Merge "Expose idempotency issue with bootstrap" into stable/newton

2016-12-14 20:37:41 +00:00 · 2016-12-14 20:37:41 +00:00 · d4201ba228
parent 846790870a 0d9a51ea77
commit d4201ba228
1 changed files with 42 additions and 0 deletions
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@ -23,6 +23,7 @@ from oslotest import mockpatch
 from six.moves import range
 from testtools import matchers
 from keystone.auth import controllers
 from keystone.cmd import cli
 from keystone.common import dependency
 from keystone.common.sql import migration_helpers
@ -160,7 +161,48 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
        # without erroring.
        bootstrap = cli.BootStrap()
        self._do_test_bootstrap(bootstrap)
        v3_token_controller = controllers.Auth()
        v3_password_data = {
            'identity': {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": bootstrap.username,
                        "password": bootstrap.password,
                        "domain": {
                            "id": CONF.identity.default_domain_id
                        }
                    }
                }
            }
        }
        auth_response = v3_token_controller.authenticate_for_token(
            self.make_request(), v3_password_data)
        token = auth_response.headers['X-Subject-Token']
        self._do_test_bootstrap(bootstrap)
        # build validation request
        request = self.make_request(
            is_admin=True,
            headers={
                'X-Subject-Token': token,
                'X-Auth-Token': token
            }
        )
        request.context_dict['subject_token_id'] = token
        # NOTE(lbragstad): This is currently broken because the bootstrap
        # operation will automatically reset a user's password even if it is
        # the same as it was before. Bootstrap has this behavior so it's
        # possible to recover admin accounts, which was one of our main
        # usecases for introducing the bootstrap functionality. The side-effect
        # is that changing the password will create a revocation event. So if a
        # token is obtained in-between two bootstrap calls, the token will no
        # longer be valid after the second bootstrap operation completes, even
        # if the password is the same.
        self.assertRaises(
            exception.TokenNotFound,
            v3_token_controller.validate_token,
            request
        )
    def test_bootstrap_recovers_user(self):
        bootstrap = cli.BootStrap()