| -rw-r--r-- | keystone/identity/backends/ldap/core.py | 4 | ||||
| -rw-r--r-- | tests/_ldap_livetest.py | 93 | ||||
| -rw-r--r-- | tests/backend_liveldap.conf | 21 | ||||
| -rw-r--r-- | tests/test_backend.py | 22 | ||||
| -rw-r--r-- | tests/test_backend_ldap.py | 59 |
5 files changed, 121 insertions, 78 deletions
diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py index cc60d0b9..72446ce3 100644 --- a/keystone/identity/backends/ldap/core.py +++ b/keystone/identity/backends/ldap/core.py @@ -176,7 +176,9 @@ class Identity(identity.Driver): data = tenant.copy() if 'id' not in data or data['id'] is None: data['id'] = str(uuid.uuid4().hex) - return self.project.create(tenant) + if 'description' in data and data['description'] in ['', None]: + data.pop('description') + return self.project.create(data) def update_project(self, tenant_id, tenant): if 'name' in tenant: diff --git a/tests/_ldap_livetest.py b/tests/_ldap_livetest.py index f74bf16c..7eb343e6 100644 --- a/tests/_ldap_livetest.py +++ b/tests/_ldap_livetest.py @@ -14,6 +14,9 @@ # License for the specific language governing permissions and limitations # under the License. +import ldap +import ldap.modlist +import nose.exc import subprocess from keystone import config 
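Review bot: The blank-description filter added to `create_project` is not mirrored on the update path. `update_project` starts at the end of this hunk and its body continues outside it, so this is inferred, but an update that sets `description` to `''` or `None` would presumably still hand the directory an empty attribute value, which LDAP string syntaxes do not allow. Consider a small shared helper used by both methods, and document the reason at the check, e.g. `# LDAP attributes cannot hold empty values; drop a blank description rather than fail the add`. Whitespace-only descriptions also pass the `in ['', None]` test unchanged, if those can arrive from the API.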
@@ -27,44 +30,70 @@ import test_backend_ldap CONF = config.CONF -def delete_object(name): - devnull = open('/dev/null', 'w') - dn = '%s,%s' % (name, CONF.ldap.suffix) - subprocess.call(['ldapdelete', - '-x', - '-D', CONF.ldap.user, - '-H', CONF.ldap.url, - '-w', CONF.ldap.password, - dn], - stderr=devnull) - - -def clear_live_database(): - roles = ['keystone_admin', 'fake1', 'fake2', 'useless'] - groups = ['baz', 'bar', 'tenent4add', 'fake1', 'fake2'] - users = ['foo', 'two', 'fake1', 'fake2', 'no_meta'] - - for group in groups: - for role in roles: - delete_object('cn=%s,cn=%s,ou=Groups' % (role, group)) - delete_object('cn=%s,ou=Groups' % group) - - for user in users: - delete_object('cn=%s,ou=Users' % user) - - for role in roles: - delete_object('cn=%s,ou=Roles' % role) +def create_object(dn, attrs): + conn = ldap.initialize(CONF.ldap.url) + conn.simple_bind_s(CONF.ldap.user, CONF.ldap.password) + ldif = ldap.modlist.addModlist(attrs) + conn.add_s(dn, ldif) + conn.unbind_s() class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity): - def setUp(self): - super(LiveLDAPIdentity, self).setUp() + + def clear_database(self): + devnull = open('/dev/null', 'w') + subprocess.call(['ldapdelete', + '-x', + '-D', CONF.ldap.user, + '-H', CONF.ldap.url, + '-w', CONF.ldap.password, + '-r', CONF.ldap.suffix], + stderr=devnull) + + if CONF.ldap.suffix.startswith('ou='): + tree_dn_attrs = {'objectclass': 'organizationalUnit', + 'ou': 'openstack'} + else: + tree_dn_attrs = {'objectclass': ['dcObject', 'organizationalUnit'], + 'dc': 'openstack', + 'ou': 'openstack'} + create_object(CONF.ldap.suffix, tree_dn_attrs) + create_object(CONF.ldap.user_tree_dn, + {'objectclass': 'organizationalUnit', + 'ou': 'Users'}) + create_object(CONF.ldap.role_tree_dn, + {'objectclass': 'organizationalUnit', + 'ou': 'Roles'}) + create_object(CONF.ldap.tenant_tree_dn, + {'objectclass': 'organizationalUnit', + 'ou': 'Projects'}) + + # NOTE(crazed): This feature is currently being added + 
create_object("ou=Groups,%s" % CONF.ldap.suffix, + {'objectclass': 'organizationalUnit', + 'ou': 'Groups'}) + + def _set_config(self): self.config([test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_liveldap.conf')]) - clear_live_database() - self.identity_api = identity_ldap.Identity() - self.load_fixtures(default_fixtures) + + def test_build_tree(self): + """Regression test for building the tree names + """ + #logic is different from the fake backend. + user_api = identity_ldap.UserApi(CONF) + self.assertTrue(user_api) + self.assertEquals(user_api.tree_dn, CONF.ldap.user_tree_dn) def tearDown(self): test.TestCase.tearDown(self) + + def test_user_enable_attribute_mask(self): + raise nose.exc.SkipTest('Test is for Active Directory Only') + + def test_configurable_allowed_project_actions(self): + raise nose.exc.SkipTest('Blocked by bug 1155234') + + def test_project_crud(self): + raise nose.exc.SkipTest('Blocked by bug 1155234') diff --git a/tests/backend_liveldap.conf b/tests/backend_liveldap.conf index d1075664..60a71cc8 100644 --- a/tests/backend_liveldap.conf +++ b/tests/backend_liveldap.conf @@ -1,9 +1,16 @@ [ldap] url = ldap://localhost -suffix = dc=younglogic,dc=com -user_tree_dn = ou=Users,dc=younglogic,dc=com -role_tree_dn = ou=Roles,dc=younglogic,dc=com -tenant_tree_dn = ou=Groups,dc=younglogic,dc=com -user = dc=Manager,dc=younglogic,dc=com -password = freeipa4all -backend_entities = ['Tenant', 'User', 'UserRoleAssociation', 'Role'] +user = dc=Manager,dc=openstack,dc=org +password = test +suffix = dc=openstack,dc=org +role_tree_dn = ou=Roles,dc=openstack,dc=org +tenant_tree_dn = ou=Projects,dc=openstack,dc=org +user_tree_dn = ou=Users,dc=openstack,dc=org +tenant_enabled_emulation = True +user_enabled_emulation = True +user_mail_attribute = mail +use_dumb_member = True + +[identity] +driver = keystone.identity.backends.ldap.Identity + 
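Review bot: `clear_database` hands the bind password to `ldapdelete` as `-w CONF.ldap.password`, so the secret sits in the process argument list where other local users can read it while the command runs. The `devnull` handle is never closed and the exit status is discarded, so a wipe that fails for a reason other than "suffix not there yet" goes unnoticed and the tests run against stale entries. This commit already binds through python-ldap in `create_object`, so the wipe can use the same library and keep the password off argv, as sketched below. `create_object` would also be safer with `conn.unbind_s()` in a `finally`, so a failed `add_s` does not leave the connection open.

```python
    def clear_database(self):
        conn = ldap.initialize(CONF.ldap.url)
        conn.simple_bind_s(CONF.ldap.user, CONF.ldap.password)
        try:
            entries = conn.search_s(CONF.ldap.suffix, ldap.SCOPE_SUBTREE,
                                    attrlist=['1.1'])
            # A child DN is always longer than its parent's DN, so deleting
            # longest-first removes leaves before their containers.
            for dn, _ in sorted(entries, key=lambda e: len(e[0] or ''),
                                reverse=True):
                if dn:
                    conn.delete_s(dn)
        except ldap.NO_SUCH_OBJECT:
            # First run: the suffix has not been created yet.
            pass
        finally:
            conn.unbind_s()

        # ... unchanged: tree_dn_attrs selection and create_object calls ...
```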
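Review bot: Nothing in this file says it must only describe a throwaway directory, yet it commits a bind DN and password next to a `suffix` that the live test's `clear_database` deletes recursively on every run. A header comment would make that explicit, for example `# Test-only settings for a disposable local slapd; the live tests wipe everything under suffix on each run.` The previous `password` value remains in the repository history after this change. Whether it was ever used on a real server cannot be told from the diff, but if it was, it should be treated as exposed and rotated.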
diff --git a/tests/test_backend.py b/tests/test_backend.py index ce5ca258..ac54aba4 100644 --- a/tests/test_backend.py +++ b/tests/test_backend.py @@ -117,7 +117,7 @@ class IdentityTests(object): 'domain_id': DEFAULT_DOMAIN_ID, 'password': 'no_meta2', } - self.identity_man.create_user({}, user['id'], user) + self.identity_api.create_user(user['id'], user) self.identity_api.add_user_to_project(self.tenant_baz['id'], user['id']) user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate( @@ -350,8 +350,8 @@ class IdentityTests(object): 'domain_id': DEFAULT_DOMAIN_ID, 'password': 'fakepass', 'tenants': ['bar']} - self.identity_man.create_user({}, 'fake1', user1) - self.identity_man.create_user({}, 'fake2', user2) + self.identity_api.create_user('fake1', user1) + self.identity_api.create_user('fake2', user2) user2['name'] = 'fake1' self.assertRaises(exception.Conflict, self.identity_api.update_user, @@ -364,7 +364,7 @@ class IdentityTests(object): 'domain_id': DEFAULT_DOMAIN_ID, 'password': 'fakepass', 'tenants': ['bar']} - self.identity_man.create_user({}, 'fake1', user) + self.identity_api.create_user('fake1', user) user['id'] = 'fake2' self.assertRaises(exception.ValidationError, self.identity_api.update_user, @@ -458,7 +458,7 @@ class IdentityTests(object): def test_update_project_id_does_nothing(self): tenant = {'id': 'fake1', 'name': 'fake1', 'domain_id': DEFAULT_DOMAIN_ID} - self.identity_man.create_project({}, 'fake1', tenant) + self.identity_api.create_project('fake1', tenant) tenant['id'] = 'fake2' self.identity_api.update_project('fake1', tenant) tenant_ref = self.identity_api.get_project('fake1') @@ -1389,7 +1389,7 @@ class IdentityTests(object): 'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID, 'password': uuid.uuid4().hex} - self.identity_man.create_user({}, user['id'], user) + self.identity_api.create_user(user['id'], user) self.identity_api.add_user_to_project(self.tenant_bar['id'], user['id']) self.identity_api.delete_user(user['id']) 
@@ -1402,7 +1402,7 @@ class IdentityTests(object): 'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID, 'password': uuid.uuid4().hex} - self.identity_man.create_user({}, user['id'], user) + self.identity_api.create_user(user['id'], user) self.identity_api.add_role_to_user_and_project( user['id'], self.tenant_bar['id'], @@ -1606,7 +1606,7 @@ class IdentityTests(object): def test_delete_project_with_role_assignments(self): tenant = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID} - self.identity_man.create_project({}, tenant['id'], tenant) + self.identity_api.create_project(tenant['id'], tenant) self.identity_api.add_role_to_user_and_project( self.user_foo['id'], tenant['id'], 'member') self.identity_api.delete_project(tenant['id']) @@ -1647,7 +1647,7 @@ class IdentityTests(object): def test_update_user_enable(self): user = {'id': 'fake1', 'name': 'fake1', 'enabled': True, 'domain_id': DEFAULT_DOMAIN_ID} - self.identity_man.create_user({}, 'fake1', user) + self.identity_api.create_user('fake1', user) user_ref = self.identity_api.get_user('fake1') self.assertEqual(user_ref['enabled'], True) @@ -1664,7 +1664,7 @@ class IdentityTests(object): def test_update_project_enable(self): tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True, 'domain_id': DEFAULT_DOMAIN_ID} - self.identity_man.create_project({}, 'fake1', tenant) + self.identity_api.create_project('fake1', tenant) tenant_ref = self.identity_api.get_project('fake1') self.assertEqual(tenant_ref['enabled'], True) @@ -1914,7 +1914,7 @@ class IdentityTests(object): def test_user_crud(self): user = {'domain_id': uuid.uuid4().hex, 'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex, 'password': 'passw0rd'} - self.identity_man.create_user({}, user['id'], user) + self.identity_api.create_user(user['id'], user) user_ref = self.identity_api.get_user(user['id']) del user['password'] user_ref_dict = dict((x, user_ref[x]) for x in user_ref) 
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py index c93749a7..8ea514bc 100644 --- a/tests/test_backend_ldap.py +++ b/tests/test_backend_ldap.py @@ -32,18 +32,21 @@ import test_backend CONF = config.CONF -def clear_database(): - db = fakeldap.FakeShelve().get_instance() - db.clear() +class LDAPIdentity(test.TestCase, test_backend.IdentityTests): + def clear_database(self): + db = fakeldap.FakeShelve().get_instance() + db.clear() -class LDAPIdentity(test.TestCase, test_backend.IdentityTests): - def setUp(self): - super(LDAPIdentity, self).setUp() + def _set_config(self): self.config([test.etcdir('keystone.conf.sample'), test.testsdir('test_overrides.conf'), test.testsdir('backend_ldap.conf')]) - clear_database() + + def setUp(self): + super(LDAPIdentity, self).setUp() + self._set_config() + self.clear_database() self.identity_man = identity.Manager() self.identity_api = self.identity_man.driver self.load_fixtures(default_fixtures) @@ -62,7 +65,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): 'name': 'fake1', 'password': 'fakepass1', 'tenants': ['bar']} - self.identity_man.create_user({}, 'fake1', user) + self.identity_api.create_user('fake1', user) user_ref = self.identity_api.get_user('fake1') self.assertEqual(user_ref['id'], 'fake1') @@ -103,7 +106,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): self.identity_api = identity.backends.ldap.Identity() tenant = {'id': 'fake1', 'name': 'fake1', 'enabled': True} - self.identity_man.create_project({}, 'fake1', tenant) + self.identity_api.create_project('fake1', tenant) tenant_ref = self.identity_api.get_project('fake1') self.assertEqual(tenant_ref['id'], 'fake1') 
@@ -208,7 +211,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): def test_dumb_member(self): CONF.ldap.use_dumb_member = True CONF.ldap.dumb_member = 'cn=dumb,cn=example,cn=com' - clear_database() + self.clear_database() self.identity_api = identity.backends.ldap.Identity() self.load_fixtures(default_fixtures) self.assertRaises(exception.UserNotFound, 
@@ -217,35 +220,32 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): def test_user_attribute_mapping(self): CONF.ldap.user_name_attribute = 'sn' - CONF.ldap.user_mail_attribute = 'email' + CONF.ldap.user_mail_attribute = 'mail' CONF.ldap.user_enabled_attribute = 'enabled' - clear_database() + self.clear_database() self.identity_api = identity.backends.ldap.Identity() self.load_fixtures(default_fixtures) user_ref = self.identity_api.get_user(self.user_two['id']) self.assertEqual(user_ref['id'], self.user_two['id']) self.assertEqual(user_ref['name'], self.user_two['name']) self.assertEqual(user_ref['email'], self.user_two['email']) - self.assertEqual(user_ref['enabled'], self.user_two['enabled']) - CONF.ldap.user_name_attribute = 'email' + CONF.ldap.user_name_attribute = 'mail' CONF.ldap.user_mail_attribute = 'sn' self.identity_api = identity.backends.ldap.Identity() user_ref = self.identity_api.get_user(self.user_two['id']) self.assertEqual(user_ref['id'], self.user_two['id']) self.assertEqual(user_ref['name'], self.user_two['email']) self.assertEqual(user_ref['email'], self.user_two['name']) - self.assertEqual(user_ref['enabled'], self.user_two['enabled']) def test_user_attribute_ignore(self): - CONF.ldap.user_attribute_ignore = ['name', 'email', 'password', + CONF.ldap.user_attribute_ignore = ['email', 'password', 'tenant_id', 'enabled', 'tenants'] - clear_database() + self.clear_database() self.identity_api = identity.backends.ldap.Identity() self.load_fixtures(default_fixtures) user_ref = self.identity_api.get_user(self.user_two['id']) self.assertEqual(user_ref['id'], self.user_two['id']) - self.assertNotIn('name', user_ref) self.assertNotIn('email', user_ref) self.assertNotIn('password', user_ref) self.assertNotIn('tenant_id', user_ref) 
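Review bot: Both `self.assertEqual(user_ref['enabled'], self.user_two['enabled'])` checks are removed from `test_user_attribute_mapping`, and `'name'` is dropped from the ignore list along with its `assertNotIn` in `test_user_attribute_ignore`, with no comment explaining why. `enabled` governs whether an account is usable, so this weakens regression coverage for an access-control attribute in the fake-LDAP run as well as the live one. If the reason is the emulated flag that the live configuration turns on, keep the check behind a guard, e.g. `if not CONF.ldap.user_enabled_emulation:` followed by the original assertion. Otherwise add a `# NOTE:` at each removal site stating what the live directory returns instead.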
@@ -254,9 +254,9 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): def test_project_attribute_mapping(self): CONF.ldap.tenant_name_attribute = 'ou' - CONF.ldap.tenant_desc_attribute = 'desc' + CONF.ldap.tenant_desc_attribute = 'description' CONF.ldap.tenant_enabled_attribute = 'enabled' - clear_database() + self.clear_database() self.identity_api = identity.backends.ldap.Identity() self.load_fixtures(default_fixtures) tenant_ref = self.identity_api.get_project(self.tenant_baz['id']) @@ -267,7 +267,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): self.tenant_baz['description']) self.assertEqual(tenant_ref['enabled'], self.tenant_baz['enabled']) - CONF.ldap.tenant_name_attribute = 'desc' + CONF.ldap.tenant_name_attribute = 'description' CONF.ldap.tenant_desc_attribute = 'ou' self.identity_api = identity.backends.ldap.Identity() tenant_ref = self.identity_api.get_project(self.tenant_baz['id']) @@ -280,7 +280,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): CONF.ldap.tenant_attribute_ignore = ['name', 'description', 'enabled'] - clear_database() + self.clear_database() self.identity_api = identity.backends.ldap.Identity() self.load_fixtures(default_fixtures) tenant_ref = self.identity_api.get_project(self.tenant_baz['id']) @@ -291,7 +291,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): def test_role_attribute_mapping(self): CONF.ldap.role_name_attribute = 'ou' - clear_database() + self.clear_database() self.identity_api = identity.backends.ldap.Identity() self.load_fixtures(default_fixtures) role_ref = self.identity_api.get_role(self.role_member['id']) 
@@ -306,7 +306,7 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): def test_role_attribute_ignore(self): CONF.ldap.role_attribute_ignore = ['name'] - clear_database() + self.clear_database() self.identity_api = identity.backends.ldap.Identity() self.load_fixtures(default_fixtures) role_ref = self.identity_api.get_role(self.role_member['id']) @@ -317,10 +317,10 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): CONF.ldap.user_enabled_attribute = 'enabled' CONF.ldap.user_enabled_mask = 2 CONF.ldap.user_enabled_default = 512 - clear_database() + self.clear_database() self.identity_api = identity.backends.ldap.Identity() user = {'id': 'fake1', 'name': 'fake1', 'enabled': True} - self.identity_man.create_user({}, 'fake1', user) + self.identity_api.create_user('fake1', user) user_ref = self.identity_api.get_user('fake1') self.assertEqual(user_ref['enabled'], True) @@ -426,6 +426,11 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): } self.identity_api.create_project(project['id'], project) project_ref = self.identity_api.get_project(project['id']) + + # NOTE(crazed): If running live test with emulation, there will be + # an enabled key in the project_ref. + if self.identity_api.project.enabled_emulation: + project['enabled'] = True self.assertDictEqual(project_ref, project) project['description'] = uuid.uuid4().hex @@ -513,7 +518,7 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity): test.testsdir('backend_ldap.conf')]) CONF.ldap.user_enabled_emulation = True CONF.ldap.tenant_enabled_emulation = True - clear_database() + self.clear_database() self.identity_man = identity.Manager() self.identity_api = self.identity_man.driver self.load_fixtures(default_fixtures) |
