Finish refactoring self.*_api out of tests

A previous change started remove the self magic:

  Ic2094dca56158d8e4cd843eadff837f3a17ea38f

This commit finishes that work. A subsequent patch will remove the
self manager logic all together and we'll fix up any trivial test
infrastructure then.

Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278
This commit is contained in:
Lance Bragstad 2018-02-05 23:12:10 +00:00
parent bbe2d7ee48
commit 8761066260
38 changed files with 3373 additions and 2702 deletions

View File

@ -12,12 +12,15 @@
import uuid
from keystone.common import provider_api
from keystone.common import sql
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit.assignment import test_core
from keystone.tests.unit.backend import core_sql
PROVIDERS = provider_api.ProviderAPIs
class SqlRoleModels(core_sql.BaseBackendSqlModels):
@ -33,80 +36,80 @@ class SqlRole(core_sql.BaseBackendSqlTests, test_core.RoleTests):
def test_create_null_role_name(self):
role = unit.new_role_ref(name=None)
self.assertRaises(exception.UnexpectedError,
self.role_api.create_role,
PROVIDERS.role_api.create_role,
role['id'],
role)
self.assertRaises(exception.RoleNotFound,
self.role_api.get_role,
PROVIDERS.role_api.get_role,
role['id'])
def test_create_duplicate_role_domain_specific_name_fails(self):
domain = unit.new_domain_ref()
role1 = unit.new_role_ref(domain_id=domain['id'])
self.role_api.create_role(role1['id'], role1)
PROVIDERS.role_api.create_role(role1['id'], role1)
role2 = unit.new_role_ref(name=role1['name'],
domain_id=domain['id'])
self.assertRaises(exception.Conflict,
self.role_api.create_role,
PROVIDERS.role_api.create_role,
role2['id'],
role2)
def test_update_domain_id_of_role_fails(self):
# Create a global role
role1 = unit.new_role_ref()
role1 = self.role_api.create_role(role1['id'], role1)
role1 = PROVIDERS.role_api.create_role(role1['id'], role1)
# Try and update it to be domain specific
domainA = unit.new_domain_ref()
role1['domain_id'] = domainA['id']
self.assertRaises(exception.ValidationError,
self.role_api.update_role,
PROVIDERS.role_api.update_role,
role1['id'],
role1)
# Create a domain specific role from scratch
role2 = unit.new_role_ref(domain_id=domainA['id'])
self.role_api.create_role(role2['id'], role2)
PROVIDERS.role_api.create_role(role2['id'], role2)
# Try to "move" it to another domain
domainB = unit.new_domain_ref()
role2['domain_id'] = domainB['id']
self.assertRaises(exception.ValidationError,
self.role_api.update_role,
PROVIDERS.role_api.update_role,
role2['id'],
role2)
# Now try to make it global
role2['domain_id'] = None
self.assertRaises(exception.ValidationError,
self.role_api.update_role,
PROVIDERS.role_api.update_role,
role2['id'],
role2)
def test_domain_specific_separation(self):
domain1 = unit.new_domain_ref()
role1 = unit.new_role_ref(domain_id=domain1['id'])
role_ref1 = self.role_api.create_role(role1['id'], role1)
role_ref1 = PROVIDERS.role_api.create_role(role1['id'], role1)
self.assertDictEqual(role1, role_ref1)
# Check we can have the same named role in a different domain
domain2 = unit.new_domain_ref()
role2 = unit.new_role_ref(name=role1['name'], domain_id=domain2['id'])
role_ref2 = self.role_api.create_role(role2['id'], role2)
role_ref2 = PROVIDERS.role_api.create_role(role2['id'], role2)
self.assertDictEqual(role2, role_ref2)
# ...and in fact that you can have the same named role as a global role
role3 = unit.new_role_ref(name=role1['name'])
role_ref3 = self.role_api.create_role(role3['id'], role3)
role_ref3 = PROVIDERS.role_api.create_role(role3['id'], role3)
self.assertDictEqual(role3, role_ref3)
# Check that updating one doesn't change the others
role1['name'] = uuid.uuid4().hex
self.role_api.update_role(role1['id'], role1)
role_ref1 = self.role_api.get_role(role1['id'])
PROVIDERS.role_api.update_role(role1['id'], role1)
role_ref1 = PROVIDERS.role_api.get_role(role1['id'])
self.assertDictEqual(role1, role_ref1)
role_ref2 = self.role_api.get_role(role2['id'])
role_ref2 = PROVIDERS.role_api.get_role(role2['id'])
self.assertDictEqual(role2, role_ref2)
role_ref3 = self.role_api.get_role(role3['id'])
role_ref3 = PROVIDERS.role_api.get_role(role3['id'])
self.assertDictEqual(role3, role_ref3)
# Check that deleting one of these, doesn't affect the others
self.role_api.delete_role(role1['id'])
PROVIDERS.role_api.delete_role(role1['id'])
self.assertRaises(exception.RoleNotFound,
self.role_api.get_role,
PROVIDERS.role_api.get_role,
role1['id'])
self.role_api.get_role(role2['id'])
self.role_api.get_role(role3['id'])
PROVIDERS.role_api.get_role(role2['id'])
PROVIDERS.role_api.get_role(role3['id'])

View File

@ -15,31 +15,34 @@
import copy
import uuid
from keystone.common import provider_api
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit import default_fixtures
PROVIDERS = provider_api.ProviderAPIs
class RoleTests(object):
def test_get_role_returns_not_found(self):
self.assertRaises(exception.RoleNotFound,
self.role_api.get_role,
PROVIDERS.role_api.get_role,
uuid.uuid4().hex)
def test_get_unique_role_by_name_returns_not_found(self):
self.assertRaises(exception.RoleNotFound,
self.role_api.get_unique_role_by_name,
PROVIDERS.role_api.get_unique_role_by_name,
uuid.uuid4().hex)
def test_create_duplicate_role_name_fails(self):
role_id = uuid.uuid4().hex
role = unit.new_role_ref(id=role_id, name='fake1name')
self.role_api.create_role(role_id, role)
PROVIDERS.role_api.create_role(role_id, role)
new_role_id = uuid.uuid4().hex
role['id'] = new_role_id
self.assertRaises(exception.Conflict,
self.role_api.create_role,
PROVIDERS.role_api.create_role,
new_role_id,
role)
@ -48,46 +51,46 @@ class RoleTests(object):
role_id2 = uuid.uuid4().hex
role1 = unit.new_role_ref(id=role_id1, name='fake1name')
role2 = unit.new_role_ref(id=role_id2, name='fake2name')
self.role_api.create_role(role_id1, role1)
self.role_api.create_role(role_id2, role2)
PROVIDERS.role_api.create_role(role_id1, role1)
PROVIDERS.role_api.create_role(role_id2, role2)
role1['name'] = 'fake2name'
self.assertRaises(exception.Conflict,
self.role_api.update_role,
PROVIDERS.role_api.update_role,
role_id1,
role1)
def test_role_crud(self):
role = unit.new_role_ref()
role_name = role['name']
self.role_api.create_role(role['id'], role)
role_ref = self.role_api.get_role(role['id'])
PROVIDERS.role_api.create_role(role['id'], role)
role_ref = PROVIDERS.role_api.get_role(role['id'])
role_ref_dict = {x: role_ref[x] for x in role_ref}
self.assertDictEqual(role, role_ref_dict)
role_ref = self.role_api.get_unique_role_by_name(role_name)
role_ref = PROVIDERS.role_api.get_unique_role_by_name(role_name)
self.assertEqual(role['id'], role_ref['id'])
role['name'] = uuid.uuid4().hex
updated_role_ref = self.role_api.update_role(role['id'], role)
role_ref = self.role_api.get_role(role['id'])
updated_role_ref = PROVIDERS.role_api.update_role(role['id'], role)
role_ref = PROVIDERS.role_api.get_role(role['id'])
role_ref_dict = {x: role_ref[x] for x in role_ref}
self.assertDictEqual(role, role_ref_dict)
self.assertDictEqual(role_ref_dict, updated_role_ref)
self.role_api.delete_role(role['id'])
PROVIDERS.role_api.delete_role(role['id'])
self.assertRaises(exception.RoleNotFound,
self.role_api.get_role,
PROVIDERS.role_api.get_role,
role['id'])
def test_update_role_returns_not_found(self):
role = unit.new_role_ref()
self.assertRaises(exception.RoleNotFound,
self.role_api.update_role,
PROVIDERS.role_api.update_role,
role['id'],
role)
def test_list_roles(self):
roles = self.role_api.list_roles()
roles = PROVIDERS.role_api.list_roles()
self.assertEqual(len(default_fixtures.ROLES), len(roles))
role_ids = set(role['id'] for role in roles)
expected_role_ids = set(role['id'] for role in default_fixtures.ROLES)
@ -98,39 +101,39 @@ class RoleTests(object):
role = unit.new_role_ref()
role_id = role['id']
# Create role
self.role_api.create_role(role_id, role)
role_ref = self.role_api.get_role(role_id)
PROVIDERS.role_api.create_role(role_id, role)
role_ref = PROVIDERS.role_api.get_role(role_id)
updated_role_ref = copy.deepcopy(role_ref)
updated_role_ref['name'] = uuid.uuid4().hex
# Update role, bypassing the role api manager
self.role_api.driver.update_role(role_id, updated_role_ref)
PROVIDERS.role_api.driver.update_role(role_id, updated_role_ref)
# Verify get_role still returns old ref
self.assertDictEqual(role_ref, self.role_api.get_role(role_id))
self.assertDictEqual(role_ref, PROVIDERS.role_api.get_role(role_id))
# Invalidate Cache
self.role_api.get_role.invalidate(self.role_api, role_id)
PROVIDERS.role_api.get_role.invalidate(PROVIDERS.role_api, role_id)
# Verify get_role returns the new role_ref
self.assertDictEqual(updated_role_ref,
self.role_api.get_role(role_id))
PROVIDERS.role_api.get_role(role_id))
# Update role back to original via the assignment api manager
self.role_api.update_role(role_id, role_ref)
PROVIDERS.role_api.update_role(role_id, role_ref)
# Verify get_role returns the original role ref
self.assertDictEqual(role_ref, self.role_api.get_role(role_id))
self.assertDictEqual(role_ref, PROVIDERS.role_api.get_role(role_id))
# Delete role bypassing the role api manager
self.role_api.driver.delete_role(role_id)
PROVIDERS.role_api.driver.delete_role(role_id)
# Verify get_role still returns the role_ref
self.assertDictEqual(role_ref, self.role_api.get_role(role_id))
self.assertDictEqual(role_ref, PROVIDERS.role_api.get_role(role_id))
# Invalidate cache
self.role_api.get_role.invalidate(self.role_api, role_id)
PROVIDERS.role_api.get_role.invalidate(PROVIDERS.role_api, role_id)
# Verify RoleNotFound is now raised
self.assertRaises(exception.RoleNotFound,
self.role_api.get_role,
PROVIDERS.role_api.get_role,
role_id)
# recreate role
self.role_api.create_role(role_id, role)
self.role_api.get_role(role_id)
PROVIDERS.role_api.create_role(role_id, role)
PROVIDERS.role_api.get_role(role_id)
# delete role via the assignment api manager
self.role_api.delete_role(role_id)
PROVIDERS.role_api.delete_role(role_id)
# verity RoleNotFound is now raised
self.assertRaises(exception.RoleNotFound,
self.role_api.get_role,
PROVIDERS.role_api.get_role,
role_id)

View File

@ -14,6 +14,7 @@ import ldap
from keystone.common import cache
from keystone.common import provider_api
import keystone.conf
from keystone.tests import unit
from keystone.tests.unit import default_fixtures
@ -22,6 +23,7 @@ from keystone.tests.unit.ksfixtures import ldapdb
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
def create_group_container(identity_api):
@ -45,7 +47,9 @@ class BaseBackendLdapCommon(object):
def _get_domain_fixture(self):
"""Return the static domain, since domains in LDAP are read-only."""
return self.resource_api.get_domain(CONF.identity.default_domain_id)
return PROVIDERS.resource_api.get_domain(
CONF.identity.default_domain_id
)
def get_config(self, domain_id):
# Only one conf structure unless we are using separate domain backends
@ -62,10 +66,13 @@ class BaseBackendLdapCommon(object):
def get_user_enabled_vals(self, user):
user_dn = (
self.identity_api.driver.user._id_to_dn_string(user['id']))
PROVIDERS.identity_api.driver.user._id_to_dn_string(
user['id']
)
)
enabled_attr_name = CONF.ldap.user_enabled_attribute
ldap_ = self.identity_api.driver.user.get_connection()
ldap_ = PROVIDERS.identity_api.driver.user.get_connection()
res = ldap_.search_s(user_dn,
ldap.SCOPE_BASE,
u'(sn=%s)' % user['name'])
@ -87,7 +94,7 @@ class BaseBackendLdap(object):
def load_fixtures(self, fixtures):
# Override super impl since need to create group container.
create_group_container(self.identity_api)
create_group_container(PROVIDERS.identity_api)
super(BaseBackendLdap, self).load_fixtures(fixtures)

View File

@ -19,9 +19,12 @@ from testtools import matchers
from keystone.catalog.backends import base
from keystone.common import driver_hints
from keystone.common import provider_api
from keystone import exception
from keystone.tests import unit
PROVIDERS = provider_api.ProviderAPIs
class CatalogTests(object):
@ -32,7 +35,7 @@ class CatalogTests(object):
# create
region_id = 'default'
new_region = unit.new_region_ref(id=region_id)
res = self.catalog_api.create_region(new_region)
res = PROVIDERS.catalog_api.create_region(new_region)
# Ensure that we don't need to have a
# parent_region_id in the original supplied
@ -48,11 +51,11 @@ class CatalogTests(object):
parent_region_id = region_id
new_region = unit.new_region_ref(parent_region_id=parent_region_id)
region_id = new_region['id']
res = self.catalog_api.create_region(new_region)
res = PROVIDERS.catalog_api.create_region(new_region)
self.assertDictEqual(new_region, res)
# list
regions = self.catalog_api.list_regions()
regions = PROVIDERS.catalog_api.list_regions()
self.assertThat(regions, matchers.HasLength(2))
region_ids = [x['id'] for x in regions]
self.assertIn(parent_region_id, region_ids)
@ -60,27 +63,29 @@ class CatalogTests(object):
# update
region_desc_update = {'description': uuid.uuid4().hex}
res = self.catalog_api.update_region(region_id, region_desc_update)
res = PROVIDERS.catalog_api.update_region(
region_id, region_desc_update
)
expected_region = new_region.copy()
expected_region['description'] = region_desc_update['description']
self.assertDictEqual(expected_region, res)
# delete
self.catalog_api.delete_region(parent_region_id)
PROVIDERS.catalog_api.delete_region(parent_region_id)
self.assertRaises(exception.RegionNotFound,
self.catalog_api.delete_region,
PROVIDERS.catalog_api.delete_region,
parent_region_id)
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
parent_region_id)
# Ensure the child is also gone...
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
region_id)
def _create_region_with_parent_id(self, parent_id=None):
new_region = unit.new_region_ref(parent_region_id=parent_id)
self.catalog_api.create_region(new_region)
PROVIDERS.catalog_api.create_region(new_region)
return new_region
def test_list_regions_filtered_by_parent_region_id(self):
@ -92,7 +97,7 @@ class CatalogTests(object):
# filter by parent_region_id
hints = driver_hints.Hints()
hints.add_filter('parent_region_id', parent_id)
regions = self.catalog_api.list_regions(hints)
regions = PROVIDERS.catalog_api.list_regions(hints)
for region in regions:
self.assertEqual(parent_id, region['parent_region_id'])
@ -100,67 +105,74 @@ class CatalogTests(object):
def test_cache_layer_region_crud(self):
new_region = unit.new_region_ref()
region_id = new_region['id']
self.catalog_api.create_region(new_region.copy())
PROVIDERS.catalog_api.create_region(new_region.copy())
updated_region = copy.deepcopy(new_region)
updated_region['description'] = uuid.uuid4().hex
# cache the result
self.catalog_api.get_region(region_id)
PROVIDERS.catalog_api.get_region(region_id)
# update the region bypassing catalog_api
self.catalog_api.driver.update_region(region_id, updated_region)
self.assertDictContainsSubset(new_region,
self.catalog_api.get_region(region_id))
self.catalog_api.get_region.invalidate(self.catalog_api, region_id)
self.assertDictContainsSubset(updated_region,
self.catalog_api.get_region(region_id))
PROVIDERS.catalog_api.driver.update_region(region_id, updated_region)
self.assertDictContainsSubset(
new_region, PROVIDERS.catalog_api.get_region(region_id)
)
PROVIDERS.catalog_api.get_region.invalidate(
PROVIDERS.catalog_api, region_id
)
self.assertDictContainsSubset(
updated_region, PROVIDERS.catalog_api.get_region(region_id)
)
# delete the region
self.catalog_api.driver.delete_region(region_id)
PROVIDERS.catalog_api.driver.delete_region(region_id)
# still get the old region
self.assertDictContainsSubset(updated_region,
self.catalog_api.get_region(region_id))
self.catalog_api.get_region.invalidate(self.catalog_api, region_id)
self.assertDictContainsSubset(
updated_region, PROVIDERS.catalog_api.get_region(region_id)
)
PROVIDERS.catalog_api.get_region.invalidate(
PROVIDERS.catalog_api, region_id
)
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region, region_id)
PROVIDERS.catalog_api.get_region, region_id)
@unit.skip_if_cache_disabled('catalog')
def test_invalidate_cache_when_updating_region(self):
new_region = unit.new_region_ref()
region_id = new_region['id']
self.catalog_api.create_region(new_region)
PROVIDERS.catalog_api.create_region(new_region)
# cache the region
self.catalog_api.get_region(region_id)
PROVIDERS.catalog_api.get_region(region_id)
# update the region via catalog_api
new_description = {'description': uuid.uuid4().hex}
self.catalog_api.update_region(region_id, new_description)
PROVIDERS.catalog_api.update_region(region_id, new_description)
# assert that we can get the new region
current_region = self.catalog_api.get_region(region_id)
current_region = PROVIDERS.catalog_api.get_region(region_id)
self.assertEqual(new_description['description'],
current_region['description'])
def test_create_region_with_duplicate_id(self):
new_region = unit.new_region_ref()
self.catalog_api.create_region(new_region)
PROVIDERS.catalog_api.create_region(new_region)
# Create region again with duplicate id
self.assertRaises(exception.Conflict,
self.catalog_api.create_region,
PROVIDERS.catalog_api.create_region,
new_region)
def test_get_region_returns_not_found(self):
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
uuid.uuid4().hex)
def test_delete_region_returns_not_found(self):
self.assertRaises(exception.RegionNotFound,
self.catalog_api.delete_region,
PROVIDERS.catalog_api.delete_region,
uuid.uuid4().hex)
def test_create_region_invalid_parent_region_returns_not_found(self):
new_region = unit.new_region_ref(parent_region_id=uuid.uuid4().hex)
self.assertRaises(exception.RegionNotFound,
self.catalog_api.create_region,
PROVIDERS.catalog_api.create_region,
new_region)
def test_avoid_creating_circular_references_in_regions_update(self):
@ -168,14 +180,14 @@ class CatalogTests(object):
# self circle: region_one->region_one
self.assertRaises(exception.CircularRegionHierarchyError,
self.catalog_api.update_region,
PROVIDERS.catalog_api.update_region,
region_one['id'],
{'parent_region_id': region_one['id']})
# region_one->region_two->region_one
region_two = self._create_region_with_parent_id(region_one['id'])
self.assertRaises(exception.CircularRegionHierarchyError,
self.catalog_api.update_region,
PROVIDERS.catalog_api.update_region,
region_one['id'],
{'parent_region_id': region_two['id']})
@ -183,7 +195,7 @@ class CatalogTests(object):
region_three = self._create_region_with_parent_id(region_two['id'])
region_four = self._create_region_with_parent_id(region_three['id'])
self.assertRaises(exception.CircularRegionHierarchyError,
self.catalog_api.update_region,
PROVIDERS.catalog_api.update_region,
region_two['id'],
{'parent_region_id': region_four['id']})
@ -196,77 +208,79 @@ class CatalogTests(object):
region_one = self._create_region_with_parent_id()
# self circle: region_one->region_one
self.catalog_api.update_region(
PROVIDERS.catalog_api.update_region(
region_one['id'],
{'parent_region_id': region_one['id']})
self.catalog_api.delete_region(region_one['id'])
PROVIDERS.catalog_api.delete_region(region_one['id'])
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
region_one['id'])
# region_one->region_two->region_one
region_one = self._create_region_with_parent_id()
region_two = self._create_region_with_parent_id(region_one['id'])
self.catalog_api.update_region(
PROVIDERS.catalog_api.update_region(
region_one['id'],
{'parent_region_id': region_two['id']})
self.catalog_api.delete_region(region_one['id'])
PROVIDERS.catalog_api.delete_region(region_one['id'])
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
region_one['id'])
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
region_two['id'])
# region_one->region_two->region_three->region_one
region_one = self._create_region_with_parent_id()
region_two = self._create_region_with_parent_id(region_one['id'])
region_three = self._create_region_with_parent_id(region_two['id'])
self.catalog_api.update_region(
PROVIDERS.catalog_api.update_region(
region_one['id'],
{'parent_region_id': region_three['id']})
self.catalog_api.delete_region(region_two['id'])
PROVIDERS.catalog_api.delete_region(region_two['id'])
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
region_two['id'])
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
region_one['id'])
self.assertRaises(exception.RegionNotFound,
self.catalog_api.get_region,
PROVIDERS.catalog_api.get_region,
region_three['id'])
def test_service_crud(self):
# create
new_service = unit.new_service_ref()
service_id = new_service['id']
res = self.catalog_api.create_service(service_id, new_service)
res = PROVIDERS.catalog_api.create_service(service_id, new_service)
self.assertDictEqual(new_service, res)
# list
services = self.catalog_api.list_services()
services = PROVIDERS.catalog_api.list_services()
self.assertIn(service_id, [x['id'] for x in services])
# update
service_name_update = {'name': uuid.uuid4().hex}
res = self.catalog_api.update_service(service_id, service_name_update)
res = PROVIDERS.catalog_api.update_service(
service_id, service_name_update
)
expected_service = new_service.copy()
expected_service['name'] = service_name_update['name']
self.assertDictEqual(expected_service, res)
# delete
self.catalog_api.delete_service(service_id)
PROVIDERS.catalog_api.delete_service(service_id)
self.assertRaises(exception.ServiceNotFound,
self.catalog_api.delete_service,
PROVIDERS.catalog_api.delete_service,
service_id)
self.assertRaises(exception.ServiceNotFound,
self.catalog_api.get_service,
PROVIDERS.catalog_api.get_service,
service_id)
def _create_random_service(self):
new_service = unit.new_service_ref()
service_id = new_service['id']
return self.catalog_api.create_service(service_id, new_service)
return PROVIDERS.catalog_api.create_service(service_id, new_service)
def test_service_filtering(self):
target_service = self._create_random_service()
@ -276,7 +290,7 @@ class CatalogTests(object):
# filter by type
hint_for_type = driver_hints.Hints()
hint_for_type.add_filter(name="type", value=target_service['type'])
services = self.catalog_api.list_services(hint_for_type)
services = PROVIDERS.catalog_api.list_services(hint_for_type)
self.assertEqual(1, len(services))
filtered_service = services[0]
@ -291,145 +305,156 @@ class CatalogTests(object):
# front end
hint_for_name = driver_hints.Hints()
hint_for_name.add_filter(name="name", value=target_service['name'])
services = self.catalog_api.list_services(hint_for_name)
services = PROVIDERS.catalog_api.list_services(hint_for_name)
self.assertEqual(3, len(services))
# filter should still be there, since it wasn't used by the backend
self.assertEqual(1, len(hint_for_name.filters))
self.catalog_api.delete_service(target_service['id'])
self.catalog_api.delete_service(unrelated_service1['id'])
self.catalog_api.delete_service(unrelated_service2['id'])
PROVIDERS.catalog_api.delete_service(target_service['id'])
PROVIDERS.catalog_api.delete_service(unrelated_service1['id'])
PROVIDERS.catalog_api.delete_service(unrelated_service2['id'])
@unit.skip_if_cache_disabled('catalog')
def test_cache_layer_service_crud(self):
new_service = unit.new_service_ref()
service_id = new_service['id']
res = self.catalog_api.create_service(service_id, new_service)
res = PROVIDERS.catalog_api.create_service(service_id, new_service)
self.assertDictEqual(new_service, res)
self.catalog_api.get_service(service_id)
PROVIDERS.catalog_api.get_service(service_id)
updated_service = copy.deepcopy(new_service)
updated_service['description'] = uuid.uuid4().hex
# update bypassing catalog api
self.catalog_api.driver.update_service(service_id, updated_service)
self.assertDictContainsSubset(new_service,
self.catalog_api.get_service(service_id))
self.catalog_api.get_service.invalidate(self.catalog_api, service_id)
self.assertDictContainsSubset(updated_service,
self.catalog_api.get_service(service_id))
PROVIDERS.catalog_api.driver.update_service(
service_id, updated_service
)
self.assertDictContainsSubset(
new_service, PROVIDERS.catalog_api.get_service(service_id)
)
PROVIDERS.catalog_api.get_service.invalidate(
PROVIDERS.catalog_api, service_id
)
self.assertDictContainsSubset(
updated_service, PROVIDERS.catalog_api.get_service(service_id)
)
# delete bypassing catalog api
self.catalog_api.driver.delete_service(service_id)
self.assertDictContainsSubset(updated_service,
self.catalog_api.get_service(service_id))
self.catalog_api.get_service.invalidate(self.catalog_api, service_id)
PROVIDERS.catalog_api.driver.delete_service(service_id)
self.assertDictContainsSubset(
updated_service, PROVIDERS.catalog_api.get_service(service_id)
)
PROVIDERS.catalog_api.get_service.invalidate(
PROVIDERS.catalog_api, service_id
)
self.assertRaises(exception.ServiceNotFound,
self.catalog_api.delete_service,
PROVIDERS.catalog_api.delete_service,
service_id)
self.assertRaises(exception.ServiceNotFound,
self.catalog_api.get_service,
PROVIDERS.catalog_api.get_service,
service_id)
@unit.skip_if_cache_disabled('catalog')
def test_invalidate_cache_when_updating_service(self):
new_service = unit.new_service_ref()
service_id = new_service['id']
self.catalog_api.create_service(service_id, new_service)
PROVIDERS.catalog_api.create_service(service_id, new_service)
# cache the service
self.catalog_api.get_service(service_id)
PROVIDERS.catalog_api.get_service(service_id)
# update the service via catalog api
new_type = {'type': uuid.uuid4().hex}
self.catalog_api.update_service(service_id, new_type)
PROVIDERS.catalog_api.update_service(service_id, new_type)
# assert that we can get the new service
current_service = self.catalog_api.get_service(service_id)
current_service = PROVIDERS.catalog_api.get_service(service_id)
self.assertEqual(new_type['type'], current_service['type'])
def test_delete_service_with_endpoint(self):
# create a service
service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service)
PROVIDERS.catalog_api.create_service(service['id'], service)
# create an endpoint attached to the service
endpoint = unit.new_endpoint_ref(service_id=service['id'],
region_id=None)
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
# deleting the service should also delete the endpoint
self.catalog_api.delete_service(service['id'])
PROVIDERS.catalog_api.delete_service(service['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.get_endpoint,
PROVIDERS.catalog_api.get_endpoint,
endpoint['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.delete_endpoint,
PROVIDERS.catalog_api.delete_endpoint,
endpoint['id'])
def test_cache_layer_delete_service_with_endpoint(self):
service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service)
PROVIDERS.catalog_api.create_service(service['id'], service)
# create an endpoint attached to the service
endpoint = unit.new_endpoint_ref(service_id=service['id'],
region_id=None)
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
# cache the result
self.catalog_api.get_service(service['id'])
self.catalog_api.get_endpoint(endpoint['id'])
PROVIDERS.catalog_api.get_service(service['id'])
PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
# delete the service bypassing catalog api
self.catalog_api.driver.delete_service(service['id'])
PROVIDERS.catalog_api.driver.delete_service(service['id'])
self.assertDictContainsSubset(endpoint,
self.catalog_api.
PROVIDERS.catalog_api.
get_endpoint(endpoint['id']))
self.assertDictContainsSubset(service,
self.catalog_api.
PROVIDERS.catalog_api.
get_service(service['id']))
self.catalog_api.get_endpoint.invalidate(self.catalog_api,
endpoint['id'])
PROVIDERS.catalog_api.get_endpoint.invalidate(
PROVIDERS.catalog_api, endpoint['id']
)
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.get_endpoint,
PROVIDERS.catalog_api.get_endpoint,
endpoint['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.delete_endpoint,
PROVIDERS.catalog_api.delete_endpoint,
endpoint['id'])
# multiple endpoints associated with a service
second_endpoint = unit.new_endpoint_ref(service_id=service['id'],
region_id=None)
self.catalog_api.create_service(service['id'], service)
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
self.catalog_api.create_endpoint(second_endpoint['id'],
second_endpoint)
self.catalog_api.delete_service(service['id'])
PROVIDERS.catalog_api.create_service(service['id'], service)
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
PROVIDERS.catalog_api.create_endpoint(
second_endpoint['id'], second_endpoint
)
PROVIDERS.catalog_api.delete_service(service['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.get_endpoint,
PROVIDERS.catalog_api.get_endpoint,
endpoint['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.delete_endpoint,
PROVIDERS.catalog_api.delete_endpoint,
endpoint['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.get_endpoint,
PROVIDERS.catalog_api.get_endpoint,
second_endpoint['id'])
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.delete_endpoint,
PROVIDERS.catalog_api.delete_endpoint,
second_endpoint['id'])
def test_get_service_returns_not_found(self):
self.assertRaises(exception.ServiceNotFound,
self.catalog_api.get_service,
PROVIDERS.catalog_api.get_service,
uuid.uuid4().hex)
def test_delete_service_returns_not_found(self):
self.assertRaises(exception.ServiceNotFound,
self.catalog_api.delete_service,
PROVIDERS.catalog_api.delete_service,
uuid.uuid4().hex)
def test_create_endpoint_nonexistent_service(self):
endpoint = unit.new_endpoint_ref(service_id=uuid.uuid4().hex,
region_id=None)
self.assertRaises(exception.ValidationError,
self.catalog_api.create_endpoint,
PROVIDERS.catalog_api.create_endpoint,
endpoint['id'],
endpoint)
@ -438,17 +463,17 @@ class CatalogTests(object):
self._create_endpoints())
new_endpoint = unit.new_endpoint_ref(service_id=uuid.uuid4().hex)
self.assertRaises(exception.ValidationError,
self.catalog_api.update_endpoint,
PROVIDERS.catalog_api.update_endpoint,
enabled_endpoint['id'],
new_endpoint)
def test_create_endpoint_nonexistent_region(self):
service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service)
PROVIDERS.catalog_api.create_service(service['id'], service)
endpoint = unit.new_endpoint_ref(service_id=service['id'])
self.assertRaises(exception.ValidationError,
self.catalog_api.create_endpoint,
PROVIDERS.catalog_api.create_endpoint,
endpoint['id'],
endpoint)
@ -457,33 +482,34 @@ class CatalogTests(object):
self._create_endpoints())
new_endpoint = unit.new_endpoint_ref(service_id=uuid.uuid4().hex)
self.assertRaises(exception.ValidationError,
self.catalog_api.update_endpoint,
PROVIDERS.catalog_api.update_endpoint,
enabled_endpoint['id'],
new_endpoint)
def test_get_endpoint_returns_not_found(self):
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.get_endpoint,
PROVIDERS.catalog_api.get_endpoint,
uuid.uuid4().hex)
def test_delete_endpoint_returns_not_found(self):
self.assertRaises(exception.EndpointNotFound,
self.catalog_api.delete_endpoint,
PROVIDERS.catalog_api.delete_endpoint,
uuid.uuid4().hex)
def test_create_endpoint(self):
service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service)
PROVIDERS.catalog_api.create_service(service['id'], service)
endpoint = unit.new_endpoint_ref(service_id=service['id'],
region_id=None)
self.catalog_api.create_endpoint(endpoint['id'], endpoint.copy())
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint.copy())
def test_update_endpoint(self):
dummy_service_ref, endpoint_ref, dummy_disabled_endpoint_ref = (
self._create_endpoints())
res = self.catalog_api.update_endpoint(endpoint_ref['id'],
{'interface': 'private'})
res = PROVIDERS.catalog_api.update_endpoint(
endpoint_ref['id'], {'interface': 'private'}
)
expected_endpoint = endpoint_ref.copy()
expected_endpoint['enabled'] = True
expected_endpoint['interface'] = 'private'
@ -505,16 +531,16 @@ class CatalogTests(object):
url='http://localhost/%s' % uuid.uuid4().hex,
**kwargs)
self.catalog_api.create_endpoint(ref['id'], ref)
PROVIDERS.catalog_api.create_endpoint(ref['id'], ref)
return ref
# Create a service for use with the endpoints.
service_ref = unit.new_service_ref()
service_id = service_ref['id']
self.catalog_api.create_service(service_id, service_ref)
PROVIDERS.catalog_api.create_service(service_id, service_ref)
region = unit.new_region_ref()
self.catalog_api.create_region(region)
PROVIDERS.catalog_api.create_region(region)
# Create endpoints
enabled_endpoint_ref = create_endpoint(service_id, region['id'])
@ -525,16 +551,16 @@ class CatalogTests(object):
def test_list_endpoints(self):
service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service)
PROVIDERS.catalog_api.create_service(service['id'], service)
expected_ids = set([uuid.uuid4().hex for _ in range(3)])
for endpoint_id in expected_ids:
endpoint = unit.new_endpoint_ref(service_id=service['id'],
id=endpoint_id,
region_id=None)
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
endpoints = self.catalog_api.list_endpoints()
endpoints = PROVIDERS.catalog_api.list_endpoints()
self.assertEqual(expected_ids, set(e['id'] for e in endpoints))
def test_get_v3_catalog_endpoint_disabled(self):
@ -545,8 +571,9 @@ class CatalogTests(object):
# Use the project created by the default fixture since the project
# should exist if we want to filter the catalog by the project or
# replace the url with a valid project id.
catalog = self.catalog_api.get_v3_catalog(user_id,
self.tenant_bar['id'])
catalog = PROVIDERS.catalog_api.get_v3_catalog(
user_id, self.tenant_bar['id']
)
endpoint_ids = [x['id'] for x in catalog[0]['endpoints']]
self.assertEqual([enabled_endpoint_ref['id']], endpoint_ids)
@ -554,20 +581,20 @@ class CatalogTests(object):
@unit.skip_if_cache_disabled('catalog')
def test_invalidate_cache_when_updating_endpoint(self):
service = unit.new_service_ref()
self.catalog_api.create_service(service['id'], service)
PROVIDERS.catalog_api.create_service(service['id'], service)
# create an endpoint attached to the service
endpoint = unit.new_endpoint_ref(service_id=service['id'],
region_id=None)
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
# cache the endpoint
self.catalog_api.get_endpoint(endpoint['id'])
PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
# update the endpoint via catalog api
new_url = {'url': uuid.uuid4().hex}
self.catalog_api.update_endpoint(endpoint['id'], new_url)
PROVIDERS.catalog_api.update_endpoint(endpoint['id'], new_url)
# assert that we can get the new endpoint
current_endpoint = self.catalog_api.get_endpoint(endpoint['id'])
current_endpoint = PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
self.assertEqual(new_url['url'], current_endpoint['url'])

View File

@ -12,6 +12,7 @@
import uuid
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone.tests import unit
@ -20,6 +21,7 @@ from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class DuplicateTestCase(test_v3.RestfulTestCase):
@ -34,10 +36,10 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_domain_duplicate_conflict_gives_name(self):
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
domain['id'] = uuid.uuid4().hex
try:
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
except exception.Conflict as e:
self.assertIn("%s" % domain['name'], repr(e))
else:
@ -45,10 +47,10 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_project_duplicate_conflict_gives_name(self):
project = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project['id'], project)
PROVIDERS.resource_api.create_project(project['id'], project)
project['id'] = uuid.uuid4().hex
try:
self.resource_api.create_project(project['id'], project)
PROVIDERS.resource_api.create_project(project['id'], project)
except exception.Conflict as e:
self.assertIn("%s" % project['name'], repr(e))
else:
@ -56,10 +58,10 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_user_duplicate_conflict_gives_name(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.identity_api.create_user(user)
user = PROVIDERS.identity_api.create_user(user)
user['id'] = uuid.uuid4().hex
try:
self.identity_api.create_user(user)
PROVIDERS.identity_api.create_user(user)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with name %s" % user['name'],
repr(e))
@ -68,10 +70,10 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_role_duplicate_conflict_gives_name(self):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
role['id'] = uuid.uuid4().hex
try:
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with name %s" % role['name'],
repr(e))
@ -80,9 +82,9 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_group_duplicate_conflict_gives_name(self):
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
group = self.identity_api.create_group(group)
group = PROVIDERS.identity_api.create_group(group)
try:
self.identity_api.create_group(group)
PROVIDERS.identity_api.create_group(group)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with name %s"
% group['name'], repr(e))
@ -91,9 +93,9 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_policy_duplicate_conflict_gives_name(self):
policy_ref = unit.new_policy_ref()
self.policy_api.create_policy(policy_ref['id'], policy_ref)
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
try:
self.policy_api.create_policy(policy_ref['id'], policy_ref)
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with name %s"
% policy_ref['name'], repr(e))
@ -103,9 +105,13 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_credential_duplicate_conflict_gives_name(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
credential = unit.new_credential_ref(user_id=user['id'])
self.credential_api.create_credential(credential['id'], credential)
PROVIDERS.credential_api.create_credential(
credential['id'], credential
)
try:
self.credential_api.create_credential(credential['id'], credential)
PROVIDERS.credential_api.create_credential(
credential['id'], credential
)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% credential['id'], repr(e))
@ -114,15 +120,19 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_trust_duplicate_conflict_gives_name(self):
trustor = unit.new_user_ref(domain_id=self.domain_id)
trustor = self.identity_api.create_user(trustor)
trustor = PROVIDERS.identity_api.create_user(trustor)
trustee = unit.new_user_ref(domain_id=self.domain_id)
trustee = self.identity_api.create_user(trustee)
trustee = PROVIDERS.identity_api.create_user(trustee)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
trust_ref = unit.new_trust_ref(trustor['id'], trustee['id'])
self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
PROVIDERS.trust_api.create_trust(
trust_ref['id'], trust_ref, [role_ref]
)
try:
self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
PROVIDERS.trust_api.create_trust(
trust_ref['id'], trust_ref, [role_ref]
)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% trust_ref['id'], repr(e))
@ -132,11 +142,13 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_mapping_duplicate_conflict_gives_name(self):
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
self.mapping['id'] = uuid.uuid4().hex
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
try:
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% self.mapping['id'], repr(e))
@ -146,11 +158,13 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_mapping_duplicate_conflict_with_id_in_id(self):
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
self.mapping['id'] = 'mapping_with_id_in_the_id'
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
try:
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% self.mapping['id'], repr(e))
@ -158,9 +172,9 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
def test_region_duplicate_conflict_gives_name(self):
region_ref = unit.new_region_ref()
self.catalog_api.create_region(region_ref)
PROVIDERS.catalog_api.create_region(region_ref)
try:
self.catalog_api.create_region(region_ref)
PROVIDERS.catalog_api.create_region(region_ref)
except exception.Conflict as e:
self.assertIn("Duplicate ID, %s" % region_ref['id'], repr(e))
else:
@ -172,22 +186,23 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
'enabled': True,
'description': uuid.uuid4().hex
}
self.federation_api.create_idp(self.idp['id'], self.idp)
PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
self.mapping['id'] = uuid.uuid4().hex
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
protocol = {
'id': uuid.uuid4().hex,
'mapping_id': self.mapping['id']
}
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
protocol_ret = PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
try:
self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% protocol_ret['id'], repr(e))
@ -201,22 +216,23 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
'enabled': True,
'description': uuid.uuid4().hex
}
self.federation_api.create_idp(self.idp['id'], self.idp)
PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
self.mapping['id'] = uuid.uuid4().hex
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
protocol = {
'id': 'federation_protocol_with_id_in_the_id',
'mapping_id': self.mapping['id']
}
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
protocol_ret = PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
try:
self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% protocol_ret['id'], repr(e))
@ -228,22 +244,23 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
'enabled': True,
'description': uuid.uuid4().hex
}
self.federation_api.create_idp(self.idp['id'], self.idp)
PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
self.mapping['id'] = uuid.uuid4().hex
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
protocol = {
'id': uuid.uuid4().hex,
'mapping_id': self.mapping['id']
}
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
protocol_ret = PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
try:
self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% protocol_ret['id'], repr(e))
@ -257,9 +274,9 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
'sp_url': uuid.uuid4().hex,
'relay_state_prefix': CONF.saml.relay_state_prefix,
}
service_ref = self.federation_api.create_sp('SP1', sp)
service_ref = PROVIDERS.federation_api.create_sp('SP1', sp)
try:
self.federation_api.create_sp('SP1', sp)
PROVIDERS.federation_api.create_sp('SP1', sp)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with ID %s"
% service_ref['id'], repr(e))

View File

@ -25,6 +25,7 @@ from pycadf import cadftype
from pycadf import eventfactory
from pycadf import resource as cadfresource
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone import notifications
@ -33,6 +34,7 @@ from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
EXP_RESOURCE_TYPE = uuid.uuid4().hex
CREATED_OPERATION = notifications.ACTIONS.created
@ -363,14 +365,14 @@ class NotificationsForEntities(BaseNotificationTest):
def test_create_group(self):
group_ref = unit.new_group_ref(domain_id=self.domain_id)
group_ref = self.identity_api.create_group(group_ref)
group_ref = PROVIDERS.identity_api.create_group(group_ref)
self._assert_last_note(group_ref['id'], CREATED_OPERATION, 'group')
self._assert_last_audit(group_ref['id'], CREATED_OPERATION, 'group',
cadftaxonomy.SECURITY_GROUP)
def test_create_project(self):
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
self._assert_last_note(
project_ref['id'], CREATED_OPERATION, 'project')
self._assert_last_audit(project_ref['id'], CREATED_OPERATION,
@ -378,30 +380,30 @@ class NotificationsForEntities(BaseNotificationTest):
def test_create_role(self):
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
self._assert_last_note(role_ref['id'], CREATED_OPERATION, 'role')
self._assert_last_audit(role_ref['id'], CREATED_OPERATION, 'role',
cadftaxonomy.SECURITY_ROLE)
def test_create_user(self):
user_ref = unit.new_user_ref(domain_id=self.domain_id)
user_ref = self.identity_api.create_user(user_ref)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
self._assert_last_note(user_ref['id'], CREATED_OPERATION, 'user')
self._assert_last_audit(user_ref['id'], CREATED_OPERATION, 'user',
cadftaxonomy.SECURITY_ACCOUNT_USER)
def test_create_trust(self):
trustor = unit.new_user_ref(domain_id=self.domain_id)
trustor = self.identity_api.create_user(trustor)
trustor = PROVIDERS.identity_api.create_user(trustor)
trustee = unit.new_user_ref(domain_id=self.domain_id)
trustee = self.identity_api.create_user(trustee)
trustee = PROVIDERS.identity_api.create_user(trustee)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
trust_ref = unit.new_trust_ref(trustor['id'],
trustee['id'])
self.trust_api.create_trust(trust_ref['id'],
trust_ref,
[role_ref])
PROVIDERS.trust_api.create_trust(
trust_ref['id'], trust_ref, [role_ref]
)
self._assert_last_note(
trust_ref['id'], CREATED_OPERATION, 'OS-TRUST:trust')
self._assert_last_audit(trust_ref['id'], CREATED_OPERATION,
@ -409,16 +411,16 @@ class NotificationsForEntities(BaseNotificationTest):
def test_delete_group(self):
group_ref = unit.new_group_ref(domain_id=self.domain_id)
group_ref = self.identity_api.create_group(group_ref)
self.identity_api.delete_group(group_ref['id'])
group_ref = PROVIDERS.identity_api.create_group(group_ref)
PROVIDERS.identity_api.delete_group(group_ref['id'])
self._assert_last_note(group_ref['id'], DELETED_OPERATION, 'group')
self._assert_last_audit(group_ref['id'], DELETED_OPERATION, 'group',
cadftaxonomy.SECURITY_GROUP)
def test_delete_project(self):
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
self.resource_api.delete_project(project_ref['id'])
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.delete_project(project_ref['id'])
self._assert_last_note(
project_ref['id'], DELETED_OPERATION, 'project')
self._assert_last_audit(project_ref['id'], DELETED_OPERATION,
@ -426,57 +428,57 @@ class NotificationsForEntities(BaseNotificationTest):
def test_delete_role(self):
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
self.role_api.delete_role(role_ref['id'])
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.delete_role(role_ref['id'])
self._assert_last_note(role_ref['id'], DELETED_OPERATION, 'role')
self._assert_last_audit(role_ref['id'], DELETED_OPERATION, 'role',
cadftaxonomy.SECURITY_ROLE)
def test_delete_user(self):
user_ref = unit.new_user_ref(domain_id=self.domain_id)
user_ref = self.identity_api.create_user(user_ref)
self.identity_api.delete_user(user_ref['id'])
user_ref = PROVIDERS.identity_api.create_user(user_ref)
PROVIDERS.identity_api.delete_user(user_ref['id'])
self._assert_last_note(user_ref['id'], DELETED_OPERATION, 'user')
self._assert_last_audit(user_ref['id'], DELETED_OPERATION, 'user',
cadftaxonomy.SECURITY_ACCOUNT_USER)
def test_create_domain(self):
domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
self._assert_last_note(domain_ref['id'], CREATED_OPERATION, 'domain')
self._assert_last_audit(domain_ref['id'], CREATED_OPERATION, 'domain',
cadftaxonomy.SECURITY_DOMAIN)
def test_update_domain(self):
domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
domain_ref['description'] = uuid.uuid4().hex
self.resource_api.update_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.update_domain(domain_ref['id'], domain_ref)
self._assert_last_note(domain_ref['id'], UPDATED_OPERATION, 'domain')
self._assert_last_audit(domain_ref['id'], UPDATED_OPERATION, 'domain',
cadftaxonomy.SECURITY_DOMAIN)
def test_delete_domain(self):
domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
domain_ref['enabled'] = False
self.resource_api.update_domain(domain_ref['id'], domain_ref)
self.resource_api.delete_domain(domain_ref['id'])
PROVIDERS.resource_api.update_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.delete_domain(domain_ref['id'])
self._assert_last_note(domain_ref['id'], DELETED_OPERATION, 'domain')
self._assert_last_audit(domain_ref['id'], DELETED_OPERATION, 'domain',
cadftaxonomy.SECURITY_DOMAIN)
def test_delete_trust(self):
trustor = unit.new_user_ref(domain_id=self.domain_id)
trustor = self.identity_api.create_user(trustor)
trustor = PROVIDERS.identity_api.create_user(trustor)
trustee = unit.new_user_ref(domain_id=self.domain_id)
trustee = self.identity_api.create_user(trustee)
trustee = PROVIDERS.identity_api.create_user(trustee)
role_ref = unit.new_role_ref()
trust_ref = unit.new_trust_ref(trustor['id'], trustee['id'])
self.trust_api.create_trust(trust_ref['id'],
trust_ref,
[role_ref])
self.trust_api.delete_trust(trust_ref['id'])
PROVIDERS.trust_api.create_trust(
trust_ref['id'], trust_ref, [role_ref]
)
PROVIDERS.trust_api.delete_trust(trust_ref['id'])
self._assert_last_note(
trust_ref['id'], DELETED_OPERATION, 'OS-TRUST:trust')
self._assert_last_audit(trust_ref['id'], DELETED_OPERATION,
@ -486,7 +488,7 @@ class NotificationsForEntities(BaseNotificationTest):
endpoint_ref = unit.new_endpoint_ref(service_id=self.service_id,
interface='public',
region_id=self.region_id)
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
PROVIDERS.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
self._assert_notify_sent(endpoint_ref['id'], CREATED_OPERATION,
'endpoint')
self._assert_last_audit(endpoint_ref['id'], CREATED_OPERATION,
@ -496,8 +498,8 @@ class NotificationsForEntities(BaseNotificationTest):
endpoint_ref = unit.new_endpoint_ref(service_id=self.service_id,
interface='public',
region_id=self.region_id)
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
self.catalog_api.update_endpoint(endpoint_ref['id'], endpoint_ref)
PROVIDERS.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
PROVIDERS.catalog_api.update_endpoint(endpoint_ref['id'], endpoint_ref)
self._assert_notify_sent(endpoint_ref['id'], UPDATED_OPERATION,
'endpoint')
self._assert_last_audit(endpoint_ref['id'], UPDATED_OPERATION,
@ -507,8 +509,8 @@ class NotificationsForEntities(BaseNotificationTest):
endpoint_ref = unit.new_endpoint_ref(service_id=self.service_id,
interface='public',
region_id=self.region_id)
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
self.catalog_api.delete_endpoint(endpoint_ref['id'])
PROVIDERS.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
PROVIDERS.catalog_api.delete_endpoint(endpoint_ref['id'])
self._assert_notify_sent(endpoint_ref['id'], DELETED_OPERATION,
'endpoint')
self._assert_last_audit(endpoint_ref['id'], DELETED_OPERATION,
@ -516,7 +518,7 @@ class NotificationsForEntities(BaseNotificationTest):
def test_create_service(self):
service_ref = unit.new_service_ref()
self.catalog_api.create_service(service_ref['id'], service_ref)
PROVIDERS.catalog_api.create_service(service_ref['id'], service_ref)
self._assert_notify_sent(service_ref['id'], CREATED_OPERATION,
'service')
self._assert_last_audit(service_ref['id'], CREATED_OPERATION,
@ -524,8 +526,8 @@ class NotificationsForEntities(BaseNotificationTest):
def test_update_service(self):
service_ref = unit.new_service_ref()
self.catalog_api.create_service(service_ref['id'], service_ref)
self.catalog_api.update_service(service_ref['id'], service_ref)
PROVIDERS.catalog_api.create_service(service_ref['id'], service_ref)
PROVIDERS.catalog_api.update_service(service_ref['id'], service_ref)
self._assert_notify_sent(service_ref['id'], UPDATED_OPERATION,
'service')
self._assert_last_audit(service_ref['id'], UPDATED_OPERATION,
@ -533,8 +535,8 @@ class NotificationsForEntities(BaseNotificationTest):
def test_delete_service(self):
service_ref = unit.new_service_ref()
self.catalog_api.create_service(service_ref['id'], service_ref)
self.catalog_api.delete_service(service_ref['id'])
PROVIDERS.catalog_api.create_service(service_ref['id'], service_ref)
PROVIDERS.catalog_api.delete_service(service_ref['id'])
self._assert_notify_sent(service_ref['id'], DELETED_OPERATION,
'service')
self._assert_last_audit(service_ref['id'], DELETED_OPERATION,
@ -542,7 +544,7 @@ class NotificationsForEntities(BaseNotificationTest):
def test_create_region(self):
region_ref = unit.new_region_ref()
self.catalog_api.create_region(region_ref)
PROVIDERS.catalog_api.create_region(region_ref)
self._assert_notify_sent(region_ref['id'], CREATED_OPERATION,
'region')
self._assert_last_audit(region_ref['id'], CREATED_OPERATION,
@ -550,8 +552,8 @@ class NotificationsForEntities(BaseNotificationTest):
def test_update_region(self):
region_ref = unit.new_region_ref()
self.catalog_api.create_region(region_ref)
self.catalog_api.update_region(region_ref['id'], region_ref)
PROVIDERS.catalog_api.create_region(region_ref)
PROVIDERS.catalog_api.update_region(region_ref['id'], region_ref)
self._assert_notify_sent(region_ref['id'], UPDATED_OPERATION,
'region')
self._assert_last_audit(region_ref['id'], UPDATED_OPERATION,
@ -559,8 +561,8 @@ class NotificationsForEntities(BaseNotificationTest):
def test_delete_region(self):
region_ref = unit.new_region_ref()
self.catalog_api.create_region(region_ref)
self.catalog_api.delete_region(region_ref['id'])
PROVIDERS.catalog_api.create_region(region_ref)
PROVIDERS.catalog_api.delete_region(region_ref['id'])
self._assert_notify_sent(region_ref['id'], DELETED_OPERATION,
'region')
self._assert_last_audit(region_ref['id'], DELETED_OPERATION,
@ -568,7 +570,7 @@ class NotificationsForEntities(BaseNotificationTest):
def test_create_policy(self):
policy_ref = unit.new_policy_ref()
self.policy_api.create_policy(policy_ref['id'], policy_ref)
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
self._assert_notify_sent(policy_ref['id'], CREATED_OPERATION,
'policy')
self._assert_last_audit(policy_ref['id'], CREATED_OPERATION,
@ -576,8 +578,8 @@ class NotificationsForEntities(BaseNotificationTest):
def test_update_policy(self):
policy_ref = unit.new_policy_ref()
self.policy_api.create_policy(policy_ref['id'], policy_ref)
self.policy_api.update_policy(policy_ref['id'], policy_ref)
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
PROVIDERS.policy_api.update_policy(policy_ref['id'], policy_ref)
self._assert_notify_sent(policy_ref['id'], UPDATED_OPERATION,
'policy')
self._assert_last_audit(policy_ref['id'], UPDATED_OPERATION,
@ -585,8 +587,8 @@ class NotificationsForEntities(BaseNotificationTest):
def test_delete_policy(self):
policy_ref = unit.new_policy_ref()
self.policy_api.create_policy(policy_ref['id'], policy_ref)
self.policy_api.delete_policy(policy_ref['id'])
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
PROVIDERS.policy_api.delete_policy(policy_ref['id'])
self._assert_notify_sent(policy_ref['id'], DELETED_OPERATION,
'policy')
self._assert_last_audit(policy_ref['id'], DELETED_OPERATION,
@ -594,33 +596,33 @@ class NotificationsForEntities(BaseNotificationTest):
def test_disable_domain(self):
domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
domain_ref['enabled'] = False
self.resource_api.update_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.update_domain(domain_ref['id'], domain_ref)
self._assert_notify_sent(domain_ref['id'], 'disabled', 'domain',
public=False)
def test_disable_of_disabled_domain_does_not_notify(self):
domain_ref = unit.new_domain_ref(enabled=False)
self.resource_api.create_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
# The domain_ref above is not changed during the create process. We
# can use the same ref to perform the update.
self.resource_api.update_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.update_domain(domain_ref['id'], domain_ref)
self._assert_notify_not_sent(domain_ref['id'], 'disabled', 'domain',
public=False)
def test_update_group(self):
group_ref = unit.new_group_ref(domain_id=self.domain_id)
group_ref = self.identity_api.create_group(group_ref)
self.identity_api.update_group(group_ref['id'], group_ref)
group_ref = PROVIDERS.identity_api.create_group(group_ref)
PROVIDERS.identity_api.update_group(group_ref['id'], group_ref)
self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group')
self._assert_last_audit(group_ref['id'], UPDATED_OPERATION, 'group',
cadftaxonomy.SECURITY_GROUP)
def test_update_project(self):
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
self.resource_api.update_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.update_project(project_ref['id'], project_ref)
self._assert_notify_sent(
project_ref['id'], UPDATED_OPERATION, 'project', public=True)
self._assert_last_audit(project_ref['id'], UPDATED_OPERATION,
@ -628,43 +630,43 @@ class NotificationsForEntities(BaseNotificationTest):
def test_disable_project(self):
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
project_ref['enabled'] = False
self.resource_api.update_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.update_project(project_ref['id'], project_ref)
self._assert_notify_sent(project_ref['id'], 'disabled', 'project',
public=False)
def test_disable_of_disabled_project_does_not_notify(self):
project_ref = unit.new_project_ref(domain_id=self.domain_id,
enabled=False)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
# The project_ref above is not changed during the create process. We
# can use the same ref to perform the update.
self.resource_api.update_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.update_project(project_ref['id'], project_ref)
self._assert_notify_not_sent(project_ref['id'], 'disabled', 'project',
public=False)
def test_update_project_does_not_send_disable(self):
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
project_ref['enabled'] = True
self.resource_api.update_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.update_project(project_ref['id'], project_ref)
self._assert_last_note(
project_ref['id'], UPDATED_OPERATION, 'project')
self._assert_notify_not_sent(project_ref['id'], 'disabled', 'project')
def test_update_role(self):
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
self.role_api.update_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.update_role(role_ref['id'], role_ref)
self._assert_last_note(role_ref['id'], UPDATED_OPERATION, 'role')
self._assert_last_audit(role_ref['id'], UPDATED_OPERATION, 'role',
cadftaxonomy.SECURITY_ROLE)
def test_update_user(self):
user_ref = unit.new_user_ref(domain_id=self.domain_id)
user_ref = self.identity_api.create_user(user_ref)
self.identity_api.update_user(user_ref['id'], user_ref)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
PROVIDERS.identity_api.update_user(user_ref['id'], user_ref)
self._assert_last_note(user_ref['id'], UPDATED_OPERATION, 'user')
self._assert_last_audit(user_ref['id'], UPDATED_OPERATION, 'user',
cadftaxonomy.SECURITY_ACCOUNT_USER)
@ -672,7 +674,7 @@ class NotificationsForEntities(BaseNotificationTest):
def test_config_option_no_events(self):
self.config_fixture.config(notification_format='basic')
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
# The regular notifications will still be emitted, since they are
# used for callback handling.
self._assert_last_note(role_ref['id'], CREATED_OPERATION, 'role')
@ -681,22 +683,27 @@ class NotificationsForEntities(BaseNotificationTest):
def test_add_user_to_group(self):
user_ref = unit.new_user_ref(domain_id=self.domain_id)
user_ref = self.identity_api.create_user(user_ref)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
group_ref = unit.new_group_ref(domain_id=self.domain_id)
group_ref = self.identity_api.create_group(group_ref)
self.identity_api.add_user_to_group(user_ref['id'], group_ref['id'])
group_ref = PROVIDERS.identity_api.create_group(group_ref)
PROVIDERS.identity_api.add_user_to_group(
user_ref['id'], group_ref['id']
)
self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group',
actor_id=user_ref['id'], actor_type='user',
actor_operation='added')
def test_remove_user_from_group(self):
user_ref = unit.new_user_ref(domain_id=self.domain_id)
user_ref = self.identity_api.create_user(user_ref)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
group_ref = unit.new_group_ref(domain_id=self.domain_id)
group_ref = self.identity_api.create_group(group_ref)
self.identity_api.add_user_to_group(user_ref['id'], group_ref['id'])
self.identity_api.remove_user_from_group(user_ref['id'],
group_ref['id'])
group_ref = PROVIDERS.identity_api.create_group(group_ref)
PROVIDERS.identity_api.add_user_to_group(
user_ref['id'], group_ref['id']
)
PROVIDERS.identity_api.remove_user_from_group(
user_ref['id'], group_ref['id']
)
self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group',
actor_id=user_ref['id'], actor_type='user',
actor_operation='removed')
@ -738,9 +745,10 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
freezer.start()
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = self.identity_api.create_user(user_ref)
self.identity_api.authenticate(self.make_request(),
user_ref['id'], password)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_ref['id'], password
)
freezer.stop()
reason_type = (exception.PasswordExpired.message_format %
@ -748,7 +756,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
expected_reason = {'reasonCode': '401',
'reasonType': reason_type}
self.assertRaises(exception.PasswordExpired,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=user_ref['id'],
password=password)
@ -763,14 +771,14 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
exception.AccountLocked]
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = self.identity_api.create_user(user_ref)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
reason_type = (exception.AccountLocked.message_format %
{'user_id': user_ref['id']})
expected_reason = {'reasonCode': '401',
'reasonType': reason_type}
for ex in expected_responses:
self.assertRaises(ex,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=user_ref['id'],
original_password=new_password,
@ -793,13 +801,13 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
'reasonType': reason_type}
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = self.identity_api.create_user(user_ref)
self.identity_api.change_password(self.make_request(),
user_id=user_ref['id'],
original_password=password,
new_password=new_password)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
PROVIDERS.identity_api.change_password(
self.make_request(), user_id=user_ref['id'],
original_password=password, new_password=new_password
)
self.assertRaises(exception.PasswordValidationError,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=user_ref['id'],
original_password=new_password,
@ -820,9 +828,9 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
'reasonType': reason_type}
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = self.identity_api.create_user(user_ref)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
self.assertRaises(exception.PasswordValidationError,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=user_ref['id'],
original_password=password,
@ -841,7 +849,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
password=password,
password_created_at=(
datetime.datetime.utcnow()))
user_ref = self.identity_api.create_user(user_ref)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
min_days = CONF.security_compliance.minimum_password_age
min_age = (user_ref['password_created_at'] +
@ -851,12 +859,12 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
{'min_age_days': min_days, 'days_left': days_left})
expected_reason = {'reasonCode': '400',
'reasonType': reason_type}
self.identity_api.change_password(self.make_request(),
user_id=user_ref['id'],
original_password=password,
new_password=new_password)
PROVIDERS.identity_api.change_password(
self.make_request(), user_id=user_ref['id'],
original_password=password, new_password=new_password
)
self.assertRaises(exception.PasswordValidationError,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=user_ref['id'],
original_password=new_password,
@ -895,7 +903,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
def test_notification_received(self):
callback = register_callback(CREATED_OPERATION, 'project')
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
self.assertTrue(callback.called)
def test_notification_method_not_callable(self):
@ -946,7 +954,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
Foo()
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
self.assertEqual([True], callback_called)
def test_provider_event_callbacks_subscription(self):
@ -969,7 +977,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
Foo()
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
self.assertItemsEqual(['cb1', 'cb0'], callback_called)
def test_invalid_event_callbacks(self):
@ -1011,7 +1019,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
# self.assertRaises(TypeError, Foo)
Foo()
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.assertRaises(TypeError, self.resource_api.create_project,
self.assertRaises(TypeError, PROVIDERS.resource_api.create_project,
project_ref['id'], project_ref)
@ -1165,8 +1173,8 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
def test_group_domain_grant(self):
group_ref = unit.new_group_ref(domain_id=self.domain_id)
group = self.identity_api.create_group(group_ref)
self.identity_api.add_user_to_group(self.user_id, group['id'])
group = PROVIDERS.identity_api.create_group(group_ref)
PROVIDERS.identity_api.add_user_to_group(self.user_id, group['id'])
url = ('/domains/%s/groups/%s/roles/%s' %
(self.domain_id, group['id'], self.role_id))
self._test_role_assignment(url, self.role_id,
@ -1178,11 +1186,11 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
# the assignment manager.
project_ref = unit.new_project_ref(self.domain_id)
project = self.resource_api.create_project(
project = PROVIDERS.resource_api.create_project(
project_ref['id'], project_ref)
tenant_id = project['id']
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_id, tenant_id, self.role_id)
self.assertTrue(self._notifications)
@ -1196,7 +1204,7 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
# A notification is sent when remove_role_from_user_and_project is
# called on the assignment manager.
self.assignment_api.remove_role_from_user_and_project(
PROVIDERS.assignment_api.remove_role_from_user_and_project(
self.user_id, self.project_id, self.role_id)
self.assertTrue(self._notifications)
@ -1312,7 +1320,7 @@ class CADFNotificationsDataTestCase(test_v3.RestfulTestCase):
ref = unit.new_service_ref()
ref['type'] = 'identity'
self.catalog_api.create_service(ref['id'], ref.copy())
PROVIDERS.catalog_api.create_service(ref['id'], ref.copy())
action = CREATED_OPERATION + '.' + resource_type
initiator = notifications._get_request_audit_info(self.user_id)

View File

@ -74,6 +74,7 @@ def _calc_tmpdir():
TMPDIR = _calc_tmpdir()
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
log.register_options(CONF)
IN_MEM_DB_CONN_STRING = 'sqlite://'
@ -737,20 +738,20 @@ class TestCase(BaseTestCase):
hasattr(self, 'assignment_api') and
hasattr(self, 'resource_api')):
for domain in fixtures.DOMAINS:
rv = self.resource_api.create_domain(domain['id'], domain)
rv = PROVIDERS.resource_api.create_domain(domain['id'], domain)
attrname = 'domain_%s' % domain['id']
setattr(self, attrname, rv)
fixtures_to_cleanup.append(attrname)
for tenant in fixtures.TENANTS:
tenant_attr_name = 'tenant_%s' % tenant['name'].lower()
rv = self.resource_api.create_project(
rv = PROVIDERS.resource_api.create_project(
tenant['id'], tenant)
setattr(self, tenant_attr_name, rv)
fixtures_to_cleanup.append(tenant_attr_name)
for role in fixtures.ROLES:
rv = self.role_api.create_role(role['id'], role)
rv = PROVIDERS.role_api.create_role(role['id'], role)
attrname = 'role_%s' % role['name']
setattr(self, attrname, rv)
fixtures_to_cleanup.append(attrname)
@ -760,7 +761,7 @@ class TestCase(BaseTestCase):
tenants = user_copy.pop('tenants')
# For users, the manager layer will generate the ID
user_copy = self.identity_api.create_user(user_copy)
user_copy = PROVIDERS.identity_api.create_user(user_copy)
# Our tests expect that the password is still in the user
# record so that they can reference it, so put it back into
# the dict returned.
@ -768,7 +769,7 @@ class TestCase(BaseTestCase):
# fixtures.ROLES[2] is the _member_ role.
for tenant_id in tenants:
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_copy['id'], tenant_id, fixtures.ROLES[2]['id'])
# Use the ID from the fixture as the attribute name, so
@ -783,7 +784,7 @@ class TestCase(BaseTestCase):
user = role_assignment['user']
tenant_id = role_assignment['tenant_id']
user_id = getattr(self, 'user_%s' % user)['id']
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id, tenant_id, role_id)
self.addCleanup(self.cleanup_instance(*fixtures_to_cleanup))

View File

@ -12,11 +12,14 @@
import uuid
from keystone.common import provider_api
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit.ksfixtures import database
from keystone.tests.unit import mapping_fixtures
PROVIDERS = provider_api.ProviderAPIs
class TestFederationProtocol(unit.TestCase):
@ -29,20 +32,21 @@ class TestFederationProtocol(unit.TestCase):
'enabled': True,
'description': uuid.uuid4().hex
}
self.federation_api.create_idp(self.idp['id'], self.idp)
PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
self.mapping['id'] = uuid.uuid4().hex
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
def test_create_protocol(self):
protocol = {
'id': uuid.uuid4().hex,
'mapping_id': self.mapping['id']
}
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
protocol_ret = PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
self.assertEqual(protocol['id'], protocol_ret['id'])
def test_create_protocol_with_invalid_mapping_id(self):
@ -51,7 +55,7 @@ class TestFederationProtocol(unit.TestCase):
'mapping_id': uuid.uuid4().hex
}
self.assertRaises(exception.ValidationError,
self.federation_api.create_protocol,
PROVIDERS.federation_api.create_protocol,
self.idp['id'],
protocol['id'],
protocol)
@ -61,17 +65,17 @@ class TestFederationProtocol(unit.TestCase):
'id': uuid.uuid4().hex,
'mapping_id': self.mapping['id']
}
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
protocol_ret = PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
self.assertEqual(protocol['id'], protocol_ret['id'])
new_mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
new_mapping['id'] = uuid.uuid4().hex
self.federation_api.create_mapping(new_mapping['id'], new_mapping)
PROVIDERS.federation_api.create_mapping(new_mapping['id'], new_mapping)
protocol['mapping_id'] = new_mapping['id']
protocol_ret = self.federation_api.update_protocol(self.idp['id'],
protocol['id'],
protocol)
protocol_ret = PROVIDERS.federation_api.update_protocol(
self.idp['id'], protocol['id'], protocol
)
self.assertEqual(protocol['id'], protocol_ret['id'])
self.assertEqual(new_mapping['id'], protocol_ret['mapping_id'])
@ -80,13 +84,13 @@ class TestFederationProtocol(unit.TestCase):
'id': uuid.uuid4().hex,
'mapping_id': self.mapping['id']
}
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
protocol['id'],
protocol)
protocol_ret = PROVIDERS.federation_api.create_protocol(
self.idp['id'], protocol['id'], protocol
)
self.assertEqual(protocol['id'], protocol_ret['id'])
protocol['mapping_id'] = uuid.uuid4().hex
self.assertRaises(exception.ValidationError,
self.federation_api.update_protocol,
PROVIDERS.federation_api.update_protocol,
self.idp['id'],
protocol['id'],
protocol)

View File

@ -16,10 +16,12 @@ import uuid
from six.moves import range
from keystone.common import provider_api
import keystone.conf
from keystone import exception
PROVIDERS = provider_api.ProviderAPIs
CONF = keystone.conf.CONF
@ -51,11 +53,13 @@ class FilterTests(object):
one.
"""
f = getattr(self.identity_api, 'create_%s' % entity_type, None)
f = getattr(PROVIDERS.identity_api, 'create_%s' % entity_type, None)
if f is None:
f = getattr(self.resource_api, 'create_%s' % entity_type, None)
f = getattr(
PROVIDERS.resource_api, 'create_%s' % entity_type, None
)
if f is None:
f = getattr(self.assignment_api, 'create_%s' % entity_type)
f = getattr(PROVIDERS.assignment_api, 'create_%s' % entity_type)
return f
def _delete_entity(self, entity_type):
@ -66,11 +70,13 @@ class FilterTests(object):
one.
"""
f = getattr(self.identity_api, 'delete_%s' % entity_type, None)
f = getattr(PROVIDERS.identity_api, 'delete_%s' % entity_type, None)
if f is None:
f = getattr(self.resource_api, 'delete_%s' % entity_type, None)
f = getattr(
PROVIDERS.resource_api, 'delete_%s' % entity_type, None
)
if f is None:
f = getattr(self.assignment_api, 'delete_%s' % entity_type)
f = getattr(PROVIDERS.assignment_api, 'delete_%s' % entity_type)
return f
def _list_entities(self, entity_type):
@ -81,11 +87,11 @@ class FilterTests(object):
one.
"""
f = getattr(self.identity_api, 'list_%ss' % entity_type, None)
f = getattr(PROVIDERS.identity_api, 'list_%ss' % entity_type, None)
if f is None:
f = getattr(self.resource_api, 'list_%ss' % entity_type, None)
f = getattr(PROVIDERS.resource_api, 'list_%ss' % entity_type, None)
if f is None:
f = getattr(self.assignment_api, 'list_%ss' % entity_type)
f = getattr(PROVIDERS.assignment_api, 'list_%ss' % entity_type)
return f
def _create_one_entity(self, entity_type, domain_id, name):

View File

@ -21,6 +21,7 @@ import mock
from oslo_config import fixture as config_fixture
from keystone.common import driver_hints
from keystone.common import provider_api
import keystone.conf
from keystone import exception as ks_exception
from keystone.identity.backends.ldap import common as common_ldap
@ -32,6 +33,7 @@ from keystone.tests.unit.ksfixtures import ldapdb
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class DnCompareTest(unit.BaseTestCase):
@ -399,7 +401,7 @@ class LDAPPagedResultsTest(unit.TestCase):
self.config_fixture.config(group='ldap',
page_size=1)
conn = self.identity_api.user.get_connection()
conn = PROVIDERS.identity_api.user.get_connection()
conn._paged_search_s('dc=example,dc=test',
ldap.SCOPE_SUBTREE,
'objectclass=*')
@ -602,7 +604,7 @@ class LDAPSizeLimitTest(unit.TestCase):
@mock.patch.object(fakeldap.FakeLdap, 'search_s')
def test_search_s_sizelimit_exceeded(self, mock_search_s):
mock_search_s.side_effect = ldap.SIZELIMIT_EXCEEDED
conn = self.identity_api.user.get_connection()
conn = PROVIDERS.identity_api.user.get_connection()
self.assertRaises(ks_exception.LDAPSizeLimitExceeded,
conn.search_s,
'dc=example,dc=test',

View File

@ -13,6 +13,7 @@
import datetime
import uuid
from keystone.common import provider_api
from keystone.common import sql
import keystone.conf
from keystone import exception
@ -21,12 +22,13 @@ from keystone.tests import unit
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class ShadowUsersBackendTests(object):
def test_create_nonlocal_user_unique_constraint(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user_created = self.shadow_users_api.create_nonlocal_user(user)
user_created = PROVIDERS.shadow_users_api.create_nonlocal_user(user)
self.assertNotIn('password', user_created)
self.assertEqual(user_created['id'], user['id'])
self.assertEqual(user_created['domain_id'], user['domain_id'])
@ -34,18 +36,20 @@ class ShadowUsersBackendTests(object):
new_user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
new_user['name'] = user['name']
self.assertRaises(exception.Conflict,
self.shadow_users_api.create_nonlocal_user,
PROVIDERS.shadow_users_api.create_nonlocal_user,
new_user)
def test_create_nonlocal_user_does_not_create_local_user(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
new_nonlocal_user = self.shadow_users_api.create_nonlocal_user(user)
new_nonlocal_user = PROVIDERS.shadow_users_api.create_nonlocal_user(
user
)
user_ref = self._get_user_ref(new_nonlocal_user['id'])
self.assertIsNone(user_ref.local_user)
def test_nonlocal_user_unique_user_id_constraint(self):
user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = self.shadow_users_api.create_nonlocal_user(user_ref)
user = PROVIDERS.shadow_users_api.create_nonlocal_user(user_ref)
# attempt to create a nonlocal_user with the same user_id
nonlocal_user = {
'domain_id': CONF.identity.default_domain_id,
@ -59,30 +63,30 @@ class ShadowUsersBackendTests(object):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user.pop('email')
user.pop('password')
user_created = self.shadow_users_api.create_nonlocal_user(user)
user_created = PROVIDERS.shadow_users_api.create_nonlocal_user(user)
self.assertEqual(user_created['id'], user['id'])
user_found = self.shadow_users_api.get_user(user_created['id'])
user_found = PROVIDERS.shadow_users_api.get_user(user_created['id'])
self.assertItemsEqual(user_created, user_found)
def test_create_federated_user_unique_constraint(self):
user_dict = self.shadow_users_api.create_federated_user(
user_dict = PROVIDERS.shadow_users_api.create_federated_user(
self.domain_id, self.federated_user)
user_dict = self.shadow_users_api.get_user(user_dict["id"])
user_dict = PROVIDERS.shadow_users_api.get_user(user_dict["id"])
self.assertIsNotNone(user_dict["id"])
self.assertRaises(exception.Conflict,
self.shadow_users_api.create_federated_user,
PROVIDERS.shadow_users_api.create_federated_user,
self.domain_id,
self.federated_user)
def test_create_federated_user_domain(self):
user = self.shadow_users_api.create_federated_user(
user = PROVIDERS.shadow_users_api.create_federated_user(
self.domain_id, self.federated_user)
self.assertEqual(user['domain_id'], self.domain_id)
def test_get_federated_user(self):
user_dict_create = self.shadow_users_api.create_federated_user(
user_dict_create = PROVIDERS.shadow_users_api.create_federated_user(
self.domain_id, self.federated_user)
user_dict_get = self.shadow_users_api.get_federated_user(
user_dict_get = PROVIDERS.shadow_users_api.get_federated_user(
self.federated_user["idp_id"],
self.federated_user["protocol_id"],
self.federated_user["unique_id"])
@ -90,15 +94,15 @@ class ShadowUsersBackendTests(object):
self.assertEqual(user_dict_create["id"], user_dict_get["id"])
def test_update_federated_user_display_name(self):
user_dict_create = self.shadow_users_api.create_federated_user(
user_dict_create = PROVIDERS.shadow_users_api.create_federated_user(
self.domain_id, self.federated_user)
new_display_name = uuid.uuid4().hex
self.shadow_users_api.update_federated_user_display_name(
PROVIDERS.shadow_users_api.update_federated_user_display_name(
self.federated_user["idp_id"],
self.federated_user["protocol_id"],
self.federated_user["unique_id"],
new_display_name)
user_ref = self.shadow_users_api._get_federated_user(
user_ref = PROVIDERS.shadow_users_api._get_federated_user(
self.federated_user["idp_id"],
self.federated_user["protocol_id"],
self.federated_user["unique_id"])
@ -112,7 +116,7 @@ class ShadowUsersBackendTests(object):
now = datetime.datetime.utcnow().date()
password = uuid.uuid4().hex
user = self._create_user(password)
user_auth = self.identity_api.authenticate(
user_auth = PROVIDERS.identity_api.authenticate(
self.make_request(),
user_id=user['id'],
password=password)
@ -124,7 +128,7 @@ class ShadowUsersBackendTests(object):
disable_user_account_days_inactive=None)
password = uuid.uuid4().hex
user = self._create_user(password)
user_auth = self.identity_api.authenticate(
user_auth = PROVIDERS.identity_api.authenticate(
self.make_request(),
user_id=user['id'],
password=password)
@ -143,7 +147,7 @@ class ShadowUsersBackendTests(object):
'enabled': True,
'password': password
}
return self.identity_api.create_user(user)
return PROVIDERS.identity_api.create_user(user)
def _get_user_ref(self, user_id):
with sql.session_for_read() as session:

View File

@ -12,10 +12,14 @@
import uuid
from keystone.common import provider_api
PROVIDERS = provider_api.ProviderAPIs
class ShadowUsersCoreTests(object):
def test_shadow_federated_user(self):
user = self.identity_api.shadow_federated_user(
user = PROVIDERS.identity_api.shadow_federated_user(
self.federated_user['idp_id'],
self.federated_user['protocol_id'],
self.federated_user['unique_id'],
@ -33,7 +37,7 @@ class ShadowUsersCoreTests(object):
def test_shadow_existing_federated_user(self):
# introduce the user to keystone for the first time
shadow_user1 = self.identity_api.shadow_federated_user(
shadow_user1 = PROVIDERS.identity_api.shadow_federated_user(
self.federated_user['idp_id'],
self.federated_user['protocol_id'],
self.federated_user['unique_id'],
@ -45,7 +49,7 @@ class ShadowUsersCoreTests(object):
# internally, this operation causes request to the driver. It should
# not fail.
self.federated_user['display_name'] = uuid.uuid4().hex
shadow_user2 = self.identity_api.shadow_federated_user(
shadow_user2 = PROVIDERS.identity_api.shadow_federated_user(
self.federated_user['idp_id'],
self.federated_user['protocol_id'],
self.federated_user['unique_id'],

View File

@ -17,6 +17,7 @@ import freezegun
import passlib.hash
from keystone.common import password_hashing
from keystone.common import provider_api
from keystone.common import resource_options
from keystone.common import sql
import keystone.conf
@ -28,6 +29,7 @@ from keystone.tests.unit import test_backend_sql
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class UserPasswordCreatedAtIntTests(test_backend_sql.SqlTests):
@ -38,8 +40,9 @@ class UserPasswordCreatedAtIntTests(test_backend_sql.SqlTests):
def test_user_password_created_expired_at_int_matches_created_at(self):
with sql.session_for_read() as session:
user_ref = self.identity_api._get_user(session,
self.user_foo['id'])
user_ref = PROVIDERS.identity_api._get_user(
session, self.user_foo['id']
)
self.assertIsNotNone(user_ref.password_ref._created_at)
self.assertIsNotNone(user_ref.password_ref._expires_at)
self.assertEqual(user_ref.password_ref._created_at,
@ -60,8 +63,9 @@ class UserPasswordHashingTestsNoCompat(test_backend_sql.SqlTests):
def test_password_hashing_compat_not_set_used(self):
with sql.session_for_read() as session:
user_ref = self.identity_api._get_user(session,
self.user_foo['id'])
user_ref = PROVIDERS.identity_api._get_user(
session, self.user_foo['id']
)
self.assertIsNone(user_ref.password_ref.password)
self.assertIsNotNone(user_ref.password_ref.password_hash)
self.assertEqual(user_ref.password,
@ -71,8 +75,9 @@ class UserPasswordHashingTestsNoCompat(test_backend_sql.SqlTests):
def test_configured_algorithm_used(self):
with sql.session_for_read() as session:
user_ref = self.identity_api._get_user(session,
self.user_foo['id'])
user_ref = PROVIDERS.identity_api._get_user(
session, self.user_foo['id']
)
self.assertEqual(
passlib.hash.scrypt,
password_hashing._get_hasher_from_ident(user_ref.password))
@ -97,7 +102,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
user = self._create_user(self._get_user_dict())
opt_value = uuid.uuid4().hex
user['options'][self.option1.option_name] = opt_value
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertEqual(opt_value,
new_ref['options'][self.option1.option_name])
raw_ref = self._get_user_ref(user['id'])
@ -106,7 +111,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
opt_value,
raw_ref._resource_option_mapper[
self.option1.option_id].option_value)
api_get_ref = self.identity_api.get_user(user['id'])
api_get_ref = PROVIDERS.identity_api.get_user(user['id'])
# Ensure options are properly set in a .get_user call.
self.assertEqual(opt_value,
api_get_ref['options'][self.option1.option_name])
@ -119,19 +124,19 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
# Update user to add the new value option
user['options'][self.option1.option_name] = opt_value
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertEqual(opt_value,
new_ref['options'][self.option1.option_name])
# Update the option Value and confirm it is updated
user['options'][self.option1.option_name] = new_opt_value
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertEqual(new_opt_value,
new_ref['options'][self.option1.option_name])
# Set the option value to None, meaning delete the option
user['options'][self.option1.option_name] = None
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertNotIn(self.option1.option_name, new_ref['options'])
def test_user_add_delete_resource_option_existing_option_values(self):
@ -142,7 +147,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
# Update user to add the new value option
user['options'][self.option1.option_name] = opt_value
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertEqual(opt_value,
new_ref['options'][self.option1.option_name])
@ -151,7 +156,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
# updated user ref.
del user['options'][self.option1.option_name]
user['options'][self.option2.option_name] = opt2_value
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertEqual(opt_value,
new_ref['options'][self.option1.option_name])
self.assertEqual(opt2_value,
@ -169,7 +174,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
# Set the option value to None, meaning delete the option, ensure
# option 2 still remains and has the right value
user['options'][self.option1.option_name] = None
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertNotIn(self.option1.option_name, new_ref['options'])
self.assertEqual(opt2_value,
new_ref['options'][self.option2.option_name])
@ -189,7 +194,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
# Update user to add the new value option
user['options'][self.option1.option_name] = opt_value
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertEqual(opt_value,
new_ref['options'][self.option1.option_name])
@ -198,7 +203,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
# updated user ref.
del user['options'][self.option1.option_name]
user['options'][self.option2.option_name] = opt2_value
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertEqual(opt_value,
new_ref['options'][self.option1.option_name])
self.assertEqual(opt2_value,
@ -218,7 +223,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
iro.USER_OPTIONS_REGISTRY._registered_options.clear()
iro.USER_OPTIONS_REGISTRY.register_option(self.option1)
user['name'] = uuid.uuid4().hex
new_ref = self.identity_api.update_user(user['id'], user)
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
self.assertNotIn(self.option2.option_name, new_ref['options'])
self.assertEqual(opt_value,
new_ref['options'][self.option1.option_name])
@ -268,19 +273,19 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
datetime.timedelta(days=self.max_inactive_days + 1))
user = self._create_user(self.user_dict, last_active_at.date())
self.assertRaises(exception.UserDisabled,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=user['id'],
password=self.password)
# verify that the user is actually disabled
user = self.identity_api.get_user(user['id'])
user = PROVIDERS.identity_api.get_user(user['id'])
self.assertFalse(user['enabled'])
# set the user to enabled and authenticate
user['enabled'] = True
self.identity_api.update_user(user['id'], user)
user = self.identity_api.authenticate(self.make_request(),
user_id=user['id'],
password=self.password)
PROVIDERS.identity_api.update_user(user['id'], user)
user = PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user['id'], password=self.password
)
self.assertTrue(user['enabled'])
def test_authenticate_user_not_disabled_due_to_inactivity(self):
@ -289,29 +294,29 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
datetime.datetime.utcnow() -
datetime.timedelta(days=self.max_inactive_days - 1)).date()
user = self._create_user(self.user_dict, last_active_at)
user = self.identity_api.authenticate(self.make_request(),
user_id=user['id'],
password=self.password)
user = PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user['id'], password=self.password
)
self.assertTrue(user['enabled'])
def test_get_user_disabled_due_to_inactivity(self):
user = self.identity_api.create_user(self.user_dict)
user = PROVIDERS.identity_api.create_user(self.user_dict)
# set last_active_at just beyond the max
last_active_at = (
datetime.datetime.utcnow() -
datetime.timedelta(self.max_inactive_days + 1)).date()
self._update_user_last_active_at(user['id'], last_active_at)
# get user and verify that the user is actually disabled
user = self.identity_api.get_user(user['id'])
user = PROVIDERS.identity_api.get_user(user['id'])
self.assertFalse(user['enabled'])
# set enabled and test
user['enabled'] = True
self.identity_api.update_user(user['id'], user)
user = self.identity_api.get_user(user['id'])
PROVIDERS.identity_api.update_user(user['id'], user)
user = PROVIDERS.identity_api.get_user(user['id'])
self.assertTrue(user['enabled'])
def test_get_user_not_disabled_due_to_inactivity(self):
user = self.identity_api.create_user(self.user_dict)
user = PROVIDERS.identity_api.create_user(self.user_dict)
self.assertTrue(user['enabled'])
# set last_active_at just below the max
last_active_at = (
@ -319,7 +324,7 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
datetime.timedelta(self.max_inactive_days - 1)).date()
self._update_user_last_active_at(user['id'], last_active_at)
# get user and verify that the user is still enabled
user = self.identity_api.get_user(user['id'])
user = PROVIDERS.identity_api.get_user(user['id'])
self.assertTrue(user['enabled'])
def test_enabled_after_create_update_user(self):
@ -327,24 +332,24 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
disable_user_account_days_inactive=90)
# create user without enabled; assert enabled
del self.user_dict['enabled']
user = self.identity_api.create_user(self.user_dict)
user = PROVIDERS.identity_api.create_user(self.user_dict)
user_ref = self._get_user_ref(user['id'])
self.assertTrue(user_ref.enabled)
now = datetime.datetime.utcnow().date()
self.assertGreaterEqual(now, user_ref.last_active_at)
# set enabled and test
user['enabled'] = True
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
user_ref = self._get_user_ref(user['id'])
self.assertTrue(user_ref.enabled)
# set disabled and test
user['enabled'] = False
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
user_ref = self._get_user_ref(user['id'])
self.assertFalse(user_ref.enabled)
# re-enable user and test
user['enabled'] = True
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
user_ref = self._get_user_ref(user['id'])
self.assertTrue(user_ref.enabled)
@ -388,7 +393,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
user = self._create_user(password)
# Attempt to change to the same password
self.assertRaises(exception.PasswordValidationError,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=user['id'],
original_password=password,
@ -398,7 +403,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
self.assertValidChangePassword(user['id'], password, new_password)
# Attempt to change back to the initial password
self.assertRaises(exception.PasswordValidationError,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=user['id'],
original_password=new_password,
@ -424,12 +429,12 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
self.assertIsNone(user_ref.password)
# Admin password reset
user['password'] = passwords[0]
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
# Self-service change password
self.assertValidChangePassword(user['id'], passwords[0], passwords[1])
# Attempt to update with a previous password
self.assertRaises(exception.PasswordValidationError,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=user['id'],
original_password=passwords[1],
@ -449,22 +454,22 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
user = self._create_user(passwords[0])
# Attempt to change password to a unique password
user['password'] = passwords[1]
self.identity_api.update_user(user['id'], user)
self.identity_api.authenticate(self.make_request(),
user_id=user['id'],
password=passwords[1])
PROVIDERS.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user['id'], password=passwords[1]
)
# Attempt to change password with the same password
user['password'] = passwords[1]
self.identity_api.update_user(user['id'], user)
self.identity_api.authenticate(self.make_request(),
user_id=user['id'],
password=passwords[1])
PROVIDERS.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user['id'], password=passwords[1]
)
# Attempt to change password with the initial password
user['password'] = passwords[0]
self.identity_api.update_user(user['id'], user)
self.identity_api.authenticate(self.make_request(),
user_id=user['id'],
password=passwords[0])
PROVIDERS.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user['id'], password=passwords[0]
)
def test_truncate_passwords(self):
user = self._create_user(uuid.uuid4().hex)
@ -507,7 +512,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
'domain_id': 'default',
'enabled': True,
}
user = self.identity_api.create_user(user)
user = PROVIDERS.identity_api.create_user(user)
self._add_passwords_to_history(user, n=1)
user_ref = self._get_user_ref(user['id'])
self.assertEqual(len(user_ref.local_user.passwords), expected_length)
@ -519,25 +524,25 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
'enabled': True,
'password': password
}
return self.identity_api.create_user(user)
return PROVIDERS.identity_api.create_user(user)
def assertValidChangePassword(self, user_id, password, new_password):
self.identity_api.change_password(self.make_request(),
user_id=user_id,
original_password=password,
new_password=new_password)
self.identity_api.authenticate(self.make_request(),
user_id=user_id,
password=new_password)
PROVIDERS.identity_api.change_password(
self.make_request(), user_id=user_id, original_password=password,
new_password=new_password
)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user_id, password=new_password
)
def _add_passwords_to_history(self, user, n):
for _ in range(n):
user['password'] = uuid.uuid4().hex
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
def _get_user_ref(self, user_id):
with sql.session_for_read() as session:
return self.identity_api._get_user(session, user_id)
return PROVIDERS.identity_api._get_user(session, user_id)
class LockingOutUserTests(test_backend_sql.SqlTests):
@ -557,23 +562,24 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
'enabled': True,
'password': self.password
}
self.user = self.identity_api.create_user(user_dict)
self.user = PROVIDERS.identity_api.create_user(user_dict)
def test_locking_out_user_after_max_failed_attempts(self):
# authenticate with wrong password
self.assertRaises(AssertionError,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
# authenticate with correct password
self.identity_api.authenticate(self.make_request(),
user_id=self.user['id'],
password=self.password)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=self.user['id'],
password=self.password
)
# test locking out user after max failed attempts
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -582,35 +588,37 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# mark the user as exempt from failed password attempts
# ignore user and reset password, password not expired
self.user['options'][iro.IGNORE_LOCKOUT_ATTEMPT_OPT.option_name] = True
self.identity_api.update_user(self.user['id'], self.user)
PROVIDERS.identity_api.update_user(self.user['id'], self.user)
# fail authentication repeatedly the max number of times
self._fail_auth_repeatedly(self.user['id'])
# authenticate with wrong password, account should not be locked
self.assertRaises(AssertionError,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
# authenticate with correct password, account should not be locked
self.identity_api.authenticate(self.make_request(),
user_id=self.user['id'],
password=self.password)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=self.user['id'],
password=self.password
)
def test_set_enabled_unlocks_user(self):
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
# set enabled, user should be unlocked
self.user['enabled'] = True
self.identity_api.update_user(self.user['id'], self.user)
user_ret = self.identity_api.authenticate(self.make_request(),
user_id=self.user['id'],
password=self.password)
PROVIDERS.identity_api.update_user(self.user['id'], self.user)
user_ret = PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=self.user['id'],
password=self.password
)
self.assertTrue(user_ret['enabled'])
def test_lockout_duration(self):
@ -619,7 +627,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -627,13 +635,14 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# auth count should get reset
frozen_time.tick(delta=datetime.timedelta(
seconds=CONF.security_compliance.lockout_duration + 1))
self.identity_api.authenticate(self.make_request(),
user_id=self.user['id'],
password=self.password)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=self.user['id'],
password=self.password
)
# test failed auth count was reset by authenticating with the wrong
# password, should raise an assertion error and not account locked
self.assertRaises(AssertionError,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -644,7 +653,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -655,7 +664,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
self._fail_auth_repeatedly(self.user['id'])
# test user account is locked
self.assertRaises(exception.AccountLocked,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
@ -664,7 +673,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
wrong_password = uuid.uuid4().hex
for _ in range(CONF.security_compliance.lockout_failure_attempts):
self.assertRaises(AssertionError,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=user_id,
password=wrong_password)
@ -689,7 +698,7 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
user = self._create_user(self.user_dict, password_created_at)
# test password is expired
self.assertRaises(exception.PasswordExpired,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=user['id'],
password=self.password)
@ -703,9 +712,9 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
)
user = self._create_user(self.user_dict, password_created_at)
# test password is not expired
self.identity_api.authenticate(self.make_request(),
user_id=user['id'],
password=self.password)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user['id'], password=self.password
)
def test_authenticate_with_expired_password_for_ignore_user_option(self):
# set user to have the 'ignore_password_expiry' option set to False
@ -719,7 +728,7 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
)
user = self._create_user(self.user_dict, password_created_at)
self.assertRaises(exception.PasswordExpired,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=user['id'],
password=self.password)
@ -727,12 +736,13 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
# update user to explicitly have the expiry option to True
user['options'][
iro.IGNORE_PASSWORD_EXPIRY_OPT.option_name] = True
user = self.identity_api.update_user(user['id'],
user)
user = PROVIDERS.identity_api.update_user(
user['id'], user
)
# test password is not expired due to ignore option
self.identity_api.authenticate(self.make_request(),
user_id=user['id'],
password=self.password)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user['id'], password=self.password
)
def _get_test_user_dict(self, password):
test_user_dict = {
@ -747,7 +757,7 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
def _create_user(self, user_dict, password_created_at):
# Bypass business logic and go straight for the identity driver
# (SQL in this case)
driver = self.identity_api.driver
driver = PROVIDERS.identity_api.driver
driver.create_user(user_dict['id'], user_dict)
with sql.session_for_write() as session:
user_ref = session.query(model.User).get(user_dict['id'])
@ -773,7 +783,7 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
new_password)
# user cannot change password before min age
self.assertRaises(exception.PasswordAgeValidationError,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=self.user['id'],
original_password=new_password,
@ -801,7 +811,7 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
new_password)
# user cannot change password before min age
self.assertRaises(exception.PasswordAgeValidationError,
self.identity_api.change_password,
PROVIDERS.identity_api.change_password,
self.make_request(),
user_id=self.user['id'],
original_password=new_password,
@ -809,19 +819,19 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
# admin reset
new_password = uuid.uuid4().hex
self.user['password'] = new_password
self.identity_api.update_user(self.user['id'], self.user)
PROVIDERS.identity_api.update_user(self.user['id'], self.user)
# user can change password after admin reset
self.assertValidChangePassword(self.user['id'], new_password,
uuid.uuid4().hex)
def assertValidChangePassword(self, user_id, password, new_password):
self.identity_api.change_password(self.make_request(),
user_id=user_id,
original_password=password,
new_password=new_password)
self.identity_api.authenticate(self.make_request(),
user_id=user_id,
password=new_password)
PROVIDERS.identity_api.change_password(
self.make_request(), user_id=user_id, original_password=password,
new_password=new_password
)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user_id, password=new_password
)
def _create_new_user(self, password):
user = {
@ -830,7 +840,7 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
'enabled': True,
'password': password
}
return self.identity_api.create_user(user)
return PROVIDERS.identity_api.create_user(user)
def _update_password_created_at(self, user_id, password_create_at):
# User instance has an attribute password_ref. This attribute is used
@ -860,19 +870,19 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
'enabled': True,
'password': password
}
return self.identity_api.create_user(user_dict)
return PROVIDERS.identity_api.create_user(user_dict)
def assertPasswordIsExpired(self, user_id, password):
self.assertRaises(exception.PasswordExpired,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
self.make_request(),
user_id=user_id,
password=password)
def assertPasswordIsNotExpired(self, user_id, password):
self.identity_api.authenticate(self.make_request(),
user_id=user_id,
password=password)
PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user_id, password=password
)
def test_password_expired_after_create(self):
# create user, password expired
@ -881,10 +891,9 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
self.assertPasswordIsExpired(user['id'], initial_password)
# change password (self-service), password not expired
new_password = uuid.uuid4().hex
self.identity_api.change_password(self.make_request(),
user['id'],
initial_password,
new_password)
PROVIDERS.identity_api.change_password(
self.make_request(), user['id'], initial_password, new_password
)
self.assertPasswordIsNotExpired(user['id'], new_password)
def test_password_expired_after_reset(self):
@ -899,14 +908,13 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
# admin reset, password expired
admin_password = uuid.uuid4().hex
user['password'] = admin_password
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
self.assertPasswordIsExpired(user['id'], admin_password)
# change password (self-service), password not expired
new_password = uuid.uuid4().hex
self.identity_api.change_password(self.make_request(),
user['id'],
admin_password,
new_password)
PROVIDERS.identity_api.change_password(
self.make_request(), user['id'], admin_password, new_password
)
self.assertPasswordIsNotExpired(user['id'], new_password)
def test_password_not_expired_when_feature_disabled(self):
@ -917,7 +925,7 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
# admin reset
admin_password = uuid.uuid4().hex
user['password'] = admin_password
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
self.assertPasswordIsNotExpired(user['id'], admin_password)
def test_password_not_expired_for_ignore_user(self):
@ -933,11 +941,11 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
user['options'][iro.IGNORE_CHANGE_PASSWORD_OPT.option_name] = True
admin_password = uuid.uuid4().hex
user['password'] = admin_password
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
self.assertPasswordIsNotExpired(user['id'], admin_password)
# set ignore user to false and reset password, password is expired
user['options'][iro.IGNORE_CHANGE_PASSWORD_OPT.option_name] = False
admin_password = uuid.uuid4().hex
user['password'] = admin_password
self.identity_api.update_user(user['id'], user)
PROVIDERS.identity_api.update_user(user['id'], user)
self.assertPasswordIsExpired(user['id'], admin_password)

File diff suppressed because it is too large Load Diff

View File

@ -19,6 +19,7 @@ import uuid
import mock
from oslo_config import fixture as config_fixture
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone import identity
@ -27,6 +28,7 @@ from keystone.tests.unit.ksfixtures import database
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class TestDomainConfigs(unit.BaseTestCase):
@ -139,18 +141,18 @@ class TestDatabaseDomainConfigs(unit.TestCase):
self.config_fixture.config(domain_configurations_from_database=True,
group='identity')
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
# Override two config options for our domain
conf = {'ldap': {'url': uuid.uuid4().hex,
'suffix': uuid.uuid4().hex,
'use_tls': True},
'identity': {
'driver': 'ldap'}}
self.domain_config_api.create_config(domain['id'], conf)
PROVIDERS.domain_config_api.create_config(domain['id'], conf)
fake_standard_driver = None
domain_config = identity.DomainConfigs()
domain_config.setup_domain_drivers(fake_standard_driver,
self.resource_api)
PROVIDERS.resource_api)
# Make sure our two overrides are in place, and others are not affected
res = domain_config.get_domain_conf(domain['id'])
self.assertEqual(conf['ldap']['url'], res.ldap.url)
@ -170,7 +172,7 @@ class TestDatabaseDomainConfigs(unit.TestCase):
domain_config = identity.DomainConfigs()
domain_config.setup_domain_drivers(fake_standard_driver,
self.resource_api)
PROVIDERS.resource_api)
res = domain_config.get_domain_conf(domain['id'])
self.assertEqual(CONF.ldap.url, res.ldap.url)
self.assertEqual(CONF.ldap.suffix, res.ldap.suffix)

View File

@ -12,75 +12,78 @@
import uuid
from keystone.common import provider_api
from keystone import exception
from keystone.tests import unit
PROVIDERS = provider_api.ProviderAPIs
class PolicyTests(object):
def test_create(self):
ref = unit.new_policy_ref()
res = self.policy_api.create_policy(ref['id'], ref)
res = PROVIDERS.policy_api.create_policy(ref['id'], ref)
self.assertDictEqual(ref, res)
def test_get(self):
ref = unit.new_policy_ref()
res = self.policy_api.create_policy(ref['id'], ref)
res = PROVIDERS.policy_api.create_policy(ref['id'], ref)
res = self.policy_api.get_policy(ref['id'])
res = PROVIDERS.policy_api.get_policy(ref['id'])
self.assertDictEqual(ref, res)
def test_list(self):
ref = unit.new_policy_ref()
self.policy_api.create_policy(ref['id'], ref)
PROVIDERS.policy_api.create_policy(ref['id'], ref)
res = self.policy_api.list_policies()
res = PROVIDERS.policy_api.list_policies()
res = [x for x in res if x['id'] == ref['id']][0]
self.assertDictEqual(ref, res)
def test_update(self):
ref = unit.new_policy_ref()
self.policy_api.create_policy(ref['id'], ref)
PROVIDERS.policy_api.create_policy(ref['id'], ref)
orig = ref
ref = unit.new_policy_ref()
# (cannot change policy ID)
self.assertRaises(exception.ValidationError,
self.policy_api.update_policy,
PROVIDERS.policy_api.update_policy,
orig['id'],
ref)
ref['id'] = orig['id']
res = self.policy_api.update_policy(orig['id'], ref)
res = PROVIDERS.policy_api.update_policy(orig['id'], ref)
self.assertDictEqual(ref, res)
def test_delete(self):
ref = unit.new_policy_ref()
self.policy_api.create_policy(ref['id'], ref)
PROVIDERS.policy_api.create_policy(ref['id'], ref)
self.policy_api.delete_policy(ref['id'])
PROVIDERS.policy_api.delete_policy(ref['id'])
self.assertRaises(exception.PolicyNotFound,
self.policy_api.delete_policy,
PROVIDERS.policy_api.delete_policy,
ref['id'])
self.assertRaises(exception.PolicyNotFound,
self.policy_api.get_policy,
PROVIDERS.policy_api.get_policy,
ref['id'])
res = self.policy_api.list_policies()
res = PROVIDERS.policy_api.list_policies()
self.assertFalse(len([x for x in res if x['id'] == ref['id']]))
def test_get_policy_returns_not_found(self):
self.assertRaises(exception.PolicyNotFound,
self.policy_api.get_policy,
PROVIDERS.policy_api.get_policy,
uuid.uuid4().hex)
def test_update_policy_returns_not_found(self):
ref = unit.new_policy_ref()
self.assertRaises(exception.PolicyNotFound,
self.policy_api.update_policy,
PROVIDERS.policy_api.update_policy,
ref['id'],
ref)
def test_delete_policy_returns_not_found(self):
self.assertRaises(exception.PolicyNotFound,
self.policy_api.delete_policy,
PROVIDERS.policy_api.delete_policy,
uuid.uuid4().hex)

File diff suppressed because it is too large Load Diff

View File

@ -17,6 +17,7 @@ import mock
from oslo_config import cfg
from testtools import matchers
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone.tests import unit
@ -24,6 +25,7 @@ from keystone.tests.unit.ksfixtures import database
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class TestResourceManagerNoFixtures(unit.SQLDriverOverrides, unit.TestCase):
@ -41,17 +43,19 @@ class TestResourceManagerNoFixtures(unit.SQLDriverOverrides, unit.TestCase):
'name': name,
'description': description,
}
domain = self.resource_api.create_domain(
domain = PROVIDERS.resource_api.create_domain(
CONF.identity.default_domain_id, domain_attrs)
project1 = unit.new_project_ref(domain_id=domain['id'],
name=uuid.uuid4().hex)
self.resource_api.create_project(project1['id'], project1)
PROVIDERS.resource_api.create_project(project1['id'], project1)
project2 = unit.new_project_ref(domain_id=domain['id'],
name=uuid.uuid4().hex)
project = self.resource_api.create_project(project2['id'], project2)
project = PROVIDERS.resource_api.create_project(
project2['id'], project2
)
self.assertRaises(exception.Conflict,
self.resource_api.update_project,
PROVIDERS.resource_api.update_project,
project['id'], {'name': project1['name']})
@ -204,35 +208,35 @@ class DomainConfigTests(object):
def setUp(self):
self.domain = unit.new_domain_ref()
self.resource_api.create_domain(self.domain['id'], self.domain)
PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain)
self.addCleanup(self.clean_up_domain)
def clean_up_domain(self):
# NOTE(henry-nash): Deleting the domain will also delete any domain
# configs for this domain.
self.domain['enabled'] = False
self.resource_api.update_domain(self.domain['id'], self.domain)
self.resource_api.delete_domain(self.domain['id'])
PROVIDERS.resource_api.update_domain(self.domain['id'], self.domain)
PROVIDERS.resource_api.delete_domain(self.domain['id'])
del self.domain
def test_create_domain_config_including_sensitive_option(self):
config = {'ldap': {'url': uuid.uuid4().hex,
'user_tree_dn': uuid.uuid4().hex,
'password': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
# password is sensitive, so check that the whitelisted portion and
# the sensitive piece have been stored in the appropriate locations.
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
config_whitelisted = copy.deepcopy(config)
config_whitelisted['ldap'].pop('password')
self.assertEqual(config_whitelisted, res)
res = self.domain_config_api.driver.get_config_option(
res = PROVIDERS.domain_config_api.driver.get_config_option(
self.domain['id'], 'ldap', 'password', sensitive=True)
self.assertEqual(config['ldap']['password'], res['value'])
# Finally, use the non-public API to get back the whole config
res = self.domain_config_api.get_config_with_sensitive_info(
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
self.assertEqual(config, res)
@ -241,67 +245,82 @@ class DomainConfigTests(object):
'user_tree_dn': uuid.uuid4().hex,
'password': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
res = self.domain_config_api.get_config(self.domain['id'],
group='identity')
res = PROVIDERS.domain_config_api.get_config(
self.domain['id'], group='identity'
)
config_partial = copy.deepcopy(config)
config_partial.pop('ldap')
self.assertEqual(config_partial, res)
res = self.domain_config_api.get_config(
res = PROVIDERS.domain_config_api.get_config(
self.domain['id'], group='ldap', option='user_tree_dn')
self.assertEqual({'user_tree_dn': config['ldap']['user_tree_dn']}, res)
# ...but we should fail to get a sensitive option
self.assertRaises(exception.DomainConfigNotFound,
self.domain_config_api.get_config, self.domain['id'],
group='ldap', option='password')
self.assertRaises(
exception.DomainConfigNotFound,
PROVIDERS.domain_config_api.get_config,
self.domain['id'],
group='ldap',
option='password'
)
def test_delete_partial_domain_config(self):
config = {'ldap': {'url': uuid.uuid4().hex,
'user_tree_dn': uuid.uuid4().hex,
'password': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
self.domain_config_api.delete_config(
PROVIDERS.domain_config_api.delete_config(
self.domain['id'], group='identity')
config_partial = copy.deepcopy(config)
config_partial.pop('identity')
config_partial['ldap'].pop('password')
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
self.assertEqual(config_partial, res)
self.domain_config_api.delete_config(
PROVIDERS.domain_config_api.delete_config(
self.domain['id'], group='ldap', option='url')
config_partial = copy.deepcopy(config_partial)
config_partial['ldap'].pop('url')
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
self.assertEqual(config_partial, res)
def test_get_options_not_in_domain_config(self):
self.assertRaises(exception.DomainConfigNotFound,
self.domain_config_api.get_config, self.domain['id'])
self.assertRaises(
exception.DomainConfigNotFound,
PROVIDERS.domain_config_api.get_config,
self.domain['id']
)
config = {'ldap': {'url': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
self.assertRaises(exception.DomainConfigNotFound,
self.domain_config_api.get_config, self.domain['id'],
group='identity')
self.assertRaises(exception.DomainConfigNotFound,
self.domain_config_api.get_config, self.domain['id'],
group='ldap', option='user_tree_dn')
self.assertRaises(
exception.DomainConfigNotFound,
PROVIDERS.domain_config_api.get_config,
self.domain['id'],
group='identity'
)
self.assertRaises(
exception.DomainConfigNotFound,
PROVIDERS.domain_config_api.get_config,
self.domain['id'],
group='ldap',
option='user_tree_dn'
)
def test_get_sensitive_config(self):
config = {'ldap': {'url': uuid.uuid4().hex,
'user_tree_dn': uuid.uuid4().hex,
'password': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
res = self.domain_config_api.get_config_with_sensitive_info(
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
self.assertEqual({}, res)
self.domain_config_api.create_config(self.domain['id'], config)
res = self.domain_config_api.get_config_with_sensitive_info(
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
self.assertEqual(config, res)
@ -310,12 +329,12 @@ class DomainConfigTests(object):
'user_tree_dn': uuid.uuid4().hex,
'password': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
# Try updating a group
new_config = {'ldap': {'url': uuid.uuid4().hex,
'user_filter': uuid.uuid4().hex}}
res = self.domain_config_api.update_config(
res = PROVIDERS.domain_config_api.update_config(
self.domain['id'], new_config, group='ldap')
expected_config = copy.deepcopy(config)
expected_config['ldap']['url'] = new_config['ldap']['url']
@ -323,18 +342,18 @@ class DomainConfigTests(object):
new_config['ldap']['user_filter'])
expected_full_config = copy.deepcopy(expected_config)
expected_config['ldap'].pop('password')
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
self.assertEqual(expected_config, res)
# The sensitive option should still exist
res = self.domain_config_api.get_config_with_sensitive_info(
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
self.assertEqual(expected_full_config, res)
# Try updating a single whitelisted option
self.domain_config_api.delete_config(self.domain['id'])
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.delete_config(self.domain['id'])
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
new_config = {'url': uuid.uuid4().hex}
res = self.domain_config_api.update_config(
res = PROVIDERS.domain_config_api.update_config(
self.domain['id'], new_config, group='ldap', option='url')
# Make sure whitelisted and full config is updated
@ -343,27 +362,27 @@ class DomainConfigTests(object):
expected_full_config = copy.deepcopy(expected_whitelisted_config)
expected_whitelisted_config['ldap'].pop('password')
self.assertEqual(expected_whitelisted_config, res)
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
self.assertEqual(expected_whitelisted_config, res)
res = self.domain_config_api.get_config_with_sensitive_info(
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
self.assertEqual(expected_full_config, res)
# Try updating a single sensitive option
self.domain_config_api.delete_config(self.domain['id'])
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.delete_config(self.domain['id'])
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
new_config = {'password': uuid.uuid4().hex}
res = self.domain_config_api.update_config(
res = PROVIDERS.domain_config_api.update_config(
self.domain['id'], new_config, group='ldap', option='password')
# The whitelisted config should not have changed...
expected_whitelisted_config = copy.deepcopy(config)
expected_full_config = copy.deepcopy(config)
expected_whitelisted_config['ldap'].pop('password')
self.assertEqual(expected_whitelisted_config, res)
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
self.assertEqual(expected_whitelisted_config, res)
expected_full_config['ldap']['password'] = new_config['password']
res = self.domain_config_api.get_config_with_sensitive_info(
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
# ...but the sensitive piece should have.
self.assertEqual(expected_full_config, res)
@ -375,11 +394,11 @@ class DomainConfigTests(object):
'identity': {'driver': uuid.uuid4().hex}}
# An extra group, when specifying one group should fail
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.update_config,
PROVIDERS.domain_config_api.update_config,
self.domain['id'], config, group='ldap')
# An extra option, when specifying one option should fail
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.update_config,
PROVIDERS.domain_config_api.update_config,
self.domain['id'], config['ldap'],
group='ldap', option='url')
@ -387,25 +406,25 @@ class DomainConfigTests(object):
# ones that are in the config provided
config = {'ldap': {'user_tree_dn': uuid.uuid4().hex}}
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.update_config,
PROVIDERS.domain_config_api.update_config,
self.domain['id'], config, group='identity')
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.update_config,
PROVIDERS.domain_config_api.update_config,
self.domain['id'], config['ldap'], group='ldap',
option='url')
# Now some valid groups/options, but just not ones that are in the
# existing config
config = {'ldap': {'user_tree_dn': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
config_wrong_group = {'identity': {'driver': uuid.uuid4().hex}}
self.assertRaises(exception.DomainConfigNotFound,
self.domain_config_api.update_config,
PROVIDERS.domain_config_api.update_config,
self.domain['id'], config_wrong_group,
group='identity')
config_wrong_option = {'url': uuid.uuid4().hex}
self.assertRaises(exception.DomainConfigNotFound,
self.domain_config_api.update_config,
PROVIDERS.domain_config_api.update_config,
self.domain['id'], config_wrong_option,
group='ldap', option='url')
@ -413,49 +432,49 @@ class DomainConfigTests(object):
bad_group = uuid.uuid4().hex
config = {bad_group: {'user': uuid.uuid4().hex}}
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.update_config,
PROVIDERS.domain_config_api.update_config,
self.domain['id'], config, group=bad_group,
option='user')
bad_option = uuid.uuid4().hex
config = {'ldap': {bad_option: uuid.uuid4().hex}}
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.update_config,
PROVIDERS.domain_config_api.update_config,
self.domain['id'], config, group='ldap',
option=bad_option)
def test_create_invalid_domain_config(self):
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.create_config,
PROVIDERS.domain_config_api.create_config,
self.domain['id'], {})
config = {uuid.uuid4().hex: uuid.uuid4().hex}
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.create_config,
PROVIDERS.domain_config_api.create_config,
self.domain['id'], config)
config = {uuid.uuid4().hex: {uuid.uuid4().hex: uuid.uuid4().hex}}
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.create_config,
PROVIDERS.domain_config_api.create_config,
self.domain['id'], config)
config = {'ldap': {uuid.uuid4().hex: uuid.uuid4().hex}}
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.create_config,
PROVIDERS.domain_config_api.create_config,
self.domain['id'], config)
# Try an option that IS in the standard conf, but neither whitelisted
# or marked as sensitive
config = {'identity': {'user_tree_dn': uuid.uuid4().hex}}
self.assertRaises(exception.InvalidDomainConfig,
self.domain_config_api.create_config,
PROVIDERS.domain_config_api.create_config,
self.domain['id'], config)
def test_delete_invalid_partial_domain_config(self):
config = {'ldap': {'url': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
# Try deleting a group not in the config
self.assertRaises(exception.DomainConfigNotFound,
self.domain_config_api.delete_config,
PROVIDERS.domain_config_api.delete_config,
self.domain['id'], group='identity')
# Try deleting an option not in the config
self.assertRaises(exception.DomainConfigNotFound,
self.domain_config_api.delete_config,
PROVIDERS.domain_config_api.delete_config,
self.domain['id'],
group='ldap', option='user_tree_dn')
@ -466,11 +485,11 @@ class DomainConfigTests(object):
'user_tree_dn': uuid.uuid4().hex,
'password': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
# Read back the config with the internal method and ensure that the
# substitution has taken place.
res = self.domain_config_api.get_config_with_sensitive_info(
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
expected_url = (
config['ldap']['url'] % {'password': config['ldap']['password']})
@ -490,12 +509,15 @@ class DomainConfigTests(object):
'my_url/%(password)',
'my_url/%(password)d']:
invalid_option_config['ldap']['url'] = invalid_option
self.domain_config_api.create_config(
PROVIDERS.domain_config_api.create_config(
self.domain['id'], invalid_option_config)
with mock.patch('keystone.resource.core.LOG', mock_log):
res = self.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
res = (
PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id']
)
)
mock_log.warning.assert_any_call(mock.ANY, mock.ANY)
self.assertEqual(
invalid_option_config['ldap']['url'], res['ldap']['url'])
@ -510,11 +532,11 @@ class DomainConfigTests(object):
'password': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
self.domain_config_api.create_config(
PROVIDERS.domain_config_api.create_config(
self.domain['id'], escaped_option_config)
with mock.patch('keystone.resource.core.LOG', mock_log):
res = self.domain_config_api.get_config_with_sensitive_info(
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
self.assertFalse(mock_log.warn.called)
# The escaping '%' should have been removed
@ -526,100 +548,100 @@ class DomainConfigTests(object):
'user_tree_dn': uuid.uuid4().hex,
'password': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
# cache the result
res = self.domain_config_api.get_config_with_sensitive_info(
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id'])
self.assertEqual(config, res)
# delete, bypassing domain config manager api
self.domain_config_api.delete_config_options(self.domain['id'])
PROVIDERS.domain_config_api.delete_config_options(self.domain['id'])
self.assertDictEqual(
res, self.domain_config_api.get_config_with_sensitive_info(
res, PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id']))
self.domain_config_api.get_config_with_sensitive_info.invalidate(
self.domain_config_api, self.domain['id'])
PROVIDERS.domain_config_api.get_config_with_sensitive_info.invalidate(
PROVIDERS.domain_config_api, self.domain['id'])
self.assertDictEqual(
{},
self.domain_config_api.get_config_with_sensitive_info(
PROVIDERS.domain_config_api.get_config_with_sensitive_info(
self.domain['id']))
def test_delete_domain_deletes_configs(self):
"""Test domain deletion clears the domain configs."""
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
config = {'ldap': {'url': uuid.uuid4().hex,
'user_tree_dn': uuid.uuid4().hex,
'password': uuid.uuid4().hex}}
self.domain_config_api.create_config(domain['id'], config)
PROVIDERS.domain_config_api.create_config(domain['id'], config)
# Now delete the domain
domain['enabled'] = False
self.resource_api.update_domain(domain['id'], domain)
self.resource_api.delete_domain(domain['id'])
PROVIDERS.resource_api.update_domain(domain['id'], domain)
PROVIDERS.resource_api.delete_domain(domain['id'])
# Check domain configs have also been deleted
self.assertRaises(
exception.DomainConfigNotFound,
self.domain_config_api.get_config,
PROVIDERS.domain_config_api.get_config,
domain['id'])
# The get_config_with_sensitive_info does not throw an exception if
# the config is empty, it just returns an empty dict
self.assertDictEqual(
{},
self.domain_config_api.get_config_with_sensitive_info(
PROVIDERS.domain_config_api.get_config_with_sensitive_info(
domain['id']))
def test_config_registration(self):
type = uuid.uuid4().hex
self.domain_config_api.obtain_registration(
PROVIDERS.domain_config_api.obtain_registration(
self.domain['id'], type)
self.domain_config_api.release_registration(
PROVIDERS.domain_config_api.release_registration(
self.domain['id'], type=type)
# Make sure that once someone has it, nobody else can get it.
# This includes the domain who already has it.
self.domain_config_api.obtain_registration(
PROVIDERS.domain_config_api.obtain_registration(
self.domain['id'], type)
self.assertFalse(
self.domain_config_api.obtain_registration(
PROVIDERS.domain_config_api.obtain_registration(
self.domain['id'], type))
# Make sure we can read who does have it
self.assertEqual(
self.domain['id'],
self.domain_config_api.read_registration(type))
PROVIDERS.domain_config_api.read_registration(type))
# Make sure releasing it is silent if the domain specified doesn't
# have the registration
domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
self.resource_api.create_domain(domain2['id'], domain2)
self.domain_config_api.release_registration(
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
PROVIDERS.domain_config_api.release_registration(
domain2['id'], type=type)
# If nobody has the type registered, then trying to read it should
# raise ConfigRegistrationNotFound
self.domain_config_api.release_registration(
PROVIDERS.domain_config_api.release_registration(
self.domain['id'], type=type)
self.assertRaises(exception.ConfigRegistrationNotFound,
self.domain_config_api.read_registration,
PROVIDERS.domain_config_api.read_registration,
type)
# Finally check multiple registrations are cleared if you free the
# registration without specifying the type
type2 = uuid.uuid4().hex
self.domain_config_api.obtain_registration(
PROVIDERS.domain_config_api.obtain_registration(
self.domain['id'], type)
self.domain_config_api.obtain_registration(
PROVIDERS.domain_config_api.obtain_registration(
self.domain['id'], type2)
self.domain_config_api.release_registration(self.domain['id'])
PROVIDERS.domain_config_api.release_registration(self.domain['id'])
self.assertRaises(exception.ConfigRegistrationNotFound,
self.domain_config_api.read_registration,
PROVIDERS.domain_config_api.read_registration,
type)
self.assertRaises(exception.ConfigRegistrationNotFound,
self.domain_config_api.read_registration,
PROVIDERS.domain_config_api.read_registration,
type2)
def test_option_dict_fails_when_group_is_none(self):
@ -627,7 +649,7 @@ class DomainConfigTests(object):
option = 'bar'
self.assertRaises(
cfg.NoSuchOptError,
self.domain_config_api._option_dict,
PROVIDERS.domain_config_api._option_dict,
group,
option
)
@ -642,7 +664,7 @@ class DomainConfigTests(object):
'option': 'password_regex',
'value': regex
}
option_dict = self.domain_config_api._option_dict(
option_dict = PROVIDERS.domain_config_api._option_dict(
'security_compliance', 'password_regex'
)
self.assertEqual(option_dict, expected_dict)

View File

@ -17,21 +17,30 @@ import uuid
from six.moves import range
from testtools import matchers
from keystone.common import provider_api
from keystone import exception
from keystone.tests import unit
PROVIDERS = provider_api.ProviderAPIs
class PolicyAssociationTests(object):
def _assert_correct_policy(self, endpoint, policy):
ref = (
self.endpoint_policy_api.get_policy_for_endpoint(endpoint['id']))
PROVIDERS.endpoint_policy_api.get_policy_for_endpoint(
endpoint['id']
)
)
self.assertEqual(policy['id'], ref['id'])
def _assert_correct_endpoints(self, policy, endpoint_list):
endpoint_id_list = [ep['id'] for ep in endpoint_list]
endpoints = (
self.endpoint_policy_api.list_endpoints_for_policy(policy['id']))
PROVIDERS.endpoint_policy_api.list_endpoints_for_policy(
policy['id']
)
)
self.assertThat(endpoints, matchers.HasLength(len(endpoint_list)))
for endpoint in endpoints:
self.assertIn(endpoint['id'], endpoint_id_list)
@ -57,7 +66,7 @@ class PolicyAssociationTests(object):
region_id=region_id,
service_id=service_id,
url='/url')
self.endpoint.append(self.catalog_api.create_endpoint(
self.endpoint.append(PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint))
self.policy = []
@ -68,15 +77,18 @@ class PolicyAssociationTests(object):
parent_region_id = None
for i in range(3):
policy = unit.new_policy_ref()
self.policy.append(self.policy_api.create_policy(policy['id'],
policy))
self.policy.append(
PROVIDERS.policy_api.create_policy(policy['id'], policy)
)
service = unit.new_service_ref()
self.service.append(self.catalog_api.create_service(service['id'],
service))
self.service.append(
PROVIDERS.catalog_api.create_service(service['id'], service)
)
region = unit.new_region_ref(parent_region_id=parent_region_id)
# Link the regions together as a hierarchy, [0] at the top
parent_region_id = region['id']
self.region.append(self.catalog_api.create_region(region))
self.region.append(PROVIDERS.catalog_api.create_region(region))
new_endpoint(self.region[0]['id'], self.service[0]['id'])
new_endpoint(self.region[0]['id'], self.service[1]['id'])
@ -86,62 +98,76 @@ class PolicyAssociationTests(object):
new_endpoint(self.region[2]['id'], self.service[0]['id'])
def test_policy_to_endpoint_association_crud(self):
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
self.endpoint_policy_api.check_policy_association(
PROVIDERS.endpoint_policy_api.check_policy_association(
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
self.endpoint_policy_api.delete_policy_association(
PROVIDERS.endpoint_policy_api.delete_policy_association(
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id'])
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id']
)
def test_overwriting_policy_to_endpoint_association(self):
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[1]['id'], endpoint_id=self.endpoint[0]['id'])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id'])
self.endpoint_policy_api.check_policy_association(
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id']
)
PROVIDERS.endpoint_policy_api.check_policy_association(
self.policy[1]['id'], endpoint_id=self.endpoint[0]['id'])
def test_invalid_policy_to_endpoint_association(self):
self.assertRaises(exception.InvalidPolicyAssociation,
self.endpoint_policy_api.create_policy_association,
self.policy[0]['id'])
self.assertRaises(exception.InvalidPolicyAssociation,
self.endpoint_policy_api.create_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id'],
region_id=self.region[0]['id'])
self.assertRaises(exception.InvalidPolicyAssociation,
self.endpoint_policy_api.create_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id'],
service_id=self.service[0]['id'])
self.assertRaises(exception.InvalidPolicyAssociation,
self.endpoint_policy_api.create_policy_association,
self.policy[0]['id'],
region_id=self.region[0]['id'])
self.assertRaises(
exception.InvalidPolicyAssociation,
PROVIDERS.endpoint_policy_api.create_policy_association,
self.policy[0]['id']
)
self.assertRaises(
exception.InvalidPolicyAssociation,
PROVIDERS.endpoint_policy_api.create_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id'],
region_id=self.region[0]['id']
)
self.assertRaises(
exception.InvalidPolicyAssociation,
PROVIDERS.endpoint_policy_api.create_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id'],
service_id=self.service[0]['id']
)
self.assertRaises(
exception.InvalidPolicyAssociation,
PROVIDERS.endpoint_policy_api.create_policy_association,
self.policy[0]['id'],
region_id=self.region[0]['id']
)
def test_policy_to_explicit_endpoint_association(self):
# Associate policy 0 with endpoint 0
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
self._assert_correct_policy(self.endpoint[0], self.policy[0])
self._assert_correct_endpoints(self.policy[0], [self.endpoint[0]])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.get_policy_for_endpoint,
uuid.uuid4().hex)
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.get_policy_for_endpoint,
uuid.uuid4().hex
)
def test_policy_to_service_association(self):
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], service_id=self.service[0]['id'])
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[1]['id'], service_id=self.service[1]['id'])
# Endpoints 0 and 5 are part of service 0
@ -157,13 +183,13 @@ class PolicyAssociationTests(object):
self.policy[1], [self.endpoint[1], self.endpoint[2]])
def test_policy_to_region_and_service_association(self):
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], service_id=self.service[0]['id'],
region_id=self.region[0]['id'])
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[1]['id'], service_id=self.service[1]['id'],
region_id=self.region[1]['id'])
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[2]['id'], service_id=self.service[2]['id'],
region_id=self.region[2]['id'])
@ -188,62 +214,74 @@ class PolicyAssociationTests(object):
self.policy[0], [self.endpoint[0], self.endpoint[5]])
def test_delete_association_by_entity(self):
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
self.endpoint_policy_api.delete_association_by_endpoint(
PROVIDERS.endpoint_policy_api.delete_association_by_endpoint(
self.endpoint[0]['id'])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id'])
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
endpoint_id=self.endpoint[0]['id']
)
# Make sure deleting it again is silent - since this method is used
# in response to notifications by the controller.
self.endpoint_policy_api.delete_association_by_endpoint(
PROVIDERS.endpoint_policy_api.delete_association_by_endpoint(
self.endpoint[0]['id'])
# Now try with service - ensure both combined region & service
# associations and explicit service ones are removed
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], service_id=self.service[0]['id'],
region_id=self.region[0]['id'])
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[1]['id'], service_id=self.service[0]['id'],
region_id=self.region[1]['id'])
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], service_id=self.service[0]['id'])
self.endpoint_policy_api.delete_association_by_service(
PROVIDERS.endpoint_policy_api.delete_association_by_service(
self.service[0]['id'])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
service_id=self.service[0]['id'],
region_id=self.region[0]['id'])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.check_policy_association,
self.policy[1]['id'],
service_id=self.service[0]['id'],
region_id=self.region[1]['id'])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
service_id=self.service[0]['id'])
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
service_id=self.service[0]['id'],
region_id=self.region[0]['id']
)
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.check_policy_association,
self.policy[1]['id'],
service_id=self.service[0]['id'],
region_id=self.region[1]['id']
)
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
service_id=self.service[0]['id']
)
# Finally, check delete by region
self.endpoint_policy_api.create_policy_association(
PROVIDERS.endpoint_policy_api.create_policy_association(
self.policy[0]['id'], service_id=self.service[0]['id'],
region_id=self.region[0]['id'])
self.endpoint_policy_api.delete_association_by_region(
PROVIDERS.endpoint_policy_api.delete_association_by_region(
self.region[0]['id'])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
service_id=self.service[0]['id'],
region_id=self.region[0]['id'])
self.assertRaises(exception.NotFound,
self.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
service_id=self.service[0]['id'])
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
service_id=self.service[0]['id'],
region_id=self.region[0]['id']
)
self.assertRaises(
exception.NotFound,
PROVIDERS.endpoint_policy_api.check_policy_association,
self.policy[0]['id'],
service_id=self.service[0]['id']
)

View File

@ -17,12 +17,15 @@ import uuid
from testtools import matchers
from keystone.common import provider_api
from keystone.common import sql
from keystone.identity.mapping_backends import mapping
from keystone.tests import unit
from keystone.tests.unit import identity_mapping as mapping_sql
from keystone.tests.unit import test_backend_sql
PROVIDERS = provider_api.ProviderAPIs
class SqlIDMappingTable(test_backend_sql.SqlModels):
"""Set of tests for checking SQL Identity ID Mapping."""
@ -44,22 +47,32 @@ class SqlIDMapping(test_backend_sql.SqlTests):
def load_sample_data(self):
self.addCleanup(self.clean_sample_data)
domainA = unit.new_domain_ref()
self.domainA = self.resource_api.create_domain(domainA['id'], domainA)
self.domainA = PROVIDERS.resource_api.create_domain(
domainA['id'], domainA
)
domainB = unit.new_domain_ref()
self.domainB = self.resource_api.create_domain(domainB['id'], domainB)
self.domainB = PROVIDERS.resource_api.create_domain(
domainB['id'], domainB
)
def clean_sample_data(self):
if hasattr(self, 'domainA'):
self.domainA['enabled'] = False
self.resource_api.update_domain(self.domainA['id'], self.domainA)
self.resource_api.delete_domain(self.domainA['id'])
PROVIDERS.resource_api.update_domain(
self.domainA['id'], self.domainA
)
PROVIDERS.resource_api.delete_domain(self.domainA['id'])
if hasattr(self, 'domainB'):
self.domainB['enabled'] = False
self.resource_api.update_domain(self.domainB['id'], self.domainB)
self.resource_api.delete_domain(self.domainB['id'])
PROVIDERS.resource_api.update_domain(
self.domainB['id'], self.domainB
)
PROVIDERS.resource_api.delete_domain(self.domainB['id'])
def test_invalid_public_key(self):
self.assertIsNone(self.id_mapping_api.get_id_mapping(uuid.uuid4().hex))
self.assertIsNone(
PROVIDERS.id_mapping_api.get_id_mapping(uuid.uuid4().hex)
)
def test_id_mapping_crud(self):
initial_mappings = len(mapping_sql.list_id_mappings())
@ -73,27 +86,31 @@ class SqlIDMapping(test_backend_sql.SqlTests):
'entity_type': mapping.EntityType.GROUP}
# Check no mappings for the new local entities
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity1))
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity2))
self.assertIsNone(
PROVIDERS.id_mapping_api.get_public_id(local_entity1)
)
self.assertIsNone(
PROVIDERS.id_mapping_api.get_public_id(local_entity2)
)
# Create the new mappings and then read them back
public_id1 = self.id_mapping_api.create_id_mapping(local_entity1)
public_id2 = self.id_mapping_api.create_id_mapping(local_entity2)
public_id1 = PROVIDERS.id_mapping_api.create_id_mapping(local_entity1)
public_id2 = PROVIDERS.id_mapping_api.create_id_mapping(local_entity2)
self.assertThat(mapping_sql.list_id_mappings(),
matchers.HasLength(initial_mappings + 2))
self.assertEqual(
public_id1, self.id_mapping_api.get_public_id(local_entity1))
public_id1, PROVIDERS.id_mapping_api.get_public_id(local_entity1))
self.assertEqual(
public_id2, self.id_mapping_api.get_public_id(local_entity2))
public_id2, PROVIDERS.id_mapping_api.get_public_id(local_entity2))
local_id_ref = self.id_mapping_api.get_id_mapping(public_id1)
local_id_ref = PROVIDERS.id_mapping_api.get_id_mapping(public_id1)
self.assertEqual(self.domainA['id'], local_id_ref['domain_id'])
self.assertEqual(local_id1, local_id_ref['local_id'])
self.assertEqual(mapping.EntityType.USER, local_id_ref['entity_type'])
# Check we have really created a new external ID
self.assertNotEqual(local_id1, public_id1)
local_id_ref = self.id_mapping_api.get_id_mapping(public_id2)
local_id_ref = PROVIDERS.id_mapping_api.get_id_mapping(public_id2)
self.assertEqual(self.domainB['id'], local_id_ref['domain_id'])
self.assertEqual(local_id2, local_id_ref['local_id'])
self.assertEqual(mapping.EntityType.GROUP, local_id_ref['entity_type'])
@ -102,7 +119,7 @@ class SqlIDMapping(test_backend_sql.SqlTests):
# Create another mappings, this time specifying a public ID to use
new_public_id = uuid.uuid4().hex
public_id3 = self.id_mapping_api.create_id_mapping(
public_id3 = PROVIDERS.id_mapping_api.create_id_mapping(
{'domain_id': self.domainB['id'], 'local_id': local_id2,
'entity_type': mapping.EntityType.USER},
public_id=new_public_id)
@ -112,9 +129,9 @@ class SqlIDMapping(test_backend_sql.SqlTests):
# Delete the mappings we created, and make sure the mapping count
# goes back to where it was
self.id_mapping_api.delete_id_mapping(public_id1)
self.id_mapping_api.delete_id_mapping(public_id2)
self.id_mapping_api.delete_id_mapping(public_id3)
PROVIDERS.id_mapping_api.delete_id_mapping(public_id1)
PROVIDERS.id_mapping_api.delete_id_mapping(public_id2)
PROVIDERS.id_mapping_api.delete_id_mapping(public_id3)
self.assertThat(mapping_sql.list_id_mappings(),
matchers.HasLength(initial_mappings))
@ -126,18 +143,18 @@ class SqlIDMapping(test_backend_sql.SqlTests):
'entity_type': mapping.EntityType.USER}
# Check no mappings for the new local entity
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity))
self.assertIsNone(PROVIDERS.id_mapping_api.get_public_id(local_entity))
# Create the new mapping and then read it back
public_id = self.id_mapping_api.create_id_mapping(local_entity)
public_id = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
self.assertThat(mapping_sql.list_id_mappings(),
matchers.HasLength(initial_mappings + 1))
self.assertEqual(
public_id, self.id_mapping_api.get_public_id(local_entity))
public_id, PROVIDERS.id_mapping_api.get_public_id(local_entity))
def test_delete_public_id_is_silent(self):
# Test that deleting an invalid public key is silent
self.id_mapping_api.delete_id_mapping(uuid.uuid4().hex)
PROVIDERS.id_mapping_api.delete_id_mapping(uuid.uuid4().hex)
def test_purge_mappings(self):
initial_mappings = len(mapping_sql.list_id_mappings())
@ -148,19 +165,19 @@ class SqlIDMapping(test_backend_sql.SqlTests):
local_id5 = uuid.uuid4().hex
# Create five mappings,two in domainA, three in domainB
self.id_mapping_api.create_id_mapping(
PROVIDERS.id_mapping_api.create_id_mapping(
{'domain_id': self.domainA['id'], 'local_id': local_id1,
'entity_type': mapping.EntityType.USER})
self.id_mapping_api.create_id_mapping(
PROVIDERS.id_mapping_api.create_id_mapping(
{'domain_id': self.domainA['id'], 'local_id': local_id2,
'entity_type': mapping.EntityType.USER})
public_id3 = self.id_mapping_api.create_id_mapping(
public_id3 = PROVIDERS.id_mapping_api.create_id_mapping(
{'domain_id': self.domainB['id'], 'local_id': local_id3,
'entity_type': mapping.EntityType.GROUP})
public_id4 = self.id_mapping_api.create_id_mapping(
public_id4 = PROVIDERS.id_mapping_api.create_id_mapping(
{'domain_id': self.domainB['id'], 'local_id': local_id4,
'entity_type': mapping.EntityType.USER})
public_id5 = self.id_mapping_api.create_id_mapping(
public_id5 = PROVIDERS.id_mapping_api.create_id_mapping(
{'domain_id': self.domainB['id'], 'local_id': local_id5,
'entity_type': mapping.EntityType.USER})
@ -168,32 +185,32 @@ class SqlIDMapping(test_backend_sql.SqlTests):
matchers.HasLength(initial_mappings + 5))
# Purge mappings for domainA, should be left with those in B
self.id_mapping_api.purge_mappings(
PROVIDERS.id_mapping_api.purge_mappings(
{'domain_id': self.domainA['id']})
self.assertThat(mapping_sql.list_id_mappings(),
matchers.HasLength(initial_mappings + 3))
self.id_mapping_api.get_id_mapping(public_id3)
self.id_mapping_api.get_id_mapping(public_id4)
self.id_mapping_api.get_id_mapping(public_id5)
PROVIDERS.id_mapping_api.get_id_mapping(public_id3)
PROVIDERS.id_mapping_api.get_id_mapping(public_id4)
PROVIDERS.id_mapping_api.get_id_mapping(public_id5)
# Purge mappings for type Group, should purge one more
self.id_mapping_api.purge_mappings(
PROVIDERS.id_mapping_api.purge_mappings(
{'entity_type': mapping.EntityType.GROUP})
self.assertThat(mapping_sql.list_id_mappings(),
matchers.HasLength(initial_mappings + 2))
self.id_mapping_api.get_id_mapping(public_id4)
self.id_mapping_api.get_id_mapping(public_id5)
PROVIDERS.id_mapping_api.get_id_mapping(public_id4)
PROVIDERS.id_mapping_api.get_id_mapping(public_id5)
# Purge mapping for a specific local identifier
self.id_mapping_api.purge_mappings(
PROVIDERS.id_mapping_api.purge_mappings(
{'domain_id': self.domainB['id'], 'local_id': local_id4,
'entity_type': mapping.EntityType.USER})
self.assertThat(mapping_sql.list_id_mappings(),
matchers.HasLength(initial_mappings + 1))
self.id_mapping_api.get_id_mapping(public_id5)
PROVIDERS.id_mapping_api.get_id_mapping(public_id5)
# Purge mappings the remaining mappings
self.id_mapping_api.purge_mappings({})
PROVIDERS.id_mapping_api.purge_mappings({})
self.assertThat(mapping_sql.list_id_mappings(),
matchers.HasLength(initial_mappings))
@ -202,16 +219,16 @@ class SqlIDMapping(test_backend_sql.SqlTests):
'domain_id': self.domainA['id'],
'local_id': uuid.uuid4().hex,
'entity_type': mapping.EntityType.USER}
public_id1 = self.id_mapping_api.create_id_mapping(local_entity)
public_id1 = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
# second call should be successful and return the same
# public_id as above
public_id2 = self.id_mapping_api.create_id_mapping(local_entity)
public_id2 = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
self.assertEqual(public_id1, public_id2)
# even if public_id was specified, it should not be used,
# and still the same public_id should be returned
public_id3 = self.id_mapping_api.create_id_mapping(
public_id3 = PROVIDERS.id_mapping_api.create_id_mapping(
local_entity, public_id=uuid.uuid4().hex)
self.assertEqual(public_id1, public_id3)
@ -223,21 +240,21 @@ class SqlIDMapping(test_backend_sql.SqlTests):
'entity_type': mapping.EntityType.USER}
# Check no mappings for the new local entity
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity))
self.assertIsNone(PROVIDERS.id_mapping_api.get_public_id(local_entity))
# Create new mappings, and it should be in the cache after created
public_id = self.id_mapping_api.create_id_mapping(local_entity)
public_id = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
self.assertEqual(
public_id, self.id_mapping_api.get_public_id(local_entity))
local_id_ref = self.id_mapping_api.get_id_mapping(public_id)
public_id, PROVIDERS.id_mapping_api.get_public_id(local_entity))
local_id_ref = PROVIDERS.id_mapping_api.get_id_mapping(public_id)
self.assertEqual(self.domainA['id'], local_id_ref['domain_id'])
self.assertEqual(local_id, local_id_ref['local_id'])
self.assertEqual(mapping.EntityType.USER, local_id_ref['entity_type'])
# After delete the mapping, should be deleted from cache too
self.id_mapping_api.delete_id_mapping(public_id)
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity))
self.assertIsNone(self.id_mapping_api.get_id_mapping(public_id))
PROVIDERS.id_mapping_api.delete_id_mapping(public_id)
self.assertIsNone(PROVIDERS.id_mapping_api.get_public_id(local_entity))
self.assertIsNone(PROVIDERS.id_mapping_api.get_id_mapping(public_id))
@unit.skip_if_cache_disabled('identity')
def test_invalidate_cache_when_purge_mappings(self):
@ -264,32 +281,42 @@ class SqlIDMapping(test_backend_sql.SqlTests):
'local_id': local_id5,
'entity_type': mapping.EntityType.USER}
self.id_mapping_api.create_id_mapping(local_entity1)
self.id_mapping_api.create_id_mapping(local_entity2)
self.id_mapping_api.create_id_mapping(local_entity3)
self.id_mapping_api.create_id_mapping(local_entity4)
self.id_mapping_api.create_id_mapping(local_entity5)
PROVIDERS.id_mapping_api.create_id_mapping(local_entity1)
PROVIDERS.id_mapping_api.create_id_mapping(local_entity2)
PROVIDERS.id_mapping_api.create_id_mapping(local_entity3)
PROVIDERS.id_mapping_api.create_id_mapping(local_entity4)
PROVIDERS.id_mapping_api.create_id_mapping(local_entity5)
# Purge mappings for domainA, should be left with those in B
self.id_mapping_api.purge_mappings(
PROVIDERS.id_mapping_api.purge_mappings(
{'domain_id': self.domainA['id']})
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity1))
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity2))
self.assertIsNone(
PROVIDERS.id_mapping_api.get_public_id(local_entity1)
)
self.assertIsNone(
PROVIDERS.id_mapping_api.get_public_id(local_entity2)
)
# Purge mappings for type Group, should purge one more
self.id_mapping_api.purge_mappings(
PROVIDERS.id_mapping_api.purge_mappings(
{'entity_type': mapping.EntityType.GROUP})
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity3))
self.assertIsNone(
PROVIDERS.id_mapping_api.get_public_id(local_entity3)
)
# Purge mapping for a specific local identifier
self.id_mapping_api.purge_mappings(
PROVIDERS.id_mapping_api.purge_mappings(
{'domain_id': self.domainB['id'], 'local_id': local_id4,
'entity_type': mapping.EntityType.USER})
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity4))
self.assertIsNone(
PROVIDERS.id_mapping_api.get_public_id(local_entity4)
)
# Purge mappings the remaining mappings
self.id_mapping_api.purge_mappings({})
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity5))
PROVIDERS.id_mapping_api.purge_mappings({})
self.assertIsNone(
PROVIDERS.id_mapping_api.get_public_id(local_entity5)
)
def test_get_domain_mapping_list(self):
local_id1 = uuid.uuid4().hex
@ -315,24 +342,32 @@ class SqlIDMapping(test_backend_sql.SqlTests):
'local_id': local_id5,
'entity_type': mapping.EntityType.USER}
local_entity1['public_id'] = self.id_mapping_api.create_id_mapping(
local_entity1)
local_entity2['public_id'] = self.id_mapping_api.create_id_mapping(
local_entity2)
local_entity3['public_id'] = self.id_mapping_api.create_id_mapping(
local_entity3)
local_entity4['public_id'] = self.id_mapping_api.create_id_mapping(
local_entity4)
local_entity5['public_id'] = self.id_mapping_api.create_id_mapping(
local_entity5)
local_entity1['public_id'] = (
PROVIDERS.id_mapping_api.create_id_mapping(local_entity1)
)
local_entity2['public_id'] = (
PROVIDERS.id_mapping_api.create_id_mapping(local_entity2)
)
local_entity3['public_id'] = (
PROVIDERS.id_mapping_api.create_id_mapping(local_entity3)
)
local_entity4['public_id'] = (
PROVIDERS.id_mapping_api.create_id_mapping(local_entity4)
)
local_entity5['public_id'] = (
PROVIDERS.id_mapping_api.create_id_mapping(local_entity5)
)
# NOTE(notmorgan): Always call to_dict in an active session context to
# ensure that lazy-loaded relationships succeed. Edge cases could cause
# issues especially in attribute mappers.
with sql.session_for_read():
# list mappings for domainA
domain_a_mappings = self.id_mapping_api.get_domain_mapping_list(
self.domainA['id'])
domain_a_mappings = (
PROVIDERS.id_mapping_api.get_domain_mapping_list(
self.domainA['id']
)
)
domain_a_mappings = [m.to_dict() for m in domain_a_mappings]
self.assertItemsEqual([local_entity1, local_entity2],
domain_a_mappings)

File diff suppressed because it is too large Load Diff

View File

@ -18,12 +18,14 @@ import mock
from six.moves import zip
from keystone.catalog.backends import base as catalog_base
from keystone.common import provider_api
from keystone.tests import unit
from keystone.tests.unit.catalog import test_backends as catalog_tests
from keystone.tests.unit import default_fixtures
from keystone.tests.unit.ksfixtures import database
PROVIDERS = provider_api.ProviderAPIs
BROKEN_WRITE_FUNCTIONALITY_MSG = ("Templated backend doesn't correctly "
"implement write operations")
@ -63,7 +65,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
template_file=unit.dirs.tests('default_catalog.templates'))
def test_get_catalog(self):
catalog_ref = self.catalog_api.get_catalog('foo', 'bar')
catalog_ref = PROVIDERS.catalog_api.get_catalog('foo', 'bar')
self.assertDictEqual(self.DEFAULT_FIXTURE, catalog_ref)
# NOTE(lbragstad): This test is skipped because the catalog is being
@ -71,14 +73,14 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
@unit.skip_if_cache_is_enabled('catalog')
def test_catalog_ignored_malformed_urls(self):
# both endpoints are in the catalog
catalog_ref = self.catalog_api.get_catalog('foo', 'bar')
catalog_ref = PROVIDERS.catalog_api.get_catalog('foo', 'bar')
self.assertEqual(2, len(catalog_ref['RegionOne']))
region = self.catalog_api.driver.templates['RegionOne']
region = PROVIDERS.catalog_api.driver.templates['RegionOne']
region['compute']['adminURL'] = 'http://localhost:8774/v1.1/$(tenant)s'
# the malformed one has been removed
catalog_ref = self.catalog_api.get_catalog('foo', 'bar')
catalog_ref = PROVIDERS.catalog_api.get_catalog('foo', 'bar')
self.assertEqual(1, len(catalog_ref['RegionOne']))
def test_get_v3_catalog_endpoint_disabled(self):
@ -97,7 +99,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
def test_get_v3_catalog(self):
user_id = uuid.uuid4().hex
project_id = uuid.uuid4().hex
catalog_ref = self.catalog_api.get_v3_catalog(user_id, project_id)
catalog_ref = PROVIDERS.catalog_api.get_v3_catalog(user_id, project_id)
exp_catalog = [
{'endpoints': [
{'interface': 'admin',
@ -132,7 +134,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
project_id = None
# If the URL has no 'project_id' to substitute, we will skip the
# endpoint which contains this kind of URL.
catalog_ref = self.catalog_api.get_v3_catalog(user_id, project_id)
catalog_ref = PROVIDERS.catalog_api.get_v3_catalog(user_id, project_id)
exp_catalog = [
{'endpoints': [],
'type': 'compute',
@ -161,7 +163,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
def test_list_services_with_hints(self):
hints = {}
services = self.catalog_api.list_services(hints=hints)
services = PROVIDERS.catalog_api.list_services(hints=hints)
exp_services = [
{'type': 'compute',
'description': '',
@ -252,7 +254,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
expected_urls = set(['http://localhost:$(public_port)s/v3',
'http://localhost:$(admin_port)s/v3',
'http://localhost:8774/v1.1/$(tenant_id)s'])
endpoints = self.catalog_api.list_endpoints()
endpoints = PROVIDERS.catalog_api.list_endpoints()
self.assertEqual(expected_urls, set(e['url'] for e in endpoints))
@unit.skip_if_cache_disabled('catalog')
@ -262,17 +264,17 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
def test_delete_endpoint_group_association_by_project(self):
# Deleting endpoint group association is not supported by the templated
# driver, but it should be silent about it and not raise an error.
self.catalog_api.delete_endpoint_group_association_by_project(
PROVIDERS.catalog_api.delete_endpoint_group_association_by_project(
uuid.uuid4().hex)
def test_delete_association_by_endpoint(self):
# Deleting endpoint association is not supported by the templated
# driver, but it should be silent about it and not raise an error.
self.catalog_api.delete_association_by_endpoint(
PROVIDERS.catalog_api.delete_association_by_endpoint(
uuid.uuid4().hex)
def test_delete_association_by_project(self):
# Deleting endpoint association is not supported by the templated
# driver, but it should be silent about it and not raise an error.
self.catalog_api.delete_association_by_project(
PROVIDERS.catalog_api.delete_association_by_project(
uuid.uuid4().hex)

View File

@ -15,11 +15,14 @@
from keystoneclient.contrib.ec2 import utils as ec2_utils
from six.moves import http_client
from keystone.common import provider_api
from keystone.contrib.ec2 import controllers
from keystone.tests import unit
from keystone.tests.unit import rest
from keystone.tests.unit import test_v3
PROVIDERS = provider_api.ProviderAPIs
class EC2ContribCoreV2(rest.RestfulTestCase):
def config_overrides(self):
@ -55,7 +58,7 @@ class EC2ContribCoreV2(rest.RestfulTestCase):
cred_blob, credential = unit.new_ec2_credential(
self.user_foo['id'], self.tenant_bar['id'])
self.credential_api.create_credential(
PROVIDERS.credential_api.create_credential(
credential['id'], credential)
signer = ec2_utils.Ec2Signer(cred_blob['secret'])
@ -103,7 +106,7 @@ class EC2ContribCoreV2(rest.RestfulTestCase):
cred_blob, credential = unit.new_ec2_credential(
self.user_foo['id'], self.tenant_bar['id'])
self.credential_api.create_credential(
PROVIDERS.credential_api.create_credential(
credential['id'], credential)
signer = ec2_utils.Ec2Signer('totally not the secret')
@ -133,7 +136,7 @@ class EC2ContribCoreV3(test_v3.RestfulTestCase):
self.cred_blob, self.credential = unit.new_ec2_credential(
self.user['id'], self.project_id)
self.credential_api.create_credential(
PROVIDERS.credential_api.create_credential(
self.credential['id'], self.credential)
self.controller = controllers.Ec2ControllerV3

View File

@ -19,11 +19,14 @@ import uuid
from six.moves import http_client
from keystone.common import provider_api
from keystone.contrib import s3
from keystone import exception
from keystone.tests import unit
from keystone.tests.unit import test_v3
PROVIDERS = provider_api.ProviderAPIs
class S3ContribCore(test_v3.RestfulTestCase):
def setUp(self):
@ -33,7 +36,7 @@ class S3ContribCore(test_v3.RestfulTestCase):
self.cred_blob, self.credential = unit.new_ec2_credential(
self.user['id'], self.project_id)
self.credential_api.create_credential(
PROVIDERS.credential_api.create_credential(
self.credential['id'], self.credential)
self.controller = s3.S3Controller()

View File

@ -18,6 +18,7 @@ from keystoneclient.contrib.ec2 import utils as ec2_utils
from six.moves import http_client
from keystone.common import context
from keystone.common import provider_api
from keystone.common import request
from keystone.common import utils
from keystone.contrib.ec2 import controllers
@ -30,6 +31,7 @@ from keystone.tests.unit.ksfixtures import database
from keystone.tests.unit import test_v3 as rest
CRED_TYPE_EC2 = controllers.CRED_TYPE_EC2
PROVIDERS = provider_api.ProviderAPIs
class V2CredentialEc2TestCase(rest.RestfulTestCase):
@ -52,7 +54,7 @@ class V2CredentialEc2TestCase(rest.RestfulTestCase):
user_id=self.user_id,
project_id=self.project_id)
non_ec2_cred['id'] = cred_id
self.credential_api.create_credential(cred_id, non_ec2_cred)
PROVIDERS.credential_api.create_credential(cred_id, non_ec2_cred)
# if access_key is not found, ec2 controller raises Unauthorized
# exception
@ -87,8 +89,9 @@ class V2CredentialEc2TestCase(rest.RestfulTestCase):
user_id=self.user_id,
project_id=self.project_id)
non_ec2_cred['type'] = uuid.uuid4().hex
self.credential_api.create_credential(non_ec2_cred['id'],
non_ec2_cred)
PROVIDERS.credential_api.create_credential(
non_ec2_cred['id'], non_ec2_cred
)
r = self.public_request(method='GET', token=self.get_scoped_token(),
path=uri)
cred_list_2 = r.result['credentials']

View File

@ -14,6 +14,7 @@
import ldappool
from keystone.common import provider_api
import keystone.conf
from keystone.identity.backends import ldap
from keystone.identity.backends.ldap import common as ldap_common
@ -24,6 +25,7 @@ from keystone.tests.unit import test_ldap_livetest
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
@ -97,22 +99,22 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
self.test_password_change_with_pool()
self.assertRaises(AssertionError,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
context={},
user_id=self.user_sna['id'],
password=old_password)
def _create_user_and_authenticate(self, password):
user = unit.create_user(self.identity_api,
user = unit.create_user(PROVIDERS.identity_api,
CONF.identity.default_domain_id,
password=password)
self.identity_api.authenticate(
PROVIDERS.identity_api.authenticate(
self.make_request(),
user_id=user['id'],
password=password)
return self.identity_api.get_user(user['id'])
return PROVIDERS.identity_api.get_user(user['id'])
def _get_auth_conn_pool_cm(self):
pool_url = (
@ -160,7 +162,7 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
_.unbind_s()
user3['password'] = new_password
self.identity_api.update_user(user3['id'], user3)
PROVIDERS.identity_api.update_user(user3['id'], user3)
return user3
@ -177,7 +179,7 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
# successfully which is not desired if password change is frequent
# use case in a deployment.
# This can happen in multiple concurrent connections case only.
user_ref = self.identity_api.authenticate(
user_ref = PROVIDERS.identity_api.authenticate(
self.make_request(), user_id=user['id'], password=old_password)
self.assertDictEqual(user, user_ref)
@ -193,6 +195,6 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
# now as connection lifetime is zero, so authentication
# with old password will always fail.
self.assertRaises(AssertionError,
self.identity_api.authenticate,
PROVIDERS.identity_api.authenticate,
context={}, user_id=user['id'],
password=old_password)

View File

@ -21,6 +21,7 @@ from six.moves import http_client
import webtest
from keystone.common import authorization
from keystone.common import provider_api
from keystone.common import tokenless_auth
from keystone.common import wsgi
import keystone.conf
@ -33,6 +34,7 @@ from keystone.tests.unit import test_backend_sql
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class MiddlewareRequestTestBase(unit.TestCase):
@ -190,44 +192,45 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
self.domain = unit.new_domain_ref()
self.domain_id = self.domain['id']
self.domain_name = self.domain['name']
self.resource_api.create_domain(self.domain_id, self.domain)
PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)
# 2) Create a project for the user.
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.project_name = self.project['name']
self.resource_api.create_project(self.project_id, self.project)
PROVIDERS.resource_api.create_project(self.project_id, self.project)
# 3) Create a user in new domain.
self.user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
self.user = self.identity_api.create_user(self.user)
self.user = PROVIDERS.identity_api.create_user(self.user)
# Add IDP
self.idp = self._idp_ref(id=self.idp_id)
self.federation_api.create_idp(self.idp['id'],
self.idp)
PROVIDERS.federation_api.create_idp(
self.idp['id'], self.idp
)
# Add a role
self.role = unit.new_role_ref()
self.role_id = self.role['id']
self.role_name = self.role['name']
self.role_api.create_role(self.role_id, self.role)
PROVIDERS.role_api.create_role(self.role_id, self.role)
# Add a group
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group = PROVIDERS.identity_api.create_group(self.group)
# Assign a role to the user on a project
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id=self.user['id'],
tenant_id=self.project_id,
role_id=self.role_id)
# Assign a role to the group on a project
self.assignment_api.create_grant(
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id,
group_id=self.group['id'],
project_id=self.project_id)
@ -235,14 +238,15 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
def _load_mapping_rules(self, rules):
# Add a mapping
self.mapping = self._mapping_ref(rules=rules)
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
# Add protocols
self.proto_x509 = self._proto_ref(mapping_id=self.mapping['id'])
self.proto_x509['id'] = self.protocol_id
self.federation_api.create_protocol(self.idp['id'],
self.proto_x509['id'],
self.proto_x509)
PROVIDERS.federation_api.create_protocol(
self.idp['id'], self.proto_x509['id'], self.proto_x509
)
def _idp_ref(self, id=None):
idp = {
@ -543,7 +547,7 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
env['SSL_CLIENT_DOMAIN_ID'] = self.domain_id
self.domain['enabled'] = False
self.domain = self.resource_api.update_domain(
self.domain = PROVIDERS.resource_api.update_domain(
self.domain['id'], self.domain)
self._load_mapping_rules(
@ -561,7 +565,9 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
env['SSL_CLIENT_DOMAIN_ID'] = self.domain_id
self.user['enabled'] = False
self.user = self.identity_api.update_user(self.user['id'], self.user)
self.user = PROVIDERS.identity_api.update_user(
self.user['id'], self.user
)
self._load_mapping_rules(
mapping_fixtures.MAPPING_WITH_USERNAME_AND_DOMAINID)

View File

@ -16,6 +16,7 @@ import datetime
from oslo_utils import timeutils
from keystone.common import provider_api
from keystone.common import utils
import keystone.conf
from keystone import exception
@ -26,6 +27,7 @@ from keystone import token
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
FUTURE_DELTA = datetime.timedelta(seconds=CONF.token.expiration)
CURRENT_DATE = timeutils.utcnow()
@ -452,13 +454,13 @@ class TestTokenProvider(unit.TestCase):
def test_get_token_version(self):
self.assertEqual(
token.provider.V3,
self.token_provider_api.get_token_version(SAMPLE_V3_TOKEN))
PROVIDERS.token_provider_api.get_token_version(SAMPLE_V3_TOKEN))
self.assertEqual(
token.provider.V3,
self.token_provider_api.get_token_version(
PROVIDERS.token_provider_api.get_token_version(
SAMPLE_V3_TOKEN_WITH_EMBEDED_VERSION))
self.assertRaises(exception.UnsupportedTokenVersionException,
self.token_provider_api.get_token_version,
PROVIDERS.token_provider_api.get_token_version,
'bogus')
def test_unsupported_token_provider(self):
@ -469,16 +471,16 @@ class TestTokenProvider(unit.TestCase):
def test_provider_token_expiration_validation(self):
self.assertRaises(exception.TokenNotFound,
self.token_provider_api._is_valid_token,
PROVIDERS.token_provider_api._is_valid_token,
SAMPLE_V3_TOKEN_EXPIRED)
self.assertRaises(exception.TokenNotFound,
self.token_provider_api._is_valid_token,
PROVIDERS.token_provider_api._is_valid_token,
SAMPLE_MALFORMED_TOKEN)
self.assertIsNone(
self.token_provider_api._is_valid_token(create_v3_token()))
PROVIDERS.token_provider_api._is_valid_token(create_v3_token()))
def test_validate_v3_token_with_no_token_raises_token_not_found(self):
self.assertRaises(
exception.TokenNotFound,
self.token_provider_api.validate_token,
PROVIDERS.token_provider_api.validate_token,
None)

View File

@ -24,6 +24,7 @@ import webtest
from keystone import auth
from keystone.common import authorization
from keystone.common import cache
from keystone.common import provider_api
from keystone.common.validation import validators
from keystone import exception
from keystone import middleware
@ -32,6 +33,7 @@ from keystone.tests import unit
from keystone.tests.unit import rest
PROVIDERS = provider_api.ProviderAPIs
DEFAULT_DOMAIN_ID = 'default'
TIME_FORMAT = unit.TIME_FORMAT
@ -215,26 +217,27 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
def _populate_default_domain(self):
try:
self.resource_api.get_domain(DEFAULT_DOMAIN_ID)
PROVIDERS.resource_api.get_domain(DEFAULT_DOMAIN_ID)
except exception.DomainNotFound:
domain = unit.new_domain_ref(
description=(u'The default domain'),
id=DEFAULT_DOMAIN_ID,
name=u'Default')
self.resource_api.create_domain(DEFAULT_DOMAIN_ID, domain)
PROVIDERS.resource_api.create_domain(DEFAULT_DOMAIN_ID, domain)
def load_sample_data(self, create_region_and_endpoints=True):
self._populate_default_domain()
self.domain = unit.new_domain_ref()
self.domain_id = self.domain['id']
self.resource_api.create_domain(self.domain_id, self.domain)
PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.project = self.resource_api.create_project(self.project_id,
self.project)
self.project = PROVIDERS.resource_api.create_project(
self.project_id, self.project
)
self.user = unit.create_user(self.identity_api,
self.user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
self.user_id = self.user['id']
@ -242,32 +245,33 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
self.default_domain_project = unit.new_project_ref(
domain_id=DEFAULT_DOMAIN_ID)
self.default_domain_project['id'] = self.default_domain_project_id
self.resource_api.create_project(self.default_domain_project_id,
self.default_domain_project)
PROVIDERS.resource_api.create_project(
self.default_domain_project_id, self.default_domain_project
)
self.default_domain_user = unit.create_user(
self.identity_api,
PROVIDERS.identity_api,
domain_id=DEFAULT_DOMAIN_ID)
self.default_domain_user_id = self.default_domain_user['id']
# create & grant policy.json's default role for admin_required
self.role = unit.new_role_ref(name='admin')
self.role_id = self.role['id']
self.role_api.create_role(self.role_id, self.role)
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.role_api.create_role(self.role_id, self.role)
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, self.role_id)
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.default_domain_user_id, self.default_domain_project_id,
self.role_id)
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.default_domain_user_id, self.project_id,
self.role_id)
# Create "req_admin" user for simulating a real user instead of the
# admin_token_auth middleware
self.user_reqadmin = unit.create_user(self.identity_api,
self.user_reqadmin = unit.create_user(PROVIDERS.identity_api,
DEFAULT_DOMAIN_ID)
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.user_reqadmin['id'],
self.default_domain_project_id,
self.role_id)
@ -275,19 +279,21 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
if create_region_and_endpoints:
self.region = unit.new_region_ref()
self.region_id = self.region['id']
self.catalog_api.create_region(self.region)
PROVIDERS.catalog_api.create_region(self.region)
self.service = unit.new_service_ref()
self.service_id = self.service['id']
self.catalog_api.create_service(self.service_id,
self.service.copy())
PROVIDERS.catalog_api.create_service(
self.service_id, self.service.copy()
)
self.endpoint = unit.new_endpoint_ref(service_id=self.service_id,
interface='public',
region_id=self.region_id)
self.endpoint_id = self.endpoint['id']
self.catalog_api.create_endpoint(self.endpoint_id,
self.endpoint.copy())
PROVIDERS.catalog_api.create_endpoint(
self.endpoint_id, self.endpoint.copy()
)
# The server adds 'enabled' and defaults to True.
self.endpoint['enabled'] = True
@ -1484,7 +1490,7 @@ class AssignmentTestMixin(object):
entity = {'links': {}}
attributes_for_links = {}
if project_ref:
dmn_name = self.resource_api.get_domain(
dmn_name = PROVIDERS.resource_api.get_domain(
project_ref['domain_id'])['name']
entity['scope'] = {'project': {
@ -1499,7 +1505,7 @@ class AssignmentTestMixin(object):
'name': domain_ref['name']}}
attributes_for_links['domain_id'] = domain_ref['id']
if user_ref:
dmn_name = self.resource_api.get_domain(
dmn_name = PROVIDERS.resource_api.get_domain(
user_ref['domain_id'])['name']
entity['user'] = {'id': user_ref['id'],
'name': user_ref['name'],
@ -1507,7 +1513,7 @@ class AssignmentTestMixin(object):
'name': dmn_name}}
attributes_for_links['user_id'] = user_ref['id']
else:
dmn_name = self.resource_api.get_domain(
dmn_name = PROVIDERS.resource_api.get_domain(
group_ref['domain_id'])['name']
entity['group'] = {'id': group_ref['id'],
'name': group_ref['name'],
@ -1520,7 +1526,7 @@ class AssignmentTestMixin(object):
entity['role'] = {'id': role_ref['id'],
'name': role_ref['name']}
if role_ref['domain_id']:
dmn_name = self.resource_api.get_domain(
dmn_name = PROVIDERS.resource_api.get_domain(
role_ref['domain_id'])['name']
entity['role']['domain'] = {'id': role_ref['domain_id'],
'name': dmn_name}

View File

@ -19,6 +19,7 @@ from six.moves import http_client
from six.moves import range
from testtools import matchers
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone.tests import unit
@ -26,6 +27,7 @@ from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class SystemRoleAssignmentMixin(object):
@ -68,7 +70,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
super(AssignmentTestCase, self).setUp()
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group = PROVIDERS.identity_api.create_group(self.group)
self.group_id = self.group['id']
# Role CRUD tests
@ -132,7 +134,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
def test_crud_user_project_role_grants(self):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
collection_url = (
'/projects/%(project_id)s/users/%(user_id)s/roles' % {
@ -338,7 +340,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
"""Create a new user and assign user a role on a project."""
# Create a new user
new_user = unit.new_user_ref(domain_id=self.domain_id)
user_ref = self.identity_api.create_user(new_user)
user_ref = PROVIDERS.identity_api.create_user(new_user)
# Assign the user a role on the project
collection_url = (
'/projects/%(project_id)s/users/%(user_id)s/roles' % {
@ -357,7 +359,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
"""Call ``DELETE`` on the user before the role assignment."""
member_url, user = self._create_new_user_and_assign_role_on_project()
# Delete the user from identity backend
self.identity_api.driver.delete_user(user['id'])
PROVIDERS.identity_api.driver.delete_user(user['id'])
# Clean up the role assignment
self.delete(member_url)
# Make sure the role is gone
@ -367,7 +369,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
"""Call ``DELETE`` on the user and check the role assignment."""
member_url, user = self._create_new_user_and_assign_role_on_project()
# Delete the user from identity backend
self.identity_api.delete_user(user['id'])
PROVIDERS.identity_api.delete_user(user['id'])
# We should get a 404 Not Found when looking for the user in the
# identity backend because we're not performing a delete operation on
# the role.
@ -384,13 +386,15 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime:
# creates grant from group on project.
self.assignment_api.create_grant(role_id=self.role['id'],
project_id=self.project['id'],
group_id=self.group['id'])
PROVIDERS.assignment_api.create_grant(
role_id=self.role['id'], project_id=self.project['id'],
group_id=self.group['id']
)
# adds user to the group.
self.identity_api.add_user_to_group(user_id=self.user['id'],
group_id=self.group['id'])
PROVIDERS.identity_api.add_user_to_group(
user_id=self.user['id'], group_id=self.group['id']
)
# creates a token for the user
auth_body = self.build_authentication_request(
@ -407,13 +411,14 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
# revokes the grant from group on project.
self.assignment_api.delete_grant(role_id=self.role['id'],
project_id=self.project['id'],
group_id=self.group['id'])
PROVIDERS.assignment_api.delete_grant(
role_id=self.role['id'], project_id=self.project['id'],
group_id=self.group['id'])
# revokes the direct role form user on project
self.assignment_api.delete_grant(role_id=self.role['id'],
project_id=self.project['id'],
user_id=self.user['id'])
PROVIDERS.assignment_api.delete_grant(
role_id=self.role['id'], project_id=self.project['id'],
user_id=self.user['id']
)
frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
# validates the same token again; it should not longer be valid.
@ -424,7 +429,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
def test_delete_grant_from_user_and_project_invalidate_cache(self):
# create a new project
new_project = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(new_project['id'], new_project)
PROVIDERS.resource_api.create_project(new_project['id'], new_project)
collection_url = (
'/projects/%(project_id)s/users/%(user_id)s/roles' % {
@ -455,7 +460,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
def test_delete_grant_from_user_and_domain_invalidates_cache(self):
# create a new domain
new_domain = unit.new_domain_ref()
self.resource_api.create_domain(new_domain['id'], new_domain)
PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
collection_url = (
'/domains/%(domain_id)s/users/%(user_id)s/roles' % {
@ -486,7 +491,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
def test_delete_grant_from_group_and_project_invalidates_cache(self):
# create a new project
new_project = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(new_project['id'], new_project)
PROVIDERS.resource_api.create_project(new_project['id'], new_project)
collection_url = (
'/projects/%(project_id)s/groups/%(group_id)s/roles' % {
@ -517,7 +522,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
def test_delete_grant_from_group_and_domain_invalidates_cache(self):
# create a new domain
new_domain = unit.new_domain_ref()
self.resource_api.create_domain(new_domain['id'], new_domain)
PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
collection_url = (
'/domains/%(domain_id)s/groups/%(group_id)s/roles' % {
@ -578,10 +583,10 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
# user it creates, we also need a new user that will not have any
# existing assignments
user1 = unit.new_user_ref(domain_id=self.domain['id'])
user1 = self.identity_api.create_user(user1)
user1 = PROVIDERS.identity_api.create_user(user1)
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
collection_url = '/role_assignments'
r = self.get(collection_url)
@ -675,13 +680,13 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
for each of the group members.
"""
user1 = unit.create_user(self.identity_api,
user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
user2 = unit.create_user(self.identity_api,
user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
self.identity_api.add_user_to_group(user1['id'], self.group['id'])
self.identity_api.add_user_to_group(user2['id'], self.group['id'])
PROVIDERS.identity_api.add_user_to_group(user1['id'], self.group['id'])
PROVIDERS.identity_api.add_user_to_group(user2['id'], self.group['id'])
collection_url = '/role_assignments'
r = self.get(collection_url)
@ -744,13 +749,13 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
know if we are getting effective roles or not
"""
user1 = unit.create_user(self.identity_api,
user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
user2 = unit.create_user(self.identity_api,
user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
self.identity_api.add_user_to_group(user1['id'], self.group['id'])
self.identity_api.add_user_to_group(user2['id'], self.group['id'])
PROVIDERS.identity_api.add_user_to_group(user1['id'], self.group['id'])
PROVIDERS.identity_api.add_user_to_group(user2['id'], self.group['id'])
collection_url = '/role_assignments'
r = self.get(collection_url, expected_status=http_client.OK)
@ -832,21 +837,21 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
# Since the default fixtures already assign some roles to the
# user it creates, we also need a new user that will not have any
# existing assignments
user1 = unit.create_user(self.identity_api,
user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
user2 = unit.create_user(self.identity_api,
user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
group1 = unit.new_group_ref(domain_id=self.domain['id'])
group1 = self.identity_api.create_group(group1)
self.identity_api.add_user_to_group(user1['id'], group1['id'])
self.identity_api.add_user_to_group(user2['id'], group1['id'])
group1 = PROVIDERS.identity_api.create_group(group1)
PROVIDERS.identity_api.add_user_to_group(user1['id'], group1['id'])
PROVIDERS.identity_api.add_user_to_group(user2['id'], group1['id'])
project1 = unit.new_project_ref(domain_id=self.domain['id'])
self.resource_api.create_project(project1['id'], project1)
PROVIDERS.resource_api.create_project(project1['id'], project1)
self.role1 = unit.new_role_ref()
self.role_api.create_role(self.role1['id'], self.role1)
PROVIDERS.role_api.create_role(self.role1['id'], self.role1)
self.role2 = unit.new_role_ref()
self.role_api.create_role(self.role2['id'], self.role2)
PROVIDERS.role_api.create_role(self.role2['id'], self.role2)
# Now add one of each of the four types of assignment
@ -1121,8 +1126,9 @@ class RoleAssignmentBaseTestCase(test_v3.RestfulTestCase,
for i in range(breadth):
subprojects.append(unit.new_project_ref(
domain_id=self.domain_id, parent_id=parent_id))
self.resource_api.create_project(subprojects[-1]['id'],
subprojects[-1])
PROVIDERS.resource_api.create_project(
subprojects[-1]['id'], subprojects[-1]
)
new_parent = subprojects[random.randint(0, breadth - 1)]
create_project_hierarchy(new_parent['id'], depth - 1)
@ -1132,12 +1138,12 @@ class RoleAssignmentBaseTestCase(test_v3.RestfulTestCase,
# Create a domain
self.domain = unit.new_domain_ref()
self.domain_id = self.domain['id']
self.resource_api.create_domain(self.domain_id, self.domain)
PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)
# Create a project hierarchy
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.resource_api.create_project(self.project_id, self.project)
PROVIDERS.resource_api.create_project(self.project_id, self.project)
# Create a random project hierarchy
create_project_hierarchy(self.project_id,
@ -1147,30 +1153,33 @@ class RoleAssignmentBaseTestCase(test_v3.RestfulTestCase,
self.user_ids = []
for i in range(3):
user = unit.new_user_ref(domain_id=self.domain_id)
user = self.identity_api.create_user(user)
user = PROVIDERS.identity_api.create_user(user)
self.user_ids.append(user['id'])
# Create 3 groups
self.group_ids = []
for i in range(3):
group = unit.new_group_ref(domain_id=self.domain_id)
group = self.identity_api.create_group(group)
group = PROVIDERS.identity_api.create_group(group)
self.group_ids.append(group['id'])
# Put 2 members on each group
self.identity_api.add_user_to_group(user_id=self.user_ids[i],
group_id=group['id'])
self.identity_api.add_user_to_group(user_id=self.user_ids[i % 2],
group_id=group['id'])
PROVIDERS.identity_api.add_user_to_group(
user_id=self.user_ids[i], group_id=group['id']
)
PROVIDERS.identity_api.add_user_to_group(
user_id=self.user_ids[i % 2], group_id=group['id']
)
self.assignment_api.create_grant(user_id=self.user_id,
project_id=self.project_id,
role_id=self.role_id)
PROVIDERS.assignment_api.create_grant(
user_id=self.user_id, project_id=self.project_id,
role_id=self.role_id
)
# Create a role
self.role = unit.new_role_ref()
self.role_id = self.role['id']
self.role_api.create_role(self.role_id, self.role)
PROVIDERS.role_api.create_role(self.role_id, self.role)
# Set default user and group to be used on tests
self.default_user_id = self.user_ids[0]
@ -1267,7 +1276,7 @@ class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase):
test_assignment = self._set_default_assignment_attributes(**filters)
# Create new role assignment for this test
self.assignment_api.create_grant(**test_assignment)
PROVIDERS.assignment_api.create_grant(**test_assignment)
# Get expected role assignments
expected_assignments = self._list_expected_role_assignments(
@ -1285,7 +1294,7 @@ class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase):
self.assertRoleAssignmentInListResponse(response, assignment)
# Delete created role assignment
self.assignment_api.delete_grant(**test_assignment)
PROVIDERS.assignment_api.delete_grant(**test_assignment)
def _set_default_assignment_attributes(self, **attribs):
"""Insert default values for missing attributes of role assignment.
@ -1449,7 +1458,7 @@ class RoleAssignmentEffectiveTestCase(RoleAssignmentInheritedTestCase):
user_ids = [None]
if filters.get('group_id'):
user_ids = [user['id'] for user in
self.identity_api.list_users_in_group(
PROVIDERS.identity_api.list_users_in_group(
filters['group_id'])]
else:
user_ids = [self.default_user_id]
@ -1458,11 +1467,11 @@ class RoleAssignmentEffectiveTestCase(RoleAssignmentInheritedTestCase):
project_ids = [None]
if filters.get('domain_id'):
project_ids = [project['id'] for project in
self.resource_api.list_projects_in_domain(
PROVIDERS.resource_api.list_projects_in_domain(
filters.pop('domain_id'))]
else:
project_ids = [project['id'] for project in
self.resource_api.list_projects_in_subtree(
PROVIDERS.resource_api.list_projects_in_subtree(
self.project_id)]
# Compute expected role assignments
@ -1483,7 +1492,9 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
def test_get_token_from_inherited_user_domain_role_grants(self):
# Create a new user to ensure that no grant is loaded from sample data
user = unit.create_user(self.identity_api, domain_id=self.domain_id)
user = unit.create_user(
PROVIDERS.identity_api, domain_id=self.domain_id
)
# Define domain and project authentication data
domain_auth_data = self.build_authentication_request(
@ -1513,7 +1524,7 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
# Create inherited role
inherited_role = unit.new_role_ref(name='inherited')
self.role_api.create_role(inherited_role['id'], inherited_role)
PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role)
# Grant inherited role for user on domain
inher_ud_link = self.build_role_assignment_link(
@ -1543,11 +1554,13 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
def test_get_token_from_inherited_group_domain_role_grants(self):
# Create a new group and put a new user in it to
# ensure that no grant is loaded from sample data
user = unit.create_user(self.identity_api, domain_id=self.domain_id)
user = unit.create_user(
PROVIDERS.identity_api, domain_id=self.domain_id
)
group = unit.new_group_ref(domain_id=self.domain['id'])
group = self.identity_api.create_group(group)
self.identity_api.add_user_to_group(user['id'], group['id'])
group = PROVIDERS.identity_api.create_group(group)
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
# Define domain and project authentication data
domain_auth_data = self.build_authentication_request(
@ -1577,7 +1590,7 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
# Create inherited role
inherited_role = unit.new_role_ref(name='inherited')
self.role_api.create_role(inherited_role['id'], inherited_role)
PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role)
# Grant inherited role for user on domain
inher_gd_link = self.build_role_assignment_link(
@ -1609,7 +1622,7 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
with freezegun.freeze_time(time) as frozen_datetime:
# Create a new role to avoid assignments loaded from sample data
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
# Define URLs
direct_url = '%s/users/%s/roles/%s' % (
@ -1655,11 +1668,11 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
role_list = []
for _ in range(2):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
role_list.append(role)
# Create a non-inherited role as a spoiler
self.assignment_api.create_grant(
PROVIDERS.assignment_api.create_grant(
role_list[1]['id'], user_id=self.user['id'],
domain_id=self.domain_id)
@ -1705,23 +1718,25 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
role_list = []
for _ in range(4):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
role_list.append(role)
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user1 = unit.create_user(self.identity_api, domain_id=domain['id'])
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user1 = unit.create_user(
PROVIDERS.identity_api, domain_id=domain['id']
)
project1 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project1['id'], project1)
PROVIDERS.resource_api.create_project(project1['id'], project1)
project2 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project2['id'], project2)
PROVIDERS.resource_api.create_project(project2['id'], project2)
# Add some roles to the project
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project1['id'], role_list[0]['id'])
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project1['id'], role_list[1]['id'])
# ..and one on a different project as a spoiler
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project2['id'], role_list[2]['id'])
# Now create our inherited role on the domain
@ -1790,12 +1805,14 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
"""
role1 = unit.new_role_ref()
self.role_api.create_role(role1['id'], role1)
user1 = unit.create_user(self.identity_api, domain_id=self.domain_id)
PROVIDERS.role_api.create_role(role1['id'], role1)
user1 = unit.create_user(
PROVIDERS.identity_api, domain_id=self.domain_id
)
group = unit.new_group_ref(domain_id=self.domain_id)
group = self.identity_api.create_group(group)
group = PROVIDERS.identity_api.create_group(group)
project1 = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project1['id'], project1)
PROVIDERS.resource_api.create_project(project1['id'], project1)
expected_entity1 = self.build_role_assignment_entity_include_names(
role_ref=role1,
@ -1874,13 +1891,13 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
def test_list_role_assignments_include_names_global_role(self):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
self._test_list_role_assignments_include_names(role)
def test_list_role_assignments_include_names_domain_role(self):
role = unit.new_role_ref(domain_id=self.domain['id'])
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
self._test_list_role_assignments_include_names(role)
@ -1898,10 +1915,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
"""
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
# Create and store expected assignment refs
assignment = self.build_role_assignment_entity(
@ -1951,23 +1968,25 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
role_list = []
for _ in range(4):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
role_list.append(role)
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user1 = unit.create_user(self.identity_api, domain_id=domain['id'])
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user1 = unit.create_user(
PROVIDERS.identity_api, domain_id=domain['id']
)
project1 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project1['id'], project1)
PROVIDERS.resource_api.create_project(project1['id'], project1)
project2 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project2['id'], project2)
PROVIDERS.resource_api.create_project(project2['id'], project2)
# Add some roles to the project
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project1['id'], role_list[0]['id'])
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project1['id'], role_list[1]['id'])
# ..and one on a different project as a spoiler
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project2['id'], role_list[2]['id'])
# Now create our inherited role on the domain
@ -2028,30 +2047,36 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
role_list = []
for _ in range(4):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
role_list.append(role)
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user1 = unit.create_user(self.identity_api, domain_id=domain['id'])
user2 = unit.create_user(self.identity_api, domain_id=domain['id'])
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user1 = unit.create_user(
PROVIDERS.identity_api, domain_id=domain['id']
)
user2 = unit.create_user(
PROVIDERS.identity_api, domain_id=domain['id']
)
group1 = unit.new_group_ref(domain_id=domain['id'])
group1 = self.identity_api.create_group(group1)
self.identity_api.add_user_to_group(user1['id'],
group1['id'])
self.identity_api.add_user_to_group(user2['id'],
group1['id'])
group1 = PROVIDERS.identity_api.create_group(group1)
PROVIDERS.identity_api.add_user_to_group(
user1['id'], group1['id']
)
PROVIDERS.identity_api.add_user_to_group(
user2['id'], group1['id']
)
project1 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project1['id'], project1)
PROVIDERS.resource_api.create_project(project1['id'], project1)
project2 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project2['id'], project2)
PROVIDERS.resource_api.create_project(project2['id'], project2)
# Add some roles to the project
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project1['id'], role_list[0]['id'])
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project1['id'], role_list[1]['id'])
# ..and one on a different project as a spoiler
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project2['id'], role_list[2]['id'])
# Now create our inherited role on the domain
@ -2124,25 +2149,27 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
role_list = []
for _ in range(5):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
role_list.append(role)
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user1 = unit.create_user(self.identity_api, domain_id=domain['id'])
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user1 = unit.create_user(
PROVIDERS.identity_api, domain_id=domain['id']
)
group1 = unit.new_group_ref(domain_id=domain['id'])
group1 = self.identity_api.create_group(group1)
group1 = PROVIDERS.identity_api.create_group(group1)
project1 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project1['id'], project1)
PROVIDERS.resource_api.create_project(project1['id'], project1)
project2 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project2['id'], project2)
PROVIDERS.resource_api.create_project(project2['id'], project2)
# Add some spoiler roles to the projects
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project1['id'], role_list[0]['id'])
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user1['id'], project2['id'], role_list[1]['id'])
# Create a non-inherited role as a spoiler
self.assignment_api.create_grant(
PROVIDERS.assignment_api.create_grant(
role_list[2]['id'], user_id=user1['id'], domain_id=domain['id'])
# Now create two inherited roles on the domain, one for a user
@ -2208,14 +2235,16 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
leaf = unit.new_project_ref(domain_id=self.domain['id'],
parent_id=root['id'])
self.resource_api.create_project(root['id'], root)
self.resource_api.create_project(leaf['id'], leaf)
PROVIDERS.resource_api.create_project(root['id'], root)
PROVIDERS.resource_api.create_project(leaf['id'], leaf)
# Create 'non-inherited' and 'inherited' roles
non_inherited_role = unit.new_role_ref(name='non-inherited')
self.role_api.create_role(non_inherited_role['id'], non_inherited_role)
PROVIDERS.role_api.create_role(
non_inherited_role['id'], non_inherited_role
)
inherited_role = unit.new_role_ref(name='inherited')
self.role_api.create_role(inherited_role['id'], inherited_role)
PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role)
return (root['id'], leaf['id'],
non_inherited_role['id'], inherited_role['id'])
@ -2285,8 +2314,8 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
# Create group and add user to it
group = unit.new_group_ref(domain_id=self.domain['id'])
group = self.identity_api.create_group(group)
self.identity_api.add_user_to_group(self.user['id'], group['id'])
group = PROVIDERS.identity_api.create_group(group)
PROVIDERS.identity_api.add_user_to_group(self.user['id'], group['id'])
# Define root and leaf projects authentication data
root_project_auth_data = self.build_authentication_request(
@ -2545,9 +2574,9 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
parent_id=level2['id'])
level4 = unit.new_project_ref(domain_id=self.domain['id'],
parent_id=level3['id'])
self.resource_api.create_project(level2['id'], level2)
self.resource_api.create_project(level3['id'], level3)
self.resource_api.create_project(level4['id'], level4)
PROVIDERS.resource_api.create_project(level2['id'], level2)
PROVIDERS.resource_api.create_project(level3['id'], level3)
PROVIDERS.resource_api.create_project(level4['id'], level4)
# Grant non-inherited role to root (as a spoiler) and to
# the level 1 (leaf) project
@ -2768,19 +2797,19 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
self.role_list = []
for _ in range(3):
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
self.role_list.append(role)
def _create_test_domain_user_project(self):
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project)
PROVIDERS.resource_api.create_project(project['id'], project)
return domain, user, project
def _assign_top_role_to_user_on_project(self, user, project):
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user['id'], project['id'], self.role_list[0]['id'])
def _build_effective_role_assignments_url(self, user):
@ -2853,7 +2882,7 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
def _create_named_role(self, name):
role = unit.new_role_ref()
role['name'] = name
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
return role
def test_root_role_as_implied_role_forbidden(self):
@ -2901,7 +2930,9 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
self._assign_top_role_to_user_on_project(self.user, self.project)
# Create a trustee and assign the prior role to her
trustee = unit.create_user(self.identity_api, domain_id=self.domain_id)
trustee = unit.create_user(
PROVIDERS.identity_api, domain_id=self.domain_id
)
ref = unit.new_trust_ref(
trustor_user_id=self.user['id'],
trustee_user_id=trustee['id'],
@ -2932,13 +2963,15 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
self._create_three_roles()
# Overwrite the first role with a domain specific role
role = unit.new_role_ref(domain_id=self.domain_id)
self.role_list[0] = self.role_api.create_role(role['id'], role)
self.role_list[0] = PROVIDERS.role_api.create_role(role['id'], role)
self._create_implied_role(self.role_list[0], self.role_list[1])
self._create_implied_role(self.role_list[1], self.role_list[2])
self._assign_top_role_to_user_on_project(self.user, self.project)
# Create a trustee and assign the prior role to her
trustee = unit.create_user(self.identity_api, domain_id=self.domain_id)
trustee = unit.create_user(
PROVIDERS.identity_api, domain_id=self.domain_id
)
ref = unit.new_trust_ref(
trustor_user_id=self.user['id'],
trustee_user_id=trustee['id'],
@ -2971,14 +3004,16 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
def test_global_role_cannot_imply_domain_specific_role(self):
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
domain_role_ref = unit.new_role_ref(domain_id=domain['id'])
domain_role = self.role_api.create_role(domain_role_ref['id'],
domain_role_ref)
domain_role = PROVIDERS.role_api.create_role(
domain_role_ref['id'], domain_role_ref
)
global_role_ref = unit.new_role_ref()
global_role = self.role_api.create_role(global_role_ref['id'],
global_role_ref)
global_role = PROVIDERS.role_api.create_role(
global_role_ref['id'], global_role_ref
)
self.put('/roles/%s/implies/%s' % (global_role['id'],
domain_role['id']),
@ -2997,9 +3032,9 @@ class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
super(DomainSpecificRoleTests, self).setUp()
self.domainA = unit.new_domain_ref()
self.resource_api.create_domain(self.domainA['id'], self.domainA)
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
self.domainB = unit.new_domain_ref()
self.resource_api.create_domain(self.domainB['id'], self.domainB)
PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
self.global_role1 = create_role()
self.global_role2 = create_role()
@ -3057,52 +3092,54 @@ class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
self.assertRoleInListResponse(r, self.domainA_role2)
def test_same_domain_assignment(self):
user = unit.create_user(self.identity_api,
user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id'])
projectA = unit.new_project_ref(domain_id=self.domainA['id'])
self.resource_api.create_project(projectA['id'], projectA)
PROVIDERS.resource_api.create_project(projectA['id'], projectA)
self.assignment_api.create_grant(self.domainA_role1['id'],
user_id=user['id'],
project_id=projectA['id'])
PROVIDERS.assignment_api.create_grant(
self.domainA_role1['id'], user_id=user['id'],
project_id=projectA['id']
)
def test_cross_domain_assignment_valid(self):
user = unit.create_user(self.identity_api,
user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id'])
projectA = unit.new_project_ref(domain_id=self.domainA['id'])
self.resource_api.create_project(projectA['id'], projectA)
PROVIDERS.resource_api.create_project(projectA['id'], projectA)
# Positive: a role on domainA can be assigned to a user from domainB
# but only for use on a project from domainA
self.assignment_api.create_grant(self.domainA_role1['id'],
user_id=user['id'],
project_id=projectA['id'])
PROVIDERS.assignment_api.create_grant(
self.domainA_role1['id'], user_id=user['id'],
project_id=projectA['id']
)
def test_cross_domain_assignment_invalid(self):
user = unit.create_user(self.identity_api,
user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id'])
projectB = unit.new_project_ref(domain_id=self.domainB['id'])
self.resource_api.create_project(projectB['id'], projectB)
PROVIDERS.resource_api.create_project(projectB['id'], projectB)
# Negative: a role on domainA can be assigned to a user from domainB
# only for a project from domainA
self.assertRaises(exception.DomainSpecificRoleMismatch,
self.assignment_api.create_grant,
PROVIDERS.assignment_api.create_grant,
self.domainA_role1['id'],
user_id=user['id'],
project_id=projectB['id'])
def test_cross_domain_implied_roles_authentication(self):
# Create a user in domainB
user = unit.create_user(self.identity_api,
user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainB['id'])
# Create project in domainA
projectA = unit.new_project_ref(domain_id=self.domainA['id'])
self.resource_api.create_project(projectA['id'], projectA)
PROVIDERS.resource_api.create_project(projectA['id'], projectA)
# Now we create an implied rule from a role in domainA to a
# role in domainB
@ -3112,13 +3149,14 @@ class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
# A role in domainA can be assigned to a user from domainB
# only for a project from domainA
self.assignment_api.create_grant(self.domainA_role1['id'],
user_id=user['id'],
project_id=projectA['id'])
PROVIDERS.assignment_api.create_grant(
self.domainA_role1['id'], user_id=user['id'],
project_id=projectA['id']
)
# The role assignments should return an empty list since domain roles
# can only be used to imply another roles
assignments = self.assignment_api.list_role_assignments(
assignments = PROVIDERS.assignment_api.list_role_assignments(
user_id=user['id'], effective=True)
self.assertEqual([], assignments)
@ -3149,23 +3187,25 @@ class ListUserProjectsTestCase(test_v3.RestfulTestCase):
for _ in range(3):
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
user = unit.create_user(
PROVIDERS.identity_api, domain_id=domain['id']
)
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
self.assignment_api.create_grant(role['id'],
user_id=user['id'],
domain_id=domain['id'])
PROVIDERS.assignment_api.create_grant(
role['id'], user_id=user['id'], domain_id=domain['id']
)
project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project)
PROVIDERS.resource_api.create_project(project['id'], project)
self.assignment_api.create_grant(role['id'],
user_id=user['id'],
project_id=project['id'])
PROVIDERS.assignment_api.create_grant(
role['id'], user_id=user['id'], project_id=project['id']
)
auth = self.build_authentication_request(
user_id=user['id'],
@ -3215,7 +3255,7 @@ class ListUserProjectsTestCase(test_v3.RestfulTestCase):
# disable this one and check again
project['enabled'] = False
self.resource_api.update_project(project['id'], project)
PROVIDERS.resource_api.update_project(project['id'], project)
result = self.get(url, auth=auth)
projects_result = result.json['projects']
self.assertEqual(1, len(projects_result))

File diff suppressed because it is too large Load Diff

View File

@ -20,6 +20,7 @@ from keystoneclient.contrib.ec2 import utils as ec2_utils
from six.moves import http_client
from testtools import matchers
from keystone.common import provider_api
from keystone.common import utils
from keystone.contrib.ec2 import controllers
from keystone.credential.providers import fernet as credential_fernet
@ -29,6 +30,7 @@ from keystone.tests.unit import ksfixtures
from keystone.tests.unit import test_v3
PROVIDERS = provider_api.ProviderAPIs
CRED_TYPE_EC2 = controllers.CRED_TYPE_EC2
@ -55,7 +57,7 @@ class CredentialBaseTestCase(test_v3.RestfulTestCase):
credential_id = credential['id']
# Create direct via the DB API to avoid validation failure
self.credential_api.create_credential(credential_id, credential)
PROVIDERS.credential_api.create_credential(credential_id, credential)
return json.dumps(blob), credential_id
@ -70,24 +72,26 @@ class CredentialTestCase(CredentialBaseTestCase):
self.credential = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
self.credential_api.create_credential(
PROVIDERS.credential_api.create_credential(
self.credential['id'],
self.credential)
def test_credential_api_delete_credentials_for_project(self):
self.credential_api.delete_credentials_for_project(self.project_id)
PROVIDERS.credential_api.delete_credentials_for_project(
self.project_id
)
# Test that the credential that we created in .setUp no longer exists
# once we delete all credentials for self.project_id
self.assertRaises(exception.CredentialNotFound,
self.credential_api.get_credential,
PROVIDERS.credential_api.get_credential,
credential_id=self.credential['id'])
def test_credential_api_delete_credentials_for_user(self):
self.credential_api.delete_credentials_for_user(self.user_id)
PROVIDERS.credential_api.delete_credentials_for_user(self.user_id)
# Test that the credential that we created in .setUp no longer exists
# once we delete all credentials for self.user_id
self.assertRaises(exception.CredentialNotFound,
self.credential_api.get_credential,
PROVIDERS.credential_api.get_credential,
credential_id=self.credential['id'])
def test_list_credentials(self):
@ -98,7 +102,9 @@ class CredentialTestCase(CredentialBaseTestCase):
def test_list_credentials_filtered_by_user_id(self):
"""Call ``GET /credentials?user_id={user_id}``."""
credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
self.credential_api.create_credential(credential['id'], credential)
PROVIDERS.credential_api.create_credential(
credential['id'], credential
)
r = self.get('/credentials?user_id=%s' % self.user['id'])
self.assertValidCredentialListResponse(r, ref=self.credential)
@ -113,7 +119,7 @@ class CredentialTestCase(CredentialBaseTestCase):
project_id=self.project_id,
type=CRED_TYPE_EC2)
ec2_resp = self.credential_api.create_credential(
ec2_resp = PROVIDERS.credential_api.create_credential(
ec2_credential['id'], ec2_credential)
# The type cert was chosen for the same reason as ec2
@ -143,11 +149,11 @@ class CredentialTestCase(CredentialBaseTestCase):
credential_user1_cert = unit.new_credential_ref(user_id=user1_id)
credential_user2_cert = unit.new_credential_ref(user_id=user2_id)
self.credential_api.create_credential(
PROVIDERS.credential_api.create_credential(
credential_user1_ec2['id'], credential_user1_ec2)
self.credential_api.create_credential(
PROVIDERS.credential_api.create_credential(
credential_user1_cert['id'], credential_user1_cert)
self.credential_api.create_credential(
PROVIDERS.credential_api.create_credential(
credential_user2_cert['id'], credential_user2_cert)
r = self.get('/credentials?user_id=%s&type=ec2' % user1_id)
@ -349,7 +355,9 @@ class TestCredentialTrustScoped(test_v3.RestfulTestCase):
self.trustee_user = unit.new_user_ref(domain_id=self.domain_id)
password = self.trustee_user['password']
self.trustee_user = self.identity_api.create_user(self.trustee_user)
self.trustee_user = PROVIDERS.identity_api.create_user(
self.trustee_user
)
self.trustee_user['password'] = password
self.trustee_user_id = self.trustee_user['id']
self.useFixture(
@ -505,7 +513,7 @@ class TestCredentialEc2(CredentialBaseTestCase):
user_id=self.user_id,
project_id=self.project_id)
non_ec2_cred['id'] = cred_id
self.credential_api.create_credential(cred_id, non_ec2_cred)
PROVIDERS.credential_api.create_credential(cred_id, non_ec2_cred)
uri = '/'.join([self._get_ec2_cred_uri(), access_key])
# if access_key is not found, ec2 controller raises Unauthorized
# exception
@ -526,8 +534,9 @@ class TestCredentialEc2(CredentialBaseTestCase):
user_id=self.user_id,
project_id=self.project_id)
non_ec2_cred['type'] = uuid.uuid4().hex
self.credential_api.create_credential(non_ec2_cred['id'],
non_ec2_cred)
PROVIDERS.credential_api.create_credential(
non_ec2_cred['id'], non_ec2_cred
)
r = self.get(uri)
cred_list_2 = r.result['credentials']
# still one element because non-EC2 credentials are not returned.
@ -539,10 +548,10 @@ class TestCredentialEc2(CredentialBaseTestCase):
ec2_cred = self._get_ec2_cred()
uri = '/'.join([self._get_ec2_cred_uri(), ec2_cred['access']])
cred_from_credential_api = (
self.credential_api
PROVIDERS.credential_api
.list_credentials_for_user(self.user_id, type=CRED_TYPE_EC2))
self.assertEqual(1, len(cred_from_credential_api))
self.delete(uri)
self.assertRaises(exception.CredentialNotFound,
self.credential_api.get_credential,
PROVIDERS.credential_api.get_credential,
cred_from_credential_api[0]['id'])

View File

@ -15,6 +15,7 @@ import uuid
from six.moves import http_client
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone.tests import unit
@ -22,6 +23,7 @@ from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class DomainConfigTestCase(test_v3.RestfulTestCase):
@ -31,7 +33,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
super(DomainConfigTestCase, self).setUp()
self.domain = unit.new_domain_ref()
self.resource_api.create_domain(self.domain['id'], self.domain)
PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain)
self.config = {'ldap': {'url': uuid.uuid4().hex,
'user_tree_dn': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
@ -42,7 +44,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
'domain_id': self.domain['id']}
r = self.put(url, body={'config': self.config},
expected_status=http_client.CREATED)
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
self.assertEqual(self.config, r.result['config'])
self.assertEqual(self.config, res)
@ -72,7 +74,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_delete_config(self):
"""Call ``DELETE /domains{domain_id}/config``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
self.delete('/domains/%(domain_id)s/config' % {
'domain_id': self.domain['id']})
self.get('/domains/%(domain_id)s/config' % {
@ -86,7 +90,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
id provided, the request shall be rejected with a response, 404 domain
not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
invalid_domain_id = uuid.uuid4().hex
self.delete('/domains/%(domain_id)s/config' % {
'domain_id': invalid_domain_id},
@ -94,10 +100,12 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_delete_config_by_group(self):
"""Call ``DELETE /domains{domain_id}/config/{group}``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
self.delete('/domains/%(domain_id)s/config/ldap' % {
'domain_id': self.domain['id']})
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
self.assertNotIn('ldap', res)
def test_delete_config_by_group_invalid_domain(self):
@ -107,7 +115,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
invalid domain id provided, the request shall be rejected with a
response 404 domain not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
invalid_domain_id = uuid.uuid4().hex
self.delete('/domains/%(domain_id)s/config/ldap' % {
'domain_id': invalid_domain_id},
@ -115,7 +125,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_get_head_config(self):
"""Call ``GET & HEAD for /domains{domain_id}/config``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
url = '/domains/%(domain_id)s/config' % {
'domain_id': self.domain['id']}
r = self.get(url)
@ -124,7 +136,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_get_head_config_by_group(self):
"""Call ``GET & HEAD /domains{domain_id}/config/{group}``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
url = '/domains/%(domain_id)s/config/ldap' % {
'domain_id': self.domain['id']}
r = self.get(url)
@ -138,7 +152,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
invalid domain id provided, the request shall be rejected with a
response 404 domain not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
invalid_domain_id = uuid.uuid4().hex
url = ('/domains/%(domain_id)s/config/ldap' % {
'domain_id': invalid_domain_id}
@ -148,7 +164,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_get_head_config_by_option(self):
"""Call ``GET & HEAD /domains{domain_id}/config/{group}/{option}``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
url = '/domains/%(domain_id)s/config/ldap/url' % {
'domain_id': self.domain['id']}
r = self.get(url)
@ -163,7 +181,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
invalid domain id provided, the request shall be rejected with a
response 404 domain not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
invalid_domain_id = uuid.uuid4().hex
url = ('/domains/%(domain_id)s/config/ldap/url' % {
'domain_id': invalid_domain_id}
@ -196,7 +216,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_get_head_non_existant_config_group(self):
"""Call ``GET /domains/{domain_id}/config/{group_not_exist}``."""
config = {'ldap': {'url': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
url = ('/domains/%(domain_id)s/config/identity' % {
'domain_id': self.domain['id']}
)
@ -211,7 +231,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
a response, 404 domain not found.
"""
config = {'ldap': {'url': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
invalid_domain_id = uuid.uuid4().hex
url = ('/domains/%(domain_id)s/config/identity' % {
'domain_id': invalid_domain_id}
@ -227,7 +247,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
within the group.
"""
config = {'ldap': {'url': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
url = ('/domains/%(domain_id)s/config/ldap/user_tree_dn' % {
'domain_id': self.domain['id']}
)
@ -244,7 +264,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
a response, 404 domain not found.
"""
config = {'ldap': {'url': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
invalid_domain_id = uuid.uuid4().hex
url = ('/domains/%(domain_id)s/config/ldap/user_tree_dn' % {
'domain_id': invalid_domain_id}
@ -254,13 +274,15 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_update_config(self):
"""Call ``PATCH /domains/{domain_id}/config``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
new_config = {'ldap': {'url': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
r = self.patch('/domains/%(domain_id)s/config' % {
'domain_id': self.domain['id']},
body={'config': new_config})
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
expected_config = copy.deepcopy(self.config)
expected_config['ldap']['url'] = new_config['ldap']['url']
expected_config['identity']['driver'] = (
@ -275,7 +297,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
id provided, the request shall be rejected with a response, 404 domain
not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
new_config = {'ldap': {'url': uuid.uuid4().hex},
'identity': {'driver': uuid.uuid4().hex}}
invalid_domain_id = uuid.uuid4().hex
@ -286,13 +310,15 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_update_config_group(self):
"""Call ``PATCH /domains/{domain_id}/config/{group}``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
new_config = {'ldap': {'url': uuid.uuid4().hex,
'user_filter': uuid.uuid4().hex}}
r = self.patch('/domains/%(domain_id)s/config/ldap' % {
'domain_id': self.domain['id']},
body={'config': new_config})
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
expected_config = copy.deepcopy(self.config)
expected_config['ldap']['url'] = new_config['ldap']['url']
expected_config['ldap']['user_filter'] = (
@ -307,7 +333,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
domain id provided, the request shall be rejected with a response,
404 domain not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
new_config = {'ldap': {'url': uuid.uuid4().hex,
'user_filter': uuid.uuid4().hex}}
invalid_domain_id = uuid.uuid4().hex
@ -318,7 +346,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_update_config_invalid_group(self):
"""Call ``PATCH /domains/{domain_id}/config/{invalid_group}``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
# Trying to update a group that is neither whitelisted or sensitive
# should result in Forbidden.
@ -332,7 +362,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
# Trying to update a valid group, but one that is not in the current
# config should result in NotFound
config = {'ldap': {'suffix': uuid.uuid4().hex}}
self.domain_config_api.create_config(self.domain['id'], config)
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
new_config = {'identity': {'driver': uuid.uuid4().hex}}
self.patch('/domains/%(domain_id)s/config/identity' % {
'domain_id': self.domain['id']},
@ -346,7 +376,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
and an invalid domain id provided, the request shall be rejected
with a response, 404 domain not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
invalid_group = uuid.uuid4().hex
new_config = {invalid_group: {'url': uuid.uuid4().hex,
'user_filter': uuid.uuid4().hex}}
@ -359,12 +391,14 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_update_config_option(self):
"""Call ``PATCH /domains/{domain_id}/config/{group}/{option}``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
new_config = {'url': uuid.uuid4().hex}
r = self.patch('/domains/%(domain_id)s/config/ldap/url' % {
'domain_id': self.domain['id']},
body={'config': new_config})
res = self.domain_config_api.get_config(self.domain['id'])
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
expected_config = copy.deepcopy(self.config)
expected_config['ldap']['url'] = new_config['url']
self.assertEqual(expected_config, r.result['config'])
@ -377,7 +411,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
domain id provided, the request shall be rejected with a response, 404
domain not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
new_config = {'url': uuid.uuid4().hex}
invalid_domain_id = uuid.uuid4().hex
self.patch('/domains/%(domain_id)s/config/ldap/url' % {
@ -387,7 +423,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
def test_update_config_invalid_option(self):
"""Call ``PATCH /domains/{domain_id}/config/{group}/{invalid}``."""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
invalid_option = uuid.uuid4().hex
new_config = {'ldap': {invalid_option: uuid.uuid4().hex}}
# Trying to update an option that is neither whitelisted or sensitive
@ -414,7 +452,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
and an invalid domain id provided, the request shall be rejected
with a response, 404 domain not found.
"""
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
invalid_option = uuid.uuid4().hex
new_config = {'ldap': {invalid_option: uuid.uuid4().hex}}
invalid_domain_id = uuid.uuid4().hex
@ -429,7 +469,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
"""Call ``GET & HEAD /domains/config/default``."""
# Create a config that overrides a few of the options so that we can
# check that only the defaults are returned.
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
url = '/domains/config/default'
r = self.get(url)
default_config = r.result['config']
@ -443,7 +485,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
"""Call ``GET & HEAD /domains/config/{group}/default``."""
# Create a config that overrides a few of the options so that we can
# check that only the defaults are returned.
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
url = '/domains/config/ldap/default'
r = self.get(url)
default_config = r.result['config']
@ -456,7 +500,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
"""Call ``GET & HEAD /domains/config/{group}/{option}/default``."""
# Create a config that overrides a few of the options so that we can
# check that only the defaults are returned.
self.domain_config_api.create_config(self.domain['id'], self.config)
PROVIDERS.domain_config_api.create_config(
self.domain['id'], self.config
)
url = '/domains/config/ldap/url/default'
r = self.get(url)
default_config = r.result['config']
@ -500,13 +546,13 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
# Create a user in the default domain
self.non_admin_user = unit.create_user(
self.identity_api,
PROVIDERS.identity_api,
CONF.identity.default_domain_id
)
# Create an admin in the default domain
self.admin_user = unit.create_user(
self.identity_api,
PROVIDERS.identity_api,
CONF.identity.default_domain_id
)
@ -514,15 +560,15 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
self.project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
self.resource_api.create_project(self.project['id'], self.project)
PROVIDERS.resource_api.create_project(self.project['id'], self.project)
self.non_admin_role = unit.new_role_ref(name='not_admin')
self.role_api.create_role(
PROVIDERS.role_api.create_role(
self.non_admin_role['id'],
self.non_admin_role
)
# Give the non-admin user a role on the project
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.non_admin_user['id'],
self.project['id'],
self.role['id']
@ -530,7 +576,7 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
# Give the user the admin role on the project, which is technically
# `self.role` because RestfulTestCase sets that up for us.
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
self.admin_user['id'],
self.project['id'],
self.role_id
@ -612,7 +658,7 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
"""
# Create a new domain that is not the default domain
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
# Set the security compliance configuration options
password_regex = uuid.uuid4().hex
@ -868,17 +914,17 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
"""
# Make a new domain
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
# Create a user in the new domain
user = unit.create_user(self.identity_api, domain['id'])
user = unit.create_user(PROVIDERS.identity_api, domain['id'])
# Create a project in the new domain
project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project)
PROVIDERS.resource_api.create_project(project['id'], project)
# Give the new user a non-admin role on the project
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user['id'],
project['id'],
self.non_admin_role['id']

View File

@ -32,6 +32,7 @@ if not xmldsig:
xmldsig = importutils.try_import("xmldsig")
from keystone.auth import controllers as auth_controllers
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone.federation import controllers as federation_controllers
@ -48,6 +49,7 @@ from keystone.token.providers import common as token_common
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
ROOTDIR = os.path.dirname(os.path.abspath(__file__))
XMLDIR = os.path.join(ROOTDIR, 'saml2/')
@ -203,129 +205,155 @@ class FederatedSetupMixin(object):
"""Inject additional data."""
# Create and add domains
self.domainA = unit.new_domain_ref()
self.resource_api.create_domain(self.domainA['id'],
self.domainA)
PROVIDERS.resource_api.create_domain(
self.domainA['id'], self.domainA
)
self.domainB = unit.new_domain_ref()
self.resource_api.create_domain(self.domainB['id'],
self.domainB)
PROVIDERS.resource_api.create_domain(
self.domainB['id'], self.domainB
)
self.domainC = unit.new_domain_ref()
self.resource_api.create_domain(self.domainC['id'],
self.domainC)
PROVIDERS.resource_api.create_domain(
self.domainC['id'], self.domainC
)
self.domainD = unit.new_domain_ref()
self.resource_api.create_domain(self.domainD['id'],
self.domainD)
PROVIDERS.resource_api.create_domain(
self.domainD['id'], self.domainD
)
# Create and add projects
self.proj_employees = unit.new_project_ref(
domain_id=self.domainA['id'])
self.resource_api.create_project(self.proj_employees['id'],
self.proj_employees)
PROVIDERS.resource_api.create_project(
self.proj_employees['id'], self.proj_employees
)
self.proj_customers = unit.new_project_ref(
domain_id=self.domainA['id'])
self.resource_api.create_project(self.proj_customers['id'],
self.proj_customers)
PROVIDERS.resource_api.create_project(
self.proj_customers['id'], self.proj_customers
)
self.project_all = unit.new_project_ref(
domain_id=self.domainA['id'])
self.resource_api.create_project(self.project_all['id'],
self.project_all)
PROVIDERS.resource_api.create_project(
self.project_all['id'], self.project_all
)
self.project_inherited = unit.new_project_ref(
domain_id=self.domainD['id'])
self.resource_api.create_project(self.project_inherited['id'],
self.project_inherited)
PROVIDERS.resource_api.create_project(
self.project_inherited['id'], self.project_inherited
)
# Create and add groups
self.group_employees = unit.new_group_ref(domain_id=self.domainA['id'])
self.group_employees = (
self.identity_api.create_group(self.group_employees))
PROVIDERS.identity_api.create_group(self.group_employees))
self.group_customers = unit.new_group_ref(domain_id=self.domainA['id'])
self.group_customers = (
self.identity_api.create_group(self.group_customers))
PROVIDERS.identity_api.create_group(self.group_customers))
self.group_admins = unit.new_group_ref(domain_id=self.domainA['id'])
self.group_admins = self.identity_api.create_group(self.group_admins)
self.group_admins = PROVIDERS.identity_api.create_group(
self.group_admins
)
# Create and add roles
self.role_employee = unit.new_role_ref()
self.role_api.create_role(self.role_employee['id'], self.role_employee)
PROVIDERS.role_api.create_role(
self.role_employee['id'], self.role_employee
)
self.role_customer = unit.new_role_ref()
self.role_api.create_role(self.role_customer['id'], self.role_customer)
PROVIDERS.role_api.create_role(
self.role_customer['id'], self.role_customer
)
self.role_admin = unit.new_role_ref()
self.role_api.create_role(self.role_admin['id'], self.role_admin)
PROVIDERS.role_api.create_role(self.role_admin['id'], self.role_admin)
# Employees can access
# * proj_employees
# * project_all
self.assignment_api.create_grant(self.role_employee['id'],
group_id=self.group_employees['id'],
project_id=self.proj_employees['id'])
self.assignment_api.create_grant(self.role_employee['id'],
group_id=self.group_employees['id'],
project_id=self.project_all['id'])
PROVIDERS.assignment_api.create_grant(
self.role_employee['id'], group_id=self.group_employees['id'],
project_id=self.proj_employees['id']
)
PROVIDERS.assignment_api.create_grant(
self.role_employee['id'], group_id=self.group_employees['id'],
project_id=self.project_all['id']
)
# Customers can access
# * proj_customers
self.assignment_api.create_grant(self.role_customer['id'],
group_id=self.group_customers['id'],
project_id=self.proj_customers['id'])
PROVIDERS.assignment_api.create_grant(
self.role_customer['id'], group_id=self.group_customers['id'],
project_id=self.proj_customers['id']
)
# Admins can access:
# * proj_customers
# * proj_employees
# * project_all
self.assignment_api.create_grant(self.role_admin['id'],
group_id=self.group_admins['id'],
project_id=self.proj_customers['id'])
self.assignment_api.create_grant(self.role_admin['id'],
group_id=self.group_admins['id'],
project_id=self.proj_employees['id'])
self.assignment_api.create_grant(self.role_admin['id'],
group_id=self.group_admins['id'],
project_id=self.project_all['id'])
PROVIDERS.assignment_api.create_grant(
self.role_admin['id'], group_id=self.group_admins['id'],
project_id=self.proj_customers['id']
)
PROVIDERS.assignment_api.create_grant(
self.role_admin['id'], group_id=self.group_admins['id'],
project_id=self.proj_employees['id']
)
PROVIDERS.assignment_api.create_grant(
self.role_admin['id'], group_id=self.group_admins['id'],
project_id=self.project_all['id']
)
# Customers can access:
# * domain A
self.assignment_api.create_grant(self.role_customer['id'],
group_id=self.group_customers['id'],
domain_id=self.domainA['id'])
PROVIDERS.assignment_api.create_grant(
self.role_customer['id'], group_id=self.group_customers['id'],
domain_id=self.domainA['id']
)
# Customers can access projects via inheritance:
# * domain D
self.assignment_api.create_grant(self.role_customer['id'],
group_id=self.group_customers['id'],
domain_id=self.domainD['id'],
inherited_to_projects=True)
PROVIDERS.assignment_api.create_grant(
self.role_customer['id'], group_id=self.group_customers['id'],
domain_id=self.domainD['id'], inherited_to_projects=True
)
# Employees can access:
# * domain A
# * domain B
self.assignment_api.create_grant(self.role_employee['id'],
group_id=self.group_employees['id'],
domain_id=self.domainA['id'])
self.assignment_api.create_grant(self.role_employee['id'],
group_id=self.group_employees['id'],
domain_id=self.domainB['id'])
PROVIDERS.assignment_api.create_grant(
self.role_employee['id'], group_id=self.group_employees['id'],
domain_id=self.domainA['id']
)
PROVIDERS.assignment_api.create_grant(
self.role_employee['id'], group_id=self.group_employees['id'],
domain_id=self.domainB['id']
)
# Admins can access:
# * domain A
# * domain B
# * domain C
self.assignment_api.create_grant(self.role_admin['id'],
group_id=self.group_admins['id'],
domain_id=self.domainA['id'])
self.assignment_api.create_grant(self.role_admin['id'],
group_id=self.group_admins['id'],
domain_id=self.domainB['id'])
PROVIDERS.assignment_api.create_grant(
self.role_admin['id'], group_id=self.group_admins['id'],
domain_id=self.domainA['id']
)
PROVIDERS.assignment_api.create_grant(
self.role_admin['id'], group_id=self.group_admins['id'],
domain_id=self.domainB['id']
)
self.assignment_api.create_grant(self.role_admin['id'],
group_id=self.group_admins['id'],
domain_id=self.domainC['id'])
PROVIDERS.assignment_api.create_grant(
self.role_admin['id'], group_id=self.group_admins['id'],
domain_id=self.domainC['id']
)
self.rules = {
'rules': [
{
@ -706,27 +734,30 @@ class FederatedSetupMixin(object):
# Add IDP
self.idp = self.idp_ref(id=self.IDP)
self.federation_api.create_idp(self.idp['id'],
self.idp)
PROVIDERS.federation_api.create_idp(
self.idp['id'], self.idp
)
# Add IDP with remote
self.idp_with_remote = self.idp_ref(id=self.IDP_WITH_REMOTE)
self.idp_with_remote['remote_ids'] = self.REMOTE_IDS
self.federation_api.create_idp(self.idp_with_remote['id'],
self.idp_with_remote)
PROVIDERS.federation_api.create_idp(
self.idp_with_remote['id'], self.idp_with_remote
)
# Add a mapping
self.mapping = self.mapping_ref()
self.federation_api.create_mapping(self.mapping['id'],
self.mapping)
PROVIDERS.federation_api.create_mapping(
self.mapping['id'], self.mapping
)
# Add protocols
self.proto_saml = self.proto_ref(mapping_id=self.mapping['id'])
self.proto_saml['id'] = self.PROTOCOL
self.federation_api.create_protocol(self.idp['id'],
self.proto_saml['id'],
self.proto_saml)
PROVIDERS.federation_api.create_protocol(
self.idp['id'], self.proto_saml['id'], self.proto_saml
)
# Add protocols IDP with remote
self.federation_api.create_protocol(self.idp_with_remote['id'],
self.proto_saml['id'],
self.proto_saml)
PROVIDERS.federation_api.create_protocol(
self.idp_with_remote['id'], self.proto_saml['id'], self.proto_saml
)
# Generate fake tokens
request = self.make_request()
@ -870,7 +901,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
expected_status=http_client.CREATED)
def assertIdpDomainCreated(self, idp_id, domain_id):
domain = self.resource_api.get_domain(domain_id)
domain = PROVIDERS.resource_api.get_domain(domain_id)
self.assertEqual(domain_id, domain['name'])
self.assertIn(idp_id, domain['description'])
@ -892,7 +923,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
body = self.default_body.copy()
body['description'] = uuid.uuid4().hex
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
body['domain_id'] = domain['id']
resp = self._create_default_idp(body=body)
self.assertValidResponse(resp, 'identity_provider', dummy_validator,
@ -916,7 +947,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
# the number of domains.
resp = self._create_default_idp()
idp_id = resp.json_body['identity_provider']['id']
domains = self.resource_api.list_domains()
domains = PROVIDERS.resource_api.list_domains()
number_of_domains = len(domains)
# Create an identity provider with the same ID to intentionally cause a
@ -930,13 +961,13 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
body={'identity_provider': self.default_body.copy()},
expected_status=http_client.CONFLICT
)
domains = self.resource_api.list_domains()
domains = PROVIDERS.resource_api.list_domains()
self.assertEqual(number_of_domains, len(domains))
def test_conflicting_idp_does_not_delete_existing_domain(self):
# Create a new domain
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
# Create an identity provider and specify the domain
body = self.default_body.copy()
@ -960,12 +991,12 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
# Make sure the domain specified in the second request was not deleted,
# since it wasn't auto-generated
self.assertIsNotNone(self.resource_api.get_domain(domain['id']))
self.assertIsNotNone(PROVIDERS.resource_api.get_domain(domain['id']))
def test_create_idp_domain_id_unique_constraint(self):
# create domain and add domain_id to keys to check
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
keys_to_check = list(self.idp_keys)
keys_to_check.append('domain_id')
# create idp with the domain_id
@ -997,7 +1028,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
self.assertIsNotNone(idp_id)
# create domain and try to update the idp's domain
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
body['domain_id'] = domain['id']
body = {'identity_provider': body}
url = self.base_url(suffix=idp_id)
@ -1263,7 +1294,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
url = self.base_url(suffix=uuid.uuid4().hex)
body = self._http_idp_input()
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
body['domain_id'] = domain['id']
self.put(url, body={'identity_provider': body},
expected_status=http_client.CREATED)
@ -1278,7 +1309,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
"""Create and later fetch IdP."""
body = self._http_idp_input()
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
body['domain_id'] = domain['id']
default_resp = self._create_default_idp(body=body)
default_idp = self._fetch_attribute_from_response(default_resp,
@ -1342,10 +1373,14 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
**kwargs)
# removing IdP will remove the assigned protocol as well
self.assertEqual(1, len(self.federation_api.list_protocols(idp_id)))
self.assertEqual(
1, len(PROVIDERS.federation_api.list_protocols(idp_id))
)
self.delete(idp_url)
self.get(idp_url, expected_status=http_client.NOT_FOUND)
self.assertEqual(0, len(self.federation_api.list_protocols(idp_id)))
self.assertEqual(
0, len(PROVIDERS.federation_api.list_protocols(idp_id))
)
def test_delete_nonexisting_idp(self):
"""Delete nonexisting IdP.
@ -1876,7 +1911,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""
enabled_false = {'enabled': False}
self.federation_api.update_idp(self.IDP, enabled_false)
PROVIDERS.federation_api.update_idp(self.IDP, enabled_false)
self.assertRaises(exception.Forbidden,
self._issue_unscoped_token)
@ -1988,10 +2023,11 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# let admin get roles in a project
self.proj_employees
admin = unit.new_user_ref(CONF.identity.default_domain_id)
self.identity_api.create_user(admin)
self.assignment_api.create_grant(self.role_admin['id'],
user_id=admin['id'],
project_id=self.proj_employees['id'])
PROVIDERS.identity_api.create_user(admin)
PROVIDERS.assignment_api.create_grant(
self.role_admin['id'], user_id=admin['id'],
project_id=self.proj_employees['id']
)
# try to scope the token. It should fail
scope = self._scope_request(
@ -2056,7 +2092,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""
enabled_false = {'enabled': False}
self.federation_api.update_idp(self.IDP, enabled_false)
PROVIDERS.federation_api.update_idp(self.IDP, enabled_false)
self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER,
expected_status=http_client.FORBIDDEN)
@ -2070,7 +2106,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
token_id = token.headers.get('X-Subject-Token')
federated_info = token.json_body['token']['user']['OS-FEDERATION']
idp_id = federated_info['identity_provider']['id']
self.federation_api.delete_idp(idp_id)
PROVIDERS.federation_api.delete_idp(idp_id)
headers = {
'X-Subject-Token': token_id
}
@ -2118,7 +2154,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
user_id = r.json_body['token']['user']['id']
project_id = r.json_body['token']['project']['id']
for role in r.json_body['token']['roles']:
self.assignment_api.create_grant(
PROVIDERS.assignment_api.create_grant(
role_id=role['id'], user_id=user_id, project_id=project_id
)
@ -2236,11 +2272,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
subproject_inherited = unit.new_project_ref(
domain_id=self.domainD['id'],
parent_id=self.project_inherited['id'])
self.resource_api.create_project(subproject_inherited['id'],
subproject_inherited)
PROVIDERS.resource_api.create_project(
subproject_inherited['id'], subproject_inherited
)
# Create an inherited role assignment
self.assignment_api.create_grant(
PROVIDERS.assignment_api.create_grant(
role_id=self.role_employee['id'],
group_id=self.group_employees['id'],
project_id=self.project_inherited['id'],
@ -2331,14 +2368,14 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""
# create group and role
group = unit.new_group_ref(domain_id=self.domainA['id'])
group = self.identity_api.create_group(group)
group = PROVIDERS.identity_api.create_group(group)
role = unit.new_role_ref()
self.role_api.create_role(role['id'], role)
PROVIDERS.role_api.create_role(role['id'], role)
# assign role to group and project_admins
self.assignment_api.create_grant(role['id'],
group_id=group['id'],
project_id=self.project_all['id'])
PROVIDERS.assignment_api.create_grant(
role['id'], group_id=group['id'], project_id=self.project_all['id']
)
rules = {
'rules': [
@ -2370,13 +2407,13 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
]
}
self.federation_api.update_mapping(self.mapping['id'], rules)
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='TESTER_ASSERTION')
token_id = r.headers.get('X-Subject-Token')
# delete group
self.identity_api.delete_group(group['id'])
PROVIDERS.identity_api.delete_group(group['id'])
# scope token to project_all, expect HTTP 500
scoped_token = self._scope_request(
@ -2404,7 +2441,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
domain_id = self.domainA['id']
domain_name = self.domainA['name']
group = unit.new_group_ref(domain_id=domain_id, name='EXISTS')
group = self.identity_api.create_group(group)
group = PROVIDERS.identity_api.create_group(group)
rules = {
'rules': [
{
@ -2437,7 +2474,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
]
}
self.federation_api.update_mapping(self.mapping['id'], rules)
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
def test_empty_blacklist_passess_all_values(self):
"""Test a mapping with empty blacklist specified.
@ -2464,12 +2501,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# Add a group "EXISTS"
group_exists = unit.new_group_ref(domain_id=domain_id, name='EXISTS')
group_exists = self.identity_api.create_group(group_exists)
group_exists = PROVIDERS.identity_api.create_group(group_exists)
# Add a group "NO_EXISTS"
group_no_exists = unit.new_group_ref(domain_id=domain_id,
name='NO_EXISTS')
group_no_exists = self.identity_api.create_group(group_no_exists)
group_no_exists = PROVIDERS.identity_api.create_group(group_no_exists)
group_ids = set([group_exists['id'], group_no_exists['id']])
@ -2506,7 +2543,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
]
}
self.federation_api.update_mapping(self.mapping['id'], rules)
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
self.assertEqual(len(group_ids), len(assigned_group_ids))
@ -2538,12 +2575,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# Add a group "EXISTS"
group_exists = unit.new_group_ref(domain_id=domain_id,
name='EXISTS')
group_exists = self.identity_api.create_group(group_exists)
group_exists = PROVIDERS.identity_api.create_group(group_exists)
# Add a group "NO_EXISTS"
group_no_exists = unit.new_group_ref(domain_id=domain_id,
name='NO_EXISTS')
group_no_exists = self.identity_api.create_group(group_no_exists)
group_no_exists = PROVIDERS.identity_api.create_group(group_no_exists)
group_ids = set([group_exists['id'], group_no_exists['id']])
@ -2579,7 +2616,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
]
}
self.federation_api.update_mapping(self.mapping['id'], rules)
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
self.assertEqual(len(group_ids), len(assigned_group_ids))
@ -2607,7 +2644,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
domain_id = self.domainA['id']
domain_name = self.domainA['name']
group = unit.new_group_ref(domain_id=domain_id, name='EXISTS')
group = self.identity_api.create_group(group)
group = PROVIDERS.identity_api.create_group(group)
rules = {
'rules': [
{
@ -2641,7 +2678,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
]
}
self.federation_api.update_mapping(self.mapping['id'], rules)
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
assigned_groups = r.json['token']['user']['OS-FEDERATION']['groups']
self.assertEqual(len(assigned_groups), 0)
@ -2670,12 +2707,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# Add a group "EXISTS"
group_exists = unit.new_group_ref(domain_id=domain_id,
name='EXISTS')
group_exists = self.identity_api.create_group(group_exists)
group_exists = PROVIDERS.identity_api.create_group(group_exists)
# Add a group "NO_EXISTS"
group_no_exists = unit.new_group_ref(domain_id=domain_id,
name='NO_EXISTS')
group_no_exists = self.identity_api.create_group(group_no_exists)
group_no_exists = PROVIDERS.identity_api.create_group(group_no_exists)
group_ids = set([group_exists['id'], group_no_exists['id']])
@ -2711,7 +2748,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
]
}
self.federation_api.update_mapping(self.mapping['id'], rules)
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
self.assertEqual(len(group_ids), len(assigned_group_ids))
@ -2917,20 +2954,20 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""Ensure user_id is persistend for multiple federated authn calls."""
r = self._issue_unscoped_token()
user_id = r.json_body['token']['user']['id']
self.assertNotEmpty(self.identity_api.get_user(user_id))
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id))
r = self._issue_unscoped_token()
user_id2 = r.json_body['token']['user']['id']
self.assertNotEmpty(self.identity_api.get_user(user_id2))
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id2))
self.assertEqual(user_id, user_id2)
def test_user_role_assignment(self):
# create project and role
project_ref = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
# authenticate via saml get back a user id
user_id, unscoped_token = self._authenticate_via_saml()
@ -2943,7 +2980,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
expected_status=http_client.UNAUTHORIZED)
# assign project role to federated user
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id, project_ref['id'], role_ref['id'])
# exchange an unscoped token for a scoped token
@ -2961,7 +2998,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# create a 2nd project
project_ref2 = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id)
self.resource_api.create_project(project_ref2['id'], project_ref2)
PROVIDERS.resource_api.create_project(project_ref2['id'], project_ref2)
# ensure the user cannot access the 2nd resource (forbidden)
path = '/projects/%(project_id)s' % {'project_id': project_ref2['id']}
@ -2972,9 +3009,9 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_domain_scoped_user_role_assignment(self):
# create domain and role
domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
# authenticate via saml get back a user id
user_id, unscoped_token = self._authenticate_via_saml()
@ -2987,9 +3024,9 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
expected_status=http_client.UNAUTHORIZED)
# assign domain role to user
self.assignment_api.create_grant(role_ref['id'],
user_id=user_id,
domain_id=domain_ref['id'])
PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=user_id, domain_id=domain_ref['id']
)
# exchange an unscoped token for domain scoped token and test
r = self.v3_create_token(v3_scope_request,
@ -3002,15 +3039,15 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# create project and role
project_ref = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
# authenticate via saml get back a user id
user_id, unscoped_token = self._authenticate_via_saml()
# assign project role to federated user
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id, project_ref['id'], role_ref['id'])
# get auth projects
@ -3028,24 +3065,25 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# create project, role, group
domain_id = CONF.identity.default_domain_id
project_ref = unit.new_project_ref(domain_id=domain_id)
self.resource_api.create_project(project_ref['id'], project_ref)
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
group_ref = unit.new_group_ref(domain_id=domain_id)
group_ref = self.identity_api.create_group(group_ref)
group_ref = PROVIDERS.identity_api.create_group(group_ref)
# authenticate via saml get back a user id
user_id, unscoped_token = self._authenticate_via_saml()
# assign role to group at project
self.assignment_api.create_grant(role_ref['id'],
group_id=group_ref['id'],
project_id=project_ref['id'],
domain_id=domain_id)
PROVIDERS.assignment_api.create_grant(
role_ref['id'], group_id=group_ref['id'],
project_id=project_ref['id'], domain_id=domain_id
)
# add user to group
self.identity_api.add_user_to_group(user_id=user_id,
group_id=group_ref['id'])
PROVIDERS.identity_api.add_user_to_group(
user_id=user_id, group_id=group_ref['id']
)
# get auth projects
r = self.get('/auth/projects', token=unscoped_token)
@ -3061,17 +3099,17 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_auth_domains_matches_federation_domains(self):
# create domain and role
domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
# authenticate via saml get back a user id and token
user_id, unscoped_token = self._authenticate_via_saml()
# assign domain role to user
self.assignment_api.create_grant(role_ref['id'],
user_id=user_id,
domain_id=domain_ref['id'])
PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=user_id, domain_id=domain_ref['id']
)
# get auth domains
r = self.get('/auth/domains', token=unscoped_token)
@ -3087,23 +3125,25 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_auth_domains_matches_federation_domains_with_group_assign(self):
# create role, group, and domain
domain_ref = unit.new_domain_ref()
self.resource_api.create_domain(domain_ref['id'], domain_ref)
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
group_ref = unit.new_group_ref(domain_id=domain_ref['id'])
group_ref = self.identity_api.create_group(group_ref)
group_ref = PROVIDERS.identity_api.create_group(group_ref)
# authenticate via saml get back a user id and token
user_id, unscoped_token = self._authenticate_via_saml()
# assign domain role to group
self.assignment_api.create_grant(role_ref['id'],
group_id=group_ref['id'],
domain_id=domain_ref['id'])
PROVIDERS.assignment_api.create_grant(
role_ref['id'], group_id=group_ref['id'],
domain_id=domain_ref['id']
)
# add user to group
self.identity_api.add_user_to_group(user_id=user_id,
group_id=group_ref['id'])
PROVIDERS.identity_api.add_user_to_group(
user_id=user_id, group_id=group_ref['id']
)
# get auth domains
r = self.get('/auth/domains', token=unscoped_token)
@ -3119,7 +3159,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_list_head_domains_for_user_duplicates(self):
# create role
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
# authenticate via saml get back a user id and token
user_id, unscoped_token = self._authenticate_via_saml()
@ -3137,9 +3177,9 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# assign group domain and role to user, this should create a
# duplicate domain
self.assignment_api.create_grant(role_ref['id'],
user_id=user_id,
domain_id=domain_from_group['id'])
PROVIDERS.assignment_api.create_grant(
role_ref['id'], user_id=user_id, domain_id=domain_from_group['id']
)
# get user domains via /OS-FEDERATION/domains and test for duplicates
r = self.get('/OS-FEDERATION/domains', token=unscoped_token)
@ -3160,7 +3200,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_list_head_projects_for_user_duplicates(self):
# create role
role_ref = unit.new_role_ref()
self.role_api.create_role(role_ref['id'], role_ref)
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
# authenticate via saml get back a user id and token
user_id, unscoped_token = self._authenticate_via_saml()
@ -3178,7 +3218,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# assign group project and role to user, this should create a
# duplicate project
self.assignment_api.add_role_to_user_and_project(
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id, project_from_group['id'], role_ref['id'])
# get user projects via /OS-FEDERATION/projects and test for duplicates
@ -3200,17 +3240,17 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_delete_protocol_after_federated_authentication(self):
# Create a protocol
protocol = self.proto_ref(mapping_id=self.mapping['id'])
self.federation_api.create_protocol(
PROVIDERS.federation_api.create_protocol(
self.IDP, protocol['id'], protocol)
# Authenticate to create a new federated_user entry with a foreign
# key pointing to the protocol
r = self._issue_unscoped_token()
user_id = r.json_body['token']['user']['id']
self.assertNotEmpty(self.identity_api.get_user(user_id))
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id))
# Now we should be able to delete the protocol
self.federation_api.delete_protocol(self.IDP, protocol['id'])
PROVIDERS.federation_api.delete_protocol(self.IDP, protocol['id'])
def _authenticate_via_saml(self):
r = self._issue_unscoped_token()
@ -3237,7 +3277,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
super(ShadowMappingTests, self).setUp()
# update the mapping we have already setup to have specific projects
# and roles.
self.federation_api.update_mapping(
PROVIDERS.federation_api.update_mapping(
self.mapping['id'],
mapping_fixtures.MAPPING_PROJECTS
)
@ -3254,12 +3294,12 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# below that test that behavior and the setup is done in the test.
member_role_ref = unit.new_role_ref(name='member')
assert member_role_ref['domain_id'] is None
self.member_role = self.role_api.create_role(
self.member_role = PROVIDERS.role_api.create_role(
member_role_ref['id'], member_role_ref
)
observer_role_ref = unit.new_role_ref(name='observer')
assert observer_role_ref['domain_id'] is None
self.observer_role = self.role_api.create_role(
self.observer_role = PROVIDERS.role_api.create_role(
observer_role_ref['id'], observer_role_ref
)
@ -3280,7 +3320,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
self.load_federation_sample_data()
def test_shadow_mapping_creates_projects(self):
projects = self.resource_api.list_projects()
projects = PROVIDERS.resource_api.list_projects()
for project in projects:
self.assertNotIn(project['name'], self.expected_results)
@ -3290,7 +3330,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
response = self.get('/auth/projects', token=unscoped_token)
projects = response.json_body['projects']
for project in projects:
project = self.resource_api.get_project_by_name(
project = PROVIDERS.resource_api.get_project_by_name(
project['name'],
self.idp['domain_id']
)
@ -3320,7 +3360,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# If a role required by the mapping does not exist, then we should fail
# the mapping since shadow mapping currently does not support creating
# mappings on-the-fly.
self.role_api.delete_role(self.observer_role['id'])
PROVIDERS.role_api.delete_role(self.observer_role['id'])
self.assertRaises(exception.RoleNotFound, self._issue_unscoped_token)
def test_shadow_mapping_creates_project_in_identity_provider_domain(self):
@ -3349,15 +3389,15 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_roles_outside_idp_domain_fail_mapping(self):
# Create a new domain
d = unit.new_domain_ref()
new_domain = self.resource_api.create_domain(d['id'], d)
new_domain = PROVIDERS.resource_api.create_domain(d['id'], d)
# Delete the member role and recreate it in a different domain
self.role_api.delete_role(self.member_role['id'])
PROVIDERS.role_api.delete_role(self.member_role['id'])
member_role_ref = unit.new_role_ref(
name='member',
domain_id=new_domain['id']
)
self.role_api.create_role(member_role_ref['id'], member_role_ref)
PROVIDERS.role_api.create_role(member_role_ref['id'], member_role_ref)
self.assertRaises(
exception.DomainSpecificRoleNotWithinIdPDomain,
self._issue_unscoped_token
@ -3365,18 +3405,18 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_roles_in_idp_domain_can_be_assigned_from_mapping(self):
# Delete the member role and recreate it in the domain of the idp
self.role_api.delete_role(self.member_role['id'])
PROVIDERS.role_api.delete_role(self.member_role['id'])
member_role_ref = unit.new_role_ref(
name='member',
domain_id=self.idp['domain_id']
)
self.role_api.create_role(member_role_ref['id'], member_role_ref)
PROVIDERS.role_api.create_role(member_role_ref['id'], member_role_ref)
response = self._issue_unscoped_token()
user_id = response.json_body['token']['user']['id']
unscoped_token = response.headers.get('X-Subject-Token')
response = self.get('/auth/projects', token=unscoped_token)
projects = response.json_body['projects']
staging_project = self.resource_api.get_project_by_name(
staging_project = PROVIDERS.resource_api.get_project_by_name(
'Staging', self.idp['domain_id']
)
for project in projects:
@ -3384,10 +3424,12 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# a member role for our user, the /auth/projects response doesn't
# include projects with only domain-specific role assignments.
self.assertNotEqual(project['name'], 'Staging')
domain_role_assignments = self.assignment_api.list_role_assignments(
user_id=user_id,
project_id=staging_project['id'],
strip_domain_roles=False
domain_role_assignments = (
PROVIDERS.assignment_api.list_role_assignments(
user_id=user_id,
project_id=staging_project['id'],
strip_domain_roles=False
)
)
self.assertEqual(
staging_project['id'], domain_role_assignments[0]['project_id']
@ -3402,16 +3444,16 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
domain_id=self.idp['domain_id'],
name='Observers'
)
observer_group = self.identity_api.create_group(observer_group)
observer_group = PROVIDERS.identity_api.create_group(observer_group)
# make sure the Observers group has a role on the finance project
finance_project = unit.new_project_ref(
domain_id=self.idp['domain_id'],
name='Finance'
)
finance_project = self.resource_api.create_project(
finance_project = PROVIDERS.resource_api.create_project(
finance_project['id'], finance_project
)
self.assignment_api.create_grant(
PROVIDERS.assignment_api.create_grant(
self.observer_role['id'],
group_id=observer_group['id'],
project_id=finance_project['id']
@ -3427,7 +3469,9 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
updated_mapping = copy.deepcopy(mapping_fixtures.MAPPING_PROJECTS)
updated_mapping['rules'][0]['local'].append(group_rule)
self.federation_api.update_mapping(self.mapping['id'], updated_mapping)
PROVIDERS.federation_api.update_mapping(
self.mapping['id'], updated_mapping
)
response = self._issue_unscoped_token()
# user_id = response.json_body['token']['user']['id']
unscoped_token = response.headers.get('X-Subject-Token')
@ -3466,14 +3510,15 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
unscoped_token = response.headers.get('X-Subject-Token')
# Assign admin role to newly-created project to another user
staging_project = self.resource_api.get_project_by_name(
staging_project = PROVIDERS.resource_api.get_project_by_name(
'Staging', self.idp['domain_id']
)
admin = unit.new_user_ref(CONF.identity.default_domain_id)
self.identity_api.create_user(admin)
self.assignment_api.create_grant(self.role_admin['id'],
user_id=admin['id'],
project_id=staging_project['id'])
PROVIDERS.identity_api.create_user(admin)
PROVIDERS.assignment_api.create_grant(
self.role_admin['id'], user_id=admin['id'],
project_id=staging_project['id']
)
# Authenticate again with the federated user and verify roles
response = self._issue_unscoped_token()
@ -3898,7 +3943,7 @@ class SAMLGenerationTests(test_v3.RestfulTestCase):
"""Try generating assertion for disabled Service Provider."""
# Disable Service Provider
sp_ref = {'enabled': False}
self.federation_api.update_sp(self.SERVICE_PROVDIER_ID, sp_ref)
PROVIDERS.federation_api.update_sp(self.SERVICE_PROVDIER_ID, sp_ref)
token_id = self._fetch_valid_token()
body = self._create_generate_saml_request(token_id,
@ -4633,15 +4678,15 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
super(K2KServiceCatalogTests, self).setUp()
sp = self.sp_ref()
self.federation_api.create_sp(self.SP1, sp)
PROVIDERS.federation_api.create_sp(self.SP1, sp)
self.sp_alpha = {self.SP1: sp}
sp = self.sp_ref()
self.federation_api.create_sp(self.SP2, sp)
PROVIDERS.federation_api.create_sp(self.SP2, sp)
self.sp_beta = {self.SP2: sp}
sp = self.sp_ref()
self.federation_api.create_sp(self.SP3, sp)
PROVIDERS.federation_api.create_sp(self.SP3, sp)
self.sp_gamma = {self.SP3: sp}
self.token_v3_helper = token_common.V3TokenDataHelper()
@ -4692,7 +4737,7 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
"""
# disable service provider ALPHA
sp_ref = {'enabled': False}
self.federation_api.update_sp(self.SP1, sp_ref)
PROVIDERS.federation_api.update_sp(self.SP1, sp_ref)
token = self.token_v3_helper.get_token_data(self.user_id, ['password'])
ref = {}
@ -4709,7 +4754,7 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
"""
sp_ref = {'enabled': False}
for sp in (self.SP1, self.SP2, self.SP3):
self.federation_api.update_sp(sp, sp_ref)
PROVIDERS.federation_api.update_sp(sp, sp_ref)
token = self.token_v3_helper.get_token_data(self.user_id, ['password'])
self.assertNotIn('service_providers', token['token'],

View File

@ -23,6 +23,7 @@ from oslo_log import log
from six.moves import http_client
from testtools import matchers
from keystone.common import provider_api
from keystone.common import sql
import keystone.conf
from keystone.credential.providers import fernet as credential_fernet
@ -38,6 +39,7 @@ from keystone.tests.unit import test_v3
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class IdentityTestCase(test_v3.RestfulTestCase):
@ -54,15 +56,16 @@ class IdentityTestCase(test_v3.RestfulTestCase):
)
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group = PROVIDERS.identity_api.create_group(self.group)
self.group_id = self.group['id']
self.credential = unit.new_credential_ref(
user_id=self.user['id'],
project_id=self.project_id)
self.credential_api.create_credential(self.credential['id'],
self.credential)
PROVIDERS.credential_api.create_credential(
self.credential['id'], self.credential
)
# user crud tests
@ -85,9 +88,9 @@ class IdentityTestCase(test_v3.RestfulTestCase):
# Create a user with a role on the domain so we can get a
# domain scoped token
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
self.assignment_api.create_grant(
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
domain_id=domain['id'])
@ -151,9 +154,9 @@ class IdentityTestCase(test_v3.RestfulTestCase):
"""
# Create two domains to work with.
domain1 = unit.new_domain_ref()
self.resource_api.create_domain(domain1['id'], domain1)
PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
domain2 = unit.new_domain_ref()
self.resource_api.create_domain(domain2['id'], domain2)
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
# We can successfully create a normal user without any surprises.
user = unit.new_user_ref(domain_id=domain1['id'])
@ -230,19 +233,19 @@ class IdentityTestCase(test_v3.RestfulTestCase):
# Create a new domain with a new project and user
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project['id'], project)
PROVIDERS.resource_api.create_project(project['id'], project)
user = unit.create_user(self.identity_api, domain_id=domain['id'])
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
# Create both project and domain role grants for the user so we
# can get both project and domain scoped tokens
self.assignment_api.create_grant(
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
domain_id=domain['id'])
self.assignment_api.create_grant(
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id, user_id=user['id'],
project_id=project['id'])
@ -277,7 +280,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_list_users_no_default_project(self):
"""Call ``GET /users`` making sure no default_project_id."""
user = unit.new_user_ref(self.domain_id)
user = self.identity_api.create_user(user)
user = PROVIDERS.identity_api.create_user(user)
resource_url = '/users'
r = self.get(resource_url)
self.assertValidUserListResponse(r, ref=user,
@ -295,7 +298,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
"""Call ``GET /users/{user_id}`` extra attributes are not included."""
user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
user = self.identity_api.create_user(user)
user = PROVIDERS.identity_api.create_user(user)
self.assertNotIn('created_at', user)
self.assertNotIn('last_active_at', user)
@ -303,7 +306,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
"""Call ``GET /users/{user_id}`` required attributes are included."""
user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
user = self.identity_api.create_user(user)
user = PROVIDERS.identity_api.create_user(user)
self.assertIn('id', user)
self.assertIn('name', user)
self.assertIn('enabled', user)
@ -315,7 +318,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
"""Call ``GET /users/{user_id}`` making sure of default_project_id."""
user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
user = self.identity_api.create_user(user)
user = PROVIDERS.identity_api.create_user(user)
r = self.get('/users/%(user_id)s' % {'user_id': user['id']})
self.assertValidUserResponse(r, user)
@ -326,9 +329,9 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_list_head_groups_for_user(self):
"""Call ``GET & HEAD /users/{user_id}/groups``."""
user1 = unit.create_user(self.identity_api,
user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
user2 = unit.create_user(self.identity_api,
user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
@ -404,7 +407,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
def test_admin_password_reset(self):
# bootstrap a user as admin
user_ref = unit.create_user(self.identity_api,
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
# auth as user should work before a password change
@ -443,7 +446,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
self.config_fixture.config(group='security_compliance',
minimum_password_age=1)
# create user
user_ref = unit.create_user(self.identity_api,
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
# administrative password reset
new_password = uuid.uuid4().hex
@ -463,7 +466,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
the `domain_id` of a user fails.
"""
user = unit.new_user_ref(domain_id=self.domain['id'])
user = self.identity_api.create_user(user)
user = PROVIDERS.identity_api.create_user(user)
user['domain_id'] = CONF.identity.default_domain_id
self.patch('/users/%(user_id)s' % {
'user_id': user['id']},
@ -480,16 +483,18 @@ class IdentityTestCase(test_v3.RestfulTestCase):
"""
# First check the credential for this user is present
r = self.credential_api.get_credential(self.credential['id'])
r = PROVIDERS.credential_api.get_credential(self.credential['id'])
self.assertDictEqual(self.credential, r)
# Create a second credential with a different user
user2 = unit.new_user_ref(domain_id=self.domain['id'],
project_id=self.project['id'])
user2 = self.identity_api.create_user(user2)
user2 = PROVIDERS.identity_api.create_user(user2)
credential2 = unit.new_credential_ref(user_id=user2['id'],
project_id=self.project['id'])
self.credential_api.create_credential(credential2['id'], credential2)
PROVIDERS.credential_api.create_credential(
credential2['id'], credential2
)
# Create a token for this user which we can check later
# gets deleted
@ -510,14 +515,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
# Deleting the user should have deleted any credentials
# that reference this project
self.assertRaises(exception.CredentialNotFound,
self.credential_api.get_credential,
PROVIDERS.credential_api.get_credential,
self.credential['id'])
# And the no tokens we remain valid
tokens = self.token_provider_api._persistence._list_tokens(
tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
self.user['id'])
self.assertEqual(0, len(tokens))
# But the credential for user2 is unaffected
r = self.credential_api.get_credential(credential2['id'])
r = PROVIDERS.credential_api.get_credential(credential2['id'])
self.assertDictEqual(credential2, r)
def test_delete_user_retries_on_deadlock(self):
@ -542,11 +547,11 @@ class IdentityTestCase(test_v3.RestfulTestCase):
side_effect = FakeDeadlock(patcher)
sql_delete_mock.side_effect = side_effect
user_ref = unit.create_user(self.identity_api,
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
try:
self.identity_api.delete_user(user_id=user_ref['id'])
PROVIDERS.identity_api.delete_user(user_id=user_ref['id'])
finally:
if side_effect.patched:
patcher.stop()
@ -634,7 +639,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
log_fix = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
# bootstrap a user as admin
user_ref = unit.create_user(self.identity_api,
user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
self.assertNotIn(user_ref['password'], log_fix.output)
@ -677,7 +682,7 @@ class ChangePasswordTestCase(test_v3.RestfulTestCase):
def setUp(self):
super(ChangePasswordTestCase, self).setUp()
self.user_ref = unit.create_user(self.identity_api,
self.user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
self.token = self.get_request_token(self.user_ref['password'],
http_client.CREATED)
@ -710,7 +715,7 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
with freezegun.freeze_time(time):
self.user_ref = self.identity_api.create_user(user_ref)
self.user_ref = PROVIDERS.identity_api.create_user(user_ref)
return password
@ -843,7 +848,7 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
change_password_upon_first_use=True)
# create user
self.user_ref = unit.create_user(self.identity_api,
self.user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
# attempt to authenticate with create user password
@ -866,7 +871,7 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
# admin reset
reset_password = uuid.uuid4().hex
user_password = {'password': reset_password}
self.identity_api.update_user(self.user_ref['id'], user_password)
PROVIDERS.identity_api.update_user(self.user_ref['id'], user_password)
# attempt to authenticate with admin reset password
self.get_request_token(reset_password,
@ -890,7 +895,7 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
self.user_ref['password'] = reset_password
ignore_opt_name = options.IGNORE_CHANGE_PASSWORD_OPT.option_name
self.user_ref['options'][ignore_opt_name] = True
self.identity_api.update_user(self.user_ref['id'], self.user_ref)
PROVIDERS.identity_api.update_user(self.user_ref['id'], self.user_ref)
# authenticate with the reset password
self.token = self.get_request_token(reset_password,
@ -901,13 +906,13 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
lockout_failure_attempts=1)
# create user
self.user_ref = unit.create_user(self.identity_api,
self.user_ref = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
# update the user, mark her as exempt from lockout
ignore_opt_name = options.IGNORE_LOCKOUT_ATTEMPT_OPT.option_name
self.user_ref['options'][ignore_opt_name] = True
self.identity_api.update_user(self.user_ref['id'], self.user_ref)
PROVIDERS.identity_api.update_user(self.user_ref['id'], self.user_ref)
# fail to auth, this should lockout the user, since we're allowed
# one failure, but we're exempt from lockout!
@ -936,7 +941,7 @@ class PasswordValidationTestCase(ChangePasswordTestCase):
expected_status=http_client.BAD_REQUEST)
def test_update_user_with_invalid_password(self):
user = unit.create_user(self.identity_api,
user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id'])
user['password'] = 'simple'
self.patch('/users/%(user_id)s' % {
@ -982,19 +987,19 @@ class UserFederatedAttributesTests(test_v3.RestfulTestCase):
'enabled': True,
'description': uuid.uuid4().hex
}
self.federation_api.create_idp(idp['id'], idp)
PROVIDERS.federation_api.create_idp(idp['id'], idp)
# Create the mapping
mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
mapping['id'] = uuid.uuid4().hex
self.federation_api.create_mapping(mapping['id'], mapping)
PROVIDERS.federation_api.create_mapping(mapping['id'], mapping)
# Create the protocol
protocol = {
'id': uuid.uuid4().hex,
'mapping_id': mapping['id']
}
self.federation_api.create_protocol(idp['id'],
protocol['id'],
protocol)
PROVIDERS.federation_api.create_protocol(
idp['id'], protocol['id'], protocol
)
return idp, protocol
def _create_user_with_federated_user(self, user, fed_dict):
@ -1018,7 +1023,7 @@ class UserFederatedAttributesTests(test_v3.RestfulTestCase):
self.fed_dict['unique_id'] = "jdoe"
# Create the domain_id, user, and federated_user relationship
self.domain = unit.new_domain_ref()
self.resource_api.create_domain(self.domain['id'], self.domain)
PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain)
self.fed_user = unit.new_user_ref(domain_id=self.domain['id'])
self.fed_user = self._create_user_with_federated_user(self.fed_user,
self.fed_dict)

View File

@ -16,6 +16,7 @@ from six.moves import http_client
from six.moves import range
from testtools import matchers
from keystone.common import provider_api
import keystone.conf
from keystone.credential.providers import fernet as credential_fernet
from keystone import exception
@ -26,6 +27,7 @@ from keystone.tests.unit import utils as test_utils
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class ResourceTestCase(test_v3.RestfulTestCase,
@ -225,21 +227,21 @@ class ResourceTestCase(test_v3.RestfulTestCase,
"""Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
# Create a 2nd set of entities in a 2nd domain
domain2 = unit.new_domain_ref()
self.resource_api.create_domain(domain2['id'], domain2)
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
project2 = unit.new_project_ref(domain_id=domain2['id'])
self.resource_api.create_project(project2['id'], project2)
PROVIDERS.resource_api.create_project(project2['id'], project2)
user2 = unit.create_user(self.identity_api,
user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=domain2['id'],
project_id=project2['id'])
role_member = unit.new_role_ref()
self.role_api.create_role(role_member['id'], role_member)
PROVIDERS.role_api.create_role(role_member['id'], role_member)
self.assignment_api.add_role_to_user_and_project(user2['id'],
project2['id'],
role_member['id'])
PROVIDERS.assignment_api.add_role_to_user_and_project(
user2['id'], project2['id'], role_member['id']
)
# First check a user in that domain can authenticate..
auth_data = self.build_authentication_request(
@ -300,30 +302,35 @@ class ResourceTestCase(test_v3.RestfulTestCase,
"""
# Create a group and a credential in the main domain
group = unit.new_group_ref(domain_id=self.domain_id)
group = self.identity_api.create_group(group)
group = PROVIDERS.identity_api.create_group(group)
credential = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
self.credential_api.create_credential(credential['id'], credential)
PROVIDERS.credential_api.create_credential(
credential['id'], credential
)
# Create a 2nd set of entities in a 2nd domain
domain2 = unit.new_domain_ref()
self.resource_api.create_domain(domain2['id'], domain2)
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
project2 = unit.new_project_ref(domain_id=domain2['id'])
project2 = self.resource_api.create_project(project2['id'], project2)
project2 = PROVIDERS.resource_api.create_project(
project2['id'], project2
)
user2 = unit.new_user_ref(domain_id=domain2['id'],
project_id=project2['id'])
user2 = self.identity_api.create_user(user2)
user2 = PROVIDERS.identity_api.create_user(user2)
group2 = unit.new_group_ref(domain_id=domain2['id'])
group2 = self.identity_api.create_group(group2)
group2 = PROVIDERS.identity_api.create_group(group2)
credential2 = unit.new_credential_ref(user_id=user2['id'],
project_id=project2['id'])
self.credential_api.create_credential(credential2['id'],
credential2)
PROVIDERS.credential_api.create_credential(
credential2['id'], credential2
)
# Now disable the new domain and delete it
domain2['enabled'] = False
@ -335,32 +342,32 @@ class ResourceTestCase(test_v3.RestfulTestCase,
# Check all the domain2 relevant entities are gone
self.assertRaises(exception.DomainNotFound,
self.resource_api.get_domain,
PROVIDERS.resource_api.get_domain,
domain2['id'])
self.assertRaises(exception.ProjectNotFound,
self.resource_api.get_project,
PROVIDERS.resource_api.get_project,
project2['id'])
self.assertRaises(exception.GroupNotFound,
self.identity_api.get_group,
PROVIDERS.identity_api.get_group,
group2['id'])
self.assertRaises(exception.UserNotFound,
self.identity_api.get_user,
PROVIDERS.identity_api.get_user,
user2['id'])
self.assertRaises(exception.CredentialNotFound,
self.credential_api.get_credential,
PROVIDERS.credential_api.get_credential,
credential2['id'])
# ...and that all self.domain entities are still here
r = self.resource_api.get_domain(self.domain['id'])
r = PROVIDERS.resource_api.get_domain(self.domain['id'])
self.assertDictEqual(self.domain, r)
r = self.resource_api.get_project(self.project['id'])
r = PROVIDERS.resource_api.get_project(self.project['id'])
self.assertDictEqual(self.project, r)
r = self.identity_api.get_group(group['id'])
r = PROVIDERS.identity_api.get_group(group['id'])
self.assertDictEqual(group, r)
r = self.identity_api.get_user(self.user['id'])
r = PROVIDERS.identity_api.get_user(self.user['id'])
self.user.pop('password')
self.assertDictEqual(self.user, r)
r = self.credential_api.get_credential(credential['id'])
r = PROVIDERS.credential_api.get_credential(credential['id'])
self.assertDictEqual(credential, r)
def test_delete_domain_deletes_is_domain_project(self):
@ -404,9 +411,9 @@ class ResourceTestCase(test_v3.RestfulTestCase,
"""
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
user2 = unit.create_user(self.identity_api,
user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=domain['id'])
# build a request body
@ -439,16 +446,17 @@ class ResourceTestCase(test_v3.RestfulTestCase,
def test_delete_domain_hierarchy(self):
"""Call ``DELETE /domains/{domain_id}``."""
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
PROVIDERS.resource_api.create_domain(domain['id'], domain)
root_project = unit.new_project_ref(domain_id=domain['id'])
root_project = self.resource_api.create_project(root_project['id'],
root_project)
root_project = PROVIDERS.resource_api.create_project(
root_project['id'], root_project
)
leaf_project = unit.new_project_ref(
domain_id=domain['id'],
parent_id=root_project['id'])
self.resource_api.create_project(leaf_project['id'], leaf_project)
PROVIDERS.resource_api.create_project(leaf_project['id'], leaf_project)
# Need to disable it first.
self.patch('/domains/%(domain_id)s' % {
@ -460,15 +468,15 @@ class ResourceTestCase(test_v3.RestfulTestCase,
'domain_id': domain['id']})
self.assertRaises(exception.DomainNotFound,
self.resource_api.get_domain,
PROVIDERS.resource_api.get_domain,
domain['id'])
self.assertRaises(exception.ProjectNotFound,
self.resource_api.get_project,
PROVIDERS.resource_api.get_project,
root_project['id'])
self.assertRaises(exception.ProjectNotFound,
self.resource_api.get_project,
PROVIDERS.resource_api.get_project,
leaf_project['id'])
def test_forbid_operations_on_federated_domain(self):
@ -488,26 +496,26 @@ class ResourceTestCase(test_v3.RestfulTestCase,
for domain in create_domains():
self.assertRaises(
AssertionError, self.resource_api.create_domain,
AssertionError, PROVIDERS.resource_api.create_domain,
domain['id'], domain)
self.assertRaises(
AssertionError, self.resource_api.update_domain,
AssertionError, PROVIDERS.resource_api.update_domain,
domain['id'], domain)
self.assertRaises(
exception.DomainNotFound, self.resource_api.delete_domain,
exception.DomainNotFound, PROVIDERS.resource_api.delete_domain,
domain['id'])
# swap 'name' with 'id' and try again, expecting the request to
# gracefully fail
domain['id'], domain['name'] = domain['name'], domain['id']
self.assertRaises(
AssertionError, self.resource_api.create_domain,
AssertionError, PROVIDERS.resource_api.create_domain,
domain['id'], domain)
self.assertRaises(
AssertionError, self.resource_api.update_domain,
AssertionError, PROVIDERS.resource_api.update_domain,
domain['id'], domain)
self.assertRaises(
exception.DomainNotFound, self.resource_api.delete_domain,
exception.DomainNotFound, PROVIDERS.resource_api.delete_domain,
domain['id'])
def test_forbid_operations_on_defined_federated_domain(self):
@ -521,13 +529,13 @@ class ResourceTestCase(test_v3.RestfulTestCase,
federated_domain_name=non_default_name)
domain = unit.new_domain_ref(name=non_default_name)
self.assertRaises(AssertionError,
self.resource_api.create_domain,
PROVIDERS.resource_api.create_domain,
domain['id'], domain)
self.assertRaises(exception.DomainNotFound,
self.resource_api.delete_domain,
PROVIDERS.resource_api.delete_domain,
domain['id'])
self.assertRaises(AssertionError,
self.resource_api.update_domain,
PROVIDERS.resource_api.update_domain,
domain['id'], domain)
# Project CRUD tests
@ -1053,10 +1061,10 @@ class ResourceTestCase(test_v3.RestfulTestCase,
# Add some more projects acting as domains
new_is_domain_project = unit.new_project_ref(is_domain=True)
new_is_domain_project = self.resource_api.create_project(
new_is_domain_project = PROVIDERS.resource_api.create_project(
new_is_domain_project['id'], new_is_domain_project)
new_is_domain_project2 = unit.new_project_ref(is_domain=True)
new_is_domain_project2 = self.resource_api.create_project(
new_is_domain_project2 = PROVIDERS.resource_api.create_project(
new_is_domain_project2['id'], new_is_domain_project2)
number_is_domain_true = initial_number_is_domain_true + 2
@ -1070,7 +1078,7 @@ class ResourceTestCase(test_v3.RestfulTestCase,
# Now add a regular project
new_regular_project = unit.new_project_ref(domain_id=self.domain_id)
new_regular_project = self.resource_api.create_project(
new_regular_project = PROVIDERS.resource_api.create_project(
new_regular_project['id'], new_regular_project)
number_is_domain_false = initial_number_is_domain_false + 1
@ -1094,7 +1102,7 @@ class ResourceTestCase(test_v3.RestfulTestCase,
# Make sure we have at least one project acting as a domain
new_is_domain_project = unit.new_project_ref(is_domain=True)
new_is_domain_project = self.resource_api.create_project(
new_is_domain_project = PROVIDERS.resource_api.create_project(
new_is_domain_project['id'], new_is_domain_project)
r = self.get('/projects', expected_status=200)
@ -1327,7 +1335,7 @@ class ResourceTestCase(test_v3.RestfulTestCase,
update the `domain_id` of a project fails.
"""
project = unit.new_project_ref(domain_id=self.domain['id'])
project = self.resource_api.create_project(project['id'], project)
project = PROVIDERS.resource_api.create_project(project['id'], project)
project['domain_id'] = CONF.identity.default_domain_id
self.patch('/projects/%(project_id)s' % {
'project_id': project['id']},
@ -1395,17 +1403,21 @@ class ResourceTestCase(test_v3.RestfulTestCase,
"""
credential = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
self.credential_api.create_credential(credential['id'], credential)
PROVIDERS.credential_api.create_credential(
credential['id'], credential
)
# First check the credential for this project is present
r = self.credential_api.get_credential(credential['id'])
r = PROVIDERS.credential_api.get_credential(credential['id'])
self.assertDictEqual(credential, r)
# Create a second credential with a different project
project2 = unit.new_project_ref(domain_id=self.domain['id'])
self.resource_api.create_project(project2['id'], project2)
PROVIDERS.resource_api.create_project(project2['id'], project2)
credential2 = unit.new_credential_ref(user_id=self.user['id'],
project_id=project2['id'])
self.credential_api.create_credential(credential2['id'], credential2)
PROVIDERS.credential_api.create_credential(
credential2['id'], credential2
)
# Now delete the project
self.delete(
@ -1415,10 +1427,10 @@ class ResourceTestCase(test_v3.RestfulTestCase,
# Deleting the project should have deleted any credentials
# that reference this project
self.assertRaises(exception.CredentialNotFound,
self.credential_api.get_credential,
PROVIDERS.credential_api.get_credential,
credential_id=credential['id'])
# But the credential for project2 is unaffected
r = self.credential_api.get_credential(credential2['id'])
r = PROVIDERS.credential_api.get_credential(credential2['id'])
self.assertDictEqual(credential2, r)
def test_delete_not_leaf_project(self):

View File

@ -37,7 +37,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
def setUp(self):
super(TestTrustOperations, self).setUp()
# create a trustee to delegate stuff to
self.trustee_user = unit.create_user(self.identity_api,
self.trustee_user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
self.trustee_user_id = self.trustee_user['id']
@ -417,7 +417,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
# create third-party user, which will be trustee in trust created from
# redelegated trust
third_party_trustee = unit.create_user(self.identity_api,
third_party_trustee = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
third_party_trustee_id = third_party_trustee['id']
@ -461,7 +461,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
expected_status=http_client.NOT_FOUND)
# create another user as the new trustee
trustee_user = unit.create_user(self.identity_api,
trustee_user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain_id)
trustee_user_id = trustee_user['id']
# create the trust again
@ -479,7 +479,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
# call the backend method directly to bypass authentication since the
# user has been deleted.
self.assertRaises(exception.TrustNotFound,
self.trust_api.get_trust,
PROVIDERS.trust_api.get_trust,
trust['id'])
def test_trust_deleted_when_project_deleted(self):
@ -506,7 +506,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
# call the backend method directly to bypass authentication since the
# user no longer has the assignment on the project.
self.assertRaises(exception.TrustNotFound,
self.trust_api.get_trust,
PROVIDERS.trust_api.get_trust,
trust['id'])

View File

@ -16,15 +16,18 @@ import uuid
from oslo_utils import timeutils
from six.moves import range
from keystone.common import provider_api
from keystone import exception
PROVIDERS = provider_api.ProviderAPIs
class TrustTests(object):
def create_sample_trust(self, new_id, remaining_uses=None):
self.trustor = self.user_foo
self.trustee = self.user_two
expires_at = datetime.datetime.utcnow().replace(year=2032)
trust_data = (self.trust_api.create_trust
trust_data = (PROVIDERS.trust_api.create_trust
(new_id,
{'trustor_user_id': self.trustor['id'],
'trustee_user_id': self.user_two['id'],
@ -42,17 +45,17 @@ class TrustTests(object):
trust_data = self.create_sample_trust(new_id)
trust_id = trust_data['id']
self.assertIsNotNone(trust_data)
trust_data = self.trust_api.get_trust(trust_id)
trust_data = PROVIDERS.trust_api.get_trust(trust_id)
self.assertEqual(new_id, trust_data['id'])
self.trust_api.delete_trust(trust_id)
PROVIDERS.trust_api.delete_trust(trust_id)
self.assertRaises(exception.TrustNotFound,
self.trust_api.get_trust,
PROVIDERS.trust_api.get_trust,
trust_id)
def test_delete_trust_not_found(self):
trust_id = uuid.uuid4().hex
self.assertRaises(exception.TrustNotFound,
self.trust_api.delete_trust,
PROVIDERS.trust_api.delete_trust,
trust_id)
def test_get_trust(self):
@ -60,21 +63,22 @@ class TrustTests(object):
trust_data = self.create_sample_trust(new_id)
trust_id = trust_data['id']
self.assertIsNotNone(trust_data)
trust_data = self.trust_api.get_trust(trust_id)
trust_data = PROVIDERS.trust_api.get_trust(trust_id)
self.assertEqual(new_id, trust_data['id'])
self.trust_api.delete_trust(trust_data['id'])
PROVIDERS.trust_api.delete_trust(trust_data['id'])
def test_get_deleted_trust(self):
new_id = uuid.uuid4().hex
trust_data = self.create_sample_trust(new_id)
self.assertIsNotNone(trust_data)
self.assertIsNone(trust_data['deleted_at'])
self.trust_api.delete_trust(new_id)
PROVIDERS.trust_api.delete_trust(new_id)
self.assertRaises(exception.TrustNotFound,
self.trust_api.get_trust,
PROVIDERS.trust_api.get_trust,
new_id)
deleted_trust = self.trust_api.get_trust(trust_data['id'],
deleted=True)
deleted_trust = PROVIDERS.trust_api.get_trust(
trust_data['id'], deleted=True
)
self.assertEqual(trust_data['id'], deleted_trust['id'])
self.assertIsNotNone(deleted_trust.get('deleted_at'))
@ -95,25 +99,33 @@ class TrustTests(object):
def test_list_trust_by_trustee(self):
for i in range(3):
self.create_sample_trust(uuid.uuid4().hex)
trusts = self.trust_api.list_trusts_for_trustee(self.trustee['id'])
trusts = PROVIDERS.trust_api.list_trusts_for_trustee(
self.trustee['id']
)
self.assertEqual(3, len(trusts))
self.assertEqual(trusts[0]["trustee_user_id"], self.trustee['id'])
trusts = self.trust_api.list_trusts_for_trustee(self.trustor['id'])
trusts = PROVIDERS.trust_api.list_trusts_for_trustee(
self.trustor['id']
)
self.assertEqual(0, len(trusts))
def test_list_trust_by_trustor(self):
for i in range(3):
self.create_sample_trust(uuid.uuid4().hex)
trusts = self.trust_api.list_trusts_for_trustor(self.trustor['id'])
trusts = PROVIDERS.trust_api.list_trusts_for_trustor(
self.trustor['id']
)
self.assertEqual(3, len(trusts))
self.assertEqual(trusts[0]["trustor_user_id"], self.trustor['id'])
trusts = self.trust_api.list_trusts_for_trustor(self.trustee['id'])
trusts = PROVIDERS.trust_api.list_trusts_for_trustor(
self.trustee['id']
)
self.assertEqual(0, len(trusts))
def test_list_trusts(self):
for i in range(3):
self.create_sample_trust(uuid.uuid4().hex)
trusts = self.trust_api.list_trusts()
trusts = PROVIDERS.trust_api.list_trusts()
self.assertEqual(3, len(trusts))
def test_trust_has_remaining_uses_positive(self):
@ -142,13 +154,13 @@ class TrustTests(object):
# consume a trust repeatedly until it has no uses anymore
trust_data = self.create_sample_trust(uuid.uuid4().hex,
remaining_uses=2)
self.trust_api.consume_use(trust_data['id'])
t = self.trust_api.get_trust(trust_data['id'])
PROVIDERS.trust_api.consume_use(trust_data['id'])
t = PROVIDERS.trust_api.get_trust(trust_data['id'])
self.assertEqual(1, t['remaining_uses'])
self.trust_api.consume_use(trust_data['id'])
PROVIDERS.trust_api.consume_use(trust_data['id'])
# This was the last use, the trust isn't available anymore
self.assertRaises(exception.TrustNotFound,
self.trust_api.get_trust,
PROVIDERS.trust_api.get_trust,
trust_data['id'])
def test_duplicate_trusts_not_allowed(self):
@ -164,9 +176,9 @@ class TrustTests(object):
roles = [{"id": "member"},
{"id": "other"},
{"id": "browser"}]
self.trust_api.create_trust(uuid.uuid4().hex, trust_data, roles)
PROVIDERS.trust_api.create_trust(uuid.uuid4().hex, trust_data, roles)
self.assertRaises(exception.Conflict,
self.trust_api.create_trust,
PROVIDERS.trust_api.create_trust,
uuid.uuid4().hex,
trust_data,
roles)