def resource_setup(cls):
super(RolesV3TestJSON, cls).resource_setup()
for _ in range(3):
role_name = data_utils.rand_name(name='role')
role = cls.client.create_role(role_name)['role']
cls.data.v3_roles.append(role)
cls.fetched_role_ids = list()
u_name = data_utils.rand_name('user')
u_desc = '%s description' % u_name
u_email = '*****@*****.**' % u_name
cls.u_password = credentials.get_policy_password()
cls.domain = cls.client.create_domain(
data_utils.rand_name('domain'),
description=data_utils.rand_name('domain-desc'))['domain']
cls.project = cls.client.create_project(
data_utils.rand_name('project'),
description=data_utils.rand_name('project-desc'),
domain_id=cls.domain['id'])['project']
cls.group_body = cls.client.create_group(
data_utils.rand_name('Group'), project_id=cls.project['id'],
domain_id=cls.domain['id'])['group']
cls.user_body = cls.client.create_user(
u_name, description=u_desc, password=cls.u_password,
email=u_email, project_id=cls.project['id'],
domain_id=cls.domain['id'])['user']
cls.role = cls.client.create_role(
data_utils.rand_name('Role'))['role']
def create_trustor_and_roles(self):
# create a project that trusts will be granted on
self.trustor_project_name = data_utils.rand_name(name='project')
project = self.client.create_project(self.trustor_project_name,
domain_id='default')['project']
self.trustor_project_id = project['id']
self.assertIsNotNone(self.trustor_project_id)
# Create a trustor User
self.trustor_username = data_utils.rand_name('user')
u_desc = self.trustor_username + 'description'
u_email = self.trustor_username + '@testmail.xx'
self.trustor_password = credentials.get_policy_password()
user = self.client.create_user(
self.trustor_username,
description=u_desc,
password=self.trustor_password,
email=u_email,
project_id=self.trustor_project_id,
domain_id='default')['user']
self.trustor_user_id = user['id']
# And two roles, one we'll delegate and one we won't
self.delegated_role = data_utils.rand_name('DelegatedRole')
self.not_delegated_role = data_utils.rand_name('NotDelegatedRole')
role = self.client.create_role(self.delegated_role)['role']
self.delegated_role_id = role['id']
role = self.client.create_role(self.not_delegated_role)['role']
self.not_delegated_role_id = role['id']
# Assign roles to trustor
self.client.assign_user_role(self.trustor_project_id,
self.trustor_user_id,
self.delegated_role_id)
self.client.assign_user_role(self.trustor_project_id,
self.trustor_user_id,
self.not_delegated_role_id)
# Get trustee user ID, use the demo user
trustee_username = self.non_admin_client.user
self.trustee_user_id = self.get_user_by_name(trustee_username)['id']
self.assertIsNotNone(self.trustee_user_id)
# Initialize a new client with the trustor credentials
creds = cred_provider.get_credentials(
identity_version='v3',
username=self.trustor_username,
password=self.trustor_password,
user_domain_id='default',
tenant_name=self.trustor_project_name,
project_domain_id='default')
os = clients.Manager(credentials=creds)
self.trustor_client = os.identity_v3_client
def setup_test_user(self):
"""Set up a test user."""
self.setup_test_tenant()
self.test_user = data_utils.rand_name('test_user')
self.test_password = credentials.get_policy_password()
self.test_email = self.test_user + '@testmail.tm'
self.user = self.client.create_user(self.test_user,
self.test_password,
self.tenant['id'],
self.test_email)['user']
self.users.append(self.user)
def setup_test_v3_user(self):
"""Set up a test v3 user."""
self.setup_test_project()
self.test_user = data_utils.rand_name('test_user')
self.test_password = credentials.get_policy_password()
self.test_email = self.test_user + '@testmail.tm'
self.v3_user = self.client.create_user(
self.test_user,
password=self.test_password,
project_id=self.project['id'],
email=self.test_email)['user']
self.v3_users.append(self.v3_user)
def test_list_user_projects(self):
# List the projects that a user has access upon
assigned_project_ids = list()
fetched_project_ids = list()
u_project = self.client.create_project(
data_utils.rand_name('project'),
description=data_utils.rand_name('project-desc'))['project']
# Delete the Project at the end of this method
self.addCleanup(self.client.delete_project, u_project['id'])
# Create a user.
u_name = data_utils.rand_name('user')
u_desc = u_name + 'description'
u_email = u_name + '@testmail.tm'
#u_password = data_utils.rand_name('pass')
# password policy changes
u_password = credentials.get_policy_password()
user_body = self.client.create_user(
u_name, description=u_desc, password=u_password,
email=u_email, enabled=False, project_id=u_project['id'])['user']
# Delete the User at the end of this method
self.addCleanup(self.client.delete_user, user_body['id'])
# Creating Role
role_body = self.client.create_role(
data_utils.rand_name('role'))['role']
# Delete the Role at the end of this method
self.addCleanup(self.client.delete_role, role_body['id'])
user = self.client.get_user(user_body['id'])['user']
role = self.client.get_role(role_body['id'])['role']
for i in range(2):
# Creating project so as to assign role
project_body = self.client.create_project(
data_utils.rand_name('project'),
description=data_utils.rand_name('project-desc'))['project']
project = self.client.get_project(project_body['id'])['project']
# Delete the Project at the end of this method
self.addCleanup(self.client.delete_project, project_body['id'])
# Assigning roles to user on project
self.client.assign_user_role(project['id'],
user['id'],
role['id'])
assigned_project_ids.append(project['id'])
body = self.client.list_user_projects(user['id'])['projects']
for i in body:
fetched_project_ids.append(i['id'])
# verifying the project ids in list
missing_projects =\
[p for p in assigned_project_ids
if p not in fetched_project_ids]
self.assertEqual(0, len(missing_projects),
"Failed to find project %s in fetched list" %
', '.join(m_project for m_project
in missing_projects))
def test_update_user_password(self):
# Creating User to check password updation
u_name = data_utils.rand_name('user')
# original_password = data_utils.rand_name('pass')
original_password = credentials.get_policy_password()
user = self.client.create_user(
u_name, password=original_password)['user']
# Delete the User at the end all test methods
self.addCleanup(self.client.delete_user, user['id'])
# Update user with new password
# new_password = data_utils.rand_name('pass1')
new_password = credentials.get_policy_password()
self.client.update_user_password(user['id'], new_password,
original_password)
resp = self.token.auth(user_id=user['id'],
password=new_password).response
subject_token = resp['x-subject-token']
# Perform GET Token to verify and confirm password is updated
token_details = self.client.get_token(subject_token)['token']
self.assertEqual(resp['x-subject-token'], subject_token)
self.assertEqual(token_details['user']['id'], user['id'])
self.assertEqual(token_details['user']['name'], u_name)
def resource_setup(cls):
super(UsersV3TestJSON, cls).resource_setup()
alt_user = data_utils.rand_name("test_user")
alt_password = credentials.get_policy_password()
cls.alt_email = alt_user + "@testmail.tm"
cls.data.setup_test_domain()
# Create user with Domain
u1_name = data_utils.rand_name("test_user")
cls.domain_enabled_user = cls.client.create_user(
u1_name, password=alt_password, email=cls.alt_email, domain_id=cls.data.domain["id"]
)["user"]
cls.data.v3_users.append(cls.domain_enabled_user)
# Create default not enabled user
u2_name = data_utils.rand_name("test_user")
cls.non_domain_enabled_user = cls.client.create_user(
u2_name, password=alt_password, email=cls.alt_email, enabled=False
)["user"]
cls.data.v3_users.append(cls.non_domain_enabled_user)
def test_list_user_groups(self):
# create a user
user = self.client.create_user(
data_utils.rand_name('User'),
password=credentials.get_policy_password())['user']
self.addCleanup(self.client.delete_user, user['id'])
# create two groups, and add user into them
groups = []
for i in range(2):
name = data_utils.rand_name('Group')
group = self.client.create_group(name)['group']
groups.append(group)
self.addCleanup(self.client.delete_group, group['id'])
self.client.add_group_user(group['id'], user['id'])
# list groups which user belongs to
user_groups = self.client.list_user_groups(user['id'])['groups']
self.assertEqual(sorted(groups), sorted(user_groups))
self.assertEqual(2, len(user_groups))
def resource_setup(cls):
super(CredentialsTestJSON, cls).resource_setup()
cls.projects = list()
cls.creds_list = [['project_id', 'user_id', 'id'],
['access', 'secret']]
u_name = data_utils.rand_name('user')
u_desc = '%s description' % u_name
u_email = '*****@*****.**' % u_name
# changes due to password policy
u_password = credentials.get_policy_password()
for i in range(2):
cls.project = cls.client.create_project(
data_utils.rand_name('project'),
description=data_utils.rand_name('project-desc'))['project']
cls.projects.append(cls.project['id'])
cls.user_body = cls.client.create_user(
u_name, description=u_desc, password=u_password,
email=u_email, project_id=cls.projects[0])['user']
def test_user_update(self):
# Test case to check if updating of user attributes is successful.
# Creating first user
u_name = data_utils.rand_name('user')
u_desc = u_name + 'description'
u_email = u_name + '@testmail.tm'
# u_password = data_utils.rand_name('pass')
# changes due to password policy.
u_password = credentials.get_policy_password()
user = self.client.create_user(
u_name, description=u_desc, password=u_password,
email=u_email, enabled=False)['user']
# Delete the User at the end of this method
self.addCleanup(self.client.delete_user, user['id'])
# Creating second project for updation
project = self.client.create_project(
data_utils.rand_name('project'),
description=data_utils.rand_name('project-desc'))['project']
# Delete the Project at the end of this method
self.addCleanup(self.client.delete_project, project['id'])
# Updating user details with new values
u_name2 = data_utils.rand_name('user2')
u_email2 = u_name2 + '@testmail.tm'
u_description2 = u_name2 + ' description'
update_user = self.client.update_user(
user['id'], name=u_name2, description=u_description2,
project_id=project['id'],
email=u_email2, enabled=False)['user']
self.assertEqual(u_name2, update_user['name'])
self.assertEqual(u_description2, update_user['description'])
self.assertEqual(project['id'],
update_user['project_id'])
self.assertEqual(u_email2, update_user['email'])
self.assertEqual(False, update_user['enabled'])
# GET by id after updation
new_user_get = self.client.get_user(user['id'])['user']
# Assert response body of GET after updation
self.assertEqual(u_name2, new_user_get['name'])
self.assertEqual(u_description2, new_user_get['description'])
self.assertEqual(project['id'],
new_user_get['project_id'])
self.assertEqual(u_email2, new_user_get['email'])
self.assertEqual(False, new_user_get['enabled'])
def test_default_project_id(self):
# create a domain
dom_name = data_utils.rand_name("dom")
domain_body = self.client.create_domain(dom_name)["domain"]
dom_id = domain_body["id"]
self.addCleanup(self._delete_domain, dom_id)
# create a project in the domain
proj_name = data_utils.rand_name("proj")
proj_body = self.client.create_project(proj_name, domain_id=dom_id)["project"]
proj_id = proj_body["id"]
self.addCleanup(self.client.delete_project, proj_id)
self.assertEqual(proj_body["domain_id"], dom_id, "project " + proj_name + "doesn't have domain id " + dom_id)
# create a user in the domain, with the previous project as his
# default project
user_name = data_utils.rand_name("user")
user_password = credentials.get_policy_password()
user_body = self.client.create_user(
user_name, password=user_password, domain_id=dom_id, default_project_id=proj_id
)["user"]
user_id = user_body["id"]
self.addCleanup(self.client.delete_user, user_id)
self.assertEqual(user_body["domain_id"], dom_id, "user " + user_name + "doesn't have domain id " + dom_id)
# get roles and find the admin role
admin_role = self.get_role_by_name(CONF.identity.admin_role)
admin_role_id = admin_role["id"]
# grant the admin role to the user on his project
self.client.assign_user_role_on_project(proj_id, user_id, admin_role_id)
# create a new client with user's credentials (NOTE: unscoped token!)
creds = auth.KeystoneV3Credentials(username=user_name, password=user_password, user_domain_name=dom_name)
auth_provider = manager.get_auth_provider(creds)
creds = auth_provider.fill_credentials()
admin_client = clients.Manager(credentials=creds)
# verify the user's token and see that it is scoped to the project
token, auth_data = admin_client.auth_provider.get_auth()
result = admin_client.identity_v3_client.get_token(token)["token"]
self.assertEqual(result["project"]["domain"]["id"], dom_id)
self.assertEqual(result["project"]["id"], proj_id)
def test_tokens(self):
# Valid user's token is authenticated
# Create a User
u_name = data_utils.rand_name('user')
u_desc = '%s-description' % u_name
u_email = '*****@*****.**' % u_name
u_password = credentials.get_policy_password()
user = self.client.create_user(
u_name, description=u_desc, password=u_password,
email=u_email)['user']
self.addCleanup(self.client.delete_user, user['id'])
# Perform Authentication
resp = self.token.auth(user_id=user['id'],
password=u_password).response
subject_token = resp['x-subject-token']
# Perform GET Token
token_details = self.client.get_token(subject_token)['token']
self.assertEqual(resp['x-subject-token'], subject_token)
self.assertEqual(token_details['user']['id'], user['id'])
self.assertEqual(token_details['user']['name'], u_name)
# Perform Delete Token
self.client.delete_token(subject_token)
self.assertRaises(lib_exc.NotFound, self.client.get_token,
subject_token)
def test_rescope_token(self):
"""Rescope a token.
An unscoped token can be requested, that token can be used to request a
scoped token. The scoped token can be revoked, and the original token
used to get a token in a different project.
"""
# Create a user.
user_name = data_utils.rand_name(name='user')
user_password = credentials.get_policy_password()
user = self.client.create_user(user_name,
password=user_password)['user']
self.addCleanup(self.client.delete_user, user['id'])
# Create a couple projects
project1_name = data_utils.rand_name(name='project')
project1 = self.client.create_project(project1_name)['project']
self.addCleanup(self.client.delete_project, project1['id'])
project2_name = data_utils.rand_name(name='project')
project2 = self.client.create_project(project2_name)['project']
self.addCleanup(self.client.delete_project, project2['id'])
# Create a role
role_name = data_utils.rand_name(name='role')
role = self.client.create_role(role_name)['role']
self.addCleanup(self.client.delete_role, role['id'])
# Grant the user the role on both projects.
self.client.assign_user_role(project1['id'], user['id'],
role['id'])
self.client.assign_user_role(project2['id'], user['id'],
role['id'])
# Get an unscoped token.
token_auth = self.token.auth(user_id=user['id'],
password=user_password)
token_id = token_auth.response['x-subject-token']
orig_expires_at = token_auth['token']['expires_at']
orig_user = token_auth['token']['user']
self.assertIsInstance(token_auth['token']['expires_at'], unicode)
self.assertIsInstance(token_auth['token']['issued_at'], unicode)
self.assertEqual(['password'], token_auth['token']['methods'])
self.assertEqual(user['id'], token_auth['token']['user']['id'])
self.assertEqual(user['name'], token_auth['token']['user']['name'])
self.assertEqual('default',
token_auth['token']['user']['domain']['id'])
self.assertEqual('Default',
token_auth['token']['user']['domain']['name'])
self.assertNotIn('catalog', token_auth['token'])
self.assertNotIn('project', token_auth['token'])
self.assertNotIn('roles', token_auth['token'])
# Use the unscoped token to get a scoped token.
token_auth = self.token.auth(token=token_id,
project_name=project1_name,
project_domain_name='Default')
token1_id = token_auth.response['x-subject-token']
self.assertEqual(orig_expires_at, token_auth['token']['expires_at'],
'Expiration time should match original token')
self.assertIsInstance(token_auth['token']['issued_at'], unicode)
self.assertEqual(set(['password', 'token']),
set(token_auth['token']['methods']))
self.assertEqual(orig_user, token_auth['token']['user'],
'User should match original token')
self.assertIsInstance(token_auth['token']['catalog'], list)
self.assertEqual(project1['id'],
token_auth['token']['project']['id'])
self.assertEqual(project1['name'],
token_auth['token']['project']['name'])
self.assertEqual('default',
token_auth['token']['project']['domain']['id'])
self.assertEqual('Default',
token_auth['token']['project']['domain']['name'])
self.assertEqual(1, len(token_auth['token']['roles']))
self.assertEqual(role['id'], token_auth['token']['roles'][0]['id'])
self.assertEqual(role['name'], token_auth['token']['roles'][0]['name'])
# Revoke the unscoped token.
self.client.delete_token(token1_id)
# Now get another scoped token using the unscoped token.
token_auth = self.token.auth(token=token_id,
project_name=project2_name,
project_domain_name='Default')
self.assertEqual(project2['id'],
token_auth['token']['project']['id'])
self.assertEqual(project2['name'],
token_auth['token']['project']['name'])
