standardize ldap and related tests

ldap was accidentally supplying some of its own values rather than using
the built-in fixtures, so it was providing the incorrect interface for a
couple calls.

also adds a test for get_user_by_name (skipped for ldap) and
standardizes the kvs and ldap authenticate calls

fix user authentication live ldap tests
Change-Id: If1ccce1fd9c84622bb89344bc5d5c59b059d03ae

keystone/identity/backends/kvs.py

@@ -49,7 +49,9 @@ class Identity(kvs.Base, identity.Driver):
         if (not user_ref
             or not utils.check_password(password, user_ref.get('password'))):
             raise AssertionError('Invalid user / password')
-        if tenant_id and tenant_id not in user_ref['tenants']:
+
+        tenants = self.get_tenants_for_user(user_id)
+        if tenant_id and tenant_id not in tenants:
             raise AssertionError('Invalid tenant')
 
         tenant_ref = self.get_tenant(tenant_id)

keystone/identity/backends/ldap/core.py

@@ -74,17 +74,11 @@ class Identity(identity.Driver):
         except Exception:
             raise AssertionError('Invalid user / password')
 
-        if tenant_id:
-            found = False
-            for tenant in user_ref['tenants']:
-                if tenant == tenant_id:
-                    found = True
-                    break
+        tenants = self.get_tenants_for_user(user_id)
+        if tenant_id and tenant_id not in tenants:
+            raise AssertionError('Invalid tenant')
 
-            if not found:
-                raise AssertionError('Invalid tenant')
-
-        tenant_ref = self.tenant.get(tenant_id)
+        tenant_ref = self.get_tenant(tenant_id)
         metadata_ref = {}
         # TODO(termie): this should probably be made into a get roles call
         #if tenant_ref:
@@ -103,10 +97,6 @@ class Identity(identity.Driver):
         user_ref = self.user.get(user_id)
         if not user_ref:
             return None
-        tenants = self.tenant.get_user_tenants(user_id)
-        user_ref['tenants'] = []
-        for tenant in tenants:
-            user_ref['tenants'].append(tenant['id'])
         return user_ref
 
     def get_user(self, user_id):

keystone/identity/backends/sql.py

@@ -128,8 +128,6 @@ class Identity(sql.Base, identity.Driver):
 
         """
         user_ref = self._get_user(user_id)
-        tenant_ref = None
-        metadata_ref = None
         if (not user_ref
             or not utils.check_password(password, user_ref.get('password'))):
             raise AssertionError('Invalid user / password')

tests/_ldap_livetest.py

@@ -1,6 +1,7 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
 
 import subprocess
+import nose.exc
 
 from keystone import config
 from keystone import test
@@ -27,20 +28,20 @@ def delete_object(name):
 
 def clear_live_database():
     roles = ['keystone_admin']
-    groups = ['baz', 'bar', 'tenent4add','fake1','fake2']
-    users = ['foo', 'two','fake1','fake2']
+    groups = ['baz', 'bar', 'tenent4add', 'fake1', 'fake2']
+    users = ['foo', 'two', 'fake1', 'fake2']
     roles = ['keystone_admin', 'useless']
 
     for group in groups:
         for role in roles:
-            delete_object ('cn=%s,cn=%s,ou=Groups' % (role, group))
+            delete_object('cn=%s,cn=%s,ou=Groups' % (role, group))
         delete_object('cn=%s,ou=Groups' % group)
 
     for user in users:
-        delete_object ('cn=%s,ou=Users' % user)
+        delete_object('cn=%s,ou=Users' % user)
 
     for role in roles:
-        delete_object ('cn=%s,ou=Roles' % role)
+        delete_object('cn=%s,ou=Roles' % role)
 
 
 class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
@@ -52,10 +53,9 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
         clear_live_database()
         self.identity_api = identity_ldap.Identity()
         self.load_fixtures(default_fixtures)
-        self.user_foo = {'id': 'foo',
-                         'name': 'FOO',
-                         'password': 'foo2',
-                         'tenants': ['bar']}
 
     def tearDown(self):
         test.TestCase.tearDown(self)
+
+    def test_get_user_by_name(self):
+        raise nose.exc.SkipTest('not implemented in ldap yet')

tests/test_backend.py

@@ -71,7 +71,6 @@ class IdentityTests(object):
         user_ref = self.identity_api._get_user(self.user_foo['id'])
         self.assertNotEqual(user_ref['password'], self.user_foo['password'])
 
-
     def test_get_tenant_bad_tenant(self):
         tenant_ref = self.identity_api.get_tenant(
                 tenant_id=self.tenant_bar['id'] + 'WRONG')
@@ -105,6 +104,15 @@ class IdentityTests(object):
         self.user_foo.pop('password')
         self.assertDictEquals(user_ref, self.user_foo)
 
+    def test_get_user_by_name(self):
+        user_ref = self.identity_api.get_user_by_name(
+                user_name=self.user_foo['name'])
+        # NOTE(termie): the password field is left in user_foo to make it easier
+        #               to authenticate in tests, but should not be returned by
+        #               the api
+        self.user_foo.pop('password')
+        self.assertDictEquals(user_ref, self.user_foo)
+
     def test_get_metadata_bad_user(self):
         metadata_ref = self.identity_api.get_metadata(
                 user_id=self.user_foo['id'] + 'WRONG',

tests/test_backend_ldap.py

@@ -1,5 +1,7 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
 
+import nose.exc
+
 from keystone import config
 from keystone import test
 from keystone.common.ldap import fakeldap
@@ -26,10 +28,9 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
         clear_database()
         self.identity_api = identity_ldap.Identity()
         self.load_fixtures(default_fixtures)
-        self.user_foo = {'id': 'foo',
-                         'name': 'FOO',
-                         'password': 'foo2',
-                         'tenants': ['bar']}
 
     def tearDown(self):
         test.TestCase.tearDown(self)
+
+    def test_get_user_by_name(self):
+        raise nose.exc.SkipTest('not implemented in ldap yet')