author | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-07-05 06:04:25 +0100 |
---|---|---|
committer | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-07-10 05:23:00 +0100 |
commit | 661cef927e95cf87a96eea7f0f6d840f8bf4adcd (patch) | |
tree | 50762c60adead7c8c557696da8b70b2c87da6283 /tests/test_backend.py | |
parent | fafdf072f5a34ee12ffe9d7651551c83459759bb (diff) | |
Rationalize how we get roles after authentication in the controllers
Currently there is a mixture of strategies in the v2 and v3 controllers
for how to get the roles assigned for the scope of the requested
authentication. This duplicates code, is hard to maintain and in at
least once case (where your only roles on a project are due to a group
membership) is not actually correct (for v2 tokens).
This change does the following:
- Standardizes on using the 'get_roles_for_user_and_project()', and its
domain equivalent, for how roles are obtained to build a token. This
was already the case for v3 tokens. The controllers no longer need
to get metadata and extract the roles.
- Removes the driver level function to 'authorize_for_project' - this is
now handled within the controller. The driver simply supports the user
authentication.
A nice (and planned for) side effect of the above is that we now hide
the schema of how we store roles within the driver layer - i.e.
nothing outside of the driver (other than any specific-to-implementation
tests) have to know about how roles are stored in the metadata. This paves
the way for a re-implementation of the grant tables in IceHouse.
This change also fills in missing function definitons in the assignment
driver.
Implements bp authenticate-role-rationalization
Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
Diffstat (limited to 'tests/test_backend.py')
-rw-r--r-- | tests/test_backend.py | 68 |
1 files changed, 7 insertions, 61 deletions
diff --git a/tests/test_backend.py b/tests/test_backend.py
index 87762244..a260f2dd 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -62,39 +62,17 @@ class IdentityTests(object):
 self.assertRaises(AssertionError,
 self.identity_api.authenticate,
 user_id=uuid.uuid4().hex,
- tenant_id=self.tenant_bar['id'],
 password=self.user_foo['password'])
 
 def test_authenticate_bad_password(self):
 self.assertRaises(AssertionError,
 self.identity_api.authenticate,
 user_id=self.user_foo['id'],
- tenant_id=self.tenant_bar['id'],
 password=uuid.uuid4().hex)
 
- def test_authenticate_bad_project(self):
- self.assertRaises(AssertionError,
- self.identity_api.authenticate,
- user_id=self.user_foo['id'],
- tenant_id=uuid.uuid4().hex,
- password=self.user_foo['password'])
-
- def test_authenticate_no_project(self):
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
- user_id=self.user_foo['id'],
- password=self.user_foo['password'])
- # NOTE(termie): the password field is left in user_foo to make
- # it easier to authenticate in tests, but should
- # not be returned by the api
- self.user_foo.pop('password')
- self.assertDictEqual(user_ref, self.user_foo)
- self.assert_(tenant_ref is None)
- self.assert_(not metadata_ref)
-
 def test_authenticate(self):
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
+ user_ref = self.identity_api.authenticate(
 user_id=self.user_sna['id'],
- tenant_id=self.tenant_bar['id'],
 password=self.user_sna['password'])
 # NOTE(termie): the password field is left in user_foo to make
 # it easier to authenticate in tests, but should
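Review bot: With the `tenant_id` argument dropped from `authenticate`, the deleted `test_authenticate_bad_project` case leaves this file with no assertion that authenticating against a project the user holds no roles on is refused, and the remaining `assertRaises(AssertionError, ...)` tests only cover an unknown user and a wrong password. The commit message moves that authorization decision into the controllers and this diff is limited to tests/test_backend.py, so the replacement may well live in the controller tests, but it is worth confirming that a negative test for the "no roles on the requested project" path exists somewhere in the change rather than being lost with this hunk. `test_authenticate` continues past the end of this hunk.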
@@ -102,21 +80,8 @@ class IdentityTests(object):
 self.user_sna.pop('password')
 self.user_sna['enabled'] = True
 self.assertDictEqual(user_ref, self.user_sna)
- self.assertDictEqual(tenant_ref, self.tenant_bar)
- metadata_ref.pop('roles')
- self.assertDictEqual(metadata_ref, self.metadata_snamtu)
 
- def test_authenticate_role_return(self):
- self.identity_api.add_role_to_user_and_project(
- self.user_foo['id'], self.tenant_baz['id'], self.role_admin['id'])
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
- user_id=self.user_foo['id'],
- tenant_id=self.tenant_baz['id'],
- password=self.user_foo['password'])
- self.assertIn('roles', metadata_ref)
- self.assertIn(self.role_admin['id'], metadata_ref['roles'])
-
- def test_authenticate_no_metadata(self):
+ def test_authenticate_and_get_roles_no_metadata(self):
 user = {
 'id': 'no_meta',
 'name': 'NO_META',
@@ -126,18 +91,18 @@ class IdentityTests(object):
 self.identity_api.create_user(user['id'], user)
 self.identity_api.add_user_to_project(self.tenant_baz['id'],
 user['id'])
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
+ user_ref = self.identity_api.authenticate(
 user_id=user['id'],
- tenant_id=self.tenant_baz['id'],
 password=user['password'])
 # NOTE(termie): the password field is left in user_foo to make
 # it easier to authenticate in tests, but should
 # not be returned by the api
 user.pop('password')
- self.assertEquals(metadata_ref, {"roles":
- [CONF.member_role_id]})
 self.assertDictContainsSubset(user, user_ref)
- self.assertDictEqual(tenant_ref, self.tenant_baz)
+ role_list = self.identity_api.get_roles_for_user_and_project(
+ user['id'], self.tenant_baz['id'])
+ self.assertEqual(len(role_list), 1)
+ self.assertIn(CONF.member_role_id, role_list)
 
 def test_password_hashed(self):
 user_ref = self.identity_api._get_user(self.user_foo['id'])
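Review bot: In `test_authenticate`, which begins in the previous hunk, the three assertions on `tenant_ref` and `metadata_ref` following `self.assertDictEqual(user_ref, self.user_sna)` are deleted outright, while the renamed `test_authenticate_and_get_roles_no_metadata` in the next hunk converts its metadata check into a `get_roles_for_user_and_project` check; the sna/bar grant that `self.metadata_snamtu` used to pin is therefore no longer asserted anywhere at the backend level. A parallel check, `role_list = self.identity_api.get_roles_for_user_and_project(self.user_sna['id'], self.tenant_bar['id'])` followed by assertions on the role ids that fixture grants, would keep that coverage and match the pattern used in the other test. In the renamed test, if the API returns a list, `self.assertEqual(len(role_list), 1)` plus `self.assertIn(CONF.member_role_id, role_list)` could be collapsed to `self.assertEqual(role_list, [CONF.member_role_id])`, which also reports the unexpected contents on failure. `test_authenticate_and_get_roles_no_metadata` starts in the first hunk on this line and continues into the second.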
@@ -218,25 +183,6 @@ class IdentityTests(object):
 user_name=uuid.uuid4().hex,
 domain_id=DEFAULT_DOMAIN_ID)
 
- def test_get_metadata(self):
- metadata_ref = self.identity_api.get_metadata(
- user_id=self.user_sna['id'],
- tenant_id=self.tenant_bar['id'])
- metadata_ref.pop('roles')
- self.assertDictEqual(metadata_ref, self.metadata_snamtu)
-
- def test_get_metadata_404(self):
- # FIXME(dolph): these exceptions could be more specific
- self.assertRaises(exception.NotFound,
- self.identity_api.get_metadata,
- user_id=uuid.uuid4().hex,
- tenant_id=self.tenant_bar['id'])
-
- self.assertRaises(exception.NotFound,
- self.identity_api.get_metadata,
- user_id=self.user_foo['id'],
- tenant_id=uuid.uuid4().hex)
-
 def test_get_role(self):
 role_ref = self.identity_api.get_role(
 role_id=self.role_admin['id']) |