From bfc7237f9a47af021a5700e34953c2fdb3198786 Mon Sep 17 00:00:00 2001 From: Jane Zadorozhna Date: Tue, 16 Jun 2015 17:32:59 +0300 Subject: [PATCH] Added test_list_tenants non-admin test for v2, v3 api/identity test_list_tenant test uses non-admin user's token and public (non-admin) Identity API v2/v3 client to make a request to list tenants as a user action. Test checks that user can see only that tenants that he was bound to and cannot log in to tenant that is not in his list. Added 2 tests: * test_list_tenants_returns_only_authorized_tenants to api/identity/v2/test_tokens.py * test_list_projects_returns_only_authorized_projects to api/identity/v3/test_projects.py Change-Id: Iabf3a474e70f87bc494d87d6333d668d52de2968 --- tempest/api/identity/base.py | 3 +- tempest/api/identity/v2/test_tenants.py | 50 ++++++++++++++++++++++ tempest/api/identity/v3/test_projects.py | 53 ++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 tempest/api/identity/v2/test_tenants.py create mode 100644 tempest/api/identity/v3/test_projects.py diff --git a/tempest/api/identity/base.py b/tempest/api/identity/base.py index 7b23e6650d..ada292fd71 100644 --- a/tempest/api/identity/base.py +++ b/tempest/api/identity/base.py @@ -77,7 +77,7 @@ class BaseIdentityV2Test(BaseIdentityTest): @classmethod def setup_clients(cls): super(BaseIdentityV2Test, cls).setup_clients() - cls.non_admin_client = cls.os.identity_client + cls.non_admin_client = cls.os.identity_public_client cls.non_admin_token_client = cls.os.token_client @classmethod @@ -97,6 +97,7 @@ class BaseIdentityV2AdminTest(BaseIdentityV2Test): def setup_clients(cls): super(BaseIdentityV2AdminTest, cls).setup_clients() cls.client = cls.os_adm.identity_client + cls.non_admin_client = cls.os.identity_client cls.token_client = cls.os_adm.token_client @classmethod diff --git a/tempest/api/identity/v2/test_tenants.py b/tempest/api/identity/v2/test_tenants.py new file mode 100644 index 0000000000..1fcff8dd08 --- /dev/null +++ b/tempest/api/identity/v2/test_tenants.py @@ -0,0 +1,50 @@ +# Copyright 2015 OpenStack Foundation +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from tempest_lib import exceptions as lib_exc + +from tempest.api.identity import base +from tempest import test + + +class IdentityTenantsTest(base.BaseIdentityV2Test): + + credentials = ['primary', 'alt'] + + @test.idempotent_id('ecae2459-243d-4ba1-ad02-65f15dc82b78') + def test_list_tenants_returns_only_authorized_tenants(self): + alt_tenant_name = self.alt_manager.credentials.credentials.tenant_name + resp = self.non_admin_client.list_tenants() + + # check that user can see only that tenants that he presents in so user + # can successfully authenticate using his credentials and tenant name + # from received tenants list + for tenant in resp['tenants']: + body = self.non_admin_token_client.auth( + self.os.credentials.username, + self.os.credentials.password, + tenant['name']) + self.assertNotEmpty(body['token']['id']) + self.assertEqual(body['token']['tenant']['id'], tenant['id']) + self.assertEqual(body['token']['tenant']['name'], tenant['name']) + self.assertEqual(body['user']['id'], self.os.credentials.user_id) + + # check that user cannot log in to alt user's tenant + self.assertRaises( + lib_exc.Unauthorized, + self.non_admin_token_client.auth, + self.os.credentials.username, + self.os.credentials.password, + alt_tenant_name) diff --git a/tempest/api/identity/v3/test_projects.py b/tempest/api/identity/v3/test_projects.py new file mode 100644 index 0000000000..a547b06b01 --- /dev/null +++ b/tempest/api/identity/v3/test_projects.py @@ -0,0 +1,53 @@ +# Copyright 2015 OpenStack Foundation +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +from tempest_lib import exceptions as lib_exc + +from tempest.api.identity import base +from tempest import test + + +class IdentityV3ProjectsTest(base.BaseIdentityV3Test): + + credentials = ['primary', 'alt'] + + @test.idempotent_id('86128d46-e170-4644-866a-cc487f699e1d') + def test_list_projects_returns_only_authorized_projects(self): + alt_project_name =\ + self.alt_manager.credentials.credentials.project_name + resp = self.non_admin_client.list_user_projects( + self.os.credentials.user_id) + + # check that user can see only that projects that he presents in so + # user can successfully authenticate using his credentials and + # project name from received projects list + for project in resp['projects']: + token_id, body = self.non_admin_token.get_token( + username=self.os.credentials.username, + password=self.os.credentials.password, + project_name=project['name'], + auth_data=True) + self.assertNotEmpty(token_id) + self.assertEqual(body['project']['id'], project['id']) + self.assertEqual(body['project']['name'], project['name']) + self.assertEqual(body['user']['id'], self.os.credentials.user_id) + + # check that user cannot log in to alt user's project + self.assertRaises( + lib_exc.Unauthorized, + self.non_admin_token.get_token, + username=self.os.credentials.username, + password=self.os.credentials.password, + project_name=alt_project_name)