diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py index f7fe1f0057..fdef15fd60 100644 --- a/keystone/auth/controllers.py +++ b/keystone/auth/controllers.py @@ -14,7 +14,7 @@ # License for the specific language governing permissions and limitations # under the License. - +from keystone import assignment from keystone.common import controller from keystone.common import dependency from keystone.common import wsgi @@ -49,10 +49,12 @@ def get_auth_method(method_name): return AUTH_METHODS[method_name] +@dependency.requires('assignment_api') class AuthInfo(object): """Encapsulation of "auth" request.""" def __init__(self, context, auth=None): + self.assignment_api = assignment.Manager() self.identity_api = identity.Manager() self.trust_api = trust.Manager() self.context = context @@ -115,10 +117,10 @@ class AuthInfo(object): raise exception.ValidationError(attribute='domain', target='project') domain_ref = self._lookup_domain(project_info['domain']) - project_ref = self.identity_api.get_project_by_name( + project_ref = self.assignment_api.get_project_by_name( project_name, domain_ref['id']) else: - project_ref = self.identity_api.get_project(project_id) + project_ref = self.assignment_api.get_project(project_id) except exception.ProjectNotFound as e: LOG.exception(e) raise exception.Unauthorized(e) diff --git a/keystone/common/controller.py b/keystone/common/controller.py index faadc09d5d..9c0f5b0c91 100644 --- a/keystone/common/controller.py +++ b/keystone/common/controller.py @@ -79,7 +79,7 @@ def _build_policy_check_credentials(self, action, context, kwargs): except AttributeError: LOG.debug(_('RBAC: Proceeding without tenant')) # NOTE(vish): this is pretty inefficient - creds['roles'] = [self.identity_api.get_role(role)['name'] + creds['roles'] = [self.assignment_api.get_role(role)['name'] for role in creds.get('roles', [])] return creds diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py index b6eb474b1e..39278dc123 100644 
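Review bot: `AuthInfo` now obtains `assignment_api` two ways in the `@@ -49,10 +49,12 @@` hunk: the class decorator `@dependency.requires('assignment_api')` and the explicit `self.assignment_api = assignment.Manager()` in `__init__`. One of the two is presumably redundant, and the explicit construction builds a manager for every auth request. I would keep one mechanism: either drop the decorator so the class matches the `identity.Manager()` / `trust.Manager()` lines next to it, or drop the assignment and rely on injection. A short comment such as `# assignment_api is injected by @dependency.requires` would record the choice. `__init__` continues past the end of the hunk.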
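Review bot: In the `@@ -115,10 +117,10 @@` hunk the handler still ends with `raise exception.Unauthorized(e)`, which hands the `ProjectNotFound` text to the 401 returned to a caller who has not authenticated yet. If that message reaches the response body (not visible from here), the reply distinguishes existing from non-existing projects; `raise exception.Unauthorized()` keeps the detail in the log only. `LOG.exception(e)` also writes a full traceback for a condition any client can trigger, so a warning-level log line may be the better fit. The `try` this handler belongs to opens above the hunk.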
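Review bot: `_build_policy_check_credentials` in keystone/common/controller.py now reads `self.assignment_api`, but nothing in that file's diff adds `'assignment_api'` to the dependency declaration of the controllers it runs on. The same holds for the `Application` hunk in keystone/common/wsgi.py and for the V2/V3 controllers in keystone/identity/controllers.py. If the base classes do not already require it (their decorators are outside the diff), role-name resolution for every policy check raises `AttributeError`. That fails closed, but it turns each protected call into a server error, so it is worth confirming that the `@dependency.requires(...)` lists on the base controllers and on `Application` include `'assignment_api'`. The function body starts above the hunk.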
--- a/keystone/common/wsgi.py +++ b/keystone/common/wsgi.py @@ -303,7 +303,7 @@ class Application(BaseApplication): raise exception.Unauthorized() # NOTE(vish): this is pretty inefficient - creds['roles'] = [self.identity_api.get_role(role)['name'] + creds['roles'] = [self.assignment_api.get_role(role)['name'] for role in creds.get('roles', [])] # Accept either is_admin or the admin role self.policy_api.enforce(creds, 'admin_required', {}) diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py index 94b7430ec9..e6f98f3564 100644 --- a/keystone/contrib/ec2/controllers.py +++ b/keystone/contrib/ec2/controllers.py @@ -45,7 +45,8 @@ from keystone import exception from keystone import token -@dependency.requires('catalog_api', 'credential_api', 'token_provider_api') +@dependency.requires('assignment_api', 'catalog_api', 'credential_api', + 'token_provider_api') class Ec2Controller(controller.V2Controller): def check_signature(self, creds_ref, credentials): signer = ec2_utils.Ec2Signer(creds_ref['secret']) @@ -99,11 +100,11 @@ class Ec2Controller(controller.V2Controller): # TODO(termie): don't create new tokens every time # TODO(termie): this is copied from TokenController.authenticate token_id = uuid.uuid4().hex - tenant_ref = self.identity_api.get_project(creds_ref['tenant_id']) + tenant_ref = self.assignment_api.get_project(creds_ref['tenant_id']) user_ref = self.identity_api.get_user(creds_ref['user_id']) metadata_ref = {} metadata_ref['roles'] = ( - self.identity_api.get_roles_for_user_and_project( + self.assignment_api.get_roles_for_user_and_project( user_ref['id'], tenant_ref['id'])) # Validate that the auth info is valid and nothing is disabled 
@@ -112,7 +113,7 @@ class Ec2Controller(controller.V2Controller): roles = metadata_ref.get('roles', []) if not roles: raise exception.Unauthorized(message='User not valid for tenant.') - roles_ref = [self.identity_api.get_role(role_id) + roles_ref = [self.assignment_api.get_role(role_id) for role_id in roles] catalog_ref = self.catalog_api.get_catalog( @@ -289,6 +290,6 @@ class Ec2Controller(controller.V2Controller): :raises exception.ProjectNotFound: on failure """ - project_ref = self.identity_api.get_project(project_id) + project_ref = self.assignment_api.get_project(project_id) if not project_ref: raise exception.ProjectNotFound(project_id=project_id) diff --git a/keystone/contrib/endpoint_filter/controllers.py b/keystone/contrib/endpoint_filter/controllers.py index 2b3ced77d6..5939215eea 100644 --- a/keystone/contrib/endpoint_filter/controllers.py +++ b/keystone/contrib/endpoint_filter/controllers.py @@ -21,7 +21,7 @@ from keystone.common import dependency from keystone.identity import controllers as identity_controllers -@dependency.requires('catalog_api', 'identity_api', 'endpoint_filter_api') +@dependency.requires('assignment_api', 'endpoint_filter_api') class EndpointFilterV3Controller(controller.V3Controller): @controller.protected() @@ -32,7 +32,7 @@ class EndpointFilterV3Controller(controller.V3Controller): # The relationship can still be establed even with a disabled project # as there are no security implications. self.catalog_api.get_endpoint(endpoint_id) - self.identity_api.get_project(project_id) + self.assignment_api.get_project(project_id) # NOTE(gyee): we may need to cleanup any existing project-endpoint # associations here if either project or endpoint is not found. self.endpoint_filter_api.add_endpoint_to_project(endpoint_id, 
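Review bot: The new decorator on `EndpointFilterV3Controller`, `@dependency.requires('assignment_api', 'endpoint_filter_api')`, drops `'catalog_api'`, yet the following hunks in keystone/contrib/endpoint_filter/controllers.py still call `self.catalog_api.get_endpoint(...)`, for example in `check_endpoint_in_project` and `list_endpoints_for_project`. Unless `controller.V3Controller` already declares `catalog_api` (not visible in this diff), those calls will raise `AttributeError`. I would keep it explicit: `@dependency.requires('assignment_api', 'catalog_api', 'endpoint_filter_api')`. Removing `'identity_api'` looks fine for the lines shown, since every remaining `identity_api` use in these hunks was moved to `assignment_api`.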
@@ -42,7 +42,7 @@ class EndpointFilterV3Controller(controller.V3Controller): def check_endpoint_in_project(self, context, project_id, endpoint_id): """Verifies endpoint is currently associated with given project.""" self.catalog_api.get_endpoint(endpoint_id) - self.identity_api.get_project(project_id) + self.assignment_api.get_project(project_id) # TODO(gyee): we may need to cleanup any existing project-endpoint # associations here if either project or endpoint is not found. self.endpoint_filter_api.check_endpoint_in_project(endpoint_id, @@ -51,7 +51,7 @@ class EndpointFilterV3Controller(controller.V3Controller): @controller.protected() def list_endpoints_for_project(self, context, project_id): """Lists all endpoints currently associated with a given project.""" - self.identity_api.get_project(project_id) + self.assignment_api.get_project(project_id) refs = self.endpoint_filter_api.list_endpoints_for_project(project_id) endpoints = [self.catalog_api.get_endpoint( @@ -70,7 +70,7 @@ class EndpointFilterV3Controller(controller.V3Controller): """Return a list of projects associated with the endpoint.""" refs = self.endpoint_filter_api.list_project_endpoints(endpoint_id) - projects = [self.identity_api.get_project( + projects = [self.assignment_api.get_project( ref.project_id) for ref in refs] return identity_controllers.ProjectV3.wrap_collection(context, projects) diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py index 58a11fd087..394cc1b592 100644 --- a/keystone/identity/controllers.py +++ b/keystone/identity/controllers.py @@ -39,7 +39,7 @@ class Tenant(controller.V2Controller): context, context['query_string'].get('name')) self.assert_admin(context) - tenant_refs = self.identity_api.list_projects() + tenant_refs = self.assignment_api.list_projects() for tenant_ref in tenant_refs: tenant_ref = self.filter_domain_id(tenant_ref) params = { 
@@ -77,12 +77,12 @@ class Tenant(controller.V2Controller): def get_project(self, context, tenant_id): # TODO(termie): this stuff should probably be moved to middleware self.assert_admin(context) - ref = self.identity_api.get_project(tenant_id) + ref = self.assignment_api.get_project(tenant_id) return {'tenant': self.filter_domain_id(ref)} def get_project_by_name(self, context, tenant_name): self.assert_admin(context) - ref = self.identity_api.get_project_by_name( + ref = self.assignment_api.get_project_by_name( tenant_name, DEFAULT_DOMAIN_ID) return {'tenant': self.filter_domain_id(ref)} @@ -214,7 +214,8 @@ class User(controller.V2Controller): self.identity_api.create_user(user_id, user_ref)) if default_project_id is not None: - self.identity_api.add_user_to_project(default_project_id, user_id) + self.assignment_api.add_user_to_project(default_project_id, + user_id) return {'user': new_user_ref} def update_user(self, context, user_id, user): @@ -312,15 +313,15 @@ class Role(controller.V2Controller): raise exception.NotImplemented(message='User roles not supported: ' 'tenant ID required') - roles = self.identity_api.get_roles_for_user_and_project( + roles = self.assignment_api.get_roles_for_user_and_project( user_id, tenant_id) - return {'roles': [self.identity_api.get_role(x) + return {'roles': [self.assignment_api.get_role(x) for x in roles]} # CRUD extension def get_role(self, context, role_id): self.assert_admin(context) - return {'role': self.identity_api.get_role(role_id)} + return {'role': self.assignment_api.get_role(role_id)} def create_role(self, context, role): role = self._normalize_dict(role) @@ -332,7 +333,7 @@ class Role(controller.V2Controller): role_id = uuid.uuid4().hex role['id'] = role_id - role_ref = self.identity_api.create_role(role_id, role) + role_ref = self.assignment_api.create_role(role_id, role) return {'role': role_ref} def delete_role(self, context, role_id): 
@@ -341,11 +342,11 @@ class Role(controller.V2Controller): # We must first, however, revoke any tokens for users that have an # assignment with this role. self._delete_tokens_for_role(role_id) - self.identity_api.delete_role(role_id) + self.assignment_api.delete_role(role_id) def get_roles(self, context): self.assert_admin(context) - return {'roles': self.identity_api.list_roles()} + return {'roles': self.assignment_api.list_roles()} def add_role_to_user(self, context, user_id, role_id, tenant_id=None): """Add a role to a user and tenant pair. @@ -359,10 +360,10 @@ class Role(controller.V2Controller): raise exception.NotImplemented(message='User roles not supported: ' 'tenant_id required') - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( user_id, tenant_id, role_id) - role_ref = self.identity_api.get_role(role_id) + role_ref = self.assignment_api.get_role(role_id) return {'role': role_ref} def remove_role_from_user(self, context, user_id, role_id, tenant_id=None): @@ -379,7 +380,7 @@ class Role(controller.V2Controller): # This still has the weird legacy semantics that adding a role to # a user also adds them to a tenant, so we must follow up on that - self.identity_api.remove_role_from_user_and_project( + self.assignment_api.remove_role_from_user_and_project( user_id, tenant_id, role_id) self._delete_tokens_for_user(user_id) @@ -403,7 +404,7 @@ class Role(controller.V2Controller): # the default domain. if tenant['domain_id'] != DEFAULT_DOMAIN_ID: continue - role_ids = self.identity_api.get_roles_for_user_and_project( + role_ids = self.assignment_api.get_roles_for_user_and_project( user_id, tenant['id']) for role_id in role_ids: ref = {'roleId': role_id, 
@@ -425,11 +426,11 @@ class Role(controller.V2Controller): # TODO(termie): for now we're ignoring the actual role tenant_id = role.get('tenantId') role_id = role.get('roleId') - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( user_id, tenant_id, role_id) self._delete_tokens_for_user(user_id) - role_ref = self.identity_api.get_role(role_id) + role_ref = self.assignment_api.get_role(role_id) return {'role': role_ref} # COMPAT(diablo): CRUD extension @@ -449,7 +450,7 @@ class Role(controller.V2Controller): role_ref_ref = urlparse.parse_qs(role_ref_id) tenant_id = role_ref_ref.get('tenantId')[0] role_id = role_ref_ref.get('roleId')[0] - self.identity_api.remove_role_from_user_and_project( + self.assignment_api.remove_role_from_user_and_project( user_id, tenant_id, role_id) self._delete_tokens_for_user(user_id) 
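Review bot: In the `@@ -449,7 +450,7 @@` hunk, `role_ref_ref.get('tenantId')[0]` and `role_ref_ref.get('roleId')[0]` raise `TypeError` when the parsed query string lacks the key, so a malformed `role_ref_id` becomes a server error instead of a validation failure. The `@@ -425,11 +426,11 @@` hunk has the same gap: `role.get('tenantId')` and `role.get('roleId')` go to `add_role_to_user_and_project` unchecked and may be `None`. This predates the commit, but the lines it touches are the ones that consume these values. Rejecting a missing value first would close the gap, e.g. `if not tenant_id or not role_id: raise exception.ValidationError(attribute='tenantId', target='role')`. Both method bodies start above their hunks.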
@@ -467,31 +468,31 @@ class DomainV3(controller.V3Controller): self._require_attribute(domain, 'name') ref = self._assign_unique_id(self._normalize_dict(domain)) - ref = self.identity_api.create_domain(ref['id'], ref) + ref = self.assignment_api.create_domain(ref['id'], ref) return DomainV3.wrap_member(context, ref) @controller.filterprotected('enabled', 'name') def list_domains(self, context, filters): - refs = self.identity_api.list_domains() + refs = self.assignment_api.list_domains() return DomainV3.wrap_collection(context, refs, filters) @controller.protected() def get_domain(self, context, domain_id): - ref = self.identity_api.get_domain(domain_id) + ref = self.assignment_api.get_domain(domain_id) return DomainV3.wrap_member(context, ref) @controller.protected() def update_domain(self, context, domain_id, domain): self._require_matching_id(domain_id, domain) - ref = self.identity_api.update_domain(domain_id, domain) + ref = self.assignment_api.update_domain(domain_id, domain) # disable owned users & projects when the API user specifically set # enabled=False # FIXME(dolph): need a driver call to directly revoke all tokens by # project or domain, regardless of user if not domain.get('enabled', True): - projects = [x for x in self.identity_api.list_projects() + projects = [x for x in self.assignment_api.list_projects() if x.get('domain_id') == domain_id] for user in self.identity_api.list_users(): # TODO(dolph): disable domain-scoped tokens @@ -548,7 +549,7 @@ class DomainV3(controller.V3Controller): user_refs = self.identity_api.list_users() user_ids = [r['id'] for r in user_refs if r['domain_id'] == domain_id] - proj_refs = self.identity_api.list_projects() + proj_refs = self.assignment_api.list_projects() proj_ids = [r['id'] for r in proj_refs if r['domain_id'] == domain_id] # First delete the projects themselves 
@@ -581,14 +582,14 @@ class DomainV3(controller.V3Controller): # has been previously disabled. This also prevents a user deleting # their own domain since, once it is disabled, they won't be able # to get a valid token to issue this delete. - ref = self.identity_api.get_domain(domain_id) + ref = self.assignment_api.get_domain(domain_id) if ref['enabled']: raise exception.ForbiddenAction( action='delete a domain that is not disabled') # OK, we are go for delete! self._delete_domain_contents(context, domain_id) - return self.identity_api.delete_domain(domain_id) + return self.assignment_api.delete_domain(domain_id) def _get_domain_by_name(self, context, domain_name): """Get the domain via its unique name. @@ -597,7 +598,7 @@ class DomainV3(controller.V3Controller): router as a public api. """ - ref = self.identity_api.get_domain_by_name(domain_name) + ref = self.assignment_api.get_domain_by_name(domain_name) return {'domain': ref} @@ -620,17 +621,17 @@ class ProjectV3(controller.V3Controller): @controller.filterprotected('domain_id', 'enabled', 'name') def list_projects(self, context, filters): - refs = self.identity_api.list_projects() + refs = self.assignment_api.list_projects() return ProjectV3.wrap_collection(context, refs, filters) @controller.filterprotected('enabled', 'name') def list_user_projects(self, context, filters, user_id): - refs = self.identity_api.list_projects_for_user(user_id) + refs = self.assignment_api.list_projects_for_user(user_id) return ProjectV3.wrap_collection(context, refs, filters) @controller.protected() def get_project(self, context, project_id): - ref = self.identity_api.get_project(project_id) + ref = self.assignment_api.get_project(project_id) return ProjectV3.wrap_member(context, ref) @controller.protected() 
@@ -840,24 +841,24 @@ class RoleV3(controller.V3Controller): self._require_attribute(role, 'name') ref = self._assign_unique_id(self._normalize_dict(role)) - ref = self.identity_api.create_role(ref['id'], ref) + ref = self.assignment_api.create_role(ref['id'], ref) return RoleV3.wrap_member(context, ref) @controller.filterprotected('name') def list_roles(self, context, filters): - refs = self.identity_api.list_roles() + refs = self.assignment_api.list_roles() return RoleV3.wrap_collection(context, refs, filters) @controller.protected() def get_role(self, context, role_id): - ref = self.identity_api.get_role(role_id) + ref = self.assignment_api.get_role(role_id) return RoleV3.wrap_member(context, ref) @controller.protected() def update_role(self, context, role_id, role): self._require_matching_id(role_id, role) - ref = self.identity_api.update_role(role_id, role) + ref = self.assignment_api.update_role(role_id, role) return RoleV3.wrap_member(context, ref) @controller.protected() @@ -866,7 +867,7 @@ class RoleV3(controller.V3Controller): # We must first, however, revoke any tokens for users that have an # assignment with this role. self._delete_tokens_for_role(role_id) - self.identity_api.delete_role(role_id) + self.assignment_api.delete_role(role_id) def _require_domain_xor_project(self, domain_id, project_id): if (domain_id and project_id) or (not domain_id and not project_id): @@ -895,7 +896,7 @@ class RoleV3(controller.V3Controller): """ ref = {} if role_id: - ref['role'] = self.identity_api.get_role(role_id) + ref['role'] = self.assignment_api.get_role(role_id) if user_id: ref['user'] = self.identity_api.get_user(user_id) else: @@ -920,7 +921,7 @@ class RoleV3(controller.V3Controller): if group_id: self.identity_api.get_group(group_id) - self.identity_api.create_grant( + self.assignment_api.create_grant( role_id, user_id, group_id, domain_id, project_id, self._check_if_inherited(context)) 
@@ -931,7 +932,7 @@ class RoleV3(controller.V3Controller): self._require_domain_xor_project(domain_id, project_id) self._require_user_xor_group(user_id, group_id) - refs = self.identity_api.list_grants( + refs = self.assignment_api.list_grants( user_id, group_id, domain_id, project_id, self._check_if_inherited(context)) return RoleV3.wrap_collection(context, refs) @@ -948,7 +949,7 @@ class RoleV3(controller.V3Controller): if group_id: self.identity_api.get_group(group_id) - self.identity_api.get_grant( + self.assignment_api.get_grant( role_id, user_id, group_id, domain_id, project_id, self._check_if_inherited(context)) @@ -959,7 +960,7 @@ class RoleV3(controller.V3Controller): self._require_domain_xor_project(domain_id, project_id) self._require_user_xor_group(user_id, group_id) - self.identity_api.delete_grant( + self.assignment_api.delete_grant( role_id, user_id, group_id, domain_id, project_id, self._check_if_inherited(context)) diff --git a/keystone/identity/core.py b/keystone/identity/core.py index 6bec50ead4..0d64ece42d 100644 --- a/keystone/identity/core.py +++ b/keystone/identity/core.py 
@@ -457,85 +457,9 @@ class Manager(manager.Manager): # API should be removed, with the controller and tests making the correct # calls direct to assignment. - def get_project_by_name(self, tenant_name, domain_id): - return self.assignment_api.get_project_by_name(tenant_name, domain_id) - - def get_project(self, tenant_id): - return self.assignment_api.get_project(tenant_id) - - def list_projects(self, domain_id=None): - return self.assignment_api.list_projects(domain_id) - - def get_role(self, role_id): - return self.assignment_api.get_role(role_id) - - def list_roles(self): - return self.assignment_api.list_roles() - - def get_project_users(self, tenant_id): - return self.assignment_api.get_project_users(tenant_id) - - def get_roles_for_user_and_project(self, user_id, tenant_id): - return self.assignment_api.get_roles_for_user_and_project( - user_id, tenant_id) - - def get_roles_for_user_and_domain(self, user_id, domain_id): - return (self.assignment_api.get_roles_for_user_and_domain - (user_id, domain_id)) - - def _subrole_id_to_dn(self, role_id, tenant_id): - return self.assignment_api._subrole_id_to_dn(role_id, tenant_id) - - def add_role_to_user_and_project(self, user_id, - tenant_id, role_id): - return (self.assignment_api.add_role_to_user_and_project - (user_id, tenant_id, role_id)) - - def create_role(self, role_id, role): - return self.assignment_api.create_role(role_id, role) - - def delete_role(self, role_id): - return self.assignment_api.delete_role(role_id) - - def remove_role_from_user_and_project(self, user_id, - tenant_id, role_id): - return (self.assignment_api.remove_role_from_user_and_project - (user_id, tenant_id, role_id)) - - def update_role(self, role_id, role): - return self.assignment_api.update_role(role_id, role) - - def create_grant(self, role_id, user_id=None, group_id=None, - domain_id=None, project_id=None, - inherited_to_projects=False): - return (self.assignment_api.create_grant - (role_id, user_id, group_id, domain_id, project_id, 
- inherited_to_projects)) - - def list_grants(self, user_id=None, group_id=None, - domain_id=None, project_id=None, - inherited_to_projects=False): - return (self.assignment_api.list_grants - (user_id, group_id, domain_id, project_id, - inherited_to_projects)) - - def get_grant(self, role_id, user_id=None, group_id=None, - domain_id=None, project_id=None, - inherited_to_projects=False): - return (self.assignment_api.get_grant - (role_id, user_id, group_id, domain_id, project_id, - inherited_to_projects)) - - def delete_grant(self, role_id, user_id=None, group_id=None, - domain_id=None, project_id=None, - inherited_to_projects=False): - return (self.assignment_api.delete_grant - (role_id, user_id, group_id, domain_id, project_id, - inherited_to_projects)) - - def create_domain(self, domain_id, domain): - return self.assignment_api.create_domain(domain_id, domain) - + # NOTE(tellesmvn):The following 4 methods where not removed since ayoung + # told me not to because someone else is working on a new feature involving + # these methods where the idea is to identify in which domain the user is def get_domain_by_name(self, domain_name): return self.assignment_api.get_domain_by_name(domain_name) @@ -545,21 +469,9 @@ class Manager(manager.Manager): def update_domain(self, domain_id, domain): return self.assignment_api.update_domain(domain_id, domain) - def delete_domain(self, domain_id): - return self.assignment_api.delete_domain(domain_id) - def list_domains(self): return self.assignment_api.list_domains() - def list_projects_for_user(self, user_id): - return self.assignment_api.list_projects_for_user(user_id) - - def add_user_to_project(self, tenant_id, user_id): - return self.assignment_api.add_user_to_project(tenant_id, user_id) - - def remove_user_from_project(self, tenant_id, user_id): - return self.assignment_api.remove_user_from_project(tenant_id, user_id) - @six.add_metaclass(abc.ABCMeta) class Driver(object): 
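Review bot: The added `NOTE(tellesmvn)` comment in keystone/identity/core.py records who asked for the methods to stay rather than why, and has wording slips ("where not removed", no space after the colon). A clearer version would be `# NOTE(tellesmvn): The following 4 methods were kept on purpose: pending work that identifies which domain a user is in depends on them.` It is also worth checking the count against the pass-throughs that remain between this hunk and the next one. Separately, dropping the other pass-throughs means any caller outside this diff that still uses, say, `identity_api.get_project` will now fail with `AttributeError`. A search for remaining `identity_api.` uses of the removed names would confirm nothing was missed.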
diff --git a/keystone/tests/core.py b/keystone/tests/core.py index f5ff65fc52..53a970ca09 100644 --- a/keystone/tests/core.py +++ b/keystone/tests/core.py @@ -333,12 +333,13 @@ class TestCase(NoModule, testtools.TestCase): """ # TODO(termie): doing something from json, probably based on Django's # loaddata will be much preferred. - if hasattr(self, 'identity_api'): + if hasattr(self, 'identity_api') and hasattr(self, 'assignment_api'): for domain in fixtures.DOMAINS: try: - rv = self.identity_api.create_domain(domain['id'], domain) + rv = self.assignment_api.create_domain(domain['id'], + domain) except exception.Conflict: - rv = self.identity_api.get_domain(domain['id']) + rv = self.assignment_api.get_domain(domain['id']) except exception.NotImplemented: rv = domain setattr(self, 'domain_%s' % domain['id'], rv) @@ -348,15 +349,15 @@ class TestCase(NoModule, testtools.TestCase): rv = self.assignment_api.create_project( tenant['id'], tenant) except exception.Conflict: - rv = self.identity_api.get_project(tenant['id']) + rv = self.assignment_api.get_project(tenant['id']) pass setattr(self, 'tenant_%s' % tenant['id'], rv) for role in fixtures.ROLES: try: - rv = self.identity_api.create_role(role['id'], role) + rv = self.assignment_api.create_role(role['id'], role) except exception.Conflict: - rv = self.identity_api.get_role(role['id']) + rv = self.assignment_api.get_role(role['id']) pass setattr(self, 'role_%s' % role['id'], rv) @@ -370,8 +371,8 @@ class TestCase(NoModule, testtools.TestCase): pass for tenant_id in tenants: try: - self.identity_api.add_user_to_project(tenant_id, - user['id']) + self.assignment_api.add_user_to_project(tenant_id, + user['id']) except exception.Conflict: pass setattr(self, 'user_%s' % user['id'], user_copy) diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py index 58791a216d..353f14ed88 100644 --- a/keystone/tests/test_auth.py +++ b/keystone/tests/test_auth.py 
@@ -230,7 +230,7 @@ class AuthWithToken(AuthTest): def test_auth_unscoped_token_project(self): """Verify getting a token in a tenant with an unscoped token.""" # Add a role in so we can check we get this back - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], self.role_member['id']) @@ -253,19 +253,19 @@ class AuthWithToken(AuthTest): def test_auth_token_project_group_role(self): """Verify getting a token in a tenant with group roles.""" # Add a v2 style role in so we can check we get this back - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], self.role_member['id']) # Now create a group role for this user as well domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'], 'name': uuid.uuid4().hex} self.identity_api.create_group(new_group['id'], new_group) self.identity_api.add_user_to_group(self.user_foo['id'], new_group['id']) - self.identity_api.create_grant( + self.assignment_api.create_grant( group_id=new_group['id'], project_id=self.tenant_bar['id'], role_id=self.role_admin['id']) 
@@ -288,38 +288,38 @@ class AuthWithToken(AuthTest): """Verify getting a token in cross domain group/project roles.""" # create domain, project and group and grant roles to user domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id']} self.assignment_api.create_project(project1['id'], project1) role_foo_domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role_foo_domain1['id'], - role_foo_domain1) + self.assignment_api.create_role(role_foo_domain1['id'], + role_foo_domain1) role_group_domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role_group_domain1['id'], - role_group_domain1) - self.identity_api.add_user_to_project(project1['id'], - self.user_foo['id']) + self.assignment_api.create_role(role_group_domain1['id'], + role_group_domain1) + self.assignment_api.add_user_to_project(project1['id'], + self.user_foo['id']) new_group = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'], 'name': uuid.uuid4().hex} self.identity_api.create_group(new_group['id'], new_group) self.identity_api.add_user_to_group(self.user_foo['id'], new_group['id']) - self.identity_api.create_grant( + self.assignment_api.create_grant( user_id=self.user_foo['id'], project_id=project1['id'], role_id=self.role_member['id']) - self.identity_api.create_grant( + self.assignment_api.create_grant( group_id=new_group['id'], project_id=project1['id'], role_id=self.role_admin['id']) - self.identity_api.create_grant( + self.assignment_api.create_grant( user_id=self.user_foo['id'], domain_id=domain1['id'], role_id=role_foo_domain1['id']) - self.identity_api.create_grant( + self.assignment_api.create_grant( group_id=new_group['id'], domain_id=domain1['id'], role_id=role_group_domain1['id']) 
@@ -410,7 +410,7 @@ class AuthWithToken(AuthTest): self.assignment_api.create_project(project1['id'], project1) role_one = {'id': 'role_one', 'name': uuid.uuid4().hex} self.assignment_api.create_role(role_one['id'], role_one) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], project1['id'], role_one['id']) no_context = {} @@ -597,7 +597,7 @@ class AuthWithTrust(AuthTest): self.assigned_roles = [self.role_member['id'], self.role_browser['id']] for assigned_role in self.assigned_roles: - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.trustor['id'], self.tenant_bar['id'], assigned_role) self.sample_data = {'trustor_user_id': self.trustor['id'], @@ -801,7 +801,7 @@ class AuthWithTrust(AuthTest): def test_token_from_trust_with_no_role_fails(self): for assigned_role in self.assigned_roles: - self.identity_api.remove_role_from_user_and_project( + self.assignment_api.remove_role_from_user_and_project( self.trustor['id'], self.tenant_bar['id'], assigned_role) request_body = self.build_v2_token_request('TWO', 'two2') self.assertRaises( @@ -817,12 +817,12 @@ class AuthWithTrust(AuthTest): self.controller.authenticate, {}, request_body) def test_token_from_trust_with_wrong_role_fails(self): - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.trustor['id'], self.tenant_bar['id'], self.role_other['id']) for assigned_role in self.assigned_roles: - self.identity_api.remove_role_from_user_and_project( + self.assignment_api.remove_role_from_user_and_project( self.trustor['id'], self.tenant_bar['id'], assigned_role) request_body = self.build_v2_token_request('TWO', 'two2') diff --git a/keystone/tests/test_backend.py b/keystone/tests/test_backend.py index caf33a6324..bd7dcd1ab6 100644 --- a/keystone/tests/test_backend.py +++ b/keystone/tests/test_backend.py 
@@ -36,7 +36,7 @@ NULL_OBJECT = object() class IdentityTests(object): def _get_domain_fixture(self): domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) return domain def test_project_add_and_remove_user_role(self): @@ -44,7 +44,7 @@ class IdentityTests(object): self.tenant_bar['id']) self.assertNotIn(self.user_two['id'], user_ids) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( tenant_id=self.tenant_bar['id'], user_id=self.user_two['id'], role_id=self.role_other['id']) @@ -52,7 +52,7 @@ class IdentityTests(object): self.tenant_bar['id']) self.assertIn(self.user_two['id'], user_ids) - self.identity_api.remove_role_from_user_and_project( + self.assignment_api.remove_role_from_user_and_project( tenant_id=self.tenant_bar['id'], user_id=self.user_two['id'], role_id=self.role_other['id']) @@ -65,7 +65,8 @@ class IdentityTests(object): # Expect failure if attempt to remove a role that was never assigned to # the user. self.assertRaises(exception.RoleNotFound, - self.identity_api.remove_role_from_user_and_project, + self.assignment_api. + remove_role_from_user_and_project, tenant_id=self.tenant_bar['id'], user_id=self.user_two['id'], role_id=self.role_other['id']) @@ -101,8 +102,8 @@ class IdentityTests(object): 'password': 'no_meta2', } self.identity_api.create_user(user['id'], user) - self.identity_api.add_user_to_project(self.tenant_baz['id'], - user['id']) + self.assignment_api.add_user_to_project(self.tenant_baz['id'], + user['id']) user_ref = self.identity_api.authenticate( user_id=user['id'], password=user['password']) 
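Review bot: In the `@@ -65,7 +65,8 @@` hunk of keystone/tests/test_backend.py the callable passed to `assertRaises` is broken after the dot (`self.assignment_api.` on one line, `remove_role_from_user_and_project,` on the next) to fit the line length, which reads like two separate arguments. Binding it first is easier to scan: `remove_role = self.assignment_api.remove_role_from_user_and_project`, then `self.assertRaises(exception.RoleNotFound, remove_role, ...)`. The test method starts above the hunk.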
@@ -112,7 +113,7 @@ class IdentityTests(object): # not be returned by the api user.pop('password') self.assertDictContainsSubset(user, user_ref) - role_list = self.identity_api.get_roles_for_user_and_project( + role_list = self.assignment_api.get_roles_for_user_and_project( user['id'], self.tenant_baz['id']) self.assertEqual(len(role_list), 1) self.assertIn(CONF.member_role_id, role_list) @@ -147,23 +148,23 @@ class IdentityTests(object): self.assertEqual(unicode_name, ref['name']) def test_get_project(self): - tenant_ref = self.identity_api.get_project(self.tenant_bar['id']) + tenant_ref = self.assignment_api.get_project(self.tenant_bar['id']) self.assertDictEqual(tenant_ref, self.tenant_bar) def test_get_project_404(self): self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, uuid.uuid4().hex) def test_get_project_by_name(self): - tenant_ref = self.identity_api.get_project_by_name( + tenant_ref = self.assignment_api.get_project_by_name( self.tenant_bar['name'], DEFAULT_DOMAIN_ID) self.assertDictEqual(tenant_ref, self.tenant_bar) def test_get_project_by_name_404(self): self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project_by_name, + self.assignment_api.get_project_by_name, uuid.uuid4().hex, DEFAULT_DOMAIN_ID) 
@@ -208,22 +209,22 @@ class IdentityTests(object): DEFAULT_DOMAIN_ID) def test_get_role(self): - role_ref = self.identity_api.get_role(self.role_admin['id']) + role_ref = self.assignment_api.get_role(self.role_admin['id']) role_ref_dict = dict((x, role_ref[x]) for x in role_ref) self.assertDictEqual(role_ref_dict, self.role_admin) def test_get_role_404(self): self.assertRaises(exception.RoleNotFound, - self.identity_api.get_role, + self.assignment_api.get_role, uuid.uuid4().hex) def test_create_duplicate_role_name_fails(self): role = {'id': 'fake1', 'name': 'fake1name'} - self.identity_api.create_role('fake1', role) + self.assignment_api.create_role('fake1', role) role['id'] = 'fake2' self.assertRaises(exception.Conflict, - self.identity_api.create_role, + self.assignment_api.create_role, 'fake2', role) @@ -236,11 +237,11 @@ class IdentityTests(object): 'id': 'fake2', 'name': 'fake2name' } - self.identity_api.create_role('fake1', role1) - self.identity_api.create_role('fake2', role2) + self.assignment_api.create_role('fake1', role1) + self.assignment_api.create_role('fake2', role2) role1['name'] = 'fake2name' self.assertRaises(exception.Conflict, - self.identity_api.update_role, + self.assignment_api.update_role, 'fake1', role1) @@ -272,7 +273,7 @@ class IdentityTests(object): def test_create_duplicate_user_name_in_different_domains(self): new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID, 
@@ -286,9 +287,9 @@ class IdentityTests(object): def test_move_user_between_domains(self): domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) user = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], @@ -299,9 +300,9 @@ class IdentityTests(object): def test_move_user_between_domains_with_clashing_names_fails(self): domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) # First, create a user in domain1 user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, @@ -382,7 +383,7 @@ class IdentityTests(object): def test_create_duplicate_project_name_in_different_domains(self): new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) tenant1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID} tenant2 = {'id': uuid.uuid4().hex, 'name': tenant1['name'], 
@@ -392,9 +393,9 @@ class IdentityTests(object): def test_move_project_between_domains(self): domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id']} @@ -404,9 +405,9 @@ class IdentityTests(object): def test_move_project_between_domains_with_clashing_names_fails(self): domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) # First, create a project in domain1 project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, @@ -445,10 +446,10 @@ class IdentityTests(object): self.assignment_api.create_project('fake1', tenant) tenant['id'] = 'fake2' self.assignment_api.update_project('fake1', tenant) - tenant_ref = self.identity_api.get_project('fake1') + tenant_ref = self.assignment_api.get_project('fake1') self.assertEqual(tenant_ref['id'], 'fake1') self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, 'fake2') def test_list_role_assignments_unfiltered(self): 
@@ -466,7 +467,7 @@ class IdentityTests(object): """ new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) new_user = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'password': uuid.uuid4().hex, 'enabled': True, 'domain_id': new_domain['id']} @@ -487,18 +488,18 @@ class IdentityTests(object): role_id='admin')) # Now create the grants (roles are defined in default_fixtures) - self.identity_api.create_grant(user_id=new_user['id'], - domain_id=new_domain['id'], - role_id='member') - self.identity_api.create_grant(user_id=new_user['id'], - project_id=new_project['id'], - role_id='other') - self.identity_api.create_grant(group_id=new_group['id'], - domain_id=new_domain['id'], - role_id='admin') - self.identity_api.create_grant(group_id=new_group['id'], - project_id=new_project['id'], - role_id='admin') + self.assignment_api.create_grant(user_id=new_user['id'], + domain_id=new_domain['id'], + role_id='member') + self.assignment_api.create_grant(user_id=new_user['id'], + project_id=new_project['id'], + role_id='other') + self.assignment_api.create_grant(group_id=new_group['id'], + domain_id=new_domain['id'], + role_id='admin') + self.assignment_api.create_grant(group_id=new_group['id'], + project_id=new_project['id'], + role_id='admin') # Read back the full list of assignments - check it is gone up by 4 assignment_list = self.assignment_api.list_role_assignments() 
@@ -545,13 +546,13 @@ class IdentityTests(object): self.assertEqual(assignment_list, []) def test_add_duplicate_role_grant(self): - roles_ref = self.identity_api.get_roles_for_user_and_project( + roles_ref = self.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertNotIn(self.role_admin['id'], roles_ref) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id']) self.assertRaises(exception.Conflict, - self.identity_api.add_role_to_user_and_project, + self.assignment_api.add_role_to_user_and_project, self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id']) @@ -586,15 +587,15 @@ class IdentityTests(object): role_ref_list = [] for i in range(2): role_ref = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role_ref['id'], role_ref) + self.assignment_api.create_role(role_ref['id'], role_ref) role_ref_list.append(role_ref) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( user_id=user_ref['id'], tenant_id=project_ref['id'], role_id=role_ref['id']) - role_list = self.identity_api.get_roles_for_user_and_project( + role_list = self.assignment_api.get_roles_for_user_and_project( user_id=user_ref['id'], tenant_id=project_ref['id']) 
@@ -602,19 +603,19 @@ class IdentityTests(object): set([role_ref['id'] for role_ref in role_ref_list])) def test_get_role_by_user_and_project(self): - roles_ref = self.identity_api.get_roles_for_user_and_project( + roles_ref = self.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertNotIn(self.role_admin['id'], roles_ref) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id']) - roles_ref = self.identity_api.get_roles_for_user_and_project( + roles_ref = self.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertIn(self.role_admin['id'], roles_ref) self.assertNotIn('member', roles_ref) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], 'member') - roles_ref = self.identity_api.get_roles_for_user_and_project( + roles_ref = self.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertIn(self.role_admin['id'], roles_ref) self.assertIn('member', roles_ref) @@ -633,7 +634,7 @@ class IdentityTests(object): """ new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) new_user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'password': uuid.uuid4().hex, 'enabled': True, 'domain_id': new_domain['id']} 
@@ -642,35 +643,35 @@ class IdentityTests(object): 'password': uuid.uuid4().hex, 'enabled': True, 'domain_id': new_domain['id']} self.identity_api.create_user(new_user2['id'], new_user2) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=new_user1['id'], domain_id=new_domain['id']) self.assertEqual(len(roles_ref), 0) # Now create the grants (roles are defined in default_fixtures) - self.identity_api.create_grant(user_id=new_user1['id'], - domain_id=new_domain['id'], - role_id='member') - self.identity_api.create_grant(user_id=new_user1['id'], - domain_id=new_domain['id'], - role_id='other') - self.identity_api.create_grant(user_id=new_user2['id'], - domain_id=new_domain['id'], - role_id='admin') + self.assignment_api.create_grant(user_id=new_user1['id'], + domain_id=new_domain['id'], + role_id='member') + self.assignment_api.create_grant(user_id=new_user1['id'], + domain_id=new_domain['id'], + role_id='other') + self.assignment_api.create_grant(user_id=new_user2['id'], + domain_id=new_domain['id'], + role_id='admin') # Read back the roles for user1 on domain - roles_ids = self.identity_api.get_roles_for_user_and_domain( + roles_ids = self.assignment_api.get_roles_for_user_and_domain( new_user1['id'], new_domain['id']) self.assertEqual(len(roles_ids), 2) self.assertIn(self.role_member['id'], roles_ids) self.assertIn(self.role_other['id'], roles_ids) # Now delete both grants for user1 - self.identity_api.delete_grant(user_id=new_user1['id'], - domain_id=new_domain['id'], - role_id='member') - self.identity_api.delete_grant(user_id=new_user1['id'], - domain_id=new_domain['id'], - role_id='other') - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(user_id=new_user1['id'], + domain_id=new_domain['id'], + role_id='member') + self.assignment_api.delete_grant(user_id=new_user1['id'], + domain_id=new_domain['id'], + role_id='other') + roles_ref = self.assignment_api.list_grants( 
user_id=new_user1['id'], domain_id=new_domain['id']) self.assertEqual(len(roles_ref), 0) 
@@ -690,77 +691,78 @@ class IdentityTests(object): self.identity_api.create_user(new_user1['id'], new_user1) self.assertRaises(exception.UserNotFound, - self.identity_api.get_roles_for_user_and_domain, + self.assignment_api.get_roles_for_user_and_domain, uuid.uuid4().hex, new_domain['id']) self.assertRaises(exception.DomainNotFound, - self.identity_api.get_roles_for_user_and_domain, + self.assignment_api.get_roles_for_user_and_domain, new_user1['id'], uuid.uuid4().hex) def test_get_roles_for_user_and_project_404(self): self.assertRaises(exception.UserNotFound, - self.identity_api.get_roles_for_user_and_project, + self.assignment_api.get_roles_for_user_and_project, uuid.uuid4().hex, self.tenant_bar['id']) self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_roles_for_user_and_project, + self.assignment_api.get_roles_for_user_and_project, self.user_foo['id'], uuid.uuid4().hex) def test_add_role_to_user_and_project_404(self): self.assertRaises(exception.UserNotFound, - self.identity_api.add_role_to_user_and_project, + self.assignment_api.add_role_to_user_and_project, uuid.uuid4().hex, self.tenant_bar['id'], self.role_admin['id']) self.assertRaises(exception.ProjectNotFound, - self.identity_api.add_role_to_user_and_project, + self.assignment_api.add_role_to_user_and_project, self.user_foo['id'], uuid.uuid4().hex, self.role_admin['id']) self.assertRaises(exception.RoleNotFound, - self.identity_api.add_role_to_user_and_project, + self.assignment_api.add_role_to_user_and_project, self.user_foo['id'], self.tenant_bar['id'], uuid.uuid4().hex) def test_remove_role_from_user_and_project(self): - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], 'member') - self.identity_api.remove_role_from_user_and_project( + self.assignment_api.remove_role_from_user_and_project( self.user_foo['id'], self.tenant_bar['id'], 'member') - roles_ref = 
self.identity_api.get_roles_for_user_and_project( + roles_ref = self.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertNotIn('member', roles_ref) self.assertRaises(exception.NotFound, - self.identity_api.remove_role_from_user_and_project, + self.assignment_api. + remove_role_from_user_and_project, self.user_foo['id'], self.tenant_bar['id'], 'member') def test_get_role_grant_by_user_and_project(self): - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_bar['id']) self.assertEqual(len(roles_ref), 1) - self.identity_api.create_grant(user_id=self.user_foo['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_admin['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(user_id=self.user_foo['id'], + project_id=self.tenant_bar['id'], + role_id=self.role_admin['id']) + roles_ref = self.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_bar['id']) self.assertIn(self.role_admin['id'], [role_ref['id'] for role_ref in roles_ref]) - self.identity_api.create_grant(user_id=self.user_foo['id'], - project_id=self.tenant_bar['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(user_id=self.user_foo['id'], + project_id=self.tenant_bar['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_bar['id']) 
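Review bot: `test_remove_role_from_user_and_project` still asserts the broad `exception.NotFound` for removing a role that is no longer assigned, while the same case in `test_project_add_and_remove_user_role` (hunk at -65) asserts `exception.RoleNotFound`. Since the call now goes through `assignment_api`, the broad class would presumably also accept a user or project lookup failure raised on the new path, so a regression in which error the role-removal code reports could pass unnoticed. If the backends raise it here, prefer `self.assertRaises(exception.RoleNotFound, ...)`. The `delete_grant` assertions in the later hunks use `exception.NotFound` in the same way and could be narrowed once the intended exception is confirmed.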
@@ -771,30 +773,30 @@ class IdentityTests(object): self.assertIn('member', roles_ref_ids) def test_remove_role_grant_from_user_and_project(self): - self.identity_api.create_grant(user_id=self.user_foo['id'], - project_id=self.tenant_baz['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(user_id=self.user_foo['id'], + project_id=self.tenant_baz['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_baz['id']) self.assertDictEqual(roles_ref[0], self.role_member) - self.identity_api.delete_grant(user_id=self.user_foo['id'], - project_id=self.tenant_baz['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(user_id=self.user_foo['id'], + project_id=self.tenant_baz['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( user_id=self.user_foo['id'], project_id=self.tenant_baz['id']) self.assertEqual(len(roles_ref), 0) self.assertRaises(exception.NotFound, - self.identity_api.delete_grant, + self.assignment_api.delete_grant, user_id=self.user_foo['id'], project_id=self.tenant_baz['id'], role_id='member') def test_get_and_remove_role_grant_by_group_and_project(self): new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'], 'name': uuid.uuid4().hex} self.identity_api.create_group(new_group['id'], new_group) 
@@ -804,34 +806,34 @@ class IdentityTests(object): self.identity_api.create_user(new_user['id'], new_user) self.identity_api.add_user_to_group(new_user['id'], new_group['id']) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], project_id=self.tenant_bar['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(group_id=new_group['id'], - project_id=self.tenant_bar['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(group_id=new_group['id'], + project_id=self.tenant_bar['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], project_id=self.tenant_bar['id']) self.assertDictEqual(roles_ref[0], self.role_member) - self.identity_api.delete_grant(group_id=new_group['id'], - project_id=self.tenant_bar['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(group_id=new_group['id'], + project_id=self.tenant_bar['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], project_id=self.tenant_bar['id']) self.assertEqual(len(roles_ref), 0) self.assertRaises(exception.NotFound, - self.identity_api.delete_grant, + self.assignment_api.delete_grant, group_id=new_group['id'], project_id=self.tenant_bar['id'], role_id='member') def test_get_and_remove_role_grant_by_group_and_domain(self): new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'], 'name': uuid.uuid4().hex} self.identity_api.create_group(new_group['id'], new_group) 
@@ -842,36 +844,36 @@ class IdentityTests(object): self.identity_api.add_user_to_group(new_user['id'], new_group['id']) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(group_id=new_group['id'], - domain_id=new_domain['id'], - role_id='member') + self.assignment_api.create_grant(group_id=new_group['id'], + domain_id=new_domain['id'], + role_id='member') - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertDictEqual(roles_ref[0], self.role_member) - self.identity_api.delete_grant(group_id=new_group['id'], - domain_id=new_domain['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(group_id=new_group['id'], + domain_id=new_domain['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertEqual(len(roles_ref), 0) self.assertRaises(exception.NotFound, - self.identity_api.delete_grant, + self.assignment_api.delete_grant, group_id=new_group['id'], domain_id=new_domain['id'], role_id='member') def test_get_and_remove_correct_role_grant_from_a_mix(self): new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) new_project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': new_domain['id']} self.assignment_api.create_project(new_project['id'], new_project) 
@@ -892,72 +894,72 @@ class IdentityTests(object): self.identity_api.add_user_to_group(new_user['id'], new_group['id']) # First check we have no grants - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertEqual(len(roles_ref), 0) # Now add the grant we are going to test for, and some others as # well just to make sure we get back the right one - self.identity_api.create_grant(group_id=new_group['id'], - domain_id=new_domain['id'], - role_id='member') + self.assignment_api.create_grant(group_id=new_group['id'], + domain_id=new_domain['id'], + role_id='member') - self.identity_api.create_grant(group_id=new_group2['id'], - domain_id=new_domain['id'], - role_id=self.role_admin['id']) - self.identity_api.create_grant(user_id=new_user2['id'], - domain_id=new_domain['id'], - role_id=self.role_admin['id']) - self.identity_api.create_grant(group_id=new_group['id'], - project_id=new_project['id'], - role_id=self.role_admin['id']) + self.assignment_api.create_grant(group_id=new_group2['id'], + domain_id=new_domain['id'], + role_id=self.role_admin['id']) + self.assignment_api.create_grant(user_id=new_user2['id'], + domain_id=new_domain['id'], + role_id=self.role_admin['id']) + self.assignment_api.create_grant(group_id=new_group['id'], + project_id=new_project['id'], + role_id=self.role_admin['id']) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) self.assertDictEqual(roles_ref[0], self.role_member) - self.identity_api.delete_grant(group_id=new_group['id'], - domain_id=new_domain['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(group_id=new_group['id'], + domain_id=new_domain['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( group_id=new_group['id'], domain_id=new_domain['id']) 
self.assertEqual(len(roles_ref), 0) self.assertRaises(exception.NotFound, - self.identity_api.delete_grant, + self.assignment_api.delete_grant, group_id=new_group['id'], domain_id=new_domain['id'], role_id='member') def test_get_and_remove_role_grant_by_user_and_domain(self): new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) new_user = {'id': uuid.uuid4().hex, 'name': 'new_user', 'password': 'secret', 'enabled': True, 'domain_id': new_domain['id']} self.identity_api.create_user(new_user['id'], new_user) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=new_user['id'], domain_id=new_domain['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(user_id=new_user['id'], - domain_id=new_domain['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(user_id=new_user['id'], + domain_id=new_domain['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( user_id=new_user['id'], domain_id=new_domain['id']) self.assertDictEqual(roles_ref[0], self.role_member) - self.identity_api.delete_grant(user_id=new_user['id'], - domain_id=new_domain['id'], - role_id='member') - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(user_id=new_user['id'], + domain_id=new_domain['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( user_id=new_user['id'], domain_id=new_domain['id']) self.assertEqual(len(roles_ref), 0) self.assertRaises(exception.NotFound, - self.identity_api.delete_grant, + self.assignment_api.delete_grant, user_id=new_user['id'], domain_id=new_domain['id'], role_id='member') 
@@ -965,51 +967,51 @@ class IdentityTests(object): def test_get_and_remove_role_grant_by_group_and_cross_domain(self): group1_domain1_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(group1_domain1_role['id'], - group1_domain1_role) + self.assignment_api.create_role(group1_domain1_role['id'], + group1_domain1_role) group1_domain2_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(group1_domain2_role['id'], - group1_domain2_role) + self.assignment_api.create_role(group1_domain2_role['id'], + group1_domain2_role) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) group1 = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'], 'name': uuid.uuid4().hex} self.identity_api.create_group(group1['id'], group1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertEqual(len(roles_ref), 0) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], domain_id=domain2['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=group1_domain1_role['id']) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain2['id'], - role_id=group1_domain2_role['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain1['id'], + role_id=group1_domain1_role['id']) + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain2['id'], + role_id=group1_domain2_role['id']) + roles_ref = 
self.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertDictEqual(roles_ref[0], group1_domain1_role) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], domain_id=domain2['id']) self.assertDictEqual(roles_ref[0], group1_domain2_role) - self.identity_api.delete_grant(group_id=group1['id'], - domain_id=domain2['id'], - role_id=group1_domain2_role['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(group_id=group1['id'], + domain_id=domain2['id'], + role_id=group1_domain2_role['id']) + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], domain_id=domain2['id']) self.assertEqual(len(roles_ref), 0) self.assertRaises(exception.NotFound, - self.identity_api.delete_grant, + self.assignment_api.delete_grant, group_id=group1['id'], domain_id=domain2['id'], role_id=group1_domain2_role['id']) 
@@ -1017,82 +1019,82 @@ class IdentityTests(object): def test_get_and_remove_role_grant_by_user_and_cross_domain(self): user1_domain1_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(user1_domain1_role['id'], - user1_domain1_role) + self.assignment_api.create_role(user1_domain1_role['id'], + user1_domain1_role) user1_domain2_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(user1_domain2_role['id'], - user1_domain2_role) + self.assignment_api.create_role(user1_domain2_role['id'], + user1_domain2_role) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'password': uuid.uuid4().hex, 'enabled': True} self.identity_api.create_user(user1['id'], user1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertEqual(len(roles_ref), 0) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], domain_id=domain2['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=user1_domain1_role['id']) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain2['id'], - role_id=user1_domain2_role['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain1['id'], + role_id=user1_domain1_role['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain2['id'], + role_id=user1_domain2_role['id']) + 
roles_ref = self.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertDictEqual(roles_ref[0], user1_domain1_role) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], domain_id=domain2['id']) self.assertDictEqual(roles_ref[0], user1_domain2_role) - self.identity_api.delete_grant(user_id=user1['id'], - domain_id=domain2['id'], - role_id=user1_domain2_role['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(user_id=user1['id'], + domain_id=domain2['id'], + role_id=user1_domain2_role['id']) + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], domain_id=domain2['id']) self.assertEqual(len(roles_ref), 0) self.assertRaises(exception.NotFound, - self.identity_api.delete_grant, + self.assignment_api.delete_grant, user_id=user1['id'], domain_id=domain2['id'], role_id=user1_domain2_role['id']) def test_role_grant_by_group_and_cross_domain_project(self): role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role1['id'], role1) + self.assignment_api.create_role(role1['id'], role1) role2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role2['id'], role2) + self.assignment_api.create_role(role2['id'], role2) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'enabled': True} self.identity_api.create_group(group1['id'], group1) project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain2['id']} self.assignment_api.create_project(project1['id'], project1) - 
roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.identity_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role2['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=role1['id']) + self.assignment_api.create_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=role2['id']) + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) @@ -1102,10 +1104,10 @@ class IdentityTests(object): self.assertIn(role1['id'], roles_ref_ids) self.assertIn(role2['id'], roles_ref_ids) - self.identity_api.delete_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role1['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=role1['id']) + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 1) 
@@ -1113,13 +1115,13 @@ class IdentityTests(object): def test_role_grant_by_user_and_cross_domain_project(self): role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role1['id'], role1) + self.assignment_api.create_role(role1['id'], role1) role2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role2['id'], role2) + self.assignment_api.create_role(role2['id'], role2) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'password': uuid.uuid4().hex, 'enabled': True} @@ -1127,17 +1129,17 @@ class IdentityTests(object): project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain2['id']} self.assignment_api.create_project(project1['id'], project1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role2['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role1['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role2['id']) + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) 
@@ -1147,10 +1149,10 @@ class IdentityTests(object): self.assertIn(role1['id'], roles_ref_ids) self.assertIn(role2['id'], roles_ref_ids) - self.identity_api.delete_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role1['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role1['id']) + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 1) @@ -1160,10 +1162,10 @@ class IdentityTests(object): role_list = [] for _ in range(10): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) + self.assignment_api.create_role(role['id'], role) role_list.append(role) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'password': uuid.uuid4().hex, 'enabled': True} 
@@ -1183,51 +1185,51 @@ class IdentityTests(object): self.identity_api.add_user_to_group(user1['id'], group2['id']) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[0]['id']) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id']) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role_list[3]['id']) - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[4]['id']) - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[5]['id']) - self.identity_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role_list[6]['id']) - self.identity_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role_list[7]['id']) - roles_ref = self.identity_api.list_grants(user_id=user1['id'], - domain_id=domain1['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain1['id'], + role_id=role_list[0]['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain1['id'], + role_id=role_list[1]['id']) + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain1['id'], + role_id=role_list[2]['id']) + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain1['id'], + role_id=role_list[3]['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role_list[4]['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role_list[5]['id']) + 
self.assignment_api.create_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=role_list[6]['id']) + self.assignment_api.create_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=role_list[7]['id']) + roles_ref = self.assignment_api.list_grants(user_id=user1['id'], + domain_id=domain1['id']) self.assertEqual(len(roles_ref), 2) self.assertIn(role_list[0], roles_ref) self.assertIn(role_list[1], roles_ref) - roles_ref = self.identity_api.list_grants(group_id=group1['id'], - domain_id=domain1['id']) + roles_ref = self.assignment_api.list_grants(group_id=group1['id'], + domain_id=domain1['id']) self.assertEqual(len(roles_ref), 2) self.assertIn(role_list[2], roles_ref) self.assertIn(role_list[3], roles_ref) - roles_ref = self.identity_api.list_grants(user_id=user1['id'], - project_id=project1['id']) + roles_ref = self.assignment_api.list_grants(user_id=user1['id'], + project_id=project1['id']) self.assertEqual(len(roles_ref), 2) self.assertIn(role_list[4], roles_ref) self.assertIn(role_list[5], roles_ref) - roles_ref = self.identity_api.list_grants(group_id=group1['id'], - project_id=project1['id']) + roles_ref = self.assignment_api.list_grants(group_id=group1['id'], + project_id=project1['id']) self.assertEqual(len(roles_ref), 2) self.assertIn(role_list[6], roles_ref) self.assertIn(role_list[7], roles_ref) 
@@ -1235,15 +1237,15 @@ class IdentityTests(object): # Now test the alternate way of getting back lists of grants, # where user and group roles are combined. These should match # the above results. - combined_role_list = self.identity_api.get_roles_for_user_and_project( + combined_list = self.assignment_api.get_roles_for_user_and_project( user1['id'], project1['id']) - self.assertEqual(len(combined_role_list), 4) - self.assertIn(role_list[4]['id'], combined_role_list) - self.assertIn(role_list[5]['id'], combined_role_list) - self.assertIn(role_list[6]['id'], combined_role_list) - self.assertIn(role_list[7]['id'], combined_role_list) + self.assertEqual(len(combined_list), 4) + self.assertIn(role_list[4]['id'], combined_list) + self.assertIn(role_list[5]['id'], combined_list) + self.assertIn(role_list[6]['id'], combined_list) + self.assertIn(role_list[7]['id'], combined_list) - combined_role_list = self.identity_api.get_roles_for_user_and_domain( + combined_role_list = self.assignment_api.get_roles_for_user_and_domain( user1['id'], domain1['id']) self.assertEqual(len(combined_role_list), 4) self.assertIn(role_list[0]['id'], combined_role_list) @@ -1269,10 +1271,10 @@ class IdentityTests(object): role_list = [] for _ in range(6): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) + self.assignment_api.create_role(role['id'], role) role_list.append(role) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'password': uuid.uuid4().hex, 'enabled': True} 
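Review bot: In the hunk at -1235 the project lookup result is renamed to `combined_list`, while the domain lookup a few lines below still binds `combined_role_list`, so one test now uses two names for the same kind of value. The rename looks like a line-length workaround. Using one name for both, e.g. `combined_list = self.assignment_api.get_roles_for_user_and_domain(` with the following `assertEqual`/`assertIn` lines updated to match, keeps the test easier to follow. The same split naming appears in the hunks at -1292 and -3349. The enclosing test starts before this hunk and appears to continue past it.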
@@ -1292,39 +1294,39 @@ class IdentityTests(object): self.identity_api.add_user_to_group(user1['id'], group2['id']) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 0) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[0]['id']) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) - self.identity_api.create_grant(group_id=group2['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id']) - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[3]['id']) - self.identity_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role_list[4]['id']) - self.identity_api.create_grant(group_id=group2['id'], - project_id=project1['id'], - role_id=role_list[5]['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain1['id'], + role_id=role_list[0]['id']) + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain1['id'], + role_id=role_list[1]['id']) + self.assignment_api.create_grant(group_id=group2['id'], + domain_id=domain1['id'], + role_id=role_list[2]['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role_list[3]['id']) + self.assignment_api.create_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=role_list[4]['id']) + self.assignment_api.create_grant(group_id=group2['id'], + project_id=project1['id'], + role_id=role_list[5]['id']) # Read by the roles, ensuring we get the correct 3 roles for # both project and domain - combined_role_list = self.identity_api.get_roles_for_user_and_project( + combined_list = self.assignment_api.get_roles_for_user_and_project( user1['id'], project1['id']) - self.assertEqual(len(combined_role_list), 3) - 
self.assertIn(role_list[3]['id'], combined_role_list) - self.assertIn(role_list[4]['id'], combined_role_list) - self.assertIn(role_list[5]['id'], combined_role_list) + self.assertEqual(len(combined_list), 3) + self.assertIn(role_list[3]['id'], combined_list) + self.assertIn(role_list[4]['id'], combined_list) + self.assertIn(role_list[5]['id'], combined_list) - combined_role_list = self.identity_api.get_roles_for_user_and_domain( + combined_role_list = self.assignment_api.get_roles_for_user_and_domain( user1['id'], domain1['id']) self.assertEqual(len(combined_role_list), 3) self.assertIn(role_list[0]['id'], combined_role_list) @@ -1333,9 +1335,9 @@ class IdentityTests(object): def test_delete_role_with_user_and_group_grants(self): role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role1['id'], role1) + self.assignment_api.create_role(role1['id'], role1) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id']} self.assignment_api.create_project(project1['id'], project1) 
@@ -1346,57 +1348,57 @@ class IdentityTests(object): group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'enabled': True} self.identity_api.create_group(group1['id'], group1) - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role1['id']) - self.identity_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role1['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role1['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain1['id'], + role_id=role1['id']) + self.assignment_api.create_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=role1['id']) + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain1['id'], + role_id=role1['id']) + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertEqual(len(roles_ref), 1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertEqual(len(roles_ref), 1) - self.identity_api.delete_role(role1['id']) - roles_ref = self.identity_api.list_grants( + self.assignment_api.delete_role(role1['id']) + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], 
project_id=project1['id']) self.assertEqual(len(roles_ref), 0) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 0) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertEqual(len(roles_ref), 0) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertEqual(len(roles_ref), 0) def test_delete_user_with_group_project_domain_links(self): role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role1['id'], role1) + self.assignment_api.create_role(role1['id'], role1) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id']} self.assignment_api.create_project(project1['id'], project1) 
@@ -1407,19 +1409,19 @@ class IdentityTests(object): group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'enabled': True} self.identity_api.create_group(group1['id'], group1) - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role1['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role1['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain1['id'], + role_id=role1['id']) self.identity_api.add_user_to_group(user_id=user1['id'], group_id=group1['id']) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], domain_id=domain1['id']) self.assertEqual(len(roles_ref), 1) @@ -1434,9 +1436,9 @@ class IdentityTests(object): def test_delete_group_with_user_project_domain_links(self): role1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role1['id'], role1) + self.assignment_api.create_role(role1['id'], role1) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id']} self.assignment_api.create_project(project1['id'], project1) 
@@ -1447,19 +1449,19 @@ class IdentityTests(object): group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'enabled': True} self.identity_api.create_group(group1['id'], group1) - self.identity_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=role1['id']) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role1['id']) + self.assignment_api.create_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=role1['id']) + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain1['id'], + role_id=role1['id']) self.identity_api.add_user_to_group(user_id=user1['id'], group_id=group1['id']) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( group_id=group1['id'], domain_id=domain1['id']) self.assertEqual(len(roles_ref), 1) 
@@ -1475,32 +1477,32 @@ class IdentityTests(object): def test_role_crud(self): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) - role_ref = self.identity_api.get_role(role['id']) + self.assignment_api.create_role(role['id'], role) + role_ref = self.assignment_api.get_role(role['id']) role_ref_dict = dict((x, role_ref[x]) for x in role_ref) self.assertDictEqual(role_ref_dict, role) role['name'] = uuid.uuid4().hex - self.identity_api.update_role(role['id'], role) - role_ref = self.identity_api.get_role(role['id']) + self.assignment_api.update_role(role['id'], role) + role_ref = self.assignment_api.get_role(role['id']) role_ref_dict = dict((x, role_ref[x]) for x in role_ref) self.assertDictEqual(role_ref_dict, role) - self.identity_api.delete_role(role['id']) + self.assignment_api.delete_role(role['id']) self.assertRaises(exception.RoleNotFound, - self.identity_api.get_role, + self.assignment_api.get_role, role['id']) def test_update_role_404(self): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} self.assertRaises(exception.RoleNotFound, - self.identity_api.update_role, + self.assignment_api.update_role, role['id'], role) def test_add_user_to_project(self): - self.identity_api.add_user_to_project(self.tenant_baz['id'], - self.user_foo['id']) + self.assignment_api.add_user_to_project(self.tenant_baz['id'], + self.user_foo['id']) tenants = self.assignment_api.list_projects_for_user( self.user_foo['id']) self.assertIn(self.tenant_baz, tenants) @@ -1510,8 +1512,8 @@ class IdentityTests(object): self.assertRaises(exception.RoleNotFound, self.assignment_api.get_role, CONF.member_role_id) - self.identity_api.add_user_to_project(self.tenant_baz['id'], - self.user_foo['id']) + self.assignment_api.add_user_to_project(self.tenant_baz['id'], + self.user_foo['id']) tenants = ( self.assignment_api.list_projects_for_user(self.user_foo['id'])) self.assertIn(self.tenant_baz, tenants) 
@@ -1520,37 +1522,37 @@ class IdentityTests(object): def test_add_user_to_project_404(self): self.assertRaises(exception.ProjectNotFound, - self.identity_api.add_user_to_project, + self.assignment_api.add_user_to_project, uuid.uuid4().hex, self.user_foo['id']) self.assertRaises(exception.UserNotFound, - self.identity_api.add_user_to_project, + self.assignment_api.add_user_to_project, self.tenant_bar['id'], uuid.uuid4().hex) def test_remove_user_from_project(self): - self.identity_api.add_user_to_project(self.tenant_baz['id'], - self.user_foo['id']) - self.identity_api.remove_user_from_project(self.tenant_baz['id'], - self.user_foo['id']) + self.assignment_api.add_user_to_project(self.tenant_baz['id'], + self.user_foo['id']) + self.assignment_api.remove_user_from_project(self.tenant_baz['id'], + self.user_foo['id']) tenants = self.assignment_api.list_projects_for_user( self.user_foo['id']) self.assertNotIn(self.tenant_baz, tenants) def test_remove_user_from_project_404(self): self.assertRaises(exception.ProjectNotFound, - self.identity_api.remove_user_from_project, + self.assignment_api.remove_user_from_project, uuid.uuid4().hex, self.user_foo['id']) self.assertRaises(exception.UserNotFound, - self.identity_api.remove_user_from_project, + self.assignment_api.remove_user_from_project, self.tenant_bar['id'], uuid.uuid4().hex) self.assertRaises(exception.NotFound, - self.identity_api.remove_user_from_project, + self.assignment_api.remove_user_from_project, self.tenant_baz['id'], self.user_foo['id']) @@ -1584,8 +1586,8 @@ class IdentityTests(object): 'domain_id': DEFAULT_DOMAIN_ID, 'password': uuid.uuid4().hex} self.identity_api.create_user(user['id'], user) - self.identity_api.add_user_to_project(self.tenant_bar['id'], - user['id']) + self.assignment_api.add_user_to_project(self.tenant_bar['id'], + user['id']) self.identity_api.delete_user(user['id']) self.assertRaises(exception.UserNotFound, self.assignment_api.list_projects_for_user, 
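Review bot: In the hunk at -1584 the project membership is now written through `assignment_api` while the user is deleted through `identity_api`, and the only check afterwards is that `list_projects_for_user` raises `UserNotFound`. As far as these lines show, that proves the user lookup fails but not that the membership record was removed from the assignment backend, which matters more now that two managers each own part of the data. I would add a comment above the assertion such as `# UserNotFound only shows the user is gone; removal of the assignment row is not asserted here`, or a direct assertion if the assignment API offers a suitable call. The test method starts before the hunk and the `assertRaises` call is cut off at its end.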
@@ -1597,7 +1599,7 @@ class IdentityTests(object): 'domain_id': DEFAULT_DOMAIN_ID, 'password': uuid.uuid4().hex} self.identity_api.create_user(user['id'], user) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( user['id'], self.tenant_bar['id'], self.role_member['id']) @@ -1613,7 +1615,7 @@ class IdentityTests(object): def test_delete_role_404(self): self.assertRaises(exception.RoleNotFound, - self.identity_api.delete_role, + self.assignment_api.delete_role, uuid.uuid4().hex) def test_create_update_delete_unicode_project(self): @@ -1755,7 +1757,7 @@ class IdentityTests(object): 'enabled': True, 'domain_id': DEFAULT_DOMAIN_ID} self.assignment_api.create_project(project['id'], project) - project_ref = self.identity_api.get_project(project['id']) + project_ref = self.assignment_api.get_project(project['id']) self.assertEqual(project_ref['enabled'], True) # Strings are not valid boolean values @@ -1856,9 +1858,9 @@ class IdentityTests(object): def test_list_domains(self): domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) - self.identity_api.create_domain(domain2['id'], domain2) - domains = self.identity_api.list_domains() + self.assignment_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain2['id'], domain2) + domains = self.assignment_api.list_domains() self.assertEqual(len(domains), 3) domain_ids = [] for domain in domains: @@ -1868,7 +1870,7 @@ class IdentityTests(object): self.assertIn(domain2['id'], domain_ids) def test_list_projects(self): - projects = self.identity_api.list_projects() + projects = self.assignment_api.list_projects() self.assertEqual(len(projects), 4) project_ids = [] for project in projects: 
@@ -1901,7 +1903,7 @@ class IdentityTests(object): self.assertIn(project2['id'], project_ids) def test_list_roles(self): - roles = self.identity_api.list_roles() + roles = self.assignment_api.list_roles() self.assertEqual(len(default_fixtures.ROLES), len(roles)) role_ids = set(role['id'] for role in roles) expected_role_ids = set(role['id'] for role in default_fixtures.ROLES) @@ -1911,24 +1913,24 @@ class IdentityTests(object): tenant = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID} self.assignment_api.create_project(tenant['id'], tenant) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], tenant['id'], 'member') self.assignment_api.delete_project(tenant['id']) self.assertRaises(exception.NotFound, - self.identity_api.get_project, + self.assignment_api.get_project, tenant['id']) def test_delete_role_check_role_grant(self): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} alt_role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) - self.identity_api.create_role(alt_role['id'], alt_role) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.create_role(role['id'], role) + self.assignment_api.create_role(alt_role['id'], alt_role) + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], role['id']) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], alt_role['id']) - self.identity_api.delete_role(role['id']) - roles_ref = self.identity_api.get_roles_for_user_and_project( + self.assignment_api.delete_role(role['id']) + roles_ref = self.assignment_api.get_roles_for_user_and_project( self.user_foo['id'], self.tenant_bar['id']) self.assertNotIn(role['id'], roles_ref) self.assertIn(alt_role['id'], roles_ref) 
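Review bot: In the hunk at -1911 the check after `delete_project` still expects the broad `exception.NotFound`, whereas `test_project_crud` in the same class asserts `exception.ProjectNotFound` for the same `get_project` call. The narrower class would stop this test from passing on an unrelated not-found error: `self.assertRaises(exception.ProjectNotFound,`. The role is also passed as the literal `'member'` rather than `self.role_member['id']`, which other tests in this diff use. The test containing these lines starts outside the hunk.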
@@ -2030,28 +2032,28 @@ class IdentityTests(object): tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True, 'domain_id': DEFAULT_DOMAIN_ID} self.assignment_api.create_project('fake1', tenant) - tenant_ref = self.identity_api.get_project('fake1') + tenant_ref = self.assignment_api.get_project('fake1') self.assertEqual(tenant_ref['enabled'], True) tenant['enabled'] = False self.assignment_api.update_project('fake1', tenant) - tenant_ref = self.identity_api.get_project('fake1') + tenant_ref = self.assignment_api.get_project('fake1') self.assertEqual(tenant_ref['enabled'], tenant['enabled']) # If not present, enabled field should not be updated del tenant['enabled'] self.assignment_api.update_project('fake1', tenant) - tenant_ref = self.identity_api.get_project('fake1') + tenant_ref = self.assignment_api.get_project('fake1') self.assertEqual(tenant_ref['enabled'], False) tenant['enabled'] = True self.assignment_api.update_project('fake1', tenant) - tenant_ref = self.identity_api.get_project('fake1') + tenant_ref = self.assignment_api.get_project('fake1') self.assertEqual(tenant_ref['enabled'], tenant['enabled']) del tenant['enabled'] self.assignment_api.update_project('fake1', tenant) - tenant_ref = self.identity_api.get_project('fake1') + tenant_ref = self.assignment_api.get_project('fake1') self.assertEqual(tenant_ref['enabled'], True) def test_add_user_to_group(self): @@ -2261,7 +2263,7 @@ class IdentityTests(object): def test_group_crud(self): domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'], 'name': uuid.uuid4().hex} self.identity_api.create_group(group['id'], group) 
@@ -2290,7 +2292,7 @@ class IdentityTests(object): def test_create_duplicate_group_name_in_different_domains(self): new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(new_domain['id'], new_domain) + self.assignment_api.create_domain(new_domain['id'], new_domain) group1 = {'id': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID, 'name': uuid.uuid4().hex} group2 = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'], @@ -2300,9 +2302,9 @@ class IdentityTests(object): def test_move_group_between_domains(self): domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) group = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id']} @@ -2312,9 +2314,9 @@ class IdentityTests(object): def test_move_group_between_domains_with_clashing_names_fails(self): domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) # First, create a group in domain1 group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 
@@ -2337,21 +2339,21 @@ class IdentityTests(object): def test_project_crud(self): domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'enabled': True} - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain['id']} self.assignment_api.create_project(project['id'], project) - project_ref = self.identity_api.get_project(project['id']) + project_ref = self.assignment_api.get_project(project['id']) self.assertDictContainsSubset(project, project_ref) project['name'] = uuid.uuid4().hex self.assignment_api.update_project(project['id'], project) - project_ref = self.identity_api.get_project(project['id']) + project_ref = self.assignment_api.get_project(project['id']) self.assertDictContainsSubset(project, project_ref) self.assignment_api.delete_project(project['id']) self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, project['id']) def test_project_update_missing_attrs_with_a_value(self): @@ -2366,7 +2368,7 @@ class IdentityTests(object): project['description'] = uuid.uuid4().hex self.assignment_api.update_project(project['id'], project) - project_ref = self.identity_api.get_project(project['id']) + project_ref = self.assignment_api.get_project(project['id']) self.assertDictEqual(project_ref, project) def test_project_update_missing_attrs_with_a_falsey_value(self): 
@@ -2381,22 +2383,22 @@ class IdentityTests(object): project['description'] = '' self.assignment_api.update_project(project['id'], project) - project_ref = self.identity_api.get_project(project['id']) + project_ref = self.assignment_api.get_project(project['id']) self.assertDictEqual(project_ref, project) def test_domain_crud(self): domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'enabled': True} - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) domain_ref = self.identity_api.get_domain(domain['id']) self.assertDictEqual(domain_ref, domain) domain['name'] = uuid.uuid4().hex - self.identity_api.update_domain(domain['id'], domain) + self.assignment_api.update_domain(domain['id'], domain) domain_ref = self.identity_api.get_domain(domain['id']) self.assertDictEqual(domain_ref, domain) - self.identity_api.delete_domain(domain['id']) + self.assignment_api.delete_domain(domain['id']) self.assertRaises(exception.DomainNotFound, self.identity_api.get_domain, domain['id']) 
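Review bot: `test_domain_crud` now creates, updates and deletes the domain through `assignment_api` but still reads it back with `self.identity_api.get_domain`, on both `domain_ref` lines and in the final `assertRaises`. Other tests in this diff already call `self.assignment_api.get_domain`, so the read path of the manager under test is not exercised here, and the test presumably depends on `identity_api` keeping a pass-through. Suggested lines: `domain_ref = self.assignment_api.get_domain(domain['id'])` and `self.assignment_api.get_domain,`.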
@@ -2437,19 +2439,19 @@ class IdentityTests(object): def test_list_projects_for_user(self): domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'password': uuid.uuid4().hex, 'domain_id': domain['id'], 'enabled': True} self.identity_api.create_user(user1['id'], user1) user_projects = self.assignment_api.list_projects_for_user(user1['id']) self.assertEqual(len(user_projects), 0) - self.identity_api.create_grant(user_id=user1['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_member['id']) - self.identity_api.create_grant(user_id=user1['id'], - project_id=self.tenant_baz['id'], - role_id=self.role_member['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=self.tenant_bar['id'], + role_id=self.role_member['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=self.tenant_baz['id'], + role_id=self.role_member['id']) user_projects = self.assignment_api.list_projects_for_user(user1['id']) self.assertEqual(len(user_projects), 2) @@ -2458,7 +2460,7 @@ class IdentityTests(object): # make user1 a member of both groups. Both these new projects # should now be included, along with any direct user grants. domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'password': uuid.uuid4().hex, 'domain_id': domain['id'], 'enabled': True} 
@@ -2479,15 +2481,15 @@ class IdentityTests(object): self.identity_api.add_user_to_group(user1['id'], group2['id']) # Create 3 grants, one user grant, the other two as group grants - self.identity_api.create_grant(user_id=user1['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_member['id']) - self.identity_api.create_grant(group_id=group1['id'], - project_id=project1['id'], - role_id=self.role_admin['id']) - self.identity_api.create_grant(group_id=group2['id'], - project_id=project2['id'], - role_id=self.role_admin['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=self.tenant_bar['id'], + role_id=self.role_member['id']) + self.assignment_api.create_grant(group_id=group1['id'], + project_id=project1['id'], + role_id=self.role_admin['id']) + self.assignment_api.create_grant(group_id=group2['id'], + project_id=project2['id'], + role_id=self.role_admin['id']) user_projects = self.assignment_api.list_projects_for_user(user1['id']) self.assertEqual(len(user_projects), 3) @@ -2528,7 +2530,7 @@ class IdentityTests(object): self.assertRaises(exception.DomainNotFound, self.assignment_api.get_domain, domain_id) # Recreate Domain - self.identity_api.create_domain(domain_id, domain) + self.assignment_api.create_domain(domain_id, domain) self.assignment_api.get_domain(domain_id) # Delete domain self.assignment_api.delete_domain(domain_id) @@ -3337,10 +3339,10 @@ class InheritanceTests(object): role_list = [] for _ in range(3): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) + self.assignment_api.create_role(role['id'], role) role_list.append(role) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'password': uuid.uuid4().hex, 'enabled': True} 
@@ -3349,43 +3351,43 @@ class InheritanceTests(object): 'domain_id': domain1['id']} self.assignment_api.create_project(project1['id'], project1) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 0) # Create the first two roles - the domain one is not inherited - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[0]['id']) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role_list[0]['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain1['id'], + role_id=role_list[1]['id']) # Now get the effective roles for the user and project, this # should only include the direct role assignment on the project - combined_role_list = self.identity_api.get_roles_for_user_and_project( + combined_list = self.assignment_api.get_roles_for_user_and_project( user1['id'], project1['id']) - self.assertEqual(len(combined_role_list), 1) - self.assertIn(role_list[0]['id'], combined_role_list) + self.assertEqual(len(combined_list), 1) + self.assertIn(role_list[0]['id'], combined_list) # Now add an inherited role on the domain - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id'], - inherited_to_projects=True) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain1['id'], + role_id=role_list[2]['id'], + inherited_to_projects=True) # Now get the effective roles for the user and project again, this # should now include the inherited role on the domain - combined_role_list = self.identity_api.get_roles_for_user_and_project( + combined_list = self.assignment_api.get_roles_for_user_and_project( user1['id'], project1['id']) - self.assertEqual(len(combined_role_list), 2) - 
self.assertIn(role_list[0]['id'], combined_role_list) - self.assertIn(role_list[2]['id'], combined_role_list) + self.assertEqual(len(combined_list), 2) + self.assertIn(role_list[0]['id'], combined_list) + self.assertIn(role_list[2]['id'], combined_list) # Finally, check that the inherited role does not appear as a valid # directly assigned role on the domain itself - combined_role_list = self.identity_api.get_roles_for_user_and_domain( + combined_role_list = self.assignment_api.get_roles_for_user_and_domain( user1['id'], domain1['id']) self.assertEqual(len(combined_role_list), 1) self.assertIn(role_list[1]['id'], combined_role_list) @@ -3411,10 +3413,10 @@ class InheritanceTests(object): role_list = [] for _ in range(4): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) + self.assignment_api.create_role(role['id'], role) role_list.append(role) domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain1['id'], domain1) + self.assignment_api.create_domain(domain1['id'], domain1) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain1['id'], 'password': uuid.uuid4().hex, 'enabled': True} 
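Review bot: Within this one test the project-scoped result is renamed to `combined_list` while the domain-scoped result a few lines later keeps `combined_role_list`, so the same kind of value carries two names. Using one name throughout reads better; the retained `combined_role_list = self.assignment_api.get_roles_for_user_and_domain(` line shows the longer name can still be kept by wrapping the call arguments. The `@@ -852` hunk of keystone/tests/test_backend_ldap.py has the same mix. The test method starts outside the hunk.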
@@ -3434,44 +3436,44 @@ class InheritanceTests(object): self.identity_api.add_user_to_group(user1['id'], group2['id']) - roles_ref = self.identity_api.list_grants( + roles_ref = self.assignment_api.list_grants( user_id=user1['id'], project_id=project1['id']) self.assertEqual(len(roles_ref), 0) # Create two roles - the domain one is not inherited - self.identity_api.create_grant(user_id=user1['id'], - project_id=project1['id'], - role_id=role_list[0]['id']) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain1['id'], - role_id=role_list[1]['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project1['id'], + role_id=role_list[0]['id']) + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain1['id'], + role_id=role_list[1]['id']) # Now get the effective roles for the user and project, this # should only include the direct role assignment on the project - combined_role_list = self.identity_api.get_roles_for_user_and_project( + combined_list = self.assignment_api.get_roles_for_user_and_project( user1['id'], project1['id']) - self.assertEqual(len(combined_role_list), 1) - self.assertIn(role_list[0]['id'], combined_role_list) + self.assertEqual(len(combined_list), 1) + self.assertIn(role_list[0]['id'], combined_list) # Now add to more group roles, both inherited, to the domain - self.identity_api.create_grant(group_id=group2['id'], - domain_id=domain1['id'], - role_id=role_list[2]['id'], - inherited_to_projects=True) - self.identity_api.create_grant(group_id=group2['id'], - domain_id=domain1['id'], - role_id=role_list[3]['id'], - inherited_to_projects=True) + self.assignment_api.create_grant(group_id=group2['id'], + domain_id=domain1['id'], + role_id=role_list[2]['id'], + inherited_to_projects=True) + self.assignment_api.create_grant(group_id=group2['id'], + domain_id=domain1['id'], + role_id=role_list[3]['id'], + inherited_to_projects=True) # Now get the effective roles for the user and project again, 
this # should now include the inherited roles on the domain - combined_role_list = self.identity_api.get_roles_for_user_and_project( + combined_list = self.assignment_api.get_roles_for_user_and_project( user1['id'], project1['id']) - self.assertEqual(len(combined_role_list), 3) - self.assertIn(role_list[0]['id'], combined_role_list) - self.assertIn(role_list[2]['id'], combined_role_list) - self.assertIn(role_list[3]['id'], combined_role_list) + self.assertEqual(len(combined_list), 3) + self.assertIn(role_list[0]['id'], combined_list) + self.assertIn(role_list[2]['id'], combined_list) + self.assertIn(role_list[3]['id'], combined_list) def test_list_projects_for_user_with_inherited_grants(self): """Test inherited group roles. @@ -3486,7 +3488,7 @@ class InheritanceTests(object): """ self.opt_in_group('os_inherit', enabled=True) domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'password': uuid.uuid4().hex, 'domain_id': domain['id'], 'enabled': True} @@ -3500,13 +3502,13 @@ class InheritanceTests(object): # Create 2 grants, one on a project and one inherited grant # on the domain - self.identity_api.create_grant(user_id=user1['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_member['id']) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain['id'], - role_id=self.role_admin['id'], - inherited_to_projects=True) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=self.tenant_bar['id'], + role_id=self.role_member['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain['id'], + role_id=self.role_admin['id'], + inherited_to_projects=True) # Should get back all three projects, one by virtue of the direct # grant, plus both projects in the domain user_projects = self.assignment_api.list_projects_for_user(user1['id']) 
@@ -3529,9 +3531,9 @@ class InheritanceTests(object): """ self.opt_in_group('os_inherit', enabled=True) domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) domain2 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_domain(domain2['id'], domain2) + self.assignment_api.create_domain(domain2['id'], domain2) project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': domain['id']} self.assignment_api.create_project(project1['id'], project1) 
@@ -3558,20 +3560,20 @@ class InheritanceTests(object): # - one user grant on a project in the default domain # - one inherited user grant on domain # - one inherited group grant on domain2 - self.identity_api.create_grant(user_id=user1['id'], - project_id=project3['id'], - role_id=self.role_member['id']) - self.identity_api.create_grant(user_id=user1['id'], - project_id=self.tenant_bar['id'], - role_id=self.role_member['id']) - self.identity_api.create_grant(user_id=user1['id'], - domain_id=domain['id'], - role_id=self.role_admin['id'], - inherited_to_projects=True) - self.identity_api.create_grant(group_id=group1['id'], - domain_id=domain2['id'], - role_id=self.role_admin['id'], - inherited_to_projects=True) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=project3['id'], + role_id=self.role_member['id']) + self.assignment_api.create_grant(user_id=user1['id'], + project_id=self.tenant_bar['id'], + role_id=self.role_member['id']) + self.assignment_api.create_grant(user_id=user1['id'], + domain_id=domain['id'], + role_id=self.role_admin['id'], + inherited_to_projects=True) + self.assignment_api.create_grant(group_id=group1['id'], + domain_id=domain2['id'], + role_id=self.role_admin['id'], + inherited_to_projects=True) # Should get back all five projects, but without a duplicate for # project3 (since it has both a direct user role and an inherited role) user_projects = self.assignment_api.list_projects_for_user(user1['id']) diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py index 12833af4b6..25c747acfb 100644 --- a/keystone/tests/test_backend_ldap.py +++ b/keystone/tests/test_backend_ldap.py 
@@ -273,8 +273,8 @@ class BaseLDAPIdentity(test_backend.IdentityTests): 'enabled': True, } self.identity_api.create_user(user['id'], user) - self.identity_api.add_user_to_project(self.tenant_baz['id'], - user['id']) + self.assignment_api.add_user_to_project(self.tenant_baz['id'], + user['id']) driver = self.identity_api._select_identity_driver( user['domain_id']) driver.user.LDAP_USER = None @@ -345,7 +345,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): def test_configurable_allowed_project_actions(self): tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True} self.assignment_api.create_project('fake1', tenant) - tenant_ref = self.identity_api.get_project('fake1') + tenant_ref = self.assignment_api.get_project('fake1') self.assertEqual(tenant_ref['id'], 'fake1') tenant['enabled'] = False @@ -353,7 +353,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): self.assignment_api.delete_project('fake1') self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, 'fake1') def test_configurable_forbidden_project_actions(self): @@ -379,16 +379,16 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): def test_configurable_allowed_role_actions(self): role = {'id': 'fake1', 'name': 'fake1'} - self.identity_api.create_role('fake1', role) - role_ref = self.identity_api.get_role('fake1') + self.assignment_api.create_role('fake1', role) + role_ref = self.assignment_api.get_role('fake1') self.assertEqual(role_ref['id'], 'fake1') role['name'] = 'fake2' - self.identity_api.update_role('fake1', role) + self.assignment_api.update_role('fake1', role) - self.identity_api.delete_role('fake1') + self.assignment_api.delete_role('fake1') self.assertRaises(exception.RoleNotFound, - self.identity_api.get_role, + self.assignment_api.get_role, 'fake1') def test_configurable_forbidden_role_actions(self): 
@@ -399,22 +399,22 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} self.assertRaises(exception.ForbiddenAction, - self.identity_api.create_role, + self.assignment_api.create_role, role['id'], role) self.role_member['name'] = uuid.uuid4().hex self.assertRaises(exception.ForbiddenAction, - self.identity_api.update_role, + self.assignment_api.update_role, self.role_member['id'], self.role_member) self.assertRaises(exception.ForbiddenAction, - self.identity_api.delete_role, + self.assignment_api.delete_role, self.role_member['id']) def test_project_filter(self): - tenant_ref = self.identity_api.get_project(self.tenant_bar['id']) + tenant_ref = self.assignment_api.get_project(self.tenant_bar['id']) self.assertDictEqual(tenant_ref, self.tenant_bar) CONF.ldap.tenant_filter = '(CN=DOES_NOT_MATCH)' @@ -427,15 +427,15 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): # cache population. self.assignment_api.get_role.invalidate(self.assignment_api, self.role_member['id']) - self.identity_api.get_role(self.role_member['id']) + self.assignment_api.get_role(self.role_member['id']) self.assignment_api.get_project.invalidate(self.assignment_api, self.tenant_bar['id']) self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, self.tenant_bar['id']) def test_role_filter(self): - role_ref = self.identity_api.get_role(self.role_member['id']) + role_ref = self.assignment_api.get_role(self.role_member['id']) self.assertDictEqual(role_ref, self.role_member) CONF.ldap.role_filter = '(CN=DOES_NOT_MATCH)' @@ -449,7 +449,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): self.assignment_api.get_role.invalidate(self.assignment_api, self.role_member['id']) self.assertRaises(exception.RoleNotFound, - self.identity_api.get_role, + self.assignment_api.get_role, self.role_member['id']) def test_dumb_member(self): 
@@ -479,7 +479,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): # cache population. self.assignment_api.get_project.invalidate(self.assignment_api, self.tenant_baz['id']) - tenant_ref = self.identity_api.get_project(self.tenant_baz['id']) + tenant_ref = self.assignment_api.get_project(self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertEqual(tenant_ref['name'], self.tenant_baz['name']) self.assertEqual( @@ -500,7 +500,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): # cache population. self.assignment_api.get_project.invalidate(self.assignment_api, self.tenant_baz['id']) - tenant_ref = self.identity_api.get_project(self.tenant_baz['id']) + tenant_ref = self.assignment_api.get_project(self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertEqual(tenant_ref['name'], self.tenant_baz['description']) self.assertEqual(tenant_ref['description'], self.tenant_baz['name']) @@ -521,7 +521,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): # cache population. self.assignment_api.get_project.invalidate(self.assignment_api, self.tenant_baz['id']) - tenant_ref = self.identity_api.get_project(self.tenant_baz['id']) + tenant_ref = self.assignment_api.get_project(self.tenant_baz['id']) self.assertEqual(tenant_ref['id'], self.tenant_baz['id']) self.assertNotIn('name', tenant_ref) self.assertNotIn('description', tenant_ref) @@ -540,7 +540,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): # cache population. self.assignment_api.get_role.invalidate(self.assignment_api, self.role_member['id']) - role_ref = self.identity_api.get_role(self.role_member['id']) + role_ref = self.assignment_api.get_role(self.role_member['id']) self.assertEqual(role_ref['id'], self.role_member['id']) self.assertEqual(role_ref['name'], self.role_member['name']) 
@@ -554,7 +554,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): # cache population. self.assignment_api.get_role.invalidate(self.assignment_api, self.role_member['id']) - role_ref = self.identity_api.get_role(self.role_member['id']) + role_ref = self.assignment_api.get_role(self.role_member['id']) self.assertEqual(role_ref['id'], self.role_member['id']) self.assertNotIn('name', role_ref) @@ -571,7 +571,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): # cache population. self.assignment_api.get_role.invalidate(self.assignment_api, self.role_member['id']) - role_ref = self.identity_api.get_role(self.role_member['id']) + role_ref = self.assignment_api.get_role(self.role_member['id']) self.assertEqual(role_ref['id'], self.role_member['id']) self.assertNotIn('name', role_ref) @@ -692,11 +692,11 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'enabled': True, 'description': uuid.uuid4().hex} self.assertRaises(exception.Forbidden, - self.identity_api.create_domain, + self.assignment_api.create_domain, domain['id'], domain) self.assertRaises(exception.Conflict, - self.identity_api.create_domain, + self.assignment_api.create_domain, CONF.identity.default_domain_id, domain) self.assertRaises(exception.DomainNotFound, 
@@ -705,21 +705,21 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): domain['description'] = uuid.uuid4().hex self.assertRaises(exception.DomainNotFound, - self.identity_api.update_domain, + self.assignment_api.update_domain, domain['id'], domain) self.assertRaises(exception.Forbidden, - self.identity_api.update_domain, + self.assignment_api.update_domain, CONF.identity.default_domain_id, domain) self.assertRaises(exception.DomainNotFound, self.identity_api.get_domain, domain['id']) self.assertRaises(exception.DomainNotFound, - self.identity_api.delete_domain, + self.assignment_api.delete_domain, domain['id']) self.assertRaises(exception.Forbidden, - self.identity_api.delete_domain, + self.assignment_api.delete_domain, CONF.identity.default_domain_id) self.assertRaises(exception.DomainNotFound, self.identity_api.get_domain, @@ -756,12 +756,12 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): project['description'] = uuid.uuid4().hex self.assignment_api.update_project(project['id'], project) - project_ref = self.identity_api.get_project(project['id']) + project_ref = self.assignment_api.get_project(project['id']) self.assertDictEqual(project_ref, project) self.assignment_api.delete_project(project['id']) self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, project['id']) def test_cache_layer_project_crud(self): @@ -826,7 +826,7 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): role_list = [] for _ in range(2): role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) + self.assignment_api.create_role(role['id'], role) role_list.append(role) user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 
@@ -838,11 +838,11 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): 'domain_id': CONF.identity.default_domain_id} self.assignment_api.create_project(project1['id'], project1) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( user_id=user1['id'], tenant_id=project1['id'], role_id=role_list[0]['id']) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( user_id=user1['id'], tenant_id=project1['id'], role_id=role_list[1]['id']) @@ -852,17 +852,18 @@ class LDAPIdentity(tests.TestCase, BaseLDAPIdentity): # and group roles are combined. Only directly assigned user # roles are available, since group grants are not yet supported - combined_role_list = self.identity_api.get_roles_for_user_and_project( - user1['id'], project1['id']) - self.assertEqual(len(combined_role_list), 2) - self.assertIn(role_list[0]['id'], combined_role_list) - self.assertIn(role_list[1]['id'], combined_role_list) + combined_list = self.assignment_api.get_roles_for_user_and_project( + user1['id'], + project1['id']) + self.assertEqual(len(combined_list), 2) + self.assertIn(role_list[0]['id'], combined_list) + self.assertIn(role_list[1]['id'], combined_list) # Finally, although domain roles are not implemented, check we can # issue the combined get roles call with benign results, since thus is # used in token generation - combined_role_list = self.identity_api.get_roles_for_user_and_domain( + combined_role_list = self.assignment_api.get_roles_for_user_and_domain( user1['id'], CONF.identity.default_domain_id) self.assertEqual(len(combined_role_list), 0) 
@@ -897,7 +898,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity): 'description': uuid.uuid4().hex} self.assignment_api.create_project(project['id'], project) - project_ref = self.identity_api.get_project(project['id']) + project_ref = self.assignment_api.get_project(project['id']) # self.assignment_api.create_project adds an enabled # key with a value of True when LDAPIdentityEnabledEmulation @@ -907,12 +908,12 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity): project['description'] = uuid.uuid4().hex self.assignment_api.update_project(project['id'], project) - project_ref = self.identity_api.get_project(project['id']) + project_ref = self.assignment_api.get_project(project['id']) self.assertDictEqual(project_ref, project) self.assignment_api.delete_project(project['id']) self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, project['id']) def test_user_crud(self): diff --git a/keystone/tests/test_backend_sql.py b/keystone/tests/test_backend_sql.py index 8eeb3740fd..b9bd0dc3f9 100644 --- a/keystone/tests/test_backend_sql.py +++ b/keystone/tests/test_backend_sql.py @@ -158,8 +158,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests): 'domain_id': DEFAULT_DOMAIN_ID, 'password': uuid.uuid4().hex} self.identity_api.create_user(user['id'], user) - self.identity_api.add_user_to_project(self.tenant_bar['id'], - user['id']) + self.assignment_api.add_user_to_project(self.tenant_bar['id'], + user['id']) self.identity_api.delete_user(user['id']) self.assertRaises(exception.UserNotFound, self.assignment_api.list_projects_for_user, 
@@ -191,10 +191,10 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests): tenant['id'], tenant) self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, tenant['id']) self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project_by_name, + self.assignment_api.get_project_by_name, tenant['name'], DEFAULT_DOMAIN_ID) @@ -202,11 +202,11 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests): role = {'id': uuid.uuid4().hex, 'name': None} self.assertRaises(exception.Conflict, - self.identity_api.create_role, + self.assignment_api.create_role, role['id'], role) self.assertRaises(exception.RoleNotFound, - self.identity_api.get_role, + self.assignment_api.get_role, role['id']) def test_delete_project_with_user_association(self): @@ -215,8 +215,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests): 'domain_id': DEFAULT_DOMAIN_ID, 'password': 'passwd'} self.identity_api.create_user('fake', user) - self.identity_api.add_user_to_project(self.tenant_bar['id'], - user['id']) + self.assignment_api.add_user_to_project(self.tenant_bar['id'], + user['id']) self.assignment_api.delete_project(self.tenant_bar['id']) tenants = self.assignment_api.list_projects_for_user(user['id']) self.assertEqual(tenants, []) @@ -231,8 +231,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests): self.identity_api.create_user(user['id'], user) role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.create_role(role['id'], role) + self.assignment_api.add_role_to_user_and_project( user['id'], self.tenant_bar['id'], role['id']) 
@@ -255,8 +255,8 @@ class SqlIdentity(SqlTests, test_backend.IdentityTests): self.identity_api.create_user(user['id'], user) role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} - self.identity_api.create_role(role['id'], role) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.create_role(role['id'], role) + self.assignment_api.add_role_to_user_and_project( user['id'], self.tenant_bar['id'], role['id']) diff --git a/keystone/tests/test_content_types.py b/keystone/tests/test_content_types.py index 0132ffb452..49035f4c05 100644 --- a/keystone/tests/test_content_types.py +++ b/keystone/tests/test_content_types.py @@ -73,7 +73,7 @@ class RestfulTestCase(tests.TestCase): # TODO(termie): add an admin user to the fixtures and use that user # override the fixtures, for now - self.metadata_foobar = self.identity_api.add_role_to_user_and_project( + self.md_foobar = self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id']) @@ -412,7 +412,7 @@ class CoreApiTests(object): expected_status=404) def test_validate_token_service_role(self): - self.metadata_foobar = self.identity_api.add_role_to_user_and_project( + self.md_foobar = self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_service['id'], self.role_service['id']) diff --git a/keystone/tests/test_keystoneclient.py b/keystone/tests/test_keystoneclient.py index f2f5a03880..4d3de8a693 100644 --- a/keystone/tests/test_keystoneclient.py +++ b/keystone/tests/test_keystoneclient.py @@ -42,7 +42,7 @@ class CompatTestCase(tests.TestCase): # TODO(termie): add an admin user to the fixtures and use that user # override the fixtures, for now - self.metadata_foobar = self.identity_api.add_role_to_user_and_project( + self.md_foobar = self.assignment_api.add_role_to_user_and_project( self.user_foo['id'], self.tenant_bar['id'], self.role_admin['id']) 
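Review bot: Renaming the fixture attribute to `self.md_foobar` looks driven only by line length, and any reader of `self.metadata_foobar` outside these hunks would now raise AttributeError. The rename appears in the `RestfulTestCase` hunk and `test_validate_token_service_role` in test_content_types.py, and in the `@@ -42` hunk of test_keystoneclient.py. Keeping the name and wrapping the call avoids the risk: `self.metadata_foobar = (` followed by `self.assignment_api.add_role_to_user_and_project(` and the unchanged arguments. The enclosing methods start and end outside the hunks, so other uses of the attribute cannot be checked from here.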
@@ -927,8 +927,8 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests): tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id, 'domain_id': DEFAULT_DOMAIN_ID} self.assignment_api.create_project(tenant_id, tenant) - self.identity_api.add_user_to_project(tenant_id, - self.user_foo['id']) + self.assignment_api.add_user_to_project(tenant_id, + self.user_foo['id']) tenants = client.tenants.list() self.assertEqual(len(tenants), 3) @@ -954,8 +954,8 @@ class KcMasterTestCase(CompatTestCase, KeystoneClientTests): tenant = {'name': 'tenant-%s' % tenant_id, 'id': tenant_id, 'domain_id': DEFAULT_DOMAIN_ID} self.assignment_api.create_project(tenant_id, tenant) - self.identity_api.add_user_to_project(tenant_id, - self.user_foo['id']) + self.assignment_api.add_user_to_project(tenant_id, + self.user_foo['id']) tenants = client.tenants.list() self.assertEqual(len(tenants), 3) diff --git a/keystone/tests/test_v3.py b/keystone/tests/test_v3.py index ba6363b52e..f736b29520 100644 --- a/keystone/tests/test_v3.py +++ b/keystone/tests/test_v3.py @@ -100,7 +100,7 @@ class RestfulTestCase(test_content_types.RestfulTestCase): self.domain_id = uuid.uuid4().hex self.domain = self.new_domain_ref() self.domain['id'] = self.domain_id - self.identity_api.create_domain(self.domain_id, self.domain) + self.assignment_api.create_domain(self.domain_id, self.domain) self.project_id = uuid.uuid4().hex self.project = self.new_project_ref( 
@@ -132,13 +132,13 @@ class RestfulTestCase(test_content_types.RestfulTestCase): self.role = self.new_role_ref() self.role['id'] = self.role_id self.role['name'] = 'admin' - self.identity_api.create_role(self.role_id, self.role) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.create_role(self.role_id, self.role) + self.assignment_api.add_role_to_user_and_project( self.user_id, self.project_id, self.role_id) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.default_domain_user_id, self.default_domain_project_id, self.role_id) - self.identity_api.add_role_to_user_and_project( + self.assignment_api.add_role_to_user_and_project( self.default_domain_user_id, self.project_id, self.role_id) diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py index c0e191bee2..73fe2f122b 100644 --- a/keystone/tests/test_v3_auth.py +++ b/keystone/tests/test_v3_auth.py @@ -372,7 +372,7 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase): super(TestTokenRevokeSelfAndAdmin, self).setUp() self.domainA = self.new_domain_ref() - self.identity_api.create_domain(self.domainA['id'], self.domainA) + self.assignment_api.create_domain(self.domainA['id'], self.domainA) self.userAdminA = self.new_user_ref(domain_id=self.domainA['id']) self.userAdminA['password'] = uuid.uuid4().hex @@ -385,11 +385,11 @@ class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase): self.role1 = self.new_role_ref() self.role1['name'] = 'admin' - self.identity_api.create_role(self.role1['id'], self.role1) + self.assignment_api.create_role(self.role1['id'], self.role1) - self.identity_api.create_grant(self.role1['id'], - user_id=self.userAdminA['id'], - domain_id=self.domainA['id']) + self.assignment_api.create_grant(self.role1['id'], + user_id=self.userAdminA['id'], + domain_id=self.domainA['id']) # Finally, switch to the v3 sample policy file self.orig_policy_file = CONF.policy_file 
@@ -503,9 +503,9 @@ class TestTokenRevoking(test_v3.RestfulTestCase): # Start by creating a couple of domains and projects self.domainA = self.new_domain_ref() - self.identity_api.create_domain(self.domainA['id'], self.domainA) + self.assignment_api.create_domain(self.domainA['id'], self.domainA) self.domainB = self.new_domain_ref() - self.identity_api.create_domain(self.domainB['id'], self.domainB) + self.assignment_api.create_domain(self.domainB['id'], self.domainB) self.projectA = self.new_project_ref(domain_id=self.domainA['id']) self.assignment_api.create_project(self.projectA['id'], self.projectA) self.projectB = self.new_project_ref(domain_id=self.domainA['id']) 
@@ -547,25 +547,25 @@ class TestTokenRevoking(test_v3.RestfulTestCase): self.group2['id']) self.role1 = self.new_role_ref() - self.identity_api.create_role(self.role1['id'], self.role1) + self.assignment_api.create_role(self.role1['id'], self.role1) self.role2 = self.new_role_ref() - self.identity_api.create_role(self.role2['id'], self.role2) + self.assignment_api.create_role(self.role2['id'], self.role2) - self.identity_api.create_grant(self.role2['id'], - user_id=self.user1['id'], - domain_id=self.domainA['id']) - self.identity_api.create_grant(self.role1['id'], - user_id=self.user1['id'], - project_id=self.projectA['id']) - self.identity_api.create_grant(self.role1['id'], - user_id=self.user2['id'], - project_id=self.projectA['id']) - self.identity_api.create_grant(self.role1['id'], - user_id=self.user3['id'], - project_id=self.projectA['id']) - self.identity_api.create_grant(self.role1['id'], - group_id=self.group1['id'], - project_id=self.projectA['id']) + self.assignment_api.create_grant(self.role2['id'], + user_id=self.user1['id'], + domain_id=self.domainA['id']) + self.assignment_api.create_grant(self.role1['id'], + user_id=self.user1['id'], + project_id=self.projectA['id']) + self.assignment_api.create_grant(self.role1['id'], + user_id=self.user2['id'], + project_id=self.projectA['id']) + self.assignment_api.create_grant(self.role1['id'], + user_id=self.user3['id'], + project_id=self.projectA['id']) + self.assignment_api.create_grant(self.role1['id'], + group_id=self.group1['id'], + project_id=self.projectA['id']) def test_unscoped_token_remains_valid_after_role_assignment(self): r = self.post( @@ -592,7 +592,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase): # create a new role role = self.new_role_ref() - self.identity_api.create_role(role['id'], role) + self.assignment_api.create_role(role['id'], role) # assign a new role self.put( 
@@ -685,18 +685,18 @@ class TestTokenRevoking(test_v3.RestfulTestCase): self.identity_api.create_user(self.user6['id'], self.user6) self.identity_api.add_user_to_group(self.user5['id'], self.group1['id']) - self.identity_api.create_grant(self.role1['id'], - group_id=self.group1['id'], - project_id=self.projectB['id']) - self.identity_api.create_grant(self.role2['id'], - user_id=self.user4['id'], - project_id=self.projectC['id']) - self.identity_api.create_grant(self.role1['id'], - user_id=self.user6['id'], - project_id=self.projectA['id']) - self.identity_api.create_grant(self.role1['id'], - user_id=self.user6['id'], - domain_id=self.domainA['id']) + self.assignment_api.create_grant(self.role1['id'], + group_id=self.group1['id'], + project_id=self.projectB['id']) + self.assignment_api.create_grant(self.role2['id'], + user_id=self.user4['id'], + project_id=self.projectC['id']) + self.assignment_api.create_grant(self.role1['id'], + user_id=self.user6['id'], + project_id=self.projectA['id']) + self.assignment_api.create_grant(self.role1['id'], + user_id=self.user6['id'], + domain_id=self.domainA['id']) # Now we are ready to start issuing requests auth_data = self.build_authentication_request( @@ -1306,7 +1306,7 @@ class TestAuthJSON(test_v3.RestfulTestCase): """ domainA = self.new_domain_ref() - self.identity_api.create_domain(domainA['id'], domainA) + self.assignment_api.create_domain(domainA['id'], domainA) projectA = self.new_project_ref(domain_id=domainA['id']) self.assignment_api.create_project(projectA['id'], projectA) 
@@ -1337,33 +1337,33 @@ class TestAuthJSON(test_v3.RestfulTestCase): role_list = [] for _ in range(8): role = self.new_role_ref() - self.identity_api.create_role(role['id'], role) + self.assignment_api.create_role(role['id'], role) role_list.append(role) - self.identity_api.create_grant(role_list[0]['id'], - user_id=user1['id'], - domain_id=domainA['id']) - self.identity_api.create_grant(role_list[1]['id'], - user_id=user1['id'], - project_id=projectA['id']) - self.identity_api.create_grant(role_list[2]['id'], - user_id=user2['id'], - domain_id=domainA['id']) - self.identity_api.create_grant(role_list[3]['id'], - user_id=user2['id'], - project_id=projectA['id']) - self.identity_api.create_grant(role_list[4]['id'], - group_id=group1['id'], - domain_id=domainA['id']) - self.identity_api.create_grant(role_list[5]['id'], - group_id=group1['id'], - project_id=projectA['id']) - self.identity_api.create_grant(role_list[6]['id'], - group_id=group2['id'], - domain_id=domainA['id']) - self.identity_api.create_grant(role_list[7]['id'], - group_id=group2['id'], - project_id=projectA['id']) + self.assignment_api.create_grant(role_list[0]['id'], + user_id=user1['id'], + domain_id=domainA['id']) + self.assignment_api.create_grant(role_list[1]['id'], + user_id=user1['id'], + project_id=projectA['id']) + self.assignment_api.create_grant(role_list[2]['id'], + user_id=user2['id'], + domain_id=domainA['id']) + self.assignment_api.create_grant(role_list[3]['id'], + user_id=user2['id'], + project_id=projectA['id']) + self.assignment_api.create_grant(role_list[4]['id'], + group_id=group1['id'], + domain_id=domainA['id']) + self.assignment_api.create_grant(role_list[5]['id'], + group_id=group1['id'], + project_id=projectA['id']) + self.assignment_api.create_grant(role_list[6]['id'], + group_id=group2['id'], + domain_id=domainA['id']) + self.assignment_api.create_grant(role_list[7]['id'], + group_id=group2['id'], + project_id=projectA['id']) # First, get a project scoped token - which 
should # contain the direct user role and the one by virtue diff --git a/keystone/tests/test_v3_identity.py b/keystone/tests/test_v3_identity.py index f6d57e621e..a686583b36 100644 --- a/keystone/tests/test_v3_identity.py +++ b/keystone/tests/test_v3_identity.py @@ -156,7 +156,7 @@ class IdentityTestCase(test_v3.RestfulTestCase): """Call ``PATCH /domains/{domain_id}`` (set enabled=False).""" # Create a 2nd set of entities in a 2nd domain self.domain2 = self.new_domain_ref() - self.identity_api.create_domain(self.domain2['id'], self.domain2) + self.assignment_api.create_domain(self.domain2['id'], self.domain2) self.project2 = self.new_project_ref( domain_id=self.domain2['id']) @@ -167,8 +167,8 @@ class IdentityTestCase(test_v3.RestfulTestCase): project_id=self.project2['id']) self.identity_api.create_user(self.user2['id'], self.user2) - self.identity_api.add_user_to_project(self.project2['id'], - self.user2['id']) + self.assignment_api.add_user_to_project(self.project2['id'], + self.user2['id']) # First check a user in that domain can authenticate, via # Both v2 and v3 @@ -254,7 +254,7 @@ class IdentityTestCase(test_v3.RestfulTestCase): # Create a 2nd set of entities in a 2nd domain self.domain2 = self.new_domain_ref() - self.identity_api.create_domain(self.domain2['id'], self.domain2) + self.assignment_api.create_domain(self.domain2['id'], self.domain2) self.project2 = self.new_project_ref( domain_id=self.domain2['id']) @@ -290,7 +290,7 @@ class IdentityTestCase(test_v3.RestfulTestCase): self.identity_api.get_domain, self.domain2['id']) self.assertRaises(exception.ProjectNotFound, - self.identity_api.get_project, + self.assignment_api.get_project, self.project2['id']) self.assertRaises(exception.GroupNotFound, self.identity_api.get_group, 
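Review bot: In the `@@ -290,7 +290,7 @@` hunk of keystone/tests/test_v3_identity.py the project lookup now goes through `self.assignment_api.get_project`, but the call just above it still passes `self.identity_api.get_domain`, even though this file now creates domains with `self.assignment_api.create_domain`. The next hunk (`@@ -305,7 +305,7 @@`) has the same split, with `r = self.identity_api.get_domain(self.domain['id'])` next to the moved `get_project` call. If domain reads are meant to move together with domain writes, both should become `self.assignment_api.get_domain`. Otherwise the assertions presumably pass only while identity_api keeps forwarding the call, which the diff does not show. The enclosing test method starts and ends outside both hunks.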
@@ -305,7 +305,7 @@ class IdentityTestCase(test_v3.RestfulTestCase): # ...and that all self.domain entities are still here r = self.identity_api.get_domain(self.domain['id']) self.assertDictEqual(r, self.domain) - r = self.identity_api.get_project(self.project['id']) + r = self.assignment_api.get_project(self.project['id']) self.assertDictEqual(r, self.project) r = self.identity_api.get_group(self.group['id']) self.assertDictEqual(r, self.group) @@ -1015,9 +1015,9 @@ class IdentityTestCase(test_v3.RestfulTestCase): domain_id=self.domain['id']) self.assignment_api.create_project(self.project1['id'], self.project1) self.role1 = self.new_role_ref() - self.identity_api.create_role(self.role1['id'], self.role1) + self.assignment_api.create_role(self.role1['id'], self.role1) self.role2 = self.new_role_ref() - self.identity_api.create_role(self.role2['id'], self.role2) + self.assignment_api.create_role(self.role2['id'], self.role2) # Now add one of each of the four types of assignment @@ -1203,7 +1203,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase): role_list.append(role) domain = self.new_domain_ref() - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) user1 = self.new_user_ref( domain_id=domain['id']) user1['password'] = uuid.uuid4().hex @@ -1295,7 +1295,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase): role_list.append(role) domain = self.new_domain_ref() - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) user1 = self.new_user_ref( domain_id=domain['id']) user1['password'] = uuid.uuid4().hex 
@@ -1388,7 +1388,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase): role_list.append(role) domain = self.new_domain_ref() - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) user1 = self.new_user_ref( domain_id=domain['id']) user1['password'] = uuid.uuid4().hex @@ -1491,7 +1491,7 @@ class IdentityInheritanceTestCase(test_v3.RestfulTestCase): role_list.append(role) domain = self.new_domain_ref() - self.identity_api.create_domain(domain['id'], domain) + self.assignment_api.create_domain(domain['id'], domain) user1 = self.new_user_ref( domain_id=domain['id']) user1['password'] = uuid.uuid4().hex diff --git a/keystone/tests/test_v3_oauth1.py b/keystone/tests/test_v3_oauth1.py index a398cffbed..009046e734 100644 --- a/keystone/tests/test_v3_oauth1.py +++ b/keystone/tests/test_v3_oauth1.py @@ -507,9 +507,9 @@ class MaliciousOAuth1Tests(OAuth1Tests): credentials = urlparse.parse_qs(content.result) request_key = credentials.get('oauth_token')[0] - self.identity_api.remove_role_from_user_and_project(self.user_id, - self.project_id, - self.role_id) + self.assignment_api.remove_role_from_user_and_project(self.user_id, + self.project_id, + self.role_id) url = self._authorize_request_token(request_key) body = {'roles': [{'id': self.role_id}]} self.admin_request(path=url, method='PUT', diff --git a/keystone/tests/test_v3_protection.py b/keystone/tests/test_v3_protection.py index 54f34b9050..adbaa87dbb 100644 --- a/keystone/tests/test_v3_protection.py +++ b/keystone/tests/test_v3_protection.py 
@@ -55,12 +55,12 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase): super(IdentityTestProtectedCase, self).setUp(load_sample_data=False) # Start by creating a couple of domains self.domainA = self.new_domain_ref() - self.identity_api.create_domain(self.domainA['id'], self.domainA) + self.assignment_api.create_domain(self.domainA['id'], self.domainA) self.domainB = self.new_domain_ref() - self.identity_api.create_domain(self.domainB['id'], self.domainB) + self.assignment_api.create_domain(self.domainB['id'], self.domainB) self.domainC = self.new_domain_ref() self.domainC['enabled'] = False - self.identity_api.create_domain(self.domainC['id'], self.domainC) + self.assignment_api.create_domain(self.domainC['id'], self.domainC) # Now create some users, one in domainA and two of them in domainB self.user1 = self.new_user_ref(domain_id=self.domainA['id']) 
@@ -85,18 +85,18 @@ class IdentityTestProtectedCase(test_v3.RestfulTestCase): self.identity_api.create_group(self.group3['id'], self.group3) self.role = self.new_role_ref() - self.identity_api.create_role(self.role['id'], self.role) + self.assignment_api.create_role(self.role['id'], self.role) self.role1 = self.new_role_ref() - self.identity_api.create_role(self.role1['id'], self.role1) - self.identity_api.create_grant(self.role['id'], - user_id=self.user1['id'], - domain_id=self.domainA['id']) - self.identity_api.create_grant(self.role['id'], - user_id=self.user2['id'], - domain_id=self.domainA['id']) - self.identity_api.create_grant(self.role1['id'], - user_id=self.user1['id'], - domain_id=self.domainA['id']) + self.assignment_api.create_role(self.role1['id'], self.role1) + self.assignment_api.create_grant(self.role['id'], + user_id=self.user1['id'], + domain_id=self.domainA['id']) + self.assignment_api.create_grant(self.role['id'], + user_id=self.user2['id'], + domain_id=self.domainA['id']) + self.assignment_api.create_grant(self.role1['id'], + user_id=self.user1['id'], + domain_id=self.domainA['id']) # Initialize the policy engine and allow us to write to a temp # file in each test to create the policies @@ -411,9 +411,9 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase): load_sample_data=False) # Start by creating a couple of domains self.domainA = self.new_domain_ref() - self.identity_api.create_domain(self.domainA['id'], self.domainA) + self.assignment_api.create_domain(self.domainA['id'], self.domainA) self.domainB = self.new_domain_ref() - self.identity_api.create_domain(self.domainB['id'], self.domainB) + self.assignment_api.create_domain(self.domainB['id'], self.domainB) self.admin_domain = {'id': 'admin_domain_id', 'name': 'Admin_domain'} self.assignment_api.create_domain(self.admin_domain['id'], self.admin_domain) 
@@ -442,7 +442,7 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase): self.admin_role = {'id': uuid.uuid4().hex, 'name': 'admin'} self.assignment_api.create_role(self.admin_role['id'], self.admin_role) self.role = self.new_role_ref() - self.identity_api.create_role(self.role['id'], self.role) + self.assignment_api.create_role(self.role['id'], self.role) # The cloud admin just gets the admin role self.assignment_api.create_grant(self.admin_role['id'], diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py index 72486a1af5..8027154a31 100644 --- a/keystone/token/controllers.py +++ b/keystone/token/controllers.py @@ -120,7 +120,7 @@ class Auth(controller.V2Controller): roles_ref = [] for role_id in metadata_ref.get('roles', []): - role_ref = self.identity_api.get_role(role_id) + role_ref = self.assignment_api.get_role(role_id) roles_ref.append(dict(name=role_ref['name'])) (token_id, token_data) = self.token_provider_api.issue_v2_token( @@ -331,7 +331,7 @@ class Auth(controller.V2Controller): if tenant_name: try: - tenant_ref = self.identity_api.get_project_by_name( + tenant_ref = self.assignment_api.get_project_by_name( tenant_name, DEFAULT_DOMAIN_ID) tenant_id = tenant_ref['id'] except exception.ProjectNotFound as e: @@ -364,8 +364,8 @@ class Auth(controller.V2Controller): role_list = [] if tenant_id: try: - tenant_ref = self.identity_api.get_project(tenant_id) - role_list = self.identity_api.get_roles_for_user_and_project( + tenant_ref = self.assignment_api.get_project(tenant_id) + role_list = self.assignment_api.get_roles_for_user_and_project( user_id, tenant_id) except exception.ProjectNotFound: pass diff --git a/keystone/token/providers/uuid.py b/keystone/token/providers/uuid.py index afbacc789d..5ddc0498bf 100644 --- a/keystone/token/providers/uuid.py +++ b/keystone/token/providers/uuid.py 
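Review bot: In the `@@ -364,8 +364,8 @@` hunk of keystone/token/controllers.py, `except exception.ProjectNotFound: pass` silently discards a failure from the two calls that now go to `assignment_api`, so a request carrying an unknown `tenant_id` continues with `role_list = []` and nothing is logged. Because this sits on the token-issuing path, the intent should be written down: either add a comment above the `pass` naming where the unknown tenant is rejected later, or fail closed here with `except exception.ProjectNotFound as e:` followed by `raise exception.Unauthorized(e)`. The method body continues outside the hunk, so whether `tenant_ref` is initialised before the `try` and how the empty role list is handled afterwards cannot be confirmed from the visible lines.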
@@ -36,7 +36,7 @@ CONF = config.CONF DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id -@dependency.requires('catalog_api', 'identity_api') +@dependency.requires('assignment_api', 'catalog_api', 'identity_api') class V2TokenDataHelper(object): """Creates V2 token data.""" @classmethod @@ -132,7 +132,7 @@ class V2TokenDataHelper(object): return services.values() -@dependency.requires('catalog_api', 'identity_api') +@dependency.requires('assignment_api', 'catalog_api', 'identity_api') class V3TokenDataHelper(object): """Token data helper.""" def __init__(self): @@ -144,7 +144,7 @@ class V3TokenDataHelper(object): return {'id': domain_ref['id'], 'name': domain_ref['name']} def _get_filtered_project(self, project_id): - project_ref = self.identity_api.get_project(project_id) + project_ref = self.assignment_api.get_project(project_id) filtered_project = { 'id': project_ref['id'], 'name': project_ref['name']} @@ -165,12 +165,12 @@ class V3TokenDataHelper(object): def _get_roles_for_user(self, user_id, domain_id, project_id): roles = [] if domain_id: - roles = self.identity_api.get_roles_for_user_and_domain( + roles = self.assignment_api.get_roles_for_user_and_domain( user_id, domain_id) if project_id: - roles = self.identity_api.get_roles_for_user_and_project( + roles = self.assignment_api.get_roles_for_user_and_project( user_id, project_id) - return [self.identity_api.get_role(role_id) for role_id in roles] + return [self.assignment_api.get_role(role_id) for role_id in roles] def _populate_user(self, token_data, user_id, domain_id, project_id, trust): @@ -215,7 +215,7 @@ class V3TokenDataHelper(object): if access_token: filtered_roles = [] authed_role_ids = json.loads(access_token['role_ids']) - all_roles = self.identity_api.list_roles() + all_roles = self.assignment_api.list_roles() for role in all_roles: for authed_role in authed_role_ids: if authed_role == role['id']: 
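Review bot: `_get_roles_for_user` in the `@@ -165,12 +165,12 @@` hunk of keystone/token/providers/uuid.py has no docstring, and its two independent `if` blocks mean that when both `domain_id` and `project_id` are set, the domain lookup runs and its result is then overwritten by the project roles. Since this method decides which roles are placed in a token, that precedence should be stated explicitly, for example `"""Return role refs for the user on the project if given, otherwise on the domain."""`. Testing `if project_id:` first and making the domain branch `elif domain_id:` would return the same result with one backend call instead of two.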
@@ -329,7 +329,8 @@ class V3TokenDataHelper(object): @dependency.optional('oauth_api') -@dependency.requires('token_api', 'identity_api', 'catalog_api') +@dependency.requires('assignment_api', 'catalog_api', 'identity_api', + 'token_api') class Provider(token.provider.Provider): def __init__(self, *args, **kwargs): super(Provider, self).__init__(*args, **kwargs) @@ -507,7 +508,7 @@ class Provider(token.provider.Provider): trust_ref['trustor_user_id']) if trustor_user_ref['domain_id'] != DEFAULT_DOMAIN_ID: raise exception.Unauthorized(msg) - project_ref = self.identity_api.get_project( + project_ref = self.assignment_api.get_project( trust_ref['project_id']) if project_ref['domain_id'] != DEFAULT_DOMAIN_ID: raise exception.Unauthorized(msg) @@ -535,7 +536,7 @@ class Provider(token.provider.Provider): metadata_ref = token_ref['metadata'] roles_ref = [] for role_id in metadata_ref.get('roles', []): - roles_ref.append(self.identity_api.get_role(role_id)) + roles_ref.append(self.assignment_api.get_role(role_id)) # Get a service catalog if possible # This is needed for on-behalf-of requests diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py index 8553e50c16..c3d0ae3aa0 100644 --- a/keystone/trust/controllers.py +++ b/keystone/trust/controllers.py @@ -46,7 +46,8 @@ def _admin_trustor_only(context, trust, user_id): raise exception.Forbidden() -@dependency.requires('identity_api', 'trust_api', 'token_api') +@dependency.requires('assignment_api', 'identity_api', 'trust_api', + 'token_api') class TrustV3(controller.V3Controller): collection_name = "trusts" member_name = "trust" @@ -86,7 +87,7 @@ class TrustV3(controller.V3Controller): user_id != trust['trustee_user_id']): raise exception.Forbidden() self._fill_in_roles(context, trust, - self.identity_api.list_roles()) + self.assignment_api.list_roles()) return TrustV3.wrap_member(context, trust) def _fill_in_roles(self, context, trust, global_roles): 
@@ -154,15 +155,16 @@ class TrustV3(controller.V3Controller): trustee_ref = self.identity_api.get_user(trust['trustee_user_id']) if not trustee_ref: raise exception.UserNotFound(user_id=trust['trustee_user_id']) - global_roles = self.identity_api.list_roles() + global_roles = self.assignment_api.list_roles() clean_roles = self._clean_role_list(context, trust, global_roles) if trust.get('project_id'): - user_roles = self.identity_api.get_roles_for_user_and_project( - user_id, trust['project_id']) + user_role = self.assignment_api.get_roles_for_user_and_project( + user_id, + trust['project_id']) else: - user_roles = [] + user_role = [] for trust_role in clean_roles: - matching_roles = [x for x in user_roles + matching_roles = [x for x in user_role if x == trust_role['id']] if not matching_roles: raise exception.RoleNotFound(role_id=trust_role['id']) @@ -203,7 +205,7 @@ class TrustV3(controller.V3Controller): if user_id != calling_user_id: raise exception.Forbidden() trusts += self.trust_api.list_trusts_for_trustee(user_id) - global_roles = self.identity_api.list_roles() + global_roles = self.assignment_api.list_roles() for trust in trusts: self._fill_in_roles(context, trust, global_roles) return TrustV3.wrap_collection(context, trusts) @@ -256,7 +258,7 @@ class TrustV3(controller.V3Controller): if x['id'] == role_id] if not matching_roles: raise exception.RoleNotFound(role_id=role_id) - global_roles = self.identity_api.list_roles() + global_roles = self.assignment_api.list_roles() matching_roles = [x for x in global_roles if x['id'] == role_id] if matching_roles:
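Review bot: The `@@ -154,15 +155,16 @@` hunk of keystone/trust/controllers.py renames `user_roles` to `user_role` although the value is still the list returned by `get_roles_for_user_and_project` (or `[]`). The singular name makes it harder to read the check that `user_id` holds every role in `clean_roles`. The rename looks like a way to stay within the line length; keeping the plural name and wrapping the call in parentheses would achieve that without it. The `matching_roles` comprehension can then be a plain membership test, `if trust_role['id'] not in user_roles:` followed by the existing `raise exception.RoleNotFound(role_id=trust_role['id'])`. The enclosing method begins and ends outside the hunk.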