def test_password_history_check_self_service_api(self):
old_pass = self.creds.password
new_pass1 = data_utils.rand_password()
new_pass2 = data_utils.rand_password()
self.addCleanup(self._restore_password, old_pass, new_pass2)
# Update password
self._update_password(original_password=old_pass, password=new_pass1)
if CONF.identity.user_unique_last_password_count > 1:
# Can not reuse a previously set password
self.assertRaises(exceptions.BadRequest,
self.non_admin_users_client.update_user_password,
self.user_id,
password=new_pass1,
original_password=new_pass1)
self.assertRaises(exceptions.BadRequest,
self.non_admin_users_client.update_user_password,
self.user_id,
password=old_pass,
original_password=new_pass1)
# A different password can be set
self._update_password(original_password=new_pass1, password=new_pass2)
def test_rand_password_with_len(self):
actual = data_utils.rand_password(8)
self.assertIsInstance(actual, str)
self.assertEqual(len(actual), 8)
self.assertRegexpMatches(actual, "[A-Za-z0-9~!@#$%^&*_=+]{8}")
actual2 = data_utils.rand_password(8)
self.assertNotEqual(actual, actual2)
def test_rand_password_with_len_2(self):
actual = data_utils.rand_password(2)
self.assertIsInstance(actual, str)
self.assertEqual(len(actual), 3)
self.assertRegex(actual, "[A-Za-z0-9~!@#$%^&*_=+]{3}")
actual2 = data_utils.rand_password(2)
self.assertNotEqual(actual, actual2)
def test_rand_password_with_len_2(self):
actual = data_utils.rand_password(2)
self.assertIsInstance(actual, str)
self.assertEqual(len(actual), 3)
self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}")
actual2 = data_utils.rand_password(2)
self.assertNotEqual(actual, actual2)
def test_password_history_check_self_service_api(self):
old_pass = self.creds.password
new_pass1 = data_utils.rand_password()
new_pass2 = data_utils.rand_password()
self.addCleanup(self._restore_password, old_pass, new_pass2)
# Update password
self._update_password(original_password=old_pass, password=new_pass1)
if CONF.identity.user_unique_last_password_count > 1:
# Can not reuse a previously set password
self.assertRaises(exceptions.BadRequest,
self.non_admin_users_client.update_user_password,
self.user_id,
password=new_pass1,
original_password=new_pass1)
self.assertRaises(exceptions.BadRequest,
self.non_admin_users_client.update_user_password,
self.user_id,
password=old_pass,
original_password=new_pass1)
# A different password can be set
self._update_password(original_password=new_pass1, password=new_pass2)
def test_update_user_password(self):
# Creating User to check password updation
u_name = data_utils.rand_name('user')
original_password = data_utils.rand_password()
user = self.users_client.create_user(
name=u_name, password=original_password)['user']
# Delete the User at the end all test methods
self.addCleanup(self.users_client.delete_user, user['id'])
# Update user with new password
new_password = data_utils.rand_password()
self.users_client.update_user_password(
user['id'],
password=new_password,
original_password=original_password)
# NOTE(morganfainberg): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure
# we are passing the second boundary.
time.sleep(1)
resp = self.token.auth(user_id=user['id'],
password=new_password).response
subject_token = resp['x-subject-token']
# Perform GET Token to verify and confirm password is updated
token_details = self.client.show_token(subject_token)['token']
self.assertEqual(token_details['user']['id'], user['id'])
self.assertEqual(token_details['user']['name'], u_name)
def test_change_password(self):
original_password = data_utils.rand_password()
user = self.setup_test_user(password=original_password)
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.users_client.update_user_password(
user['id'],
original_password=original_password,
password=data_utils.rand_password())
def test_rand_password_with_len_2(self):
actual = data_utils.rand_password(2)
self.assertIsInstance(actual, str)
self.assertEqual(len(actual), 3)
self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}")
actual2 = data_utils.rand_password(2)
# NOTE(masayukig): Originally, we checked that the acutal and actual2
# are different each other. But only 3 letters can be the same value
# in a very rare case. So, we just check the length here, too,
# just in case.
self.assertEqual(len(actual2), 3)
def test_rand_password_with_len_2(self):
actual = data_utils.rand_password(2)
self.assertIsInstance(actual, str)
self.assertEqual(len(actual), 3)
self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}")
actual2 = data_utils.rand_password(2)
# NOTE(masayukig): Originally, we checked that the acutal and actual2
# are different each other. But only 3 letters can be the same value
# in a very rare case. So, we just check the length here, too,
# just in case.
self.assertEqual(len(actual2), 3)
def test_create_server_with_personality(self):
file_contents = 'This is a test file.'
file_path = '/test.txt'
personality = [{'path': file_path,
'contents': base64.encode_as_text(file_contents)}]
password = data_utils.rand_password()
validation_resources = self.get_test_validation_resources(
self.os_primary)
created_server = self.create_test_server(
personality=personality, adminPass=password, wait_until='ACTIVE',
validatable=True,
validation_resources=validation_resources)
self.addCleanup(waiters.wait_for_server_termination,
self.servers_client, created_server['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.servers_client.delete_server,
created_server['id'])
server = self.client.show_server(created_server['id'])['server']
if CONF.validation.run_validation:
linux_client = remote_client.RemoteClient(
self.get_server_ip(server, validation_resources),
self.ssh_user, password,
validation_resources['keypair']['private_key'],
server=server,
servers_client=self.client)
self.assertEqual(file_contents,
linux_client.exec_command(
'sudo cat %s' % file_path))
def test_create_check_get_delete_token(self):
"""Test getting create/check/get/delete token for user via v2 API"""
# get a token by username and password
user_name = data_utils.rand_name(name='user')
user_password = data_utils.rand_password()
# first:create a tenant
tenant = self.setup_test_tenant()
# second:create a user
user = self.create_test_user(name=user_name,
password=user_password,
tenantId=tenant['id'],
email='')
# then get a token for the user
body = self.token_client.auth(user_name,
user_password,
tenant['name'])
self.assertEqual(body['token']['tenant']['name'],
tenant['name'])
# Perform GET Token
token_id = body['token']['id']
self.client.check_token_existence(token_id)
token_details = self.client.show_token(token_id)['access']
self.assertEqual(token_id, token_details['token']['id'])
self.assertEqual(user['id'], token_details['user']['id'])
self.assertEqual(user_name, token_details['user']['name'])
self.assertEqual(tenant['name'],
token_details['token']['tenant']['name'])
# then delete the token
self.client.delete_token(token_id)
self.assertRaises(lib_exc.NotFound,
self.client.check_token_existence,
token_id)
def setUp(self):
super(TestK2KFederatedAuthentication, self).setUp()
self._setup_sp()
self.auth = {'password': data_utils.rand_password()}
user_id = self.keystone_manager.users_v3_client.create_user(
name=data_utils.rand_name('user'),
password=self.auth['password'])['user']['id']
self.addCleanup(self.keystone_manager.users_v3_client.delete_user,
user_id)
self.auth['user_id'] = user_id
idp_info = self.idps_client.show_identity_provider(self.idp_id)
domain_id = idp_info['identity_provider']['domain_id']
project_id = self.keystone_manager.identity_providers_client.tenant_id
self.auth['project_id'] = project_id
group = self.keystone_manager.groups_client.create_group(
name=data_utils.rand_uuid_hex(), domain_id=domain_id)
self.addCleanup(self.keystone_manager.groups_client.delete_group,
group['group']['id'])
role = self.keystone_manager.roles_v3_client.create_role(
name=data_utils.rand_uuid_hex(), project_id=project_id)
self.addCleanup(self.keystone_manager.roles_v3_client.delete_role,
role['role']['id'])
self.keystone_manager.roles_v3_client.create_group_role_on_project(
group_id=group['group']['id'],
project_id=project_id,
role_id=role['role']['id'])
self.keystone_manager.groups_client.add_group_user(
group_id=group['group']['id'], user_id=user_id)
def test_user_update(self):
# Test case to check if updating of user attributes is successful.
# Creating first user
u_name = data_utils.rand_name('user')
u_desc = u_name + 'description'
u_email = u_name + '@testmail.tm'
u_password = data_utils.rand_password()
user = self.users_client.create_user(
name=u_name, description=u_desc, password=u_password,
email=u_email, enabled=False)['user']
# Delete the User at the end of this method
self.addCleanup(self.users_client.delete_user, user['id'])
# Creating second project for updation
project = self.setup_test_project()
# Updating user details with new values
update_kwargs = {'name': data_utils.rand_name('user2'),
'description': data_utils.rand_name('desc2'),
'project_id': project['id'],
'email': '*****@*****.**',
'enabled': False}
updated_user = self.users_client.update_user(
user['id'], **update_kwargs)['user']
for field in update_kwargs:
self.assertEqual(update_kwargs[field], updated_user[field])
# GET by id after updating
new_user_get = self.users_client.show_user(user['id'])['user']
# Assert response body of GET after updation
for field in update_kwargs:
self.assertEqual(update_kwargs[field], new_user_get[field])
def test_create_transfer_accept_using_invalid_key(self):
LOG.info('Create a zone')
zone_name = dns_data_utils.rand_zone_name(
name="create_transfer_accept_invalid_key", suffix=self.tld_name)
zone = self.zone_client.create_zone(name=zone_name,
wait_until='ACTIVE')[1]
self.addCleanup(self.wait_zone_delete, self.zone_client, zone['id'])
LOG.info('Create a zone transfer_request')
transfer_request = self.request_client.create_transfer_request(
zone['id'])[1]
self.addCleanup(
self.transfer_request_delete,
self.request_client,
transfer_request['id']
)
data = {"key": data_utils.rand_password(
len(transfer_request['key'])),
"zone_transfer_request_id": transfer_request['id']}
LOG.info('Create a zone transfer_accept using invalid key')
self.assertRaises(
lib_exc.Forbidden, self.client.create_transfer_accept,
transfer_accept_data=data)
def test_user_account_lockout(self):
if (CONF.identity.user_lockout_failure_attempts <= 0 or
CONF.identity.user_lockout_duration <= 0):
raise self.skipException(
"Both CONF.identity.user_lockout_failure_attempts and "
"CONF.identity.user_lockout_duration should be greater than "
"zero to test this feature")
password = self.creds.password
# First, we login using the correct credentials
self.non_admin_token.auth(user_id=self.user_id, password=password)
# Lock user account by using the wrong password to login
bad_password = data_utils.rand_password()
for _ in range(CONF.identity.user_lockout_failure_attempts):
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token.auth,
user_id=self.user_id,
password=bad_password)
# The user account must be locked, so now it is not possible to login
# even using the correct password
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token.auth,
user_id=self.user_id,
password=password)
# If we wait the required time, the user account will be unlocked
time.sleep(CONF.identity.user_lockout_duration + 1)
self.non_admin_token.auth(user_id=self.user_id, password=password)
def test_can_create_server_with_max_number_personality_files(self):
# Server should be created successfully if maximum allowed number of
# files is injected into the server during creation.
file_contents = 'This is a test file.'
limits = self.user_client.show_limits()['limits']
max_file_limit = limits['absolute']['maxPersonality']
if max_file_limit == -1:
raise self.skipException("No limit for personality files")
person = []
for i in range(0, int(max_file_limit)):
# NOTE(andreaf) The cirros disk image is blank before boot
# so we can only inject safely to /
path = '/test' + str(i) + '.txt'
person.append({
'path': path,
'contents': base64.encode_as_text(file_contents + str(i)),
})
password = data_utils.rand_password()
created_server = self.create_test_server(personality=person,
adminPass=password,
wait_until='ACTIVE',
validatable=True)
server = self.client.show_server(created_server['id'])['server']
if CONF.validation.run_validation:
linux_client = remote_client.RemoteClient(
self.get_server_ip(server),
self.ssh_user, password,
self.validation_resources['keypair']['private_key'],
server=server,
servers_client=self.client)
for i in person:
self.assertEqual(base64.decode_as_text(i['contents']),
linux_client.exec_command(
'sudo cat %s' % i['path']))
def _setup_new_user_client(cls, project_id, role):
"""Create a new tempest.clients.Manager
Creates a new user with the given roles on the given project,
and returns an instance of tempest.clients.Manager set up
for that user.
Users are cleaned up during class teardown in cls.clear_credentials
"""
user = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password()
}
user_id = cls.os_system_admin.users_v3_client.create_user(
**user)['user']['id']
cls._created_users.append(user_id)
role_id = cls.os_system_admin.roles_v3_client.list_roles(
name=role)['roles'][0]['id']
cls.os_system_admin.roles_v3_client.create_user_role_on_project(
project_id, user_id, role_id)
creds = auth.KeystoneV3Credentials(user_id=user_id,
password=user['password'],
project_id=project_id)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
return clients.Manager(credentials=creds)
def test_create_get_delete_token(self):
# get a token by username and password
user_name = data_utils.rand_name(name='user')
user_password = data_utils.rand_password()
# first:create a tenant
tenant_name = data_utils.rand_name(name='tenant')
tenant = self.tenants_client.create_tenant(name=tenant_name)['tenant']
# Delete the tenant at the end of the test
self.addCleanup(self.tenants_client.delete_tenant, tenant['id'])
# second:create a user
user = self.create_test_user(name=user_name,
password=user_password,
tenantId=tenant['id'],
email='')
# then get a token for the user
body = self.token_client.auth(user_name, user_password, tenant['name'])
self.assertEqual(body['token']['tenant']['name'], tenant['name'])
# Perform GET Token
token_id = body['token']['id']
token_details = self.client.show_token(token_id)['access']
self.assertEqual(token_id, token_details['token']['id'])
self.assertEqual(user['id'], token_details['user']['id'])
self.assertEqual(user_name, token_details['user']['name'])
self.assertEqual(tenant['name'],
token_details['token']['tenant']['name'])
# then delete the token
self.client.delete_token(token_id)
def _get_updated_quotas(self):
# Verify that GET shows the updated quota set of project
project_name = data_utils.rand_name('cpu_quota_project')
project_desc = project_name + '-desc'
project = identity.identity_utils(self.os_admin).create_project(
name=project_name, description=project_desc)
project_id = project['id']
self.addCleanup(identity.identity_utils(self.os_admin).delete_project,
project_id)
self.adm_client.update_quota_set(project_id, ram='5120')
# Call show_quota_set with detail=true to cover the
# get_quota_set_details response schema for microversion tests
quota_set = self.adm_client.show_quota_set(
project_id, detail=True)['quota_set']
self.assertEqual(5120, quota_set['ram']['limit'])
# Verify that GET shows the updated quota set of user
user_name = data_utils.rand_name('cpu_quota_user')
password = data_utils.rand_password()
email = user_name + '@testmail.tm'
user = identity.identity_utils(self.os_admin).create_user(
username=user_name, password=password, project=project,
email=email)
user_id = user['id']
self.addCleanup(identity.identity_utils(self.os_admin).delete_user,
user_id)
self.adm_client.update_quota_set(project_id,
user_id=user_id,
ram='2048')
quota_set = self.adm_client.show_quota_set(
project_id, user_id=user_id)['quota_set']
self.assertEqual(2048, quota_set['ram'])
def test_can_create_server_with_max_number_personality_files(self):
# Server should be created successfully if maximum allowed number of
# files is injected into the server during creation.
file_contents = 'This is a test file.'
limits = self.user_client.show_limits()['limits']
max_file_limit = limits['absolute']['maxPersonality']
if max_file_limit == -1:
raise self.skipException("No limit for personality files")
person = []
for i in range(0, int(max_file_limit)):
path = '/etc/test' + str(i) + '.txt'
person.append({
'path': path,
'contents': base64.encode_as_text(file_contents),
})
password = data_utils.rand_password()
created_server = self.create_test_server(personality=person,
adminPass=password,
wait_until='ACTIVE',
validatable=True)
server = self.client.show_server(created_server['id'])['server']
if CONF.validation.run_validation:
linux_client = remote_client.RemoteClient(
self.get_server_ip(server),
self.ssh_user, password,
self.validation_resources['keypair']['private_key'],
server=server,
servers_client=self.client)
for i in person:
self.assertEqual(base64.decode_as_text(i['contents']),
linux_client.exec_command(
'sudo cat %s' % i['path']))
def test_create_server_with_fqdn_name(self):
"""Test to create an instance with FQDN type name scheme"""
validation_resources = self.get_class_validation_resources(
self.os_primary)
self.server_name = 'guest-instance-1.domain.com'
self.password = data_utils.rand_password()
self.accessIPv4 = '2.2.2.2'
test_server = self.create_test_server(
validatable=True,
validation_resources=validation_resources,
wait_until='ACTIVE',
adminPass=self.password,
name=self.server_name,
accessIPv4=self.accessIPv4)
"""Verify the hostname within the instance is sanitized
Freeform characters in the hostname are replaced with dashes
"""
linux_client = remote_client.RemoteClient(
self.get_server_ip(test_server, validation_resources),
self.ssh_user,
self.password,
validation_resources['keypair']['private_key'],
server=test_server,
servers_client=self.client)
hostname = linux_client.exec_command("hostname").rstrip()
self.assertEqual('guest-instance-1-domain-com', hostname)
def create_trustor_and_roles(self):
# create a project that trusts will be granted on
trustor_project_name = data_utils.rand_name(name='project')
project = self.projects_client.create_project(
trustor_project_name,
domain_id=CONF.identity.default_domain_id)['project']
self.trustor_project_id = project['id']
self.assertIsNotNone(self.trustor_project_id)
# Create a trustor User
trustor_username = data_utils.rand_name('user')
u_desc = trustor_username + 'description'
u_email = trustor_username + '@testmail.xx'
trustor_password = data_utils.rand_password()
user = self.users_client.create_user(
name=trustor_username,
description=u_desc,
password=trustor_password,
email=u_email,
project_id=self.trustor_project_id,
domain_id=CONF.identity.default_domain_id)['user']
self.trustor_user_id = user['id']
# And two roles, one we'll delegate and one we won't
self.delegated_role = data_utils.rand_name('DelegatedRole')
self.not_delegated_role = data_utils.rand_name('NotDelegatedRole')
role = self.roles_client.create_role(name=self.delegated_role)['role']
self.delegated_role_id = role['id']
role = self.roles_client.create_role(
name=self.not_delegated_role)['role']
self.not_delegated_role_id = role['id']
# Assign roles to trustor
self.roles_client.create_user_role_on_project(
self.trustor_project_id,
self.trustor_user_id,
self.delegated_role_id)
self.roles_client.create_user_role_on_project(
self.trustor_project_id,
self.trustor_user_id,
self.not_delegated_role_id)
# Get trustee user ID, use the demo user
trustee_username = self.non_admin_client.user
self.trustee_user_id = self.get_user_by_name(trustee_username)['id']
self.assertIsNotNone(self.trustee_user_id)
# Initialize a new client with the trustor credentials
creds = common_creds.get_credentials(
identity_version='v3',
username=trustor_username,
password=trustor_password,
user_domain_id=CONF.identity.default_domain_id,
tenant_name=trustor_project_name,
project_domain_id=CONF.identity.default_domain_id,
domain_id=CONF.identity.default_domain_id)
os = clients.Manager(credentials=creds)
self.trustor_client = os.trusts_client
def test_get_updated_quotas(self):
# Verify that GET shows the updated quota set of project
project_name = data_utils.rand_name('cpu_quota_project')
project_desc = project_name + '-desc'
project = self.identity_utils.create_project(name=project_name,
description=project_desc)
project_id = project['id']
self.addCleanup(self.identity_utils.delete_project, project_id)
self.adm_client.update_quota_set(project_id, ram='5120')
quota_set = self.adm_client.show_quota_set(project_id)['quota_set']
self.assertEqual(5120, quota_set['ram'])
# Verify that GET shows the updated quota set of user
user_name = data_utils.rand_name('cpu_quota_user')
password = data_utils.rand_password()
email = user_name + '@testmail.tm'
user = self.identity_utils.create_user(username=user_name,
password=password,
project=project,
email=email)
user_id = user['id']
self.addCleanup(self.identity_utils.delete_user, user_id)
self.adm_client.update_quota_set(project_id,
user_id=user_id,
ram='2048')
quota_set = self.adm_client.show_quota_set(
project_id, user_id=user_id)['quota_set']
self.assertEqual(2048, quota_set['ram'])
def test_user_update(self):
"""Test case to check if updating of user attributes is successful"""
# Creating first user
u_name = data_utils.rand_name('user')
u_desc = u_name + 'description'
u_email = u_name + '@testmail.tm'
u_password = data_utils.rand_password()
user = self.users_client.create_user(
name=u_name, description=u_desc, password=u_password,
email=u_email, enabled=False)['user']
# Delete the User at the end of this method
self.addCleanup(self.users_client.delete_user, user['id'])
# Creating second project for updation
project = self.setup_test_project()
# Updating user details with new values
update_kwargs = {'name': data_utils.rand_name('user2'),
'description': data_utils.rand_name('desc2'),
'project_id': project['id'],
'email': '*****@*****.**',
'enabled': False}
updated_user = self.users_client.update_user(
user['id'], **update_kwargs)['user']
for field in update_kwargs:
self.assertEqual(update_kwargs[field], updated_user[field])
# GET by id after updating
new_user_get = self.users_client.show_user(user['id'])['user']
# Assert response body of GET after updation
for field in update_kwargs:
self.assertEqual(update_kwargs[field], new_user_get[field])
def resource_setup(cls):
admin_client = cls.os_system_admin
cls.user = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password(),
}
cls.user_id = admin_client.users_v3_client.create_user(
**cls.user)['user']['id']
cls.addClassResourceCleanup(admin_client.users_v3_client.delete_user,
user_id=cls.user_id)
cls.project_id = admin_client.projects_client.create_project(
name=data_utils.rand_name())['project']['id']
cls.addClassResourceCleanup(
admin_client.projects_client.delete_project,
project_id=cls.project_id)
cls.domain_id = admin_client.domains_client.create_domain(
name=data_utils.rand_name())['domain']['id']
cls.addClassResourceCleanup(admin_client.domains_client.delete_domain,
domain_id=cls.domain_id)
cls.addClassResourceCleanup(admin_client.domains_client.update_domain,
domain_id=cls.domain_id,
enabled=False)
role_id = admin_client.roles_v3_client.create_role(
name=data_utils.rand_name())['role']['id']
cls.addClassResourceCleanup(admin_client.roles_v3_client.delete_role,
role_id=role_id)
admin_client.roles_v3_client.create_user_role_on_project(
project_id=cls.project_id, user_id=cls.user_id, role_id=role_id)
admin_client.roles_v3_client.create_user_role_on_domain(
domain_id=cls.domain_id, user_id=cls.user_id, role_id=role_id)
admin_client.roles_v3_client.create_user_role_on_system(
user_id=cls.user_id, role_id=role_id)
def _get_updated_quotas(self):
# Verify that GET shows the updated quota set of project
project_name = data_utils.rand_name('cpu_quota_project')
project_desc = project_name + '-desc'
project = identity.identity_utils(self.os_admin).create_project(
name=project_name, description=project_desc)
project_id = project['id']
self.addCleanup(identity.identity_utils(self.os_admin).delete_project,
project_id)
self.adm_client.update_quota_set(project_id, ram='5120')
# Call show_quota_set with detail=true to cover the
# get_quota_set_details response schema for microversion tests
quota_set = self.adm_client.show_quota_set(
project_id, detail=True)['quota_set']
self.assertEqual(5120, quota_set['ram']['limit'])
# Verify that GET shows the updated quota set of user
user_name = data_utils.rand_name('cpu_quota_user')
password = data_utils.rand_password()
email = user_name + '@testmail.tm'
user = identity.identity_utils(self.os_admin).create_user(
username=user_name, password=password, project=project,
email=email)
user_id = user['id']
self.addCleanup(identity.identity_utils(self.os_admin).delete_user,
user_id)
self.adm_client.update_quota_set(project_id,
user_id=user_id,
ram='2048')
quota_set = self.adm_client.show_quota_set(
project_id, user_id=user_id)['quota_set']
self.assertEqual(2048, quota_set['ram'])
def recreate_server(cls, server_id, validatable=False, **kwargs):
"""Destroy an existing class level server and creates a new one
Some test classes use a test server that can be used by multiple
tests. This is done to optimise runtime and test load.
If something goes wrong with the test server, it can be rebuilt
using this helper.
This helper can also be used for the initial provisioning if no
server_id is specified.
:param server_id: UUID of the server to be rebuilt. If None is
specified, a new server is provisioned.
:param validatable: whether to the server needs to be
validatable. When True, validation resources are acquired via
the `get_class_validation_resources` helper.
:param kwargs: extra paramaters are passed through to the
`create_test_server` call.
:return: the UUID of the created server.
"""
if server_id:
cls.delete_server(server_id)
cls.password = data_utils.rand_password()
server = cls.create_test_server(
validatable,
validation_resources=cls.get_class_validation_resources(
cls.os_primary),
wait_until='ACTIVE',
adminPass=cls.password,
**kwargs)
return server['id']
def resource_setup(cls):
super(UsersV3TestJSON, cls).resource_setup()
alt_user = data_utils.rand_name('test_user')
alt_password = data_utils.rand_password()
cls.alt_email = alt_user + '@testmail.tm'
# Create a domain
cls.domain = cls.create_domain()
# Create user with Domain
cls.users = list()
u1_name = data_utils.rand_name('test_user')
cls.domain_enabled_user = cls.users_client.create_user(
name=u1_name,
password=alt_password,
email=cls.alt_email,
domain_id=cls.domain['id'])['user']
cls.addClassResourceCleanup(cls.users_client.delete_user,
cls.domain_enabled_user['id'])
cls.users.append(cls.domain_enabled_user)
# Create default not enabled user
u2_name = data_utils.rand_name('test_user')
cls.non_domain_enabled_user = cls.users_client.create_user(
name=u2_name,
password=alt_password,
email=cls.alt_email,
enabled=False)['user']
cls.addClassResourceCleanup(cls.users_client.delete_user,
cls.non_domain_enabled_user['id'])
cls.users.append(cls.non_domain_enabled_user)
def resource_setup(cls):
super(InheritsV3TestJSON, cls).resource_setup()
u_name = data_utils.rand_name('user-')
u_desc = '%s description' % u_name
u_email = '*****@*****.**' % u_name
u_password = data_utils.rand_password()
cls.domain = cls.create_domain()
cls.project = cls.projects_client.create_project(
data_utils.rand_name('project-'),
description=data_utils.rand_name('project-desc-'),
domain_id=cls.domain['id'])['project']
cls.addClassResourceCleanup(cls.projects_client.delete_project,
cls.project['id'])
cls.group = cls.groups_client.create_group(
name=data_utils.rand_name('group-'),
project_id=cls.project['id'],
domain_id=cls.domain['id'])['group']
cls.addClassResourceCleanup(cls.groups_client.delete_group,
cls.group['id'])
if not CONF.identity_feature_enabled.immutable_user_source:
cls.user = cls.users_client.create_user(
name=u_name,
description=u_desc,
password=u_password,
email=u_email,
project_id=cls.project['id'],
domain_id=cls.domain['id'])['user']
cls.addClassResourceCleanup(cls.users_client.delete_user,
cls.user['id'])
def resource_setup(cls):
super(CredentialsTestJSON, cls).resource_setup()
cls.projects = list()
cls.creds_list = [['project_id', 'user_id', 'id'],
['access', 'secret']]
u_name = data_utils.rand_name('user')
u_desc = '%s description' % u_name
u_email = '*****@*****.**' % u_name
u_password = data_utils.rand_password()
for _ in range(2):
project = cls.projects_client.create_project(
data_utils.rand_name('project'),
description=data_utils.rand_name('project-desc'))['project']
cls.addClassResourceCleanup(cls.projects_client.delete_project,
project['id'])
cls.projects.append(project['id'])
cls.user_body = cls.users_client.create_user(
name=u_name,
description=u_desc,
password=u_password,
email=u_email,
project_id=cls.projects[0])['user']
cls.addClassResourceCleanup(cls.users_client.delete_user,
cls.user_body['id'])
def resource_setup(cls):
super(RolesV3TestJSON, cls).resource_setup()
cls.roles = list()
for _ in range(3):
role_name = data_utils.rand_name(name='role')
role = cls.roles_client.create_role(name=role_name)['role']
cls.roles.append(role)
u_name = data_utils.rand_name('user')
u_desc = '%s description' % u_name
u_email = '*****@*****.**' % u_name
cls.u_password = data_utils.rand_password()
cls.domain = cls.create_domain()
cls.project = cls.projects_client.create_project(
data_utils.rand_name('project'),
description=data_utils.rand_name('project-desc'),
domain_id=cls.domain['id'])['project']
cls.group_body = cls.groups_client.create_group(
name=data_utils.rand_name('Group'),
project_id=cls.project['id'],
domain_id=cls.domain['id'])['group']
cls.user_body = cls.users_client.create_user(
name=u_name,
description=u_desc,
password=cls.u_password,
email=u_email,
project_id=cls.project['id'],
domain_id=cls.domain['id'])['user']
cls.role = cls.roles_client.create_role(
name=data_utils.rand_name('Role'))['role']
def resource_setup(cls):
super(InheritsV3TestJSON, cls).resource_setup()
u_name = data_utils.rand_name('user-')
u_desc = '%s description' % u_name
u_email = '*****@*****.**' % u_name
u_password = data_utils.rand_password()
cls.domain = cls.create_domain()
cls.project = cls.projects_client.create_project(
data_utils.rand_name('project-'),
description=data_utils.rand_name('project-desc-'),
domain_id=cls.domain['id'])['project']
cls.addClassResourceCleanup(cls.projects_client.delete_project,
cls.project['id'])
cls.group = cls.groups_client.create_group(
name=data_utils.rand_name('group-'), project_id=cls.project['id'],
domain_id=cls.domain['id'])['group']
cls.addClassResourceCleanup(cls.groups_client.delete_group,
cls.group['id'])
if not CONF.identity_feature_enabled.immutable_user_source:
cls.user = cls.users_client.create_user(
name=u_name,
description=u_desc,
password=u_password,
email=u_email,
project_id=cls.project['id'],
domain_id=cls.domain['id']
)['user']
cls.addClassResourceCleanup(cls.users_client.delete_user,
cls.user['id'])
def test_create_server_with_personality(self):
"""Test creating server with file injection"""
file_contents = 'This is a test file.'
file_path = '/test.txt'
personality = [{
'path': file_path,
'contents': base64.encode_as_text(file_contents)
}]
password = data_utils.rand_password()
validation_resources = self.get_test_validation_resources(
self.os_primary)
created_server = self.create_test_server(
personality=personality,
adminPass=password,
wait_until='ACTIVE',
validatable=True,
validation_resources=validation_resources)
self.addCleanup(waiters.wait_for_server_termination,
self.servers_client, created_server['id'])
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.servers_client.delete_server,
created_server['id'])
server = self.client.show_server(created_server['id'])['server']
if CONF.validation.run_validation:
linux_client = remote_client.RemoteClient(
self.get_server_ip(server, validation_resources),
self.ssh_user,
password,
validation_resources['keypair']['private_key'],
server=server,
servers_client=self.client)
self.assertEqual(
file_contents,
linux_client.exec_command('sudo cat %s' % file_path))
def test_user_account_lockout(self):
if (CONF.identity.user_lockout_failure_attempts <= 0
or CONF.identity.user_lockout_duration <= 0):
raise self.skipException(
"Both CONF.identity.user_lockout_failure_attempts and "
"CONF.identity.user_lockout_duration should be greater than "
"zero to test this feature")
password = self.creds.password
# First, we login using the correct credentials
self.non_admin_token.auth(user_id=self.user_id, password=password)
# Lock user account by using the wrong password to login
bad_password = data_utils.rand_password()
for _ in range(CONF.identity.user_lockout_failure_attempts):
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token.auth,
user_id=self.user_id,
password=bad_password)
# The user account must be locked, so now it is not possible to login
# even using the correct password
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token.auth,
user_id=self.user_id,
password=password)
# If we wait the required time, the user account will be unlocked
time.sleep(CONF.identity.user_lockout_duration + 1)
self.non_admin_token.auth(user_id=self.user_id, password=password)
def setup_user_client(self, project_id=None):
"""Set up project user with its own client.
This is useful for testing protection of resources in separate
projects.
Returns a client object and the user's ID.
"""
user_dict = {
'name': data_utils.rand_name('user'),
'password': data_utils.rand_password(),
}
user_id = self.os_system_admin.users_v3_client.create_user(
**user_dict)['user']['id']
self.addCleanup(self.os_system_admin.users_v3_client.delete_user,
user_id)
if not project_id:
project_id = self.os_system_admin.projects_client.create_project(
data_utils.rand_name())['project']['id']
self.addCleanup(
self.os_system_admin.projects_client.delete_project,
project_id)
member_role_id = self.os_system_admin.roles_v3_client.list_roles(
name='member')['roles'][0]['id']
self.os_system_admin.roles_v3_client.create_user_role_on_project(
project_id, user_id, member_role_id)
creds = auth.KeystoneV3Credentials(user_id=user_id,
password=user_dict['password'],
project_id=project_id)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
client = clients.Manager(credentials=creds)
return client
def test_associate_user_to_project(self):
# Associate a user to a project
# Create a Project
project = self.setup_test_project()
# Create a User
u_name = data_utils.rand_name('user')
u_desc = u_name + 'description'
u_email = u_name + '@testmail.tm'
u_password = data_utils.rand_password()
user = self.users_client.create_user(name=u_name,
description=u_desc,
password=u_password,
email=u_email,
project_id=project['id'])['user']
# Delete the User at the end of this method
self.addCleanup(self.users_client.delete_user, user['id'])
# Get User To validate the user details
new_user_get = self.users_client.show_user(user['id'])['user']
# Assert response body of GET
self.assertEqual(u_name, new_user_get['name'])
self.assertEqual(u_desc, new_user_get['description'])
self.assertEqual(project['id'], new_user_get['project_id'])
self.assertEqual(u_email, new_user_get['email'])
def test_authentication_with_invalid_username(self):
# Non-existent user's token should not get authenticated
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
'junkuser123', password, tenant['name'])
def create_trustor_and_roles(self):
# create a project that trusts will be granted on
trustor_project_name = data_utils.rand_name(name='project')
project = self.projects_client.create_project(
trustor_project_name,
domain_id=CONF.identity.default_domain_id)['project']
self.trustor_project_id = project['id']
self.assertIsNotNone(self.trustor_project_id)
# Create a trustor User
trustor_username = data_utils.rand_name('user')
u_desc = trustor_username + 'description'
u_email = trustor_username + '@testmail.xx'
trustor_password = data_utils.rand_password()
user = self.users_client.create_user(
name=trustor_username,
description=u_desc,
password=trustor_password,
email=u_email,
project_id=self.trustor_project_id,
domain_id=CONF.identity.default_domain_id)['user']
self.trustor_user_id = user['id']
# And two roles, one we'll delegate and one we won't
self.delegated_role = data_utils.rand_name('DelegatedRole')
self.not_delegated_role = data_utils.rand_name('NotDelegatedRole')
role = self.roles_client.create_role(name=self.delegated_role)['role']
self.delegated_role_id = role['id']
role = self.roles_client.create_role(
name=self.not_delegated_role)['role']
self.not_delegated_role_id = role['id']
# Assign roles to trustor
self.roles_client.create_user_role_on_project(
self.trustor_project_id,
self.trustor_user_id,
self.delegated_role_id)
self.roles_client.create_user_role_on_project(
self.trustor_project_id,
self.trustor_user_id,
self.not_delegated_role_id)
# Get trustee user ID, use the demo user
trustee_username = self.non_admin_client.user
self.trustee_user_id = self.get_user_by_name(trustee_username)['id']
self.assertIsNotNone(self.trustee_user_id)
# Initialize a new client with the trustor credentials
creds = common_creds.get_credentials(
identity_version='v3',
username=trustor_username,
password=trustor_password,
user_domain_id=CONF.identity.default_domain_id,
tenant_name=trustor_project_name,
project_domain_id=CONF.identity.default_domain_id,
domain_id=CONF.identity.default_domain_id)
os = clients.Manager(credentials=creds)
self.trustor_client = os.trusts_client
def recreate_server(cls, server_id, validatable=False, **kwargs):
"""Destroy an existing class level server and creates a new one
Some test classes use a test server that can be used by multiple
tests. This is done to optimise runtime and test load.
If something goes wrong with the test server, it can be rebuilt
using this helper.
This helper can also be used for the initial provisioning if no
server_id is specified.
:param server_id: UUID of the server to be rebuilt. If None is
specified, a new server is provisioned.
:param validatable: whether to the server needs to be
validatable. When True, validation resources are acquired via
the `get_class_validation_resources` helper.
:param kwargs: extra paramaters are passed through to the
`create_test_server` call.
:return: the UUID of the created server.
"""
if server_id:
cls.delete_server(server_id)
cls.password = data_utils.rand_password()
server = cls.create_test_server(
validatable,
validation_resources=cls.get_class_validation_resources(
cls.os_primary),
wait_until='ACTIVE',
adminPass=cls.password,
**kwargs)
return server['id']
def test_user_update_own_password(self):
"""test updating user's own password via v2 API"""
old_pass = self.creds.password
old_token = self.non_admin_users_client.token
new_pass = data_utils.rand_password()
user_id = self.creds.user_id
# to change password back. important for use_dynamic_credentials=false
self.addCleanup(self._restore_password, user_id, old_pass, new_pass)
# user updates own password
self._update_password(
user_id, original_password=old_pass, password=new_pass)
# authorize with old token should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth_token,
old_token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth,
self.username,
old_pass,
self.tenant_name)
def resource_setup(cls):
super(RolesV3TestJSON, cls).resource_setup()
cls.roles = list()
for _ in range(3):
role_name = data_utils.rand_name(name='role')
role = cls.roles_client.create_role(name=role_name)['role']
cls.roles.append(role)
u_name = data_utils.rand_name('user')
u_desc = '%s description' % u_name
u_email = '*****@*****.**' % u_name
cls.u_password = data_utils.rand_password()
cls.domain = cls.create_domain()
cls.project = cls.projects_client.create_project(
data_utils.rand_name('project'),
description=data_utils.rand_name('project-desc'),
domain_id=cls.domain['id'])['project']
cls.group_body = cls.groups_client.create_group(
name=data_utils.rand_name('Group'), project_id=cls.project['id'],
domain_id=cls.domain['id'])['group']
cls.user_body = cls.users_client.create_user(
name=u_name, description=u_desc, password=cls.u_password,
email=u_email, project_id=cls.project['id'],
domain_id=cls.domain['id'])['user']
cls.role = cls.roles_client.create_role(
name=data_utils.rand_name('Role'))['role']
def test_authentication_with_invalid_tenant(self):
# User's token for an invalid tenant should not be authenticated
password = data_utils.rand_password()
user = self.setup_test_user(password)
self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
user['name'],
password,
'junktenant1234')
def _rebuild_server(self, server_id):
# Destroy an existing server and creates a new one.
if server_id:
self.delete_server(server_id)
self.password = data_utils.rand_password()
return self.create_test_server(
wait_until='ACTIVE', adminPass=self.password)
def _create_creds(self, admin=False, roles=None):
"""Create credentials with random name.
Creates project and user. When admin flag is True create user
with admin role. Assign user with additional roles (for example
_member_) and roles requested by caller.
:param admin: Flag if to assign to the user admin role
:type admin: bool
:param roles: Roles to assign for the user
:type roles: list
:return: Readonly Credentials with network resources
"""
root = self.name
project_name = data_utils.rand_name(root, prefix=self.resource_prefix)
project_desc = project_name + "-desc"
project = self.creds_client.create_project(
name=project_name, description=project_desc)
# NOTE(andreaf) User and project can be distinguished from the context,
# having the same ID in both makes it easier to match them and debug.
username = project_name
user_password = data_utils.rand_password()
email = data_utils.rand_name(
root, prefix=self.resource_prefix) + "@example.com"
user = self.creds_client.create_user(
username, user_password, project, email)
role_assigned = False
if admin:
self.creds_client.assign_user_role(user, project, self.admin_role)
role_assigned = True
if (self.identity_version == 'v3' and
self.identity_admin_domain_scope):
self.creds_client.assign_user_role_on_domain(
user, self.identity_admin_role)
# Add roles specified in config file
for conf_role in self.extra_roles:
self.creds_client.assign_user_role(user, project, conf_role)
role_assigned = True
# Add roles requested by caller
if roles:
for role in roles:
self.creds_client.assign_user_role(user, project, role)
role_assigned = True
# NOTE(mtreinish) For a user to have access to a project with v3 auth
# it must beassigned a role on the project. So we need to ensure that
# our newly created user has a role on the newly created project.
if self.identity_version == 'v3' and not role_assigned:
try:
self.creds_client.create_user_role('Member')
except lib_exc.Conflict:
LOG.warning('Member role already exists, ignoring conflict.')
self.creds_client.assign_user_role(user, project, 'Member')
creds = self.creds_client.get_credentials(user, project, user_password)
return cred_provider.TestResources(creds)
def test_authentication_for_disabled_user(self):
# Attempt to authenticate for disabled user should fail
password = data_utils.rand_password()
user = self.setup_test_user(password)
self.disable_user(user['name'], user['domain_id'])
self.assertRaises(lib_exc.Unauthorized, self.token.auth,
username=user['name'],
password=password,
user_domain_id=CONF.identity.default_domain_id)
def test_create_user_for_non_existent_domain(self):
# Attempt to create a user in a non-existent domain should fail
u_name = data_utils.rand_name('user')
u_email = u_name + '@testmail.tm'
u_password = data_utils.rand_password()
self.assertRaises(lib_exc.NotFound, self.users_client.create_user,
name=u_name, password=u_password,
email=u_email,
domain_id=data_utils.rand_uuid_hex())
def resource_setup(cls):
super(ServerRescueNegativeTestJSON, cls).resource_setup()
cls.password = data_utils.rand_password()
rescue_password = data_utils.rand_password()
# Server for negative tests
server = cls.create_test_server(adminPass=cls.password,
wait_until='BUILD')
resc_server = cls.create_test_server(adminPass=rescue_password,
wait_until='ACTIVE')
cls.server_id = server['id']
cls.rescue_id = resc_server['id']
cls.servers_client.rescue_server(
cls.rescue_id, adminPass=rescue_password)
waiters.wait_for_server_status(cls.servers_client,
cls.rescue_id, 'RESCUE')
waiters.wait_for_server_status(cls.servers_client,
cls.server_id, 'ACTIVE')
def test_create_user_with_duplicate_name(self):
# Duplicate user should not be created
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.assertRaises(lib_exc.Conflict, self.users_client.create_user,
name=user['name'],
password=password,
tenantId=tenant['id'],
email=user['email'])
def test_authentication_when_tenant_is_disabled(self):
# User's token for a disabled tenant should not be authenticated
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
self.disable_tenant(tenant['name'])
self.assertRaises(lib_exc.Unauthorized, self.token_client.auth,
user['name'],
password,
tenant['name'])
def resource_setup(cls):
super(ServerRescueTestBase, cls).resource_setup()
password = data_utils.rand_password()
server = cls.create_test_server(adminPass=password,
wait_until='ACTIVE')
cls.servers_client.rescue_server(server['id'], adminPass=password)
waiters.wait_for_server_status(cls.servers_client, server['id'],
'RESCUE')
cls.rescued_server_id = server['id']
def test_rescue_unrescue_instance(self):
password = data_utils.rand_password()
server = self.create_test_server(adminPass=password,
wait_until='ACTIVE')
self.servers_client.rescue_server(server['id'], adminPass=password)
waiters.wait_for_server_status(self.servers_client, server['id'],
'RESCUE')
self.servers_client.unrescue_server(server['id'])
waiters.wait_for_server_status(self.servers_client, server['id'],
'ACTIVE')
def rebuild_server(cls, server_id, validatable=False, **kwargs):
# Destroy an existing server and creates a new one
if server_id:
cls.delete_server(server_id)
cls.password = data_utils.rand_password()
server = cls.create_test_server(
validatable,
wait_until='ACTIVE',
adminPass=cls.password,
**kwargs)
return server['id']
def test_user_authentication(self):
# Valid user's token is authenticated
password = data_utils.rand_password()
user = self.setup_test_user(password)
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
# Get a token
self.token_client.auth(user['name'],
password,
tenant['name'])
# Re-auth
self.token_client.auth(user['name'],
password,
tenant['name'])
def test_default_project_id(self):
# create a domain
dom_name = data_utils.rand_name('dom')
domain_body = self.domains_client.create_domain(
name=dom_name)['domain']
dom_id = domain_body['id']
self.addCleanup(self._delete_domain, dom_id)
# create a project in the domain
proj_body = self.setup_test_project(domain_id=dom_id)
proj_id = proj_body['id']
self.assertEqual(proj_body['domain_id'], dom_id,
"project " + proj_body['name'] +
"doesn't have domain id " + dom_id)
# create a user in the domain, with the previous project as his
# default project
user_name = data_utils.rand_name('user')
user_pass = data_utils.rand_password()
user_body = self.users_client.create_user(
name=user_name,
password=user_pass,
domain_id=dom_id,
default_project_id=proj_id)['user']
user_id = user_body['id']
self.addCleanup(self.users_client.delete_user, user_id)
self.assertEqual(user_body['domain_id'], dom_id,
"user " + user_name +
"doesn't have domain id " + dom_id)
# get roles and find the admin role
admin_role = self.get_role_by_name(CONF.identity.admin_role)
admin_role_id = admin_role['id']
# grant the admin role to the user on his project
self.roles_client.create_user_role_on_project(proj_id, user_id,
admin_role_id)
# create a new client with user's credentials (NOTE: unscoped token!)
creds = auth.KeystoneV3Credentials(username=user_name,
password=user_pass,
user_domain_name=dom_name)
auth_provider = clients.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
admin_client = clients.Manager(credentials=creds)
# verify the user's token and see that it is scoped to the project
token, _ = admin_client.auth_provider.get_auth()
result = admin_client.identity_v3_client.show_token(token)['token']
self.assertEqual(result['project']['domain']['id'], dom_id)
self.assertEqual(result['project']['id'], proj_id)
def test_user_update_own_password(self):
def _restore_password(client, user_id, old_pass, new_pass):
# Reset auth to get a new token with the new password
client.auth_provider.clear_auth()
client.auth_provider.credentials.password = new_pass
client.update_user_own_password(user_id, password=old_pass,
original_password=new_pass)
# Reset auth again to verify the password restore does work.
# Clear auth restores the original credentials and deletes
# cached auth data
client.auth_provider.clear_auth()
# NOTE(lbragstad): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure we
# are passing the second boundary before attempting to
# authenticate.
time.sleep(1)
client.auth_provider.set_auth()
old_pass = self.creds.password
new_pass = data_utils.rand_password()
user_id = self.creds.user_id
# to change password back. important for allow_tenant_isolation = false
self.addCleanup(_restore_password, self.non_admin_users_client,
user_id, old_pass=old_pass, new_pass=new_pass)
# user updates own password
self.non_admin_users_client.update_user_own_password(
user_id, password=new_pass, original_password=old_pass)
# NOTE(morganfainberg): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure
# we are passing the second boundary.
time.sleep(1)
# check authorization with new password
self.non_admin_token_client.auth(self.username,
new_pass,
self.tenant_name)
# authorize with old token should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth_token,
self.non_admin_users_client.token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth,
self.username,
old_pass,
self.tenant_name)
def create_test_user(self, **kwargs):
if kwargs.get('password', None) is None:
kwargs['password'] = data_utils.rand_password()
if 'name' not in kwargs:
kwargs['name'] = data_utils.rand_name('test_user')
if 'email' not in kwargs:
kwargs['email'] = kwargs['name'] + '@testmail.tm'
user = self.users_client.create_user(**kwargs)['user']
# Delete the user at the end of the test
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.users_client.delete_user, user['id'])
return user
def test_update_user_password(self):
# Creating User to check password updation
u_name = data_utils.rand_name('user')
original_password = data_utils.rand_password()
user = self.users_client.create_user(
name=u_name, password=original_password)['user']
# Delete the User at the end all test methods
self.addCleanup(self.users_client.delete_user, user['id'])
# Update user with new password
new_password = data_utils.rand_password()
self.users_client.update_user_password(
user['id'], password=new_password,
original_password=original_password)
# NOTE(morganfainberg): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure
# we are passing the second boundary.
time.sleep(1)
resp = self.token.auth(user_id=user['id'],
password=new_password).response
subject_token = resp['x-subject-token']
# Perform GET Token to verify and confirm password is updated
token_details = self.client.show_token(subject_token)['token']
self.assertEqual(token_details['user']['id'], user['id'])
self.assertEqual(token_details['user']['name'], u_name)
def generate_resources(opts):
spec = [{'number': 1,
'prefix': 'primary',
'roles': (CONF.auth.tempest_roles +
[CONF.object_storage.operator_role])},
{'number': 1,
'prefix': 'alt',
'roles': (CONF.auth.tempest_roles +
[CONF.object_storage.operator_role])}]
if CONF.service_available.swift:
spec.append({'number': 1,
'prefix': 'swift_operator',
'roles': (CONF.auth.tempest_roles +
[CONF.object_storage.operator_role])})
spec.append({'number': 1,
'prefix': 'swift_reseller_admin',
'roles': (CONF.auth.tempest_roles +
[CONF.object_storage.reseller_admin_role])})
if CONF.service_available.heat:
spec.append({'number': 1,
'prefix': 'stack_owner',
'roles': (CONF.auth.tempest_roles +
[CONF.orchestration.stack_owner_role])})
if opts.admin:
spec.append({
'number': 1,
'prefix': 'admin',
'roles': (CONF.auth.tempest_roles +
[CONF.identity.admin_role])
})
resources = {'tenants': [],
'users': []}
for count in range(opts.concurrency):
for user_group in spec:
users = [random_user_name(opts.tag, user_group['prefix'])
for _ in range(user_group['number'])]
for user in users:
tenant = '-'.join((user, 'tenant'))
resources['tenants'].append(tenant)
resources['users'].append({
'tenant': tenant,
'name': user,
'pass': data_utils.rand_password(),
'prefix': user_group['prefix'],
'roles': user_group['roles']
})
return resources
