Re-enable line-length linter

In 09088690 we mistakenly added E501 to the flake8 ignore list. Since then, many new violations have been introduced. This patch re-enables the check and corrects all violations, except in some cases like unit test names where the subunit output would suffer if we attempted to shorten the function name. This may appear to be a pointless no-op that messes with git-blameability, and it is, but the reason to do this is that if PEP8 violations are introduced in master and then backported to a stable branch, most stable branches will fail the pep8 job since the flake8 ignore list is correct for those branches. Rather than loosening the check in older branches or requiring those backports to fix the linter errors independently of what's been merged in master, we should fix it now so that we don't introduce more errors in the future and patches can more easily be backported. Change-Id: I9f71926105eb448bb0200201d1838b67d4963cd6
2019-10-18 09:08:07 -07:00 · 2019-10-18 09:08:07 -07:00 · e2d83ae95d
commit e2d83ae95d
parent 19d4831daa
35 changed files with 597 additions and 417 deletions
--- a/keystone/api/credentials.py
+++ b/keystone/api/credentials.py
@ -139,8 +139,8 @@ class CredentialResource(ks_flask.ResourceBase):
        trust_id = getattr(self.oslo_context, 'trust_id', None)
        ref = self._assign_unique_id(
            self._normalize_dict(credential), trust_id=trust_id)
-        ref = PROVIDERS.credential_api.create_credential(ref['id'], ref,
-                                                         initiator=self.audit_initiator)
+        ref = PROVIDERS.credential_api.create_credential(
+            ref['id'], ref, initiator=self.audit_initiator)
        return self.wrap_member(ref), http_client.CREATED

    def patch(self, credential_id):
@ -165,9 +165,9 @@ class CredentialResource(ks_flask.ResourceBase):
            build_target=_build_target_enforcement
        )

-        return (PROVIDERS.credential_api.delete_credential(credential_id,
-                                                           initiator=self.audit_initiator),
-                http_client.NO_CONTENT)
+        return (PROVIDERS.credential_api.delete_credential(
+            credential_id, initiator=self.audit_initiator),
+            http_client.NO_CONTENT)


 class CredentialAPI(ks_flask.APIBase):
--- a/keystone/api/trusts.py
+++ b/keystone/api/trusts.py
@ -228,12 +228,13 @@ class TrustResource(ks_flask.ResourceBase):
        # rule check_str is ""
        if isinstance(rules, op_checks.TrueCheck):
            LOG.warning(
-                "The policy check string for rule \"identity:list_trusts\" has been overridden "
-                "to \"always true\". In the next release, this will cause the "
-                "\"identity:list_trusts\" action to be fully permissive as hardcoded "
-                "enforcement will be removed. To correct this issue, either stop overriding the "
-                "\"identity:list_trusts\" rule in config to accept the defaults, or explicitly "
-                "set a rule that is not empty."
+                "The policy check string for rule \"identity:list_trusts\" "
+                "has been overridden to \"always true\". In the next release, "
+                "this will cause the \"identity:list_trusts\" action to be "
+                "fully permissive as hardcoded enforcement will be removed. "
+                "To correct this issue, either stop overriding the "
+                "\"identity:list_trusts\" rule in config to accept the "
+                "defaults, or explicitly set a rule that is not empty."
            )
            if not flask.request.args:
                # NOTE(morgan): Admin can list all trusts.
@ -242,9 +243,11 @@ class TrustResource(ks_flask.ResourceBase):
        if not flask.request.args:
            trusts += PROVIDERS.trust_api.list_trusts()
        elif trustor_user_id:
-            trusts += PROVIDERS.trust_api.list_trusts_for_trustor(trustor_user_id)
+            trusts += PROVIDERS.trust_api.list_trusts_for_trustor(
+                trustor_user_id)
        elif trustee_user_id:
-            trusts += PROVIDERS.trust_api.list_trusts_for_trustee(trustee_user_id)
+            trusts += PROVIDERS.trust_api.list_trusts_for_trustee(
+                trustee_user_id)

        for trust in trusts:
            # get_trust returns roles, list_trusts does not
--- a/keystone/application_credential/backends/sql.py
+++ b/keystone/application_credential/backends/sql.py
@ -143,7 +143,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase):
                    access_rule_ref = session.query(AccessRuleModel).filter_by(
                        external_id=access_rule['id']).first()
                    if not access_rule_ref:
-                        access_rule_ref = session.query(AccessRuleModel).filter_by(
+                        query = session.query(AccessRuleModel)
+                        access_rule_ref = query.filter_by(
                            user_id=app_cred['user_id'],
                            service=access_rule['service'],
                            path=access_rule['path'],
@ -154,7 +155,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase):
                            for k, v in access_rule.items()})
                        access_rule_ref['user_id'] = app_cred['user_id']
                        session.add(access_rule_ref)
-                    app_cred_access_rule = ApplicationCredentialAccessRuleModel()
+                    app_cred_access_rule = (
+                        ApplicationCredentialAccessRuleModel())
                    app_cred_access_rule.application_credential = ref
                    app_cred_access_rule.access_rule = access_rule_ref
                    session.add(app_cred_access_rule)
@ -253,7 +255,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase):
                        access_rule_id=access_rule_id)
                session.delete(ref)
        except AssertionError:
-            raise exception.ForbiddenNotSecurity("May not delete access rule in use")
+            raise exception.ForbiddenNotSecurity(
+                "May not delete access rule in use")

    def delete_access_rules_for_user(self, user_id):
        with sql.session_for_write() as session:
--- a/keystone/cmd/bootstrap.py
+++ b/keystone/cmd/bootstrap.py
@ -127,7 +127,8 @@ class Bootstrapper(object):
                            "bootstrap command in the future.You can opt into "
                            "this behavior by using the --immutable-role "
                            "flag, or update role %(role)s with the "
-                            "'immutable' resource option.", {'role': role_name})
+                            "'immutable' resource option.",
+                            {'role': role_name})
            return role
        except exception.Conflict:
            LOG.info('Role %s exists, skipping creation.', role_name)
--- a/keystone/common/policies/endpoint_group.py
+++ b/keystone/common/policies/endpoint_group.py
@ -25,12 +25,12 @@ deprecated_get_endpoint_group = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_list_projects_associated_with_endpoint_group = policy.DeprecatedRule(
+deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_list_endpoints_associated_with_endpoint_group = policy.DeprecatedRule(
+deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule(
    name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
    check_str=base.RULE_ADMIN_REQUIRED,
 )
@ -142,7 +142,7 @@ group_endpoint_policies = [
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                              '{endpoint_group_id}/projects'),
                     'method': 'GET'}],
-        deprecated_rule=deprecated_list_projects_associated_with_endpoint_group,
+        deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -153,7 +153,7 @@ group_endpoint_policies = [
        operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
                              '{endpoint_group_id}/endpoints'),
                     'method': 'GET'}],
-        deprecated_rule=deprecated_list_endpoints_associated_with_endpoint_group,
+        deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/grant.py
+++ b/keystone/common/policies/grant.py
@ -27,12 +27,18 @@ DOMAIN_MATCHES_USER_DOMAIN = 'domain_id:%(target.user.domain_id)s'
 DOMAIN_MATCHES_GROUP_DOMAIN = 'domain_id:%(target.group.domain_id)s'
 DOMAIN_MATCHES_PROJECT_DOMAIN = 'domain_id:%(target.project.domain_id)s'
 DOMAIN_MATCHES_TARGET_DOMAIN = 'domain_id:%(target.domain.id)s'
-DOMAIN_MATCHES_ROLE = 'domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s'
+DOMAIN_MATCHES_ROLE = (
+    'domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s'
+)
 GRANTS_DOMAIN_READER = (
-    '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
-    '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
-    '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
-    '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
+    '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
+    ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
+    '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
+    ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
+    '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
+    ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
+    '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
+    ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
 )
 SYSTEM_READER_OR_DOMAIN_READER = (
    '(' + base.SYSTEM_READER + ') or '
@ -45,10 +51,14 @@ SYSTEM_READER_OR_DOMAIN_READER_LIST = (
 )

 GRANTS_DOMAIN_ADMIN = (
-    '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
-    '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
-    '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
-    '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
+    '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
+    ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
+    '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and'
+    ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or '
+    '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
+    ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or '
+    '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and'
+    ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')'
 )
 SYSTEM_ADMIN_OR_DOMAIN_ADMIN = (
    '(' + base.SYSTEM_ADMIN + ') or '
--- a/keystone/common/policies/policy_association.py
+++ b/keystone/common/policies/policy_association.py
@ -19,17 +19,17 @@ from keystone.common.policies import base
 # System-scoped tokens should be required to manage policy associations to
 # existing system-level resources.

-deprecated_check_policy_association_for_endpoint = policy.DeprecatedRule(
+deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule(
    name=base.IDENTITY % 'check_policy_association_for_endpoint',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_check_policy_association_for_service = policy.DeprecatedRule(
+deprecated_check_policy_assoc_for_service = policy.DeprecatedRule(
    name=base.IDENTITY % 'check_policy_association_for_service',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_check_policy_association_for_region_and_service = policy.DeprecatedRule(
+deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule(
    name=base.IDENTITY % 'check_policy_association_for_region_and_service',
    check_str=base.RULE_ADMIN_REQUIRED,
 )
@ -44,38 +44,39 @@ deprecated_list_endpoints_for_policy = policy.DeprecatedRule(
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_create_policy_association_for_endpoint = policy.DeprecatedRule(
+deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule(
    name=base.IDENTITY % 'create_policy_association_for_endpoint',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_delete_policy_association_for_endpoint = policy.DeprecatedRule(
+deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule(
    name=base.IDENTITY % 'delete_policy_association_for_endpoint',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_create_policy_association_for_service = policy.DeprecatedRule(
+deprecated_create_policy_assoc_for_service = policy.DeprecatedRule(
    name=base.IDENTITY % 'create_policy_association_for_service',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_delete_policy_association_for_service = policy.DeprecatedRule(
+deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule(
    name=base.IDENTITY % 'delete_policy_association_for_service',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_create_policy_association_for_region_and_service = policy.DeprecatedRule(
+deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule(
    name=base.IDENTITY % 'create_policy_association_for_region_and_service',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

-deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedRule(
+deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule(
    name=base.IDENTITY % 'delete_policy_association_for_region_and_service',
    check_str=base.RULE_ADMIN_REQUIRED,
 )

 DEPRECATED_REASON = (
-    "The policy association API is now aware of system scope and default roles."
+    "The policy association API is now aware of system scope and default "
+    "roles."
 )

 policy_association_policies = [
@ -87,7 +88,7 @@ policy_association_policies = [
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'endpoints/{endpoint_id}'),
                     'method': 'PUT'}],
-        deprecated_rule=deprecated_create_policy_association_for_endpoint,
+        deprecated_rule=deprecated_create_policy_assoc_for_endpoint,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -101,7 +102,7 @@ policy_association_policies = [
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'endpoints/{endpoint_id}'),
                     'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_policy_association_for_endpoint,
+        deprecated_rule=deprecated_check_policy_assoc_for_endpoint,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -112,7 +113,7 @@ policy_association_policies = [
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'endpoints/{endpoint_id}'),
                     'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_policy_association_for_endpoint,
+        deprecated_rule=deprecated_delete_policy_assoc_for_endpoint,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -123,7 +124,7 @@ policy_association_policies = [
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'services/{service_id}'),
                     'method': 'PUT'}],
-        deprecated_rule=deprecated_create_policy_association_for_service,
+        deprecated_rule=deprecated_create_policy_assoc_for_service,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -137,7 +138,7 @@ policy_association_policies = [
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'services/{service_id}'),
                     'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_policy_association_for_service,
+        deprecated_rule=deprecated_check_policy_assoc_for_service,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -148,7 +149,7 @@ policy_association_policies = [
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'services/{service_id}'),
                     'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_policy_association_for_service,
+        deprecated_rule=deprecated_delete_policy_assoc_for_service,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -161,7 +162,7 @@ policy_association_policies = [
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'services/{service_id}/regions/{region_id}'),
                     'method': 'PUT'}],
-        deprecated_rule=deprecated_create_policy_association_for_region_and_service,
+        deprecated_rule=deprecated_create_policy_assoc_for_region_and_service,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -175,7 +176,7 @@ policy_association_policies = [
                    {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'services/{service_id}/regions/{region_id}'),
                     'method': 'HEAD'}],
-        deprecated_rule=deprecated_check_policy_association_for_region_and_service,
+        deprecated_rule=deprecated_check_policy_assoc_for_region_and_service,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
@ -187,7 +188,7 @@ policy_association_policies = [
        operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/'
                              'services/{service_id}/regions/{region_id}'),
                     'method': 'DELETE'}],
-        deprecated_rule=deprecated_delete_policy_association_for_region_and_service,
+        deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
--- a/keystone/common/policies/trust.py
+++ b/keystone/common/policies/trust.py
@ -77,18 +77,22 @@ trust_policies = [
        check_str=SYSTEM_READER_OR_TRUSTOR,
        scope_types=['system', 'project'],
        description='List trusts for trustor.',
-        operations=[{'path': '/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}',
+        operations=[{'path': '/v3/OS-TRUST/trusts?'
+                             'trustor_user_id={trustor_user_id}',
                     'method': 'GET'},
-                    {'path': '/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}',
+                    {'path': '/v3/OS-TRUST/trusts?'
+                             'trustor_user_id={trustor_user_id}',
                     'method': 'HEAD'}]),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_trusts_for_trustee',
        check_str=SYSTEM_READER_OR_TRUSTEE,
        scope_types=['system', 'project'],
        description='List trusts for trustee.',
-        operations=[{'path': '/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}',
+        operations=[{'path': '/v3/OS-TRUST/trusts?'
+                             'trustee_user_id={trustee_user_id}',
                     'method': 'GET'},
-                    {'path': '/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}',
+                    {'path': '/v3/OS-TRUST/trusts?'
+                             'trustee_user_id={trustee_user_id}',
                     'method': 'HEAD'}]),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_roles_for_trust',
--- a/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py
+++ b/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py
@ -19,7 +19,8 @@ def upgrade(migrate_engine):
    meta = sql.MetaData()
    meta.bind = migrate_engine

-    application_credential = sql.Table('application_credential', meta, autoload=True)
+    application_credential = sql.Table(
+        'application_credential', meta, autoload=True)
    access_rule = sql.Table(
        'access_rule', meta,
        sql.Column('id', sql.Integer, primary_key=True, nullable=False),
--- a/keystone/common/sql/expand_repo/versions/064_expand_add_remote_id_attribute_to_federation_protocol_table.py
+++ b/keystone/common/sql/expand_repo/versions/064_expand_add_remote_id_attribute_to_federation_protocol_table.py
@ -17,6 +17,7 @@ def upgrade(migrate_engine):
    meta = sql.MetaData()
    meta.bind = migrate_engine

-    federation_protocol_table = sql.Table('federation_protocol', meta, autoload=True)
+    federation_protocol_table = sql.Table(
+        'federation_protocol', meta, autoload=True)
    remote_id_attribute = sql.Column('remote_id_attribute', sql.String(64))
    federation_protocol_table.create_column(remote_id_attribute)
--- a/keystone/conf/memcache.py
+++ b/keystone/conf/memcache.py
@ -29,8 +29,9 @@ socket_timeout = cfg.IntOpt(
    default=3,
    deprecated_for_removal=True,
    deprecated_reason='This option is duplicated with oslo.cache. '
-                      'Configure ``keystone.conf [cache] memcache_socket_timeout`` '
-                      'option to set the socket_timeout of memcached instead. ',
+                      'Configure ``keystone.conf [cache] '
+                      'memcache_socket_timeout`` option to set the '
+                      'socket_timeout of memcached instead. ',
    deprecated_since=versionutils.deprecated.TRAIN,
    help=utils.fmt("""
 Timeout in seconds for every call to a server. This is used by the key value
--- a/keystone/federation/utils.py
+++ b/keystone/federation/utils.py
@ -285,15 +285,16 @@ def validate_expiration(token):

 def get_remote_id_parameter(idp, protocol):
    # NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
-    # retrieve the remote_id_attribute of the protocol ID. It will look up first
-    # if the remote_id_attribute exists.
+    # retrieve the remote_id_attribute of the protocol ID. It will look up
+    # first if the remote_id_attribute exists.
    protocol_ref = PROVIDERS.federation_api.get_protocol(idp['id'], protocol)
    remote_id_parameter = protocol_ref.get('remote_id_attribute')
    if remote_id_parameter:
        return remote_id_parameter
    else:
-        # If it's not registered in the config, then register the option and try again.
-        # This allows the user to register protocols other than oidc and saml2.
+        # If it's not registered in the config, then register the option and
+        # try again. This allows the user to register protocols other than
+        # oidc and saml2.
        try:
            remote_id_parameter = CONF[protocol]['remote_id_attribute']
        except AttributeError:
@ -303,7 +304,8 @@ def get_remote_id_parameter(idp, protocol):
            try:
                remote_id_parameter = CONF[protocol]['remote_id_attribute']
            except AttributeError:  # nosec
-                # No remote ID attr, will be logged and use the default instead.
+                # No remote ID attr, will be logged and use the default
+                # instead.
                pass
    if not remote_id_parameter:
        LOG.debug('Cannot find "remote_id_attribute" in configuration '
--- a/keystone/receipt/receipt_formatters.py
+++ b/keystone/receipt/receipt_formatters.py
@ -290,7 +290,7 @@ class ReceiptPayload(object):

    @classmethod
    def random_urlsafe_str_to_bytes(cls, s):
-        """Convert a string from :func:`random_urlsafe_str()` to six.binary_type.
+        """Convert string from :func:`random_urlsafe_str()` to six.binary_type.

        :type s: six.text_type
        :rtype: six.binary_type
--- a/keystone/tests/protection/v3/test_access_rules.py
+++ b/keystone/tests/protection/v3/test_access_rules.py
@ -44,9 +44,11 @@ class _UserAccessRuleTests(object):
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)
        with self.test_client() as c:
-            path = '/v3/users/%s/access_rules/%s' % (self.user_id, app_cred['access_rules'][0]['id'])
+            path = '/v3/users/%s/access_rules/%s' % (
+                self.user_id, app_cred['access_rules'][0]['id'])
            c.get(path, headers=self.headers)

    def test_user_can_list_their_access_rules(self):
@ -63,9 +65,11 @@ class _UserAccessRuleTests(object):
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)
        with self.test_client() as c:
-            r = c.get('/v3/users/%s/access_rules' % self.user_id, headers=self.headers)
+            r = c.get('/v3/users/%s/access_rules' % self.user_id,
+                      headers=self.headers)
            self.assertEqual(len(r.json['access_rules']), 1)

    def test_user_can_delete_their_access_rules(self):
@ -83,10 +87,13 @@ class _UserAccessRuleTests(object):
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
-        PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)
+        PROVIDERS.application_credential_api.delete_application_credential(
+            app_cred['id'])
        with self.test_client() as c:
-            path = '/v3/users/%s/access_rules/%s' % (self.user_id, access_rule_id)
+            path = '/v3/users/%s/access_rules/%s' % (
+                self.user_id, access_rule_id)
            c.delete(path, headers=self.headers)


@ -119,9 +126,11 @@ class _ProjectUsersTests(object):
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)
        with self.test_client() as c:
-            path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
+            path = '/v3/users/%s/access_rules/%s' % (
+                user['id'], access_rule_id)
            c.get(
                path, headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
@ -136,7 +145,7 @@ class _ProjectUsersTests(object):
                expected_status_code=http_client.NOT_FOUND
            )

-    def test_user_cannot_get_non_existent_access_rule_other_user_forbidden(self):
+    def test_cannot_get_non_existent_access_rule_other_user_forbidden(self):
        user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        user = PROVIDERS.identity_api.create_user(user)
        with self.test_client() as c:
@ -171,7 +180,8 @@ class _ProjectUsersTests(object):
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)

        with self.test_client() as c:
            path = '/v3/users/%s/access_rules' % user['id']
@ -203,16 +213,19 @@ class _ProjectUsersTests(object):
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
-        PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)
+        PROVIDERS.application_credential_api.delete_application_credential(
+            app_cred['id'])
        with self.test_client() as c:
-            path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
+            path = '/v3/users/%s/access_rules/%s' % (
+                user['id'], access_rule_id)
            c.delete(
                path, headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_delete_non_existent_access_rule_other_user_forbidden(self):
+    def test_cannot_delete_non_existent_access_rule_other_user_forbidden(self):
        user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        user = PROVIDERS.identity_api.create_user(user)
        with self.test_client() as c:
@ -252,7 +265,8 @@ class _SystemUserAccessRuleTests(object):
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)

        with self.test_client() as c:
            r = c.get('/v3/users/%s/access_rules' % user['id'],
@ -329,10 +343,13 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
-        PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)
+        PROVIDERS.application_credential_api.delete_application_credential(
+            app_cred['id'])
        with self.test_client() as c:
-            path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
+            path = '/v3/users/%s/access_rules/%s' % (
+                user['id'], access_rule_id)
            c.delete(
                path, headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
@ -408,17 +425,21 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
-        PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)
+        PROVIDERS.application_credential_api.delete_application_credential(
+            app_cred['id'])
        with self.test_client() as c:
-            path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
+            path = '/v3/users/%s/access_rules/%s' % (
+                user['id'], access_rule_id)
            c.delete(
                path, headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

        with self.test_client() as c:
-            path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
+            path = '/v3/users/%s/access_rules/%s' % (
+                user['id'], access_rule_id)
            c.delete(
                path, headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
@ -487,11 +508,14 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                'method': uuid.uuid4().hex[16:]
            }]
        }
-        PROVIDERS.application_credential_api.create_application_credential(app_cred)
-        PROVIDERS.application_credential_api.delete_application_credential(app_cred['id'])
+        PROVIDERS.application_credential_api.create_application_credential(
+            app_cred)
+        PROVIDERS.application_credential_api.delete_application_credential(
+            app_cred['id'])

        with self.test_client() as c:
-            path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id)
+            path = '/v3/users/%s/access_rules/%s' % (
+                user['id'], access_rule_id)
            c.delete(path, headers=self.headers)

    def test_user_cannot_delete_non_existent_access_rule_not_found(self):
--- a/keystone/tests/protection/v3/test_assignment.py
+++ b/keystone/tests/protection/v3/test_assignment.py
@ -1086,9 +1086,9 @@ class _ProjectUserTests(object):
    def test_user_cannot_filter_role_assignments_by_other_project_user(self):
        assignments = self._setup_test_role_assignments()

-        # This user doesn't have any role assignments on self.project_id, so the
-        # project user of self.project_id should only see an empty list of role
-        # assignments.
+        # This user doesn't have any role assignments on self.project_id, so
+        # the project user of self.project_id should only see an empty list of
+        # role assignments.
        user_id = assignments['user_id']

        with self.test_client() as c:
--- a/keystone/tests/protection/v3/test_domain_config.py
+++ b/keystone/tests/protection/v3/test_domain_config.py
@ -50,10 +50,11 @@ class _SystemDomainAndProjectUserDomainConfigTests(object):
            password_regex_description=password_regex_description
        )
        with self.test_client() as c:
-            c.get('/v3/domains/%s/config/security_compliance/password_regex_description'
+            c.get('/v3/domains/%s/config/security_compliance'
+                  '/password_regex_description'
                  % CONF.identity.default_domain_id, headers=self.headers)

-    def test_user_can_get_security_compliance_config_with_user_from_other_domain(self):
+    def test_can_get_security_compliance_config_with_user_from_other_domain(self):  # noqa: E501
        domain = unit.new_domain_ref()
        PROVIDERS.resource_api.create_domain(domain['id'], domain)

@ -95,7 +96,8 @@ class _SystemUserDomainConfigTests(object):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.get('/v3/domains/%s/config'
                  % domain['id'], headers=self.headers)
@ -104,7 +106,8 @@ class _SystemUserDomainConfigTests(object):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.get('/v3/domains/%s/config/ldap'
                  % domain['id'], headers=self.headers)
@ -113,7 +116,8 @@ class _SystemUserDomainConfigTests(object):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        invalid_domain_id = uuid.uuid4().hex
        with self.test_client() as c:
            c.get('/v3/domains/%s/config/ldap'
@ -144,7 +148,8 @@ class _SystemUserDomainConfigTests(object):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.get('/v3/domains/%s/config/ldap/url'
                  % domain['id'], headers=self.headers)
@ -195,10 +200,11 @@ class _SystemUserDomainConfigTests(object):
            password_regex_description=password_regex_description
        )
        with self.test_client() as c:
-            c.get('/v3/domains/%s/config/security_compliance/password_regex_description'
+            c.get('/v3/domains/%s/config/security_compliance'
+                  '/password_regex_description'
                  % CONF.identity.default_domain_id, headers=self.headers)

-    def test_user_can_get_security_compliance_config_with_user_from_other_domain(self):
+    def test_can_get_security_compliance_config_with_user_from_other_domain(self):  # noqa: E501
        domain = unit.new_domain_ref()
        PROVIDERS.resource_api.create_domain(domain['id'], domain)

@ -238,58 +244,70 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
        )
        with self.test_client() as c:
            c.put('/v3/domains/%s/config'
-                  % domain['id'], json={'config': unit.new_domain_config_ref()},
-                  headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+                  % domain['id'],
+                  json={'config': unit.new_domain_config_ref()},
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_update_domain_config(self):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        new_config = {'ldap': {'url': uuid.uuid4().hex},
                      'identity': {'driver': uuid.uuid4().hex}}
        with self.test_client() as c:
            c.patch('/v3/domains/%s/config'
                    % domain['id'], json={'config': new_config},
-                    headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+                    headers=self.headers,
+                    expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_update_domain_group_config(self):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        new_config = {'ldap': {'url': uuid.uuid4().hex,
                               'user_filter': uuid.uuid4().hex}}
        with self.test_client() as c:
            c.patch('/v3/domains/%s/config/ldap'
                    % domain['id'], json={'config': new_config},
-                    headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+                    headers=self.headers,
+                    expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_update_domain_config_option(self):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
        new_config = {'url': uuid.uuid4().hex}
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.patch('/v3/domains/%s/config/ldap/url'
-                    % domain['id'], json={'config': new_config},
-                    headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+                    % domain['id'],
+                    json={'config': new_config},
+                    headers=self.headers,
+                    expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_delete_domain_config(self):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.delete('/v3/domains/%s/config' % domain['id'],
-                     headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+                     headers=self.headers,
+                     expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_delete_domain_group_config(self):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.delete('/v3/domains/%s/config/ldap'
                     % domain['id'], headers=self.headers,
@ -299,7 +317,8 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.delete('/v3/domains/%s/config/ldap/url'
                     % domain['id'], headers=self.headers,
@ -312,7 +331,8 @@ class _DomainAndProjectUserDomainConfigTests(object):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.get('/v3/domains/%s/config'
                  % domain['id'], headers=self.headers,
@ -322,7 +342,8 @@ class _DomainAndProjectUserDomainConfigTests(object):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.get('/v3/domains/%s/config/ldap'
                  % domain['id'], headers=self.headers,
@ -340,7 +361,8 @@ class _DomainAndProjectUserDomainConfigTests(object):
        domain = PROVIDERS.resource_api.create_domain(
            uuid.uuid4().hex, unit.new_domain_ref()
        )
-        PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref())
+        PROVIDERS.domain_config_api.create_config(
+            domain['id'], unit.new_domain_config_ref())
        with self.test_client() as c:
            c.get('/v3/domains/%s/config/ldap/url'
                  % domain['id'], headers=self.headers,
@ -362,11 +384,12 @@ class _DomainAndProjectUserDomainConfigTests(object):
                  expected_status_code=http_client.FORBIDDEN)


-class SystemReaderTests(base_classes.TestCaseWithBootstrap,
-                        common_auth.AuthTestMixin,
-                        _SystemUserDomainConfigTests,
-                        _SystemReaderMemberDomainAndProjectUserDomainConfigTests,
-                        _SystemDomainAndProjectUserDomainConfigTests):
+class SystemReaderTests(
+        base_classes.TestCaseWithBootstrap,
+        common_auth.AuthTestMixin,
+        _SystemUserDomainConfigTests,
+        _SystemReaderMemberDomainAndProjectUserDomainConfigTests,
+        _SystemDomainAndProjectUserDomainConfigTests):

    def setUp(self):
        super(SystemReaderTests, self).setUp()
@ -397,11 +420,12 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
            self.headers = {'X-Auth-Token': self.token_id}


-class SystemMemberTests(base_classes.TestCaseWithBootstrap,
-                        common_auth.AuthTestMixin,
-                        _SystemUserDomainConfigTests,
-                        _SystemReaderMemberDomainAndProjectUserDomainConfigTests,
-                        _SystemDomainAndProjectUserDomainConfigTests):
+class SystemMemberTests(
+        base_classes.TestCaseWithBootstrap,
+        common_auth.AuthTestMixin,
+        _SystemUserDomainConfigTests,
+        _SystemReaderMemberDomainAndProjectUserDomainConfigTests,
+        _SystemDomainAndProjectUserDomainConfigTests):

    def setUp(self):
        super(SystemMemberTests, self).setUp()
@ -465,15 +489,19 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
        )
        with self.test_client() as c:
            c.put('/v3/domains/%s/config'
-                  % domain['id'], json={'config': unit.new_domain_config_ref()},
-                  headers=self.headers, expected_status_code=http_client.CREATED)
+                  % domain['id'],
+                  json={'config': unit.new_domain_config_ref()},
+                  headers=self.headers,
+                  expected_status_code=http_client.CREATED)

    def test_user_cannot_create_invalid_domain_config(self):
        invalid_domain_id = uuid.uuid4().hex
        with self.test_client() as c:
            c.put('/v3/domains/%s/config'
-                  % invalid_domain_id, json={'config': unit.new_domain_config_ref()},
-                  headers=self.headers, expected_status_code=http_client.NOT_FOUND)
+                  % invalid_domain_id,
+                  json={'config': unit.new_domain_config_ref()},
+                  headers=self.headers,
+                  expected_status_code=http_client.NOT_FOUND)

    def test_user_can_update_domain_config(self):
        domain = PROVIDERS.resource_api.create_domain(
@ -556,11 +584,12 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                     expected_status_code=http_client.NOT_FOUND)


-class DomainUserTests(base_classes.TestCaseWithBootstrap,
-                      common_auth.AuthTestMixin,
-                      _SystemDomainAndProjectUserDomainConfigTests,
-                      _DomainAndProjectUserDomainConfigTests,
-                      _SystemReaderMemberDomainAndProjectUserDomainConfigTests):
+class DomainUserTests(
+        base_classes.TestCaseWithBootstrap,
+        common_auth.AuthTestMixin,
+        _SystemDomainAndProjectUserDomainConfigTests,
+        _DomainAndProjectUserDomainConfigTests,
+        _SystemReaderMemberDomainAndProjectUserDomainConfigTests):

    def setUp(self):
        super(DomainUserTests, self).setUp()
@ -593,11 +622,12 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap,
            self.headers = {'X-Auth-Token': self.token_id}


-class ProjectUserTests(base_classes.TestCaseWithBootstrap,
-                       common_auth.AuthTestMixin,
-                       _SystemDomainAndProjectUserDomainConfigTests,
-                       _DomainAndProjectUserDomainConfigTests,
-                       _SystemReaderMemberDomainAndProjectUserDomainConfigTests):
+class ProjectUserTests(
+        base_classes.TestCaseWithBootstrap,
+        common_auth.AuthTestMixin,
+        _SystemDomainAndProjectUserDomainConfigTests,
+        _DomainAndProjectUserDomainConfigTests,
+        _SystemReaderMemberDomainAndProjectUserDomainConfigTests):

    def setUp(self):
        super(ProjectUserTests, self).setUp()
--- a/keystone/tests/protection/v3/test_domain_roles.py
+++ b/keystone/tests/protection/v3/test_domain_roles.py
@ -248,14 +248,16 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
            self.headers = {'X-Auth-Token': self.token_id}

    def test_user_can_create_roles(self):
-        create = {'role': unit.new_role_ref(domain_id=CONF.identity.default_domain_id)}
+        create = {'role': unit.new_role_ref(
+            domain_id=CONF.identity.default_domain_id)}

        with self.test_client() as c:
            c.post('/v3/roles', json=create, headers=self.headers)

    def test_user_can_update_roles(self):
        role = PROVIDERS.role_api.create_role(
-            uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
+            uuid.uuid4().hex,
+            unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
        )

        update = {'role': {'description': uuid.uuid4().hex}}
@ -267,7 +269,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,

    def test_user_can_delete_roles(self):
        role = PROVIDERS.role_api.create_role(
-            uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
+            uuid.uuid4().hex,
+            unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
        )

        with self.test_client() as c:
--- a/keystone/tests/protection/v3/test_ec2_credential.py
+++ b/keystone/tests/protection/v3/test_ec2_credential.py
@ -44,7 +44,8 @@ class _UserEC2CredentialTests(object):

            credential_id = r.json['credential']['access']

-            path = '/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id)
+            path = '/v3/users/%s/credentials/OS-EC2/%s' % (
+                self.user_id, credential_id)
            r = c.get(path, headers=self.headers)
            self.assertEqual(
                self.user_id, r.json['credential']['user_id']
@ -101,7 +102,8 @@ class _UserEC2CredentialTests(object):
                       json={'tenant_id': project['id']}, headers=self.headers)
            credential_id = r.json['credential']['access']

-            c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id),
+            c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (
+                     self.user_id, credential_id),
                     headers=self.headers)

    def test_user_cannot_create_ec2_credentials_for_others(self):
@ -147,8 +149,10 @@ class _UserEC2CredentialTests(object):
                       json={'tenant_id': project['id']}, headers=headers)
            credential_id = r.json['credential']['access']

-            c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id),
-                     headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+            c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (
+                     self.user_id, credential_id),
+                     headers=self.headers,
+                     expected_status_code=http_client.FORBIDDEN)


 class _SystemUserTests(object):
@ -178,8 +182,10 @@ class _SystemUserTests(object):
                       json={'tenant_id': project['id']}, headers=headers)
            credential_id = r.json['credential']['access']

-            path = '/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id)
-            c.get(path, headers=self.headers, expected_status_code=http_client.OK)
+            path = '/v3/users/%s/credentials/OS-EC2/%s' % (
+                self.user_id, credential_id)
+            c.get(path, headers=self.headers,
+                  expected_status_code=http_client.OK)


 class _SystemReaderAndMemberTests(object):
@ -377,7 +383,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                       json={'tenant_id': project['id']}, headers=headers)
            credential_id = r.json['credential']['access']

-            c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id),
+            c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (
+                     self.user_id, credential_id),
                     headers=self.headers)


@ -395,13 +402,16 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
        # update permissions or update policies without breaking users. This
        # will cause these specific tests to fail since we're trying to correct
        # this broken behavior with better scope checking.
+        reader_or_cred_owner = bp.SYSTEM_READER_OR_CRED_OWNER
+        reader_or_owner = bp.RULE_SYSTEM_READER_OR_OWNER
+        admin_or_cred_owner = bp.SYSTEM_ADMIN_OR_CRED_OWNER
        with open(self.policy_file_name, 'w') as f:
            overridden_policies = {
-                'identity:ec2_get_credential': bp.SYSTEM_READER_OR_CRED_OWNER,
-                'identity:ec2_list_credentials': bp.RULE_SYSTEM_READER_OR_OWNER,
-                'identity:ec2_create_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
-                'identity:ec2_update_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
-                'identity:ec2_delete_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER
+                'identity:ec2_get_credential': reader_or_cred_owner,
+                'identity:ec2_list_credentials': reader_or_owner,
+                'identity:ec2_create_credential': admin_or_cred_owner,
+                'identity:ec2_update_credential': admin_or_cred_owner,
+                'identity:ec2_delete_credential': admin_or_cred_owner
            }
            f.write(jsonutils.dumps(overridden_policies))

--- a/keystone/tests/protection/v3/test_endpoint_group.py
+++ b/keystone/tests/protection/v3/test_endpoint_group.py
@ -29,7 +29,8 @@ class _SystemUserEndpointGroupsTests(object):
    """Common default functionality for all system users."""

    def test_user_can_list_endpoint_groups(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -43,7 +44,8 @@ class _SystemUserEndpointGroupsTests(object):
            self.assertIn(endpoint_group['id'], endpoint_groups)

    def test_user_can_get_an_endpoint_group(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -57,7 +59,8 @@ class _SystemUserEndpointGroupsTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -79,7 +82,8 @@ class _SystemUserEndpointGroupsTests(object):
        endpoint = PROVIDERS.catalog_api.create_endpoint(
            endpoint['id'], endpoint
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -98,7 +102,8 @@ class _SystemUserEndpointGroupsTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -115,7 +120,8 @@ class _SystemUserEndpointGroupsTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -145,12 +151,14 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):

        with self.test_client() as c:
            c.post(
-                '/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers,
+                '/v3/OS-EP-FILTER/endpoint_groups', json=create,
+                headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

    def test_user_cannot_update_endpoint_groups(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -159,20 +167,23 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):

        with self.test_client() as c:
            c.patch(
-                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update,
+                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
+                json=update,
                headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

    def test_user_cannot_delete_endpoint_groups(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )

        with self.test_client() as c:
            c.delete(
-                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers,
+                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
+                headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

@ -182,7 +193,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -199,7 +211,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -214,7 +227,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object):
 class _DomainAndProjectUserEndpointGroupTests(object):

    def test_user_cannot_list_endpoint_groups(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -224,13 +238,15 @@ class _DomainAndProjectUserEndpointGroupTests(object):
                  expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_get_an_endpoint_group(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
        with self.test_client() as c:
            c.get('/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
-                  headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_list_projects_associated_with_endpoint_groups(self):
        project = PROVIDERS.resource_api.create_project(
@ -238,15 +254,18 @@ class _DomainAndProjectUserEndpointGroupTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
        PROVIDERS.catalog_api.add_endpoint_group_to_project(
            endpoint_group['id'], project['id'])
        with self.test_client() as c:
-            c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects' % endpoint_group['id'],
-                  headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+            c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects'
+                  % endpoint_group['id'],
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_list_endpoints_associated_with_endpoint_groups(self):
        service = PROVIDERS.catalog_api.create_service(
@ -256,13 +275,16 @@ class _DomainAndProjectUserEndpointGroupTests(object):
        endpoint = PROVIDERS.catalog_api.create_endpoint(
            endpoint['id'], endpoint
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
        with self.test_client() as c:
-            c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints' % endpoint_group['id'],
-                  headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+            c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints'
+                  % endpoint_group['id'],
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_get_endpoints_associated_with_endpoint_groups(self):
        project = PROVIDERS.resource_api.create_project(
@ -270,7 +292,8 @@ class _DomainAndProjectUserEndpointGroupTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -279,7 +302,8 @@ class _DomainAndProjectUserEndpointGroupTests(object):
        with self.test_client() as c:
            c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
                  % (endpoint_group['id'], project['id']),
-                  headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_list_endpoint_groups_with_their_projects(self):
        project = PROVIDERS.resource_api.create_project(
@ -287,15 +311,18 @@ class _DomainAndProjectUserEndpointGroupTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
        PROVIDERS.catalog_api.add_endpoint_group_to_project(
            endpoint_group['id'], project['id'])
        with self.test_client() as c:
-            c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups' % project['id'],
-                  headers=self.headers, expected_status_code=http_client.FORBIDDEN)
+            c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups'
+                  % project['id'],
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)

    def test_user_cannot_create_endpoint_groups(self):
        create = {
@ -309,12 +336,14 @@ class _DomainAndProjectUserEndpointGroupTests(object):

        with self.test_client() as c:
            c.post(
-                '/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers,
+                '/v3/OS-EP-FILTER/endpoint_groups', json=create,
+                headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

    def test_user_cannot_update_endpoint_groups(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -323,20 +352,23 @@ class _DomainAndProjectUserEndpointGroupTests(object):

        with self.test_client() as c:
            c.patch(
-                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update,
+                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
+                json=update,
                headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

    def test_user_cannot_delete_endpoint_groups(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )

        with self.test_client() as c:
            c.delete(
-                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers,
+                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
+                headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

@ -346,7 +378,8 @@ class _DomainAndProjectUserEndpointGroupTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -363,7 +396,8 @@ class _DomainAndProjectUserEndpointGroupTests(object):
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -481,10 +515,12 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,

        with self.test_client() as c:
            c.post(
-                '/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers)
+                '/v3/OS-EP-FILTER/endpoint_groups', json=create,
+                headers=self.headers)

    def test_user_can_update_endpoint_group(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -493,18 +529,21 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,

        with self.test_client() as c:
            c.patch(
-                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update,
+                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
+                json=update,
                headers=self.headers)

    def test_user_can_delete_endpoint_group(self):
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )

        with self.test_client() as c:
            c.delete(
-                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers
+                '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
+                headers=self.headers
            )

    def test_user_add_endpoint_group_to_project(self):
@ -513,7 +552,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
@ -529,7 +569,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                domain_id=CONF.identity.default_domain_id
            )
        )
-        endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
+        endpoint_group = unit.new_endpoint_group_ref(
+            filters={'interface': 'public'})
        endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
            endpoint_group['id'], endpoint_group
        )
--- a/keystone/tests/protection/v3/test_grants.py
+++ b/keystone/tests/protection/v3/test_grants.py
@ -30,7 +30,7 @@ PROVIDERS = provider_api.ProviderAPIs

 class _SystemUserGrantTests(object):

-    def test_user_can_list_grants_for_user_on_project(self):
+    def test_can_list_grants_for_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -53,7 +53,7 @@ class _SystemUserGrantTests(object):
            )
            self.assertEqual(1, len(r.json['roles']))

-    def test_user_can_list_grants_for_user_on_domain(self):
+    def test_can_list_grants_for_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -74,7 +74,7 @@ class _SystemUserGrantTests(object):
            )
            self.assertEqual(1, len(r.json['roles']))

-    def test_user_can_list_grants_for_group_on_project(self):
+    def test_can_list_grants_for_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -98,7 +98,7 @@ class _SystemUserGrantTests(object):
            )
            self.assertEqual(1, len(r.json['roles']))

-    def test_user_can_list_grants_for_group_on_domain(self):
+    def test_can_list_grants_for_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -119,7 +119,7 @@ class _SystemUserGrantTests(object):
            )
            self.assertEqual(1, len(r.json['roles']))

-    def test_user_can_check_grant_for_user_on_project(self):
+    def test_can_check_grant_for_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -144,7 +144,7 @@ class _SystemUserGrantTests(object):
                expected_status_code=http_client.NO_CONTENT
            )

-    def test_user_can_check_grant_for_user_on_domain(self):
+    def test_can_check_grant_for_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -167,7 +167,7 @@ class _SystemUserGrantTests(object):
                expected_status_code=http_client.NO_CONTENT
            )

-    def test_user_can_check_grant_for_group_on_project(self):
+    def test_can_check_grant_for_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -194,7 +194,7 @@ class _SystemUserGrantTests(object):
                expected_status_code=http_client.NO_CONTENT
            )

-    def test_user_can_check_grant_for_group_on_domain(self):
+    def test_can_check_grant_for_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -220,7 +220,7 @@ class _SystemUserGrantTests(object):

 class _SystemMemberAndReaderGrantTests(object):

-    def test_user_cannot_create_grant_for_user_on_project(self):
+    def test_cannot_create_grant_for_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -240,7 +240,7 @@ class _SystemMemberAndReaderGrantTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_user_on_domain(self):
+    def test_cannot_create_grant_for_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -258,7 +258,7 @@ class _SystemMemberAndReaderGrantTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_on_project(self):
+    def test_cannot_create_grant_for_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -280,7 +280,7 @@ class _SystemMemberAndReaderGrantTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_on_domain(self):
+    def test_cannot_create_grant_for_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -298,7 +298,7 @@ class _SystemMemberAndReaderGrantTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_on_project(self):
+    def test_cannot_revoke_grant_from_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -323,7 +323,7 @@ class _SystemMemberAndReaderGrantTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_on_domain(self):
+    def test_cannot_revoke_grant_from_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -346,7 +346,7 @@ class _SystemMemberAndReaderGrantTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_on_project(self):
+    def test_cannot_revoke_grant_from_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -373,7 +373,7 @@ class _SystemMemberAndReaderGrantTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_on_domain(self):
+    def test_cannot_revoke_grant_from_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -399,7 +399,7 @@ class _SystemMemberAndReaderGrantTests(object):

 class _DomainUserTests(object):

-    def test_user_can_list_grants_for_user_on_project(self):
+    def test_can_list_grants_for_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -420,7 +420,7 @@ class _DomainUserTests(object):
            )
            self.assertEqual(1, len(r.json['roles']))

-    def test_user_can_list_grants_for_user_on_domain(self):
+    def test_can_list_grants_for_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -437,7 +437,7 @@ class _DomainUserTests(object):
            )
            self.assertEqual(1, len(r.json['roles']))

-    def test_user_can_list_grants_for_group_on_project(self):
+    def test_can_list_grants_for_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -459,7 +459,7 @@ class _DomainUserTests(object):
            )
            self.assertEqual(1, len(r.json['roles']))

-    def test_user_can_list_grants_for_group_on_domain(self):
+    def test_can_list_grants_for_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -477,7 +477,7 @@ class _DomainUserTests(object):
            )
            self.assertEqual(1, len(r.json['roles']))

-    def test_user_can_check_grant_for_user_on_project(self):
+    def test_can_check_grant_for_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -502,7 +502,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.NO_CONTENT
            )

-    def test_user_can_check_grant_for_user_on_domain(self):
+    def test_can_check_grant_for_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -522,7 +522,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.NO_CONTENT
            )

-    def test_user_can_check_grant_for_group_on_project(self):
+    def test_can_check_grant_for_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -547,7 +547,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.NO_CONTENT
            )

-    def test_user_can_check_grant_for_group_on_domain(self):
+    def test_can_check_grant_for_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -567,7 +567,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.NO_CONTENT
            )

-    def test_user_cannot_list_grants_for_user_other_domain_on_project_own_domain(self):
+    def test_cannot_list_grants_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
        user_domain_id = CONF.identity.default_domain_id
        project_domain_id = self.domain_id

@ -591,7 +591,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_list_grants_for_user_own_domain_on_project_other_domain(self):
+    def test_cannot_list_grants_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id

@ -616,7 +616,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_list_grants_for_user_own_domain_on_other_domain(self):
+    def test_cannot_list_grants_for_user_own_domain_on_other_domain(self):
        user_domain_id = self.domain_id
        domain_id = CONF.identity.default_domain_id

@ -636,7 +636,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_list_grants_for_user_other_domain_on_own_domain(self):
+    def test_cannot_list_grants_for_user_other_domain_on_own_domain(self):
        user_domain_id = CONF.identity.default_domain_id
        domain_id = self.domain_id

@ -656,7 +656,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_list_grants_for_group_other_domain_on_project_own_domain(self):
+    def test_cannot_list_grants_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
        group_domain_id = CONF.identity.default_domain_id
        project_domain_id = self.domain_id

@ -681,7 +681,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_list_grants_for_group_own_domain_on_project_other_domain(self):
+    def test_cannot_list_grants_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id

@ -707,7 +707,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_list_grants_for_group_own_domain_on_other_domain(self):
+    def test_cannot_list_grants_for_group_own_domain_on_other_domain(self):
        group_domain_id = self.domain_id
        domain_id = CONF.identity.default_domain_id

@ -728,7 +728,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_list_grants_for_group_other_domain_on_own_domain(self):
+    def test_cannot_list_grants_for_group_other_domain_on_own_domain(self):
        group_domain_id = CONF.identity.default_domain_id
        domain_id = self.domain_id

@ -749,7 +749,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_user_other_domain_on_project_own_domain(self):
+    def test_cannot_check_grant_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
        user_domain_id = CONF.identity.default_domain_id
        project_domain_id = self.domain_id

@ -775,7 +775,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_user_own_domain_on_project_other_domain(self):
+    def test_cannot_check_grant_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id

@ -802,7 +802,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self):
+    def test_cannot_check_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        project_domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -833,7 +833,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_user_own_domain_on_other_domain(self):
+    def test_cannot_check_grant_for_user_own_domain_on_other_domain(self):
        user_domain_id = self.domain_id
        domain_id = CONF.identity.default_domain_id

@ -856,7 +856,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_user_other_domain_on_own_domain(self):
+    def test_cannot_check_grant_for_user_other_domain_on_own_domain(self):
        user_domain_id = CONF.identity.default_domain_id
        domain_id = self.domain_id

@ -879,7 +879,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self):
+    def test_cannot_check_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -907,7 +907,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_group_other_domain_on_project_own_domain(self):
+    def test_cannot_check_grant_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
        group_domain_id = CONF.identity.default_domain_id
        project_domain_id = self.domain_id

@ -933,7 +933,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_group_own_domain_on_project_other_domain(self):
+    def test_cannot_check_grant_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id

@ -959,7 +959,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self):
+    def test_cannot_check_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -990,7 +990,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_group_own_domain_on_other_domain(self):
+    def test_cannot_check_grant_for_group_own_domain_on_other_domain(self):
        group_domain_id = self.domain_id
        domain_id = CONF.identity.default_domain_id

@ -1012,7 +1012,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_group_other_domain_on_own_domain(self):
+    def test_cannot_check_grant_for_group_other_domain_on_own_domain(self):
        group_domain_id = CONF.identity.default_domain_id
        domain_id = self.domain_id

@ -1034,12 +1034,13 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_check_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self):
+    def test_cannot_check_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id

-        role = PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
+        role = PROVIDERS.role_api.create_role(
+            uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))

        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=group_domain_id)
@ -1059,7 +1060,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_user_other_domain_on_project_own_domain(self):
+    def test_cannot_create_grant_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
        user_domain_id = CONF.identity.default_domain_id
        project_domain_id = self.domain_id

@ -1082,7 +1083,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_user_own_domain_on_project_other_domain(self):
+    def test_cannot_create_grant_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id

@ -1105,7 +1106,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_cannot_create_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self):
+    def test_cannot_create_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        project_domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -1131,7 +1132,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_user_other_domain_on_own_domain(self):
+    def test_cannot_create_grant_for_user_other_domain_on_own_domain(self):
        user_domain_id = CONF.identity.default_domain_id
        domain_id = self.domain_id

@ -1148,7 +1149,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_user_own_domain_on_other_domain(self):
+    def test_cannot_create_grant_for_user_own_domain_on_other_domain(self):
        user_domain_id = self.domain_id
        domain_id = CONF.identity.default_domain_id

@ -1165,7 +1166,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_cannot_create_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self):
+    def test_cannot_create_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -1186,7 +1187,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_other_domain_on_project_own_domain(self):
+    def test_cannot_create_grant_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
        group_domain_id = CONF.identity.default_domain_id
        project_domain_id = self.domain_id

@ -1211,7 +1212,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_own_domain_on_project_other_domain(self):
+    def test_cannot_create_grant_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id

@ -1236,7 +1237,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_cannot_create_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self):
+    def test_cannot_create_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        project_domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -1265,7 +1266,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_other_domain_on_own_domain(self):
+    def test_cannot_create_grant_for_group_other_domain_on_own_domain(self):
        group_domain_id = CONF.identity.default_domain_id
        domain_id = self.domain_id

@ -1282,7 +1283,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_own_domain_on_other_domain(self):
+    def test_cannot_create_grant_for_group_own_domain_on_other_domain(self):
        group_domain_id = self.domain_id
        domain_id = CONF.identity.default_domain_id

@ -1299,7 +1300,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self):
+    def test_cannot_create_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -1320,7 +1321,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_other_domain_on_project_own_domain(self):
+    def test_cannot_revoke_grant_from_user_other_domain_on_project_own_domain(self):  # noqa: E501
        user_domain_id = CONF.identity.default_domain_id
        project_domain_id = self.domain_id

@ -1348,7 +1349,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_own_domain_on_project_other_domain(self):
+    def test_cannot_revoke_grant_from_user_own_domain_on_project_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id

@ -1376,7 +1377,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_other_domain_on_own_domain(self):
+    def test_cannot_revoke_grant_from_user_other_domain_on_own_domain(self):
        user_domain_id = CONF.identity.default_domain_id
        domain_id = self.domain_id

@ -1398,7 +1399,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_own_domain_on_other_domain(self):
+    def test_cannot_revoke_grant_from_user_own_domain_on_other_domain(self):
        user_domain_id = self.domain_id
        domain_id = CONF.identity.default_domain_id

@ -1420,7 +1421,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_own_domain_on_own_domain_with_role_other_domain(self):
+    def test_cannot_revoke_grant_from_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
        user_domain_id = self.domain_id
        domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -1446,7 +1447,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_other_domain_on_project_own_domain(self):
+    def test_cannot_revoke_grant_from_group_other_domain_on_project_own_domain(self):  # noqa: E501
        group_domain_id = CONF.identity.default_domain_id
        project_domain_id = self.domain_id

@ -1476,7 +1477,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_own_domain_on_project_other_domain(self):
+    def test_cannot_revoke_grant_from_group_own_domain_on_project_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        project_domain_id = CONF.identity.default_domain_id

@ -1506,7 +1507,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_other_domain_on_own_domain(self):
+    def test_cannot_revoke_grant_from_group_other_domain_on_own_domain(self):
        group_domain_id = CONF.identity.default_domain_id
        domain_id = self.domain_id

@ -1528,7 +1529,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_own_domain_on_other_domain(self):
+    def test_cannot_revoke_grant_from_group_own_domain_on_other_domain(self):
        group_domain_id = self.domain_id
        domain_id = CONF.identity.default_domain_id

@ -1550,7 +1551,7 @@ class _DomainUserTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_own_domain_on_own_domain_with_role_other_domain(self):
+    def test_cannot_revoke_grant_from_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
        group_domain_id = self.domain_id
        domain_id = self.domain_id
        role_domain_id = CONF.identity.default_domain_id
@ -1670,7 +1671,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
            self.token_id = r.headers['X-Subject-Token']
            self.headers = {'X-Auth-Token': self.token_id}

-    def test_user_can_create_grant_for_user_on_project(self):
+    def test_can_create_grant_for_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -1689,7 +1690,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_create_grant_for_user_on_domain(self):
+    def test_can_create_grant_for_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -1706,7 +1707,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_create_grant_for_group_on_project(self):
+    def test_can_create_grant_for_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -1727,7 +1728,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_create_grant_for_group_on_domain(self):
+    def test_can_create_grant_for_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -1744,7 +1745,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_revoke_grant_from_user_on_project(self):
+    def test_can_revoke_grant_from_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -1768,7 +1769,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_revoke_grant_from_user_on_domain(self):
+    def test_can_revoke_grant_from_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -1790,7 +1791,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_revoke_grant_from_group_on_project(self):
+    def test_can_revoke_grant_from_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -1816,7 +1817,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_revoke_grant_from_group_on_domain(self):
+    def test_can_revoke_grant_from_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
@ -1841,7 +1842,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,

 class _DomainMemberAndReaderTests(object):

-    def test_user_cannot_create_grant_for_user_on_project(self):
+    def test_cannot_create_grant_for_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -1861,7 +1862,7 @@ class _DomainMemberAndReaderTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_user_on_domain(self):
+    def test_cannot_create_grant_for_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -1879,7 +1880,7 @@ class _DomainMemberAndReaderTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_on_project(self):
+    def test_cannot_create_grant_for_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -1899,7 +1900,7 @@ class _DomainMemberAndReaderTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_grant_for_group_on_domain(self):
+    def test_cannot_create_grant_for_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -1917,7 +1918,7 @@ class _DomainMemberAndReaderTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_on_project(self):
+    def test_cannot_revoke_grant_from_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -1940,7 +1941,7 @@ class _DomainMemberAndReaderTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_user_on_domain(self):
+    def test_cannot_revoke_grant_from_user_on_domain(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -1963,7 +1964,7 @@ class _DomainMemberAndReaderTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_on_project(self):
+    def test_cannot_revoke_grant_from_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -1990,7 +1991,7 @@ class _DomainMemberAndReaderTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_revoke_grant_from_group_on_domain(self):
+    def test_cannot_revoke_grant_from_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -2142,7 +2143,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
            }
            f.write(jsonutils.dumps(overridden_policies))

-    def test_user_can_create_grant_for_user_on_project(self):
+    def test_can_create_grant_for_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -2159,7 +2160,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_create_grant_for_group_on_project(self):
+    def test_can_create_grant_for_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -2178,7 +2179,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_revoke_grant_from_user_on_project(self):
+    def test_can_revoke_grant_from_user_on_project(self):
        user = PROVIDERS.identity_api.create_user(
            unit.new_user_ref(domain_id=self.domain_id)
        )
@ -2200,7 +2201,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_can_revoke_grant_from_group_on_project(self):
+    def test_can_revoke_grant_from_group_on_project(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=self.domain_id)
        )
@ -2224,7 +2225,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap,
                headers=self.headers
            )

-    def test_user_cannot_revoke_grant_from_group_on_domain(self):
+    def test_cannot_revoke_grant_from_group_on_domain(self):
        group = PROVIDERS.identity_api.create_group(
            unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
        )
--- a/keystone/tests/protection/v3/test_policy.py
+++ b/keystone/tests/protection/v3/test_policy.py
@ -252,7 +252,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                'name': uuid.uuid4().hex,
                'description': uuid.uuid4().hex,
                'enabled': True,
-                # Store serialized JSON data as the blob to mimic real world usage.
+                # Store serialized JSON data as the blob to mimic real world
+                # usage.
                'blob': json.dumps({'data': uuid.uuid4().hex, }),
                'type': uuid.uuid4().hex
            }
--- a/keystone/tests/protection/v3/test_policy_association.py
+++ b/keystone/tests/protection/v3/test_policy_association.py
@ -194,7 +194,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_policy_association_for_region_and_service(self):
+    def test_user_cannot_create_policy_assoc_for_region_and_service(self):
        policy = unit.new_policy_ref()
        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
        service = PROVIDERS.catalog_api.create_service(
@ -210,7 +210,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_delete_policy_association_for_region_and_service(self):
+    def test_user_cannot_delete_policy_assoc_for_region_and_service(self):
        policy = unit.new_policy_ref()
        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
        service = PROVIDERS.catalog_api.create_service(
@ -392,7 +392,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_create_policy_association_for_region_and_service(self):
+    def test_user_cannot_create_policy_assoc_for_region_and_service(self):
        policy = unit.new_policy_ref()
        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
        service = PROVIDERS.catalog_api.create_service(
@ -408,7 +408,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_delete_policy_association_for_region_and_service(self):
+    def test_user_cannot_delete_policy_assoc_for_region_and_service(self):
        policy = unit.new_policy_ref()
        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
        service = PROVIDERS.catalog_api.create_service(
--- a/keystone/tests/protection/v3/test_project_endpoint.py
+++ b/keystone/tests/protection/v3/test_project_endpoint.py
@ -45,9 +45,11 @@ class _SystemUserProjectEndpointTests(object):
            endpoint['id'], endpoint
        )

-        PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id'])
+        PROVIDERS.catalog_api.add_endpoint_to_project(
+            endpoint['id'], project['id'])
        with self.test_client() as c:
-            r = c.get('/v3/OS-EP-FILTER/endpoints/%s/projects' % endpoint['id'],
+            r = c.get('/v3/OS-EP-FILTER/endpoints/%s/projects'
+                      % endpoint['id'],
                      headers=self.headers)
            for project_itr in r.json['projects']:
                self.assertIn(project['id'], project_itr['id'])
@ -66,7 +68,8 @@ class _SystemUserProjectEndpointTests(object):
            endpoint['id'], endpoint
        )

-        PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id'])
+        PROVIDERS.catalog_api.add_endpoint_to_project(
+            endpoint['id'], project['id'])
        with self.test_client() as c:
            c.get('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                  % (project['id'], endpoint['id']),
@ -87,7 +90,8 @@ class _SystemUserProjectEndpointTests(object):
            endpoint['id'], endpoint
        )

-        PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id'])
+        PROVIDERS.catalog_api.add_endpoint_to_project(
+            endpoint['id'], project['id'])
        with self.test_client() as c:
            r = c.get('/v3/OS-EP-FILTER/projects/%s/endpoints' % project['id'],
                      headers=self.headers)
@ -152,7 +156,8 @@ class _DomainAndProjectUserProjectEndpointTests(object):
            endpoint['id'], endpoint
        )

-        PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id'])
+        PROVIDERS.catalog_api.add_endpoint_to_project(
+            endpoint['id'], project['id'])
        with self.test_client() as c:
            c.get('/v3/OS-EP-FILTER/endpoints/%s/projects' % endpoint['id'],
                  headers=self.headers,
@ -172,7 +177,8 @@ class _DomainAndProjectUserProjectEndpointTests(object):
            endpoint['id'], endpoint
        )

-        PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id'])
+        PROVIDERS.catalog_api.add_endpoint_to_project(
+            endpoint['id'], project['id'])
        with self.test_client() as c:
            c.get('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                  % (project['id'], endpoint['id']),
@ -193,7 +199,8 @@ class _DomainAndProjectUserProjectEndpointTests(object):
            endpoint['id'], endpoint
        )

-        PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id'])
+        PROVIDERS.catalog_api.add_endpoint_to_project(
+            endpoint['id'], project['id'])
        with self.test_client() as c:
            c.get('/v3/OS-EP-FILTER/projects/%s/endpoints' % project['id'],
                  headers=self.headers,
@ -326,7 +333,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
        endpoint = PROVIDERS.catalog_api.create_endpoint(
            endpoint['id'], endpoint
        )
-        PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id'])
+        PROVIDERS.catalog_api.add_endpoint_to_project(
+            endpoint['id'], project['id'])
        with self.test_client() as c:
            c.delete('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
                     % (project['id'], endpoint['id']),
--- a/keystone/tests/protection/v3/test_system_assignments.py
+++ b/keystone/tests/protection/v3/test_system_assignments.py
@ -240,7 +240,8 @@ class _DomainAndProjectUserSystemAssignmentTests(object):

        with self.test_client() as c:
            c.get(
-                '/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
+                '/v3/system/groups/%s/roles' % group['id'],
+                headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )

--- a/keystone/tests/protection/v3/test_trusts.py
+++ b/keystone/tests/protection/v3/test_trusts.py
@ -441,7 +441,7 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_admin_cannot_get_trust_role_for_other_user_overridden_defaults(self):
+    def test_admin_cannot_get_trust_role_for_other_user_overridden(self):
        self._override_policy_old_defaults()
        PROVIDERS.trust_api.create_trust(
            self.trust_id, **self.trust_data)
@ -768,7 +768,7 @@ class ProjectUserTests(TrustTests):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_cannot_list_trusts_for_other_trustor_overridden_default(self):
+    def test_user_cannot_list_trusts_for_other_trustor_overridden(self):
        self._override_policy_old_defaults()
        PROVIDERS.trust_api.create_trust(
            self.trust_id, **self.trust_data)
@ -841,7 +841,7 @@ class ProjectUserTests(TrustTests):
                expected_status_code=http_client.FORBIDDEN
            )

-    def test_user_can_get_trust_of_whom_they_are_the_trustor_overridden_default(self):
+    def test_user_can_get_trust_of_whom_they_are_the_trustor_overridden(self):
        self._override_policy_old_defaults()
        ref = PROVIDERS.trust_api.create_trust(
            self.trust_id, **self.trust_data)
--- a/keystone/tests/unit/application_credential/test_backends.py
+++ b/keystone/tests/unit/application_credential/test_backends.py
@ -243,11 +243,14 @@ class ApplicationCredentialTests(object):

    def test_removing_user_from_project_deletes_application_credentials(self):
        app_cred_proj_A_1 = self._new_app_cred_data(
-            self.user_foo['id'], project_id=self.project_bar['id'], name='app1')
+            self.user_foo['id'], project_id=self.project_bar['id'],
+            name='app1')
        app_cred_proj_A_2 = self._new_app_cred_data(
-            self.user_foo['id'], project_id=self.project_bar['id'], name='app2')
+            self.user_foo['id'], project_id=self.project_bar['id'],
+            name='app2')
        app_cred_proj_B = self._new_app_cred_data(
-            self.user_foo['id'], project_id=self.project_baz['id'], name='app3')
+            self.user_foo['id'], project_id=self.project_baz['id'],
+            name='app3')
        PROVIDERS.assignment_api.add_role_to_user_and_project(
            project_id=self.project_baz['id'],
            user_id=self.user_foo['id'],
--- a/keystone/tests/unit/resource/test_backends.py
+++ b/keystone/tests/unit/resource/test_backends.py
@ -37,7 +37,8 @@ class ResourceTests(object):
    domain_count = len(default_fixtures.DOMAINS)

    def test_get_project(self):
-        project_ref = PROVIDERS.resource_api.get_project(self.project_bar['id'])
+        project_ref = PROVIDERS.resource_api.get_project(
+            self.project_bar['id'])
        self.assertDictEqual(self.project_bar, project_ref)

    def test_get_project_returns_not_found(self):
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@ -220,8 +220,10 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
                  headers={'X-Auth-Token': r.headers['X-Subject-Token'],
                           'X-Subject-Token': token})
        admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
-        reader_role = PROVIDERS.role_api.get_role(self.bootstrap.reader_role_id)
-        member_role = PROVIDERS.role_api.get_role(self.bootstrap.member_role_id)
+        reader_role = PROVIDERS.role_api.get_role(
+            self.bootstrap.reader_role_id)
+        member_role = PROVIDERS.role_api.get_role(
+            self.bootstrap.member_role_id)
        self.assertEqual(admin_role['options'], {})
        self.assertEqual(member_role['options'], {})
        self.assertEqual(reader_role['options'], {})
@ -305,8 +307,10 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
             project='keystone')
        self._do_test_bootstrap(self.bootstrap)
        admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
-        reader_role = PROVIDERS.role_api.get_role(self.bootstrap.reader_role_id)
-        member_role = PROVIDERS.role_api.get_role(self.bootstrap.member_role_id)
+        reader_role = PROVIDERS.role_api.get_role(
+            self.bootstrap.reader_role_id)
+        member_role = PROVIDERS.role_api.get_role(
+            self.bootstrap.member_role_id)
        self.assertTrue(admin_role['options']['immutable'])
        self.assertTrue(member_role['options']['immutable'])
        self.assertTrue(reader_role['options']['immutable'])
--- a/keystone/tests/unit/test_sql_upgrade.py
+++ b/keystone/tests/unit/test_sql_upgrade.py
@ -1679,8 +1679,8 @@ class VersionTests(SqlMigrateBase):
            self.repos[EXPAND_REPO].repo_path + versions_path + '/*.py')
        self.assertRepoFileNamePrefix(expand_list, 'expand')
        # test for migrate prefix, e.g. 001_migrate_new_fk_constraint.py
-        migrate_list = glob.glob(
-            self.repos[DATA_MIGRATION_REPO].repo_path + versions_path + '/*.py')
+        repo_path = self.repos[DATA_MIGRATION_REPO].repo_path
+        migrate_list = glob.glob(repo_path + versions_path + '/*.py')
        self.assertRepoFileNamePrefix(migrate_list, 'migrate')
        # test for contract prefix, e.g. 001_contract_new_fk_constraint.py
        contract_list = glob.glob(
@ -3250,10 +3250,10 @@ class FullMigration(SqlMigrateBase, unit.TestCase):
            'application_credential_access_rule',
            ['application_credential_id', 'access_rule_id']
        )
-        self.assertTrue(self.does_fk_exist('application_credential_access_rule',
-                                           'application_credential_id'))
-        self.assertTrue(self.does_fk_exist('application_credential_access_rule',
-                                           'access_rule_id'))
+        self.assertTrue(self.does_fk_exist(
+            'application_credential_access_rule', 'application_credential_id'))
+        self.assertTrue(self.does_fk_exist(
+            'application_credential_access_rule', 'access_rule_id'))

        app_cred_table = sqlalchemy.Table(
            'application_credential', self.metadata, autoload=True
@ -3392,7 +3392,7 @@ class FullMigration(SqlMigrateBase, unit.TestCase):
            ['id', 'project_id', 'resource_limit', 'description',
             'internal_id', 'registered_limit_id', 'domain_id'])

-    def test_migration_064_add_remote_id_attribute_to_federation_protocol(self):
+    def test_migration_064_add_remote_id_attribute_federation_protocol(self):
        self.expand(63)
        self.migrate(63)
        self.contract(63)
--- a/keystone/tests/unit/test_v3_application_credential.py
+++ b/keystone/tests/unit/test_v3_application_credential.py
@ -58,10 +58,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
            roles = [{'id': self.role_id}]
            app_cred_body = self._app_cred_body(roles=roles)
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          json=app_cred_body,
-                          expected_status_code=http_client.CREATED,
-                          headers={'X-Auth-Token': token})
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
        # Create operation returns the secret
        self.assertIn('secret', resp.json['application_credential'])
        # But not the stored hash
@ -73,24 +74,27 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
            roles = [{'id': self.role_id}]
            app_cred_body = self._app_cred_body(roles=roles, secret=secret)
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          json=app_cred_body,
-                          expected_status_code=http_client.CREATED,
-                          headers={'X-Auth-Token': token})
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
        self.assertEqual(secret, resp.json['application_credential']['secret'])

    def test_create_application_credential_roles_from_token(self):
        with self.test_client() as c:
            app_cred_body = self._app_cred_body()
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          json=app_cred_body,
-                          expected_status_code=http_client.CREATED,
-                          headers={'X-Auth-Token': token})
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
            self.assertThat(resp.json['application_credential']['roles'],
                            matchers.HasLength(1))
-            self.assertEqual(resp.json['application_credential']['roles'][0]['id'],
-                             self.role_id)
+            self.assertEqual(
+                resp.json['application_credential']['roles'][0]['id'],
+                self.role_id)

    def test_create_application_credential_wrong_user(self):
        wrong_user = unit.create_user(PROVIDERS.identity_api,
@ -153,15 +157,16 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
            roles = [{'id': self.role_id}]
            app_cred_body_1 = self._app_cred_body(roles=roles)
            token = self.get_scoped_token()
-            app_cred_1 = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                                json=app_cred_body_1,
-                                expected_status_code=http_client.CREATED,
-                                headers={'X-Auth-Token': token})
+            app_cred_1 = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body_1,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
            auth_data = self.build_authentication_request(
                app_cred_id=app_cred_1.json['application_credential']['id'],
                secret=app_cred_1.json['application_credential']['secret'])
-            token_data = self.v3_create_token(auth_data,
-                                              expected_status=http_client.CREATED)
+            token_data = self.v3_create_token(
+                auth_data, expected_status=http_client.CREATED)
            app_cred_body_2 = self._app_cred_body(roles=roles)
            token = token_data.headers['x-subject-token']
            c.post('/v3/users/%s/application_credentials' % self.user_id,
@ -175,20 +180,22 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
            app_cred_body_1 = self._app_cred_body(roles=roles)
            app_cred_body_1['application_credential']['unrestricted'] = True
            token = self.get_scoped_token()
-            app_cred_1 = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                                json=app_cred_body_1,
-                                expected_status_code=http_client.CREATED,
-                                headers={'X-Auth-Token': token})
+            app_cred_1 = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body_1,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
            auth_data = self.build_authentication_request(
                app_cred_id=app_cred_1.json['application_credential']['id'],
                secret=app_cred_1.json['application_credential']['secret'])
-            token_data = self.v3_create_token(auth_data,
-                                              expected_status=http_client.CREATED)
+            token_data = self.v3_create_token(
+                auth_data, expected_status=http_client.CREATED)
            app_cred_body_2 = self._app_cred_body(roles=roles)
            c.post('/v3/users/%s/application_credentials' % self.user_id,
                   json=app_cred_body_2,
                   expected_status_code=http_client.CREATED,
-                   headers={'x-Auth-Token': token_data.headers['x-subject-token']})
+                   headers={
+                       'x-Auth-Token': token_data.headers['x-subject-token']})

    def test_create_application_credential_with_access_rules(self):
        roles = [{'id': self.role_id}]
@ -203,12 +210,14 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
                                            access_rules=access_rules)
        with self.test_client() as c:
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          headers={'X-Auth-Token': token},
-                          json=app_cred_body,
-                          expected_status_code=http_client.CREATED)
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                headers={'X-Auth-Token': token},
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED)
            app_cred_id = resp.json['application_credential']['id']
-            resp_access_rules = resp.json['application_credential']['access_rules']
+            resp_access_rules = (
+                resp.json['application_credential']['access_rules'])
            access_rule_id = resp_access_rules[0].pop('id')
            self.assertEqual(access_rules[0], resp_access_rules[0])
            resp = c.get('/v3/users/%s/access_rules' % self.user_id,
@ -248,10 +257,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
                                              access_rules=access_rules)
        with self.test_client() as c:
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          headers={'X-Auth-Token': token},
-                          json=app_cred_body_1,
-                          expected_status_code=http_client.CREATED)
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                headers={'X-Auth-Token': token},
+                json=app_cred_body_1,
+                expected_status_code=http_client.CREATED)
        resp_access_rules = resp.json['application_credential']['access_rules']
        self.assertIn('id', resp_access_rules[0])
        access_rule_id = resp_access_rules[0].pop('id')
@ -261,10 +271,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
                                              access_rules=access_rules)
        with self.test_client() as c:
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          headers={'X-Auth-Token': token},
-                          json=app_cred_body_2,
-                          expected_status_code=http_client.CREATED)
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                headers={'X-Auth-Token': token},
+                json=app_cred_body_2,
+                expected_status_code=http_client.CREATED)
        resp_access_rules = resp.json['application_credential']['access_rules']
        self.assertEqual(access_rule_id, resp_access_rules[0]['id'])

@ -281,10 +292,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
                                              access_rules=access_rules)
        with self.test_client() as c:
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          headers={'X-Auth-Token': token},
-                          json=app_cred_body_1,
-                          expected_status_code=http_client.CREATED)
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                headers={'X-Auth-Token': token},
+                json=app_cred_body_1,
+                expected_status_code=http_client.CREATED)
        resp_access_rules = resp.json['application_credential']['access_rules']
        access_rule_id = resp_access_rules
        self.assertIn('id', resp_access_rules[0])
@ -296,10 +308,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
                                              access_rules=access_rules)
        with self.test_client() as c:
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          headers={'X-Auth-Token': token},
-                          json=app_cred_body_2,
-                          expected_status_code=http_client.CREATED)
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                headers={'X-Auth-Token': token},
+                json=app_cred_body_2,
+                expected_status_code=http_client.CREATED)
        resp_access_rules = resp.json['application_credential']['access_rules']
        self.assertEqual(access_rule_id, resp_access_rules[0]['id'])

@ -349,10 +362,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
                         expected_status_code=http_client.OK,
                         headers={'X-Auth-Token': token})
            self.assertEqual([], resp.json['application_credentials'])
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          json=app_cred_body,
-                          expected_status_code=http_client.CREATED,
-                          headers={'X-Auth-Token': token})
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
            resp = c.get(search_path, expected_status_code=http_client.OK,
                         headers={'X-Auth-Token': token})
            self.assertEqual(1, len(resp.json['application_credentials']))
@ -367,17 +381,19 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
            resp = c.get(search_path, expected_status_code=http_client.OK,
                         headers={'X-Auth-Token': token})
            self.assertEqual(1, len(resp.json['application_credentials']))
-            self.assertEqual(resp.json['application_credentials'][0]['name'], name)
+            self.assertEqual(resp.json['application_credentials'][0]['name'],
+                             name)

    def test_get_head_application_credential(self):
        with self.test_client() as c:
            roles = [{'id': self.role_id}]
            app_cred_body = self._app_cred_body(roles=roles)
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          json=app_cred_body,
-                          expected_status_code=http_client.CREATED,
-                          headers={'X-Auth-Token': token})
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
            app_cred_id = resp.json['application_credential']['id']
            c.head('/v3%s' % MEMBER_PATH_FMT % {'user_id': self.user_id,
                                                'app_cred_id': app_cred_id},
@ -408,10 +424,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
            roles = [{'id': self.role_id}]
            app_cred_body = self._app_cred_body(roles=roles)
            token = self.get_scoped_token()
-            resp = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                          json=app_cred_body,
-                          expected_status_code=http_client.CREATED,
-                          headers={'X-Auth-Token': token})
+            resp = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
            app_cred_id = resp.json['application_credential']['id']
            c.delete('/v3%s' % MEMBER_PATH_FMT % {'user_id': self.user_id,
                     'app_cred_id': app_cred_id},
@ -431,18 +448,19 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
            roles = [{'id': self.role_id}]
            app_cred_body = self._app_cred_body(roles=roles)
            token = self.get_scoped_token()
-            app_cred = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                              json=app_cred_body,
-                              expected_status_code=http_client.CREATED,
-                              headers={'X-Auth-Token': token})
+            app_cred = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
            auth_data = self.build_authentication_request(
                app_cred_id=app_cred.json['application_credential']['id'],
                secret=app_cred.json['application_credential']['secret'])
-            token_data = self.v3_create_token(auth_data,
-                                              expected_status=http_client.CREATED)
+            token_data = self.v3_create_token(
+                auth_data, expected_status=http_client.CREATED)
            member_path = '/v3%s' % MEMBER_PATH_FMT % {
-                          'user_id': self.user_id,
-                          'app_cred_id': app_cred.json['application_credential']['id']}
+                'user_id': self.user_id,
+                'app_cred_id': app_cred.json['application_credential']['id']}
            token = token_data.headers['x-subject-token']
            c.delete(member_path,
                     json=app_cred_body,
@ -455,22 +473,25 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase):
            app_cred_body = self._app_cred_body(roles=roles)
            app_cred_body['application_credential']['unrestricted'] = True
            token = self.get_scoped_token()
-            app_cred = c.post('/v3/users/%s/application_credentials' % self.user_id,
-                              json=app_cred_body,
-                              expected_status_code=http_client.CREATED,
-                              headers={'X-Auth-Token': token})
+            app_cred = c.post(
+                '/v3/users/%s/application_credentials' % self.user_id,
+                json=app_cred_body,
+                expected_status_code=http_client.CREATED,
+                headers={'X-Auth-Token': token})
            auth_data = self.build_authentication_request(
                app_cred_id=app_cred.json['application_credential']['id'],
                secret=app_cred.json['application_credential']['secret'])
-            token_data = self.v3_create_token(auth_data,
-                                              expected_status=http_client.CREATED)
+            token_data = self.v3_create_token(
+                auth_data, expected_status=http_client.CREATED)
            member_path = '/v3%s' % MEMBER_PATH_FMT % {
-                          'user_id': self.user_id,
-                          'app_cred_id': app_cred.json['application_credential']['id']}
+                'user_id': self.user_id,
+                'app_cred_id': app_cred.json['application_credential']['id']}
            c.delete(member_path,
                     json=app_cred_body,
                     expected_status_code=http_client.NO_CONTENT,
-                     headers={'x-Auth-Token': token_data.headers['x-subject-token']})
+                     headers={
+                         'x-Auth-Token': token_data.headers['x-subject-token']
+                     })

    def test_update_application_credential(self):
        with self.test_client() as c:
--- a/keystone/tests/unit/test_v3_auth.py
+++ b/keystone/tests/unit/test_v3_auth.py
@ -5475,7 +5475,8 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase):
            data['access_rules'] = access_rules
        return data

-    def _validate_token(self, token, headers=None, expected_status=http_client.OK):
+    def _validate_token(self, token, headers=None,
+                        expected_status=http_client.OK):
        path = '/v3/auth/tokens'
        headers = headers or {}
        headers.update({'X-Auth-Token': token, 'X-Subject-Token': token})
--- a/keystone/tests/unit/token/test_fernet_provider.py
+++ b/keystone/tests/unit/token/test_fernet_provider.py
@ -231,18 +231,20 @@ class TestTokenFormatter(unit.TestCase):
        exp_protocol_id = uuid.uuid4().hex

        token_formatter = token_formatters.TokenFormatter()
-        token = token_formatter.create_token(user_id=exp_user_id,
-                                             expires_at=exp_expires_at,
-                                             audit_ids=exp_audit_ids,
-                                             payload_class=token_formatters.FederatedUnscopedPayload,
-                                             methods=exp_methods,
-                                             federated_group_ids=exp_federated_group_ids,
-                                             identity_provider_id=exp_idp_id,
-                                             protocol_id=exp_protocol_id)
+        token = token_formatter.create_token(
+            user_id=exp_user_id,
+            expires_at=exp_expires_at,
+            audit_ids=exp_audit_ids,
+            payload_class=token_formatters.FederatedUnscopedPayload,
+            methods=exp_methods,
+            federated_group_ids=exp_federated_group_ids,
+            identity_provider_id=exp_idp_id,
+            protocol_id=exp_protocol_id)

        (user_id, methods, audit_ids, system, domain_id, project_id, trust_id,
         federated_group_ids, identity_provider_id, protocol_id,
-         access_token_id, app_cred_id, issued_at, expires_at) = token_formatter.validate_token(token)
+         access_token_id, app_cred_id, issued_at,
+         expires_at) = token_formatter.validate_token(token)

        self.assertEqual(exp_user_id, user_id)
        self.assertTrue(isinstance(user_id, six.string_types))
@ -263,19 +265,21 @@ class TestTokenFormatter(unit.TestCase):
        exp_project_id = uuid.uuid4().hex

        token_formatter = token_formatters.TokenFormatter()
-        token = token_formatter.create_token(user_id=exp_user_id,
-                                             expires_at=exp_expires_at,
-                                             audit_ids=exp_audit_ids,
-                                             payload_class=token_formatters.FederatedProjectScopedPayload,
-                                             methods=exp_methods,
-                                             federated_group_ids=exp_federated_group_ids,
-                                             identity_provider_id=exp_idp_id,
-                                             protocol_id=exp_protocol_id,
-                                             project_id=exp_project_id)
+        token = token_formatter.create_token(
+            user_id=exp_user_id,
+            expires_at=exp_expires_at,
+            audit_ids=exp_audit_ids,
+            payload_class=token_formatters.FederatedProjectScopedPayload,
+            methods=exp_methods,
+            federated_group_ids=exp_federated_group_ids,
+            identity_provider_id=exp_idp_id,
+            protocol_id=exp_protocol_id,
+            project_id=exp_project_id)

        (user_id, methods, audit_ids, system, domain_id, project_id, trust_id,
         federated_group_ids, identity_provider_id, protocol_id,
-         access_token_id, app_cred_id, issued_at, expires_at) = token_formatter.validate_token(token)
+         access_token_id, app_cred_id, issued_at,
+         expires_at) = token_formatter.validate_token(token)

        self.assertEqual(exp_user_id, user_id)
        self.assertTrue(isinstance(user_id, six.string_types))
--- a/keystone/token/token_formatters.py
+++ b/keystone/token/token_formatters.py
@ -334,7 +334,7 @@ class BasePayload(object):

    @classmethod
    def random_urlsafe_str_to_bytes(cls, s):
-        """Convert a string from :func:`random_urlsafe_str()` to six.binary_type.
+        """Convert string from :func:`random_urlsafe_str()` to six.binary_type.

        :type s: six.text_type
        :rtype: six.binary_type
--- a/tools/fast8.sh
+++ b/tools/fast8.sh
@ -22,4 +22,4 @@ for FILE in $CHANGED; do
    fi
 done

-diff -u --from-file /dev/null $CHECK | flake8 --diff --ignore=D100,D101,D102,D103,D104,E305,E402,E501,W503,W504,W605
+diff -u --from-file /dev/null $CHECK | flake8 --diff --ignore=D100,D101,D102,D103,D104,E305,E402,W503,W504,W605
--- a/tox.ini
+++ b/tox.ini
@ -32,7 +32,7 @@ deps =
     .[bandit]
     {[testenv]deps}
 commands =
-  flake8 --ignore=D100,D101,D102,D103,D104,E305,E402,E501,W503,W504,W605
+  flake8 --ignore=D100,D101,D102,D103,D104,E305,E402,W503,W504,W605
  # Run bash8 during pep8 runs to ensure violations are caught by
  # the check and gate queues
  bashate devstack/plugin.sh