def test_list_users_for_tenant(self): # Return a list of all users for a tenant tenant = self.setup_test_tenant() user_ids = list() fetched_user_ids = list() password1 = data_utils.rand_password() alt_tenant_user1 = data_utils.rand_name('tenant_user1') user1 = self.users_client.create_user(name=alt_tenant_user1, password=password1, tenantId=tenant['id'], email='user1@123')['user'] user_ids.append(user1['id']) # Delete the User at the end of the test self.addCleanup(self.users_client.delete_user, user1['id']) password2 = data_utils.rand_password() alt_tenant_user2 = data_utils.rand_name('tenant_user2') user2 = self.users_client.create_user(name=alt_tenant_user2, password=password2, tenantId=tenant['id'], email='user2@123')['user'] user_ids.append(user2['id']) # Delete the User at the end of the test self.addCleanup(self.users_client.delete_user, user2['id']) # List of users for the respective tenant ID body = (self.tenants_client.list_tenant_users(tenant['id']) ['users']) for i in body: fetched_user_ids.append(i['id']) # verifying the user Id in the list missing_users =\ [user for user in user_ids if user not in fetched_user_ids] self.assertEqual(0, len(missing_users), "Failed to find user %s in fetched list" % ', '.join(m_user for m_user in missing_users))
def test_update_user_password(self): # Creating User to check password updation u_name = data_utils.rand_name('user') original_password = data_utils.rand_password() user = self.client.create_user( u_name, password=original_password)['user'] # Delete the User at the end all test methods self.addCleanup(self.client.delete_user, user['id']) # Update user with new password new_password = data_utils.rand_password() self.client.update_user_password(user['id'], password=new_password, original_password=original_password) # TODO(lbragstad): Sleeping after the response status has been checked # and the body loaded as JSON allows requests to fail-fast. The sleep # is necessary because keystone will err on the side of security and # invalidate tokens within a small margin of error (within the same # wall clock second) after a revocation event is issued (such as a # password change). Remove this once keystone and Fernet support # sub-second precision, see bug 1517697 for more details. time.sleep(1) resp = self.token.auth(user_id=user['id'], password=new_password).response subject_token = resp['x-subject-token'] # Perform GET Token to verify and confirm password is updated token_details = self.client.show_token(subject_token)['token'] self.assertEqual(resp['x-subject-token'], subject_token) self.assertEqual(token_details['user']['id'], user['id']) self.assertEqual(token_details['user']['name'], u_name)
def test_update_user_password(self): # Creating User to check password updation u_name = data_utils.rand_name('user') original_password = data_utils.rand_password() user = self.users_client.create_user( name=u_name, password=original_password)['user'] # Delete the User at the end all test methods self.addCleanup(self.users_client.delete_user, user['id']) # Update user with new password new_password = data_utils.rand_password() self.users_client.update_user_password( user['id'], password=new_password, original_password=original_password) # NOTE(morganfainberg): Fernet tokens are not subsecond aware and # Keystone should only be precise to the second. Sleep to ensure # we are passing the second boundary. time.sleep(1) resp = self.token.auth(user_id=user['id'], password=new_password).response subject_token = resp['x-subject-token'] # Perform GET Token to verify and confirm password is updated token_details = self.client.show_token(subject_token)['token'] self.assertEqual(token_details['user']['id'], user['id']) self.assertEqual(token_details['user']['name'], u_name)
def test_update_user_password(self): # Creating User to check password updation u_name = data_utils.rand_name("user") original_password = data_utils.rand_password() user = self.client.create_user(u_name, password=original_password)["user"] # Delete the User at the end all test methods self.addCleanup(self.client.delete_user, user["id"]) # Update user with new password new_password = data_utils.rand_password() self.client.update_user_password(user["id"], password=new_password, original_password=original_password) # TODO(lbragstad): Sleeping after the response status has been checked # and the body loaded as JSON allows requests to fail-fast. The sleep # is necessary because keystone will err on the side of security and # invalidate tokens within a small margin of error (within the same # wall clock second) after a revocation event is issued (such as a # password change). Remove this once keystone and Fernet support # sub-second precision, see bug 1517697 for more details. time.sleep(1) resp = self.token.auth(user_id=user["id"], password=new_password).response subject_token = resp["x-subject-token"] # Perform GET Token to verify and confirm password is updated token_details = self.client.show_token(subject_token)["token"] self.assertEqual(resp["x-subject-token"], subject_token) self.assertEqual(token_details["user"]["id"], user["id"]) self.assertEqual(token_details["user"]["name"], u_name)
def test_list_users_for_tenant(self): # Return a list of all users for a tenant self.data.setup_test_tenant() user_ids = list() fetched_user_ids = list() password1 = data_utils.rand_password() alt_tenant_user1 = data_utils.rand_name('tenant_user1') user1 = self.client.create_user(alt_tenant_user1, password1, self.data.tenant['id'], 'user1@123')['user'] user_ids.append(user1['id']) self.data.users.append(user1) password2 = data_utils.rand_password() alt_tenant_user2 = data_utils.rand_name('tenant_user2') user2 = self.client.create_user(alt_tenant_user2, password2, self.data.tenant['id'], 'user2@123')['user'] user_ids.append(user2['id']) self.data.users.append(user2) # List of users for the respective tenant ID body = (self.tenants_client.list_tenant_users(self.data.tenant['id']) ['users']) for i in body: fetched_user_ids.append(i['id']) # verifying the user Id in the list missing_users =\ [user for user in user_ids if user not in fetched_user_ids] self.assertEqual(0, len(missing_users), "Failed to find user %s in fetched list" % ', '.join(m_user for m_user in missing_users))
def resource_setup(cls): super(ServerRescueNegativeTestJSON, cls).resource_setup() cls.device = CONF.compute.volume_device_name cls.password = data_utils.rand_password() rescue_password = data_utils.rand_password() # Server for negative tests server = cls.create_test_server(adminPass=cls.password, wait_until="BUILD") resc_server = cls.create_test_server(adminPass=rescue_password, wait_until="ACTIVE") cls.server_id = server["id"] cls.rescue_id = resc_server["id"] cls.servers_client.rescue_server(cls.rescue_id, adminPass=rescue_password) waiters.wait_for_server_status(cls.servers_client, cls.rescue_id, "RESCUE") waiters.wait_for_server_status(cls.servers_client, cls.server_id, "ACTIVE")
def test_get_updated_quotas(self): # Verify that GET shows the updated quota set of project project_name = data_utils.rand_name('cpu_quota_project') project_desc = project_name + '-desc' project = self.identity_utils.create_project(name=project_name, description=project_desc) project_id = project['id'] self.addCleanup(self.identity_utils.delete_project, project_id) self.adm_client.update_quota_set(project_id, ram='5120') quota_set = self.adm_client.show_quota_set(project_id)['quota_set'] self.assertEqual(5120, quota_set['ram']) # Verify that GET shows the updated quota set of user user_name = data_utils.rand_name('cpu_quota_user') password = data_utils.rand_password() email = user_name + '@testmail.tm' user = self.identity_utils.create_user(username=user_name, password=password, project=project, email=email) user_id = user['id'] self.addCleanup(self.identity_utils.delete_user, user_id) self.adm_client.update_quota_set(project_id, user_id=user_id, ram='2048') quota_set = self.adm_client.show_quota_set( project_id, user_id=user_id)['quota_set'] self.assertEqual(2048, quota_set['ram'])
def test_associate_user_to_project(self): # Associate a user to a project # Create a Project p_name = data_utils.rand_name('project') project = self.projects_client.create_project(p_name)['project'] self.data.projects.append(project) # Create a User u_name = data_utils.rand_name('user') u_desc = u_name + 'description' u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() user = self.users_client.create_user( u_name, description=u_desc, password=u_password, email=u_email, project_id=project['id'])['user'] # Delete the User at the end of this method self.addCleanup(self.users_client.delete_user, user['id']) # Get User To validate the user details new_user_get = self.users_client.show_user(user['id'])['user'] # Assert response body of GET self.assertEqual(u_name, new_user_get['name']) self.assertEqual(u_desc, new_user_get['description']) self.assertEqual(project['id'], new_user_get['project_id']) self.assertEqual(u_email, new_user_get['email'])
def test_list_users_with_roles_for_tenant(self): # Return list of users on tenant when roles are assigned to users self.data.setup_test_user() self.data.setup_test_role() user = self.get_user_by_name(self.data.test_user) tenant = self.get_tenant_by_name(self.data.test_tenant) role = self.get_role_by_name(self.data.test_role) # Assigning roles to two users user_ids = list() fetched_user_ids = list() user_ids.append(user['id']) role = self.roles_client.assign_user_role(tenant['id'], user['id'], role['id'])['role'] alt_user2 = data_utils.rand_name('second_user') alt_password2 = data_utils.rand_password() second_user = self.client.create_user(alt_user2, alt_password2, self.data.tenant['id'], 'user2@123')['user'] user_ids.append(second_user['id']) self.data.users.append(second_user) role = self.roles_client.assign_user_role(tenant['id'], second_user['id'], role['id'])['role'] # List of users with roles for the respective tenant ID body = (self.tenants_client.list_tenant_users(self.data.tenant['id']) ['users']) for i in body: fetched_user_ids.append(i['id']) # verifying the user Id in the list missing_users = [missing_user for missing_user in user_ids if missing_user not in fetched_user_ids] self.assertEqual(0, len(missing_users), "Failed to find user %s in fetched list" % ', '.join(m_user for m_user in missing_users))
def test_tokens(self): # Valid user's token is authenticated # Create a User u_name = data_utils.rand_name('user') u_desc = '%s-description' % u_name u_email = '*****@*****.**' % u_name u_password = data_utils.rand_password() user = self.users_client.create_user(name=u_name, description=u_desc, password=u_password, email=u_email)['user'] self.addCleanup(self.users_client.delete_user, user['id']) # Perform Authentication resp = self.token.auth(user_id=user['id'], password=u_password).response subject_token = resp['x-subject-token'] # Perform GET Token token_details = self.client.show_token(subject_token)['token'] self.assertEqual(resp['x-subject-token'], subject_token) self.assertEqual(token_details['user']['id'], user['id']) self.assertEqual(token_details['user']['name'], u_name) # Perform Delete Token self.client.delete_token(subject_token) self.assertRaises(lib_exc.NotFound, self.client.show_token, subject_token)
def test_associate_user_to_project(self): # Associate a user to a project # Create a Project p_name = data_utils.rand_name('project') project = self.projects_client.create_project(p_name)['project'] self.addCleanup(self.projects_client.delete_project, project['id']) # Create a User u_name = data_utils.rand_name('user') u_desc = u_name + 'description' u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() user = self.users_client.create_user(name=u_name, description=u_desc, password=u_password, email=u_email, project_id=project['id'])['user'] # Delete the User at the end of this method self.addCleanup(self.users_client.delete_user, user['id']) # Get User To validate the user details new_user_get = self.users_client.show_user(user['id'])['user'] # Assert response body of GET self.assertEqual(u_name, new_user_get['name']) self.assertEqual(u_desc, new_user_get['description']) self.assertEqual(project['id'], new_user_get['project_id']) self.assertEqual(u_email, new_user_get['email'])
def test_list_users_with_roles_for_tenant(self): # Return list of users on tenant when roles are assigned to users user = self.setup_test_user() tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] role = self.setup_test_role() # Assigning roles to two users user_ids = list() fetched_user_ids = list() user_ids.append(user['id']) role = self.roles_client.create_user_role_on_project( tenant['id'], user['id'], role['id'])['role'] alt_user2 = data_utils.rand_name('second_user') alt_password2 = data_utils.rand_password() second_user = self.users_client.create_user( name=alt_user2, password=alt_password2, tenantId=tenant['id'], email='user2@123')['user'] user_ids.append(second_user['id']) # Delete the User at the end of the test self.addCleanup(self.users_client.delete_user, second_user['id']) role = self.roles_client.create_user_role_on_project( tenant['id'], second_user['id'], role['id'])['role'] # List of users with roles for the respective tenant ID body = (self.tenants_client.list_tenant_users(tenant['id'])['users']) for i in body: fetched_user_ids.append(i['id']) # verifying the user Id in the list missing_users = [missing_user for missing_user in user_ids if missing_user not in fetched_user_ids] self.assertEqual(0, len(missing_users), "Failed to find user %s in fetched list" % ', '.join(m_user for m_user in missing_users))
def _create_test_user(self, **kwargs): username = data_utils.rand_name('test_user') self.user_password = data_utils.rand_password() self.user = self.users_client.create_user( username, password=self.user_password, email=username + '@testmail.tm', **kwargs)['user'] self.users.append(self.user)
def test_authentication_with_invalid_username(self): # Non-existent user's token should not get authenticated password = data_utils.rand_password() user = self.setup_test_user(password) tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] self.assertRaises(lib_exc.Unauthorized, self.token_client.auth, 'junkuser123', password, tenant['name'])
def test_get_tokens(self): # get a token by username and password user_name = data_utils.rand_name(name='user') user_password = data_utils.rand_password() # first:create a tenant tenant_name = data_utils.rand_name(name='tenant') tenant = self.tenants_client.create_tenant(name=tenant_name)['tenant'] tenant_id = tenant['id'] # Delete the tenant at the end of the test self.addCleanup(self.tenants_client.delete_tenant, tenant_id) # second:create a user user = self.users_client.create_user(name=user_name, password=user_password, tenantId=tenant_id, email='')['user'] user_id = user['id'] # Delete the user at the end of the test self.addCleanup(self.users_client.delete_user, user_id) # then get a token for the user body = self.token_client.auth(user=user_name, password=user_password, tenant=tenant_name) self.assertEqual(body['token']['tenant']['name'], tenant_name) # Perform GET Token token_id = body['token']['id'] token_details = self.client.show_token(token_id)['access'] self.assertEqual(token_id, token_details['token']['id']) self.assertEqual(user_id, token_details['user']['id']) self.assertEqual(user_name, token_details['user']['name']) self.assertEqual(tenant_name, token_details['token']['tenant']['name']) # then delete the token self.client.delete_token(token_id)
def test_create_get_delete_token(self): # get a token by username and password user_name = data_utils.rand_name(name='user') user_password = data_utils.rand_password() # first:create a tenant tenant_name = data_utils.rand_name(name='tenant') tenant = self.tenants_client.create_tenant(tenant_name)['tenant'] self.data.tenants.append(tenant) # second:create a user user = self.users_client.create_user(user_name, user_password, tenant['id'], '')['user'] self.data.users.append(user) # then get a token for the user body = self.token_client.auth(user_name, user_password, tenant['name']) self.assertEqual(body['token']['tenant']['name'], tenant['name']) # Perform GET Token token_id = body['token']['id'] token_details = self.client.show_token(token_id)['access'] self.assertEqual(token_id, token_details['token']['id']) self.assertEqual(user['id'], token_details['user']['id']) self.assertEqual(user_name, token_details['user']['name']) self.assertEqual(tenant['name'], token_details['token']['tenant']['name']) # then delete the token self.client.delete_token(token_id)
def test_list_users_with_roles_for_tenant(self): # Return list of users on tenant when roles are assigned to users self.data.setup_test_user() self.data.setup_test_role() user = self.get_user_by_name(self.data.user['name']) tenant = self.get_tenant_by_name(self.data.tenant['name']) role = self.get_role_by_name(self.data.role['name']) # Assigning roles to two users user_ids = list() fetched_user_ids = list() user_ids.append(user['id']) role = self.roles_client.assign_user_role(tenant['id'], user['id'], role['id'])['role'] alt_user2 = data_utils.rand_name('second_user') alt_password2 = data_utils.rand_password() second_user = self.users_client.create_user(alt_user2, alt_password2, self.data.tenant['id'], 'user2@123')['user'] user_ids.append(second_user['id']) self.data.users.append(second_user) role = self.roles_client.assign_user_role(tenant['id'], second_user['id'], role['id'])['role'] # List of users with roles for the respective tenant ID body = (self.tenants_client.list_tenant_users(self.data.tenant['id']) ['users']) for i in body: fetched_user_ids.append(i['id']) # verifying the user Id in the list missing_users = [missing_user for missing_user in user_ids if missing_user not in fetched_user_ids] self.assertEqual(0, len(missing_users), "Failed to find user %s in fetched list" % ', '.join(m_user for m_user in missing_users))
def test_get_updated_quotas(self): # Verify that GET shows the updated quota set of project project_name = data_utils.rand_name('cpu_quota_project') project_desc = project_name + '-desc' project = self.identity_utils.create_project(name=project_name, description=project_desc) project_id = project['id'] self.addCleanup(self.identity_utils.delete_project, project_id) self.adm_client.update_quota_set(project_id, ram='5120') quota_set = self.adm_client.show_quota_set(project_id)['quota_set'] self.assertEqual(5120, quota_set['ram']) # Verify that GET shows the updated quota set of user user_name = data_utils.rand_name('cpu_quota_user') password = data_utils.rand_password() email = user_name + '@testmail.tm' user = self.identity_utils.create_user(username=user_name, password=password, project=project, email=email) if 'user' in user: user = user['user'] user_id = user['id'] self.addCleanup(self.identity_utils.delete_user, user_id) self.adm_client.update_quota_set(project_id, user_id=user_id, ram='2048') quota_set = self.adm_client.show_quota_set( project_id, user_id=user_id)['quota_set'] self.assertEqual(2048, quota_set['ram'])
def test_create_get_delete_token(self): # get a token by username and password user_name = data_utils.rand_name(name='user') user_password = data_utils.rand_password() # first:create a tenant tenant_name = data_utils.rand_name(name='tenant') tenant = self.tenants_client.create_tenant(tenant_name)['tenant'] self.data.tenants.append(tenant) # second:create a user user = self.users_client.create_user(name=user_name, password=user_password, tenantId=tenant['id'], email='')['user'] self.data.users.append(user) # then get a token for the user body = self.token_client.auth(user_name, user_password, tenant['name']) self.assertEqual(body['token']['tenant']['name'], tenant['name']) # Perform GET Token token_id = body['token']['id'] token_details = self.client.show_token(token_id)['access'] self.assertEqual(token_id, token_details['token']['id']) self.assertEqual(user['id'], token_details['user']['id']) self.assertEqual(user_name, token_details['user']['name']) self.assertEqual(tenant['name'], token_details['token']['tenant']['name']) # then delete the token self.client.delete_token(token_id)
def resource_setup(cls): super(RolesV3TestJSON, cls).resource_setup() for _ in range(3): role_name = data_utils.rand_name(name='role') role = cls.roles_client.create_role(name=role_name)['role'] cls.data.roles.append(role) cls.fetched_role_ids = list() u_name = data_utils.rand_name('user') u_desc = '%s description' % u_name u_email = '*****@*****.**' % u_name cls.u_password = data_utils.rand_password() cls.domain = cls.domains_client.create_domain( data_utils.rand_name('domain'), description=data_utils.rand_name('domain-desc'))['domain'] cls.project = cls.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'), domain_id=cls.domain['id'])['project'] cls.group_body = cls.groups_client.create_group( name=data_utils.rand_name('Group'), project_id=cls.project['id'], domain_id=cls.domain['id'])['group'] cls.user_body = cls.users_client.create_user( u_name, description=u_desc, password=cls.u_password, email=u_email, project_id=cls.project['id'], domain_id=cls.domain['id'])['user'] cls.role = cls.roles_client.create_role( name=data_utils.rand_name('Role'))['role']
def resource_setup(cls): super(RolesV3TestJSON, cls).resource_setup() cls.roles = list() for _ in range(3): role_name = data_utils.rand_name(name='role') role = cls.roles_client.create_role(name=role_name)['role'] cls.roles.append(role) cls.fetched_role_ids = list() u_name = data_utils.rand_name('user') u_desc = '%s description' % u_name u_email = '*****@*****.**' % u_name cls.u_password = data_utils.rand_password() cls.domain = cls.domains_client.create_domain( name=data_utils.rand_name('domain'), description=data_utils.rand_name('domain-desc'))['domain'] cls.project = cls.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'), domain_id=cls.domain['id'])['project'] cls.group_body = cls.groups_client.create_group( name=data_utils.rand_name('Group'), project_id=cls.project['id'], domain_id=cls.domain['id'])['group'] cls.user_body = cls.users_client.create_user( name=u_name, description=u_desc, password=cls.u_password, email=u_email, project_id=cls.project['id'], domain_id=cls.domain['id'])['user'] cls.role = cls.roles_client.create_role( name=data_utils.rand_name('Role'))['role']
def test_group_users_add_list_delete(self): name = data_utils.rand_name('Group') group = self.groups_client.create_group( name=name, domain_id=self.data.domain['id'])['group'] self.addCleanup(self.groups_client.delete_group, group['id']) # add user into group users = [] for i in range(3): name = data_utils.rand_name('User') password = data_utils.rand_password() user = self.users_client.create_user(name, password)['user'] users.append(user) self.addCleanup(self.users_client.delete_user, user['id']) self.groups_client.add_group_user(group['id'], user['id']) # list users in group group_users = self.groups_client.list_group_users(group['id'])['users'] self.assertEqual(sorted(users), sorted(group_users)) # check and delete user in group for user in users: self.groups_client.check_group_user_existence( group['id'], user['id']) self.groups_client.delete_group_user(group['id'], user['id']) group_users = self.groups_client.list_group_users(group['id'])['users'] self.assertEqual(len(group_users), 0)
def create_trustor_and_roles(self): # create a project that trusts will be granted on self.trustor_project_name = data_utils.rand_name(name='project') project = self.projects_client.create_project( self.trustor_project_name, domain_id='default')['project'] self.trustor_project_id = project['id'] self.assertIsNotNone(self.trustor_project_id) # Create a trustor User self.trustor_username = data_utils.rand_name('user') u_desc = self.trustor_username + 'description' u_email = self.trustor_username + '@testmail.xx' self.trustor_password = data_utils.rand_password() user = self.users_client.create_user( name=self.trustor_username, description=u_desc, password=self.trustor_password, email=u_email, project_id=self.trustor_project_id, domain_id='default')['user'] self.trustor_user_id = user['id'] # And two roles, one we'll delegate and one we won't self.delegated_role = data_utils.rand_name('DelegatedRole') self.not_delegated_role = data_utils.rand_name('NotDelegatedRole') role = self.roles_client.create_role(name=self.delegated_role)['role'] self.delegated_role_id = role['id'] role = self.roles_client.create_role( name=self.not_delegated_role)['role'] self.not_delegated_role_id = role['id'] # Assign roles to trustor self.roles_client.create_user_role_on_project( self.trustor_project_id, self.trustor_user_id, self.delegated_role_id) self.roles_client.create_user_role_on_project( self.trustor_project_id, self.trustor_user_id, self.not_delegated_role_id) # Get trustee user ID, use the demo user trustee_username = self.non_admin_client.user self.trustee_user_id = self.get_user_by_name(trustee_username)['id'] self.assertIsNotNone(self.trustee_user_id) # Initialize a new client with the trustor credentials creds = common_creds.get_credentials( identity_version='v3', username=self.trustor_username, password=self.trustor_password, user_domain_id='default', tenant_name=self.trustor_project_name, project_domain_id='default', domain_id='default') os = clients.Manager(credentials=creds) self.trustor_client = os.trusts_client
def test_rescope_token(self): """An unscoped token can be requested That token can be used to request a scoped token. """ # Create a user. user_name = data_utils.rand_name(name='user') user_password = data_utils.rand_password() tenant_id = None # No default tenant so will get unscoped token. email = '' user = self.users_client.create_user(name=user_name, password=user_password, tenantId=tenant_id, email=email)['user'] # Delete the user at the end of the test self.addCleanup(self.users_client.delete_user, user['id']) # Create a couple tenants. tenant1_name = data_utils.rand_name(name='tenant') tenant1 = self.tenants_client.create_tenant( name=tenant1_name)['tenant'] # Delete the tenant at the end of the test self.addCleanup(self.tenants_client.delete_tenant, tenant1['id']) tenant2_name = data_utils.rand_name(name='tenant') tenant2 = self.tenants_client.create_tenant( name=tenant2_name)['tenant'] # Delete the tenant at the end of the test self.addCleanup(self.tenants_client.delete_tenant, tenant2['id']) # Create a role role_name = data_utils.rand_name(name='role') role = self.roles_client.create_role(name=role_name)['role'] # Delete the role at the end of the test self.addCleanup(self.roles_client.delete_role, role['id']) # Grant the user the role on the tenants. self.roles_client.create_user_role_on_project(tenant1['id'], user['id'], role['id']) self.roles_client.create_user_role_on_project(tenant2['id'], user['id'], role['id']) # Get an unscoped token. body = self.token_client.auth(user_name, user_password) token_id = body['token']['id'] # Use the unscoped token to get a token scoped to tenant1 body = self.token_client.auth_token(token_id, tenant=tenant1_name) scoped_token_id = body['token']['id'] # Revoke the scoped token self.client.delete_token(scoped_token_id) # Use the unscoped token to get a token scoped to tenant2 body = self.token_client.auth_token(token_id, tenant=tenant2_name)
def create_trustor_and_roles(self): # create a project that trusts will be granted on self.trustor_project_name = data_utils.rand_name(name='project') project = self.projects_client.create_project( self.trustor_project_name, domain_id='default')['project'] self.trustor_project_id = project['id'] self.assertIsNotNone(self.trustor_project_id) # Create a trustor User self.trustor_username = data_utils.rand_name('user') u_desc = self.trustor_username + 'description' u_email = self.trustor_username + '@testmail.xx' self.trustor_password = data_utils.rand_password() user = self.users_client.create_user( name=self.trustor_username, description=u_desc, password=self.trustor_password, email=u_email, project_id=self.trustor_project_id, domain_id='default')['user'] self.trustor_user_id = user['id'] # And two roles, one we'll delegate and one we won't self.delegated_role = data_utils.rand_name('DelegatedRole') self.not_delegated_role = data_utils.rand_name('NotDelegatedRole') role = self.roles_client.create_role(name=self.delegated_role)['role'] self.delegated_role_id = role['id'] role = self.roles_client.create_role( name=self.not_delegated_role)['role'] self.not_delegated_role_id = role['id'] # Assign roles to trustor self.roles_client.assign_user_role_on_project( self.trustor_project_id, self.trustor_user_id, self.delegated_role_id) self.roles_client.assign_user_role_on_project( self.trustor_project_id, self.trustor_user_id, self.not_delegated_role_id) # Get trustee user ID, use the demo user trustee_username = self.non_admin_client.user self.trustee_user_id = self.get_user_by_name(trustee_username)['id'] self.assertIsNotNone(self.trustee_user_id) # Initialize a new client with the trustor credentials creds = common_creds.get_credentials( identity_version='v3', username=self.trustor_username, password=self.trustor_password, user_domain_id='default', tenant_name=self.trustor_project_name, project_domain_id='default', domain_id='default') os = clients.Manager(credentials=creds) self.trustor_client = os.trusts_client
def test_rescope_token(self): """An unscoped token can be requested That token can be used to request a scoped token. """ # Create a user. user_name = data_utils.rand_name(name='user') user_password = data_utils.rand_password() tenant_id = None # No default tenant so will get unscoped token. email = '' user = self.users_client.create_user(name=user_name, password=user_password, tenantId=tenant_id, email=email)['user'] self.data.users.append(user) # Create a couple tenants. tenant1_name = data_utils.rand_name(name='tenant') tenant1 = self.tenants_client.create_tenant( name=tenant1_name)['tenant'] self.data.tenants.append(tenant1) tenant2_name = data_utils.rand_name(name='tenant') tenant2 = self.tenants_client.create_tenant( name=tenant2_name)['tenant'] self.data.tenants.append(tenant2) # Create a role role_name = data_utils.rand_name(name='role') role = self.roles_client.create_role(name=role_name)['role'] self.data.roles.append(role) # Grant the user the role on the tenants. self.roles_client.create_user_role_on_project(tenant1['id'], user['id'], role['id']) self.roles_client.create_user_role_on_project(tenant2['id'], user['id'], role['id']) # Get an unscoped token. body = self.token_client.auth(user_name, user_password) token_id = body['token']['id'] # Use the unscoped token to get a token scoped to tenant1 body = self.token_client.auth_token(token_id, tenant=tenant1_name) scoped_token_id = body['token']['id'] # Revoke the scoped token self.client.delete_token(scoped_token_id) # Use the unscoped token to get a token scoped to tenant2 body = self.token_client.auth_token(token_id, tenant=tenant2_name)
def test_authentication_when_tenant_is_disabled(self): # User's token for a disabled tenant should not be authenticated password = data_utils.rand_password() user = self.setup_test_user(password) tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] self.disable_tenant(tenant['name']) self.assertRaises(lib_exc.Unauthorized, self.token_client.auth, user['name'], password, tenant['name'])
def _create_test_user(self, **kwargs): if kwargs['password'] is None: user_password = data_utils.rand_password() kwargs['password'] = user_password user = self.users_client.create_user(**kwargs)['user'] # Delete the user at the end of the test self.addCleanup(self.users_client.delete_user, user['id']) return user
def _create_test_user(self, **kwargs): self.test_user = data_utils.rand_name('test_user') self.test_password = data_utils.rand_password() self.test_email = self.test_user + '@testmail.tm' self.user = self.users_client.create_user( self.test_user, password=self.test_password, email=self.test_email, **kwargs)['user'] self.users.append(self.user)
def test_authentication_with_invalid_tenant(self): # User's token for an invalid tenant should not be authenticated password = data_utils.rand_password() user = self.setup_test_user(password) self.assertRaises(lib_exc.Unauthorized, self.token_client.auth, user['name'], password, 'junktenant1234')
def _create_creds(self, admin=False, roles=None): """Create credentials with random name. Creates project and user. When admin flag is True create user with admin role. Assign user with additional roles (for example _member_) and roles requested by caller. :param admin: Flag if to assign to the user admin role :type admin: bool :param roles: Roles to assign for the user :type roles: list :return: Readonly Credentials with network resources """ root = self.name project_name = data_utils.rand_name(root) project_desc = project_name + "-desc" project = self.creds_client.create_project( name=project_name, description=project_desc) # NOTE(andreaf) User and project can be distinguished from the context, # having the same ID in both makes it easier to match them and debug. username = project_name user_password = data_utils.rand_password() email = data_utils.rand_name(root) + "@example.com" user = self.creds_client.create_user( username, user_password, project, email) if 'user' in user: user = user['user'] role_assigned = False if admin: self.creds_client.assign_user_role(user, project, self.admin_role) role_assigned = True if (self.identity_version == 'v3' and CONF.identity.admin_domain_scope): self.creds_client.assign_user_role_on_domain( user, CONF.identity.admin_role) # Add roles specified in config file for conf_role in CONF.auth.tempest_roles: self.creds_client.assign_user_role(user, project, conf_role) role_assigned = True # Add roles requested by caller if roles: for role in roles: self.creds_client.assign_user_role(user, project, role) role_assigned = True # NOTE(mtreinish) For a user to have access to a project with v3 auth # it must beassigned a role on the project. So we need to ensure that # our newly created user has a role on the newly created project. if self.identity_version == 'v3' and not role_assigned: try: self.creds_client.create_user_role('Member') except lib_exc.Conflict: LOG.warning('Member role already exists, ignoring conflict.') self.creds_client.assign_user_role(user, project, 'Member') creds = self.creds_client.get_credentials(user, project, user_password) return cred_provider.TestResources(creds)
def resource_setup(cls): cls.set_validation_resources() super(HybridCreateAwsServersTestJSON, cls).resource_setup() cls.meta = {'hello': 'world'} cls.accessIPv4 = '1.1.1.1' cls.accessIPv6 = '0000:0000:0000:0000:0000:babe:220.12.22.2' cls.name = data_utils.rand_name('server') cls.password = data_utils.rand_password() disk_config = cls.disk_config
def test_authentication_for_disabled_user(self): # Attempt to authenticate for disabled user should fail password = data_utils.rand_password() user = self.setup_test_user(password) self.disable_user(user['name'], user['domain_id']) self.assertRaises(lib_exc.Unauthorized, self.token.auth, username=user['name'], password=password, user_domain_id='default')
def test_create_user_for_non_existent_domain(self): # Attempt to create a user in a non-existent domain should fail u_name = data_utils.rand_name('user') u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() self.assertRaises(lib_exc.NotFound, self.users_client.create_user, u_name, u_password, email=u_email, domain_id=data_utils.rand_uuid_hex())
def _create_test_user(self, **kwargs): username = data_utils.rand_name('test_user') self.user_password = data_utils.rand_password() self.user = self.users_client.create_user(username, password=self.user_password, email=username + '@testmail.tm', **kwargs)['user'] self.users.append(self.user)
def test_user_authentication(self): # Valid user's token is authenticated password = data_utils.rand_password() user = self.setup_test_user(password) tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] # Get a token self.token_client.auth(user['name'], password, tenant['name']) # Re-auth self.token_client.auth(user['name'], password, tenant['name'])
def test_list_user_projects(self): # List the projects that a user has access upon assigned_project_ids = list() fetched_project_ids = list() u_project = self.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'))['project'] # Delete the Project at the end of this method self.addCleanup(self.projects_client.delete_project, u_project['id']) # Create a user. u_name = data_utils.rand_name('user') u_desc = u_name + 'description' u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() user_body = self.users_client.create_user( name=u_name, description=u_desc, password=u_password, email=u_email, enabled=False, project_id=u_project['id'])['user'] # Delete the User at the end of this method self.addCleanup(self.users_client.delete_user, user_body['id']) # Creating Role role_body = self.roles_client.create_role( name=data_utils.rand_name('role'))['role'] # Delete the Role at the end of this method self.addCleanup(self.roles_client.delete_role, role_body['id']) user = self.users_client.show_user(user_body['id'])['user'] role = self.roles_client.show_role(role_body['id'])['role'] for i in range(2): # Creating project so as to assign role project_body = self.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'))['project'] project = self.projects_client.show_project( project_body['id'])['project'] # Delete the Project at the end of this method self.addCleanup(self.projects_client.delete_project, project_body['id']) # Assigning roles to user on project self.roles_client.create_user_role_on_project( project['id'], user['id'], role['id']) assigned_project_ids.append(project['id']) body = self.users_client.list_user_projects(user['id'])['projects'] for i in body: fetched_project_ids.append(i['id']) # verifying the project ids in list missing_projects =\ [p for p in assigned_project_ids if p not in fetched_project_ids] self.assertEqual( 0, len(missing_projects), "Failed to find project %s in fetched list" % ', '.join(m_project for m_project in missing_projects))
def _create_creds(self, suffix="", admin=False, roles=None): """Create random credentials under the following schema. If the name contains a '.' is the full class path of something, and we don't really care. If it isn't, it's probably a meaningful name, so use it. For logging purposes, -user and -tenant are long and redundant, don't use them. The user# will be sufficient to figure it out. """ if '.' in self.name: root = "" else: root = self.name project_name = data_utils.rand_name(root) + suffix project_desc = project_name + "-desc" project = self.creds_client.create_project( name=project_name, description=project_desc) # NOTE(andreaf) User and project can be distinguished from the context, # having the same ID in both makes it easier to match them and debug. username = project_name user_password = data_utils.rand_password() email = data_utils.rand_name(root) + suffix + "@example.com" user = self.creds_client.create_user( username, user_password, project, email) if 'user' in user: user = user['user'] role_assigned = False if admin: self.creds_client.assign_user_role(user, project, self.admin_role) role_assigned = True if (self.identity_version == 'v3' and CONF.identity.admin_domain_scope): self.creds_client.assign_user_role_on_domain( user, CONF.identity.admin_role) # Add roles specified in config file for conf_role in CONF.auth.tempest_roles: self.creds_client.assign_user_role(user, project, conf_role) role_assigned = True # Add roles requested by caller if roles: for role in roles: self.creds_client.assign_user_role(user, project, role) role_assigned = True # NOTE(mtreinish) For a user to have access to a project with v3 auth # it must beassigned a role on the project. So we need to ensure that # our newly created user has a role on the newly created project. if self.identity_version == 'v3' and not role_assigned: self.creds_client.create_user_role('Member') self.creds_client.assign_user_role(user, project, 'Member') creds = self.creds_client.get_credentials(user, project, user_password) return cred_provider.TestResources(creds)
def resource_setup(cls): super(ResourcesV1TestJSON, cls).resource_setup() # cls.keypair_ref = CONF.conveyor.origin_keypair_ref cls.secgroup_ref = CONF.conveyor.origin_security_group_ref cls.net_ref = CONF.conveyor.origin_net_ref # cls.public_net_ref = CONF.conveyor.public_net_ref cls.floating_ip_pool_ref = CONF.conveyor.floating_ip_pool_ref # cls.subnet_ref = CONF.conveyor.origin_subnet_ref cls.image_ref = CONF.conveyor.image_ref cls.flavor_ref = CONF.conveyor.flavor_ref cls.availability_zone_ref = CONF.conveyor.availability_zone cls.volume_size = CONF.conveyor.volume_size cls.volume_type_ref = CONF.conveyor.volume_type cls.meta = {'hello': 'world'} cls.name = data_utils.rand_name('server') cls.password = data_utils.rand_password() networks = [{'uuid': cls.net_ref}] server_initial = cls.create_server( networks=networks, wait_until='ACTIVE', # name=cls.name, name="server_resource", metadata=cls.meta, adminPass=cls.password, # key_name=key_name, # security_groups=cls.secgroup_ref, availability_zone=cls.availability_zone_ref) cls.server = (cls.servers_client.show_server( server_initial['id'])['server']) cls.servers.append(cls.server) cls.volume = cls.volumes_client.create_volume( size=cls.volume_size, # display_name='volume01', display_name='volume_resource', availability_zone=cls.availability_zone_ref, volume_type=cls.volume_type_ref)['volume'] cls.volumes.append(cls.volume) waiters.wait_for_volume_status(cls.volumes_client, cls.volume['id'], 'available') # Attach the volume to the server cls.servers_client.attach_volume( server_initial['id'], volumeId=cls.volume['id'])['volumeAttachment'] waiters.wait_for_volume_status(cls.volumes_client, cls.volume['id'], 'in-use') cls.server = (cls.servers_client.show_server( server_initial['id'])['server'])
def resource_setup(cls): super(ServerRescueNegativeTestJSON, cls).resource_setup() cls.device = CONF.compute.volume_device_name cls.password = data_utils.rand_password() rescue_password = data_utils.rand_password() # Server for negative tests server = cls.create_test_server(adminPass=cls.password, wait_until='BUILD') resc_server = cls.create_test_server(adminPass=rescue_password, wait_until='ACTIVE') cls.server_id = server['id'] cls.rescue_id = resc_server['id'] cls.servers_client.rescue_server(cls.rescue_id, adminPass=rescue_password) waiters.wait_for_server_status(cls.servers_client, cls.rescue_id, 'RESCUE') waiters.wait_for_server_status(cls.servers_client, cls.server_id, 'ACTIVE')
def test_create_user_with_duplicate_name(self): # Duplicate user should not be created password = data_utils.rand_password() user = self.setup_test_user(password) tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] self.assertRaises(lib_exc.Conflict, self.users_client.create_user, name=user['name'], password=password, tenantId=tenant['id'], email=user['email'])
def setup_test_user(self): """Set up a test user.""" self.setup_test_tenant() self.test_user = data_utils.rand_name('test_user') self.test_password = data_utils.rand_password() self.test_email = self.test_user + '@testmail.tm' self.user = self.client.create_user(self.test_user, self.test_password, self.tenant['id'], self.test_email)['user'] self.users.append(self.user)
def _create_creds(self, admin=False, roles=None): """Create credentials with random name. Creates project and user. When admin flag is True create user with admin role. Assign user with additional roles (for example _member_) and roles requested by caller. :param admin: Flag if to assign to the user admin role :type admin: bool :param roles: Roles to assign for the user :type roles: list :return: Readonly Credentials with network resources """ root = self.name project_name = data_utils.rand_name(root) project_desc = project_name + "-desc" project = self.creds_client.create_project( name=project_name, description=project_desc) # NOTE(andreaf) User and project can be distinguished from the context, # having the same ID in both makes it easier to match them and debug. username = project_name user_password = data_utils.rand_password() email = data_utils.rand_name(root) + "@example.com" user = self.creds_client.create_user( username, user_password, project, email) if 'user' in user: user = user['user'] role_assigned = False if admin: self.creds_client.assign_user_role(user, project, self.admin_role) role_assigned = True if (self.identity_version == 'v3' and CONF.identity.admin_domain_scope): self.creds_client.assign_user_role_on_domain( user, CONF.identity.admin_role) # Add roles specified in config file for conf_role in CONF.auth.tempest_roles: self.creds_client.assign_user_role(user, project, conf_role) role_assigned = True # Add roles requested by caller if roles: for role in roles: self.creds_client.assign_user_role(user, project, role) role_assigned = True # NOTE(mtreinish) For a user to have access to a project with v3 auth # it must beassigned a role on the project. So we need to ensure that # our newly created user has a role on the newly created project. if self.identity_version == 'v3' and not role_assigned: self.creds_client.create_user_role('Member') self.creds_client.assign_user_role(user, project, 'Member') creds = self.creds_client.get_credentials(user, project, user_password) return cred_provider.TestResources(creds)
def _create_creds(self, suffix="", admin=False, roles=None): """Create random credentials under the following schema. If the name contains a '.' is the full class path of something, and we don't really care. If it isn't, it's probably a meaningful name, so use it. For logging purposes, -user and -tenant are long and redundant, don't use them. The user# will be sufficient to figure it out. """ if '.' in self.name: root = "" else: root = self.name project_name = data_utils.rand_name(root) + suffix project_desc = project_name + "-desc" project = self.creds_client.create_project(name=project_name, description=project_desc) # NOTE(andreaf) User and project can be distinguished from the context, # having the same ID in both makes it easier to match them and debug. username = project_name user_password = data_utils.rand_password() email = data_utils.rand_name(root) + suffix + "@example.com" user = self.creds_client.create_user(username, user_password, project, email) if 'user' in user: user = user['user'] role_assigned = False if admin: self.creds_client.assign_user_role(user, project, self.admin_role) role_assigned = True if self.identity_version == 'v3': self.creds_client.assign_user_role_on_domain( user, CONF.identity.admin_role) # Add roles specified in config file for conf_role in CONF.auth.tempest_roles: self.creds_client.assign_user_role(user, project, conf_role) role_assigned = True # Add roles requested by caller if roles: for role in roles: self.creds_client.assign_user_role(user, project, role) role_assigned = True # NOTE(mtreinish) For a user to have access to a project with v3 auth # it must beassigned a role on the project. So we need to ensure that # our newly created user has a role on the newly created project. if self.identity_version == 'v3' and not role_assigned: self.creds_client.create_user_role('Member') self.creds_client.assign_user_role(user, project, 'Member') creds = self.creds_client.get_credentials(user, project, user_password) return cred_provider.TestResources(creds)
def setup_test_v3_user(self): """Set up a test v3 user.""" self.setup_test_project() self.test_user = data_utils.rand_name('test_user') self.test_password = data_utils.rand_password() self.test_email = self.test_user + '@testmail.tm' self.v3_user = self.client.create_user(self.test_user, password=self.test_password, project_id=self.project['id'], email=self.test_email)['user'] self.v3_users.append(self.v3_user)
def setup_test_v3_user(self): """Set up a test v3 user.""" self.setup_test_project() self.test_user = data_utils.rand_name('test_user') self.test_password = data_utils.rand_password() self.test_email = self.test_user + '@testmail.tm' self.v3_user = self.client.create_user( self.test_user, password=self.test_password, project_id=self.project['id'], email=self.test_email)['user'] self.v3_users.append(self.v3_user)
def test_list_user_projects(self): # List the projects that a user has access upon assigned_project_ids = list() fetched_project_ids = list() u_project = self.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'))['project'] # Delete the Project at the end of this method self.addCleanup(self.projects_client.delete_project, u_project['id']) # Create a user. u_name = data_utils.rand_name('user') u_desc = u_name + 'description' u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() user_body = self.users_client.create_user( name=u_name, description=u_desc, password=u_password, email=u_email, enabled=False, project_id=u_project['id'])['user'] # Delete the User at the end of this method self.addCleanup(self.users_client.delete_user, user_body['id']) # Creating Role role_body = self.roles_client.create_role( name=data_utils.rand_name('role'))['role'] # Delete the Role at the end of this method self.addCleanup(self.roles_client.delete_role, role_body['id']) user = self.users_client.show_user(user_body['id'])['user'] role = self.roles_client.show_role(role_body['id'])['role'] for i in range(2): # Creating project so as to assign role project_body = self.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'))['project'] project = self.projects_client.show_project( project_body['id'])['project'] # Delete the Project at the end of this method self.addCleanup( self.projects_client.delete_project, project_body['id']) # Assigning roles to user on project self.roles_client.assign_user_role_on_project(project['id'], user['id'], role['id']) assigned_project_ids.append(project['id']) body = self.users_client.list_user_projects(user['id'])['projects'] for i in body: fetched_project_ids.append(i['id']) # verifying the project ids in list missing_projects =\ [p for p in assigned_project_ids if p not in fetched_project_ids] self.assertEqual(0, len(missing_projects), "Failed to find project %s in fetched list" % ', '.join(m_project for m_project in missing_projects))
def rebuild_server(cls, server_id, validatable=False, **kwargs): # Destroy an existing server and creates a new one if server_id: cls.delete_server(server_id) cls.password = data_utils.rand_password() server = cls.create_test_server( validatable, wait_until='ACTIVE', adminPass=cls.password, **kwargs) return server['id']