openstack/keystone
Code Issues Proposed changes

Fix live ldap tests

Browse Source 
Clean up clear_live_database so that all fixture data is removed. Make sure we
use the configured trees for each ldap object in tests. Ensure all live tests
pass or are skipped where appropriate.

Fixes: bug #1154277

Change-Id: I2eb4efe78e2c9d2a18bce339765b3ab5d20ac8f5
This commit is contained in:
Allan Feid 2013-03-12 15:47:45 -04:00 committed by Adam Young
parent aa6ec45fc0
commit a066b69fbe
5 changed files with 122 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
keystone/identity/backends/ldap/core.py
View File

@ -176,7 +176,9 @@ class Identity(identity.Driver):
data = tenant.copy()
if 'id' not in data or data['id'] is None:
data['id'] = str(uuid.uuid4().hex)
return self.project.create(tenant)
if 'description' in data and data['description'] in ['', None]:
data.pop('description')
return self.project.create(data)
def update_project(self, tenant_id, tenant):
if 'name' in tenant:

93
tests/_ldap_livetest.py
View File

@ -14,6 +14,9 @@
# License for the specific language governing permissions and limitations
# under the License.
import ldap
import ldap.modlist
import nose.exc
import subprocess
from keystone import config
@ -27,44 +30,70 @@ import test_backend_ldap
CONF = config.CONF
def delete_object(name):
devnull = open('/dev/null', 'w')
dn = '%s,%s' % (name, CONF.ldap.suffix)
subprocess.call(['ldapdelete',
'-x',
'-D', CONF.ldap.user,
'-H', CONF.ldap.url,
'-w', CONF.ldap.password,
dn],
stderr=devnull)
def clear_live_database():
roles = ['keystone_admin', 'fake1', 'fake2', 'useless']
groups = ['baz', 'bar', 'tenent4add', 'fake1', 'fake2']
users = ['foo', 'two', 'fake1', 'fake2', 'no_meta']
for group in groups:
for role in roles:
delete_object('cn=%s,cn=%s,ou=Groups' % (role, group))
delete_object('cn=%s,ou=Groups' % group)
for user in users:
delete_object('cn=%s,ou=Users' % user)
for role in roles:
delete_object('cn=%s,ou=Roles' % role)
def create_object(dn, attrs):
conn = ldap.initialize(CONF.ldap.url)
conn.simple_bind_s(CONF.ldap.user, CONF.ldap.password)
ldif = ldap.modlist.addModlist(attrs)
conn.add_s(dn, ldif)
conn.unbind_s()
class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity):
def setUp(self):
super(LiveLDAPIdentity, self).setUp()
def clear_database(self):
devnull = open('/dev/null', 'w')
subprocess.call(['ldapdelete',
'-x',
'-D', CONF.ldap.user,
'-H', CONF.ldap.url,
'-w', CONF.ldap.password,
'-r', CONF.ldap.suffix],
stderr=devnull)
if CONF.ldap.suffix.startswith('ou='):
tree_dn_attrs = {'objectclass': 'organizationalUnit',
'ou': 'openstack'}
else:
tree_dn_attrs = {'objectclass': ['dcObject', 'organizationalUnit'],
'dc': 'openstack',
'ou': 'openstack'}
create_object(CONF.ldap.suffix, tree_dn_attrs)
create_object(CONF.ldap.user_tree_dn,
{'objectclass': 'organizationalUnit',
'ou': 'Users'})
create_object(CONF.ldap.role_tree_dn,
{'objectclass': 'organizationalUnit',
'ou': 'Roles'})
create_object(CONF.ldap.tenant_tree_dn,
{'objectclass': 'organizationalUnit',
'ou': 'Projects'})
# NOTE(crazed): This feature is currently being added
create_object("ou=Groups,%s" % CONF.ldap.suffix,
{'objectclass': 'organizationalUnit',
'ou': 'Groups'})
def _set_config(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_liveldap.conf')])
clear_live_database()
self.identity_api = identity_ldap.Identity()
self.load_fixtures(default_fixtures)
def test_build_tree(self):
"""Regression test for building the tree names
"""
#logic is different from the fake backend.
user_api = identity_ldap.UserApi(CONF)
self.assertTrue(user_api)
self.assertEquals(user_api.tree_dn, CONF.ldap.user_tree_dn)
def tearDown(self):
test.TestCase.tearDown(self)
def test_user_enable_attribute_mask(self):
raise nose.exc.SkipTest('Test is for Active Directory Only')
def test_configurable_allowed_project_actions(self):
raise nose.exc.SkipTest('Blocked by bug 1155234')
def test_project_crud(self):
raise nose.exc.SkipTest('Blocked by bug 1155234')

21
tests/backend_liveldap.conf
View File

@ -1,9 +1,16 @@
[ldap]
url = ldap://localhost
suffix = dc=younglogic,dc=com
user_tree_dn = ou=Users,dc=younglogic,dc=com
role_tree_dn = ou=Roles,dc=younglogic,dc=com
tenant_tree_dn = ou=Groups,dc=younglogic,dc=com
user = dc=Manager,dc=younglogic,dc=com
password = freeipa4all
backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role']
user = dc=Manager,dc=openstack,dc=org
password = test
suffix = dc=openstack,dc=org
role_tree_dn = ou=Roles,dc=openstack,dc=org
tenant_tree_dn = ou=Projects,dc=openstack,dc=org
user_tree_dn = ou=Users,dc=openstack,dc=org
tenant_enabled_emulation = True
user_enabled_emulation = True
user_mail_attribute = mail
use_dumb_member = True
[identity]
driver = keystone.identity.backends.ldap.Identity

22
tests/test_backend.py
View File

@ -117,7 +117,7 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'no_meta2',
}
self.identity_man.create_user({}, user['id'], user)
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
@ -350,8 +350,8 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'fakepass',
'tenants': ['bar']}
self.identity_man.create_user({}, 'fake1', user1)
self.identity_man.create_user({}, 'fake2', user2)
self.identity_api.create_user('fake1', user1)
self.identity_api.create_user('fake2', user2)
user2['name'] = 'fake1'
self.assertRaises(exception.Conflict,
self.identity_api.update_user,
@ -364,7 +364,7 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'fakepass',
'tenants': ['bar']}
self.identity_man.create_user({}, 'fake1', user)
self.identity_api.create_user('fake1', user)
user['id'] = 'fake2'
self.assertRaises(exception.ValidationError,
self.identity_api.update_user,
@ -458,7 +458,7 @@ class IdentityTests(object):
def test_update_project_id_does_nothing(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project({}, 'fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant['id'] = 'fake2'
self.identity_api.update_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
@ -1389,7 +1389,7 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
self.identity_man.create_user({}, user['id'], user)
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_bar['id'],
user['id'])
self.identity_api.delete_user(user['id'])
@ -1402,7 +1402,7 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID,
'password': uuid.uuid4().hex}
self.identity_man.create_user({}, user['id'], user)
self.identity_api.create_user(user['id'], user)
self.identity_api.add_role_to_user_and_project(
user['id'],
self.tenant_bar['id'],
@ -1606,7 +1606,7 @@ class IdentityTests(object):
def test_delete_project_with_role_assignments(self):
tenant = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project({}, tenant['id'], tenant)
self.identity_api.create_project(tenant['id'], tenant)
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], tenant['id'], 'member')
self.identity_api.delete_project(tenant['id'])
@ -1647,7 +1647,7 @@ class IdentityTests(object):
def test_update_user_enable(self):
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True,
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_user({}, 'fake1', user)
self.identity_api.create_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], True)
@ -1664,7 +1664,7 @@ class IdentityTests(object):
def test_update_project_enable(self):
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True,
'domain_id': DEFAULT_DOMAIN_ID}
self.identity_man.create_project({}, 'fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['enabled'], True)
@ -1914,7 +1914,7 @@ class IdentityTests(object):
def test_user_crud(self):
user = {'domain_id': uuid.uuid4().hex, 'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex, 'password': 'passw0rd'}
self.identity_man.create_user({}, user['id'], user)
self.identity_api.create_user(user['id'], user)
user_ref = self.identity_api.get_user(user['id'])
del user['password']
user_ref_dict = dict((x, user_ref[x]) for x in user_ref)

61
tests/test_backend_ldap.py
View File

@ -32,18 +32,21 @@ import test_backend
CONF = config.CONF
def clear_database():
db = fakeldap.FakeShelve().get_instance()
db.clear()
class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
def setUp(self):
super(LDAPIdentity, self).setUp()
def clear_database(self):
db = fakeldap.FakeShelve().get_instance()
db.clear()
def _set_config(self):
self.config([test.etcdir('keystone.conf.sample'),
test.testsdir('test_overrides.conf'),
test.testsdir('backend_ldap.conf')])
clear_database()
def setUp(self):
super(LDAPIdentity, self).setUp()
self._set_config()
self.clear_database()
self.identity_man = identity.Manager()
self.identity_api = self.identity_man.driver
self.load_fixtures(default_fixtures)
@ -62,7 +65,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
'name': 'fake1',
'password': 'fakepass1',
'tenants': ['bar']}
self.identity_man.create_user({}, 'fake1', user)
self.identity_api.create_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['id'], 'fake1')
@ -103,7 +106,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.identity_api = identity.backends.ldap.Identity()
tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.identity_man.create_project({}, 'fake1', tenant)
self.identity_api.create_project('fake1', tenant)
tenant_ref = self.identity_api.get_project('fake1')
self.assertEqual(tenant_ref['id'], 'fake1')
@ -208,7 +211,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
def test_dumb_member(self):
CONF.ldap.use_dumb_member = True
CONF.ldap.dumb_member = 'cn=dumb,cn=example,cn=com'
clear_database()
self.clear_database()
self.identity_api = identity.backends.ldap.Identity()
self.load_fixtures(default_fixtures)
self.assertRaises(exception.UserNotFound,
@ -217,35 +220,32 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
def test_user_attribute_mapping(self):
CONF.ldap.user_name_attribute = 'sn'
CONF.ldap.user_mail_attribute = 'email'
CONF.ldap.user_mail_attribute = 'mail'
CONF.ldap.user_enabled_attribute = 'enabled'
clear_database()
self.clear_database()
self.identity_api = identity.backends.ldap.Identity()
self.load_fixtures(default_fixtures)
user_ref = self.identity_api.get_user(self.user_two['id'])
self.assertEqual(user_ref['id'], self.user_two['id'])
self.assertEqual(user_ref['name'], self.user_two['name'])
self.assertEqual(user_ref['email'], self.user_two['email'])
self.assertEqual(user_ref['enabled'], self.user_two['enabled'])
CONF.ldap.user_name_attribute = 'email'
CONF.ldap.user_name_attribute = 'mail'
CONF.ldap.user_mail_attribute = 'sn'
self.identity_api = identity.backends.ldap.Identity()
user_ref = self.identity_api.get_user(self.user_two['id'])
self.assertEqual(user_ref['id'], self.user_two['id'])
self.assertEqual(user_ref['name'], self.user_two['email'])
self.assertEqual(user_ref['email'], self.user_two['name'])
self.assertEqual(user_ref['enabled'], self.user_two['enabled'])
def test_user_attribute_ignore(self):
CONF.ldap.user_attribute_ignore = ['name', 'email', 'password',
CONF.ldap.user_attribute_ignore = ['email', 'password',
'tenant_id', 'enabled', 'tenants']
clear_database()
self.clear_database()
self.identity_api = identity.backends.ldap.Identity()
self.load_fixtures(default_fixtures)
user_ref = self.identity_api.get_user(self.user_two['id'])
self.assertEqual(user_ref['id'], self.user_two['id'])
self.assertNotIn('name', user_ref)
self.assertNotIn('email', user_ref)
self.assertNotIn('password', user_ref)
self.assertNotIn('tenant_id', user_ref)
@ -254,9 +254,9 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
def test_project_attribute_mapping(self):
CONF.ldap.tenant_name_attribute = 'ou'
CONF.ldap.tenant_desc_attribute = 'desc'
CONF.ldap.tenant_desc_attribute = 'description'
CONF.ldap.tenant_enabled_attribute = 'enabled'
clear_database()
self.clear_database()
self.identity_api = identity.backends.ldap.Identity()
self.load_fixtures(default_fixtures)
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
@ -267,7 +267,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
self.tenant_baz['description'])
self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled'])
CONF.ldap.tenant_name_attribute = 'desc'
CONF.ldap.tenant_name_attribute = 'description'
CONF.ldap.tenant_desc_attribute = 'ou'
self.identity_api = identity.backends.ldap.Identity()
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
@ -280,7 +280,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
CONF.ldap.tenant_attribute_ignore = ['name',
'description',
'enabled']
clear_database()
self.clear_database()
self.identity_api = identity.backends.ldap.Identity()
self.load_fixtures(default_fixtures)
tenant_ref = self.identity_api.get_project(self.tenant_baz['id'])
@ -291,7 +291,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
def test_role_attribute_mapping(self):
CONF.ldap.role_name_attribute = 'ou'
clear_database()
self.clear_database()
self.identity_api = identity.backends.ldap.Identity()
self.load_fixtures(default_fixtures)
role_ref = self.identity_api.get_role(self.role_member['id'])
@ -306,7 +306,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
def test_role_attribute_ignore(self):
CONF.ldap.role_attribute_ignore = ['name']
clear_database()
self.clear_database()
self.identity_api = identity.backends.ldap.Identity()
self.load_fixtures(default_fixtures)
role_ref = self.identity_api.get_role(self.role_member['id'])
@ -317,10 +317,10 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
CONF.ldap.user_enabled_attribute = 'enabled'
CONF.ldap.user_enabled_mask = 2
CONF.ldap.user_enabled_default = 512
clear_database()
self.clear_database()
self.identity_api = identity.backends.ldap.Identity()
user = {'id': 'fake1', 'name': 'fake1', 'enabled': True}
self.identity_man.create_user({}, 'fake1', user)
self.identity_api.create_user('fake1', user)
user_ref = self.identity_api.get_user('fake1')
self.assertEqual(user_ref['enabled'], True)
@ -426,6 +426,11 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
}
self.identity_api.create_project(project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
# NOTE(crazed): If running live test with emulation, there will be
# an enabled key in the project_ref.
if self.identity_api.project.enabled_emulation:
project['enabled'] = True
self.assertDictEqual(project_ref, project)
project['description'] = uuid.uuid4().hex
@ -513,7 +518,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
test.testsdir('backend_ldap.conf')])
CONF.ldap.user_enabled_emulation = True
CONF.ldap.tenant_enabled_emulation = True
clear_database()
self.clear_database()
self.identity_man = identity.Manager()
self.identity_api = self.identity_man.driver
self.load_fixtures(default_fixtures)