def setUp(self):
"""
Run before each test.
"""
cert_file = isSsl()
self.client = keystone.client.ServiceClient(
client_tests.TEST_TARGET_SERVER_SERVICE_ADDRESS,
port=client_tests.TEST_TARGET_SERVER_SERVICE_PORT,
is_ssl=(cert_file is not None),
cert_file=cert_file)
def setUp(self):
"""
Run before each test.
"""
cert_file = isSsl()
self.client = keystone.client.ServiceClient(
client_tests.TEST_TARGET_SERVER_SERVICE_ADDRESS,
port=client_tests.TEST_TARGET_SERVER_SERVICE_PORT,
is_ssl=(cert_file is not None),
cert_file=cert_file)
def setUp(self):
"""
Run before each test.
"""
cert_file = isSsl()
self.client = keystone.client.AdminClient(
client_tests.TEST_TARGET_SERVER_ADMIN_ADDRESS,
port=client_tests.TEST_TARGET_SERVER_ADMIN_PORT,
is_ssl=(cert_file is not None),
cert_file=cert_file,
admin_name="admin",
admin_pass="******")
def setUp(self):
"""
Run before each test.
"""
cert_file = isSsl()
self.client = keystone.client.AdminClient(
client_tests.TEST_TARGET_SERVER_ADMIN_ADDRESS,
port=client_tests.TEST_TARGET_SERVER_ADMIN_PORT,
is_ssl=(cert_file is not None),
cert_file=cert_file,
admin_name="admin",
admin_pass="******")
def test_extensions_xml(self):
r = self.admin_request(path='/extensions.xml')
self.assertTrue('xml' in r.getheader('Content-Type'))
content = r.xml
extensions = content.findall(
"{http://docs.openstack.org/common/api/v1.0}extension")
found_osksadm = False
found_oskscatalog = False
found_hpidm = False
for extension in extensions:
if extension.get("alias") == 'OS-KSADM':
found_osksadm = True
if extension.get("alias") == 'OS-KSCATALOG':
found_oskscatalog = True
if extension.get("alias") == 'HP-IDM':
found_hpidm = True
self.assertTrue(found_osksadm, "Missing OS-KSADM extension.")
self.assertTrue(found_oskscatalog, "Missing OS-KSCATALOG extension.")
if not common.isSsl() and 'HP-IDM_Disabled' not in os.environ:
self.assertTrue(found_hpidm, "Missing HP-IDM extension.")
def test_extensions_json(self):
r = self.admin_request(path='/extensions.json')
self.assertTrue('json' in r.getheader('Content-Type'))
content = r.json
self.assertIsNotNone(content['extensions'])
self.assertIsNotNone(content['extensions']['values'])
found_osksadm = False
found_oskscatalog = False
found_hpidm = False
for value in content['extensions']['values']:
if value['extension']['alias'] == 'OS-KSADM':
found_osksadm = True
if value['extension']['alias'] == 'OS-KSCATALOG':
found_oskscatalog = True
if value['extension']['alias'] == 'HP-IDM':
found_hpidm = True
self.assertTrue(found_osksadm, "Missing OS-KSADM extension.")
self.assertTrue(found_oskscatalog, "Missing OS-KSCATALOG extension.")
if not common.isSsl() and 'HP-IDM_Disabled' not in os.environ:
self.assertTrue(found_hpidm, "Missing HP-IDM extension.")
def test_pdf_contract(self):
if not common.isSsl():
#TODO(ziad): Caller hangs in SSL (but works with cURL)
r = self.service_request(path='/identitydevguide.pdf')
self.assertTrue('pdf' in r.getheader('Content-Type'))
def test_pdf_contract(self):
if not common.isSsl():
#TODO(ziad): Caller hangs in SSL (but works with cURL)
r = self.service_request(path='/identitydevguide.pdf')
self.assertResponseSuccessful(r)
class TestHPIDMTokensExtension(common.FunctionalTestCase):
"""Test HP-IDM token validation extension"""
def setUp(self):
super(TestHPIDMTokensExtension, self).setUp()
password = common.unique_str()
self.user = self.create_user(user_password=password).json['user']
self.user['password'] = password
self.tenant = self.create_tenant().json['tenant']
self.service = self.create_service().json['OS-KSADM:service']
r = self.create_role(service_name=self.service['name'])
self.role = r.json['role']
self.another_service = self.create_service().json['OS-KSADM:service']
self.service_with_no_users = self.create_service().\
json['OS-KSADM:service']
ar = self.create_role(service_name=self.another_service['name'])
self.another_role = ar.json['role']
rnu = self.create_role(service_name=self.service_with_no_users['name'])
self.role_with_no_users = rnu.json['role']
rns = self.create_role()
self.role_with_no_service = rns.json['role']
self.grant_role_to_user(self.user['id'],
self.role['id'], self.tenant['id'])
self.grant_role_to_user(self.user['id'],
self.role_with_no_service['id'],
self.tenant['id'])
self.grant_role_to_user(self.user['id'],
self.another_role['id'], self.tenant['id'])
self.global_role = self.create_role().json['role']
# crete a global role
self.put_user_role(self.user['id'], self.global_role['id'], None)
def get_token_belongsto(self, token_id, tenant_id, service_ids, **kwargs):
"""GET /tokens/{token_id}?belongsTo={tenant_id}
[&HP-IDM-serviceId={service_ids}]"""
serviceId_qs = ""
if service_ids:
serviceId_qs = "&HP-IDM-serviceId=%s" % (service_ids)
return self.admin_request(method='GET',
path='/tokens/%s?belongsTo=%s%s' % (token_id, tenant_id,
serviceId_qs), **kwargs)
def check_token_belongs_to(self, token_id, tenant_id, service_ids,
**kwargs):
"""HEAD /tokens/{token_id}?belongsTo={tenant_id}
[&HP-IDM-serviceId={service_ids}]"""
serviceId_qs = ""
if service_ids:
serviceId_qs = "&HP-IDM-serviceId=%s" % (service_ids)
return self.admin_request(method='HEAD',
path='/tokens/%s?belongsTo=%s%s' % (token_id, tenant_id,
serviceId_qs), **kwargs)
@unittest.skipIf(common.isSsl(),
"Skipping SSL tests")
def test_token_validation_with_serviceId(self):
scoped = self.post_token(as_json={
'auth': {
'passwordCredentials': {
'username': self.user['name'],
'password': self.user['password']},
'tenantName': self.tenant['name']}}).json['access']
self.assertEqual(scoped['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(scoped['token']['tenant']['name'],
self.tenant['name'])
# And an admin should be able to validate that our new token is scoped
r = self.get_token_belongsto(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=self.service['id'])
access = r.json['access']
self.assertEqual(access['user']['id'], self.user['id'])
self.assertEqual(access['user']['name'], self.user['name'])
self.assertEqual(access['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(access['token']['tenant']['name'],
self.tenant['name'])
# make sure only the service roles are returned
self.assertIsNotNone(access['user'].get('roles'))
self.assertEqual(len(access['user']['roles']), 1)
self.assertEqual(access['user']['roles'][0]['name'],
self.role['name'])
# make sure check token also works
self.check_token_belongs_to(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=self.service['id'],
assert_status=200)
@unittest.skipIf(common.isSsl(),
"Skipping SSL tests")
def test_token_validation_with_all_serviceId(self):
scoped = self.post_token(as_json={
'auth': {
'passwordCredentials': {
'username': self.user['name'],
'password': self.user['password']},
'tenantName': self.tenant['name']}}).json['access']
self.assertEqual(scoped['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(scoped['token']['tenant']['name'],
self.tenant['name'])
# And an admin should be able to validate that our new token is scoped
service_ids = "%s,%s" % \
(self.service['id'], self.another_service['id'])
r = self.get_token_belongsto(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=service_ids)
access = r.json['access']
self.assertEqual(access['user']['id'], self.user['id'])
self.assertEqual(access['user']['name'], self.user['name'])
self.assertEqual(access['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(access['token']['tenant']['name'],
self.tenant['name'])
# make sure only the service roles are returned
self.assertIsNotNone(access['user'].get('roles'))
self.assertEqual(len(access['user']['roles']), 2)
role_names = map(lambda x: x['name'], access['user']['roles'])
self.assertTrue(self.role['name'] in role_names)
self.assertTrue(self.another_role['name'] in role_names)
@unittest.skipIf(common.isSsl(),
"Skipping SSL tests")
def test_token_validation_with_no_user_service(self):
scoped = self.post_token(as_json={
'auth': {
'passwordCredentials': {
'username': self.user['name'],
'password': self.user['password']},
'tenantName': self.tenant['name']}}).json['access']
self.assertEqual(scoped['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(scoped['token']['tenant']['name'],
self.tenant['name'])
# And an admin should be able to validate that our new token is scoped
service_ids = "%s,%s,%s" % (self.service['id'],
self.another_service['id'],
self.service_with_no_users['id'])
r = self.get_token_belongsto(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=service_ids)
access = r.json['access']
self.assertEqual(access['user']['id'], self.user['id'])
self.assertEqual(access['user']['name'], self.user['name'])
self.assertEqual(access['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(access['token']['tenant']['name'],
self.tenant['name'])
# make sure only the service roles are returned, excluding the one
# with no users
self.assertIsNotNone(access['user'].get('roles'))
self.assertEqual(len(access['user']['roles']), 2)
role_names = map(lambda x: x['name'], access['user']['roles'])
self.assertTrue(self.role['name'] in role_names)
self.assertTrue(self.another_role['name'] in role_names)
# make sure check token also works
self.check_token_belongs_to(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=service_ids,
assert_status=200)
@unittest.skipIf(common.isSsl(),
"Skipping SSL tests")
def test_token_validation_without_serviceId(self):
scoped = self.post_token(as_json={
'auth': {
'passwordCredentials': {
'username': self.user['name'],
'password': self.user['password']},
'tenantName': self.tenant['name']}}).json['access']
self.assertEqual(scoped['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(scoped['token']['tenant']['name'],
self.tenant['name'])
# And an admin should be able to validate that our new token is scoped
r = self.get_token_belongsto(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=None)
access = r.json['access']
self.assertEqual(access['user']['id'], self.user['id'])
self.assertEqual(access['user']['name'], self.user['name'])
self.assertEqual(access['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(access['token']['tenant']['name'],
self.tenant['name'])
# make sure all the roles are returned
self.assertIsNotNone(access['user'].get('roles'))
self.assertEqual(len(access['user']['roles']), 4)
role_names = map(lambda x: x['name'], access['user']['roles'])
self.assertTrue(self.role['name'] in role_names)
self.assertTrue(self.another_role['name'] in role_names)
self.assertTrue(self.global_role['name'] in role_names)
self.assertTrue(self.role_with_no_service['name'] in role_names)
@unittest.skipIf(common.isSsl(),
"Skipping SSL tests")
def test_token_validation_with_global_service_id(self):
scoped = self.post_token(as_json={
'auth': {
'passwordCredentials': {
'username': self.user['name'],
'password': self.user['password']},
'tenantName': self.tenant['name']}}).json['access']
self.assertEqual(scoped['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(scoped['token']['tenant']['name'],
self.tenant['name'])
service_ids = "%s,%s,global" % (self.service['id'],
self.another_service['id'])
r = self.get_token_belongsto(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=service_ids)
access = r.json['access']
self.assertEqual(access['user']['id'], self.user['id'])
self.assertEqual(access['user']['name'], self.user['name'])
self.assertEqual(access['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(access['token']['tenant']['name'],
self.tenant['name'])
# make sure only the service roles are returned
self.assertIsNotNone(access['user'].get('roles'))
self.assertEqual(len(access['user']['roles']), 3)
role_names = map(lambda x: x['name'], access['user']['roles'])
self.assertTrue(self.role['name'] in role_names)
self.assertTrue(self.another_role['name'] in role_names)
self.assertTrue(self.global_role['name'] in role_names)
@unittest.skipIf(common.isSsl(),
"Skipping SSL tests")
def test_token_validation_with_bogus_service_id(self):
scoped = self.post_token(as_json={
'auth': {
'passwordCredentials': {
'username': self.user['name'],
'password': self.user['password']},
'tenantName': self.tenant['name']}}).json['access']
self.assertEqual(scoped['token']['tenant']['id'], self.tenant['id'])
self.assertEqual(scoped['token']['tenant']['name'],
self.tenant['name'])
service_ids = "%s,%s,boguzzz" % (self.service['id'],
self.another_service['id'])
self.get_token_belongsto(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=service_ids,
assert_status=401)
# make sure check token also works
self.check_token_belongs_to(token_id=scoped['token']['id'],
tenant_id=self.tenant['id'], service_ids=service_ids,
assert_status=401)
def test_pdf_contract(self):
if not common.isSsl():
#TODO(ziad): Caller hangs in SSL (but works with cURL)
r = self.service_request(path='/identitydevguide.pdf')
self.assertTrue('pdf' in r.getheader('Content-Type'))