id'] + ) self.assertEqual( - 2, len(self.identity_api.list_users_in_group(group1['id']))) - self.identity_api.delete_group(group1['id']) + 2, len(PROVIDERS.identity_api.list_users_in_group(group1['id']))) + PROVIDERS.identity_api.delete_group(group1['id']) self.assertEqual(0, len(revocation_backend.list_events())) # Assign a role to the group, add two users to the group, verify that # the role has been assigned to the group, verify the users have been # added to the group, delete the group, check that the revocation # events have been created - self.assignment_api.create_grant(group_id=group2['id'], - domain_id=domain['id'], - role_id=role['id']) - grants = self.assignment_api.list_role_assignments(role_id=role['id']) + PROVIDERS.assignment_api.create_grant( + group_id=group2['id'], domain_id=domain['id'], role_id=role['id'] + ) + grants = PROVIDERS.assignment_api.list_role_assignments( + role_id=role['id'] + ) self.assertThat(grants, matchers.HasLength(1)) - self.identity_api.add_user_to_group(user_id=user1['id'], - group_id=group2['id']) - self.identity_api.add_user_to_group(user_id=user2['id'], - group_id=group2['id']) + PROVIDERS.identity_api.add_user_to_group( + user_id=user1['id'], group_id=group2['id'] + ) + PROVIDERS.identity_api.add_user_to_group( + user_id=user2['id'], group_id=group2['id'] + ) self.assertEqual( - 2, len(self.identity_api.list_users_in_group(group2['id']))) - self.identity_api.delete_group(group2['id']) + 2, len(PROVIDERS.identity_api.list_users_in_group(group2['id']))) + PROVIDERS.identity_api.delete_group(group2['id']) self.assertEqual(2, len(revocation_backend.list_events())) diff --git a/keystone/tests/unit/test_shadow_users.py b/keystone/tests/unit/test_shadow_users.py index dd67e44508..d37a5637e2 100644 --- a/keystone/tests/unit/test_shadow_users.py +++ b/keystone/tests/unit/test_shadow_users.py @@ -12,11 +12,14 @@ import uuid +from keystone.common import provider_api from keystone.tests import unit from keystone.tests.unit.identity.shadow_users import test_backend from keystone.tests.unit.identity.shadow_users import test_core from keystone.tests.unit.ksfixtures import database +PROVIDERS = provider_api.ProviderAPIs + class ShadowUsersTests(unit.TestCase, test_backend.ShadowUsersBackendTests, @@ -44,9 +47,11 @@ class ShadowUsersTests(unit.TestCase, 'unique_id': uuid.uuid4().hex, 'display_name': uuid.uuid4().hex } - self.federation_api.create_idp(self.idp['id'], self.idp) - self.federation_api.create_mapping(self.mapping['id'], self.mapping) - self.federation_api.create_protocol( + PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp) + PROVIDERS.federation_api.create_mapping( + self.mapping['id'], self.mapping + ) + PROVIDERS.federation_api.create_protocol( self.idp['id'], self.protocol['id'], self.protocol) self.domain_id = ( - self.federation_api.get_idp(self.idp['id'])['domain_id']) + PROVIDERS.federation_api.get_idp(self.idp['id'])['domain_id']) diff --git a/keystone/tests/unit/test_v3_catalog.py b/keystone/tests/unit/test_v3_catalog.py index 0026fbedeb..12823080dc 100644 --- a/keystone/tests/unit/test_v3_catalog.py +++ b/keystone/tests/unit/test_v3_catalog.py @@ -18,10 +18,13 @@ import uuid from six.moves import http_client from testtools import matchers +from keystone.common import provider_api from keystone.tests import unit from keystone.tests.unit.ksfixtures import database from keystone.tests.unit import test_v3 +PROVIDERS = provider_api.ProviderAPIs + class CatalogTestCase(test_v3.RestfulTestCase): """Test service & endpoint CRUD.""" @@ -690,7 +693,7 @@ class CatalogTestCase(test_v3.RestfulTestCase): url=url_with_space) # add the endpoint to the database - self.catalog_api.create_endpoint(ref['id'], ref) + PROVIDERS.catalog_api.create_endpoint(ref['id'], ref) # delete the endpoint self.delete('/endpoints/%s' % ref['id']) @@ -825,7 +828,7 @@ class TestCatalogAPISQL(unit.TestCase): service = unit.new_service_ref() self.service_id = service['id'] - self.catalog_api.create_service(self.service_id, service) + PROVIDERS.catalog_api.create_service(self.service_id, service) self.create_endpoint(service_id=self.service_id) @@ -833,7 +836,7 @@ class TestCatalogAPISQL(unit.TestCase): endpoint = unit.new_endpoint_ref(service_id=service_id, region_id=None, **kwargs) - self.catalog_api.create_endpoint(endpoint['id'], endpoint) + PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint) return endpoint def config_overrides(self): @@ -847,15 +850,15 @@ class TestCatalogAPISQL(unit.TestCase): # filter the catalog by the project or replace the url with a # valid project id. domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) project = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project['id'], project) + PROVIDERS.resource_api.create_project(project['id'], project) # the only endpoint in the catalog is the one created in setUp - catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) + catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id']) self.assertEqual(1, len(catalog[0]['endpoints'])) # it's also the only endpoint in the backend - self.assertEqual(1, len(self.catalog_api.list_endpoints())) + self.assertEqual(1, len(PROVIDERS.catalog_api.list_endpoints())) # create a new, invalid endpoint - malformed type declaration self.create_endpoint(self.service_id, @@ -866,23 +869,23 @@ class TestCatalogAPISQL(unit.TestCase): url='http://keystone/%(you_wont_find_me)s') # verify that the invalid endpoints don't appear in the catalog - catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) + catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id']) self.assertEqual(1, len(catalog[0]['endpoints'])) # all three appear in the backend - self.assertEqual(3, len(self.catalog_api.list_endpoints())) + self.assertEqual(3, len(PROVIDERS.catalog_api.list_endpoints())) # create another valid endpoint - project_id will be replaced self.create_endpoint(self.service_id, url='http://keystone/%(project_id)s') # there are two valid endpoints, positive check - catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) + catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id']) self.assertThat(catalog[0]['endpoints'], matchers.HasLength(2)) # If the URL has no 'project_id' to substitute, we will skip the # endpoint which contains this kind of URL, negative check. project_id = None - catalog = self.catalog_api.get_v3_catalog(user_id, project_id) + catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project_id) self.assertThat(catalog[0]['endpoints'], matchers.HasLength(1)) def test_get_catalog_always_returns_service_name(self): @@ -891,22 +894,22 @@ class TestCatalogAPISQL(unit.TestCase): # filter the catalog by the project or replace the url with a # valid project id. domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) project = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project['id'], project) + PROVIDERS.resource_api.create_project(project['id'], project) # create a service, with a name named_svc = unit.new_service_ref() - self.catalog_api.create_service(named_svc['id'], named_svc) + PROVIDERS.catalog_api.create_service(named_svc['id'], named_svc) self.create_endpoint(service_id=named_svc['id']) # create a service, with no name unnamed_svc = unit.new_service_ref(name=None) del unnamed_svc['name'] - self.catalog_api.create_service(unnamed_svc['id'], unnamed_svc) + PROVIDERS.catalog_api.create_service(unnamed_svc['id'], unnamed_svc) self.create_endpoint(service_id=unnamed_svc['id']) - catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) + catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id']) named_endpoint = [ep for ep in catalog if ep['type'] == named_svc['type']][0] @@ -934,46 +937,46 @@ class TestCatalogAPISQLRegions(unit.TestCase): def test_get_catalog_returns_proper_endpoints_with_no_region(self): service = unit.new_service_ref() service_id = service['id'] - self.catalog_api.create_service(service_id, service) + PROVIDERS.catalog_api.create_service(service_id, service) endpoint = unit.new_endpoint_ref(service_id=service_id, region_id=None) del endpoint['region_id'] - self.catalog_api.create_endpoint(endpoint['id'], endpoint) + PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint) # create a project since the project should exist if we want to # filter the catalog by the project or replace the url with a # valid project id. domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) project = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project['id'], project) + PROVIDERS.resource_api.create_project(project['id'], project) user_id = uuid.uuid4().hex - catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) + catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id']) self.assertValidCatalogEndpoint( catalog[0]['endpoints'][0], ref=endpoint) def test_get_catalog_returns_proper_endpoints_with_region(self): service = unit.new_service_ref() service_id = service['id'] - self.catalog_api.create_service(service_id, service) + PROVIDERS.catalog_api.create_service(service_id, service) endpoint = unit.new_endpoint_ref(service_id=service_id) region = unit.new_region_ref(id=endpoint['region_id']) - self.catalog_api.create_region(region) - self.catalog_api.create_endpoint(endpoint['id'], endpoint) + PROVIDERS.catalog_api.create_region(region) + PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint) - endpoint = self.catalog_api.get_endpoint(endpoint['id']) + endpoint = PROVIDERS.catalog_api.get_endpoint(endpoint['id']) user_id = uuid.uuid4().hex # create a project since the project should exist if we want to # filter the catalog by the project or replace the url with a # valid project id. domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) + PROVIDERS.resource_api.create_domain(domain['id'], domain) project = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project['id'], project) + PROVIDERS.resource_api.create_project(project['id'], project) - catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) + catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id']) self.assertValidCatalogEndpoint( catalog[0]['endpoints'][0], ref=endpoint) diff --git a/keystone/tests/unit/test_v3_endpoint_policy.py b/keystone/tests/unit/test_v3_endpoint_policy.py index 785db8d50f..691903cfcc 100644 --- a/keystone/tests/unit/test_v3_endpoint_policy.py +++ b/keystone/tests/unit/test_v3_endpoint_policy.py @@ -15,9 +15,12 @@ from six.moves import http_client from testtools import matchers +from keystone.common import provider_api from keystone.tests import unit from keystone.tests.unit import test_v3 +PROVIDERS = provider_api.ProviderAPIs + class EndpointPolicyTestCase(test_v3.RestfulTestCase): """Test endpoint policy CRUD. @@ -33,15 +36,17 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase): def setUp(self): super(EndpointPolicyTestCase, self).setUp() self.policy = unit.new_policy_ref() - self.policy_api.create_policy(self.policy['id'], self.policy) + PROVIDERS.policy_api.create_policy(self.policy['id'], self.policy) self.service = unit.new_service_ref() - self.catalog_api.create_service(self.service['id'], self.service) + PROVIDERS.catalog_api.create_service(self.service['id'], self.service) self.endpoint = unit.new_endpoint_ref(self.service['id'], enabled=True, interface='public', region_id=self.region_id) - self.catalog_api.create_endpoint(self.endpoint['id'], self.endpoint) + PROVIDERS.catalog_api.create_endpoint( + self.endpoint['id'], self.endpoint + ) self.region = unit.new_region_ref() - self.catalog_api.create_region(self.region) + PROVIDERS.catalog_api.create_region(self.region) def assert_head_and_get_return_same_response(self, url, expected_status): self.get(url, expected_status=expected_status) diff --git a/keystone/tests/unit/test_v3_filters.py b/keystone/tests/unit/test_v3_filters.py index 7fe76917a3..4433adeb9d 100644 --- a/keystone/tests/unit/test_v3_filters.py +++ b/keystone/tests/unit/test_v3_filters.py @@ -21,6 +21,7 @@ from oslo_serialization import jsonutils from six.moves import http_client from six.moves import range +from keystone.common import provider_api import keystone.conf from keystone.tests import unit from keystone.tests.unit import filtering @@ -30,6 +31,7 @@ from keystone.tests.unit import test_v3 CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs class IdentityTestFilteredCase(filtering.FilterTests, @@ -63,26 +65,27 @@ class IdentityTestFilteredCase(filtering.FilterTests, # Start by creating a few domains self._populate_default_domain() self.domainA = unit.new_domain_ref() - self.resource_api.create_domain(self.domainA['id'], self.domainA) + PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA) self.domainB = unit.new_domain_ref() - self.resource_api.create_domain(self.domainB['id'], self.domainB) + PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB) self.domainC = unit.new_domain_ref() self.domainC['enabled'] = False - self.resource_api.create_domain(self.domainC['id'], self.domainC) + PROVIDERS.resource_api.create_domain(self.domainC['id'], self.domainC) # Now create some users, one in domainA and two of them in domainB - self.user1 = unit.create_user(self.identity_api, + self.user1 = unit.create_user(PROVIDERS.identity_api, domain_id=self.domainA['id']) - self.user2 = unit.create_user(self.identity_api, + self.user2 = unit.create_user(PROVIDERS.identity_api, domain_id=self.domainB['id']) - self.user3 = unit.create_user(self.identity_api, + self.user3 = unit.create_user(PROVIDERS.identity_api, domain_id=self.domainB['id']) self.role = unit.new_role_ref() - self.role_api.create_role(self.role['id'], self.role) - self.assignment_api.create_grant(self.role['id'], - user_id=self.user1['id'], - domain_id=self.domainA['id']) + PROVIDERS.role_api.create_role(self.role['id'], self.role) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.user1['id'], + domain_id=self.domainA['id'] + ) # A default auth request we can use - un-scoped user token self.auth = self.build_authentication_request( @@ -224,7 +227,7 @@ class IdentityTestFilteredCase(filtering.FilterTests, self._set_policy({"identity:list_users": []}) user = self.user1 user['name'] = '%my%name%' - self.identity_api.update_user(user['id'], user) + PROVIDERS.identity_api.update_user(user['id'], user) frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) @@ -240,23 +243,23 @@ class IdentityTestFilteredCase(filtering.FilterTests, # Set up some names that we can filter on user = user_list[5] user['name'] = 'The' - self.identity_api.update_user(user['id'], user) + PROVIDERS.identity_api.update_user(user['id'], user) user = user_list[6] user['name'] = 'The Ministry' - self.identity_api.update_user(user['id'], user) + PROVIDERS.identity_api.update_user(user['id'], user) user = user_list[7] user['name'] = 'The Ministry of' - self.identity_api.update_user(user['id'], user) + PROVIDERS.identity_api.update_user(user['id'], user) user = user_list[8] user['name'] = 'The Ministry of Silly' - self.identity_api.update_user(user['id'], user) + PROVIDERS.identity_api.update_user(user['id'], user) user = user_list[9] user['name'] = 'The Ministry of Silly Walks' - self.identity_api.update_user(user['id'], user) + PROVIDERS.identity_api.update_user(user['id'], user) # ...and one for useful case insensitivity testing user = user_list[10] user['name'] = 'the ministry of silly walks OF' - self.identity_api.update_user(user['id'], user) + PROVIDERS.identity_api.update_user(user['id'], user) self._set_policy({"identity:list_users": []}) @@ -318,7 +321,7 @@ class IdentityTestFilteredCase(filtering.FilterTests, # See if we can add a SQL command...use the group table instead of the # user table since 'user' is reserved word for SQLAlchemy. group = unit.new_group_ref(domain_id=self.domainB['id']) - group = self.identity_api.create_group(group) + group = PROVIDERS.identity_api.create_group(group) url_by_name = "/users?name=x'; drop table group" r = self.get(url_by_name, auth=self.auth) @@ -351,14 +354,15 @@ class IdentityPasswordExpiryFilteredTestCase(filtering.FilterTests, """ self._populate_default_domain() self.domain = unit.new_domain_ref() - self.resource_api.create_domain(self.domain['id'], self.domain) + PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain) self.domain_id = self.domain['id'] self.project = unit.new_project_ref(domain_id=self.domain_id) self.project_id = self.project['id'] - self.project = self.resource_api.create_project(self.project_id, - self.project) + self.project = PROVIDERS.resource_api.create_project( + self.project_id, self.project + ) self.group = unit.new_group_ref(domain_id=self.domain_id) - self.group = self.identity_api.create_group(self.group) + self.group = PROVIDERS.identity_api.create_group(self.group) self.group_id = self.group['id'] # Creates three users each with password expiration offset # by one day, starting with the current time frozen. @@ -366,43 +370,45 @@ class IdentityPasswordExpiryFilteredTestCase(filtering.FilterTests, with freezegun.freeze_time(self.starttime): self.config_fixture.config(group='security_compliance', password_expires_days=1) - self.user = unit.create_user(self.identity_api, + self.user = unit.create_user(PROVIDERS.identity_api, domain_id=self.domain_id) self.config_fixture.config(group='security_compliance', password_expires_days=2) - self.user2 = unit.create_user(self.identity_api, + self.user2 = unit.create_user(PROVIDERS.identity_api, domain_id=self.domain_id) self.config_fixture.config(group='security_compliance', password_expires_days=3) - self.user3 = unit.create_user(self.identity_api, + self.user3 = unit.create_user(PROVIDERS.identity_api, domain_id=self.domain_id) self.role = unit.new_role_ref(name='admin') - self.role_api.create_role(self.role['id'], self.role) + PROVIDERS.role_api.create_role(self.role['id'], self.role) self.role_id = self.role['id'] # Grant admin role to the users created. - self.assignment_api.create_grant(self.role_id, - user_id=self.user['id'], - domain_id=self.domain_id) - self.assignment_api.create_grant(self.role_id, - user_id=self.user2['id'], - domain_id=self.domain_id) - self.assignment_api.create_grant(self.role_id, - user_id=self.user3['id'], - domain_id=self.domain_id) - self.assignment_api.create_grant(self.role_id, - user_id=self.user['id'], - project_id=self.project_id) - self.assignment_api.create_grant(self.role_id, - user_id=self.user2['id'], - project_id=self.project_id) - self.assignment_api.create_grant(self.role_id, - user_id=self.user3['id'], - project_id=self.project_id) + PROVIDERS.assignment_api.create_grant( + self.role_id, user_id=self.user['id'], domain_id=self.domain_id + ) + PROVIDERS.assignment_api.create_grant( + self.role_id, user_id=self.user2['id'], domain_id=self.domain_id + ) + PROVIDERS.assignment_api.create_grant( + self.role_id, user_id=self.user3['id'], domain_id=self.domain_id + ) + PROVIDERS.assignment_api.create_grant( + self.role_id, user_id=self.user['id'], project_id=self.project_id + ) + PROVIDERS.assignment_api.create_grant( + self.role_id, user_id=self.user2['id'], project_id=self.project_id + ) + PROVIDERS.assignment_api.create_grant( + self.role_id, user_id=self.user3['id'], project_id=self.project_id + ) # Add the last two users to the group. - self.identity_api.add_user_to_group(self.user2['id'], - self.group_id) - self.identity_api.add_user_to_group(self.user3['id'], - self.group_id) + PROVIDERS.identity_api.add_user_to_group( + self.user2['id'], self.group_id + ) + PROVIDERS.identity_api.add_user_to_group( + self.user3['id'], self.group_id + ) def _list_users_by_password_expires_at(self, time, operator=None): """Call `list_users` with `password_expires_at` filter. @@ -741,16 +747,18 @@ class IdentityTestListLimitCase(IdentityTestFilteredCase): self.addCleanup(self.clean_up_service) for _ in range(10): new_entity = unit.new_service_ref() - service = self.catalog_api.create_service(new_entity['id'], - new_entity) + service = PROVIDERS.catalog_api.create_service( + new_entity['id'], new_entity + ) self.service_list.append(service) self.policy_list = [] self.addCleanup(self.clean_up_policy) for _ in range(10): new_entity = unit.new_policy_ref() - policy = self.policy_api.create_policy(new_entity['id'], - new_entity) + policy = PROVIDERS.policy_api.create_policy( + new_entity['id'], new_entity + ) self.policy_list.append(policy) def clean_up_entity(self, entity): @@ -760,12 +768,12 @@ class IdentityTestListLimitCase(IdentityTestFilteredCase): def clean_up_service(self): """Clean up service test data from Identity Limit Test Cases.""" for service in self.service_list: - self.catalog_api.delete_service(service['id']) + PROVIDERS.catalog_api.delete_service(service['id']) def clean_up_policy(self): """Clean up policy test data from Identity Limit Test Cases.""" for policy in self.policy_list: - self.policy_api.delete_policy(policy['id']) + PROVIDERS.policy_api.delete_policy(policy['id']) def _test_entity_list_limit(self, entity, driver): """GET / (limited). diff --git a/keystone/tests/unit/test_v3_oauth1.py b/keystone/tests/unit/test_v3_oauth1.py index cd8b7255a3..0966407872 100644 --- a/keystone/tests/unit/test_v3_oauth1.py +++ b/keystone/tests/unit/test_v3_oauth1.py @@ -25,6 +25,7 @@ from six.moves import http_client from six.moves import urllib from six.moves.urllib import parse as urlparse +from keystone.common import provider_api import keystone.conf from keystone import exception from keystone import oauth1 @@ -38,6 +39,7 @@ from keystone.tests.unit import test_v3 CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs def _urllib_parse_qs_text_keys(content): @@ -535,14 +537,14 @@ class AuthTokenTests(object): def test_delete_keystone_tokens_by_consumer_id(self): self.test_oauth_flow() - self.token_provider_api._persistence.get_token( + PROVIDERS.token_provider_api._persistence.get_token( self.keystone_token_id) - self.token_provider_api._persistence.delete_tokens( + PROVIDERS.token_provider_api._persistence.delete_tokens( self.user_id, consumer_id=self.consumer['key']) self.assertRaises( exception.TokenNotFound, - self.token_provider_api._persistence.get_token, + PROVIDERS.token_provider_api._persistence.get_token, self.keystone_token_id) def _create_trust_get_token(self): @@ -882,7 +884,7 @@ class MaliciousOAuth1Tests(OAuth1Tests): credentials = _urllib_parse_qs_text_keys(content.result) request_key = credentials['oauth_token'][0] - self.assignment_api.remove_role_from_user_and_project( + PROVIDERS.assignment_api.remove_role_from_user_and_project( self.user_id, self.project_id, self.role_id) url = self._authorize_request_token(request_key) body = {'roles': [{'id': self.role_id}]} @@ -927,14 +929,14 @@ class MaliciousOAuth1Tests(OAuth1Tests): resp = self.put(url, body=body, expected_status=http_client.OK) verifier = resp.result['token']['oauth_verifier'] request_token.set_verifier(verifier) - request_token_created = self.oauth_api.get_request_token( + request_token_created = PROVIDERS.oauth_api.get_request_token( request_key.decode('utf-8')) request_token_created.update({'authorizing_user_id': ''}) # Update the request token that is created instead of mocking # the whole token object to focus on what's we want to test # here and avoid any other factors that will result in the same # exception. - with mock.patch.object(self.oauth_api, + with mock.patch.object(PROVIDERS.oauth_api, 'get_request_token') as mock_token: mock_token.return_value = request_token_created url, headers = self._create_access_token(consumer, request_token) @@ -1069,7 +1071,7 @@ class OAuthNotificationTests(OAuth1Tests, def test_update_consumer(self): consumer_ref = self._create_single_consumer() update_ref = {'consumer': {'description': uuid.uuid4().hex}} - self.oauth_api.update_consumer(consumer_ref['id'], update_ref) + PROVIDERS.oauth_api.update_consumer(consumer_ref['id'], update_ref) self._assert_notify_sent(consumer_ref['id'], test_notifications.UPDATED_OPERATION, 'OS-OAUTH1:consumer') @@ -1080,7 +1082,7 @@ class OAuthNotificationTests(OAuth1Tests, def test_delete_consumer(self): consumer_ref = self._create_single_consumer() - self.oauth_api.delete_consumer(consumer_ref['id']) + PROVIDERS.oauth_api.delete_consumer(consumer_ref['id']) self._assert_notify_sent(consumer_ref['id'], test_notifications.DELETED_OPERATION, 'OS-OAUTH1:consumer') diff --git a/keystone/tests/unit/test_v3_os_revoke.py b/keystone/tests/unit/test_v3_os_revoke.py index d60de6baa2..e4e87b308d 100644 --- a/keystone/tests/unit/test_v3_os_revoke.py +++ b/keystone/tests/unit/test_v3_os_revoke.py @@ -21,10 +21,13 @@ import six from six.moves import http_client from testtools import matchers +from keystone.common import provider_api from keystone.common import utils from keystone.models import revoke_model from keystone.tests.unit import test_v3 +PROVIDERS = provider_api.ProviderAPIs + def _future_time_string(): expire_delta = datetime.timedelta(seconds=1000) @@ -79,7 +82,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin): sample = self._blank_event() sample['audit_id'] = six.text_type(audit_id) before_time = timeutils.utcnow().replace(microsecond=0) - self.revoke_api.revoke_by_audit_id(audit_id) + PROVIDERS.revoke_api.revoke_by_audit_id(audit_id) resp = self.get('/OS-REVOKE/events') events = resp.json_body['events'] self.assertEqual(1, len(events)) @@ -90,7 +93,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin): sample = dict() sample['project_id'] = six.text_type(project_id) before_time = timeutils.utcnow().replace(microsecond=0) - self.revoke_api.revoke( + PROVIDERS.revoke_api.revoke( revoke_model.RevokeEvent(project_id=project_id)) resp = self.get('/OS-REVOKE/events') @@ -103,7 +106,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin): sample = dict() sample['domain_id'] = six.text_type(domain_id) before_time = timeutils.utcnow().replace(microsecond=0) - self.revoke_api.revoke( + PROVIDERS.revoke_api.revoke( revoke_model.RevokeEvent(domain_id=domain_id)) resp = self.get('/OS-REVOKE/events') @@ -125,7 +128,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin): sample = dict() sample['domain_id'] = six.text_type(domain_id) - self.revoke_api.revoke( + PROVIDERS.revoke_api.revoke( revoke_model.RevokeEvent(domain_id=domain_id)) resp = self.get('/OS-REVOKE/events') @@ -141,7 +144,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin): with freezegun.freeze_time(time) as frozen_datetime: revoked_at = timeutils.utcnow() # Given or not, `revoked_at` will always be set in the backend. - self.revoke_api.revoke( + PROVIDERS.revoke_api.revoke( revoke_model.RevokeEvent(revoked_at=revoked_at)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) @@ -157,7 +160,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin): ref = {'description': uuid.uuid4().hex} resp = self.post('/OS-OAUTH1/consumers', body={'consumer': ref}) consumer_id = resp.result['consumer']['id'] - self.oauth_api.delete_consumer(consumer_id) + PROVIDERS.oauth_api.delete_consumer(consumer_id) resp = self.get('/OS-REVOKE/events') events = resp.json_body['events'] @@ -194,7 +197,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin): sql_delete_mock.side_effect = side_effect try: - self.revoke_api.revoke(revoke_model.RevokeEvent( + PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent( user_id=uuid.uuid4().hex)) finally: if side_effect.patched: diff --git a/keystone/tests/unit/test_v3_policy.py b/keystone/tests/unit/test_v3_policy.py index 6146536bac..e2be44af63 100644 --- a/keystone/tests/unit/test_v3_policy.py +++ b/keystone/tests/unit/test_v3_policy.py @@ -17,9 +17,12 @@ import uuid from six.moves import http_client +from keystone.common import provider_api from keystone.tests import unit from keystone.tests.unit import test_v3 +PROVIDERS = provider_api.ProviderAPIs + class PolicyTestCase(test_v3.RestfulTestCase): """Test policy CRUD.""" @@ -28,7 +31,7 @@ class PolicyTestCase(test_v3.RestfulTestCase): super(PolicyTestCase, self).setUp() self.policy = unit.new_policy_ref() self.policy_id = self.policy['id'] - self.policy_api.create_policy( + PROVIDERS.policy_api.create_policy( self.policy_id, self.policy.copy()) diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py index f7ac451025..986b18e702 100644 --- a/keystone/tests/unit/test_v3_protection.py +++ b/keystone/tests/unit/test_v3_protection.py @@ -18,6 +18,7 @@ import uuid from oslo_serialization import jsonutils from six.moves import http_client +from keystone.common import provider_api import keystone.conf from keystone.credential.providers import fernet as credential_fernet from keystone import exception @@ -29,6 +30,7 @@ from keystone.tests.unit import utils CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs class IdentityTestProtectedCase(test_v3.RestfulTestCase): @@ -67,55 +69,64 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase): # Start by creating a couple of domains self.domainA = unit.new_domain_ref() - self.resource_api.create_domain(self.domainA['id'], self.domainA) + PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA) self.domainB = unit.new_domain_ref() - self.resource_api.create_domain(self.domainB['id'], self.domainB) + PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB) self.domainC = unit.new_domain_ref(enabled=False) - self.resource_api.create_domain(self.domainC['id'], self.domainC) + PROVIDERS.resource_api.create_domain(self.domainC['id'], self.domainC) # Some projects in the domains self.projectA = unit.new_project_ref(domain_id=self.domainA['id']) - self.resource_api.create_project(self.projectA['id'], self.projectA) + PROVIDERS.resource_api.create_project( + self.projectA['id'], self.projectA + ) self.projectB = unit.new_project_ref(domain_id=self.domainB['id']) - self.resource_api.create_project(self.projectB['id'], self.projectB) + PROVIDERS.resource_api.create_project( + self.projectB['id'], self.projectB + ) # Now create some users, one in domainA and two of them in domainB - self.user1 = unit.create_user(self.identity_api, + self.user1 = unit.create_user(PROVIDERS.identity_api, domain_id=self.domainA['id']) - self.user2 = unit.create_user(self.identity_api, + self.user2 = unit.create_user(PROVIDERS.identity_api, domain_id=self.domainB['id']) - self.user3 = unit.create_user(self.identity_api, + self.user3 = unit.create_user(PROVIDERS.identity_api, domain_id=self.domainB['id']) self.group1 = unit.new_group_ref(domain_id=self.domainA['id']) - self.group1 = self.identity_api.create_group(self.group1) + self.group1 = PROVIDERS.identity_api.create_group(self.group1) self.group2 = unit.new_group_ref(domain_id=self.domainA['id']) - self.group2 = self.identity_api.create_group(self.group2) + self.group2 = PROVIDERS.identity_api.create_group(self.group2) self.group3 = unit.new_group_ref(domain_id=self.domainB['id']) - self.group3 = self.identity_api.create_group(self.group3) + self.group3 = PROVIDERS.identity_api.create_group(self.group3) self.role = unit.new_role_ref() - self.role_api.create_role(self.role['id'], self.role) + PROVIDERS.role_api.create_role(self.role['id'], self.role) self.role1 = unit.new_role_ref() - self.role_api.create_role(self.role1['id'], self.role1) + PROVIDERS.role_api.create_role(self.role1['id'], self.role1) - self.assignment_api.create_grant(self.role['id'], - user_id=self.user1['id'], - domain_id=self.domainA['id']) - self.assignment_api.create_grant(self.role['id'], - user_id=self.user2['id'], - domain_id=self.domainA['id']) - self.assignment_api.create_grant(self.role1['id'], - user_id=self.user1['id'], - domain_id=self.domainA['id']) - self.assignment_api.create_grant(self.role['id'], - user_id=self.user1['id'], - project_id=self.projectA['id']) - self.assignment_api.create_grant(self.role['id'], - user_id=self.user2['id'], - project_id=self.projectB['id']) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.user1['id'], + domain_id=self.domainA['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.user2['id'], + domain_id=self.domainA['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.role1['id'], user_id=self.user1['id'], + domain_id=self.domainA['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.user1['id'], + project_id=self.projectA['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.user2['id'], + project_id=self.projectB['id'] + ) def _get_id_list_from_ref_list(self, ref_list): result_list = [] @@ -388,33 +399,36 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase): self._populate_default_domain() self.just_a_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=CONF.identity.default_domain_id) self.another_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=CONF.identity.default_domain_id) self.admin_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=CONF.identity.default_domain_id) self.role = unit.new_role_ref() - self.role_api.create_role(self.role['id'], self.role) + PROVIDERS.role_api.create_role(self.role['id'], self.role) self.admin_role = unit.new_role_ref(name='admin') - self.role_api.create_role(self.admin_role['id'], self.admin_role) + PROVIDERS.role_api.create_role(self.admin_role['id'], self.admin_role) # Create and assign roles to the project self.project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) - self.resource_api.create_project(self.project['id'], self.project) - self.assignment_api.create_grant(self.role['id'], - user_id=self.just_a_user['id'], - project_id=self.project['id']) - self.assignment_api.create_grant(self.role['id'], - user_id=self.another_user['id'], - project_id=self.project['id']) - self.assignment_api.create_grant(self.admin_role['id'], - user_id=self.admin_user['id'], - project_id=self.project['id']) + PROVIDERS.resource_api.create_project(self.project['id'], self.project) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.just_a_user['id'], + project_id=self.project['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.another_user['id'], + project_id=self.project['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.admin_role['id'], user_id=self.admin_user['id'], + project_id=self.project['id'] + ) def test_user_validate_same_token(self): # Given a non-admin user token, the token can be used to validate @@ -677,85 +691,95 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, # Start by creating a couple of domains self._populate_default_domain() self.domainA = unit.new_domain_ref() - self.resource_api.create_domain(self.domainA['id'], self.domainA) + PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA) self.domainB = unit.new_domain_ref() - self.resource_api.create_domain(self.domainB['id'], self.domainB) + PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB) self.admin_domain = unit.new_domain_ref() - self.resource_api.create_domain(self.admin_domain['id'], - self.admin_domain) + PROVIDERS.resource_api.create_domain( + self.admin_domain['id'], self.admin_domain + ) self.admin_project = unit.new_project_ref( domain_id=self.admin_domain['id']) - self.resource_api.create_project(self.admin_project['id'], - self.admin_project) + PROVIDERS.resource_api.create_project( + self.admin_project['id'], self.admin_project + ) # And our users self.cloud_admin_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=self.admin_domain['id']) self.just_a_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=self.domainA['id']) self.domain_admin_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=self.domainA['id']) self.domainB_admin_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=self.domainB['id']) self.project_admin_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=self.domainA['id']) self.project_adminB_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=self.domainB['id']) # The admin role, a domain specific role and another plain role self.admin_role = unit.new_role_ref(name='admin') - self.role_api.create_role(self.admin_role['id'], self.admin_role) + PROVIDERS.role_api.create_role(self.admin_role['id'], self.admin_role) self.roleA = unit.new_role_ref(domain_id=self.domainA['id']) - self.role_api.create_role(self.roleA['id'], self.roleA) + PROVIDERS.role_api.create_role(self.roleA['id'], self.roleA) self.role = unit.new_role_ref() - self.role_api.create_role(self.role['id'], self.role) + PROVIDERS.role_api.create_role(self.role['id'], self.role) # The cloud admin just gets the admin role on the special admin project - self.assignment_api.create_grant(self.admin_role['id'], - user_id=self.cloud_admin_user['id'], - project_id=self.admin_project['id']) + PROVIDERS.assignment_api.create_grant( + self.admin_role['id'], user_id=self.cloud_admin_user['id'], + project_id=self.admin_project['id'] + ) # Assign roles to the domain - self.assignment_api.create_grant(self.admin_role['id'], - user_id=self.domain_admin_user['id'], - domain_id=self.domainA['id']) - self.assignment_api.create_grant(self.role['id'], - user_id=self.just_a_user['id'], - domain_id=self.domainA['id']) - self.assignment_api.create_grant(self.admin_role['id'], - user_id=self.domainB_admin_user['id'], - domain_id=self.domainB['id']) + PROVIDERS.assignment_api.create_grant( + self.admin_role['id'], user_id=self.domain_admin_user['id'], + domain_id=self.domainA['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.just_a_user['id'], + domain_id=self.domainA['id'] + ) + PROVIDERS.assignment_api.create_grant( + self.admin_role['id'], user_id=self.domainB_admin_user['id'], + domain_id=self.domainB['id'] + ) # Create and assign roles to the project self.project = unit.new_project_ref(domain_id=self.domainA['id']) - self.resource_api.create_project(self.project['id'], self.project) + PROVIDERS.resource_api.create_project(self.project['id'], self.project) self.projectB = unit.new_project_ref(domain_id=self.domainB['id']) - self.resource_api.create_project(self.projectB['id'], self.projectB) - self.assignment_api.create_grant(self.admin_role['id'], - user_id=self.project_admin_user['id'], - project_id=self.project['id']) - self.assignment_api.create_grant( + PROVIDERS.resource_api.create_project( + self.projectB['id'], self.projectB + ) + PROVIDERS.assignment_api.create_grant( + self.admin_role['id'], user_id=self.project_admin_user['id'], + project_id=self.project['id'] + ) + PROVIDERS.assignment_api.create_grant( self.admin_role['id'], user_id=self.project_adminB_user['id'], project_id=self.projectB['id']) - self.assignment_api.create_grant(self.role['id'], - user_id=self.just_a_user['id'], - project_id=self.project['id']) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.just_a_user['id'], + project_id=self.project['id'] + ) self.group1 = unit.new_group_ref(domain_id=self.domainA['id']) - self.group1 = self.identity_api.create_group(self.group1) + self.group1 = PROVIDERS.identity_api.create_group(self.group1) self.group2 = unit.new_group_ref(domain_id=self.domainA['id']) - self.group2 = self.identity_api.create_group(self.group2) + self.group2 = PROVIDERS.identity_api.create_group(self.group2) self.group3 = unit.new_group_ref(domain_id=self.domainB['id']) - self.group3 = self.identity_api.create_group(self.group3) + self.group3 = PROVIDERS.identity_api.create_group(self.group3) def _stati(self, expected_status): # Return the expected return codes for APIs with and without data @@ -854,7 +878,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, list_status_OK=False, expected=None): status_OK, status_created, status_no_data = self._stati(expected) a_role = unit.new_role_ref(domain_id=role_domain_id) - self.role_api.create_role(a_role['id'], a_role) + PROVIDERS.role_api.create_role(a_role['id'], a_role) collection_url = ( '/%(target)s/%(target_id)s/users/%(user_id)s/roles' % { @@ -1397,7 +1421,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, def test_project_admin_list_assignments_of_another_project_failed(self): projectB = unit.new_project_ref(domain_id=self.domainA['id']) - self.resource_api.create_project(projectB['id'], projectB) + PROVIDERS.resource_api.create_project(projectB['id'], projectB) admin_auth = self.build_authentication_request( user_id=self.project_admin_user['id'], password=self.project_admin_user['password'], @@ -1439,10 +1463,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, # Add a child project to the standard test data sub_project = unit.new_project_ref(domain_id=self.domainA['id'], parent_id=self.project['id']) - self.resource_api.create_project(sub_project['id'], sub_project) - self.assignment_api.create_grant(self.role['id'], - user_id=self.just_a_user['id'], - project_id=sub_project['id']) + PROVIDERS.resource_api.create_project(sub_project['id'], sub_project) + PROVIDERS.assignment_api.create_grant( + self.role['id'], user_id=self.just_a_user['id'], + project_id=sub_project['id'] + ) collection_url = self.build_role_assignment_query_url( project_id=self.project['id']) @@ -1469,11 +1494,12 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, # A neither should a domain admin from a different domain domainB_admin_user = unit.create_user( - self.identity_api, + PROVIDERS.identity_api, domain_id=self.domainB['id']) - self.assignment_api.create_grant(self.admin_role['id'], - user_id=domainB_admin_user['id'], - domain_id=self.domainB['id']) + PROVIDERS.assignment_api.create_grant( + self.admin_role['id'], user_id=domainB_admin_user['id'], + domain_id=self.domainB['id'] + ) auth = self.build_authentication_request( user_id=domainB_admin_user['id'], password=domainB_admin_user['password'], @@ -1535,11 +1561,13 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, def test_list_user_credentials(self): credential_user = unit.new_credential_ref(self.just_a_user['id']) - self.credential_api.create_credential(credential_user['id'], - credential_user) + PROVIDERS.credential_api.create_credential( + credential_user['id'], credential_user + ) credential_admin = unit.new_credential_ref(self.cloud_admin_user['id']) - self.credential_api.create_credential(credential_admin['id'], - credential_admin) + PROVIDERS.credential_api.create_credential( + credential_admin['id'], credential_admin + ) self.auth = self.build_authentication_request( user_id=self.just_a_user['id'], @@ -1555,7 +1583,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, def test_get_and_delete_ec2_credentials(self): """Test getting and deleting ec2 credentials through the ec2 API.""" - another_user = unit.create_user(self.identity_api, + another_user = unit.create_user(PROVIDERS.identity_api, domain_id=self.domainA['id']) # create a credential for just_a_user @@ -1826,7 +1854,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, # Test user can not get project for one they don't have a role in, # even if they have a role on another project project2 = unit.new_project_ref(domain_id=self.domainA['id']) - self.resource_api.create_project(project2['id'], project2) + PROVIDERS.resource_api.create_project(project2['id'], project2) self.get('/projects/%s' % project2['id'], auth=user_auth, expected_status=exception.ForbiddenAction.code) @@ -1974,14 +2002,19 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample): self.admin_token = self.get_requested_token(domain_admin_auth) self.appdev_role = unit.new_role_ref(domain_id=self.domainA['id']) - self.role_api.create_role(self.appdev_role['id'], self.appdev_role) + PROVIDERS.role_api.create_role( + self.appdev_role['id'], self.appdev_role + ) self.appadmin_role = unit.new_role_ref(domain_id=self.domainA['id']) - self.role_api.create_role(self.appadmin_role['id'], self.appadmin_role) + PROVIDERS.role_api.create_role( + self.appadmin_role['id'], self.appadmin_role + ) def _create_implied_role(self): - self.role_api.create_implied_role(self.appadmin_role['id'], - self.appdev_role['id']) + PROVIDERS.role_api.create_implied_role( + self.appadmin_role['id'], self.appdev_role['id'] + ) def test_get(self): # A domain admin should be able to get an existing implied role @@ -2028,10 +2061,10 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample): def test_forbidden_role_implication_from_different_domain(self): domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex) - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) role2 = unit.new_role_ref(domain_id=domain2['id']) - implied = self.role_api.create_role(role2['id'], role2) + implied = PROVIDERS.role_api.create_role(role2['id'], role2) self.put('/roles/%s/implies/%s' % (self.appdev_role['id'], implied['id']), @@ -2045,10 +2078,10 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample): project_id=self.admin_project['id']) domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex) - self.resource_api.create_domain(domain2['id'], domain2) + PROVIDERS.resource_api.create_domain(domain2['id'], domain2) role2 = unit.new_role_ref(domain_id=domain2['id']) - implied = self.role_api.create_role(role2['id'], role2) + implied = PROVIDERS.role_api.create_role(role2['id'], role2) self.put('/roles/%s/implies/%s' % (self.appdev_role['id'], implied['id']), diff --git a/keystone/tests/unit/token/test_backends.py b/keystone/tests/unit/token/test_backends.py index e4e5afb918..6124bddf4e 100644 --- a/keystone/tests/unit/token/test_backends.py +++ b/keystone/tests/unit/token/test_backends.py @@ -19,12 +19,14 @@ from oslo_utils import timeutils import six from six.moves import range +from keystone.common import provider_api from keystone import exception from keystone.tests import unit from keystone.token import provider NULL_OBJECT = object() +PROVIDERS = provider_api.ProviderAPIs class TokenTests(object): @@ -37,7 +39,7 @@ class TokenTests(object): # token persistence service persistence_list = [ x['id'] - for x in self.token_provider_api.list_revoked_tokens() + for x in PROVIDERS.token_provider_api.list_revoked_tokens() ] self.assertEqual(persistence_list, revoked_token_id_list) @@ -48,8 +50,9 @@ class TokenTests(object): 'user': {'id': 'testuserid'}, 'token_data': {'access': {'token': { 'audit_ids': [uuid.uuid4().hex]}}}} - data_ref = self.token_provider_api._persistence.create_token(token_id, - data) + data_ref = PROVIDERS.token_provider_api._persistence.create_token( + token_id, data + ) expires = data_ref.pop('expires') data_ref.pop('user_id') self.assertIsInstance(expires, datetime.datetime) @@ -57,7 +60,9 @@ class TokenTests(object): data.pop('id') self.assertDictEqual(data, data_ref) - new_data_ref = self.token_provider_api._persistence.get_token(token_id) + new_data_ref = PROVIDERS.token_provider_api._persistence.get_token( + token_id + ) expires = new_data_ref.pop('expires') self.assertIsInstance(expires, datetime.datetime) new_data_ref.pop('user_id') @@ -65,13 +70,13 @@ class TokenTests(object): self.assertEqual(data, new_data_ref) - self.token_provider_api._persistence.delete_token(token_id) + PROVIDERS.token_provider_api._persistence.delete_token(token_id) self.assertRaises( exception.TokenNotFound, - self.token_provider_api._persistence.get_token, token_id) + PROVIDERS.token_provider_api._persistence.get_token, token_id) self.assertRaises( exception.TokenNotFound, - self.token_provider_api._persistence.delete_token, token_id) + PROVIDERS.token_provider_api._persistence.delete_token, token_id) def create_token_sample_data(self, token_id=None, tenant_id=None, trust_id=None, user_id=None, expires=None): @@ -101,12 +106,13 @@ class TokenTests(object): # Issue token stores a copy of all token data at token['token_data']. # This emulates that assumption as part of the test. data['token_data'] = copy.deepcopy(data) - new_token = self.token_provider_api._persistence.create_token(token_id, - data) + new_token = PROVIDERS.token_provider_api._persistence.create_token( + token_id, data + ) return new_token['id'], data def test_delete_tokens(self): - tokens = self.token_provider_api._persistence._list_tokens( + tokens = PROVIDERS.token_provider_api._persistence._list_tokens( 'testuserid') self.assertEqual(0, len(tokens)) token_id1, data = self.create_token_sample_data( @@ -116,28 +122,28 @@ class TokenTests(object): token_id3, data = self.create_token_sample_data( tenant_id='testtenantid', user_id='testuserid1') - tokens = self.token_provider_api._persistence._list_tokens( + tokens = PROVIDERS.token_provider_api._persistence._list_tokens( 'testuserid') self.assertEqual(2, len(tokens)) self.assertIn(token_id2, tokens) self.assertIn(token_id1, tokens) - self.token_provider_api._persistence.delete_tokens( + PROVIDERS.token_provider_api._persistence.delete_tokens( user_id='testuserid', tenant_id='testtenantid') - tokens = self.token_provider_api._persistence._list_tokens( + tokens = PROVIDERS.token_provider_api._persistence._list_tokens( 'testuserid') self.assertEqual(0, len(tokens)) self.assertRaises(exception.TokenNotFound, - self.token_provider_api._persistence.get_token, + PROVIDERS.token_provider_api._persistence.get_token, token_id1) self.assertRaises(exception.TokenNotFound, - self.token_provider_api._persistence.get_token, + PROVIDERS.token_provider_api._persistence.get_token, token_id2) - self.token_provider_api._persistence.get_token(token_id3) + PROVIDERS.token_provider_api._persistence.get_token(token_id3) def test_delete_tokens_trust(self): - tokens = self.token_provider_api._persistence._list_tokens( + tokens = PROVIDERS.token_provider_api._persistence._list_tokens( user_id='testuserid') self.assertEqual(0, len(tokens)) token_id1, data = self.create_token_sample_data( @@ -147,18 +153,18 @@ class TokenTests(object): tenant_id='testtenantid', user_id='testuserid1', trust_id='testtrustid1') - tokens = self.token_provider_api._persistence._list_tokens( + tokens = PROVIDERS.token_provider_api._persistence._list_tokens( 'testuserid') self.assertEqual(1, len(tokens)) self.assertIn(token_id1, tokens) - self.token_provider_api._persistence.delete_tokens( + PROVIDERS.token_provider_api._persistence.delete_tokens( user_id='testuserid', tenant_id='testtenantid', trust_id='testtrustid') self.assertRaises(exception.TokenNotFound, - self.token_provider_api._persistence.get_token, + PROVIDERS.token_provider_api._persistence.get_token, token_id1) - self.token_provider_api._persistence.get_token(token_id2) + PROVIDERS.token_provider_api._persistence.get_token(token_id2) def _test_token_list(self, token_list_fn): tokens = token_list_fn('testuserid') @@ -172,11 +178,11 @@ class TokenTests(object): self.assertEqual(2, len(tokens)) self.assertIn(token_id2, tokens) self.assertIn(token_id1, tokens) - self.token_provider_api._persistence.delete_token(token_id1) + PROVIDERS.token_provider_api._persistence.delete_token(token_id1) tokens = token_list_fn('testuserid') self.assertIn(token_id2, tokens) self.assertNotIn(token_id1, tokens) - self.token_provider_api._persistence.delete_token(token_id2) + PROVIDERS.token_provider_api._persistence.delete_token(token_id2) tokens = token_list_fn('testuserid') self.assertNotIn(token_id2, tokens) self.assertNotIn(token_id1, tokens) @@ -204,34 +210,39 @@ class TokenTests(object): def test_token_list(self): self._test_token_list( - self.token_provider_api._persistence._list_tokens) + PROVIDERS.token_provider_api._persistence._list_tokens) def test_token_list_trust(self): trust_id = uuid.uuid4().hex token_id5, data = self.create_token_sample_data(trust_id=trust_id) - tokens = self.token_provider_api._persistence._list_tokens( + tokens = PROVIDERS.token_provider_api._persistence._list_tokens( 'testuserid', trust_id=trust_id) self.assertEqual(1, len(tokens)) self.assertIn(token_id5, tokens) def test_get_token_returns_not_found(self): self.assertRaises(exception.TokenNotFound, - self.token_provider_api._persistence.get_token, + PROVIDERS.token_provider_api._persistence.get_token, uuid.uuid4().hex) def test_delete_token_returns_not_found(self): - self.assertRaises(exception.TokenNotFound, - self.token_provider_api._persistence.delete_token, - uuid.uuid4().hex) + self.assertRaises( + exception.TokenNotFound, + PROVIDERS.token_provider_api._persistence.delete_token, + uuid.uuid4().hex + ) def test_null_expires_token(self): token_id = uuid.uuid4().hex data = {'id': token_id, 'id_hash': token_id, 'a': 'b', 'expires': None, 'user': {'id': 'testuserid'}} - data_ref = self.token_provider_api._persistence.create_token(token_id, - data) + data_ref = PROVIDERS.token_provider_api._persistence.create_token( + token_id, data + ) self.assertIsNotNone(data_ref['expires']) - new_data_ref = self.token_provider_api._persistence.get_token(token_id) + new_data_ref = PROVIDERS.token_provider_api._persistence.get_token( + token_id + ) # MySQL doesn't store microseconds, so discard them before testing data_ref['expires'] = data_ref['expires'].replace(microsecond=0) @@ -241,7 +252,7 @@ class TokenTests(object): self.assertEqual(data_ref, new_data_ref) def check_list_revoked_tokens(self, token_infos): - revocation_list = self.token_provider_api.list_revoked_tokens() + revocation_list = PROVIDERS.token_provider_api.list_revoked_tokens() revoked_ids = [x['id'] for x in revocation_list] revoked_audit_ids = [x['audit_id'] for x in revocation_list] self._assert_revoked_token_list_matches_token_persistence(revoked_ids) @@ -255,22 +266,24 @@ class TokenTests(object): data = {'id_hash': token_id, 'id': token_id, 'a': 'b', 'user': {'id': 'testuserid'}, 'token_data': {'token': {'audit_ids': [audit_id]}}} - data_ref = self.token_provider_api._persistence.create_token(token_id, - data) - self.token_provider_api._persistence.delete_token(token_id) + data_ref = PROVIDERS.token_provider_api._persistence.create_token( + token_id, data + ) + PROVIDERS.token_provider_api._persistence.delete_token(token_id) self.assertRaises( exception.TokenNotFound, - self.token_provider_api._persistence.get_token, + PROVIDERS.token_provider_api._persistence.get_token, data_ref['id']) self.assertRaises( exception.TokenNotFound, - self.token_provider_api._persistence.delete_token, + PROVIDERS.token_provider_api._persistence.delete_token, data_ref['id']) return (token_id, audit_id) def test_list_revoked_tokens_returns_empty_list(self): - revoked_ids = [x['id'] - for x in self.token_provider_api.list_revoked_tokens()] + revoked_ids = [ + x['id'] for x in PROVIDERS.token_provider_api.list_revoked_tokens() + ] self._assert_revoked_token_list_matches_token_persistence(revoked_ids) self.assertEqual([], revoked_ids) @@ -289,8 +302,9 @@ class TokenTests(object): 'expires': expire_time, 'trust_id': None, 'user': {'id': 'testuserid'}} - data_ref = self.token_provider_api._persistence.create_token(token_id, - data) + data_ref = PROVIDERS.token_provider_api._persistence.create_token( + token_id, data + ) data_ref.pop('user_id') self.assertDictEqual(data, data_ref) @@ -300,13 +314,14 @@ class TokenTests(object): 'expires': expire_time, 'trust_id': None, 'user': {'id': 'testuserid'}} - data_ref = self.token_provider_api._persistence.create_token(token_id, - data) + data_ref = PROVIDERS.token_provider_api._persistence.create_token( + token_id, data + ) data_ref.pop('user_id') self.assertDictEqual(data, data_ref) - self.token_provider_api._persistence.flush_expired_tokens() - tokens = self.token_provider_api._persistence._list_tokens( + PROVIDERS.token_provider_api._persistence.flush_expired_tokens() + tokens = PROVIDERS.token_provider_api._persistence._list_tokens( 'testuserid') self.assertEqual(1, len(tokens)) self.assertIn(token_id, tokens) @@ -329,31 +344,41 @@ class TokenTests(object): 'token_data': {'token': { 'audit_ids': [uuid.uuid4().hex]}}} # Create 2 Tokens. - self.token_provider_api._persistence.create_token(token_id, - token_data) - self.token_provider_api._persistence.create_token(token2_id, - token2_data) + PROVIDERS.token_provider_api._persistence.create_token( + token_id, token_data + ) + PROVIDERS.token_provider_api._persistence.create_token( + token2_id, token2_data + ) # Verify the revocation list is empty. self.assertEqual( - [], self.token_provider_api._persistence.list_revoked_tokens()) - self.assertEqual([], self.token_provider_api.list_revoked_tokens()) + [], PROVIDERS.token_provider_api._persistence.list_revoked_tokens() + ) + self.assertEqual( + [], PROVIDERS.token_provider_api.list_revoked_tokens() + ) # Delete a token directly, bypassing the manager. - self.token_provider_api._persistence.driver.delete_token(token_id) + PROVIDERS.token_provider_api._persistence.driver.delete_token(token_id) # Verify the revocation list is still empty. self.assertEqual( - [], self.token_provider_api._persistence.list_revoked_tokens()) - self.assertEqual([], self.token_provider_api.list_revoked_tokens()) + [], PROVIDERS.token_provider_api._persistence.list_revoked_tokens() + ) + self.assertEqual( + [], PROVIDERS.token_provider_api.list_revoked_tokens() + ) # Invalidate the revocation list. - self.token_provider_api._persistence.invalidate_revocation_list() + PROVIDERS.token_provider_api._persistence.invalidate_revocation_list() # Verify the deleted token is in the revocation list. - revoked_ids = [x['id'] - for x in self.token_provider_api.list_revoked_tokens()] + revoked_ids = [ + x['id'] for x in PROVIDERS.token_provider_api.list_revoked_tokens() + ] self._assert_revoked_token_list_matches_token_persistence(revoked_ids) self.assertIn(token_id, revoked_ids) # Delete the second token, through the manager - self.token_provider_api._persistence.delete_token(token2_id) - revoked_ids = [x['id'] - for x in self.token_provider_api.list_revoked_tokens()] + PROVIDERS.token_provider_api._persistence.delete_token(token2_id) + revoked_ids = [ + x['id'] for x in PROVIDERS.token_provider_api.list_revoked_tokens() + ] self._assert_revoked_token_list_matches_token_persistence(revoked_ids) # Verify both tokens are in the revocation list. self.assertIn(token_id, revoked_ids) @@ -364,10 +389,10 @@ class TokenTests(object): token = {'user': {'id': uuid.uuid4().hex}, 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}} - self.token_provider_api._persistence.create_token(token_id, token) - self.token_provider_api._persistence.delete_token(token_id) + PROVIDERS.token_provider_api._persistence.create_token(token_id, token) + PROVIDERS.token_provider_api._persistence.delete_token(token_id) - revoked_tokens = self.token_provider_api.list_revoked_tokens() + revoked_tokens = PROVIDERS.token_provider_api.list_revoked_tokens() revoked_ids = [x['id'] for x in revoked_tokens] self._assert_revoked_token_list_matches_token_persistence(revoked_ids) self.assertIn(token_id, revoked_ids) @@ -377,12 +402,12 @@ class TokenTests(object): def test_create_unicode_token_id(self): token_id = six.text_type(self._create_token_id()) self.create_token_sample_data(token_id=token_id) - self.token_provider_api._persistence.get_token(token_id) + PROVIDERS.token_provider_api._persistence.get_token(token_id) def test_create_unicode_user_id(self): user_id = six.text_type(uuid.uuid4().hex) token_id, data = self.create_token_sample_data(user_id=user_id) - self.token_provider_api._persistence.get_token(token_id) + PROVIDERS.token_provider_api._persistence.get_token(token_id) class TokenCacheInvalidation(object): @@ -390,7 +415,7 @@ class TokenCacheInvalidation(object): time = datetime.datetime.utcnow() with freezegun.freeze_time(time) as frozen_datetime: # Create an equivalent of a scoped token - token_id, data = self.token_provider_api.issue_token( + token_id, data = PROVIDERS.token_provider_api.issue_token( self.user_foo['id'], ['password'], project_id=self.tenant_bar['id'] @@ -398,7 +423,7 @@ class TokenCacheInvalidation(object): self.scoped_token_id = token_id # ..and an un-scoped one - token_id, data = self.token_provider_api.issue_token( + token_id, data = PROVIDERS.token_provider_api.issue_token( self.user_foo['id'], ['password'] ) @@ -407,28 +432,28 @@ class TokenCacheInvalidation(object): # Validate them, in the various ways possible - this will load the # responses into the token cache. - self.token_provider_api.validate_token(self.scoped_token_id) - self.token_provider_api.validate_token(self.unscoped_token_id) + PROVIDERS.token_provider_api.validate_token(self.scoped_token_id) + PROVIDERS.token_provider_api.validate_token(self.unscoped_token_id) def test_delete_unscoped_token(self): time = datetime.datetime.utcnow() with freezegun.freeze_time(time) as frozen_datetime: - self.token_provider_api._persistence.delete_token( + PROVIDERS.token_provider_api._persistence.delete_token( self.unscoped_token_id) frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) # Ensure the unscoped token is invalid self.assertRaises( exception.TokenNotFound, - self.token_provider_api.validate_token, + PROVIDERS.token_provider_api.validate_token, self.unscoped_token_id) # Ensure the scoped token is still valid - self.token_provider_api.validate_token(self.scoped_token_id) + PROVIDERS.token_provider_api.validate_token(self.scoped_token_id) def test_delete_scoped_token_by_id(self): time = datetime.datetime.utcnow() with freezegun.freeze_time(time) as frozen_datetime: - self.token_provider_api._persistence.delete_token( + PROVIDERS.token_provider_api._persistence.delete_token( self.scoped_token_id ) frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) @@ -436,15 +461,15 @@ class TokenCacheInvalidation(object): # Ensure the project token is invalid self.assertRaises( exception.TokenNotFound, - self.token_provider_api.validate_token, + PROVIDERS.token_provider_api.validate_token, self.scoped_token_id) # Ensure the unscoped token is still valid - self.token_provider_api.validate_token(self.unscoped_token_id) + PROVIDERS.token_provider_api.validate_token(self.unscoped_token_id) def test_delete_scoped_token_by_user(self): time = datetime.datetime.utcnow() with freezegun.freeze_time(time) as frozen_datetime: - self.token_provider_api._persistence.delete_tokens( + PROVIDERS.token_provider_api._persistence.delete_tokens( self.user_foo['id'] ) frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) @@ -453,17 +478,17 @@ class TokenCacheInvalidation(object): # now be invalid. self.assertRaises( exception.TokenNotFound, - self.token_provider_api.validate_token, + PROVIDERS.token_provider_api.validate_token, self.scoped_token_id) self.assertRaises( exception.TokenNotFound, - self.token_provider_api.validate_token, + PROVIDERS.token_provider_api.validate_token, self.unscoped_token_id) def test_delete_scoped_token_by_user_and_tenant(self): time = datetime.datetime.utcnow() with freezegun.freeze_time(time) as frozen_datetime: - self.token_provider_api._persistence.delete_tokens( + PROVIDERS.token_provider_api._persistence.delete_tokens( self.user_foo['id'], tenant_id=self.tenant_bar['id']) frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) @@ -471,7 +496,7 @@ class TokenCacheInvalidation(object): # Ensure the scoped token is invalid self.assertRaises( exception.TokenNotFound, - self.token_provider_api.validate_token, + PROVIDERS.token_provider_api.validate_token, self.scoped_token_id) # Ensure the unscoped token is still valid - self.token_provider_api.validate_token(self.unscoped_token_id) + PROVIDERS.token_provider_api.validate_token(self.unscoped_token_id) diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py index 7d4fd4257b..38a417b0cb 100644 --- a/keystone/tests/unit/token/test_fernet_provider.py +++ b/keystone/tests/unit/token/test_fernet_provider.py @@ -21,6 +21,7 @@ from oslo_utils import timeutils import six from keystone import auth +from keystone.common import provider_api from keystone.common import token_utils from keystone.common import utils import keystone.conf @@ -35,6 +36,7 @@ from keystone.token import token_formatters CONF = keystone.conf.CONF +PROVIDERS = provider_api.ProviderAPIs class TestFernetTokenProvider(unit.TestCase): @@ -94,17 +96,18 @@ class TestValidate(unit.TestCase): # with a simple token. domain_ref = unit.new_domain_ref() - domain_ref = self.resource_api.create_domain(domain_ref['id'], - domain_ref) + domain_ref = PROVIDERS.resource_api.create_domain( + domain_ref['id'], domain_ref + ) user_ref = unit.new_user_ref(domain_ref['id']) - user_ref = self.identity_api.create_user(user_ref) + user_ref = PROVIDERS.identity_api.create_user(user_ref) method_names = ['password'] - token_id, token_data_ = self.token_provider_api.issue_token( + token_id, token_data_ = PROVIDERS.token_provider_api.issue_token( user_ref['id'], method_names) - token_data = self.token_provider_api.validate_token(token_id) + token_data = PROVIDERS.token_provider_api.validate_token(token_id) token = token_data['token'] self.assertIsInstance(token['audit_ids'], list) self.assertIsInstance(token['expires_at'], str) @@ -126,11 +129,12 @@ class TestValidate(unit.TestCase): # when the token has federated info. domain_ref = unit.new_domain_ref() - domain_ref = self.resource_api.create_domain(domain_ref['id'], - domain_ref) + domain_ref = PROVIDERS.resource_api.create_domain( + domain_ref['id'], domain_ref + ) user_ref = unit.new_user_ref(domain_ref['id']) - user_ref = self.identity_api.create_user(user_ref) + user_ref = PROVIDERS.identity_api.create_user(user_ref) method_names = ['mapped'] @@ -145,10 +149,10 @@ class TestValidate(unit.TestCase): federation_constants.PROTOCOL: protocol, } auth_context = auth.core.AuthContext(**auth_context_params) - token_id, token_data_ = self.token_provider_api.issue_token( + token_id, token_data_ = PROVIDERS.token_provider_api.issue_token( user_ref['id'], method_names, auth_context=auth_context) - token_data = self.token_provider_api.validate_token(token_id) + token_data = PROVIDERS.token_provider_api.validate_token(token_id) token = token_data['token'] exp_user_info = { 'id': user_ref['id'], @@ -168,27 +172,29 @@ class TestValidate(unit.TestCase): # when the token has trust info. domain_ref = unit.new_domain_ref() - domain_ref = self.resource_api.create_domain(domain_ref['id'], - domain_ref) + domain_ref = PROVIDERS.resource_api.create_domain( + domain_ref['id'], domain_ref + ) user_ref = unit.new_user_ref(domain_ref['id']) - user_ref = self.identity_api.create_user(user_ref) + user_ref = PROVIDERS.identity_api.create_user(user_ref) trustor_user_ref = unit.new_user_ref(domain_ref['id']) - trustor_user_ref = self.identity_api.create_user(trustor_user_ref) + trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref) project_ref = unit.new_project_ref(domain_id=domain_ref['id']) - project_ref = self.resource_api.create_project(project_ref['id'], - project_ref) + project_ref = PROVIDERS.resource_api.create_project( + project_ref['id'], project_ref + ) role_ref = unit.new_role_ref() - role_ref = self.role_api.create_role(role_ref['id'], role_ref) + role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( role_ref['id'], user_id=user_ref['id'], project_id=project_ref['id']) - self.assignment_api.create_grant( + PROVIDERS.assignment_api.create_grant( role_ref['id'], user_id=trustor_user_ref['id'], project_id=project_ref['id']) @@ -197,16 +203,17 @@ class TestValidate(unit.TestCase): trust_ref = unit.new_trust_ref( trustor_user_id, trustee_user_id, project_id=project_ref['id'], role_ids=[role_ref['id'], ]) - trust_ref = self.trust_api.create_trust(trust_ref['id'], trust_ref, - trust_ref['roles']) + trust_ref = PROVIDERS.trust_api.create_trust( + trust_ref['id'], trust_ref, trust_ref['roles'] + ) method_names = ['password'] - token_id, token_data_ = self.token_provider_api.issue_token( + token_id, token_data_ = PROVIDERS.token_provider_api.issue_token( user_ref['id'], method_names, project_id=project_ref['id'], trust=trust_ref) - token_data = self.token_provider_api.validate_token(token_id) + token_data = PROVIDERS.token_provider_api.validate_token(token_id) token = token_data['token'] exp_trust_info = { 'id': trust_ref['id'], @@ -221,8 +228,11 @@ class TestValidate(unit.TestCase): # A uuid string isn't a valid Fernet token. token_id = uuid.uuid4().hex - self.assertRaises(exception.TokenNotFound, - self.token_provider_api.validate_token, token_id) + self.assertRaises( + exception.TokenNotFound, + PROVIDERS.token_provider_api.validate_token, + token_id + ) class TestTokenFormatter(unit.TestCase):