diff options
author | Dolph Mathews <dolph.mathews@gmail.com> | 2012-07-16 16:08:32 -0500 |
---|---|---|
committer | Dolph Mathews <dolph.mathews@gmail.com> | 2012-07-16 16:08:34 -0500 |
commit | 4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685 (patch) | |
tree | 75b35e2985cdd4855e218c4582386f159ed67443 /tests/test_keystoneclient.py | |
parent | 4b97716e4a68cb55652fe2bfd62373adf2b417c5 (diff) | |
download | keystone-4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685.tar.gz keystone-4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685.tar.xz keystone-4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685.zip |
Raise unauthorized if tenant disabled (bug 988920)
If the client attempts to explicitly authenticate against a disabled
tenant, keystone should return HTTP 401 Unauthorized.
Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
Diffstat (limited to 'tests/test_keystoneclient.py')
-rw-r--r-- | tests/test_keystoneclient.py | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py index 69d4ffc2..944ca790 100644 --- a/tests/test_keystoneclient.py +++ b/tests/test_keystoneclient.py @@ -180,6 +180,53 @@ class KeystoneClientTests(object): self.get_client, user_ref) + def test_authenticate_disabled_tenant(self): + from keystoneclient import exceptions as client_exceptions + + admin_client = self.get_client(admin=True) + + tenant = { + 'name': uuid.uuid4().hex, + 'description': uuid.uuid4().hex, + 'enabled': False, + } + tenant_ref = admin_client.tenants.create( + tenant_name=tenant['name'], + description=tenant['description'], + enabled=tenant['enabled']) + tenant['id'] = tenant_ref.id + + user = { + 'name': uuid.uuid4().hex, + 'password': uuid.uuid4().hex, + 'email': uuid.uuid4().hex, + 'tenant_id': tenant['id'], + } + user_ref = admin_client.users.create( + name=user['name'], + password=user['password'], + email=user['email'], + tenant_id=user['tenant_id']) + user['id'] = user_ref.id + + # password authentication + self.assertRaises( + client_exceptions.Unauthorized, + self._client, + username=user['name'], + password=user['password'], + tenant_id=tenant['id']) + + # token authentication + client = self._client( + username=user['name'], + password=user['password']) + self.assertRaises( + client_exceptions.Unauthorized, + self._client, + token=client.auth_token, + tenant_id=tenant['id']) + # FIXME(ja): this test should require the "keystone:admin" roled # (probably the role set via --keystone_admin_role flag) # FIXME(ja): add a test that admin endpoint is only sent to admin user |