Diffstat (limited to 'tests')
-rw-r--r--tests/test_backend.py265
-rw-r--r--tests/test_backend_ldap.py3
-rw-r--r--tests/test_content_types.py36
-rw-r--r--tests/test_import_legacy.py14
-rw-r--r--tests/test_keystoneclient.py13
-rw-r--r--tests/test_migrate_nova_auth.py5
-rw-r--r--tests/test_v3_auth.py60
7 files changed, 254 insertions, 142 deletions
diff --git a/tests/test_backend.py b/tests/test_backend.py
index 8f87e4e1..57f3315c 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -29,6 +29,7 @@ CONF = config.CONF
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id
TIME_FORMAT = '%Y-%m-%dT%H:%M:%S.%fZ'
NULL_OBJECT = object()
+EMPTY_CONTEXT = {}
class IdentityTests(object):
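Review bot: `EMPTY_CONTEXT = {}` is a single module-level mutable dict that every manager call in this file now shares, so any manager method that writes into its context argument would leak state from one test into the next and make results order-dependent. Whether any manager does that is not visible in this diff, but the previous per-call `{}` literals could not be affected by it. I would either document the contract above the constant, e.g. `# Placeholder request context shared by all tests; callees must treat it as read-only.`, or have the test base class assert in teardown that the dict is still empty. An empty context also carries no caller identity, so these tests cannot exercise any context-dependent check in the manager layer; a comment saying that is intentional would help the next reader.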
@@ -58,27 +59,31 @@ class IdentityTests(object):
def test_authenticate_bad_user(self):
self.assertRaises(AssertionError,
- self.identity_api.authenticate,
+ self.identity_man.authenticate,
+ EMPTY_CONTEXT,
user_id=uuid.uuid4().hex,
tenant_id=self.tenant_bar['id'],
password=self.user_foo['password'])
def test_authenticate_bad_password(self):
self.assertRaises(AssertionError,
- self.identity_api.authenticate,
+ self.identity_man.authenticate,
+ EMPTY_CONTEXT,
user_id=self.user_foo['id'],
tenant_id=self.tenant_bar['id'],
password=uuid.uuid4().hex)
def test_authenticate_bad_project(self):
self.assertRaises(AssertionError,
- self.identity_api.authenticate,
+ self.identity_man.authenticate,
+ EMPTY_CONTEXT,
user_id=self.user_foo['id'],
tenant_id=uuid.uuid4().hex,
password=self.user_foo['password'])
def test_authenticate_no_project(self):
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
+ user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
+ EMPTY_CONTEXT,
user_id=self.user_foo['id'],
password=self.user_foo['password'])
# NOTE(termie): the password field is left in user_foo to make
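Review bot: The three negative tests in this hunk (test_authenticate_bad_user, test_authenticate_bad_password, test_authenticate_bad_project) still expect `AssertionError` now that they call `self.identity_man.authenticate`, so they pass on any failed assertion along the manager path, not only on a rejected credential. If the rejection is implemented with bare `assert` statements (not visible in this diff), that check disappears when Python runs with `-O`, and these tests would not catch it in a normal run. Pinning a dedicated authentication-failure exception type in the tests would make the contract explicit. test_authenticate_no_project continues past the end of this hunk.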
@@ -90,7 +95,8 @@ class IdentityTests(object):
self.assert_(not metadata_ref)
def test_authenticate(self):
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
+ user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
+ EMPTY_CONTEXT,
user_id=self.user_sna['id'],
tenant_id=self.tenant_bar['id'],
password=self.user_sna['password'])
@@ -107,7 +113,8 @@ class IdentityTests(object):
def test_authenticate_role_return(self):
self.identity_api.add_role_to_user_and_project(
self.user_foo['id'], self.tenant_baz['id'], self.role_admin['id'])
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
+ user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
+ EMPTY_CONTEXT,
user_id=self.user_foo['id'],
tenant_id=self.tenant_baz['id'],
password=self.user_foo['password'])
@@ -124,7 +131,8 @@ class IdentityTests(object):
self.identity_api.create_user(user['id'], user)
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
+ user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
+ EMPTY_CONTEXT,
user_id=user['id'],
tenant_id=self.tenant_baz['id'],
password=user['password'])
@@ -279,10 +287,10 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'fakepass',
'tenants': ['bar']}
- self.identity_man.create_user({}, 'fake1', user)
+ self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
user['name'] = 'fake2'
self.assertRaises(exception.Conflict,
- self.identity_man.create_user, {},
+ self.identity_man.create_user, EMPTY_CONTEXT,
'fake1',
user)
@@ -292,10 +300,10 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID,
'password': 'fakepass',
'tenants': ['bar']}
- self.identity_man.create_user({}, 'fake1', user)
+ self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
user['id'] = 'fake2'
self.assertRaises(exception.Conflict,
- self.identity_man.create_user, {},
+ self.identity_man.create_user, EMPTY_CONTEXT,
'fake2',
user)
@@ -310,8 +318,8 @@ class IdentityTests(object):
'name': user1['name'],
'domain_id': new_domain['id'],
'password': uuid.uuid4().hex}
- self.identity_man.create_user({}, user1['id'], user1)
- self.identity_man.create_user({}, user2['id'], user2)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user2['id'], user2)
def test_move_user_between_domains(self):
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
@@ -322,7 +330,7 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'domain_id': domain1['id'],
'password': uuid.uuid4().hex}
- self.identity_man.create_user({}, user['id'], user)
+ self.identity_man.create_user(EMPTY_CONTEXT, user['id'], user)
user['domain_id'] = domain2['id']
self.identity_api.update_user(user['id'], user)
@@ -336,14 +344,14 @@ class IdentityTests(object):
'name': uuid.uuid4().hex,
'domain_id': domain1['id'],
'password': uuid.uuid4().hex}
- self.identity_man.create_user({}, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
# Now create a user in domain2 with a potentially clashing
# name - which should work since we have domain separation
user2 = {'id': uuid.uuid4().hex,
'name': user1['name'],
'domain_id': domain2['id'],
'password': uuid.uuid4().hex}
- self.identity_man.create_user({}, user2['id'], user2)
+ self.identity_man.create_user(EMPTY_CONTEXT, user2['id'], user2)
# Now try and move user1 into the 2nd domain - which should
# fail since the names clash
user1['domain_id'] = domain2['id']
@@ -392,20 +400,20 @@ class IdentityTests(object):
def test_create_duplicate_project_id_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_project({}, 'fake1', tenant)
+ self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
tenant['name'] = 'fake2'
self.assertRaises(exception.Conflict,
- self.identity_man.create_project, {},
+ self.identity_man.create_project, EMPTY_CONTEXT,
'fake1',
tenant)
def test_create_duplicate_project_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_project({}, 'fake1', tenant)
+ self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
tenant['id'] = 'fake2'
self.assertRaises(exception.Conflict,
- self.identity_man.create_project, {},
+ self.identity_man.create_project, EMPTY_CONTEXT,
'fake1',
tenant)
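Review bot: In test_create_duplicate_project_name_fails the dict is changed with `tenant['id'] = 'fake2'`, but the second `create_project` call still passes `'fake1'` as the positional id, so the expected `exception.Conflict` may be raised for the duplicate id rather than the duplicate name. The parallel user hunk earlier in this file passes `'fake2'` after setting `user['id'] = 'fake2'`; doing the same here, `self.identity_man.create_project, EMPTY_CONTEXT, 'fake2', tenant`, would isolate the name clash. The `'fake1'` argument is unchanged context next to the edited line, so it likely predates this commit.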
@@ -416,8 +424,8 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID}
tenant2 = {'id': uuid.uuid4().hex, 'name': tenant1['name'],
'domain_id': new_domain['id']}
- self.identity_man.create_project({}, tenant1['id'], tenant1)
- self.identity_man.create_project({}, tenant2['id'], tenant2)
+ self.identity_man.create_project(EMPTY_CONTEXT, tenant1['id'], tenant1)
+ self.identity_man.create_project(EMPTY_CONTEXT, tenant2['id'], tenant2)
def test_move_project_between_domains(self):
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
@@ -427,7 +435,7 @@ class IdentityTests(object):
project = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
- self.identity_man.create_project({}, project['id'], project)
+ self.identity_man.create_project(EMPTY_CONTEXT, project['id'], project)
project['domain_id'] = domain2['id']
self.identity_api.update_project(project['id'], project)
@@ -440,13 +448,15 @@ class IdentityTests(object):
project1 = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
- self.identity_man.create_project({}, project1['id'], project1)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ project1['id'], project1)
# Now create a project in domain2 with a potentially clashing
# name - which should work since we have domain separation
project2 = {'id': uuid.uuid4().hex,
'name': project1['name'],
'domain_id': domain2['id']}
- self.identity_man.create_project({}, project2['id'], project2)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ project2['id'], project2)
# Now try and move project1 into the 2nd domain - which should
# fail since the names clash
project1['domain_id'] = domain2['id']
@@ -460,8 +470,8 @@ class IdentityTests(object):
'domain_id': DEFAULT_DOMAIN_ID}
tenant2 = {'id': 'fake2', 'name': 'fake2',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_project({}, 'fake1', tenant1)
- self.identity_man.create_project({}, 'fake2', tenant2)
+ self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant1)
+ self.identity_man.create_project(EMPTY_CONTEXT, 'fake2', tenant2)
tenant2['name'] = 'fake1'
self.assertRaises(exception.Error,
self.identity_api.update_project,
@@ -718,11 +728,12 @@ class IdentityTests(object):
self.identity_api.create_domain(new_domain['id'], new_domain)
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': 'secret', 'enabled': True,
'domain_id': new_domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
roles_ref = self.identity_api.list_grants(
@@ -755,11 +766,12 @@ class IdentityTests(object):
self.identity_api.create_domain(new_domain['id'], new_domain)
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
@@ -795,21 +807,25 @@ class IdentityTests(object):
self.identity_api.create_domain(new_domain['id'], new_domain)
new_project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': new_domain['id']}
- self.identity_man.create_project({}, new_project['id'], new_project)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ new_project['id'], new_project)
new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
new_group2 = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group2['id'], new_group2)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group2['id'], new_group2)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
new_user2 = {'id': uuid.uuid4().hex, 'name': 'new_user2',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': new_domain['id']}
- self.identity_man.create_user({}, new_user2['id'], new_user2)
+ self.identity_man.create_user(EMPTY_CONTEXT,
+ new_user2['id'], new_user2)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
# First check we have no grants
@@ -857,7 +873,7 @@ class IdentityTests(object):
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': 'secret', 'enabled': True,
'domain_id': new_domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
roles_ref = self.identity_api.list_grants(
user_id=new_user['id'],
domain_id=new_domain['id'])
@@ -898,7 +914,7 @@ class IdentityTests(object):
self.identity_api.create_domain(domain2['id'], domain2)
group1 = {'id': uuid.uuid4().hex, 'domain_id': domain1['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
roles_ref = self.identity_api.list_grants(
group_id=group1['id'],
domain_id=domain1['id'])
@@ -951,7 +967,7 @@ class IdentityTests(object):
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
- self.identity_man.create_user({}, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
roles_ref = self.identity_api.list_grants(
user_id=user1['id'],
domain_id=domain1['id'])
@@ -999,10 +1015,11 @@ class IdentityTests(object):
self.identity_api.create_domain(domain2['id'], domain2)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
- self.identity_man.create_group({}, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain2['id']}
- self.identity_man.create_project({}, project1['id'], project1)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ project1['id'], project1)
roles_ref = self.identity_api.list_grants(
group_id=group1['id'],
project_id=project1['id'])
@@ -1044,10 +1061,11 @@ class IdentityTests(object):
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
- self.identity_man.create_user({}, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain2['id']}
- self.identity_man.create_project({}, project1['id'], project1)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ project1['id'], project1)
roles_ref = self.identity_api.list_grants(
user_id=user1['id'],
project_id=project1['id'])
@@ -1088,13 +1106,15 @@ class IdentityTests(object):
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
- self.identity_man.create_user({}, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
- self.identity_man.create_group({}, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ group1['id'], group1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
- self.identity_man.create_project({}, project1['id'], project1)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ project1['id'], project1)
self.identity_api.add_user_to_group(user1['id'],
group1['id'])
@@ -1155,14 +1175,15 @@ class IdentityTests(object):
self.identity_api.create_domain(domain1['id'], domain1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
- self.identity_man.create_project({}, project1['id'], project1)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ project1['id'], project1)
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
- self.identity_man.create_user({}, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
- self.identity_man.create_group({}, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_api.create_grant(user_id=user1['id'],
project_id=project1['id'],
role_id=role1['id'])
@@ -1216,14 +1237,15 @@ class IdentityTests(object):
self.identity_api.create_domain(domain1['id'], domain1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
- self.identity_man.create_project({}, project1['id'], project1)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ project1['id'], project1)
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
- self.identity_man.create_user({}, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
- self.identity_man.create_group({}, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_api.create_grant(user_id=user1['id'],
project_id=project1['id'],
role_id=role1['id'])
@@ -1264,14 +1286,15 @@ class IdentityTests(object):
self.identity_api.create_domain(domain1['id'], domain1)
project1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
- self.identity_man.create_project({}, project1['id'], project1)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ project1['id'], project1)
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'password': uuid.uuid4().hex,
'enabled': True}
- self.identity_man.create_user({}, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
group1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain1['id'], 'enabled': True}
- self.identity_man.create_group({}, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.identity_api.create_grant(group_id=group1['id'],
project_id=project1['id'],
role_id=role1['id'])
@@ -1437,7 +1460,7 @@ class IdentityTests(object):
tenant = {'id': 'fake1', 'name': 'a' * 65,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_project, {},
+ self.identity_man.create_project, EMPTY_CONTEXT,
tenant['id'],
tenant)
@@ -1445,7 +1468,7 @@ class IdentityTests(object):
tenant = {'id': 'fake1', 'name': '',
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_project, {},
+ self.identity_man.create_project, EMPTY_CONTEXT,
tenant['id'],
tenant)
@@ -1453,20 +1476,20 @@ class IdentityTests(object):
tenant = {'id': 'fake1', 'name': None,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_project, {},
+ self.identity_man.create_project, EMPTY_CONTEXT,
tenant['id'],
tenant)
tenant = {'id': 'fake1', 'name': 123,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_project, {},
+ self.identity_man.create_project, EMPTY_CONTEXT,
tenant['id'],
tenant)
def test_update_project_blank_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_project({}, 'fake1', tenant)
+ self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
tenant['name'] = ''
self.assertRaises(exception.ValidationError,
self.identity_api.update_project,
@@ -1476,7 +1499,7 @@ class IdentityTests(object):
def test_update_project_long_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_project({}, 'fake1', tenant)
+ self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
tenant['name'] = 'a' * 65
self.assertRaises(exception.ValidationError,
self.identity_api.update_project,
@@ -1486,7 +1509,7 @@ class IdentityTests(object):
def test_update_project_invalid_name_fails(self):
tenant = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_project({}, 'fake1', tenant)
+ self.identity_man.create_project(EMPTY_CONTEXT, 'fake1', tenant)
tenant['name'] = None
self.assertRaises(exception.ValidationError,
self.identity_api.update_project,
@@ -1503,7 +1526,7 @@ class IdentityTests(object):
user = {'id': 'fake1', 'name': 'a' * 65,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_user, {},
+ self.identity_man.create_user, EMPTY_CONTEXT,
'fake1',
user)
@@ -1511,7 +1534,7 @@ class IdentityTests(object):
user = {'id': 'fake1', 'name': '',
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_user, {},
+ self.identity_man.create_user, EMPTY_CONTEXT,
'fake1',
user)
@@ -1519,14 +1542,14 @@ class IdentityTests(object):
user = {'id': 'fake1', 'name': None,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_user, {},
+ self.identity_man.create_user, EMPTY_CONTEXT,
'fake1',
user)
user = {'id': 'fake1', 'name': 123,
'domain_id': DEFAULT_DOMAIN_ID}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_user, {},
+ self.identity_man.create_user, EMPTY_CONTEXT,
'fake1',
user)
@@ -1538,14 +1561,14 @@ class IdentityTests(object):
# invalid string value
'enabled': "true"}
self.assertRaises(exception.ValidationError,
- self.identity_man.create_user, {},
+ self.identity_man.create_user, EMPTY_CONTEXT,
user['id'],
user)
def test_update_user_long_name_fails(self):
user = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_user({}, 'fake1', user)
+ self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
user['name'] = 'a' * 65
self.assertRaises(exception.ValidationError,
self.identity_api.update_user,
@@ -1555,7 +1578,7 @@ class IdentityTests(object):
def test_update_user_blank_name_fails(self):
user = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_user({}, 'fake1', user)
+ self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
user['name'] = ''
self.assertRaises(exception.ValidationError,
self.identity_api.update_user,
@@ -1565,7 +1588,7 @@ class IdentityTests(object):
def test_update_user_invalid_name_fails(self):
user = {'id': 'fake1', 'name': 'fake1',
'domain_id': DEFAULT_DOMAIN_ID}
- self.identity_man.create_user({}, 'fake1', user)
+ self.identity_man.create_user(EMPTY_CONTEXT, 'fake1', user)
user['name'] = None
self.assertRaises(exception.ValidationError,
@@ -1593,8 +1616,8 @@ class IdentityTests(object):
'id': uuid.uuid4().hex,
'domain_id': CONF.identity.default_domain_id,
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, group1['id'], group1)
- self.identity_man.create_group({}, group2['id'], group2)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
groups = self.identity_api.list_groups()
self.assertEquals(len(groups), 2)
group_ids = []
@@ -1661,7 +1684,8 @@ class IdentityTests(object):
new_project = {'id': 'tenant_id', 'name': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID}
original_project = new_project.copy()
- self.identity_man.create_project({}, 'tenant_id', new_project)
+ self.identity_man.create_project(EMPTY_CONTEXT,
+ 'tenant_id', new_project)
self.assertDictEqual(original_project, new_project)
def test_create_user_doesnt_modify_passed_in_dict(self):
@@ -1669,7 +1693,7 @@ class IdentityTests(object):
'password': uuid.uuid4().hex,
'domain_id': DEFAULT_DOMAIN_ID}
original_user = new_user.copy()
- self.identity_man.create_user({}, 'user_id', new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, 'user_id', new_user)
self.assertDictEqual(original_user, new_user)
def test_update_user_enable(self):
@@ -1745,11 +1769,12 @@ class IdentityTests(object):
domain = self._get_domain_fixture()
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
groups = self.identity_api.list_groups_for_user(new_user['id'])
@@ -1765,7 +1790,8 @@ class IdentityTests(object):
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT,
+ new_user['id'], new_user)
self.assertRaises(exception.GroupNotFound,
self.identity_api.add_user_to_group,
new_user['id'],
@@ -1773,7 +1799,8 @@ class IdentityTests(object):
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
self.assertRaises(exception.UserNotFound,
self.identity_api.add_user_to_group,
uuid.uuid4().hex,
@@ -1783,11 +1810,12 @@ class IdentityTests(object):
domain = self._get_domain_fixture()
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
self.identity_api.check_user_in_group(new_user['id'], new_group['id'])
@@ -1797,7 +1825,8 @@ class IdentityTests(object):
'id': uuid.uuid4().hex,
'domain_id': CONF.identity.default_domain_id,
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
self.assertRaises(exception.UserNotFound,
self.identity_api.check_user_in_group,
uuid.uuid4().hex,
@@ -1807,11 +1836,13 @@ class IdentityTests(object):
domain = self._get_domain_fixture()
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT,
+ new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
user_refs = self.identity_api.list_users_in_group(new_group['id'])
@@ -1825,11 +1856,12 @@ class IdentityTests(object):
domain = self._get_domain_fixture()
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
self.identity_api.add_user_to_group(new_user['id'],
new_group['id'])
groups = self.identity_api.list_groups_for_user(new_user['id'])
@@ -1844,10 +1876,11 @@ class IdentityTests(object):
new_user = {'id': uuid.uuid4().hex, 'name': 'new_user',
'password': uuid.uuid4().hex, 'enabled': True,
'domain_id': domain['id']}
- self.identity_man.create_user({}, new_user['id'], new_user)
+ self.identity_man.create_user(EMPTY_CONTEXT, new_user['id'], new_user)
new_group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, new_group['id'], new_group)
+ self.identity_man.create_group(EMPTY_CONTEXT,
+ new_group['id'], new_group)
self.assertRaises(exception.NotFound,
self.identity_api.remove_user_from_group,
new_user['id'],
@@ -1868,7 +1901,7 @@ class IdentityTests(object):
self.identity_api.create_domain(domain['id'], domain)
group = {'id': uuid.uuid4().hex, 'domain_id': domain['id'],
'name': uuid.uuid4().hex}
- self.identity_man.create_group({}, group['id'], group)
+ self.identity_man.create_group(EMPTY_CONTEXT, group['id'], group)
group_ref = self.identity_api.get_group(group['id'])
self.assertDictContainsSubset(group, group_ref)
@@ -1887,9 +1920,9 @@ class IdentityTests(object):
'name': uuid.uuid4().hex}
group2 = {'id': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID,
'name': group1['name']}
- self.identity_man.create_group({}, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
self.assertRaises(exception.Conflict,
- self.identity_man.create_group, {},
+ self.identity_man.create_group, EMPTY_CONTEXT,
group2['id'], group2)
def test_create_duplicate_group_name_in_different_domains(self):
@@ -1899,8 +1932,8 @@ class IdentityTests(object):
'name': uuid.uuid4().hex}
group2 = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
'name': group1['name']}
- self.identity_man.create_group({}, group1['id'], group1)
- self.identity_man.create_group({}, group2['id'], group2)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
def test_move_group_between_domains(self):
domain1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
@@ -1910,7 +1943,7 @@ class IdentityTests(object):
group = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
- self.identity_man.create_group({}, group['id'], group)
+ self.identity_man.create_group(EMPTY_CONTEXT, group['id'], group)
group['domain_id'] = domain2['id']
self.identity_api.update_group(group['id'], group)
@@ -1923,13 +1956,13 @@ class IdentityTests(object):
group1 = {'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'domain_id': domain1['id']}
- self.identity_man.create_group({}, group1['id'], group1)
+ self.identity_man.create_group(EMPTY_CONTEXT, group1['id'], group1)
# Now create a group in domain2 with a potentially clashing
# name - which should work since we have domain separation
group2 = {'id': uuid.uuid4().hex,
'name': group1['name'],
'domain_id': domain2['id']}
- self.identity_man.create_group({}, group2['id'], group2)
+ self.identity_man.create_group(EMPTY_CONTEXT, group2['id'], group2)
# Now try and move group1 into the 2nd domain - which should
# fail since the names clash
group1['domain_id'] = domain2['id']
@@ -1944,7 +1977,7 @@ class IdentityTests(object):
self.identity_api.create_domain(domain['id'], domain)
project = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'domain_id': domain['id']}
- self.identity_man.create_project({}, project['id'], project)
+ self.identity_man.create_project(EMPTY_CONTEXT, project['id'], project)
project_ref = self.identity_api.get_project(project['id'])
self.assertDictContainsSubset(project, project_ref)
@@ -2003,7 +2036,7 @@ class IdentityTests(object):
user1 = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex, 'domain_id': domain['id'],
'enabled': True}
- self.identity_man.create_user({}, user1['id'], user1)
+ self.identity_man.create_user(EMPTY_CONTEXT, user1['id'], user1)
user_projects = self.identity_api.list_user_projects(user1['id'])
self.assertEquals(len(user_projects), 0)
self.identity_api.create_grant(user_id=user1['id'],
@@ -2371,9 +2404,11 @@ class CatalogTests(object):
# delete
self.catalog_api.delete_service(service_id)
self.assertRaises(exception.ServiceNotFound,
- self.catalog_man.delete_service, {}, service_id)
+ self.catalog_man.delete_service,
+ EMPTY_CONTEXT, service_id)
self.assertRaises(exception.ServiceNotFound,
- self.catalog_man.get_service, {}, service_id)
+ self.catalog_man.get_service,
+ EMPTY_CONTEXT, service_id)
def test_delete_service_with_endpoint(self):
# create a service
@@ -2398,20 +2433,22 @@ class CatalogTests(object):
# deleting the service should also delete the endpoint
self.catalog_api.delete_service(service['id'])
self.assertRaises(exception.EndpointNotFound,
- self.catalog_man.get_endpoint, {}, endpoint['id'])
+ self.catalog_man.get_endpoint,
+ EMPTY_CONTEXT, endpoint['id'])
self.assertRaises(exception.EndpointNotFound,
- self.catalog_man.delete_endpoint, {}, endpoint['id'])
+ self.catalog_man.delete_endpoint,
+ EMPTY_CONTEXT, endpoint['id'])
def test_get_service_404(self):
self.assertRaises(exception.ServiceNotFound,
self.catalog_man.get_service,
- {},
+ EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_delete_service_404(self):
self.assertRaises(exception.ServiceNotFound,
self.catalog_man.delete_service,
- {},
+ EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_create_endpoint_404(self):
@@ -2421,20 +2458,20 @@ class CatalogTests(object):
}
self.assertRaises(exception.ServiceNotFound,
self.catalog_man.create_endpoint,
- {},
+ EMPTY_CONTEXT,
endpoint['id'],
endpoint)
def test_get_endpoint_404(self):
self.assertRaises(exception.EndpointNotFound,
self.catalog_man.get_endpoint,
- {},
+ EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_delete_endpoint_404(self):
self.assertRaises(exception.EndpointNotFound,
self.catalog_man.delete_endpoint,
- {},
+ EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_create_endpoint(self):
@@ -2501,7 +2538,7 @@ class PolicyTests(object):
# (cannot change policy ID)
self.assertRaises(exception.ValidationError,
self.policy_man.update_policy,
- {},
+ EMPTY_CONTEXT,
orig['id'],
ref)
@@ -2515,27 +2552,29 @@ class PolicyTests(object):
self.policy_api.delete_policy(ref['id'])
self.assertRaises(exception.PolicyNotFound,
- self.policy_man.delete_policy, {}, ref['id'])
+ self.policy_man.delete_policy,
+ EMPTY_CONTEXT, ref['id'])
self.assertRaises(exception.PolicyNotFound,
- self.policy_man.get_policy, {}, ref['id'])
+ self.policy_man.get_policy,
+ EMPTY_CONTEXT, ref['id'])
res = self.policy_api.list_policies()
self.assertFalse(len([x for x in res if x['id'] == ref['id']]))
def test_get_policy_404(self):
self.assertRaises(exception.PolicyNotFound,
self.policy_man.get_policy,
- {},
+ EMPTY_CONTEXT,
uuid.uuid4().hex)
def test_update_policy_404(self):
self.assertRaises(exception.PolicyNotFound,
self.policy_man.update_policy,
- {},
+ EMPTY_CONTEXT,
uuid.uuid4().hex,
- {})
+ EMPTY_CONTEXT)
def test_delete_policy_404(self):
self.assertRaises(exception.PolicyNotFound,
self.policy_man.delete_policy,
- {},
+ EMPTY_CONTEXT,
uuid.uuid4().hex)
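Review bot: In `test_update_policy_404` the last argument to `update_policy` is the policy reference, not a request context, so replacing it with `EMPTY_CONTEXT` looks like an over-eager search-and-replace. `EMPTY_CONTEXT` is a single module-level dict, so if the manager or driver changed the ref in place, that change would leak into every other test that passes the constant. I would keep the literal in the payload position: `uuid.uuid4().hex,` followed by `{})`. The other replacements in this hunk are in the context position and read fine.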
diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py
index 61214002..5845dda7 100644
--- a/tests/test_backend_ldap.py
+++ b/tests/test_backend_ldap.py
@@ -624,7 +624,8 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity):
self.identity_man.create_user({}, user['id'], user)
self.identity_api.add_user_to_project(self.tenant_baz['id'],
user['id'])
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
+ user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
+ {},
user_id=user['id'],
tenant_id=self.tenant_baz['id'],
password=user['password'])
diff --git a/tests/test_content_types.py b/tests/test_content_types.py
index e5bdc56a..d4cc1d81 100644
--- a/tests/test_content_types.py
+++ b/tests/test_content_types.py
@@ -214,23 +214,35 @@ class RestfulTestCase(test.TestCase):
def admin_request(self, **kwargs):
return self._request(app=self.admin_app, **kwargs)
+ def _get_token(self, body):
+ """Convenience method so that we can test authenticated requests."""
+ r = self.public_request(method='POST', path='/v2.0/tokens', body=body)
+ return self._get_token_id(r)
+
+ def get_unscoped_token(self):
+ """Convenience method so that we can test authenticated requests."""
+ return self._get_token({
+ 'auth': {
+ 'passwordCredentials': {
+ 'username': self.user_foo['name'],
+ 'password': self.user_foo['password'],
+ },
+ },
+ })
+
def get_scoped_token(self, tenant_id=None):
"""Convenience method so that we can test authenticated requests."""
if not tenant_id:
tenant_id = self.tenant_bar['id']
- r = self.public_request(
- method='POST',
- path='/v2.0/tokens',
- body={
- 'auth': {
- 'passwordCredentials': {
- 'username': self.user_foo['name'],
- 'password': self.user_foo['password'],
- },
- 'tenantId': tenant_id,
+ return self._get_token({
+ 'auth': {
+ 'passwordCredentials': {
+ 'username': self.user_foo['name'],
+ 'password': self.user_foo['password'],
},
- })
- return self._get_token_id(r)
+ 'tenantId': tenant_id,
+ },
+ })
def _get_token_id(self, r):
"""Helper method to return a token ID from a response.
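Review bot: The new `_get_token` and `get_unscoped_token` helpers carry the same docstring as `get_scoped_token`, so the text does not say how the three differ. For `_get_token` I would write `"""POST ``body`` to /v2.0/tokens and return the token ID from the response."""`. For `get_unscoped_token` I would write `"""Return a token ID for user_foo obtained without a tenantId (unscoped)."""`. Naming the scope matters because tests that pick the wrong helper exercise a different authorization path. `_get_token_id` continues past the end of this hunk.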
diff --git a/tests/test_import_legacy.py b/tests/test_import_legacy.py
index 0c37e808..50bf22f9 100644
--- a/tests/test_import_legacy.py
+++ b/tests/test_import_legacy.py
@@ -25,6 +25,7 @@ from keystone.catalog.backends import templated as catalog_templated
from keystone.common.sql import legacy
from keystone.common.sql import util as sql_util
from keystone import config
+from keystone import identity
from keystone.identity.backends import sql as identity_sql
from keystone import test
@@ -40,6 +41,7 @@ class ImportLegacy(test.TestCase):
test.testsdir('backend_sql.conf'),
test.testsdir('backend_sql_disk.conf')])
sql_util.setup_test_database()
+ self.identity_man = identity.Manager()
self.identity_api = identity_sql.Identity()
def tearDown(self):
@@ -70,8 +72,8 @@ class ImportLegacy(test.TestCase):
self.assertEquals(user_ref['enabled'], True)
# check password hashing
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
- user_id=admin_id, password='secrete')
+ user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
+ {}, user_id=admin_id, password='secrete')
# check catalog
self._check_catalog(migration)
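Review bot: The "check password hashing" step discards the tuple returned by `authenticate`, so the test only proves that the call does not raise. The same applies to the two later hunks in this file (`@@ -87,8 +89,8` and `@@ -104,8 +106,8`). An assertion that ties the result to the imported account would make the check explicit, for example `self.assertEquals(user_ref['id'], admin_id)`, assuming the returned user ref carries `id` as the refs elsewhere in these tests do. The context is also passed as a bare `{}`, and a named constant would say what the first positional argument is. The enclosing test methods begin outside these hunks.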
@@ -87,8 +89,8 @@ class ImportLegacy(test.TestCase):
self.assertEquals(user_ref['enabled'], True)
# check password hashing
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
- user_id=admin_id, password='secrete')
+ user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
+ {}, user_id=admin_id, password='secrete')
# check catalog
self._check_catalog(migration)
@@ -104,8 +106,8 @@ class ImportLegacy(test.TestCase):
self.assertEquals(user_ref['enabled'], True)
# check password hashing
- user_ref, tenant_ref, metadata_ref = self.identity_api.authenticate(
- user_id=admin_id, password='secrete')
+ user_ref, tenant_ref, metadata_ref = self.identity_man.authenticate(
+ {}, user_id=admin_id, password='secrete')
# check catalog
self._check_catalog(migration)
diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py
index 49e3bfc9..bd538700 100644
--- a/tests/test_keystoneclient.py
+++ b/tests/test_keystoneclient.py
@@ -482,6 +482,19 @@ class KeystoneClientTests(object):
tenant_id='bar')
self.assertEquals(user2.name, test_username)
+ def test_update_default_tenant_to_existing_value(self):
+ client = self.get_client(admin=True)
+
+ user = client.users.create(
+ name=uuid.uuid4().hex,
+ password=uuid.uuid4().hex,
+ email=uuid.uuid4().hex,
+ tenant_id=self.tenant_bar['id'])
+
+ # attempting to update the tenant with the existing value should work
+ user = client.users.update_tenant(
+ user=user, tenant=self.tenant_bar['id'])
+
def test_user_create_no_name(self):
from keystoneclient import exceptions as client_exceptions
client = self.get_client(admin=True)
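Review bot: `test_update_default_tenant_to_existing_value` has no assertion and no docstring, and the `user` returned by `update_tenant` is assigned but never read. As written it passes whenever the call does not raise, which is presumably the intent but is not stated. I would add a docstring such as `"""Updating a user's default tenant to its current value must not raise."""`. I would also either drop the unused assignment or assert that the returned user is still associated with `self.tenant_bar['id']`.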
diff --git a/tests/test_migrate_nova_auth.py b/tests/test_migrate_nova_auth.py
index 4e3e37b8..a4ad0fb4 100644
--- a/tests/test_migrate_nova_auth.py
+++ b/tests/test_migrate_nova_auth.py
@@ -20,6 +20,7 @@ from keystone.common.sql import nova
from keystone.common.sql import util as sql_util
from keystone import config
from keystone.contrib.ec2.backends import sql as ec2_sql
+from keystone import identity
from keystone.identity.backends import sql as identity_sql
from keystone import test
@@ -74,6 +75,7 @@ class MigrateNovaAuth(test.TestCase):
test.testsdir('backend_sql.conf'),
test.testsdir('backend_sql_disk.conf')])
sql_util.setup_test_database()
+ self.identity_man = identity.Manager()
self.identity_api = identity_sql.Identity()
self.ec2_api = ec2_sql.Ec2()
@@ -118,7 +120,8 @@ class MigrateNovaAuth(test.TestCase):
for _user in FIXTURE['users']:
if _user['id'] == old_user:
password = _user['password']
- self.identity_api.authenticate(user['id'], tenant_id, password)
+ self.identity_man.authenticate({}, user['id'],
+ tenant_id, password)
for ec2_cred in FIXTURE['ec2_credentials']:
user_id = users[ec2_cred['user_id']]['id']
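Review bot: The new `authenticate` call passes the user id, tenant id and password positionally after the context, while every other call site in this change uses keywords. With a leading context argument now in the signature, positional credentials are easy to shift by one without the test noticing, since the result is not checked here. I would write it as `self.identity_man.authenticate({}, user_id=user['id'],` followed by `tenant_id=tenant_id, password=password)`. The enclosing method starts outside this hunk.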
diff --git a/tests/test_v3_auth.py b/tests/test_v3_auth.py
index c9d1edfb..a2bee8b8 100644
--- a/tests/test_v3_auth.py
+++ b/tests/test_v3_auth.py
@@ -490,6 +490,48 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
group_id=self.group1['id'],
project_id=self.projectA['id'])
+ def test_unscoped_token_remains_valid_after_role_assignment(self):
+ r = self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ user_id=self.user1['id'],
+ password=self.user1['password']))
+ unscoped_token = r.headers.get('X-Subject-Token')
+
+ r = self.post(
+ '/auth/tokens',
+ body=self.build_authentication_request(
+ token=unscoped_token,
+ project_id=self.projectA['id']))
+ scoped_token = r.headers.get('X-Subject-Token')
+
+ # confirm both tokens are valid
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': unscoped_token},
+ expected_status=204)
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': scoped_token},
+ expected_status=204)
+
+ # create a new role
+ role = self.new_role_ref()
+ self.identity_api.create_role(role['id'], role)
+
+ # assign a new role
+ self.put(
+ '/projects/%(project_id)s/users/%(user_id)s/roles/%(role_id)s' % {
+ 'project_id': self.projectA['id'],
+ 'user_id': self.user1['id'],
+ 'role_id': role['id']})
+
+ # both tokens should remain valid
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': unscoped_token},
+ expected_status=204)
+ self.head('/auth/tokens',
+ headers={'X-Subject-Token': scoped_token},
+ expected_status=204)
+
def test_deleting_user_grant_revokes_token(self):
"""Test deleting a user grant revokes token.
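Review bot: `test_unscoped_token_remains_valid_after_role_assignment` has no docstring, although the neighbouring revocation tests each carry a "Test Plan" and this one pins a security-relevant decision. I would add a docstring in the same format listing the steps (get an unscoped token, exchange it for a token scoped to ProjectA, assign a new role, check that both still validate). It should also state the assumption that appears to justify the behaviour: granting a role only widens access, so tokens issued earlier need not be revoked. The test checks only that the old tokens still return 204. It does not check that the role assignment `put` took effect, so a check that a freshly issued scoped token includes the new role would guard against the test passing on a silently failed grant.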
@@ -521,13 +563,13 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
headers={'X-Subject-Token': token},
expected_status=401)
- def test_creating_user_grant_revokes_token(self):
- """Test creating a user grant revokes token.
+ def test_domain_user_role_assignment_maintains_token(self):
+ """Test user-domain role assignment maintains existing token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Create a grant for user1 on DomainB
- - Check token is no longer valid
+ - Check token is still valid
"""
auth_data = self.build_authentication_request(
@@ -540,7 +582,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
self.head('/auth/tokens',
headers={'X-Subject-Token': token},
expected_status=204)
- # Delete the grant, which should invalidate the token
+ # Assign a role, which should not affect the token
grant_url = (
'/domains/%(domain_id)s/users/%(user_id)s/'
'roles/%(role_id)s' % {
@@ -550,7 +592,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
self.put(grant_url)
self.head('/auth/tokens',
headers={'X-Subject-Token': token},
- expected_status=401)
+ expected_status=204)
def test_deleting_group_grant_revokes_tokens(self):
"""Test deleting a group grant revokes tokens.
@@ -613,13 +655,13 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
headers={'X-Subject-Token': token3},
expected_status=204)
- def test_creating_group_grant_revokes_token(self):
- """Test creating a group grant revokes token.
+ def test_domain_group_role_assignment_maintains_token(self):
+ """Test domain-group role assignment maintains existing token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Create a grant for group1 on DomainB
- - Check token is no longer valid
+ - Check token is still longer valid
"""
auth_data = self.build_authentication_request(
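Review bot: The rewritten test plan line `- Check token is still longer valid` is garbled from the old wording and reads as neither outcome. It should be `- Check token is still valid`, matching the user-grant test changed earlier in this file. The two renamed tests also describe the assignment in different orders ("user-domain" in one docstring and "domain-group" in the other), so one form should be used for both. The body of the test continues outside this hunk.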
@@ -642,7 +684,7 @@ class TestTokenRevoking(test_v3.RestfulTestCase):
self.put(grant_url)
self.head('/auth/tokens',
headers={'X-Subject-Token': token},
- expected_status=401)
+ expected_status=204)
def test_group_membership_changes_revokes_token(self):
"""Test add/removal to/from group revokes token.