From 8380f3f2a843f40892bb3171bda4aaa0332f04f9 Mon Sep 17 00:00:00 2001
From: Haneef Ali <haneef.ali@hp.com>
Date: Tue, 6 Oct 2015 15:51:12 -0700
Subject: [PATCH] Remove hardcoded endpoint filter for update password

User password update hardcoded the endpoint_filter to always use the public
endpoint. This will break deployments where services behind the firewall have
no access to the public endpoint. Endpoint selection should be allowed
by the end user (i.e. openstack --os-interface internal user password set).

Closes-Bug: 1503459

Change-Id: Ib11d60cd8e81b99aedb27f1cbbf6b79218045cf0
---
 keystoneclient/tests/unit/v3/test_users.py | 22 ++++++++++++++++++++++
 keystoneclient/v3/users.py                 |  3 +--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/keystoneclient/tests/unit/v3/test_users.py b/keystoneclient/tests/unit/v3/test_users.py
index ddc0aecbf..ccb3b002c 100644
--- a/keystoneclient/tests/unit/v3/test_users.py
+++ b/keystoneclient/tests/unit/v3/test_users.py
@@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import mock
 import uuid
 
 from keystoneclient import exceptions
@@ -254,6 +255,27 @@ class UserTests(utils.TestCase, utils.CrudTests):
         self.assertNotIn(old_password, self.logger.output)
         self.assertNotIn(new_password, self.logger.output)
 
+    def test_update_password_with_no_hardcoded_endpoint_filter(self):
+        # test to ensure the 'endpoint_filter' parameter is not being
+        # passed from the manager. Endpoint filtering should be done at
+        # the Session, not the individual managers.
+        old_password = uuid.uuid4().hex
+        new_password = uuid.uuid4().hex
+        expected_params = {'user': {'password': new_password,
+                                    'original_password': old_password}}
+        user_password_update_path = '/users/%s/password' % self.TEST_USER_ID
+
+        self.client.user_id = self.TEST_USER_ID
+        # NOTE(gyee): user manager subclass keystoneclient.base.Manager
+        # and utilize the _update() method in the base class to interface
+        # with the client session to perform the update. In the case, we
+        # just need to make sure the 'endpoint_filter' parameter is not
+        # there.
+        with mock.patch('keystoneclient.base.Manager._update') as m:
+            self.manager.update_password(old_password, new_password)
+            m.assert_called_with(user_password_update_path, expected_params,
+                                 method='POST', log=False)
+
     def test_update_password_with_bad_inputs(self):
         old_password = uuid.uuid4().hex
         new_password = uuid.uuid4().hex
diff --git a/keystoneclient/v3/users.py b/keystoneclient/v3/users.py
index 6eeddb58f..708b5f679 100644
--- a/keystoneclient/v3/users.py
+++ b/keystoneclient/v3/users.py
@@ -160,8 +160,7 @@ class UserManager(base.CrudManager):
 
         base_url = '/users/%s/password' % self.client.user_id
 
-        return self._update(base_url, params, method='POST', log=False,
-                            endpoint_filter={'interface': 'public'})
+        return self._update(base_url, params, method='POST', log=False)
 
     def add_to_group(self, user, group):
         self._require_user_and_group(user, group)