def test_password_history_check_self_service_api(self): old_pass = self.creds.password new_pass1 = data_utils.rand_password() new_pass2 = data_utils.rand_password() self.addCleanup(self._restore_password, old_pass, new_pass2) # Update password self._update_password(original_password=old_pass, password=new_pass1) if CONF.identity.user_unique_last_password_count > 1: # Can not reuse a previously set password self.assertRaises(exceptions.BadRequest, self.non_admin_users_client.update_user_password, self.user_id, password=new_pass1, original_password=new_pass1) self.assertRaises(exceptions.BadRequest, self.non_admin_users_client.update_user_password, self.user_id, password=old_pass, original_password=new_pass1) # A different password can be set self._update_password(original_password=new_pass1, password=new_pass2)
def test_rand_password_with_len(self): actual = data_utils.rand_password(8) self.assertIsInstance(actual, str) self.assertEqual(len(actual), 8) self.assertRegexpMatches(actual, "[A-Za-z0-9~!@#$%^&*_=+]{8}") actual2 = data_utils.rand_password(8) self.assertNotEqual(actual, actual2)
def test_rand_password_with_len_2(self): actual = data_utils.rand_password(2) self.assertIsInstance(actual, str) self.assertEqual(len(actual), 3) self.assertRegex(actual, "[A-Za-z0-9~!@#$%^&*_=+]{3}") actual2 = data_utils.rand_password(2) self.assertNotEqual(actual, actual2)
def test_rand_password_with_len_2(self): actual = data_utils.rand_password(2) self.assertIsInstance(actual, str) self.assertEqual(len(actual), 3) self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}") actual2 = data_utils.rand_password(2) self.assertNotEqual(actual, actual2)
def test_password_history_check_self_service_api(self): old_pass = self.creds.password new_pass1 = data_utils.rand_password() new_pass2 = data_utils.rand_password() self.addCleanup(self._restore_password, old_pass, new_pass2) # Update password self._update_password(original_password=old_pass, password=new_pass1) if CONF.identity.user_unique_last_password_count > 1: # Can not reuse a previously set password self.assertRaises(exceptions.BadRequest, self.non_admin_users_client.update_user_password, self.user_id, password=new_pass1, original_password=new_pass1) self.assertRaises(exceptions.BadRequest, self.non_admin_users_client.update_user_password, self.user_id, password=old_pass, original_password=new_pass1) # A different password can be set self._update_password(original_password=new_pass1, password=new_pass2)
def test_update_user_password(self): # Creating User to check password updation u_name = data_utils.rand_name('user') original_password = data_utils.rand_password() user = self.users_client.create_user( name=u_name, password=original_password)['user'] # Delete the User at the end all test methods self.addCleanup(self.users_client.delete_user, user['id']) # Update user with new password new_password = data_utils.rand_password() self.users_client.update_user_password( user['id'], password=new_password, original_password=original_password) # NOTE(morganfainberg): Fernet tokens are not subsecond aware and # Keystone should only be precise to the second. Sleep to ensure # we are passing the second boundary. time.sleep(1) resp = self.token.auth(user_id=user['id'], password=new_password).response subject_token = resp['x-subject-token'] # Perform GET Token to verify and confirm password is updated token_details = self.client.show_token(subject_token)['token'] self.assertEqual(token_details['user']['id'], user['id']) self.assertEqual(token_details['user']['name'], u_name)
def test_change_password(self): original_password = data_utils.rand_password() user = self.setup_test_user(password=original_password) self.rbac_utils.switch_role(self, toggle_rbac_role=True) self.users_client.update_user_password( user['id'], original_password=original_password, password=data_utils.rand_password())
def test_rand_password_with_len_2(self): actual = data_utils.rand_password(2) self.assertIsInstance(actual, str) self.assertEqual(len(actual), 3) self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}") actual2 = data_utils.rand_password(2) # NOTE(masayukig): Originally, we checked that the acutal and actual2 # are different each other. But only 3 letters can be the same value # in a very rare case. So, we just check the length here, too, # just in case. self.assertEqual(len(actual2), 3)
def test_rand_password_with_len_2(self): actual = data_utils.rand_password(2) self.assertIsInstance(actual, str) self.assertEqual(len(actual), 3) self.assertRegex(actual, "[A-Za-z0-9~!@#%^&*_=+]{3}") actual2 = data_utils.rand_password(2) # NOTE(masayukig): Originally, we checked that the acutal and actual2 # are different each other. But only 3 letters can be the same value # in a very rare case. So, we just check the length here, too, # just in case. self.assertEqual(len(actual2), 3)
def test_create_server_with_personality(self): file_contents = 'This is a test file.' file_path = '/test.txt' personality = [{'path': file_path, 'contents': base64.encode_as_text(file_contents)}] password = data_utils.rand_password() validation_resources = self.get_test_validation_resources( self.os_primary) created_server = self.create_test_server( personality=personality, adminPass=password, wait_until='ACTIVE', validatable=True, validation_resources=validation_resources) self.addCleanup(waiters.wait_for_server_termination, self.servers_client, created_server['id']) self.addCleanup(test_utils.call_and_ignore_notfound_exc, self.servers_client.delete_server, created_server['id']) server = self.client.show_server(created_server['id'])['server'] if CONF.validation.run_validation: linux_client = remote_client.RemoteClient( self.get_server_ip(server, validation_resources), self.ssh_user, password, validation_resources['keypair']['private_key'], server=server, servers_client=self.client) self.assertEqual(file_contents, linux_client.exec_command( 'sudo cat %s' % file_path))
def test_create_check_get_delete_token(self): """Test getting create/check/get/delete token for user via v2 API""" # get a token by username and password user_name = data_utils.rand_name(name='user') user_password = data_utils.rand_password() # first:create a tenant tenant = self.setup_test_tenant() # second:create a user user = self.create_test_user(name=user_name, password=user_password, tenantId=tenant['id'], email='') # then get a token for the user body = self.token_client.auth(user_name, user_password, tenant['name']) self.assertEqual(body['token']['tenant']['name'], tenant['name']) # Perform GET Token token_id = body['token']['id'] self.client.check_token_existence(token_id) token_details = self.client.show_token(token_id)['access'] self.assertEqual(token_id, token_details['token']['id']) self.assertEqual(user['id'], token_details['user']['id']) self.assertEqual(user_name, token_details['user']['name']) self.assertEqual(tenant['name'], token_details['token']['tenant']['name']) # then delete the token self.client.delete_token(token_id) self.assertRaises(lib_exc.NotFound, self.client.check_token_existence, token_id)
def setUp(self): super(TestK2KFederatedAuthentication, self).setUp() self._setup_sp() self.auth = {'password': data_utils.rand_password()} user_id = self.keystone_manager.users_v3_client.create_user( name=data_utils.rand_name('user'), password=self.auth['password'])['user']['id'] self.addCleanup(self.keystone_manager.users_v3_client.delete_user, user_id) self.auth['user_id'] = user_id idp_info = self.idps_client.show_identity_provider(self.idp_id) domain_id = idp_info['identity_provider']['domain_id'] project_id = self.keystone_manager.identity_providers_client.tenant_id self.auth['project_id'] = project_id group = self.keystone_manager.groups_client.create_group( name=data_utils.rand_uuid_hex(), domain_id=domain_id) self.addCleanup(self.keystone_manager.groups_client.delete_group, group['group']['id']) role = self.keystone_manager.roles_v3_client.create_role( name=data_utils.rand_uuid_hex(), project_id=project_id) self.addCleanup(self.keystone_manager.roles_v3_client.delete_role, role['role']['id']) self.keystone_manager.roles_v3_client.create_group_role_on_project( group_id=group['group']['id'], project_id=project_id, role_id=role['role']['id']) self.keystone_manager.groups_client.add_group_user( group_id=group['group']['id'], user_id=user_id)
def test_user_update(self): # Test case to check if updating of user attributes is successful. # Creating first user u_name = data_utils.rand_name('user') u_desc = u_name + 'description' u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() user = self.users_client.create_user( name=u_name, description=u_desc, password=u_password, email=u_email, enabled=False)['user'] # Delete the User at the end of this method self.addCleanup(self.users_client.delete_user, user['id']) # Creating second project for updation project = self.setup_test_project() # Updating user details with new values update_kwargs = {'name': data_utils.rand_name('user2'), 'description': data_utils.rand_name('desc2'), 'project_id': project['id'], 'email': '*****@*****.**', 'enabled': False} updated_user = self.users_client.update_user( user['id'], **update_kwargs)['user'] for field in update_kwargs: self.assertEqual(update_kwargs[field], updated_user[field]) # GET by id after updating new_user_get = self.users_client.show_user(user['id'])['user'] # Assert response body of GET after updation for field in update_kwargs: self.assertEqual(update_kwargs[field], new_user_get[field])
def test_create_transfer_accept_using_invalid_key(self): LOG.info('Create a zone') zone_name = dns_data_utils.rand_zone_name( name="create_transfer_accept_invalid_key", suffix=self.tld_name) zone = self.zone_client.create_zone(name=zone_name, wait_until='ACTIVE')[1] self.addCleanup(self.wait_zone_delete, self.zone_client, zone['id']) LOG.info('Create a zone transfer_request') transfer_request = self.request_client.create_transfer_request( zone['id'])[1] self.addCleanup( self.transfer_request_delete, self.request_client, transfer_request['id'] ) data = {"key": data_utils.rand_password( len(transfer_request['key'])), "zone_transfer_request_id": transfer_request['id']} LOG.info('Create a zone transfer_accept using invalid key') self.assertRaises( lib_exc.Forbidden, self.client.create_transfer_accept, transfer_accept_data=data)
def test_user_account_lockout(self): if (CONF.identity.user_lockout_failure_attempts <= 0 or CONF.identity.user_lockout_duration <= 0): raise self.skipException( "Both CONF.identity.user_lockout_failure_attempts and " "CONF.identity.user_lockout_duration should be greater than " "zero to test this feature") password = self.creds.password # First, we login using the correct credentials self.non_admin_token.auth(user_id=self.user_id, password=password) # Lock user account by using the wrong password to login bad_password = data_utils.rand_password() for _ in range(CONF.identity.user_lockout_failure_attempts): self.assertRaises(exceptions.Unauthorized, self.non_admin_token.auth, user_id=self.user_id, password=bad_password) # The user account must be locked, so now it is not possible to login # even using the correct password self.assertRaises(exceptions.Unauthorized, self.non_admin_token.auth, user_id=self.user_id, password=password) # If we wait the required time, the user account will be unlocked time.sleep(CONF.identity.user_lockout_duration + 1) self.non_admin_token.auth(user_id=self.user_id, password=password)
def test_can_create_server_with_max_number_personality_files(self): # Server should be created successfully if maximum allowed number of # files is injected into the server during creation. file_contents = 'This is a test file.' limits = self.user_client.show_limits()['limits'] max_file_limit = limits['absolute']['maxPersonality'] if max_file_limit == -1: raise self.skipException("No limit for personality files") person = [] for i in range(0, int(max_file_limit)): # NOTE(andreaf) The cirros disk image is blank before boot # so we can only inject safely to / path = '/test' + str(i) + '.txt' person.append({ 'path': path, 'contents': base64.encode_as_text(file_contents + str(i)), }) password = data_utils.rand_password() created_server = self.create_test_server(personality=person, adminPass=password, wait_until='ACTIVE', validatable=True) server = self.client.show_server(created_server['id'])['server'] if CONF.validation.run_validation: linux_client = remote_client.RemoteClient( self.get_server_ip(server), self.ssh_user, password, self.validation_resources['keypair']['private_key'], server=server, servers_client=self.client) for i in person: self.assertEqual(base64.decode_as_text(i['contents']), linux_client.exec_command( 'sudo cat %s' % i['path']))
def _setup_new_user_client(cls, project_id, role): """Create a new tempest.clients.Manager Creates a new user with the given roles on the given project, and returns an instance of tempest.clients.Manager set up for that user. Users are cleaned up during class teardown in cls.clear_credentials """ user = { 'name': data_utils.rand_name('user'), 'password': data_utils.rand_password() } user_id = cls.os_system_admin.users_v3_client.create_user( **user)['user']['id'] cls._created_users.append(user_id) role_id = cls.os_system_admin.roles_v3_client.list_roles( name=role)['roles'][0]['id'] cls.os_system_admin.roles_v3_client.create_user_role_on_project( project_id, user_id, role_id) creds = auth.KeystoneV3Credentials(user_id=user_id, password=user['password'], project_id=project_id) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() return clients.Manager(credentials=creds)
def test_create_get_delete_token(self): # get a token by username and password user_name = data_utils.rand_name(name='user') user_password = data_utils.rand_password() # first:create a tenant tenant_name = data_utils.rand_name(name='tenant') tenant = self.tenants_client.create_tenant(name=tenant_name)['tenant'] # Delete the tenant at the end of the test self.addCleanup(self.tenants_client.delete_tenant, tenant['id']) # second:create a user user = self.create_test_user(name=user_name, password=user_password, tenantId=tenant['id'], email='') # then get a token for the user body = self.token_client.auth(user_name, user_password, tenant['name']) self.assertEqual(body['token']['tenant']['name'], tenant['name']) # Perform GET Token token_id = body['token']['id'] token_details = self.client.show_token(token_id)['access'] self.assertEqual(token_id, token_details['token']['id']) self.assertEqual(user['id'], token_details['user']['id']) self.assertEqual(user_name, token_details['user']['name']) self.assertEqual(tenant['name'], token_details['token']['tenant']['name']) # then delete the token self.client.delete_token(token_id)
def _get_updated_quotas(self): # Verify that GET shows the updated quota set of project project_name = data_utils.rand_name('cpu_quota_project') project_desc = project_name + '-desc' project = identity.identity_utils(self.os_admin).create_project( name=project_name, description=project_desc) project_id = project['id'] self.addCleanup(identity.identity_utils(self.os_admin).delete_project, project_id) self.adm_client.update_quota_set(project_id, ram='5120') # Call show_quota_set with detail=true to cover the # get_quota_set_details response schema for microversion tests quota_set = self.adm_client.show_quota_set( project_id, detail=True)['quota_set'] self.assertEqual(5120, quota_set['ram']['limit']) # Verify that GET shows the updated quota set of user user_name = data_utils.rand_name('cpu_quota_user') password = data_utils.rand_password() email = user_name + '@testmail.tm' user = identity.identity_utils(self.os_admin).create_user( username=user_name, password=password, project=project, email=email) user_id = user['id'] self.addCleanup(identity.identity_utils(self.os_admin).delete_user, user_id) self.adm_client.update_quota_set(project_id, user_id=user_id, ram='2048') quota_set = self.adm_client.show_quota_set( project_id, user_id=user_id)['quota_set'] self.assertEqual(2048, quota_set['ram'])
def test_can_create_server_with_max_number_personality_files(self): # Server should be created successfully if maximum allowed number of # files is injected into the server during creation. file_contents = 'This is a test file.' limits = self.user_client.show_limits()['limits'] max_file_limit = limits['absolute']['maxPersonality'] if max_file_limit == -1: raise self.skipException("No limit for personality files") person = [] for i in range(0, int(max_file_limit)): path = '/etc/test' + str(i) + '.txt' person.append({ 'path': path, 'contents': base64.encode_as_text(file_contents), }) password = data_utils.rand_password() created_server = self.create_test_server(personality=person, adminPass=password, wait_until='ACTIVE', validatable=True) server = self.client.show_server(created_server['id'])['server'] if CONF.validation.run_validation: linux_client = remote_client.RemoteClient( self.get_server_ip(server), self.ssh_user, password, self.validation_resources['keypair']['private_key'], server=server, servers_client=self.client) for i in person: self.assertEqual(base64.decode_as_text(i['contents']), linux_client.exec_command( 'sudo cat %s' % i['path']))
def test_create_server_with_fqdn_name(self): """Test to create an instance with FQDN type name scheme""" validation_resources = self.get_class_validation_resources( self.os_primary) self.server_name = 'guest-instance-1.domain.com' self.password = data_utils.rand_password() self.accessIPv4 = '2.2.2.2' test_server = self.create_test_server( validatable=True, validation_resources=validation_resources, wait_until='ACTIVE', adminPass=self.password, name=self.server_name, accessIPv4=self.accessIPv4) """Verify the hostname within the instance is sanitized Freeform characters in the hostname are replaced with dashes """ linux_client = remote_client.RemoteClient( self.get_server_ip(test_server, validation_resources), self.ssh_user, self.password, validation_resources['keypair']['private_key'], server=test_server, servers_client=self.client) hostname = linux_client.exec_command("hostname").rstrip() self.assertEqual('guest-instance-1-domain-com', hostname)
def create_trustor_and_roles(self): # create a project that trusts will be granted on trustor_project_name = data_utils.rand_name(name='project') project = self.projects_client.create_project( trustor_project_name, domain_id=CONF.identity.default_domain_id)['project'] self.trustor_project_id = project['id'] self.assertIsNotNone(self.trustor_project_id) # Create a trustor User trustor_username = data_utils.rand_name('user') u_desc = trustor_username + 'description' u_email = trustor_username + '@testmail.xx' trustor_password = data_utils.rand_password() user = self.users_client.create_user( name=trustor_username, description=u_desc, password=trustor_password, email=u_email, project_id=self.trustor_project_id, domain_id=CONF.identity.default_domain_id)['user'] self.trustor_user_id = user['id'] # And two roles, one we'll delegate and one we won't self.delegated_role = data_utils.rand_name('DelegatedRole') self.not_delegated_role = data_utils.rand_name('NotDelegatedRole') role = self.roles_client.create_role(name=self.delegated_role)['role'] self.delegated_role_id = role['id'] role = self.roles_client.create_role( name=self.not_delegated_role)['role'] self.not_delegated_role_id = role['id'] # Assign roles to trustor self.roles_client.create_user_role_on_project( self.trustor_project_id, self.trustor_user_id, self.delegated_role_id) self.roles_client.create_user_role_on_project( self.trustor_project_id, self.trustor_user_id, self.not_delegated_role_id) # Get trustee user ID, use the demo user trustee_username = self.non_admin_client.user self.trustee_user_id = self.get_user_by_name(trustee_username)['id'] self.assertIsNotNone(self.trustee_user_id) # Initialize a new client with the trustor credentials creds = common_creds.get_credentials( identity_version='v3', username=trustor_username, password=trustor_password, user_domain_id=CONF.identity.default_domain_id, tenant_name=trustor_project_name, project_domain_id=CONF.identity.default_domain_id, domain_id=CONF.identity.default_domain_id) os = clients.Manager(credentials=creds) self.trustor_client = os.trusts_client
def test_get_updated_quotas(self): # Verify that GET shows the updated quota set of project project_name = data_utils.rand_name('cpu_quota_project') project_desc = project_name + '-desc' project = self.identity_utils.create_project(name=project_name, description=project_desc) project_id = project['id'] self.addCleanup(self.identity_utils.delete_project, project_id) self.adm_client.update_quota_set(project_id, ram='5120') quota_set = self.adm_client.show_quota_set(project_id)['quota_set'] self.assertEqual(5120, quota_set['ram']) # Verify that GET shows the updated quota set of user user_name = data_utils.rand_name('cpu_quota_user') password = data_utils.rand_password() email = user_name + '@testmail.tm' user = self.identity_utils.create_user(username=user_name, password=password, project=project, email=email) user_id = user['id'] self.addCleanup(self.identity_utils.delete_user, user_id) self.adm_client.update_quota_set(project_id, user_id=user_id, ram='2048') quota_set = self.adm_client.show_quota_set( project_id, user_id=user_id)['quota_set'] self.assertEqual(2048, quota_set['ram'])
def test_user_update(self): """Test case to check if updating of user attributes is successful""" # Creating first user u_name = data_utils.rand_name('user') u_desc = u_name + 'description' u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() user = self.users_client.create_user( name=u_name, description=u_desc, password=u_password, email=u_email, enabled=False)['user'] # Delete the User at the end of this method self.addCleanup(self.users_client.delete_user, user['id']) # Creating second project for updation project = self.setup_test_project() # Updating user details with new values update_kwargs = {'name': data_utils.rand_name('user2'), 'description': data_utils.rand_name('desc2'), 'project_id': project['id'], 'email': '*****@*****.**', 'enabled': False} updated_user = self.users_client.update_user( user['id'], **update_kwargs)['user'] for field in update_kwargs: self.assertEqual(update_kwargs[field], updated_user[field]) # GET by id after updating new_user_get = self.users_client.show_user(user['id'])['user'] # Assert response body of GET after updation for field in update_kwargs: self.assertEqual(update_kwargs[field], new_user_get[field])
def resource_setup(cls): admin_client = cls.os_system_admin cls.user = { 'name': data_utils.rand_name('user'), 'password': data_utils.rand_password(), } cls.user_id = admin_client.users_v3_client.create_user( **cls.user)['user']['id'] cls.addClassResourceCleanup(admin_client.users_v3_client.delete_user, user_id=cls.user_id) cls.project_id = admin_client.projects_client.create_project( name=data_utils.rand_name())['project']['id'] cls.addClassResourceCleanup( admin_client.projects_client.delete_project, project_id=cls.project_id) cls.domain_id = admin_client.domains_client.create_domain( name=data_utils.rand_name())['domain']['id'] cls.addClassResourceCleanup(admin_client.domains_client.delete_domain, domain_id=cls.domain_id) cls.addClassResourceCleanup(admin_client.domains_client.update_domain, domain_id=cls.domain_id, enabled=False) role_id = admin_client.roles_v3_client.create_role( name=data_utils.rand_name())['role']['id'] cls.addClassResourceCleanup(admin_client.roles_v3_client.delete_role, role_id=role_id) admin_client.roles_v3_client.create_user_role_on_project( project_id=cls.project_id, user_id=cls.user_id, role_id=role_id) admin_client.roles_v3_client.create_user_role_on_domain( domain_id=cls.domain_id, user_id=cls.user_id, role_id=role_id) admin_client.roles_v3_client.create_user_role_on_system( user_id=cls.user_id, role_id=role_id)
def _get_updated_quotas(self): # Verify that GET shows the updated quota set of project project_name = data_utils.rand_name('cpu_quota_project') project_desc = project_name + '-desc' project = identity.identity_utils(self.os_admin).create_project( name=project_name, description=project_desc) project_id = project['id'] self.addCleanup(identity.identity_utils(self.os_admin).delete_project, project_id) self.adm_client.update_quota_set(project_id, ram='5120') # Call show_quota_set with detail=true to cover the # get_quota_set_details response schema for microversion tests quota_set = self.adm_client.show_quota_set( project_id, detail=True)['quota_set'] self.assertEqual(5120, quota_set['ram']['limit']) # Verify that GET shows the updated quota set of user user_name = data_utils.rand_name('cpu_quota_user') password = data_utils.rand_password() email = user_name + '@testmail.tm' user = identity.identity_utils(self.os_admin).create_user( username=user_name, password=password, project=project, email=email) user_id = user['id'] self.addCleanup(identity.identity_utils(self.os_admin).delete_user, user_id) self.adm_client.update_quota_set(project_id, user_id=user_id, ram='2048') quota_set = self.adm_client.show_quota_set( project_id, user_id=user_id)['quota_set'] self.assertEqual(2048, quota_set['ram'])
def recreate_server(cls, server_id, validatable=False, **kwargs): """Destroy an existing class level server and creates a new one Some test classes use a test server that can be used by multiple tests. This is done to optimise runtime and test load. If something goes wrong with the test server, it can be rebuilt using this helper. This helper can also be used for the initial provisioning if no server_id is specified. :param server_id: UUID of the server to be rebuilt. If None is specified, a new server is provisioned. :param validatable: whether to the server needs to be validatable. When True, validation resources are acquired via the `get_class_validation_resources` helper. :param kwargs: extra paramaters are passed through to the `create_test_server` call. :return: the UUID of the created server. """ if server_id: cls.delete_server(server_id) cls.password = data_utils.rand_password() server = cls.create_test_server( validatable, validation_resources=cls.get_class_validation_resources( cls.os_primary), wait_until='ACTIVE', adminPass=cls.password, **kwargs) return server['id']
def resource_setup(cls): super(UsersV3TestJSON, cls).resource_setup() alt_user = data_utils.rand_name('test_user') alt_password = data_utils.rand_password() cls.alt_email = alt_user + '@testmail.tm' # Create a domain cls.domain = cls.create_domain() # Create user with Domain cls.users = list() u1_name = data_utils.rand_name('test_user') cls.domain_enabled_user = cls.users_client.create_user( name=u1_name, password=alt_password, email=cls.alt_email, domain_id=cls.domain['id'])['user'] cls.addClassResourceCleanup(cls.users_client.delete_user, cls.domain_enabled_user['id']) cls.users.append(cls.domain_enabled_user) # Create default not enabled user u2_name = data_utils.rand_name('test_user') cls.non_domain_enabled_user = cls.users_client.create_user( name=u2_name, password=alt_password, email=cls.alt_email, enabled=False)['user'] cls.addClassResourceCleanup(cls.users_client.delete_user, cls.non_domain_enabled_user['id']) cls.users.append(cls.non_domain_enabled_user)
def resource_setup(cls): super(InheritsV3TestJSON, cls).resource_setup() u_name = data_utils.rand_name('user-') u_desc = '%s description' % u_name u_email = '*****@*****.**' % u_name u_password = data_utils.rand_password() cls.domain = cls.create_domain() cls.project = cls.projects_client.create_project( data_utils.rand_name('project-'), description=data_utils.rand_name('project-desc-'), domain_id=cls.domain['id'])['project'] cls.addClassResourceCleanup(cls.projects_client.delete_project, cls.project['id']) cls.group = cls.groups_client.create_group( name=data_utils.rand_name('group-'), project_id=cls.project['id'], domain_id=cls.domain['id'])['group'] cls.addClassResourceCleanup(cls.groups_client.delete_group, cls.group['id']) if not CONF.identity_feature_enabled.immutable_user_source: cls.user = cls.users_client.create_user( name=u_name, description=u_desc, password=u_password, email=u_email, project_id=cls.project['id'], domain_id=cls.domain['id'])['user'] cls.addClassResourceCleanup(cls.users_client.delete_user, cls.user['id'])
def resource_setup(cls): super(CredentialsTestJSON, cls).resource_setup() cls.projects = list() cls.creds_list = [['project_id', 'user_id', 'id'], ['access', 'secret']] u_name = data_utils.rand_name('user') u_desc = '%s description' % u_name u_email = '*****@*****.**' % u_name u_password = data_utils.rand_password() for _ in range(2): project = cls.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'))['project'] cls.addClassResourceCleanup(cls.projects_client.delete_project, project['id']) cls.projects.append(project['id']) cls.user_body = cls.users_client.create_user( name=u_name, description=u_desc, password=u_password, email=u_email, project_id=cls.projects[0])['user'] cls.addClassResourceCleanup(cls.users_client.delete_user, cls.user_body['id'])
def resource_setup(cls): super(RolesV3TestJSON, cls).resource_setup() cls.roles = list() for _ in range(3): role_name = data_utils.rand_name(name='role') role = cls.roles_client.create_role(name=role_name)['role'] cls.roles.append(role) u_name = data_utils.rand_name('user') u_desc = '%s description' % u_name u_email = '*****@*****.**' % u_name cls.u_password = data_utils.rand_password() cls.domain = cls.create_domain() cls.project = cls.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'), domain_id=cls.domain['id'])['project'] cls.group_body = cls.groups_client.create_group( name=data_utils.rand_name('Group'), project_id=cls.project['id'], domain_id=cls.domain['id'])['group'] cls.user_body = cls.users_client.create_user( name=u_name, description=u_desc, password=cls.u_password, email=u_email, project_id=cls.project['id'], domain_id=cls.domain['id'])['user'] cls.role = cls.roles_client.create_role( name=data_utils.rand_name('Role'))['role']
def resource_setup(cls): super(InheritsV3TestJSON, cls).resource_setup() u_name = data_utils.rand_name('user-') u_desc = '%s description' % u_name u_email = '*****@*****.**' % u_name u_password = data_utils.rand_password() cls.domain = cls.create_domain() cls.project = cls.projects_client.create_project( data_utils.rand_name('project-'), description=data_utils.rand_name('project-desc-'), domain_id=cls.domain['id'])['project'] cls.addClassResourceCleanup(cls.projects_client.delete_project, cls.project['id']) cls.group = cls.groups_client.create_group( name=data_utils.rand_name('group-'), project_id=cls.project['id'], domain_id=cls.domain['id'])['group'] cls.addClassResourceCleanup(cls.groups_client.delete_group, cls.group['id']) if not CONF.identity_feature_enabled.immutable_user_source: cls.user = cls.users_client.create_user( name=u_name, description=u_desc, password=u_password, email=u_email, project_id=cls.project['id'], domain_id=cls.domain['id'] )['user'] cls.addClassResourceCleanup(cls.users_client.delete_user, cls.user['id'])
def test_create_server_with_personality(self): """Test creating server with file injection""" file_contents = 'This is a test file.' file_path = '/test.txt' personality = [{ 'path': file_path, 'contents': base64.encode_as_text(file_contents) }] password = data_utils.rand_password() validation_resources = self.get_test_validation_resources( self.os_primary) created_server = self.create_test_server( personality=personality, adminPass=password, wait_until='ACTIVE', validatable=True, validation_resources=validation_resources) self.addCleanup(waiters.wait_for_server_termination, self.servers_client, created_server['id']) self.addCleanup(test_utils.call_and_ignore_notfound_exc, self.servers_client.delete_server, created_server['id']) server = self.client.show_server(created_server['id'])['server'] if CONF.validation.run_validation: linux_client = remote_client.RemoteClient( self.get_server_ip(server, validation_resources), self.ssh_user, password, validation_resources['keypair']['private_key'], server=server, servers_client=self.client) self.assertEqual( file_contents, linux_client.exec_command('sudo cat %s' % file_path))
def test_user_account_lockout(self): if (CONF.identity.user_lockout_failure_attempts <= 0 or CONF.identity.user_lockout_duration <= 0): raise self.skipException( "Both CONF.identity.user_lockout_failure_attempts and " "CONF.identity.user_lockout_duration should be greater than " "zero to test this feature") password = self.creds.password # First, we login using the correct credentials self.non_admin_token.auth(user_id=self.user_id, password=password) # Lock user account by using the wrong password to login bad_password = data_utils.rand_password() for _ in range(CONF.identity.user_lockout_failure_attempts): self.assertRaises(exceptions.Unauthorized, self.non_admin_token.auth, user_id=self.user_id, password=bad_password) # The user account must be locked, so now it is not possible to login # even using the correct password self.assertRaises(exceptions.Unauthorized, self.non_admin_token.auth, user_id=self.user_id, password=password) # If we wait the required time, the user account will be unlocked time.sleep(CONF.identity.user_lockout_duration + 1) self.non_admin_token.auth(user_id=self.user_id, password=password)
def setup_user_client(self, project_id=None): """Set up project user with its own client. This is useful for testing protection of resources in separate projects. Returns a client object and the user's ID. """ user_dict = { 'name': data_utils.rand_name('user'), 'password': data_utils.rand_password(), } user_id = self.os_system_admin.users_v3_client.create_user( **user_dict)['user']['id'] self.addCleanup(self.os_system_admin.users_v3_client.delete_user, user_id) if not project_id: project_id = self.os_system_admin.projects_client.create_project( data_utils.rand_name())['project']['id'] self.addCleanup( self.os_system_admin.projects_client.delete_project, project_id) member_role_id = self.os_system_admin.roles_v3_client.list_roles( name='member')['roles'][0]['id'] self.os_system_admin.roles_v3_client.create_user_role_on_project( project_id, user_id, member_role_id) creds = auth.KeystoneV3Credentials(user_id=user_id, password=user_dict['password'], project_id=project_id) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() client = clients.Manager(credentials=creds) return client
def test_associate_user_to_project(self): # Associate a user to a project # Create a Project project = self.setup_test_project() # Create a User u_name = data_utils.rand_name('user') u_desc = u_name + 'description' u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() user = self.users_client.create_user(name=u_name, description=u_desc, password=u_password, email=u_email, project_id=project['id'])['user'] # Delete the User at the end of this method self.addCleanup(self.users_client.delete_user, user['id']) # Get User To validate the user details new_user_get = self.users_client.show_user(user['id'])['user'] # Assert response body of GET self.assertEqual(u_name, new_user_get['name']) self.assertEqual(u_desc, new_user_get['description']) self.assertEqual(project['id'], new_user_get['project_id']) self.assertEqual(u_email, new_user_get['email'])
def test_authentication_with_invalid_username(self): # Non-existent user's token should not get authenticated password = data_utils.rand_password() user = self.setup_test_user(password) tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] self.assertRaises(lib_exc.Unauthorized, self.token_client.auth, 'junkuser123', password, tenant['name'])
def create_trustor_and_roles(self): # create a project that trusts will be granted on trustor_project_name = data_utils.rand_name(name='project') project = self.projects_client.create_project( trustor_project_name, domain_id=CONF.identity.default_domain_id)['project'] self.trustor_project_id = project['id'] self.assertIsNotNone(self.trustor_project_id) # Create a trustor User trustor_username = data_utils.rand_name('user') u_desc = trustor_username + 'description' u_email = trustor_username + '@testmail.xx' trustor_password = data_utils.rand_password() user = self.users_client.create_user( name=trustor_username, description=u_desc, password=trustor_password, email=u_email, project_id=self.trustor_project_id, domain_id=CONF.identity.default_domain_id)['user'] self.trustor_user_id = user['id'] # And two roles, one we'll delegate and one we won't self.delegated_role = data_utils.rand_name('DelegatedRole') self.not_delegated_role = data_utils.rand_name('NotDelegatedRole') role = self.roles_client.create_role(name=self.delegated_role)['role'] self.delegated_role_id = role['id'] role = self.roles_client.create_role( name=self.not_delegated_role)['role'] self.not_delegated_role_id = role['id'] # Assign roles to trustor self.roles_client.create_user_role_on_project( self.trustor_project_id, self.trustor_user_id, self.delegated_role_id) self.roles_client.create_user_role_on_project( self.trustor_project_id, self.trustor_user_id, self.not_delegated_role_id) # Get trustee user ID, use the demo user trustee_username = self.non_admin_client.user self.trustee_user_id = self.get_user_by_name(trustee_username)['id'] self.assertIsNotNone(self.trustee_user_id) # Initialize a new client with the trustor credentials creds = common_creds.get_credentials( identity_version='v3', username=trustor_username, password=trustor_password, user_domain_id=CONF.identity.default_domain_id, tenant_name=trustor_project_name, project_domain_id=CONF.identity.default_domain_id, domain_id=CONF.identity.default_domain_id) os = clients.Manager(credentials=creds) self.trustor_client = os.trusts_client
def recreate_server(cls, server_id, validatable=False, **kwargs): """Destroy an existing class level server and creates a new one Some test classes use a test server that can be used by multiple tests. This is done to optimise runtime and test load. If something goes wrong with the test server, it can be rebuilt using this helper. This helper can also be used for the initial provisioning if no server_id is specified. :param server_id: UUID of the server to be rebuilt. If None is specified, a new server is provisioned. :param validatable: whether to the server needs to be validatable. When True, validation resources are acquired via the `get_class_validation_resources` helper. :param kwargs: extra paramaters are passed through to the `create_test_server` call. :return: the UUID of the created server. """ if server_id: cls.delete_server(server_id) cls.password = data_utils.rand_password() server = cls.create_test_server( validatable, validation_resources=cls.get_class_validation_resources( cls.os_primary), wait_until='ACTIVE', adminPass=cls.password, **kwargs) return server['id']
def test_user_update_own_password(self): """test updating user's own password via v2 API""" old_pass = self.creds.password old_token = self.non_admin_users_client.token new_pass = data_utils.rand_password() user_id = self.creds.user_id # to change password back. important for use_dynamic_credentials=false self.addCleanup(self._restore_password, user_id, old_pass, new_pass) # user updates own password self._update_password( user_id, original_password=old_pass, password=new_pass) # authorize with old token should lead to Unauthorized self.assertRaises(exceptions.Unauthorized, self.non_admin_token_client.auth_token, old_token) # authorize with old password should lead to Unauthorized self.assertRaises(exceptions.Unauthorized, self.non_admin_token_client.auth, self.username, old_pass, self.tenant_name)
def resource_setup(cls): super(RolesV3TestJSON, cls).resource_setup() cls.roles = list() for _ in range(3): role_name = data_utils.rand_name(name='role') role = cls.roles_client.create_role(name=role_name)['role'] cls.roles.append(role) u_name = data_utils.rand_name('user') u_desc = '%s description' % u_name u_email = '*****@*****.**' % u_name cls.u_password = data_utils.rand_password() cls.domain = cls.create_domain() cls.project = cls.projects_client.create_project( data_utils.rand_name('project'), description=data_utils.rand_name('project-desc'), domain_id=cls.domain['id'])['project'] cls.group_body = cls.groups_client.create_group( name=data_utils.rand_name('Group'), project_id=cls.project['id'], domain_id=cls.domain['id'])['group'] cls.user_body = cls.users_client.create_user( name=u_name, description=u_desc, password=cls.u_password, email=u_email, project_id=cls.project['id'], domain_id=cls.domain['id'])['user'] cls.role = cls.roles_client.create_role( name=data_utils.rand_name('Role'))['role']
def test_authentication_with_invalid_tenant(self): # User's token for an invalid tenant should not be authenticated password = data_utils.rand_password() user = self.setup_test_user(password) self.assertRaises(lib_exc.Unauthorized, self.token_client.auth, user['name'], password, 'junktenant1234')
def _rebuild_server(self, server_id): # Destroy an existing server and creates a new one. if server_id: self.delete_server(server_id) self.password = data_utils.rand_password() return self.create_test_server( wait_until='ACTIVE', adminPass=self.password)
def _create_creds(self, admin=False, roles=None): """Create credentials with random name. Creates project and user. When admin flag is True create user with admin role. Assign user with additional roles (for example _member_) and roles requested by caller. :param admin: Flag if to assign to the user admin role :type admin: bool :param roles: Roles to assign for the user :type roles: list :return: Readonly Credentials with network resources """ root = self.name project_name = data_utils.rand_name(root, prefix=self.resource_prefix) project_desc = project_name + "-desc" project = self.creds_client.create_project( name=project_name, description=project_desc) # NOTE(andreaf) User and project can be distinguished from the context, # having the same ID in both makes it easier to match them and debug. username = project_name user_password = data_utils.rand_password() email = data_utils.rand_name( root, prefix=self.resource_prefix) + "@example.com" user = self.creds_client.create_user( username, user_password, project, email) role_assigned = False if admin: self.creds_client.assign_user_role(user, project, self.admin_role) role_assigned = True if (self.identity_version == 'v3' and self.identity_admin_domain_scope): self.creds_client.assign_user_role_on_domain( user, self.identity_admin_role) # Add roles specified in config file for conf_role in self.extra_roles: self.creds_client.assign_user_role(user, project, conf_role) role_assigned = True # Add roles requested by caller if roles: for role in roles: self.creds_client.assign_user_role(user, project, role) role_assigned = True # NOTE(mtreinish) For a user to have access to a project with v3 auth # it must beassigned a role on the project. So we need to ensure that # our newly created user has a role on the newly created project. if self.identity_version == 'v3' and not role_assigned: try: self.creds_client.create_user_role('Member') except lib_exc.Conflict: LOG.warning('Member role already exists, ignoring conflict.') self.creds_client.assign_user_role(user, project, 'Member') creds = self.creds_client.get_credentials(user, project, user_password) return cred_provider.TestResources(creds)
def test_authentication_for_disabled_user(self): # Attempt to authenticate for disabled user should fail password = data_utils.rand_password() user = self.setup_test_user(password) self.disable_user(user['name'], user['domain_id']) self.assertRaises(lib_exc.Unauthorized, self.token.auth, username=user['name'], password=password, user_domain_id=CONF.identity.default_domain_id)
def test_create_user_for_non_existent_domain(self): # Attempt to create a user in a non-existent domain should fail u_name = data_utils.rand_name('user') u_email = u_name + '@testmail.tm' u_password = data_utils.rand_password() self.assertRaises(lib_exc.NotFound, self.users_client.create_user, name=u_name, password=u_password, email=u_email, domain_id=data_utils.rand_uuid_hex())
def resource_setup(cls): super(ServerRescueNegativeTestJSON, cls).resource_setup() cls.password = data_utils.rand_password() rescue_password = data_utils.rand_password() # Server for negative tests server = cls.create_test_server(adminPass=cls.password, wait_until='BUILD') resc_server = cls.create_test_server(adminPass=rescue_password, wait_until='ACTIVE') cls.server_id = server['id'] cls.rescue_id = resc_server['id'] cls.servers_client.rescue_server( cls.rescue_id, adminPass=rescue_password) waiters.wait_for_server_status(cls.servers_client, cls.rescue_id, 'RESCUE') waiters.wait_for_server_status(cls.servers_client, cls.server_id, 'ACTIVE')
def test_create_user_with_duplicate_name(self): # Duplicate user should not be created password = data_utils.rand_password() user = self.setup_test_user(password) tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] self.assertRaises(lib_exc.Conflict, self.users_client.create_user, name=user['name'], password=password, tenantId=tenant['id'], email=user['email'])
def test_authentication_when_tenant_is_disabled(self): # User's token for a disabled tenant should not be authenticated password = data_utils.rand_password() user = self.setup_test_user(password) tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] self.disable_tenant(tenant['name']) self.assertRaises(lib_exc.Unauthorized, self.token_client.auth, user['name'], password, tenant['name'])
def resource_setup(cls): super(ServerRescueTestBase, cls).resource_setup() password = data_utils.rand_password() server = cls.create_test_server(adminPass=password, wait_until='ACTIVE') cls.servers_client.rescue_server(server['id'], adminPass=password) waiters.wait_for_server_status(cls.servers_client, server['id'], 'RESCUE') cls.rescued_server_id = server['id']
def test_rescue_unrescue_instance(self): password = data_utils.rand_password() server = self.create_test_server(adminPass=password, wait_until='ACTIVE') self.servers_client.rescue_server(server['id'], adminPass=password) waiters.wait_for_server_status(self.servers_client, server['id'], 'RESCUE') self.servers_client.unrescue_server(server['id']) waiters.wait_for_server_status(self.servers_client, server['id'], 'ACTIVE')
def rebuild_server(cls, server_id, validatable=False, **kwargs): # Destroy an existing server and creates a new one if server_id: cls.delete_server(server_id) cls.password = data_utils.rand_password() server = cls.create_test_server( validatable, wait_until='ACTIVE', adminPass=cls.password, **kwargs) return server['id']
def test_user_authentication(self): # Valid user's token is authenticated password = data_utils.rand_password() user = self.setup_test_user(password) tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant'] # Get a token self.token_client.auth(user['name'], password, tenant['name']) # Re-auth self.token_client.auth(user['name'], password, tenant['name'])
def test_default_project_id(self): # create a domain dom_name = data_utils.rand_name('dom') domain_body = self.domains_client.create_domain( name=dom_name)['domain'] dom_id = domain_body['id'] self.addCleanup(self._delete_domain, dom_id) # create a project in the domain proj_body = self.setup_test_project(domain_id=dom_id) proj_id = proj_body['id'] self.assertEqual(proj_body['domain_id'], dom_id, "project " + proj_body['name'] + "doesn't have domain id " + dom_id) # create a user in the domain, with the previous project as his # default project user_name = data_utils.rand_name('user') user_pass = data_utils.rand_password() user_body = self.users_client.create_user( name=user_name, password=user_pass, domain_id=dom_id, default_project_id=proj_id)['user'] user_id = user_body['id'] self.addCleanup(self.users_client.delete_user, user_id) self.assertEqual(user_body['domain_id'], dom_id, "user " + user_name + "doesn't have domain id " + dom_id) # get roles and find the admin role admin_role = self.get_role_by_name(CONF.identity.admin_role) admin_role_id = admin_role['id'] # grant the admin role to the user on his project self.roles_client.create_user_role_on_project(proj_id, user_id, admin_role_id) # create a new client with user's credentials (NOTE: unscoped token!) creds = auth.KeystoneV3Credentials(username=user_name, password=user_pass, user_domain_name=dom_name) auth_provider = clients.get_auth_provider(creds) creds = auth_provider.fill_credentials() admin_client = clients.Manager(credentials=creds) # verify the user's token and see that it is scoped to the project token, _ = admin_client.auth_provider.get_auth() result = admin_client.identity_v3_client.show_token(token)['token'] self.assertEqual(result['project']['domain']['id'], dom_id) self.assertEqual(result['project']['id'], proj_id)
def test_user_update_own_password(self): def _restore_password(client, user_id, old_pass, new_pass): # Reset auth to get a new token with the new password client.auth_provider.clear_auth() client.auth_provider.credentials.password = new_pass client.update_user_own_password(user_id, password=old_pass, original_password=new_pass) # Reset auth again to verify the password restore does work. # Clear auth restores the original credentials and deletes # cached auth data client.auth_provider.clear_auth() # NOTE(lbragstad): Fernet tokens are not subsecond aware and # Keystone should only be precise to the second. Sleep to ensure we # are passing the second boundary before attempting to # authenticate. time.sleep(1) client.auth_provider.set_auth() old_pass = self.creds.password new_pass = data_utils.rand_password() user_id = self.creds.user_id # to change password back. important for allow_tenant_isolation = false self.addCleanup(_restore_password, self.non_admin_users_client, user_id, old_pass=old_pass, new_pass=new_pass) # user updates own password self.non_admin_users_client.update_user_own_password( user_id, password=new_pass, original_password=old_pass) # NOTE(morganfainberg): Fernet tokens are not subsecond aware and # Keystone should only be precise to the second. Sleep to ensure # we are passing the second boundary. time.sleep(1) # check authorization with new password self.non_admin_token_client.auth(self.username, new_pass, self.tenant_name) # authorize with old token should lead to Unauthorized self.assertRaises(exceptions.Unauthorized, self.non_admin_token_client.auth_token, self.non_admin_users_client.token) # authorize with old password should lead to Unauthorized self.assertRaises(exceptions.Unauthorized, self.non_admin_token_client.auth, self.username, old_pass, self.tenant_name)
def create_test_user(self, **kwargs): if kwargs.get('password', None) is None: kwargs['password'] = data_utils.rand_password() if 'name' not in kwargs: kwargs['name'] = data_utils.rand_name('test_user') if 'email' not in kwargs: kwargs['email'] = kwargs['name'] + '@testmail.tm' user = self.users_client.create_user(**kwargs)['user'] # Delete the user at the end of the test self.addCleanup( test_utils.call_and_ignore_notfound_exc, self.users_client.delete_user, user['id']) return user
def test_update_user_password(self): # Creating User to check password updation u_name = data_utils.rand_name('user') original_password = data_utils.rand_password() user = self.users_client.create_user( name=u_name, password=original_password)['user'] # Delete the User at the end all test methods self.addCleanup(self.users_client.delete_user, user['id']) # Update user with new password new_password = data_utils.rand_password() self.users_client.update_user_password( user['id'], password=new_password, original_password=original_password) # NOTE(morganfainberg): Fernet tokens are not subsecond aware and # Keystone should only be precise to the second. Sleep to ensure # we are passing the second boundary. time.sleep(1) resp = self.token.auth(user_id=user['id'], password=new_password).response subject_token = resp['x-subject-token'] # Perform GET Token to verify and confirm password is updated token_details = self.client.show_token(subject_token)['token'] self.assertEqual(token_details['user']['id'], user['id']) self.assertEqual(token_details['user']['name'], u_name)
def generate_resources(opts): spec = [{'number': 1, 'prefix': 'primary', 'roles': (CONF.auth.tempest_roles + [CONF.object_storage.operator_role])}, {'number': 1, 'prefix': 'alt', 'roles': (CONF.auth.tempest_roles + [CONF.object_storage.operator_role])}] if CONF.service_available.swift: spec.append({'number': 1, 'prefix': 'swift_operator', 'roles': (CONF.auth.tempest_roles + [CONF.object_storage.operator_role])}) spec.append({'number': 1, 'prefix': 'swift_reseller_admin', 'roles': (CONF.auth.tempest_roles + [CONF.object_storage.reseller_admin_role])}) if CONF.service_available.heat: spec.append({'number': 1, 'prefix': 'stack_owner', 'roles': (CONF.auth.tempest_roles + [CONF.orchestration.stack_owner_role])}) if opts.admin: spec.append({ 'number': 1, 'prefix': 'admin', 'roles': (CONF.auth.tempest_roles + [CONF.identity.admin_role]) }) resources = {'tenants': [], 'users': []} for count in range(opts.concurrency): for user_group in spec: users = [random_user_name(opts.tag, user_group['prefix']) for _ in range(user_group['number'])] for user in users: tenant = '-'.join((user, 'tenant')) resources['tenants'].append(tenant) resources['users'].append({ 'tenant': tenant, 'name': user, 'pass': data_utils.rand_password(), 'prefix': user_group['prefix'], 'roles': user_group['roles'] }) return resources