Drop identity v2 api tests

These tests can be removed now, because the identity v2 API was removed
from Keystone during Queens cycle and Queens is no longer supported
by current master of tempest.

This also deprecates the related options so that we can drop these
options later.

Change-Id: I0be2273890cecaa26da37624c185c1bd367b2acf
This commit is contained in:
Takashi Kajinami 2024-01-20 11:23:09 +09:00
parent 6f92b52575
commit c0c90279ce
22 changed files with 44 additions and 2166 deletions

@ -0,0 +1,23 @@
---
upgrade:
- |
Tests for identity v2 API have been removed.
deprecations:
- |
The following options have been formally deprecated. These options were
used to test identity v2 API which was removed during Queens cycle.
The tests for identity v2 API were removed from tempest and these options
have no effect.
- ``[identity] uri``
- ``[identity] v2_admin_endpoint_type``
- ``[identity] v2_public_endpoint_type``
- ``[identity-feature-enabled] api_v2_admin``
- |
The following options have been deprecated because only identity v3 API
is used.
- ``[identity] auth_version``
- ``[identity-feature-enabled] api_v3``

@ -1,97 +0,0 @@
# Copyright 2013 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
CONF = config.CONF
class EndPointsTestJSON(base.BaseIdentityV2AdminTest):
"""Test keystone v2 endpoints"""
@classmethod
def resource_setup(cls):
super(EndPointsTestJSON, cls).resource_setup()
s_name = data_utils.rand_name(
name='service', prefix=CONF.resource_name_prefix)
s_type = data_utils.rand_name(
name='type', prefix=CONF.resource_name_prefix)
s_description = data_utils.rand_name(
name='description', prefix=CONF.resource_name_prefix)
service_data = cls.services_client.create_service(
name=s_name, type=s_type,
description=s_description)['OS-KSADM:service']
cls.addClassResourceCleanup(cls.services_client.delete_service,
service_data['id'])
cls.service_id = service_data['id']
# Create endpoints so as to use for LIST and GET test cases
cls.setup_endpoints = list()
for _ in range(2):
region = data_utils.rand_name(
name='region', prefix=CONF.resource_name_prefix)
url = data_utils.rand_url()
endpoint = cls.endpoints_client.create_endpoint(
service_id=cls.service_id,
region=region,
publicurl=url,
adminurl=url,
internalurl=url)['endpoint']
cls.addClassResourceCleanup(cls.endpoints_client.delete_endpoint,
endpoint['id'])
# list_endpoints() will return 'enabled' field
endpoint['enabled'] = True
cls.setup_endpoints.append(endpoint)
@decorators.idempotent_id('11f590eb-59d8-4067-8b2b-980c7f387f51')
def test_list_endpoints(self):
"""Test listing keystone endpoints"""
# Get a list of endpoints
fetched_endpoints = self.endpoints_client.list_endpoints()['endpoints']
# Asserting LIST endpoints
missing_endpoints =\
[e for e in self.setup_endpoints if e not in fetched_endpoints]
self.assertEmpty(missing_endpoints,
"Failed to find endpoint %s in fetched list" %
', '.join(str(e) for e in missing_endpoints))
@decorators.idempotent_id('9974530a-aa28-4362-8403-f06db02b26c1')
def test_create_list_delete_endpoint(self):
"""Test creating, listing and deleting a keystone endpoint"""
region = data_utils.rand_name(
name='region', prefix=CONF.resource_name_prefix)
url = data_utils.rand_url()
endpoint = self.endpoints_client.create_endpoint(
service_id=self.service_id,
region=region,
publicurl=url,
adminurl=url,
internalurl=url)['endpoint']
# Asserting Create Endpoint response body
self.assertIn('id', endpoint)
self.assertEqual(region, endpoint['region'])
self.assertEqual(url, endpoint['publicurl'])
# Checking if created endpoint is present in the list of endpoints
fetched_endpoints = self.endpoints_client.list_endpoints()['endpoints']
fetched_endpoints_id = [e['id'] for e in fetched_endpoints]
self.assertIn(endpoint['id'], fetched_endpoints_id)
# Deleting the endpoint created in this method
self.endpoints_client.delete_endpoint(endpoint['id'])
# Checking whether endpoint is deleted successfully
fetched_endpoints = self.endpoints_client.list_endpoints()['endpoints']
fetched_endpoints_id = [e['id'] for e in fetched_endpoints]
self.assertNotIn(endpoint['id'], fetched_endpoints_id)

@ -1,121 +0,0 @@
# Copyright 2012 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
CONF = config.CONF
class RolesTestJSON(base.BaseIdentityV2AdminTest):
@classmethod
def resource_setup(cls):
super(RolesTestJSON, cls).resource_setup()
cls.roles = list()
for _ in range(5):
role_name = data_utils.rand_name(
name='role', prefix=CONF.resource_name_prefix)
role = cls.roles_client.create_role(name=role_name)['role']
cls.addClassResourceCleanup(
test_utils.call_and_ignore_notfound_exc,
cls.roles_client.delete_role, role['id'])
cls.roles.append(role)
def _get_role_params(self):
user = self.setup_test_user()
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
role = self.setup_test_role()
return (user, tenant, role)
def assert_role_in_role_list(self, role, roles):
found = False
for user_role in roles:
if user_role['id'] == role['id']:
found = True
self.assertTrue(found, "assigned role was not in list")
@decorators.idempotent_id('75d9593f-50b7-4fcf-bd64-e3fb4a278e23')
def test_list_roles(self):
"""Return a list of all roles."""
body = self.roles_client.list_roles()['roles']
found = [role for role in body if role in self.roles]
self.assertNotEmpty(found)
self.assertEqual(len(found), len(self.roles))
@decorators.idempotent_id('c62d909d-6c21-48c0-ae40-0a0760e6db5e')
def test_role_create_delete(self):
"""Role should be created, verified, and deleted."""
role_name = data_utils.rand_name(
name='role-test', prefix=CONF.resource_name_prefix)
body = self.roles_client.create_role(name=role_name)['role']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.roles_client.delete_role, body['id'])
self.assertEqual(role_name, body['name'])
body = self.roles_client.list_roles()['roles']
found = [role for role in body if role['name'] == role_name]
self.assertNotEmpty(found)
body = self.roles_client.delete_role(found[0]['id'])
body = self.roles_client.list_roles()['roles']
found = [role for role in body if role['name'] == role_name]
self.assertEmpty(found)
@decorators.idempotent_id('db6870bd-a6ed-43be-a9b1-2f10a5c9994f')
def test_get_role_by_id(self):
"""Get a role by its id."""
role = self.setup_test_role()
role_id = role['id']
role_name = role['name']
body = self.roles_client.show_role(role_id)['role']
self.assertEqual(role_id, body['id'])
self.assertEqual(role_name, body['name'])
@decorators.idempotent_id('0146f675-ffbd-4208-b3a4-60eb628dbc5e')
def test_assign_user_role(self):
"""Assign a role to a user on a tenant."""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
roles = self.roles_client.list_user_roles_on_project(
tenant['id'], user['id'])['roles']
self.assert_role_in_role_list(role, roles)
@decorators.idempotent_id('f0b9292c-d3ba-4082-aa6c-440489beef69')
def test_remove_user_role(self):
"""Remove a role assigned to a user on a tenant."""
(user, tenant, role) = self._get_role_params()
user_role = self.roles_client.create_user_role_on_project(
tenant['id'], user['id'], role['id'])['role']
self.roles_client.delete_role_from_user_on_project(tenant['id'],
user['id'],
user_role['id'])
@decorators.idempotent_id('262e1e3e-ed71-4edd-a0e5-d64e83d66d05')
def test_list_user_roles(self):
"""List roles assigned to a user on tenant."""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
roles = self.roles_client.list_user_roles_on_project(
tenant['id'], user['id'])['roles']
self.assert_role_in_role_list(role, roles)

@ -1,296 +0,0 @@
# Copyright 2013 Huawei Technologies Co.,LTD.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
CONF = config.CONF
class RolesNegativeTestJSON(base.BaseIdentityV2AdminTest):
"""Negative tests of keystone roles via v2 API"""
def _get_role_params(self):
user = self.setup_test_user()
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
role = self.setup_test_role()
return (user, tenant, role)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('d5d5f1df-f8ca-4de0-b2ef-259c1cc67025')
def test_list_roles_by_unauthorized_user(self):
"""Test Non-admin user should not be able to list roles via v2 API"""
self.assertRaises(lib_exc.Forbidden,
self.non_admin_roles_client.list_roles)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('11a3c7da-df6c-40c2-abc2-badd682edf9f')
def test_list_roles_request_without_token(self):
"""Test listing roles without a valid token via v2 API should fail"""
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized, self.roles_client.list_roles)
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('c0b89e56-accc-4c73-85f8-9c0f866104c1')
def test_role_create_blank_name(self):
"""Test creating a role with a blank name via v2 API is not allowed"""
self.assertRaises(lib_exc.BadRequest, self.roles_client.create_role,
name='')
@decorators.attr(type=['negative'])
@decorators.idempotent_id('585c8998-a8a4-4641-a5dd-abef7a8ced00')
def test_create_role_by_unauthorized_user(self):
"""Test non-admin user should not be able to create role via v2 API"""
role_name = data_utils.rand_name(
name='role', prefix=CONF.resource_name_prefix)
self.assertRaises(lib_exc.Forbidden,
self.non_admin_roles_client.create_role,
name=role_name)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('a7edd17a-e34a-4aab-8bb7-fa6f498645b8')
def test_create_role_request_without_token(self):
"""Test creating role without a valid token via v2 API should fail"""
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
role_name = data_utils.rand_name(
name='role', prefix=CONF.resource_name_prefix)
self.assertRaises(lib_exc.Unauthorized,
self.roles_client.create_role, name=role_name)
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('c0cde2c8-81c1-4bb0-8fe2-cf615a3547a8')
def test_role_create_duplicate(self):
"""Test role names should be unique via v2 API"""
role_name = data_utils.rand_name(
name='role-dup', prefix=CONF.resource_name_prefix)
body = self.roles_client.create_role(name=role_name)['role']
role1_id = body.get('id')
self.addCleanup(self.roles_client.delete_role, role1_id)
self.assertRaises(lib_exc.Conflict, self.roles_client.create_role,
name=role_name)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('15347635-b5b1-4a87-a280-deb2bd6d865e')
def test_delete_role_by_unauthorized_user(self):
"""Test non-admin user should not be able to delete role via v2 API"""
role_name = data_utils.rand_name(
name='role', prefix=CONF.resource_name_prefix)
body = self.roles_client.create_role(name=role_name)['role']
self.addCleanup(self.roles_client.delete_role, body['id'])
role_id = body.get('id')
self.assertRaises(lib_exc.Forbidden,
self.non_admin_roles_client.delete_role, role_id)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('44b60b20-70de-4dac-beaf-a3fc2650a16b')
def test_delete_role_request_without_token(self):
"""Test deleting role without a valid token via v2 API should fail"""
role_name = data_utils.rand_name(
name='role', prefix=CONF.resource_name_prefix)
body = self.roles_client.create_role(name=role_name)['role']
self.addCleanup(self.roles_client.delete_role, body['id'])
role_id = body.get('id')
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
self.roles_client.delete_role,
role_id)
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('38373691-8551-453a-b074-4260ad8298ef')
def test_delete_role_non_existent(self):
"""Test deleting a non existent role via v2 API should fail"""
non_existent_role = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound, self.roles_client.delete_role,
non_existent_role)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('391df5cf-3ec3-46c9-bbe5-5cb58dd4dc41')
def test_assign_user_role_by_unauthorized_user(self):
"""Test non-admin user assigning a role to user via v2 API
Non-admin user should not be authorized to assign a role to user via
v2 API.
"""
(user, tenant, role) = self._get_role_params()
self.assertRaises(
lib_exc.Forbidden,
self.non_admin_roles_client.create_user_role_on_project,
tenant['id'], user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('f0d2683c-5603-4aee-95d7-21420e87cfd8')
def test_assign_user_role_request_without_token(self):
"""Test assigning a role to a user without a valid token via v2 API
Assigning a role to a user without a valid token via v2 API should
fail.
"""
(user, tenant, role) = self._get_role_params()
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(
lib_exc.Unauthorized,
self.roles_client.create_user_role_on_project, tenant['id'],
user['id'], role['id'])
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('99b297f6-2b5d-47c7-97a9-8b6bb4f91042')
def test_assign_user_role_for_non_existent_role(self):
"""Test assigning a non existent role to user via v2 API
Assigning a non existent role to user via v2 API should fail.
"""
(user, tenant, _) = self._get_role_params()
non_existent_role = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound,
self.roles_client.create_user_role_on_project,
tenant['id'], user['id'], non_existent_role)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('b2285aaa-9e76-4704-93a9-7a8acd0a6c8f')
def test_assign_user_role_for_non_existent_tenant(self):
"""Test assigning a role on a non existent tenant via v2 API
Assigning a role on a non existent tenant via v2 API should fail.
"""
(user, _, role) = self._get_role_params()
non_existent_tenant = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound,
self.roles_client.create_user_role_on_project,
non_existent_tenant, user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('5c3132cd-c4c8-4402-b5ea-71eb44e97793')
def test_assign_duplicate_user_role(self):
"""Test duplicate user role should not get assigned via v2 API"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
self.assertRaises(lib_exc.Conflict,
self.roles_client.create_user_role_on_project,
tenant['id'], user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('d0537987-0977-448f-a435-904c15de7298')
def test_remove_user_role_by_unauthorized_user(self):
"""Test non-admin user removing a user's role via v2 API
Non-admin user should not be authorized to remove a user's role via
v2 API
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
self.assertRaises(
lib_exc.Forbidden,
self.non_admin_roles_client.delete_role_from_user_on_project,
tenant['id'], user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('cac81cf4-c1d2-47dc-90d3-f2b7eb572286')
def test_remove_user_role_request_without_token(self):
"""Test removing a user's role without a valid token via v2 API
Removing a user's role without a valid token via v2 API should fail.
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
self.roles_client.delete_role_from_user_on_project,
tenant['id'], user['id'], role['id'])
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('ab32d759-cd16-41f1-a86e-44405fa9f6d2')
def test_remove_user_role_non_existent_role(self):
"""Test deleting a non existent role from a user via v2 API
Deleting a non existent role from a user via v2 API should fail.
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
non_existent_role = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound,
self.roles_client.delete_role_from_user_on_project,
tenant['id'], user['id'], non_existent_role)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('67a679ec-03dd-4551-bbfc-d1c93284f023')
def test_remove_user_role_non_existent_tenant(self):
"""Test removing a role from a non existent tenant via v2 API
Removing a role from a non existent tenant via v2 API should fail.
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
non_existent_tenant = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound,
self.roles_client.delete_role_from_user_on_project,
non_existent_tenant, user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('7391ab4c-06f3-477a-a64a-c8e55ce89837')
def test_list_user_roles_by_unauthorized_user(self):
"""Test non-admin user listing a user's roles via v2 API
Non-admin user should not be authorized to list a user's roles via v2
API.
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
self.assertRaises(
lib_exc.Forbidden,
self.non_admin_roles_client.list_user_roles_on_project,
tenant['id'], user['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('682adfb2-fd5f-4b0a-a9ca-322e9bebb907')
def test_list_user_roles_request_without_token(self):
"""Test listing user's roles without a valid token via v2 API
Listing user's roles without a valid token via v2 API should fail
"""
(user, tenant, _) = self._get_role_params()
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
try:
self.assertRaises(lib_exc.Unauthorized,
self.roles_client.list_user_roles_on_project,
tenant['id'],
user['id'])
finally:
self.client.auth_provider.clear_auth()

@ -1,115 +0,0 @@
# Copyright 2012 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
CONF = config.CONF
class ServicesTestJSON(base.BaseIdentityV2AdminTest):
"""Test identity services via v2 API"""
def _del_service(self, service_id):
# Deleting the service created in this method
self.services_client.delete_service(service_id)
# Checking whether service is deleted successfully
self.assertRaises(lib_exc.NotFound, self.services_client.show_service,
service_id)
@decorators.idempotent_id('84521085-c6e6-491c-9a08-ec9f70f90110')
def test_create_get_delete_service(self):
"""Test verifies the identity service create/get/delete via v2 API"""
# GET Service
# Creating a Service
name = data_utils.rand_name(
name='service', prefix=CONF.resource_name_prefix)
s_type = data_utils.rand_name(
name='type', prefix=CONF.resource_name_prefix)
description = data_utils.rand_name(
name='description', prefix=CONF.resource_name_prefix)
service_data = self.services_client.create_service(
name=name, type=s_type,
description=description)['OS-KSADM:service']
self.assertIsNotNone(service_data['id'])
self.addCleanup(self._del_service, service_data['id'])
# Verifying response body of create service
self.assertIn('name', service_data)
self.assertEqual(name, service_data['name'])
self.assertIn('type', service_data)
self.assertEqual(s_type, service_data['type'])
self.assertIn('description', service_data)
self.assertEqual(description, service_data['description'])
# Get service
fetched_service = (
self.services_client.show_service(service_data['id'])
['OS-KSADM:service'])
# verifying the existence of service created
self.assertIn('id', fetched_service)
self.assertEqual(fetched_service['id'], service_data['id'])
self.assertIn('name', fetched_service)
self.assertEqual(fetched_service['name'], service_data['name'])
self.assertIn('type', fetched_service)
self.assertEqual(fetched_service['type'], service_data['type'])
self.assertIn('description', fetched_service)
self.assertEqual(fetched_service['description'],
service_data['description'])
@decorators.idempotent_id('5d3252c8-e555-494b-a6c8-e11d7335da42')
def test_create_service_without_description(self):
"""Test creating identity service without description via v2 API
Create a service only with name and type.
"""
name = data_utils.rand_name(
name='service', prefix=CONF.resource_name_prefix)
s_type = data_utils.rand_name(
name='type', prefix=CONF.resource_name_prefix)
service = self.services_client.create_service(
name=name, type=s_type)['OS-KSADM:service']
self.assertIn('id', service)
self.addCleanup(self._del_service, service['id'])
self.assertIn('name', service)
self.assertEqual(name, service['name'])
self.assertIn('type', service)
self.assertEqual(s_type, service['type'])
@decorators.attr(type='smoke')
@decorators.idempotent_id('34ea6489-012d-4a86-9038-1287cadd5eca')
def test_list_services(self):
"""Test Create/List/Verify/Delete of identity service via v2 API"""
services = []
for _ in range(3):
name = data_utils.rand_name(
name='service', prefix=CONF.resource_name_prefix)
s_type = data_utils.rand_name(
name='type', prefix=CONF.resource_name_prefix)
description = data_utils.rand_name(
name='description', prefix=CONF.resource_name_prefix)
service = self.services_client.create_service(
name=name, type=s_type,
description=description)['OS-KSADM:service']
self.addCleanup(self.services_client.delete_service, service['id'])
services.append(service)
service_ids = [svc['id'] for svc in services]
# List and Verify Services
body = self.services_client.list_services()['OS-KSADM:services']
found = [serv for serv in body if serv['id'] in service_ids]
self.assertEqual(len(found), len(services), 'Services not found')

@ -1,164 +0,0 @@
# Copyright 2013 Huawei Technologies Co.,LTD.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
CONF = config.CONF
class TenantsNegativeTestJSON(base.BaseIdentityV2AdminTest):
"""Negative tests of keystone tenants via v2 API"""
@decorators.attr(type=['negative'])
@decorators.idempotent_id('ca9bb202-63dd-4240-8a07-8ef9c19c04bb')
def test_list_tenants_by_unauthorized_user(self):
"""Test Non-admin should not be able to list tenants via v2 API"""
self.assertRaises(lib_exc.Forbidden,
self.non_admin_tenants_client.list_tenants)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('df33926c-1c96-4d8d-a762-79cc6b0c3cf4')
def test_list_tenant_request_without_token(self):
"""Test listing tenants without a valid token via v2 API
Listing tenants without a valid token via v2 API should fail.
"""
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
self.tenants_client.list_tenants)
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('162ba316-f18b-4987-8c0c-fd9140cd63ed')
def test_tenant_delete_by_unauthorized_user(self):
"""Test non-admin should not be able to delete a tenant via v2 API"""
tenant = self.setup_test_tenant()
self.assertRaises(lib_exc.Forbidden,
self.non_admin_tenants_client.delete_tenant,
tenant['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('e450db62-2e9d-418f-893a-54772d6386b1')
def test_tenant_delete_request_without_token(self):
"""Test deleting a tenant without a valid token via v2 API
Deleting a tenant without a valid token via v2 API should fail.
"""
tenant = self.setup_test_tenant()
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
self.tenants_client.delete_tenant,
tenant['id'])
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('9c9a2aed-6e3c-467a-8f5c-89da9d1b516b')
def test_delete_non_existent_tenant(self):
"""Test deleting a non existent tenant via v2 API should fail"""
self.assertRaises(lib_exc.NotFound, self.tenants_client.delete_tenant,
data_utils.rand_uuid_hex())
@decorators.attr(type=['negative'])
@decorators.idempotent_id('af16f44b-a849-46cb-9f13-a751c388f739')
def test_tenant_create_duplicate(self):
"""Test tenant names should be unique via v2 API"""
tenant_name = data_utils.rand_name(
name='tenant', prefix=CONF.resource_name_prefix)
self.setup_test_tenant(name=tenant_name)
self.assertRaises(lib_exc.Conflict, self.tenants_client.create_tenant,
name=tenant_name)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('d26b278a-6389-4702-8d6e-5980d80137e0')
def test_create_tenant_by_unauthorized_user(self):
"""Test non-admin user creating a tenant via v2 API
Non-admin user should not be authorized to create a tenant via v2 API.
"""
tenant_name = data_utils.rand_name(
name='tenant', prefix=CONF.resource_name_prefix)
self.assertRaises(lib_exc.Forbidden,
self.non_admin_tenants_client.create_tenant,
name=tenant_name)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('a3ee9d7e-6920-4dd5-9321-d4b2b7f0a638')
def test_create_tenant_request_without_token(self):
"""Test creating tenant without a token via v2 API is not allowed"""
tenant_name = data_utils.rand_name(
name='tenant', prefix=CONF.resource_name_prefix)
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
self.tenants_client.create_tenant,
name=tenant_name)
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('5a2e4ca9-b0c0-486c-9c48-64a94fba2395')
def test_create_tenant_with_empty_name(self):
"""Test tenant name should not be empty via v2 API"""
self.assertRaises(lib_exc.BadRequest,
self.tenants_client.create_tenant,
name='')
@decorators.attr(type=['negative'])
@decorators.idempotent_id('2ff18d1e-dfe3-4359-9dc3-abf582c196b9')
def test_create_tenants_name_length_over_64(self):
"""Test tenant name length should not exceed 64 via v2 API"""
tenant_name = 'a' * 65
self.assertRaises(lib_exc.BadRequest,
self.tenants_client.create_tenant,
name=tenant_name)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('bd20dc2a-9557-4db7-b755-f48d952ad706')
def test_update_non_existent_tenant(self):
"""Test updating a non existent tenant via v2 API should fail"""
self.assertRaises(lib_exc.NotFound, self.tenants_client.update_tenant,
data_utils.rand_uuid_hex())
@decorators.attr(type=['negative'])
@decorators.idempotent_id('41704dc5-c5f7-4f79-abfa-76e6fedc570b')
def test_tenant_update_by_unauthorized_user(self):
"""Test non-admin user updating a tenant via v2 API
Non-admin user should not be able to update a tenant via v2 API
"""
tenant = self.setup_test_tenant()
self.assertRaises(lib_exc.Forbidden,
self.non_admin_tenants_client.update_tenant,
tenant['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('7a421573-72c7-4c22-a98e-ce539219c657')
def test_tenant_update_request_without_token(self):
"""Test updating a tenant without a valid token via v2 API
Updating a tenant without a valid token via v2 API should fail
"""
tenant = self.setup_test_tenant()
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
self.tenants_client.update_tenant,
tenant['id'])
self.client.auth_provider.clear_auth()

@ -1,157 +0,0 @@
# Copyright 2012 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
CONF = config.CONF
class TenantsTestJSON(base.BaseIdentityV2AdminTest):
"""Test identity tenants via v2 API"""
@decorators.idempotent_id('16c6e05c-6112-4b0e-b83f-5e43f221b6b0')
def test_tenant_list_delete(self):
"""Test listing and deleting tenants via v2 API
Create several tenants and delete them
"""
tenants = []
for _ in range(3):
tenant = self.setup_test_tenant()
tenants.append(tenant)
tenant_ids = [tn['id'] for tn in tenants]
body = self.tenants_client.list_tenants()['tenants']
found = [t for t in body if t['id'] in tenant_ids]
self.assertEqual(len(found), len(tenants), 'Tenants not created')
for tenant in tenants:
self.tenants_client.delete_tenant(tenant['id'])
body = self.tenants_client.list_tenants()['tenants']
found = [tenant for tenant in body if tenant['id'] in tenant_ids]
self.assertEmpty(found, 'Tenants failed to delete')
@decorators.idempotent_id('d25e9f24-1310-4d29-b61b-d91299c21d6d')
def test_tenant_create_with_description(self):
"""Test creating tenant with a description via v2 API"""
tenant_desc = data_utils.rand_name(
name='desc', prefix=CONF.resource_name_prefix)
tenant = self.setup_test_tenant(description=tenant_desc)
tenant_id = tenant['id']
desc1 = tenant['description']
self.assertEqual(desc1, tenant_desc, 'Description should have '
'been sent in response for create')
body = self.tenants_client.show_tenant(tenant_id)['tenant']
desc2 = body['description']
self.assertEqual(desc2, tenant_desc, 'Description does not appear '
'to be set')
self.tenants_client.delete_tenant(tenant_id)
@decorators.idempotent_id('670bdddc-1cd7-41c7-b8e2-751cfb67df50')
def test_tenant_create_enabled(self):
"""Test creating a tenant that is enabled via v2 API"""
tenant = self.setup_test_tenant(enabled=True)
tenant_id = tenant['id']
self.assertTrue(tenant['enabled'], 'Enable should be True in response')
body = self.tenants_client.show_tenant(tenant_id)['tenant']
self.assertTrue(body['enabled'], 'Enable should be True in lookup')
self.tenants_client.delete_tenant(tenant_id)
@decorators.idempotent_id('3be22093-b30f-499d-b772-38340e5e16fb')
def test_tenant_create_not_enabled(self):
"""Test creating a tenant that is not enabled via v2 API"""
tenant = self.setup_test_tenant(enabled=False)
tenant_id = tenant['id']
self.assertFalse(tenant['enabled'],
'Enable should be False in response')
body = self.tenants_client.show_tenant(tenant_id)['tenant']
self.assertFalse(body['enabled'],
'Enable should be False in lookup')
self.tenants_client.delete_tenant(tenant_id)
@decorators.idempotent_id('781f2266-d128-47f3-8bdb-f70970add238')
def test_tenant_update_name(self):
"""Test updating name attribute of a tenant via v2 API"""
t_name1 = data_utils.rand_name(
name='tenant', prefix=CONF.resource_name_prefix)
tenant = self.setup_test_tenant(name=t_name1)
t_id = tenant['id']
resp1_name = tenant['name']
t_name2 = data_utils.rand_name(
name='tenant2', prefix=CONF.resource_name_prefix)
body = self.tenants_client.update_tenant(t_id, name=t_name2)['tenant']
resp2_name = body['name']
self.assertNotEqual(resp1_name, resp2_name)
body = self.tenants_client.show_tenant(t_id)['tenant']
resp3_name = body['name']
self.assertNotEqual(resp1_name, resp3_name)
self.assertEqual(t_name1, resp1_name)
self.assertEqual(resp2_name, resp3_name)
self.tenants_client.delete_tenant(t_id)
@decorators.idempotent_id('859fcfe1-3a03-41ef-86f9-b19a47d1cd87')
def test_tenant_update_desc(self):
"""Test updating description attribute of a tenant via v2 API"""
t_desc = data_utils.rand_name(
name='desc', prefix=CONF.resource_name_prefix)
tenant = self.setup_test_tenant(description=t_desc)
t_id = tenant['id']
resp1_desc = tenant['description']
t_desc2 = data_utils.rand_name(
name='desc2', prefix=CONF.resource_name_prefix)
body = self.tenants_client.update_tenant(t_id, description=t_desc2)
updated_tenant = body['tenant']
resp2_desc = updated_tenant['description']
self.assertNotEqual(resp1_desc, resp2_desc)
body = self.tenants_client.show_tenant(t_id)['tenant']
resp3_desc = body['description']
self.assertNotEqual(resp1_desc, resp3_desc)
self.assertEqual(t_desc, resp1_desc)
self.assertEqual(resp2_desc, resp3_desc)
self.tenants_client.delete_tenant(t_id)
@decorators.idempotent_id('8fc8981f-f12d-4c66-9972-2bdcf2bc2e1a')
def test_tenant_update_enable(self):
"""Test updating the enabled attribute of a tenant via v2 API"""
t_en = False
tenant = self.setup_test_tenant(enabled=t_en)
t_id = tenant['id']
resp1_en = tenant['enabled']
t_en2 = True
body = self.tenants_client.update_tenant(t_id, enabled=t_en2)
updated_tenant = body['tenant']
resp2_en = updated_tenant['enabled']
self.assertNotEqual(resp1_en, resp2_en)
body = self.tenants_client.show_tenant(t_id)['tenant']
resp3_en = body['enabled']
self.assertNotEqual(resp1_en, resp3_en)
self.assertFalse(tenant['enabled'])
self.assertEqual(resp2_en, resp3_en)
self.tenants_client.delete_tenant(t_id)

@ -1,143 +0,0 @@
# Copyright 2013 Huawei Technologies Co.,LTD.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
CONF = config.CONF
class TokensTestJSON(base.BaseIdentityV2AdminTest):
"""Test keystone tokens via v2 API"""
@decorators.idempotent_id('453ad4d5-e486-4b2f-be72-cffc8149e586')
def test_create_check_get_delete_token(self):
"""Test getting create/check/get/delete token for user via v2 API"""
# get a token by username and password
user_name = data_utils.rand_name(
name='user', prefix=CONF.resource_name_prefix)
user_password = data_utils.rand_password()
# first:create a tenant
tenant = self.setup_test_tenant()
# second:create a user
user = self.create_test_user(name=user_name,
password=user_password,
tenantId=tenant['id'],
email='')
# then get a token for the user
body = self.token_client.auth(user_name,
user_password,
tenant['name'])
self.assertEqual(body['token']['tenant']['name'],
tenant['name'])
# Perform GET Token
token_id = body['token']['id']
self.client.check_token_existence(token_id)
token_details = self.client.show_token(token_id)['access']
self.assertEqual(token_id, token_details['token']['id'])
self.assertEqual(user['id'], token_details['user']['id'])
self.assertEqual(user_name, token_details['user']['name'])
self.assertEqual(tenant['name'],
token_details['token']['tenant']['name'])
# then delete the token
self.client.delete_token(token_id)
self.assertRaises(lib_exc.NotFound,
self.client.check_token_existence,
token_id)
@decorators.idempotent_id('25ba82ee-8a32-4ceb-8f50-8b8c71e8765e')
def test_rescope_token(self):
"""Test an unscoped token can be requested via v2 API
That token can be used to request a scoped token.
"""
# Create a user.
user_name = data_utils.rand_name(
name='user', prefix=CONF.resource_name_prefix)
user_password = data_utils.rand_password()
tenant_id = None # No default tenant so will get unscoped token.
user = self.create_test_user(name=user_name,
password=user_password,
tenantId=tenant_id,
email='')
# Create a couple tenants.
tenant1_name = data_utils.rand_name(
name='tenant', prefix=CONF.resource_name_prefix)
tenant1 = self.setup_test_tenant(name=tenant1_name)
tenant2_name = data_utils.rand_name(
name='tenant', prefix=CONF.resource_name_prefix)
tenant2 = self.setup_test_tenant(name=tenant2_name)
# Create a role
role = self.setup_test_role()
# Grant the user the role on the tenants.
self.roles_client.create_user_role_on_project(tenant1['id'],
user['id'],
role['id'])
self.roles_client.create_user_role_on_project(tenant2['id'],
user['id'],
role['id'])
# Get an unscoped token.
body = self.token_client.auth(user_name, user_password)
token_id = body['token']['id']
# Use the unscoped token to get a token scoped to tenant1
body = self.token_client.auth_token(token_id,
tenant=tenant1_name)
scoped_token_id = body['token']['id']
# Revoke the scoped token
self.client.delete_token(scoped_token_id)
# Use the unscoped token to get a token scoped to tenant2
body = self.token_client.auth_token(token_id,
tenant=tenant2_name)
@decorators.idempotent_id('ca3ea6f7-ed08-4a61-adbd-96906456ad31')
def test_list_endpoints_for_token(self):
"""Test listing endpoints for token via v2 API"""
tempest_services = ['keystone', 'nova', 'neutron', 'swift', 'cinder',
'neutron']
# get a token for the user
creds = self.os_primary.credentials
username = creds.username
password = creds.password
tenant_name = creds.tenant_name
token = self.token_client.auth(username,
password,
tenant_name)['token']
endpoints = self.client.list_endpoints_for_token(
token['id'])['endpoints']
self.assertIsInstance(endpoints, list)
# Store list of service names
service_names = [e['name'] for e in endpoints]
# Get the list of available services. Keystone is always available.
available_services = [s[0] for s in list(
CONF.service_available.items()) if s[1] is True] + ['keystone']
# Verify that all available services are present.
for service in tempest_services:
if service in available_services:
self.assertIn(service, service_names)

@ -1,43 +0,0 @@
# Copyright 2017 AT&T Corporation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
class TokensAdminTestNegative(base.BaseIdentityV2AdminTest):
"""Negative tests of keystone tokens via v2 API"""
credentials = ['primary', 'admin', 'alt']
@decorators.attr(type=['negative'])
@decorators.idempotent_id('a0a0a600-4292-4364-99c5-922c834fdf05')
def test_check_token_existence_negative(self):
"""Test checking other tenant's token existence via v2 API
Checking other tenant's token existence via v2 API should fail.
"""
creds = self.os_primary.credentials
creds_alt = self.os_alt.credentials
username = creds.username
password = creds.password
tenant_name = creds.tenant_name
alt_tenant_name = creds_alt.tenant_name
body = self.token_client.auth(username, password, tenant_name)
self.assertRaises(lib_exc.Unauthorized,
self.client.check_token_existence,
body['token']['id'],
belongsTo=alt_tenant_name)

@ -1,204 +0,0 @@
# Copyright 2012 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import time
from testtools import matchers
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
CONF = config.CONF
class UsersTestJSON(base.BaseIdentityV2AdminTest):
"""Test keystone users via v2 API"""
@classmethod
def resource_setup(cls):
super(UsersTestJSON, cls).resource_setup()
cls.alt_user = data_utils.rand_name(
name='test_user', prefix=CONF.resource_name_prefix)
cls.alt_email = cls.alt_user + '@testmail.tm'
@decorators.attr(type='smoke')
@decorators.idempotent_id('2d55a71e-da1d-4b43-9c03-d269fd93d905')
def test_create_user(self):
"""Test creating a user via v2 API"""
tenant = self.setup_test_tenant()
user = self.create_test_user(name=self.alt_user, tenantId=tenant['id'])
self.assertEqual(self.alt_user, user['name'])
@decorators.idempotent_id('89d9fdb8-15c2-4304-a429-48715d0af33d')
def test_create_user_with_enabled(self):
"""Test creating a user with enabled : False via v2 API"""
tenant = self.setup_test_tenant()
name = data_utils.rand_name(
name='test_user', prefix=CONF.resource_name_prefix)
user = self.create_test_user(name=name,
tenantId=tenant['id'],
email=self.alt_email,
enabled=False)
self.assertEqual(name, user['name'])
self.assertEqual(False, user['enabled'])
self.assertEqual(self.alt_email, user['email'])
@decorators.idempotent_id('39d05857-e8a5-4ed4-ba83-0b52d3ab97ee')
def test_update_user(self):
"""Test updating user attributes via v2 API"""
tenant = self.setup_test_tenant()
user = self.create_test_user(tenantId=tenant['id'])
# Updating user details with new values
u_name2 = data_utils.rand_name(
name='user2', prefix=CONF.resource_name_prefix)
u_email2 = u_name2 + '@testmail.tm'
update_user = self.users_client.update_user(user['id'], name=u_name2,
email=u_email2,
enabled=False)['user']
self.assertEqual(u_name2, update_user['name'])
self.assertEqual(u_email2, update_user['email'])
self.assertEqual(False, update_user['enabled'])
# GET by id after updating
updated_user = self.users_client.show_user(user['id'])['user']
# Assert response body of GET after updating
self.assertEqual(u_name2, updated_user['name'])
self.assertEqual(u_email2, updated_user['email'])
self.assertEqual(False, update_user['enabled'])
@decorators.idempotent_id('29ed26f4-a74e-4425-9a85-fdb49fa269d2')
def test_delete_user(self):
"""Test deleting a user via v2 API"""
tenant = self.setup_test_tenant()
user = self.create_test_user(tenantId=tenant['id'])
self.users_client.delete_user(user['id'])
@decorators.idempotent_id('aca696c3-d645-4f45-b728-63646045beb1')
def test_user_authentication(self):
"""Test that valid user's token is authenticated via v2 API"""
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
# Get a token
self.token_client.auth(user['name'],
password,
tenant['name'])
# Re-auth
self.token_client.auth(user['name'],
password,
tenant['name'])
@decorators.idempotent_id('5d1fa498-4c2d-4732-a8fe-2b054598cfdd')
def test_authentication_request_without_token(self):
"""Test authentication request without token via v2 API"""
# Request for token authentication with a valid token in header
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.token_client.auth(user['name'],
password,
tenant['name'])
# Get the token of the current client
token = self.client.auth_provider.get_token()
# Delete the token from database
self.client.delete_token(token)
# Re-auth
self.token_client.auth(user['name'],
password,
tenant['name'])
self.client.auth_provider.clear_auth()
@decorators.idempotent_id('a149c02e-e5e0-4b89-809e-7e8faf33ccda')
def test_get_users(self):
"""Test getting users via v2 API
Get a list of users and find the test user
"""
user = self.setup_test_user()
users = self.users_client.list_users()['users']
self.assertThat([u['name'] for u in users],
matchers.Contains(user['name']),
"Could not find %s" % user['name'])
@decorators.idempotent_id('6e317209-383a-4bed-9f10-075b7c82c79a')
def test_list_users_for_tenant(self):
"""Test returning a list of all users for a tenant via v2 API"""
tenant = self.setup_test_tenant()
user_ids = list()
fetched_user_ids = list()
user1 = self.create_test_user(tenantId=tenant['id'])
user_ids.append(user1['id'])
user2 = self.create_test_user(tenantId=tenant['id'])
user_ids.append(user2['id'])
# List of users for the respective tenant ID
body = (self.tenants_client.list_tenant_users(tenant['id'])
['users'])
for i in body:
fetched_user_ids.append(i['id'])
# verifying the user Id in the list
missing_users =\
[user for user in user_ids if user not in fetched_user_ids]
self.assertEmpty(missing_users,
"Failed to find user %s in fetched list" %
', '.join(m_user for m_user in missing_users))
@decorators.idempotent_id('a8b54974-40e1-41c0-b812-50fc90827971')
def test_list_users_with_roles_for_tenant(self):
"""Test listing users on tenant with roles assigned via v2 API"""
user = self.setup_test_user()
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
role = self.setup_test_role()
# Assigning roles to two users
user_ids = list()
fetched_user_ids = list()
user_ids.append(user['id'])
role = self.roles_client.create_user_role_on_project(
tenant['id'], user['id'], role['id'])['role']
second_user = self.create_test_user(tenantId=tenant['id'])
user_ids.append(second_user['id'])
role = self.roles_client.create_user_role_on_project(
tenant['id'], second_user['id'], role['id'])['role']
# List of users with roles for the respective tenant ID
body = (self.tenants_client.list_tenant_users(tenant['id'])['users'])
for i in body:
fetched_user_ids.append(i['id'])
# verifying the user Id in the list
missing_users = [missing_user for missing_user in user_ids
if missing_user not in fetched_user_ids]
self.assertEmpty(missing_users,
"Failed to find user %s in fetched list" %
', '.join(m_user for m_user in missing_users))
@decorators.idempotent_id('1aeb25ac-6ec5-4d8b-97cb-7ac3567a989f')
def test_update_user_password(self):
"""Test updating of user password via v2 API"""
user = self.setup_test_user()
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
# Updating the user with new password
new_pass = data_utils.rand_password()
update_user = self.users_client.update_user_password(
user['id'], password=new_pass)['user']
self.assertEqual(update_user['id'], user['id'])
# NOTE(morganfainberg): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure
# we are passing the second boundary.
time.sleep(1)
# Validate the updated password through getting a token.
body = self.token_client.auth(user['name'], new_pass,
tenant['name'])
self.assertIn('id', body['token'])

@ -1,286 +0,0 @@
# Copyright 2012 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
CONF = config.CONF
class UsersNegativeTestJSON(base.BaseIdentityV2AdminTest):
"""Negative tests of identity users via v2 API"""
@classmethod
def resource_setup(cls):
super(UsersNegativeTestJSON, cls).resource_setup()
cls.alt_user = data_utils.rand_name(
'test_user', prefix=CONF.resource_name_prefix)
cls.alt_password = data_utils.rand_password()
cls.alt_email = cls.alt_user + '@testmail.tm'
@decorators.attr(type=['negative'])
@decorators.idempotent_id('60a1f5fa-5744-4cdf-82bf-60b7de2d29a4')
def test_create_user_by_unauthorized_user(self):
"""Non-admin should not be authorized to create a user via v2 API"""
tenant = self.setup_test_tenant()
self.assertRaises(lib_exc.Forbidden,
self.non_admin_users_client.create_user,
name=self.alt_user, password=self.alt_password,
tenantId=tenant['id'],
email=self.alt_email)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('d80d0c2f-4514-4d1e-806d-0930dfc5a187')
def test_create_user_with_empty_name(self):
"""User with an empty name should not be created via v2 API"""
tenant = self.setup_test_tenant()
self.assertRaises(lib_exc.BadRequest, self.users_client.create_user,
name='', password=self.alt_password,
tenantId=tenant['id'],
email=self.alt_email)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('7704b4f3-3b75-4b82-87cc-931d41c8f780')
def test_create_user_with_name_length_over_255(self):
"""Length of user name should not exceed 255 via v2 API"""
tenant = self.setup_test_tenant()
self.assertRaises(lib_exc.BadRequest, self.users_client.create_user,
name='a' * 256, password=self.alt_password,
tenantId=tenant['id'],
email=self.alt_email)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('57ae8558-120c-4723-9308-3751474e7ecf')
def test_create_user_with_duplicate_name(self):
"""Duplicate user should not be created via v2 API"""
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.assertRaises(lib_exc.Conflict, self.users_client.create_user,
name=user['name'],
password=password,
tenantId=tenant['id'],
email=user['email'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('0132cc22-7c4f-42e1-9e50-ac6aad31d59a')
def test_create_user_for_non_existent_tenant(self):
"""Creating a user in a non-existent tenant via v2 API should fail"""
self.assertRaises(lib_exc.NotFound, self.users_client.create_user,
name=self.alt_user,
password=self.alt_password,
tenantId='49ffgg99999',
email=self.alt_email)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('55bbb103-d1ae-437b-989b-bcdf8175c1f4')
def test_create_user_request_without_a_token(self):
"""Creating a user without a valid token via v2 API should fail"""
tenant = self.setup_test_tenant()
# Get the token of the current client
token = self.client.auth_provider.get_token()
# Delete the token from database
self.client.delete_token(token)
# Unset the token to allow further tests to generate a new token
self.addCleanup(self.client.auth_provider.clear_auth)
self.assertRaises(lib_exc.Unauthorized, self.users_client.create_user,
name=self.alt_user, password=self.alt_password,
tenantId=tenant['id'],
email=self.alt_email)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('23a2f3da-4a1a-41da-abdd-632328a861ad')
def test_create_user_with_enabled_non_bool(self):
"""Creating a user with invalid enabled para via v2 API should fail"""
tenant = self.setup_test_tenant()
name = data_utils.rand_name(
'test_user', prefix=CONF.resource_name_prefix)
self.assertRaises(lib_exc.BadRequest, self.users_client.create_user,
name=name, password=self.alt_password,
tenantId=tenant['id'],
email=self.alt_email, enabled=3)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('3d07e294-27a0-4144-b780-a2a1bf6fee19')
def test_update_user_for_non_existent_user(self):
"""Updating a non-existent user via v2 API should fail"""
user_name = data_utils.rand_name(
'user', prefix=CONF.resource_name_prefix)
non_existent_id = data_utils.rand_uuid()
self.assertRaises(lib_exc.NotFound, self.users_client.update_user,
non_existent_id, name=user_name)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('3cc2a64b-83aa-4b02-88f0-d6ab737c4466')
def test_update_user_request_without_a_token(self):
"""Updating a user without a valid token via v2 API should fail"""
# Get the token of the current client
token = self.client.auth_provider.get_token()
# Delete the token from database
self.client.delete_token(token)
# Unset the token to allow further tests to generate a new token
self.addCleanup(self.client.auth_provider.clear_auth)
self.assertRaises(lib_exc.Unauthorized, self.users_client.update_user,
self.alt_user)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('424868d5-18a7-43e1-8903-a64f95ee3aac')
def test_update_user_by_unauthorized_user(self):
"""Non-admin should not be authorized to update user via v2 API"""
self.assertRaises(lib_exc.Forbidden,
self.non_admin_users_client.update_user,
self.alt_user)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('d45195d5-33ed-41b9-a452-7d0d6a00f6e9')
def test_delete_users_by_unauthorized_user(self):
"""Non-admin should not be authorized to delete a user via v2 API"""
user = self.setup_test_user()
self.assertRaises(lib_exc.Forbidden,
self.non_admin_users_client.delete_user,
user['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('7cc82f7e-9998-4f89-abae-23df36495867')
def test_delete_non_existent_user(self):
"""Attempt to delete a non-existent user via v2 API should fail"""
self.assertRaises(lib_exc.NotFound, self.users_client.delete_user,
'junk12345123')
@decorators.attr(type=['negative'])
@decorators.idempotent_id('57fe1df8-0aa7-46c0-ae9f-c2e785c7504a')
def test_delete_user_request_without_a_token(self):
"""Deleting a user without a valid token via v2 API should fail"""
# Get the token of the current client
token = self.client.auth_provider.get_token()
# Delete the token from database
self.client.delete_token(token)
# Unset the token to allow further tests to generate a new token
self.addCleanup(self.client.auth_provider.clear_auth)
self.assertRaises(lib_exc.Unauthorized, self.users_client.delete_user,
self.alt_user)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('593a4981-f6d4-460a-99a1-57a78bf20829')
def test_authentication_for_disabled_user(self):
"""Disabled user's token should not get authenticated via v2 API"""
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.disable_user(user['name'])
self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
user['name'],
password,
tenant['name'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('440a7a8d-9328-4b7b-83e0-d717010495e4')
def test_authentication_when_tenant_is_disabled(self):
"""Test User's token for a disabled tenant via v2 API
User's token for a disabled tenant should not be authenticated via
v2 API.
"""
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.disable_tenant(tenant['name'])
self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
user['name'],
password,
tenant['name'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('921f1ad6-7907-40b8-853f-637e7ee52178')
def test_authentication_with_invalid_tenant(self):
"""Test User's token for an invalid tenant via v2 API
User's token for an invalid tenant should not be authenticated via V2
API.
"""
password = data_utils.rand_password()
user = self.setup_test_user(password)
self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
user['name'],
password,
'junktenant1234')
@decorators.attr(type=['negative'])
@decorators.idempotent_id('bde9aecd-3b1c-4079-858f-beb5deaa5b5e')
def test_authentication_with_invalid_username(self):
"""Non-existent user's token should not get authorized via v2 API"""
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
'junkuser123', password, tenant['name'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('d5308b33-3574-43c3-8d87-1c090c5e1eca')
def test_authentication_with_invalid_password(self):
"""Test User's token with invalid password via v2 API
User's token with invalid password should not be authenticated via V2
API.
"""
user = self.setup_test_user()
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
user['name'], 'junkpass1234', tenant['name'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('284192ce-fb7c-4909-a63b-9a502e0ddd11')
def test_get_users_by_unauthorized_user(self):
"""Non-admin should not be authorized to get user list via v2 API"""
self.assertRaises(lib_exc.Forbidden,
self.non_admin_users_client.list_users)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('a73591ec-1903-4ffe-be42-282b39fefc9d')
def test_get_users_request_without_token(self):
"""Listing users without a valid token via v2 API should fail"""
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
# Unset the token to allow further tests to generate a new token
self.addCleanup(self.client.auth_provider.clear_auth)
self.assertRaises(lib_exc.Unauthorized, self.users_client.list_users)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('f5d39046-fc5f-425c-b29e-bac2632da28e')
def test_list_users_with_invalid_tenant(self):
"""Listing users for a non-existent tenant via v2 API should fail"""
# Assign invalid tenant ids
invalid_id = list()
invalid_id.append(data_utils.rand_name('999'))
invalid_id.append('alpha')
invalid_id.append(data_utils.rand_name("dddd@#%%^$"))
invalid_id.append('!@#()$%^&*?<>{}[]')
# List the users with invalid tenant id
for invalid in invalid_id:
self.assertRaises(lib_exc.NotFound,
self.tenants_client.list_tenant_users, invalid)

@ -98,85 +98,6 @@ class BaseIdentityTest(tempest.test.BaseTestCase):
return role
class BaseIdentityV2Test(BaseIdentityTest):
credentials = ['primary']
# identity v2 tests should obtain tokens and create accounts via v2
# regardless of the configured CONF.identity.auth_version
identity_version = 'v2'
@classmethod
def setup_clients(cls):
super(BaseIdentityV2Test, cls).setup_clients()
cls.non_admin_client = cls.os_primary.identity_public_client
cls.non_admin_token_client = cls.os_primary.token_client
cls.non_admin_tenants_client = cls.os_primary.tenants_public_client
cls.non_admin_users_client = cls.os_primary.users_public_client
class BaseIdentityV2AdminTest(BaseIdentityV2Test):
credentials = ['primary', 'admin']
# NOTE(andreaf) Identity tests work with credentials, so it is safer
# for them to always use disposable credentials. Forcing dynamic creds
# on regular identity tests would be however to restrictive, since it
# would prevent any identity test from being executed against clouds where
# admin credentials are not available.
# Since All admin tests require admin credentials to be
# executed, so this will not impact the ability to execute tests.
force_tenant_isolation = True
@classmethod
def skip_checks(cls):
super(BaseIdentityV2AdminTest, cls).skip_checks()
if not CONF.identity_feature_enabled.api_v2_admin:
raise cls.skipException('Identity v2 admin not available')
@classmethod
def setup_clients(cls):
super(BaseIdentityV2AdminTest, cls).setup_clients()
cls.client = cls.os_admin.identity_client
cls.non_admin_client = cls.os_primary.identity_client
cls.token_client = cls.os_admin.token_client
cls.tenants_client = cls.os_admin.tenants_client
cls.non_admin_tenants_client = cls.os_primary.tenants_client
cls.roles_client = cls.os_admin.roles_client
cls.non_admin_roles_client = cls.os_primary.roles_client
cls.users_client = cls.os_admin.users_client
cls.non_admin_users_client = cls.os_primary.users_client
cls.services_client = cls.os_admin.identity_services_client
cls.endpoints_client = cls.os_admin.endpoints_client
@classmethod
def resource_setup(cls):
super(BaseIdentityV2AdminTest, cls).resource_setup()
cls.projects_client = cls.tenants_client
def setup_test_user(self, password=None):
"""Set up a test user."""
tenant = self.setup_test_tenant()
user = self.create_test_user(tenantId=tenant['id'], password=password)
return user
def setup_test_tenant(self, **kwargs):
"""Set up a test tenant."""
if 'name' not in kwargs:
kwargs['name'] = data_utils.rand_name(
name='test_tenant',
prefix=CONF.resource_name_prefix)
if 'description' not in kwargs:
kwargs['description'] = data_utils.rand_name(
name='desc', prefix=CONF.resource_name_prefix)
tenant = self.projects_client.create_tenant(**kwargs)['tenant']
# Delete the tenant at the end of the test
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.tenants_client.delete_tenant, tenant['id'])
return tenant
class BaseIdentityV3Test(BaseIdentityTest):
credentials = ['primary']

@ -1,60 +0,0 @@
# Copyright 2015 OpenStack Foundation.
# Copyright 2015, Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest.lib import decorators
class TestApiDiscovery(base.BaseIdentityV2Test):
"""Tests for identity v2 API discovery features."""
@decorators.attr(type='smoke')
@decorators.idempotent_id('ea889a68-a15f-4166-bfb1-c12456eae853')
def test_api_version_resources(self):
"""Test showing identity v2 api version resources"""
descr = self.non_admin_client.show_api_description()['version']
expected_resources = ('id', 'links', 'media-types', 'status',
'updated')
keys = descr.keys()
for res in expected_resources:
self.assertIn(res, keys)
@decorators.attr(type='smoke')
@decorators.idempotent_id('007a0be0-78fe-4fdb-bbee-e9216cc17bb2')
def test_api_media_types(self):
"""Test showing identity v2 api version media type"""
descr = self.non_admin_client.show_api_description()['version']
# Get MIME type bases and descriptions
media_types = [(media_type['base'], media_type['type']) for
media_type in descr['media-types']]
# These are supported for API version 2
supported_types = [('application/json',
'application/vnd.openstack.identity-v2.0+json')]
# Check if supported types exist in response body
for s_type in supported_types:
self.assertIn(s_type, media_types)
@decorators.attr(type='smoke')
@decorators.idempotent_id('77fd6be0-8801-48e6-b9bf-38cdd2f253ec')
def test_api_version_statuses(self):
"""Test showing identity v2 api version status"""
descr = self.non_admin_client.show_api_description()['version']
status = descr['status'].lower()
supported_statuses = ['current', 'stable', 'experimental',
'supported', 'deprecated']
self.assertIn(status, supported_statuses)

@ -1,113 +0,0 @@
# Copyright 2015 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest.common import utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
class EC2CredentialsTest(base.BaseIdentityV2Test):
@classmethod
def skip_checks(cls):
super(EC2CredentialsTest, cls).skip_checks()
if not utils.is_extension_enabled('OS-EC2', 'identity'):
msg = "OS-EC2 identity extension not enabled."
raise cls.skipException(msg)
@classmethod
def resource_setup(cls):
super(EC2CredentialsTest, cls).resource_setup()
cls.creds = cls.os_primary.credentials
@decorators.idempotent_id('b580fab9-7ae9-46e8-8138-417260cb6f9f')
def test_create_ec2_credential(self):
"""Create user ec2 credential."""
resp = self.non_admin_users_client.create_user_ec2_credential(
self.creds.user_id,
tenant_id=self.creds.tenant_id)["credential"]
access = resp['access']
self.addCleanup(
self.non_admin_users_client.delete_user_ec2_credential,
self.creds.user_id, access)
self.assertNotEmpty(resp['access'])
self.assertNotEmpty(resp['secret'])
self.assertEqual(self.creds.user_id, resp['user_id'])
self.assertEqual(self.creds.tenant_id, resp['tenant_id'])
@decorators.idempotent_id('9e2ea42f-0a4f-468c-a768-51859ce492e0')
def test_list_ec2_credentials(self):
"""Get the list of user ec2 credentials."""
created_creds = []
# create first ec2 credentials
creds1 = self.non_admin_users_client.create_user_ec2_credential(
self.creds.user_id,
tenant_id=self.creds.tenant_id)["credential"]
created_creds.append(creds1['access'])
self.addCleanup(
self.non_admin_users_client.delete_user_ec2_credential,
self.creds.user_id, creds1['access'])
# create second ec2 credentials
creds2 = self.non_admin_users_client.create_user_ec2_credential(
self.creds.user_id,
tenant_id=self.creds.tenant_id)["credential"]
created_creds.append(creds2['access'])
self.addCleanup(
self.non_admin_users_client.delete_user_ec2_credential,
self.creds.user_id, creds2['access'])
# get the list of user ec2 credentials
resp = self.non_admin_users_client.list_user_ec2_credentials(
self.creds.user_id)["credentials"]
fetched_creds = [cred['access'] for cred in resp]
# created credentials should be in a fetched list
missing = [cred for cred in created_creds
if cred not in fetched_creds]
self.assertEmpty(missing,
"Failed to find ec2_credentials %s in fetched list" %
', '.join(cred for cred in missing))
@decorators.idempotent_id('cb284075-b613-440d-83ca-fe0b33b3c2b8')
def test_show_ec2_credential(self):
"""Get the definite user ec2 credential."""
resp = self.non_admin_users_client.create_user_ec2_credential(
self.creds.user_id,
tenant_id=self.creds.tenant_id)["credential"]
self.addCleanup(
self.non_admin_users_client.delete_user_ec2_credential,
self.creds.user_id, resp['access'])
ec2_creds = self.non_admin_users_client.show_user_ec2_credential(
self.creds.user_id, resp['access']
)["credential"]
for key in ['access', 'secret', 'user_id', 'tenant_id']:
self.assertEqual(ec2_creds[key], resp[key])
@decorators.idempotent_id('6aba0d4c-b76b-4e46-aa42-add79bc1551d')
def test_delete_ec2_credential(self):
"""Delete user ec2 credential."""
resp = self.non_admin_users_client.create_user_ec2_credential(
self.creds.user_id,
tenant_id=self.creds.tenant_id)["credential"]
access = resp['access']
self.non_admin_users_client.delete_user_ec2_credential(
self.creds.user_id, access)
self.assertRaises(
lib_exc.NotFound,
self.non_admin_users_client.show_user_ec2_credential,
self.creds.user_id,
access)

@ -1,32 +0,0 @@
# Copyright 2014 NEC Corporation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest.lib import decorators
class ExtensionTestJSON(base.BaseIdentityV2Test):
"""Test extensions in identity v2 API"""
@decorators.idempotent_id('85f3f661-f54c-4d48-b563-72ae952b9383')
def test_list_extensions(self):
"""List all the identity extensions via v2 API"""
body = self.non_admin_client.list_extensions()['extensions']['values']
self.assertNotEmpty(body)
keys = ['name', 'updated', 'alias', 'links',
'namespace', 'description']
for value in body:
for key in keys:
self.assertIn(key, value)

@ -1,52 +0,0 @@
# Copyright 2015 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
class IdentityTenantsTest(base.BaseIdentityV2Test):
"""Test listing tenants in identity v2 API"""
credentials = ['primary', 'alt']
@decorators.idempotent_id('ecae2459-243d-4ba1-ad02-65f15dc82b78')
def test_list_tenants_returns_only_authorized_tenants(self):
"""Test listing tenants only returns authorized tenants via v2 API"""
alt_tenant_name = self.os_alt.credentials.tenant_name
resp = self.non_admin_tenants_client.list_tenants()
# check that user can see only that tenants that he presents in so user
# can successfully authenticate using his credentials and tenant name
# from received tenants list
for tenant in resp['tenants']:
body = self.non_admin_token_client.auth(
self.os_primary.credentials.username,
self.os_primary.credentials.password,
tenant['name'])
self.assertNotEmpty(body['token']['id'])
self.assertEqual(body['token']['tenant']['id'], tenant['id'])
self.assertEqual(body['token']['tenant']['name'], tenant['name'])
self.assertEqual(
body['user']['id'], self.os_primary.credentials.user_id)
# check that user cannot log in to alt user's tenant
self.assertRaises(
lib_exc.Unauthorized,
self.non_admin_token_client.auth,
self.os_primary.credentials.username,
self.os_primary.credentials.password,
alt_tenant_name)

@ -1,50 +0,0 @@
# Copyright 2015 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_utils import timeutils
from tempest.api.identity import base
from tempest.lib import decorators
class TokensTest(base.BaseIdentityV2Test):
"""Test tokens in identity v2 API"""
@decorators.idempotent_id('65ae3b78-91ff-467b-a705-f6678863b8ec')
def test_create_token(self):
"""Test creating token for user via v2 API"""
token_client = self.non_admin_token_client
# get a token for the user
creds = self.os_primary.credentials
username = creds.username
password = creds.password
tenant_name = creds.tenant_name
body = token_client.auth(username, password, tenant_name)
self.assertNotEmpty(body['token']['id'])
self.assertIsInstance(body['token']['id'], str)
now = timeutils.utcnow()
expires_at = timeutils.normalize_time(
timeutils.parse_isotime(body['token']['expires']))
self.assertGreater(expires_at, now)
self.assertEqual(body['token']['tenant']['id'],
creds.tenant_id)
self.assertEqual(body['token']['tenant']['name'],
tenant_name)
self.assertEqual(body['user']['id'], creds.user_id)

@ -1,112 +0,0 @@
# Copyright 2015 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import time
import testtools
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions
CONF = config.CONF
class IdentityUsersTest(base.BaseIdentityV2Test):
"""Test user password in identity v2 API"""
@classmethod
def resource_setup(cls):
super(IdentityUsersTest, cls).resource_setup()
cls.creds = cls.os_primary.credentials
cls.username = cls.creds.username
cls.password = cls.creds.password
cls.tenant_name = cls.creds.tenant_name
def _update_password(self, user_id, original_password, password):
self.non_admin_users_client.update_user_own_password(
user_id, password=password, original_password=original_password)
# NOTE(morganfainberg): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure
# we are passing the second boundary.
time.sleep(1)
# check authorization with new password
self.non_admin_token_client.auth(self.username,
password,
self.tenant_name)
# Reset auth to get a new token with the new password
self.non_admin_users_client.auth_provider.clear_auth()
self.non_admin_users_client.auth_provider.credentials.password = (
password)
def _restore_password(self, user_id, old_pass, new_pass):
if CONF.identity_feature_enabled.security_compliance:
# First we need to clear the password history
unique_count = CONF.identity.user_unique_last_password_count
for _ in range(unique_count):
random_pass = data_utils.rand_password()
self._update_password(
user_id, original_password=new_pass, password=random_pass)
new_pass = random_pass
self._update_password(
user_id, original_password=new_pass, password=old_pass)
# Reset auth again to verify the password restore does work.
# Clear auth restores the original credentials and deletes
# cached auth data
self.non_admin_users_client.auth_provider.clear_auth()
# NOTE(lbragstad): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure we
# are passing the second boundary before attempting to
# authenticate.
time.sleep(1)
self.non_admin_users_client.auth_provider.set_auth()
@decorators.idempotent_id('165859c9-277f-4124-9479-a7d1627b0ca7')
@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
'Skipped because environment has an '
'immutable user source and solely '
'provides read-only access to users.')
def test_user_update_own_password(self):
"""test updating user's own password via v2 API"""
old_pass = self.creds.password
old_token = self.non_admin_users_client.token
new_pass = data_utils.rand_password()
user_id = self.creds.user_id
# to change password back. important for use_dynamic_credentials=false
self.addCleanup(self._restore_password, user_id, old_pass, new_pass)
# user updates own password
self._update_password(
user_id, original_password=old_pass, password=new_pass)
# authorize with old token should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth_token,
old_token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth,
self.username,
old_pass,
self.tenant_name)

@ -173,30 +173,6 @@ class Manager(clients.ServiceClients):
self.placement.ResourceProvidersClient()
def _set_identity_clients(self):
# Clients below use the admin endpoint type of Keystone API v2
params_v2_admin = {
'endpoint_type': CONF.identity.v2_admin_endpoint_type}
self.endpoints_client = self.identity_v2.EndpointsClient(
**params_v2_admin)
self.identity_client = self.identity_v2.IdentityClient(
**params_v2_admin)
self.tenants_client = self.identity_v2.TenantsClient(
**params_v2_admin)
self.roles_client = self.identity_v2.RolesClient(**params_v2_admin)
self.users_client = self.identity_v2.UsersClient(**params_v2_admin)
self.identity_services_client = self.identity_v2.ServicesClient(
**params_v2_admin)
# Clients below use the public endpoint type of Keystone API v2
params_v2_public = {
'endpoint_type': CONF.identity.v2_public_endpoint_type}
self.identity_public_client = self.identity_v2.IdentityClient(
**params_v2_public)
self.tenants_public_client = self.identity_v2.TenantsClient(
**params_v2_public)
self.users_public_client = self.identity_v2.UsersClient(
**params_v2_public)
# Clients below use the endpoint type of Keystone API v3, which is set
# in endpoint_type
params_v3 = {'endpoint_type': CONF.identity.v3_endpoint_type}
@ -241,16 +217,6 @@ class Manager(clients.ServiceClients):
self.identity_limits_client = \
self.identity_v3.LimitsClient(**params_v3)
# Token clients do not use the catalog. They only need default_params.
# They read auth_url, so they should only be set if the corresponding
# API version is marked as enabled
if CONF.identity_feature_enabled.api_v2:
if CONF.identity.uri:
self.token_client = self.identity_v2.TokenClient(
auth_url=CONF.identity.uri)
else:
msg = 'Identity v2 API enabled, but no identity.uri set'
raise lib_exc.InvalidConfiguration(msg)
if CONF.identity_feature_enabled.api_v3:
if CONF.identity.uri_v3:
self.token_v3_client = self.identity_v3.V3TokenClient(

@ -128,12 +128,18 @@ IdentityGroup = [
'TLS (https) server certificate.'),
cfg.URIOpt('uri',
schemes=['http', 'https'],
deprecated_for_removal=True,
deprecated_reason='The identity v2 API tests were removed '
'and this option has no effect',
help="Full URI of the OpenStack Identity API (Keystone), v2"),
cfg.URIOpt('uri_v3',
schemes=['http', 'https'],
help='Full URI of the OpenStack Identity API (Keystone), v3'),
cfg.StrOpt('auth_version',
default='v3',
deprecated_for_removal=True,
deprecated_reason='Identity v2 API was removed and v3 is '
'the only available identity API version now',
help="Identity API version to be used for authentication "
"for API tests."),
cfg.StrOpt('region',
@ -146,12 +152,16 @@ IdentityGroup = [
default='adminURL',
choices=['public', 'admin', 'internal',
'publicURL', 'adminURL', 'internalURL'],
deprecated_for_removal=True,
deprecated_reason='This option has no effect',
help="The admin endpoint type to use for OpenStack Identity "
"(Keystone) API v2"),
cfg.StrOpt('v2_public_endpoint_type',
default='publicURL',
choices=['public', 'admin', 'internal',
'publicURL', 'adminURL', 'internalURL'],
deprecated_for_removal=True,
deprecated_reason='This option has no effect',
help="The public endpoint type to use for OpenStack Identity "
"(Keystone) API v2"),
cfg.StrOpt('v3_endpoint_type',
@ -234,19 +244,22 @@ IdentityFeatureGroup = [
'impersonation enabled'),
cfg.BoolOpt('api_v2',
default=False,
help='Is the v2 identity API enabled',
deprecated_for_removal=True,
deprecated_reason='The identity v2.0 API was removed in the '
'Queens release. Tests that exercise the '
'v2.0 API will be removed from tempest in '
'the v22.0.0 release. They are kept only to '
'test stable branches.'),
deprecated_reason='The identity v2 API tests were removed '
'and this option has no effect',
help='Is the v2 identity API enabled'),
cfg.BoolOpt('api_v2_admin',
default=True,
help="Is the v2 identity admin API available? This setting "
"only applies if api_v2 is set to True."),
deprecated_for_removal=True,
deprecated_reason='The identity v2 API tests were removed '
'and this option has no effect',
help="Is the v2 identity admin API available?"),
cfg.BoolOpt('api_v3',
default=True,
deprecated_for_removal=True,
deprecated_reason='Identity v2 API was removed and v3 is '
'the only available identity API version '
'now',
help='Is the v3 identity API enabled'),
cfg.ListOpt('api_extensions',
default=['all'],