diff options
| author | Jenkins <jenkins@review.openstack.org> | 2013-07-08 20:57:57 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-07-08 20:57:57 +0000 |
| commit | d398d57304e6eb37ec70510e5b7f3cfbbff5f4d2 (patch) | |
| tree | fd8950ec3927f16566082b7711a2772771c0e87c /tests/test_backend_ldap.py | |
| parent | f37c0ea2adad642e5f2f9648796a03fb2f4a86d5 (diff) | |
| parent | 22e3fb773176dd9a8bbf41b5268564bc0e4ed6f1 (diff) | |
| download | keystone-d398d57304e6eb37ec70510e5b7f3cfbbff5f4d2.tar.gz keystone-d398d57304e6eb37ec70510e5b7f3cfbbff5f4d2.tar.xz keystone-d398d57304e6eb37ec70510e5b7f3cfbbff5f4d2.zip | |
Merge "Fix issue with v3 tokens and group membership roles"
Diffstat (limited to 'tests/test_backend_ldap.py')
| -rw-r--r-- | tests/test_backend_ldap.py | 51 |
1 files changed, 50 insertions, 1 deletions
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py index a38f1ece..f52e30cc 100644 --- a/tests/test_backend_ldap.py +++ b/tests/test_backend_ldap.py @@ -501,7 +501,56 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): raise nose.exc.SkipTest('N/A: LDAP does not support multiple domains') def test_multi_role_grant_by_user_group_on_project_domain(self): - raise nose.exc.SkipTest('N/A: LDAP does not support multiple domains') + # This is a partial implementation of the standard test that + # is defined in test_backend.py. It omits both domain and + # group grants. since neither of these are yet supported by + # the ldap backend. + + role_list = [] + for _ in range(2): + role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex} + self.identity_api.create_role(role['id'], role) + role_list.append(role) + + user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, + 'domain_id': CONF.identity.default_domain_id, + 'password': uuid.uuid4().hex, + 'enabled': True} + self.identity_api.create_user(user1['id'], user1) + project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, + 'domain_id': CONF.identity.default_domain_id} + self.identity_api.create_project(project1['id'], project1) + + self.identity_api.add_role_to_user_and_project( + user_id=user1['id'], + tenant_id=project1['id'], + role_id=role_list[0]['id']) + self.identity_api.add_role_to_user_and_project( + user_id=user1['id'], + tenant_id=project1['id'], + role_id=role_list[1]['id']) + + # Although list_grants are not yet supported, we can test the + # alternate way of getting back lists of grants, where user + # and group roles are combined. Only directly assigned user + # roles are available, since group grants are not yet supported + + combined_role_list = self.identity_api.get_roles_for_user_and_project( + user1['id'], project1['id']) + self.assertEquals(len(combined_role_list), 2) + self.assertIn(role_list[0]['id'], combined_role_list) + self.assertIn(role_list[1]['id'], combined_role_list) + + # Finally, although domain roles are not implemented, check we can + # issue the combined get roles call with benign results, since thus is + # used in token generation + + combined_role_list = self.identity_api.get_roles_for_user_and_domain( + user1['id'], CONF.identity.default_domain_id) + self.assertEquals(len(combined_role_list), 0) + + def test_multi_group_grants_on_project_domain(self): + raise nose.exc.SkipTest('Blocked by bug 1101287') def test_delete_role_with_user_and_group_grants(self): raise nose.exc.SkipTest('Blocked by bug 1101287') |