| Commit message (Collapse) | Author | Age | Files | Lines |
|
Similar to a range of other components (e.g. glance, nova, ...) and recent
reviews by Monty.
Running individual tests can be done like this:
./run_tests.sh keystone.tests.test_drivers
Change-Id: I2482a48322150e5eb09b703326a94d8283f1c75b
|
With 19081b834991d263d84c761dcf422a8c9faf40a1, the token_provider
is created in load_backends() so it doesn't have to be created by
the tests.
This makes the tests using token_provider_api consistent with how
other backends are used in the tests.
This change only affects unit tests.
Change-Id: I9c05c7876bd14fb28e77fe1e49dd509a2a1cb788
|
The backends should be loaded before the app is deployed for
the client tests, otherwise the wrong backends may be loaded
when the app is deployed.
Part of fix for bug 1204605
Change-Id: I70680c3daea3a863bcbde07b1ee7e062cd150e51
|
Replaced `raise nose.exc.SkipTest()` statement with self.skipTest().
Removed unused nose.exc imports.
Fixes bug 1172794
Change-Id: Ieb353864acadef43508d185156c7fa1667baa845
|
When you load an old version of keystoneclient doing legacy tests and
then start the test app the ec2 work that depends on keystoneclient sees
the recently loaded legacy one which doesn't have the required modules
in it.
If we load the app first the ec2 modules are resolved and find the
original keystone client. The ec2 module then uses
'from keystoneclient.contrib.ec2 import utils as ec2_utils' so the
ec2_utils reference is kept in the file scope so isn't affected by the
tests changing keystoneclient.
It is not a long term fix for bug 1178532 but it solves the immediate
symptoms when running client tests independently.
Change-Id: I7267ca0d4740f037884fae95f8a6562ee86584b9
|
This patch implemented V2 token provider.
Abstract token provider backend to make token provider pluggable. It enables
deployers to customize token management to add their own capabilities.
Token provider is responsible for issuing, checking, validating, and
revoking tokens. Note the distinction between token 'driver' and 'provider'.
Token 'driver' simply provides token CRUD. It does not issue or interpret
tokens.
Token provider is specified by the 'provider' property in the '[token]'
section of the Keystone configuration file.
Change-Id: Ic418ec433bd9e3f2f70fa31c90e570e32c1ca687
|
Currently there is a mixture of strategies in the v2 and v3 controllers
for how to get the roles assigned for the scope of the requested
authentication. This duplicates code, is hard to maintain and in at
least one case (where your only roles on a project are due to a group
membership) is not actually correct (for v2 tokens).
This change does the following:
- Standardizes on using the 'get_roles_for_user_and_project()', and its
domain equivalent, for how roles are obtained to build a token. This
was already the case for v3 tokens. The controllers no longer need
to get metadata and extract the roles.
- Removes the driver level function to 'authorize_for_project' - this is
now handled within the controller. The driver simply supports the user
authentication.
A nice (and planned for) side effect of the above is that we now hide
the schema of how we store roles within the driver layer - i.e.
nothing outside of the driver (other than any specific-to-implementation
tests) has to know about how roles are stored in the metadata. This paves
the way for a re-implementation of the grant tables in IceHouse.
This change also fills in missing function definitions in the assignment
driver.
Implements bp authenticate-role-rationalization
Change-Id: I75fc7f5f728649d40ab1c696b33bbcd88ea6edee
|
The environment module will be configured once, during code initialization.
Subsequently all other possibly-evented modules will retrieve from
environment and transparently obtain either the eventlet or standard
library modules.
If eventlet, httplib, subprocess or other environment dependent module
is referenced outside of the environment module it should be considered
a bug.
The changes to tests are required to ensure that test is imported first
to set up the environment. Hopefully these can all be replaced with an
__init__.py in a post-nose keystone.
Implements: blueprint extract-eventlet
Change-Id: Icacd6f2ee0906ac5d303777c1f87a184f38283bf
|
Change-Id: I10581a39325b4fcdb997ad704c3ee0de494b32e0
|
- docstring should not start with a space (flake8 H401)
- one line docstring needs punctuation (flake8 H402)
- multi line docstring end on new line (flake8 H403)
- multi line docstring should start with a summary (flake8 H404)
Change-Id: I69b414395930bda739aa01b785ac619fa8bb7d9b
|
Change-Id: I0f6c5fc27b0bb2da553e9345a8ac4949ce46e685
|
Change-Id: Ic47bdd61d9818f203a88ae16f97c2b61b1c1bd8c
|
Change-Id: Ieeb2246579ddc0608092eed5239258d2b4dbf42b
|
Change-Id: Ief6534ee25a83027979d92c9ce3a92e0ea28c07c
|
we use timeutils.utcnow so that we have an overridable clock just like
in the big leagues, making tests literally sleep just slows us down
Change-Id: I8522aef1fab39a3370448bce779ca69d8f5e07b5
|
This reverts commit d8599dcda06514a9687af3f714e55ff7580af9db.
Change-Id: Iddb881070a91b9761a567a7d3b6d906e228af9f6
|
Makes the resolution of local imports work
when running individual tests.
Bug 1152326
Change-Id: I72f54bdbb60a6d7acf32bdbdc02d7bce69add84e
|
Also implemented the following:
blueprint pluggable-identity-authentication-handlers
blueprint stop-ids-in-uris
blueprint multi-factor-authn (just the plumbing)
What's missing?
* domain scoping (will be implemented by Henry?)
Change-Id: I191c0b2cb3367b2a5f8a2dc674c284bb13ea97e3
|
Changes the relationship between users and projects.
There is no more direct membership in projects. Instead,
all membership is now done via roles.
A default role has been created called _member_ with a uuid (both
configurable) that will be added in place of the group membership
for database upgrades.
DocImpact: https://bugs.launchpad.net/openstack-manuals/+bug/1087483
Change-Id: I2482f9ef7b838e5dade5096d6d00e81db71604d1
|
git ls-files | misspellings -f -
Source: https://github.com/lyda/misspell-check
Change-Id: Icbd2412aa65bc8135e5dcd83ee69e94f5a42f7a2
|
These changes lay the groundwork for the implementation of
domain-scoping, but are benign in that they don't change the token.
They include making domain_id a first-class attribute in the user
and project entity (i.e. move it out of the 'extra' attribute),
filling in domain grant and project support for the kvs backend and
fixing a series of issues in the migration to make it work for both
MySQL, Postgresql and sqlite.
A further, separate, commit will actually provide the code to
update the actual tokens once the v3 token support has been added.
blueprint domain-scoping
blueprint default-domain
Change-Id: I55ab7947a6a1efbab003bd234856bd3805bb4a63
|
Taking advantage of this middleware either requires enabling
verbose/debug or utilizing an external logging.conf which configures an
'access' logger.
Example output:
127.0.0.1 - - [2013-01-29T17:15:02.752214] "GET http://localhost:5000/v3/projects HTTP/1.0" 200 16
This patch also revises etc/logging.conf.sample with some more practical
defaults (e.g. supporting externally-managed log rotations) in addition
to illustrating how to generate an 'access.log' file.
DocImpact
Change-Id: I2a6048fa5fbf8661a6859d9e3a259d4cfa5fc589
|
Change-Id: I1f6fdf304ca3ff0b6e0e05a71fd944189105c5b6
|
Change-Id: I5a527e0f5010171a202de5894d124d213d22a073
|
- v3 catalog tests (bug 1023933)
- v3 catalog implementation (bug 1023938)
Change-Id: Ie118819d25afbff62327ffc8be5b5fda2ef7f4ed
|
- v3 policy (bp rbac-keystone-api)
- v3 policy tests (bug 1023935)
- v3 policy implementation (bug 1023939)
Change-Id: I163fbb67726c295fe9ed09b68cd18d2273345d29
|
Change-Id: I29710f749c67cf83ccad12deee54fe6b71dd53b8
|
Fixtures are created before every test, so each fixture adds a
considerable amount of overhead to the overall test suite.
This patch attempts to eliminate fixtures utilized by only a few tests
in favor of re-cycling as many fixtures as possible. As a result, a few
tests are refactored to depend on different fixtures.
Change-Id: Idd4dcef5e38e304d19110c61886887fb64b4d658
|
Change-Id: I45a1167a473df02a4461286b8a09723315018fcb
|
There is a rounding problem that occurs periodically. Token expiration
does not need to be confirmed to this level of granularity.
Bug 1045962
Change-Id: I361c5cf309c47b142c35c4359234fd0e44005e5a
|
Removed unnecessary backslash continuations
Added backslash continuation rules to HACKING.rst
Change-Id: Id91da5b7e9be4d4587dded95fe7a0415240213ec
|
Delete user tokens when a new role is granted or revoked, in order to
prevent old tokens from continuing to be valid for the original set of
roles for the remainder of the token's lifespan.
Addresses CVE-2012-4413.
Fixes bug 1041396.
Change-Id: Iecf891f274b67408f568b949a7028362c4c30312
|
If the client attempts to explicitly authenticate against a disabled
tenant, keystone should return HTTP 401 Unauthorized.
Change-Id: I49fe56b6ef8d9f2fc6b9357472dae8964bb9cb9c
|
adding a test for version 0.1.1 with the new tagging scheme (released
with/just post Essex)
Change-Id: Ic6900717c616feee0bce8253fae1e51ac837b811
|
Fixes bug 996922
This commit adds a user_crud module that can be used in the public wsgi
pipeline, currently the only operation included allows a user to update
their own password.
In order to change their password a user should make an HTTP PATCH to
/v2.0/OS-KSCRUD/users/<userid>
with the json data formatted like this
{"user": {"password": "DCBA", "original_password": "ABCD"}}
In addition to changing the user's password, all current tokens
will be cleared (for token backends that support listing) and
a new token id will be returned.
Change-Id: I0cbdafbb29a5b6531ad192f240efb9379f0efd2d
|
Fixes bug 1022575
Making change to tests/*py to pass pep8 tests.
pep8 tests started failing following
39b20acc933cb0fdf73075ddb9a9d82665b84b23 update pep8 to 1.3.3
04df79b64e5f2296df03579700535774e158f623 include tests dir in pep8 tests
Change-Id: I2d7dec0a87f1ae9b5f828d7f321b65bf8c06a421
|
The goal is to move the responsibility of reference checks away from
controllers and into the underlying managers & drivers, which can
handle the task with equal or greater efficiency.
- Tenant references from create_user/update_user are NOT tested
due to inconsistencies between backends
- Additional test coverage improvements
Also fixes bug 999209, bug 999608, bug 1006029, bug 1006055, bug 1006287,
bug 1006334, and bug 1006344.
Change-Id: I7de592e7dd4518038436b9a9fdaab559b00a0537
|
Fixes bug #998185
This commit causes the token expiry time to be maintained when
one token is being created from another
Change-Id: I7b61692a60d9227423b93c267864a5abe939ca33
|
Fixes Bug 997194
Delete valid tokens for a user when they have been disabled
Moved logic to delete tokens into update_user, as this can be called
directly from the REST API.
Also checks if a user is enabled when creating a token from another
token, this helps in cases where the backend didn't support listing of
tokens (and as a result weren't deleted)
Change-Id: Ib5ed73a7873bfa66ef31bf6d0f0322f50e677688
|
Fixes LP Bug #997725
Change-Id: I2759d21bed3c0e42642de96184844e1b9e795bb6
|
Fixes bug 996595
This commit will cause all valid tokens to be deleted for a user
whose password is changed (implemented for the sql and kvs backends)
Change-Id: I6ad7da8957b7041983a3fc91d9ba9368667d06ac
|
endpoint-create
endpoint-delete
Change-Id: I70ae14ca385a0ed2d3438b8dc2f7ba93b91f400b
|
user-role-add
user-role-remove
Change-Id: I1b3cd019d0d110b01ed175822cdd6c9ddb486412
|
ec2-credential-create
ec2-credential-delete
ec2-credential-get
ec2-credential-list
Change-Id: If8bfb77017f55c24738baf18b937c78b179831e5
|
service-delete
service-get
Change-Id: Ifecf4c74abf408b009a783a9d7be0e98219e0fe4
|
user-create
user-get
user-list
user-update
user-update-password
user-delete
Change-Id: I7762aaaae9817ea7426039e4700e16b59e18cba1
|