From e2d83ae95df2a9c5bb0ad72f2aef957e7eb36a2d Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Fri, 18 Oct 2019 09:08:07 -0700 Subject: [PATCH] Re-enable line-length linter In 09088690 we mistakenly added E501 to the flake8 ignore list. Since then, many new violations have been introduced. This patch re-enables the check and corrects all violations, except in some cases like unit test names where the subunit output would suffer if we attempted to shorten the function name. This may appear to be a pointless no-op that messes with git-blameability, and it is, but the reason to do this is that if PEP8 violations are introduced in master and then backported to a stable branch, most stable branches will fail the pep8 job since the flake8 ignore list is correct for those branches. Rather than loosening the check in older branches or requiring those backports to fix the linter errors independently of what's been merged in master, we should fix it now so that we don't introduce more errors in the future and patches can more easily be backported. Change-Id: I9f71926105eb448bb0200201d1838b67d4963cd6 --- keystone/api/credentials.py | 10 +- keystone/api/trusts.py | 19 +- .../application_credential/backends/sql.py | 9 +- keystone/cmd/bootstrap.py | 3 +- keystone/common/policies/endpoint_group.py | 8 +- keystone/common/policies/grant.py | 28 ++- .../common/policies/policy_association.py | 39 ++-- keystone/common/policies/trust.py | 12 +- ...add_application_credential_access_rules.py | 3 +- ..._attribute_to_federation_protocol_table.py | 3 +- keystone/conf/memcache.py | 5 +- keystone/federation/utils.py | 12 +- keystone/receipt/receipt_formatters.py | 2 +- .../tests/protection/v3/test_access_rules.py | 76 +++++--- .../tests/protection/v3/test_assignment.py | 6 +- .../tests/protection/v3/test_domain_config.py | 126 ++++++++----- .../tests/protection/v3/test_domain_roles.py | 9 +- .../protection/v3/test_ec2_credential.py | 34 ++-- .../protection/v3/test_endpoint_group.py | 123 ++++++++---- keystone/tests/protection/v3/test_grants.py | 177 +++++++++--------- keystone/tests/protection/v3/test_policy.py | 3 +- .../protection/v3/test_policy_association.py | 8 +- .../protection/v3/test_project_endpoint.py | 24 ++- .../protection/v3/test_system_assignments.py | 3 +- keystone/tests/protection/v3/test_trusts.py | 6 +- .../application_credential/test_backends.py | 9 +- keystone/tests/unit/resource/test_backends.py | 3 +- keystone/tests/unit/test_cli.py | 12 +- keystone/tests/unit/test_sql_upgrade.py | 14 +- .../unit/test_v3_application_credential.py | 177 ++++++++++-------- keystone/tests/unit/test_v3_auth.py | 3 +- .../tests/unit/token/test_fernet_provider.py | 42 +++-- keystone/token/token_formatters.py | 2 +- tools/fast8.sh | 2 +- tox.ini | 2 +- 35 files changed, 597 insertions(+), 417 deletions(-) diff --git a/keystone/api/credentials.py b/keystone/api/credentials.py index 15cabe9e6c..1e8c95747c 100644 --- a/keystone/api/credentials.py +++ b/keystone/api/credentials.py @@ -139,8 +139,8 @@ class CredentialResource(ks_flask.ResourceBase): trust_id = getattr(self.oslo_context, 'trust_id', None) ref = self._assign_unique_id( self._normalize_dict(credential), trust_id=trust_id) - ref = PROVIDERS.credential_api.create_credential(ref['id'], ref, - initiator=self.audit_initiator) + ref = PROVIDERS.credential_api.create_credential( + ref['id'], ref, initiator=self.audit_initiator) return self.wrap_member(ref), http_client.CREATED def patch(self, credential_id): @@ -165,9 +165,9 @@ class CredentialResource(ks_flask.ResourceBase): build_target=_build_target_enforcement ) - return (PROVIDERS.credential_api.delete_credential(credential_id, - initiator=self.audit_initiator), - http_client.NO_CONTENT) + return (PROVIDERS.credential_api.delete_credential( + credential_id, initiator=self.audit_initiator), + http_client.NO_CONTENT) class CredentialAPI(ks_flask.APIBase): diff --git a/keystone/api/trusts.py b/keystone/api/trusts.py index 6c56fe1b0b..74638b0593 100644 --- a/keystone/api/trusts.py +++ b/keystone/api/trusts.py @@ -228,12 +228,13 @@ class TrustResource(ks_flask.ResourceBase): # rule check_str is "" if isinstance(rules, op_checks.TrueCheck): LOG.warning( - "The policy check string for rule \"identity:list_trusts\" has been overridden " - "to \"always true\". In the next release, this will cause the " - "\"identity:list_trusts\" action to be fully permissive as hardcoded " - "enforcement will be removed. To correct this issue, either stop overriding the " - "\"identity:list_trusts\" rule in config to accept the defaults, or explicitly " - "set a rule that is not empty." + "The policy check string for rule \"identity:list_trusts\" " + "has been overridden to \"always true\". In the next release, " + "this will cause the \"identity:list_trusts\" action to be " + "fully permissive as hardcoded enforcement will be removed. " + "To correct this issue, either stop overriding the " + "\"identity:list_trusts\" rule in config to accept the " + "defaults, or explicitly set a rule that is not empty." ) if not flask.request.args: # NOTE(morgan): Admin can list all trusts. @@ -242,9 +243,11 @@ class TrustResource(ks_flask.ResourceBase): if not flask.request.args: trusts += PROVIDERS.trust_api.list_trusts() elif trustor_user_id: - trusts += PROVIDERS.trust_api.list_trusts_for_trustor(trustor_user_id) + trusts += PROVIDERS.trust_api.list_trusts_for_trustor( + trustor_user_id) elif trustee_user_id: - trusts += PROVIDERS.trust_api.list_trusts_for_trustee(trustee_user_id) + trusts += PROVIDERS.trust_api.list_trusts_for_trustee( + trustee_user_id) for trust in trusts: # get_trust returns roles, list_trusts does not diff --git a/keystone/application_credential/backends/sql.py b/keystone/application_credential/backends/sql.py index a7b4e6bea0..c647fb68a1 100644 --- a/keystone/application_credential/backends/sql.py +++ b/keystone/application_credential/backends/sql.py @@ -143,7 +143,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase): access_rule_ref = session.query(AccessRuleModel).filter_by( external_id=access_rule['id']).first() if not access_rule_ref: - access_rule_ref = session.query(AccessRuleModel).filter_by( + query = session.query(AccessRuleModel) + access_rule_ref = query.filter_by( user_id=app_cred['user_id'], service=access_rule['service'], path=access_rule['path'], @@ -154,7 +155,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase): for k, v in access_rule.items()}) access_rule_ref['user_id'] = app_cred['user_id'] session.add(access_rule_ref) - app_cred_access_rule = ApplicationCredentialAccessRuleModel() + app_cred_access_rule = ( + ApplicationCredentialAccessRuleModel()) app_cred_access_rule.application_credential = ref app_cred_access_rule.access_rule = access_rule_ref session.add(app_cred_access_rule) @@ -253,7 +255,8 @@ class ApplicationCredential(base.ApplicationCredentialDriverBase): access_rule_id=access_rule_id) session.delete(ref) except AssertionError: - raise exception.ForbiddenNotSecurity("May not delete access rule in use") + raise exception.ForbiddenNotSecurity( + "May not delete access rule in use") def delete_access_rules_for_user(self, user_id): with sql.session_for_write() as session: diff --git a/keystone/cmd/bootstrap.py b/keystone/cmd/bootstrap.py index b18a3f5501..6ba791bfe8 100644 --- a/keystone/cmd/bootstrap.py +++ b/keystone/cmd/bootstrap.py @@ -127,7 +127,8 @@ class Bootstrapper(object): "bootstrap command in the future.You can opt into " "this behavior by using the --immutable-role " "flag, or update role %(role)s with the " - "'immutable' resource option.", {'role': role_name}) + "'immutable' resource option.", + {'role': role_name}) return role except exception.Conflict: LOG.info('Role %s exists, skipping creation.', role_name) diff --git a/keystone/common/policies/endpoint_group.py b/keystone/common/policies/endpoint_group.py index c9e34dff19..691a6fe282 100644 --- a/keystone/common/policies/endpoint_group.py +++ b/keystone/common/policies/endpoint_group.py @@ -25,12 +25,12 @@ deprecated_get_endpoint_group = policy.DeprecatedRule( check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_list_projects_associated_with_endpoint_group = policy.DeprecatedRule( +deprecated_list_projects_assoc_with_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'list_projects_associated_with_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_list_endpoints_associated_with_endpoint_group = policy.DeprecatedRule( +deprecated_list_endpoints_assoc_with_endpoint_group = policy.DeprecatedRule( name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group', check_str=base.RULE_ADMIN_REQUIRED, ) @@ -142,7 +142,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/projects'), 'method': 'GET'}], - deprecated_rule=deprecated_list_projects_associated_with_endpoint_group, + deprecated_rule=deprecated_list_projects_assoc_with_endpoint_group, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -153,7 +153,7 @@ group_endpoint_policies = [ operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/' '{endpoint_group_id}/endpoints'), 'method': 'GET'}], - deprecated_rule=deprecated_list_endpoints_associated_with_endpoint_group, + deprecated_rule=deprecated_list_endpoints_assoc_with_endpoint_group, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( diff --git a/keystone/common/policies/grant.py b/keystone/common/policies/grant.py index ab46fb0e8c..09ef1c983d 100644 --- a/keystone/common/policies/grant.py +++ b/keystone/common/policies/grant.py @@ -27,12 +27,18 @@ DOMAIN_MATCHES_USER_DOMAIN = 'domain_id:%(target.user.domain_id)s' DOMAIN_MATCHES_GROUP_DOMAIN = 'domain_id:%(target.group.domain_id)s' DOMAIN_MATCHES_PROJECT_DOMAIN = 'domain_id:%(target.project.domain_id)s' DOMAIN_MATCHES_TARGET_DOMAIN = 'domain_id:%(target.domain.id)s' -DOMAIN_MATCHES_ROLE = 'domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s' +DOMAIN_MATCHES_ROLE = ( + 'domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s' +) GRANTS_DOMAIN_READER = ( - '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or ' - '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or ' - '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or ' - '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')' + '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and' + ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or ' + '(role:reader and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and' + ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or ' + '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and' + ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or ' + '(role:reader and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and' + ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')' ) SYSTEM_READER_OR_DOMAIN_READER = ( '(' + base.SYSTEM_READER + ') or ' @@ -45,10 +51,14 @@ SYSTEM_READER_OR_DOMAIN_READER_LIST = ( ) GRANTS_DOMAIN_ADMIN = ( - '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or ' - '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or ' - '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or ' - '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')' + '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and' + ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or ' + '(role:admin and ' + DOMAIN_MATCHES_USER_DOMAIN + ' and' + ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ') or ' + '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and' + ' ' + DOMAIN_MATCHES_PROJECT_DOMAIN + ') or ' + '(role:admin and ' + DOMAIN_MATCHES_GROUP_DOMAIN + ' and' + ' ' + DOMAIN_MATCHES_TARGET_DOMAIN + ')' ) SYSTEM_ADMIN_OR_DOMAIN_ADMIN = ( '(' + base.SYSTEM_ADMIN + ') or ' diff --git a/keystone/common/policies/policy_association.py b/keystone/common/policies/policy_association.py index e195d85c10..af5790058e 100644 --- a/keystone/common/policies/policy_association.py +++ b/keystone/common/policies/policy_association.py @@ -19,17 +19,17 @@ from keystone.common.policies import base # System-scoped tokens should be required to manage policy associations to # existing system-level resources. -deprecated_check_policy_association_for_endpoint = policy.DeprecatedRule( +deprecated_check_policy_assoc_for_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'check_policy_association_for_endpoint', check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_check_policy_association_for_service = policy.DeprecatedRule( +deprecated_check_policy_assoc_for_service = policy.DeprecatedRule( name=base.IDENTITY % 'check_policy_association_for_service', check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_check_policy_association_for_region_and_service = policy.DeprecatedRule( +deprecated_check_policy_assoc_for_region_and_service = policy.DeprecatedRule( name=base.IDENTITY % 'check_policy_association_for_region_and_service', check_str=base.RULE_ADMIN_REQUIRED, ) @@ -44,38 +44,39 @@ deprecated_list_endpoints_for_policy = policy.DeprecatedRule( check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_create_policy_association_for_endpoint = policy.DeprecatedRule( +deprecated_create_policy_assoc_for_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'create_policy_association_for_endpoint', check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_delete_policy_association_for_endpoint = policy.DeprecatedRule( +deprecated_delete_policy_assoc_for_endpoint = policy.DeprecatedRule( name=base.IDENTITY % 'delete_policy_association_for_endpoint', check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_create_policy_association_for_service = policy.DeprecatedRule( +deprecated_create_policy_assoc_for_service = policy.DeprecatedRule( name=base.IDENTITY % 'create_policy_association_for_service', check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_delete_policy_association_for_service = policy.DeprecatedRule( +deprecated_delete_policy_assoc_for_service = policy.DeprecatedRule( name=base.IDENTITY % 'delete_policy_association_for_service', check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_create_policy_association_for_region_and_service = policy.DeprecatedRule( +deprecated_create_policy_assoc_for_region_and_service = policy.DeprecatedRule( name=base.IDENTITY % 'create_policy_association_for_region_and_service', check_str=base.RULE_ADMIN_REQUIRED, ) -deprecated_delete_policy_association_for_region_and_service = policy.DeprecatedRule( +deprecated_delete_policy_assoc_for_region_and_service = policy.DeprecatedRule( name=base.IDENTITY % 'delete_policy_association_for_region_and_service', check_str=base.RULE_ADMIN_REQUIRED, ) DEPRECATED_REASON = ( - "The policy association API is now aware of system scope and default roles." + "The policy association API is now aware of system scope and default " + "roles." ) policy_association_policies = [ @@ -87,7 +88,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints/{endpoint_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_policy_association_for_endpoint, + deprecated_rule=deprecated_create_policy_assoc_for_endpoint, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -101,7 +102,7 @@ policy_association_policies = [ {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints/{endpoint_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_check_policy_association_for_endpoint, + deprecated_rule=deprecated_check_policy_assoc_for_endpoint, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -112,7 +113,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'endpoints/{endpoint_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_policy_association_for_endpoint, + deprecated_rule=deprecated_delete_policy_assoc_for_endpoint, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -123,7 +124,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_policy_association_for_service, + deprecated_rule=deprecated_create_policy_assoc_for_service, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -137,7 +138,7 @@ policy_association_policies = [ {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_check_policy_association_for_service, + deprecated_rule=deprecated_check_policy_assoc_for_service, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -148,7 +149,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_policy_association_for_service, + deprecated_rule=deprecated_delete_policy_assoc_for_service, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -161,7 +162,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}/regions/{region_id}'), 'method': 'PUT'}], - deprecated_rule=deprecated_create_policy_association_for_region_and_service, + deprecated_rule=deprecated_create_policy_assoc_for_region_and_service, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -175,7 +176,7 @@ policy_association_policies = [ {'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}/regions/{region_id}'), 'method': 'HEAD'}], - deprecated_rule=deprecated_check_policy_association_for_region_and_service, + deprecated_rule=deprecated_check_policy_assoc_for_region_and_service, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( @@ -187,7 +188,7 @@ policy_association_policies = [ operations=[{'path': ('/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/' 'services/{service_id}/regions/{region_id}'), 'method': 'DELETE'}], - deprecated_rule=deprecated_delete_policy_association_for_region_and_service, + deprecated_rule=deprecated_delete_policy_assoc_for_region_and_service, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.TRAIN), policy.DocumentedRuleDefault( diff --git a/keystone/common/policies/trust.py b/keystone/common/policies/trust.py index 4e9c7f4e18..82acb0a93f 100644 --- a/keystone/common/policies/trust.py +++ b/keystone/common/policies/trust.py @@ -77,18 +77,22 @@ trust_policies = [ check_str=SYSTEM_READER_OR_TRUSTOR, scope_types=['system', 'project'], description='List trusts for trustor.', - operations=[{'path': '/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}', + operations=[{'path': '/v3/OS-TRUST/trusts?' + 'trustor_user_id={trustor_user_id}', 'method': 'GET'}, - {'path': '/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}', + {'path': '/v3/OS-TRUST/trusts?' + 'trustor_user_id={trustor_user_id}', 'method': 'HEAD'}]), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_trusts_for_trustee', check_str=SYSTEM_READER_OR_TRUSTEE, scope_types=['system', 'project'], description='List trusts for trustee.', - operations=[{'path': '/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}', + operations=[{'path': '/v3/OS-TRUST/trusts?' + 'trustee_user_id={trustee_user_id}', 'method': 'GET'}, - {'path': '/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}', + {'path': '/v3/OS-TRUST/trusts?' + 'trustee_user_id={trustee_user_id}', 'method': 'HEAD'}]), policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_roles_for_trust', diff --git a/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py b/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py index 9fa49879f2..5df205b00b 100644 --- a/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py +++ b/keystone/common/sql/expand_repo/versions/056_expand_add_application_credential_access_rules.py @@ -19,7 +19,8 @@ def upgrade(migrate_engine): meta = sql.MetaData() meta.bind = migrate_engine - application_credential = sql.Table('application_credential', meta, autoload=True) + application_credential = sql.Table( + 'application_credential', meta, autoload=True) access_rule = sql.Table( 'access_rule', meta, sql.Column('id', sql.Integer, primary_key=True, nullable=False), diff --git a/keystone/common/sql/expand_repo/versions/064_expand_add_remote_id_attribute_to_federation_protocol_table.py b/keystone/common/sql/expand_repo/versions/064_expand_add_remote_id_attribute_to_federation_protocol_table.py index 44f20f05c4..e16c90eebd 100644 --- a/keystone/common/sql/expand_repo/versions/064_expand_add_remote_id_attribute_to_federation_protocol_table.py +++ b/keystone/common/sql/expand_repo/versions/064_expand_add_remote_id_attribute_to_federation_protocol_table.py @@ -17,6 +17,7 @@ def upgrade(migrate_engine): meta = sql.MetaData() meta.bind = migrate_engine - federation_protocol_table = sql.Table('federation_protocol', meta, autoload=True) + federation_protocol_table = sql.Table( + 'federation_protocol', meta, autoload=True) remote_id_attribute = sql.Column('remote_id_attribute', sql.String(64)) federation_protocol_table.create_column(remote_id_attribute) diff --git a/keystone/conf/memcache.py b/keystone/conf/memcache.py index cd256bb8a7..97dc2c9e19 100644 --- a/keystone/conf/memcache.py +++ b/keystone/conf/memcache.py @@ -29,8 +29,9 @@ socket_timeout = cfg.IntOpt( default=3, deprecated_for_removal=True, deprecated_reason='This option is duplicated with oslo.cache. ' - 'Configure ``keystone.conf [cache] memcache_socket_timeout`` ' - 'option to set the socket_timeout of memcached instead. ', + 'Configure ``keystone.conf [cache] ' + 'memcache_socket_timeout`` option to set the ' + 'socket_timeout of memcached instead. ', deprecated_since=versionutils.deprecated.TRAIN, help=utils.fmt(""" Timeout in seconds for every call to a server. This is used by the key value diff --git a/keystone/federation/utils.py b/keystone/federation/utils.py index 86bc6569da..7dea74f08c 100644 --- a/keystone/federation/utils.py +++ b/keystone/federation/utils.py @@ -285,15 +285,16 @@ def validate_expiration(token): def get_remote_id_parameter(idp, protocol): # NOTE(marco-fargetta): Since we support any protocol ID, we attempt to - # retrieve the remote_id_attribute of the protocol ID. It will look up first - # if the remote_id_attribute exists. + # retrieve the remote_id_attribute of the protocol ID. It will look up + # first if the remote_id_attribute exists. protocol_ref = PROVIDERS.federation_api.get_protocol(idp['id'], protocol) remote_id_parameter = protocol_ref.get('remote_id_attribute') if remote_id_parameter: return remote_id_parameter else: - # If it's not registered in the config, then register the option and try again. - # This allows the user to register protocols other than oidc and saml2. + # If it's not registered in the config, then register the option and + # try again. This allows the user to register protocols other than + # oidc and saml2. try: remote_id_parameter = CONF[protocol]['remote_id_attribute'] except AttributeError: @@ -303,7 +304,8 @@ def get_remote_id_parameter(idp, protocol): try: remote_id_parameter = CONF[protocol]['remote_id_attribute'] except AttributeError: # nosec - # No remote ID attr, will be logged and use the default instead. + # No remote ID attr, will be logged and use the default + # instead. pass if not remote_id_parameter: LOG.debug('Cannot find "remote_id_attribute" in configuration ' diff --git a/keystone/receipt/receipt_formatters.py b/keystone/receipt/receipt_formatters.py index 6684d9f84b..a5aac18867 100644 --- a/keystone/receipt/receipt_formatters.py +++ b/keystone/receipt/receipt_formatters.py @@ -290,7 +290,7 @@ class ReceiptPayload(object): @classmethod def random_urlsafe_str_to_bytes(cls, s): - """Convert a string from :func:`random_urlsafe_str()` to six.binary_type. + """Convert string from :func:`random_urlsafe_str()` to six.binary_type. :type s: six.text_type :rtype: six.binary_type diff --git a/keystone/tests/protection/v3/test_access_rules.py b/keystone/tests/protection/v3/test_access_rules.py index be0706a130..b93f61b50c 100644 --- a/keystone/tests/protection/v3/test_access_rules.py +++ b/keystone/tests/protection/v3/test_access_rules.py @@ -44,9 +44,11 @@ class _UserAccessRuleTests(object): 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) with self.test_client() as c: - path = '/v3/users/%s/access_rules/%s' % (self.user_id, app_cred['access_rules'][0]['id']) + path = '/v3/users/%s/access_rules/%s' % ( + self.user_id, app_cred['access_rules'][0]['id']) c.get(path, headers=self.headers) def test_user_can_list_their_access_rules(self): @@ -63,9 +65,11 @@ class _UserAccessRuleTests(object): 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) with self.test_client() as c: - r = c.get('/v3/users/%s/access_rules' % self.user_id, headers=self.headers) + r = c.get('/v3/users/%s/access_rules' % self.user_id, + headers=self.headers) self.assertEqual(len(r.json['access_rules']), 1) def test_user_can_delete_their_access_rules(self): @@ -83,10 +87,13 @@ class _UserAccessRuleTests(object): 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) - PROVIDERS.application_credential_api.delete_application_credential(app_cred['id']) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) + PROVIDERS.application_credential_api.delete_application_credential( + app_cred['id']) with self.test_client() as c: - path = '/v3/users/%s/access_rules/%s' % (self.user_id, access_rule_id) + path = '/v3/users/%s/access_rules/%s' % ( + self.user_id, access_rule_id) c.delete(path, headers=self.headers) @@ -119,9 +126,11 @@ class _ProjectUsersTests(object): 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) with self.test_client() as c: - path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id) + path = '/v3/users/%s/access_rules/%s' % ( + user['id'], access_rule_id) c.get( path, headers=self.headers, expected_status_code=http_client.FORBIDDEN @@ -136,7 +145,7 @@ class _ProjectUsersTests(object): expected_status_code=http_client.NOT_FOUND ) - def test_user_cannot_get_non_existent_access_rule_other_user_forbidden(self): + def test_cannot_get_non_existent_access_rule_other_user_forbidden(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = PROVIDERS.identity_api.create_user(user) with self.test_client() as c: @@ -171,7 +180,8 @@ class _ProjectUsersTests(object): 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) with self.test_client() as c: path = '/v3/users/%s/access_rules' % user['id'] @@ -203,16 +213,19 @@ class _ProjectUsersTests(object): 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) - PROVIDERS.application_credential_api.delete_application_credential(app_cred['id']) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) + PROVIDERS.application_credential_api.delete_application_credential( + app_cred['id']) with self.test_client() as c: - path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id) + path = '/v3/users/%s/access_rules/%s' % ( + user['id'], access_rule_id) c.delete( path, headers=self.headers, expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_delete_non_existent_access_rule_other_user_forbidden(self): + def test_cannot_delete_non_existent_access_rule_other_user_forbidden(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = PROVIDERS.identity_api.create_user(user) with self.test_client() as c: @@ -252,7 +265,8 @@ class _SystemUserAccessRuleTests(object): 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) with self.test_client() as c: r = c.get('/v3/users/%s/access_rules' % user['id'], @@ -329,10 +343,13 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap, 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) - PROVIDERS.application_credential_api.delete_application_credential(app_cred['id']) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) + PROVIDERS.application_credential_api.delete_application_credential( + app_cred['id']) with self.test_client() as c: - path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id) + path = '/v3/users/%s/access_rules/%s' % ( + user['id'], access_rule_id) c.delete( path, headers=self.headers, expected_status_code=http_client.FORBIDDEN @@ -408,17 +425,21 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap, 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) - PROVIDERS.application_credential_api.delete_application_credential(app_cred['id']) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) + PROVIDERS.application_credential_api.delete_application_credential( + app_cred['id']) with self.test_client() as c: - path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id) + path = '/v3/users/%s/access_rules/%s' % ( + user['id'], access_rule_id) c.delete( path, headers=self.headers, expected_status_code=http_client.FORBIDDEN ) with self.test_client() as c: - path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id) + path = '/v3/users/%s/access_rules/%s' % ( + user['id'], access_rule_id) c.delete( path, headers=self.headers, expected_status_code=http_client.FORBIDDEN @@ -487,11 +508,14 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, 'method': uuid.uuid4().hex[16:] }] } - PROVIDERS.application_credential_api.create_application_credential(app_cred) - PROVIDERS.application_credential_api.delete_application_credential(app_cred['id']) + PROVIDERS.application_credential_api.create_application_credential( + app_cred) + PROVIDERS.application_credential_api.delete_application_credential( + app_cred['id']) with self.test_client() as c: - path = '/v3/users/%s/access_rules/%s' % (user['id'], access_rule_id) + path = '/v3/users/%s/access_rules/%s' % ( + user['id'], access_rule_id) c.delete(path, headers=self.headers) def test_user_cannot_delete_non_existent_access_rule_not_found(self): diff --git a/keystone/tests/protection/v3/test_assignment.py b/keystone/tests/protection/v3/test_assignment.py index d275ba45ae..c97a63b08b 100644 --- a/keystone/tests/protection/v3/test_assignment.py +++ b/keystone/tests/protection/v3/test_assignment.py @@ -1086,9 +1086,9 @@ class _ProjectUserTests(object): def test_user_cannot_filter_role_assignments_by_other_project_user(self): assignments = self._setup_test_role_assignments() - # This user doesn't have any role assignments on self.project_id, so the - # project user of self.project_id should only see an empty list of role - # assignments. + # This user doesn't have any role assignments on self.project_id, so + # the project user of self.project_id should only see an empty list of + # role assignments. user_id = assignments['user_id'] with self.test_client() as c: diff --git a/keystone/tests/protection/v3/test_domain_config.py b/keystone/tests/protection/v3/test_domain_config.py index 1c1a891e4e..63556a90b8 100644 --- a/keystone/tests/protection/v3/test_domain_config.py +++ b/keystone/tests/protection/v3/test_domain_config.py @@ -50,10 +50,11 @@ class _SystemDomainAndProjectUserDomainConfigTests(object): password_regex_description=password_regex_description ) with self.test_client() as c: - c.get('/v3/domains/%s/config/security_compliance/password_regex_description' + c.get('/v3/domains/%s/config/security_compliance' + '/password_regex_description' % CONF.identity.default_domain_id, headers=self.headers) - def test_user_can_get_security_compliance_config_with_user_from_other_domain(self): + def test_can_get_security_compliance_config_with_user_from_other_domain(self): # noqa: E501 domain = unit.new_domain_ref() PROVIDERS.resource_api.create_domain(domain['id'], domain) @@ -95,7 +96,8 @@ class _SystemUserDomainConfigTests(object): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.get('/v3/domains/%s/config' % domain['id'], headers=self.headers) @@ -104,7 +106,8 @@ class _SystemUserDomainConfigTests(object): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.get('/v3/domains/%s/config/ldap' % domain['id'], headers=self.headers) @@ -113,7 +116,8 @@ class _SystemUserDomainConfigTests(object): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) invalid_domain_id = uuid.uuid4().hex with self.test_client() as c: c.get('/v3/domains/%s/config/ldap' @@ -144,7 +148,8 @@ class _SystemUserDomainConfigTests(object): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.get('/v3/domains/%s/config/ldap/url' % domain['id'], headers=self.headers) @@ -195,10 +200,11 @@ class _SystemUserDomainConfigTests(object): password_regex_description=password_regex_description ) with self.test_client() as c: - c.get('/v3/domains/%s/config/security_compliance/password_regex_description' + c.get('/v3/domains/%s/config/security_compliance' + '/password_regex_description' % CONF.identity.default_domain_id, headers=self.headers) - def test_user_can_get_security_compliance_config_with_user_from_other_domain(self): + def test_can_get_security_compliance_config_with_user_from_other_domain(self): # noqa: E501 domain = unit.new_domain_ref() PROVIDERS.resource_api.create_domain(domain['id'], domain) @@ -238,58 +244,70 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object): ) with self.test_client() as c: c.put('/v3/domains/%s/config' - % domain['id'], json={'config': unit.new_domain_config_ref()}, - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + % domain['id'], + json={'config': unit.new_domain_config_ref()}, + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_update_domain_config(self): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) new_config = {'ldap': {'url': uuid.uuid4().hex}, 'identity': {'driver': uuid.uuid4().hex}} with self.test_client() as c: c.patch('/v3/domains/%s/config' % domain['id'], json={'config': new_config}, - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_update_domain_group_config(self): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) new_config = {'ldap': {'url': uuid.uuid4().hex, 'user_filter': uuid.uuid4().hex}} with self.test_client() as c: c.patch('/v3/domains/%s/config/ldap' % domain['id'], json={'config': new_config}, - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_update_domain_config_option(self): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) new_config = {'url': uuid.uuid4().hex} - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.patch('/v3/domains/%s/config/ldap/url' - % domain['id'], json={'config': new_config}, - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + % domain['id'], + json={'config': new_config}, + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_delete_domain_config(self): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.delete('/v3/domains/%s/config' % domain['id'], - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_delete_domain_group_config(self): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.delete('/v3/domains/%s/config/ldap' % domain['id'], headers=self.headers, @@ -299,7 +317,8 @@ class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.delete('/v3/domains/%s/config/ldap/url' % domain['id'], headers=self.headers, @@ -312,7 +331,8 @@ class _DomainAndProjectUserDomainConfigTests(object): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.get('/v3/domains/%s/config' % domain['id'], headers=self.headers, @@ -322,7 +342,8 @@ class _DomainAndProjectUserDomainConfigTests(object): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.get('/v3/domains/%s/config/ldap' % domain['id'], headers=self.headers, @@ -340,7 +361,8 @@ class _DomainAndProjectUserDomainConfigTests(object): domain = PROVIDERS.resource_api.create_domain( uuid.uuid4().hex, unit.new_domain_ref() ) - PROVIDERS.domain_config_api.create_config(domain['id'], unit.new_domain_config_ref()) + PROVIDERS.domain_config_api.create_config( + domain['id'], unit.new_domain_config_ref()) with self.test_client() as c: c.get('/v3/domains/%s/config/ldap/url' % domain['id'], headers=self.headers, @@ -362,11 +384,12 @@ class _DomainAndProjectUserDomainConfigTests(object): expected_status_code=http_client.FORBIDDEN) -class SystemReaderTests(base_classes.TestCaseWithBootstrap, - common_auth.AuthTestMixin, - _SystemUserDomainConfigTests, - _SystemReaderMemberDomainAndProjectUserDomainConfigTests, - _SystemDomainAndProjectUserDomainConfigTests): +class SystemReaderTests( + base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserDomainConfigTests, + _SystemReaderMemberDomainAndProjectUserDomainConfigTests, + _SystemDomainAndProjectUserDomainConfigTests): def setUp(self): super(SystemReaderTests, self).setUp() @@ -397,11 +420,12 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap, self.headers = {'X-Auth-Token': self.token_id} -class SystemMemberTests(base_classes.TestCaseWithBootstrap, - common_auth.AuthTestMixin, - _SystemUserDomainConfigTests, - _SystemReaderMemberDomainAndProjectUserDomainConfigTests, - _SystemDomainAndProjectUserDomainConfigTests): +class SystemMemberTests( + base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemUserDomainConfigTests, + _SystemReaderMemberDomainAndProjectUserDomainConfigTests, + _SystemDomainAndProjectUserDomainConfigTests): def setUp(self): super(SystemMemberTests, self).setUp() @@ -465,15 +489,19 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, ) with self.test_client() as c: c.put('/v3/domains/%s/config' - % domain['id'], json={'config': unit.new_domain_config_ref()}, - headers=self.headers, expected_status_code=http_client.CREATED) + % domain['id'], + json={'config': unit.new_domain_config_ref()}, + headers=self.headers, + expected_status_code=http_client.CREATED) def test_user_cannot_create_invalid_domain_config(self): invalid_domain_id = uuid.uuid4().hex with self.test_client() as c: c.put('/v3/domains/%s/config' - % invalid_domain_id, json={'config': unit.new_domain_config_ref()}, - headers=self.headers, expected_status_code=http_client.NOT_FOUND) + % invalid_domain_id, + json={'config': unit.new_domain_config_ref()}, + headers=self.headers, + expected_status_code=http_client.NOT_FOUND) def test_user_can_update_domain_config(self): domain = PROVIDERS.resource_api.create_domain( @@ -556,11 +584,12 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, expected_status_code=http_client.NOT_FOUND) -class DomainUserTests(base_classes.TestCaseWithBootstrap, - common_auth.AuthTestMixin, - _SystemDomainAndProjectUserDomainConfigTests, - _DomainAndProjectUserDomainConfigTests, - _SystemReaderMemberDomainAndProjectUserDomainConfigTests): +class DomainUserTests( + base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemDomainAndProjectUserDomainConfigTests, + _DomainAndProjectUserDomainConfigTests, + _SystemReaderMemberDomainAndProjectUserDomainConfigTests): def setUp(self): super(DomainUserTests, self).setUp() @@ -593,11 +622,12 @@ class DomainUserTests(base_classes.TestCaseWithBootstrap, self.headers = {'X-Auth-Token': self.token_id} -class ProjectUserTests(base_classes.TestCaseWithBootstrap, - common_auth.AuthTestMixin, - _SystemDomainAndProjectUserDomainConfigTests, - _DomainAndProjectUserDomainConfigTests, - _SystemReaderMemberDomainAndProjectUserDomainConfigTests): +class ProjectUserTests( + base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _SystemDomainAndProjectUserDomainConfigTests, + _DomainAndProjectUserDomainConfigTests, + _SystemReaderMemberDomainAndProjectUserDomainConfigTests): def setUp(self): super(ProjectUserTests, self).setUp() diff --git a/keystone/tests/protection/v3/test_domain_roles.py b/keystone/tests/protection/v3/test_domain_roles.py index 86a19cf85b..899fe421c2 100644 --- a/keystone/tests/protection/v3/test_domain_roles.py +++ b/keystone/tests/protection/v3/test_domain_roles.py @@ -248,14 +248,16 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, self.headers = {'X-Auth-Token': self.token_id} def test_user_can_create_roles(self): - create = {'role': unit.new_role_ref(domain_id=CONF.identity.default_domain_id)} + create = {'role': unit.new_role_ref( + domain_id=CONF.identity.default_domain_id)} with self.test_client() as c: c.post('/v3/roles', json=create, headers=self.headers) def test_user_can_update_roles(self): role = PROVIDERS.role_api.create_role( - uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id) + uuid.uuid4().hex, + unit.new_role_ref(domain_id=CONF.identity.default_domain_id) ) update = {'role': {'description': uuid.uuid4().hex}} @@ -267,7 +269,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, def test_user_can_delete_roles(self): role = PROVIDERS.role_api.create_role( - uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id) + uuid.uuid4().hex, + unit.new_role_ref(domain_id=CONF.identity.default_domain_id) ) with self.test_client() as c: diff --git a/keystone/tests/protection/v3/test_ec2_credential.py b/keystone/tests/protection/v3/test_ec2_credential.py index f17279fc9d..a1bdaaa566 100644 --- a/keystone/tests/protection/v3/test_ec2_credential.py +++ b/keystone/tests/protection/v3/test_ec2_credential.py @@ -44,7 +44,8 @@ class _UserEC2CredentialTests(object): credential_id = r.json['credential']['access'] - path = '/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id) + path = '/v3/users/%s/credentials/OS-EC2/%s' % ( + self.user_id, credential_id) r = c.get(path, headers=self.headers) self.assertEqual( self.user_id, r.json['credential']['user_id'] @@ -101,7 +102,8 @@ class _UserEC2CredentialTests(object): json={'tenant_id': project['id']}, headers=self.headers) credential_id = r.json['credential']['access'] - c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id), + c.delete('/v3/users/%s/credentials/OS-EC2/%s' % ( + self.user_id, credential_id), headers=self.headers) def test_user_cannot_create_ec2_credentials_for_others(self): @@ -147,8 +149,10 @@ class _UserEC2CredentialTests(object): json={'tenant_id': project['id']}, headers=headers) credential_id = r.json['credential']['access'] - c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id), - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + c.delete('/v3/users/%s/credentials/OS-EC2/%s' % ( + self.user_id, credential_id), + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) class _SystemUserTests(object): @@ -178,8 +182,10 @@ class _SystemUserTests(object): json={'tenant_id': project['id']}, headers=headers) credential_id = r.json['credential']['access'] - path = '/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id) - c.get(path, headers=self.headers, expected_status_code=http_client.OK) + path = '/v3/users/%s/credentials/OS-EC2/%s' % ( + self.user_id, credential_id) + c.get(path, headers=self.headers, + expected_status_code=http_client.OK) class _SystemReaderAndMemberTests(object): @@ -377,7 +383,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, json={'tenant_id': project['id']}, headers=headers) credential_id = r.json['credential']['access'] - c.delete('/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id, credential_id), + c.delete('/v3/users/%s/credentials/OS-EC2/%s' % ( + self.user_id, credential_id), headers=self.headers) @@ -395,13 +402,16 @@ class ProjectAdminTests(base_classes.TestCaseWithBootstrap, # update permissions or update policies without breaking users. This # will cause these specific tests to fail since we're trying to correct # this broken behavior with better scope checking. + reader_or_cred_owner = bp.SYSTEM_READER_OR_CRED_OWNER + reader_or_owner = bp.RULE_SYSTEM_READER_OR_OWNER + admin_or_cred_owner = bp.SYSTEM_ADMIN_OR_CRED_OWNER with open(self.policy_file_name, 'w') as f: overridden_policies = { - 'identity:ec2_get_credential': bp.SYSTEM_READER_OR_CRED_OWNER, - 'identity:ec2_list_credentials': bp.RULE_SYSTEM_READER_OR_OWNER, - 'identity:ec2_create_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER, - 'identity:ec2_update_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER, - 'identity:ec2_delete_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER + 'identity:ec2_get_credential': reader_or_cred_owner, + 'identity:ec2_list_credentials': reader_or_owner, + 'identity:ec2_create_credential': admin_or_cred_owner, + 'identity:ec2_update_credential': admin_or_cred_owner, + 'identity:ec2_delete_credential': admin_or_cred_owner } f.write(jsonutils.dumps(overridden_policies)) diff --git a/keystone/tests/protection/v3/test_endpoint_group.py b/keystone/tests/protection/v3/test_endpoint_group.py index 2d0faa0859..1a121fad4d 100644 --- a/keystone/tests/protection/v3/test_endpoint_group.py +++ b/keystone/tests/protection/v3/test_endpoint_group.py @@ -29,7 +29,8 @@ class _SystemUserEndpointGroupsTests(object): """Common default functionality for all system users.""" def test_user_can_list_endpoint_groups(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -43,7 +44,8 @@ class _SystemUserEndpointGroupsTests(object): self.assertIn(endpoint_group['id'], endpoint_groups) def test_user_can_get_an_endpoint_group(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -57,7 +59,8 @@ class _SystemUserEndpointGroupsTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -79,7 +82,8 @@ class _SystemUserEndpointGroupsTests(object): endpoint = PROVIDERS.catalog_api.create_endpoint( endpoint['id'], endpoint ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -98,7 +102,8 @@ class _SystemUserEndpointGroupsTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -115,7 +120,8 @@ class _SystemUserEndpointGroupsTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -145,12 +151,14 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object): with self.test_client() as c: c.post( - '/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers, + '/v3/OS-EP-FILTER/endpoint_groups', json=create, + headers=self.headers, expected_status_code=http_client.FORBIDDEN ) def test_user_cannot_update_endpoint_groups(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -159,20 +167,23 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object): with self.test_client() as c: c.patch( - '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update, + '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], + json=update, headers=self.headers, expected_status_code=http_client.FORBIDDEN ) def test_user_cannot_delete_endpoint_groups(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) with self.test_client() as c: c.delete( - '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers, + '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], + headers=self.headers, expected_status_code=http_client.FORBIDDEN ) @@ -182,7 +193,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -199,7 +211,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -214,7 +227,8 @@ class _SystemReaderAndMemberUserEndpointGroupsTests(object): class _DomainAndProjectUserEndpointGroupTests(object): def test_user_cannot_list_endpoint_groups(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -224,13 +238,15 @@ class _DomainAndProjectUserEndpointGroupTests(object): expected_status_code=http_client.FORBIDDEN) def test_user_cannot_get_an_endpoint_group(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) with self.test_client() as c: c.get('/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_list_projects_associated_with_endpoint_groups(self): project = PROVIDERS.resource_api.create_project( @@ -238,15 +254,18 @@ class _DomainAndProjectUserEndpointGroupTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) PROVIDERS.catalog_api.add_endpoint_group_to_project( endpoint_group['id'], project['id']) with self.test_client() as c: - c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects' % endpoint_group['id'], - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects' + % endpoint_group['id'], + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_list_endpoints_associated_with_endpoint_groups(self): service = PROVIDERS.catalog_api.create_service( @@ -256,13 +275,16 @@ class _DomainAndProjectUserEndpointGroupTests(object): endpoint = PROVIDERS.catalog_api.create_endpoint( endpoint['id'], endpoint ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) with self.test_client() as c: - c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints' % endpoint_group['id'], - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints' + % endpoint_group['id'], + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_get_endpoints_associated_with_endpoint_groups(self): project = PROVIDERS.resource_api.create_project( @@ -270,7 +292,8 @@ class _DomainAndProjectUserEndpointGroupTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -279,7 +302,8 @@ class _DomainAndProjectUserEndpointGroupTests(object): with self.test_client() as c: c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s' % (endpoint_group['id'], project['id']), - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_list_endpoint_groups_with_their_projects(self): project = PROVIDERS.resource_api.create_project( @@ -287,15 +311,18 @@ class _DomainAndProjectUserEndpointGroupTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) PROVIDERS.catalog_api.add_endpoint_group_to_project( endpoint_group['id'], project['id']) with self.test_client() as c: - c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups' % project['id'], - headers=self.headers, expected_status_code=http_client.FORBIDDEN) + c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups' + % project['id'], + headers=self.headers, + expected_status_code=http_client.FORBIDDEN) def test_user_cannot_create_endpoint_groups(self): create = { @@ -309,12 +336,14 @@ class _DomainAndProjectUserEndpointGroupTests(object): with self.test_client() as c: c.post( - '/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers, + '/v3/OS-EP-FILTER/endpoint_groups', json=create, + headers=self.headers, expected_status_code=http_client.FORBIDDEN ) def test_user_cannot_update_endpoint_groups(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -323,20 +352,23 @@ class _DomainAndProjectUserEndpointGroupTests(object): with self.test_client() as c: c.patch( - '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update, + '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], + json=update, headers=self.headers, expected_status_code=http_client.FORBIDDEN ) def test_user_cannot_delete_endpoint_groups(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) with self.test_client() as c: c.delete( - '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers, + '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], + headers=self.headers, expected_status_code=http_client.FORBIDDEN ) @@ -346,7 +378,8 @@ class _DomainAndProjectUserEndpointGroupTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -363,7 +396,8 @@ class _DomainAndProjectUserEndpointGroupTests(object): domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -481,10 +515,12 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, with self.test_client() as c: c.post( - '/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers) + '/v3/OS-EP-FILTER/endpoint_groups', json=create, + headers=self.headers) def test_user_can_update_endpoint_group(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -493,18 +529,21 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, with self.test_client() as c: c.patch( - '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update, + '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], + json=update, headers=self.headers) def test_user_can_delete_endpoint_group(self): - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) with self.test_client() as c: c.delete( - '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers + '/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], + headers=self.headers ) def test_user_add_endpoint_group_to_project(self): @@ -513,7 +552,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) @@ -529,7 +569,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, domain_id=CONF.identity.default_domain_id ) ) - endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'}) + endpoint_group = unit.new_endpoint_group_ref( + filters={'interface': 'public'}) endpoint_group = PROVIDERS.catalog_api.create_endpoint_group( endpoint_group['id'], endpoint_group ) diff --git a/keystone/tests/protection/v3/test_grants.py b/keystone/tests/protection/v3/test_grants.py index c289a3e74d..90a235f106 100644 --- a/keystone/tests/protection/v3/test_grants.py +++ b/keystone/tests/protection/v3/test_grants.py @@ -30,7 +30,7 @@ PROVIDERS = provider_api.ProviderAPIs class _SystemUserGrantTests(object): - def test_user_can_list_grants_for_user_on_project(self): + def test_can_list_grants_for_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -53,7 +53,7 @@ class _SystemUserGrantTests(object): ) self.assertEqual(1, len(r.json['roles'])) - def test_user_can_list_grants_for_user_on_domain(self): + def test_can_list_grants_for_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -74,7 +74,7 @@ class _SystemUserGrantTests(object): ) self.assertEqual(1, len(r.json['roles'])) - def test_user_can_list_grants_for_group_on_project(self): + def test_can_list_grants_for_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -98,7 +98,7 @@ class _SystemUserGrantTests(object): ) self.assertEqual(1, len(r.json['roles'])) - def test_user_can_list_grants_for_group_on_domain(self): + def test_can_list_grants_for_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -119,7 +119,7 @@ class _SystemUserGrantTests(object): ) self.assertEqual(1, len(r.json['roles'])) - def test_user_can_check_grant_for_user_on_project(self): + def test_can_check_grant_for_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -144,7 +144,7 @@ class _SystemUserGrantTests(object): expected_status_code=http_client.NO_CONTENT ) - def test_user_can_check_grant_for_user_on_domain(self): + def test_can_check_grant_for_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -167,7 +167,7 @@ class _SystemUserGrantTests(object): expected_status_code=http_client.NO_CONTENT ) - def test_user_can_check_grant_for_group_on_project(self): + def test_can_check_grant_for_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -194,7 +194,7 @@ class _SystemUserGrantTests(object): expected_status_code=http_client.NO_CONTENT ) - def test_user_can_check_grant_for_group_on_domain(self): + def test_can_check_grant_for_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -220,7 +220,7 @@ class _SystemUserGrantTests(object): class _SystemMemberAndReaderGrantTests(object): - def test_user_cannot_create_grant_for_user_on_project(self): + def test_cannot_create_grant_for_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -240,7 +240,7 @@ class _SystemMemberAndReaderGrantTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_user_on_domain(self): + def test_cannot_create_grant_for_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -258,7 +258,7 @@ class _SystemMemberAndReaderGrantTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_on_project(self): + def test_cannot_create_grant_for_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -280,7 +280,7 @@ class _SystemMemberAndReaderGrantTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_on_domain(self): + def test_cannot_create_grant_for_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -298,7 +298,7 @@ class _SystemMemberAndReaderGrantTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_on_project(self): + def test_cannot_revoke_grant_from_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -323,7 +323,7 @@ class _SystemMemberAndReaderGrantTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_on_domain(self): + def test_cannot_revoke_grant_from_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -346,7 +346,7 @@ class _SystemMemberAndReaderGrantTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_on_project(self): + def test_cannot_revoke_grant_from_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -373,7 +373,7 @@ class _SystemMemberAndReaderGrantTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_on_domain(self): + def test_cannot_revoke_grant_from_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -399,7 +399,7 @@ class _SystemMemberAndReaderGrantTests(object): class _DomainUserTests(object): - def test_user_can_list_grants_for_user_on_project(self): + def test_can_list_grants_for_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -420,7 +420,7 @@ class _DomainUserTests(object): ) self.assertEqual(1, len(r.json['roles'])) - def test_user_can_list_grants_for_user_on_domain(self): + def test_can_list_grants_for_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -437,7 +437,7 @@ class _DomainUserTests(object): ) self.assertEqual(1, len(r.json['roles'])) - def test_user_can_list_grants_for_group_on_project(self): + def test_can_list_grants_for_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -459,7 +459,7 @@ class _DomainUserTests(object): ) self.assertEqual(1, len(r.json['roles'])) - def test_user_can_list_grants_for_group_on_domain(self): + def test_can_list_grants_for_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -477,7 +477,7 @@ class _DomainUserTests(object): ) self.assertEqual(1, len(r.json['roles'])) - def test_user_can_check_grant_for_user_on_project(self): + def test_can_check_grant_for_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -502,7 +502,7 @@ class _DomainUserTests(object): expected_status_code=http_client.NO_CONTENT ) - def test_user_can_check_grant_for_user_on_domain(self): + def test_can_check_grant_for_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -522,7 +522,7 @@ class _DomainUserTests(object): expected_status_code=http_client.NO_CONTENT ) - def test_user_can_check_grant_for_group_on_project(self): + def test_can_check_grant_for_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -547,7 +547,7 @@ class _DomainUserTests(object): expected_status_code=http_client.NO_CONTENT ) - def test_user_can_check_grant_for_group_on_domain(self): + def test_can_check_grant_for_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -567,7 +567,7 @@ class _DomainUserTests(object): expected_status_code=http_client.NO_CONTENT ) - def test_user_cannot_list_grants_for_user_other_domain_on_project_own_domain(self): + def test_cannot_list_grants_for_user_other_domain_on_project_own_domain(self): # noqa: E501 user_domain_id = CONF.identity.default_domain_id project_domain_id = self.domain_id @@ -591,7 +591,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_list_grants_for_user_own_domain_on_project_other_domain(self): + def test_cannot_list_grants_for_user_own_domain_on_project_other_domain(self): # noqa: E501 user_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id @@ -616,7 +616,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_list_grants_for_user_own_domain_on_other_domain(self): + def test_cannot_list_grants_for_user_own_domain_on_other_domain(self): user_domain_id = self.domain_id domain_id = CONF.identity.default_domain_id @@ -636,7 +636,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_list_grants_for_user_other_domain_on_own_domain(self): + def test_cannot_list_grants_for_user_other_domain_on_own_domain(self): user_domain_id = CONF.identity.default_domain_id domain_id = self.domain_id @@ -656,7 +656,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_list_grants_for_group_other_domain_on_project_own_domain(self): + def test_cannot_list_grants_for_group_other_domain_on_project_own_domain(self): # noqa: E501 group_domain_id = CONF.identity.default_domain_id project_domain_id = self.domain_id @@ -681,7 +681,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_list_grants_for_group_own_domain_on_project_other_domain(self): + def test_cannot_list_grants_for_group_own_domain_on_project_other_domain(self): # noqa: E501 group_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id @@ -707,7 +707,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_list_grants_for_group_own_domain_on_other_domain(self): + def test_cannot_list_grants_for_group_own_domain_on_other_domain(self): group_domain_id = self.domain_id domain_id = CONF.identity.default_domain_id @@ -728,7 +728,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_list_grants_for_group_other_domain_on_own_domain(self): + def test_cannot_list_grants_for_group_other_domain_on_own_domain(self): group_domain_id = CONF.identity.default_domain_id domain_id = self.domain_id @@ -749,7 +749,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_user_other_domain_on_project_own_domain(self): + def test_cannot_check_grant_for_user_other_domain_on_project_own_domain(self): # noqa: E501 user_domain_id = CONF.identity.default_domain_id project_domain_id = self.domain_id @@ -775,7 +775,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_user_own_domain_on_project_other_domain(self): + def test_cannot_check_grant_for_user_own_domain_on_project_other_domain(self): # noqa: E501 user_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id @@ -802,7 +802,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self): + def test_cannot_check_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self): # noqa: E501 user_domain_id = self.domain_id project_domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id @@ -833,7 +833,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_user_own_domain_on_other_domain(self): + def test_cannot_check_grant_for_user_own_domain_on_other_domain(self): user_domain_id = self.domain_id domain_id = CONF.identity.default_domain_id @@ -856,7 +856,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_user_other_domain_on_own_domain(self): + def test_cannot_check_grant_for_user_other_domain_on_own_domain(self): user_domain_id = CONF.identity.default_domain_id domain_id = self.domain_id @@ -879,7 +879,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self): + def test_cannot_check_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self): # noqa: E501 user_domain_id = self.domain_id domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id @@ -907,7 +907,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_group_other_domain_on_project_own_domain(self): + def test_cannot_check_grant_for_group_other_domain_on_project_own_domain(self): # noqa: E501 group_domain_id = CONF.identity.default_domain_id project_domain_id = self.domain_id @@ -933,7 +933,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_group_own_domain_on_project_other_domain(self): + def test_cannot_check_grant_for_group_own_domain_on_project_other_domain(self): # noqa: E501 group_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id @@ -959,7 +959,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self): + def test_cannot_check_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self): # noqa: E501 group_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id @@ -990,7 +990,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_group_own_domain_on_other_domain(self): + def test_cannot_check_grant_for_group_own_domain_on_other_domain(self): group_domain_id = self.domain_id domain_id = CONF.identity.default_domain_id @@ -1012,7 +1012,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_group_other_domain_on_own_domain(self): + def test_cannot_check_grant_for_group_other_domain_on_own_domain(self): group_domain_id = CONF.identity.default_domain_id domain_id = self.domain_id @@ -1034,12 +1034,13 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_check_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self): + def test_cannot_check_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self): # noqa: E501 group_domain_id = self.domain_id domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id - role = PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id)) + role = PROVIDERS.role_api.create_role( + uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id)) group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=group_domain_id) @@ -1059,7 +1060,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_user_other_domain_on_project_own_domain(self): + def test_cannot_create_grant_for_user_other_domain_on_project_own_domain(self): # noqa: E501 user_domain_id = CONF.identity.default_domain_id project_domain_id = self.domain_id @@ -1082,7 +1083,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_user_own_domain_on_project_other_domain(self): + def test_cannot_create_grant_for_user_own_domain_on_project_other_domain(self): # noqa: E501 user_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id @@ -1105,7 +1106,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_cannot_create_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self): + def test_cannot_create_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self): # noqa: E501 user_domain_id = self.domain_id project_domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id @@ -1131,7 +1132,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_user_other_domain_on_own_domain(self): + def test_cannot_create_grant_for_user_other_domain_on_own_domain(self): user_domain_id = CONF.identity.default_domain_id domain_id = self.domain_id @@ -1148,7 +1149,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_user_own_domain_on_other_domain(self): + def test_cannot_create_grant_for_user_own_domain_on_other_domain(self): user_domain_id = self.domain_id domain_id = CONF.identity.default_domain_id @@ -1165,7 +1166,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_cannot_create_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self): + def test_cannot_create_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self): # noqa: E501 user_domain_id = self.domain_id domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id @@ -1186,7 +1187,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_other_domain_on_project_own_domain(self): + def test_cannot_create_grant_for_group_other_domain_on_project_own_domain(self): # noqa: E501 group_domain_id = CONF.identity.default_domain_id project_domain_id = self.domain_id @@ -1211,7 +1212,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_own_domain_on_project_other_domain(self): + def test_cannot_create_grant_for_group_own_domain_on_project_other_domain(self): # noqa: E501 group_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id @@ -1236,7 +1237,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_cannot_create_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self): + def test_cannot_create_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self): # noqa: E501 group_domain_id = self.domain_id project_domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id @@ -1265,7 +1266,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_other_domain_on_own_domain(self): + def test_cannot_create_grant_for_group_other_domain_on_own_domain(self): group_domain_id = CONF.identity.default_domain_id domain_id = self.domain_id @@ -1282,7 +1283,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_own_domain_on_other_domain(self): + def test_cannot_create_grant_for_group_own_domain_on_other_domain(self): group_domain_id = self.domain_id domain_id = CONF.identity.default_domain_id @@ -1299,7 +1300,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self): + def test_cannot_create_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self): # noqa: E501 group_domain_id = self.domain_id domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id @@ -1320,7 +1321,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_other_domain_on_project_own_domain(self): + def test_cannot_revoke_grant_from_user_other_domain_on_project_own_domain(self): # noqa: E501 user_domain_id = CONF.identity.default_domain_id project_domain_id = self.domain_id @@ -1348,7 +1349,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_own_domain_on_project_other_domain(self): + def test_cannot_revoke_grant_from_user_own_domain_on_project_other_domain(self): # noqa: E501 user_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id @@ -1376,7 +1377,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_other_domain_on_own_domain(self): + def test_cannot_revoke_grant_from_user_other_domain_on_own_domain(self): user_domain_id = CONF.identity.default_domain_id domain_id = self.domain_id @@ -1398,7 +1399,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_own_domain_on_other_domain(self): + def test_cannot_revoke_grant_from_user_own_domain_on_other_domain(self): user_domain_id = self.domain_id domain_id = CONF.identity.default_domain_id @@ -1420,7 +1421,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_own_domain_on_own_domain_with_role_other_domain(self): + def test_cannot_revoke_grant_from_user_own_domain_on_own_domain_with_role_other_domain(self): # noqa: E501 user_domain_id = self.domain_id domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id @@ -1446,7 +1447,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_other_domain_on_project_own_domain(self): + def test_cannot_revoke_grant_from_group_other_domain_on_project_own_domain(self): # noqa: E501 group_domain_id = CONF.identity.default_domain_id project_domain_id = self.domain_id @@ -1476,7 +1477,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_own_domain_on_project_other_domain(self): + def test_cannot_revoke_grant_from_group_own_domain_on_project_other_domain(self): # noqa: E501 group_domain_id = self.domain_id project_domain_id = CONF.identity.default_domain_id @@ -1506,7 +1507,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_other_domain_on_own_domain(self): + def test_cannot_revoke_grant_from_group_other_domain_on_own_domain(self): group_domain_id = CONF.identity.default_domain_id domain_id = self.domain_id @@ -1528,7 +1529,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_own_domain_on_other_domain(self): + def test_cannot_revoke_grant_from_group_own_domain_on_other_domain(self): group_domain_id = self.domain_id domain_id = CONF.identity.default_domain_id @@ -1550,7 +1551,7 @@ class _DomainUserTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_own_domain_on_own_domain_with_role_other_domain(self): + def test_cannot_revoke_grant_from_group_own_domain_on_own_domain_with_role_other_domain(self): # noqa: E501 group_domain_id = self.domain_id domain_id = self.domain_id role_domain_id = CONF.identity.default_domain_id @@ -1670,7 +1671,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, self.token_id = r.headers['X-Subject-Token'] self.headers = {'X-Auth-Token': self.token_id} - def test_user_can_create_grant_for_user_on_project(self): + def test_can_create_grant_for_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -1689,7 +1690,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_create_grant_for_user_on_domain(self): + def test_can_create_grant_for_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -1706,7 +1707,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_create_grant_for_group_on_project(self): + def test_can_create_grant_for_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -1727,7 +1728,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_create_grant_for_group_on_domain(self): + def test_can_create_grant_for_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -1744,7 +1745,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_revoke_grant_from_user_on_project(self): + def test_can_revoke_grant_from_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -1768,7 +1769,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_revoke_grant_from_user_on_domain(self): + def test_can_revoke_grant_from_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=CONF.identity.default_domain_id) ) @@ -1790,7 +1791,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_revoke_grant_from_group_on_project(self): + def test_can_revoke_grant_from_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -1816,7 +1817,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_revoke_grant_from_group_on_domain(self): + def test_can_revoke_grant_from_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) @@ -1841,7 +1842,7 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, class _DomainMemberAndReaderTests(object): - def test_user_cannot_create_grant_for_user_on_project(self): + def test_cannot_create_grant_for_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -1861,7 +1862,7 @@ class _DomainMemberAndReaderTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_user_on_domain(self): + def test_cannot_create_grant_for_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -1879,7 +1880,7 @@ class _DomainMemberAndReaderTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_on_project(self): + def test_cannot_create_grant_for_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -1899,7 +1900,7 @@ class _DomainMemberAndReaderTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_grant_for_group_on_domain(self): + def test_cannot_create_grant_for_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -1917,7 +1918,7 @@ class _DomainMemberAndReaderTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_on_project(self): + def test_cannot_revoke_grant_from_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -1940,7 +1941,7 @@ class _DomainMemberAndReaderTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_user_on_domain(self): + def test_cannot_revoke_grant_from_user_on_domain(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -1963,7 +1964,7 @@ class _DomainMemberAndReaderTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_on_project(self): + def test_cannot_revoke_grant_from_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -1990,7 +1991,7 @@ class _DomainMemberAndReaderTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_revoke_grant_from_group_on_domain(self): + def test_cannot_revoke_grant_from_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -2142,7 +2143,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap, } f.write(jsonutils.dumps(overridden_policies)) - def test_user_can_create_grant_for_user_on_project(self): + def test_can_create_grant_for_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -2159,7 +2160,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_create_grant_for_group_on_project(self): + def test_can_create_grant_for_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -2178,7 +2179,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_revoke_grant_from_user_on_project(self): + def test_can_revoke_grant_from_user_on_project(self): user = PROVIDERS.identity_api.create_user( unit.new_user_ref(domain_id=self.domain_id) ) @@ -2200,7 +2201,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_can_revoke_grant_from_group_on_project(self): + def test_can_revoke_grant_from_group_on_project(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=self.domain_id) ) @@ -2224,7 +2225,7 @@ class DomainAdminTests(base_classes.TestCaseWithBootstrap, headers=self.headers ) - def test_user_cannot_revoke_grant_from_group_on_domain(self): + def test_cannot_revoke_grant_from_group_on_domain(self): group = PROVIDERS.identity_api.create_group( unit.new_group_ref(domain_id=CONF.identity.default_domain_id) ) diff --git a/keystone/tests/protection/v3/test_policy.py b/keystone/tests/protection/v3/test_policy.py index ab66c77d7a..0c59e1ef53 100644 --- a/keystone/tests/protection/v3/test_policy.py +++ b/keystone/tests/protection/v3/test_policy.py @@ -252,7 +252,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, 'name': uuid.uuid4().hex, 'description': uuid.uuid4().hex, 'enabled': True, - # Store serialized JSON data as the blob to mimic real world usage. + # Store serialized JSON data as the blob to mimic real world + # usage. 'blob': json.dumps({'data': uuid.uuid4().hex, }), 'type': uuid.uuid4().hex } diff --git a/keystone/tests/protection/v3/test_policy_association.py b/keystone/tests/protection/v3/test_policy_association.py index c279745eef..a3494f8071 100644 --- a/keystone/tests/protection/v3/test_policy_association.py +++ b/keystone/tests/protection/v3/test_policy_association.py @@ -194,7 +194,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_policy_association_for_region_and_service(self): + def test_user_cannot_create_policy_assoc_for_region_and_service(self): policy = unit.new_policy_ref() policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) service = PROVIDERS.catalog_api.create_service( @@ -210,7 +210,7 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_delete_policy_association_for_region_and_service(self): + def test_user_cannot_delete_policy_assoc_for_region_and_service(self): policy = unit.new_policy_ref() policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) service = PROVIDERS.catalog_api.create_service( @@ -392,7 +392,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_create_policy_association_for_region_and_service(self): + def test_user_cannot_create_policy_assoc_for_region_and_service(self): policy = unit.new_policy_ref() policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) service = PROVIDERS.catalog_api.create_service( @@ -408,7 +408,7 @@ class _DomainAndProjectUserPolicyAssociationsTests(object): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_delete_policy_association_for_region_and_service(self): + def test_user_cannot_delete_policy_assoc_for_region_and_service(self): policy = unit.new_policy_ref() policy = PROVIDERS.policy_api.create_policy(policy['id'], policy) service = PROVIDERS.catalog_api.create_service( diff --git a/keystone/tests/protection/v3/test_project_endpoint.py b/keystone/tests/protection/v3/test_project_endpoint.py index 4e2d5a14fd..73cbb5655a 100644 --- a/keystone/tests/protection/v3/test_project_endpoint.py +++ b/keystone/tests/protection/v3/test_project_endpoint.py @@ -45,9 +45,11 @@ class _SystemUserProjectEndpointTests(object): endpoint['id'], endpoint ) - PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id']) + PROVIDERS.catalog_api.add_endpoint_to_project( + endpoint['id'], project['id']) with self.test_client() as c: - r = c.get('/v3/OS-EP-FILTER/endpoints/%s/projects' % endpoint['id'], + r = c.get('/v3/OS-EP-FILTER/endpoints/%s/projects' + % endpoint['id'], headers=self.headers) for project_itr in r.json['projects']: self.assertIn(project['id'], project_itr['id']) @@ -66,7 +68,8 @@ class _SystemUserProjectEndpointTests(object): endpoint['id'], endpoint ) - PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id']) + PROVIDERS.catalog_api.add_endpoint_to_project( + endpoint['id'], project['id']) with self.test_client() as c: c.get('/v3/OS-EP-FILTER/projects/%s/endpoints/%s' % (project['id'], endpoint['id']), @@ -87,7 +90,8 @@ class _SystemUserProjectEndpointTests(object): endpoint['id'], endpoint ) - PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id']) + PROVIDERS.catalog_api.add_endpoint_to_project( + endpoint['id'], project['id']) with self.test_client() as c: r = c.get('/v3/OS-EP-FILTER/projects/%s/endpoints' % project['id'], headers=self.headers) @@ -152,7 +156,8 @@ class _DomainAndProjectUserProjectEndpointTests(object): endpoint['id'], endpoint ) - PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id']) + PROVIDERS.catalog_api.add_endpoint_to_project( + endpoint['id'], project['id']) with self.test_client() as c: c.get('/v3/OS-EP-FILTER/endpoints/%s/projects' % endpoint['id'], headers=self.headers, @@ -172,7 +177,8 @@ class _DomainAndProjectUserProjectEndpointTests(object): endpoint['id'], endpoint ) - PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id']) + PROVIDERS.catalog_api.add_endpoint_to_project( + endpoint['id'], project['id']) with self.test_client() as c: c.get('/v3/OS-EP-FILTER/projects/%s/endpoints/%s' % (project['id'], endpoint['id']), @@ -193,7 +199,8 @@ class _DomainAndProjectUserProjectEndpointTests(object): endpoint['id'], endpoint ) - PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id']) + PROVIDERS.catalog_api.add_endpoint_to_project( + endpoint['id'], project['id']) with self.test_client() as c: c.get('/v3/OS-EP-FILTER/projects/%s/endpoints' % project['id'], headers=self.headers, @@ -326,7 +333,8 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, endpoint = PROVIDERS.catalog_api.create_endpoint( endpoint['id'], endpoint ) - PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'], project['id']) + PROVIDERS.catalog_api.add_endpoint_to_project( + endpoint['id'], project['id']) with self.test_client() as c: c.delete('/v3/OS-EP-FILTER/projects/%s/endpoints/%s' % (project['id'], endpoint['id']), diff --git a/keystone/tests/protection/v3/test_system_assignments.py b/keystone/tests/protection/v3/test_system_assignments.py index 72adc1d675..72936b902a 100644 --- a/keystone/tests/protection/v3/test_system_assignments.py +++ b/keystone/tests/protection/v3/test_system_assignments.py @@ -240,7 +240,8 @@ class _DomainAndProjectUserSystemAssignmentTests(object): with self.test_client() as c: c.get( - '/v3/system/groups/%s/roles' % group['id'], headers=self.headers, + '/v3/system/groups/%s/roles' % group['id'], + headers=self.headers, expected_status_code=http_client.FORBIDDEN ) diff --git a/keystone/tests/protection/v3/test_trusts.py b/keystone/tests/protection/v3/test_trusts.py index 0cb3b06c54..3614a8b9a2 100644 --- a/keystone/tests/protection/v3/test_trusts.py +++ b/keystone/tests/protection/v3/test_trusts.py @@ -441,7 +441,7 @@ class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests): expected_status_code=http_client.FORBIDDEN ) - def test_admin_cannot_get_trust_role_for_other_user_overridden_defaults(self): + def test_admin_cannot_get_trust_role_for_other_user_overridden(self): self._override_policy_old_defaults() PROVIDERS.trust_api.create_trust( self.trust_id, **self.trust_data) @@ -768,7 +768,7 @@ class ProjectUserTests(TrustTests): expected_status_code=http_client.FORBIDDEN ) - def test_user_cannot_list_trusts_for_other_trustor_overridden_default(self): + def test_user_cannot_list_trusts_for_other_trustor_overridden(self): self._override_policy_old_defaults() PROVIDERS.trust_api.create_trust( self.trust_id, **self.trust_data) @@ -841,7 +841,7 @@ class ProjectUserTests(TrustTests): expected_status_code=http_client.FORBIDDEN ) - def test_user_can_get_trust_of_whom_they_are_the_trustor_overridden_default(self): + def test_user_can_get_trust_of_whom_they_are_the_trustor_overridden(self): self._override_policy_old_defaults() ref = PROVIDERS.trust_api.create_trust( self.trust_id, **self.trust_data) diff --git a/keystone/tests/unit/application_credential/test_backends.py b/keystone/tests/unit/application_credential/test_backends.py index 8baef27fdc..a7560b34de 100644 --- a/keystone/tests/unit/application_credential/test_backends.py +++ b/keystone/tests/unit/application_credential/test_backends.py @@ -243,11 +243,14 @@ class ApplicationCredentialTests(object): def test_removing_user_from_project_deletes_application_credentials(self): app_cred_proj_A_1 = self._new_app_cred_data( - self.user_foo['id'], project_id=self.project_bar['id'], name='app1') + self.user_foo['id'], project_id=self.project_bar['id'], + name='app1') app_cred_proj_A_2 = self._new_app_cred_data( - self.user_foo['id'], project_id=self.project_bar['id'], name='app2') + self.user_foo['id'], project_id=self.project_bar['id'], + name='app2') app_cred_proj_B = self._new_app_cred_data( - self.user_foo['id'], project_id=self.project_baz['id'], name='app3') + self.user_foo['id'], project_id=self.project_baz['id'], + name='app3') PROVIDERS.assignment_api.add_role_to_user_and_project( project_id=self.project_baz['id'], user_id=self.user_foo['id'], diff --git a/keystone/tests/unit/resource/test_backends.py b/keystone/tests/unit/resource/test_backends.py index 3368f74ed0..42f854ecf5 100644 --- a/keystone/tests/unit/resource/test_backends.py +++ b/keystone/tests/unit/resource/test_backends.py @@ -37,7 +37,8 @@ class ResourceTests(object): domain_count = len(default_fixtures.DOMAINS) def test_get_project(self): - project_ref = PROVIDERS.resource_api.get_project(self.project_bar['id']) + project_ref = PROVIDERS.resource_api.get_project( + self.project_bar['id']) self.assertDictEqual(self.project_bar, project_ref) def test_get_project_returns_not_found(self): diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py index cdc0e1327c..990b90d9d2 100644 --- a/keystone/tests/unit/test_cli.py +++ b/keystone/tests/unit/test_cli.py @@ -220,8 +220,10 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase): headers={'X-Auth-Token': r.headers['X-Subject-Token'], 'X-Subject-Token': token}) admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id) - reader_role = PROVIDERS.role_api.get_role(self.bootstrap.reader_role_id) - member_role = PROVIDERS.role_api.get_role(self.bootstrap.member_role_id) + reader_role = PROVIDERS.role_api.get_role( + self.bootstrap.reader_role_id) + member_role = PROVIDERS.role_api.get_role( + self.bootstrap.member_role_id) self.assertEqual(admin_role['options'], {}) self.assertEqual(member_role['options'], {}) self.assertEqual(reader_role['options'], {}) @@ -305,8 +307,10 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase): project='keystone') self._do_test_bootstrap(self.bootstrap) admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id) - reader_role = PROVIDERS.role_api.get_role(self.bootstrap.reader_role_id) - member_role = PROVIDERS.role_api.get_role(self.bootstrap.member_role_id) + reader_role = PROVIDERS.role_api.get_role( + self.bootstrap.reader_role_id) + member_role = PROVIDERS.role_api.get_role( + self.bootstrap.member_role_id) self.assertTrue(admin_role['options']['immutable']) self.assertTrue(member_role['options']['immutable']) self.assertTrue(reader_role['options']['immutable']) diff --git a/keystone/tests/unit/test_sql_upgrade.py b/keystone/tests/unit/test_sql_upgrade.py index cd03fbf011..877b57cbca 100644 --- a/keystone/tests/unit/test_sql_upgrade.py +++ b/keystone/tests/unit/test_sql_upgrade.py @@ -1679,8 +1679,8 @@ class VersionTests(SqlMigrateBase): self.repos[EXPAND_REPO].repo_path + versions_path + '/*.py') self.assertRepoFileNamePrefix(expand_list, 'expand') # test for migrate prefix, e.g. 001_migrate_new_fk_constraint.py - migrate_list = glob.glob( - self.repos[DATA_MIGRATION_REPO].repo_path + versions_path + '/*.py') + repo_path = self.repos[DATA_MIGRATION_REPO].repo_path + migrate_list = glob.glob(repo_path + versions_path + '/*.py') self.assertRepoFileNamePrefix(migrate_list, 'migrate') # test for contract prefix, e.g. 001_contract_new_fk_constraint.py contract_list = glob.glob( @@ -3250,10 +3250,10 @@ class FullMigration(SqlMigrateBase, unit.TestCase): 'application_credential_access_rule', ['application_credential_id', 'access_rule_id'] ) - self.assertTrue(self.does_fk_exist('application_credential_access_rule', - 'application_credential_id')) - self.assertTrue(self.does_fk_exist('application_credential_access_rule', - 'access_rule_id')) + self.assertTrue(self.does_fk_exist( + 'application_credential_access_rule', 'application_credential_id')) + self.assertTrue(self.does_fk_exist( + 'application_credential_access_rule', 'access_rule_id')) app_cred_table = sqlalchemy.Table( 'application_credential', self.metadata, autoload=True @@ -3392,7 +3392,7 @@ class FullMigration(SqlMigrateBase, unit.TestCase): ['id', 'project_id', 'resource_limit', 'description', 'internal_id', 'registered_limit_id', 'domain_id']) - def test_migration_064_add_remote_id_attribute_to_federation_protocol(self): + def test_migration_064_add_remote_id_attribute_federation_protocol(self): self.expand(63) self.migrate(63) self.contract(63) diff --git a/keystone/tests/unit/test_v3_application_credential.py b/keystone/tests/unit/test_v3_application_credential.py index 55a81fb8d2..75591872e3 100644 --- a/keystone/tests/unit/test_v3_application_credential.py +++ b/keystone/tests/unit/test_v3_application_credential.py @@ -58,10 +58,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): roles = [{'id': self.role_id}] app_cred_body = self._app_cred_body(roles=roles) token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) # Create operation returns the secret self.assertIn('secret', resp.json['application_credential']) # But not the stored hash @@ -73,24 +74,27 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): roles = [{'id': self.role_id}] app_cred_body = self._app_cred_body(roles=roles, secret=secret) token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) self.assertEqual(secret, resp.json['application_credential']['secret']) def test_create_application_credential_roles_from_token(self): with self.test_client() as c: app_cred_body = self._app_cred_body() token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) self.assertThat(resp.json['application_credential']['roles'], matchers.HasLength(1)) - self.assertEqual(resp.json['application_credential']['roles'][0]['id'], - self.role_id) + self.assertEqual( + resp.json['application_credential']['roles'][0]['id'], + self.role_id) def test_create_application_credential_wrong_user(self): wrong_user = unit.create_user(PROVIDERS.identity_api, @@ -153,15 +157,16 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): roles = [{'id': self.role_id}] app_cred_body_1 = self._app_cred_body(roles=roles) token = self.get_scoped_token() - app_cred_1 = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body_1, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + app_cred_1 = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body_1, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) auth_data = self.build_authentication_request( app_cred_id=app_cred_1.json['application_credential']['id'], secret=app_cred_1.json['application_credential']['secret']) - token_data = self.v3_create_token(auth_data, - expected_status=http_client.CREATED) + token_data = self.v3_create_token( + auth_data, expected_status=http_client.CREATED) app_cred_body_2 = self._app_cred_body(roles=roles) token = token_data.headers['x-subject-token'] c.post('/v3/users/%s/application_credentials' % self.user_id, @@ -175,20 +180,22 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): app_cred_body_1 = self._app_cred_body(roles=roles) app_cred_body_1['application_credential']['unrestricted'] = True token = self.get_scoped_token() - app_cred_1 = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body_1, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + app_cred_1 = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body_1, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) auth_data = self.build_authentication_request( app_cred_id=app_cred_1.json['application_credential']['id'], secret=app_cred_1.json['application_credential']['secret']) - token_data = self.v3_create_token(auth_data, - expected_status=http_client.CREATED) + token_data = self.v3_create_token( + auth_data, expected_status=http_client.CREATED) app_cred_body_2 = self._app_cred_body(roles=roles) c.post('/v3/users/%s/application_credentials' % self.user_id, json=app_cred_body_2, expected_status_code=http_client.CREATED, - headers={'x-Auth-Token': token_data.headers['x-subject-token']}) + headers={ + 'x-Auth-Token': token_data.headers['x-subject-token']}) def test_create_application_credential_with_access_rules(self): roles = [{'id': self.role_id}] @@ -203,12 +210,14 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): access_rules=access_rules) with self.test_client() as c: token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - headers={'X-Auth-Token': token}, - json=app_cred_body, - expected_status_code=http_client.CREATED) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + headers={'X-Auth-Token': token}, + json=app_cred_body, + expected_status_code=http_client.CREATED) app_cred_id = resp.json['application_credential']['id'] - resp_access_rules = resp.json['application_credential']['access_rules'] + resp_access_rules = ( + resp.json['application_credential']['access_rules']) access_rule_id = resp_access_rules[0].pop('id') self.assertEqual(access_rules[0], resp_access_rules[0]) resp = c.get('/v3/users/%s/access_rules' % self.user_id, @@ -248,10 +257,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): access_rules=access_rules) with self.test_client() as c: token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - headers={'X-Auth-Token': token}, - json=app_cred_body_1, - expected_status_code=http_client.CREATED) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + headers={'X-Auth-Token': token}, + json=app_cred_body_1, + expected_status_code=http_client.CREATED) resp_access_rules = resp.json['application_credential']['access_rules'] self.assertIn('id', resp_access_rules[0]) access_rule_id = resp_access_rules[0].pop('id') @@ -261,10 +271,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): access_rules=access_rules) with self.test_client() as c: token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - headers={'X-Auth-Token': token}, - json=app_cred_body_2, - expected_status_code=http_client.CREATED) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + headers={'X-Auth-Token': token}, + json=app_cred_body_2, + expected_status_code=http_client.CREATED) resp_access_rules = resp.json['application_credential']['access_rules'] self.assertEqual(access_rule_id, resp_access_rules[0]['id']) @@ -281,10 +292,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): access_rules=access_rules) with self.test_client() as c: token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - headers={'X-Auth-Token': token}, - json=app_cred_body_1, - expected_status_code=http_client.CREATED) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + headers={'X-Auth-Token': token}, + json=app_cred_body_1, + expected_status_code=http_client.CREATED) resp_access_rules = resp.json['application_credential']['access_rules'] access_rule_id = resp_access_rules self.assertIn('id', resp_access_rules[0]) @@ -296,10 +308,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): access_rules=access_rules) with self.test_client() as c: token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - headers={'X-Auth-Token': token}, - json=app_cred_body_2, - expected_status_code=http_client.CREATED) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + headers={'X-Auth-Token': token}, + json=app_cred_body_2, + expected_status_code=http_client.CREATED) resp_access_rules = resp.json['application_credential']['access_rules'] self.assertEqual(access_rule_id, resp_access_rules[0]['id']) @@ -349,10 +362,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): expected_status_code=http_client.OK, headers={'X-Auth-Token': token}) self.assertEqual([], resp.json['application_credentials']) - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) resp = c.get(search_path, expected_status_code=http_client.OK, headers={'X-Auth-Token': token}) self.assertEqual(1, len(resp.json['application_credentials'])) @@ -367,17 +381,19 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): resp = c.get(search_path, expected_status_code=http_client.OK, headers={'X-Auth-Token': token}) self.assertEqual(1, len(resp.json['application_credentials'])) - self.assertEqual(resp.json['application_credentials'][0]['name'], name) + self.assertEqual(resp.json['application_credentials'][0]['name'], + name) def test_get_head_application_credential(self): with self.test_client() as c: roles = [{'id': self.role_id}] app_cred_body = self._app_cred_body(roles=roles) token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) app_cred_id = resp.json['application_credential']['id'] c.head('/v3%s' % MEMBER_PATH_FMT % {'user_id': self.user_id, 'app_cred_id': app_cred_id}, @@ -408,10 +424,11 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): roles = [{'id': self.role_id}] app_cred_body = self._app_cred_body(roles=roles) token = self.get_scoped_token() - resp = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + resp = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) app_cred_id = resp.json['application_credential']['id'] c.delete('/v3%s' % MEMBER_PATH_FMT % {'user_id': self.user_id, 'app_cred_id': app_cred_id}, @@ -431,18 +448,19 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): roles = [{'id': self.role_id}] app_cred_body = self._app_cred_body(roles=roles) token = self.get_scoped_token() - app_cred = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + app_cred = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) auth_data = self.build_authentication_request( app_cred_id=app_cred.json['application_credential']['id'], secret=app_cred.json['application_credential']['secret']) - token_data = self.v3_create_token(auth_data, - expected_status=http_client.CREATED) + token_data = self.v3_create_token( + auth_data, expected_status=http_client.CREATED) member_path = '/v3%s' % MEMBER_PATH_FMT % { - 'user_id': self.user_id, - 'app_cred_id': app_cred.json['application_credential']['id']} + 'user_id': self.user_id, + 'app_cred_id': app_cred.json['application_credential']['id']} token = token_data.headers['x-subject-token'] c.delete(member_path, json=app_cred_body, @@ -455,22 +473,25 @@ class ApplicationCredentialTestCase(test_v3.RestfulTestCase): app_cred_body = self._app_cred_body(roles=roles) app_cred_body['application_credential']['unrestricted'] = True token = self.get_scoped_token() - app_cred = c.post('/v3/users/%s/application_credentials' % self.user_id, - json=app_cred_body, - expected_status_code=http_client.CREATED, - headers={'X-Auth-Token': token}) + app_cred = c.post( + '/v3/users/%s/application_credentials' % self.user_id, + json=app_cred_body, + expected_status_code=http_client.CREATED, + headers={'X-Auth-Token': token}) auth_data = self.build_authentication_request( app_cred_id=app_cred.json['application_credential']['id'], secret=app_cred.json['application_credential']['secret']) - token_data = self.v3_create_token(auth_data, - expected_status=http_client.CREATED) + token_data = self.v3_create_token( + auth_data, expected_status=http_client.CREATED) member_path = '/v3%s' % MEMBER_PATH_FMT % { - 'user_id': self.user_id, - 'app_cred_id': app_cred.json['application_credential']['id']} + 'user_id': self.user_id, + 'app_cred_id': app_cred.json['application_credential']['id']} c.delete(member_path, json=app_cred_body, expected_status_code=http_client.NO_CONTENT, - headers={'x-Auth-Token': token_data.headers['x-subject-token']}) + headers={ + 'x-Auth-Token': token_data.headers['x-subject-token'] + }) def test_update_application_credential(self): with self.test_client() as c: diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py index 6d6c6f6496..d591180e85 100644 --- a/keystone/tests/unit/test_v3_auth.py +++ b/keystone/tests/unit/test_v3_auth.py @@ -5475,7 +5475,8 @@ class ApplicationCredentialAuth(test_v3.RestfulTestCase): data['access_rules'] = access_rules return data - def _validate_token(self, token, headers=None, expected_status=http_client.OK): + def _validate_token(self, token, headers=None, + expected_status=http_client.OK): path = '/v3/auth/tokens' headers = headers or {} headers.update({'X-Auth-Token': token, 'X-Subject-Token': token}) diff --git a/keystone/tests/unit/token/test_fernet_provider.py b/keystone/tests/unit/token/test_fernet_provider.py index a3e6d870c1..d741b53b1f 100644 --- a/keystone/tests/unit/token/test_fernet_provider.py +++ b/keystone/tests/unit/token/test_fernet_provider.py @@ -231,18 +231,20 @@ class TestTokenFormatter(unit.TestCase): exp_protocol_id = uuid.uuid4().hex token_formatter = token_formatters.TokenFormatter() - token = token_formatter.create_token(user_id=exp_user_id, - expires_at=exp_expires_at, - audit_ids=exp_audit_ids, - payload_class=token_formatters.FederatedUnscopedPayload, - methods=exp_methods, - federated_group_ids=exp_federated_group_ids, - identity_provider_id=exp_idp_id, - protocol_id=exp_protocol_id) + token = token_formatter.create_token( + user_id=exp_user_id, + expires_at=exp_expires_at, + audit_ids=exp_audit_ids, + payload_class=token_formatters.FederatedUnscopedPayload, + methods=exp_methods, + federated_group_ids=exp_federated_group_ids, + identity_provider_id=exp_idp_id, + protocol_id=exp_protocol_id) (user_id, methods, audit_ids, system, domain_id, project_id, trust_id, federated_group_ids, identity_provider_id, protocol_id, - access_token_id, app_cred_id, issued_at, expires_at) = token_formatter.validate_token(token) + access_token_id, app_cred_id, issued_at, + expires_at) = token_formatter.validate_token(token) self.assertEqual(exp_user_id, user_id) self.assertTrue(isinstance(user_id, six.string_types)) @@ -263,19 +265,21 @@ class TestTokenFormatter(unit.TestCase): exp_project_id = uuid.uuid4().hex token_formatter = token_formatters.TokenFormatter() - token = token_formatter.create_token(user_id=exp_user_id, - expires_at=exp_expires_at, - audit_ids=exp_audit_ids, - payload_class=token_formatters.FederatedProjectScopedPayload, - methods=exp_methods, - federated_group_ids=exp_federated_group_ids, - identity_provider_id=exp_idp_id, - protocol_id=exp_protocol_id, - project_id=exp_project_id) + token = token_formatter.create_token( + user_id=exp_user_id, + expires_at=exp_expires_at, + audit_ids=exp_audit_ids, + payload_class=token_formatters.FederatedProjectScopedPayload, + methods=exp_methods, + federated_group_ids=exp_federated_group_ids, + identity_provider_id=exp_idp_id, + protocol_id=exp_protocol_id, + project_id=exp_project_id) (user_id, methods, audit_ids, system, domain_id, project_id, trust_id, federated_group_ids, identity_provider_id, protocol_id, - access_token_id, app_cred_id, issued_at, expires_at) = token_formatter.validate_token(token) + access_token_id, app_cred_id, issued_at, + expires_at) = token_formatter.validate_token(token) self.assertEqual(exp_user_id, user_id) self.assertTrue(isinstance(user_id, six.string_types)) diff --git a/keystone/token/token_formatters.py b/keystone/token/token_formatters.py index 182755cc67..04aef7b668 100644 --- a/keystone/token/token_formatters.py +++ b/keystone/token/token_formatters.py @@ -334,7 +334,7 @@ class BasePayload(object): @classmethod def random_urlsafe_str_to_bytes(cls, s): - """Convert a string from :func:`random_urlsafe_str()` to six.binary_type. + """Convert string from :func:`random_urlsafe_str()` to six.binary_type. :type s: six.text_type :rtype: six.binary_type diff --git a/tools/fast8.sh b/tools/fast8.sh index dbe8536662..b7fd1433ed 100755 --- a/tools/fast8.sh +++ b/tools/fast8.sh @@ -22,4 +22,4 @@ for FILE in $CHANGED; do fi done -diff -u --from-file /dev/null $CHECK | flake8 --diff --ignore=D100,D101,D102,D103,D104,E305,E402,E501,W503,W504,W605 +diff -u --from-file /dev/null $CHECK | flake8 --diff --ignore=D100,D101,D102,D103,D104,E305,E402,W503,W504,W605 diff --git a/tox.ini b/tox.ini index 59145f9a93..c9a2a9557e 100644 --- a/tox.ini +++ b/tox.ini @@ -32,7 +32,7 @@ deps = .[bandit] {[testenv]deps} commands = - flake8 --ignore=D100,D101,D102,D103,D104,E305,E402,E501,W503,W504,W605 + flake8 --ignore=D100,D101,D102,D103,D104,E305,E402,W503,W504,W605 # Run bash8 during pep8 runs to ensure violations are caught by # the check and gate queues bashate devstack/plugin.sh