diff options
author | Jenkins <jenkins@review.openstack.org> | 2013-03-20 08:26:50 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2013-03-20 08:26:50 +0000 |
commit | 3c9768f6e002eac556a0e2f23d8f2cdd0ecfa5eb (patch) | |
tree | 9f90c4b02c5ce7f90c31db3bc5ee8f30e1f9d789 /tests | |
parent | 533bb01947199e20b840917ab5ee387451b174a0 (diff) | |
parent | cd3f58a8d05010838bd5e2d095103c2623499112 (diff) | |
download | keystone-3c9768f6e002eac556a0e2f23d8f2cdd0ecfa5eb.tar.gz keystone-3c9768f6e002eac556a0e2f23d8f2cdd0ecfa5eb.tar.xz keystone-3c9768f6e002eac556a0e2f23d8f2cdd0ecfa5eb.zip |
Merge "Validate domains unconditionally (bug 1130236)"
Diffstat (limited to 'tests')
-rw-r--r-- | tests/default_fixtures.py | 10 | ||||
-rw-r--r-- | tests/test_auth.py | 3 | ||||
-rw-r--r-- | tests/test_backend.py | 4 | ||||
-rw-r--r-- | tests/test_cert_setup.py | 4 | ||||
-rw-r--r-- | tests/test_v3_auth.py | 4 | ||||
-rw-r--r-- | tests/test_v3_identity.py | 87 |
6 files changed, 89 insertions, 23 deletions
diff --git a/tests/default_fixtures.py b/tests/default_fixtures.py index 1141ddfd..3a1379ed 100644 --- a/tests/default_fixtures.py +++ b/tests/default_fixtures.py @@ -118,3 +118,13 @@ ROLES = [ } ] + +DOMAINS = [ + { + 'id': DEFAULT_DOMAIN_ID, + 'name': 'Default', + 'enabled': True, + 'description': 'Owns users and tenants (i.e. projects) available ' + 'on Identity API v2.' + } +] diff --git a/tests/test_auth.py b/tests/test_auth.py index 3603adcc..bf43c4af 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -612,9 +612,6 @@ class AuthWithTrust(AuthTest): return auth_response def fetch_v3_token_from_trust(self): - self.identity_api.create_domain("default", - {"name": "default", - "id": "default"}) v3_password_data = { 'identity': { "methods": ["password"], diff --git a/tests/test_backend.py b/tests/test_backend.py index ac54aba4..fea52b8e 100644 --- a/tests/test_backend.py +++ b/tests/test_backend.py @@ -23,7 +23,6 @@ from keystone.catalog import core from keystone import config from keystone import exception from keystone.openstack.common import timeutils -from keystone import config from keystone import test @@ -1582,10 +1581,11 @@ class IdentityTests(object): self.identity_api.create_domain(domain1['id'], domain1) self.identity_api.create_domain(domain2['id'], domain2) domains = self.identity_api.list_domains() - self.assertEquals(len(domains), 2) + self.assertEquals(len(domains), 3) domain_ids = [] for domain in domains: domain_ids.append(domain.get('id')) + self.assertIn(DEFAULT_DOMAIN_ID, domain_ids) self.assertIn(domain1['id'], domain_ids) self.assertIn(domain2['id'], domain_ids) diff --git a/tests/test_cert_setup.py b/tests/test_cert_setup.py index 76396fd9..951b06ad 100644 --- a/tests/test_cert_setup.py +++ b/tests/test_cert_setup.py @@ -23,6 +23,9 @@ from keystone import exception from keystone import test from keystone import token +import default_fixtures + + ROOTDIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) SSLDIR = "%s/tests/ssl/" % ROOTDIR CONF = test.CONF @@ -46,6 +49,7 @@ class CertSetupTestCase(test.TestCase): CONF.signing.keyfile = os.path.join(KEYDIR, "signing_key.pem") self.load_backends() + self.load_fixtures(default_fixtures) self.controller = token.controllers.Auth() def test_can_handle_missing_certs(self): diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py index 092980e7..7b687477 100644 --- a/tests/test_v3_auth.py +++ b/tests/test_v3_auth.py @@ -340,7 +340,7 @@ class TestTokenAPIs(test_v3.RestfulTestCase): self.assertIn('signed', r.body) -class ATestTokenRevoking(test_v3.RestfulTestCase): +class TestTokenRevoking(test_v3.RestfulTestCase): """Test token revoking for relevant v3 identity apis""" def setUp(self): @@ -360,7 +360,7 @@ class ATestTokenRevoking(test_v3.RestfulTestCase): - User3 is a member of group2 """ - super(ATestTokenRevoking, self).setUp() + super(TestTokenRevoking, self).setUp() # Start by creating a couple of domains and projects self.domainA = self.new_domain_ref() diff --git a/tests/test_v3_identity.py b/tests/test_v3_identity.py index 05d65d89..e9fe44c9 100644 --- a/tests/test_v3_identity.py +++ b/tests/test_v3_identity.py @@ -79,26 +79,81 @@ class IdentityTestCase(test_v3.RestfulTestCase): def test_disable_domain(self): """PATCH /domains/{domain_id} (set enabled=False)""" - self.domain['enabled'] = False + # Create a 2nd set of entities in a 2nd domain + self.domain2 = self.new_domain_ref() + self.identity_api.create_domain(self.domain2['id'], self.domain2) + + self.project2 = self.new_project_ref( + domain_id=self.domain2['id']) + self.identity_api.create_project(self.project2['id'], self.project2) + + self.user2 = self.new_user_ref( + domain_id=self.domain2['id'], + project_id=self.project2['id']) + self.identity_api.create_user(self.user2['id'], self.user2) + + self.identity_api.add_user_to_project(self.project2['id'], + self.user2['id']) + + # First check a user in that domain can authenticate, via + # Both v2 and v3 + body = { + 'auth': { + 'passwordCredentials': { + 'userId': self.user2['id'], + 'password': self.user2['password'] + }, + 'tenantId': self.project2['id'] + } + } + resp = self.admin_request(path='/v2.0/tokens', + method='POST', + body=body) + + auth_data = self.build_authentication_request( + user_id=self.user2['id'], + password=self.user2['password'], + project_id=self.project2['id']) + resp = self.post('/auth/tokens', body=auth_data) + + # Now disable the domain + self.domain2['enabled'] = False r = self.patch('/domains/%(domain_id)s' % { - 'domain_id': self.domain_id}, + 'domain_id': self.domain2['id']}, body={'domain': {'enabled': False}}) - self.assertValidDomainResponse(r, self.domain) - - # check that the project and user are still enabled - # FIXME(gyee): are these tests still valid since user should not - # be able to authenticate into a disabled domain - #r = self.get('/projects/%(project_id)s' % { - # 'project_id': self.project_id}) - #self.assertValidProjectResponse(r, self.project) - #self.assertTrue(r.body['project']['enabled']) + self.assertValidDomainResponse(r, self.domain2) - #r = self.get('/users/%(user_id)s' % { - # 'user_id': self.user['id']}) - #self.assertValidUserResponse(r, self.user) - #self.assertTrue(r.body['user']['enabled']) + # Make sure the user can no longer authenticate, via + # either API + body = { + 'auth': { + 'passwordCredentials': { + 'userId': self.user2['id'], + 'password': self.user2['password'] + }, + 'tenantId': self.project2['id'] + } + } + resp = self.admin_request(path='/v2.0/tokens', + method='POST', + body=body, + expected_status=401) + + # Try looking up in v3 by name and id + auth_data = self.build_authentication_request( + user_id=self.user2['id'], + password=self.user2['password'], + project_id=self.project2['id']) + resp = self.post('/auth/tokens', body=auth_data, + expected_status=401) - # TODO(dolph): assert that v2 & v3 auth return 401 + auth_data = self.build_authentication_request( + username=self.user2['name'], + user_domain_id=self.domain2['id'], + password=self.user2['password'], + project_id=self.project2['id']) + resp = self.post('/auth/tokens', body=auth_data, + expected_status=401) def test_delete_enabled_domain_fails(self): """DELETE /domains/{domain_id}...(when domain enabled)""" |