def setUpClass(cls):
super(ScenarioPolicyBase, cls).setUpClass()
# auth provider for admin credentials
creds = cred_provider.get_configured_credentials("identity_admin")
auth_prov = tempestmanager.get_auth_provider(creds)
cls.admin_manager.congress_client = policy_client.PolicyClient(auth_prov, "policy", CONF.identity.region)
def resource_setup(cls):
super(ESXNetworksTestJSON, cls).resource_setup()
cls.servers_client = cls.manager.servers_client
cls.networks_client = cls.manager.networks_client
cls.ports_client = cls.manager.ports_client
cls.routers_client = cls.manager.routers_client
cls.subnets_client = cls.manager.subnets_client
cls.floating_ips_client = cls.manager.floating_ips_client
cls.security_groups_client = cls.manager.security_groups_client
cls.security_group_rules_client = (
cls.manager.security_group_rules_client)
cls.creds = cls.os.credentials
cls.user_id = cls.creds.user_id
cls.username = cls.creds.username
cls.password = cls.creds.password
cls.auth_provider = manager.get_auth_provider(cls.creds)
if not test.is_extension_enabled('router', 'network'):
msg = "router extension not enabled."
raise cls.skipException(msg)
cls.ext_net_id = CONF.network.public_network_id
# Create network, subnet, router and add interface
cls.network = cls.create_network()
cls.subnet = cls.create_subnet(cls.network)
cls.tenant_cidr = (CONF.network.project_network_cidr
if cls._ip_version == 4 else
CONF.network.tenant_network_v6_cidr)
cls.router = cls.create_router(data_utils.rand_name('router-'),
external_network_id=cls.ext_net_id,
admin_state_up="true")
cls.create_router_interface(cls.router['id'], cls.subnet['id'])
cls.port = list()
cls.floating_ip = cls.create_floatingip(cls.ext_net_id)
tempest_config.register_options()
def create_client(self, client_type):
creds = credentials.get_configured_admin_credentials('identity_admin')
auth_prov = tempestmanager.get_auth_provider(creds)
return policy_client.PolicyClient(
auth_prov, client_type,
CONF.identity.region)
def resource_setup(cls):
super(ESXNetworksTestJSON, cls).resource_setup()
cls.servers_client = cls.manager.servers_client
cls.networks_client = cls.manager.networks_client
cls.ports_client = cls.manager.ports_client
cls.routers_client = cls.manager.routers_client
cls.subnets_client = cls.manager.subnets_client
cls.floating_ips_client = cls.manager.floating_ips_client
cls.security_groups_client = cls.manager.security_groups_client
cls.security_group_rules_client = (
cls.manager.security_group_rules_client)
cls.creds = cls.os.credentials
cls.user_id = cls.creds.user_id
cls.username = cls.creds.username
cls.password = cls.creds.password
cls.auth_provider = manager.get_auth_provider(cls.creds)
if not test.is_extension_enabled('router', 'network'):
msg = "router extension not enabled."
raise cls.skipException(msg)
cls.ext_net_id = CONF.network.public_network_id
# Create network, subnet, router and add interface
cls.network = cls.create_network()
cls.subnet = cls.create_subnet(cls.network)
cls.tenant_cidr = (CONF.network.project_network_cidr
if cls._ip_version == 4 else
CONF.network.tenant_network_v6_cidr)
cls.router = cls.create_router(data_utils.rand_name('router-'),
external_network_id=cls.ext_net_id,
admin_state_up="true")
cls.create_router_interface(cls.router['id'], cls.subnet['id'])
cls.port = list()
cls.floating_ip = cls.create_floatingip(cls.ext_net_id)
tempest_config.register_options()
def setUp(self):
super(TestCase, self).setUp()
credentials = SolumCredentials()
auth_provider = manager.get_auth_provider(credentials)
self.client = SolumClient(auth_provider)
self.builderclient = SolumClient(auth_provider, 'image_builder')
def setUp(self):
super(TestCase, self).setUp()
credentials = SolumCredentials()
auth_provider = manager.get_auth_provider(credentials)
self.client = SolumClient(auth_provider)
self.builderclient = SolumClient(auth_provider, 'image_builder')
def resource_setup(cls):
super(OVSVAPPTestadminJSON, cls).resource_setup()
cls.creds = cls.os_admin.credentials
cls.user_id = cls.creds.user_id
cls.username = cls.creds.username
cls.password = cls.creds.password
cls.auth_provider = auth_manager.get_auth_provider(
cls.creds.credentials)
cls.ext_net_id = CONF.network.public_network_id
cls.network = cls.create_shared_network()
cls.subnet = cls.create_subnet(cls.network, client=cls.admin_client)
def resource_setup(cls):
super(OVSVAPPTestadminJSON, cls).resource_setup()
cls.creds = cls.os_admin.credentials
cls.user_id = cls.creds.user_id
cls.username = cls.creds.username
cls.password = cls.creds.password
cls.auth_provider = auth_manager.get_auth_provider(
cls.creds.credentials)
cls.ext_net_id = CONF.network.public_network_id
cls.network = cls.create_shared_network()
cls.subnet = cls.create_subnet(cls.network, client=cls.admin_client)
def test_default_project_id(self):
# create a domain
dom_name = data_utils.rand_name('dom')
domain_body = self.domains_client.create_domain(dom_name)['domain']
dom_id = domain_body['id']
self.addCleanup(self._delete_domain, dom_id)
# create a project in the domain
proj_name = data_utils.rand_name('proj')
proj_body = self.projects_client.create_project(
proj_name, domain_id=dom_id)['project']
proj_id = proj_body['id']
self.addCleanup(self.projects_client.delete_project, proj_id)
self.assertEqual(
proj_body['domain_id'], dom_id,
"project " + proj_name + "doesn't have domain id " + dom_id)
# create a user in the domain, with the previous project as his
# default project
user_name = data_utils.rand_name('user')
user_body = self.users_client.create_user(
user_name,
password=user_name,
domain_id=dom_id,
default_project_id=proj_id)['user']
user_id = user_body['id']
self.addCleanup(self.users_client.delete_user, user_id)
self.assertEqual(
user_body['domain_id'], dom_id,
"user " + user_name + "doesn't have domain id " + dom_id)
# get roles and find the admin role
admin_role = self.get_role_by_name(CONF.identity.admin_role)
admin_role_id = admin_role['id']
# grant the admin role to the user on his project
self.roles_client.assign_user_role_on_project(proj_id, user_id,
admin_role_id)
# create a new client with user's credentials (NOTE: unscoped token!)
creds = auth.KeystoneV3Credentials(username=user_name,
password=user_name,
user_domain_name=dom_name)
auth_provider = manager.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
admin_client = clients.Manager(credentials=creds)
# verify the user's token and see that it is scoped to the project
token, auth_data = admin_client.auth_provider.get_auth()
result = admin_client.identity_v3_client.show_token(token)['token']
self.assertEqual(result['project']['domain']['id'], dom_id)
self.assertEqual(result['project']['id'], proj_id)
def test_default_project_id(self):
# create a domain
dom_name = data_utils.rand_name('dom')
domain_body = self.domains_client.create_domain(dom_name)['domain']
dom_id = domain_body['id']
self.addCleanup(self._delete_domain, dom_id)
# create a project in the domain
proj_name = data_utils.rand_name('proj')
proj_body = self.projects_client.create_project(
proj_name, domain_id=dom_id)['project']
proj_id = proj_body['id']
self.addCleanup(self.projects_client.delete_project, proj_id)
self.assertEqual(proj_body['domain_id'], dom_id,
"project " + proj_name +
"doesn't have domain id " + dom_id)
# create a user in the domain, with the previous project as his
# default project
user_name = data_utils.rand_name('user')
user_body = self.users_client.create_user(
user_name,
password=user_name,
domain_id=dom_id,
default_project_id=proj_id)['user']
user_id = user_body['id']
self.addCleanup(self.users_client.delete_user, user_id)
self.assertEqual(user_body['domain_id'], dom_id,
"user " + user_name +
"doesn't have domain id " + dom_id)
# get roles and find the admin role
admin_role = self.get_role_by_name(CONF.identity.admin_role)
admin_role_id = admin_role['id']
# grant the admin role to the user on his project
self.roles_client.assign_user_role_on_project(proj_id, user_id,
admin_role_id)
# create a new client with user's credentials (NOTE: unscoped token!)
creds = auth.KeystoneV3Credentials(username=user_name,
password=user_name,
user_domain_name=dom_name)
auth_provider = manager.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
admin_client = clients.Manager(credentials=creds)
# verify the user's token and see that it is scoped to the project
token, auth_data = admin_client.auth_provider.get_auth()
result = admin_client.identity_v3_client.show_token(token)['token']
self.assertEqual(result['project']['domain']['id'], dom_id)
self.assertEqual(result['project']['id'], proj_id)
def test_user_update_own_password(self):
self.new_creds = copy.copy(self.creds.credentials)
self.new_creds.password = data_utils.rand_password()
# we need new non-admin Identity Client with new credentials, since
# current non_admin_client token will be revoked after updating
# password
self.non_admin_client_for_cleanup = copy.copy(self.non_admin_client)
self.non_admin_client_for_cleanup.auth_provider = (
manager.get_auth_provider(self.new_creds))
user_id = self.creds.credentials.user_id
old_pass = self.creds.credentials.password
new_pass = self.new_creds.password
# to change password back. important for allow_tenant_isolation = false
self.addCleanup(
self.non_admin_client_for_cleanup.update_user_own_password,
user_id=user_id,
new_pass=old_pass,
old_pass=new_pass)
# user updates own password
resp = self.non_admin_client.update_user_own_password(
user_id=user_id, new_pass=new_pass, old_pass=old_pass)['access']
# TODO(lbragstad): Sleeping after the response status has been checked
# and the body loaded as JSON allows requests to fail-fast. The sleep
# is necessary because keystone will err on the side of security and
# invalidate tokens within a small margin of error (within the same
# wall clock second) after a revocation event is issued (such as a
# password change). Remove this once keystone and Fernet support
# sub-second precision.
time.sleep(1)
# check authorization with new token
self.non_admin_token_client.auth_token(resp['token']['id'])
# check authorization with new password
self.non_admin_token_client.auth(self.username,
new_pass,
self.tenant_name)
# authorize with old token should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth_token,
self.non_admin_client.token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth,
self.username,
old_pass,
self.tenant_name)
def test_user_update_own_password(self):
self.new_creds = copy.copy(self.creds.credentials)
self.new_creds.password = data_utils.rand_password()
# we need new non-admin Identity Client with new credentials, since
# current non_admin_client token will be revoked after updating
# password
self.non_admin_client_for_cleanup = copy.copy(self.non_admin_client)
self.non_admin_client_for_cleanup.auth_provider = (
manager.get_auth_provider(self.new_creds))
user_id = self.creds.credentials.user_id
old_pass = self.creds.credentials.password
new_pass = self.new_creds.password
# to change password back. important for allow_tenant_isolation = false
self.addCleanup(
self.non_admin_client_for_cleanup.update_user_own_password,
user_id=user_id,
new_pass=old_pass,
old_pass=new_pass)
# user updates own password
resp = self.non_admin_client.update_user_own_password(
user_id=user_id, new_pass=new_pass, old_pass=old_pass)['access']
# TODO(lbragstad): Sleeping after the response status has been checked
# and the body loaded as JSON allows requests to fail-fast. The sleep
# is necessary because keystone will err on the side of security and
# invalidate tokens within a small margin of error (within the same
# wall clock second) after a revocation event is issued (such as a
# password change). Remove this once keystone and Fernet support
# sub-second precision.
time.sleep(1)
# check authorization with new token
self.non_admin_token_client.auth_token(resp['token']['id'])
# check authorization with new password
self.non_admin_token_client.auth(self.username, new_pass,
self.tenant_name)
# authorize with old token should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth_token,
self.non_admin_client.token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth, self.username,
old_pass, self.tenant_name)
def _fetch_cluster_in_use_from_server(self, server_id):
region = CONF.compute.region
auth_provider = manager.get_auth_provider(self.creds.credentials)
endpoint_type = CONF.compute.endpoint_type
build_interval = CONF.compute.build_interval
build_timeout = CONF.compute.build_timeout
disable_ssl_cert = CONF.identity.disable_ssl_certificate_validation
ca_certs = CONF.identity.ca_certificates_file
rs_client = rest_client.RestClient(auth_provider, "compute", region,
endpoint_type, build_interval,
build_timeout, disable_ssl_cert,
ca_certs)
resp, body = rs_client.get("servers/%s" % str(server_id))
body = jsonutils.loads(body)
cst_name = body['server']['OS-EXT-SRV-ATTR:hypervisor_hostname']
return cst_name[cst_name.index("(") + 1:cst_name.rindex(")")]
def get_server_ip(self, server_id, net_name):
region = CONF.compute.region
auth_provider = manager.get_auth_provider(self.creds.credentials)
endpoint_type = CONF.compute.endpoint_type
build_interval = CONF.compute.build_interval
build_timeout = CONF.compute.build_timeout
disable_ssl_cert = CONF.identity.disable_ssl_certificate_validation
ca_certs = CONF.identity.ca_certificates_file
rs_client = rest_client.RestClient(auth_provider, "compute", region,
endpoint_type, build_interval,
build_timeout, disable_ssl_cert,
ca_certs)
resp, body = rs_client.get("servers/%s" % str(server_id))
body = jsonutils.loads(body)
ipaddress = body['server']['addresses'][net_name][0]['addr']
return ipaddress
def setUpClass(cls):
super(ScenarioPolicyBase, cls).setUpClass()
# auth provider for admin credentials
creds = credentials.get_configured_admin_credentials('identity_admin')
auth_prov = tempestmanager.get_auth_provider(creds)
cls.admin_manager.congress_client = policy_client.PolicyClient(
auth_prov, "policy", CONF.identity.region)
if getattr(CONF.service_available, 'ceilometer', False):
import ceilometer.tests.tempest.service.client as telemetry_client
cls.admin_manager.telemetry_client = (
telemetry_client.TelemetryClient(
auth_prov, CONF.telemetry.catalog_type,
CONF.identity.region,
endpoint_type=CONF.telemetry.endpoint_type))
def get_server_ip(self, server_id, net_name):
region = CONF.compute.region
auth_provider = manager.get_auth_provider(self.creds)
endpoint_type = CONF.compute.endpoint_type
build_interval = CONF.compute.build_interval
build_timeout = CONF.compute.build_timeout
disable_ssl_cert = CONF.identity.disable_ssl_certificate_validation
ca_certs = CONF.identity.ca_certificates_file
rs_client = rest_client.RestClient(auth_provider, "compute",
region, endpoint_type,
build_interval, build_timeout,
disable_ssl_cert,
ca_certs)
resp, body = rs_client.get("servers/%s" % str(server_id))
body = jsonutils.loads(body)
ipaddress = body['server']['addresses'][net_name][0]['addr']
return ipaddress
def _fetch_cluster_in_use_from_server(self, server_id):
region = CONF.compute.region
auth_provider = manager.get_auth_provider(self.creds.credentials)
endpoint_type = CONF.compute.endpoint_type
build_interval = CONF.compute.build_interval
build_timeout = CONF.compute.build_timeout
disable_ssl_cert = CONF.identity.disable_ssl_certificate_validation
ca_certs = CONF.identity.ca_certificates_file
rs_client = rest_client.RestClient(auth_provider, "compute",
region, endpoint_type,
build_interval, build_timeout,
disable_ssl_cert,
ca_certs)
resp, body = rs_client.get("servers/%s" % str(server_id))
body = jsonutils.loads(body)
cst_name = body['server']['OS-EXT-SRV-ATTR:hypervisor_hostname']
return cst_name[cst_name.index("(") + 1:cst_name.rindex(")")]
def test_user_update_own_password(self):
self.new_creds = copy.copy(self.creds.credentials)
self.new_creds.password = data_utils.rand_password()
# we need new non-admin Identity V3 Client with new credentials, since
# current non_admin_users_client token will be revoked after updating
# password
self.non_admin_users_client_for_cleanup = (
copy.copy(self.non_admin_users_client))
self.non_admin_users_client_for_cleanup.auth_provider = (
manager.get_auth_provider(self.new_creds))
user_id = self.creds.credentials.user_id
old_pass = self.creds.credentials.password
new_pass = self.new_creds.password
# to change password back. important for allow_tenant_isolation = false
self.addCleanup(
self.non_admin_users_client_for_cleanup.update_user_password,
user_id,
password=old_pass,
original_password=new_pass)
# user updates own password
self.non_admin_users_client.update_user_password(
user_id, password=new_pass, original_password=old_pass)
# NOTE(morganfainberg): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure
# we are passing the second boundary.
time.sleep(1)
# check authorization with new password
self.non_admin_token.auth(user_id=self.user_id, password=new_pass)
# authorize with old token should lead to IdentityError (404 code)
self.assertRaises(exceptions.IdentityError,
self.non_admin_token.auth,
token=self.non_admin_client.token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token.auth,
user_id=self.user_id,
password=old_pass)
def test_user_update_own_password(self):
self.new_creds = copy.copy(self.creds.credentials)
self.new_creds.password = data_utils.rand_password()
# we need new non-admin Identity V3 Client with new credentials, since
# current non_admin_users_client token will be revoked after updating
# password
self.non_admin_users_client_for_cleanup = (
copy.copy(self.non_admin_users_client))
self.non_admin_users_client_for_cleanup.auth_provider = (
manager.get_auth_provider(self.new_creds))
user_id = self.creds.credentials.user_id
old_pass = self.creds.credentials.password
new_pass = self.new_creds.password
# to change password back. important for allow_tenant_isolation = false
self.addCleanup(
self.non_admin_users_client_for_cleanup.update_user_password,
user_id,
password=old_pass,
original_password=new_pass)
# user updates own password
self.non_admin_users_client.update_user_password(
user_id, password=new_pass, original_password=old_pass)
# NOTE(morganfainberg): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure
# we are passing the second boundary.
time.sleep(1)
# check authorization with new password
self.non_admin_token.auth(user_id=self.user_id, password=new_pass)
# authorize with old token should lead to IdentityError (404 code)
self.assertRaises(exceptions.IdentityError,
self.non_admin_token.auth,
token=self.non_admin_client.token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token.auth,
user_id=self.user_id,
password=old_pass)
def test_user_update_own_password(self):
self.new_creds = copy.copy(self.creds.credentials)
self.new_creds.password = data_utils.rand_password()
# we need new non-admin Identity Client with new credentials, since
# current non_admin_client token will be revoked after updating
# password
self.non_admin_client_for_cleanup = copy.copy(self.non_admin_client)
self.non_admin_client_for_cleanup.auth_provider = (
manager.get_auth_provider(self.new_creds))
user_id = self.creds.credentials.user_id
old_pass = self.creds.credentials.password
new_pass = self.new_creds.password
# to change password back. important for allow_tenant_isolation = false
self.addCleanup(
self.non_admin_client_for_cleanup.update_user_own_password,
user_id=user_id,
new_pass=old_pass,
old_pass=new_pass)
# user updates own password
resp = self.non_admin_client.update_user_own_password(
user_id=user_id, new_pass=new_pass, old_pass=old_pass)
# check authorization with new token
self.non_admin_token_client.auth_token(resp['token']['id'])
# check authorization with new password
self.non_admin_token_client.auth(self.username,
new_pass,
self.tenant_name)
# authorize with old token should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth_token,
self.non_admin_client.token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth,
self.username,
old_pass,
self.tenant_name)
def test_user_update_own_password(self):
self.new_creds = copy.copy(self.creds.credentials)
self.new_creds.password = data_utils.rand_password()
# we need new non-admin Identity Client with new credentials, since
# current non_admin_client token will be revoked after updating
# password
self.non_admin_client_for_cleanup = copy.copy(self.non_admin_client)
self.non_admin_client_for_cleanup.auth_provider = (
manager.get_auth_provider(self.new_creds))
user_id = self.creds.credentials.user_id
old_pass = self.creds.credentials.password
new_pass = self.new_creds.password
# to change password back. important for allow_tenant_isolation = false
self.addCleanup(
self.non_admin_client_for_cleanup.update_user_own_password,
user_id=user_id,
new_pass=old_pass,
old_pass=new_pass)
# user updates own password
resp = self.non_admin_client.update_user_own_password(
user_id=user_id, new_pass=new_pass, old_pass=old_pass)['access']
# check authorization with new token
self.non_admin_token_client.auth_token(resp['token']['id'])
# check authorization with new password
self.non_admin_token_client.auth(self.username, new_pass,
self.tenant_name)
# authorize with old token should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth_token,
self.non_admin_client.token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token_client.auth, self.username,
old_pass, self.tenant_name)
def test_user_update_own_password(self):
self.new_creds = copy.copy(self.creds.credentials)
self.new_creds.password = data_utils.rand_password()
# we need new non-admin Identity V3 Client with new credentials, since
# current non_admin_client token will be revoked after updating
# password
self.non_admin_client_for_cleanup = copy.copy(self.non_admin_client)
self.non_admin_client_for_cleanup.auth_provider = (
manager.get_auth_provider(self.new_creds))
user_id = self.creds.credentials.user_id
old_pass = self.creds.credentials.password
new_pass = self.new_creds.password
# to change password back. important for allow_tenant_isolation = false
self.addCleanup(
self.non_admin_client_for_cleanup.update_user_password,
user_id=user_id,
password=old_pass,
original_password=new_pass)
# user updates own password
self.non_admin_client.update_user_password(
user_id=user_id, password=new_pass, original_password=old_pass)
# check authorization with new password
self.non_admin_token.auth(user_id=self.user_id, password=new_pass)
# authorize with old token should lead to IdentityError (404 code)
self.assertRaises(exceptions.IdentityError,
self.non_admin_token.auth,
token=self.non_admin_client.token)
# authorize with old password should lead to Unauthorized
self.assertRaises(exceptions.Unauthorized,
self.non_admin_token.auth,
user_id=self.user_id,
password=old_pass)
def setUpClass(cls):
super(ScenarioPolicyBase, cls).setUpClass()
# auth provider for admin credentials
creds = credentials.get_configured_admin_credentials('identity_admin')
auth_prov = tempestmanager.get_auth_provider(creds)
cls.setup_required_clients(auth_prov)
def create_client(self, client_type):
creds = credentials.get_configured_admin_credentials('identity_admin')
auth_prov = tempestmanager.get_auth_provider(creds)
return policy_client.PolicyClient(auth_prov, client_type,
CONF.identity.region)
