def test_user_can_list_their_projects(self):
other_project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
user_project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=self.user_id,
project_id=user_project['id']
)
with self.test_client() as c:
r = c.get(
'/v3/users/%s/projects' % self.user_id, headers=self.headers,
)
self.assertEqual(2, len(r.json['projects']))
project_ids = []
for project in r.json['projects']:
project_ids.append(project['id'])
self.assertIn(user_project['id'], project_ids)
self.assertIn(self.bootstrapper.project_id, project_ids)
self.assertNotIn(other_project['id'], project_ids)
def test_delete_domain_hierarchy(self):
"""Call ``DELETE /domains/{domain_id}``."""
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
root_project = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(root_project['id'], root_project)
leaf_project = unit.new_project_ref(
domain_id=domain['id'],
parent_id=root_project['id'])
self.resource_api.create_project(leaf_project['id'], leaf_project)
# Need to disable it first.
self.patch('/domains/%(domain_id)s' % {
'domain_id': domain['id']},
body={'domain': {'enabled': False}})
self.delete(
'/domains/%(domain_id)s' % {
'domain_id': domain['id']})
self.assertRaises(exception.DomainNotFound,
self.resource_api.get_domain,
domain['id'])
self.assertRaises(exception.ProjectNotFound,
self.resource_api.get_project,
root_project['id'])
self.assertRaises(exception.ProjectNotFound,
self.resource_api.get_project,
leaf_project['id'])
def _create_projects_hierarchy(self, hierarchy_size=1):
"""Creates a single-branched project hierarchy with the specified size.
:param hierarchy_size: the desired hierarchy size, default is 1 -
a project with one child.
:returns projects: a list of the projects in the created hierarchy.
"""
new_ref = unit.new_project_ref(domain_id=self.domain_id)
resp = self.post('/projects', body={'project': new_ref})
projects = [resp.result]
for i in range(hierarchy_size):
new_ref = unit.new_project_ref(
domain_id=self.domain_id,
parent_id=projects[i]['project']['id'])
resp = self.post('/projects',
body={'project': new_ref})
self.assertValidProjectResponse(resp, new_ref)
projects.append(resp.result)
return projects
def load_sample_data(self):
self._populate_default_domain()
self.domain = unit.new_domain_ref()
self.domain_id = self.domain['id']
self.resource_api.create_domain(self.domain_id, self.domain)
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.resource_api.create_project(self.project_id, self.project)
self.user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.user_id = self.user['id']
self.default_domain_project_id = uuid.uuid4().hex
self.default_domain_project = unit.new_project_ref(
domain_id=DEFAULT_DOMAIN_ID)
self.default_domain_project['id'] = self.default_domain_project_id
self.resource_api.create_project(self.default_domain_project_id,
self.default_domain_project)
self.default_domain_user = unit.create_user(
self.identity_api,
domain_id=DEFAULT_DOMAIN_ID)
self.default_domain_user_id = self.default_domain_user['id']
# create & grant policy.json's default role for admin_required
self.role = unit.new_role_ref(name='admin')
self.role_id = self.role['id']
self.role_api.create_role(self.role_id, self.role)
self.assignment_api.add_role_to_user_and_project(
self.user_id, self.project_id, self.role_id)
self.assignment_api.add_role_to_user_and_project(
self.default_domain_user_id, self.default_domain_project_id,
self.role_id)
self.assignment_api.add_role_to_user_and_project(
self.default_domain_user_id, self.project_id,
self.role_id)
self.region = unit.new_region_ref()
self.region_id = self.region['id']
self.catalog_api.create_region(self.region)
self.service = unit.new_service_ref()
self.service_id = self.service['id']
self.catalog_api.create_service(self.service_id, self.service.copy())
self.endpoint = unit.new_endpoint_ref(service_id=self.service_id,
interface='public',
region_id=self.region_id)
self.endpoint_id = self.endpoint['id']
self.catalog_api.create_endpoint(self.endpoint_id,
self.endpoint.copy())
# The server adds 'enabled' and defaults to True.
self.endpoint['enabled'] = True
def test_create_project_unsafe(self):
"""Call ``POST /projects with unsafe names``."""
unsafe_name = "i am not / safe"
self.config_fixture.config(group="resource", project_name_url_safe="off")
ref = unit.new_project_ref(name=unsafe_name)
self.post("/projects", body={"project": ref})
self.config_fixture.config(group="resource", project_name_url_safe="new")
ref = unit.new_project_ref(name=unsafe_name)
self.post("/projects", body={"project": ref}, expected_status=http_client.BAD_REQUEST)
def test_storing_null_domain_id_in_project_ref(self):
"""Test the special storage of domain_id=None in sql resource driver.
The resource driver uses a special value in place of None for domain_id
in the project record. This shouldn't escape the driver. Hence we test
the interface to ensure that you can store a domain_id of None, and
that any special value used inside the driver does not escape through
the interface.
"""
spoiler_project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id)
PROVIDERS.resource_api.create_project(
spoiler_project['id'], spoiler_project
)
# First let's create a project with a None domain_id and make sure we
# can read it back.
project = unit.new_project_ref(domain_id=None, is_domain=True)
project = PROVIDERS.resource_api.create_project(project['id'], project)
ref = PROVIDERS.resource_api.get_project(project['id'])
self.assertDictEqual(project, ref)
# Can we get it by name?
ref = PROVIDERS.resource_api.get_project_by_name(project['name'], None)
self.assertDictEqual(project, ref)
# Can we filter for them - create a second domain to ensure we are
# testing the receipt of more than one.
project2 = unit.new_project_ref(domain_id=None, is_domain=True)
project2 = PROVIDERS.resource_api.create_project(
project2['id'], project2
)
hints = driver_hints.Hints()
hints.add_filter('domain_id', None)
refs = PROVIDERS.resource_api.list_projects(hints)
self.assertThat(refs, matchers.HasLength(2 + self.domain_count))
self.assertIn(project, refs)
self.assertIn(project2, refs)
# Can we update it?
project['name'] = uuid.uuid4().hex
PROVIDERS.resource_api.update_project(project['id'], project)
ref = PROVIDERS.resource_api.get_project(project['id'])
self.assertDictEqual(project, ref)
# Finally, make sure we can delete it
project['enabled'] = False
PROVIDERS.resource_api.update_project(project['id'], project)
PROVIDERS.resource_api.delete_project(project['id'])
self.assertRaises(exception.ProjectNotFound,
PROVIDERS.resource_api.get_project,
project['id'])
def test_delete_project(self):
"""Call ``DELETE /projects/{project_id}``
As well as making sure the delete succeeds, we ensure
that any credentials that reference this projects are
also deleted, while other credentials are unaffected.
"""
credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)
self.credential_api.create_credential(credential["id"], credential)
# First check the credential for this project is present
r = self.credential_api.get_credential(credential["id"])
self.assertDictEqual(credential, r)
# Create a second credential with a different project
project2 = unit.new_project_ref(domain_id=self.domain["id"])
self.resource_api.create_project(project2["id"], project2)
credential2 = unit.new_credential_ref(user_id=self.user["id"], project_id=project2["id"])
self.credential_api.create_credential(credential2["id"], credential2)
# Now delete the project
self.delete("/projects/%(project_id)s" % {"project_id": self.project_id})
# Deleting the project should have deleted any credentials
# that reference this project
self.assertRaises(
exception.CredentialNotFound, self.credential_api.get_credential, credential_id=credential["id"]
)
# But the credential for project2 is unaffected
r = self.credential_api.get_credential(credential2["id"])
self.assertDictEqual(credential2, r)
def test_user_can_revoke_grant_from_group_on_project(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
)
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'],
project_id=project['id']
)
with self.test_client() as c:
c.delete(
'/v3/projects/%s/groups/%s/roles/%s' % (
project['id'],
group['id'],
self.bootstrapper.reader_role_id
),
headers=self.headers
)
def test_create_project_unsafe_default(self):
"""Check default for unsafe names for``POST /projects ``."""
unsafe_name = "i am not / safe"
# By default, we should be able to create unsafe names
ref = unit.new_project_ref(name=unsafe_name)
self.post("/projects", body={"project": ref})
def _setup_initial_projects(self):
self.project_id = uuid.uuid4().hex
self.domain_id = CONF.identity.default_domain_id
self.parent_id = uuid.uuid4().hex
# Project with only domain_id in ref
self.project1 = unit.new_project_ref(id=self.project_id, name=self.project_id, domain_id=self.domain_id)
# Project with both domain_id and parent_id in ref
self.project2 = unit.new_project_ref(
id=self.project_id, name=self.project_id, domain_id=self.domain_id, parent_id=self.parent_id
)
# Project with no domain_id and parent_id in ref
self.project3 = unit.new_project_ref(
id=self.project_id, name=self.project_id, domain_id=self.domain_id, parent_id=self.parent_id
)
# Expected result with no domain_id and parent_id
self.expected_project = {"id": self.project_id, "name": self.project_id}
def setUp(self):
super(ProjectMemberTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
self.domain_id = domain['id']
project = unit.new_project_ref(domain_id=self.domain_id)
project = PROVIDERS.resource_api.create_project(project['id'], project)
self.project_id = project['id']
project_member = unit.new_user_ref(domain_id=self.domain_id)
self.user_id = PROVIDERS.identity_api.create_user(project_member)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.member_role_id, user_id=self.user_id,
project_id=self.project_id
)
auth = self.build_authentication_request(
user_id=self.user_id, password=project_member['password'],
project_id=self.project_id,
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_get_catalog_always_returns_service_name(self):
user_id = uuid.uuid4().hex
# create a project since the project should exist if we want to
# filter the catalog by the project or replace the url with a
# valid project id.
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id'])
PROVIDERS.resource_api.create_project(project['id'], project)
# create a service, with a name
named_svc = unit.new_service_ref()
PROVIDERS.catalog_api.create_service(named_svc['id'], named_svc)
self.create_endpoint(service_id=named_svc['id'])
# create a service, with no name
unnamed_svc = unit.new_service_ref(name=None)
del unnamed_svc['name']
PROVIDERS.catalog_api.create_service(unnamed_svc['id'], unnamed_svc)
self.create_endpoint(service_id=unnamed_svc['id'])
catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
named_endpoint = [ep for ep in catalog
if ep['type'] == named_svc['type']][0]
self.assertEqual(named_svc['name'], named_endpoint['name'])
unnamed_endpoint = [ep for ep in catalog
if ep['type'] == unnamed_svc['type']][0]
self.assertEqual('', unnamed_endpoint['name'])
def test_assignment_created_with_project_exists(self):
# test assignment can be created if project already exists.
bootstrap = cli.BootStrap()
bootstrap.resource_manager.create_domain(self.default_domain["id"], self.default_domain)
project_ref = unit.new_project_ref(self.default_domain["id"], name=self.project_name)
bootstrap.resource_manager.create_project(project_ref["id"], project_ref)
self._do_test_bootstrap(bootstrap)
def _create_limit_and_dependencies():
"""Create a limit and its dependencies to test with."""
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
registered_limits = (
PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
)
registered_limit = registered_limits[0]
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
limit = unit.new_limit_ref(
project_id=project['id'], service_id=service['id'],
resource_name=registered_limit['resource_name'],
resource_limit=5, id=uuid.uuid4().hex
)
limits = PROVIDERS.unified_limit_api.create_limits([limit])
return limits
def test_user_cannot_create_limits(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
registered_limit = unit.new_registered_limit_ref(
service_id=service['id'], id=uuid.uuid4().hex
)
registered_limits = (
PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]
)
)
registered_limit = registered_limits[0]
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
create = {
'limits': [
unit.new_limit_ref(
project_id=project['id'], service_id=service['id'],
resource_name=registered_limit['resource_name'],
resource_limit=5
)
]
}
with self.test_client() as c:
c.post(
'/v3/limits', json=create, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_can_check_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
)
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'],
project_id=project['id']
)
with self.test_client() as c:
c.get(
'/v3/projects/%s/groups/%s/roles/%s' % (
project['id'],
group['id'],
self.bootstrapper.reader_role_id
),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)
def test_list_projects_default_domain(self):
"""Test that list projects only returns those in the default domain."""
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
project1 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project1['id'], project1)
# Check the real total number of projects, we should have the:
# - tenants in the default fixtures
# - the project representing the default domain
# - the project representing the domain we created above
# - the project we created above
refs = self.resource_api.list_projects()
self.assertThat(
refs, matchers.HasLength(len(default_fixtures.TENANTS) + 3))
# Now list all projects using the v2 API - we should only get
# back those in the default features, since only those are in the
# default domain.
refs = self.tenant_controller.get_all_projects(_ADMIN_CONTEXT)
self.assertEqual(len(default_fixtures.TENANTS), len(refs['tenants']))
for tenant in default_fixtures.TENANTS:
tenant_copy = tenant.copy()
tenant_copy.pop('domain_id')
tenant_copy.pop('parent_id')
tenant_copy.pop('is_domain')
self.assertIn(tenant_copy, refs['tenants'])
def test_create_project(self):
"""Call ``POST /projects``."""
ref = unit.new_project_ref(domain_id=self.domain_id)
r = self.post(
'/projects',
body={'project': ref})
self.assertValidProjectResponse(r, ref)
def test_create_project_without_parent_id_and_without_domain_id(self):
"""Call ``POST /projects``."""
# Grant a domain role for the user
collection_url = (
'/domains/%(domain_id)s/users/%(user_id)s/roles' % {
'domain_id': self.domain_id,
'user_id': self.user['id']})
member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url,
'role_id': self.role_id}
self.put(member_url)
# Create an authentication request for a domain scoped token
auth = self.build_authentication_request(
user_id=self.user['id'],
password=self.user['password'],
domain_id=self.domain_id)
# Without domain_id and parent_id, the domain_id should be
# normalized to the domain on the token, when using a domain
# scoped token.
ref = unit.new_project_ref()
r = self.post(
'/projects',
auth=auth,
body={'project': ref})
ref['domain_id'] = self.domain['id']
self.assertValidProjectResponse(r, ref)
def test_update_project_does_not_send_disable(self):
project_ref = unit.new_project_ref(domain_id=self.domain_id)
self.resource_api.create_project(project_ref["id"], project_ref)
project_ref["enabled"] = True
self.resource_api.update_project(project_ref["id"], project_ref)
self._assert_last_note(project_ref["id"], UPDATED_OPERATION, "project")
self._assert_notify_not_sent(project_ref["id"], "disabled", "project")
def test_disable_of_disabled_project_does_not_notify(self):
project_ref = unit.new_project_ref(domain_id=self.domain_id, enabled=False)
self.resource_api.create_project(project_ref["id"], project_ref)
# The project_ref above is not changed during the create process. We
# can use the same ref to perform the update.
self.resource_api.update_project(project_ref["id"], project_ref)
self._assert_notify_not_sent(project_ref["id"], "disabled", "project", public=False)
def test_update_project_unsafe_default(self):
"""Check default for unsafe names for``POST /projects ``."""
unsafe_name = "i am not / safe"
# By default, we should be able to create unsafe names
ref = unit.new_project_ref(name=unsafe_name, domain_id=self.domain_id)
del ref["id"]
self.patch("/projects/%(project_id)s" % {"project_id": self.project_id}, body={"project": ref})
def test_user_cannot_create_projects_within_domain(self):
create = {'project': unit.new_project_ref(domain_id=self.domain_id)}
with self.test_client() as c:
c.post(
'/v3/projects', json=create, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_can_delete_projects_within_domain(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=self.domain_id)
)
with self.test_client() as c:
c.delete('/v3/projects/%s' % project['id'], headers=self.headers)
def test_update_project_unsafe(self):
"""Call ``POST /projects/{project_id} with unsafe names``."""
unsafe_name = "i am not / safe"
self.config_fixture.config(group="resource", project_name_url_safe="off")
ref = unit.new_project_ref(name=unsafe_name, domain_id=self.domain_id)
del ref["id"]
self.patch("/projects/%(project_id)s" % {"project_id": self.project_id}, body={"project": ref})
unsafe_name = "i am still not / safe"
self.config_fixture.config(group="resource", project_name_url_safe="new")
ref = unit.new_project_ref(name=unsafe_name, domain_id=self.domain_id)
del ref["id"]
self.patch(
"/projects/%(project_id)s" % {"project_id": self.project_id},
body={"project": ref},
expected_status=http_client.BAD_REQUEST,
)
def test_update_project(self):
"""Call ``PATCH /projects/{project_id}``."""
ref = unit.new_project_ref(domain_id=self.domain_id)
del ref['id']
r = self.patch(
'/projects/%(project_id)s' % {
'project_id': self.project_id},
body={'project': ref})
self.assertValidProjectResponse(r, ref)
def test_create_project_is_domain_not_allowed(self):
"""Call ``POST /projects``.
Setting is_domain=True is not supported yet and should raise
NotImplemented.
"""
ref = unit.new_project_ref(domain_id=self.domain_id, is_domain=True)
self.post("/projects", body={"project": ref}, expected_status=http_client.NOT_IMPLEMENTED)
def test_user_can_list_projects(self):
PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
with self.test_client() as c:
r = c.get('/v3/projects', headers=self.headers)
self.assertEqual(2, len(r.json['projects']))
def test_user_can_create_projects(self):
create = {
'project': unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
}
with self.test_client() as c:
c.post('/v3/projects', json=create, headers=self.headers)
def test_user_can_get_a_project(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
with self.test_client() as c:
r = c.get('/v3/projects/%s' % project['id'], headers=self.headers)
self.assertEqual(project['id'], r.json['project']['id'])
def test_user_can_list_projects_associated_with_endpoint_groups(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id))
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group)
PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group['id'], project['id'])
with self.test_client() as c:
r = c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects' %
endpoint_group['id'],
headers=self.headers)
projects = []
for project in r.json['projects']:
projects.append(project['id'])
self.assertIn(project['id'], projects)
def test_remove_endpoint_group_from_project(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group['id'], project['id'])
with self.test_client() as c:
c.delete('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
% (endpoint_group['id'], project['id']),
headers=self.headers
)
def test_user_can_add_endpoint_to_project(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint
)
with self.test_client() as c:
c.put('/v3/OS-EP-FILTER/projects/%s/endpoints/%s'
% (project['id'], endpoint['id']),
headers=self.headers,
expected_status_code=http.client.NO_CONTENT)
def test_user_can_check_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id))
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id))
PROVIDERS.assignment_api.create_grant(self.bootstrapper.reader_role_id,
group_id=group['id'],
project_id=project['id'])
with self.test_client() as c:
c.get(
'/v3/projects/%s/groups/%s/roles/%s' %
(project['id'], group['id'], self.bootstrapper.reader_role_id),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT)
def test_user_cannot_list_endpoint_groups_with_their_projects(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(
filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group['id'], project['id'])
with self.test_client() as c:
c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups'
% project['id'],
headers=self.headers,
expected_status_code=http.client.FORBIDDEN)
def setUp(self):
super(ProjectAdminTests, self).setUp()
self.loadapp()
self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
self.policy_file_name = self.policy_file.file_name
self.useFixture(
ksfixtures.Policy(
self.config_fixture, policy_file=self.policy_file_name
)
)
self._override_policy()
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
self.domain_id = domain['id']
project_admin = unit.new_user_ref(domain_id=self.domain_id)
project_admin_id = PROVIDERS.identity_api.create_user(
project_admin
)['id']
project = unit.new_project_ref(domain_id=self.domain_id)
project_id = PROVIDERS.resource_api.create_project(
project['id'], project
)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.admin_role_id, user_id=project_admin_id,
project_id=project_id
)
auth = self.build_authentication_request(
user_id=project_admin_id,
password=project_admin['password'],
project_id=project_id
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_get_catalog_ignores_endpoints_with_invalid_urls(self):
user_id = uuid.uuid4().hex
# create a project since the project should exist if we want to
# filter the catalog by the project or replace the url with a
# valid project id.
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id'])
PROVIDERS.resource_api.create_project(project['id'], project)
# the only endpoint in the catalog is the one created in setUp
catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertEqual(1, len(catalog[0]['endpoints']))
# it's also the only endpoint in the backend
self.assertEqual(1, len(PROVIDERS.catalog_api.list_endpoints()))
# create a new, invalid endpoint - malformed type declaration
self.create_endpoint(self.service_id,
url='http://keystone/%(project_id)')
# create a new, invalid endpoint - nonexistent key
self.create_endpoint(self.service_id,
url='http://keystone/%(you_wont_find_me)s')
# verify that the invalid endpoints don't appear in the catalog
catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertEqual(1, len(catalog[0]['endpoints']))
# all three appear in the backend
self.assertEqual(3, len(PROVIDERS.catalog_api.list_endpoints()))
# create another valid endpoint - project_id will be replaced
self.create_endpoint(self.service_id,
url='http://keystone/%(project_id)s')
# there are two valid endpoints, positive check
catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertThat(catalog[0]['endpoints'], matchers.HasLength(2))
# If the URL has no 'project_id' to substitute, we will skip the
# endpoint which contains this kind of URL, negative check.
project_id = None
catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project_id)
self.assertThat(catalog[0]['endpoints'], matchers.HasLength(1))
def test_user_can_list_projects_for_endpoint(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id))
service = PROVIDERS.catalog_api.create_service(uuid.uuid4().hex,
unit.new_service_ref())
endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint)
PROVIDERS.catalog_api.add_endpoint_to_project(endpoint['id'],
project['id'])
with self.test_client() as c:
r = c.get('/v3/OS-EP-FILTER/endpoints/%s/projects' %
endpoint['id'],
headers=self.headers)
for project_itr in r.json['projects']:
self.assertIn(project['id'], project_itr['id'])
def test_user_can_get_their_ec2_credentials(self):
project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id)
project = PROVIDERS.resource_api.create_project(project['id'], project)
PROVIDERS.assignment_api.create_grant(self.bootstrapper.reader_role_id,
user_id=self.user_id,
project_id=project['id'])
with self.test_client() as c:
r = c.post('/v3/users/%s/credentials/OS-EC2' % self.user_id,
json={'tenant_id': project['id']},
headers=self.headers)
credential_id = r.json['credential']['access']
path = '/v3/users/%s/credentials/OS-EC2/%s' % (self.user_id,
credential_id)
r = c.get(path, headers=self.headers)
self.assertEqual(self.user_id, r.json['credential']['user_id'])
def _create_limits_and_dependencies(domain_id=None):
"""Create limits and its dependencies for testing."""
if not domain_id:
domain_id = CONF.identity.default_domain_id
service = PROVIDERS.catalog_api.create_service(uuid.uuid4().hex,
unit.new_service_ref())
registered_limit = unit.new_registered_limit_ref(service_id=service['id'],
id=uuid.uuid4().hex)
registered_limits = (PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]))
registered_limit = registered_limits[0]
domain_limit = unit.new_limit_ref(
domain_id=domain_id,
service_id=service['id'],
resource_name=registered_limit['resource_name'],
resource_limit=10,
id=uuid.uuid4().hex)
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=domain_id))
project_limit = unit.new_limit_ref(
project_id=project['id'],
service_id=service['id'],
resource_name=registered_limit['resource_name'],
resource_limit=5,
id=uuid.uuid4().hex)
limits = PROVIDERS.unified_limit_api.create_limits(
[domain_limit, project_limit])
project_limit_id = None
domain_limit_id = None
for limit in limits:
if limit.get('domain_id'):
domain_limit_id = limit['id']
else:
project_limit_id = limit['id']
return (project_limit_id, domain_limit_id)
def test_get_catalog_returns_proper_endpoints_with_no_region(self):
service = unit.new_service_ref()
service_id = service['id']
PROVIDERS.catalog_api.create_service(service_id, service)
endpoint = unit.new_endpoint_ref(service_id=service_id, region_id=None)
del endpoint['region_id']
PROVIDERS.catalog_api.create_endpoint(endpoint['id'], endpoint)
# create a project since the project should exist if we want to
# filter the catalog by the project or replace the url with a
# valid project id.
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
project = unit.new_project_ref(domain_id=domain['id'])
PROVIDERS.resource_api.create_project(project['id'], project)
user_id = uuid.uuid4().hex
catalog = PROVIDERS.catalog_api.get_v3_catalog(user_id, project['id'])
self.assertValidCatalogEndpoint(catalog[0]['endpoints'][0],
ref=endpoint)
def test_user_can_list_projects_for_other_users(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id))
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(CONF.identity.default_domain_id,
id=uuid.uuid4().hex))
PROVIDERS.assignment_api.create_grant(self.bootstrapper.reader_role_id,
user_id=user['id'],
project_id=project['id'])
with self.test_client() as c:
r = c.get(
'/v3/users/%s/projects' % user['id'],
headers=self.headers,
)
self.assertEqual(1, len(r.json['projects']))
self.assertEqual(project['id'], r.json['projects'][0]['id'])
def test_user_can_filter_credentials_by_user_for_others(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user_password = user['password']
user = PROVIDERS.identity_api.create_user(user)
project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
project = PROVIDERS.resource_api.create_project(project['id'], project)
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.member_role_id, user_id=user['id'],
project_id=project['id']
)
user_auth = self.build_authentication_request(
user_id=user['id'], password=user_password,
project_id=project['id']
)
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=user_auth)
token_id = r.headers['X-Subject-Token']
headers = {'X-Auth-Token': token_id}
expected_cred_ids = []
for _ in range(2):
create = {
'credential': {
'blob': uuid.uuid4().hex,
'type': uuid.uuid4().hex,
'user_id': user['id']
}
}
r = c.post('/v3/credentials', json=create, headers=headers)
expected_cred_ids.append(r.json['credential']['id'])
with self.test_client() as c:
path = '/v3/credentials?user_id=%s' % user['id']
r = c.get(path, headers=self.headers)
self.assertEqual(2, len(r.json['credentials']))
for credential in r.json['credentials']:
self.assertIn(credential['id'], expected_cred_ids)
self.assertEqual(user['id'], credential['user_id'])
def test_user_cannot_delete_access_rules_for_others(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user = PROVIDERS.identity_api.create_user(user)
project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id)
project = PROVIDERS.resource_api.create_project(project['id'], project)
PROVIDERS.assignment_api.create_grant(self.bootstrapper.member_role_id,
user_id=user['id'],
project_id=project['id'])
access_rule_id = uuid.uuid4().hex
app_cred = {
'id':
uuid.uuid4().hex,
'name':
uuid.uuid4().hex,
'user_id':
user['id'],
'project_id':
project['id'],
'secret':
uuid.uuid4().hex,
'access_rules': [{
'id': access_rule_id,
'service': uuid.uuid4().hex,
'path': uuid.uuid4().hex,
'method': uuid.uuid4().hex[16:]
}]
}
PROVIDERS.application_credential_api.create_application_credential(
app_cred)
PROVIDERS.application_credential_api.delete_application_credential(
app_cred['id'])
with self.test_client() as c:
path = '/v3/users/%s/access_rules/%s' % (user['id'],
access_rule_id)
c.delete(path,
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_update_project_returns_extra(self):
"""This tests for backwards-compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an 'extra' attribute, instead
of on the entity itself; for consistency and backwards compatibility,
those attributes should be included twice.
This behavior is specific to the SQL driver.
"""
arbitrary_key = uuid.uuid4().hex
arbitrary_value = uuid.uuid4().hex
project = unit.new_project_ref(domain_id=DEFAULT_DOMAIN_ID)
project[arbitrary_key] = arbitrary_value
ref = self.resource_api.create_project(project['id'], project)
self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertIsNone(ref.get('extra'))
project['name'] = uuid.uuid4().hex
ref = self.resource_api.update_project(project['id'], project)
self.assertEqual(arbitrary_value, ref[arbitrary_key])
self.assertEqual(arbitrary_value, ref['extra'][arbitrary_key])
def test_user_can_update_credentials_for_others(self):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user_password = user['password']
user = PROVIDERS.identity_api.create_user(user)
project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
project = PROVIDERS.resource_api.create_project(project['id'], project)
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.member_role_id, user_id=user['id'],
project_id=project['id']
)
user_auth = self.build_authentication_request(
user_id=user['id'], password=user_password,
project_id=project['id']
)
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=user_auth)
token_id = r.headers['X-Subject-Token']
headers = {'X-Auth-Token': token_id}
create = {
'credential': {
'blob': uuid.uuid4().hex,
'type': uuid.uuid4().hex,
'user_id': user['id']
}
}
r = c.post('/v3/credentials', json=create, headers=headers)
credential_id = r.json['credential']['id']
with self.test_client() as c:
path = '/v3/credentials/%s' % credential_id
updated_blob = uuid.uuid4().hex
update = {'credential': {'blob': updated_blob}}
r = c.patch(path, json=update, headers=self.headers)
self.assertEqual(updated_blob, r.json['credential']['blob'])
self.assertEqual(user['id'], r.json['credential']['user_id'])
def _create_limit_and_dependencies():
"""Create a limit and its dependencies to test with."""
service = PROVIDERS.catalog_api.create_service(uuid.uuid4().hex,
unit.new_service_ref())
registered_limit = unit.new_registered_limit_ref(service_id=service['id'],
id=uuid.uuid4().hex)
registered_limits = (PROVIDERS.unified_limit_api.create_registered_limits(
[registered_limit]))
registered_limit = registered_limits[0]
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id))
limit = unit.new_limit_ref(project_id=project['id'],
service_id=service['id'],
resource_name=registered_limit['resource_name'],
resource_limit=5,
id=uuid.uuid4().hex)
limits = PROVIDERS.unified_limit_api.create_limits([limit])
return limits
def setUp(self):
super(_TestAppCredBase, self).setUp()
# create a user and project for app cred testing
new_user_ref = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id
)
app_cred_user_ref = PROVIDERS.identity_api.create_user(
new_user_ref
)
self.app_cred_user_id = app_cred_user_ref['id']
self.app_cred_user_password = new_user_ref['password']
app_cred_project_ref = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
self.app_cred_project_id = app_cred_project_ref['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.member_role_id,
user_id=self.app_cred_user_id,
project_id=self.app_cred_project_id
)
def test_list_projects_default_domain(self):
"""Test that list projects only returns those in the default domain."""
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
project1 = unit.new_project_ref(domain_id=domain['id'])
self.resource_api.create_project(project1['id'], project1)
# Check the real total number of projects, we should have the above
# plus those in the default features
refs = self.resource_api.list_projects()
self.assertEqual(len(default_fixtures.TENANTS) + 1, len(refs))
# Now list all projects using the v2 API - we should only get
# back those in the default features, since only those are in the
# default domain.
refs = self.tenant_controller.get_all_projects(_ADMIN_CONTEXT)
self.assertEqual(len(default_fixtures.TENANTS), len(refs['tenants']))
for tenant in default_fixtures.TENANTS:
tenant_copy = tenant.copy()
tenant_copy.pop('domain_id')
tenant_copy.pop('parent_id')
tenant_copy.pop('is_domain')
self.assertIn(tenant_copy, refs['tenants'])
def test_user_cannot_list_projects_for_others(self):
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(
CONF.identity.default_domain_id,
id=uuid.uuid4().hex
)
)
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id']
)
with self.test_client() as c:
c.get(
'/v3/users/%s/projects' % user['id'], headers=self.headers,
expected_status_code=http.client.FORBIDDEN
)
def setUp(self):
super(ProjectUserTestsWithoutEnforceScope, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
# Explicitly set enforce_scope to False to make sure we maintain
# backwards compatibility with project users.
self.config_fixture.config(group='oslo_policy', enforce_scope=False)
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
user = unit.new_user_ref(domain_id=domain['id'])
self.user_id = PROVIDERS.identity_api.create_user(user)['id']
self.project_id = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=domain['id'])
)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.member_role_id, user_id=self.user_id,
project_id=self.project_id
)
auth = self.build_authentication_request(
user_id=self.user_id,
password=user['password'],
project_id=self.project_id
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_validate_project_scoped_token(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id))
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
PROVIDERS.assignment_api.create_grant(self.bootstrapper.reader_role_id,
user_id=user['id'],
project_id=project['id'])
project_auth = self.build_authentication_request(
user_id=user['id'],
password=user['password'],
project_id=project['id'])
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=project_auth)
project_token = r.headers['X-Subject-Token']
with self.test_client() as c:
self.headers['X-Subject-Token'] = project_token
c.get('/v3/auth/tokens', headers=self.headers)
def setUp(self):
super(TrustTests, self).setUp()
self.loadapp()
self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
self.policy_file_name = self.policy_file.file_name
self.useFixture(
ksfixtures.Policy(self.config_fixture,
policy_file=self.policy_file_name))
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
self.domain_id = domain['id']
trustor_user = unit.new_user_ref(domain_id=self.domain_id)
self.trustor_user_id = PROVIDERS.identity_api.create_user(
trustor_user)['id']
trustee_user = unit.new_user_ref(domain_id=self.domain_id)
self.trustee_user_id = PROVIDERS.identity_api.create_user(
trustee_user)['id']
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id))
self.project_id = project['id']
PROVIDERS.assignment_api.create_grant(self.bootstrapper.member_role_id,
user_id=self.trustor_user_id,
project_id=self.project_id)
PROVIDERS.assignment_api.create_grant(self.bootstrapper.member_role_id,
user_id=self.trustee_user_id,
project_id=project['id'])
self.trust_id = uuid.uuid4().hex
self.trust_data = {
'trust': {
'trustor_user_id': self.trustor_user_id,
'trustee_user_id': self.trustee_user_id,
'project_id': self.project_id,
'impersonation': False
},
'roles': [{
"id": self.bootstrapper.member_role_id
}]
}
auth = self.build_authentication_request(
user_id=self.trustor_user_id,
password=trustor_user['password'],
project_id=project['id'])
# Grab a token using the trustor persona we're testing and prepare
# headers for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.trustor_headers = {'X-Auth-Token': self.token_id}
auth = self.build_authentication_request(
user_id=self.trustee_user_id,
password=trustee_user['password'],
project_id=project['id'])
# Grab a token using the trustee persona we're testing and prepare
# headers for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.trustee_headers = {'X-Auth-Token': self.token_id}
def test_get_project_with_subtree_as_ids(self):
"""Call ``GET /projects/{project_id}?subtree_as_ids``.
This test creates a more complex hierarchy to test if the structured
dictionary returned by using the ``subtree_as_ids`` query param
correctly represents the hierarchy.
The hierarchy contains 5 projects with the following structure::
+--A--+
| |
+--B--+ C
| |
D E
"""
projects = self._create_projects_hierarchy(hierarchy_size=2)
# Add another child to projects[0] - it will be projects[3]
new_ref = unit.new_project_ref(domain_id=self.domain_id,
parent_id=projects[0]['project']['id'])
resp = self.post('/projects', body={'project': new_ref})
self.assertValidProjectResponse(resp, new_ref)
projects.append(resp.result)
# Add another child to projects[1] - it will be projects[4]
new_ref = unit.new_project_ref(domain_id=self.domain_id,
parent_id=projects[1]['project']['id'])
resp = self.post('/projects', body={'project': new_ref})
self.assertValidProjectResponse(resp, new_ref)
projects.append(resp.result)
# Query for projects[0] subtree_as_ids
r = self.get('/projects/%(project_id)s?subtree_as_ids' %
{'project_id': projects[0]['project']['id']})
self.assertValidProjectResponse(r, projects[0]['project'])
subtree_as_ids = r.result['project']['subtree']
# The subtree hierarchy from projects[0] should have the following
# structure:
# {
# projects[1]: {
# projects[2]: None,
# projects[4]: None
# },
# projects[3]: None
# }
expected_dict = {
projects[1]['project']['id']: {
projects[2]['project']['id']: None,
projects[4]['project']['id']: None
},
projects[3]['project']['id']: None
}
self.assertDictEqual(expected_dict, subtree_as_ids)
# Now query for projects[1] subtree_as_ids
r = self.get('/projects/%(project_id)s?subtree_as_ids' %
{'project_id': projects[1]['project']['id']})
self.assertValidProjectResponse(r, projects[1]['project'])
subtree_as_ids = r.result['project']['subtree']
# The subtree hierarchy from projects[1] should have the following
# structure:
# {
# projects[2]: None,
# projects[4]: None
# }
expected_dict = {
projects[2]['project']['id']: None,
projects[4]['project']['id']: None
}
self.assertDictEqual(expected_dict, subtree_as_ids)
# Now query for projects[3] subtree_as_ids
r = self.get('/projects/%(project_id)s?subtree_as_ids' %
{'project_id': projects[3]['project']['id']})
self.assertValidProjectResponse(r, projects[3]['project'])
subtree_as_ids = r.result['project']['subtree']
# projects[3] has no subtree, subtree_as_ids must be None
self.assertIsNone(subtree_as_ids)
def test_user_can_create_projects_within_domain(self):
create = {'project': unit.new_project_ref(domain_id=self.domain_id)}
with self.test_client() as c:
c.post('/v3/projects', json=create, headers=self.headers)
def test_validate_v3_token_trust(self):
# Check the trust fields in the token result when use validate_v3_token
# when the token has trust info.
domain_ref = unit.new_domain_ref()
domain_ref = self.resource_api.create_domain(domain_ref['id'],
domain_ref)
user_ref = unit.new_user_ref(domain_ref['id'])
user_ref = self.identity_api.create_user(user_ref)
trustor_user_ref = unit.new_user_ref(domain_ref['id'])
trustor_user_ref = self.identity_api.create_user(trustor_user_ref)
project_ref = unit.new_project_ref(domain_id=domain_ref['id'])
project_ref = self.resource_api.create_project(project_ref['id'],
project_ref)
role_ref = unit.new_role_ref()
role_ref = self.role_api.create_role(role_ref['id'], role_ref)
self.assignment_api.create_grant(role_ref['id'],
user_id=user_ref['id'],
project_id=project_ref['id'])
self.assignment_api.create_grant(role_ref['id'],
user_id=trustor_user_ref['id'],
project_id=project_ref['id'])
trustor_user_id = trustor_user_ref['id']
trustee_user_id = user_ref['id']
trust_ref = unit.new_trust_ref(trustor_user_id,
trustee_user_id,
project_id=project_ref['id'],
role_ids=[
role_ref['id'],
])
trust_ref = self.trust_api.create_trust(trust_ref['id'], trust_ref,
trust_ref['roles'])
method_names = ['password']
token_id, token_data_ = self.token_provider_api.issue_v3_token(
user_ref['id'],
method_names,
project_id=project_ref['id'],
trust=trust_ref)
token_data = self.token_provider_api.validate_v3_token(token_id)
token = token_data['token']
exp_trust_info = {
'id': trust_ref['id'],
'impersonation': False,
'trustee_user': {
'id': user_ref['id'],
},
'trustor_user': {
'id': trustor_user_ref['id'],
},
}
self.assertEqual(exp_trust_info, token['OS-TRUST:trust'])
def load_sample_data(self):
"""Create sample data for password expiry tests.
The test environment will consist of a single domain, containing
a single project. It will create three users and one group.
Each user is going to be given a role assignment on the project
and the domain. Two of the three users are going to be placed into
the group, which won't have any role assignments to either the
project or the domain.
"""
self._populate_default_domain()
self.domain = unit.new_domain_ref()
self.resource_api.create_domain(self.domain['id'], self.domain)
self.domain_id = self.domain['id']
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.project = self.resource_api.create_project(
self.project_id, self.project)
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group['id']
# Creates three users each with password expiration offset
# by one day, starting with the current time frozen.
self.starttime = datetime.datetime.utcnow()
with freezegun.freeze_time(self.starttime):
self.config_fixture.config(group='security_compliance',
password_expires_days=1)
self.user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance',
password_expires_days=2)
self.user2 = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance',
password_expires_days=3)
self.user3 = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.role = unit.new_role_ref(name='admin')
self.role_api.create_role(self.role['id'], self.role)
self.role_id = self.role['id']
# Grant admin role to the users created.
self.assignment_api.create_grant(self.role_id,
user_id=self.user['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user2['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user3['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user['id'],
project_id=self.project_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user2['id'],
project_id=self.project_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user3['id'],
project_id=self.project_id)
# Add the last two users to the group.
self.identity_api.add_user_to_group(self.user2['id'], self.group_id)
self.identity_api.add_user_to_group(self.user3['id'], self.group_id)
def test_user_can_delete_projects_within_domain(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id))
with self.test_client() as c:
c.delete('/v3/projects/%s' % project['id'], headers=self.headers)
def _create_is_domain_project(self):
project = unit.new_project_ref(domain_id='default', is_domain=True)
project_ref = self.resource_api.create_project(project['id'], project)
return self.tenant_controller.v3_to_v2_project(project_ref)
def test_disable_domain(self):
"""Call ``PATCH /domains/{domain_id}`` (set enabled=False)."""
# Create a 2nd set of entities in a 2nd domain
domain2 = unit.new_domain_ref()
self.resource_api.create_domain(domain2['id'], domain2)
project2 = unit.new_project_ref(domain_id=domain2['id'])
self.resource_api.create_project(project2['id'], project2)
user2 = unit.create_user(self.identity_api,
domain_id=domain2['id'],
project_id=project2['id'])
self.assignment_api.add_user_to_project(project2['id'], user2['id'])
# First check a user in that domain can authenticate. The v2 user
# cannot authenticate because they exist outside the default domain.
body = {
'auth': {
'passwordCredentials': {
'userId': user2['id'],
'password': user2['password']
},
'tenantId': project2['id']
}
}
self.admin_request(path='/v2.0/tokens',
method='POST',
body=body,
expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request(
user_id=user2['id'],
password=user2['password'],
project_id=project2['id'])
self.v3_create_token(auth_data)
# Now disable the domain
domain2['enabled'] = False
r = self.patch('/domains/%(domain_id)s' % {'domain_id': domain2['id']},
body={'domain': {
'enabled': False
}})
self.assertValidDomainResponse(r, domain2)
# Make sure the user can no longer authenticate, via
# either API
body = {
'auth': {
'passwordCredentials': {
'userId': user2['id'],
'password': user2['password']
},
'tenantId': project2['id']
}
}
self.admin_request(path='/v2.0/tokens',
method='POST',
body=body,
expected_status=http_client.UNAUTHORIZED)
# Try looking up in v3 by name and id
auth_data = self.build_authentication_request(
user_id=user2['id'],
password=user2['password'],
project_id=project2['id'])
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request(
username=user2['name'],
user_domain_id=domain2['id'],
password=user2['password'],
project_id=project2['id'])
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
