openstack/keystone
Code Issues Proposed changes

Merge "Separate trust crud tests from trust auth tests"

Browse Source
This commit is contained in:
Jenkins 2016-01-12 04:20:23 +00:00 committed by Gerrit Code Review
commit c0c1227c30
2 changed files with 407 additions and 378 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

379
keystone/tests/unit/test_v3_auth.py
View File

@ -3205,12 +3205,6 @@ class TestTrustAuth(test_v3.RestfulTestCase):
domain_id=self.domain_id)
self.trustee_user_id = self.trustee_user['id']
def test_create_trust_bad_request(self):
# The server returns a 403 Forbidden rather than a 400 Bad Request, see
# bug 1133435
self.post('/OS-TRUST/trusts', body={'trust': {}},
expected_status=http_client.FORBIDDEN)
def test_create_unscoped_trust(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
@ -3260,6 +3254,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
trust = r.result.get('trust')
self.assertIsNotNone(trust)
self.assertEqual(1, trust['remaining_uses'])
# FIXME(lbragstad): Assert the role that is returned is the right role.
def test_create_one_time_use_trust(self):
trust = self._initialize_test_consume_trust(1)
@ -3275,52 +3270,6 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_create_trust_with_bad_values_for_remaining_uses(self):
# negative values for the remaining_uses parameter are forbidden
self._create_trust_with_bad_remaining_use(bad_value=-1)
# 0 is a forbidden value as well
self._create_trust_with_bad_remaining_use(bad_value=0)
# as are non integer values
self._create_trust_with_bad_remaining_use(bad_value="a bad value")
self._create_trust_with_bad_remaining_use(bad_value=7.2)
def _create_trust_with_bad_remaining_use(self, bad_value):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
remaining_uses=bad_value,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_invalid_trust_request_without_impersonation(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
del ref['impersonation']
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_invalid_trust_request_without_trustee(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
del ref['trustee_user_id']
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_unlimited_use_trust(self):
# by default trusts are unlimited in terms of tokens that can be
# generated from them, this test creates such a trust explicitly
@ -3349,293 +3298,6 @@ class TestTrustAuth(test_v3.RestfulTestCase):
trust = r.result.get('trust')
self.assertIsNone(trust['remaining_uses'])
def test_trust_crud(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
self.assertValidTrustResponse(r, ref)
# validate roles on the trust
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s/roles' % {
'trust_id': trust['id']})
roles = self.assertValidRoleListResponse(r, self.role)
self.assertIn(self.role['id'], [x['id'] for x in roles])
self.head(
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']},
expected_status=http_client.OK)
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']})
self.assertValidRoleResponse(r, self.role)
r = self.get('/OS-TRUST/trusts')
self.assertValidTrustListResponse(r, trust)
# trusts are immutable
self.patch(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
body={'trust': ref},
expected_status=http_client.NOT_FOUND)
self.delete(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
def test_create_trust_trustee_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=uuid.uuid4().hex,
project_id=self.project_id,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_trustor_trustee_backwards(self):
ref = unit.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.FORBIDDEN)
def test_create_trust_project_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=uuid.uuid4().hex,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_role_id_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_role_name_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_names=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.default_domain_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(
r, self.default_domain_user)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=CONF.admin_token,
method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_trustor_not_in_default_domaini_failed(self):
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.default_domain_project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(
r, self.trustee_user)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=CONF.admin_token,
method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_project_not_in_default_domaini_failed(self):
# create a trustee in default domain to delegate stuff to
trustee_user = unit.create_user(self.identity_api,
domain_id=test_v3.DEFAULT_DOMAIN_ID)
trustee_user_id = trustee_user['id']
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user_id,
trustee_user_id=trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
user_id=trustee_user['id'],
password=trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(
r, trustee_user)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=CONF.admin_token,
method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix(self):
# create a trustee in default domain to delegate stuff to
trustee_user = unit.create_user(self.identity_api,
domain_id=test_v3.DEFAULT_DOMAIN_ID)
trustee_user_id = trustee_user['id']
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user_id,
trustee_user_id=trustee_user_id,
project_id=self.default_domain_project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
user_id=trustee_user['id'],
password=trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(
r, trustee_user)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=CONF.admin_token,
method='GET', expected_status=http_client.OK)
def test_exercise_trust_scoped_token_without_impersonation(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(r, self.trustee_user)
self.assertEqual(self.trustee_user['id'],
r.result['token']['user']['id'])
self.assertEqual(self.trustee_user['name'],
r.result['token']['user']['name'])
self.assertEqual(self.domain['id'],
r.result['token']['user']['domain']['id'])
self.assertEqual(self.domain['name'],
r.result['token']['user']['domain']['name'])
self.assertEqual(self.project['id'],
r.result['token']['project']['id'])
self.assertEqual(self.project['name'],
r.result['token']['project']['name'])
def test_exercise_trust_scoped_token_with_impersonation(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(r, self.user)
self.assertEqual(self.user['id'], r.result['token']['user']['id'])
self.assertEqual(self.user['name'], r.result['token']['user']['name'])
self.assertEqual(self.domain['id'],
r.result['token']['user']['domain']['id'])
self.assertEqual(self.domain['name'],
r.result['token']['user']['domain']['name'])
self.assertEqual(self.project['id'],
r.result['token']['project']['id'])
self.assertEqual(self.project['name'],
r.result['token']['project']['name'])
def test_impersonation_token_cannot_create_new_trust(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
@ -3887,14 +3549,6 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.delete('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']})
self.get('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
self.get('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
@ -3902,37 +3556,6 @@ class TestTrustAuth(test_v3.RestfulTestCase):
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_list_trusts(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
for i in range(3):
ref['expires_at'] = datetime.datetime.utcnow().replace(
year=2031).strftime(unit.TIME_FORMAT)
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
self.assertValidTrustResponse(r, ref)
r = self.get('/OS-TRUST/trusts')
trusts = r.result['trusts']
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
r = self.get('/OS-TRUST/trusts?trustor_user_id=%s' %
self.user_id)
trusts = r.result['trusts']
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' %
self.user_id)
trusts = r.result['trusts']
self.assertEqual(0, len(trusts))
def test_change_password_invalidates_trust_tokens(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,

406
keystone/tests/unit/test_v3_trust.py Normal file
View File

@ -0,0 +1,406 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import datetime
import uuid
from oslo_config import cfg
from six.moves import http_client
from keystone.tests import unit
from keystone.tests.unit import test_v3
CONF = cfg.CONF
class TestTrustOperations(test_v3.RestfulTestCase):
"""Test module for create, read, update and delete operations on trusts.
This module is specific to tests for trust CRUD operations. All other tests
related to trusts that are authentication or authorization specific should
live in in the keystone/tests/unit/test_v3_auth.py module.
"""
def setUp(self):
super(TestTrustOperations, self).setUp()
# create a trustee to delegate stuff to
self.trustee_user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.trustee_user_id = self.trustee_user['id']
def test_create_trust_bad_request(self):
# The server returns a 403 Forbidden rather than a 400 Bad Request, see
# bug 1133435
self.post('/OS-TRUST/trusts', body={'trust': {}},
expected_status=http_client.FORBIDDEN)
def test_trust_crud(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
# get the trust
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
self.assertValidTrustResponse(r, ref)
# validate roles on the trust
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s/roles' % {
'trust_id': trust['id']})
roles = self.assertValidRoleListResponse(r, self.role)
self.assertIn(self.role['id'], [x['id'] for x in roles])
self.head(
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']},
expected_status=http_client.OK)
r = self.get(
'/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
'trust_id': trust['id'],
'role_id': self.role['id']})
self.assertValidRoleResponse(r, self.role)
# list all trusts
r = self.get('/OS-TRUST/trusts')
self.assertValidTrustListResponse(r, trust)
# trusts are immutable
self.patch(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
body={'trust': ref},
expected_status=http_client.NOT_FOUND)
# delete the trust
self.delete(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
# ensure the trust is not found
self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
def test_list_trusts(self):
# create three trusts with the same trustor and trustee
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
for i in range(3):
ref['expires_at'] = datetime.datetime.utcnow().replace(
year=2031).strftime(unit.TIME_FORMAT)
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
self.assertValidTrustResponse(r, ref)
# list all trusts
r = self.get('/OS-TRUST/trusts')
trusts = r.result['trusts']
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
# list all trusts for the trustor
r = self.get('/OS-TRUST/trusts?trustor_user_id=%s' %
self.user_id)
trusts = r.result['trusts']
self.assertEqual(3, len(trusts))
self.assertValidTrustListResponse(r)
# list all trusts as the trustor as the trustee.
r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' %
self.user_id)
trusts = r.result['trusts']
self.assertEqual(0, len(trusts))
# list all trusts as the trustee is forbidden
r = self.get('/OS-TRUST/trusts?trustee_user_id=%s' %
self.trustee_user_id,
expected_status=http_client.FORBIDDEN)
def test_delete_trust(self):
# create a trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r, ref)
# delete the trust
self.delete('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']})
# ensure the trust isn't found
self.get('/OS-TRUST/trusts/%(trust_id)s' % {
'trust_id': trust['id']},
expected_status=http_client.NOT_FOUND)
def test_create_trust_without_trustee_returns_bad_request(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
# trustee_user_id is required to create a trust
del ref['trustee_user_id']
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_trust_without_impersonation_returns_bad_request(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[self.role_id])
# impersonation is required to create a trust
del ref['impersonation']
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_trust_with_bad_remaining_uses_returns_bad_request(self):
# negative numbers, strings, non-integers, and 0 are not value values
for value in [-1, 0, "a bad value", 7.2]:
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
remaining_uses=value,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts',
body={'trust': ref},
expected_status=http_client.BAD_REQUEST)
def test_create_trust_with_non_existant_trustee_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=uuid.uuid4().hex,
project_id=self.project_id,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_with_trustee_as_trustor_returns_forbidden(self):
ref = unit.new_trust_ref(
trustor_user_id=self.trustee_user_id,
trustee_user_id=self.user_id,
project_id=self.project_id,
role_ids=[self.role_id])
# NOTE(lbragstad): This fails because the user making the request isn't
# the trustor defined in the request.
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.FORBIDDEN)
def test_create_trust_with_non_existant_project_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=uuid.uuid4().hex,
role_ids=[self.role_id])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_with_non_existant_role_id_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_ids=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_create_trust_with_non_existant_role_name_returns_not_found(self):
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
role_names=[uuid.uuid4().hex])
self.post('/OS-TRUST/trusts', body={'trust': ref},
expected_status=http_client.NOT_FOUND)
def test_validate_trust_scoped_token_against_v2_returns_unauthorized(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.default_domain_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(r)
# get a v3 trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(
r, self.default_domain_user)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=CONF.admin_token,
method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_trustor_not_in_default_domain_failed(self):
# get a project-scoped token
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.default_domain_project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(
r, self.trustee_user)
token = r.headers.get('X-Subject-Token')
# now validate the v3 token with v2 API
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=CONF.admin_token,
method='GET', expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_intermix_project_not_in_default_domain_failed(self):
# create a trustee in default domain to delegate stuff to
trustee_user = unit.create_user(self.identity_api,
domain_id=test_v3.DEFAULT_DOMAIN_ID)
trustee_user_id = trustee_user['id']
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.default_domain_user_id,
trustee_user_id=trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
# get a project-scoped token as the default_domain_user
auth_data = self.build_authentication_request(
user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'],
project_id=self.default_domain_project_id)
token = self.get_requested_token(auth_data)
r = self.post('/OS-TRUST/trusts', body={'trust': ref}, token=token)
trust = self.assertValidTrustResponse(r)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=trustee_user['id'],
password=trustee_user['password'],
trust_id=trust['id'])
r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(r, trustee_user)
token = r.headers.get('X-Subject-Token')
# ensure the token is invalid against v2
path = '/v2.0/tokens/%s' % (token)
self.admin_request(
path=path, token=CONF.admin_token,
method='GET', expected_status=http_client.UNAUTHORIZED)
def test_exercise_trust_scoped_token_without_impersonation(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=False,
expires=dict(minutes=1),
role_ids=[self.role_id])
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
resp_body = resp.json_body['token']
self.assertValidProjectTrustScopedTokenResponse(resp,
self.trustee_user)
self.assertEqual(self.trustee_user['id'], resp_body['user']['id'])
self.assertEqual(self.trustee_user['name'], resp_body['user']['name'])
self.assertEqual(self.domain['id'], resp_body['user']['domain']['id'])
self.assertEqual(self.domain['name'],
resp_body['user']['domain']['name'])
self.assertEqual(self.project['id'], resp_body['project']['id'])
self.assertEqual(self.project['name'], resp_body['project']['name'])
def test_exercise_trust_scoped_token_with_impersonation(self):
# create a new trust
ref = unit.new_trust_ref(
trustor_user_id=self.user_id,
trustee_user_id=self.trustee_user_id,
project_id=self.project_id,
impersonation=True,
expires=dict(minutes=1),
role_ids=[self.role_id])
resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
trust = self.assertValidTrustResponse(resp)
# get a trust-scoped token as the trustee
auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'],
password=self.trustee_user['password'],
trust_id=trust['id'])
resp = self.v3_create_token(auth_data)
resp_body = resp.json_body['token']
self.assertValidProjectTrustScopedTokenResponse(resp, self.user)
self.assertEqual(self.user['id'], resp_body['user']['id'])
self.assertEqual(self.user['name'], resp_body['user']['name'])
self.assertEqual(self.domain['id'], resp_body['user']['domain']['id'])
self.assertEqual(self.domain['name'],
resp_body['user']['domain']['name'])
self.assertEqual(self.project['id'], resp_body['project']['id'])
self.assertEqual(self.project['name'], resp_body['project']['name'])