Finish refactoring self.*_api out of tests
A previous change started remove the self magic: Ic2094dca56158d8e4cd843eadff837f3a17ea38f This commit finishes that work. A subsequent patch will remove the self manager logic all together and we'll fix up any trivial test infrastructure then. Change-Id: Iedbde34ef5aa84905fd6b5f2297bf7f46dd7d278
This commit is contained in:
parent
bbe2d7ee48
commit
8761066260
|
@ -12,12 +12,15 @@
|
|||
|
||||
import uuid
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import sql
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit.assignment import test_core
|
||||
from keystone.tests.unit.backend import core_sql
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class SqlRoleModels(core_sql.BaseBackendSqlModels):
|
||||
|
||||
|
@ -33,80 +36,80 @@ class SqlRole(core_sql.BaseBackendSqlTests, test_core.RoleTests):
|
|||
def test_create_null_role_name(self):
|
||||
role = unit.new_role_ref(name=None)
|
||||
self.assertRaises(exception.UnexpectedError,
|
||||
self.role_api.create_role,
|
||||
PROVIDERS.role_api.create_role,
|
||||
role['id'],
|
||||
role)
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.get_role,
|
||||
PROVIDERS.role_api.get_role,
|
||||
role['id'])
|
||||
|
||||
def test_create_duplicate_role_domain_specific_name_fails(self):
|
||||
domain = unit.new_domain_ref()
|
||||
role1 = unit.new_role_ref(domain_id=domain['id'])
|
||||
self.role_api.create_role(role1['id'], role1)
|
||||
PROVIDERS.role_api.create_role(role1['id'], role1)
|
||||
role2 = unit.new_role_ref(name=role1['name'],
|
||||
domain_id=domain['id'])
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.role_api.create_role,
|
||||
PROVIDERS.role_api.create_role,
|
||||
role2['id'],
|
||||
role2)
|
||||
|
||||
def test_update_domain_id_of_role_fails(self):
|
||||
# Create a global role
|
||||
role1 = unit.new_role_ref()
|
||||
role1 = self.role_api.create_role(role1['id'], role1)
|
||||
role1 = PROVIDERS.role_api.create_role(role1['id'], role1)
|
||||
# Try and update it to be domain specific
|
||||
domainA = unit.new_domain_ref()
|
||||
role1['domain_id'] = domainA['id']
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.role_api.update_role,
|
||||
PROVIDERS.role_api.update_role,
|
||||
role1['id'],
|
||||
role1)
|
||||
|
||||
# Create a domain specific role from scratch
|
||||
role2 = unit.new_role_ref(domain_id=domainA['id'])
|
||||
self.role_api.create_role(role2['id'], role2)
|
||||
PROVIDERS.role_api.create_role(role2['id'], role2)
|
||||
# Try to "move" it to another domain
|
||||
domainB = unit.new_domain_ref()
|
||||
role2['domain_id'] = domainB['id']
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.role_api.update_role,
|
||||
PROVIDERS.role_api.update_role,
|
||||
role2['id'],
|
||||
role2)
|
||||
# Now try to make it global
|
||||
role2['domain_id'] = None
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.role_api.update_role,
|
||||
PROVIDERS.role_api.update_role,
|
||||
role2['id'],
|
||||
role2)
|
||||
|
||||
def test_domain_specific_separation(self):
|
||||
domain1 = unit.new_domain_ref()
|
||||
role1 = unit.new_role_ref(domain_id=domain1['id'])
|
||||
role_ref1 = self.role_api.create_role(role1['id'], role1)
|
||||
role_ref1 = PROVIDERS.role_api.create_role(role1['id'], role1)
|
||||
self.assertDictEqual(role1, role_ref1)
|
||||
# Check we can have the same named role in a different domain
|
||||
domain2 = unit.new_domain_ref()
|
||||
role2 = unit.new_role_ref(name=role1['name'], domain_id=domain2['id'])
|
||||
role_ref2 = self.role_api.create_role(role2['id'], role2)
|
||||
role_ref2 = PROVIDERS.role_api.create_role(role2['id'], role2)
|
||||
self.assertDictEqual(role2, role_ref2)
|
||||
# ...and in fact that you can have the same named role as a global role
|
||||
role3 = unit.new_role_ref(name=role1['name'])
|
||||
role_ref3 = self.role_api.create_role(role3['id'], role3)
|
||||
role_ref3 = PROVIDERS.role_api.create_role(role3['id'], role3)
|
||||
self.assertDictEqual(role3, role_ref3)
|
||||
# Check that updating one doesn't change the others
|
||||
role1['name'] = uuid.uuid4().hex
|
||||
self.role_api.update_role(role1['id'], role1)
|
||||
role_ref1 = self.role_api.get_role(role1['id'])
|
||||
PROVIDERS.role_api.update_role(role1['id'], role1)
|
||||
role_ref1 = PROVIDERS.role_api.get_role(role1['id'])
|
||||
self.assertDictEqual(role1, role_ref1)
|
||||
role_ref2 = self.role_api.get_role(role2['id'])
|
||||
role_ref2 = PROVIDERS.role_api.get_role(role2['id'])
|
||||
self.assertDictEqual(role2, role_ref2)
|
||||
role_ref3 = self.role_api.get_role(role3['id'])
|
||||
role_ref3 = PROVIDERS.role_api.get_role(role3['id'])
|
||||
self.assertDictEqual(role3, role_ref3)
|
||||
# Check that deleting one of these, doesn't affect the others
|
||||
self.role_api.delete_role(role1['id'])
|
||||
PROVIDERS.role_api.delete_role(role1['id'])
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.get_role,
|
||||
PROVIDERS.role_api.get_role,
|
||||
role1['id'])
|
||||
self.role_api.get_role(role2['id'])
|
||||
self.role_api.get_role(role3['id'])
|
||||
PROVIDERS.role_api.get_role(role2['id'])
|
||||
PROVIDERS.role_api.get_role(role3['id'])
|
||||
|
|
|
@ -15,31 +15,34 @@
|
|||
import copy
|
||||
import uuid
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import default_fixtures
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class RoleTests(object):
|
||||
|
||||
def test_get_role_returns_not_found(self):
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.get_role,
|
||||
PROVIDERS.role_api.get_role,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_get_unique_role_by_name_returns_not_found(self):
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.get_unique_role_by_name,
|
||||
PROVIDERS.role_api.get_unique_role_by_name,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_create_duplicate_role_name_fails(self):
|
||||
role_id = uuid.uuid4().hex
|
||||
role = unit.new_role_ref(id=role_id, name='fake1name')
|
||||
self.role_api.create_role(role_id, role)
|
||||
PROVIDERS.role_api.create_role(role_id, role)
|
||||
new_role_id = uuid.uuid4().hex
|
||||
role['id'] = new_role_id
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.role_api.create_role,
|
||||
PROVIDERS.role_api.create_role,
|
||||
new_role_id,
|
||||
role)
|
||||
|
||||
|
@ -48,46 +51,46 @@ class RoleTests(object):
|
|||
role_id2 = uuid.uuid4().hex
|
||||
role1 = unit.new_role_ref(id=role_id1, name='fake1name')
|
||||
role2 = unit.new_role_ref(id=role_id2, name='fake2name')
|
||||
self.role_api.create_role(role_id1, role1)
|
||||
self.role_api.create_role(role_id2, role2)
|
||||
PROVIDERS.role_api.create_role(role_id1, role1)
|
||||
PROVIDERS.role_api.create_role(role_id2, role2)
|
||||
role1['name'] = 'fake2name'
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.role_api.update_role,
|
||||
PROVIDERS.role_api.update_role,
|
||||
role_id1,
|
||||
role1)
|
||||
|
||||
def test_role_crud(self):
|
||||
role = unit.new_role_ref()
|
||||
role_name = role['name']
|
||||
self.role_api.create_role(role['id'], role)
|
||||
role_ref = self.role_api.get_role(role['id'])
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
role_ref = PROVIDERS.role_api.get_role(role['id'])
|
||||
role_ref_dict = {x: role_ref[x] for x in role_ref}
|
||||
self.assertDictEqual(role, role_ref_dict)
|
||||
|
||||
role_ref = self.role_api.get_unique_role_by_name(role_name)
|
||||
role_ref = PROVIDERS.role_api.get_unique_role_by_name(role_name)
|
||||
self.assertEqual(role['id'], role_ref['id'])
|
||||
|
||||
role['name'] = uuid.uuid4().hex
|
||||
updated_role_ref = self.role_api.update_role(role['id'], role)
|
||||
role_ref = self.role_api.get_role(role['id'])
|
||||
updated_role_ref = PROVIDERS.role_api.update_role(role['id'], role)
|
||||
role_ref = PROVIDERS.role_api.get_role(role['id'])
|
||||
role_ref_dict = {x: role_ref[x] for x in role_ref}
|
||||
self.assertDictEqual(role, role_ref_dict)
|
||||
self.assertDictEqual(role_ref_dict, updated_role_ref)
|
||||
|
||||
self.role_api.delete_role(role['id'])
|
||||
PROVIDERS.role_api.delete_role(role['id'])
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.get_role,
|
||||
PROVIDERS.role_api.get_role,
|
||||
role['id'])
|
||||
|
||||
def test_update_role_returns_not_found(self):
|
||||
role = unit.new_role_ref()
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.update_role,
|
||||
PROVIDERS.role_api.update_role,
|
||||
role['id'],
|
||||
role)
|
||||
|
||||
def test_list_roles(self):
|
||||
roles = self.role_api.list_roles()
|
||||
roles = PROVIDERS.role_api.list_roles()
|
||||
self.assertEqual(len(default_fixtures.ROLES), len(roles))
|
||||
role_ids = set(role['id'] for role in roles)
|
||||
expected_role_ids = set(role['id'] for role in default_fixtures.ROLES)
|
||||
|
@ -98,39 +101,39 @@ class RoleTests(object):
|
|||
role = unit.new_role_ref()
|
||||
role_id = role['id']
|
||||
# Create role
|
||||
self.role_api.create_role(role_id, role)
|
||||
role_ref = self.role_api.get_role(role_id)
|
||||
PROVIDERS.role_api.create_role(role_id, role)
|
||||
role_ref = PROVIDERS.role_api.get_role(role_id)
|
||||
updated_role_ref = copy.deepcopy(role_ref)
|
||||
updated_role_ref['name'] = uuid.uuid4().hex
|
||||
# Update role, bypassing the role api manager
|
||||
self.role_api.driver.update_role(role_id, updated_role_ref)
|
||||
PROVIDERS.role_api.driver.update_role(role_id, updated_role_ref)
|
||||
# Verify get_role still returns old ref
|
||||
self.assertDictEqual(role_ref, self.role_api.get_role(role_id))
|
||||
self.assertDictEqual(role_ref, PROVIDERS.role_api.get_role(role_id))
|
||||
# Invalidate Cache
|
||||
self.role_api.get_role.invalidate(self.role_api, role_id)
|
||||
PROVIDERS.role_api.get_role.invalidate(PROVIDERS.role_api, role_id)
|
||||
# Verify get_role returns the new role_ref
|
||||
self.assertDictEqual(updated_role_ref,
|
||||
self.role_api.get_role(role_id))
|
||||
PROVIDERS.role_api.get_role(role_id))
|
||||
# Update role back to original via the assignment api manager
|
||||
self.role_api.update_role(role_id, role_ref)
|
||||
PROVIDERS.role_api.update_role(role_id, role_ref)
|
||||
# Verify get_role returns the original role ref
|
||||
self.assertDictEqual(role_ref, self.role_api.get_role(role_id))
|
||||
self.assertDictEqual(role_ref, PROVIDERS.role_api.get_role(role_id))
|
||||
# Delete role bypassing the role api manager
|
||||
self.role_api.driver.delete_role(role_id)
|
||||
PROVIDERS.role_api.driver.delete_role(role_id)
|
||||
# Verify get_role still returns the role_ref
|
||||
self.assertDictEqual(role_ref, self.role_api.get_role(role_id))
|
||||
self.assertDictEqual(role_ref, PROVIDERS.role_api.get_role(role_id))
|
||||
# Invalidate cache
|
||||
self.role_api.get_role.invalidate(self.role_api, role_id)
|
||||
PROVIDERS.role_api.get_role.invalidate(PROVIDERS.role_api, role_id)
|
||||
# Verify RoleNotFound is now raised
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.get_role,
|
||||
PROVIDERS.role_api.get_role,
|
||||
role_id)
|
||||
# recreate role
|
||||
self.role_api.create_role(role_id, role)
|
||||
self.role_api.get_role(role_id)
|
||||
PROVIDERS.role_api.create_role(role_id, role)
|
||||
PROVIDERS.role_api.get_role(role_id)
|
||||
# delete role via the assignment api manager
|
||||
self.role_api.delete_role(role_id)
|
||||
PROVIDERS.role_api.delete_role(role_id)
|
||||
# verity RoleNotFound is now raised
|
||||
self.assertRaises(exception.RoleNotFound,
|
||||
self.role_api.get_role,
|
||||
PROVIDERS.role_api.get_role,
|
||||
role_id)
|
||||
|
|
|
@ -14,6 +14,7 @@ import ldap
|
|||
|
||||
|
||||
from keystone.common import cache
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import default_fixtures
|
||||
|
@ -22,6 +23,7 @@ from keystone.tests.unit.ksfixtures import ldapdb
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
def create_group_container(identity_api):
|
||||
|
@ -45,7 +47,9 @@ class BaseBackendLdapCommon(object):
|
|||
|
||||
def _get_domain_fixture(self):
|
||||
"""Return the static domain, since domains in LDAP are read-only."""
|
||||
return self.resource_api.get_domain(CONF.identity.default_domain_id)
|
||||
return PROVIDERS.resource_api.get_domain(
|
||||
CONF.identity.default_domain_id
|
||||
)
|
||||
|
||||
def get_config(self, domain_id):
|
||||
# Only one conf structure unless we are using separate domain backends
|
||||
|
@ -62,10 +66,13 @@ class BaseBackendLdapCommon(object):
|
|||
|
||||
def get_user_enabled_vals(self, user):
|
||||
user_dn = (
|
||||
self.identity_api.driver.user._id_to_dn_string(user['id']))
|
||||
PROVIDERS.identity_api.driver.user._id_to_dn_string(
|
||||
user['id']
|
||||
)
|
||||
)
|
||||
enabled_attr_name = CONF.ldap.user_enabled_attribute
|
||||
|
||||
ldap_ = self.identity_api.driver.user.get_connection()
|
||||
ldap_ = PROVIDERS.identity_api.driver.user.get_connection()
|
||||
res = ldap_.search_s(user_dn,
|
||||
ldap.SCOPE_BASE,
|
||||
u'(sn=%s)' % user['name'])
|
||||
|
@ -87,7 +94,7 @@ class BaseBackendLdap(object):
|
|||
|
||||
def load_fixtures(self, fixtures):
|
||||
# Override super impl since need to create group container.
|
||||
create_group_container(self.identity_api)
|
||||
create_group_container(PROVIDERS.identity_api)
|
||||
super(BaseBackendLdap, self).load_fixtures(fixtures)
|
||||
|
||||
|
||||
|
|
|
@ -19,9 +19,12 @@ from testtools import matchers
|
|||
|
||||
from keystone.catalog.backends import base
|
||||
from keystone.common import driver_hints
|
||||
from keystone.common import provider_api
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class CatalogTests(object):
|
||||
|
||||
|
@ -32,7 +35,7 @@ class CatalogTests(object):
|
|||
# create
|
||||
region_id = 'default'
|
||||
new_region = unit.new_region_ref(id=region_id)
|
||||
res = self.catalog_api.create_region(new_region)
|
||||
res = PROVIDERS.catalog_api.create_region(new_region)
|
||||
|
||||
# Ensure that we don't need to have a
|
||||
# parent_region_id in the original supplied
|
||||
|
@ -48,11 +51,11 @@ class CatalogTests(object):
|
|||
parent_region_id = region_id
|
||||
new_region = unit.new_region_ref(parent_region_id=parent_region_id)
|
||||
region_id = new_region['id']
|
||||
res = self.catalog_api.create_region(new_region)
|
||||
res = PROVIDERS.catalog_api.create_region(new_region)
|
||||
self.assertDictEqual(new_region, res)
|
||||
|
||||
# list
|
||||
regions = self.catalog_api.list_regions()
|
||||
regions = PROVIDERS.catalog_api.list_regions()
|
||||
self.assertThat(regions, matchers.HasLength(2))
|
||||
region_ids = [x['id'] for x in regions]
|
||||
self.assertIn(parent_region_id, region_ids)
|
||||
|
@ -60,27 +63,29 @@ class CatalogTests(object):
|
|||
|
||||
# update
|
||||
region_desc_update = {'description': uuid.uuid4().hex}
|
||||
res = self.catalog_api.update_region(region_id, region_desc_update)
|
||||
res = PROVIDERS.catalog_api.update_region(
|
||||
region_id, region_desc_update
|
||||
)
|
||||
expected_region = new_region.copy()
|
||||
expected_region['description'] = region_desc_update['description']
|
||||
self.assertDictEqual(expected_region, res)
|
||||
|
||||
# delete
|
||||
self.catalog_api.delete_region(parent_region_id)
|
||||
PROVIDERS.catalog_api.delete_region(parent_region_id)
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.delete_region,
|
||||
PROVIDERS.catalog_api.delete_region,
|
||||
parent_region_id)
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
parent_region_id)
|
||||
# Ensure the child is also gone...
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
region_id)
|
||||
|
||||
def _create_region_with_parent_id(self, parent_id=None):
|
||||
new_region = unit.new_region_ref(parent_region_id=parent_id)
|
||||
self.catalog_api.create_region(new_region)
|
||||
PROVIDERS.catalog_api.create_region(new_region)
|
||||
return new_region
|
||||
|
||||
def test_list_regions_filtered_by_parent_region_id(self):
|
||||
|
@ -92,7 +97,7 @@ class CatalogTests(object):
|
|||
# filter by parent_region_id
|
||||
hints = driver_hints.Hints()
|
||||
hints.add_filter('parent_region_id', parent_id)
|
||||
regions = self.catalog_api.list_regions(hints)
|
||||
regions = PROVIDERS.catalog_api.list_regions(hints)
|
||||
for region in regions:
|
||||
self.assertEqual(parent_id, region['parent_region_id'])
|
||||
|
||||
|
@ -100,67 +105,74 @@ class CatalogTests(object):
|
|||
def test_cache_layer_region_crud(self):
|
||||
new_region = unit.new_region_ref()
|
||||
region_id = new_region['id']
|
||||
self.catalog_api.create_region(new_region.copy())
|
||||
PROVIDERS.catalog_api.create_region(new_region.copy())
|
||||
updated_region = copy.deepcopy(new_region)
|
||||
updated_region['description'] = uuid.uuid4().hex
|
||||
# cache the result
|
||||
self.catalog_api.get_region(region_id)
|
||||
PROVIDERS.catalog_api.get_region(region_id)
|
||||
# update the region bypassing catalog_api
|
||||
self.catalog_api.driver.update_region(region_id, updated_region)
|
||||
self.assertDictContainsSubset(new_region,
|
||||
self.catalog_api.get_region(region_id))
|
||||
self.catalog_api.get_region.invalidate(self.catalog_api, region_id)
|
||||
self.assertDictContainsSubset(updated_region,
|
||||
self.catalog_api.get_region(region_id))
|
||||
PROVIDERS.catalog_api.driver.update_region(region_id, updated_region)
|
||||
self.assertDictContainsSubset(
|
||||
new_region, PROVIDERS.catalog_api.get_region(region_id)
|
||||
)
|
||||
PROVIDERS.catalog_api.get_region.invalidate(
|
||||
PROVIDERS.catalog_api, region_id
|
||||
)
|
||||
self.assertDictContainsSubset(
|
||||
updated_region, PROVIDERS.catalog_api.get_region(region_id)
|
||||
)
|
||||
# delete the region
|
||||
self.catalog_api.driver.delete_region(region_id)
|
||||
PROVIDERS.catalog_api.driver.delete_region(region_id)
|
||||
# still get the old region
|
||||
self.assertDictContainsSubset(updated_region,
|
||||
self.catalog_api.get_region(region_id))
|
||||
self.catalog_api.get_region.invalidate(self.catalog_api, region_id)
|
||||
self.assertDictContainsSubset(
|
||||
updated_region, PROVIDERS.catalog_api.get_region(region_id)
|
||||
)
|
||||
PROVIDERS.catalog_api.get_region.invalidate(
|
||||
PROVIDERS.catalog_api, region_id
|
||||
)
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region, region_id)
|
||||
PROVIDERS.catalog_api.get_region, region_id)
|
||||
|
||||
@unit.skip_if_cache_disabled('catalog')
|
||||
def test_invalidate_cache_when_updating_region(self):
|
||||
new_region = unit.new_region_ref()
|
||||
region_id = new_region['id']
|
||||
self.catalog_api.create_region(new_region)
|
||||
PROVIDERS.catalog_api.create_region(new_region)
|
||||
|
||||
# cache the region
|
||||
self.catalog_api.get_region(region_id)
|
||||
PROVIDERS.catalog_api.get_region(region_id)
|
||||
|
||||
# update the region via catalog_api
|
||||
new_description = {'description': uuid.uuid4().hex}
|
||||
self.catalog_api.update_region(region_id, new_description)
|
||||
PROVIDERS.catalog_api.update_region(region_id, new_description)
|
||||
|
||||
# assert that we can get the new region
|
||||
current_region = self.catalog_api.get_region(region_id)
|
||||
current_region = PROVIDERS.catalog_api.get_region(region_id)
|
||||
self.assertEqual(new_description['description'],
|
||||
current_region['description'])
|
||||
|
||||
def test_create_region_with_duplicate_id(self):
|
||||
new_region = unit.new_region_ref()
|
||||
self.catalog_api.create_region(new_region)
|
||||
PROVIDERS.catalog_api.create_region(new_region)
|
||||
# Create region again with duplicate id
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.catalog_api.create_region,
|
||||
PROVIDERS.catalog_api.create_region,
|
||||
new_region)
|
||||
|
||||
def test_get_region_returns_not_found(self):
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_delete_region_returns_not_found(self):
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.delete_region,
|
||||
PROVIDERS.catalog_api.delete_region,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_create_region_invalid_parent_region_returns_not_found(self):
|
||||
new_region = unit.new_region_ref(parent_region_id=uuid.uuid4().hex)
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.create_region,
|
||||
PROVIDERS.catalog_api.create_region,
|
||||
new_region)
|
||||
|
||||
def test_avoid_creating_circular_references_in_regions_update(self):
|
||||
|
@ -168,14 +180,14 @@ class CatalogTests(object):
|
|||
|
||||
# self circle: region_one->region_one
|
||||
self.assertRaises(exception.CircularRegionHierarchyError,
|
||||
self.catalog_api.update_region,
|
||||
PROVIDERS.catalog_api.update_region,
|
||||
region_one['id'],
|
||||
{'parent_region_id': region_one['id']})
|
||||
|
||||
# region_one->region_two->region_one
|
||||
region_two = self._create_region_with_parent_id(region_one['id'])
|
||||
self.assertRaises(exception.CircularRegionHierarchyError,
|
||||
self.catalog_api.update_region,
|
||||
PROVIDERS.catalog_api.update_region,
|
||||
region_one['id'],
|
||||
{'parent_region_id': region_two['id']})
|
||||
|
||||
|
@ -183,7 +195,7 @@ class CatalogTests(object):
|
|||
region_three = self._create_region_with_parent_id(region_two['id'])
|
||||
region_four = self._create_region_with_parent_id(region_three['id'])
|
||||
self.assertRaises(exception.CircularRegionHierarchyError,
|
||||
self.catalog_api.update_region,
|
||||
PROVIDERS.catalog_api.update_region,
|
||||
region_two['id'],
|
||||
{'parent_region_id': region_four['id']})
|
||||
|
||||
|
@ -196,77 +208,79 @@ class CatalogTests(object):
|
|||
region_one = self._create_region_with_parent_id()
|
||||
|
||||
# self circle: region_one->region_one
|
||||
self.catalog_api.update_region(
|
||||
PROVIDERS.catalog_api.update_region(
|
||||
region_one['id'],
|
||||
{'parent_region_id': region_one['id']})
|
||||
self.catalog_api.delete_region(region_one['id'])
|
||||
PROVIDERS.catalog_api.delete_region(region_one['id'])
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
region_one['id'])
|
||||
|
||||
# region_one->region_two->region_one
|
||||
region_one = self._create_region_with_parent_id()
|
||||
region_two = self._create_region_with_parent_id(region_one['id'])
|
||||
self.catalog_api.update_region(
|
||||
PROVIDERS.catalog_api.update_region(
|
||||
region_one['id'],
|
||||
{'parent_region_id': region_two['id']})
|
||||
self.catalog_api.delete_region(region_one['id'])
|
||||
PROVIDERS.catalog_api.delete_region(region_one['id'])
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
region_one['id'])
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
region_two['id'])
|
||||
|
||||
# region_one->region_two->region_three->region_one
|
||||
region_one = self._create_region_with_parent_id()
|
||||
region_two = self._create_region_with_parent_id(region_one['id'])
|
||||
region_three = self._create_region_with_parent_id(region_two['id'])
|
||||
self.catalog_api.update_region(
|
||||
PROVIDERS.catalog_api.update_region(
|
||||
region_one['id'],
|
||||
{'parent_region_id': region_three['id']})
|
||||
self.catalog_api.delete_region(region_two['id'])
|
||||
PROVIDERS.catalog_api.delete_region(region_two['id'])
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
region_two['id'])
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
region_one['id'])
|
||||
self.assertRaises(exception.RegionNotFound,
|
||||
self.catalog_api.get_region,
|
||||
PROVIDERS.catalog_api.get_region,
|
||||
region_three['id'])
|
||||
|
||||
def test_service_crud(self):
|
||||
# create
|
||||
new_service = unit.new_service_ref()
|
||||
service_id = new_service['id']
|
||||
res = self.catalog_api.create_service(service_id, new_service)
|
||||
res = PROVIDERS.catalog_api.create_service(service_id, new_service)
|
||||
self.assertDictEqual(new_service, res)
|
||||
|
||||
# list
|
||||
services = self.catalog_api.list_services()
|
||||
services = PROVIDERS.catalog_api.list_services()
|
||||
self.assertIn(service_id, [x['id'] for x in services])
|
||||
|
||||
# update
|
||||
service_name_update = {'name': uuid.uuid4().hex}
|
||||
res = self.catalog_api.update_service(service_id, service_name_update)
|
||||
res = PROVIDERS.catalog_api.update_service(
|
||||
service_id, service_name_update
|
||||
)
|
||||
expected_service = new_service.copy()
|
||||
expected_service['name'] = service_name_update['name']
|
||||
self.assertDictEqual(expected_service, res)
|
||||
|
||||
# delete
|
||||
self.catalog_api.delete_service(service_id)
|
||||
PROVIDERS.catalog_api.delete_service(service_id)
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_api.delete_service,
|
||||
PROVIDERS.catalog_api.delete_service,
|
||||
service_id)
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_api.get_service,
|
||||
PROVIDERS.catalog_api.get_service,
|
||||
service_id)
|
||||
|
||||
def _create_random_service(self):
|
||||
new_service = unit.new_service_ref()
|
||||
service_id = new_service['id']
|
||||
return self.catalog_api.create_service(service_id, new_service)
|
||||
return PROVIDERS.catalog_api.create_service(service_id, new_service)
|
||||
|
||||
def test_service_filtering(self):
|
||||
target_service = self._create_random_service()
|
||||
|
@ -276,7 +290,7 @@ class CatalogTests(object):
|
|||
# filter by type
|
||||
hint_for_type = driver_hints.Hints()
|
||||
hint_for_type.add_filter(name="type", value=target_service['type'])
|
||||
services = self.catalog_api.list_services(hint_for_type)
|
||||
services = PROVIDERS.catalog_api.list_services(hint_for_type)
|
||||
|
||||
self.assertEqual(1, len(services))
|
||||
filtered_service = services[0]
|
||||
|
@ -291,145 +305,156 @@ class CatalogTests(object):
|
|||
# front end
|
||||
hint_for_name = driver_hints.Hints()
|
||||
hint_for_name.add_filter(name="name", value=target_service['name'])
|
||||
services = self.catalog_api.list_services(hint_for_name)
|
||||
services = PROVIDERS.catalog_api.list_services(hint_for_name)
|
||||
|
||||
self.assertEqual(3, len(services))
|
||||
|
||||
# filter should still be there, since it wasn't used by the backend
|
||||
self.assertEqual(1, len(hint_for_name.filters))
|
||||
|
||||
self.catalog_api.delete_service(target_service['id'])
|
||||
self.catalog_api.delete_service(unrelated_service1['id'])
|
||||
self.catalog_api.delete_service(unrelated_service2['id'])
|
||||
PROVIDERS.catalog_api.delete_service(target_service['id'])
|
||||
PROVIDERS.catalog_api.delete_service(unrelated_service1['id'])
|
||||
PROVIDERS.catalog_api.delete_service(unrelated_service2['id'])
|
||||
|
||||
@unit.skip_if_cache_disabled('catalog')
|
||||
def test_cache_layer_service_crud(self):
|
||||
new_service = unit.new_service_ref()
|
||||
service_id = new_service['id']
|
||||
res = self.catalog_api.create_service(service_id, new_service)
|
||||
res = PROVIDERS.catalog_api.create_service(service_id, new_service)
|
||||
self.assertDictEqual(new_service, res)
|
||||
self.catalog_api.get_service(service_id)
|
||||
PROVIDERS.catalog_api.get_service(service_id)
|
||||
updated_service = copy.deepcopy(new_service)
|
||||
updated_service['description'] = uuid.uuid4().hex
|
||||
# update bypassing catalog api
|
||||
self.catalog_api.driver.update_service(service_id, updated_service)
|
||||
self.assertDictContainsSubset(new_service,
|
||||
self.catalog_api.get_service(service_id))
|
||||
self.catalog_api.get_service.invalidate(self.catalog_api, service_id)
|
||||
self.assertDictContainsSubset(updated_service,
|
||||
self.catalog_api.get_service(service_id))
|
||||
PROVIDERS.catalog_api.driver.update_service(
|
||||
service_id, updated_service
|
||||
)
|
||||
self.assertDictContainsSubset(
|
||||
new_service, PROVIDERS.catalog_api.get_service(service_id)
|
||||
)
|
||||
PROVIDERS.catalog_api.get_service.invalidate(
|
||||
PROVIDERS.catalog_api, service_id
|
||||
)
|
||||
self.assertDictContainsSubset(
|
||||
updated_service, PROVIDERS.catalog_api.get_service(service_id)
|
||||
)
|
||||
|
||||
# delete bypassing catalog api
|
||||
self.catalog_api.driver.delete_service(service_id)
|
||||
self.assertDictContainsSubset(updated_service,
|
||||
self.catalog_api.get_service(service_id))
|
||||
self.catalog_api.get_service.invalidate(self.catalog_api, service_id)
|
||||
PROVIDERS.catalog_api.driver.delete_service(service_id)
|
||||
self.assertDictContainsSubset(
|
||||
updated_service, PROVIDERS.catalog_api.get_service(service_id)
|
||||
)
|
||||
PROVIDERS.catalog_api.get_service.invalidate(
|
||||
PROVIDERS.catalog_api, service_id
|
||||
)
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_api.delete_service,
|
||||
PROVIDERS.catalog_api.delete_service,
|
||||
service_id)
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_api.get_service,
|
||||
PROVIDERS.catalog_api.get_service,
|
||||
service_id)
|
||||
|
||||
@unit.skip_if_cache_disabled('catalog')
|
||||
def test_invalidate_cache_when_updating_service(self):
|
||||
new_service = unit.new_service_ref()
|
||||
service_id = new_service['id']
|
||||
self.catalog_api.create_service(service_id, new_service)
|
||||
PROVIDERS.catalog_api.create_service(service_id, new_service)
|
||||
|
||||
# cache the service
|
||||
self.catalog_api.get_service(service_id)
|
||||
PROVIDERS.catalog_api.get_service(service_id)
|
||||
|
||||
# update the service via catalog api
|
||||
new_type = {'type': uuid.uuid4().hex}
|
||||
self.catalog_api.update_service(service_id, new_type)
|
||||
PROVIDERS.catalog_api.update_service(service_id, new_type)
|
||||
|
||||
# assert that we can get the new service
|
||||
current_service = self.catalog_api.get_service(service_id)
|
||||
current_service = PROVIDERS.catalog_api.get_service(service_id)
|
||||
self.assertEqual(new_type['type'], current_service['type'])
|
||||
|
||||
def test_delete_service_with_endpoint(self):
|
||||
# create a service
|
||||
service = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service['id'], service)
|
||||
PROVIDERS.catalog_api.create_service(service['id'], service)
|
||||
|
||||
# create an endpoint attached to the service
|
||||
endpoint = unit.new_endpoint_ref(service_id=service['id'],
|
||||
region_id=None)
|
||||
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
|
||||
# deleting the service should also delete the endpoint
|
||||
self.catalog_api.delete_service(service['id'])
|
||||
PROVIDERS.catalog_api.delete_service(service['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.get_endpoint,
|
||||
PROVIDERS.catalog_api.get_endpoint,
|
||||
endpoint['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.delete_endpoint,
|
||||
PROVIDERS.catalog_api.delete_endpoint,
|
||||
endpoint['id'])
|
||||
|
||||
def test_cache_layer_delete_service_with_endpoint(self):
|
||||
service = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service['id'], service)
|
||||
PROVIDERS.catalog_api.create_service(service['id'], service)
|
||||
|
||||
# create an endpoint attached to the service
|
||||
endpoint = unit.new_endpoint_ref(service_id=service['id'],
|
||||
region_id=None)
|
||||
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
# cache the result
|
||||
self.catalog_api.get_service(service['id'])
|
||||
self.catalog_api.get_endpoint(endpoint['id'])
|
||||
PROVIDERS.catalog_api.get_service(service['id'])
|
||||
PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
|
||||
# delete the service bypassing catalog api
|
||||
self.catalog_api.driver.delete_service(service['id'])
|
||||
PROVIDERS.catalog_api.driver.delete_service(service['id'])
|
||||
self.assertDictContainsSubset(endpoint,
|
||||
self.catalog_api.
|
||||
PROVIDERS.catalog_api.
|
||||
get_endpoint(endpoint['id']))
|
||||
self.assertDictContainsSubset(service,
|
||||
self.catalog_api.
|
||||
PROVIDERS.catalog_api.
|
||||
get_service(service['id']))
|
||||
self.catalog_api.get_endpoint.invalidate(self.catalog_api,
|
||||
endpoint['id'])
|
||||
PROVIDERS.catalog_api.get_endpoint.invalidate(
|
||||
PROVIDERS.catalog_api, endpoint['id']
|
||||
)
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.get_endpoint,
|
||||
PROVIDERS.catalog_api.get_endpoint,
|
||||
endpoint['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.delete_endpoint,
|
||||
PROVIDERS.catalog_api.delete_endpoint,
|
||||
endpoint['id'])
|
||||
# multiple endpoints associated with a service
|
||||
second_endpoint = unit.new_endpoint_ref(service_id=service['id'],
|
||||
region_id=None)
|
||||
self.catalog_api.create_service(service['id'], service)
|
||||
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
self.catalog_api.create_endpoint(second_endpoint['id'],
|
||||
second_endpoint)
|
||||
self.catalog_api.delete_service(service['id'])
|
||||
PROVIDERS.catalog_api.create_service(service['id'], service)
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
PROVIDERS.catalog_api.create_endpoint(
|
||||
second_endpoint['id'], second_endpoint
|
||||
)
|
||||
PROVIDERS.catalog_api.delete_service(service['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.get_endpoint,
|
||||
PROVIDERS.catalog_api.get_endpoint,
|
||||
endpoint['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.delete_endpoint,
|
||||
PROVIDERS.catalog_api.delete_endpoint,
|
||||
endpoint['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.get_endpoint,
|
||||
PROVIDERS.catalog_api.get_endpoint,
|
||||
second_endpoint['id'])
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.delete_endpoint,
|
||||
PROVIDERS.catalog_api.delete_endpoint,
|
||||
second_endpoint['id'])
|
||||
|
||||
def test_get_service_returns_not_found(self):
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_api.get_service,
|
||||
PROVIDERS.catalog_api.get_service,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_delete_service_returns_not_found(self):
|
||||
self.assertRaises(exception.ServiceNotFound,
|
||||
self.catalog_api.delete_service,
|
||||
PROVIDERS.catalog_api.delete_service,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_create_endpoint_nonexistent_service(self):
|
||||
endpoint = unit.new_endpoint_ref(service_id=uuid.uuid4().hex,
|
||||
region_id=None)
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.catalog_api.create_endpoint,
|
||||
PROVIDERS.catalog_api.create_endpoint,
|
||||
endpoint['id'],
|
||||
endpoint)
|
||||
|
||||
|
@ -438,17 +463,17 @@ class CatalogTests(object):
|
|||
self._create_endpoints())
|
||||
new_endpoint = unit.new_endpoint_ref(service_id=uuid.uuid4().hex)
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.catalog_api.update_endpoint,
|
||||
PROVIDERS.catalog_api.update_endpoint,
|
||||
enabled_endpoint['id'],
|
||||
new_endpoint)
|
||||
|
||||
def test_create_endpoint_nonexistent_region(self):
|
||||
service = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service['id'], service)
|
||||
PROVIDERS.catalog_api.create_service(service['id'], service)
|
||||
|
||||
endpoint = unit.new_endpoint_ref(service_id=service['id'])
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.catalog_api.create_endpoint,
|
||||
PROVIDERS.catalog_api.create_endpoint,
|
||||
endpoint['id'],
|
||||
endpoint)
|
||||
|
||||
|
@ -457,33 +482,34 @@ class CatalogTests(object):
|
|||
self._create_endpoints())
|
||||
new_endpoint = unit.new_endpoint_ref(service_id=uuid.uuid4().hex)
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.catalog_api.update_endpoint,
|
||||
PROVIDERS.catalog_api.update_endpoint,
|
||||
enabled_endpoint['id'],
|
||||
new_endpoint)
|
||||
|
||||
def test_get_endpoint_returns_not_found(self):
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.get_endpoint,
|
||||
PROVIDERS.catalog_api.get_endpoint,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_delete_endpoint_returns_not_found(self):
|
||||
self.assertRaises(exception.EndpointNotFound,
|
||||
self.catalog_api.delete_endpoint,
|
||||
PROVIDERS.catalog_api.delete_endpoint,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_create_endpoint(self):
|
||||
service = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service['id'], service)
|
||||
PROVIDERS.catalog_api.create_service(service['id'], service)
|
||||
|
||||
endpoint = unit.new_endpoint_ref(service_id=service['id'],
|
||||
region_id=None)
|
||||
self.catalog_api.create_endpoint(endpoint['id'], endpoint.copy())
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint.copy())
|
||||
|
||||
def test_update_endpoint(self):
|
||||
dummy_service_ref, endpoint_ref, dummy_disabled_endpoint_ref = (
|
||||
self._create_endpoints())
|
||||
res = self.catalog_api.update_endpoint(endpoint_ref['id'],
|
||||
{'interface': 'private'})
|
||||
res = PROVIDERS.catalog_api.update_endpoint(
|
||||
endpoint_ref['id'], {'interface': 'private'}
|
||||
)
|
||||
expected_endpoint = endpoint_ref.copy()
|
||||
expected_endpoint['enabled'] = True
|
||||
expected_endpoint['interface'] = 'private'
|
||||
|
@ -505,16 +531,16 @@ class CatalogTests(object):
|
|||
url='http://localhost/%s' % uuid.uuid4().hex,
|
||||
**kwargs)
|
||||
|
||||
self.catalog_api.create_endpoint(ref['id'], ref)
|
||||
PROVIDERS.catalog_api.create_endpoint(ref['id'], ref)
|
||||
return ref
|
||||
|
||||
# Create a service for use with the endpoints.
|
||||
service_ref = unit.new_service_ref()
|
||||
service_id = service_ref['id']
|
||||
self.catalog_api.create_service(service_id, service_ref)
|
||||
PROVIDERS.catalog_api.create_service(service_id, service_ref)
|
||||
|
||||
region = unit.new_region_ref()
|
||||
self.catalog_api.create_region(region)
|
||||
PROVIDERS.catalog_api.create_region(region)
|
||||
|
||||
# Create endpoints
|
||||
enabled_endpoint_ref = create_endpoint(service_id, region['id'])
|
||||
|
@ -525,16 +551,16 @@ class CatalogTests(object):
|
|||
|
||||
def test_list_endpoints(self):
|
||||
service = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service['id'], service)
|
||||
PROVIDERS.catalog_api.create_service(service['id'], service)
|
||||
|
||||
expected_ids = set([uuid.uuid4().hex for _ in range(3)])
|
||||
for endpoint_id in expected_ids:
|
||||
endpoint = unit.new_endpoint_ref(service_id=service['id'],
|
||||
id=endpoint_id,
|
||||
region_id=None)
|
||||
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
|
||||
endpoints = self.catalog_api.list_endpoints()
|
||||
endpoints = PROVIDERS.catalog_api.list_endpoints()
|
||||
self.assertEqual(expected_ids, set(e['id'] for e in endpoints))
|
||||
|
||||
def test_get_v3_catalog_endpoint_disabled(self):
|
||||
|
@ -545,8 +571,9 @@ class CatalogTests(object):
|
|||
# Use the project created by the default fixture since the project
|
||||
# should exist if we want to filter the catalog by the project or
|
||||
# replace the url with a valid project id.
|
||||
catalog = self.catalog_api.get_v3_catalog(user_id,
|
||||
self.tenant_bar['id'])
|
||||
catalog = PROVIDERS.catalog_api.get_v3_catalog(
|
||||
user_id, self.tenant_bar['id']
|
||||
)
|
||||
|
||||
endpoint_ids = [x['id'] for x in catalog[0]['endpoints']]
|
||||
self.assertEqual([enabled_endpoint_ref['id']], endpoint_ids)
|
||||
|
@ -554,20 +581,20 @@ class CatalogTests(object):
|
|||
@unit.skip_if_cache_disabled('catalog')
|
||||
def test_invalidate_cache_when_updating_endpoint(self):
|
||||
service = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service['id'], service)
|
||||
PROVIDERS.catalog_api.create_service(service['id'], service)
|
||||
|
||||
# create an endpoint attached to the service
|
||||
endpoint = unit.new_endpoint_ref(service_id=service['id'],
|
||||
region_id=None)
|
||||
self.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
|
||||
|
||||
# cache the endpoint
|
||||
self.catalog_api.get_endpoint(endpoint['id'])
|
||||
PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
|
||||
|
||||
# update the endpoint via catalog api
|
||||
new_url = {'url': uuid.uuid4().hex}
|
||||
self.catalog_api.update_endpoint(endpoint['id'], new_url)
|
||||
PROVIDERS.catalog_api.update_endpoint(endpoint['id'], new_url)
|
||||
|
||||
# assert that we can get the new endpoint
|
||||
current_endpoint = self.catalog_api.get_endpoint(endpoint['id'])
|
||||
current_endpoint = PROVIDERS.catalog_api.get_endpoint(endpoint['id'])
|
||||
self.assertEqual(new_url['url'], current_endpoint['url'])
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
|
||||
import uuid
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
|
@ -20,6 +21,7 @@ from keystone.tests.unit import test_v3
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class DuplicateTestCase(test_v3.RestfulTestCase):
|
||||
|
@ -34,10 +36,10 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_domain_duplicate_conflict_gives_name(self):
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
domain['id'] = uuid.uuid4().hex
|
||||
try:
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("%s" % domain['name'], repr(e))
|
||||
else:
|
||||
|
@ -45,10 +47,10 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_project_duplicate_conflict_gives_name(self):
|
||||
project = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project['id'], project)
|
||||
PROVIDERS.resource_api.create_project(project['id'], project)
|
||||
project['id'] = uuid.uuid4().hex
|
||||
try:
|
||||
self.resource_api.create_project(project['id'], project)
|
||||
PROVIDERS.resource_api.create_project(project['id'], project)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("%s" % project['name'], repr(e))
|
||||
else:
|
||||
|
@ -56,10 +58,10 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_user_duplicate_conflict_gives_name(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
user = PROVIDERS.identity_api.create_user(user)
|
||||
user['id'] = uuid.uuid4().hex
|
||||
try:
|
||||
self.identity_api.create_user(user)
|
||||
PROVIDERS.identity_api.create_user(user)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with name %s" % user['name'],
|
||||
repr(e))
|
||||
|
@ -68,10 +70,10 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_role_duplicate_conflict_gives_name(self):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
role['id'] = uuid.uuid4().hex
|
||||
try:
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with name %s" % role['name'],
|
||||
repr(e))
|
||||
|
@ -80,9 +82,9 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_group_duplicate_conflict_gives_name(self):
|
||||
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
|
||||
group = self.identity_api.create_group(group)
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
try:
|
||||
self.identity_api.create_group(group)
|
||||
PROVIDERS.identity_api.create_group(group)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with name %s"
|
||||
% group['name'], repr(e))
|
||||
|
@ -91,9 +93,9 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_policy_duplicate_conflict_gives_name(self):
|
||||
policy_ref = unit.new_policy_ref()
|
||||
self.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
try:
|
||||
self.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with name %s"
|
||||
% policy_ref['name'], repr(e))
|
||||
|
@ -103,9 +105,13 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
def test_credential_duplicate_conflict_gives_name(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
credential = unit.new_credential_ref(user_id=user['id'])
|
||||
self.credential_api.create_credential(credential['id'], credential)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential['id'], credential
|
||||
)
|
||||
try:
|
||||
self.credential_api.create_credential(credential['id'], credential)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential['id'], credential
|
||||
)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with ID %s"
|
||||
% credential['id'], repr(e))
|
||||
|
@ -114,15 +120,19 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_trust_duplicate_conflict_gives_name(self):
|
||||
trustor = unit.new_user_ref(domain_id=self.domain_id)
|
||||
trustor = self.identity_api.create_user(trustor)
|
||||
trustor = PROVIDERS.identity_api.create_user(trustor)
|
||||
trustee = unit.new_user_ref(domain_id=self.domain_id)
|
||||
trustee = self.identity_api.create_user(trustee)
|
||||
trustee = PROVIDERS.identity_api.create_user(trustee)
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
trust_ref = unit.new_trust_ref(trustor['id'], trustee['id'])
|
||||
self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
trust_ref['id'], trust_ref, [role_ref]
|
||||
)
|
||||
try:
|
||||
self.trust_api.create_trust(trust_ref['id'], trust_ref, [role_ref])
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
trust_ref['id'], trust_ref, [role_ref]
|
||||
)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with ID %s"
|
||||
% trust_ref['id'], repr(e))
|
||||
|
@ -132,11 +142,13 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
def test_mapping_duplicate_conflict_gives_name(self):
|
||||
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
|
||||
self.mapping['id'] = uuid.uuid4().hex
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
try:
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with ID %s"
|
||||
% self.mapping['id'], repr(e))
|
||||
|
@ -146,11 +158,13 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
def test_mapping_duplicate_conflict_with_id_in_id(self):
|
||||
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
|
||||
self.mapping['id'] = 'mapping_with_id_in_the_id'
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
try:
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with ID %s"
|
||||
% self.mapping['id'], repr(e))
|
||||
|
@ -158,9 +172,9 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_region_duplicate_conflict_gives_name(self):
|
||||
region_ref = unit.new_region_ref()
|
||||
self.catalog_api.create_region(region_ref)
|
||||
PROVIDERS.catalog_api.create_region(region_ref)
|
||||
try:
|
||||
self.catalog_api.create_region(region_ref)
|
||||
PROVIDERS.catalog_api.create_region(region_ref)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate ID, %s" % region_ref['id'], repr(e))
|
||||
else:
|
||||
|
@ -172,22 +186,23 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
'enabled': True,
|
||||
'description': uuid.uuid4().hex
|
||||
}
|
||||
self.federation_api.create_idp(self.idp['id'], self.idp)
|
||||
PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
|
||||
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
|
||||
self.mapping['id'] = uuid.uuid4().hex
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
protocol = {
|
||||
'id': uuid.uuid4().hex,
|
||||
'mapping_id': self.mapping['id']
|
||||
}
|
||||
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
protocol_ret = PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
try:
|
||||
self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with ID %s"
|
||||
% protocol_ret['id'], repr(e))
|
||||
|
@ -201,22 +216,23 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
'enabled': True,
|
||||
'description': uuid.uuid4().hex
|
||||
}
|
||||
self.federation_api.create_idp(self.idp['id'], self.idp)
|
||||
PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
|
||||
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
|
||||
self.mapping['id'] = uuid.uuid4().hex
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
protocol = {
|
||||
'id': 'federation_protocol_with_id_in_the_id',
|
||||
'mapping_id': self.mapping['id']
|
||||
}
|
||||
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
protocol_ret = PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
try:
|
||||
self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with ID %s"
|
||||
% protocol_ret['id'], repr(e))
|
||||
|
@ -228,22 +244,23 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
'enabled': True,
|
||||
'description': uuid.uuid4().hex
|
||||
}
|
||||
self.federation_api.create_idp(self.idp['id'], self.idp)
|
||||
PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
|
||||
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
|
||||
self.mapping['id'] = uuid.uuid4().hex
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
protocol = {
|
||||
'id': uuid.uuid4().hex,
|
||||
'mapping_id': self.mapping['id']
|
||||
}
|
||||
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
protocol_ret = PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
try:
|
||||
self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with ID %s"
|
||||
% protocol_ret['id'], repr(e))
|
||||
|
@ -257,9 +274,9 @@ class DuplicateTestCase(test_v3.RestfulTestCase):
|
|||
'sp_url': uuid.uuid4().hex,
|
||||
'relay_state_prefix': CONF.saml.relay_state_prefix,
|
||||
}
|
||||
service_ref = self.federation_api.create_sp('SP1', sp)
|
||||
service_ref = PROVIDERS.federation_api.create_sp('SP1', sp)
|
||||
try:
|
||||
self.federation_api.create_sp('SP1', sp)
|
||||
PROVIDERS.federation_api.create_sp('SP1', sp)
|
||||
except exception.Conflict as e:
|
||||
self.assertIn("Duplicate entry found with ID %s"
|
||||
% service_ref['id'], repr(e))
|
||||
|
|
|
@ -25,6 +25,7 @@ from pycadf import cadftype
|
|||
from pycadf import eventfactory
|
||||
from pycadf import resource as cadfresource
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone import notifications
|
||||
|
@ -33,6 +34,7 @@ from keystone.tests.unit import test_v3
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
EXP_RESOURCE_TYPE = uuid.uuid4().hex
|
||||
CREATED_OPERATION = notifications.ACTIONS.created
|
||||
|
@ -363,14 +365,14 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_create_group(self):
|
||||
group_ref = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group_ref = self.identity_api.create_group(group_ref)
|
||||
group_ref = PROVIDERS.identity_api.create_group(group_ref)
|
||||
self._assert_last_note(group_ref['id'], CREATED_OPERATION, 'group')
|
||||
self._assert_last_audit(group_ref['id'], CREATED_OPERATION, 'group',
|
||||
cadftaxonomy.SECURITY_GROUP)
|
||||
|
||||
def test_create_project(self):
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
self._assert_last_note(
|
||||
project_ref['id'], CREATED_OPERATION, 'project')
|
||||
self._assert_last_audit(project_ref['id'], CREATED_OPERATION,
|
||||
|
@ -378,30 +380,30 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_create_role(self):
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
self._assert_last_note(role_ref['id'], CREATED_OPERATION, 'role')
|
||||
self._assert_last_audit(role_ref['id'], CREATED_OPERATION, 'role',
|
||||
cadftaxonomy.SECURITY_ROLE)
|
||||
|
||||
def test_create_user(self):
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
self._assert_last_note(user_ref['id'], CREATED_OPERATION, 'user')
|
||||
self._assert_last_audit(user_ref['id'], CREATED_OPERATION, 'user',
|
||||
cadftaxonomy.SECURITY_ACCOUNT_USER)
|
||||
|
||||
def test_create_trust(self):
|
||||
trustor = unit.new_user_ref(domain_id=self.domain_id)
|
||||
trustor = self.identity_api.create_user(trustor)
|
||||
trustor = PROVIDERS.identity_api.create_user(trustor)
|
||||
trustee = unit.new_user_ref(domain_id=self.domain_id)
|
||||
trustee = self.identity_api.create_user(trustee)
|
||||
trustee = PROVIDERS.identity_api.create_user(trustee)
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
trust_ref = unit.new_trust_ref(trustor['id'],
|
||||
trustee['id'])
|
||||
self.trust_api.create_trust(trust_ref['id'],
|
||||
trust_ref,
|
||||
[role_ref])
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
trust_ref['id'], trust_ref, [role_ref]
|
||||
)
|
||||
self._assert_last_note(
|
||||
trust_ref['id'], CREATED_OPERATION, 'OS-TRUST:trust')
|
||||
self._assert_last_audit(trust_ref['id'], CREATED_OPERATION,
|
||||
|
@ -409,16 +411,16 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_delete_group(self):
|
||||
group_ref = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group_ref = self.identity_api.create_group(group_ref)
|
||||
self.identity_api.delete_group(group_ref['id'])
|
||||
group_ref = PROVIDERS.identity_api.create_group(group_ref)
|
||||
PROVIDERS.identity_api.delete_group(group_ref['id'])
|
||||
self._assert_last_note(group_ref['id'], DELETED_OPERATION, 'group')
|
||||
self._assert_last_audit(group_ref['id'], DELETED_OPERATION, 'group',
|
||||
cadftaxonomy.SECURITY_GROUP)
|
||||
|
||||
def test_delete_project(self):
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
self.resource_api.delete_project(project_ref['id'])
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.delete_project(project_ref['id'])
|
||||
self._assert_last_note(
|
||||
project_ref['id'], DELETED_OPERATION, 'project')
|
||||
self._assert_last_audit(project_ref['id'], DELETED_OPERATION,
|
||||
|
@ -426,57 +428,57 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_delete_role(self):
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
self.role_api.delete_role(role_ref['id'])
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.delete_role(role_ref['id'])
|
||||
self._assert_last_note(role_ref['id'], DELETED_OPERATION, 'role')
|
||||
self._assert_last_audit(role_ref['id'], DELETED_OPERATION, 'role',
|
||||
cadftaxonomy.SECURITY_ROLE)
|
||||
|
||||
def test_delete_user(self):
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
self.identity_api.delete_user(user_ref['id'])
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
PROVIDERS.identity_api.delete_user(user_ref['id'])
|
||||
self._assert_last_note(user_ref['id'], DELETED_OPERATION, 'user')
|
||||
self._assert_last_audit(user_ref['id'], DELETED_OPERATION, 'user',
|
||||
cadftaxonomy.SECURITY_ACCOUNT_USER)
|
||||
|
||||
def test_create_domain(self):
|
||||
domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
self._assert_last_note(domain_ref['id'], CREATED_OPERATION, 'domain')
|
||||
self._assert_last_audit(domain_ref['id'], CREATED_OPERATION, 'domain',
|
||||
cadftaxonomy.SECURITY_DOMAIN)
|
||||
|
||||
def test_update_domain(self):
|
||||
domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
domain_ref['description'] = uuid.uuid4().hex
|
||||
self.resource_api.update_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.update_domain(domain_ref['id'], domain_ref)
|
||||
self._assert_last_note(domain_ref['id'], UPDATED_OPERATION, 'domain')
|
||||
self._assert_last_audit(domain_ref['id'], UPDATED_OPERATION, 'domain',
|
||||
cadftaxonomy.SECURITY_DOMAIN)
|
||||
|
||||
def test_delete_domain(self):
|
||||
domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
domain_ref['enabled'] = False
|
||||
self.resource_api.update_domain(domain_ref['id'], domain_ref)
|
||||
self.resource_api.delete_domain(domain_ref['id'])
|
||||
PROVIDERS.resource_api.update_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.delete_domain(domain_ref['id'])
|
||||
self._assert_last_note(domain_ref['id'], DELETED_OPERATION, 'domain')
|
||||
self._assert_last_audit(domain_ref['id'], DELETED_OPERATION, 'domain',
|
||||
cadftaxonomy.SECURITY_DOMAIN)
|
||||
|
||||
def test_delete_trust(self):
|
||||
trustor = unit.new_user_ref(domain_id=self.domain_id)
|
||||
trustor = self.identity_api.create_user(trustor)
|
||||
trustor = PROVIDERS.identity_api.create_user(trustor)
|
||||
trustee = unit.new_user_ref(domain_id=self.domain_id)
|
||||
trustee = self.identity_api.create_user(trustee)
|
||||
trustee = PROVIDERS.identity_api.create_user(trustee)
|
||||
role_ref = unit.new_role_ref()
|
||||
trust_ref = unit.new_trust_ref(trustor['id'], trustee['id'])
|
||||
self.trust_api.create_trust(trust_ref['id'],
|
||||
trust_ref,
|
||||
[role_ref])
|
||||
self.trust_api.delete_trust(trust_ref['id'])
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
trust_ref['id'], trust_ref, [role_ref]
|
||||
)
|
||||
PROVIDERS.trust_api.delete_trust(trust_ref['id'])
|
||||
self._assert_last_note(
|
||||
trust_ref['id'], DELETED_OPERATION, 'OS-TRUST:trust')
|
||||
self._assert_last_audit(trust_ref['id'], DELETED_OPERATION,
|
||||
|
@ -486,7 +488,7 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
endpoint_ref = unit.new_endpoint_ref(service_id=self.service_id,
|
||||
interface='public',
|
||||
region_id=self.region_id)
|
||||
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
self._assert_notify_sent(endpoint_ref['id'], CREATED_OPERATION,
|
||||
'endpoint')
|
||||
self._assert_last_audit(endpoint_ref['id'], CREATED_OPERATION,
|
||||
|
@ -496,8 +498,8 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
endpoint_ref = unit.new_endpoint_ref(service_id=self.service_id,
|
||||
interface='public',
|
||||
region_id=self.region_id)
|
||||
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
self.catalog_api.update_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
PROVIDERS.catalog_api.update_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
self._assert_notify_sent(endpoint_ref['id'], UPDATED_OPERATION,
|
||||
'endpoint')
|
||||
self._assert_last_audit(endpoint_ref['id'], UPDATED_OPERATION,
|
||||
|
@ -507,8 +509,8 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
endpoint_ref = unit.new_endpoint_ref(service_id=self.service_id,
|
||||
interface='public',
|
||||
region_id=self.region_id)
|
||||
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
self.catalog_api.delete_endpoint(endpoint_ref['id'])
|
||||
PROVIDERS.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref)
|
||||
PROVIDERS.catalog_api.delete_endpoint(endpoint_ref['id'])
|
||||
self._assert_notify_sent(endpoint_ref['id'], DELETED_OPERATION,
|
||||
'endpoint')
|
||||
self._assert_last_audit(endpoint_ref['id'], DELETED_OPERATION,
|
||||
|
@ -516,7 +518,7 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_create_service(self):
|
||||
service_ref = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service_ref['id'], service_ref)
|
||||
PROVIDERS.catalog_api.create_service(service_ref['id'], service_ref)
|
||||
self._assert_notify_sent(service_ref['id'], CREATED_OPERATION,
|
||||
'service')
|
||||
self._assert_last_audit(service_ref['id'], CREATED_OPERATION,
|
||||
|
@ -524,8 +526,8 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_update_service(self):
|
||||
service_ref = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service_ref['id'], service_ref)
|
||||
self.catalog_api.update_service(service_ref['id'], service_ref)
|
||||
PROVIDERS.catalog_api.create_service(service_ref['id'], service_ref)
|
||||
PROVIDERS.catalog_api.update_service(service_ref['id'], service_ref)
|
||||
self._assert_notify_sent(service_ref['id'], UPDATED_OPERATION,
|
||||
'service')
|
||||
self._assert_last_audit(service_ref['id'], UPDATED_OPERATION,
|
||||
|
@ -533,8 +535,8 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_delete_service(self):
|
||||
service_ref = unit.new_service_ref()
|
||||
self.catalog_api.create_service(service_ref['id'], service_ref)
|
||||
self.catalog_api.delete_service(service_ref['id'])
|
||||
PROVIDERS.catalog_api.create_service(service_ref['id'], service_ref)
|
||||
PROVIDERS.catalog_api.delete_service(service_ref['id'])
|
||||
self._assert_notify_sent(service_ref['id'], DELETED_OPERATION,
|
||||
'service')
|
||||
self._assert_last_audit(service_ref['id'], DELETED_OPERATION,
|
||||
|
@ -542,7 +544,7 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_create_region(self):
|
||||
region_ref = unit.new_region_ref()
|
||||
self.catalog_api.create_region(region_ref)
|
||||
PROVIDERS.catalog_api.create_region(region_ref)
|
||||
self._assert_notify_sent(region_ref['id'], CREATED_OPERATION,
|
||||
'region')
|
||||
self._assert_last_audit(region_ref['id'], CREATED_OPERATION,
|
||||
|
@ -550,8 +552,8 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_update_region(self):
|
||||
region_ref = unit.new_region_ref()
|
||||
self.catalog_api.create_region(region_ref)
|
||||
self.catalog_api.update_region(region_ref['id'], region_ref)
|
||||
PROVIDERS.catalog_api.create_region(region_ref)
|
||||
PROVIDERS.catalog_api.update_region(region_ref['id'], region_ref)
|
||||
self._assert_notify_sent(region_ref['id'], UPDATED_OPERATION,
|
||||
'region')
|
||||
self._assert_last_audit(region_ref['id'], UPDATED_OPERATION,
|
||||
|
@ -559,8 +561,8 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_delete_region(self):
|
||||
region_ref = unit.new_region_ref()
|
||||
self.catalog_api.create_region(region_ref)
|
||||
self.catalog_api.delete_region(region_ref['id'])
|
||||
PROVIDERS.catalog_api.create_region(region_ref)
|
||||
PROVIDERS.catalog_api.delete_region(region_ref['id'])
|
||||
self._assert_notify_sent(region_ref['id'], DELETED_OPERATION,
|
||||
'region')
|
||||
self._assert_last_audit(region_ref['id'], DELETED_OPERATION,
|
||||
|
@ -568,7 +570,7 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_create_policy(self):
|
||||
policy_ref = unit.new_policy_ref()
|
||||
self.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
self._assert_notify_sent(policy_ref['id'], CREATED_OPERATION,
|
||||
'policy')
|
||||
self._assert_last_audit(policy_ref['id'], CREATED_OPERATION,
|
||||
|
@ -576,8 +578,8 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_update_policy(self):
|
||||
policy_ref = unit.new_policy_ref()
|
||||
self.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
self.policy_api.update_policy(policy_ref['id'], policy_ref)
|
||||
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
PROVIDERS.policy_api.update_policy(policy_ref['id'], policy_ref)
|
||||
self._assert_notify_sent(policy_ref['id'], UPDATED_OPERATION,
|
||||
'policy')
|
||||
self._assert_last_audit(policy_ref['id'], UPDATED_OPERATION,
|
||||
|
@ -585,8 +587,8 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_delete_policy(self):
|
||||
policy_ref = unit.new_policy_ref()
|
||||
self.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
self.policy_api.delete_policy(policy_ref['id'])
|
||||
PROVIDERS.policy_api.create_policy(policy_ref['id'], policy_ref)
|
||||
PROVIDERS.policy_api.delete_policy(policy_ref['id'])
|
||||
self._assert_notify_sent(policy_ref['id'], DELETED_OPERATION,
|
||||
'policy')
|
||||
self._assert_last_audit(policy_ref['id'], DELETED_OPERATION,
|
||||
|
@ -594,33 +596,33 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_disable_domain(self):
|
||||
domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
domain_ref['enabled'] = False
|
||||
self.resource_api.update_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.update_domain(domain_ref['id'], domain_ref)
|
||||
self._assert_notify_sent(domain_ref['id'], 'disabled', 'domain',
|
||||
public=False)
|
||||
|
||||
def test_disable_of_disabled_domain_does_not_notify(self):
|
||||
domain_ref = unit.new_domain_ref(enabled=False)
|
||||
self.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
# The domain_ref above is not changed during the create process. We
|
||||
# can use the same ref to perform the update.
|
||||
self.resource_api.update_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.update_domain(domain_ref['id'], domain_ref)
|
||||
self._assert_notify_not_sent(domain_ref['id'], 'disabled', 'domain',
|
||||
public=False)
|
||||
|
||||
def test_update_group(self):
|
||||
group_ref = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group_ref = self.identity_api.create_group(group_ref)
|
||||
self.identity_api.update_group(group_ref['id'], group_ref)
|
||||
group_ref = PROVIDERS.identity_api.create_group(group_ref)
|
||||
PROVIDERS.identity_api.update_group(group_ref['id'], group_ref)
|
||||
self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group')
|
||||
self._assert_last_audit(group_ref['id'], UPDATED_OPERATION, 'group',
|
||||
cadftaxonomy.SECURITY_GROUP)
|
||||
|
||||
def test_update_project(self):
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
self.resource_api.update_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.update_project(project_ref['id'], project_ref)
|
||||
self._assert_notify_sent(
|
||||
project_ref['id'], UPDATED_OPERATION, 'project', public=True)
|
||||
self._assert_last_audit(project_ref['id'], UPDATED_OPERATION,
|
||||
|
@ -628,43 +630,43 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_disable_project(self):
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
project_ref['enabled'] = False
|
||||
self.resource_api.update_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.update_project(project_ref['id'], project_ref)
|
||||
self._assert_notify_sent(project_ref['id'], 'disabled', 'project',
|
||||
public=False)
|
||||
|
||||
def test_disable_of_disabled_project_does_not_notify(self):
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id,
|
||||
enabled=False)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
# The project_ref above is not changed during the create process. We
|
||||
# can use the same ref to perform the update.
|
||||
self.resource_api.update_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.update_project(project_ref['id'], project_ref)
|
||||
self._assert_notify_not_sent(project_ref['id'], 'disabled', 'project',
|
||||
public=False)
|
||||
|
||||
def test_update_project_does_not_send_disable(self):
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
project_ref['enabled'] = True
|
||||
self.resource_api.update_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.update_project(project_ref['id'], project_ref)
|
||||
self._assert_last_note(
|
||||
project_ref['id'], UPDATED_OPERATION, 'project')
|
||||
self._assert_notify_not_sent(project_ref['id'], 'disabled', 'project')
|
||||
|
||||
def test_update_role(self):
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
self.role_api.update_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.update_role(role_ref['id'], role_ref)
|
||||
self._assert_last_note(role_ref['id'], UPDATED_OPERATION, 'role')
|
||||
self._assert_last_audit(role_ref['id'], UPDATED_OPERATION, 'role',
|
||||
cadftaxonomy.SECURITY_ROLE)
|
||||
|
||||
def test_update_user(self):
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
self.identity_api.update_user(user_ref['id'], user_ref)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
PROVIDERS.identity_api.update_user(user_ref['id'], user_ref)
|
||||
self._assert_last_note(user_ref['id'], UPDATED_OPERATION, 'user')
|
||||
self._assert_last_audit(user_ref['id'], UPDATED_OPERATION, 'user',
|
||||
cadftaxonomy.SECURITY_ACCOUNT_USER)
|
||||
|
@ -672,7 +674,7 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
def test_config_option_no_events(self):
|
||||
self.config_fixture.config(notification_format='basic')
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
# The regular notifications will still be emitted, since they are
|
||||
# used for callback handling.
|
||||
self._assert_last_note(role_ref['id'], CREATED_OPERATION, 'role')
|
||||
|
@ -681,22 +683,27 @@ class NotificationsForEntities(BaseNotificationTest):
|
|||
|
||||
def test_add_user_to_group(self):
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
group_ref = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group_ref = self.identity_api.create_group(group_ref)
|
||||
self.identity_api.add_user_to_group(user_ref['id'], group_ref['id'])
|
||||
group_ref = PROVIDERS.identity_api.create_group(group_ref)
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user_ref['id'], group_ref['id']
|
||||
)
|
||||
self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group',
|
||||
actor_id=user_ref['id'], actor_type='user',
|
||||
actor_operation='added')
|
||||
|
||||
def test_remove_user_from_group(self):
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
group_ref = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group_ref = self.identity_api.create_group(group_ref)
|
||||
self.identity_api.add_user_to_group(user_ref['id'], group_ref['id'])
|
||||
self.identity_api.remove_user_from_group(user_ref['id'],
|
||||
group_ref['id'])
|
||||
group_ref = PROVIDERS.identity_api.create_group(group_ref)
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user_ref['id'], group_ref['id']
|
||||
)
|
||||
PROVIDERS.identity_api.remove_user_from_group(
|
||||
user_ref['id'], group_ref['id']
|
||||
)
|
||||
self._assert_last_note(group_ref['id'], UPDATED_OPERATION, 'group',
|
||||
actor_id=user_ref['id'], actor_type='user',
|
||||
actor_operation='removed')
|
||||
|
@ -738,9 +745,10 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
|
|||
freezer.start()
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id,
|
||||
password=password)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_ref['id'], password)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_ref['id'], password
|
||||
)
|
||||
freezer.stop()
|
||||
|
||||
reason_type = (exception.PasswordExpired.message_format %
|
||||
|
@ -748,7 +756,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
|
|||
expected_reason = {'reasonCode': '401',
|
||||
'reasonType': reason_type}
|
||||
self.assertRaises(exception.PasswordExpired,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=user_ref['id'],
|
||||
password=password)
|
||||
|
@ -763,14 +771,14 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
|
|||
exception.AccountLocked]
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id,
|
||||
password=password)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
reason_type = (exception.AccountLocked.message_format %
|
||||
{'user_id': user_ref['id']})
|
||||
expected_reason = {'reasonCode': '401',
|
||||
'reasonType': reason_type}
|
||||
for ex in expected_responses:
|
||||
self.assertRaises(ex,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=user_ref['id'],
|
||||
original_password=new_password,
|
||||
|
@ -793,13 +801,13 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
|
|||
'reasonType': reason_type}
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id,
|
||||
password=password)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
self.identity_api.change_password(self.make_request(),
|
||||
user_id=user_ref['id'],
|
||||
original_password=password,
|
||||
new_password=new_password)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
PROVIDERS.identity_api.change_password(
|
||||
self.make_request(), user_id=user_ref['id'],
|
||||
original_password=password, new_password=new_password
|
||||
)
|
||||
self.assertRaises(exception.PasswordValidationError,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=user_ref['id'],
|
||||
original_password=new_password,
|
||||
|
@ -820,9 +828,9 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
|
|||
'reasonType': reason_type}
|
||||
user_ref = unit.new_user_ref(domain_id=self.domain_id,
|
||||
password=password)
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
self.assertRaises(exception.PasswordValidationError,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=user_ref['id'],
|
||||
original_password=password,
|
||||
|
@ -841,7 +849,7 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
|
|||
password=password,
|
||||
password_created_at=(
|
||||
datetime.datetime.utcnow()))
|
||||
user_ref = self.identity_api.create_user(user_ref)
|
||||
user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
|
||||
min_days = CONF.security_compliance.minimum_password_age
|
||||
min_age = (user_ref['password_created_at'] +
|
||||
|
@ -851,12 +859,12 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
|
|||
{'min_age_days': min_days, 'days_left': days_left})
|
||||
expected_reason = {'reasonCode': '400',
|
||||
'reasonType': reason_type}
|
||||
self.identity_api.change_password(self.make_request(),
|
||||
user_id=user_ref['id'],
|
||||
original_password=password,
|
||||
new_password=new_password)
|
||||
PROVIDERS.identity_api.change_password(
|
||||
self.make_request(), user_id=user_ref['id'],
|
||||
original_password=password, new_password=new_password
|
||||
)
|
||||
self.assertRaises(exception.PasswordValidationError,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=user_ref['id'],
|
||||
original_password=new_password,
|
||||
|
@ -895,7 +903,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
|
|||
def test_notification_received(self):
|
||||
callback = register_callback(CREATED_OPERATION, 'project')
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
self.assertTrue(callback.called)
|
||||
|
||||
def test_notification_method_not_callable(self):
|
||||
|
@ -946,7 +954,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
|
|||
|
||||
Foo()
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
self.assertEqual([True], callback_called)
|
||||
|
||||
def test_provider_event_callbacks_subscription(self):
|
||||
|
@ -969,7 +977,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
|
|||
|
||||
Foo()
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
self.assertItemsEqual(['cb1', 'cb0'], callback_called)
|
||||
|
||||
def test_invalid_event_callbacks(self):
|
||||
|
@ -1011,7 +1019,7 @@ class TestEventCallbacks(test_v3.RestfulTestCase):
|
|||
# self.assertRaises(TypeError, Foo)
|
||||
Foo()
|
||||
project_ref = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.assertRaises(TypeError, self.resource_api.create_project,
|
||||
self.assertRaises(TypeError, PROVIDERS.resource_api.create_project,
|
||||
project_ref['id'], project_ref)
|
||||
|
||||
|
||||
|
@ -1165,8 +1173,8 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_group_domain_grant(self):
|
||||
group_ref = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group = self.identity_api.create_group(group_ref)
|
||||
self.identity_api.add_user_to_group(self.user_id, group['id'])
|
||||
group = PROVIDERS.identity_api.create_group(group_ref)
|
||||
PROVIDERS.identity_api.add_user_to_group(self.user_id, group['id'])
|
||||
url = ('/domains/%s/groups/%s/roles/%s' %
|
||||
(self.domain_id, group['id'], self.role_id))
|
||||
self._test_role_assignment(url, self.role_id,
|
||||
|
@ -1178,11 +1186,11 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
|
|||
# the assignment manager.
|
||||
|
||||
project_ref = unit.new_project_ref(self.domain_id)
|
||||
project = self.resource_api.create_project(
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
project_ref['id'], project_ref)
|
||||
tenant_id = project['id']
|
||||
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
self.user_id, tenant_id, self.role_id)
|
||||
|
||||
self.assertTrue(self._notifications)
|
||||
|
@ -1196,7 +1204,7 @@ class CadfNotificationsWrapperTestCase(test_v3.RestfulTestCase):
|
|||
# A notification is sent when remove_role_from_user_and_project is
|
||||
# called on the assignment manager.
|
||||
|
||||
self.assignment_api.remove_role_from_user_and_project(
|
||||
PROVIDERS.assignment_api.remove_role_from_user_and_project(
|
||||
self.user_id, self.project_id, self.role_id)
|
||||
|
||||
self.assertTrue(self._notifications)
|
||||
|
@ -1312,7 +1320,7 @@ class CADFNotificationsDataTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
ref = unit.new_service_ref()
|
||||
ref['type'] = 'identity'
|
||||
self.catalog_api.create_service(ref['id'], ref.copy())
|
||||
PROVIDERS.catalog_api.create_service(ref['id'], ref.copy())
|
||||
|
||||
action = CREATED_OPERATION + '.' + resource_type
|
||||
initiator = notifications._get_request_audit_info(self.user_id)
|
||||
|
|
|
@ -74,6 +74,7 @@ def _calc_tmpdir():
|
|||
TMPDIR = _calc_tmpdir()
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
log.register_options(CONF)
|
||||
|
||||
IN_MEM_DB_CONN_STRING = 'sqlite://'
|
||||
|
@ -737,20 +738,20 @@ class TestCase(BaseTestCase):
|
|||
hasattr(self, 'assignment_api') and
|
||||
hasattr(self, 'resource_api')):
|
||||
for domain in fixtures.DOMAINS:
|
||||
rv = self.resource_api.create_domain(domain['id'], domain)
|
||||
rv = PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
attrname = 'domain_%s' % domain['id']
|
||||
setattr(self, attrname, rv)
|
||||
fixtures_to_cleanup.append(attrname)
|
||||
|
||||
for tenant in fixtures.TENANTS:
|
||||
tenant_attr_name = 'tenant_%s' % tenant['name'].lower()
|
||||
rv = self.resource_api.create_project(
|
||||
rv = PROVIDERS.resource_api.create_project(
|
||||
tenant['id'], tenant)
|
||||
setattr(self, tenant_attr_name, rv)
|
||||
fixtures_to_cleanup.append(tenant_attr_name)
|
||||
|
||||
for role in fixtures.ROLES:
|
||||
rv = self.role_api.create_role(role['id'], role)
|
||||
rv = PROVIDERS.role_api.create_role(role['id'], role)
|
||||
attrname = 'role_%s' % role['name']
|
||||
setattr(self, attrname, rv)
|
||||
fixtures_to_cleanup.append(attrname)
|
||||
|
@ -760,7 +761,7 @@ class TestCase(BaseTestCase):
|
|||
tenants = user_copy.pop('tenants')
|
||||
|
||||
# For users, the manager layer will generate the ID
|
||||
user_copy = self.identity_api.create_user(user_copy)
|
||||
user_copy = PROVIDERS.identity_api.create_user(user_copy)
|
||||
# Our tests expect that the password is still in the user
|
||||
# record so that they can reference it, so put it back into
|
||||
# the dict returned.
|
||||
|
@ -768,7 +769,7 @@ class TestCase(BaseTestCase):
|
|||
|
||||
# fixtures.ROLES[2] is the _member_ role.
|
||||
for tenant_id in tenants:
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user_copy['id'], tenant_id, fixtures.ROLES[2]['id'])
|
||||
|
||||
# Use the ID from the fixture as the attribute name, so
|
||||
|
@ -783,7 +784,7 @@ class TestCase(BaseTestCase):
|
|||
user = role_assignment['user']
|
||||
tenant_id = role_assignment['tenant_id']
|
||||
user_id = getattr(self, 'user_%s' % user)['id']
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user_id, tenant_id, role_id)
|
||||
|
||||
self.addCleanup(self.cleanup_instance(*fixtures_to_cleanup))
|
||||
|
|
|
@ -12,11 +12,14 @@
|
|||
|
||||
import uuid
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit.ksfixtures import database
|
||||
from keystone.tests.unit import mapping_fixtures
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class TestFederationProtocol(unit.TestCase):
|
||||
|
||||
|
@ -29,20 +32,21 @@ class TestFederationProtocol(unit.TestCase):
|
|||
'enabled': True,
|
||||
'description': uuid.uuid4().hex
|
||||
}
|
||||
self.federation_api.create_idp(self.idp['id'], self.idp)
|
||||
PROVIDERS.federation_api.create_idp(self.idp['id'], self.idp)
|
||||
self.mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
|
||||
self.mapping['id'] = uuid.uuid4().hex
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
|
||||
def test_create_protocol(self):
|
||||
protocol = {
|
||||
'id': uuid.uuid4().hex,
|
||||
'mapping_id': self.mapping['id']
|
||||
}
|
||||
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
protocol_ret = PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
self.assertEqual(protocol['id'], protocol_ret['id'])
|
||||
|
||||
def test_create_protocol_with_invalid_mapping_id(self):
|
||||
|
@ -51,7 +55,7 @@ class TestFederationProtocol(unit.TestCase):
|
|||
'mapping_id': uuid.uuid4().hex
|
||||
}
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.federation_api.create_protocol,
|
||||
PROVIDERS.federation_api.create_protocol,
|
||||
self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
|
@ -61,17 +65,17 @@ class TestFederationProtocol(unit.TestCase):
|
|||
'id': uuid.uuid4().hex,
|
||||
'mapping_id': self.mapping['id']
|
||||
}
|
||||
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
protocol_ret = PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
self.assertEqual(protocol['id'], protocol_ret['id'])
|
||||
new_mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
|
||||
new_mapping['id'] = uuid.uuid4().hex
|
||||
self.federation_api.create_mapping(new_mapping['id'], new_mapping)
|
||||
PROVIDERS.federation_api.create_mapping(new_mapping['id'], new_mapping)
|
||||
protocol['mapping_id'] = new_mapping['id']
|
||||
protocol_ret = self.federation_api.update_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
protocol_ret = PROVIDERS.federation_api.update_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
self.assertEqual(protocol['id'], protocol_ret['id'])
|
||||
self.assertEqual(new_mapping['id'], protocol_ret['mapping_id'])
|
||||
|
||||
|
@ -80,13 +84,13 @@ class TestFederationProtocol(unit.TestCase):
|
|||
'id': uuid.uuid4().hex,
|
||||
'mapping_id': self.mapping['id']
|
||||
}
|
||||
protocol_ret = self.federation_api.create_protocol(self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
protocol_ret = PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], protocol['id'], protocol
|
||||
)
|
||||
self.assertEqual(protocol['id'], protocol_ret['id'])
|
||||
protocol['mapping_id'] = uuid.uuid4().hex
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.federation_api.update_protocol,
|
||||
PROVIDERS.federation_api.update_protocol,
|
||||
self.idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
|
|
|
@ -16,10 +16,12 @@ import uuid
|
|||
|
||||
from six.moves import range
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
CONF = keystone.conf.CONF
|
||||
|
||||
|
||||
|
@ -51,11 +53,13 @@ class FilterTests(object):
|
|||
one.
|
||||
|
||||
"""
|
||||
f = getattr(self.identity_api, 'create_%s' % entity_type, None)
|
||||
f = getattr(PROVIDERS.identity_api, 'create_%s' % entity_type, None)
|
||||
if f is None:
|
||||
f = getattr(self.resource_api, 'create_%s' % entity_type, None)
|
||||
f = getattr(
|
||||
PROVIDERS.resource_api, 'create_%s' % entity_type, None
|
||||
)
|
||||
if f is None:
|
||||
f = getattr(self.assignment_api, 'create_%s' % entity_type)
|
||||
f = getattr(PROVIDERS.assignment_api, 'create_%s' % entity_type)
|
||||
return f
|
||||
|
||||
def _delete_entity(self, entity_type):
|
||||
|
@ -66,11 +70,13 @@ class FilterTests(object):
|
|||
one.
|
||||
|
||||
"""
|
||||
f = getattr(self.identity_api, 'delete_%s' % entity_type, None)
|
||||
f = getattr(PROVIDERS.identity_api, 'delete_%s' % entity_type, None)
|
||||
if f is None:
|
||||
f = getattr(self.resource_api, 'delete_%s' % entity_type, None)
|
||||
f = getattr(
|
||||
PROVIDERS.resource_api, 'delete_%s' % entity_type, None
|
||||
)
|
||||
if f is None:
|
||||
f = getattr(self.assignment_api, 'delete_%s' % entity_type)
|
||||
f = getattr(PROVIDERS.assignment_api, 'delete_%s' % entity_type)
|
||||
return f
|
||||
|
||||
def _list_entities(self, entity_type):
|
||||
|
@ -81,11 +87,11 @@ class FilterTests(object):
|
|||
one.
|
||||
|
||||
"""
|
||||
f = getattr(self.identity_api, 'list_%ss' % entity_type, None)
|
||||
f = getattr(PROVIDERS.identity_api, 'list_%ss' % entity_type, None)
|
||||
if f is None:
|
||||
f = getattr(self.resource_api, 'list_%ss' % entity_type, None)
|
||||
f = getattr(PROVIDERS.resource_api, 'list_%ss' % entity_type, None)
|
||||
if f is None:
|
||||
f = getattr(self.assignment_api, 'list_%ss' % entity_type)
|
||||
f = getattr(PROVIDERS.assignment_api, 'list_%ss' % entity_type)
|
||||
return f
|
||||
|
||||
def _create_one_entity(self, entity_type, domain_id, name):
|
||||
|
|
|
@ -21,6 +21,7 @@ import mock
|
|||
from oslo_config import fixture as config_fixture
|
||||
|
||||
from keystone.common import driver_hints
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception as ks_exception
|
||||
from keystone.identity.backends.ldap import common as common_ldap
|
||||
|
@ -32,6 +33,7 @@ from keystone.tests.unit.ksfixtures import ldapdb
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class DnCompareTest(unit.BaseTestCase):
|
||||
|
@ -399,7 +401,7 @@ class LDAPPagedResultsTest(unit.TestCase):
|
|||
self.config_fixture.config(group='ldap',
|
||||
page_size=1)
|
||||
|
||||
conn = self.identity_api.user.get_connection()
|
||||
conn = PROVIDERS.identity_api.user.get_connection()
|
||||
conn._paged_search_s('dc=example,dc=test',
|
||||
ldap.SCOPE_SUBTREE,
|
||||
'objectclass=*')
|
||||
|
@ -602,7 +604,7 @@ class LDAPSizeLimitTest(unit.TestCase):
|
|||
@mock.patch.object(fakeldap.FakeLdap, 'search_s')
|
||||
def test_search_s_sizelimit_exceeded(self, mock_search_s):
|
||||
mock_search_s.side_effect = ldap.SIZELIMIT_EXCEEDED
|
||||
conn = self.identity_api.user.get_connection()
|
||||
conn = PROVIDERS.identity_api.user.get_connection()
|
||||
self.assertRaises(ks_exception.LDAPSizeLimitExceeded,
|
||||
conn.search_s,
|
||||
'dc=example,dc=test',
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
import datetime
|
||||
import uuid
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import sql
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
|
@ -21,12 +22,13 @@ from keystone.tests import unit
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class ShadowUsersBackendTests(object):
|
||||
def test_create_nonlocal_user_unique_constraint(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user_created = self.shadow_users_api.create_nonlocal_user(user)
|
||||
user_created = PROVIDERS.shadow_users_api.create_nonlocal_user(user)
|
||||
self.assertNotIn('password', user_created)
|
||||
self.assertEqual(user_created['id'], user['id'])
|
||||
self.assertEqual(user_created['domain_id'], user['domain_id'])
|
||||
|
@ -34,18 +36,20 @@ class ShadowUsersBackendTests(object):
|
|||
new_user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
new_user['name'] = user['name']
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.shadow_users_api.create_nonlocal_user,
|
||||
PROVIDERS.shadow_users_api.create_nonlocal_user,
|
||||
new_user)
|
||||
|
||||
def test_create_nonlocal_user_does_not_create_local_user(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
new_nonlocal_user = self.shadow_users_api.create_nonlocal_user(user)
|
||||
new_nonlocal_user = PROVIDERS.shadow_users_api.create_nonlocal_user(
|
||||
user
|
||||
)
|
||||
user_ref = self._get_user_ref(new_nonlocal_user['id'])
|
||||
self.assertIsNone(user_ref.local_user)
|
||||
|
||||
def test_nonlocal_user_unique_user_id_constraint(self):
|
||||
user_ref = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user = self.shadow_users_api.create_nonlocal_user(user_ref)
|
||||
user = PROVIDERS.shadow_users_api.create_nonlocal_user(user_ref)
|
||||
# attempt to create a nonlocal_user with the same user_id
|
||||
nonlocal_user = {
|
||||
'domain_id': CONF.identity.default_domain_id,
|
||||
|
@ -59,30 +63,30 @@ class ShadowUsersBackendTests(object):
|
|||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user.pop('email')
|
||||
user.pop('password')
|
||||
user_created = self.shadow_users_api.create_nonlocal_user(user)
|
||||
user_created = PROVIDERS.shadow_users_api.create_nonlocal_user(user)
|
||||
self.assertEqual(user_created['id'], user['id'])
|
||||
user_found = self.shadow_users_api.get_user(user_created['id'])
|
||||
user_found = PROVIDERS.shadow_users_api.get_user(user_created['id'])
|
||||
self.assertItemsEqual(user_created, user_found)
|
||||
|
||||
def test_create_federated_user_unique_constraint(self):
|
||||
user_dict = self.shadow_users_api.create_federated_user(
|
||||
user_dict = PROVIDERS.shadow_users_api.create_federated_user(
|
||||
self.domain_id, self.federated_user)
|
||||
user_dict = self.shadow_users_api.get_user(user_dict["id"])
|
||||
user_dict = PROVIDERS.shadow_users_api.get_user(user_dict["id"])
|
||||
self.assertIsNotNone(user_dict["id"])
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.shadow_users_api.create_federated_user,
|
||||
PROVIDERS.shadow_users_api.create_federated_user,
|
||||
self.domain_id,
|
||||
self.federated_user)
|
||||
|
||||
def test_create_federated_user_domain(self):
|
||||
user = self.shadow_users_api.create_federated_user(
|
||||
user = PROVIDERS.shadow_users_api.create_federated_user(
|
||||
self.domain_id, self.federated_user)
|
||||
self.assertEqual(user['domain_id'], self.domain_id)
|
||||
|
||||
def test_get_federated_user(self):
|
||||
user_dict_create = self.shadow_users_api.create_federated_user(
|
||||
user_dict_create = PROVIDERS.shadow_users_api.create_federated_user(
|
||||
self.domain_id, self.federated_user)
|
||||
user_dict_get = self.shadow_users_api.get_federated_user(
|
||||
user_dict_get = PROVIDERS.shadow_users_api.get_federated_user(
|
||||
self.federated_user["idp_id"],
|
||||
self.federated_user["protocol_id"],
|
||||
self.federated_user["unique_id"])
|
||||
|
@ -90,15 +94,15 @@ class ShadowUsersBackendTests(object):
|
|||
self.assertEqual(user_dict_create["id"], user_dict_get["id"])
|
||||
|
||||
def test_update_federated_user_display_name(self):
|
||||
user_dict_create = self.shadow_users_api.create_federated_user(
|
||||
user_dict_create = PROVIDERS.shadow_users_api.create_federated_user(
|
||||
self.domain_id, self.federated_user)
|
||||
new_display_name = uuid.uuid4().hex
|
||||
self.shadow_users_api.update_federated_user_display_name(
|
||||
PROVIDERS.shadow_users_api.update_federated_user_display_name(
|
||||
self.federated_user["idp_id"],
|
||||
self.federated_user["protocol_id"],
|
||||
self.federated_user["unique_id"],
|
||||
new_display_name)
|
||||
user_ref = self.shadow_users_api._get_federated_user(
|
||||
user_ref = PROVIDERS.shadow_users_api._get_federated_user(
|
||||
self.federated_user["idp_id"],
|
||||
self.federated_user["protocol_id"],
|
||||
self.federated_user["unique_id"])
|
||||
|
@ -112,7 +116,7 @@ class ShadowUsersBackendTests(object):
|
|||
now = datetime.datetime.utcnow().date()
|
||||
password = uuid.uuid4().hex
|
||||
user = self._create_user(password)
|
||||
user_auth = self.identity_api.authenticate(
|
||||
user_auth = PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=password)
|
||||
|
@ -124,7 +128,7 @@ class ShadowUsersBackendTests(object):
|
|||
disable_user_account_days_inactive=None)
|
||||
password = uuid.uuid4().hex
|
||||
user = self._create_user(password)
|
||||
user_auth = self.identity_api.authenticate(
|
||||
user_auth = PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=password)
|
||||
|
@ -143,7 +147,7 @@ class ShadowUsersBackendTests(object):
|
|||
'enabled': True,
|
||||
'password': password
|
||||
}
|
||||
return self.identity_api.create_user(user)
|
||||
return PROVIDERS.identity_api.create_user(user)
|
||||
|
||||
def _get_user_ref(self, user_id):
|
||||
with sql.session_for_read() as session:
|
||||
|
|
|
@ -12,10 +12,14 @@
|
|||
|
||||
import uuid
|
||||
|
||||
from keystone.common import provider_api
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class ShadowUsersCoreTests(object):
|
||||
def test_shadow_federated_user(self):
|
||||
user = self.identity_api.shadow_federated_user(
|
||||
user = PROVIDERS.identity_api.shadow_federated_user(
|
||||
self.federated_user['idp_id'],
|
||||
self.federated_user['protocol_id'],
|
||||
self.federated_user['unique_id'],
|
||||
|
@ -33,7 +37,7 @@ class ShadowUsersCoreTests(object):
|
|||
def test_shadow_existing_federated_user(self):
|
||||
|
||||
# introduce the user to keystone for the first time
|
||||
shadow_user1 = self.identity_api.shadow_federated_user(
|
||||
shadow_user1 = PROVIDERS.identity_api.shadow_federated_user(
|
||||
self.federated_user['idp_id'],
|
||||
self.federated_user['protocol_id'],
|
||||
self.federated_user['unique_id'],
|
||||
|
@ -45,7 +49,7 @@ class ShadowUsersCoreTests(object):
|
|||
# internally, this operation causes request to the driver. It should
|
||||
# not fail.
|
||||
self.federated_user['display_name'] = uuid.uuid4().hex
|
||||
shadow_user2 = self.identity_api.shadow_federated_user(
|
||||
shadow_user2 = PROVIDERS.identity_api.shadow_federated_user(
|
||||
self.federated_user['idp_id'],
|
||||
self.federated_user['protocol_id'],
|
||||
self.federated_user['unique_id'],
|
||||
|
|
|
@ -17,6 +17,7 @@ import freezegun
|
|||
import passlib.hash
|
||||
|
||||
from keystone.common import password_hashing
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import resource_options
|
||||
from keystone.common import sql
|
||||
import keystone.conf
|
||||
|
@ -28,6 +29,7 @@ from keystone.tests.unit import test_backend_sql
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class UserPasswordCreatedAtIntTests(test_backend_sql.SqlTests):
|
||||
|
@ -38,8 +40,9 @@ class UserPasswordCreatedAtIntTests(test_backend_sql.SqlTests):
|
|||
|
||||
def test_user_password_created_expired_at_int_matches_created_at(self):
|
||||
with sql.session_for_read() as session:
|
||||
user_ref = self.identity_api._get_user(session,
|
||||
self.user_foo['id'])
|
||||
user_ref = PROVIDERS.identity_api._get_user(
|
||||
session, self.user_foo['id']
|
||||
)
|
||||
self.assertIsNotNone(user_ref.password_ref._created_at)
|
||||
self.assertIsNotNone(user_ref.password_ref._expires_at)
|
||||
self.assertEqual(user_ref.password_ref._created_at,
|
||||
|
@ -60,8 +63,9 @@ class UserPasswordHashingTestsNoCompat(test_backend_sql.SqlTests):
|
|||
|
||||
def test_password_hashing_compat_not_set_used(self):
|
||||
with sql.session_for_read() as session:
|
||||
user_ref = self.identity_api._get_user(session,
|
||||
self.user_foo['id'])
|
||||
user_ref = PROVIDERS.identity_api._get_user(
|
||||
session, self.user_foo['id']
|
||||
)
|
||||
self.assertIsNone(user_ref.password_ref.password)
|
||||
self.assertIsNotNone(user_ref.password_ref.password_hash)
|
||||
self.assertEqual(user_ref.password,
|
||||
|
@ -71,8 +75,9 @@ class UserPasswordHashingTestsNoCompat(test_backend_sql.SqlTests):
|
|||
|
||||
def test_configured_algorithm_used(self):
|
||||
with sql.session_for_read() as session:
|
||||
user_ref = self.identity_api._get_user(session,
|
||||
self.user_foo['id'])
|
||||
user_ref = PROVIDERS.identity_api._get_user(
|
||||
session, self.user_foo['id']
|
||||
)
|
||||
self.assertEqual(
|
||||
passlib.hash.scrypt,
|
||||
password_hashing._get_hasher_from_ident(user_ref.password))
|
||||
|
@ -97,7 +102,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
user = self._create_user(self._get_user_dict())
|
||||
opt_value = uuid.uuid4().hex
|
||||
user['options'][self.option1.option_name] = opt_value
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertEqual(opt_value,
|
||||
new_ref['options'][self.option1.option_name])
|
||||
raw_ref = self._get_user_ref(user['id'])
|
||||
|
@ -106,7 +111,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
opt_value,
|
||||
raw_ref._resource_option_mapper[
|
||||
self.option1.option_id].option_value)
|
||||
api_get_ref = self.identity_api.get_user(user['id'])
|
||||
api_get_ref = PROVIDERS.identity_api.get_user(user['id'])
|
||||
# Ensure options are properly set in a .get_user call.
|
||||
self.assertEqual(opt_value,
|
||||
api_get_ref['options'][self.option1.option_name])
|
||||
|
@ -119,19 +124,19 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
|
||||
# Update user to add the new value option
|
||||
user['options'][self.option1.option_name] = opt_value
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertEqual(opt_value,
|
||||
new_ref['options'][self.option1.option_name])
|
||||
|
||||
# Update the option Value and confirm it is updated
|
||||
user['options'][self.option1.option_name] = new_opt_value
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertEqual(new_opt_value,
|
||||
new_ref['options'][self.option1.option_name])
|
||||
|
||||
# Set the option value to None, meaning delete the option
|
||||
user['options'][self.option1.option_name] = None
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertNotIn(self.option1.option_name, new_ref['options'])
|
||||
|
||||
def test_user_add_delete_resource_option_existing_option_values(self):
|
||||
|
@ -142,7 +147,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
|
||||
# Update user to add the new value option
|
||||
user['options'][self.option1.option_name] = opt_value
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertEqual(opt_value,
|
||||
new_ref['options'][self.option1.option_name])
|
||||
|
||||
|
@ -151,7 +156,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
# updated user ref.
|
||||
del user['options'][self.option1.option_name]
|
||||
user['options'][self.option2.option_name] = opt2_value
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertEqual(opt_value,
|
||||
new_ref['options'][self.option1.option_name])
|
||||
self.assertEqual(opt2_value,
|
||||
|
@ -169,7 +174,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
# Set the option value to None, meaning delete the option, ensure
|
||||
# option 2 still remains and has the right value
|
||||
user['options'][self.option1.option_name] = None
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertNotIn(self.option1.option_name, new_ref['options'])
|
||||
self.assertEqual(opt2_value,
|
||||
new_ref['options'][self.option2.option_name])
|
||||
|
@ -189,7 +194,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
|
||||
# Update user to add the new value option
|
||||
user['options'][self.option1.option_name] = opt_value
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertEqual(opt_value,
|
||||
new_ref['options'][self.option1.option_name])
|
||||
|
||||
|
@ -198,7 +203,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
# updated user ref.
|
||||
del user['options'][self.option1.option_name]
|
||||
user['options'][self.option2.option_name] = opt2_value
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertEqual(opt_value,
|
||||
new_ref['options'][self.option1.option_name])
|
||||
self.assertEqual(opt2_value,
|
||||
|
@ -218,7 +223,7 @@ class UserResourceOptionTests(test_backend_sql.SqlTests):
|
|||
iro.USER_OPTIONS_REGISTRY._registered_options.clear()
|
||||
iro.USER_OPTIONS_REGISTRY.register_option(self.option1)
|
||||
user['name'] = uuid.uuid4().hex
|
||||
new_ref = self.identity_api.update_user(user['id'], user)
|
||||
new_ref = PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertNotIn(self.option2.option_name, new_ref['options'])
|
||||
self.assertEqual(opt_value,
|
||||
new_ref['options'][self.option1.option_name])
|
||||
|
@ -268,19 +273,19 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
|
|||
datetime.timedelta(days=self.max_inactive_days + 1))
|
||||
user = self._create_user(self.user_dict, last_active_at.date())
|
||||
self.assertRaises(exception.UserDisabled,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=self.password)
|
||||
# verify that the user is actually disabled
|
||||
user = self.identity_api.get_user(user['id'])
|
||||
user = PROVIDERS.identity_api.get_user(user['id'])
|
||||
self.assertFalse(user['enabled'])
|
||||
# set the user to enabled and authenticate
|
||||
user['enabled'] = True
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
user = self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=self.password)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
user = PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user['id'], password=self.password
|
||||
)
|
||||
self.assertTrue(user['enabled'])
|
||||
|
||||
def test_authenticate_user_not_disabled_due_to_inactivity(self):
|
||||
|
@ -289,29 +294,29 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
|
|||
datetime.datetime.utcnow() -
|
||||
datetime.timedelta(days=self.max_inactive_days - 1)).date()
|
||||
user = self._create_user(self.user_dict, last_active_at)
|
||||
user = self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=self.password)
|
||||
user = PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user['id'], password=self.password
|
||||
)
|
||||
self.assertTrue(user['enabled'])
|
||||
|
||||
def test_get_user_disabled_due_to_inactivity(self):
|
||||
user = self.identity_api.create_user(self.user_dict)
|
||||
user = PROVIDERS.identity_api.create_user(self.user_dict)
|
||||
# set last_active_at just beyond the max
|
||||
last_active_at = (
|
||||
datetime.datetime.utcnow() -
|
||||
datetime.timedelta(self.max_inactive_days + 1)).date()
|
||||
self._update_user_last_active_at(user['id'], last_active_at)
|
||||
# get user and verify that the user is actually disabled
|
||||
user = self.identity_api.get_user(user['id'])
|
||||
user = PROVIDERS.identity_api.get_user(user['id'])
|
||||
self.assertFalse(user['enabled'])
|
||||
# set enabled and test
|
||||
user['enabled'] = True
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
user = self.identity_api.get_user(user['id'])
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
user = PROVIDERS.identity_api.get_user(user['id'])
|
||||
self.assertTrue(user['enabled'])
|
||||
|
||||
def test_get_user_not_disabled_due_to_inactivity(self):
|
||||
user = self.identity_api.create_user(self.user_dict)
|
||||
user = PROVIDERS.identity_api.create_user(self.user_dict)
|
||||
self.assertTrue(user['enabled'])
|
||||
# set last_active_at just below the max
|
||||
last_active_at = (
|
||||
|
@ -319,7 +324,7 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
|
|||
datetime.timedelta(self.max_inactive_days - 1)).date()
|
||||
self._update_user_last_active_at(user['id'], last_active_at)
|
||||
# get user and verify that the user is still enabled
|
||||
user = self.identity_api.get_user(user['id'])
|
||||
user = PROVIDERS.identity_api.get_user(user['id'])
|
||||
self.assertTrue(user['enabled'])
|
||||
|
||||
def test_enabled_after_create_update_user(self):
|
||||
|
@ -327,24 +332,24 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
|
|||
disable_user_account_days_inactive=90)
|
||||
# create user without enabled; assert enabled
|
||||
del self.user_dict['enabled']
|
||||
user = self.identity_api.create_user(self.user_dict)
|
||||
user = PROVIDERS.identity_api.create_user(self.user_dict)
|
||||
user_ref = self._get_user_ref(user['id'])
|
||||
self.assertTrue(user_ref.enabled)
|
||||
now = datetime.datetime.utcnow().date()
|
||||
self.assertGreaterEqual(now, user_ref.last_active_at)
|
||||
# set enabled and test
|
||||
user['enabled'] = True
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
user_ref = self._get_user_ref(user['id'])
|
||||
self.assertTrue(user_ref.enabled)
|
||||
# set disabled and test
|
||||
user['enabled'] = False
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
user_ref = self._get_user_ref(user['id'])
|
||||
self.assertFalse(user_ref.enabled)
|
||||
# re-enable user and test
|
||||
user['enabled'] = True
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
user_ref = self._get_user_ref(user['id'])
|
||||
self.assertTrue(user_ref.enabled)
|
||||
|
||||
|
@ -388,7 +393,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
|
|||
user = self._create_user(password)
|
||||
# Attempt to change to the same password
|
||||
self.assertRaises(exception.PasswordValidationError,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
original_password=password,
|
||||
|
@ -398,7 +403,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
|
|||
self.assertValidChangePassword(user['id'], password, new_password)
|
||||
# Attempt to change back to the initial password
|
||||
self.assertRaises(exception.PasswordValidationError,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
original_password=new_password,
|
||||
|
@ -424,12 +429,12 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
|
|||
self.assertIsNone(user_ref.password)
|
||||
# Admin password reset
|
||||
user['password'] = passwords[0]
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
# Self-service change password
|
||||
self.assertValidChangePassword(user['id'], passwords[0], passwords[1])
|
||||
# Attempt to update with a previous password
|
||||
self.assertRaises(exception.PasswordValidationError,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
original_password=passwords[1],
|
||||
|
@ -449,22 +454,22 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
|
|||
user = self._create_user(passwords[0])
|
||||
# Attempt to change password to a unique password
|
||||
user['password'] = passwords[1]
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=passwords[1])
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user['id'], password=passwords[1]
|
||||
)
|
||||
# Attempt to change password with the same password
|
||||
user['password'] = passwords[1]
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=passwords[1])
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user['id'], password=passwords[1]
|
||||
)
|
||||
# Attempt to change password with the initial password
|
||||
user['password'] = passwords[0]
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=passwords[0])
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user['id'], password=passwords[0]
|
||||
)
|
||||
|
||||
def test_truncate_passwords(self):
|
||||
user = self._create_user(uuid.uuid4().hex)
|
||||
|
@ -507,7 +512,7 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
|
|||
'domain_id': 'default',
|
||||
'enabled': True,
|
||||
}
|
||||
user = self.identity_api.create_user(user)
|
||||
user = PROVIDERS.identity_api.create_user(user)
|
||||
self._add_passwords_to_history(user, n=1)
|
||||
user_ref = self._get_user_ref(user['id'])
|
||||
self.assertEqual(len(user_ref.local_user.passwords), expected_length)
|
||||
|
@ -519,25 +524,25 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
|
|||
'enabled': True,
|
||||
'password': password
|
||||
}
|
||||
return self.identity_api.create_user(user)
|
||||
return PROVIDERS.identity_api.create_user(user)
|
||||
|
||||
def assertValidChangePassword(self, user_id, password, new_password):
|
||||
self.identity_api.change_password(self.make_request(),
|
||||
user_id=user_id,
|
||||
original_password=password,
|
||||
new_password=new_password)
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user_id,
|
||||
password=new_password)
|
||||
PROVIDERS.identity_api.change_password(
|
||||
self.make_request(), user_id=user_id, original_password=password,
|
||||
new_password=new_password
|
||||
)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user_id, password=new_password
|
||||
)
|
||||
|
||||
def _add_passwords_to_history(self, user, n):
|
||||
for _ in range(n):
|
||||
user['password'] = uuid.uuid4().hex
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
|
||||
def _get_user_ref(self, user_id):
|
||||
with sql.session_for_read() as session:
|
||||
return self.identity_api._get_user(session, user_id)
|
||||
return PROVIDERS.identity_api._get_user(session, user_id)
|
||||
|
||||
|
||||
class LockingOutUserTests(test_backend_sql.SqlTests):
|
||||
|
@ -557,23 +562,24 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
|||
'enabled': True,
|
||||
'password': self.password
|
||||
}
|
||||
self.user = self.identity_api.create_user(user_dict)
|
||||
self.user = PROVIDERS.identity_api.create_user(user_dict)
|
||||
|
||||
def test_locking_out_user_after_max_failed_attempts(self):
|
||||
# authenticate with wrong password
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
# authenticate with correct password
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=self.password)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=self.user['id'],
|
||||
password=self.password
|
||||
)
|
||||
# test locking out user after max failed attempts
|
||||
self._fail_auth_repeatedly(self.user['id'])
|
||||
self.assertRaises(exception.AccountLocked,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
|
@ -582,35 +588,37 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
|||
# mark the user as exempt from failed password attempts
|
||||
# ignore user and reset password, password not expired
|
||||
self.user['options'][iro.IGNORE_LOCKOUT_ATTEMPT_OPT.option_name] = True
|
||||
self.identity_api.update_user(self.user['id'], self.user)
|
||||
PROVIDERS.identity_api.update_user(self.user['id'], self.user)
|
||||
|
||||
# fail authentication repeatedly the max number of times
|
||||
self._fail_auth_repeatedly(self.user['id'])
|
||||
# authenticate with wrong password, account should not be locked
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
# authenticate with correct password, account should not be locked
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=self.password)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=self.user['id'],
|
||||
password=self.password
|
||||
)
|
||||
|
||||
def test_set_enabled_unlocks_user(self):
|
||||
# lockout user
|
||||
self._fail_auth_repeatedly(self.user['id'])
|
||||
self.assertRaises(exception.AccountLocked,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
# set enabled, user should be unlocked
|
||||
self.user['enabled'] = True
|
||||
self.identity_api.update_user(self.user['id'], self.user)
|
||||
user_ret = self.identity_api.authenticate(self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=self.password)
|
||||
PROVIDERS.identity_api.update_user(self.user['id'], self.user)
|
||||
user_ret = PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=self.user['id'],
|
||||
password=self.password
|
||||
)
|
||||
self.assertTrue(user_ret['enabled'])
|
||||
|
||||
def test_lockout_duration(self):
|
||||
|
@ -619,7 +627,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
|||
# lockout user
|
||||
self._fail_auth_repeatedly(self.user['id'])
|
||||
self.assertRaises(exception.AccountLocked,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
|
@ -627,13 +635,14 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
|||
# auth count should get reset
|
||||
frozen_time.tick(delta=datetime.timedelta(
|
||||
seconds=CONF.security_compliance.lockout_duration + 1))
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=self.password)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=self.user['id'],
|
||||
password=self.password
|
||||
)
|
||||
# test failed auth count was reset by authenticating with the wrong
|
||||
# password, should raise an assertion error and not account locked
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
|
@ -644,7 +653,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
|||
# lockout user
|
||||
self._fail_auth_repeatedly(self.user['id'])
|
||||
self.assertRaises(exception.AccountLocked,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
|
@ -655,7 +664,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
|||
self._fail_auth_repeatedly(self.user['id'])
|
||||
# test user account is locked
|
||||
self.assertRaises(exception.AccountLocked,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
password=uuid.uuid4().hex)
|
||||
|
@ -664,7 +673,7 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
|
|||
wrong_password = uuid.uuid4().hex
|
||||
for _ in range(CONF.security_compliance.lockout_failure_attempts):
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=user_id,
|
||||
password=wrong_password)
|
||||
|
@ -689,7 +698,7 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
|
|||
user = self._create_user(self.user_dict, password_created_at)
|
||||
# test password is expired
|
||||
self.assertRaises(exception.PasswordExpired,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=self.password)
|
||||
|
@ -703,9 +712,9 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
|
|||
)
|
||||
user = self._create_user(self.user_dict, password_created_at)
|
||||
# test password is not expired
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=self.password)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user['id'], password=self.password
|
||||
)
|
||||
|
||||
def test_authenticate_with_expired_password_for_ignore_user_option(self):
|
||||
# set user to have the 'ignore_password_expiry' option set to False
|
||||
|
@ -719,7 +728,7 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
|
|||
)
|
||||
user = self._create_user(self.user_dict, password_created_at)
|
||||
self.assertRaises(exception.PasswordExpired,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=self.password)
|
||||
|
@ -727,12 +736,13 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
|
|||
# update user to explicitly have the expiry option to True
|
||||
user['options'][
|
||||
iro.IGNORE_PASSWORD_EXPIRY_OPT.option_name] = True
|
||||
user = self.identity_api.update_user(user['id'],
|
||||
user)
|
||||
user = PROVIDERS.identity_api.update_user(
|
||||
user['id'], user
|
||||
)
|
||||
# test password is not expired due to ignore option
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=self.password)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user['id'], password=self.password
|
||||
)
|
||||
|
||||
def _get_test_user_dict(self, password):
|
||||
test_user_dict = {
|
||||
|
@ -747,7 +757,7 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
|
|||
def _create_user(self, user_dict, password_created_at):
|
||||
# Bypass business logic and go straight for the identity driver
|
||||
# (SQL in this case)
|
||||
driver = self.identity_api.driver
|
||||
driver = PROVIDERS.identity_api.driver
|
||||
driver.create_user(user_dict['id'], user_dict)
|
||||
with sql.session_for_write() as session:
|
||||
user_ref = session.query(model.User).get(user_dict['id'])
|
||||
|
@ -773,7 +783,7 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
|
|||
new_password)
|
||||
# user cannot change password before min age
|
||||
self.assertRaises(exception.PasswordAgeValidationError,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
original_password=new_password,
|
||||
|
@ -801,7 +811,7 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
|
|||
new_password)
|
||||
# user cannot change password before min age
|
||||
self.assertRaises(exception.PasswordAgeValidationError,
|
||||
self.identity_api.change_password,
|
||||
PROVIDERS.identity_api.change_password,
|
||||
self.make_request(),
|
||||
user_id=self.user['id'],
|
||||
original_password=new_password,
|
||||
|
@ -809,19 +819,19 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
|
|||
# admin reset
|
||||
new_password = uuid.uuid4().hex
|
||||
self.user['password'] = new_password
|
||||
self.identity_api.update_user(self.user['id'], self.user)
|
||||
PROVIDERS.identity_api.update_user(self.user['id'], self.user)
|
||||
# user can change password after admin reset
|
||||
self.assertValidChangePassword(self.user['id'], new_password,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def assertValidChangePassword(self, user_id, password, new_password):
|
||||
self.identity_api.change_password(self.make_request(),
|
||||
user_id=user_id,
|
||||
original_password=password,
|
||||
new_password=new_password)
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user_id,
|
||||
password=new_password)
|
||||
PROVIDERS.identity_api.change_password(
|
||||
self.make_request(), user_id=user_id, original_password=password,
|
||||
new_password=new_password
|
||||
)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user_id, password=new_password
|
||||
)
|
||||
|
||||
def _create_new_user(self, password):
|
||||
user = {
|
||||
|
@ -830,7 +840,7 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
|
|||
'enabled': True,
|
||||
'password': password
|
||||
}
|
||||
return self.identity_api.create_user(user)
|
||||
return PROVIDERS.identity_api.create_user(user)
|
||||
|
||||
def _update_password_created_at(self, user_id, password_create_at):
|
||||
# User instance has an attribute password_ref. This attribute is used
|
||||
|
@ -860,19 +870,19 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
|
|||
'enabled': True,
|
||||
'password': password
|
||||
}
|
||||
return self.identity_api.create_user(user_dict)
|
||||
return PROVIDERS.identity_api.create_user(user_dict)
|
||||
|
||||
def assertPasswordIsExpired(self, user_id, password):
|
||||
self.assertRaises(exception.PasswordExpired,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
self.make_request(),
|
||||
user_id=user_id,
|
||||
password=password)
|
||||
|
||||
def assertPasswordIsNotExpired(self, user_id, password):
|
||||
self.identity_api.authenticate(self.make_request(),
|
||||
user_id=user_id,
|
||||
password=password)
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user_id, password=password
|
||||
)
|
||||
|
||||
def test_password_expired_after_create(self):
|
||||
# create user, password expired
|
||||
|
@ -881,10 +891,9 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
|
|||
self.assertPasswordIsExpired(user['id'], initial_password)
|
||||
# change password (self-service), password not expired
|
||||
new_password = uuid.uuid4().hex
|
||||
self.identity_api.change_password(self.make_request(),
|
||||
user['id'],
|
||||
initial_password,
|
||||
new_password)
|
||||
PROVIDERS.identity_api.change_password(
|
||||
self.make_request(), user['id'], initial_password, new_password
|
||||
)
|
||||
self.assertPasswordIsNotExpired(user['id'], new_password)
|
||||
|
||||
def test_password_expired_after_reset(self):
|
||||
|
@ -899,14 +908,13 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
|
|||
# admin reset, password expired
|
||||
admin_password = uuid.uuid4().hex
|
||||
user['password'] = admin_password
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertPasswordIsExpired(user['id'], admin_password)
|
||||
# change password (self-service), password not expired
|
||||
new_password = uuid.uuid4().hex
|
||||
self.identity_api.change_password(self.make_request(),
|
||||
user['id'],
|
||||
admin_password,
|
||||
new_password)
|
||||
PROVIDERS.identity_api.change_password(
|
||||
self.make_request(), user['id'], admin_password, new_password
|
||||
)
|
||||
self.assertPasswordIsNotExpired(user['id'], new_password)
|
||||
|
||||
def test_password_not_expired_when_feature_disabled(self):
|
||||
|
@ -917,7 +925,7 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
|
|||
# admin reset
|
||||
admin_password = uuid.uuid4().hex
|
||||
user['password'] = admin_password
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertPasswordIsNotExpired(user['id'], admin_password)
|
||||
|
||||
def test_password_not_expired_for_ignore_user(self):
|
||||
|
@ -933,11 +941,11 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
|
|||
user['options'][iro.IGNORE_CHANGE_PASSWORD_OPT.option_name] = True
|
||||
admin_password = uuid.uuid4().hex
|
||||
user['password'] = admin_password
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertPasswordIsNotExpired(user['id'], admin_password)
|
||||
# set ignore user to false and reset password, password is expired
|
||||
user['options'][iro.IGNORE_CHANGE_PASSWORD_OPT.option_name] = False
|
||||
admin_password = uuid.uuid4().hex
|
||||
user['password'] = admin_password
|
||||
self.identity_api.update_user(user['id'], user)
|
||||
PROVIDERS.identity_api.update_user(user['id'], user)
|
||||
self.assertPasswordIsExpired(user['id'], admin_password)
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -19,6 +19,7 @@ import uuid
|
|||
import mock
|
||||
from oslo_config import fixture as config_fixture
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone import identity
|
||||
|
@ -27,6 +28,7 @@ from keystone.tests.unit.ksfixtures import database
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class TestDomainConfigs(unit.BaseTestCase):
|
||||
|
@ -139,18 +141,18 @@ class TestDatabaseDomainConfigs(unit.TestCase):
|
|||
self.config_fixture.config(domain_configurations_from_database=True,
|
||||
group='identity')
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
# Override two config options for our domain
|
||||
conf = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'suffix': uuid.uuid4().hex,
|
||||
'use_tls': True},
|
||||
'identity': {
|
||||
'driver': 'ldap'}}
|
||||
self.domain_config_api.create_config(domain['id'], conf)
|
||||
PROVIDERS.domain_config_api.create_config(domain['id'], conf)
|
||||
fake_standard_driver = None
|
||||
domain_config = identity.DomainConfigs()
|
||||
domain_config.setup_domain_drivers(fake_standard_driver,
|
||||
self.resource_api)
|
||||
PROVIDERS.resource_api)
|
||||
# Make sure our two overrides are in place, and others are not affected
|
||||
res = domain_config.get_domain_conf(domain['id'])
|
||||
self.assertEqual(conf['ldap']['url'], res.ldap.url)
|
||||
|
@ -170,7 +172,7 @@ class TestDatabaseDomainConfigs(unit.TestCase):
|
|||
|
||||
domain_config = identity.DomainConfigs()
|
||||
domain_config.setup_domain_drivers(fake_standard_driver,
|
||||
self.resource_api)
|
||||
PROVIDERS.resource_api)
|
||||
res = domain_config.get_domain_conf(domain['id'])
|
||||
self.assertEqual(CONF.ldap.url, res.ldap.url)
|
||||
self.assertEqual(CONF.ldap.suffix, res.ldap.suffix)
|
||||
|
|
|
@ -12,75 +12,78 @@
|
|||
|
||||
import uuid
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class PolicyTests(object):
|
||||
def test_create(self):
|
||||
ref = unit.new_policy_ref()
|
||||
res = self.policy_api.create_policy(ref['id'], ref)
|
||||
res = PROVIDERS.policy_api.create_policy(ref['id'], ref)
|
||||
self.assertDictEqual(ref, res)
|
||||
|
||||
def test_get(self):
|
||||
ref = unit.new_policy_ref()
|
||||
res = self.policy_api.create_policy(ref['id'], ref)
|
||||
res = PROVIDERS.policy_api.create_policy(ref['id'], ref)
|
||||
|
||||
res = self.policy_api.get_policy(ref['id'])
|
||||
res = PROVIDERS.policy_api.get_policy(ref['id'])
|
||||
self.assertDictEqual(ref, res)
|
||||
|
||||
def test_list(self):
|
||||
ref = unit.new_policy_ref()
|
||||
self.policy_api.create_policy(ref['id'], ref)
|
||||
PROVIDERS.policy_api.create_policy(ref['id'], ref)
|
||||
|
||||
res = self.policy_api.list_policies()
|
||||
res = PROVIDERS.policy_api.list_policies()
|
||||
res = [x for x in res if x['id'] == ref['id']][0]
|
||||
self.assertDictEqual(ref, res)
|
||||
|
||||
def test_update(self):
|
||||
ref = unit.new_policy_ref()
|
||||
self.policy_api.create_policy(ref['id'], ref)
|
||||
PROVIDERS.policy_api.create_policy(ref['id'], ref)
|
||||
orig = ref
|
||||
|
||||
ref = unit.new_policy_ref()
|
||||
|
||||
# (cannot change policy ID)
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.policy_api.update_policy,
|
||||
PROVIDERS.policy_api.update_policy,
|
||||
orig['id'],
|
||||
ref)
|
||||
|
||||
ref['id'] = orig['id']
|
||||
res = self.policy_api.update_policy(orig['id'], ref)
|
||||
res = PROVIDERS.policy_api.update_policy(orig['id'], ref)
|
||||
self.assertDictEqual(ref, res)
|
||||
|
||||
def test_delete(self):
|
||||
ref = unit.new_policy_ref()
|
||||
self.policy_api.create_policy(ref['id'], ref)
|
||||
PROVIDERS.policy_api.create_policy(ref['id'], ref)
|
||||
|
||||
self.policy_api.delete_policy(ref['id'])
|
||||
PROVIDERS.policy_api.delete_policy(ref['id'])
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_api.delete_policy,
|
||||
PROVIDERS.policy_api.delete_policy,
|
||||
ref['id'])
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_api.get_policy,
|
||||
PROVIDERS.policy_api.get_policy,
|
||||
ref['id'])
|
||||
res = self.policy_api.list_policies()
|
||||
res = PROVIDERS.policy_api.list_policies()
|
||||
self.assertFalse(len([x for x in res if x['id'] == ref['id']]))
|
||||
|
||||
def test_get_policy_returns_not_found(self):
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_api.get_policy,
|
||||
PROVIDERS.policy_api.get_policy,
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_update_policy_returns_not_found(self):
|
||||
ref = unit.new_policy_ref()
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_api.update_policy,
|
||||
PROVIDERS.policy_api.update_policy,
|
||||
ref['id'],
|
||||
ref)
|
||||
|
||||
def test_delete_policy_returns_not_found(self):
|
||||
self.assertRaises(exception.PolicyNotFound,
|
||||
self.policy_api.delete_policy,
|
||||
PROVIDERS.policy_api.delete_policy,
|
||||
uuid.uuid4().hex)
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -17,6 +17,7 @@ import mock
|
|||
from oslo_config import cfg
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
|
@ -24,6 +25,7 @@ from keystone.tests.unit.ksfixtures import database
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class TestResourceManagerNoFixtures(unit.SQLDriverOverrides, unit.TestCase):
|
||||
|
@ -41,17 +43,19 @@ class TestResourceManagerNoFixtures(unit.SQLDriverOverrides, unit.TestCase):
|
|||
'name': name,
|
||||
'description': description,
|
||||
}
|
||||
domain = self.resource_api.create_domain(
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
CONF.identity.default_domain_id, domain_attrs)
|
||||
project1 = unit.new_project_ref(domain_id=domain['id'],
|
||||
name=uuid.uuid4().hex)
|
||||
self.resource_api.create_project(project1['id'], project1)
|
||||
PROVIDERS.resource_api.create_project(project1['id'], project1)
|
||||
project2 = unit.new_project_ref(domain_id=domain['id'],
|
||||
name=uuid.uuid4().hex)
|
||||
project = self.resource_api.create_project(project2['id'], project2)
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
project2['id'], project2
|
||||
)
|
||||
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.resource_api.update_project,
|
||||
PROVIDERS.resource_api.update_project,
|
||||
project['id'], {'name': project1['name']})
|
||||
|
||||
|
||||
|
@ -204,35 +208,35 @@ class DomainConfigTests(object):
|
|||
|
||||
def setUp(self):
|
||||
self.domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domain['id'], self.domain)
|
||||
PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain)
|
||||
self.addCleanup(self.clean_up_domain)
|
||||
|
||||
def clean_up_domain(self):
|
||||
# NOTE(henry-nash): Deleting the domain will also delete any domain
|
||||
# configs for this domain.
|
||||
self.domain['enabled'] = False
|
||||
self.resource_api.update_domain(self.domain['id'], self.domain)
|
||||
self.resource_api.delete_domain(self.domain['id'])
|
||||
PROVIDERS.resource_api.update_domain(self.domain['id'], self.domain)
|
||||
PROVIDERS.resource_api.delete_domain(self.domain['id'])
|
||||
del self.domain
|
||||
|
||||
def test_create_domain_config_including_sensitive_option(self):
|
||||
config = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'user_tree_dn': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
|
||||
# password is sensitive, so check that the whitelisted portion and
|
||||
# the sensitive piece have been stored in the appropriate locations.
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
config_whitelisted = copy.deepcopy(config)
|
||||
config_whitelisted['ldap'].pop('password')
|
||||
self.assertEqual(config_whitelisted, res)
|
||||
res = self.domain_config_api.driver.get_config_option(
|
||||
res = PROVIDERS.domain_config_api.driver.get_config_option(
|
||||
self.domain['id'], 'ldap', 'password', sensitive=True)
|
||||
self.assertEqual(config['ldap']['password'], res['value'])
|
||||
|
||||
# Finally, use the non-public API to get back the whole config
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
self.assertEqual(config, res)
|
||||
|
||||
|
@ -241,67 +245,82 @@ class DomainConfigTests(object):
|
|||
'user_tree_dn': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
|
||||
res = self.domain_config_api.get_config(self.domain['id'],
|
||||
group='identity')
|
||||
res = PROVIDERS.domain_config_api.get_config(
|
||||
self.domain['id'], group='identity'
|
||||
)
|
||||
config_partial = copy.deepcopy(config)
|
||||
config_partial.pop('ldap')
|
||||
self.assertEqual(config_partial, res)
|
||||
res = self.domain_config_api.get_config(
|
||||
res = PROVIDERS.domain_config_api.get_config(
|
||||
self.domain['id'], group='ldap', option='user_tree_dn')
|
||||
self.assertEqual({'user_tree_dn': config['ldap']['user_tree_dn']}, res)
|
||||
# ...but we should fail to get a sensitive option
|
||||
self.assertRaises(exception.DomainConfigNotFound,
|
||||
self.domain_config_api.get_config, self.domain['id'],
|
||||
group='ldap', option='password')
|
||||
self.assertRaises(
|
||||
exception.DomainConfigNotFound,
|
||||
PROVIDERS.domain_config_api.get_config,
|
||||
self.domain['id'],
|
||||
group='ldap',
|
||||
option='password'
|
||||
)
|
||||
|
||||
def test_delete_partial_domain_config(self):
|
||||
config = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'user_tree_dn': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
|
||||
self.domain_config_api.delete_config(
|
||||
PROVIDERS.domain_config_api.delete_config(
|
||||
self.domain['id'], group='identity')
|
||||
config_partial = copy.deepcopy(config)
|
||||
config_partial.pop('identity')
|
||||
config_partial['ldap'].pop('password')
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
self.assertEqual(config_partial, res)
|
||||
|
||||
self.domain_config_api.delete_config(
|
||||
PROVIDERS.domain_config_api.delete_config(
|
||||
self.domain['id'], group='ldap', option='url')
|
||||
config_partial = copy.deepcopy(config_partial)
|
||||
config_partial['ldap'].pop('url')
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
self.assertEqual(config_partial, res)
|
||||
|
||||
def test_get_options_not_in_domain_config(self):
|
||||
self.assertRaises(exception.DomainConfigNotFound,
|
||||
self.domain_config_api.get_config, self.domain['id'])
|
||||
self.assertRaises(
|
||||
exception.DomainConfigNotFound,
|
||||
PROVIDERS.domain_config_api.get_config,
|
||||
self.domain['id']
|
||||
)
|
||||
config = {'ldap': {'url': uuid.uuid4().hex}}
|
||||
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
|
||||
self.assertRaises(exception.DomainConfigNotFound,
|
||||
self.domain_config_api.get_config, self.domain['id'],
|
||||
group='identity')
|
||||
self.assertRaises(exception.DomainConfigNotFound,
|
||||
self.domain_config_api.get_config, self.domain['id'],
|
||||
group='ldap', option='user_tree_dn')
|
||||
self.assertRaises(
|
||||
exception.DomainConfigNotFound,
|
||||
PROVIDERS.domain_config_api.get_config,
|
||||
self.domain['id'],
|
||||
group='identity'
|
||||
)
|
||||
self.assertRaises(
|
||||
exception.DomainConfigNotFound,
|
||||
PROVIDERS.domain_config_api.get_config,
|
||||
self.domain['id'],
|
||||
group='ldap',
|
||||
option='user_tree_dn'
|
||||
)
|
||||
|
||||
def test_get_sensitive_config(self):
|
||||
config = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'user_tree_dn': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
self.assertEqual({}, res)
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
self.assertEqual(config, res)
|
||||
|
||||
|
@ -310,12 +329,12 @@ class DomainConfigTests(object):
|
|||
'user_tree_dn': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
|
||||
# Try updating a group
|
||||
new_config = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'user_filter': uuid.uuid4().hex}}
|
||||
res = self.domain_config_api.update_config(
|
||||
res = PROVIDERS.domain_config_api.update_config(
|
||||
self.domain['id'], new_config, group='ldap')
|
||||
expected_config = copy.deepcopy(config)
|
||||
expected_config['ldap']['url'] = new_config['ldap']['url']
|
||||
|
@ -323,18 +342,18 @@ class DomainConfigTests(object):
|
|||
new_config['ldap']['user_filter'])
|
||||
expected_full_config = copy.deepcopy(expected_config)
|
||||
expected_config['ldap'].pop('password')
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
self.assertEqual(expected_config, res)
|
||||
# The sensitive option should still exist
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
self.assertEqual(expected_full_config, res)
|
||||
|
||||
# Try updating a single whitelisted option
|
||||
self.domain_config_api.delete_config(self.domain['id'])
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.delete_config(self.domain['id'])
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
new_config = {'url': uuid.uuid4().hex}
|
||||
res = self.domain_config_api.update_config(
|
||||
res = PROVIDERS.domain_config_api.update_config(
|
||||
self.domain['id'], new_config, group='ldap', option='url')
|
||||
|
||||
# Make sure whitelisted and full config is updated
|
||||
|
@ -343,27 +362,27 @@ class DomainConfigTests(object):
|
|||
expected_full_config = copy.deepcopy(expected_whitelisted_config)
|
||||
expected_whitelisted_config['ldap'].pop('password')
|
||||
self.assertEqual(expected_whitelisted_config, res)
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
self.assertEqual(expected_whitelisted_config, res)
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
self.assertEqual(expected_full_config, res)
|
||||
|
||||
# Try updating a single sensitive option
|
||||
self.domain_config_api.delete_config(self.domain['id'])
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.delete_config(self.domain['id'])
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
new_config = {'password': uuid.uuid4().hex}
|
||||
res = self.domain_config_api.update_config(
|
||||
res = PROVIDERS.domain_config_api.update_config(
|
||||
self.domain['id'], new_config, group='ldap', option='password')
|
||||
# The whitelisted config should not have changed...
|
||||
expected_whitelisted_config = copy.deepcopy(config)
|
||||
expected_full_config = copy.deepcopy(config)
|
||||
expected_whitelisted_config['ldap'].pop('password')
|
||||
self.assertEqual(expected_whitelisted_config, res)
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
self.assertEqual(expected_whitelisted_config, res)
|
||||
expected_full_config['ldap']['password'] = new_config['password']
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
# ...but the sensitive piece should have.
|
||||
self.assertEqual(expected_full_config, res)
|
||||
|
@ -375,11 +394,11 @@ class DomainConfigTests(object):
|
|||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
# An extra group, when specifying one group should fail
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.update_config,
|
||||
PROVIDERS.domain_config_api.update_config,
|
||||
self.domain['id'], config, group='ldap')
|
||||
# An extra option, when specifying one option should fail
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.update_config,
|
||||
PROVIDERS.domain_config_api.update_config,
|
||||
self.domain['id'], config['ldap'],
|
||||
group='ldap', option='url')
|
||||
|
||||
|
@ -387,25 +406,25 @@ class DomainConfigTests(object):
|
|||
# ones that are in the config provided
|
||||
config = {'ldap': {'user_tree_dn': uuid.uuid4().hex}}
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.update_config,
|
||||
PROVIDERS.domain_config_api.update_config,
|
||||
self.domain['id'], config, group='identity')
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.update_config,
|
||||
PROVIDERS.domain_config_api.update_config,
|
||||
self.domain['id'], config['ldap'], group='ldap',
|
||||
option='url')
|
||||
|
||||
# Now some valid groups/options, but just not ones that are in the
|
||||
# existing config
|
||||
config = {'ldap': {'user_tree_dn': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
config_wrong_group = {'identity': {'driver': uuid.uuid4().hex}}
|
||||
self.assertRaises(exception.DomainConfigNotFound,
|
||||
self.domain_config_api.update_config,
|
||||
PROVIDERS.domain_config_api.update_config,
|
||||
self.domain['id'], config_wrong_group,
|
||||
group='identity')
|
||||
config_wrong_option = {'url': uuid.uuid4().hex}
|
||||
self.assertRaises(exception.DomainConfigNotFound,
|
||||
self.domain_config_api.update_config,
|
||||
PROVIDERS.domain_config_api.update_config,
|
||||
self.domain['id'], config_wrong_option,
|
||||
group='ldap', option='url')
|
||||
|
||||
|
@ -413,49 +432,49 @@ class DomainConfigTests(object):
|
|||
bad_group = uuid.uuid4().hex
|
||||
config = {bad_group: {'user': uuid.uuid4().hex}}
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.update_config,
|
||||
PROVIDERS.domain_config_api.update_config,
|
||||
self.domain['id'], config, group=bad_group,
|
||||
option='user')
|
||||
bad_option = uuid.uuid4().hex
|
||||
config = {'ldap': {bad_option: uuid.uuid4().hex}}
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.update_config,
|
||||
PROVIDERS.domain_config_api.update_config,
|
||||
self.domain['id'], config, group='ldap',
|
||||
option=bad_option)
|
||||
|
||||
def test_create_invalid_domain_config(self):
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.create_config,
|
||||
PROVIDERS.domain_config_api.create_config,
|
||||
self.domain['id'], {})
|
||||
config = {uuid.uuid4().hex: uuid.uuid4().hex}
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.create_config,
|
||||
PROVIDERS.domain_config_api.create_config,
|
||||
self.domain['id'], config)
|
||||
config = {uuid.uuid4().hex: {uuid.uuid4().hex: uuid.uuid4().hex}}
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.create_config,
|
||||
PROVIDERS.domain_config_api.create_config,
|
||||
self.domain['id'], config)
|
||||
config = {'ldap': {uuid.uuid4().hex: uuid.uuid4().hex}}
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.create_config,
|
||||
PROVIDERS.domain_config_api.create_config,
|
||||
self.domain['id'], config)
|
||||
# Try an option that IS in the standard conf, but neither whitelisted
|
||||
# or marked as sensitive
|
||||
config = {'identity': {'user_tree_dn': uuid.uuid4().hex}}
|
||||
self.assertRaises(exception.InvalidDomainConfig,
|
||||
self.domain_config_api.create_config,
|
||||
PROVIDERS.domain_config_api.create_config,
|
||||
self.domain['id'], config)
|
||||
|
||||
def test_delete_invalid_partial_domain_config(self):
|
||||
config = {'ldap': {'url': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
# Try deleting a group not in the config
|
||||
self.assertRaises(exception.DomainConfigNotFound,
|
||||
self.domain_config_api.delete_config,
|
||||
PROVIDERS.domain_config_api.delete_config,
|
||||
self.domain['id'], group='identity')
|
||||
# Try deleting an option not in the config
|
||||
self.assertRaises(exception.DomainConfigNotFound,
|
||||
self.domain_config_api.delete_config,
|
||||
PROVIDERS.domain_config_api.delete_config,
|
||||
self.domain['id'],
|
||||
group='ldap', option='user_tree_dn')
|
||||
|
||||
|
@ -466,11 +485,11 @@ class DomainConfigTests(object):
|
|||
'user_tree_dn': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
|
||||
# Read back the config with the internal method and ensure that the
|
||||
# substitution has taken place.
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
expected_url = (
|
||||
config['ldap']['url'] % {'password': config['ldap']['password']})
|
||||
|
@ -490,12 +509,15 @@ class DomainConfigTests(object):
|
|||
'my_url/%(password)',
|
||||
'my_url/%(password)d']:
|
||||
invalid_option_config['ldap']['url'] = invalid_option
|
||||
self.domain_config_api.create_config(
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], invalid_option_config)
|
||||
|
||||
with mock.patch('keystone.resource.core.LOG', mock_log):
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
res = (
|
||||
PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id']
|
||||
)
|
||||
)
|
||||
mock_log.warning.assert_any_call(mock.ANY, mock.ANY)
|
||||
self.assertEqual(
|
||||
invalid_option_config['ldap']['url'], res['ldap']['url'])
|
||||
|
@ -510,11 +532,11 @@ class DomainConfigTests(object):
|
|||
'password': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
|
||||
self.domain_config_api.create_config(
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], escaped_option_config)
|
||||
|
||||
with mock.patch('keystone.resource.core.LOG', mock_log):
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
self.assertFalse(mock_log.warn.called)
|
||||
# The escaping '%' should have been removed
|
||||
|
@ -526,100 +548,100 @@ class DomainConfigTests(object):
|
|||
'user_tree_dn': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
# cache the result
|
||||
res = self.domain_config_api.get_config_with_sensitive_info(
|
||||
res = PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id'])
|
||||
self.assertEqual(config, res)
|
||||
|
||||
# delete, bypassing domain config manager api
|
||||
self.domain_config_api.delete_config_options(self.domain['id'])
|
||||
PROVIDERS.domain_config_api.delete_config_options(self.domain['id'])
|
||||
|
||||
self.assertDictEqual(
|
||||
res, self.domain_config_api.get_config_with_sensitive_info(
|
||||
res, PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id']))
|
||||
self.domain_config_api.get_config_with_sensitive_info.invalidate(
|
||||
self.domain_config_api, self.domain['id'])
|
||||
PROVIDERS.domain_config_api.get_config_with_sensitive_info.invalidate(
|
||||
PROVIDERS.domain_config_api, self.domain['id'])
|
||||
self.assertDictEqual(
|
||||
{},
|
||||
self.domain_config_api.get_config_with_sensitive_info(
|
||||
PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
self.domain['id']))
|
||||
|
||||
def test_delete_domain_deletes_configs(self):
|
||||
"""Test domain deletion clears the domain configs."""
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
config = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'user_tree_dn': uuid.uuid4().hex,
|
||||
'password': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(domain['id'], config)
|
||||
|
||||
# Now delete the domain
|
||||
domain['enabled'] = False
|
||||
self.resource_api.update_domain(domain['id'], domain)
|
||||
self.resource_api.delete_domain(domain['id'])
|
||||
PROVIDERS.resource_api.update_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.delete_domain(domain['id'])
|
||||
|
||||
# Check domain configs have also been deleted
|
||||
self.assertRaises(
|
||||
exception.DomainConfigNotFound,
|
||||
self.domain_config_api.get_config,
|
||||
PROVIDERS.domain_config_api.get_config,
|
||||
domain['id'])
|
||||
|
||||
# The get_config_with_sensitive_info does not throw an exception if
|
||||
# the config is empty, it just returns an empty dict
|
||||
self.assertDictEqual(
|
||||
{},
|
||||
self.domain_config_api.get_config_with_sensitive_info(
|
||||
PROVIDERS.domain_config_api.get_config_with_sensitive_info(
|
||||
domain['id']))
|
||||
|
||||
def test_config_registration(self):
|
||||
type = uuid.uuid4().hex
|
||||
self.domain_config_api.obtain_registration(
|
||||
PROVIDERS.domain_config_api.obtain_registration(
|
||||
self.domain['id'], type)
|
||||
self.domain_config_api.release_registration(
|
||||
PROVIDERS.domain_config_api.release_registration(
|
||||
self.domain['id'], type=type)
|
||||
|
||||
# Make sure that once someone has it, nobody else can get it.
|
||||
# This includes the domain who already has it.
|
||||
self.domain_config_api.obtain_registration(
|
||||
PROVIDERS.domain_config_api.obtain_registration(
|
||||
self.domain['id'], type)
|
||||
self.assertFalse(
|
||||
self.domain_config_api.obtain_registration(
|
||||
PROVIDERS.domain_config_api.obtain_registration(
|
||||
self.domain['id'], type))
|
||||
|
||||
# Make sure we can read who does have it
|
||||
self.assertEqual(
|
||||
self.domain['id'],
|
||||
self.domain_config_api.read_registration(type))
|
||||
PROVIDERS.domain_config_api.read_registration(type))
|
||||
|
||||
# Make sure releasing it is silent if the domain specified doesn't
|
||||
# have the registration
|
||||
domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
self.resource_api.create_domain(domain2['id'], domain2)
|
||||
self.domain_config_api.release_registration(
|
||||
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
|
||||
PROVIDERS.domain_config_api.release_registration(
|
||||
domain2['id'], type=type)
|
||||
|
||||
# If nobody has the type registered, then trying to read it should
|
||||
# raise ConfigRegistrationNotFound
|
||||
self.domain_config_api.release_registration(
|
||||
PROVIDERS.domain_config_api.release_registration(
|
||||
self.domain['id'], type=type)
|
||||
self.assertRaises(exception.ConfigRegistrationNotFound,
|
||||
self.domain_config_api.read_registration,
|
||||
PROVIDERS.domain_config_api.read_registration,
|
||||
type)
|
||||
|
||||
# Finally check multiple registrations are cleared if you free the
|
||||
# registration without specifying the type
|
||||
type2 = uuid.uuid4().hex
|
||||
self.domain_config_api.obtain_registration(
|
||||
PROVIDERS.domain_config_api.obtain_registration(
|
||||
self.domain['id'], type)
|
||||
self.domain_config_api.obtain_registration(
|
||||
PROVIDERS.domain_config_api.obtain_registration(
|
||||
self.domain['id'], type2)
|
||||
self.domain_config_api.release_registration(self.domain['id'])
|
||||
PROVIDERS.domain_config_api.release_registration(self.domain['id'])
|
||||
self.assertRaises(exception.ConfigRegistrationNotFound,
|
||||
self.domain_config_api.read_registration,
|
||||
PROVIDERS.domain_config_api.read_registration,
|
||||
type)
|
||||
self.assertRaises(exception.ConfigRegistrationNotFound,
|
||||
self.domain_config_api.read_registration,
|
||||
PROVIDERS.domain_config_api.read_registration,
|
||||
type2)
|
||||
|
||||
def test_option_dict_fails_when_group_is_none(self):
|
||||
|
@ -627,7 +649,7 @@ class DomainConfigTests(object):
|
|||
option = 'bar'
|
||||
self.assertRaises(
|
||||
cfg.NoSuchOptError,
|
||||
self.domain_config_api._option_dict,
|
||||
PROVIDERS.domain_config_api._option_dict,
|
||||
group,
|
||||
option
|
||||
)
|
||||
|
@ -642,7 +664,7 @@ class DomainConfigTests(object):
|
|||
'option': 'password_regex',
|
||||
'value': regex
|
||||
}
|
||||
option_dict = self.domain_config_api._option_dict(
|
||||
option_dict = PROVIDERS.domain_config_api._option_dict(
|
||||
'security_compliance', 'password_regex'
|
||||
)
|
||||
self.assertEqual(option_dict, expected_dict)
|
||||
|
|
|
@ -17,21 +17,30 @@ import uuid
|
|||
from six.moves import range
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class PolicyAssociationTests(object):
|
||||
|
||||
def _assert_correct_policy(self, endpoint, policy):
|
||||
ref = (
|
||||
self.endpoint_policy_api.get_policy_for_endpoint(endpoint['id']))
|
||||
PROVIDERS.endpoint_policy_api.get_policy_for_endpoint(
|
||||
endpoint['id']
|
||||
)
|
||||
)
|
||||
self.assertEqual(policy['id'], ref['id'])
|
||||
|
||||
def _assert_correct_endpoints(self, policy, endpoint_list):
|
||||
endpoint_id_list = [ep['id'] for ep in endpoint_list]
|
||||
endpoints = (
|
||||
self.endpoint_policy_api.list_endpoints_for_policy(policy['id']))
|
||||
PROVIDERS.endpoint_policy_api.list_endpoints_for_policy(
|
||||
policy['id']
|
||||
)
|
||||
)
|
||||
self.assertThat(endpoints, matchers.HasLength(len(endpoint_list)))
|
||||
for endpoint in endpoints:
|
||||
self.assertIn(endpoint['id'], endpoint_id_list)
|
||||
|
@ -57,7 +66,7 @@ class PolicyAssociationTests(object):
|
|||
region_id=region_id,
|
||||
service_id=service_id,
|
||||
url='/url')
|
||||
self.endpoint.append(self.catalog_api.create_endpoint(
|
||||
self.endpoint.append(PROVIDERS.catalog_api.create_endpoint(
|
||||
endpoint['id'], endpoint))
|
||||
|
||||
self.policy = []
|
||||
|
@ -68,15 +77,18 @@ class PolicyAssociationTests(object):
|
|||
parent_region_id = None
|
||||
for i in range(3):
|
||||
policy = unit.new_policy_ref()
|
||||
self.policy.append(self.policy_api.create_policy(policy['id'],
|
||||
policy))
|
||||
self.policy.append(
|
||||
PROVIDERS.policy_api.create_policy(policy['id'], policy)
|
||||
)
|
||||
|
||||
service = unit.new_service_ref()
|
||||
self.service.append(self.catalog_api.create_service(service['id'],
|
||||
service))
|
||||
self.service.append(
|
||||
PROVIDERS.catalog_api.create_service(service['id'], service)
|
||||
)
|
||||
region = unit.new_region_ref(parent_region_id=parent_region_id)
|
||||
# Link the regions together as a hierarchy, [0] at the top
|
||||
parent_region_id = region['id']
|
||||
self.region.append(self.catalog_api.create_region(region))
|
||||
self.region.append(PROVIDERS.catalog_api.create_region(region))
|
||||
|
||||
new_endpoint(self.region[0]['id'], self.service[0]['id'])
|
||||
new_endpoint(self.region[0]['id'], self.service[1]['id'])
|
||||
|
@ -86,62 +98,76 @@ class PolicyAssociationTests(object):
|
|||
new_endpoint(self.region[2]['id'], self.service[0]['id'])
|
||||
|
||||
def test_policy_to_endpoint_association_crud(self):
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
|
||||
self.endpoint_policy_api.check_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association(
|
||||
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
|
||||
self.endpoint_policy_api.delete_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.delete_policy_association(
|
||||
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id'])
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id']
|
||||
)
|
||||
|
||||
def test_overwriting_policy_to_endpoint_association(self):
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[1]['id'], endpoint_id=self.endpoint[0]['id'])
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id'])
|
||||
self.endpoint_policy_api.check_policy_association(
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id']
|
||||
)
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association(
|
||||
self.policy[1]['id'], endpoint_id=self.endpoint[0]['id'])
|
||||
|
||||
def test_invalid_policy_to_endpoint_association(self):
|
||||
self.assertRaises(exception.InvalidPolicyAssociation,
|
||||
self.endpoint_policy_api.create_policy_association,
|
||||
self.policy[0]['id'])
|
||||
self.assertRaises(exception.InvalidPolicyAssociation,
|
||||
self.endpoint_policy_api.create_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id'],
|
||||
region_id=self.region[0]['id'])
|
||||
self.assertRaises(exception.InvalidPolicyAssociation,
|
||||
self.endpoint_policy_api.create_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id'],
|
||||
service_id=self.service[0]['id'])
|
||||
self.assertRaises(exception.InvalidPolicyAssociation,
|
||||
self.endpoint_policy_api.create_policy_association,
|
||||
self.policy[0]['id'],
|
||||
region_id=self.region[0]['id'])
|
||||
self.assertRaises(
|
||||
exception.InvalidPolicyAssociation,
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association,
|
||||
self.policy[0]['id']
|
||||
)
|
||||
self.assertRaises(
|
||||
exception.InvalidPolicyAssociation,
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id'],
|
||||
region_id=self.region[0]['id']
|
||||
)
|
||||
self.assertRaises(
|
||||
exception.InvalidPolicyAssociation,
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id'],
|
||||
service_id=self.service[0]['id']
|
||||
)
|
||||
self.assertRaises(
|
||||
exception.InvalidPolicyAssociation,
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association,
|
||||
self.policy[0]['id'],
|
||||
region_id=self.region[0]['id']
|
||||
)
|
||||
|
||||
def test_policy_to_explicit_endpoint_association(self):
|
||||
# Associate policy 0 with endpoint 0
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
|
||||
self._assert_correct_policy(self.endpoint[0], self.policy[0])
|
||||
self._assert_correct_endpoints(self.policy[0], [self.endpoint[0]])
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.get_policy_for_endpoint,
|
||||
uuid.uuid4().hex)
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.get_policy_for_endpoint,
|
||||
uuid.uuid4().hex
|
||||
)
|
||||
|
||||
def test_policy_to_service_association(self):
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], service_id=self.service[0]['id'])
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[1]['id'], service_id=self.service[1]['id'])
|
||||
|
||||
# Endpoints 0 and 5 are part of service 0
|
||||
|
@ -157,13 +183,13 @@ class PolicyAssociationTests(object):
|
|||
self.policy[1], [self.endpoint[1], self.endpoint[2]])
|
||||
|
||||
def test_policy_to_region_and_service_association(self):
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], service_id=self.service[0]['id'],
|
||||
region_id=self.region[0]['id'])
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[1]['id'], service_id=self.service[1]['id'],
|
||||
region_id=self.region[1]['id'])
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[2]['id'], service_id=self.service[2]['id'],
|
||||
region_id=self.region[2]['id'])
|
||||
|
||||
|
@ -188,62 +214,74 @@ class PolicyAssociationTests(object):
|
|||
self.policy[0], [self.endpoint[0], self.endpoint[5]])
|
||||
|
||||
def test_delete_association_by_entity(self):
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], endpoint_id=self.endpoint[0]['id'])
|
||||
self.endpoint_policy_api.delete_association_by_endpoint(
|
||||
PROVIDERS.endpoint_policy_api.delete_association_by_endpoint(
|
||||
self.endpoint[0]['id'])
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id'])
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
endpoint_id=self.endpoint[0]['id']
|
||||
)
|
||||
# Make sure deleting it again is silent - since this method is used
|
||||
# in response to notifications by the controller.
|
||||
self.endpoint_policy_api.delete_association_by_endpoint(
|
||||
PROVIDERS.endpoint_policy_api.delete_association_by_endpoint(
|
||||
self.endpoint[0]['id'])
|
||||
|
||||
# Now try with service - ensure both combined region & service
|
||||
# associations and explicit service ones are removed
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], service_id=self.service[0]['id'],
|
||||
region_id=self.region[0]['id'])
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[1]['id'], service_id=self.service[0]['id'],
|
||||
region_id=self.region[1]['id'])
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], service_id=self.service[0]['id'])
|
||||
|
||||
self.endpoint_policy_api.delete_association_by_service(
|
||||
PROVIDERS.endpoint_policy_api.delete_association_by_service(
|
||||
self.service[0]['id'])
|
||||
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
service_id=self.service[0]['id'],
|
||||
region_id=self.region[0]['id'])
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.check_policy_association,
|
||||
self.policy[1]['id'],
|
||||
service_id=self.service[0]['id'],
|
||||
region_id=self.region[1]['id'])
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
service_id=self.service[0]['id'])
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
service_id=self.service[0]['id'],
|
||||
region_id=self.region[0]['id']
|
||||
)
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association,
|
||||
self.policy[1]['id'],
|
||||
service_id=self.service[0]['id'],
|
||||
region_id=self.region[1]['id']
|
||||
)
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
service_id=self.service[0]['id']
|
||||
)
|
||||
|
||||
# Finally, check delete by region
|
||||
self.endpoint_policy_api.create_policy_association(
|
||||
PROVIDERS.endpoint_policy_api.create_policy_association(
|
||||
self.policy[0]['id'], service_id=self.service[0]['id'],
|
||||
region_id=self.region[0]['id'])
|
||||
|
||||
self.endpoint_policy_api.delete_association_by_region(
|
||||
PROVIDERS.endpoint_policy_api.delete_association_by_region(
|
||||
self.region[0]['id'])
|
||||
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
service_id=self.service[0]['id'],
|
||||
region_id=self.region[0]['id'])
|
||||
self.assertRaises(exception.NotFound,
|
||||
self.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
service_id=self.service[0]['id'])
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
service_id=self.service[0]['id'],
|
||||
region_id=self.region[0]['id']
|
||||
)
|
||||
self.assertRaises(
|
||||
exception.NotFound,
|
||||
PROVIDERS.endpoint_policy_api.check_policy_association,
|
||||
self.policy[0]['id'],
|
||||
service_id=self.service[0]['id']
|
||||
)
|
||||
|
|
|
@ -17,12 +17,15 @@ import uuid
|
|||
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import sql
|
||||
from keystone.identity.mapping_backends import mapping
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import identity_mapping as mapping_sql
|
||||
from keystone.tests.unit import test_backend_sql
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class SqlIDMappingTable(test_backend_sql.SqlModels):
|
||||
"""Set of tests for checking SQL Identity ID Mapping."""
|
||||
|
@ -44,22 +47,32 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
def load_sample_data(self):
|
||||
self.addCleanup(self.clean_sample_data)
|
||||
domainA = unit.new_domain_ref()
|
||||
self.domainA = self.resource_api.create_domain(domainA['id'], domainA)
|
||||
self.domainA = PROVIDERS.resource_api.create_domain(
|
||||
domainA['id'], domainA
|
||||
)
|
||||
domainB = unit.new_domain_ref()
|
||||
self.domainB = self.resource_api.create_domain(domainB['id'], domainB)
|
||||
self.domainB = PROVIDERS.resource_api.create_domain(
|
||||
domainB['id'], domainB
|
||||
)
|
||||
|
||||
def clean_sample_data(self):
|
||||
if hasattr(self, 'domainA'):
|
||||
self.domainA['enabled'] = False
|
||||
self.resource_api.update_domain(self.domainA['id'], self.domainA)
|
||||
self.resource_api.delete_domain(self.domainA['id'])
|
||||
PROVIDERS.resource_api.update_domain(
|
||||
self.domainA['id'], self.domainA
|
||||
)
|
||||
PROVIDERS.resource_api.delete_domain(self.domainA['id'])
|
||||
if hasattr(self, 'domainB'):
|
||||
self.domainB['enabled'] = False
|
||||
self.resource_api.update_domain(self.domainB['id'], self.domainB)
|
||||
self.resource_api.delete_domain(self.domainB['id'])
|
||||
PROVIDERS.resource_api.update_domain(
|
||||
self.domainB['id'], self.domainB
|
||||
)
|
||||
PROVIDERS.resource_api.delete_domain(self.domainB['id'])
|
||||
|
||||
def test_invalid_public_key(self):
|
||||
self.assertIsNone(self.id_mapping_api.get_id_mapping(uuid.uuid4().hex))
|
||||
self.assertIsNone(
|
||||
PROVIDERS.id_mapping_api.get_id_mapping(uuid.uuid4().hex)
|
||||
)
|
||||
|
||||
def test_id_mapping_crud(self):
|
||||
initial_mappings = len(mapping_sql.list_id_mappings())
|
||||
|
@ -73,27 +86,31 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
'entity_type': mapping.EntityType.GROUP}
|
||||
|
||||
# Check no mappings for the new local entities
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity1))
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity2))
|
||||
self.assertIsNone(
|
||||
PROVIDERS.id_mapping_api.get_public_id(local_entity1)
|
||||
)
|
||||
self.assertIsNone(
|
||||
PROVIDERS.id_mapping_api.get_public_id(local_entity2)
|
||||
)
|
||||
|
||||
# Create the new mappings and then read them back
|
||||
public_id1 = self.id_mapping_api.create_id_mapping(local_entity1)
|
||||
public_id2 = self.id_mapping_api.create_id_mapping(local_entity2)
|
||||
public_id1 = PROVIDERS.id_mapping_api.create_id_mapping(local_entity1)
|
||||
public_id2 = PROVIDERS.id_mapping_api.create_id_mapping(local_entity2)
|
||||
self.assertThat(mapping_sql.list_id_mappings(),
|
||||
matchers.HasLength(initial_mappings + 2))
|
||||
self.assertEqual(
|
||||
public_id1, self.id_mapping_api.get_public_id(local_entity1))
|
||||
public_id1, PROVIDERS.id_mapping_api.get_public_id(local_entity1))
|
||||
self.assertEqual(
|
||||
public_id2, self.id_mapping_api.get_public_id(local_entity2))
|
||||
public_id2, PROVIDERS.id_mapping_api.get_public_id(local_entity2))
|
||||
|
||||
local_id_ref = self.id_mapping_api.get_id_mapping(public_id1)
|
||||
local_id_ref = PROVIDERS.id_mapping_api.get_id_mapping(public_id1)
|
||||
self.assertEqual(self.domainA['id'], local_id_ref['domain_id'])
|
||||
self.assertEqual(local_id1, local_id_ref['local_id'])
|
||||
self.assertEqual(mapping.EntityType.USER, local_id_ref['entity_type'])
|
||||
# Check we have really created a new external ID
|
||||
self.assertNotEqual(local_id1, public_id1)
|
||||
|
||||
local_id_ref = self.id_mapping_api.get_id_mapping(public_id2)
|
||||
local_id_ref = PROVIDERS.id_mapping_api.get_id_mapping(public_id2)
|
||||
self.assertEqual(self.domainB['id'], local_id_ref['domain_id'])
|
||||
self.assertEqual(local_id2, local_id_ref['local_id'])
|
||||
self.assertEqual(mapping.EntityType.GROUP, local_id_ref['entity_type'])
|
||||
|
@ -102,7 +119,7 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
|
||||
# Create another mappings, this time specifying a public ID to use
|
||||
new_public_id = uuid.uuid4().hex
|
||||
public_id3 = self.id_mapping_api.create_id_mapping(
|
||||
public_id3 = PROVIDERS.id_mapping_api.create_id_mapping(
|
||||
{'domain_id': self.domainB['id'], 'local_id': local_id2,
|
||||
'entity_type': mapping.EntityType.USER},
|
||||
public_id=new_public_id)
|
||||
|
@ -112,9 +129,9 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
|
||||
# Delete the mappings we created, and make sure the mapping count
|
||||
# goes back to where it was
|
||||
self.id_mapping_api.delete_id_mapping(public_id1)
|
||||
self.id_mapping_api.delete_id_mapping(public_id2)
|
||||
self.id_mapping_api.delete_id_mapping(public_id3)
|
||||
PROVIDERS.id_mapping_api.delete_id_mapping(public_id1)
|
||||
PROVIDERS.id_mapping_api.delete_id_mapping(public_id2)
|
||||
PROVIDERS.id_mapping_api.delete_id_mapping(public_id3)
|
||||
self.assertThat(mapping_sql.list_id_mappings(),
|
||||
matchers.HasLength(initial_mappings))
|
||||
|
||||
|
@ -126,18 +143,18 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
'entity_type': mapping.EntityType.USER}
|
||||
|
||||
# Check no mappings for the new local entity
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity))
|
||||
self.assertIsNone(PROVIDERS.id_mapping_api.get_public_id(local_entity))
|
||||
|
||||
# Create the new mapping and then read it back
|
||||
public_id = self.id_mapping_api.create_id_mapping(local_entity)
|
||||
public_id = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
|
||||
self.assertThat(mapping_sql.list_id_mappings(),
|
||||
matchers.HasLength(initial_mappings + 1))
|
||||
self.assertEqual(
|
||||
public_id, self.id_mapping_api.get_public_id(local_entity))
|
||||
public_id, PROVIDERS.id_mapping_api.get_public_id(local_entity))
|
||||
|
||||
def test_delete_public_id_is_silent(self):
|
||||
# Test that deleting an invalid public key is silent
|
||||
self.id_mapping_api.delete_id_mapping(uuid.uuid4().hex)
|
||||
PROVIDERS.id_mapping_api.delete_id_mapping(uuid.uuid4().hex)
|
||||
|
||||
def test_purge_mappings(self):
|
||||
initial_mappings = len(mapping_sql.list_id_mappings())
|
||||
|
@ -148,19 +165,19 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
local_id5 = uuid.uuid4().hex
|
||||
|
||||
# Create five mappings,two in domainA, three in domainB
|
||||
self.id_mapping_api.create_id_mapping(
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(
|
||||
{'domain_id': self.domainA['id'], 'local_id': local_id1,
|
||||
'entity_type': mapping.EntityType.USER})
|
||||
self.id_mapping_api.create_id_mapping(
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(
|
||||
{'domain_id': self.domainA['id'], 'local_id': local_id2,
|
||||
'entity_type': mapping.EntityType.USER})
|
||||
public_id3 = self.id_mapping_api.create_id_mapping(
|
||||
public_id3 = PROVIDERS.id_mapping_api.create_id_mapping(
|
||||
{'domain_id': self.domainB['id'], 'local_id': local_id3,
|
||||
'entity_type': mapping.EntityType.GROUP})
|
||||
public_id4 = self.id_mapping_api.create_id_mapping(
|
||||
public_id4 = PROVIDERS.id_mapping_api.create_id_mapping(
|
||||
{'domain_id': self.domainB['id'], 'local_id': local_id4,
|
||||
'entity_type': mapping.EntityType.USER})
|
||||
public_id5 = self.id_mapping_api.create_id_mapping(
|
||||
public_id5 = PROVIDERS.id_mapping_api.create_id_mapping(
|
||||
{'domain_id': self.domainB['id'], 'local_id': local_id5,
|
||||
'entity_type': mapping.EntityType.USER})
|
||||
|
||||
|
@ -168,32 +185,32 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
matchers.HasLength(initial_mappings + 5))
|
||||
|
||||
# Purge mappings for domainA, should be left with those in B
|
||||
self.id_mapping_api.purge_mappings(
|
||||
PROVIDERS.id_mapping_api.purge_mappings(
|
||||
{'domain_id': self.domainA['id']})
|
||||
self.assertThat(mapping_sql.list_id_mappings(),
|
||||
matchers.HasLength(initial_mappings + 3))
|
||||
self.id_mapping_api.get_id_mapping(public_id3)
|
||||
self.id_mapping_api.get_id_mapping(public_id4)
|
||||
self.id_mapping_api.get_id_mapping(public_id5)
|
||||
PROVIDERS.id_mapping_api.get_id_mapping(public_id3)
|
||||
PROVIDERS.id_mapping_api.get_id_mapping(public_id4)
|
||||
PROVIDERS.id_mapping_api.get_id_mapping(public_id5)
|
||||
|
||||
# Purge mappings for type Group, should purge one more
|
||||
self.id_mapping_api.purge_mappings(
|
||||
PROVIDERS.id_mapping_api.purge_mappings(
|
||||
{'entity_type': mapping.EntityType.GROUP})
|
||||
self.assertThat(mapping_sql.list_id_mappings(),
|
||||
matchers.HasLength(initial_mappings + 2))
|
||||
self.id_mapping_api.get_id_mapping(public_id4)
|
||||
self.id_mapping_api.get_id_mapping(public_id5)
|
||||
PROVIDERS.id_mapping_api.get_id_mapping(public_id4)
|
||||
PROVIDERS.id_mapping_api.get_id_mapping(public_id5)
|
||||
|
||||
# Purge mapping for a specific local identifier
|
||||
self.id_mapping_api.purge_mappings(
|
||||
PROVIDERS.id_mapping_api.purge_mappings(
|
||||
{'domain_id': self.domainB['id'], 'local_id': local_id4,
|
||||
'entity_type': mapping.EntityType.USER})
|
||||
self.assertThat(mapping_sql.list_id_mappings(),
|
||||
matchers.HasLength(initial_mappings + 1))
|
||||
self.id_mapping_api.get_id_mapping(public_id5)
|
||||
PROVIDERS.id_mapping_api.get_id_mapping(public_id5)
|
||||
|
||||
# Purge mappings the remaining mappings
|
||||
self.id_mapping_api.purge_mappings({})
|
||||
PROVIDERS.id_mapping_api.purge_mappings({})
|
||||
self.assertThat(mapping_sql.list_id_mappings(),
|
||||
matchers.HasLength(initial_mappings))
|
||||
|
||||
|
@ -202,16 +219,16 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
'domain_id': self.domainA['id'],
|
||||
'local_id': uuid.uuid4().hex,
|
||||
'entity_type': mapping.EntityType.USER}
|
||||
public_id1 = self.id_mapping_api.create_id_mapping(local_entity)
|
||||
public_id1 = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
|
||||
|
||||
# second call should be successful and return the same
|
||||
# public_id as above
|
||||
public_id2 = self.id_mapping_api.create_id_mapping(local_entity)
|
||||
public_id2 = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
|
||||
self.assertEqual(public_id1, public_id2)
|
||||
|
||||
# even if public_id was specified, it should not be used,
|
||||
# and still the same public_id should be returned
|
||||
public_id3 = self.id_mapping_api.create_id_mapping(
|
||||
public_id3 = PROVIDERS.id_mapping_api.create_id_mapping(
|
||||
local_entity, public_id=uuid.uuid4().hex)
|
||||
self.assertEqual(public_id1, public_id3)
|
||||
|
||||
|
@ -223,21 +240,21 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
'entity_type': mapping.EntityType.USER}
|
||||
|
||||
# Check no mappings for the new local entity
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity))
|
||||
self.assertIsNone(PROVIDERS.id_mapping_api.get_public_id(local_entity))
|
||||
|
||||
# Create new mappings, and it should be in the cache after created
|
||||
public_id = self.id_mapping_api.create_id_mapping(local_entity)
|
||||
public_id = PROVIDERS.id_mapping_api.create_id_mapping(local_entity)
|
||||
self.assertEqual(
|
||||
public_id, self.id_mapping_api.get_public_id(local_entity))
|
||||
local_id_ref = self.id_mapping_api.get_id_mapping(public_id)
|
||||
public_id, PROVIDERS.id_mapping_api.get_public_id(local_entity))
|
||||
local_id_ref = PROVIDERS.id_mapping_api.get_id_mapping(public_id)
|
||||
self.assertEqual(self.domainA['id'], local_id_ref['domain_id'])
|
||||
self.assertEqual(local_id, local_id_ref['local_id'])
|
||||
self.assertEqual(mapping.EntityType.USER, local_id_ref['entity_type'])
|
||||
|
||||
# After delete the mapping, should be deleted from cache too
|
||||
self.id_mapping_api.delete_id_mapping(public_id)
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity))
|
||||
self.assertIsNone(self.id_mapping_api.get_id_mapping(public_id))
|
||||
PROVIDERS.id_mapping_api.delete_id_mapping(public_id)
|
||||
self.assertIsNone(PROVIDERS.id_mapping_api.get_public_id(local_entity))
|
||||
self.assertIsNone(PROVIDERS.id_mapping_api.get_id_mapping(public_id))
|
||||
|
||||
@unit.skip_if_cache_disabled('identity')
|
||||
def test_invalidate_cache_when_purge_mappings(self):
|
||||
|
@ -264,32 +281,42 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
'local_id': local_id5,
|
||||
'entity_type': mapping.EntityType.USER}
|
||||
|
||||
self.id_mapping_api.create_id_mapping(local_entity1)
|
||||
self.id_mapping_api.create_id_mapping(local_entity2)
|
||||
self.id_mapping_api.create_id_mapping(local_entity3)
|
||||
self.id_mapping_api.create_id_mapping(local_entity4)
|
||||
self.id_mapping_api.create_id_mapping(local_entity5)
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity1)
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity2)
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity3)
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity4)
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity5)
|
||||
|
||||
# Purge mappings for domainA, should be left with those in B
|
||||
self.id_mapping_api.purge_mappings(
|
||||
PROVIDERS.id_mapping_api.purge_mappings(
|
||||
{'domain_id': self.domainA['id']})
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity1))
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity2))
|
||||
self.assertIsNone(
|
||||
PROVIDERS.id_mapping_api.get_public_id(local_entity1)
|
||||
)
|
||||
self.assertIsNone(
|
||||
PROVIDERS.id_mapping_api.get_public_id(local_entity2)
|
||||
)
|
||||
|
||||
# Purge mappings for type Group, should purge one more
|
||||
self.id_mapping_api.purge_mappings(
|
||||
PROVIDERS.id_mapping_api.purge_mappings(
|
||||
{'entity_type': mapping.EntityType.GROUP})
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity3))
|
||||
self.assertIsNone(
|
||||
PROVIDERS.id_mapping_api.get_public_id(local_entity3)
|
||||
)
|
||||
|
||||
# Purge mapping for a specific local identifier
|
||||
self.id_mapping_api.purge_mappings(
|
||||
PROVIDERS.id_mapping_api.purge_mappings(
|
||||
{'domain_id': self.domainB['id'], 'local_id': local_id4,
|
||||
'entity_type': mapping.EntityType.USER})
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity4))
|
||||
self.assertIsNone(
|
||||
PROVIDERS.id_mapping_api.get_public_id(local_entity4)
|
||||
)
|
||||
|
||||
# Purge mappings the remaining mappings
|
||||
self.id_mapping_api.purge_mappings({})
|
||||
self.assertIsNone(self.id_mapping_api.get_public_id(local_entity5))
|
||||
PROVIDERS.id_mapping_api.purge_mappings({})
|
||||
self.assertIsNone(
|
||||
PROVIDERS.id_mapping_api.get_public_id(local_entity5)
|
||||
)
|
||||
|
||||
def test_get_domain_mapping_list(self):
|
||||
local_id1 = uuid.uuid4().hex
|
||||
|
@ -315,24 +342,32 @@ class SqlIDMapping(test_backend_sql.SqlTests):
|
|||
'local_id': local_id5,
|
||||
'entity_type': mapping.EntityType.USER}
|
||||
|
||||
local_entity1['public_id'] = self.id_mapping_api.create_id_mapping(
|
||||
local_entity1)
|
||||
local_entity2['public_id'] = self.id_mapping_api.create_id_mapping(
|
||||
local_entity2)
|
||||
local_entity3['public_id'] = self.id_mapping_api.create_id_mapping(
|
||||
local_entity3)
|
||||
local_entity4['public_id'] = self.id_mapping_api.create_id_mapping(
|
||||
local_entity4)
|
||||
local_entity5['public_id'] = self.id_mapping_api.create_id_mapping(
|
||||
local_entity5)
|
||||
local_entity1['public_id'] = (
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity1)
|
||||
)
|
||||
local_entity2['public_id'] = (
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity2)
|
||||
)
|
||||
local_entity3['public_id'] = (
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity3)
|
||||
)
|
||||
local_entity4['public_id'] = (
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity4)
|
||||
)
|
||||
local_entity5['public_id'] = (
|
||||
PROVIDERS.id_mapping_api.create_id_mapping(local_entity5)
|
||||
)
|
||||
|
||||
# NOTE(notmorgan): Always call to_dict in an active session context to
|
||||
# ensure that lazy-loaded relationships succeed. Edge cases could cause
|
||||
# issues especially in attribute mappers.
|
||||
with sql.session_for_read():
|
||||
# list mappings for domainA
|
||||
domain_a_mappings = self.id_mapping_api.get_domain_mapping_list(
|
||||
self.domainA['id'])
|
||||
domain_a_mappings = (
|
||||
PROVIDERS.id_mapping_api.get_domain_mapping_list(
|
||||
self.domainA['id']
|
||||
)
|
||||
)
|
||||
domain_a_mappings = [m.to_dict() for m in domain_a_mappings]
|
||||
self.assertItemsEqual([local_entity1, local_entity2],
|
||||
domain_a_mappings)
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -18,12 +18,14 @@ import mock
|
|||
from six.moves import zip
|
||||
|
||||
from keystone.catalog.backends import base as catalog_base
|
||||
from keystone.common import provider_api
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit.catalog import test_backends as catalog_tests
|
||||
from keystone.tests.unit import default_fixtures
|
||||
from keystone.tests.unit.ksfixtures import database
|
||||
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
BROKEN_WRITE_FUNCTIONALITY_MSG = ("Templated backend doesn't correctly "
|
||||
"implement write operations")
|
||||
|
||||
|
@ -63,7 +65,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
|
|||
template_file=unit.dirs.tests('default_catalog.templates'))
|
||||
|
||||
def test_get_catalog(self):
|
||||
catalog_ref = self.catalog_api.get_catalog('foo', 'bar')
|
||||
catalog_ref = PROVIDERS.catalog_api.get_catalog('foo', 'bar')
|
||||
self.assertDictEqual(self.DEFAULT_FIXTURE, catalog_ref)
|
||||
|
||||
# NOTE(lbragstad): This test is skipped because the catalog is being
|
||||
|
@ -71,14 +73,14 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
|
|||
@unit.skip_if_cache_is_enabled('catalog')
|
||||
def test_catalog_ignored_malformed_urls(self):
|
||||
# both endpoints are in the catalog
|
||||
catalog_ref = self.catalog_api.get_catalog('foo', 'bar')
|
||||
catalog_ref = PROVIDERS.catalog_api.get_catalog('foo', 'bar')
|
||||
self.assertEqual(2, len(catalog_ref['RegionOne']))
|
||||
|
||||
region = self.catalog_api.driver.templates['RegionOne']
|
||||
region = PROVIDERS.catalog_api.driver.templates['RegionOne']
|
||||
region['compute']['adminURL'] = 'http://localhost:8774/v1.1/$(tenant)s'
|
||||
|
||||
# the malformed one has been removed
|
||||
catalog_ref = self.catalog_api.get_catalog('foo', 'bar')
|
||||
catalog_ref = PROVIDERS.catalog_api.get_catalog('foo', 'bar')
|
||||
self.assertEqual(1, len(catalog_ref['RegionOne']))
|
||||
|
||||
def test_get_v3_catalog_endpoint_disabled(self):
|
||||
|
@ -97,7 +99,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
|
|||
def test_get_v3_catalog(self):
|
||||
user_id = uuid.uuid4().hex
|
||||
project_id = uuid.uuid4().hex
|
||||
catalog_ref = self.catalog_api.get_v3_catalog(user_id, project_id)
|
||||
catalog_ref = PROVIDERS.catalog_api.get_v3_catalog(user_id, project_id)
|
||||
exp_catalog = [
|
||||
{'endpoints': [
|
||||
{'interface': 'admin',
|
||||
|
@ -132,7 +134,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
|
|||
project_id = None
|
||||
# If the URL has no 'project_id' to substitute, we will skip the
|
||||
# endpoint which contains this kind of URL.
|
||||
catalog_ref = self.catalog_api.get_v3_catalog(user_id, project_id)
|
||||
catalog_ref = PROVIDERS.catalog_api.get_v3_catalog(user_id, project_id)
|
||||
exp_catalog = [
|
||||
{'endpoints': [],
|
||||
'type': 'compute',
|
||||
|
@ -161,7 +163,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
|
|||
|
||||
def test_list_services_with_hints(self):
|
||||
hints = {}
|
||||
services = self.catalog_api.list_services(hints=hints)
|
||||
services = PROVIDERS.catalog_api.list_services(hints=hints)
|
||||
exp_services = [
|
||||
{'type': 'compute',
|
||||
'description': '',
|
||||
|
@ -252,7 +254,7 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
|
|||
expected_urls = set(['http://localhost:$(public_port)s/v3',
|
||||
'http://localhost:$(admin_port)s/v3',
|
||||
'http://localhost:8774/v1.1/$(tenant_id)s'])
|
||||
endpoints = self.catalog_api.list_endpoints()
|
||||
endpoints = PROVIDERS.catalog_api.list_endpoints()
|
||||
self.assertEqual(expected_urls, set(e['url'] for e in endpoints))
|
||||
|
||||
@unit.skip_if_cache_disabled('catalog')
|
||||
|
@ -262,17 +264,17 @@ class TestTemplatedCatalog(unit.TestCase, catalog_tests.CatalogTests):
|
|||
def test_delete_endpoint_group_association_by_project(self):
|
||||
# Deleting endpoint group association is not supported by the templated
|
||||
# driver, but it should be silent about it and not raise an error.
|
||||
self.catalog_api.delete_endpoint_group_association_by_project(
|
||||
PROVIDERS.catalog_api.delete_endpoint_group_association_by_project(
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_delete_association_by_endpoint(self):
|
||||
# Deleting endpoint association is not supported by the templated
|
||||
# driver, but it should be silent about it and not raise an error.
|
||||
self.catalog_api.delete_association_by_endpoint(
|
||||
PROVIDERS.catalog_api.delete_association_by_endpoint(
|
||||
uuid.uuid4().hex)
|
||||
|
||||
def test_delete_association_by_project(self):
|
||||
# Deleting endpoint association is not supported by the templated
|
||||
# driver, but it should be silent about it and not raise an error.
|
||||
self.catalog_api.delete_association_by_project(
|
||||
PROVIDERS.catalog_api.delete_association_by_project(
|
||||
uuid.uuid4().hex)
|
||||
|
|
|
@ -15,11 +15,14 @@
|
|||
from keystoneclient.contrib.ec2 import utils as ec2_utils
|
||||
from six.moves import http_client
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.contrib.ec2 import controllers
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import rest
|
||||
from keystone.tests.unit import test_v3
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class EC2ContribCoreV2(rest.RestfulTestCase):
|
||||
def config_overrides(self):
|
||||
|
@ -55,7 +58,7 @@ class EC2ContribCoreV2(rest.RestfulTestCase):
|
|||
cred_blob, credential = unit.new_ec2_credential(
|
||||
self.user_foo['id'], self.tenant_bar['id'])
|
||||
|
||||
self.credential_api.create_credential(
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential['id'], credential)
|
||||
|
||||
signer = ec2_utils.Ec2Signer(cred_blob['secret'])
|
||||
|
@ -103,7 +106,7 @@ class EC2ContribCoreV2(rest.RestfulTestCase):
|
|||
cred_blob, credential = unit.new_ec2_credential(
|
||||
self.user_foo['id'], self.tenant_bar['id'])
|
||||
|
||||
self.credential_api.create_credential(
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential['id'], credential)
|
||||
|
||||
signer = ec2_utils.Ec2Signer('totally not the secret')
|
||||
|
@ -133,7 +136,7 @@ class EC2ContribCoreV3(test_v3.RestfulTestCase):
|
|||
|
||||
self.cred_blob, self.credential = unit.new_ec2_credential(
|
||||
self.user['id'], self.project_id)
|
||||
self.credential_api.create_credential(
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
self.credential['id'], self.credential)
|
||||
|
||||
self.controller = controllers.Ec2ControllerV3
|
||||
|
|
|
@ -19,11 +19,14 @@ import uuid
|
|||
|
||||
from six.moves import http_client
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.contrib import s3
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import test_v3
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class S3ContribCore(test_v3.RestfulTestCase):
|
||||
def setUp(self):
|
||||
|
@ -33,7 +36,7 @@ class S3ContribCore(test_v3.RestfulTestCase):
|
|||
|
||||
self.cred_blob, self.credential = unit.new_ec2_credential(
|
||||
self.user['id'], self.project_id)
|
||||
self.credential_api.create_credential(
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
self.credential['id'], self.credential)
|
||||
|
||||
self.controller = s3.S3Controller()
|
||||
|
|
|
@ -18,6 +18,7 @@ from keystoneclient.contrib.ec2 import utils as ec2_utils
|
|||
from six.moves import http_client
|
||||
|
||||
from keystone.common import context
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import request
|
||||
from keystone.common import utils
|
||||
from keystone.contrib.ec2 import controllers
|
||||
|
@ -30,6 +31,7 @@ from keystone.tests.unit.ksfixtures import database
|
|||
from keystone.tests.unit import test_v3 as rest
|
||||
|
||||
CRED_TYPE_EC2 = controllers.CRED_TYPE_EC2
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class V2CredentialEc2TestCase(rest.RestfulTestCase):
|
||||
|
@ -52,7 +54,7 @@ class V2CredentialEc2TestCase(rest.RestfulTestCase):
|
|||
user_id=self.user_id,
|
||||
project_id=self.project_id)
|
||||
non_ec2_cred['id'] = cred_id
|
||||
self.credential_api.create_credential(cred_id, non_ec2_cred)
|
||||
PROVIDERS.credential_api.create_credential(cred_id, non_ec2_cred)
|
||||
|
||||
# if access_key is not found, ec2 controller raises Unauthorized
|
||||
# exception
|
||||
|
@ -87,8 +89,9 @@ class V2CredentialEc2TestCase(rest.RestfulTestCase):
|
|||
user_id=self.user_id,
|
||||
project_id=self.project_id)
|
||||
non_ec2_cred['type'] = uuid.uuid4().hex
|
||||
self.credential_api.create_credential(non_ec2_cred['id'],
|
||||
non_ec2_cred)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
non_ec2_cred['id'], non_ec2_cred
|
||||
)
|
||||
r = self.public_request(method='GET', token=self.get_scoped_token(),
|
||||
path=uri)
|
||||
cred_list_2 = r.result['credentials']
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
|
||||
import ldappool
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone.identity.backends import ldap
|
||||
from keystone.identity.backends.ldap import common as ldap_common
|
||||
|
@ -24,6 +25,7 @@ from keystone.tests.unit import test_ldap_livetest
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
|
||||
|
@ -97,22 +99,22 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
|
|||
self.test_password_change_with_pool()
|
||||
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
context={},
|
||||
user_id=self.user_sna['id'],
|
||||
password=old_password)
|
||||
|
||||
def _create_user_and_authenticate(self, password):
|
||||
user = unit.create_user(self.identity_api,
|
||||
user = unit.create_user(PROVIDERS.identity_api,
|
||||
CONF.identity.default_domain_id,
|
||||
password=password)
|
||||
|
||||
self.identity_api.authenticate(
|
||||
PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(),
|
||||
user_id=user['id'],
|
||||
password=password)
|
||||
|
||||
return self.identity_api.get_user(user['id'])
|
||||
return PROVIDERS.identity_api.get_user(user['id'])
|
||||
|
||||
def _get_auth_conn_pool_cm(self):
|
||||
pool_url = (
|
||||
|
@ -160,7 +162,7 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
|
|||
_.unbind_s()
|
||||
|
||||
user3['password'] = new_password
|
||||
self.identity_api.update_user(user3['id'], user3)
|
||||
PROVIDERS.identity_api.update_user(user3['id'], user3)
|
||||
|
||||
return user3
|
||||
|
||||
|
@ -177,7 +179,7 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
|
|||
# successfully which is not desired if password change is frequent
|
||||
# use case in a deployment.
|
||||
# This can happen in multiple concurrent connections case only.
|
||||
user_ref = self.identity_api.authenticate(
|
||||
user_ref = PROVIDERS.identity_api.authenticate(
|
||||
self.make_request(), user_id=user['id'], password=old_password)
|
||||
|
||||
self.assertDictEqual(user, user_ref)
|
||||
|
@ -193,6 +195,6 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
|
|||
# now as connection lifetime is zero, so authentication
|
||||
# with old password will always fail.
|
||||
self.assertRaises(AssertionError,
|
||||
self.identity_api.authenticate,
|
||||
PROVIDERS.identity_api.authenticate,
|
||||
context={}, user_id=user['id'],
|
||||
password=old_password)
|
||||
|
|
|
@ -21,6 +21,7 @@ from six.moves import http_client
|
|||
import webtest
|
||||
|
||||
from keystone.common import authorization
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import tokenless_auth
|
||||
from keystone.common import wsgi
|
||||
import keystone.conf
|
||||
|
@ -33,6 +34,7 @@ from keystone.tests.unit import test_backend_sql
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class MiddlewareRequestTestBase(unit.TestCase):
|
||||
|
@ -190,44 +192,45 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
|
|||
self.domain = unit.new_domain_ref()
|
||||
self.domain_id = self.domain['id']
|
||||
self.domain_name = self.domain['name']
|
||||
self.resource_api.create_domain(self.domain_id, self.domain)
|
||||
PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)
|
||||
|
||||
# 2) Create a project for the user.
|
||||
self.project = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.project_id = self.project['id']
|
||||
self.project_name = self.project['name']
|
||||
|
||||
self.resource_api.create_project(self.project_id, self.project)
|
||||
PROVIDERS.resource_api.create_project(self.project_id, self.project)
|
||||
|
||||
# 3) Create a user in new domain.
|
||||
self.user = unit.new_user_ref(domain_id=self.domain_id,
|
||||
project_id=self.project_id)
|
||||
|
||||
self.user = self.identity_api.create_user(self.user)
|
||||
self.user = PROVIDERS.identity_api.create_user(self.user)
|
||||
|
||||
# Add IDP
|
||||
self.idp = self._idp_ref(id=self.idp_id)
|
||||
self.federation_api.create_idp(self.idp['id'],
|
||||
self.idp)
|
||||
PROVIDERS.federation_api.create_idp(
|
||||
self.idp['id'], self.idp
|
||||
)
|
||||
|
||||
# Add a role
|
||||
self.role = unit.new_role_ref()
|
||||
self.role_id = self.role['id']
|
||||
self.role_name = self.role['name']
|
||||
self.role_api.create_role(self.role_id, self.role)
|
||||
PROVIDERS.role_api.create_role(self.role_id, self.role)
|
||||
|
||||
# Add a group
|
||||
self.group = unit.new_group_ref(domain_id=self.domain_id)
|
||||
self.group = self.identity_api.create_group(self.group)
|
||||
self.group = PROVIDERS.identity_api.create_group(self.group)
|
||||
|
||||
# Assign a role to the user on a project
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user_id=self.user['id'],
|
||||
tenant_id=self.project_id,
|
||||
role_id=self.role_id)
|
||||
|
||||
# Assign a role to the group on a project
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_id=self.role_id,
|
||||
group_id=self.group['id'],
|
||||
project_id=self.project_id)
|
||||
|
@ -235,14 +238,15 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
|
|||
def _load_mapping_rules(self, rules):
|
||||
# Add a mapping
|
||||
self.mapping = self._mapping_ref(rules=rules)
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
# Add protocols
|
||||
self.proto_x509 = self._proto_ref(mapping_id=self.mapping['id'])
|
||||
self.proto_x509['id'] = self.protocol_id
|
||||
self.federation_api.create_protocol(self.idp['id'],
|
||||
self.proto_x509['id'],
|
||||
self.proto_x509)
|
||||
PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], self.proto_x509['id'], self.proto_x509
|
||||
)
|
||||
|
||||
def _idp_ref(self, id=None):
|
||||
idp = {
|
||||
|
@ -543,7 +547,7 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
|
|||
env['SSL_CLIENT_DOMAIN_ID'] = self.domain_id
|
||||
|
||||
self.domain['enabled'] = False
|
||||
self.domain = self.resource_api.update_domain(
|
||||
self.domain = PROVIDERS.resource_api.update_domain(
|
||||
self.domain['id'], self.domain)
|
||||
|
||||
self._load_mapping_rules(
|
||||
|
@ -561,7 +565,9 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
|
|||
env['SSL_CLIENT_DOMAIN_ID'] = self.domain_id
|
||||
|
||||
self.user['enabled'] = False
|
||||
self.user = self.identity_api.update_user(self.user['id'], self.user)
|
||||
self.user = PROVIDERS.identity_api.update_user(
|
||||
self.user['id'], self.user
|
||||
)
|
||||
|
||||
self._load_mapping_rules(
|
||||
mapping_fixtures.MAPPING_WITH_USERNAME_AND_DOMAINID)
|
||||
|
|
|
@ -16,6 +16,7 @@ import datetime
|
|||
|
||||
from oslo_utils import timeutils
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import utils
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
|
@ -26,6 +27,7 @@ from keystone import token
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
FUTURE_DELTA = datetime.timedelta(seconds=CONF.token.expiration)
|
||||
CURRENT_DATE = timeutils.utcnow()
|
||||
|
@ -452,13 +454,13 @@ class TestTokenProvider(unit.TestCase):
|
|||
def test_get_token_version(self):
|
||||
self.assertEqual(
|
||||
token.provider.V3,
|
||||
self.token_provider_api.get_token_version(SAMPLE_V3_TOKEN))
|
||||
PROVIDERS.token_provider_api.get_token_version(SAMPLE_V3_TOKEN))
|
||||
self.assertEqual(
|
||||
token.provider.V3,
|
||||
self.token_provider_api.get_token_version(
|
||||
PROVIDERS.token_provider_api.get_token_version(
|
||||
SAMPLE_V3_TOKEN_WITH_EMBEDED_VERSION))
|
||||
self.assertRaises(exception.UnsupportedTokenVersionException,
|
||||
self.token_provider_api.get_token_version,
|
||||
PROVIDERS.token_provider_api.get_token_version,
|
||||
'bogus')
|
||||
|
||||
def test_unsupported_token_provider(self):
|
||||
|
@ -469,16 +471,16 @@ class TestTokenProvider(unit.TestCase):
|
|||
|
||||
def test_provider_token_expiration_validation(self):
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api._is_valid_token,
|
||||
PROVIDERS.token_provider_api._is_valid_token,
|
||||
SAMPLE_V3_TOKEN_EXPIRED)
|
||||
self.assertRaises(exception.TokenNotFound,
|
||||
self.token_provider_api._is_valid_token,
|
||||
PROVIDERS.token_provider_api._is_valid_token,
|
||||
SAMPLE_MALFORMED_TOKEN)
|
||||
self.assertIsNone(
|
||||
self.token_provider_api._is_valid_token(create_v3_token()))
|
||||
PROVIDERS.token_provider_api._is_valid_token(create_v3_token()))
|
||||
|
||||
def test_validate_v3_token_with_no_token_raises_token_not_found(self):
|
||||
self.assertRaises(
|
||||
exception.TokenNotFound,
|
||||
self.token_provider_api.validate_token,
|
||||
PROVIDERS.token_provider_api.validate_token,
|
||||
None)
|
||||
|
|
|
@ -24,6 +24,7 @@ import webtest
|
|||
from keystone import auth
|
||||
from keystone.common import authorization
|
||||
from keystone.common import cache
|
||||
from keystone.common import provider_api
|
||||
from keystone.common.validation import validators
|
||||
from keystone import exception
|
||||
from keystone import middleware
|
||||
|
@ -32,6 +33,7 @@ from keystone.tests import unit
|
|||
from keystone.tests.unit import rest
|
||||
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
DEFAULT_DOMAIN_ID = 'default'
|
||||
|
||||
TIME_FORMAT = unit.TIME_FORMAT
|
||||
|
@ -215,26 +217,27 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
|
|||
|
||||
def _populate_default_domain(self):
|
||||
try:
|
||||
self.resource_api.get_domain(DEFAULT_DOMAIN_ID)
|
||||
PROVIDERS.resource_api.get_domain(DEFAULT_DOMAIN_ID)
|
||||
except exception.DomainNotFound:
|
||||
domain = unit.new_domain_ref(
|
||||
description=(u'The default domain'),
|
||||
id=DEFAULT_DOMAIN_ID,
|
||||
name=u'Default')
|
||||
self.resource_api.create_domain(DEFAULT_DOMAIN_ID, domain)
|
||||
PROVIDERS.resource_api.create_domain(DEFAULT_DOMAIN_ID, domain)
|
||||
|
||||
def load_sample_data(self, create_region_and_endpoints=True):
|
||||
self._populate_default_domain()
|
||||
self.domain = unit.new_domain_ref()
|
||||
self.domain_id = self.domain['id']
|
||||
self.resource_api.create_domain(self.domain_id, self.domain)
|
||||
PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)
|
||||
|
||||
self.project = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.project_id = self.project['id']
|
||||
self.project = self.resource_api.create_project(self.project_id,
|
||||
self.project)
|
||||
self.project = PROVIDERS.resource_api.create_project(
|
||||
self.project_id, self.project
|
||||
)
|
||||
|
||||
self.user = unit.create_user(self.identity_api,
|
||||
self.user = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain_id)
|
||||
self.user_id = self.user['id']
|
||||
|
||||
|
@ -242,32 +245,33 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
|
|||
self.default_domain_project = unit.new_project_ref(
|
||||
domain_id=DEFAULT_DOMAIN_ID)
|
||||
self.default_domain_project['id'] = self.default_domain_project_id
|
||||
self.resource_api.create_project(self.default_domain_project_id,
|
||||
self.default_domain_project)
|
||||
PROVIDERS.resource_api.create_project(
|
||||
self.default_domain_project_id, self.default_domain_project
|
||||
)
|
||||
|
||||
self.default_domain_user = unit.create_user(
|
||||
self.identity_api,
|
||||
PROVIDERS.identity_api,
|
||||
domain_id=DEFAULT_DOMAIN_ID)
|
||||
self.default_domain_user_id = self.default_domain_user['id']
|
||||
|
||||
# create & grant policy.json's default role for admin_required
|
||||
self.role = unit.new_role_ref(name='admin')
|
||||
self.role_id = self.role['id']
|
||||
self.role_api.create_role(self.role_id, self.role)
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.role_api.create_role(self.role_id, self.role)
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
self.user_id, self.project_id, self.role_id)
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
self.default_domain_user_id, self.default_domain_project_id,
|
||||
self.role_id)
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
self.default_domain_user_id, self.project_id,
|
||||
self.role_id)
|
||||
|
||||
# Create "req_admin" user for simulating a real user instead of the
|
||||
# admin_token_auth middleware
|
||||
self.user_reqadmin = unit.create_user(self.identity_api,
|
||||
self.user_reqadmin = unit.create_user(PROVIDERS.identity_api,
|
||||
DEFAULT_DOMAIN_ID)
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
self.user_reqadmin['id'],
|
||||
self.default_domain_project_id,
|
||||
self.role_id)
|
||||
|
@ -275,19 +279,21 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
|
|||
if create_region_and_endpoints:
|
||||
self.region = unit.new_region_ref()
|
||||
self.region_id = self.region['id']
|
||||
self.catalog_api.create_region(self.region)
|
||||
PROVIDERS.catalog_api.create_region(self.region)
|
||||
|
||||
self.service = unit.new_service_ref()
|
||||
self.service_id = self.service['id']
|
||||
self.catalog_api.create_service(self.service_id,
|
||||
self.service.copy())
|
||||
PROVIDERS.catalog_api.create_service(
|
||||
self.service_id, self.service.copy()
|
||||
)
|
||||
|
||||
self.endpoint = unit.new_endpoint_ref(service_id=self.service_id,
|
||||
interface='public',
|
||||
region_id=self.region_id)
|
||||
self.endpoint_id = self.endpoint['id']
|
||||
self.catalog_api.create_endpoint(self.endpoint_id,
|
||||
self.endpoint.copy())
|
||||
PROVIDERS.catalog_api.create_endpoint(
|
||||
self.endpoint_id, self.endpoint.copy()
|
||||
)
|
||||
# The server adds 'enabled' and defaults to True.
|
||||
self.endpoint['enabled'] = True
|
||||
|
||||
|
@ -1484,7 +1490,7 @@ class AssignmentTestMixin(object):
|
|||
entity = {'links': {}}
|
||||
attributes_for_links = {}
|
||||
if project_ref:
|
||||
dmn_name = self.resource_api.get_domain(
|
||||
dmn_name = PROVIDERS.resource_api.get_domain(
|
||||
project_ref['domain_id'])['name']
|
||||
|
||||
entity['scope'] = {'project': {
|
||||
|
@ -1499,7 +1505,7 @@ class AssignmentTestMixin(object):
|
|||
'name': domain_ref['name']}}
|
||||
attributes_for_links['domain_id'] = domain_ref['id']
|
||||
if user_ref:
|
||||
dmn_name = self.resource_api.get_domain(
|
||||
dmn_name = PROVIDERS.resource_api.get_domain(
|
||||
user_ref['domain_id'])['name']
|
||||
entity['user'] = {'id': user_ref['id'],
|
||||
'name': user_ref['name'],
|
||||
|
@ -1507,7 +1513,7 @@ class AssignmentTestMixin(object):
|
|||
'name': dmn_name}}
|
||||
attributes_for_links['user_id'] = user_ref['id']
|
||||
else:
|
||||
dmn_name = self.resource_api.get_domain(
|
||||
dmn_name = PROVIDERS.resource_api.get_domain(
|
||||
group_ref['domain_id'])['name']
|
||||
entity['group'] = {'id': group_ref['id'],
|
||||
'name': group_ref['name'],
|
||||
|
@ -1520,7 +1526,7 @@ class AssignmentTestMixin(object):
|
|||
entity['role'] = {'id': role_ref['id'],
|
||||
'name': role_ref['name']}
|
||||
if role_ref['domain_id']:
|
||||
dmn_name = self.resource_api.get_domain(
|
||||
dmn_name = PROVIDERS.resource_api.get_domain(
|
||||
role_ref['domain_id'])['name']
|
||||
entity['role']['domain'] = {'id': role_ref['domain_id'],
|
||||
'name': dmn_name}
|
||||
|
|
|
@ -19,6 +19,7 @@ from six.moves import http_client
|
|||
from six.moves import range
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
|
@ -26,6 +27,7 @@ from keystone.tests.unit import test_v3
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class SystemRoleAssignmentMixin(object):
|
||||
|
@ -68,7 +70,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
super(AssignmentTestCase, self).setUp()
|
||||
|
||||
self.group = unit.new_group_ref(domain_id=self.domain_id)
|
||||
self.group = self.identity_api.create_group(self.group)
|
||||
self.group = PROVIDERS.identity_api.create_group(self.group)
|
||||
self.group_id = self.group['id']
|
||||
|
||||
# Role CRUD tests
|
||||
|
@ -132,7 +134,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
def test_crud_user_project_role_grants(self):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
|
||||
collection_url = (
|
||||
'/projects/%(project_id)s/users/%(user_id)s/roles' % {
|
||||
|
@ -338,7 +340,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
"""Create a new user and assign user a role on a project."""
|
||||
# Create a new user
|
||||
new_user = unit.new_user_ref(domain_id=self.domain_id)
|
||||
user_ref = self.identity_api.create_user(new_user)
|
||||
user_ref = PROVIDERS.identity_api.create_user(new_user)
|
||||
# Assign the user a role on the project
|
||||
collection_url = (
|
||||
'/projects/%(project_id)s/users/%(user_id)s/roles' % {
|
||||
|
@ -357,7 +359,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
"""Call ``DELETE`` on the user before the role assignment."""
|
||||
member_url, user = self._create_new_user_and_assign_role_on_project()
|
||||
# Delete the user from identity backend
|
||||
self.identity_api.driver.delete_user(user['id'])
|
||||
PROVIDERS.identity_api.driver.delete_user(user['id'])
|
||||
# Clean up the role assignment
|
||||
self.delete(member_url)
|
||||
# Make sure the role is gone
|
||||
|
@ -367,7 +369,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
"""Call ``DELETE`` on the user and check the role assignment."""
|
||||
member_url, user = self._create_new_user_and_assign_role_on_project()
|
||||
# Delete the user from identity backend
|
||||
self.identity_api.delete_user(user['id'])
|
||||
PROVIDERS.identity_api.delete_user(user['id'])
|
||||
# We should get a 404 Not Found when looking for the user in the
|
||||
# identity backend because we're not performing a delete operation on
|
||||
# the role.
|
||||
|
@ -384,13 +386,15 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
time = datetime.datetime.utcnow()
|
||||
with freezegun.freeze_time(time) as frozen_datetime:
|
||||
# creates grant from group on project.
|
||||
self.assignment_api.create_grant(role_id=self.role['id'],
|
||||
project_id=self.project['id'],
|
||||
group_id=self.group['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_id=self.role['id'], project_id=self.project['id'],
|
||||
group_id=self.group['id']
|
||||
)
|
||||
|
||||
# adds user to the group.
|
||||
self.identity_api.add_user_to_group(user_id=self.user['id'],
|
||||
group_id=self.group['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user_id=self.user['id'], group_id=self.group['id']
|
||||
)
|
||||
|
||||
# creates a token for the user
|
||||
auth_body = self.build_authentication_request(
|
||||
|
@ -407,13 +411,14 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
|
||||
# revokes the grant from group on project.
|
||||
self.assignment_api.delete_grant(role_id=self.role['id'],
|
||||
project_id=self.project['id'],
|
||||
group_id=self.group['id'])
|
||||
PROVIDERS.assignment_api.delete_grant(
|
||||
role_id=self.role['id'], project_id=self.project['id'],
|
||||
group_id=self.group['id'])
|
||||
# revokes the direct role form user on project
|
||||
self.assignment_api.delete_grant(role_id=self.role['id'],
|
||||
project_id=self.project['id'],
|
||||
user_id=self.user['id'])
|
||||
PROVIDERS.assignment_api.delete_grant(
|
||||
role_id=self.role['id'], project_id=self.project['id'],
|
||||
user_id=self.user['id']
|
||||
)
|
||||
|
||||
frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
|
||||
# validates the same token again; it should not longer be valid.
|
||||
|
@ -424,7 +429,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
def test_delete_grant_from_user_and_project_invalidate_cache(self):
|
||||
# create a new project
|
||||
new_project = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(new_project['id'], new_project)
|
||||
PROVIDERS.resource_api.create_project(new_project['id'], new_project)
|
||||
|
||||
collection_url = (
|
||||
'/projects/%(project_id)s/users/%(user_id)s/roles' % {
|
||||
|
@ -455,7 +460,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
def test_delete_grant_from_user_and_domain_invalidates_cache(self):
|
||||
# create a new domain
|
||||
new_domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(new_domain['id'], new_domain)
|
||||
PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
|
||||
|
||||
collection_url = (
|
||||
'/domains/%(domain_id)s/users/%(user_id)s/roles' % {
|
||||
|
@ -486,7 +491,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
def test_delete_grant_from_group_and_project_invalidates_cache(self):
|
||||
# create a new project
|
||||
new_project = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(new_project['id'], new_project)
|
||||
PROVIDERS.resource_api.create_project(new_project['id'], new_project)
|
||||
|
||||
collection_url = (
|
||||
'/projects/%(project_id)s/groups/%(group_id)s/roles' % {
|
||||
|
@ -517,7 +522,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
def test_delete_grant_from_group_and_domain_invalidates_cache(self):
|
||||
# create a new domain
|
||||
new_domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(new_domain['id'], new_domain)
|
||||
PROVIDERS.resource_api.create_domain(new_domain['id'], new_domain)
|
||||
|
||||
collection_url = (
|
||||
'/domains/%(domain_id)s/groups/%(group_id)s/roles' % {
|
||||
|
@ -578,10 +583,10 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
# user it creates, we also need a new user that will not have any
|
||||
# existing assignments
|
||||
user1 = unit.new_user_ref(domain_id=self.domain['id'])
|
||||
user1 = self.identity_api.create_user(user1)
|
||||
user1 = PROVIDERS.identity_api.create_user(user1)
|
||||
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
|
||||
collection_url = '/role_assignments'
|
||||
r = self.get(collection_url)
|
||||
|
@ -675,13 +680,13 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
for each of the group members.
|
||||
|
||||
"""
|
||||
user1 = unit.create_user(self.identity_api,
|
||||
user1 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
user2 = unit.create_user(self.identity_api,
|
||||
user2 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
self.identity_api.add_user_to_group(user1['id'], self.group['id'])
|
||||
self.identity_api.add_user_to_group(user2['id'], self.group['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(user1['id'], self.group['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(user2['id'], self.group['id'])
|
||||
|
||||
collection_url = '/role_assignments'
|
||||
r = self.get(collection_url)
|
||||
|
@ -744,13 +749,13 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
know if we are getting effective roles or not
|
||||
|
||||
"""
|
||||
user1 = unit.create_user(self.identity_api,
|
||||
user1 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
user2 = unit.create_user(self.identity_api,
|
||||
user2 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
self.identity_api.add_user_to_group(user1['id'], self.group['id'])
|
||||
self.identity_api.add_user_to_group(user2['id'], self.group['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(user1['id'], self.group['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(user2['id'], self.group['id'])
|
||||
|
||||
collection_url = '/role_assignments'
|
||||
r = self.get(collection_url, expected_status=http_client.OK)
|
||||
|
@ -832,21 +837,21 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
|
|||
# Since the default fixtures already assign some roles to the
|
||||
# user it creates, we also need a new user that will not have any
|
||||
# existing assignments
|
||||
user1 = unit.create_user(self.identity_api,
|
||||
user1 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
user2 = unit.create_user(self.identity_api,
|
||||
user2 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
group1 = unit.new_group_ref(domain_id=self.domain['id'])
|
||||
group1 = self.identity_api.create_group(group1)
|
||||
self.identity_api.add_user_to_group(user1['id'], group1['id'])
|
||||
self.identity_api.add_user_to_group(user2['id'], group1['id'])
|
||||
group1 = PROVIDERS.identity_api.create_group(group1)
|
||||
PROVIDERS.identity_api.add_user_to_group(user1['id'], group1['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(user2['id'], group1['id'])
|
||||
project1 = unit.new_project_ref(domain_id=self.domain['id'])
|
||||
self.resource_api.create_project(project1['id'], project1)
|
||||
PROVIDERS.resource_api.create_project(project1['id'], project1)
|
||||
self.role1 = unit.new_role_ref()
|
||||
self.role_api.create_role(self.role1['id'], self.role1)
|
||||
PROVIDERS.role_api.create_role(self.role1['id'], self.role1)
|
||||
self.role2 = unit.new_role_ref()
|
||||
self.role_api.create_role(self.role2['id'], self.role2)
|
||||
PROVIDERS.role_api.create_role(self.role2['id'], self.role2)
|
||||
|
||||
# Now add one of each of the four types of assignment
|
||||
|
||||
|
@ -1121,8 +1126,9 @@ class RoleAssignmentBaseTestCase(test_v3.RestfulTestCase,
|
|||
for i in range(breadth):
|
||||
subprojects.append(unit.new_project_ref(
|
||||
domain_id=self.domain_id, parent_id=parent_id))
|
||||
self.resource_api.create_project(subprojects[-1]['id'],
|
||||
subprojects[-1])
|
||||
PROVIDERS.resource_api.create_project(
|
||||
subprojects[-1]['id'], subprojects[-1]
|
||||
)
|
||||
|
||||
new_parent = subprojects[random.randint(0, breadth - 1)]
|
||||
create_project_hierarchy(new_parent['id'], depth - 1)
|
||||
|
@ -1132,12 +1138,12 @@ class RoleAssignmentBaseTestCase(test_v3.RestfulTestCase,
|
|||
# Create a domain
|
||||
self.domain = unit.new_domain_ref()
|
||||
self.domain_id = self.domain['id']
|
||||
self.resource_api.create_domain(self.domain_id, self.domain)
|
||||
PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)
|
||||
|
||||
# Create a project hierarchy
|
||||
self.project = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.project_id = self.project['id']
|
||||
self.resource_api.create_project(self.project_id, self.project)
|
||||
PROVIDERS.resource_api.create_project(self.project_id, self.project)
|
||||
|
||||
# Create a random project hierarchy
|
||||
create_project_hierarchy(self.project_id,
|
||||
|
@ -1147,30 +1153,33 @@ class RoleAssignmentBaseTestCase(test_v3.RestfulTestCase,
|
|||
self.user_ids = []
|
||||
for i in range(3):
|
||||
user = unit.new_user_ref(domain_id=self.domain_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
user = PROVIDERS.identity_api.create_user(user)
|
||||
self.user_ids.append(user['id'])
|
||||
|
||||
# Create 3 groups
|
||||
self.group_ids = []
|
||||
for i in range(3):
|
||||
group = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group = self.identity_api.create_group(group)
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
self.group_ids.append(group['id'])
|
||||
|
||||
# Put 2 members on each group
|
||||
self.identity_api.add_user_to_group(user_id=self.user_ids[i],
|
||||
group_id=group['id'])
|
||||
self.identity_api.add_user_to_group(user_id=self.user_ids[i % 2],
|
||||
group_id=group['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user_id=self.user_ids[i], group_id=group['id']
|
||||
)
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user_id=self.user_ids[i % 2], group_id=group['id']
|
||||
)
|
||||
|
||||
self.assignment_api.create_grant(user_id=self.user_id,
|
||||
project_id=self.project_id,
|
||||
role_id=self.role_id)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
user_id=self.user_id, project_id=self.project_id,
|
||||
role_id=self.role_id
|
||||
)
|
||||
|
||||
# Create a role
|
||||
self.role = unit.new_role_ref()
|
||||
self.role_id = self.role['id']
|
||||
self.role_api.create_role(self.role_id, self.role)
|
||||
PROVIDERS.role_api.create_role(self.role_id, self.role)
|
||||
|
||||
# Set default user and group to be used on tests
|
||||
self.default_user_id = self.user_ids[0]
|
||||
|
@ -1267,7 +1276,7 @@ class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase):
|
|||
test_assignment = self._set_default_assignment_attributes(**filters)
|
||||
|
||||
# Create new role assignment for this test
|
||||
self.assignment_api.create_grant(**test_assignment)
|
||||
PROVIDERS.assignment_api.create_grant(**test_assignment)
|
||||
|
||||
# Get expected role assignments
|
||||
expected_assignments = self._list_expected_role_assignments(
|
||||
|
@ -1285,7 +1294,7 @@ class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase):
|
|||
self.assertRoleAssignmentInListResponse(response, assignment)
|
||||
|
||||
# Delete created role assignment
|
||||
self.assignment_api.delete_grant(**test_assignment)
|
||||
PROVIDERS.assignment_api.delete_grant(**test_assignment)
|
||||
|
||||
def _set_default_assignment_attributes(self, **attribs):
|
||||
"""Insert default values for missing attributes of role assignment.
|
||||
|
@ -1449,7 +1458,7 @@ class RoleAssignmentEffectiveTestCase(RoleAssignmentInheritedTestCase):
|
|||
user_ids = [None]
|
||||
if filters.get('group_id'):
|
||||
user_ids = [user['id'] for user in
|
||||
self.identity_api.list_users_in_group(
|
||||
PROVIDERS.identity_api.list_users_in_group(
|
||||
filters['group_id'])]
|
||||
else:
|
||||
user_ids = [self.default_user_id]
|
||||
|
@ -1458,11 +1467,11 @@ class RoleAssignmentEffectiveTestCase(RoleAssignmentInheritedTestCase):
|
|||
project_ids = [None]
|
||||
if filters.get('domain_id'):
|
||||
project_ids = [project['id'] for project in
|
||||
self.resource_api.list_projects_in_domain(
|
||||
PROVIDERS.resource_api.list_projects_in_domain(
|
||||
filters.pop('domain_id'))]
|
||||
else:
|
||||
project_ids = [project['id'] for project in
|
||||
self.resource_api.list_projects_in_subtree(
|
||||
PROVIDERS.resource_api.list_projects_in_subtree(
|
||||
self.project_id)]
|
||||
|
||||
# Compute expected role assignments
|
||||
|
@ -1483,7 +1492,9 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
def test_get_token_from_inherited_user_domain_role_grants(self):
|
||||
# Create a new user to ensure that no grant is loaded from sample data
|
||||
user = unit.create_user(self.identity_api, domain_id=self.domain_id)
|
||||
user = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=self.domain_id
|
||||
)
|
||||
|
||||
# Define domain and project authentication data
|
||||
domain_auth_data = self.build_authentication_request(
|
||||
|
@ -1513,7 +1524,7 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
# Create inherited role
|
||||
inherited_role = unit.new_role_ref(name='inherited')
|
||||
self.role_api.create_role(inherited_role['id'], inherited_role)
|
||||
PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role)
|
||||
|
||||
# Grant inherited role for user on domain
|
||||
inher_ud_link = self.build_role_assignment_link(
|
||||
|
@ -1543,11 +1554,13 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
def test_get_token_from_inherited_group_domain_role_grants(self):
|
||||
# Create a new group and put a new user in it to
|
||||
# ensure that no grant is loaded from sample data
|
||||
user = unit.create_user(self.identity_api, domain_id=self.domain_id)
|
||||
user = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=self.domain_id
|
||||
)
|
||||
|
||||
group = unit.new_group_ref(domain_id=self.domain['id'])
|
||||
group = self.identity_api.create_group(group)
|
||||
self.identity_api.add_user_to_group(user['id'], group['id'])
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
|
||||
|
||||
# Define domain and project authentication data
|
||||
domain_auth_data = self.build_authentication_request(
|
||||
|
@ -1577,7 +1590,7 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
# Create inherited role
|
||||
inherited_role = unit.new_role_ref(name='inherited')
|
||||
self.role_api.create_role(inherited_role['id'], inherited_role)
|
||||
PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role)
|
||||
|
||||
# Grant inherited role for user on domain
|
||||
inher_gd_link = self.build_role_assignment_link(
|
||||
|
@ -1609,7 +1622,7 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
with freezegun.freeze_time(time) as frozen_datetime:
|
||||
# Create a new role to avoid assignments loaded from sample data
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
|
||||
# Define URLs
|
||||
direct_url = '%s/users/%s/roles/%s' % (
|
||||
|
@ -1655,11 +1668,11 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
role_list = []
|
||||
for _ in range(2):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
role_list.append(role)
|
||||
|
||||
# Create a non-inherited role as a spoiler
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_list[1]['id'], user_id=self.user['id'],
|
||||
domain_id=self.domain_id)
|
||||
|
||||
|
@ -1705,23 +1718,25 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
role_list = []
|
||||
for _ in range(4):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
role_list.append(role)
|
||||
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=domain['id']
|
||||
)
|
||||
project1 = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project1['id'], project1)
|
||||
PROVIDERS.resource_api.create_project(project1['id'], project1)
|
||||
project2 = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project2['id'], project2)
|
||||
PROVIDERS.resource_api.create_project(project2['id'], project2)
|
||||
# Add some roles to the project
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project1['id'], role_list[0]['id'])
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project1['id'], role_list[1]['id'])
|
||||
# ..and one on a different project as a spoiler
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project2['id'], role_list[2]['id'])
|
||||
|
||||
# Now create our inherited role on the domain
|
||||
|
@ -1790,12 +1805,14 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
"""
|
||||
role1 = unit.new_role_ref()
|
||||
self.role_api.create_role(role1['id'], role1)
|
||||
user1 = unit.create_user(self.identity_api, domain_id=self.domain_id)
|
||||
PROVIDERS.role_api.create_role(role1['id'], role1)
|
||||
user1 = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=self.domain_id
|
||||
)
|
||||
group = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group = self.identity_api.create_group(group)
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
project1 = unit.new_project_ref(domain_id=self.domain_id)
|
||||
self.resource_api.create_project(project1['id'], project1)
|
||||
PROVIDERS.resource_api.create_project(project1['id'], project1)
|
||||
|
||||
expected_entity1 = self.build_role_assignment_entity_include_names(
|
||||
role_ref=role1,
|
||||
|
@ -1874,13 +1891,13 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
def test_list_role_assignments_include_names_global_role(self):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
|
||||
self._test_list_role_assignments_include_names(role)
|
||||
|
||||
def test_list_role_assignments_include_names_domain_role(self):
|
||||
role = unit.new_role_ref(domain_id=self.domain['id'])
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
|
||||
self._test_list_role_assignments_include_names(role)
|
||||
|
||||
|
@ -1898,10 +1915,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
"""
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
user = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
|
||||
|
||||
# Create and store expected assignment refs
|
||||
assignment = self.build_role_assignment_entity(
|
||||
|
@ -1951,23 +1968,25 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
role_list = []
|
||||
for _ in range(4):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
role_list.append(role)
|
||||
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=domain['id']
|
||||
)
|
||||
project1 = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project1['id'], project1)
|
||||
PROVIDERS.resource_api.create_project(project1['id'], project1)
|
||||
project2 = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project2['id'], project2)
|
||||
PROVIDERS.resource_api.create_project(project2['id'], project2)
|
||||
# Add some roles to the project
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project1['id'], role_list[0]['id'])
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project1['id'], role_list[1]['id'])
|
||||
# ..and one on a different project as a spoiler
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project2['id'], role_list[2]['id'])
|
||||
|
||||
# Now create our inherited role on the domain
|
||||
|
@ -2028,30 +2047,36 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
role_list = []
|
||||
for _ in range(4):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
role_list.append(role)
|
||||
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
user2 = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=domain['id']
|
||||
)
|
||||
user2 = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=domain['id']
|
||||
)
|
||||
group1 = unit.new_group_ref(domain_id=domain['id'])
|
||||
group1 = self.identity_api.create_group(group1)
|
||||
self.identity_api.add_user_to_group(user1['id'],
|
||||
group1['id'])
|
||||
self.identity_api.add_user_to_group(user2['id'],
|
||||
group1['id'])
|
||||
group1 = PROVIDERS.identity_api.create_group(group1)
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user1['id'], group1['id']
|
||||
)
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user2['id'], group1['id']
|
||||
)
|
||||
project1 = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project1['id'], project1)
|
||||
PROVIDERS.resource_api.create_project(project1['id'], project1)
|
||||
project2 = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project2['id'], project2)
|
||||
PROVIDERS.resource_api.create_project(project2['id'], project2)
|
||||
# Add some roles to the project
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project1['id'], role_list[0]['id'])
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project1['id'], role_list[1]['id'])
|
||||
# ..and one on a different project as a spoiler
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project2['id'], role_list[2]['id'])
|
||||
|
||||
# Now create our inherited role on the domain
|
||||
|
@ -2124,25 +2149,27 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
role_list = []
|
||||
for _ in range(5):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
role_list.append(role)
|
||||
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
user1 = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=domain['id']
|
||||
)
|
||||
group1 = unit.new_group_ref(domain_id=domain['id'])
|
||||
group1 = self.identity_api.create_group(group1)
|
||||
group1 = PROVIDERS.identity_api.create_group(group1)
|
||||
project1 = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project1['id'], project1)
|
||||
PROVIDERS.resource_api.create_project(project1['id'], project1)
|
||||
project2 = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project2['id'], project2)
|
||||
PROVIDERS.resource_api.create_project(project2['id'], project2)
|
||||
# Add some spoiler roles to the projects
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project1['id'], role_list[0]['id'])
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user1['id'], project2['id'], role_list[1]['id'])
|
||||
# Create a non-inherited role as a spoiler
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_list[2]['id'], user_id=user1['id'], domain_id=domain['id'])
|
||||
|
||||
# Now create two inherited roles on the domain, one for a user
|
||||
|
@ -2208,14 +2235,16 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
leaf = unit.new_project_ref(domain_id=self.domain['id'],
|
||||
parent_id=root['id'])
|
||||
|
||||
self.resource_api.create_project(root['id'], root)
|
||||
self.resource_api.create_project(leaf['id'], leaf)
|
||||
PROVIDERS.resource_api.create_project(root['id'], root)
|
||||
PROVIDERS.resource_api.create_project(leaf['id'], leaf)
|
||||
|
||||
# Create 'non-inherited' and 'inherited' roles
|
||||
non_inherited_role = unit.new_role_ref(name='non-inherited')
|
||||
self.role_api.create_role(non_inherited_role['id'], non_inherited_role)
|
||||
PROVIDERS.role_api.create_role(
|
||||
non_inherited_role['id'], non_inherited_role
|
||||
)
|
||||
inherited_role = unit.new_role_ref(name='inherited')
|
||||
self.role_api.create_role(inherited_role['id'], inherited_role)
|
||||
PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role)
|
||||
|
||||
return (root['id'], leaf['id'],
|
||||
non_inherited_role['id'], inherited_role['id'])
|
||||
|
@ -2285,8 +2314,8 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
# Create group and add user to it
|
||||
group = unit.new_group_ref(domain_id=self.domain['id'])
|
||||
group = self.identity_api.create_group(group)
|
||||
self.identity_api.add_user_to_group(self.user['id'], group['id'])
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
PROVIDERS.identity_api.add_user_to_group(self.user['id'], group['id'])
|
||||
|
||||
# Define root and leaf projects authentication data
|
||||
root_project_auth_data = self.build_authentication_request(
|
||||
|
@ -2545,9 +2574,9 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
|
|||
parent_id=level2['id'])
|
||||
level4 = unit.new_project_ref(domain_id=self.domain['id'],
|
||||
parent_id=level3['id'])
|
||||
self.resource_api.create_project(level2['id'], level2)
|
||||
self.resource_api.create_project(level3['id'], level3)
|
||||
self.resource_api.create_project(level4['id'], level4)
|
||||
PROVIDERS.resource_api.create_project(level2['id'], level2)
|
||||
PROVIDERS.resource_api.create_project(level3['id'], level3)
|
||||
PROVIDERS.resource_api.create_project(level4['id'], level4)
|
||||
|
||||
# Grant non-inherited role to root (as a spoiler) and to
|
||||
# the level 1 (leaf) project
|
||||
|
@ -2768,19 +2797,19 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
|
|||
self.role_list = []
|
||||
for _ in range(3):
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
self.role_list.append(role)
|
||||
|
||||
def _create_test_domain_user_project(self):
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
user = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
|
||||
project = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project['id'], project)
|
||||
PROVIDERS.resource_api.create_project(project['id'], project)
|
||||
return domain, user, project
|
||||
|
||||
def _assign_top_role_to_user_on_project(self, user, project):
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user['id'], project['id'], self.role_list[0]['id'])
|
||||
|
||||
def _build_effective_role_assignments_url(self, user):
|
||||
|
@ -2853,7 +2882,7 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
|
|||
def _create_named_role(self, name):
|
||||
role = unit.new_role_ref()
|
||||
role['name'] = name
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
return role
|
||||
|
||||
def test_root_role_as_implied_role_forbidden(self):
|
||||
|
@ -2901,7 +2930,9 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
|
|||
self._assign_top_role_to_user_on_project(self.user, self.project)
|
||||
|
||||
# Create a trustee and assign the prior role to her
|
||||
trustee = unit.create_user(self.identity_api, domain_id=self.domain_id)
|
||||
trustee = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=self.domain_id
|
||||
)
|
||||
ref = unit.new_trust_ref(
|
||||
trustor_user_id=self.user['id'],
|
||||
trustee_user_id=trustee['id'],
|
||||
|
@ -2932,13 +2963,15 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
|
|||
self._create_three_roles()
|
||||
# Overwrite the first role with a domain specific role
|
||||
role = unit.new_role_ref(domain_id=self.domain_id)
|
||||
self.role_list[0] = self.role_api.create_role(role['id'], role)
|
||||
self.role_list[0] = PROVIDERS.role_api.create_role(role['id'], role)
|
||||
self._create_implied_role(self.role_list[0], self.role_list[1])
|
||||
self._create_implied_role(self.role_list[1], self.role_list[2])
|
||||
self._assign_top_role_to_user_on_project(self.user, self.project)
|
||||
|
||||
# Create a trustee and assign the prior role to her
|
||||
trustee = unit.create_user(self.identity_api, domain_id=self.domain_id)
|
||||
trustee = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=self.domain_id
|
||||
)
|
||||
ref = unit.new_trust_ref(
|
||||
trustor_user_id=self.user['id'],
|
||||
trustee_user_id=trustee['id'],
|
||||
|
@ -2971,14 +3004,16 @@ class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin,
|
|||
|
||||
def test_global_role_cannot_imply_domain_specific_role(self):
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
|
||||
domain_role_ref = unit.new_role_ref(domain_id=domain['id'])
|
||||
domain_role = self.role_api.create_role(domain_role_ref['id'],
|
||||
domain_role_ref)
|
||||
domain_role = PROVIDERS.role_api.create_role(
|
||||
domain_role_ref['id'], domain_role_ref
|
||||
)
|
||||
global_role_ref = unit.new_role_ref()
|
||||
global_role = self.role_api.create_role(global_role_ref['id'],
|
||||
global_role_ref)
|
||||
global_role = PROVIDERS.role_api.create_role(
|
||||
global_role_ref['id'], global_role_ref
|
||||
)
|
||||
|
||||
self.put('/roles/%s/implies/%s' % (global_role['id'],
|
||||
domain_role['id']),
|
||||
|
@ -2997,9 +3032,9 @@ class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
|
|||
|
||||
super(DomainSpecificRoleTests, self).setUp()
|
||||
self.domainA = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domainA['id'], self.domainA)
|
||||
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
|
||||
self.domainB = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domainB['id'], self.domainB)
|
||||
PROVIDERS.resource_api.create_domain(self.domainB['id'], self.domainB)
|
||||
|
||||
self.global_role1 = create_role()
|
||||
self.global_role2 = create_role()
|
||||
|
@ -3057,52 +3092,54 @@ class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
|
|||
self.assertRoleInListResponse(r, self.domainA_role2)
|
||||
|
||||
def test_same_domain_assignment(self):
|
||||
user = unit.create_user(self.identity_api,
|
||||
user = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainA['id'])
|
||||
|
||||
projectA = unit.new_project_ref(domain_id=self.domainA['id'])
|
||||
self.resource_api.create_project(projectA['id'], projectA)
|
||||
PROVIDERS.resource_api.create_project(projectA['id'], projectA)
|
||||
|
||||
self.assignment_api.create_grant(self.domainA_role1['id'],
|
||||
user_id=user['id'],
|
||||
project_id=projectA['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.domainA_role1['id'], user_id=user['id'],
|
||||
project_id=projectA['id']
|
||||
)
|
||||
|
||||
def test_cross_domain_assignment_valid(self):
|
||||
user = unit.create_user(self.identity_api,
|
||||
user = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainB['id'])
|
||||
|
||||
projectA = unit.new_project_ref(domain_id=self.domainA['id'])
|
||||
self.resource_api.create_project(projectA['id'], projectA)
|
||||
PROVIDERS.resource_api.create_project(projectA['id'], projectA)
|
||||
|
||||
# Positive: a role on domainA can be assigned to a user from domainB
|
||||
# but only for use on a project from domainA
|
||||
self.assignment_api.create_grant(self.domainA_role1['id'],
|
||||
user_id=user['id'],
|
||||
project_id=projectA['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.domainA_role1['id'], user_id=user['id'],
|
||||
project_id=projectA['id']
|
||||
)
|
||||
|
||||
def test_cross_domain_assignment_invalid(self):
|
||||
user = unit.create_user(self.identity_api,
|
||||
user = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainB['id'])
|
||||
|
||||
projectB = unit.new_project_ref(domain_id=self.domainB['id'])
|
||||
self.resource_api.create_project(projectB['id'], projectB)
|
||||
PROVIDERS.resource_api.create_project(projectB['id'], projectB)
|
||||
|
||||
# Negative: a role on domainA can be assigned to a user from domainB
|
||||
# only for a project from domainA
|
||||
self.assertRaises(exception.DomainSpecificRoleMismatch,
|
||||
self.assignment_api.create_grant,
|
||||
PROVIDERS.assignment_api.create_grant,
|
||||
self.domainA_role1['id'],
|
||||
user_id=user['id'],
|
||||
project_id=projectB['id'])
|
||||
|
||||
def test_cross_domain_implied_roles_authentication(self):
|
||||
# Create a user in domainB
|
||||
user = unit.create_user(self.identity_api,
|
||||
user = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainB['id'])
|
||||
|
||||
# Create project in domainA
|
||||
projectA = unit.new_project_ref(domain_id=self.domainA['id'])
|
||||
self.resource_api.create_project(projectA['id'], projectA)
|
||||
PROVIDERS.resource_api.create_project(projectA['id'], projectA)
|
||||
|
||||
# Now we create an implied rule from a role in domainA to a
|
||||
# role in domainB
|
||||
|
@ -3112,13 +3149,14 @@ class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
|
|||
|
||||
# A role in domainA can be assigned to a user from domainB
|
||||
# only for a project from domainA
|
||||
self.assignment_api.create_grant(self.domainA_role1['id'],
|
||||
user_id=user['id'],
|
||||
project_id=projectA['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.domainA_role1['id'], user_id=user['id'],
|
||||
project_id=projectA['id']
|
||||
)
|
||||
|
||||
# The role assignments should return an empty list since domain roles
|
||||
# can only be used to imply another roles
|
||||
assignments = self.assignment_api.list_role_assignments(
|
||||
assignments = PROVIDERS.assignment_api.list_role_assignments(
|
||||
user_id=user['id'], effective=True)
|
||||
self.assertEqual([], assignments)
|
||||
|
||||
|
@ -3149,23 +3187,25 @@ class ListUserProjectsTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
for _ in range(3):
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
|
||||
user = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
user = unit.create_user(
|
||||
PROVIDERS.identity_api, domain_id=domain['id']
|
||||
)
|
||||
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
|
||||
self.assignment_api.create_grant(role['id'],
|
||||
user_id=user['id'],
|
||||
domain_id=domain['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role['id'], user_id=user['id'], domain_id=domain['id']
|
||||
)
|
||||
|
||||
project = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project['id'], project)
|
||||
PROVIDERS.resource_api.create_project(project['id'], project)
|
||||
|
||||
self.assignment_api.create_grant(role['id'],
|
||||
user_id=user['id'],
|
||||
project_id=project['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role['id'], user_id=user['id'], project_id=project['id']
|
||||
)
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=user['id'],
|
||||
|
@ -3215,7 +3255,7 @@ class ListUserProjectsTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
# disable this one and check again
|
||||
project['enabled'] = False
|
||||
self.resource_api.update_project(project['id'], project)
|
||||
PROVIDERS.resource_api.update_project(project['id'], project)
|
||||
result = self.get(url, auth=auth)
|
||||
projects_result = result.json['projects']
|
||||
self.assertEqual(1, len(projects_result))
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -20,6 +20,7 @@ from keystoneclient.contrib.ec2 import utils as ec2_utils
|
|||
from six.moves import http_client
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import utils
|
||||
from keystone.contrib.ec2 import controllers
|
||||
from keystone.credential.providers import fernet as credential_fernet
|
||||
|
@ -29,6 +30,7 @@ from keystone.tests.unit import ksfixtures
|
|||
from keystone.tests.unit import test_v3
|
||||
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
CRED_TYPE_EC2 = controllers.CRED_TYPE_EC2
|
||||
|
||||
|
||||
|
@ -55,7 +57,7 @@ class CredentialBaseTestCase(test_v3.RestfulTestCase):
|
|||
credential_id = credential['id']
|
||||
|
||||
# Create direct via the DB API to avoid validation failure
|
||||
self.credential_api.create_credential(credential_id, credential)
|
||||
PROVIDERS.credential_api.create_credential(credential_id, credential)
|
||||
|
||||
return json.dumps(blob), credential_id
|
||||
|
||||
|
@ -70,24 +72,26 @@ class CredentialTestCase(CredentialBaseTestCase):
|
|||
self.credential = unit.new_credential_ref(user_id=self.user['id'],
|
||||
project_id=self.project_id)
|
||||
|
||||
self.credential_api.create_credential(
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
self.credential['id'],
|
||||
self.credential)
|
||||
|
||||
def test_credential_api_delete_credentials_for_project(self):
|
||||
self.credential_api.delete_credentials_for_project(self.project_id)
|
||||
PROVIDERS.credential_api.delete_credentials_for_project(
|
||||
self.project_id
|
||||
)
|
||||
# Test that the credential that we created in .setUp no longer exists
|
||||
# once we delete all credentials for self.project_id
|
||||
self.assertRaises(exception.CredentialNotFound,
|
||||
self.credential_api.get_credential,
|
||||
PROVIDERS.credential_api.get_credential,
|
||||
credential_id=self.credential['id'])
|
||||
|
||||
def test_credential_api_delete_credentials_for_user(self):
|
||||
self.credential_api.delete_credentials_for_user(self.user_id)
|
||||
PROVIDERS.credential_api.delete_credentials_for_user(self.user_id)
|
||||
# Test that the credential that we created in .setUp no longer exists
|
||||
# once we delete all credentials for self.user_id
|
||||
self.assertRaises(exception.CredentialNotFound,
|
||||
self.credential_api.get_credential,
|
||||
PROVIDERS.credential_api.get_credential,
|
||||
credential_id=self.credential['id'])
|
||||
|
||||
def test_list_credentials(self):
|
||||
|
@ -98,7 +102,9 @@ class CredentialTestCase(CredentialBaseTestCase):
|
|||
def test_list_credentials_filtered_by_user_id(self):
|
||||
"""Call ``GET /credentials?user_id={user_id}``."""
|
||||
credential = unit.new_credential_ref(user_id=uuid.uuid4().hex)
|
||||
self.credential_api.create_credential(credential['id'], credential)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential['id'], credential
|
||||
)
|
||||
|
||||
r = self.get('/credentials?user_id=%s' % self.user['id'])
|
||||
self.assertValidCredentialListResponse(r, ref=self.credential)
|
||||
|
@ -113,7 +119,7 @@ class CredentialTestCase(CredentialBaseTestCase):
|
|||
project_id=self.project_id,
|
||||
type=CRED_TYPE_EC2)
|
||||
|
||||
ec2_resp = self.credential_api.create_credential(
|
||||
ec2_resp = PROVIDERS.credential_api.create_credential(
|
||||
ec2_credential['id'], ec2_credential)
|
||||
|
||||
# The type cert was chosen for the same reason as ec2
|
||||
|
@ -143,11 +149,11 @@ class CredentialTestCase(CredentialBaseTestCase):
|
|||
credential_user1_cert = unit.new_credential_ref(user_id=user1_id)
|
||||
credential_user2_cert = unit.new_credential_ref(user_id=user2_id)
|
||||
|
||||
self.credential_api.create_credential(
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential_user1_ec2['id'], credential_user1_ec2)
|
||||
self.credential_api.create_credential(
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential_user1_cert['id'], credential_user1_cert)
|
||||
self.credential_api.create_credential(
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential_user2_cert['id'], credential_user2_cert)
|
||||
|
||||
r = self.get('/credentials?user_id=%s&type=ec2' % user1_id)
|
||||
|
@ -349,7 +355,9 @@ class TestCredentialTrustScoped(test_v3.RestfulTestCase):
|
|||
|
||||
self.trustee_user = unit.new_user_ref(domain_id=self.domain_id)
|
||||
password = self.trustee_user['password']
|
||||
self.trustee_user = self.identity_api.create_user(self.trustee_user)
|
||||
self.trustee_user = PROVIDERS.identity_api.create_user(
|
||||
self.trustee_user
|
||||
)
|
||||
self.trustee_user['password'] = password
|
||||
self.trustee_user_id = self.trustee_user['id']
|
||||
self.useFixture(
|
||||
|
@ -505,7 +513,7 @@ class TestCredentialEc2(CredentialBaseTestCase):
|
|||
user_id=self.user_id,
|
||||
project_id=self.project_id)
|
||||
non_ec2_cred['id'] = cred_id
|
||||
self.credential_api.create_credential(cred_id, non_ec2_cred)
|
||||
PROVIDERS.credential_api.create_credential(cred_id, non_ec2_cred)
|
||||
uri = '/'.join([self._get_ec2_cred_uri(), access_key])
|
||||
# if access_key is not found, ec2 controller raises Unauthorized
|
||||
# exception
|
||||
|
@ -526,8 +534,9 @@ class TestCredentialEc2(CredentialBaseTestCase):
|
|||
user_id=self.user_id,
|
||||
project_id=self.project_id)
|
||||
non_ec2_cred['type'] = uuid.uuid4().hex
|
||||
self.credential_api.create_credential(non_ec2_cred['id'],
|
||||
non_ec2_cred)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
non_ec2_cred['id'], non_ec2_cred
|
||||
)
|
||||
r = self.get(uri)
|
||||
cred_list_2 = r.result['credentials']
|
||||
# still one element because non-EC2 credentials are not returned.
|
||||
|
@ -539,10 +548,10 @@ class TestCredentialEc2(CredentialBaseTestCase):
|
|||
ec2_cred = self._get_ec2_cred()
|
||||
uri = '/'.join([self._get_ec2_cred_uri(), ec2_cred['access']])
|
||||
cred_from_credential_api = (
|
||||
self.credential_api
|
||||
PROVIDERS.credential_api
|
||||
.list_credentials_for_user(self.user_id, type=CRED_TYPE_EC2))
|
||||
self.assertEqual(1, len(cred_from_credential_api))
|
||||
self.delete(uri)
|
||||
self.assertRaises(exception.CredentialNotFound,
|
||||
self.credential_api.get_credential,
|
||||
PROVIDERS.credential_api.get_credential,
|
||||
cred_from_credential_api[0]['id'])
|
||||
|
|
|
@ -15,6 +15,7 @@ import uuid
|
|||
|
||||
from six.moves import http_client
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.tests import unit
|
||||
|
@ -22,6 +23,7 @@ from keystone.tests.unit import test_v3
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class DomainConfigTestCase(test_v3.RestfulTestCase):
|
||||
|
@ -31,7 +33,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
super(DomainConfigTestCase, self).setUp()
|
||||
|
||||
self.domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domain['id'], self.domain)
|
||||
PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain)
|
||||
self.config = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'user_tree_dn': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
|
@ -42,7 +44,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
'domain_id': self.domain['id']}
|
||||
r = self.put(url, body={'config': self.config},
|
||||
expected_status=http_client.CREATED)
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
self.assertEqual(self.config, r.result['config'])
|
||||
self.assertEqual(self.config, res)
|
||||
|
||||
|
@ -72,7 +74,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_delete_config(self):
|
||||
"""Call ``DELETE /domains{domain_id}/config``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
self.delete('/domains/%(domain_id)s/config' % {
|
||||
'domain_id': self.domain['id']})
|
||||
self.get('/domains/%(domain_id)s/config' % {
|
||||
|
@ -86,7 +90,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
id provided, the request shall be rejected with a response, 404 domain
|
||||
not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
self.delete('/domains/%(domain_id)s/config' % {
|
||||
'domain_id': invalid_domain_id},
|
||||
|
@ -94,10 +100,12 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_delete_config_by_group(self):
|
||||
"""Call ``DELETE /domains{domain_id}/config/{group}``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
self.delete('/domains/%(domain_id)s/config/ldap' % {
|
||||
'domain_id': self.domain['id']})
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
self.assertNotIn('ldap', res)
|
||||
|
||||
def test_delete_config_by_group_invalid_domain(self):
|
||||
|
@ -107,7 +115,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
invalid domain id provided, the request shall be rejected with a
|
||||
response 404 domain not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
self.delete('/domains/%(domain_id)s/config/ldap' % {
|
||||
'domain_id': invalid_domain_id},
|
||||
|
@ -115,7 +125,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_get_head_config(self):
|
||||
"""Call ``GET & HEAD for /domains{domain_id}/config``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
url = '/domains/%(domain_id)s/config' % {
|
||||
'domain_id': self.domain['id']}
|
||||
r = self.get(url)
|
||||
|
@ -124,7 +136,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_get_head_config_by_group(self):
|
||||
"""Call ``GET & HEAD /domains{domain_id}/config/{group}``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
url = '/domains/%(domain_id)s/config/ldap' % {
|
||||
'domain_id': self.domain['id']}
|
||||
r = self.get(url)
|
||||
|
@ -138,7 +152,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
invalid domain id provided, the request shall be rejected with a
|
||||
response 404 domain not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
url = ('/domains/%(domain_id)s/config/ldap' % {
|
||||
'domain_id': invalid_domain_id}
|
||||
|
@ -148,7 +164,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_get_head_config_by_option(self):
|
||||
"""Call ``GET & HEAD /domains{domain_id}/config/{group}/{option}``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
url = '/domains/%(domain_id)s/config/ldap/url' % {
|
||||
'domain_id': self.domain['id']}
|
||||
r = self.get(url)
|
||||
|
@ -163,7 +181,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
invalid domain id provided, the request shall be rejected with a
|
||||
response 404 domain not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
url = ('/domains/%(domain_id)s/config/ldap/url' % {
|
||||
'domain_id': invalid_domain_id}
|
||||
|
@ -196,7 +216,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
def test_get_head_non_existant_config_group(self):
|
||||
"""Call ``GET /domains/{domain_id}/config/{group_not_exist}``."""
|
||||
config = {'ldap': {'url': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
url = ('/domains/%(domain_id)s/config/identity' % {
|
||||
'domain_id': self.domain['id']}
|
||||
)
|
||||
|
@ -211,7 +231,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
a response, 404 domain not found.
|
||||
"""
|
||||
config = {'ldap': {'url': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
url = ('/domains/%(domain_id)s/config/identity' % {
|
||||
'domain_id': invalid_domain_id}
|
||||
|
@ -227,7 +247,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
within the group.
|
||||
"""
|
||||
config = {'ldap': {'url': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
url = ('/domains/%(domain_id)s/config/ldap/user_tree_dn' % {
|
||||
'domain_id': self.domain['id']}
|
||||
)
|
||||
|
@ -244,7 +264,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
a response, 404 domain not found.
|
||||
"""
|
||||
config = {'ldap': {'url': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
url = ('/domains/%(domain_id)s/config/ldap/user_tree_dn' % {
|
||||
'domain_id': invalid_domain_id}
|
||||
|
@ -254,13 +274,15 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_update_config(self):
|
||||
"""Call ``PATCH /domains/{domain_id}/config``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
new_config = {'ldap': {'url': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
r = self.patch('/domains/%(domain_id)s/config' % {
|
||||
'domain_id': self.domain['id']},
|
||||
body={'config': new_config})
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
expected_config = copy.deepcopy(self.config)
|
||||
expected_config['ldap']['url'] = new_config['ldap']['url']
|
||||
expected_config['identity']['driver'] = (
|
||||
|
@ -275,7 +297,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
id provided, the request shall be rejected with a response, 404 domain
|
||||
not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
new_config = {'ldap': {'url': uuid.uuid4().hex},
|
||||
'identity': {'driver': uuid.uuid4().hex}}
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
|
@ -286,13 +310,15 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_update_config_group(self):
|
||||
"""Call ``PATCH /domains/{domain_id}/config/{group}``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
new_config = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'user_filter': uuid.uuid4().hex}}
|
||||
r = self.patch('/domains/%(domain_id)s/config/ldap' % {
|
||||
'domain_id': self.domain['id']},
|
||||
body={'config': new_config})
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
expected_config = copy.deepcopy(self.config)
|
||||
expected_config['ldap']['url'] = new_config['ldap']['url']
|
||||
expected_config['ldap']['user_filter'] = (
|
||||
|
@ -307,7 +333,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
domain id provided, the request shall be rejected with a response,
|
||||
404 domain not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
new_config = {'ldap': {'url': uuid.uuid4().hex,
|
||||
'user_filter': uuid.uuid4().hex}}
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
|
@ -318,7 +346,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_update_config_invalid_group(self):
|
||||
"""Call ``PATCH /domains/{domain_id}/config/{invalid_group}``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
|
||||
# Trying to update a group that is neither whitelisted or sensitive
|
||||
# should result in Forbidden.
|
||||
|
@ -332,7 +362,7 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
# Trying to update a valid group, but one that is not in the current
|
||||
# config should result in NotFound
|
||||
config = {'ldap': {'suffix': uuid.uuid4().hex}}
|
||||
self.domain_config_api.create_config(self.domain['id'], config)
|
||||
PROVIDERS.domain_config_api.create_config(self.domain['id'], config)
|
||||
new_config = {'identity': {'driver': uuid.uuid4().hex}}
|
||||
self.patch('/domains/%(domain_id)s/config/identity' % {
|
||||
'domain_id': self.domain['id']},
|
||||
|
@ -346,7 +376,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
and an invalid domain id provided, the request shall be rejected
|
||||
with a response, 404 domain not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
invalid_group = uuid.uuid4().hex
|
||||
new_config = {invalid_group: {'url': uuid.uuid4().hex,
|
||||
'user_filter': uuid.uuid4().hex}}
|
||||
|
@ -359,12 +391,14 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_update_config_option(self):
|
||||
"""Call ``PATCH /domains/{domain_id}/config/{group}/{option}``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
new_config = {'url': uuid.uuid4().hex}
|
||||
r = self.patch('/domains/%(domain_id)s/config/ldap/url' % {
|
||||
'domain_id': self.domain['id']},
|
||||
body={'config': new_config})
|
||||
res = self.domain_config_api.get_config(self.domain['id'])
|
||||
res = PROVIDERS.domain_config_api.get_config(self.domain['id'])
|
||||
expected_config = copy.deepcopy(self.config)
|
||||
expected_config['ldap']['url'] = new_config['url']
|
||||
self.assertEqual(expected_config, r.result['config'])
|
||||
|
@ -377,7 +411,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
domain id provided, the request shall be rejected with a response, 404
|
||||
domain not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
new_config = {'url': uuid.uuid4().hex}
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
self.patch('/domains/%(domain_id)s/config/ldap/url' % {
|
||||
|
@ -387,7 +423,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_update_config_invalid_option(self):
|
||||
"""Call ``PATCH /domains/{domain_id}/config/{group}/{invalid}``."""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
invalid_option = uuid.uuid4().hex
|
||||
new_config = {'ldap': {invalid_option: uuid.uuid4().hex}}
|
||||
# Trying to update an option that is neither whitelisted or sensitive
|
||||
|
@ -414,7 +452,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
and an invalid domain id provided, the request shall be rejected
|
||||
with a response, 404 domain not found.
|
||||
"""
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
invalid_option = uuid.uuid4().hex
|
||||
new_config = {'ldap': {invalid_option: uuid.uuid4().hex}}
|
||||
invalid_domain_id = uuid.uuid4().hex
|
||||
|
@ -429,7 +469,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
"""Call ``GET & HEAD /domains/config/default``."""
|
||||
# Create a config that overrides a few of the options so that we can
|
||||
# check that only the defaults are returned.
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
url = '/domains/config/default'
|
||||
r = self.get(url)
|
||||
default_config = r.result['config']
|
||||
|
@ -443,7 +485,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
"""Call ``GET & HEAD /domains/config/{group}/default``."""
|
||||
# Create a config that overrides a few of the options so that we can
|
||||
# check that only the defaults are returned.
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
url = '/domains/config/ldap/default'
|
||||
r = self.get(url)
|
||||
default_config = r.result['config']
|
||||
|
@ -456,7 +500,9 @@ class DomainConfigTestCase(test_v3.RestfulTestCase):
|
|||
"""Call ``GET & HEAD /domains/config/{group}/{option}/default``."""
|
||||
# Create a config that overrides a few of the options so that we can
|
||||
# check that only the defaults are returned.
|
||||
self.domain_config_api.create_config(self.domain['id'], self.config)
|
||||
PROVIDERS.domain_config_api.create_config(
|
||||
self.domain['id'], self.config
|
||||
)
|
||||
url = '/domains/config/ldap/url/default'
|
||||
r = self.get(url)
|
||||
default_config = r.result['config']
|
||||
|
@ -500,13 +546,13 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
# Create a user in the default domain
|
||||
self.non_admin_user = unit.create_user(
|
||||
self.identity_api,
|
||||
PROVIDERS.identity_api,
|
||||
CONF.identity.default_domain_id
|
||||
)
|
||||
|
||||
# Create an admin in the default domain
|
||||
self.admin_user = unit.create_user(
|
||||
self.identity_api,
|
||||
PROVIDERS.identity_api,
|
||||
CONF.identity.default_domain_id
|
||||
)
|
||||
|
||||
|
@ -514,15 +560,15 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
|
|||
self.project = unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id
|
||||
)
|
||||
self.resource_api.create_project(self.project['id'], self.project)
|
||||
PROVIDERS.resource_api.create_project(self.project['id'], self.project)
|
||||
self.non_admin_role = unit.new_role_ref(name='not_admin')
|
||||
self.role_api.create_role(
|
||||
PROVIDERS.role_api.create_role(
|
||||
self.non_admin_role['id'],
|
||||
self.non_admin_role
|
||||
)
|
||||
|
||||
# Give the non-admin user a role on the project
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
self.non_admin_user['id'],
|
||||
self.project['id'],
|
||||
self.role['id']
|
||||
|
@ -530,7 +576,7 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
# Give the user the admin role on the project, which is technically
|
||||
# `self.role` because RestfulTestCase sets that up for us.
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
self.admin_user['id'],
|
||||
self.project['id'],
|
||||
self.role_id
|
||||
|
@ -612,7 +658,7 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
|
|||
"""
|
||||
# Create a new domain that is not the default domain
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
|
||||
# Set the security compliance configuration options
|
||||
password_regex = uuid.uuid4().hex
|
||||
|
@ -868,17 +914,17 @@ class SecurityRequirementsTestCase(test_v3.RestfulTestCase):
|
|||
"""
|
||||
# Make a new domain
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
|
||||
# Create a user in the new domain
|
||||
user = unit.create_user(self.identity_api, domain['id'])
|
||||
user = unit.create_user(PROVIDERS.identity_api, domain['id'])
|
||||
|
||||
# Create a project in the new domain
|
||||
project = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project['id'], project)
|
||||
PROVIDERS.resource_api.create_project(project['id'], project)
|
||||
|
||||
# Give the new user a non-admin role on the project
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user['id'],
|
||||
project['id'],
|
||||
self.non_admin_role['id']
|
||||
|
|
|
@ -32,6 +32,7 @@ if not xmldsig:
|
|||
xmldsig = importutils.try_import("xmldsig")
|
||||
|
||||
from keystone.auth import controllers as auth_controllers
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.federation import controllers as federation_controllers
|
||||
|
@ -48,6 +49,7 @@ from keystone.token.providers import common as token_common
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
ROOTDIR = os.path.dirname(os.path.abspath(__file__))
|
||||
XMLDIR = os.path.join(ROOTDIR, 'saml2/')
|
||||
|
||||
|
@ -203,129 +205,155 @@ class FederatedSetupMixin(object):
|
|||
"""Inject additional data."""
|
||||
# Create and add domains
|
||||
self.domainA = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domainA['id'],
|
||||
self.domainA)
|
||||
PROVIDERS.resource_api.create_domain(
|
||||
self.domainA['id'], self.domainA
|
||||
)
|
||||
|
||||
self.domainB = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domainB['id'],
|
||||
self.domainB)
|
||||
PROVIDERS.resource_api.create_domain(
|
||||
self.domainB['id'], self.domainB
|
||||
)
|
||||
|
||||
self.domainC = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domainC['id'],
|
||||
self.domainC)
|
||||
PROVIDERS.resource_api.create_domain(
|
||||
self.domainC['id'], self.domainC
|
||||
)
|
||||
|
||||
self.domainD = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domainD['id'],
|
||||
self.domainD)
|
||||
PROVIDERS.resource_api.create_domain(
|
||||
self.domainD['id'], self.domainD
|
||||
)
|
||||
|
||||
# Create and add projects
|
||||
self.proj_employees = unit.new_project_ref(
|
||||
domain_id=self.domainA['id'])
|
||||
self.resource_api.create_project(self.proj_employees['id'],
|
||||
self.proj_employees)
|
||||
PROVIDERS.resource_api.create_project(
|
||||
self.proj_employees['id'], self.proj_employees
|
||||
)
|
||||
self.proj_customers = unit.new_project_ref(
|
||||
domain_id=self.domainA['id'])
|
||||
self.resource_api.create_project(self.proj_customers['id'],
|
||||
self.proj_customers)
|
||||
PROVIDERS.resource_api.create_project(
|
||||
self.proj_customers['id'], self.proj_customers
|
||||
)
|
||||
|
||||
self.project_all = unit.new_project_ref(
|
||||
domain_id=self.domainA['id'])
|
||||
self.resource_api.create_project(self.project_all['id'],
|
||||
self.project_all)
|
||||
PROVIDERS.resource_api.create_project(
|
||||
self.project_all['id'], self.project_all
|
||||
)
|
||||
|
||||
self.project_inherited = unit.new_project_ref(
|
||||
domain_id=self.domainD['id'])
|
||||
self.resource_api.create_project(self.project_inherited['id'],
|
||||
self.project_inherited)
|
||||
PROVIDERS.resource_api.create_project(
|
||||
self.project_inherited['id'], self.project_inherited
|
||||
)
|
||||
|
||||
# Create and add groups
|
||||
self.group_employees = unit.new_group_ref(domain_id=self.domainA['id'])
|
||||
self.group_employees = (
|
||||
self.identity_api.create_group(self.group_employees))
|
||||
PROVIDERS.identity_api.create_group(self.group_employees))
|
||||
|
||||
self.group_customers = unit.new_group_ref(domain_id=self.domainA['id'])
|
||||
self.group_customers = (
|
||||
self.identity_api.create_group(self.group_customers))
|
||||
PROVIDERS.identity_api.create_group(self.group_customers))
|
||||
|
||||
self.group_admins = unit.new_group_ref(domain_id=self.domainA['id'])
|
||||
self.group_admins = self.identity_api.create_group(self.group_admins)
|
||||
self.group_admins = PROVIDERS.identity_api.create_group(
|
||||
self.group_admins
|
||||
)
|
||||
|
||||
# Create and add roles
|
||||
self.role_employee = unit.new_role_ref()
|
||||
self.role_api.create_role(self.role_employee['id'], self.role_employee)
|
||||
PROVIDERS.role_api.create_role(
|
||||
self.role_employee['id'], self.role_employee
|
||||
)
|
||||
self.role_customer = unit.new_role_ref()
|
||||
self.role_api.create_role(self.role_customer['id'], self.role_customer)
|
||||
PROVIDERS.role_api.create_role(
|
||||
self.role_customer['id'], self.role_customer
|
||||
)
|
||||
|
||||
self.role_admin = unit.new_role_ref()
|
||||
self.role_api.create_role(self.role_admin['id'], self.role_admin)
|
||||
PROVIDERS.role_api.create_role(self.role_admin['id'], self.role_admin)
|
||||
|
||||
# Employees can access
|
||||
# * proj_employees
|
||||
# * project_all
|
||||
self.assignment_api.create_grant(self.role_employee['id'],
|
||||
group_id=self.group_employees['id'],
|
||||
project_id=self.proj_employees['id'])
|
||||
self.assignment_api.create_grant(self.role_employee['id'],
|
||||
group_id=self.group_employees['id'],
|
||||
project_id=self.project_all['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_employee['id'], group_id=self.group_employees['id'],
|
||||
project_id=self.proj_employees['id']
|
||||
)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_employee['id'], group_id=self.group_employees['id'],
|
||||
project_id=self.project_all['id']
|
||||
)
|
||||
# Customers can access
|
||||
# * proj_customers
|
||||
self.assignment_api.create_grant(self.role_customer['id'],
|
||||
group_id=self.group_customers['id'],
|
||||
project_id=self.proj_customers['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_customer['id'], group_id=self.group_customers['id'],
|
||||
project_id=self.proj_customers['id']
|
||||
)
|
||||
|
||||
# Admins can access:
|
||||
# * proj_customers
|
||||
# * proj_employees
|
||||
# * project_all
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
group_id=self.group_admins['id'],
|
||||
project_id=self.proj_customers['id'])
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
group_id=self.group_admins['id'],
|
||||
project_id=self.proj_employees['id'])
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
group_id=self.group_admins['id'],
|
||||
project_id=self.project_all['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_admin['id'], group_id=self.group_admins['id'],
|
||||
project_id=self.proj_customers['id']
|
||||
)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_admin['id'], group_id=self.group_admins['id'],
|
||||
project_id=self.proj_employees['id']
|
||||
)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_admin['id'], group_id=self.group_admins['id'],
|
||||
project_id=self.project_all['id']
|
||||
)
|
||||
|
||||
# Customers can access:
|
||||
# * domain A
|
||||
self.assignment_api.create_grant(self.role_customer['id'],
|
||||
group_id=self.group_customers['id'],
|
||||
domain_id=self.domainA['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_customer['id'], group_id=self.group_customers['id'],
|
||||
domain_id=self.domainA['id']
|
||||
)
|
||||
|
||||
# Customers can access projects via inheritance:
|
||||
# * domain D
|
||||
self.assignment_api.create_grant(self.role_customer['id'],
|
||||
group_id=self.group_customers['id'],
|
||||
domain_id=self.domainD['id'],
|
||||
inherited_to_projects=True)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_customer['id'], group_id=self.group_customers['id'],
|
||||
domain_id=self.domainD['id'], inherited_to_projects=True
|
||||
)
|
||||
|
||||
# Employees can access:
|
||||
# * domain A
|
||||
# * domain B
|
||||
|
||||
self.assignment_api.create_grant(self.role_employee['id'],
|
||||
group_id=self.group_employees['id'],
|
||||
domain_id=self.domainA['id'])
|
||||
self.assignment_api.create_grant(self.role_employee['id'],
|
||||
group_id=self.group_employees['id'],
|
||||
domain_id=self.domainB['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_employee['id'], group_id=self.group_employees['id'],
|
||||
domain_id=self.domainA['id']
|
||||
)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_employee['id'], group_id=self.group_employees['id'],
|
||||
domain_id=self.domainB['id']
|
||||
)
|
||||
|
||||
# Admins can access:
|
||||
# * domain A
|
||||
# * domain B
|
||||
# * domain C
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
group_id=self.group_admins['id'],
|
||||
domain_id=self.domainA['id'])
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
group_id=self.group_admins['id'],
|
||||
domain_id=self.domainB['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_admin['id'], group_id=self.group_admins['id'],
|
||||
domain_id=self.domainA['id']
|
||||
)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_admin['id'], group_id=self.group_admins['id'],
|
||||
domain_id=self.domainB['id']
|
||||
)
|
||||
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
group_id=self.group_admins['id'],
|
||||
domain_id=self.domainC['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_admin['id'], group_id=self.group_admins['id'],
|
||||
domain_id=self.domainC['id']
|
||||
)
|
||||
self.rules = {
|
||||
'rules': [
|
||||
{
|
||||
|
@ -706,27 +734,30 @@ class FederatedSetupMixin(object):
|
|||
|
||||
# Add IDP
|
||||
self.idp = self.idp_ref(id=self.IDP)
|
||||
self.federation_api.create_idp(self.idp['id'],
|
||||
self.idp)
|
||||
PROVIDERS.federation_api.create_idp(
|
||||
self.idp['id'], self.idp
|
||||
)
|
||||
# Add IDP with remote
|
||||
self.idp_with_remote = self.idp_ref(id=self.IDP_WITH_REMOTE)
|
||||
self.idp_with_remote['remote_ids'] = self.REMOTE_IDS
|
||||
self.federation_api.create_idp(self.idp_with_remote['id'],
|
||||
self.idp_with_remote)
|
||||
PROVIDERS.federation_api.create_idp(
|
||||
self.idp_with_remote['id'], self.idp_with_remote
|
||||
)
|
||||
# Add a mapping
|
||||
self.mapping = self.mapping_ref()
|
||||
self.federation_api.create_mapping(self.mapping['id'],
|
||||
self.mapping)
|
||||
PROVIDERS.federation_api.create_mapping(
|
||||
self.mapping['id'], self.mapping
|
||||
)
|
||||
# Add protocols
|
||||
self.proto_saml = self.proto_ref(mapping_id=self.mapping['id'])
|
||||
self.proto_saml['id'] = self.PROTOCOL
|
||||
self.federation_api.create_protocol(self.idp['id'],
|
||||
self.proto_saml['id'],
|
||||
self.proto_saml)
|
||||
PROVIDERS.federation_api.create_protocol(
|
||||
self.idp['id'], self.proto_saml['id'], self.proto_saml
|
||||
)
|
||||
# Add protocols IDP with remote
|
||||
self.federation_api.create_protocol(self.idp_with_remote['id'],
|
||||
self.proto_saml['id'],
|
||||
self.proto_saml)
|
||||
PROVIDERS.federation_api.create_protocol(
|
||||
self.idp_with_remote['id'], self.proto_saml['id'], self.proto_saml
|
||||
)
|
||||
# Generate fake tokens
|
||||
request = self.make_request()
|
||||
|
||||
|
@ -870,7 +901,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
expected_status=http_client.CREATED)
|
||||
|
||||
def assertIdpDomainCreated(self, idp_id, domain_id):
|
||||
domain = self.resource_api.get_domain(domain_id)
|
||||
domain = PROVIDERS.resource_api.get_domain(domain_id)
|
||||
self.assertEqual(domain_id, domain['name'])
|
||||
self.assertIn(idp_id, domain['description'])
|
||||
|
||||
|
@ -892,7 +923,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
body = self.default_body.copy()
|
||||
body['description'] = uuid.uuid4().hex
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
body['domain_id'] = domain['id']
|
||||
resp = self._create_default_idp(body=body)
|
||||
self.assertValidResponse(resp, 'identity_provider', dummy_validator,
|
||||
|
@ -916,7 +947,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
# the number of domains.
|
||||
resp = self._create_default_idp()
|
||||
idp_id = resp.json_body['identity_provider']['id']
|
||||
domains = self.resource_api.list_domains()
|
||||
domains = PROVIDERS.resource_api.list_domains()
|
||||
number_of_domains = len(domains)
|
||||
|
||||
# Create an identity provider with the same ID to intentionally cause a
|
||||
|
@ -930,13 +961,13 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
body={'identity_provider': self.default_body.copy()},
|
||||
expected_status=http_client.CONFLICT
|
||||
)
|
||||
domains = self.resource_api.list_domains()
|
||||
domains = PROVIDERS.resource_api.list_domains()
|
||||
self.assertEqual(number_of_domains, len(domains))
|
||||
|
||||
def test_conflicting_idp_does_not_delete_existing_domain(self):
|
||||
# Create a new domain
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
|
||||
# Create an identity provider and specify the domain
|
||||
body = self.default_body.copy()
|
||||
|
@ -960,12 +991,12 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
|
||||
# Make sure the domain specified in the second request was not deleted,
|
||||
# since it wasn't auto-generated
|
||||
self.assertIsNotNone(self.resource_api.get_domain(domain['id']))
|
||||
self.assertIsNotNone(PROVIDERS.resource_api.get_domain(domain['id']))
|
||||
|
||||
def test_create_idp_domain_id_unique_constraint(self):
|
||||
# create domain and add domain_id to keys to check
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
keys_to_check = list(self.idp_keys)
|
||||
keys_to_check.append('domain_id')
|
||||
# create idp with the domain_id
|
||||
|
@ -997,7 +1028,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
self.assertIsNotNone(idp_id)
|
||||
# create domain and try to update the idp's domain
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
body['domain_id'] = domain['id']
|
||||
body = {'identity_provider': body}
|
||||
url = self.base_url(suffix=idp_id)
|
||||
|
@ -1263,7 +1294,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
url = self.base_url(suffix=uuid.uuid4().hex)
|
||||
body = self._http_idp_input()
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
body['domain_id'] = domain['id']
|
||||
self.put(url, body={'identity_provider': body},
|
||||
expected_status=http_client.CREATED)
|
||||
|
@ -1278,7 +1309,7 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
"""Create and later fetch IdP."""
|
||||
body = self._http_idp_input()
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
body['domain_id'] = domain['id']
|
||||
default_resp = self._create_default_idp(body=body)
|
||||
default_idp = self._fetch_attribute_from_response(default_resp,
|
||||
|
@ -1342,10 +1373,14 @@ class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
|
|||
**kwargs)
|
||||
|
||||
# removing IdP will remove the assigned protocol as well
|
||||
self.assertEqual(1, len(self.federation_api.list_protocols(idp_id)))
|
||||
self.assertEqual(
|
||||
1, len(PROVIDERS.federation_api.list_protocols(idp_id))
|
||||
)
|
||||
self.delete(idp_url)
|
||||
self.get(idp_url, expected_status=http_client.NOT_FOUND)
|
||||
self.assertEqual(0, len(self.federation_api.list_protocols(idp_id)))
|
||||
self.assertEqual(
|
||||
0, len(PROVIDERS.federation_api.list_protocols(idp_id))
|
||||
)
|
||||
|
||||
def test_delete_nonexisting_idp(self):
|
||||
"""Delete nonexisting IdP.
|
||||
|
@ -1876,7 +1911,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
|
||||
"""
|
||||
enabled_false = {'enabled': False}
|
||||
self.federation_api.update_idp(self.IDP, enabled_false)
|
||||
PROVIDERS.federation_api.update_idp(self.IDP, enabled_false)
|
||||
self.assertRaises(exception.Forbidden,
|
||||
self._issue_unscoped_token)
|
||||
|
||||
|
@ -1988,10 +2023,11 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# let admin get roles in a project
|
||||
self.proj_employees
|
||||
admin = unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
self.identity_api.create_user(admin)
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
user_id=admin['id'],
|
||||
project_id=self.proj_employees['id'])
|
||||
PROVIDERS.identity_api.create_user(admin)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_admin['id'], user_id=admin['id'],
|
||||
project_id=self.proj_employees['id']
|
||||
)
|
||||
|
||||
# try to scope the token. It should fail
|
||||
scope = self._scope_request(
|
||||
|
@ -2056,7 +2092,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
|
||||
"""
|
||||
enabled_false = {'enabled': False}
|
||||
self.federation_api.update_idp(self.IDP, enabled_false)
|
||||
PROVIDERS.federation_api.update_idp(self.IDP, enabled_false)
|
||||
self.v3_create_token(
|
||||
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER,
|
||||
expected_status=http_client.FORBIDDEN)
|
||||
|
@ -2070,7 +2106,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
token_id = token.headers.get('X-Subject-Token')
|
||||
federated_info = token.json_body['token']['user']['OS-FEDERATION']
|
||||
idp_id = federated_info['identity_provider']['id']
|
||||
self.federation_api.delete_idp(idp_id)
|
||||
PROVIDERS.federation_api.delete_idp(idp_id)
|
||||
headers = {
|
||||
'X-Subject-Token': token_id
|
||||
}
|
||||
|
@ -2118,7 +2154,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
user_id = r.json_body['token']['user']['id']
|
||||
project_id = r.json_body['token']['project']['id']
|
||||
for role in r.json_body['token']['roles']:
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_id=role['id'], user_id=user_id, project_id=project_id
|
||||
)
|
||||
|
||||
|
@ -2236,11 +2272,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
subproject_inherited = unit.new_project_ref(
|
||||
domain_id=self.domainD['id'],
|
||||
parent_id=self.project_inherited['id'])
|
||||
self.resource_api.create_project(subproject_inherited['id'],
|
||||
subproject_inherited)
|
||||
PROVIDERS.resource_api.create_project(
|
||||
subproject_inherited['id'], subproject_inherited
|
||||
)
|
||||
|
||||
# Create an inherited role assignment
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_id=self.role_employee['id'],
|
||||
group_id=self.group_employees['id'],
|
||||
project_id=self.project_inherited['id'],
|
||||
|
@ -2331,14 +2368,14 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
"""
|
||||
# create group and role
|
||||
group = unit.new_group_ref(domain_id=self.domainA['id'])
|
||||
group = self.identity_api.create_group(group)
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
role = unit.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
PROVIDERS.role_api.create_role(role['id'], role)
|
||||
|
||||
# assign role to group and project_admins
|
||||
self.assignment_api.create_grant(role['id'],
|
||||
group_id=group['id'],
|
||||
project_id=self.project_all['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role['id'], group_id=group['id'], project_id=self.project_all['id']
|
||||
)
|
||||
|
||||
rules = {
|
||||
'rules': [
|
||||
|
@ -2370,13 +2407,13 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
]
|
||||
}
|
||||
|
||||
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
|
||||
r = self._issue_unscoped_token(assertion='TESTER_ASSERTION')
|
||||
token_id = r.headers.get('X-Subject-Token')
|
||||
|
||||
# delete group
|
||||
self.identity_api.delete_group(group['id'])
|
||||
PROVIDERS.identity_api.delete_group(group['id'])
|
||||
|
||||
# scope token to project_all, expect HTTP 500
|
||||
scoped_token = self._scope_request(
|
||||
|
@ -2404,7 +2441,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
domain_id = self.domainA['id']
|
||||
domain_name = self.domainA['name']
|
||||
group = unit.new_group_ref(domain_id=domain_id, name='EXISTS')
|
||||
group = self.identity_api.create_group(group)
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
rules = {
|
||||
'rules': [
|
||||
{
|
||||
|
@ -2437,7 +2474,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
}
|
||||
]
|
||||
}
|
||||
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
|
||||
def test_empty_blacklist_passess_all_values(self):
|
||||
"""Test a mapping with empty blacklist specified.
|
||||
|
@ -2464,12 +2501,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
|
||||
# Add a group "EXISTS"
|
||||
group_exists = unit.new_group_ref(domain_id=domain_id, name='EXISTS')
|
||||
group_exists = self.identity_api.create_group(group_exists)
|
||||
group_exists = PROVIDERS.identity_api.create_group(group_exists)
|
||||
|
||||
# Add a group "NO_EXISTS"
|
||||
group_no_exists = unit.new_group_ref(domain_id=domain_id,
|
||||
name='NO_EXISTS')
|
||||
group_no_exists = self.identity_api.create_group(group_no_exists)
|
||||
group_no_exists = PROVIDERS.identity_api.create_group(group_no_exists)
|
||||
|
||||
group_ids = set([group_exists['id'], group_no_exists['id']])
|
||||
|
||||
|
@ -2506,7 +2543,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
}
|
||||
]
|
||||
}
|
||||
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
||||
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
|
||||
self.assertEqual(len(group_ids), len(assigned_group_ids))
|
||||
|
@ -2538,12 +2575,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# Add a group "EXISTS"
|
||||
group_exists = unit.new_group_ref(domain_id=domain_id,
|
||||
name='EXISTS')
|
||||
group_exists = self.identity_api.create_group(group_exists)
|
||||
group_exists = PROVIDERS.identity_api.create_group(group_exists)
|
||||
|
||||
# Add a group "NO_EXISTS"
|
||||
group_no_exists = unit.new_group_ref(domain_id=domain_id,
|
||||
name='NO_EXISTS')
|
||||
group_no_exists = self.identity_api.create_group(group_no_exists)
|
||||
group_no_exists = PROVIDERS.identity_api.create_group(group_no_exists)
|
||||
|
||||
group_ids = set([group_exists['id'], group_no_exists['id']])
|
||||
|
||||
|
@ -2579,7 +2616,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
}
|
||||
]
|
||||
}
|
||||
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
||||
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
|
||||
self.assertEqual(len(group_ids), len(assigned_group_ids))
|
||||
|
@ -2607,7 +2644,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
domain_id = self.domainA['id']
|
||||
domain_name = self.domainA['name']
|
||||
group = unit.new_group_ref(domain_id=domain_id, name='EXISTS')
|
||||
group = self.identity_api.create_group(group)
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
rules = {
|
||||
'rules': [
|
||||
{
|
||||
|
@ -2641,7 +2678,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
}
|
||||
]
|
||||
}
|
||||
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
||||
assigned_groups = r.json['token']['user']['OS-FEDERATION']['groups']
|
||||
self.assertEqual(len(assigned_groups), 0)
|
||||
|
@ -2670,12 +2707,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# Add a group "EXISTS"
|
||||
group_exists = unit.new_group_ref(domain_id=domain_id,
|
||||
name='EXISTS')
|
||||
group_exists = self.identity_api.create_group(group_exists)
|
||||
group_exists = PROVIDERS.identity_api.create_group(group_exists)
|
||||
|
||||
# Add a group "NO_EXISTS"
|
||||
group_no_exists = unit.new_group_ref(domain_id=domain_id,
|
||||
name='NO_EXISTS')
|
||||
group_no_exists = self.identity_api.create_group(group_no_exists)
|
||||
group_no_exists = PROVIDERS.identity_api.create_group(group_no_exists)
|
||||
|
||||
group_ids = set([group_exists['id'], group_no_exists['id']])
|
||||
|
||||
|
@ -2711,7 +2748,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
}
|
||||
]
|
||||
}
|
||||
self.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
|
||||
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
|
||||
assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
|
||||
self.assertEqual(len(group_ids), len(assigned_group_ids))
|
||||
|
@ -2917,20 +2954,20 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
"""Ensure user_id is persistend for multiple federated authn calls."""
|
||||
r = self._issue_unscoped_token()
|
||||
user_id = r.json_body['token']['user']['id']
|
||||
self.assertNotEmpty(self.identity_api.get_user(user_id))
|
||||
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id))
|
||||
|
||||
r = self._issue_unscoped_token()
|
||||
user_id2 = r.json_body['token']['user']['id']
|
||||
self.assertNotEmpty(self.identity_api.get_user(user_id2))
|
||||
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id2))
|
||||
self.assertEqual(user_id, user_id2)
|
||||
|
||||
def test_user_role_assignment(self):
|
||||
# create project and role
|
||||
project_ref = unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
|
||||
# authenticate via saml get back a user id
|
||||
user_id, unscoped_token = self._authenticate_via_saml()
|
||||
|
@ -2943,7 +2980,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
# assign project role to federated user
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user_id, project_ref['id'], role_ref['id'])
|
||||
|
||||
# exchange an unscoped token for a scoped token
|
||||
|
@ -2961,7 +2998,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# create a 2nd project
|
||||
project_ref2 = unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id)
|
||||
self.resource_api.create_project(project_ref2['id'], project_ref2)
|
||||
PROVIDERS.resource_api.create_project(project_ref2['id'], project_ref2)
|
||||
|
||||
# ensure the user cannot access the 2nd resource (forbidden)
|
||||
path = '/projects/%(project_id)s' % {'project_id': project_ref2['id']}
|
||||
|
@ -2972,9 +3009,9 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
def test_domain_scoped_user_role_assignment(self):
|
||||
# create domain and role
|
||||
domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
|
||||
# authenticate via saml get back a user id
|
||||
user_id, unscoped_token = self._authenticate_via_saml()
|
||||
|
@ -2987,9 +3024,9 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
# assign domain role to user
|
||||
self.assignment_api.create_grant(role_ref['id'],
|
||||
user_id=user_id,
|
||||
domain_id=domain_ref['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_ref['id'], user_id=user_id, domain_id=domain_ref['id']
|
||||
)
|
||||
|
||||
# exchange an unscoped token for domain scoped token and test
|
||||
r = self.v3_create_token(v3_scope_request,
|
||||
|
@ -3002,15 +3039,15 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# create project and role
|
||||
project_ref = unit.new_project_ref(
|
||||
domain_id=CONF.identity.default_domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
|
||||
# authenticate via saml get back a user id
|
||||
user_id, unscoped_token = self._authenticate_via_saml()
|
||||
|
||||
# assign project role to federated user
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user_id, project_ref['id'], role_ref['id'])
|
||||
|
||||
# get auth projects
|
||||
|
@ -3028,24 +3065,25 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# create project, role, group
|
||||
domain_id = CONF.identity.default_domain_id
|
||||
project_ref = unit.new_project_ref(domain_id=domain_id)
|
||||
self.resource_api.create_project(project_ref['id'], project_ref)
|
||||
PROVIDERS.resource_api.create_project(project_ref['id'], project_ref)
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
group_ref = unit.new_group_ref(domain_id=domain_id)
|
||||
group_ref = self.identity_api.create_group(group_ref)
|
||||
group_ref = PROVIDERS.identity_api.create_group(group_ref)
|
||||
|
||||
# authenticate via saml get back a user id
|
||||
user_id, unscoped_token = self._authenticate_via_saml()
|
||||
|
||||
# assign role to group at project
|
||||
self.assignment_api.create_grant(role_ref['id'],
|
||||
group_id=group_ref['id'],
|
||||
project_id=project_ref['id'],
|
||||
domain_id=domain_id)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_ref['id'], group_id=group_ref['id'],
|
||||
project_id=project_ref['id'], domain_id=domain_id
|
||||
)
|
||||
|
||||
# add user to group
|
||||
self.identity_api.add_user_to_group(user_id=user_id,
|
||||
group_id=group_ref['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user_id=user_id, group_id=group_ref['id']
|
||||
)
|
||||
|
||||
# get auth projects
|
||||
r = self.get('/auth/projects', token=unscoped_token)
|
||||
|
@ -3061,17 +3099,17 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
def test_auth_domains_matches_federation_domains(self):
|
||||
# create domain and role
|
||||
domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
|
||||
# authenticate via saml get back a user id and token
|
||||
user_id, unscoped_token = self._authenticate_via_saml()
|
||||
|
||||
# assign domain role to user
|
||||
self.assignment_api.create_grant(role_ref['id'],
|
||||
user_id=user_id,
|
||||
domain_id=domain_ref['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_ref['id'], user_id=user_id, domain_id=domain_ref['id']
|
||||
)
|
||||
|
||||
# get auth domains
|
||||
r = self.get('/auth/domains', token=unscoped_token)
|
||||
|
@ -3087,23 +3125,25 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
def test_auth_domains_matches_federation_domains_with_group_assign(self):
|
||||
# create role, group, and domain
|
||||
domain_ref = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
PROVIDERS.resource_api.create_domain(domain_ref['id'], domain_ref)
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
group_ref = unit.new_group_ref(domain_id=domain_ref['id'])
|
||||
group_ref = self.identity_api.create_group(group_ref)
|
||||
group_ref = PROVIDERS.identity_api.create_group(group_ref)
|
||||
|
||||
# authenticate via saml get back a user id and token
|
||||
user_id, unscoped_token = self._authenticate_via_saml()
|
||||
|
||||
# assign domain role to group
|
||||
self.assignment_api.create_grant(role_ref['id'],
|
||||
group_id=group_ref['id'],
|
||||
domain_id=domain_ref['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_ref['id'], group_id=group_ref['id'],
|
||||
domain_id=domain_ref['id']
|
||||
)
|
||||
|
||||
# add user to group
|
||||
self.identity_api.add_user_to_group(user_id=user_id,
|
||||
group_id=group_ref['id'])
|
||||
PROVIDERS.identity_api.add_user_to_group(
|
||||
user_id=user_id, group_id=group_ref['id']
|
||||
)
|
||||
|
||||
# get auth domains
|
||||
r = self.get('/auth/domains', token=unscoped_token)
|
||||
|
@ -3119,7 +3159,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
def test_list_head_domains_for_user_duplicates(self):
|
||||
# create role
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
|
||||
# authenticate via saml get back a user id and token
|
||||
user_id, unscoped_token = self._authenticate_via_saml()
|
||||
|
@ -3137,9 +3177,9 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
|
||||
# assign group domain and role to user, this should create a
|
||||
# duplicate domain
|
||||
self.assignment_api.create_grant(role_ref['id'],
|
||||
user_id=user_id,
|
||||
domain_id=domain_from_group['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_ref['id'], user_id=user_id, domain_id=domain_from_group['id']
|
||||
)
|
||||
|
||||
# get user domains via /OS-FEDERATION/domains and test for duplicates
|
||||
r = self.get('/OS-FEDERATION/domains', token=unscoped_token)
|
||||
|
@ -3160,7 +3200,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
def test_list_head_projects_for_user_duplicates(self):
|
||||
# create role
|
||||
role_ref = unit.new_role_ref()
|
||||
self.role_api.create_role(role_ref['id'], role_ref)
|
||||
PROVIDERS.role_api.create_role(role_ref['id'], role_ref)
|
||||
|
||||
# authenticate via saml get back a user id and token
|
||||
user_id, unscoped_token = self._authenticate_via_saml()
|
||||
|
@ -3178,7 +3218,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
|
||||
# assign group project and role to user, this should create a
|
||||
# duplicate project
|
||||
self.assignment_api.add_role_to_user_and_project(
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user_id, project_from_group['id'], role_ref['id'])
|
||||
|
||||
# get user projects via /OS-FEDERATION/projects and test for duplicates
|
||||
|
@ -3200,17 +3240,17 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
def test_delete_protocol_after_federated_authentication(self):
|
||||
# Create a protocol
|
||||
protocol = self.proto_ref(mapping_id=self.mapping['id'])
|
||||
self.federation_api.create_protocol(
|
||||
PROVIDERS.federation_api.create_protocol(
|
||||
self.IDP, protocol['id'], protocol)
|
||||
|
||||
# Authenticate to create a new federated_user entry with a foreign
|
||||
# key pointing to the protocol
|
||||
r = self._issue_unscoped_token()
|
||||
user_id = r.json_body['token']['user']['id']
|
||||
self.assertNotEmpty(self.identity_api.get_user(user_id))
|
||||
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id))
|
||||
|
||||
# Now we should be able to delete the protocol
|
||||
self.federation_api.delete_protocol(self.IDP, protocol['id'])
|
||||
PROVIDERS.federation_api.delete_protocol(self.IDP, protocol['id'])
|
||||
|
||||
def _authenticate_via_saml(self):
|
||||
r = self._issue_unscoped_token()
|
||||
|
@ -3237,7 +3277,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
super(ShadowMappingTests, self).setUp()
|
||||
# update the mapping we have already setup to have specific projects
|
||||
# and roles.
|
||||
self.federation_api.update_mapping(
|
||||
PROVIDERS.federation_api.update_mapping(
|
||||
self.mapping['id'],
|
||||
mapping_fixtures.MAPPING_PROJECTS
|
||||
)
|
||||
|
@ -3254,12 +3294,12 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# below that test that behavior and the setup is done in the test.
|
||||
member_role_ref = unit.new_role_ref(name='member')
|
||||
assert member_role_ref['domain_id'] is None
|
||||
self.member_role = self.role_api.create_role(
|
||||
self.member_role = PROVIDERS.role_api.create_role(
|
||||
member_role_ref['id'], member_role_ref
|
||||
)
|
||||
observer_role_ref = unit.new_role_ref(name='observer')
|
||||
assert observer_role_ref['domain_id'] is None
|
||||
self.observer_role = self.role_api.create_role(
|
||||
self.observer_role = PROVIDERS.role_api.create_role(
|
||||
observer_role_ref['id'], observer_role_ref
|
||||
)
|
||||
|
||||
|
@ -3280,7 +3320,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
self.load_federation_sample_data()
|
||||
|
||||
def test_shadow_mapping_creates_projects(self):
|
||||
projects = self.resource_api.list_projects()
|
||||
projects = PROVIDERS.resource_api.list_projects()
|
||||
for project in projects:
|
||||
self.assertNotIn(project['name'], self.expected_results)
|
||||
|
||||
|
@ -3290,7 +3330,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
response = self.get('/auth/projects', token=unscoped_token)
|
||||
projects = response.json_body['projects']
|
||||
for project in projects:
|
||||
project = self.resource_api.get_project_by_name(
|
||||
project = PROVIDERS.resource_api.get_project_by_name(
|
||||
project['name'],
|
||||
self.idp['domain_id']
|
||||
)
|
||||
|
@ -3320,7 +3360,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# If a role required by the mapping does not exist, then we should fail
|
||||
# the mapping since shadow mapping currently does not support creating
|
||||
# mappings on-the-fly.
|
||||
self.role_api.delete_role(self.observer_role['id'])
|
||||
PROVIDERS.role_api.delete_role(self.observer_role['id'])
|
||||
self.assertRaises(exception.RoleNotFound, self._issue_unscoped_token)
|
||||
|
||||
def test_shadow_mapping_creates_project_in_identity_provider_domain(self):
|
||||
|
@ -3349,15 +3389,15 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
def test_roles_outside_idp_domain_fail_mapping(self):
|
||||
# Create a new domain
|
||||
d = unit.new_domain_ref()
|
||||
new_domain = self.resource_api.create_domain(d['id'], d)
|
||||
new_domain = PROVIDERS.resource_api.create_domain(d['id'], d)
|
||||
|
||||
# Delete the member role and recreate it in a different domain
|
||||
self.role_api.delete_role(self.member_role['id'])
|
||||
PROVIDERS.role_api.delete_role(self.member_role['id'])
|
||||
member_role_ref = unit.new_role_ref(
|
||||
name='member',
|
||||
domain_id=new_domain['id']
|
||||
)
|
||||
self.role_api.create_role(member_role_ref['id'], member_role_ref)
|
||||
PROVIDERS.role_api.create_role(member_role_ref['id'], member_role_ref)
|
||||
self.assertRaises(
|
||||
exception.DomainSpecificRoleNotWithinIdPDomain,
|
||||
self._issue_unscoped_token
|
||||
|
@ -3365,18 +3405,18 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
|
||||
def test_roles_in_idp_domain_can_be_assigned_from_mapping(self):
|
||||
# Delete the member role and recreate it in the domain of the idp
|
||||
self.role_api.delete_role(self.member_role['id'])
|
||||
PROVIDERS.role_api.delete_role(self.member_role['id'])
|
||||
member_role_ref = unit.new_role_ref(
|
||||
name='member',
|
||||
domain_id=self.idp['domain_id']
|
||||
)
|
||||
self.role_api.create_role(member_role_ref['id'], member_role_ref)
|
||||
PROVIDERS.role_api.create_role(member_role_ref['id'], member_role_ref)
|
||||
response = self._issue_unscoped_token()
|
||||
user_id = response.json_body['token']['user']['id']
|
||||
unscoped_token = response.headers.get('X-Subject-Token')
|
||||
response = self.get('/auth/projects', token=unscoped_token)
|
||||
projects = response.json_body['projects']
|
||||
staging_project = self.resource_api.get_project_by_name(
|
||||
staging_project = PROVIDERS.resource_api.get_project_by_name(
|
||||
'Staging', self.idp['domain_id']
|
||||
)
|
||||
for project in projects:
|
||||
|
@ -3384,10 +3424,12 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
# a member role for our user, the /auth/projects response doesn't
|
||||
# include projects with only domain-specific role assignments.
|
||||
self.assertNotEqual(project['name'], 'Staging')
|
||||
domain_role_assignments = self.assignment_api.list_role_assignments(
|
||||
user_id=user_id,
|
||||
project_id=staging_project['id'],
|
||||
strip_domain_roles=False
|
||||
domain_role_assignments = (
|
||||
PROVIDERS.assignment_api.list_role_assignments(
|
||||
user_id=user_id,
|
||||
project_id=staging_project['id'],
|
||||
strip_domain_roles=False
|
||||
)
|
||||
)
|
||||
self.assertEqual(
|
||||
staging_project['id'], domain_role_assignments[0]['project_id']
|
||||
|
@ -3402,16 +3444,16 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
domain_id=self.idp['domain_id'],
|
||||
name='Observers'
|
||||
)
|
||||
observer_group = self.identity_api.create_group(observer_group)
|
||||
observer_group = PROVIDERS.identity_api.create_group(observer_group)
|
||||
# make sure the Observers group has a role on the finance project
|
||||
finance_project = unit.new_project_ref(
|
||||
domain_id=self.idp['domain_id'],
|
||||
name='Finance'
|
||||
)
|
||||
finance_project = self.resource_api.create_project(
|
||||
finance_project = PROVIDERS.resource_api.create_project(
|
||||
finance_project['id'], finance_project
|
||||
)
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.observer_role['id'],
|
||||
group_id=observer_group['id'],
|
||||
project_id=finance_project['id']
|
||||
|
@ -3427,7 +3469,9 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
}
|
||||
updated_mapping = copy.deepcopy(mapping_fixtures.MAPPING_PROJECTS)
|
||||
updated_mapping['rules'][0]['local'].append(group_rule)
|
||||
self.federation_api.update_mapping(self.mapping['id'], updated_mapping)
|
||||
PROVIDERS.federation_api.update_mapping(
|
||||
self.mapping['id'], updated_mapping
|
||||
)
|
||||
response = self._issue_unscoped_token()
|
||||
# user_id = response.json_body['token']['user']['id']
|
||||
unscoped_token = response.headers.get('X-Subject-Token')
|
||||
|
@ -3466,14 +3510,15 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
|||
unscoped_token = response.headers.get('X-Subject-Token')
|
||||
|
||||
# Assign admin role to newly-created project to another user
|
||||
staging_project = self.resource_api.get_project_by_name(
|
||||
staging_project = PROVIDERS.resource_api.get_project_by_name(
|
||||
'Staging', self.idp['domain_id']
|
||||
)
|
||||
admin = unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
self.identity_api.create_user(admin)
|
||||
self.assignment_api.create_grant(self.role_admin['id'],
|
||||
user_id=admin['id'],
|
||||
project_id=staging_project['id'])
|
||||
PROVIDERS.identity_api.create_user(admin)
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role_admin['id'], user_id=admin['id'],
|
||||
project_id=staging_project['id']
|
||||
)
|
||||
|
||||
# Authenticate again with the federated user and verify roles
|
||||
response = self._issue_unscoped_token()
|
||||
|
@ -3898,7 +3943,7 @@ class SAMLGenerationTests(test_v3.RestfulTestCase):
|
|||
"""Try generating assertion for disabled Service Provider."""
|
||||
# Disable Service Provider
|
||||
sp_ref = {'enabled': False}
|
||||
self.federation_api.update_sp(self.SERVICE_PROVDIER_ID, sp_ref)
|
||||
PROVIDERS.federation_api.update_sp(self.SERVICE_PROVDIER_ID, sp_ref)
|
||||
|
||||
token_id = self._fetch_valid_token()
|
||||
body = self._create_generate_saml_request(token_id,
|
||||
|
@ -4633,15 +4678,15 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
|
|||
super(K2KServiceCatalogTests, self).setUp()
|
||||
|
||||
sp = self.sp_ref()
|
||||
self.federation_api.create_sp(self.SP1, sp)
|
||||
PROVIDERS.federation_api.create_sp(self.SP1, sp)
|
||||
self.sp_alpha = {self.SP1: sp}
|
||||
|
||||
sp = self.sp_ref()
|
||||
self.federation_api.create_sp(self.SP2, sp)
|
||||
PROVIDERS.federation_api.create_sp(self.SP2, sp)
|
||||
self.sp_beta = {self.SP2: sp}
|
||||
|
||||
sp = self.sp_ref()
|
||||
self.federation_api.create_sp(self.SP3, sp)
|
||||
PROVIDERS.federation_api.create_sp(self.SP3, sp)
|
||||
self.sp_gamma = {self.SP3: sp}
|
||||
|
||||
self.token_v3_helper = token_common.V3TokenDataHelper()
|
||||
|
@ -4692,7 +4737,7 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
|
|||
"""
|
||||
# disable service provider ALPHA
|
||||
sp_ref = {'enabled': False}
|
||||
self.federation_api.update_sp(self.SP1, sp_ref)
|
||||
PROVIDERS.federation_api.update_sp(self.SP1, sp_ref)
|
||||
|
||||
token = self.token_v3_helper.get_token_data(self.user_id, ['password'])
|
||||
ref = {}
|
||||
|
@ -4709,7 +4754,7 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
|
|||
"""
|
||||
sp_ref = {'enabled': False}
|
||||
for sp in (self.SP1, self.SP2, self.SP3):
|
||||
self.federation_api.update_sp(sp, sp_ref)
|
||||
PROVIDERS.federation_api.update_sp(sp, sp_ref)
|
||||
|
||||
token = self.token_v3_helper.get_token_data(self.user_id, ['password'])
|
||||
self.assertNotIn('service_providers', token['token'],
|
||||
|
|
|
@ -23,6 +23,7 @@ from oslo_log import log
|
|||
from six.moves import http_client
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone.common import sql
|
||||
import keystone.conf
|
||||
from keystone.credential.providers import fernet as credential_fernet
|
||||
|
@ -38,6 +39,7 @@ from keystone.tests.unit import test_v3
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class IdentityTestCase(test_v3.RestfulTestCase):
|
||||
|
@ -54,15 +56,16 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
)
|
||||
|
||||
self.group = unit.new_group_ref(domain_id=self.domain_id)
|
||||
self.group = self.identity_api.create_group(self.group)
|
||||
self.group = PROVIDERS.identity_api.create_group(self.group)
|
||||
self.group_id = self.group['id']
|
||||
|
||||
self.credential = unit.new_credential_ref(
|
||||
user_id=self.user['id'],
|
||||
project_id=self.project_id)
|
||||
|
||||
self.credential_api.create_credential(self.credential['id'],
|
||||
self.credential)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
self.credential['id'], self.credential
|
||||
)
|
||||
|
||||
# user crud tests
|
||||
|
||||
|
@ -85,9 +88,9 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
# Create a user with a role on the domain so we can get a
|
||||
# domain scoped token
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
user = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_id=self.role_id, user_id=user['id'],
|
||||
domain_id=domain['id'])
|
||||
|
||||
|
@ -151,9 +154,9 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
"""
|
||||
# Create two domains to work with.
|
||||
domain1 = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain1['id'], domain1)
|
||||
PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
|
||||
domain2 = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain2['id'], domain2)
|
||||
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
|
||||
|
||||
# We can successfully create a normal user without any surprises.
|
||||
user = unit.new_user_ref(domain_id=domain1['id'])
|
||||
|
@ -230,19 +233,19 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
# Create a new domain with a new project and user
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
|
||||
project = unit.new_project_ref(domain_id=domain['id'])
|
||||
self.resource_api.create_project(project['id'], project)
|
||||
PROVIDERS.resource_api.create_project(project['id'], project)
|
||||
|
||||
user = unit.create_user(self.identity_api, domain_id=domain['id'])
|
||||
user = unit.create_user(PROVIDERS.identity_api, domain_id=domain['id'])
|
||||
|
||||
# Create both project and domain role grants for the user so we
|
||||
# can get both project and domain scoped tokens
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_id=self.role_id, user_id=user['id'],
|
||||
domain_id=domain['id'])
|
||||
self.assignment_api.create_grant(
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
role_id=self.role_id, user_id=user['id'],
|
||||
project_id=project['id'])
|
||||
|
||||
|
@ -277,7 +280,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
def test_list_users_no_default_project(self):
|
||||
"""Call ``GET /users`` making sure no default_project_id."""
|
||||
user = unit.new_user_ref(self.domain_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
user = PROVIDERS.identity_api.create_user(user)
|
||||
resource_url = '/users'
|
||||
r = self.get(resource_url)
|
||||
self.assertValidUserListResponse(r, ref=user,
|
||||
|
@ -295,7 +298,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
"""Call ``GET /users/{user_id}`` extra attributes are not included."""
|
||||
user = unit.new_user_ref(domain_id=self.domain_id,
|
||||
project_id=self.project_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
user = PROVIDERS.identity_api.create_user(user)
|
||||
self.assertNotIn('created_at', user)
|
||||
self.assertNotIn('last_active_at', user)
|
||||
|
||||
|
@ -303,7 +306,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
"""Call ``GET /users/{user_id}`` required attributes are included."""
|
||||
user = unit.new_user_ref(domain_id=self.domain_id,
|
||||
project_id=self.project_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
user = PROVIDERS.identity_api.create_user(user)
|
||||
self.assertIn('id', user)
|
||||
self.assertIn('name', user)
|
||||
self.assertIn('enabled', user)
|
||||
|
@ -315,7 +318,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
"""Call ``GET /users/{user_id}`` making sure of default_project_id."""
|
||||
user = unit.new_user_ref(domain_id=self.domain_id,
|
||||
project_id=self.project_id)
|
||||
user = self.identity_api.create_user(user)
|
||||
user = PROVIDERS.identity_api.create_user(user)
|
||||
r = self.get('/users/%(user_id)s' % {'user_id': user['id']})
|
||||
self.assertValidUserResponse(r, user)
|
||||
|
||||
|
@ -326,9 +329,9 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_list_head_groups_for_user(self):
|
||||
"""Call ``GET & HEAD /users/{user_id}/groups``."""
|
||||
user1 = unit.create_user(self.identity_api,
|
||||
user1 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
user2 = unit.create_user(self.identity_api,
|
||||
user2 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
|
||||
|
@ -404,7 +407,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def test_admin_password_reset(self):
|
||||
# bootstrap a user as admin
|
||||
user_ref = unit.create_user(self.identity_api,
|
||||
user_ref = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
# auth as user should work before a password change
|
||||
|
@ -443,7 +446,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
self.config_fixture.config(group='security_compliance',
|
||||
minimum_password_age=1)
|
||||
# create user
|
||||
user_ref = unit.create_user(self.identity_api,
|
||||
user_ref = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
# administrative password reset
|
||||
new_password = uuid.uuid4().hex
|
||||
|
@ -463,7 +466,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
the `domain_id` of a user fails.
|
||||
"""
|
||||
user = unit.new_user_ref(domain_id=self.domain['id'])
|
||||
user = self.identity_api.create_user(user)
|
||||
user = PROVIDERS.identity_api.create_user(user)
|
||||
user['domain_id'] = CONF.identity.default_domain_id
|
||||
self.patch('/users/%(user_id)s' % {
|
||||
'user_id': user['id']},
|
||||
|
@ -480,16 +483,18 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
"""
|
||||
# First check the credential for this user is present
|
||||
r = self.credential_api.get_credential(self.credential['id'])
|
||||
r = PROVIDERS.credential_api.get_credential(self.credential['id'])
|
||||
self.assertDictEqual(self.credential, r)
|
||||
# Create a second credential with a different user
|
||||
|
||||
user2 = unit.new_user_ref(domain_id=self.domain['id'],
|
||||
project_id=self.project['id'])
|
||||
user2 = self.identity_api.create_user(user2)
|
||||
user2 = PROVIDERS.identity_api.create_user(user2)
|
||||
credential2 = unit.new_credential_ref(user_id=user2['id'],
|
||||
project_id=self.project['id'])
|
||||
self.credential_api.create_credential(credential2['id'], credential2)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential2['id'], credential2
|
||||
)
|
||||
|
||||
# Create a token for this user which we can check later
|
||||
# gets deleted
|
||||
|
@ -510,14 +515,14 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
# Deleting the user should have deleted any credentials
|
||||
# that reference this project
|
||||
self.assertRaises(exception.CredentialNotFound,
|
||||
self.credential_api.get_credential,
|
||||
PROVIDERS.credential_api.get_credential,
|
||||
self.credential['id'])
|
||||
# And the no tokens we remain valid
|
||||
tokens = self.token_provider_api._persistence._list_tokens(
|
||||
tokens = PROVIDERS.token_provider_api._persistence._list_tokens(
|
||||
self.user['id'])
|
||||
self.assertEqual(0, len(tokens))
|
||||
# But the credential for user2 is unaffected
|
||||
r = self.credential_api.get_credential(credential2['id'])
|
||||
r = PROVIDERS.credential_api.get_credential(credential2['id'])
|
||||
self.assertDictEqual(credential2, r)
|
||||
|
||||
def test_delete_user_retries_on_deadlock(self):
|
||||
|
@ -542,11 +547,11 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
side_effect = FakeDeadlock(patcher)
|
||||
sql_delete_mock.side_effect = side_effect
|
||||
|
||||
user_ref = unit.create_user(self.identity_api,
|
||||
user_ref = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
try:
|
||||
self.identity_api.delete_user(user_id=user_ref['id'])
|
||||
PROVIDERS.identity_api.delete_user(user_id=user_ref['id'])
|
||||
finally:
|
||||
if side_effect.patched:
|
||||
patcher.stop()
|
||||
|
@ -634,7 +639,7 @@ class IdentityTestCase(test_v3.RestfulTestCase):
|
|||
log_fix = self.useFixture(fixtures.FakeLogger(level=log.DEBUG))
|
||||
|
||||
# bootstrap a user as admin
|
||||
user_ref = unit.create_user(self.identity_api,
|
||||
user_ref = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
self.assertNotIn(user_ref['password'], log_fix.output)
|
||||
|
@ -677,7 +682,7 @@ class ChangePasswordTestCase(test_v3.RestfulTestCase):
|
|||
|
||||
def setUp(self):
|
||||
super(ChangePasswordTestCase, self).setUp()
|
||||
self.user_ref = unit.create_user(self.identity_api,
|
||||
self.user_ref = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
self.token = self.get_request_token(self.user_ref['password'],
|
||||
http_client.CREATED)
|
||||
|
@ -710,7 +715,7 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
|
|||
user_ref = unit.new_user_ref(domain_id=self.domain_id,
|
||||
password=password)
|
||||
with freezegun.freeze_time(time):
|
||||
self.user_ref = self.identity_api.create_user(user_ref)
|
||||
self.user_ref = PROVIDERS.identity_api.create_user(user_ref)
|
||||
|
||||
return password
|
||||
|
||||
|
@ -843,7 +848,7 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
|
|||
change_password_upon_first_use=True)
|
||||
|
||||
# create user
|
||||
self.user_ref = unit.create_user(self.identity_api,
|
||||
self.user_ref = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
# attempt to authenticate with create user password
|
||||
|
@ -866,7 +871,7 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
|
|||
# admin reset
|
||||
reset_password = uuid.uuid4().hex
|
||||
user_password = {'password': reset_password}
|
||||
self.identity_api.update_user(self.user_ref['id'], user_password)
|
||||
PROVIDERS.identity_api.update_user(self.user_ref['id'], user_password)
|
||||
|
||||
# attempt to authenticate with admin reset password
|
||||
self.get_request_token(reset_password,
|
||||
|
@ -890,7 +895,7 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
|
|||
self.user_ref['password'] = reset_password
|
||||
ignore_opt_name = options.IGNORE_CHANGE_PASSWORD_OPT.option_name
|
||||
self.user_ref['options'][ignore_opt_name] = True
|
||||
self.identity_api.update_user(self.user_ref['id'], self.user_ref)
|
||||
PROVIDERS.identity_api.update_user(self.user_ref['id'], self.user_ref)
|
||||
|
||||
# authenticate with the reset password
|
||||
self.token = self.get_request_token(reset_password,
|
||||
|
@ -901,13 +906,13 @@ class UserSelfServiceChangingPasswordsTestCase(ChangePasswordTestCase):
|
|||
lockout_failure_attempts=1)
|
||||
|
||||
# create user
|
||||
self.user_ref = unit.create_user(self.identity_api,
|
||||
self.user_ref = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
|
||||
# update the user, mark her as exempt from lockout
|
||||
ignore_opt_name = options.IGNORE_LOCKOUT_ATTEMPT_OPT.option_name
|
||||
self.user_ref['options'][ignore_opt_name] = True
|
||||
self.identity_api.update_user(self.user_ref['id'], self.user_ref)
|
||||
PROVIDERS.identity_api.update_user(self.user_ref['id'], self.user_ref)
|
||||
|
||||
# fail to auth, this should lockout the user, since we're allowed
|
||||
# one failure, but we're exempt from lockout!
|
||||
|
@ -936,7 +941,7 @@ class PasswordValidationTestCase(ChangePasswordTestCase):
|
|||
expected_status=http_client.BAD_REQUEST)
|
||||
|
||||
def test_update_user_with_invalid_password(self):
|
||||
user = unit.create_user(self.identity_api,
|
||||
user = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain['id'])
|
||||
user['password'] = 'simple'
|
||||
self.patch('/users/%(user_id)s' % {
|
||||
|
@ -982,19 +987,19 @@ class UserFederatedAttributesTests(test_v3.RestfulTestCase):
|
|||
'enabled': True,
|
||||
'description': uuid.uuid4().hex
|
||||
}
|
||||
self.federation_api.create_idp(idp['id'], idp)
|
||||
PROVIDERS.federation_api.create_idp(idp['id'], idp)
|
||||
# Create the mapping
|
||||
mapping = mapping_fixtures.MAPPING_EPHEMERAL_USER
|
||||
mapping['id'] = uuid.uuid4().hex
|
||||
self.federation_api.create_mapping(mapping['id'], mapping)
|
||||
PROVIDERS.federation_api.create_mapping(mapping['id'], mapping)
|
||||
# Create the protocol
|
||||
protocol = {
|
||||
'id': uuid.uuid4().hex,
|
||||
'mapping_id': mapping['id']
|
||||
}
|
||||
self.federation_api.create_protocol(idp['id'],
|
||||
protocol['id'],
|
||||
protocol)
|
||||
PROVIDERS.federation_api.create_protocol(
|
||||
idp['id'], protocol['id'], protocol
|
||||
)
|
||||
return idp, protocol
|
||||
|
||||
def _create_user_with_federated_user(self, user, fed_dict):
|
||||
|
@ -1018,7 +1023,7 @@ class UserFederatedAttributesTests(test_v3.RestfulTestCase):
|
|||
self.fed_dict['unique_id'] = "jdoe"
|
||||
# Create the domain_id, user, and federated_user relationship
|
||||
self.domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(self.domain['id'], self.domain)
|
||||
PROVIDERS.resource_api.create_domain(self.domain['id'], self.domain)
|
||||
self.fed_user = unit.new_user_ref(domain_id=self.domain['id'])
|
||||
self.fed_user = self._create_user_with_federated_user(self.fed_user,
|
||||
self.fed_dict)
|
||||
|
|
|
@ -16,6 +16,7 @@ from six.moves import http_client
|
|||
from six.moves import range
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone.credential.providers import fernet as credential_fernet
|
||||
from keystone import exception
|
||||
|
@ -26,6 +27,7 @@ from keystone.tests.unit import utils as test_utils
|
|||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class ResourceTestCase(test_v3.RestfulTestCase,
|
||||
|
@ -225,21 +227,21 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
"""Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
|
||||
# Create a 2nd set of entities in a 2nd domain
|
||||
domain2 = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain2['id'], domain2)
|
||||
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
|
||||
|
||||
project2 = unit.new_project_ref(domain_id=domain2['id'])
|
||||
self.resource_api.create_project(project2['id'], project2)
|
||||
PROVIDERS.resource_api.create_project(project2['id'], project2)
|
||||
|
||||
user2 = unit.create_user(self.identity_api,
|
||||
user2 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=domain2['id'],
|
||||
project_id=project2['id'])
|
||||
|
||||
role_member = unit.new_role_ref()
|
||||
self.role_api.create_role(role_member['id'], role_member)
|
||||
PROVIDERS.role_api.create_role(role_member['id'], role_member)
|
||||
|
||||
self.assignment_api.add_role_to_user_and_project(user2['id'],
|
||||
project2['id'],
|
||||
role_member['id'])
|
||||
PROVIDERS.assignment_api.add_role_to_user_and_project(
|
||||
user2['id'], project2['id'], role_member['id']
|
||||
)
|
||||
|
||||
# First check a user in that domain can authenticate..
|
||||
auth_data = self.build_authentication_request(
|
||||
|
@ -300,30 +302,35 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
"""
|
||||
# Create a group and a credential in the main domain
|
||||
group = unit.new_group_ref(domain_id=self.domain_id)
|
||||
group = self.identity_api.create_group(group)
|
||||
group = PROVIDERS.identity_api.create_group(group)
|
||||
|
||||
credential = unit.new_credential_ref(user_id=self.user['id'],
|
||||
project_id=self.project_id)
|
||||
self.credential_api.create_credential(credential['id'], credential)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential['id'], credential
|
||||
)
|
||||
|
||||
# Create a 2nd set of entities in a 2nd domain
|
||||
domain2 = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain2['id'], domain2)
|
||||
PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
|
||||
|
||||
project2 = unit.new_project_ref(domain_id=domain2['id'])
|
||||
project2 = self.resource_api.create_project(project2['id'], project2)
|
||||
project2 = PROVIDERS.resource_api.create_project(
|
||||
project2['id'], project2
|
||||
)
|
||||
|
||||
user2 = unit.new_user_ref(domain_id=domain2['id'],
|
||||
project_id=project2['id'])
|
||||
user2 = self.identity_api.create_user(user2)
|
||||
user2 = PROVIDERS.identity_api.create_user(user2)
|
||||
|
||||
group2 = unit.new_group_ref(domain_id=domain2['id'])
|
||||
group2 = self.identity_api.create_group(group2)
|
||||
group2 = PROVIDERS.identity_api.create_group(group2)
|
||||
|
||||
credential2 = unit.new_credential_ref(user_id=user2['id'],
|
||||
project_id=project2['id'])
|
||||
self.credential_api.create_credential(credential2['id'],
|
||||
credential2)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential2['id'], credential2
|
||||
)
|
||||
|
||||
# Now disable the new domain and delete it
|
||||
domain2['enabled'] = False
|
||||
|
@ -335,32 +342,32 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
# Check all the domain2 relevant entities are gone
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.resource_api.get_domain,
|
||||
PROVIDERS.resource_api.get_domain,
|
||||
domain2['id'])
|
||||
self.assertRaises(exception.ProjectNotFound,
|
||||
self.resource_api.get_project,
|
||||
PROVIDERS.resource_api.get_project,
|
||||
project2['id'])
|
||||
self.assertRaises(exception.GroupNotFound,
|
||||
self.identity_api.get_group,
|
||||
PROVIDERS.identity_api.get_group,
|
||||
group2['id'])
|
||||
self.assertRaises(exception.UserNotFound,
|
||||
self.identity_api.get_user,
|
||||
PROVIDERS.identity_api.get_user,
|
||||
user2['id'])
|
||||
self.assertRaises(exception.CredentialNotFound,
|
||||
self.credential_api.get_credential,
|
||||
PROVIDERS.credential_api.get_credential,
|
||||
credential2['id'])
|
||||
|
||||
# ...and that all self.domain entities are still here
|
||||
r = self.resource_api.get_domain(self.domain['id'])
|
||||
r = PROVIDERS.resource_api.get_domain(self.domain['id'])
|
||||
self.assertDictEqual(self.domain, r)
|
||||
r = self.resource_api.get_project(self.project['id'])
|
||||
r = PROVIDERS.resource_api.get_project(self.project['id'])
|
||||
self.assertDictEqual(self.project, r)
|
||||
r = self.identity_api.get_group(group['id'])
|
||||
r = PROVIDERS.identity_api.get_group(group['id'])
|
||||
self.assertDictEqual(group, r)
|
||||
r = self.identity_api.get_user(self.user['id'])
|
||||
r = PROVIDERS.identity_api.get_user(self.user['id'])
|
||||
self.user.pop('password')
|
||||
self.assertDictEqual(self.user, r)
|
||||
r = self.credential_api.get_credential(credential['id'])
|
||||
r = PROVIDERS.credential_api.get_credential(credential['id'])
|
||||
self.assertDictEqual(credential, r)
|
||||
|
||||
def test_delete_domain_deletes_is_domain_project(self):
|
||||
|
@ -404,9 +411,9 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
"""
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
|
||||
user2 = unit.create_user(self.identity_api,
|
||||
user2 = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=domain['id'])
|
||||
|
||||
# build a request body
|
||||
|
@ -439,16 +446,17 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
def test_delete_domain_hierarchy(self):
|
||||
"""Call ``DELETE /domains/{domain_id}``."""
|
||||
domain = unit.new_domain_ref()
|
||||
self.resource_api.create_domain(domain['id'], domain)
|
||||
PROVIDERS.resource_api.create_domain(domain['id'], domain)
|
||||
|
||||
root_project = unit.new_project_ref(domain_id=domain['id'])
|
||||
root_project = self.resource_api.create_project(root_project['id'],
|
||||
root_project)
|
||||
root_project = PROVIDERS.resource_api.create_project(
|
||||
root_project['id'], root_project
|
||||
)
|
||||
|
||||
leaf_project = unit.new_project_ref(
|
||||
domain_id=domain['id'],
|
||||
parent_id=root_project['id'])
|
||||
self.resource_api.create_project(leaf_project['id'], leaf_project)
|
||||
PROVIDERS.resource_api.create_project(leaf_project['id'], leaf_project)
|
||||
|
||||
# Need to disable it first.
|
||||
self.patch('/domains/%(domain_id)s' % {
|
||||
|
@ -460,15 +468,15 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
'domain_id': domain['id']})
|
||||
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.resource_api.get_domain,
|
||||
PROVIDERS.resource_api.get_domain,
|
||||
domain['id'])
|
||||
|
||||
self.assertRaises(exception.ProjectNotFound,
|
||||
self.resource_api.get_project,
|
||||
PROVIDERS.resource_api.get_project,
|
||||
root_project['id'])
|
||||
|
||||
self.assertRaises(exception.ProjectNotFound,
|
||||
self.resource_api.get_project,
|
||||
PROVIDERS.resource_api.get_project,
|
||||
leaf_project['id'])
|
||||
|
||||
def test_forbid_operations_on_federated_domain(self):
|
||||
|
@ -488,26 +496,26 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
for domain in create_domains():
|
||||
self.assertRaises(
|
||||
AssertionError, self.resource_api.create_domain,
|
||||
AssertionError, PROVIDERS.resource_api.create_domain,
|
||||
domain['id'], domain)
|
||||
self.assertRaises(
|
||||
AssertionError, self.resource_api.update_domain,
|
||||
AssertionError, PROVIDERS.resource_api.update_domain,
|
||||
domain['id'], domain)
|
||||
self.assertRaises(
|
||||
exception.DomainNotFound, self.resource_api.delete_domain,
|
||||
exception.DomainNotFound, PROVIDERS.resource_api.delete_domain,
|
||||
domain['id'])
|
||||
|
||||
# swap 'name' with 'id' and try again, expecting the request to
|
||||
# gracefully fail
|
||||
domain['id'], domain['name'] = domain['name'], domain['id']
|
||||
self.assertRaises(
|
||||
AssertionError, self.resource_api.create_domain,
|
||||
AssertionError, PROVIDERS.resource_api.create_domain,
|
||||
domain['id'], domain)
|
||||
self.assertRaises(
|
||||
AssertionError, self.resource_api.update_domain,
|
||||
AssertionError, PROVIDERS.resource_api.update_domain,
|
||||
domain['id'], domain)
|
||||
self.assertRaises(
|
||||
exception.DomainNotFound, self.resource_api.delete_domain,
|
||||
exception.DomainNotFound, PROVIDERS.resource_api.delete_domain,
|
||||
domain['id'])
|
||||
|
||||
def test_forbid_operations_on_defined_federated_domain(self):
|
||||
|
@ -521,13 +529,13 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
federated_domain_name=non_default_name)
|
||||
domain = unit.new_domain_ref(name=non_default_name)
|
||||
self.assertRaises(AssertionError,
|
||||
self.resource_api.create_domain,
|
||||
PROVIDERS.resource_api.create_domain,
|
||||
domain['id'], domain)
|
||||
self.assertRaises(exception.DomainNotFound,
|
||||
self.resource_api.delete_domain,
|
||||
PROVIDERS.resource_api.delete_domain,
|
||||
domain['id'])
|
||||
self.assertRaises(AssertionError,
|
||||
self.resource_api.update_domain,
|
||||
PROVIDERS.resource_api.update_domain,
|
||||
domain['id'], domain)
|
||||
|
||||
# Project CRUD tests
|
||||
|
@ -1053,10 +1061,10 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
# Add some more projects acting as domains
|
||||
new_is_domain_project = unit.new_project_ref(is_domain=True)
|
||||
new_is_domain_project = self.resource_api.create_project(
|
||||
new_is_domain_project = PROVIDERS.resource_api.create_project(
|
||||
new_is_domain_project['id'], new_is_domain_project)
|
||||
new_is_domain_project2 = unit.new_project_ref(is_domain=True)
|
||||
new_is_domain_project2 = self.resource_api.create_project(
|
||||
new_is_domain_project2 = PROVIDERS.resource_api.create_project(
|
||||
new_is_domain_project2['id'], new_is_domain_project2)
|
||||
number_is_domain_true = initial_number_is_domain_true + 2
|
||||
|
||||
|
@ -1070,7 +1078,7 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
# Now add a regular project
|
||||
new_regular_project = unit.new_project_ref(domain_id=self.domain_id)
|
||||
new_regular_project = self.resource_api.create_project(
|
||||
new_regular_project = PROVIDERS.resource_api.create_project(
|
||||
new_regular_project['id'], new_regular_project)
|
||||
number_is_domain_false = initial_number_is_domain_false + 1
|
||||
|
||||
|
@ -1094,7 +1102,7 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
|
||||
# Make sure we have at least one project acting as a domain
|
||||
new_is_domain_project = unit.new_project_ref(is_domain=True)
|
||||
new_is_domain_project = self.resource_api.create_project(
|
||||
new_is_domain_project = PROVIDERS.resource_api.create_project(
|
||||
new_is_domain_project['id'], new_is_domain_project)
|
||||
|
||||
r = self.get('/projects', expected_status=200)
|
||||
|
@ -1327,7 +1335,7 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
update the `domain_id` of a project fails.
|
||||
"""
|
||||
project = unit.new_project_ref(domain_id=self.domain['id'])
|
||||
project = self.resource_api.create_project(project['id'], project)
|
||||
project = PROVIDERS.resource_api.create_project(project['id'], project)
|
||||
project['domain_id'] = CONF.identity.default_domain_id
|
||||
self.patch('/projects/%(project_id)s' % {
|
||||
'project_id': project['id']},
|
||||
|
@ -1395,17 +1403,21 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
"""
|
||||
credential = unit.new_credential_ref(user_id=self.user['id'],
|
||||
project_id=self.project_id)
|
||||
self.credential_api.create_credential(credential['id'], credential)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential['id'], credential
|
||||
)
|
||||
|
||||
# First check the credential for this project is present
|
||||
r = self.credential_api.get_credential(credential['id'])
|
||||
r = PROVIDERS.credential_api.get_credential(credential['id'])
|
||||
self.assertDictEqual(credential, r)
|
||||
# Create a second credential with a different project
|
||||
project2 = unit.new_project_ref(domain_id=self.domain['id'])
|
||||
self.resource_api.create_project(project2['id'], project2)
|
||||
PROVIDERS.resource_api.create_project(project2['id'], project2)
|
||||
credential2 = unit.new_credential_ref(user_id=self.user['id'],
|
||||
project_id=project2['id'])
|
||||
self.credential_api.create_credential(credential2['id'], credential2)
|
||||
PROVIDERS.credential_api.create_credential(
|
||||
credential2['id'], credential2
|
||||
)
|
||||
|
||||
# Now delete the project
|
||||
self.delete(
|
||||
|
@ -1415,10 +1427,10 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
# Deleting the project should have deleted any credentials
|
||||
# that reference this project
|
||||
self.assertRaises(exception.CredentialNotFound,
|
||||
self.credential_api.get_credential,
|
||||
PROVIDERS.credential_api.get_credential,
|
||||
credential_id=credential['id'])
|
||||
# But the credential for project2 is unaffected
|
||||
r = self.credential_api.get_credential(credential2['id'])
|
||||
r = PROVIDERS.credential_api.get_credential(credential2['id'])
|
||||
self.assertDictEqual(credential2, r)
|
||||
|
||||
def test_delete_not_leaf_project(self):
|
||||
|
|
|
@ -37,7 +37,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
|
|||
def setUp(self):
|
||||
super(TestTrustOperations, self).setUp()
|
||||
# create a trustee to delegate stuff to
|
||||
self.trustee_user = unit.create_user(self.identity_api,
|
||||
self.trustee_user = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain_id)
|
||||
self.trustee_user_id = self.trustee_user['id']
|
||||
|
||||
|
@ -417,7 +417,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
|
|||
|
||||
# create third-party user, which will be trustee in trust created from
|
||||
# redelegated trust
|
||||
third_party_trustee = unit.create_user(self.identity_api,
|
||||
third_party_trustee = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain_id)
|
||||
third_party_trustee_id = third_party_trustee['id']
|
||||
|
||||
|
@ -461,7 +461,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
|
|||
expected_status=http_client.NOT_FOUND)
|
||||
|
||||
# create another user as the new trustee
|
||||
trustee_user = unit.create_user(self.identity_api,
|
||||
trustee_user = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domain_id)
|
||||
trustee_user_id = trustee_user['id']
|
||||
# create the trust again
|
||||
|
@ -479,7 +479,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
|
|||
# call the backend method directly to bypass authentication since the
|
||||
# user has been deleted.
|
||||
self.assertRaises(exception.TrustNotFound,
|
||||
self.trust_api.get_trust,
|
||||
PROVIDERS.trust_api.get_trust,
|
||||
trust['id'])
|
||||
|
||||
def test_trust_deleted_when_project_deleted(self):
|
||||
|
@ -506,7 +506,7 @@ class TestTrustOperations(test_v3.RestfulTestCase):
|
|||
# call the backend method directly to bypass authentication since the
|
||||
# user no longer has the assignment on the project.
|
||||
self.assertRaises(exception.TrustNotFound,
|
||||
self.trust_api.get_trust,
|
||||
PROVIDERS.trust_api.get_trust,
|
||||
trust['id'])
|
||||
|
||||
|
||||
|
|
|
@ -16,15 +16,18 @@ import uuid
|
|||
from oslo_utils import timeutils
|
||||
from six.moves import range
|
||||
|
||||
from keystone.common import provider_api
|
||||
from keystone import exception
|
||||
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class TrustTests(object):
|
||||
def create_sample_trust(self, new_id, remaining_uses=None):
|
||||
self.trustor = self.user_foo
|
||||
self.trustee = self.user_two
|
||||
expires_at = datetime.datetime.utcnow().replace(year=2032)
|
||||
trust_data = (self.trust_api.create_trust
|
||||
trust_data = (PROVIDERS.trust_api.create_trust
|
||||
(new_id,
|
||||
{'trustor_user_id': self.trustor['id'],
|
||||
'trustee_user_id': self.user_two['id'],
|
||||
|
@ -42,17 +45,17 @@ class TrustTests(object):
|
|||
trust_data = self.create_sample_trust(new_id)
|
||||
trust_id = trust_data['id']
|
||||
self.assertIsNotNone(trust_data)
|
||||
trust_data = self.trust_api.get_trust(trust_id)
|
||||
trust_data = PROVIDERS.trust_api.get_trust(trust_id)
|
||||
self.assertEqual(new_id, trust_data['id'])
|
||||
self.trust_api.delete_trust(trust_id)
|
||||
PROVIDERS.trust_api.delete_trust(trust_id)
|
||||
self.assertRaises(exception.TrustNotFound,
|
||||
self.trust_api.get_trust,
|
||||
PROVIDERS.trust_api.get_trust,
|
||||
trust_id)
|
||||
|
||||
def test_delete_trust_not_found(self):
|
||||
trust_id = uuid.uuid4().hex
|
||||
self.assertRaises(exception.TrustNotFound,
|
||||
self.trust_api.delete_trust,
|
||||
PROVIDERS.trust_api.delete_trust,
|
||||
trust_id)
|
||||
|
||||
def test_get_trust(self):
|
||||
|
@ -60,21 +63,22 @@ class TrustTests(object):
|
|||
trust_data = self.create_sample_trust(new_id)
|
||||
trust_id = trust_data['id']
|
||||
self.assertIsNotNone(trust_data)
|
||||
trust_data = self.trust_api.get_trust(trust_id)
|
||||
trust_data = PROVIDERS.trust_api.get_trust(trust_id)
|
||||
self.assertEqual(new_id, trust_data['id'])
|
||||
self.trust_api.delete_trust(trust_data['id'])
|
||||
PROVIDERS.trust_api.delete_trust(trust_data['id'])
|
||||
|
||||
def test_get_deleted_trust(self):
|
||||
new_id = uuid.uuid4().hex
|
||||
trust_data = self.create_sample_trust(new_id)
|
||||
self.assertIsNotNone(trust_data)
|
||||
self.assertIsNone(trust_data['deleted_at'])
|
||||
self.trust_api.delete_trust(new_id)
|
||||
PROVIDERS.trust_api.delete_trust(new_id)
|
||||
self.assertRaises(exception.TrustNotFound,
|
||||
self.trust_api.get_trust,
|
||||
PROVIDERS.trust_api.get_trust,
|
||||
new_id)
|
||||
deleted_trust = self.trust_api.get_trust(trust_data['id'],
|
||||
deleted=True)
|
||||
deleted_trust = PROVIDERS.trust_api.get_trust(
|
||||
trust_data['id'], deleted=True
|
||||
)
|
||||
self.assertEqual(trust_data['id'], deleted_trust['id'])
|
||||
self.assertIsNotNone(deleted_trust.get('deleted_at'))
|
||||
|
||||
|
@ -95,25 +99,33 @@ class TrustTests(object):
|
|||
def test_list_trust_by_trustee(self):
|
||||
for i in range(3):
|
||||
self.create_sample_trust(uuid.uuid4().hex)
|
||||
trusts = self.trust_api.list_trusts_for_trustee(self.trustee['id'])
|
||||
trusts = PROVIDERS.trust_api.list_trusts_for_trustee(
|
||||
self.trustee['id']
|
||||
)
|
||||
self.assertEqual(3, len(trusts))
|
||||
self.assertEqual(trusts[0]["trustee_user_id"], self.trustee['id'])
|
||||
trusts = self.trust_api.list_trusts_for_trustee(self.trustor['id'])
|
||||
trusts = PROVIDERS.trust_api.list_trusts_for_trustee(
|
||||
self.trustor['id']
|
||||
)
|
||||
self.assertEqual(0, len(trusts))
|
||||
|
||||
def test_list_trust_by_trustor(self):
|
||||
for i in range(3):
|
||||
self.create_sample_trust(uuid.uuid4().hex)
|
||||
trusts = self.trust_api.list_trusts_for_trustor(self.trustor['id'])
|
||||
trusts = PROVIDERS.trust_api.list_trusts_for_trustor(
|
||||
self.trustor['id']
|
||||
)
|
||||
self.assertEqual(3, len(trusts))
|
||||
self.assertEqual(trusts[0]["trustor_user_id"], self.trustor['id'])
|
||||
trusts = self.trust_api.list_trusts_for_trustor(self.trustee['id'])
|
||||
trusts = PROVIDERS.trust_api.list_trusts_for_trustor(
|
||||
self.trustee['id']
|
||||
)
|
||||
self.assertEqual(0, len(trusts))
|
||||
|
||||
def test_list_trusts(self):
|
||||
for i in range(3):
|
||||
self.create_sample_trust(uuid.uuid4().hex)
|
||||
trusts = self.trust_api.list_trusts()
|
||||
trusts = PROVIDERS.trust_api.list_trusts()
|
||||
self.assertEqual(3, len(trusts))
|
||||
|
||||
def test_trust_has_remaining_uses_positive(self):
|
||||
|
@ -142,13 +154,13 @@ class TrustTests(object):
|
|||
# consume a trust repeatedly until it has no uses anymore
|
||||
trust_data = self.create_sample_trust(uuid.uuid4().hex,
|
||||
remaining_uses=2)
|
||||
self.trust_api.consume_use(trust_data['id'])
|
||||
t = self.trust_api.get_trust(trust_data['id'])
|
||||
PROVIDERS.trust_api.consume_use(trust_data['id'])
|
||||
t = PROVIDERS.trust_api.get_trust(trust_data['id'])
|
||||
self.assertEqual(1, t['remaining_uses'])
|
||||
self.trust_api.consume_use(trust_data['id'])
|
||||
PROVIDERS.trust_api.consume_use(trust_data['id'])
|
||||
# This was the last use, the trust isn't available anymore
|
||||
self.assertRaises(exception.TrustNotFound,
|
||||
self.trust_api.get_trust,
|
||||
PROVIDERS.trust_api.get_trust,
|
||||
trust_data['id'])
|
||||
|
||||
def test_duplicate_trusts_not_allowed(self):
|
||||
|
@ -164,9 +176,9 @@ class TrustTests(object):
|
|||
roles = [{"id": "member"},
|
||||
{"id": "other"},
|
||||
{"id": "browser"}]
|
||||
self.trust_api.create_trust(uuid.uuid4().hex, trust_data, roles)
|
||||
PROVIDERS.trust_api.create_trust(uuid.uuid4().hex, trust_data, roles)
|
||||
self.assertRaises(exception.Conflict,
|
||||
self.trust_api.create_trust,
|
||||
PROVIDERS.trust_api.create_trust,
|
||||
uuid.uuid4().hex,
|
||||
trust_data,
|
||||
roles)
|
||||
|
|
Loading…
Reference in New Issue