Diffstat (limited to 'keystone-moon/keystone/tests/unit/test_v2.py')
-rw-r--r-- | keystone-moon/keystone/tests/unit/test_v2.py | 150 |
1 files changed, 98 insertions, 52 deletions
diff --git a/keystone-moon/keystone/tests/unit/test_v2.py b/keystone-moon/keystone/tests/unit/test_v2.py index acdfca5f..e81c6040 100644 --- a/keystone-moon/keystone/tests/unit/test_v2.py +++ b/keystone-moon/keystone/tests/unit/test_v2.py @@ -23,9 +23,11 @@ from six.moves import http_client from testtools import matchers from keystone.common import extension as keystone_extension +from keystone.tests import unit +from keystone.tests.unit import default_fixtures from keystone.tests.unit import ksfixtures from keystone.tests.unit import rest - +from keystone.tests.unit.schema import v2 CONF = cfg.CONF @@ -106,11 +108,11 @@ class CoreApiTests(object): self.assertValidExtensionListResponse( r, keystone_extension.ADMIN_EXTENSIONS) - def test_admin_extensions_404(self): + def test_admin_extensions_returns_not_found(self): self.admin_request(path='/v2.0/extensions/invalid-extension', expected_status=http_client.NOT_FOUND) - def test_public_osksadm_extension_404(self): + def test_public_osksadm_extension_returns_not_found(self): self.public_request(path='/v2.0/extensions/OS-KSADM', expected_status=http_client.NOT_FOUND) @@ -132,7 +134,7 @@ class CoreApiTests(object): 'tenantId': self.tenant_bar['id'], }, }, - expected_status=200) + expected_status=http_client.OK) self.assertValidAuthenticationResponse(r, require_service_catalog=True) def test_authenticate_unscoped(self): @@ -147,7 +149,7 @@ class CoreApiTests(object): }, }, }, - expected_status=200) + expected_status=http_client.OK) self.assertValidAuthenticationResponse(r) def test_get_tenants_for_token(self): @@ -164,7 +166,7 @@ class CoreApiTests(object): token=token) self.assertValidAuthenticationResponse(r) - def test_invalid_token_404(self): + def test_invalid_token_returns_not_found(self): token = self.get_scoped_token() self.admin_request( path='/v2.0/tokens/%(token_id)s' % { 
@@ -179,7 +181,8 @@ class CoreApiTests(object): self.tenant_service['id'], self.role_service['id']) - token = self.get_scoped_token(tenant_id='service') + token = self.get_scoped_token( + tenant_id=default_fixtures.SERVICE_TENANT_ID) r = self.admin_request( path='/v2.0/tokens/%s' % token, token=token) @@ -191,7 +194,8 @@ class CoreApiTests(object): self.tenant_service['id'], self.role_service['id']) - token = self.get_scoped_token(tenant_id='service') + token = self.get_scoped_token( + tenant_id=default_fixtures.SERVICE_TENANT_ID) r = self.admin_request( path='/v2.0/tokens/%s' % token, token=token) @@ -234,7 +238,7 @@ class CoreApiTests(object): 'token_id': token, }, token=token, - expected_status=200) + expected_status=http_client.OK) def test_endpoints(self): token = self.get_scoped_token() @@ -273,6 +277,14 @@ class CoreApiTests(object): token=token) self.assertValidRoleListResponse(r) + def test_get_user_roles_without_tenant(self): + token = self.get_scoped_token() + self.admin_request( + path='/v2.0/users/%(user_id)s/roles' % { + 'user_id': self.user_foo['id'], + }, + token=token, expected_status=http_client.NOT_IMPLEMENTED) + def test_get_user(self): token = self.get_scoped_token() r = self.admin_request( @@ -370,7 +382,7 @@ class CoreApiTests(object): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) def test_error_response(self): """This triggers assertValidErrorResponse by convention.""" @@ -459,7 +471,7 @@ class CoreApiTests(object): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) user_id = self._get_user_id(r.result) @@ -470,7 +482,7 @@ class CoreApiTests(object): 'user_id': user_id }, token=token, - expected_status=200) + expected_status=http_client.OK) self.assertEqual(CONF.member_role_name, self._get_role_name(r.result)) # Create a new tenant 
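Review bot: The new `test_get_user_roles_without_tenant` asserts only `http_client.NOT_IMPLEMENTED` and has no docstring, so a reader cannot tell whether the 501 is the intended v2 contract or a placeholder for behaviour that is simply missing. A one-line docstring would settle it, for example `"""Listing a user's roles without a tenant in the path returns 501 Not Implemented."""`. The request is sent with a scoped token for an existing user, so it is worth stating in the same docstring whether the 501 is expected independent of the caller's roles, if that is the case.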
@@ -485,7 +497,7 @@ class CoreApiTests(object): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) project_id = self._get_project_id(r.result) @@ -501,7 +513,7 @@ class CoreApiTests(object): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) # 'member_role' should be in new_tenant r = self.admin_request( @@ -510,7 +522,7 @@ class CoreApiTests(object): 'user_id': user_id }, token=token, - expected_status=200) + expected_status=http_client.OK) self.assertEqual('_member_', self._get_role_name(r.result)) # 'member_role' should not be in tenant_bar any more @@ -520,7 +532,7 @@ class CoreApiTests(object): 'user_id': user_id }, token=token, - expected_status=200) + expected_status=http_client.OK) self.assertNoRoles(r.result) def test_update_user_with_invalid_tenant(self): @@ -539,7 +551,7 @@ class CoreApiTests(object): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) user_id = self._get_user_id(r.result) # Update user with an invalid tenant @@ -571,7 +583,7 @@ class CoreApiTests(object): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) user_id = self._get_user_id(r.result) # Update user with an invalid tenant @@ -604,7 +616,7 @@ class CoreApiTests(object): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) user_id = self._get_user_id(r.result) @@ -615,7 +627,7 @@ class CoreApiTests(object): 'user_id': user_id }, token=token, - expected_status=200) + expected_status=http_client.OK) self.assertEqual(CONF.member_role_name, self._get_role_name(r.result)) # Update user's tenant with old tenant id @@ -630,7 +642,7 @@ class CoreApiTests(object): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) # 'member_role' should still be in tenant_bar r = self.admin_request( 
@@ -639,7 +651,7 @@ class CoreApiTests(object): 'user_id': user_id }, token=token, - expected_status=200) + expected_status=http_client.OK) self.assertEqual('_member_', self._get_role_name(r.result)) def test_authenticating_a_user_with_no_password(self): @@ -721,7 +733,7 @@ class LegacyV2UsernameTests(object): path='/v2.0/users', token=token, body=body, - expected_status=200) + expected_status=http_client.OK) def test_create_with_extra_username(self): """The response for creating a user will contain the extra fields.""" @@ -772,7 +784,7 @@ class LegacyV2UsernameTests(object): 'enabled': enabled, }, }, - expected_status=200) + expected_status=http_client.OK) self.assertValidUserResponse(r) @@ -802,7 +814,7 @@ class LegacyV2UsernameTests(object): 'enabled': enabled, }, }, - expected_status=200) + expected_status=http_client.OK) self.assertValidUserResponse(r) @@ -881,7 +893,7 @@ class LegacyV2UsernameTests(object): 'enabled': enabled, }, }, - expected_status=200) + expected_status=http_client.OK) self.assertValidUserResponse(r) @@ -911,7 +923,7 @@ class LegacyV2UsernameTests(object): 'enabled': enabled, }, }, - expected_status=200) + expected_status=http_client.OK) self.assertValidUserResponse(r) @@ -931,7 +943,7 @@ class LegacyV2UsernameTests(object): 'enabled': True, }, }, - expected_status=200) + expected_status=http_client.OK) self.assertValidUserResponse(r) @@ -956,7 +968,7 @@ class LegacyV2UsernameTests(object): 'enabled': enabled, }, }, - expected_status=200) + expected_status=http_client.OK) self.assertValidUserResponse(r) @@ -979,6 +991,14 @@ class RestfulTestCase(rest.RestfulTestCase): class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): + + def config_overrides(self): + super(V2TestCase, self).config_overrides() + self.config_fixture.config( + group='catalog', + driver='templated', + template_file=unit.dirs.tests('default_catalog.templates')) + def _get_user_id(self, r): return r['user']['id'] 
@@ -1200,7 +1220,7 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): method='GET', path='/v2.0/tokens/revoked', token=token, - expected_status=200) + expected_status=http_client.OK) self.assertValidRevocationListResponse(r) def assertValidRevocationListResponse(self, response): @@ -1231,7 +1251,7 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): method='GET', path='/v2.0/tokens/revoked', token=token1, - expected_status=200) + expected_status=http_client.OK) signed_text = r.result['signed'] data_json = cms.cms_verify(signed_text, CONF.signing.certfile, @@ -1242,10 +1262,11 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): return (data, token2) def test_fetch_revocation_list_md5(self): - """If the server is configured for md5, then the revocation list has - tokens hashed with MD5. - """ + """Hash for tokens in revocation list and server config should match. + If the server is configured for md5, then the revocation list has + tokens hashed with MD5. + """ # The default hash algorithm is md5. hash_algorithm = 'md5' @@ -1254,10 +1275,11 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): self.assertThat(token_hash, matchers.Equals(data['revoked'][0]['id'])) def test_fetch_revocation_list_sha256(self): - """If the server is configured for sha256, then the revocation list has - tokens hashed with SHA256 - """ + """Hash for tokens in revocation list and server config should match. + If the server is configured for sha256, then the revocation list has + tokens hashed with SHA256. + """ hash_algorithm = 'sha256' self.config_fixture.config(group='token', hash_algorithm=hash_algorithm) @@ -1333,7 +1355,7 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): }, }, }, - expected_status=200) + expected_status=http_client.OK) # ensure password doesn't leak user_id = r.result['user']['id'] 
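Review bot: In `test_fetch_revocation_list_md5` the reworded docstring still says "if the server is configured for md5", but the visible body only assigns a local `hash_algorithm = 'md5'` under the comment `# The default hash algorithm is md5.`. Unlike the sha256 test, no `self.config_fixture.config(group='token', hash_algorithm=hash_algorithm)` call appears in the hunk. The body continues outside the hunk; if it does not set the option there either, the test depends on the project default and will break or change meaning once that default moves off MD5. Pinning the value with the same `config_fixture` call as the sha256 test would make the test self-contained.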
@@ -1341,7 +1363,7 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): method='GET', path='/v2.0/users/%s' % user_id, token=token, - expected_status=200) + expected_status=http_client.OK) self.assertNotIn('OS-KSADM:password', r.result['user']) def test_updating_a_user_with_an_OSKSADM_password(self): @@ -1360,7 +1382,7 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): }, }, token=token, - expected_status=200) + expected_status=http_client.OK) # successfully authenticate self.public_request( @@ -1374,13 +1396,12 @@ class V2TestCase(RestfulTestCase, CoreApiTests, LegacyV2UsernameTests): }, }, }, - expected_status=200) + expected_status=http_client.OK) class RevokeApiTestCase(V2TestCase): def config_overrides(self): super(RevokeApiTestCase, self).config_overrides() - self.config_fixture.config(group='revoke', driver='kvs') self.config_fixture.config( group='token', provider='pki', @@ -1402,6 +1423,27 @@ class TestFernetTokenProviderV2(RestfulTestCase): super(TestFernetTokenProviderV2, self).setUp() self.useFixture(ksfixtures.KeyRepository(self.config_fixture)) + # Add catalog data + self.region = unit.new_region_ref() + self.region_id = self.region['id'] + self.catalog_api.create_region(self.region) + + self.service = unit.new_service_ref() + self.service_id = self.service['id'] + self.catalog_api.create_service(self.service_id, self.service) + + self.endpoint = unit.new_endpoint_ref(service_id=self.service_id, + interface='public', + region_id=self.region_id) + self.endpoint_id = self.endpoint['id'] + self.catalog_api.create_endpoint(self.endpoint_id, self.endpoint) + + def assertValidUnscopedTokenResponse(self, r): + v2.unscoped_validator.validate(r.json['access']) + + def assertValidScopedTokenResponse(self, r): + v2.scoped_validator.validate(r.json['access']) + # Used by RestfulTestCase def _get_token_id(self, r): return r.result['access']['token']['id'] 
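Review bot: The two helpers added to `TestFernetTokenProviderV2` read the body as `r.json['access']`, while `_get_token_id` directly below them reads `r.result['access']`. Using one accessor throughout, e.g. `v2.scoped_validator.validate(r.result['access'])`, would keep the class consistent, assuming `result` holds the same decoded body. A short docstring on each helper, saying that it checks the response against the v2 token schema, would also help because the validator objects live in another module.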
@@ -1432,11 +1474,12 @@ class TestFernetTokenProviderV2(RestfulTestCase): admin_token = self.get_scoped_token(tenant_id=project_ref['id']) unscoped_token = self.get_unscoped_token() path = ('/v2.0/tokens/%s' % unscoped_token) - self.admin_request( + resp = self.admin_request( method='GET', path=path, token=admin_token, - expected_status=200) + expected_status=http_client.OK) + self.assertValidUnscopedTokenResponse(resp) def test_authenticate_scoped_token(self): project_ref = self.new_project_ref() @@ -1462,11 +1505,12 @@ class TestFernetTokenProviderV2(RestfulTestCase): path = ('/v2.0/tokens/%s?belongsTo=%s' % (member_token, project2_ref['id'])) # Validate token belongs to project - self.admin_request( + resp = self.admin_request( method='GET', path=path, token=admin_token, - expected_status=200) + expected_status=http_client.OK) + self.assertValidScopedTokenResponse(resp) def test_token_authentication_and_validation(self): """Test token authentication for Fernet token provider. @@ -1491,16 +1535,17 @@ class TestFernetTokenProviderV2(RestfulTestCase): } } }, - expected_status=200) + expected_status=http_client.OK) token_id = self._get_token_id(r) path = ('/v2.0/tokens/%s?belongsTo=%s' % (token_id, project_ref['id'])) # Validate token belongs to project - self.admin_request( + resp = self.admin_request( method='GET', path=path, - token=CONF.admin_token, - expected_status=200) + token=self.get_admin_token(), + expected_status=http_client.OK) + self.assertValidScopedTokenResponse(resp) def test_rescoped_tokens_maintain_original_expiration(self): project_ref = self.new_project_ref() @@ -1522,7 +1567,7 @@ class TestFernetTokenProviderV2(RestfulTestCase): }, # NOTE(lbragstad): This test may need to be refactored if Keystone # decides to disallow rescoping using a scoped token. - expected_status=200) + expected_status=http_client.OK) original_token = resp.result['access']['token']['id'] original_expiration = resp.result['access']['token']['expires'] 
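Review bot: In `test_token_authentication_and_validation` the switch from `token=CONF.admin_token` to `token=self.get_admin_token()` changes what the test proves, and nothing in the hunk records that. Assuming `get_admin_token()` returns a token issued through normal authentication, validation is now exercised with a role-based credential instead of the static shared secret. A comment above the request would capture the intent, such as `# Validate with an issued admin token, not the shared CONF.admin_token secret.` The test function starts in the preceding hunk, so its docstring may need the same clarification.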
@@ -1537,8 +1582,9 @@ class TestFernetTokenProviderV2(RestfulTestCase): } } }, - expected_status=200) + expected_status=http_client.OK) rescoped_token = resp.result['access']['token']['id'] rescoped_expiration = resp.result['access']['token']['expires'] self.assertNotEqual(original_token, rescoped_token) self.assertEqual(original_expiration, rescoped_expiration) + self.assertValidScopedTokenResponse(resp) |
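Review bot: `self.assertValidScopedTokenResponse(resp)` is added after `resp` has been reassigned to the rescoped response, so only the second token is checked against the schema. The test body starts in the preceding hunk; if the first authentication there is also project-scoped, calling the same assertion right after that request, before `original_token = resp.result['access']['token']['id']`, would cover both responses. Running the schema check before indexing into `resp.result['access']['token']` would also make a malformed body fail with a schema error rather than a `KeyError`.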