Validate that connect_as connects as the project

We validate that a second keystone auth is made, but we don't currently validate that the second auth is to the correct thing. Add in a token payload validation, and have it set the project. This will get subsummed in a bit with some work to make a proper Fixture for the catalog/requests_mock stuff. But for now, this should work. Change-Id: I59c068c3a7e8e8d028b89da6a2f49e845d279473
2019-08-07 14:44:46 -04:00 · 2019-08-07 14:44:46 -04:00 · 0ea5860385
parent 95bf14908e
commit 0ea5860385
2 changed files with 36 additions and 6 deletions
--- a/openstack/tests/unit/base.py
+++ b/openstack/tests/unit/base.py
@ -420,7 +420,11 @@ class TestCase(base.TestCase):
        self.calls = []
        self._uri_registry.clear()

-    def get_keystone_v3_token(self, catalog='catalog-v3.json'):
+    def get_keystone_v3_token(
+            self,
+            catalog='catalog-v3.json',
+            project_name='admin',
+    ):
        catalog_file = os.path.join(self.fixtures_directory, catalog)
        with open(catalog_file, 'r') as tokens_file:
            return dict(
@ -429,7 +433,31 @@ class TestCase(base.TestCase):
                headers={
                    'X-Subject-Token': self.getUniqueString('KeystoneToken')
                },
-                text=tokens_file.read()
+                text=tokens_file.read(),
+                validate=dict(json={
+                    'auth': {
+                        'identity': {
+                            'methods': ['password'],
+                            'password': {
+                                'user': {
+                                    'domain': {
+                                        'name': 'default',
+                                    },
+                                    'name': 'admin',
+                                    'password': 'password'
+                                }
+                            }
+                        },
+                        'scope': {
+                            'project': {
+                                'domain': {
+                                    'name': 'default'
+                                },
+                                'name': project_name
+                            }
+                        }
+                    }
+                }),
            )

    def get_keystone_v3_discovery(self):
--- a/openstack/tests/unit/cloud/test_shade.py
+++ b/openstack/tests/unit/cloud/test_shade.py
@ -58,8 +58,9 @@ class TestShade(base.TestCase):
        # Do initial auth/catalog steps
        # This should authenticate a second time, but should not
        # need a second identity discovery
+        project_name = 'test_project'
        self.register_uris([
-            self.get_keystone_v3_token(),
+            self.get_keystone_v3_token(project_name=project_name),
            self.get_nova_discovery_mock_dict(),
            dict(
                method='GET',
@ -69,7 +70,7 @@ class TestShade(base.TestCase):
            ),
        ])

-        c2 = self.cloud.connect_as(project_name='test_project')
+        c2 = self.cloud.connect_as(project_name=project_name)
        self.assertEqual(c2.list_servers(), [])
        self.assert_calls()

@ -77,8 +78,9 @@ class TestShade(base.TestCase):
        # Do initial auth/catalog steps
        # This should authenticate a second time, but should not
        # need a second identity discovery
+        project_name = 'test_project'
        self.register_uris([
-            self.get_keystone_v3_token(),
+            self.get_keystone_v3_token(project_name=project_name),
            self.get_nova_discovery_mock_dict(),
            dict(
                method='GET',
@ -88,7 +90,7 @@ class TestShade(base.TestCase):
            ),
        ])

-        with self.cloud.connect_as(project_name='test_project') as c2:
+        with self.cloud.connect_as(project_name=project_name) as c2:
            self.assertEqual(c2.list_servers(), [])
        self.assert_calls()