diff --git a/keystone/identity/backends/kvs.py b/keystone/identity/backends/kvs.py
index 35ac476dec..1e1c6ad6f2 100644
--- a/keystone/identity/backends/kvs.py
+++ b/keystone/identity/backends/kvs.py
@@ -49,7 +49,9 @@ class Identity(kvs.Base, identity.Driver):
 if (not user_ref or not utils.check_password(password, user_ref.get('password'))):
 raise AssertionError('Invalid user / password')
- if tenant_id and tenant_id not in user_ref['tenants']:
+
+ tenants = self.get_tenants_for_user(user_id)
+ if tenant_id and tenant_id not in tenants:
 raise AssertionError('Invalid tenant')
 tenant_ref = self.get_tenant(tenant_id)
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py
index 409a384a0b..3138720f38 100644
--- a/keystone/identity/backends/ldap/core.py
+++ b/keystone/identity/backends/ldap/core.py
@@ -74,17 +74,11 @@ class Identity(identity.Driver):
 except Exception:
 raise AssertionError('Invalid user / password')
- if tenant_id:
- found = False
- for tenant in user_ref['tenants']:
- if tenant == tenant_id:
- found = True
- break
+ tenants = self.get_tenants_for_user(user_id)
+ if tenant_id and tenant_id not in tenants:
+ raise AssertionError('Invalid tenant')
- if not found:
- raise AssertionError('Invalid tenant')
-
- tenant_ref = self.tenant.get(tenant_id)
+ tenant_ref = self.get_tenant(tenant_id)
 metadata_ref = {}
 # TODO(termie): this should probably be made into a get roles call
 #if tenant_ref:
@@ -103,10 +97,6 @@ class Identity(identity.Driver):
 user_ref = self.user.get(user_id)
 if not user_ref:
 return None
- tenants = self.tenant.get_user_tenants(user_id)
- user_ref['tenants'] = []
- for tenant in tenants:
- user_ref['tenants'].append(tenant['id'])
 return user_ref
 def get_user(self, user_id):
diff --git a/keystone/identity/backends/sql.py b/keystone/identity/backends/sql.py
index adc33b1286..cf1f70e294 100644
--- a/keystone/identity/backends/sql.py
+++ b/keystone/identity/backends/sql.py
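Review bot: In keystone/identity/backends/kvs.py the new `tenants = self.get_tenants_for_user(user_id)` is used directly in `tenant_id not in tenants`, with no guard for an empty or missing result. `get_tenants_for_user` is not part of this diff; if it can return `None` for a user with no tenant membership, a tenant-scoped login would end in a TypeError rather than the intended `AssertionError('Invalid tenant')`, so the caller would see an internal error instead of an authentication failure. Consider `tenants = self.get_tenants_for_user(user_id) or []`, placed under an `if tenant_id:` so that unscoped logins skip the extra lookup. The same two lines appear in the first ldap/core.py hunk. The authenticate body starts and ends outside the hunk.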
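Review bot: In keystone/identity/backends/ldap/core.py the membership test `tenant_id not in tenants` is only correct if `self.get_tenants_for_user` returns a list of tenant ids. The lines removed from `_get_user` in the following hunk show that `self.tenant.get_user_tenants(user_id)` yields dicts that had to be mapped through `tenant['id']`; if the driver method (not visible here) passes those through unmapped, every tenant-scoped login on this backend would be rejected. That fails closed, but the dependency deserves a comment on the new line, for example `# get_tenants_for_user returns tenant ids, not tenant dicts`, and a backend test that authenticates once with a tenant the user belongs to and once with one they do not. The enclosing authenticate method starts and ends outside the hunk.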
@@ -128,8 +128,6 @@ class Identity(sql.Base, identity.Driver):
 """
 user_ref = self._get_user(user_id)
- tenant_ref = None
- metadata_ref = None
 if (not user_ref or not utils.check_password(password, user_ref.get('password'))):
 raise AssertionError('Invalid user / password')
diff --git a/tests/_ldap_livetest.py b/tests/_ldap_livetest.py
index 76b2e7e112..167e0e5159 100644
--- a/tests/_ldap_livetest.py
+++ b/tests/_ldap_livetest.py
@@ -1,6 +1,7 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
 import subprocess
+import nose.exc
 from keystone import config
 from keystone import test
@@ -27,20 +28,20 @@ def delete_object(name):
 def clear_live_database():
 roles = ['keystone_admin']
- groups = ['baz', 'bar', 'tenent4add','fake1','fake2']
- users = ['foo', 'two','fake1','fake2']
+ groups = ['baz', 'bar', 'tenent4add', 'fake1', 'fake2']
+ users = ['foo', 'two', 'fake1', 'fake2']
 roles = ['keystone_admin', 'useless']
 for group in groups:
 for role in roles:
- delete_object ('cn=%s,cn=%s,ou=Groups' % (role, group))
+ delete_object('cn=%s,cn=%s,ou=Groups' % (role, group))
 delete_object('cn=%s,ou=Groups' % group)
 for user in users:
- delete_object ('cn=%s,ou=Users' % user)
+ delete_object('cn=%s,ou=Users' % user)
 for role in roles:
- delete_object ('cn=%s,ou=Roles' % role)
+ delete_object('cn=%s,ou=Roles' % role)
 class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
@@ -52,10 +53,9 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
 clear_live_database()
 self.identity_api = identity_ldap.Identity()
 self.load_fixtures(default_fixtures)
- self.user_foo = {'id': 'foo',
- 'name': 'FOO',
- 'password': 'foo2',
- 'tenants': ['bar']}
 def tearDown(self):
 test.TestCase.tearDown(self)
+
+ def test_get_user_by_name(self):
+ raise nose.exc.SkipTest('not implemented in ldap yet')
diff --git a/tests/test_backend.py b/tests/test_backend.py
index 01ac73ea98..dc566252a4 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -71,7 +71,6 @@ class IdentityTests(object):
 user_ref = self.identity_api._get_user(self.user_foo['id'])
 self.assertNotEqual(user_ref['password'], self.user_foo['password'])
-
 def test_get_tenant_bad_tenant(self):
 tenant_ref = self.identity_api.get_tenant(
 tenant_id=self.tenant_bar['id'] + 'WRONG')
@@ -105,6 +104,15 @@ class IdentityTests(object):
 self.user_foo.pop('password')
 self.assertDictEquals(user_ref, self.user_foo)
+ def test_get_user_by_name(self):
+ user_ref = self.identity_api.get_user_by_name(
+ user_name=self.user_foo['name'])
+ # NOTE(termie): the password field is left in user_foo to make it easier
+ # to authenticate in tests, but should not be returned by
+ # the api
+ self.user_foo.pop('password')
+ self.assertDictEquals(user_ref, self.user_foo)
+
 def test_get_metadata_bad_user(self):
 metadata_ref = self.identity_api.get_metadata(
 user_id=self.user_foo['id'] + 'WRONG',
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
index 06bf073522..b989bcefb6 100644
--- a/tests/test_backend_ldap.py
+++ b/tests/test_backend_ldap.py
@@ -1,5 +1,7 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
+import nose.exc
+
 from keystone import config
 from keystone import test
 from keystone.common.ldap import fakeldap
@@ -26,10 +28,9 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests):
 clear_database()
 self.identity_api = identity_ldap.Identity()
 self.load_fixtures(default_fixtures)
- self.user_foo = {'id': 'foo',
- 'name': 'FOO',
- 'password': 'foo2',
- 'tenants': ['bar']}
 def tearDown(self):
 test.TestCase.tearDown(self)
+
+ def test_get_user_by_name(self):
+ raise nose.exc.SkipTest('not implemented in ldap yet')
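Review bot: In the added `test_get_user_by_name` (tests/test_backend.py) the rule stated in the NOTE comment, that the password must not be returned by the API, is only checked indirectly through `assertDictEquals` after `self.user_foo.pop('password')`. An explicit `self.assertTrue('password' not in user_ref)` before the comparison would pin that property on its own. It would also give a clearer failure if a backend's `get_user_by_name` ever started returning the stored hash. The LDAP variants of this test are skipped in this commit, so the property is not exercised for that backend at all.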