openstack/keystone
Code Issues Proposed changes

Merge "Refactor self.*_api out of tests"

Browse Source
This commit is contained in:
Zuul 2018-02-05 22:34:16 +00:00 committed by Gerrit Code Review
commit 7fec65fa9a
19 changed files with 1835 additions and 1445 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1850
keystone/tests/unit/assignment/test_backends.py
View File

File diff suppressed because it is too large Load Diff

11
keystone/tests/unit/credential/test_backend_sql.py
View File

@ -14,12 +14,15 @@ import uuid
from six.moves import range from six.moves import range
from keystone.common import provider_api
from keystone.credential.providers import fernet as credential_provider from keystone.credential.providers import fernet as credential_provider
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit import default_fixtures from keystone.tests.unit import default_fixtures
from keystone.tests.unit import ksfixtures from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import database from keystone.tests.unit.ksfixtures import database
PROVIDERS = provider_api.ProviderAPIs
class SqlTests(unit.SQLDriverOverrides, unit.TestCase): class SqlTests(unit.SQLDriverOverrides, unit.TestCase):
@ -46,7 +49,9 @@ class SqlCredential(SqlTests):
credential = unit.new_credential_ref(user_id=user_id, credential = unit.new_credential_ref(user_id=user_id,
extra=uuid.uuid4().hex, extra=uuid.uuid4().hex,
type=uuid.uuid4().hex) type=uuid.uuid4().hex)
self.credential_api.create_credential(credential['id'], credential) PROVIDERS.credential_api.create_credential(
credential['id'], credential
)
return credential return credential
def _validate_credential_list(self, retrieved_credentials, def _validate_credential_list(self, retrieved_credentials,
@ -79,9 +84,9 @@ class SqlCredential(SqlTests):
self.credentials.append(cred) self.credentials.append(cred)
def test_backend_credential_sql_hints_none(self): def test_backend_credential_sql_hints_none(self):
credentials = self.credential_api.list_credentials(hints=None) credentials = PROVIDERS.credential_api.list_credentials(hints=None)
self._validate_credential_list(credentials, self.user_credentials) self._validate_credential_list(credentials, self.user_credentials)
def test_backend_credential_sql_no_hints(self): def test_backend_credential_sql_no_hints(self):
credentials = self.credential_api.list_credentials() credentials = PROVIDERS.credential_api.list_credentials()
self._validate_credential_list(credentials, self.user_credentials) self._validate_credential_list(credentials, self.user_credentials)

68
keystone/tests/unit/test_associate_project_endpoint_extension.py
View File

@ -18,9 +18,12 @@ import uuid
from six.moves import http_client from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.common import provider_api
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
PROVIDERS = provider_api.ProviderAPIs
class EndpointFilterTestCase(test_v3.RestfulTestCase): class EndpointFilterTestCase(test_v3.RestfulTestCase):
@ -296,14 +299,14 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase):
region_id=self.region_id, region_id=self.region_id,
interface='public', interface='public',
id=endpoint_id2) id=endpoint_id2)
self.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy())
# create endpoint project association. # create endpoint project association.
self.put(self.default_request_url) self.put(self.default_request_url)
# should get back only one endpoint that was just created. # should get back only one endpoint that was just created.
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -313,13 +316,13 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase):
# add the second endpoint to default project, bypassing # add the second endpoint to default project, bypassing
# catalog_api API manager. # catalog_api API manager.
self.catalog_api.driver.add_endpoint_to_project( PROVIDERS.catalog_api.driver.add_endpoint_to_project(
endpoint_id2, endpoint_id2,
self.default_domain_project_id) self.default_domain_project_id)
# but, we can just get back one endpoint from the cache, since the # but, we can just get back one endpoint from the cache, since the
# catalog is pulled out from cache and its haven't been invalidated. # catalog is pulled out from cache and its haven't been invalidated.
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -327,7 +330,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase):
# remove the endpoint2 from the default project, and add it again via # remove the endpoint2 from the default project, and add it again via
# catalog_api API manager. # catalog_api API manager.
self.catalog_api.driver.remove_endpoint_from_project( PROVIDERS.catalog_api.driver.remove_endpoint_from_project(
endpoint_id2, endpoint_id2,
self.default_domain_project_id) self.default_domain_project_id)
@ -358,7 +361,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase):
region_id=self.region_id, region_id=self.region_id,
interface='public', interface='public',
id=endpoint_id2) id=endpoint_id2)
self.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy())
# create endpoint project association. # create endpoint project association.
self.put(self.default_request_url) self.put(self.default_request_url)
@ -370,7 +373,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase):
# should get back only one endpoint that was just created. # should get back only one endpoint that was just created.
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -382,14 +385,14 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase):
# remove the endpoint2 from the default project, bypassing # remove the endpoint2 from the default project, bypassing
# catalog_api API manager. # catalog_api API manager.
self.catalog_api.driver.remove_endpoint_from_project( PROVIDERS.catalog_api.driver.remove_endpoint_from_project(
endpoint_id2, endpoint_id2,
self.default_domain_project_id) self.default_domain_project_id)
# but, we can just still get back two endpoints from the cache, # but, we can just still get back two endpoints from the cache,
# since the catalog is pulled out from cache and its haven't # since the catalog is pulled out from cache and its haven't
# been invalidated. # been invalidated.
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -397,7 +400,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase):
# add back the endpoint2 to the default project, and remove it by # add back the endpoint2 to the default project, and remove it by
# catalog_api API manage. # catalog_api API manage.
self.catalog_api.driver.add_endpoint_to_project( PROVIDERS.catalog_api.driver.add_endpoint_to_project(
endpoint_id2, endpoint_id2,
self.default_domain_project_id) self.default_domain_project_id)
@ -411,7 +414,7 @@ class EndpointFilterCRUDTestCase(EndpointFilterTestCase):
# should only get back one endpoint since the cache has been # should only get back one endpoint since the cache has been
# invalidated after the endpoint project association was removed. # invalidated after the endpoint project association was removed.
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -522,7 +525,7 @@ class EndpointFilterTokenRequestTestCase(EndpointFilterTestCase):
region_id=self.region_id, region_id=self.region_id,
interface='public', interface='public',
id=endpoint_id2) id=endpoint_id2)
self.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy()) PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2.copy())
# add second endpoint to default project # add second endpoint to default project
self.put('/OS-EP-FILTER/projects/%(project_id)s' self.put('/OS-EP-FILTER/projects/%(project_id)s'
@ -533,7 +536,7 @@ class EndpointFilterTokenRequestTestCase(EndpointFilterTestCase):
# remove the temporary reference # remove the temporary reference
# this will create inconsistency in the endpoint filter table # this will create inconsistency in the endpoint filter table
# which is fixed during the catalog creation for token request # which is fixed during the catalog creation for token request
self.catalog_api.delete_endpoint(endpoint_id2) PROVIDERS.catalog_api.delete_endpoint(endpoint_id2)
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
@ -566,8 +569,9 @@ class EndpointFilterTokenRequestTestCase(EndpointFilterTestCase):
'enabled': False, 'enabled': False,
'interface': 'internal' 'interface': 'internal'
}) })
self.catalog_api.create_endpoint(disabled_endpoint_id, PROVIDERS.catalog_api.create_endpoint(
disabled_endpoint_ref) disabled_endpoint_id, disabled_endpoint_ref
)
self.put('/OS-EP-FILTER/projects/%(project_id)s' self.put('/OS-EP-FILTER/projects/%(project_id)s'
'/endpoints/%(endpoint_id)s' % { '/endpoints/%(endpoint_id)s' % {
@ -1144,7 +1148,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
# association, this is needed when a project scoped token is issued # association, this is needed when a project scoped token is issued
# and "endpoint_filter.sql" backend driver is in place. # and "endpoint_filter.sql" backend driver is in place.
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
catalog_list = self.catalog_api.get_v3_catalog( catalog_list = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
self.assertEqual(2, len(catalog_list)) self.assertEqual(2, len(catalog_list))
@ -1163,7 +1167,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
endpoints = self.assertValidEndpointListResponse(r) endpoints = self.assertValidEndpointListResponse(r)
self.assertEqual(1, len(endpoints)) self.assertEqual(1, len(endpoints))
catalog_list = self.catalog_api.get_v3_catalog( catalog_list = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
self.assertEqual(1, len(catalog_list)) self.assertEqual(1, len(catalog_list))
@ -1259,14 +1263,14 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
region_id=self.region_id, region_id=self.region_id,
interface='admin', interface='admin',
id=endpoint_id2) id=endpoint_id2)
self.catalog_api.create_endpoint(endpoint_id2, endpoint2) PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2)
# create a project and endpoint association. # create a project and endpoint association.
self.put(self.default_request_url) self.put(self.default_request_url)
# there is only one endpoint associated with the default project. # there is only one endpoint associated with the default project.
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -1278,13 +1282,13 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
# add the endpoint group to default project, bypassing # add the endpoint group to default project, bypassing
# catalog_api API manager. # catalog_api API manager.
self.catalog_api.driver.add_endpoint_group_to_project( PROVIDERS.catalog_api.driver.add_endpoint_group_to_project(
endpoint_group_id, endpoint_group_id,
self.default_domain_project_id) self.default_domain_project_id)
# can get back only one endpoint from the cache, since the catalog # can get back only one endpoint from the cache, since the catalog
# is pulled out from cache. # is pulled out from cache.
invalid_catalog = self.catalog_api.get_v3_catalog( invalid_catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -1294,16 +1298,16 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
# remove the endpoint group from default project, and add it again via # remove the endpoint group from default project, and add it again via
# catalog_api API manager. # catalog_api API manager.
self.catalog_api.driver.remove_endpoint_group_from_project( PROVIDERS.catalog_api.driver.remove_endpoint_group_from_project(
endpoint_group_id, endpoint_group_id,
self.default_domain_project_id) self.default_domain_project_id)
# add the endpoint group to default project. # add the endpoint group to default project.
self.catalog_api.add_endpoint_group_to_project( PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group_id, endpoint_group_id,
self.default_domain_project_id) self.default_domain_project_id)
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -1329,7 +1333,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
region_id=self.region_id, region_id=self.region_id,
interface='admin', interface='admin',
id=endpoint_id2) id=endpoint_id2)
self.catalog_api.create_endpoint(endpoint_id2, endpoint2) PROVIDERS.catalog_api.create_endpoint(endpoint_id2, endpoint2)
# create project and endpoint association. # create project and endpoint association.
self.put(self.default_request_url) self.put(self.default_request_url)
@ -1339,7 +1343,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
self.DEFAULT_ENDPOINT_GROUP_URL, self.DEFAULT_ENDPOINT_GROUP_BODY) self.DEFAULT_ENDPOINT_GROUP_URL, self.DEFAULT_ENDPOINT_GROUP_BODY)
# add the endpoint group to default project. # add the endpoint group to default project.
self.catalog_api.add_endpoint_group_to_project( PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group_id, endpoint_group_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -1347,7 +1351,7 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
# association, the other one is from endpoint_group project # association, the other one is from endpoint_group project
# association. # association.
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -1359,13 +1363,13 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
# remove endpoint_group project association, bypassing # remove endpoint_group project association, bypassing
# catalog_api API manager. # catalog_api API manager.
self.catalog_api.driver.remove_endpoint_group_from_project( PROVIDERS.catalog_api.driver.remove_endpoint_group_from_project(
endpoint_group_id, endpoint_group_id,
self.default_domain_project_id) self.default_domain_project_id)
# still get back two endpoints, since the catalog is pulled out # still get back two endpoints, since the catalog is pulled out
# from cache and the cache haven't been invalidated. # from cache and the cache haven't been invalidated.
invalid_catalog = self.catalog_api.get_v3_catalog( invalid_catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)
@ -1375,18 +1379,18 @@ class EndpointGroupCRUDTestCase(EndpointFilterTestCase):
# add back the endpoint_group project association and remove it from # add back the endpoint_group project association and remove it from
# manager. # manager.
self.catalog_api.driver.add_endpoint_group_to_project( PROVIDERS.catalog_api.driver.add_endpoint_group_to_project(
endpoint_group_id, endpoint_group_id,
self.default_domain_project_id) self.default_domain_project_id)
self.catalog_api.remove_endpoint_group_from_project( PROVIDERS.catalog_api.remove_endpoint_group_from_project(
endpoint_group_id, endpoint_group_id,
self.default_domain_project_id) self.default_domain_project_id)
# should only get back one endpoint since the cache has been # should only get back one endpoint since the cache has been
# invalidated after the endpoint_group project association was # invalidated after the endpoint_group project association was
# removed. # removed.
catalog = self.catalog_api.get_v3_catalog( catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, user_id,
self.default_domain_project_id) self.default_domain_project_id)

22
keystone/tests/unit/test_backend_ldap_pool.py
View File

@ -17,6 +17,7 @@ import fixtures
import ldappool import ldappool
import mock import mock
from keystone.common import provider_api
import keystone.conf import keystone.conf
from keystone.identity.backends import ldap from keystone.identity.backends import ldap
from keystone.identity.backends.ldap import common as common_ldap from keystone.identity.backends.ldap import common as common_ldap
@ -26,6 +27,7 @@ from keystone.tests.unit import test_backend_ldap
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class LdapPoolCommonTestMixin(object): class LdapPoolCommonTestMixin(object):
@ -36,7 +38,7 @@ class LdapPoolCommonTestMixin(object):
def test_handler_with_use_pool_enabled(self): def test_handler_with_use_pool_enabled(self):
# by default use_pool and use_auth_pool is enabled in test pool config # by default use_pool and use_auth_pool is enabled in test pool config
user_ref = self.identity_api.get_user(self.user_foo['id']) user_ref = PROVIDERS.identity_api.get_user(self.user_foo['id'])
self.user_foo.pop('password') self.user_foo.pop('password')
self.assertDictEqual(self.user_foo, user_ref) self.assertDictEqual(self.user_foo, user_ref)
@ -90,7 +92,7 @@ class LdapPoolCommonTestMixin(object):
def test_pool_retry_delay_set(self): def test_pool_retry_delay_set(self):
# just make one identity call to initiate ldap connection if not there # just make one identity call to initiate ldap connection if not there
self.identity_api.get_user(self.user_foo['id']) PROVIDERS.identity_api.get_user(self.user_foo['id'])
# get related connection manager instance # get related connection manager instance
ldappool_cm = self.conn_pools[CONF.ldap.url] ldappool_cm = self.conn_pools[CONF.ldap.url]
@ -174,7 +176,7 @@ class LdapPoolCommonTestMixin(object):
# authenticate so that connection is added to pool before password # authenticate so that connection is added to pool before password
# change # change
user_ref = self.identity_api.authenticate( user_ref = PROVIDERS.identity_api.authenticate(
self.make_request(), self.make_request(),
user_id=self.user_sna['id'], user_id=self.user_sna['id'],
password=self.user_sna['password']) password=self.user_sna['password'])
@ -185,11 +187,11 @@ class LdapPoolCommonTestMixin(object):
new_password = 'new_password' new_password = 'new_password'
user_ref['password'] = new_password user_ref['password'] = new_password
self.identity_api.update_user(user_ref['id'], user_ref) PROVIDERS.identity_api.update_user(user_ref['id'], user_ref)
# now authenticate again to make sure new password works with # now authenticate again to make sure new password works with
# connection pool # connection pool
user_ref2 = self.identity_api.authenticate( user_ref2 = PROVIDERS.identity_api.authenticate(
self.make_request(), self.make_request(),
user_id=self.user_sna['id'], user_id=self.user_sna['id'],
password=new_password) password=new_password)
@ -201,7 +203,7 @@ class LdapPoolCommonTestMixin(object):
# is only one connection in pool which get bind again with updated # is only one connection in pool which get bind again with updated
# password..so no old bind is maintained in this case. # password..so no old bind is maintained in this case.
self.assertRaises(AssertionError, self.assertRaises(AssertionError,
self.identity_api.authenticate, PROVIDERS.identity_api.authenticate,
self.make_request(), self.make_request(),
user_id=self.user_sna['id'], user_id=self.user_sna['id'],
password=old_password) password=old_password)
@ -223,7 +225,7 @@ class LDAPIdentity(LdapPoolCommonTestMixin,
# super class loads db fixtures which establishes ldap connection # super class loads db fixtures which establishes ldap connection
# so adding dummy call to highlight connection pool initialization # so adding dummy call to highlight connection pool initialization
# as its not that obvious though its not needed here # as its not that obvious though its not needed here
self.identity_api.get_user(self.user_foo['id']) PROVIDERS.identity_api.get_user(self.user_foo['id'])
def config_files(self): def config_files(self):
config_files = super(LDAPIdentity, self).config_files() config_files = super(LDAPIdentity, self).config_files()
@ -236,8 +238,8 @@ class LDAPIdentity(LdapPoolCommonTestMixin,
return arg return arg
mocked_method.side_effect = side_effect mocked_method.side_effect = side_effect
# invalidate the cache to get utf8_encode function called. # invalidate the cache to get utf8_encode function called.
self.identity_api.get_user.invalidate(self.identity_api, PROVIDERS.identity_api.get_user.invalidate(PROVIDERS.identity_api,
self.user_foo['id']) self.user_foo['id'])
self.identity_api.get_user(self.user_foo['id']) PROVIDERS.identity_api.get_user(self.user_foo['id'])
mocked_method.assert_any_call(CONF.ldap.user) mocked_method.assert_any_call(CONF.ldap.user)
mocked_method.assert_any_call(CONF.ldap.password) mocked_method.assert_any_call(CONF.ldap.password)

356
keystone/tests/unit/test_backend_sql.py
View File

@ -242,8 +242,9 @@ class SqlIdentity(SqlTests,
resource_tests.ResourceTests): resource_tests.ResourceTests):
def test_password_hashed(self): def test_password_hashed(self):
with sql.session_for_read() as session: with sql.session_for_read() as session:
user_ref = self.identity_api._get_user(session, user_ref = PROVIDERS.identity_api._get_user(
self.user_foo['id']) session, self.user_foo['id']
)
self.assertNotEqual(self.user_foo['password'], self.assertNotEqual(self.user_foo['password'],
user_ref['password']) user_ref['password'])
@ -251,46 +252,49 @@ class SqlIdentity(SqlTests,
user_dict = unit.new_user_ref( user_dict = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
user_dict["password"] = None user_dict["password"] = None
new_user_dict = self.identity_api.create_user(user_dict) new_user_dict = PROVIDERS.identity_api.create_user(user_dict)
with sql.session_for_read() as session: with sql.session_for_read() as session:
new_user_ref = self.identity_api._get_user(session, new_user_ref = PROVIDERS.identity_api._get_user(
new_user_dict['id']) session, new_user_dict['id']
)
self.assertIsNone(new_user_ref.password) self.assertIsNone(new_user_ref.password)
def test_update_user_with_null_password(self): def test_update_user_with_null_password(self):
user_dict = unit.new_user_ref( user_dict = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
self.assertTrue(user_dict['password']) self.assertTrue(user_dict['password'])
new_user_dict = self.identity_api.create_user(user_dict) new_user_dict = PROVIDERS.identity_api.create_user(user_dict)
new_user_dict["password"] = None new_user_dict["password"] = None
new_user_dict = self.identity_api.update_user(new_user_dict['id'], new_user_dict = PROVIDERS.identity_api.update_user(
new_user_dict) new_user_dict['id'], new_user_dict
)
with sql.session_for_read() as session: with sql.session_for_read() as session:
new_user_ref = self.identity_api._get_user(session, new_user_ref = PROVIDERS.identity_api._get_user(
new_user_dict['id']) session, new_user_dict['id']
)
self.assertIsNone(new_user_ref.password) self.assertIsNone(new_user_ref.password)
def test_delete_user_with_project_association(self): def test_delete_user_with_project_association(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.identity_api.create_user(user) user = PROVIDERS.identity_api.create_user(user)
role_member = unit.new_role_ref() role_member = unit.new_role_ref()
self.role_api.create_role(role_member['id'], role_member) PROVIDERS.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(user['id'], PROVIDERS.assignment_api.add_role_to_user_and_project(
self.tenant_bar['id'], user['id'], self.tenant_bar['id'], role_member['id']
role_member['id']) )
self.identity_api.delete_user(user['id']) PROVIDERS.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.assignment_api.list_projects_for_user, PROVIDERS.assignment_api.list_projects_for_user,
user['id']) user['id'])
def test_create_null_user_name(self): def test_create_null_user_name(self):
user = unit.new_user_ref(name=None, user = unit.new_user_ref(name=None,
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.identity_api.create_user, PROVIDERS.identity_api.create_user,
user) user)
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.get_user_by_name, PROVIDERS.identity_api.get_user_by_name,
user['name'], user['name'],
CONF.identity.default_domain_id) CONF.identity.default_domain_id)
@ -302,11 +306,11 @@ class SqlIdentity(SqlTests,
# create a ref with a lowercase name # create a ref with a lowercase name
ref = unit.new_user_ref(name=uuid.uuid4().hex.lower(), ref = unit.new_user_ref(name=uuid.uuid4().hex.lower(),
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
ref = self.identity_api.create_user(ref) ref = PROVIDERS.identity_api.create_user(ref)
# assign a new ID with the same name, but this time in uppercase # assign a new ID with the same name, but this time in uppercase
ref['name'] = ref['name'].upper() ref['name'] = ref['name'].upper()
self.identity_api.create_user(ref) PROVIDERS.identity_api.create_user(ref)
def test_create_project_case_sensitivity(self): def test_create_project_case_sensitivity(self):
# project name case sensitivity is down to the fact that it is marked # project name case sensitivity is down to the fact that it is marked
@ -315,23 +319,23 @@ class SqlIdentity(SqlTests,
# create a ref with a lowercase name # create a ref with a lowercase name
ref = unit.new_project_ref(domain_id=CONF.identity.default_domain_id) ref = unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
self.resource_api.create_project(ref['id'], ref) PROVIDERS.resource_api.create_project(ref['id'], ref)
# assign a new ID with the same name, but this time in uppercase # assign a new ID with the same name, but this time in uppercase
ref['id'] = uuid.uuid4().hex ref['id'] = uuid.uuid4().hex
ref['name'] = ref['name'].upper() ref['name'] = ref['name'].upper()
self.resource_api.create_project(ref['id'], ref) PROVIDERS.resource_api.create_project(ref['id'], ref)
def test_delete_project_with_user_association(self): def test_delete_project_with_user_association(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.identity_api.create_user(user) user = PROVIDERS.identity_api.create_user(user)
role_member = unit.new_role_ref() role_member = unit.new_role_ref()
self.role_api.create_role(role_member['id'], role_member) PROVIDERS.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(user['id'], PROVIDERS.assignment_api.add_role_to_user_and_project(
self.tenant_bar['id'], user['id'], self.tenant_bar['id'], role_member['id']
role_member['id']) )
self.resource_api.delete_project(self.tenant_bar['id']) PROVIDERS.resource_api.delete_project(self.tenant_bar['id'])
tenants = self.assignment_api.list_projects_for_user(user['id']) tenants = PROVIDERS.assignment_api.list_projects_for_user(user['id'])
self.assertEqual([], tenants) self.assertEqual([], tenants)
def test_update_project_returns_extra(self): def test_update_project_returns_extra(self):
@ -349,12 +353,12 @@ class SqlIdentity(SqlTests,
project = unit.new_project_ref( project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
project[arbitrary_key] = arbitrary_value project[arbitrary_key] = arbitrary_value
ref = self.resource_api.create_project(project['id'], project) ref = PROVIDERS.resource_api.create_project(project['id'], project)
self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertIsNone(ref.get('extra')) self.assertIsNone(ref.get('extra'))
ref['name'] = uuid.uuid4().hex ref['name'] = uuid.uuid4().hex
ref = self.resource_api.update_project(ref['id'], ref) ref = PROVIDERS.resource_api.update_project(ref['id'], ref)
self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertEqual(arbitrary_value, ref['extra'][arbitrary_key]) self.assertEqual(arbitrary_value, ref['extra'][arbitrary_key])
@ -373,14 +377,14 @@ class SqlIdentity(SqlTests,
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user[arbitrary_key] = arbitrary_value user[arbitrary_key] = arbitrary_value
del user["id"] del user["id"]
ref = self.identity_api.create_user(user) ref = PROVIDERS.identity_api.create_user(user)
self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertIsNone(ref.get('password')) self.assertIsNone(ref.get('password'))
self.assertIsNone(ref.get('extra')) self.assertIsNone(ref.get('extra'))
user['name'] = uuid.uuid4().hex user['name'] = uuid.uuid4().hex
user['password'] = uuid.uuid4().hex user['password'] = uuid.uuid4().hex
ref = self.identity_api.update_user(ref['id'], user) ref = PROVIDERS.identity_api.update_user(ref['id'], user)
self.assertIsNone(ref.get('password')) self.assertIsNone(ref.get('password'))
self.assertIsNone(ref['extra'].get('password')) self.assertIsNone(ref['extra'].get('password'))
self.assertEqual(arbitrary_value, ref[arbitrary_key]) self.assertEqual(arbitrary_value, ref[arbitrary_key])
@ -388,7 +392,7 @@ class SqlIdentity(SqlTests,
def test_sql_user_to_dict_null_default_project_id(self): def test_sql_user_to_dict_null_default_project_id(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.identity_api.create_user(user) user = PROVIDERS.identity_api.create_user(user)
with sql.session_for_read() as session: with sql.session_for_read() as session:
query = session.query(identity_sql.User) query = session.query(identity_sql.User)
query = query.filter_by(id=user['id']) query = query.filter_by(id=user['id'])
@ -400,24 +404,30 @@ class SqlIdentity(SqlTests,
def test_list_domains_for_user(self): def test_list_domains_for_user(self):
domain = unit.new_domain_ref() domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain) PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.new_user_ref(domain_id=domain['id']) user = unit.new_user_ref(domain_id=domain['id'])
test_domain1 = unit.new_domain_ref() test_domain1 = unit.new_domain_ref()
self.resource_api.create_domain(test_domain1['id'], test_domain1) PROVIDERS.resource_api.create_domain(test_domain1['id'], test_domain1)
test_domain2 = unit.new_domain_ref() test_domain2 = unit.new_domain_ref()
self.resource_api.create_domain(test_domain2['id'], test_domain2) PROVIDERS.resource_api.create_domain(test_domain2['id'], test_domain2)
user = self.identity_api.create_user(user) user = PROVIDERS.identity_api.create_user(user)
user_domains = self.assignment_api.list_domains_for_user(user['id']) user_domains = PROVIDERS.assignment_api.list_domains_for_user(
user['id']
)
self.assertEqual(0, len(user_domains)) self.assertEqual(0, len(user_domains))
self.assignment_api.create_grant(user_id=user['id'], PROVIDERS.assignment_api.create_grant(
domain_id=test_domain1['id'], user_id=user['id'], domain_id=test_domain1['id'],
role_id=self.role_member['id']) role_id=self.role_member['id']
self.assignment_api.create_grant(user_id=user['id'], )
domain_id=test_domain2['id'], PROVIDERS.assignment_api.create_grant(
role_id=self.role_member['id']) user_id=user['id'], domain_id=test_domain2['id'],
user_domains = self.assignment_api.list_domains_for_user(user['id']) role_id=self.role_member['id']
)
user_domains = PROVIDERS.assignment_api.list_domains_for_user(
user['id']
)
self.assertThat(user_domains, matchers.HasLength(2)) self.assertThat(user_domains, matchers.HasLength(2))
def test_list_domains_for_user_with_grants(self): def test_list_domains_for_user_with_grants(self):
@ -425,35 +435,40 @@ class SqlIdentity(SqlTests,
# make user1 a member of both groups. Both these new domains # make user1 a member of both groups. Both these new domains
# should now be included, along with any direct user grants. # should now be included, along with any direct user grants.
domain = unit.new_domain_ref() domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain) PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.new_user_ref(domain_id=domain['id']) user = unit.new_user_ref(domain_id=domain['id'])
user = self.identity_api.create_user(user) user = PROVIDERS.identity_api.create_user(user)
group1 = unit.new_group_ref(domain_id=domain['id']) group1 = unit.new_group_ref(domain_id=domain['id'])
group1 = self.identity_api.create_group(group1) group1 = PROVIDERS.identity_api.create_group(group1)
group2 = unit.new_group_ref(domain_id=domain['id']) group2 = unit.new_group_ref(domain_id=domain['id'])
group2 = self.identity_api.create_group(group2) group2 = PROVIDERS.identity_api.create_group(group2)
test_domain1 = unit.new_domain_ref() test_domain1 = unit.new_domain_ref()
self.resource_api.create_domain(test_domain1['id'], test_domain1) PROVIDERS.resource_api.create_domain(test_domain1['id'], test_domain1)
test_domain2 = unit.new_domain_ref() test_domain2 = unit.new_domain_ref()
self.resource_api.create_domain(test_domain2['id'], test_domain2) PROVIDERS.resource_api.create_domain(test_domain2['id'], test_domain2)
test_domain3 = unit.new_domain_ref() test_domain3 = unit.new_domain_ref()
self.resource_api.create_domain(test_domain3['id'], test_domain3) PROVIDERS.resource_api.create_domain(test_domain3['id'], test_domain3)
self.identity_api.add_user_to_group(user['id'], group1['id']) PROVIDERS.identity_api.add_user_to_group(user['id'], group1['id'])
self.identity_api.add_user_to_group(user['id'], group2['id']) PROVIDERS.identity_api.add_user_to_group(user['id'], group2['id'])
# Create 3 grants, one user grant, the other two as group grants # Create 3 grants, one user grant, the other two as group grants
self.assignment_api.create_grant(user_id=user['id'], PROVIDERS.assignment_api.create_grant(
domain_id=test_domain1['id'], user_id=user['id'], domain_id=test_domain1['id'],
role_id=self.role_member['id']) role_id=self.role_member['id']
self.assignment_api.create_grant(group_id=group1['id'], )
domain_id=test_domain2['id'], PROVIDERS.assignment_api.create_grant(
role_id=self.role_admin['id']) group_id=group1['id'], domain_id=test_domain2['id'],
self.assignment_api.create_grant(group_id=group2['id'], role_id=self.role_admin['id']
domain_id=test_domain3['id'], )
role_id=self.role_admin['id']) PROVIDERS.assignment_api.create_grant(
user_domains = self.assignment_api.list_domains_for_user(user['id']) group_id=group2['id'], domain_id=test_domain3['id'],
role_id=self.role_admin['id']
)
user_domains = PROVIDERS.assignment_api.list_domains_for_user(
user['id']
)
self.assertThat(user_domains, matchers.HasLength(3)) self.assertThat(user_domains, matchers.HasLength(3))
def test_list_domains_for_user_with_inherited_grants(self): def test_list_domains_for_user_with_inherited_grants(self):
@ -468,29 +483,31 @@ class SqlIdentity(SqlTests,
""" """
domain1 = unit.new_domain_ref() domain1 = unit.new_domain_ref()
domain1 = self.resource_api.create_domain(domain1['id'], domain1) domain1 = PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
domain2 = unit.new_domain_ref() domain2 = unit.new_domain_ref()
domain2 = self.resource_api.create_domain(domain2['id'], domain2) domain2 = PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
user = unit.new_user_ref(domain_id=domain1['id']) user = unit.new_user_ref(domain_id=domain1['id'])
user = self.identity_api.create_user(user) user = PROVIDERS.identity_api.create_user(user)
group = unit.new_group_ref(domain_id=domain1['id']) group = unit.new_group_ref(domain_id=domain1['id'])
group = self.identity_api.create_group(group) group = PROVIDERS.identity_api.create_group(group)
self.identity_api.add_user_to_group(user['id'], group['id']) PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
role = unit.new_role_ref() role = unit.new_role_ref()
self.role_api.create_role(role['id'], role) PROVIDERS.role_api.create_role(role['id'], role)
# Create a grant on each domain, one user grant, one group grant, # Create a grant on each domain, one user grant, one group grant,
# both inherited. # both inherited.
self.assignment_api.create_grant(user_id=user['id'], PROVIDERS.assignment_api.create_grant(
domain_id=domain1['id'], user_id=user['id'], domain_id=domain1['id'], role_id=role['id'],
role_id=role['id'], inherited_to_projects=True
inherited_to_projects=True) )
self.assignment_api.create_grant(group_id=group['id'], PROVIDERS.assignment_api.create_grant(
domain_id=domain2['id'], group_id=group['id'], domain_id=domain2['id'], role_id=role['id'],
role_id=role['id'], inherited_to_projects=True
inherited_to_projects=True) )
user_domains = self.assignment_api.list_domains_for_user(user['id']) user_domains = PROVIDERS.assignment_api.list_domains_for_user(
user['id']
)
# No domains should be returned since both domains have only inherited # No domains should be returned since both domains have only inherited
# roles assignments. # roles assignments.
self.assertThat(user_domains, matchers.HasLength(0)) self.assertThat(user_domains, matchers.HasLength(0))
@ -504,13 +521,13 @@ class SqlIdentity(SqlTests,
for x in range(0, USER_COUNT): for x in range(0, USER_COUNT):
new_user = unit.new_user_ref(domain_id=domain['id']) new_user = unit.new_user_ref(domain_id=domain['id'])
new_user = self.identity_api.create_user(new_user) new_user = PROVIDERS.identity_api.create_user(new_user)
test_users.append(new_user) test_users.append(new_user)
positive_user = test_users[0] positive_user = test_users[0]
negative_user = test_users[1] negative_user = test_users[1]
for x in range(0, USER_COUNT): for x in range(0, USER_COUNT):
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
test_users[x]['id']) test_users[x]['id'])
self.assertEqual(0, len(group_refs)) self.assertEqual(0, len(group_refs))
@ -518,23 +535,23 @@ class SqlIdentity(SqlTests,
before_count = x before_count = x
after_count = x + 1 after_count = x + 1
new_group = unit.new_group_ref(domain_id=domain['id']) new_group = unit.new_group_ref(domain_id=domain['id'])
new_group = self.identity_api.create_group(new_group) new_group = PROVIDERS.identity_api.create_group(new_group)
test_groups.append(new_group) test_groups.append(new_group)
# add the user to the group and ensure that the # add the user to the group and ensure that the
# group count increases by one for each # group count increases by one for each
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id']) positive_user['id'])
self.assertEqual(before_count, len(group_refs)) self.assertEqual(before_count, len(group_refs))
self.identity_api.add_user_to_group( PROVIDERS.identity_api.add_user_to_group(
positive_user['id'], positive_user['id'],
new_group['id']) new_group['id'])
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id']) positive_user['id'])
self.assertEqual(after_count, len(group_refs)) self.assertEqual(after_count, len(group_refs))
# Make sure the group count for the unrelated user did not change # Make sure the group count for the unrelated user did not change
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id']) negative_user['id'])
self.assertEqual(0, len(group_refs)) self.assertEqual(0, len(group_refs))
@ -543,18 +560,18 @@ class SqlIdentity(SqlTests,
for x in range(0, 3): for x in range(0, 3):
before_count = GROUP_COUNT - x before_count = GROUP_COUNT - x
after_count = GROUP_COUNT - x - 1 after_count = GROUP_COUNT - x - 1
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id']) positive_user['id'])
self.assertEqual(before_count, len(group_refs)) self.assertEqual(before_count, len(group_refs))
self.identity_api.remove_user_from_group( PROVIDERS.identity_api.remove_user_from_group(
positive_user['id'], positive_user['id'],
test_groups[x]['id']) test_groups[x]['id'])
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id']) positive_user['id'])
self.assertEqual(after_count, len(group_refs)) self.assertEqual(after_count, len(group_refs))
# Make sure the group count for the unrelated user # Make sure the group count for the unrelated user
# did not change # did not change
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id']) negative_user['id'])
self.assertEqual(0, len(group_refs)) self.assertEqual(0, len(group_refs))
@ -570,43 +587,46 @@ class SqlIdentity(SqlTests,
""" """
spoiler_project = unit.new_project_ref( spoiler_project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
self.resource_api.create_project(spoiler_project['id'], PROVIDERS.resource_api.create_project(
spoiler_project) spoiler_project['id'], spoiler_project
)
# First let's create a project with a None domain_id and make sure we # First let's create a project with a None domain_id and make sure we
# can read it back. # can read it back.
project = unit.new_project_ref(domain_id=None, is_domain=True) project = unit.new_project_ref(domain_id=None, is_domain=True)
project = self.resource_api.create_project(project['id'], project) project = PROVIDERS.resource_api.create_project(project['id'], project)
ref = self.resource_api.get_project(project['id']) ref = PROVIDERS.resource_api.get_project(project['id'])
self.assertDictEqual(project, ref) self.assertDictEqual(project, ref)
# Can we get it by name? # Can we get it by name?
ref = self.resource_api.get_project_by_name(project['name'], None) ref = PROVIDERS.resource_api.get_project_by_name(project['name'], None)
self.assertDictEqual(project, ref) self.assertDictEqual(project, ref)
# Can we filter for them - create a second domain to ensure we are # Can we filter for them - create a second domain to ensure we are
# testing the receipt of more than one. # testing the receipt of more than one.
project2 = unit.new_project_ref(domain_id=None, is_domain=True) project2 = unit.new_project_ref(domain_id=None, is_domain=True)
project2 = self.resource_api.create_project(project2['id'], project2) project2 = PROVIDERS.resource_api.create_project(
project2['id'], project2
)
hints = driver_hints.Hints() hints = driver_hints.Hints()
hints.add_filter('domain_id', None) hints.add_filter('domain_id', None)
refs = self.resource_api.list_projects(hints) refs = PROVIDERS.resource_api.list_projects(hints)
self.assertThat(refs, matchers.HasLength(2 + self.domain_count)) self.assertThat(refs, matchers.HasLength(2 + self.domain_count))
self.assertIn(project, refs) self.assertIn(project, refs)
self.assertIn(project2, refs) self.assertIn(project2, refs)
# Can we update it? # Can we update it?
project['name'] = uuid.uuid4().hex project['name'] = uuid.uuid4().hex
self.resource_api.update_project(project['id'], project) PROVIDERS.resource_api.update_project(project['id'], project)
ref = self.resource_api.get_project(project['id']) ref = PROVIDERS.resource_api.get_project(project['id'])
self.assertDictEqual(project, ref) self.assertDictEqual(project, ref)
# Finally, make sure we can delete it # Finally, make sure we can delete it
project['enabled'] = False project['enabled'] = False
self.resource_api.update_project(project['id'], project) PROVIDERS.resource_api.update_project(project['id'], project)
self.resource_api.delete_project(project['id']) PROVIDERS.resource_api.delete_project(project['id'])
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
self.resource_api.get_project, PROVIDERS.resource_api.get_project,
project['id']) project['id'])
def test_hidden_project_domain_root_is_really_hidden(self): def test_hidden_project_domain_root_is_really_hidden(self):
@ -619,7 +639,7 @@ class SqlIdentity(SqlTests,
""" """
def _exercise_project_api(ref_id): def _exercise_project_api(ref_id):
driver = self.resource_api.driver driver = PROVIDERS.resource_api.driver
self.assertRaises(exception.ProjectNotFound, self.assertRaises(exception.ProjectNotFound,
driver.get_project, driver.get_project,
ref_id) ref_id)
@ -680,7 +700,7 @@ class SqlIdentity(SqlTests,
# create 10 users. 10 is just a random number # create 10 users. 10 is just a random number
for i in range(10): for i in range(10):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
self.identity_api.create_user(user) PROVIDERS.identity_api.create_user(user)
# sqlalchemy emits various events and allows to listen to them. Here # sqlalchemy emits various events and allows to listen to them. Here
# bound method `query_counter` will be called each time when a query # bound method `query_counter` will be called each time when a query
@ -699,14 +719,14 @@ class SqlIdentity(SqlTests,
sqlalchemy.event.listen(sqlalchemy.orm.query.Query, 'before_compile', sqlalchemy.event.listen(sqlalchemy.orm.query.Query, 'before_compile',
counter.query_counter) counter.query_counter)
first_call_users = self.identity_api.list_users() first_call_users = PROVIDERS.identity_api.list_users()
first_call_counter = counter.calls first_call_counter = counter.calls
# add 10 more users # add 10 more users
for i in range(10): for i in range(10):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
self.identity_api.create_user(user) PROVIDERS.identity_api.create_user(user)
counter.reset() counter.reset()
second_call_users = self.identity_api.list_users() second_call_users = PROVIDERS.identity_api.list_users()
# ensure that the number of calls does not depend on the number of # ensure that the number of calls does not depend on the number of
# users fetched. # users fetched.
self.assertNotEqual(len(first_call_users), len(second_call_users)) self.assertNotEqual(len(first_call_users), len(second_call_users))
@ -858,27 +878,27 @@ class SqlCatalog(SqlTests, catalog_tests.CatalogTests):
def test_catalog_ignored_malformed_urls(self): def test_catalog_ignored_malformed_urls(self):
service = unit.new_service_ref() service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service) PROVIDERS.catalog_api.create_service(service['id'], service)
malformed_url = "http://192.168.1.104:8774/v2/$(tenant)s" malformed_url = "http://192.168.1.104:8774/v2/$(tenant)s"
endpoint = unit.new_endpoint_ref(service_id=service['id'], endpoint = unit.new_endpoint_ref(service_id=service['id'],
url=malformed_url, url=malformed_url,
region_id=None) region_id=None)
self.catalog_api.create_endpoint(endpoint['id'], endpoint.copy()) PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint.copy())
# NOTE(dstanek): there are no valid URLs, so nothing is in the catalog # NOTE(dstanek): there are no valid URLs, so nothing is in the catalog
catalog = self.catalog_api.get_catalog('fake-user', 'fake-tenant') catalog = PROVIDERS.catalog_api.get_catalog('fake-user', 'fake-tenant')
self.assertEqual({}, catalog) self.assertEqual({}, catalog)
def test_get_catalog_with_empty_public_url(self): def test_get_catalog_with_empty_public_url(self):
service = unit.new_service_ref() service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service) PROVIDERS.catalog_api.create_service(service['id'], service)
endpoint = unit.new_endpoint_ref(url='', service_id=service['id'], endpoint = unit.new_endpoint_ref(url='', service_id=service['id'],
region_id=None) region_id=None)
self.catalog_api.create_endpoint(endpoint['id'], endpoint.copy()) PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint.copy())
catalog = self.catalog_api.get_catalog('user', 'tenant') catalog = PROVIDERS.catalog_api.get_catalog('user', 'tenant')
catalog_endpoint = catalog[endpoint['region_id']][service['type']] catalog_endpoint = catalog[endpoint['region_id']][service['type']]
self.assertEqual(service['name'], catalog_endpoint['name']) self.assertEqual(service['name'], catalog_endpoint['name'])
self.assertEqual(endpoint['id'], catalog_endpoint['id']) self.assertEqual(endpoint['id'], catalog_endpoint['id'])
@ -888,13 +908,13 @@ class SqlCatalog(SqlTests, catalog_tests.CatalogTests):
def test_create_endpoint_region_returns_not_found(self): def test_create_endpoint_region_returns_not_found(self):
service = unit.new_service_ref() service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service) PROVIDERS.catalog_api.create_service(service['id'], service)
endpoint = unit.new_endpoint_ref(region_id=uuid.uuid4().hex, endpoint = unit.new_endpoint_ref(region_id=uuid.uuid4().hex,
service_id=service['id']) service_id=service['id'])
self.assertRaises(exception.ValidationError, self.assertRaises(exception.ValidationError,
self.catalog_api.create_endpoint, PROVIDERS.catalog_api.create_endpoint,
endpoint['id'], endpoint['id'],
endpoint.copy()) endpoint.copy())
@ -902,85 +922,92 @@ class SqlCatalog(SqlTests, catalog_tests.CatalogTests):
region = unit.new_region_ref(id='0' * 256) region = unit.new_region_ref(id='0' * 256)
self.assertRaises(exception.StringLengthExceeded, self.assertRaises(exception.StringLengthExceeded,
self.catalog_api.create_region, PROVIDERS.catalog_api.create_region,
region) region)
def test_create_region_invalid_parent_id(self): def test_create_region_invalid_parent_id(self):
region = unit.new_region_ref(parent_region_id='0' * 256) region = unit.new_region_ref(parent_region_id='0' * 256)
self.assertRaises(exception.RegionNotFound, self.assertRaises(exception.RegionNotFound,
self.catalog_api.create_region, PROVIDERS.catalog_api.create_region,
region) region)
def test_delete_region_with_endpoint(self): def test_delete_region_with_endpoint(self):
# create a region # create a region
region = unit.new_region_ref() region = unit.new_region_ref()
self.catalog_api.create_region(region) PROVIDERS.catalog_api.create_region(region)
# create a child region # create a child region
child_region = unit.new_region_ref(parent_region_id=region['id']) child_region = unit.new_region_ref(parent_region_id=region['id'])
self.catalog_api.create_region(child_region) PROVIDERS.catalog_api.create_region(child_region)
# create a service # create a service
service = unit.new_service_ref() service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service) PROVIDERS.catalog_api.create_service(service['id'], service)
# create an endpoint attached to the service and child region # create an endpoint attached to the service and child region
child_endpoint = unit.new_endpoint_ref(region_id=child_region['id'], child_endpoint = unit.new_endpoint_ref(region_id=child_region['id'],
service_id=service['id']) service_id=service['id'])
self.catalog_api.create_endpoint(child_endpoint['id'], child_endpoint) PROVIDERS.catalog_api.create_endpoint(
child_endpoint['id'], child_endpoint
)
self.assertRaises(exception.RegionDeletionError, self.assertRaises(exception.RegionDeletionError,
self.catalog_api.delete_region, PROVIDERS.catalog_api.delete_region,
child_region['id']) child_region['id'])
# create an endpoint attached to the service and parent region # create an endpoint attached to the service and parent region
endpoint = unit.new_endpoint_ref(region_id=region['id'], endpoint = unit.new_endpoint_ref(region_id=region['id'],
service_id=service['id']) service_id=service['id'])
self.catalog_api.create_endpoint(endpoint['id'], endpoint) PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
self.assertRaises(exception.RegionDeletionError, self.assertRaises(exception.RegionDeletionError,
self.catalog_api.delete_region, PROVIDERS.catalog_api.delete_region,
region['id']) region['id'])
def test_v3_catalog_domain_scoped_token(self): def test_v3_catalog_domain_scoped_token(self):
# test the case that tenant_id is None. # test the case that tenant_id is None.
srv_1 = unit.new_service_ref() srv_1 = unit.new_service_ref()
self.catalog_api.create_service(srv_1['id'], srv_1) PROVIDERS.catalog_api.create_service(srv_1['id'], srv_1)
endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'], endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'],
region_id=None) region_id=None)
self.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) PROVIDERS.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1)
srv_2 = unit.new_service_ref() srv_2 = unit.new_service_ref()
self.catalog_api.create_service(srv_2['id'], srv_2) PROVIDERS.catalog_api.create_service(srv_2['id'], srv_2)
endpoint_2 = unit.new_endpoint_ref(service_id=srv_2['id'], endpoint_2 = unit.new_endpoint_ref(service_id=srv_2['id'],
region_id=None) region_id=None)
self.catalog_api.create_endpoint(endpoint_2['id'], endpoint_2) PROVIDERS.catalog_api.create_endpoint(endpoint_2['id'], endpoint_2)
self.config_fixture.config(group='endpoint_filter', self.config_fixture.config(group='endpoint_filter',
return_all_endpoints_if_no_filter=True) return_all_endpoints_if_no_filter=True)
catalog_ref = self.catalog_api.get_v3_catalog(uuid.uuid4().hex, None) catalog_ref = PROVIDERS.catalog_api.get_v3_catalog(
uuid.uuid4().hex, None
)
self.assertThat(catalog_ref, matchers.HasLength(2)) self.assertThat(catalog_ref, matchers.HasLength(2))
self.config_fixture.config(group='endpoint_filter', self.config_fixture.config(group='endpoint_filter',
return_all_endpoints_if_no_filter=False) return_all_endpoints_if_no_filter=False)
catalog_ref = self.catalog_api.get_v3_catalog(uuid.uuid4().hex, None) catalog_ref = PROVIDERS.catalog_api.get_v3_catalog(
uuid.uuid4().hex, None
)
self.assertThat(catalog_ref, matchers.HasLength(0)) self.assertThat(catalog_ref, matchers.HasLength(0))
def test_v3_catalog_endpoint_filter_enabled(self): def test_v3_catalog_endpoint_filter_enabled(self):
srv_1 = unit.new_service_ref() srv_1 = unit.new_service_ref()
self.catalog_api.create_service(srv_1['id'], srv_1) PROVIDERS.catalog_api.create_service(srv_1['id'], srv_1)
endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'], endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'],
region_id=None) region_id=None)
self.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) PROVIDERS.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1)
endpoint_2 = unit.new_endpoint_ref(service_id=srv_1['id'], endpoint_2 = unit.new_endpoint_ref(service_id=srv_1['id'],
region_id=None) region_id=None)
self.catalog_api.create_endpoint(endpoint_2['id'], endpoint_2) PROVIDERS.catalog_api.create_endpoint(endpoint_2['id'], endpoint_2)
# create endpoint-project association. # create endpoint-project association.
self.catalog_api.add_endpoint_to_project( PROVIDERS.catalog_api.add_endpoint_to_project(
endpoint_1['id'], endpoint_1['id'],
self.tenant_bar['id']) self.tenant_bar['id'])
catalog_ref = self.catalog_api.get_v3_catalog(uuid.uuid4().hex, catalog_ref = PROVIDERS.catalog_api.get_v3_catalog(
self.tenant_bar['id']) uuid.uuid4().hex, self.tenant_bar['id']
)
self.assertThat(catalog_ref, matchers.HasLength(1)) self.assertThat(catalog_ref, matchers.HasLength(1))
self.assertThat(catalog_ref[0]['endpoints'], matchers.HasLength(1)) self.assertThat(catalog_ref[0]['endpoints'], matchers.HasLength(1))
# the endpoint is that defined in the endpoint-project association. # the endpoint is that defined in the endpoint-project association.
@ -992,16 +1019,17 @@ class SqlCatalog(SqlTests, catalog_tests.CatalogTests):
self.config_fixture.config(group='endpoint_filter', self.config_fixture.config(group='endpoint_filter',
return_all_endpoints_if_no_filter=True) return_all_endpoints_if_no_filter=True)
srv_1 = unit.new_service_ref() srv_1 = unit.new_service_ref()
self.catalog_api.create_service(srv_1['id'], srv_1) PROVIDERS.catalog_api.create_service(srv_1['id'], srv_1)
endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'], endpoint_1 = unit.new_endpoint_ref(service_id=srv_1['id'],
region_id=None) region_id=None)
self.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1) PROVIDERS.catalog_api.create_endpoint(endpoint_1['id'], endpoint_1)
srv_2 = unit.new_service_ref() srv_2 = unit.new_service_ref()
self.catalog_api.create_service(srv_2['id'], srv_2) PROVIDERS.catalog_api.create_service(srv_2['id'], srv_2)
catalog_ref = self.catalog_api.get_v3_catalog(uuid.uuid4().hex, catalog_ref = PROVIDERS.catalog_api.get_v3_catalog(
self.tenant_bar['id']) uuid.uuid4().hex, self.tenant_bar['id']
)
self.assertThat(catalog_ref, matchers.HasLength(2)) self.assertThat(catalog_ref, matchers.HasLength(2))
srv_id_list = [catalog_ref[0]['id'], catalog_ref[1]['id']] srv_id_list = [catalog_ref[0]['id'], catalog_ref[1]['id']]
self.assertItemsEqual([srv_1['id'], srv_2['id']], srv_id_list) self.assertItemsEqual([srv_1['id'], srv_2['id']], srv_id_list)
@ -1047,8 +1075,8 @@ class SqlFilterTests(SqlTests, identity_tests.FilterTests):
del self.entity_list del self.entity_list
del self.domain1_entity_list del self.domain1_entity_list
self.domain1['enabled'] = False self.domain1['enabled'] = False
self.resource_api.update_domain(self.domain1['id'], self.domain1) PROVIDERS.resource_api.update_domain(self.domain1['id'], self.domain1)
self.resource_api.delete_domain(self.domain1['id']) PROVIDERS.resource_api.delete_domain(self.domain1['id'])
del self.domain1 del self.domain1
def test_list_entities_filtered_by_domain(self): def test_list_entities_filtered_by_domain(self):
@ -1058,7 +1086,7 @@ class SqlFilterTests(SqlTests, identity_tests.FilterTests):
# the driver level. # the driver level.
self.addCleanup(self.clean_up_entities) self.addCleanup(self.clean_up_entities)
self.domain1 = unit.new_domain_ref() self.domain1 = unit.new_domain_ref()
self.resource_api.create_domain(self.domain1['id'], self.domain1) PROVIDERS.resource_api.create_domain(self.domain1['id'], self.domain1)
self.entity_list = {} self.entity_list = {}
self.domain1_entity_list = {} self.domain1_entity_list = {}
@ -1087,25 +1115,25 @@ class SqlFilterTests(SqlTests, identity_tests.FilterTests):
""" """
# Check we have some users # Check we have some users
users = self.identity_api.list_users() users = PROVIDERS.identity_api.list_users()
self.assertGreater(len(users), 0) self.assertGreater(len(users), 0)
hints = driver_hints.Hints() hints = driver_hints.Hints()
hints.add_filter('name', "anything' or 'x'='x") hints.add_filter('name', "anything' or 'x'='x")
users = self.identity_api.list_users(hints=hints) users = PROVIDERS.identity_api.list_users(hints=hints)
self.assertEqual(0, len(users)) self.assertEqual(0, len(users))
# See if we can add a SQL command...use the group table instead of the # See if we can add a SQL command...use the group table instead of the
# user table since 'user' is reserved word for SQLAlchemy. # user table since 'user' is reserved word for SQLAlchemy.
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id) group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
group = self.identity_api.create_group(group) group = PROVIDERS.identity_api.create_group(group)
hints = driver_hints.Hints() hints = driver_hints.Hints()
hints.add_filter('name', "x'; drop table group") hints.add_filter('name', "x'; drop table group")
groups = self.identity_api.list_groups(hints=hints) groups = PROVIDERS.identity_api.list_groups(hints=hints)
self.assertEqual(0, len(groups)) self.assertEqual(0, len(groups))
groups = self.identity_api.list_groups() groups = PROVIDERS.identity_api.list_groups()
self.assertGreater(len(groups), 0) self.assertGreater(len(groups), 0)
@ -1167,7 +1195,9 @@ class SqlCredential(SqlTests):
credential = unit.new_credential_ref(user_id=user_id, credential = unit.new_credential_ref(user_id=user_id,
extra=uuid.uuid4().hex, extra=uuid.uuid4().hex,
type=uuid.uuid4().hex) type=uuid.uuid4().hex)
self.credential_api.create_credential(credential['id'], credential) PROVIDERS.credential_api.create_credential(
credential['id'], credential
)
return credential return credential
def _validateCredentialList(self, retrieved_credentials, def _validateCredentialList(self, retrieved_credentials,
@ -1199,29 +1229,29 @@ class SqlCredential(SqlTests):
self.credentials.append(cred) self.credentials.append(cred)
def test_list_credentials(self): def test_list_credentials(self):
credentials = self.credential_api.list_credentials() credentials = PROVIDERS.credential_api.list_credentials()
self._validateCredentialList(credentials, self.credentials) self._validateCredentialList(credentials, self.credentials)
# test filtering using hints # test filtering using hints
hints = driver_hints.Hints() hints = driver_hints.Hints()
hints.add_filter('user_id', self.user_foo['id']) hints.add_filter('user_id', self.user_foo['id'])
credentials = self.credential_api.list_credentials(hints) credentials = PROVIDERS.credential_api.list_credentials(hints)
self._validateCredentialList(credentials, self.user_credentials) self._validateCredentialList(credentials, self.user_credentials)
def test_list_credentials_for_user(self): def test_list_credentials_for_user(self):
credentials = self.credential_api.list_credentials_for_user( credentials = PROVIDERS.credential_api.list_credentials_for_user(
self.user_foo['id']) self.user_foo['id'])
self._validateCredentialList(credentials, self.user_credentials) self._validateCredentialList(credentials, self.user_credentials)
def test_list_credentials_for_user_and_type(self): def test_list_credentials_for_user_and_type(self):
cred = self.user_credentials[0] cred = self.user_credentials[0]
credentials = self.credential_api.list_credentials_for_user( credentials = PROVIDERS.credential_api.list_credentials_for_user(
self.user_foo['id'], type=cred['type']) self.user_foo['id'], type=cred['type'])
self._validateCredentialList(credentials, [cred]) self._validateCredentialList(credentials, [cred])
def test_create_credential_is_encrypted_when_stored(self): def test_create_credential_is_encrypted_when_stored(self):
credential = unit.new_credential_ref(user_id=uuid.uuid4().hex) credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
credential_id = credential['id'] credential_id = credential['id']
returned_credential = self.credential_api.create_credential( returned_credential = PROVIDERS.credential_api.create_credential(
credential_id, credential_id,
credential credential
) )
@ -1230,8 +1260,8 @@ class SqlCredential(SqlTests):
# credential API. # credential API.
self.assertEqual(returned_credential['blob'], credential['blob']) self.assertEqual(returned_credential['blob'], credential['blob'])
credential_from_backend = self.credential_api.driver.get_credential( credential_from_backend = (
credential_id PROVIDERS.credential_api.driver.get_credential(credential_id)
) )
# Pull the credential directly from the backend, the `blob` should be # Pull the credential directly from the backend, the `blob` should be
@ -1245,15 +1275,15 @@ class SqlCredential(SqlTests):
credential = unit.new_credential_ref(user_id=uuid.uuid4().hex) credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
credential_id = credential['id'] credential_id = credential['id']
created_credential = self.credential_api.create_credential( created_credential = PROVIDERS.credential_api.create_credential(
credential_id, credential_id,
credential credential
) )
# Pull the credential directly from the backend, the `blob` should be # Pull the credential directly from the backend, the `blob` should be
# encrypted. # encrypted.
credential_from_backend = self.credential_api.driver.get_credential( credential_from_backend = (
credential_id PROVIDERS.credential_api.driver.get_credential(credential_id)
) )
self.assertNotEqual( self.assertNotEqual(
credential_from_backend['encrypted_blob'], credential_from_backend['encrypted_blob'],
@ -1261,7 +1291,7 @@ class SqlCredential(SqlTests):
) )
# Make sure the `blob` values listed from the API are not encrypted. # Make sure the `blob` values listed from the API are not encrypted.
listed_credentials = self.credential_api.list_credentials() listed_credentials = PROVIDERS.credential_api.list_credentials()
self.assertIn(created_credential, listed_credentials) self.assertIn(created_credential, listed_credentials)

37
keystone/tests/unit/test_cli.py
View File

@ -50,6 +50,7 @@ from keystone.tests.unit.ksfixtures import ldapdb
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class CliTestCase(unit.SQLDriverOverrides, unit.TestCase): class CliTestCase(unit.SQLDriverOverrides, unit.TestCase):
@ -396,13 +397,15 @@ class CliDomainConfigAllTestCase(unit.SQLDriverOverrides, unit.TestCase):
if domain == 'domain_default': if domain == 'domain_default':
# Not allowed to delete the default domain, but should at least # Not allowed to delete the default domain, but should at least
# delete any domain-specific config for it. # delete any domain-specific config for it.
self.domain_config_api.delete_config( PROVIDERS.domain_config_api.delete_config(
CONF.identity.default_domain_id) CONF.identity.default_domain_id)
continue continue
this_domain = self.domains[domain] this_domain = self.domains[domain]
this_domain['enabled'] = False this_domain['enabled'] = False
self.resource_api.update_domain(this_domain['id'], this_domain) PROVIDERS.resource_api.update_domain(
self.resource_api.delete_domain(this_domain['id']) this_domain['id'], this_domain
)
PROVIDERS.resource_api.delete_domain(this_domain['id'])
self.domains = {} self.domains = {}
def config(self, config_files): def config(self, config_files):
@ -412,7 +415,7 @@ class CliDomainConfigAllTestCase(unit.SQLDriverOverrides, unit.TestCase):
def setup_initial_domains(self): def setup_initial_domains(self):
def create_domain(domain): def create_domain(domain):
return self.resource_api.create_domain(domain['id'], domain) return PROVIDERS.resource_api.create_domain(domain['id'], domain)
self.domains = {} self.domains = {}
self.addCleanup(self.cleanup_domains) self.addCleanup(self.cleanup_domains)
@ -458,13 +461,13 @@ class CliDomainConfigAllTestCase(unit.SQLDriverOverrides, unit.TestCase):
provider_api.ProviderAPIs._clear_registry_instances() provider_api.ProviderAPIs._clear_registry_instances()
cli.DomainConfigUpload.main() cli.DomainConfigUpload.main()
res = self.domain_config_api.get_config_with_sensitive_info( res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
CONF.identity.default_domain_id) CONF.identity.default_domain_id)
self.assertEqual(default_config, res) self.assertEqual(default_config, res)
res = self.domain_config_api.get_config_with_sensitive_info( res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domains['domain1']['id']) self.domains['domain1']['id'])
self.assertEqual(domain1_config, res) self.assertEqual(domain1_config, res)
res = self.domain_config_api.get_config_with_sensitive_info( res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domains['domain2']['id']) self.domains['domain2']['id'])
self.assertEqual(domain2_config, res) self.assertEqual(domain2_config, res)
@ -490,13 +493,13 @@ class CliDomainConfigSingleDomainTestCase(CliDomainConfigAllTestCase):
provider_api.ProviderAPIs._clear_registry_instances() provider_api.ProviderAPIs._clear_registry_instances()
cli.DomainConfigUpload.main() cli.DomainConfigUpload.main()
res = self.domain_config_api.get_config_with_sensitive_info( res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
CONF.identity.default_domain_id) CONF.identity.default_domain_id)
self.assertEqual(default_config, res) self.assertEqual(default_config, res)
res = self.domain_config_api.get_config_with_sensitive_info( res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domains['domain1']['id']) self.domains['domain1']['id'])
self.assertEqual({}, res) self.assertEqual({}, res)
res = self.domain_config_api.get_config_with_sensitive_info( res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domains['domain2']['id']) self.domains['domain2']['id'])
self.assertEqual({}, res) self.assertEqual({}, res)
@ -506,7 +509,7 @@ class CliDomainConfigSingleDomainTestCase(CliDomainConfigAllTestCase):
'ldap': {'url': uuid.uuid4().hex}, 'ldap': {'url': uuid.uuid4().hex},
'identity': {'driver': 'ldap'} 'identity': {'driver': 'ldap'}
} }
self.domain_config_api.create_config( PROVIDERS.domain_config_api.create_config(
CONF.identity.default_domain_id, default_config) CONF.identity.default_domain_id, default_config)
# Now try and upload the settings in the configuration file for the # Now try and upload the settings in the configuration file for the
@ -523,7 +526,7 @@ class CliDomainConfigSingleDomainTestCase(CliDomainConfigAllTestCase):
file_name)} file_name)}
mock_print.assert_has_calls([mock.call(error_msg)]) mock_print.assert_has_calls([mock.call(error_msg)])
res = self.domain_config_api.get_config( res = PROVIDERS.domain_config_api.get_config(
CONF.identity.default_domain_id) CONF.identity.default_domain_id)
# The initial config should not have been overwritten # The initial config should not have been overwritten
self.assertEqual(default_config, res) self.assertEqual(default_config, res)
@ -724,15 +727,17 @@ class TestMappingPopulate(unit.SQLDriverOverrides, unit.TestCase):
# 3. Execute mapping_populate. It should create id mappings # 3. Execute mapping_populate. It should create id mappings
# 4. For the same users verify that they have public_id now # 4. For the same users verify that they have public_id now
purge_filter = {} purge_filter = {}
self.id_mapping_api.purge_mappings(purge_filter) PROVIDERS.id_mapping_api.purge_mappings(purge_filter)
hints = None hints = None
users = self.identity_api.driver.list_users(hints) users = PROVIDERS.identity_api.driver.list_users(hints)
for user in users: for user in users:
local_entity = { local_entity = {
'domain_id': CONF.identity.default_domain_id, 'domain_id': CONF.identity.default_domain_id,
'local_id': user['id'], 'local_id': user['id'],
'entity_type': identity_mapping.EntityType.USER} 'entity_type': identity_mapping.EntityType.USER}
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity)) self.assertIsNone(
PROVIDERS.id_mapping_api.get_public_id(local_entity)
)
# backends are loaded again in the command handler # backends are loaded again in the command handler
provider_api.ProviderAPIs._clear_registry_instances() provider_api.ProviderAPIs._clear_registry_instances()
@ -744,7 +749,7 @@ class TestMappingPopulate(unit.SQLDriverOverrides, unit.TestCase):
'local_id': user['id'], 'local_id': user['id'],
'entity_type': identity_mapping.EntityType.USER} 'entity_type': identity_mapping.EntityType.USER}
self.assertIsNotNone( self.assertIsNotNone(
self.id_mapping_api.get_public_id(local_entity)) PROVIDERS.id_mapping_api.get_public_id(local_entity))
def test_bad_domain_name(self): def test_bad_domain_name(self):
CONF(args=['mapping_populate', '--domain-name', uuid.uuid4().hex], CONF(args=['mapping_populate', '--domain-name', uuid.uuid4().hex],

40
keystone/tests/unit/test_ldap_livetest.py
View File

@ -17,6 +17,7 @@ import subprocess
import ldap.modlist import ldap.modlist
from six.moves import range from six.moves import range
from keystone.common import provider_api
import keystone.conf import keystone.conf
from keystone import exception from keystone import exception
from keystone.identity.backends import ldap as identity_ldap from keystone.identity.backends import ldap as identity_ldap
@ -25,6 +26,7 @@ from keystone.tests.unit import test_backend_ldap
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
def create_object(dn, attrs): def create_object(dn, attrs):
@ -100,20 +102,20 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity):
self.config_fixture.config(group='ldap', self.config_fixture.config(group='ldap',
query_scope='sub', query_scope='sub',
alias_dereferencing='never') alias_dereferencing='never')
self.identity_api = identity_ldap.Identity() PROVIDERS.identity_api = identity_ldap.Identity()
self.assertRaises(exception.UserNotFound, self.assertRaises(exception.UserNotFound,
self.identity_api.get_user, PROVIDERS.identity_api.get_user,
'alt_fake1') 'alt_fake1')
self.config_fixture.config(group='ldap', self.config_fixture.config(group='ldap',
alias_dereferencing='searching') alias_dereferencing='searching')
self.identity_api = identity_ldap.Identity() PROVIDERS.identity_api = identity_ldap.Identity()
user_ref = self.identity_api.get_user('alt_fake1') user_ref = PROVIDERS.identity_api.get_user('alt_fake1')
self.assertEqual('alt_fake1', user_ref['id']) self.assertEqual('alt_fake1', user_ref['id'])
self.config_fixture.config(group='ldap', alias_dereferencing='always') self.config_fixture.config(group='ldap', alias_dereferencing='always')
self.identity_api = identity_ldap.Identity() PROVIDERS.identity_api = identity_ldap.Identity()
user_ref = self.identity_api.get_user('alt_fake1') user_ref = PROVIDERS.identity_api.get_user('alt_fake1')
self.assertEqual('alt_fake1', user_ref['id']) self.assertEqual('alt_fake1', user_ref['id'])
# FakeLDAP does not correctly process filters, so this test can only be # FakeLDAP does not correctly process filters, so this test can only be
@ -125,51 +127,51 @@ class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity):
GROUP_COUNT = 3 GROUP_COUNT = 3
USER_COUNT = 2 USER_COUNT = 2
positive_user = unit.create_user(self.identity_api, domain['id']) positive_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
negative_user = unit.create_user(self.identity_api, domain['id']) negative_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
for x in range(0, USER_COUNT): for x in range(0, USER_COUNT):
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
test_users[x]['id']) test_users[x]['id'])
self.assertEqual(0, len(group_refs)) self.assertEqual(0, len(group_refs))
for x in range(0, GROUP_COUNT): for x in range(0, GROUP_COUNT):
new_group = unit.new_group_ref(domain_id=domain['id']) new_group = unit.new_group_ref(domain_id=domain['id'])
new_group = self.identity_api.create_group(new_group) new_group = PROVIDERS.identity_api.create_group(new_group)
test_groups.append(new_group) test_groups.append(new_group)
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id']) positive_user['id'])
self.assertEqual(x, len(group_refs)) self.assertEqual(x, len(group_refs))
self.identity_api.add_user_to_group( PROVIDERS.identity_api.add_user_to_group(
positive_user['id'], positive_user['id'],
new_group['id']) new_group['id'])
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id']) positive_user['id'])
self.assertEqual(x + 1, len(group_refs)) self.assertEqual(x + 1, len(group_refs))
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id']) negative_user['id'])
self.assertEqual(0, len(group_refs)) self.assertEqual(0, len(group_refs))
driver = self.identity_api._select_identity_driver( driver = PROVIDERS.identity_api._select_identity_driver(
CONF.identity.default_domain_id) CONF.identity.default_domain_id)
driver.group.ldap_filter = '(dn=xx)' driver.group.ldap_filter = '(dn=xx)'
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id']) positive_user['id'])
self.assertEqual(0, len(group_refs)) self.assertEqual(0, len(group_refs))
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id']) negative_user['id'])
self.assertEqual(0, len(group_refs)) self.assertEqual(0, len(group_refs))
driver.group.ldap_filter = '(objectclass=*)' driver.group.ldap_filter = '(objectclass=*)'
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id']) positive_user['id'])
self.assertEqual(GROUP_COUNT, len(group_refs)) self.assertEqual(GROUP_COUNT, len(group_refs))
group_refs = self.identity_api.list_groups_for_user( group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id']) negative_user['id'])
self.assertEqual(0, len(group_refs)) self.assertEqual(0, len(group_refs))

44
keystone/tests/unit/test_ldap_tls_livetest.py
View File

@ -15,6 +15,7 @@
import ldap.modlist import ldap.modlist
from keystone.common import provider_api
import keystone.conf import keystone.conf
from keystone import exception from keystone import exception
from keystone import identity from keystone import identity
@ -23,6 +24,7 @@ from keystone.tests.unit import test_ldap_livetest
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
def create_object(dn, attrs): def create_object(dn, attrs):
@ -48,39 +50,45 @@ class LiveTLSLDAPIdentity(test_ldap_livetest.LiveLDAPIdentity):
use_tls=True, use_tls=True,
tls_cacertdir=None, tls_cacertdir=None,
tls_req_cert='demand') tls_req_cert='demand')
self.identity_api = identity.backends.ldap.Identity() PROVIDERS.identity_api = identity.backends.ldap.Identity()
user = unit.create_user(self.identity_api, 'default', user = unit.create_user(PROVIDERS.identity_api, 'default',
name='fake1', password='fakepass1') name='fake1', password='fakepass1')
user_ref = self.identity_api.get_user(user['id']) user_ref = PROVIDERS.identity_api.get_user(user['id'])
self.assertEqual(user['id'], user_ref['id']) self.assertEqual(user['id'], user_ref['id'])
user['password'] = 'fakepass2' user['password'] = 'fakepass2'
self.identity_api.update_user(user['id'], user) PROVIDERS.identity_api.update_user(user['id'], user)
self.identity_api.delete_user(user['id']) PROVIDERS.identity_api.delete_user(user['id'])
self.assertRaises(exception.UserNotFound, self.identity_api.get_user, self.assertRaises(
user['id']) exception.UserNotFound,
PROVIDERS.identity_api.get_user,
user['id']
)
def test_tls_certdir_demand_option(self): def test_tls_certdir_demand_option(self):
self.config_fixture.config(group='ldap', self.config_fixture.config(group='ldap',
use_tls=True, use_tls=True,
tls_cacertdir=None, tls_cacertdir=None,
tls_req_cert='demand') tls_req_cert='demand')
self.identity_api = identity.backends.ldap.Identity() PROVIDERS.identity_api = identity.backends.ldap.Identity()
user = unit.create_user(self.identity_api, 'default', user = unit.create_user(PROVIDERS.identity_api, 'default',
id='fake1', name='fake1', id='fake1', name='fake1',
password='fakepass1') password='fakepass1')
user_ref = self.identity_api.get_user('fake1') user_ref = PROVIDERS.identity_api.get_user('fake1')
self.assertEqual('fake1', user_ref['id']) self.assertEqual('fake1', user_ref['id'])
user['password'] = 'fakepass2' user['password'] = 'fakepass2'
self.identity_api.update_user('fake1', user) PROVIDERS.identity_api.update_user('fake1', user)
self.identity_api.delete_user('fake1') PROVIDERS.identity_api.delete_user('fake1')
self.assertRaises(exception.UserNotFound, self.identity_api.get_user, self.assertRaises(
'fake1') exception.UserNotFound,
PROVIDERS.identity_api.get_user,
'fake1'
)
def test_tls_bad_certfile(self): def test_tls_bad_certfile(self):
self.config_fixture.config( self.config_fixture.config(
@ -89,10 +97,10 @@ class LiveTLSLDAPIdentity(test_ldap_livetest.LiveLDAPIdentity):
tls_req_cert='demand', tls_req_cert='demand',
tls_cacertfile='/etc/keystone/ssl/certs/mythicalcert.pem', tls_cacertfile='/etc/keystone/ssl/certs/mythicalcert.pem',
tls_cacertdir=None) tls_cacertdir=None)
self.identity_api = identity.backends.ldap.Identity() PROVIDERS.identity_api = identity.backends.ldap.Identity()
user = unit.new_user_ref('default') user = unit.new_user_ref('default')
self.assertRaises(IOError, self.identity_api.create_user, user) self.assertRaises(IOError, PROVIDERS.identity_api.create_user, user)
def test_tls_bad_certdir(self): def test_tls_bad_certdir(self):
self.config_fixture.config( self.config_fixture.config(
@ -101,7 +109,7 @@ class LiveTLSLDAPIdentity(test_ldap_livetest.LiveLDAPIdentity):
tls_cacertfile=None, tls_cacertfile=None,
tls_req_cert='demand', tls_req_cert='demand',
tls_cacertdir='/etc/keystone/ssl/mythicalcertdir') tls_cacertdir='/etc/keystone/ssl/mythicalcertdir')
self.identity_api = identity.backends.ldap.Identity() PROVIDERS.identity_api = identity.backends.ldap.Identity()
user = unit.new_user_ref('default') user = unit.new_user_ref('default')
self.assertRaises(IOError, self.identity_api.create_user, user) self.assertRaises(IOError, PROVIDERS.identity_api.create_user, user)

117
keystone/tests/unit/test_revoke.py
View File

@ -18,6 +18,7 @@ import mock
from oslo_utils import timeutils from oslo_utils import timeutils
from testtools import matchers from testtools import matchers
from keystone.common import provider_api
from keystone.common import utils from keystone.common import utils
import keystone.conf import keystone.conf
from keystone import exception from keystone import exception
@ -30,6 +31,7 @@ from keystone.token.providers import common
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
def _future_time(): def _future_time():
@ -49,27 +51,30 @@ class RevokeTests(object):
def _assertTokenRevoked(self, token_data): def _assertTokenRevoked(self, token_data):
self.assertRaises(exception.TokenNotFound, self.assertRaises(exception.TokenNotFound,
self.revoke_api.check_token, PROVIDERS.revoke_api.check_token,
token=token_data) token=token_data)
def _assertTokenNotRevoked(self, token_data): def _assertTokenNotRevoked(self, token_data):
self.assertIsNone(self.revoke_api.check_token(token_data)) self.assertIsNone(PROVIDERS.revoke_api.check_token(token_data))
def test_list(self): def test_list(self):
self.revoke_api.revoke_by_user(user_id=1) PROVIDERS.revoke_api.revoke_by_user(user_id=1)
self.assertEqual(1, len(self.revoke_api.list_events())) self.assertEqual(1, len(PROVIDERS.revoke_api.list_events()))
self.revoke_api.revoke_by_user(user_id=2) PROVIDERS.revoke_api.revoke_by_user(user_id=2)
self.assertEqual(2, len(self.revoke_api.list_events())) self.assertEqual(2, len(PROVIDERS.revoke_api.list_events()))
def test_list_since(self): def test_list_since(self):
self.revoke_api.revoke_by_user(user_id=1) PROVIDERS.revoke_api.revoke_by_user(user_id=1)
self.revoke_api.revoke_by_user(user_id=2) PROVIDERS.revoke_api.revoke_by_user(user_id=2)
past = timeutils.utcnow() - datetime.timedelta(seconds=1000) past = timeutils.utcnow() - datetime.timedelta(seconds=1000)
self.assertEqual(2, len(self.revoke_api.list_events(last_fetch=past))) self.assertEqual(
2, len(PROVIDERS.revoke_api.list_events(last_fetch=past))
)
future = timeutils.utcnow() + datetime.timedelta(seconds=1000) future = timeutils.utcnow() + datetime.timedelta(seconds=1000)
self.assertEqual(0, self.assertEqual(
len(self.revoke_api.list_events(last_fetch=future))) 0, len(PROVIDERS.revoke_api.list_events(last_fetch=future))
)
def test_list_revoked_user(self): def test_list_revoked_user(self):
revocation_backend = sql.Revoke() revocation_backend = sql.Revoke()
@ -80,7 +85,7 @@ class RevokeTests(object):
# event in the backend. # event in the backend.
first_token = _sample_blank_token() first_token = _sample_blank_token()
first_token['user_id'] = uuid.uuid4().hex first_token['user_id'] = uuid.uuid4().hex
self.revoke_api.revoke_by_user(user_id=first_token['user_id']) PROVIDERS.revoke_api.revoke_by_user(user_id=first_token['user_id'])
self._assertTokenRevoked(first_token) self._assertTokenRevoked(first_token)
self.assertEqual( self.assertEqual(
1, len(revocation_backend.list_events(token=first_token)) 1, len(revocation_backend.list_events(token=first_token))
@ -92,7 +97,7 @@ class RevokeTests(object):
# one should match the values of the second token. # one should match the values of the second token.
second_token = _sample_blank_token() second_token = _sample_blank_token()
second_token['user_id'] = uuid.uuid4().hex second_token['user_id'] = uuid.uuid4().hex
self.revoke_api.revoke_by_user(user_id=second_token['user_id']) PROVIDERS.revoke_api.revoke_by_user(user_id=second_token['user_id'])
self._assertTokenRevoked(second_token) self._assertTokenRevoked(second_token)
self.assertEqual( self.assertEqual(
1, len(revocation_backend.list_events(token=second_token)) 1, len(revocation_backend.list_events(token=second_token))
@ -164,7 +169,7 @@ class RevokeTests(object):
# just revoked. # just revoked.
first_token = _sample_blank_token() first_token = _sample_blank_token()
first_token['audit_id'] = common.random_urlsafe_str() first_token['audit_id'] = common.random_urlsafe_str()
self.revoke_api.revoke_by_audit_id( PROVIDERS.revoke_api.revoke_by_audit_id(
audit_id=first_token['audit_id']) audit_id=first_token['audit_id'])
self._assertTokenRevoked(first_token) self._assertTokenRevoked(first_token)
self.assertEqual( self.assertEqual(
@ -175,7 +180,7 @@ class RevokeTests(object):
# dont both have different populated audit_id fields # dont both have different populated audit_id fields
second_token = _sample_blank_token() second_token = _sample_blank_token()
second_token['audit_id'] = common.random_urlsafe_str() second_token['audit_id'] = common.random_urlsafe_str()
self.revoke_api.revoke_by_audit_id( PROVIDERS.revoke_api.revoke_by_audit_id(
audit_id=second_token['audit_id']) audit_id=second_token['audit_id'])
self._assertTokenRevoked(second_token) self._assertTokenRevoked(second_token)
self.assertEqual( self.assertEqual(
@ -193,8 +198,8 @@ class RevokeTests(object):
def test_list_revoked_since(self): def test_list_revoked_since(self):
revocation_backend = sql.Revoke() revocation_backend = sql.Revoke()
token = _sample_blank_token() token = _sample_blank_token()
self.revoke_api.revoke_by_user(user_id=None) PROVIDERS.revoke_api.revoke_by_user(user_id=None)
self.revoke_api.revoke_by_user(user_id=None) PROVIDERS.revoke_api.revoke_by_user(user_id=None)
self.assertEqual(2, len(revocation_backend.list_events(token=token))) self.assertEqual(2, len(revocation_backend.list_events(token=token)))
future = timeutils.utcnow() + datetime.timedelta(seconds=1000) future = timeutils.utcnow() + datetime.timedelta(seconds=1000)
token['issued_at'] = future token['issued_at'] = future
@ -210,7 +215,7 @@ class RevokeTests(object):
first_token['audit_id'] = common.random_urlsafe_str() first_token['audit_id'] = common.random_urlsafe_str()
# revoke event and then verify that there is only one revocation # revoke event and then verify that there is only one revocation
# and verify the only revoked event is the token # and verify the only revoked event is the token
self.revoke_api.revoke(revoke_model.RevokeEvent( PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent(
user_id=first_token['user_id'], user_id=first_token['user_id'],
project_id=first_token['project_id'], project_id=first_token['project_id'],
audit_id=first_token['audit_id'])) audit_id=first_token['audit_id']))
@ -237,7 +242,7 @@ class RevokeTests(object):
fourth_token['user_id'] = uuid.uuid4().hex fourth_token['user_id'] = uuid.uuid4().hex
fourth_token['project_id'] = uuid.uuid4().hex fourth_token['project_id'] = uuid.uuid4().hex
fourth_token['audit_id'] = common.random_urlsafe_str() fourth_token['audit_id'] = common.random_urlsafe_str()
self.revoke_api.revoke(revoke_model.RevokeEvent( PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent(
project_id=fourth_token['project_id'], project_id=fourth_token['project_id'],
audit_id=fourth_token['audit_id'])) audit_id=fourth_token['audit_id']))
self._assertTokenRevoked(fourth_token) self._assertTokenRevoked(fourth_token)
@ -247,7 +252,7 @@ class RevokeTests(object):
def _user_field_test(self, field_name): def _user_field_test(self, field_name):
token = _sample_blank_token() token = _sample_blank_token()
token[field_name] = uuid.uuid4().hex token[field_name] = uuid.uuid4().hex
self.revoke_api.revoke_by_user(user_id=token[field_name]) PROVIDERS.revoke_api.revoke_by_user(user_id=token[field_name])
self._assertTokenRevoked(token) self._assertTokenRevoked(token)
token2 = _sample_blank_token() token2 = _sample_blank_token()
token2[field_name] = uuid.uuid4().hex token2[field_name] = uuid.uuid4().hex
@ -276,7 +281,9 @@ class RevokeTests(object):
self.assertEqual( self.assertEqual(
0, len(revocation_backend.list_events(token=token_data))) 0, len(revocation_backend.list_events(token=token_data)))
self.revoke_api.revoke(revoke_model.RevokeEvent(domain_id=domain_id)) PROVIDERS.revoke_api.revoke(
revoke_model.RevokeEvent(domain_id=domain_id)
)
self._assertTokenRevoked(token_data) self._assertTokenRevoked(token_data)
self.assertEqual( self.assertEqual(
@ -297,7 +304,7 @@ class RevokeTests(object):
# If revoke a domain, then a token scoped to a project in the domain # If revoke a domain, then a token scoped to a project in the domain
# is revoked. # is revoked.
self.revoke_api.revoke(revoke_model.RevokeEvent( PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent(
domain_id=token_data['assignment_domain_id'])) domain_id=token_data['assignment_domain_id']))
self._assertTokenRevoked(token_data) self._assertTokenRevoked(token_data)
@ -317,7 +324,7 @@ class RevokeTests(object):
0, len(revocation_backend.list_events(token=token_data))) 0, len(revocation_backend.list_events(token=token_data)))
# If revoke a domain, then a token scoped to the domain is revoked. # If revoke a domain, then a token scoped to the domain is revoked.
self.revoke_api.revoke(revoke_model.RevokeEvent( PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent(
domain_id=token_data['assignment_domain_id'])) domain_id=token_data['assignment_domain_id']))
self._assertTokenRevoked(token_data) self._assertTokenRevoked(token_data)
@ -344,7 +351,7 @@ class RevokeTests(object):
0, len(revocation_backend.list_events(token=second_token))) 0, len(revocation_backend.list_events(token=second_token)))
# Revoke first_token using user_id and project_id # Revoke first_token using user_id and project_id
self.revoke_api.revoke_by_user_and_project( PROVIDERS.revoke_api.revoke_by_user_and_project(
first_token['user_id'], first_token['project_id']) first_token['user_id'], first_token['project_id'])
# Check that only first_token has been revoked. # Check that only first_token has been revoked.
@ -361,7 +368,7 @@ class RevokeTests(object):
# if the token is an original token # if the token is an original token
token['audit_id'] = uuid.uuid4().hex token['audit_id'] = uuid.uuid4().hex
token['audit_chain_id'] = token['audit_id'] token['audit_chain_id'] = token['audit_id']
self.revoke_api.revoke_by_audit_id(audit_id=token['audit_id']) PROVIDERS.revoke_api.revoke_by_audit_id(audit_id=token['audit_id'])
self._assertTokenRevoked(token) self._assertTokenRevoked(token)
token2 = _sample_blank_token() token2 = _sample_blank_token()
@ -384,7 +391,7 @@ class RevokeTests(object):
self.assertEqual(0, len(revocation_backend.list_events(token=token))) self.assertEqual(0, len(revocation_backend.list_events(token=token)))
# Revoked token by audit chain id using the audit_id # Revoked token by audit chain id using the audit_id
self.revoke_api.revoke_by_audit_chain_id(audit_id) PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_id)
# Check that the token is now revoked # Check that the token is now revoked
self._assertTokenRevoked(token) self._assertTokenRevoked(token)
self.assertEqual(1, len(revocation_backend.list_events(token=token))) self.assertEqual(1, len(revocation_backend.list_events(token=token)))
@ -406,67 +413,73 @@ class RevokeTests(object):
token_values = _sample_token_values() token_values = _sample_token_values()
audit_chain_id = uuid.uuid4().hex audit_chain_id = uuid.uuid4().hex
self.revoke_api.revoke_by_audit_chain_id(audit_chain_id) PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_chain_id)
token_values['audit_chain_id'] = audit_chain_id token_values['audit_chain_id'] = audit_chain_id
self.assertRaises(exception.TokenNotFound, self.assertRaises(exception.TokenNotFound,
self.revoke_api.check_token, PROVIDERS.revoke_api.check_token,
token_values) token_values)
# Move our clock forward by 2h, build a new token and validate it. # Move our clock forward by 2h, build a new token and validate it.
# 'synchronize' should now be exercised and remove old expired events # 'synchronize' should now be exercised and remove old expired events
mock_utcnow.return_value = now_plus_2h mock_utcnow.return_value = now_plus_2h
self.revoke_api.revoke_by_audit_chain_id(audit_chain_id) PROVIDERS.revoke_api.revoke_by_audit_chain_id(audit_chain_id)
# two hours later, it should still be not found # two hours later, it should still be not found
self.assertRaises(exception.TokenNotFound, self.assertRaises(exception.TokenNotFound,
self.revoke_api.check_token, PROVIDERS.revoke_api.check_token,
token_values) token_values)
def test_delete_group_without_role_does_not_revoke_users(self): def test_delete_group_without_role_does_not_revoke_users(self):
revocation_backend = sql.Revoke() revocation_backend = sql.Revoke()
domain = unit.new_domain_ref() domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain) PROVIDERS.resource_api.create_domain(domain['id'], domain)
# Create two groups. Group1 will be used to test deleting a group, # Create two groups. Group1 will be used to test deleting a group,
# without role assignments and users in the group, doesn't create # without role assignments and users in the group, doesn't create
# revoked events. Group2 will show that deleting a group with role # revoked events. Group2 will show that deleting a group with role
# assignment and users in the group does create revoked events # assignment and users in the group does create revoked events
group1 = unit.new_group_ref(domain_id=domain['id']) group1 = unit.new_group_ref(domain_id=domain['id'])
group1 = self.identity_api.create_group(group1) group1 = PROVIDERS.identity_api.create_group(group1)
group2 = unit.new_group_ref(domain_id=domain['id']) group2 = unit.new_group_ref(domain_id=domain['id'])
group2 = self.identity_api.create_group(group2) group2 = PROVIDERS.identity_api.create_group(group2)
role = unit.new_role_ref() role = unit.new_role_ref()
self.role_api.create_role(role['id'], role) PROVIDERS.role_api.create_role(role['id'], role)
user1 = unit.new_user_ref(domain_id=domain['id']) user1 = unit.new_user_ref(domain_id=domain['id'])
user1 = self.identity_api.create_user(user1) user1 = PROVIDERS.identity_api.create_user(user1)
user2 = unit.new_user_ref(domain_id=domain['id']) user2 = unit.new_user_ref(domain_id=domain['id'])
user2 = self.identity_api.create_user(user2) user2 = PROVIDERS.identity_api.create_user(user2)
# Add two users to the group, verify they are added, delete group, and # Add two users to the group, verify they are added, delete group, and
# check that the revocaiton events have not been created # check that the revocaiton events have not been created
self.identity_api.add_user_to_group(user_id=user1['id'], PROVIDERS.identity_api.add_user_to_group(
group_id=group1['id']) user_id=user1['id'], group_id=group1['id']
self.identity_api.add_user_to_group(user_id=user2['id'], )
group_id=group1['id']) PROVIDERS.identity_api.add_user_to_group(
user_id=user2['id'], group_id=group1['id']
)
self.assertEqual( self.assertEqual(
2, len(self.identity_api.list_users_in_group(group1['id']))) 2, len(PROVIDERS.identity_api.list_users_in_group(group1['id'])))
self.identity_api.delete_group(group1['id']) PROVIDERS.identity_api.delete_group(group1['id'])
self.assertEqual(0, len(revocation_backend.list_events())) self.assertEqual(0, len(revocation_backend.list_events()))
# Assign a role to the group, add two users to the group, verify that # Assign a role to the group, add two users to the group, verify that
# the role has been assigned to the group, verify the users have been # the role has been assigned to the group, verify the users have been
# added to the group, delete the group, check that the revocation # added to the group, delete the group, check that the revocation
# events have been created # events have been created
self.assignment_api.create_grant(group_id=group2['id'], PROVIDERS.assignment_api.create_grant(
domain_id=domain['id'], group_id=group2['id'], domain_id=domain['id'], role_id=role['id']
role_id=role['id']) )
grants = self.assignment_api.list_role_assignments(role_id=role['id']) grants = PROVIDERS.assignment_api.list_role_assignments(
role_id=role['id']
)
self.assertThat(grants, matchers.HasLength(1)) self.assertThat(grants, matchers.HasLength(1))
self.identity_api.add_user_to_group(user_id=user1['id'], PROVIDERS.identity_api.add_user_to_group(
group_id=group2['id']) user_id=user1['id'], group_id=group2['id']
self.identity_api.add_user_to_group(user_id=user2['id'], )
group_id=group2['id']) PROVIDERS.identity_api.add_user_to_group(
user_id=user2['id'], group_id=group2['id']
)
self.assertEqual( self.assertEqual(
2, len(self.identity_api.list_users_in_group(group2['id']))) 2, len(PROVIDERS.identity_api.list_users_in_group(group2['id'])))
self.identity_api.delete_group(group2['id']) PROVIDERS.identity_api.delete_group(group2['id'])
self.assertEqual(2, len(revocation_backend.list_events())) self.assertEqual(2, len(revocation_backend.list_events()))

13
keystone/tests/unit/test_shadow_users.py
View File

@ -12,11 +12,14 @@
import uuid import uuid
from keystone.common import provider_api
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit.identity.shadow_users import test_backend from keystone.tests.unit.identity.shadow_users import test_backend
from keystone.tests.unit.identity.shadow_users import test_core from keystone.tests.unit.identity.shadow_users import test_core
from keystone.tests.unit.ksfixtures import database from keystone.tests.unit.ksfixtures import database
PROVIDERS = provider_api.ProviderAPIs
class ShadowUsersTests(unit.TestCase, class ShadowUsersTests(unit.TestCase,
test_backend.ShadowUsersBackendTests, test_backend.ShadowUsersBackendTests,
@ -44,9 +47,11 @@ class ShadowUsersTests(unit.TestCase,
'unique_id': uuid.uuid4().hex, 'unique_id': uuid.uuid4().hex,
'display_name': uuid.uuid4().hex 'display_name': uuid.uuid4().hex
} }
self.federation_api.create_idp(self.idp['id'], self.idp) PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
self.federation_api.create_mapping(self.mapping['id'], self.mapping) PROVIDERS.federation_api.create_mapping(
self.federation_api.create_protocol( self.mapping['id'], self.mapping
)
PROVIDERS.federation_api.create_protocol(
self.idp['id'], self.protocol['id'], self.protocol) self.idp['id'], self.protocol['id'], self.protocol)
self.domain_id = ( self.domain_id = (
self.federation_api.get_idp(self.idp['id'])['domain_id']) PROVIDERS.federation_api.get_idp(self.idp['id'])['domain_id'])

59
keystone/tests/unit/test_v3_catalog.py
View File

@ -18,10 +18,13 @@ import uuid
from six.moves import http_client from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.common import provider_api
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit.ksfixtures import database from keystone.tests.unit.ksfixtures import database
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
PROVIDERS = provider_api.ProviderAPIs
class CatalogTestCase(test_v3.RestfulTestCase): class CatalogTestCase(test_v3.RestfulTestCase):
"""Test service & endpoint CRUD.""" """Test service & endpoint CRUD."""
@ -690,7 +693,7 @@ class CatalogTestCase(test_v3.RestfulTestCase):
url=url_with_space) url=url_with_space)
# add the endpoint to the database # add the endpoint to the database
self.catalog_api.create_endpoint(ref['id'], ref) PROVIDERS.catalog_api.create_endpoint(ref['id'], ref)
# delete the endpoint # delete the endpoint
self.delete('/endpoints/%s' % ref['id']) self.delete('/endpoints/%s' % ref['id'])
@ -825,7 +828,7 @@ class TestCatalogAPISQL(unit.TestCase):
service = unit.new_service_ref() service = unit.new_service_ref()
self.service_id = service['id'] self.service_id = service['id']
self.catalog_api.create_service(self.service_id, service) PROVIDERS.catalog_api.create_service(self.service_id, service)
self.create_endpoint(service_id=self.service_id) self.create_endpoint(service_id=self.service_id)
@ -833,7 +836,7 @@ class TestCatalogAPISQL(unit.TestCase):
endpoint = unit.new_endpoint_ref(service_id=service_id, endpoint = unit.new_endpoint_ref(service_id=service_id,
region_id=None, **kwargs) region_id=None, **kwargs)
self.catalog_api.create_endpoint(endpoint['id'], endpoint) PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
return endpoint return endpoint
def config_overrides(self): def config_overrides(self):
@ -847,15 +850,15 @@ class TestCatalogAPISQL(unit.TestCase):
# filter the catalog by the project or replace the url with a # filter the catalog by the project or replace the url with a
# valid project id. # valid project id.
domain = unit.new_domain_ref() domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain) PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id']) project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project) PROVIDERS.resource_api.create_project(project['id'], project)
# the only endpoint in the catalog is the one created in setUp # the only endpoint in the catalog is the one created in setUp
catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertEqual(1, len(catalog[0]['endpoints'])) self.assertEqual(1, len(catalog[0]['endpoints']))
# it's also the only endpoint in the backend # it's also the only endpoint in the backend
self.assertEqual(1, len(self.catalog_api.list_endpoints())) self.assertEqual(1, len(PROVIDERS.catalog_api.list_endpoints()))
# create a new, invalid endpoint - malformed type declaration # create a new, invalid endpoint - malformed type declaration
self.create_endpoint(self.service_id, self.create_endpoint(self.service_id,
@ -866,23 +869,23 @@ class TestCatalogAPISQL(unit.TestCase):
url='http://keystone/%(you_wont_find_me)s') url='http://keystone/%(you_wont_find_me)s')
# verify that the invalid endpoints don't appear in the catalog # verify that the invalid endpoints don't appear in the catalog
catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertEqual(1, len(catalog[0]['endpoints'])) self.assertEqual(1, len(catalog[0]['endpoints']))
# all three appear in the backend # all three appear in the backend
self.assertEqual(3, len(self.catalog_api.list_endpoints())) self.assertEqual(3, len(PROVIDERS.catalog_api.list_endpoints()))
# create another valid endpoint - project_id will be replaced # create another valid endpoint - project_id will be replaced
self.create_endpoint(self.service_id, self.create_endpoint(self.service_id,
url='http://keystone/%(project_id)s') url='http://keystone/%(project_id)s')
# there are two valid endpoints, positive check # there are two valid endpoints, positive check
catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertThat(catalog[0]['endpoints'], matchers.HasLength(2)) self.assertThat(catalog[0]['endpoints'], matchers.HasLength(2))
# If the URL has no 'project_id' to substitute, we will skip the # If the URL has no 'project_id' to substitute, we will skip the
# endpoint which contains this kind of URL, negative check. # endpoint which contains this kind of URL, negative check.
project_id = None project_id = None
catalog = self.catalog_api.get_v3_catalog(user_id, project_id) catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project_id)
self.assertThat(catalog[0]['endpoints'], matchers.HasLength(1)) self.assertThat(catalog[0]['endpoints'], matchers.HasLength(1))
def test_get_catalog_always_returns_service_name(self): def test_get_catalog_always_returns_service_name(self):
@ -891,22 +894,22 @@ class TestCatalogAPISQL(unit.TestCase):
# filter the catalog by the project or replace the url with a # filter the catalog by the project or replace the url with a
# valid project id. # valid project id.
domain = unit.new_domain_ref() domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain) PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id']) project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project) PROVIDERS.resource_api.create_project(project['id'], project)
# create a service, with a name # create a service, with a name
named_svc = unit.new_service_ref() named_svc = unit.new_service_ref()
self.catalog_api.create_service(named_svc['id'], named_svc) PROVIDERS.catalog_api.create_service(named_svc['id'], named_svc)
self.create_endpoint(service_id=named_svc['id']) self.create_endpoint(service_id=named_svc['id'])
# create a service, with no name # create a service, with no name
unnamed_svc = unit.new_service_ref(name=None) unnamed_svc = unit.new_service_ref(name=None)
del unnamed_svc['name'] del unnamed_svc['name']
self.catalog_api.create_service(unnamed_svc['id'], unnamed_svc) PROVIDERS.catalog_api.create_service(unnamed_svc['id'], unnamed_svc)
self.create_endpoint(service_id=unnamed_svc['id']) self.create_endpoint(service_id=unnamed_svc['id'])
catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
named_endpoint = [ep for ep in catalog named_endpoint = [ep for ep in catalog
if ep['type'] == named_svc['type']][0] if ep['type'] == named_svc['type']][0]
@ -934,46 +937,46 @@ class TestCatalogAPISQLRegions(unit.TestCase):
def test_get_catalog_returns_proper_endpoints_with_no_region(self): def test_get_catalog_returns_proper_endpoints_with_no_region(self):
service = unit.new_service_ref() service = unit.new_service_ref()
service_id = service['id'] service_id = service['id']
self.catalog_api.create_service(service_id, service) PROVIDERS.catalog_api.create_service(service_id, service)
endpoint = unit.new_endpoint_ref(service_id=service_id, endpoint = unit.new_endpoint_ref(service_id=service_id,
region_id=None) region_id=None)
del endpoint['region_id'] del endpoint['region_id']
self.catalog_api.create_endpoint(endpoint['id'], endpoint) PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
# create a project since the project should exist if we want to # create a project since the project should exist if we want to
# filter the catalog by the project or replace the url with a # filter the catalog by the project or replace the url with a
# valid project id. # valid project id.
domain = unit.new_domain_ref() domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain) PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id']) project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project) PROVIDERS.resource_api.create_project(project['id'], project)
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertValidCatalogEndpoint( self.assertValidCatalogEndpoint(
catalog[0]['endpoints'][0], ref=endpoint) catalog[0]['endpoints'][0], ref=endpoint)
def test_get_catalog_returns_proper_endpoints_with_region(self): def test_get_catalog_returns_proper_endpoints_with_region(self):
service = unit.new_service_ref() service = unit.new_service_ref()
service_id = service['id'] service_id = service['id']
self.catalog_api.create_service(service_id, service) PROVIDERS.catalog_api.create_service(service_id, service)
endpoint = unit.new_endpoint_ref(service_id=service_id) endpoint = unit.new_endpoint_ref(service_id=service_id)
region = unit.new_region_ref(id=endpoint['region_id']) region = unit.new_region_ref(id=endpoint['region_id'])
self.catalog_api.create_region(region) PROVIDERS.catalog_api.create_region(region)
self.catalog_api.create_endpoint(endpoint['id'], endpoint) PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
endpoint = self.catalog_api.get_endpoint(endpoint['id']) endpoint = PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
# create a project since the project should exist if we want to # create a project since the project should exist if we want to
# filter the catalog by the project or replace the url with a # filter the catalog by the project or replace the url with a
# valid project id. # valid project id.
domain = unit.new_domain_ref() domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain) PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id']) project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project) PROVIDERS.resource_api.create_project(project['id'], project)
catalog = self.catalog_api.get_v3_catalog(user_id, project['id']) catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertValidCatalogEndpoint( self.assertValidCatalogEndpoint(
catalog[0]['endpoints'][0], ref=endpoint) catalog[0]['endpoints'][0], ref=endpoint)

13
keystone/tests/unit/test_v3_endpoint_policy.py
View File

@ -15,9 +15,12 @@
from six.moves import http_client from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.common import provider_api
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
PROVIDERS = provider_api.ProviderAPIs
class EndpointPolicyTestCase(test_v3.RestfulTestCase): class EndpointPolicyTestCase(test_v3.RestfulTestCase):
"""Test endpoint policy CRUD. """Test endpoint policy CRUD.
@ -33,15 +36,17 @@ class EndpointPolicyTestCase(test_v3.RestfulTestCase):
def setUp(self): def setUp(self):
super(EndpointPolicyTestCase, self).setUp() super(EndpointPolicyTestCase, self).setUp()
self.policy = unit.new_policy_ref() self.policy = unit.new_policy_ref()
self.policy_api.create_policy(self.policy['id'], self.policy) PROVIDERS.policy_api.create_policy(self.policy['id'], self.policy)
self.service = unit.new_service_ref() self.service = unit.new_service_ref()
self.catalog_api.create_service(self.service['id'], self.service) PROVIDERS.catalog_api.create_service(self.service['id'], self.service)
self.endpoint = unit.new_endpoint_ref(self.service['id'], enabled=True, self.endpoint = unit.new_endpoint_ref(self.service['id'], enabled=True,
interface='public', interface='public',
region_id=self.region_id) region_id=self.region_id)
self.catalog_api.create_endpoint(self.endpoint['id'], self.endpoint) PROVIDERS.catalog_api.create_endpoint(
self.endpoint['id'], self.endpoint
)
self.region = unit.new_region_ref() self.region = unit.new_region_ref()
self.catalog_api.create_region(self.region) PROVIDERS.catalog_api.create_region(self.region)
def assert_head_and_get_return_same_response(self, url, expected_status): def assert_head_and_get_return_same_response(self, url, expected_status):
self.get(url, expected_status=expected_status) self.get(url, expected_status=expected_status)

116
keystone/tests/unit/test_v3_filters.py
View File

@ -21,6 +21,7 @@ from oslo_serialization import jsonutils
from six.moves import http_client from six.moves import http_client
from six.moves import range from six.moves import range
from keystone.common import provider_api
import keystone.conf import keystone.conf
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit import filtering from keystone.tests.unit import filtering
@ -30,6 +31,7 @@ from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class IdentityTestFilteredCase(filtering.FilterTests, class IdentityTestFilteredCase(filtering.FilterTests,
@ -63,26 +65,27 @@ class IdentityTestFilteredCase(filtering.FilterTests,
# Start by creating a few domains # Start by creating a few domains
self._populate_default_domain() self._populate_default_domain()
self.domainA = unit.new_domain_ref() self.domainA = unit.new_domain_ref()
self.resource_api.create_domain(self.domainA['id'], self.domainA) PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = unit.new_domain_ref() self.domainB = unit.new_domain_ref()
self.resource_api.create_domain(self.domainB['id'], self.domainB) PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
self.domainC = unit.new_domain_ref() self.domainC = unit.new_domain_ref()
self.domainC['enabled'] = False self.domainC['enabled'] = False
self.resource_api.create_domain(self.domainC['id'], self.domainC) PROVIDERS.resource_api.create_domain(self.domainC['id'], self.domainC)
# Now create some users, one in domainA and two of them in domainB # Now create some users, one in domainA and two of them in domainB
self.user1 = unit.create_user(self.identity_api, self.user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
self.user2 = unit.create_user(self.identity_api, self.user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
self.user3 = unit.create_user(self.identity_api, self.user3 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
self.role = unit.new_role_ref() self.role = unit.new_role_ref()
self.role_api.create_role(self.role['id'], self.role) PROVIDERS.role_api.create_role(self.role['id'], self.role)
self.assignment_api.create_grant(self.role['id'], PROVIDERS.assignment_api.create_grant(
user_id=self.user1['id'], self.role['id'], user_id=self.user1['id'],
domain_id=self.domainA['id']) domain_id=self.domainA['id']
)
# A default auth request we can use - un-scoped user token # A default auth request we can use - un-scoped user token
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(
@ -224,7 +227,7 @@ class IdentityTestFilteredCase(filtering.FilterTests,
self._set_policy({"identity:list_users": []}) self._set_policy({"identity:list_users": []})
user = self.user1 user = self.user1
user['name'] = '%my%name%' user['name'] = '%my%name%'
self.identity_api.update_user(user['id'], user) PROVIDERS.identity_api.update_user(user['id'], user)
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
@ -240,23 +243,23 @@ class IdentityTestFilteredCase(filtering.FilterTests,
# Set up some names that we can filter on # Set up some names that we can filter on
user = user_list[5] user = user_list[5]
user['name'] = 'The' user['name'] = 'The'
self.identity_api.update_user(user['id'], user) PROVIDERS.identity_api.update_user(user['id'], user)
user = user_list[6] user = user_list[6]
user['name'] = 'The Ministry' user['name'] = 'The Ministry'
self.identity_api.update_user(user['id'], user) PROVIDERS.identity_api.update_user(user['id'], user)
user = user_list[7] user = user_list[7]
user['name'] = 'The Ministry of' user['name'] = 'The Ministry of'
self.identity_api.update_user(user['id'], user) PROVIDERS.identity_api.update_user(user['id'], user)
user = user_list[8] user = user_list[8]
user['name'] = 'The Ministry of Silly' user['name'] = 'The Ministry of Silly'
self.identity_api.update_user(user['id'], user) PROVIDERS.identity_api.update_user(user['id'], user)
user = user_list[9] user = user_list[9]
user['name'] = 'The Ministry of Silly Walks' user['name'] = 'The Ministry of Silly Walks'
self.identity_api.update_user(user['id'], user) PROVIDERS.identity_api.update_user(user['id'], user)
# ...and one for useful case insensitivity testing # ...and one for useful case insensitivity testing
user = user_list[10] user = user_list[10]
user['name'] = 'the ministry of silly walks OF' user['name'] = 'the ministry of silly walks OF'
self.identity_api.update_user(user['id'], user) PROVIDERS.identity_api.update_user(user['id'], user)
self._set_policy({"identity:list_users": []}) self._set_policy({"identity:list_users": []})
@ -318,7 +321,7 @@ class IdentityTestFilteredCase(filtering.FilterTests,
# See if we can add a SQL command...use the group table instead of the # See if we can add a SQL command...use the group table instead of the
# user table since 'user' is reserved word for SQLAlchemy. # user table since 'user' is reserved word for SQLAlchemy.
group = unit.new_group_ref(domain_id=self.domainB['id']) group = unit.new_group_ref(domain_id=self.domainB['id'])
group = self.identity_api.create_group(group) group = PROVIDERS.identity_api.create_group(group)
url_by_name = "/users?name=x'; drop table group" url_by_name = "/users?name=x'; drop table group"
r = self.get(url_by_name, auth=self.auth) r = self.get(url_by_name, auth=self.auth)
@ -351,14 +354,15 @@ class IdentityPasswordExpiryFilteredTestCase(filtering.FilterTests,
""" """
self._populate_default_domain() self._populate_default_domain()
self.domain = unit.new_domain_ref() self.domain = unit.new_domain_ref()
self.resource_api.create_domain(self.domain['id'], self.domain) PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain)
self.domain_id = self.domain['id'] self.domain_id = self.domain['id']
self.project = unit.new_project_ref(domain_id=self.domain_id) self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id'] self.project_id = self.project['id']
self.project = self.resource_api.create_project(self.project_id, self.project = PROVIDERS.resource_api.create_project(
self.project) self.project_id, self.project
)
self.group = unit.new_group_ref(domain_id=self.domain_id) self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group) self.group = PROVIDERS.identity_api.create_group(self.group)
self.group_id = self.group['id'] self.group_id = self.group['id']
# Creates three users each with password expiration offset # Creates three users each with password expiration offset
# by one day, starting with the current time frozen. # by one day, starting with the current time frozen.
@ -366,43 +370,45 @@ class IdentityPasswordExpiryFilteredTestCase(filtering.FilterTests,
with freezegun.freeze_time(self.starttime): with freezegun.freeze_time(self.starttime):
self.config_fixture.config(group='security_compliance', self.config_fixture.config(group='security_compliance',
password_expires_days=1) password_expires_days=1)
self.user = unit.create_user(self.identity_api, self.user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id) domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance', self.config_fixture.config(group='security_compliance',
password_expires_days=2) password_expires_days=2)
self.user2 = unit.create_user(self.identity_api, self.user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id) domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance', self.config_fixture.config(group='security_compliance',
password_expires_days=3) password_expires_days=3)
self.user3 = unit.create_user(self.identity_api, self.user3 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id) domain_id=self.domain_id)
self.role = unit.new_role_ref(name='admin') self.role = unit.new_role_ref(name='admin')
self.role_api.create_role(self.role['id'], self.role) PROVIDERS.role_api.create_role(self.role['id'], self.role)
self.role_id = self.role['id'] self.role_id = self.role['id']
# Grant admin role to the users created. # Grant admin role to the users created.
self.assignment_api.create_grant(self.role_id, PROVIDERS.assignment_api.create_grant(
user_id=self.user['id'], self.role_id, user_id=self.user['id'], domain_id=self.domain_id
domain_id=self.domain_id) )
self.assignment_api.create_grant(self.role_id, PROVIDERS.assignment_api.create_grant(
user_id=self.user2['id'], self.role_id, user_id=self.user2['id'], domain_id=self.domain_id
domain_id=self.domain_id) )
self.assignment_api.create_grant(self.role_id, PROVIDERS.assignment_api.create_grant(
user_id=self.user3['id'], self.role_id, user_id=self.user3['id'], domain_id=self.domain_id
domain_id=self.domain_id) )
self.assignment_api.create_grant(self.role_id, PROVIDERS.assignment_api.create_grant(
user_id=self.user['id'], self.role_id, user_id=self.user['id'], project_id=self.project_id
project_id=self.project_id) )
self.assignment_api.create_grant(self.role_id, PROVIDERS.assignment_api.create_grant(
user_id=self.user2['id'], self.role_id, user_id=self.user2['id'], project_id=self.project_id
project_id=self.project_id) )
self.assignment_api.create_grant(self.role_id, PROVIDERS.assignment_api.create_grant(
user_id=self.user3['id'], self.role_id, user_id=self.user3['id'], project_id=self.project_id
project_id=self.project_id) )
# Add the last two users to the group. # Add the last two users to the group.
self.identity_api.add_user_to_group(self.user2['id'], PROVIDERS.identity_api.add_user_to_group(
self.group_id) self.user2['id'], self.group_id
self.identity_api.add_user_to_group(self.user3['id'], )
self.group_id) PROVIDERS.identity_api.add_user_to_group(
self.user3['id'], self.group_id
)
def _list_users_by_password_expires_at(self, time, operator=None): def _list_users_by_password_expires_at(self, time, operator=None):
"""Call `list_users` with `password_expires_at` filter. """Call `list_users` with `password_expires_at` filter.
@ -741,16 +747,18 @@ class IdentityTestListLimitCase(IdentityTestFilteredCase):
self.addCleanup(self.clean_up_service) self.addCleanup(self.clean_up_service)
for _ in range(10): for _ in range(10):
new_entity = unit.new_service_ref() new_entity = unit.new_service_ref()
service = self.catalog_api.create_service(new_entity['id'], service = PROVIDERS.catalog_api.create_service(
new_entity) new_entity['id'], new_entity
)
self.service_list.append(service) self.service_list.append(service)
self.policy_list = [] self.policy_list = []
self.addCleanup(self.clean_up_policy) self.addCleanup(self.clean_up_policy)
for _ in range(10): for _ in range(10):
new_entity = unit.new_policy_ref() new_entity = unit.new_policy_ref()
policy = self.policy_api.create_policy(new_entity['id'], policy = PROVIDERS.policy_api.create_policy(
new_entity) new_entity['id'], new_entity
)
self.policy_list.append(policy) self.policy_list.append(policy)
def clean_up_entity(self, entity): def clean_up_entity(self, entity):
@ -760,12 +768,12 @@ class IdentityTestListLimitCase(IdentityTestFilteredCase):
def clean_up_service(self): def clean_up_service(self):
"""Clean up service test data from Identity Limit Test Cases.""" """Clean up service test data from Identity Limit Test Cases."""
for service in self.service_list: for service in self.service_list:
self.catalog_api.delete_service(service['id']) PROVIDERS.catalog_api.delete_service(service['id'])
def clean_up_policy(self): def clean_up_policy(self):
"""Clean up policy test data from Identity Limit Test Cases.""" """Clean up policy test data from Identity Limit Test Cases."""
for policy in self.policy_list: for policy in self.policy_list:
self.policy_api.delete_policy(policy['id']) PROVIDERS.policy_api.delete_policy(policy['id'])
def _test_entity_list_limit(self, entity, driver): def _test_entity_list_limit(self, entity, driver):
"""GET /<entities> (limited). """GET /<entities> (limited).

18
keystone/tests/unit/test_v3_oauth1.py
View File

@ -25,6 +25,7 @@ from six.moves import http_client
from six.moves import urllib from six.moves import urllib
from six.moves.urllib import parse as urlparse from six.moves.urllib import parse as urlparse
from keystone.common import provider_api
import keystone.conf import keystone.conf
from keystone import exception from keystone import exception
from keystone import oauth1 from keystone import oauth1
@ -38,6 +39,7 @@ from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
def _urllib_parse_qs_text_keys(content): def _urllib_parse_qs_text_keys(content):
@ -535,14 +537,14 @@ class AuthTokenTests(object):
def test_delete_keystone_tokens_by_consumer_id(self): def test_delete_keystone_tokens_by_consumer_id(self):
self.test_oauth_flow() self.test_oauth_flow()
self.token_provider_api._persistence.get_token( PROVIDERS.token_provider_api._persistence.get_token(
self.keystone_token_id) self.keystone_token_id)
self.token_provider_api._persistence.delete_tokens( PROVIDERS.token_provider_api._persistence.delete_tokens(
self.user_id, self.user_id,
consumer_id=self.consumer['key']) consumer_id=self.consumer['key'])
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api._persistence.get_token, PROVIDERS.token_provider_api._persistence.get_token,
self.keystone_token_id) self.keystone_token_id)
def _create_trust_get_token(self): def _create_trust_get_token(self):
@ -882,7 +884,7 @@ class MaliciousOAuth1Tests(OAuth1Tests):
credentials = _urllib_parse_qs_text_keys(content.result) credentials = _urllib_parse_qs_text_keys(content.result)
request_key = credentials['oauth_token'][0] request_key = credentials['oauth_token'][0]
self.assignment_api.remove_role_from_user_and_project( PROVIDERS.assignment_api.remove_role_from_user_and_project(
self.user_id, self.project_id, self.role_id) self.user_id, self.project_id, self.role_id)
url = self._authorize_request_token(request_key) url = self._authorize_request_token(request_key)
body = {'roles': [{'id': self.role_id}]} body = {'roles': [{'id': self.role_id}]}
@ -927,14 +929,14 @@ class MaliciousOAuth1Tests(OAuth1Tests):
resp = self.put(url, body=body, expected_status=http_client.OK) resp = self.put(url, body=body, expected_status=http_client.OK)
verifier = resp.result['token']['oauth_verifier'] verifier = resp.result['token']['oauth_verifier']
request_token.set_verifier(verifier) request_token.set_verifier(verifier)
request_token_created = self.oauth_api.get_request_token( request_token_created = PROVIDERS.oauth_api.get_request_token(
request_key.decode('utf-8')) request_key.decode('utf-8'))
request_token_created.update({'authorizing_user_id': ''}) request_token_created.update({'authorizing_user_id': ''})
# Update the request token that is created instead of mocking # Update the request token that is created instead of mocking
# the whole token object to focus on what's we want to test # the whole token object to focus on what's we want to test
# here and avoid any other factors that will result in the same # here and avoid any other factors that will result in the same
# exception. # exception.
with mock.patch.object(self.oauth_api, with mock.patch.object(PROVIDERS.oauth_api,
'get_request_token') as mock_token: 'get_request_token') as mock_token:
mock_token.return_value = request_token_created mock_token.return_value = request_token_created
url, headers = self._create_access_token(consumer, request_token) url, headers = self._create_access_token(consumer, request_token)
@ -1069,7 +1071,7 @@ class OAuthNotificationTests(OAuth1Tests,
def test_update_consumer(self): def test_update_consumer(self):
consumer_ref = self._create_single_consumer() consumer_ref = self._create_single_consumer()
update_ref = {'consumer': {'description': uuid.uuid4().hex}} update_ref = {'consumer': {'description': uuid.uuid4().hex}}
self.oauth_api.update_consumer(consumer_ref['id'], update_ref) PROVIDERS.oauth_api.update_consumer(consumer_ref['id'], update_ref)
self._assert_notify_sent(consumer_ref['id'], self._assert_notify_sent(consumer_ref['id'],
test_notifications.UPDATED_OPERATION, test_notifications.UPDATED_OPERATION,
'OS-OAUTH1:consumer') 'OS-OAUTH1:consumer')
@ -1080,7 +1082,7 @@ class OAuthNotificationTests(OAuth1Tests,
def test_delete_consumer(self): def test_delete_consumer(self):
consumer_ref = self._create_single_consumer() consumer_ref = self._create_single_consumer()
self.oauth_api.delete_consumer(consumer_ref['id']) PROVIDERS.oauth_api.delete_consumer(consumer_ref['id'])
self._assert_notify_sent(consumer_ref['id'], self._assert_notify_sent(consumer_ref['id'],
test_notifications.DELETED_OPERATION, test_notifications.DELETED_OPERATION,
'OS-OAUTH1:consumer') 'OS-OAUTH1:consumer')

17
keystone/tests/unit/test_v3_os_revoke.py
View File

@ -21,10 +21,13 @@ import six
from six.moves import http_client from six.moves import http_client
from testtools import matchers from testtools import matchers
from keystone.common import provider_api
from keystone.common import utils from keystone.common import utils
from keystone.models import revoke_model from keystone.models import revoke_model
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
PROVIDERS = provider_api.ProviderAPIs
def _future_time_string(): def _future_time_string():
expire_delta = datetime.timedelta(seconds=1000) expire_delta = datetime.timedelta(seconds=1000)
@ -79,7 +82,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
sample = self._blank_event() sample = self._blank_event()
sample['audit_id'] = six.text_type(audit_id) sample['audit_id'] = six.text_type(audit_id)
before_time = timeutils.utcnow().replace(microsecond=0) before_time = timeutils.utcnow().replace(microsecond=0)
self.revoke_api.revoke_by_audit_id(audit_id) PROVIDERS.revoke_api.revoke_by_audit_id(audit_id)
resp = self.get('/OS-REVOKE/events') resp = self.get('/OS-REVOKE/events')
events = resp.json_body['events'] events = resp.json_body['events']
self.assertEqual(1, len(events)) self.assertEqual(1, len(events))
@ -90,7 +93,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
sample = dict() sample = dict()
sample['project_id'] = six.text_type(project_id) sample['project_id'] = six.text_type(project_id)
before_time = timeutils.utcnow().replace(microsecond=0) before_time = timeutils.utcnow().replace(microsecond=0)
self.revoke_api.revoke( PROVIDERS.revoke_api.revoke(
revoke_model.RevokeEvent(project_id=project_id)) revoke_model.RevokeEvent(project_id=project_id))
resp = self.get('/OS-REVOKE/events') resp = self.get('/OS-REVOKE/events')
@ -103,7 +106,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
sample = dict() sample = dict()
sample['domain_id'] = six.text_type(domain_id) sample['domain_id'] = six.text_type(domain_id)
before_time = timeutils.utcnow().replace(microsecond=0) before_time = timeutils.utcnow().replace(microsecond=0)
self.revoke_api.revoke( PROVIDERS.revoke_api.revoke(
revoke_model.RevokeEvent(domain_id=domain_id)) revoke_model.RevokeEvent(domain_id=domain_id))
resp = self.get('/OS-REVOKE/events') resp = self.get('/OS-REVOKE/events')
@ -125,7 +128,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
sample = dict() sample = dict()
sample['domain_id'] = six.text_type(domain_id) sample['domain_id'] = six.text_type(domain_id)
self.revoke_api.revoke( PROVIDERS.revoke_api.revoke(
revoke_model.RevokeEvent(domain_id=domain_id)) revoke_model.RevokeEvent(domain_id=domain_id))
resp = self.get('/OS-REVOKE/events') resp = self.get('/OS-REVOKE/events')
@ -141,7 +144,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
revoked_at = timeutils.utcnow() revoked_at = timeutils.utcnow()
# Given or not, `revoked_at` will always be set in the backend. # Given or not, `revoked_at` will always be set in the backend.
self.revoke_api.revoke( PROVIDERS.revoke_api.revoke(
revoke_model.RevokeEvent(revoked_at=revoked_at)) revoke_model.RevokeEvent(revoked_at=revoked_at))
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
@ -157,7 +160,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
ref = {'description': uuid.uuid4().hex} ref = {'description': uuid.uuid4().hex}
resp = self.post('/OS-OAUTH1/consumers', body={'consumer': ref}) resp = self.post('/OS-OAUTH1/consumers', body={'consumer': ref})
consumer_id = resp.result['consumer']['id'] consumer_id = resp.result['consumer']['id']
self.oauth_api.delete_consumer(consumer_id) PROVIDERS.oauth_api.delete_consumer(consumer_id)
resp = self.get('/OS-REVOKE/events') resp = self.get('/OS-REVOKE/events')
events = resp.json_body['events'] events = resp.json_body['events']
@ -194,7 +197,7 @@ class OSRevokeTests(test_v3.RestfulTestCase, test_v3.JsonHomeTestMixin):
sql_delete_mock.side_effect = side_effect sql_delete_mock.side_effect = side_effect
try: try:
self.revoke_api.revoke(revoke_model.RevokeEvent( PROVIDERS.revoke_api.revoke(revoke_model.RevokeEvent(
user_id=uuid.uuid4().hex)) user_id=uuid.uuid4().hex))
finally: finally:
if side_effect.patched: if side_effect.patched:

5
keystone/tests/unit/test_v3_policy.py
View File

@ -17,9 +17,12 @@ import uuid
from six.moves import http_client from six.moves import http_client
from keystone.common import provider_api
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
PROVIDERS = provider_api.ProviderAPIs
class PolicyTestCase(test_v3.RestfulTestCase): class PolicyTestCase(test_v3.RestfulTestCase):
"""Test policy CRUD.""" """Test policy CRUD."""
@ -28,7 +31,7 @@ class PolicyTestCase(test_v3.RestfulTestCase):
super(PolicyTestCase, self).setUp() super(PolicyTestCase, self).setUp()
self.policy = unit.new_policy_ref() self.policy = unit.new_policy_ref()
self.policy_id = self.policy['id'] self.policy_id = self.policy['id']
self.policy_api.create_policy( PROVIDERS.policy_api.create_policy(
self.policy_id, self.policy_id,
self.policy.copy()) self.policy.copy())

245
keystone/tests/unit/test_v3_protection.py
View File

@ -18,6 +18,7 @@ import uuid
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from six.moves import http_client from six.moves import http_client
from keystone.common import provider_api
import keystone.conf import keystone.conf
from keystone.credential.providers import fernet as credential_fernet from keystone.credential.providers import fernet as credential_fernet
from keystone import exception from keystone import exception
@ -29,6 +30,7 @@ from keystone.tests.unit import utils
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class IdentityTestProtectedCase(test_v3.RestfulTestCase): class IdentityTestProtectedCase(test_v3.RestfulTestCase):
@ -67,55 +69,64 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase):
# Start by creating a couple of domains # Start by creating a couple of domains
self.domainA = unit.new_domain_ref() self.domainA = unit.new_domain_ref()
self.resource_api.create_domain(self.domainA['id'], self.domainA) PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = unit.new_domain_ref() self.domainB = unit.new_domain_ref()
self.resource_api.create_domain(self.domainB['id'], self.domainB) PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
self.domainC = unit.new_domain_ref(enabled=False) self.domainC = unit.new_domain_ref(enabled=False)
self.resource_api.create_domain(self.domainC['id'], self.domainC) PROVIDERS.resource_api.create_domain(self.domainC['id'], self.domainC)
# Some projects in the domains # Some projects in the domains
self.projectA = unit.new_project_ref(domain_id=self.domainA['id']) self.projectA = unit.new_project_ref(domain_id=self.domainA['id'])
self.resource_api.create_project(self.projectA['id'], self.projectA) PROVIDERS.resource_api.create_project(
self.projectA['id'], self.projectA
)
self.projectB = unit.new_project_ref(domain_id=self.domainB['id']) self.projectB = unit.new_project_ref(domain_id=self.domainB['id'])
self.resource_api.create_project(self.projectB['id'], self.projectB) PROVIDERS.resource_api.create_project(
self.projectB['id'], self.projectB
)
# Now create some users, one in domainA and two of them in domainB # Now create some users, one in domainA and two of them in domainB
self.user1 = unit.create_user(self.identity_api, self.user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
self.user2 = unit.create_user(self.identity_api, self.user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
self.user3 = unit.create_user(self.identity_api, self.user3 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
self.group1 = unit.new_group_ref(domain_id=self.domainA['id']) self.group1 = unit.new_group_ref(domain_id=self.domainA['id'])
self.group1 = self.identity_api.create_group(self.group1) self.group1 = PROVIDERS.identity_api.create_group(self.group1)
self.group2 = unit.new_group_ref(domain_id=self.domainA['id']) self.group2 = unit.new_group_ref(domain_id=self.domainA['id'])
self.group2 = self.identity_api.create_group(self.group2) self.group2 = PROVIDERS.identity_api.create_group(self.group2)
self.group3 = unit.new_group_ref(domain_id=self.domainB['id']) self.group3 = unit.new_group_ref(domain_id=self.domainB['id'])
self.group3 = self.identity_api.create_group(self.group3) self.group3 = PROVIDERS.identity_api.create_group(self.group3)
self.role = unit.new_role_ref() self.role = unit.new_role_ref()
self.role_api.create_role(self.role['id'], self.role) PROVIDERS.role_api.create_role(self.role['id'], self.role)
self.role1 = unit.new_role_ref() self.role1 = unit.new_role_ref()
self.role_api.create_role(self.role1['id'], self.role1) PROVIDERS.role_api.create_role(self.role1['id'], self.role1)
self.assignment_api.create_grant(self.role['id'], PROVIDERS.assignment_api.create_grant(
user_id=self.user1['id'], self.role['id'], user_id=self.user1['id'],
domain_id=self.domainA['id']) domain_id=self.domainA['id']
self.assignment_api.create_grant(self.role['id'], )
user_id=self.user2['id'], PROVIDERS.assignment_api.create_grant(
domain_id=self.domainA['id']) self.role['id'], user_id=self.user2['id'],
self.assignment_api.create_grant(self.role1['id'], domain_id=self.domainA['id']
user_id=self.user1['id'], )
domain_id=self.domainA['id']) PROVIDERS.assignment_api.create_grant(
self.assignment_api.create_grant(self.role['id'], self.role1['id'], user_id=self.user1['id'],
user_id=self.user1['id'], domain_id=self.domainA['id']
project_id=self.projectA['id']) )
self.assignment_api.create_grant(self.role['id'], PROVIDERS.assignment_api.create_grant(
user_id=self.user2['id'], self.role['id'], user_id=self.user1['id'],
project_id=self.projectB['id']) project_id=self.projectA['id']
)
PROVIDERS.assignment_api.create_grant(
self.role['id'], user_id=self.user2['id'],
project_id=self.projectB['id']
)
def _get_id_list_from_ref_list(self, ref_list): def _get_id_list_from_ref_list(self, ref_list):
result_list = [] result_list = []
@ -388,33 +399,36 @@ class IdentityTestPolicySample(test_v3.RestfulTestCase):
self._populate_default_domain() self._populate_default_domain()
self.just_a_user = unit.create_user( self.just_a_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
self.another_user = unit.create_user( self.another_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
self.admin_user = unit.create_user( self.admin_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
self.role = unit.new_role_ref() self.role = unit.new_role_ref()
self.role_api.create_role(self.role['id'], self.role) PROVIDERS.role_api.create_role(self.role['id'], self.role)
self.admin_role = unit.new_role_ref(name='admin') self.admin_role = unit.new_role_ref(name='admin')
self.role_api.create_role(self.admin_role['id'], self.admin_role) PROVIDERS.role_api.create_role(self.admin_role['id'], self.admin_role)
# Create and assign roles to the project # Create and assign roles to the project
self.project = unit.new_project_ref( self.project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id) domain_id=CONF.identity.default_domain_id)
self.resource_api.create_project(self.project['id'], self.project) PROVIDERS.resource_api.create_project(self.project['id'], self.project)
self.assignment_api.create_grant(self.role['id'], PROVIDERS.assignment_api.create_grant(
user_id=self.just_a_user['id'], self.role['id'], user_id=self.just_a_user['id'],
project_id=self.project['id']) project_id=self.project['id']
self.assignment_api.create_grant(self.role['id'], )
user_id=self.another_user['id'], PROVIDERS.assignment_api.create_grant(
project_id=self.project['id']) self.role['id'], user_id=self.another_user['id'],
self.assignment_api.create_grant(self.admin_role['id'], project_id=self.project['id']
user_id=self.admin_user['id'], )
project_id=self.project['id']) PROVIDERS.assignment_api.create_grant(
self.admin_role['id'], user_id=self.admin_user['id'],
project_id=self.project['id']
)
def test_user_validate_same_token(self): def test_user_validate_same_token(self):
# Given a non-admin user token, the token can be used to validate # Given a non-admin user token, the token can be used to validate
@ -677,85 +691,95 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
# Start by creating a couple of domains # Start by creating a couple of domains
self._populate_default_domain() self._populate_default_domain()
self.domainA = unit.new_domain_ref() self.domainA = unit.new_domain_ref()
self.resource_api.create_domain(self.domainA['id'], self.domainA) PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = unit.new_domain_ref() self.domainB = unit.new_domain_ref()
self.resource_api.create_domain(self.domainB['id'], self.domainB) PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
self.admin_domain = unit.new_domain_ref() self.admin_domain = unit.new_domain_ref()
self.resource_api.create_domain(self.admin_domain['id'], PROVIDERS.resource_api.create_domain(
self.admin_domain) self.admin_domain['id'], self.admin_domain
)
self.admin_project = unit.new_project_ref( self.admin_project = unit.new_project_ref(
domain_id=self.admin_domain['id']) domain_id=self.admin_domain['id'])
self.resource_api.create_project(self.admin_project['id'], PROVIDERS.resource_api.create_project(
self.admin_project) self.admin_project['id'], self.admin_project
)
# And our users # And our users
self.cloud_admin_user = unit.create_user( self.cloud_admin_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=self.admin_domain['id']) domain_id=self.admin_domain['id'])
self.just_a_user = unit.create_user( self.just_a_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
self.domain_admin_user = unit.create_user( self.domain_admin_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
self.domainB_admin_user = unit.create_user( self.domainB_admin_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
self.project_admin_user = unit.create_user( self.project_admin_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
self.project_adminB_user = unit.create_user( self.project_adminB_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
# The admin role, a domain specific role and another plain role # The admin role, a domain specific role and another plain role
self.admin_role = unit.new_role_ref(name='admin') self.admin_role = unit.new_role_ref(name='admin')
self.role_api.create_role(self.admin_role['id'], self.admin_role) PROVIDERS.role_api.create_role(self.admin_role['id'], self.admin_role)
self.roleA = unit.new_role_ref(domain_id=self.domainA['id']) self.roleA = unit.new_role_ref(domain_id=self.domainA['id'])
self.role_api.create_role(self.roleA['id'], self.roleA) PROVIDERS.role_api.create_role(self.roleA['id'], self.roleA)
self.role = unit.new_role_ref() self.role = unit.new_role_ref()
self.role_api.create_role(self.role['id'], self.role) PROVIDERS.role_api.create_role(self.role['id'], self.role)
# The cloud admin just gets the admin role on the special admin project # The cloud admin just gets the admin role on the special admin project
self.assignment_api.create_grant(self.admin_role['id'], PROVIDERS.assignment_api.create_grant(
user_id=self.cloud_admin_user['id'], self.admin_role['id'], user_id=self.cloud_admin_user['id'],
project_id=self.admin_project['id']) project_id=self.admin_project['id']
)
# Assign roles to the domain # Assign roles to the domain
self.assignment_api.create_grant(self.admin_role['id'], PROVIDERS.assignment_api.create_grant(
user_id=self.domain_admin_user['id'], self.admin_role['id'], user_id=self.domain_admin_user['id'],
domain_id=self.domainA['id']) domain_id=self.domainA['id']
self.assignment_api.create_grant(self.role['id'], )
user_id=self.just_a_user['id'], PROVIDERS.assignment_api.create_grant(
domain_id=self.domainA['id']) self.role['id'], user_id=self.just_a_user['id'],
self.assignment_api.create_grant(self.admin_role['id'], domain_id=self.domainA['id']
user_id=self.domainB_admin_user['id'], )
domain_id=self.domainB['id']) PROVIDERS.assignment_api.create_grant(
self.admin_role['id'], user_id=self.domainB_admin_user['id'],
domain_id=self.domainB['id']
)
# Create and assign roles to the project # Create and assign roles to the project
self.project = unit.new_project_ref(domain_id=self.domainA['id']) self.project = unit.new_project_ref(domain_id=self.domainA['id'])
self.resource_api.create_project(self.project['id'], self.project) PROVIDERS.resource_api.create_project(self.project['id'], self.project)
self.projectB = unit.new_project_ref(domain_id=self.domainB['id']) self.projectB = unit.new_project_ref(domain_id=self.domainB['id'])
self.resource_api.create_project(self.projectB['id'], self.projectB) PROVIDERS.resource_api.create_project(
self.assignment_api.create_grant(self.admin_role['id'], self.projectB['id'], self.projectB
user_id=self.project_admin_user['id'], )
project_id=self.project['id']) PROVIDERS.assignment_api.create_grant(
self.assignment_api.create_grant( self.admin_role['id'], user_id=self.project_admin_user['id'],
project_id=self.project['id']
)
PROVIDERS.assignment_api.create_grant(
self.admin_role['id'], user_id=self.project_adminB_user['id'], self.admin_role['id'], user_id=self.project_adminB_user['id'],
project_id=self.projectB['id']) project_id=self.projectB['id'])
self.assignment_api.create_grant(self.role['id'], PROVIDERS.assignment_api.create_grant(
user_id=self.just_a_user['id'], self.role['id'], user_id=self.just_a_user['id'],
project_id=self.project['id']) project_id=self.project['id']
)
self.group1 = unit.new_group_ref(domain_id=self.domainA['id']) self.group1 = unit.new_group_ref(domain_id=self.domainA['id'])
self.group1 = self.identity_api.create_group(self.group1) self.group1 = PROVIDERS.identity_api.create_group(self.group1)
self.group2 = unit.new_group_ref(domain_id=self.domainA['id']) self.group2 = unit.new_group_ref(domain_id=self.domainA['id'])
self.group2 = self.identity_api.create_group(self.group2) self.group2 = PROVIDERS.identity_api.create_group(self.group2)
self.group3 = unit.new_group_ref(domain_id=self.domainB['id']) self.group3 = unit.new_group_ref(domain_id=self.domainB['id'])
self.group3 = self.identity_api.create_group(self.group3) self.group3 = PROVIDERS.identity_api.create_group(self.group3)
def _stati(self, expected_status): def _stati(self, expected_status):
# Return the expected return codes for APIs with and without data # Return the expected return codes for APIs with and without data
@ -854,7 +878,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
list_status_OK=False, expected=None): list_status_OK=False, expected=None):
status_OK, status_created, status_no_data = self._stati(expected) status_OK, status_created, status_no_data = self._stati(expected)
a_role = unit.new_role_ref(domain_id=role_domain_id) a_role = unit.new_role_ref(domain_id=role_domain_id)
self.role_api.create_role(a_role['id'], a_role) PROVIDERS.role_api.create_role(a_role['id'], a_role)
collection_url = ( collection_url = (
'/%(target)s/%(target_id)s/users/%(user_id)s/roles' % { '/%(target)s/%(target_id)s/users/%(user_id)s/roles' % {
@ -1397,7 +1421,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
def test_project_admin_list_assignments_of_another_project_failed(self): def test_project_admin_list_assignments_of_another_project_failed(self):
projectB = unit.new_project_ref(domain_id=self.domainA['id']) projectB = unit.new_project_ref(domain_id=self.domainA['id'])
self.resource_api.create_project(projectB['id'], projectB) PROVIDERS.resource_api.create_project(projectB['id'], projectB)
admin_auth = self.build_authentication_request( admin_auth = self.build_authentication_request(
user_id=self.project_admin_user['id'], user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'], password=self.project_admin_user['password'],
@ -1439,10 +1463,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
# Add a child project to the standard test data # Add a child project to the standard test data
sub_project = unit.new_project_ref(domain_id=self.domainA['id'], sub_project = unit.new_project_ref(domain_id=self.domainA['id'],
parent_id=self.project['id']) parent_id=self.project['id'])
self.resource_api.create_project(sub_project['id'], sub_project) PROVIDERS.resource_api.create_project(sub_project['id'], sub_project)
self.assignment_api.create_grant(self.role['id'], PROVIDERS.assignment_api.create_grant(
user_id=self.just_a_user['id'], self.role['id'], user_id=self.just_a_user['id'],
project_id=sub_project['id']) project_id=sub_project['id']
)
collection_url = self.build_role_assignment_query_url( collection_url = self.build_role_assignment_query_url(
project_id=self.project['id']) project_id=self.project['id'])
@ -1469,11 +1494,12 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
# A neither should a domain admin from a different domain # A neither should a domain admin from a different domain
domainB_admin_user = unit.create_user( domainB_admin_user = unit.create_user(
self.identity_api, PROVIDERS.identity_api,
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
self.assignment_api.create_grant(self.admin_role['id'], PROVIDERS.assignment_api.create_grant(
user_id=domainB_admin_user['id'], self.admin_role['id'], user_id=domainB_admin_user['id'],
domain_id=self.domainB['id']) domain_id=self.domainB['id']
)
auth = self.build_authentication_request( auth = self.build_authentication_request(
user_id=domainB_admin_user['id'], user_id=domainB_admin_user['id'],
password=domainB_admin_user['password'], password=domainB_admin_user['password'],
@ -1535,11 +1561,13 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
def test_list_user_credentials(self): def test_list_user_credentials(self):
credential_user = unit.new_credential_ref(self.just_a_user['id']) credential_user = unit.new_credential_ref(self.just_a_user['id'])
self.credential_api.create_credential(credential_user['id'], PROVIDERS.credential_api.create_credential(
credential_user) credential_user['id'], credential_user
)
credential_admin = unit.new_credential_ref(self.cloud_admin_user['id']) credential_admin = unit.new_credential_ref(self.cloud_admin_user['id'])
self.credential_api.create_credential(credential_admin['id'], PROVIDERS.credential_api.create_credential(
credential_admin) credential_admin['id'], credential_admin
)
self.auth = self.build_authentication_request( self.auth = self.build_authentication_request(
user_id=self.just_a_user['id'], user_id=self.just_a_user['id'],
@ -1555,7 +1583,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
def test_get_and_delete_ec2_credentials(self): def test_get_and_delete_ec2_credentials(self):
"""Test getting and deleting ec2 credentials through the ec2 API.""" """Test getting and deleting ec2 credentials through the ec2 API."""
another_user = unit.create_user(self.identity_api, another_user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
# create a credential for just_a_user # create a credential for just_a_user
@ -1826,7 +1854,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
# Test user can not get project for one they don't have a role in, # Test user can not get project for one they don't have a role in,
# even if they have a role on another project # even if they have a role on another project
project2 = unit.new_project_ref(domain_id=self.domainA['id']) project2 = unit.new_project_ref(domain_id=self.domainA['id'])
self.resource_api.create_project(project2['id'], project2) PROVIDERS.resource_api.create_project(project2['id'], project2)
self.get('/projects/%s' % project2['id'], auth=user_auth, self.get('/projects/%s' % project2['id'], auth=user_auth,
expected_status=exception.ForbiddenAction.code) expected_status=exception.ForbiddenAction.code)
@ -1974,14 +2002,19 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
self.admin_token = self.get_requested_token(domain_admin_auth) self.admin_token = self.get_requested_token(domain_admin_auth)
self.appdev_role = unit.new_role_ref(domain_id=self.domainA['id']) self.appdev_role = unit.new_role_ref(domain_id=self.domainA['id'])
self.role_api.create_role(self.appdev_role['id'], self.appdev_role) PROVIDERS.role_api.create_role(
self.appdev_role['id'], self.appdev_role
)
self.appadmin_role = unit.new_role_ref(domain_id=self.domainA['id']) self.appadmin_role = unit.new_role_ref(domain_id=self.domainA['id'])
self.role_api.create_role(self.appadmin_role['id'], self.appadmin_role) PROVIDERS.role_api.create_role(
self.appadmin_role['id'], self.appadmin_role
)
def _create_implied_role(self): def _create_implied_role(self):
self.role_api.create_implied_role(self.appadmin_role['id'], PROVIDERS.role_api.create_implied_role(
self.appdev_role['id']) self.appadmin_role['id'], self.appdev_role['id']
)
def test_get(self): def test_get(self):
# A domain admin should be able to get an existing implied role # A domain admin should be able to get an existing implied role
@ -2028,10 +2061,10 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
def test_forbidden_role_implication_from_different_domain(self): def test_forbidden_role_implication_from_different_domain(self):
domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex) domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
self.resource_api.create_domain(domain2['id'], domain2) PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
role2 = unit.new_role_ref(domain_id=domain2['id']) role2 = unit.new_role_ref(domain_id=domain2['id'])
implied = self.role_api.create_role(role2['id'], role2) implied = PROVIDERS.role_api.create_role(role2['id'], role2)
self.put('/roles/%s/implies/%s' self.put('/roles/%s/implies/%s'
% (self.appdev_role['id'], implied['id']), % (self.appdev_role['id'], implied['id']),
@ -2045,10 +2078,10 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
project_id=self.admin_project['id']) project_id=self.admin_project['id'])
domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex) domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
self.resource_api.create_domain(domain2['id'], domain2) PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
role2 = unit.new_role_ref(domain_id=domain2['id']) role2 = unit.new_role_ref(domain_id=domain2['id'])
implied = self.role_api.create_role(role2['id'], role2) implied = PROVIDERS.role_api.create_role(role2['id'], role2)
self.put('/roles/%s/implies/%s' self.put('/roles/%s/implies/%s'
% (self.appdev_role['id'], implied['id']), % (self.appdev_role['id'], implied['id']),

189
keystone/tests/unit/token/test_backends.py
View File

@ -19,12 +19,14 @@ from oslo_utils import timeutils
import six import six
from six.moves import range from six.moves import range
from keystone.common import provider_api
from keystone import exception from keystone import exception
from keystone.tests import unit from keystone.tests import unit
from keystone.token import provider from keystone.token import provider
NULL_OBJECT = object() NULL_OBJECT = object()
PROVIDERS = provider_api.ProviderAPIs
class TokenTests(object): class TokenTests(object):
@ -37,7 +39,7 @@ class TokenTests(object):
# token persistence service # token persistence service
persistence_list = [ persistence_list = [
x['id'] x['id']
for x in self.token_provider_api.list_revoked_tokens() for x in PROVIDERS.token_provider_api.list_revoked_tokens()
] ]
self.assertEqual(persistence_list, revoked_token_id_list) self.assertEqual(persistence_list, revoked_token_id_list)
@ -48,8 +50,9 @@ class TokenTests(object):
'user': {'id': 'testuserid'}, 'user': {'id': 'testuserid'},
'token_data': {'access': {'token': { 'token_data': {'access': {'token': {
'audit_ids': [uuid.uuid4().hex]}}}} 'audit_ids': [uuid.uuid4().hex]}}}}
data_ref = self.token_provider_api._persistence.create_token(token_id, data_ref = PROVIDERS.token_provider_api._persistence.create_token(
data) token_id, data
)
expires = data_ref.pop('expires') expires = data_ref.pop('expires')
data_ref.pop('user_id') data_ref.pop('user_id')
self.assertIsInstance(expires, datetime.datetime) self.assertIsInstance(expires, datetime.datetime)
@ -57,7 +60,9 @@ class TokenTests(object):
data.pop('id') data.pop('id')
self.assertDictEqual(data, data_ref) self.assertDictEqual(data, data_ref)
new_data_ref = self.token_provider_api._persistence.get_token(token_id) new_data_ref = PROVIDERS.token_provider_api._persistence.get_token(
token_id
)
expires = new_data_ref.pop('expires') expires = new_data_ref.pop('expires')
self.assertIsInstance(expires, datetime.datetime) self.assertIsInstance(expires, datetime.datetime)
new_data_ref.pop('user_id') new_data_ref.pop('user_id')
@ -65,13 +70,13 @@ class TokenTests(object):
self.assertEqual(data, new_data_ref) self.assertEqual(data, new_data_ref)
self.token_provider_api._persistence.delete_token(token_id) PROVIDERS.token_provider_api._persistence.delete_token(token_id)
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api._persistence.get_token, token_id) PROVIDERS.token_provider_api._persistence.get_token, token_id)
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api._persistence.delete_token, token_id) PROVIDERS.token_provider_api._persistence.delete_token, token_id)
def create_token_sample_data(self, token_id=None, tenant_id=None, def create_token_sample_data(self, token_id=None, tenant_id=None,
trust_id=None, user_id=None, expires=None): trust_id=None, user_id=None, expires=None):
@ -101,12 +106,13 @@ class TokenTests(object):
# Issue token stores a copy of all token data at token['token_data']. # Issue token stores a copy of all token data at token['token_data'].
# This emulates that assumption as part of the test. # This emulates that assumption as part of the test.
data['token_data'] = copy.deepcopy(data) data['token_data'] = copy.deepcopy(data)
new_token = self.token_provider_api._persistence.create_token(token_id, new_token = PROVIDERS.token_provider_api._persistence.create_token(
data) token_id, data
)
return new_token['id'], data return new_token['id'], data
def test_delete_tokens(self): def test_delete_tokens(self):
tokens = self.token_provider_api._persistence._list_tokens( tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
'testuserid') 'testuserid')
self.assertEqual(0, len(tokens)) self.assertEqual(0, len(tokens))
token_id1, data = self.create_token_sample_data( token_id1, data = self.create_token_sample_data(
@ -116,28 +122,28 @@ class TokenTests(object):
token_id3, data = self.create_token_sample_data( token_id3, data = self.create_token_sample_data(
tenant_id='testtenantid', tenant_id='testtenantid',
user_id='testuserid1') user_id='testuserid1')
tokens = self.token_provider_api._persistence._list_tokens( tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
'testuserid') 'testuserid')
self.assertEqual(2, len(tokens)) self.assertEqual(2, len(tokens))
self.assertIn(token_id2, tokens) self.assertIn(token_id2, tokens)
self.assertIn(token_id1, tokens) self.assertIn(token_id1, tokens)
self.token_provider_api._persistence.delete_tokens( PROVIDERS.token_provider_api._persistence.delete_tokens(
user_id='testuserid', user_id='testuserid',
tenant_id='testtenantid') tenant_id='testtenantid')
tokens = self.token_provider_api._persistence._list_tokens( tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
'testuserid') 'testuserid')
self.assertEqual(0, len(tokens)) self.assertEqual(0, len(tokens))
self.assertRaises(exception.TokenNotFound, self.assertRaises(exception.TokenNotFound,
self.token_provider_api._persistence.get_token, PROVIDERS.token_provider_api._persistence.get_token,
token_id1) token_id1)
self.assertRaises(exception.TokenNotFound, self.assertRaises(exception.TokenNotFound,
self.token_provider_api._persistence.get_token, PROVIDERS.token_provider_api._persistence.get_token,
token_id2) token_id2)
self.token_provider_api._persistence.get_token(token_id3) PROVIDERS.token_provider_api._persistence.get_token(token_id3)
def test_delete_tokens_trust(self): def test_delete_tokens_trust(self):
tokens = self.token_provider_api._persistence._list_tokens( tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
user_id='testuserid') user_id='testuserid')
self.assertEqual(0, len(tokens)) self.assertEqual(0, len(tokens))
token_id1, data = self.create_token_sample_data( token_id1, data = self.create_token_sample_data(
@ -147,18 +153,18 @@ class TokenTests(object):
tenant_id='testtenantid', tenant_id='testtenantid',
user_id='testuserid1', user_id='testuserid1',
trust_id='testtrustid1') trust_id='testtrustid1')
tokens = self.token_provider_api._persistence._list_tokens( tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
'testuserid') 'testuserid')
self.assertEqual(1, len(tokens)) self.assertEqual(1, len(tokens))
self.assertIn(token_id1, tokens) self.assertIn(token_id1, tokens)
self.token_provider_api._persistence.delete_tokens( PROVIDERS.token_provider_api._persistence.delete_tokens(
user_id='testuserid', user_id='testuserid',
tenant_id='testtenantid', tenant_id='testtenantid',
trust_id='testtrustid') trust_id='testtrustid')
self.assertRaises(exception.TokenNotFound, self.assertRaises(exception.TokenNotFound,
self.token_provider_api._persistence.get_token, PROVIDERS.token_provider_api._persistence.get_token,
token_id1) token_id1)
self.token_provider_api._persistence.get_token(token_id2) PROVIDERS.token_provider_api._persistence.get_token(token_id2)
def _test_token_list(self, token_list_fn): def _test_token_list(self, token_list_fn):
tokens = token_list_fn('testuserid') tokens = token_list_fn('testuserid')
@ -172,11 +178,11 @@ class TokenTests(object):
self.assertEqual(2, len(tokens)) self.assertEqual(2, len(tokens))
self.assertIn(token_id2, tokens) self.assertIn(token_id2, tokens)
self.assertIn(token_id1, tokens) self.assertIn(token_id1, tokens)
self.token_provider_api._persistence.delete_token(token_id1) PROVIDERS.token_provider_api._persistence.delete_token(token_id1)
tokens = token_list_fn('testuserid') tokens = token_list_fn('testuserid')
self.assertIn(token_id2, tokens) self.assertIn(token_id2, tokens)
self.assertNotIn(token_id1, tokens) self.assertNotIn(token_id1, tokens)
self.token_provider_api._persistence.delete_token(token_id2) PROVIDERS.token_provider_api._persistence.delete_token(token_id2)
tokens = token_list_fn('testuserid') tokens = token_list_fn('testuserid')
self.assertNotIn(token_id2, tokens) self.assertNotIn(token_id2, tokens)
self.assertNotIn(token_id1, tokens) self.assertNotIn(token_id1, tokens)
@ -204,34 +210,39 @@ class TokenTests(object):
def test_token_list(self): def test_token_list(self):
self._test_token_list( self._test_token_list(
self.token_provider_api._persistence._list_tokens) PROVIDERS.token_provider_api._persistence._list_tokens)
def test_token_list_trust(self): def test_token_list_trust(self):
trust_id = uuid.uuid4().hex trust_id = uuid.uuid4().hex
token_id5, data = self.create_token_sample_data(trust_id=trust_id) token_id5, data = self.create_token_sample_data(trust_id=trust_id)
tokens = self.token_provider_api._persistence._list_tokens( tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
'testuserid', trust_id=trust_id) 'testuserid', trust_id=trust_id)
self.assertEqual(1, len(tokens)) self.assertEqual(1, len(tokens))
self.assertIn(token_id5, tokens) self.assertIn(token_id5, tokens)
def test_get_token_returns_not_found(self): def test_get_token_returns_not_found(self):
self.assertRaises(exception.TokenNotFound, self.assertRaises(exception.TokenNotFound,
self.token_provider_api._persistence.get_token, PROVIDERS.token_provider_api._persistence.get_token,
uuid.uuid4().hex) uuid.uuid4().hex)
def test_delete_token_returns_not_found(self): def test_delete_token_returns_not_found(self):
self.assertRaises(exception.TokenNotFound, self.assertRaises(
self.token_provider_api._persistence.delete_token, exception.TokenNotFound,
uuid.uuid4().hex) PROVIDERS.token_provider_api._persistence.delete_token,
uuid.uuid4().hex
)
def test_null_expires_token(self): def test_null_expires_token(self):
token_id = uuid.uuid4().hex token_id = uuid.uuid4().hex
data = {'id': token_id, 'id_hash': token_id, 'a': 'b', 'expires': None, data = {'id': token_id, 'id_hash': token_id, 'a': 'b', 'expires': None,
'user': {'id': 'testuserid'}} 'user': {'id': 'testuserid'}}
data_ref = self.token_provider_api._persistence.create_token(token_id, data_ref = PROVIDERS.token_provider_api._persistence.create_token(
data) token_id, data
)
self.assertIsNotNone(data_ref['expires']) self.assertIsNotNone(data_ref['expires'])
new_data_ref = self.token_provider_api._persistence.get_token(token_id) new_data_ref = PROVIDERS.token_provider_api._persistence.get_token(
token_id
)
# MySQL doesn't store microseconds, so discard them before testing # MySQL doesn't store microseconds, so discard them before testing
data_ref['expires'] = data_ref['expires'].replace(microsecond=0) data_ref['expires'] = data_ref['expires'].replace(microsecond=0)
@ -241,7 +252,7 @@ class TokenTests(object):
self.assertEqual(data_ref, new_data_ref) self.assertEqual(data_ref, new_data_ref)
def check_list_revoked_tokens(self, token_infos): def check_list_revoked_tokens(self, token_infos):
revocation_list = self.token_provider_api.list_revoked_tokens() revocation_list = PROVIDERS.token_provider_api.list_revoked_tokens()
revoked_ids = [x['id'] for x in revocation_list] revoked_ids = [x['id'] for x in revocation_list]
revoked_audit_ids = [x['audit_id'] for x in revocation_list] revoked_audit_ids = [x['audit_id'] for x in revocation_list]
self._assert_revoked_token_list_matches_token_persistence(revoked_ids) self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
@ -255,22 +266,24 @@ class TokenTests(object):
data = {'id_hash': token_id, 'id': token_id, 'a': 'b', data = {'id_hash': token_id, 'id': token_id, 'a': 'b',
'user': {'id': 'testuserid'}, 'user': {'id': 'testuserid'},
'token_data': {'token': {'audit_ids': [audit_id]}}} 'token_data': {'token': {'audit_ids': [audit_id]}}}
data_ref = self.token_provider_api._persistence.create_token(token_id, data_ref = PROVIDERS.token_provider_api._persistence.create_token(
data) token_id, data
self.token_provider_api._persistence.delete_token(token_id) )
PROVIDERS.token_provider_api._persistence.delete_token(token_id)
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api._persistence.get_token, PROVIDERS.token_provider_api._persistence.get_token,
data_ref['id']) data_ref['id'])
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api._persistence.delete_token, PROVIDERS.token_provider_api._persistence.delete_token,
data_ref['id']) data_ref['id'])
return (token_id, audit_id) return (token_id, audit_id)
def test_list_revoked_tokens_returns_empty_list(self): def test_list_revoked_tokens_returns_empty_list(self):
revoked_ids = [x['id'] revoked_ids = [
for x in self.token_provider_api.list_revoked_tokens()] x['id'] for x in PROVIDERS.token_provider_api.list_revoked_tokens()
]
self._assert_revoked_token_list_matches_token_persistence(revoked_ids) self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
self.assertEqual([], revoked_ids) self.assertEqual([], revoked_ids)
@ -289,8 +302,9 @@ class TokenTests(object):
'expires': expire_time, 'expires': expire_time,
'trust_id': None, 'trust_id': None,
'user': {'id': 'testuserid'}} 'user': {'id': 'testuserid'}}
data_ref = self.token_provider_api._persistence.create_token(token_id, data_ref = PROVIDERS.token_provider_api._persistence.create_token(
data) token_id, data
)
data_ref.pop('user_id') data_ref.pop('user_id')
self.assertDictEqual(data, data_ref) self.assertDictEqual(data, data_ref)
@ -300,13 +314,14 @@ class TokenTests(object):
'expires': expire_time, 'expires': expire_time,
'trust_id': None, 'trust_id': None,
'user': {'id': 'testuserid'}} 'user': {'id': 'testuserid'}}
data_ref = self.token_provider_api._persistence.create_token(token_id, data_ref = PROVIDERS.token_provider_api._persistence.create_token(
data) token_id, data
)
data_ref.pop('user_id') data_ref.pop('user_id')
self.assertDictEqual(data, data_ref) self.assertDictEqual(data, data_ref)
self.token_provider_api._persistence.flush_expired_tokens() PROVIDERS.token_provider_api._persistence.flush_expired_tokens()
tokens = self.token_provider_api._persistence._list_tokens( tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
'testuserid') 'testuserid')
self.assertEqual(1, len(tokens)) self.assertEqual(1, len(tokens))
self.assertIn(token_id, tokens) self.assertIn(token_id, tokens)
@ -329,31 +344,41 @@ class TokenTests(object):
'token_data': {'token': { 'token_data': {'token': {
'audit_ids': [uuid.uuid4().hex]}}} 'audit_ids': [uuid.uuid4().hex]}}}
# Create 2 Tokens. # Create 2 Tokens.
self.token_provider_api._persistence.create_token(token_id, PROVIDERS.token_provider_api._persistence.create_token(
token_data) token_id, token_data
self.token_provider_api._persistence.create_token(token2_id, )
token2_data) PROVIDERS.token_provider_api._persistence.create_token(
token2_id, token2_data
)
# Verify the revocation list is empty. # Verify the revocation list is empty.
self.assertEqual( self.assertEqual(
[], self.token_provider_api._persistence.list_revoked_tokens()) [], PROVIDERS.token_provider_api._persistence.list_revoked_tokens()
self.assertEqual([], self.token_provider_api.list_revoked_tokens()) )
self.assertEqual(
[], PROVIDERS.token_provider_api.list_revoked_tokens()
)
# Delete a token directly, bypassing the manager. # Delete a token directly, bypassing the manager.
self.token_provider_api._persistence.driver.delete_token(token_id) PROVIDERS.token_provider_api._persistence.driver.delete_token(token_id)
# Verify the revocation list is still empty. # Verify the revocation list is still empty.
self.assertEqual( self.assertEqual(
[], self.token_provider_api._persistence.list_revoked_tokens()) [], PROVIDERS.token_provider_api._persistence.list_revoked_tokens()
self.assertEqual([], self.token_provider_api.list_revoked_tokens()) )
self.assertEqual(
[], PROVIDERS.token_provider_api.list_revoked_tokens()
)
# Invalidate the revocation list. # Invalidate the revocation list.
self.token_provider_api._persistence.invalidate_revocation_list() PROVIDERS.token_provider_api._persistence.invalidate_revocation_list()
# Verify the deleted token is in the revocation list. # Verify the deleted token is in the revocation list.
revoked_ids = [x['id'] revoked_ids = [
for x in self.token_provider_api.list_revoked_tokens()] x['id'] for x in PROVIDERS.token_provider_api.list_revoked_tokens()
]
self._assert_revoked_token_list_matches_token_persistence(revoked_ids) self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
self.assertIn(token_id, revoked_ids) self.assertIn(token_id, revoked_ids)
# Delete the second token, through the manager # Delete the second token, through the manager
self.token_provider_api._persistence.delete_token(token2_id) PROVIDERS.token_provider_api._persistence.delete_token(token2_id)
revoked_ids = [x['id'] revoked_ids = [
for x in self.token_provider_api.list_revoked_tokens()] x['id'] for x in PROVIDERS.token_provider_api.list_revoked_tokens()
]
self._assert_revoked_token_list_matches_token_persistence(revoked_ids) self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
# Verify both tokens are in the revocation list. # Verify both tokens are in the revocation list.
self.assertIn(token_id, revoked_ids) self.assertIn(token_id, revoked_ids)
@ -364,10 +389,10 @@ class TokenTests(object):
token = {'user': {'id': uuid.uuid4().hex}, token = {'user': {'id': uuid.uuid4().hex},
'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}} 'token_data': {'token': {'audit_ids': [uuid.uuid4().hex]}}}
self.token_provider_api._persistence.create_token(token_id, token) PROVIDERS.token_provider_api._persistence.create_token(token_id, token)
self.token_provider_api._persistence.delete_token(token_id) PROVIDERS.token_provider_api._persistence.delete_token(token_id)
revoked_tokens = self.token_provider_api.list_revoked_tokens() revoked_tokens = PROVIDERS.token_provider_api.list_revoked_tokens()
revoked_ids = [x['id'] for x in revoked_tokens] revoked_ids = [x['id'] for x in revoked_tokens]
self._assert_revoked_token_list_matches_token_persistence(revoked_ids) self._assert_revoked_token_list_matches_token_persistence(revoked_ids)
self.assertIn(token_id, revoked_ids) self.assertIn(token_id, revoked_ids)
@ -377,12 +402,12 @@ class TokenTests(object):
def test_create_unicode_token_id(self): def test_create_unicode_token_id(self):
token_id = six.text_type(self._create_token_id()) token_id = six.text_type(self._create_token_id())
self.create_token_sample_data(token_id=token_id) self.create_token_sample_data(token_id=token_id)
self.token_provider_api._persistence.get_token(token_id) PROVIDERS.token_provider_api._persistence.get_token(token_id)
def test_create_unicode_user_id(self): def test_create_unicode_user_id(self):
user_id = six.text_type(uuid.uuid4().hex) user_id = six.text_type(uuid.uuid4().hex)
token_id, data = self.create_token_sample_data(user_id=user_id) token_id, data = self.create_token_sample_data(user_id=user_id)
self.token_provider_api._persistence.get_token(token_id) PROVIDERS.token_provider_api._persistence.get_token(token_id)
class TokenCacheInvalidation(object): class TokenCacheInvalidation(object):
@ -390,7 +415,7 @@ class TokenCacheInvalidation(object):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
# Create an equivalent of a scoped token # Create an equivalent of a scoped token
token_id, data = self.token_provider_api.issue_token( token_id, data = PROVIDERS.token_provider_api.issue_token(
self.user_foo['id'], self.user_foo['id'],
['password'], ['password'],
project_id=self.tenant_bar['id'] project_id=self.tenant_bar['id']
@ -398,7 +423,7 @@ class TokenCacheInvalidation(object):
self.scoped_token_id = token_id self.scoped_token_id = token_id
# ..and an un-scoped one # ..and an un-scoped one
token_id, data = self.token_provider_api.issue_token( token_id, data = PROVIDERS.token_provider_api.issue_token(
self.user_foo['id'], self.user_foo['id'],
['password'] ['password']
) )
@ -407,28 +432,28 @@ class TokenCacheInvalidation(object):
# Validate them, in the various ways possible - this will load the # Validate them, in the various ways possible - this will load the
# responses into the token cache. # responses into the token cache.
self.token_provider_api.validate_token(self.scoped_token_id) PROVIDERS.token_provider_api.validate_token(self.scoped_token_id)
self.token_provider_api.validate_token(self.unscoped_token_id) PROVIDERS.token_provider_api.validate_token(self.unscoped_token_id)
def test_delete_unscoped_token(self): def test_delete_unscoped_token(self):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
self.token_provider_api._persistence.delete_token( PROVIDERS.token_provider_api._persistence.delete_token(
self.unscoped_token_id) self.unscoped_token_id)
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
# Ensure the unscoped token is invalid # Ensure the unscoped token is invalid
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api.validate_token, PROVIDERS.token_provider_api.validate_token,
self.unscoped_token_id) self.unscoped_token_id)
# Ensure the scoped token is still valid # Ensure the scoped token is still valid
self.token_provider_api.validate_token(self.scoped_token_id) PROVIDERS.token_provider_api.validate_token(self.scoped_token_id)
def test_delete_scoped_token_by_id(self): def test_delete_scoped_token_by_id(self):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
self.token_provider_api._persistence.delete_token( PROVIDERS.token_provider_api._persistence.delete_token(
self.scoped_token_id self.scoped_token_id
) )
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
@ -436,15 +461,15 @@ class TokenCacheInvalidation(object):
# Ensure the project token is invalid # Ensure the project token is invalid
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api.validate_token, PROVIDERS.token_provider_api.validate_token,
self.scoped_token_id) self.scoped_token_id)
# Ensure the unscoped token is still valid # Ensure the unscoped token is still valid
self.token_provider_api.validate_token(self.unscoped_token_id) PROVIDERS.token_provider_api.validate_token(self.unscoped_token_id)
def test_delete_scoped_token_by_user(self): def test_delete_scoped_token_by_user(self):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
self.token_provider_api._persistence.delete_tokens( PROVIDERS.token_provider_api._persistence.delete_tokens(
self.user_foo['id'] self.user_foo['id']
) )
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
@ -453,17 +478,17 @@ class TokenCacheInvalidation(object):
# now be invalid. # now be invalid.
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api.validate_token, PROVIDERS.token_provider_api.validate_token,
self.scoped_token_id) self.scoped_token_id)
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api.validate_token, PROVIDERS.token_provider_api.validate_token,
self.unscoped_token_id) self.unscoped_token_id)
def test_delete_scoped_token_by_user_and_tenant(self): def test_delete_scoped_token_by_user_and_tenant(self):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
self.token_provider_api._persistence.delete_tokens( PROVIDERS.token_provider_api._persistence.delete_tokens(
self.user_foo['id'], self.user_foo['id'],
tenant_id=self.tenant_bar['id']) tenant_id=self.tenant_bar['id'])
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
@ -471,7 +496,7 @@ class TokenCacheInvalidation(object):
# Ensure the scoped token is invalid # Ensure the scoped token is invalid
self.assertRaises( self.assertRaises(
exception.TokenNotFound, exception.TokenNotFound,
self.token_provider_api.validate_token, PROVIDERS.token_provider_api.validate_token,
self.scoped_token_id) self.scoped_token_id)
# Ensure the unscoped token is still valid # Ensure the unscoped token is still valid
self.token_provider_api.validate_token(self.unscoped_token_id) PROVIDERS.token_provider_api.validate_token(self.unscoped_token_id)

60
keystone/tests/unit/token/test_fernet_provider.py
View File

@ -21,6 +21,7 @@ from oslo_utils import timeutils
import six import six
from keystone import auth from keystone import auth
from keystone.common import provider_api
from keystone.common import token_utils from keystone.common import token_utils
from keystone.common import utils from keystone.common import utils
import keystone.conf import keystone.conf
@ -35,6 +36,7 @@ from keystone.token import token_formatters
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class TestFernetTokenProvider(unit.TestCase): class TestFernetTokenProvider(unit.TestCase):
@ -94,17 +96,18 @@ class TestValidate(unit.TestCase):
# with a simple token. # with a simple token.
domain_ref = unit.new_domain_ref() domain_ref = unit.new_domain_ref()
domain_ref = self.resource_api.create_domain(domain_ref['id'], domain_ref = PROVIDERS.resource_api.create_domain(
domain_ref) domain_ref['id'], domain_ref
)
user_ref = unit.new_user_ref(domain_ref['id']) user_ref = unit.new_user_ref(domain_ref['id'])
user_ref = self.identity_api.create_user(user_ref) user_ref = PROVIDERS.identity_api.create_user(user_ref)
method_names = ['password'] method_names = ['password']
token_id, token_data_ = self.token_provider_api.issue_token( token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
user_ref['id'], method_names) user_ref['id'], method_names)
token_data = self.token_provider_api.validate_token(token_id) token_data = PROVIDERS.token_provider_api.validate_token(token_id)
token = token_data['token'] token = token_data['token']
self.assertIsInstance(token['audit_ids'], list) self.assertIsInstance(token['audit_ids'], list)
self.assertIsInstance(token['expires_at'], str) self.assertIsInstance(token['expires_at'], str)
@ -126,11 +129,12 @@ class TestValidate(unit.TestCase):
# when the token has federated info. # when the token has federated info.
domain_ref = unit.new_domain_ref() domain_ref = unit.new_domain_ref()
domain_ref = self.resource_api.create_domain(domain_ref['id'], domain_ref = PROVIDERS.resource_api.create_domain(
domain_ref) domain_ref['id'], domain_ref
)
user_ref = unit.new_user_ref(domain_ref['id']) user_ref = unit.new_user_ref(domain_ref['id'])
user_ref = self.identity_api.create_user(user_ref) user_ref = PROVIDERS.identity_api.create_user(user_ref)
method_names = ['mapped'] method_names = ['mapped']
@ -145,10 +149,10 @@ class TestValidate(unit.TestCase):
federation_constants.PROTOCOL: protocol, federation_constants.PROTOCOL: protocol,
} }
auth_context = auth.core.AuthContext(**auth_context_params) auth_context = auth.core.AuthContext(**auth_context_params)
token_id, token_data_ = self.token_provider_api.issue_token( token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
user_ref['id'], method_names, auth_context=auth_context) user_ref['id'], method_names, auth_context=auth_context)
token_data = self.token_provider_api.validate_token(token_id) token_data = PROVIDERS.token_provider_api.validate_token(token_id)
token = token_data['token'] token = token_data['token']
exp_user_info = { exp_user_info = {
'id': user_ref['id'], 'id': user_ref['id'],
@ -168,27 +172,29 @@ class TestValidate(unit.TestCase):
# when the token has trust info. # when the token has trust info.
domain_ref = unit.new_domain_ref() domain_ref = unit.new_domain_ref()
domain_ref = self.resource_api.create_domain(domain_ref['id'], domain_ref = PROVIDERS.resource_api.create_domain(
domain_ref) domain_ref['id'], domain_ref
)
user_ref = unit.new_user_ref(domain_ref['id']) user_ref = unit.new_user_ref(domain_ref['id'])
user_ref = self.identity_api.create_user(user_ref) user_ref = PROVIDERS.identity_api.create_user(user_ref)
trustor_user_ref = unit.new_user_ref(domain_ref['id']) trustor_user_ref = unit.new_user_ref(domain_ref['id'])
trustor_user_ref = self.identity_api.create_user(trustor_user_ref) trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref)
project_ref = unit.new_project_ref(domain_id=domain_ref['id']) project_ref = unit.new_project_ref(domain_id=domain_ref['id'])
project_ref = self.resource_api.create_project(project_ref['id'], project_ref = PROVIDERS.resource_api.create_project(
project_ref) project_ref['id'], project_ref
)
role_ref = unit.new_role_ref() role_ref = unit.new_role_ref()
role_ref = self.role_api.create_role(role_ref['id'], role_ref) role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
self.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=user_ref['id'], role_ref['id'], user_id=user_ref['id'],
project_id=project_ref['id']) project_id=project_ref['id'])
self.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=trustor_user_ref['id'], role_ref['id'], user_id=trustor_user_ref['id'],
project_id=project_ref['id']) project_id=project_ref['id'])
@ -197,16 +203,17 @@ class TestValidate(unit.TestCase):
trust_ref = unit.new_trust_ref( trust_ref = unit.new_trust_ref(
trustor_user_id, trustee_user_id, project_id=project_ref['id'], trustor_user_id, trustee_user_id, project_id=project_ref['id'],
role_ids=[role_ref['id'], ]) role_ids=[role_ref['id'], ])
trust_ref = self.trust_api.create_trust(trust_ref['id'], trust_ref, trust_ref = PROVIDERS.trust_api.create_trust(
trust_ref['roles']) trust_ref['id'], trust_ref, trust_ref['roles']
)
method_names = ['password'] method_names = ['password']
token_id, token_data_ = self.token_provider_api.issue_token( token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
user_ref['id'], method_names, project_id=project_ref['id'], user_ref['id'], method_names, project_id=project_ref['id'],
trust=trust_ref) trust=trust_ref)
token_data = self.token_provider_api.validate_token(token_id) token_data = PROVIDERS.token_provider_api.validate_token(token_id)
token = token_data['token'] token = token_data['token']
exp_trust_info = { exp_trust_info = {
'id': trust_ref['id'], 'id': trust_ref['id'],
@ -221,8 +228,11 @@ class TestValidate(unit.TestCase):
# A uuid string isn't a valid Fernet token. # A uuid string isn't a valid Fernet token.
token_id = uuid.uuid4().hex token_id = uuid.uuid4().hex
self.assertRaises(exception.TokenNotFound, self.assertRaises(
self.token_provider_api.validate_token, token_id) exception.TokenNotFound,
PROVIDERS.token_provider_api.validate_token,
token_id
)
class TestTokenFormatter(unit.TestCase): class TestTokenFormatter(unit.TestCase):