def test_new_project_existing_user(self):
"""
Create a project for a user that already exists.
"""
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**")
setup_identity_cache(users=[user])
task = Task.objects.create(keystone_user={})
data = {
"domain_id": "default",
"parent_id": None,
"email": "*****@*****.**",
"project_name": "test_project",
}
action = NewProjectWithUserAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
action.approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache["new_projects"][0]
self.assertEqual(new_project.name, "test_project")
self.assertEqual(len(fake_clients.identity_cache["new_users"]), 0)
self.assertEqual(
task.cache,
{
"project_id": new_project.id,
"user_id": user.id,
"user_state": "existing",
},
)
# submit does nothing for existing
action.submit({})
self.assertEqual(action.valid, True)
self.assertEqual(user.password, "123")
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, new_project)
self.assertEqual(
sorted(roles),
sorted(
["member", "project_admin", "project_mod",
"heat_stack_owner"]),
)
def test_new_project_signup(self):
"""
Base case, no project, no user.
Organisation, and primary is billing.
Project and user created at post_approve step,
user password at submit step.
"""
setup_identity_cache()
task = Task.objects.create(ip_address="0.0.0.0", keystone_user={})
task.cache = {
'project_name': 'test_project',
'partner_id': 1,
'primary_id': 2,
'billing_id': 2,
}
data = {
'domain_id': 'default',
'parent_id': None,
'email': '*****@*****.**',
'signup_type': 'organisation',
}
action = NewProjectSignUpAction(data, task=task, order=1)
action.pre_approve()
self.assertEquals(action.valid, True)
action.post_approve()
self.assertEquals(len(odoo_cache['projects']), 1)
self.assertEquals(len(odoo_cache['project_rels']), 3)
self.assertEquals(action.valid, True)
self.assertEquals(fake_clients.identity_cache['new_projects'][0].name,
'test_project')
token_data = {'password': '******'}
action.submit(token_data)
self.assertEquals(action.valid, True)
new_project = fake_clients.identity_cache['new_projects'][0]
new_user = fake_clients.identity_cache['new_users'][0]
self.assertEquals(new_user.email, '*****@*****.**')
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(new_user, new_project)
self.assertEquals(
sorted(roles),
sorted([
'_member_', 'project_admin', 'project_mod', 'heat_stack_owner'
]))
def test_new_user_disabled(self):
"""
Disabled user, valid existing tenant, no role.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(
name="*****@*****.**",
password="******",
email="*****@*****.**",
enabled=False,
)
setup_identity_cache(projects=[project], users=[user])
task = Task.objects.create(
keystone_user={
"roles": ["admin", "project_mod"],
"project_id": project.id,
"project_domain_id": "default",
}
)
data = {
"email": "*****@*****.**",
"project_id": project.id,
"roles": ["member"],
"inherited_roles": [],
"domain_id": "default",
}
action = NewUserAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
action.approve()
self.assertEqual(action.valid, True)
token_data = {"password": "******"}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(len(fake_clients.identity_cache["users"]), 2)
fake_client = fake_clients.FakeManager()
user = fake_client.find_user(name="*****@*****.**", domain="default")
self.assertEqual(user.email, "*****@*****.**")
self.assertEqual(user.password, "123456")
self.assertTrue(user.enabled)
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ["member"])
def test_new_project_email_not_username(self):
"""
Base case, no project, no user.
Project and user created at post_approve step,
user password at submit step.
"""
setup_identity_cache()
task = Task.objects.create(ip_address="0.0.0.0", keystone_user={})
data = {
'domain_id': 'default',
'parent_id': None,
'email': '*****@*****.**',
'username': '******',
'project_name': 'test_project',
}
action = NewProjectWithUserAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
action.post_approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache['new_projects'][0]
self.assertEqual(new_project.name, 'test_project')
new_user = fake_clients.identity_cache['new_users'][0]
self.assertEqual(new_user.name, 'test_user')
self.assertEqual(new_user.email, '*****@*****.**')
self.assertEqual(
task.cache, {
'project_id': new_project.id,
'user_id': new_user.id,
'user_state': 'default'
})
token_data = {'password': '******'}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(new_user.password, '123456')
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(new_user, new_project)
self.assertEqual(
sorted(roles),
sorted([
'_member_', 'project_admin', 'project_mod', 'heat_stack_owner'
]))
def test_edit_user_roles_can_manage_all(self):
"""
Confirm that you cannot edit a user unless all their roles
can be managed by you.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**")
assignments = [
fake_clients.FakeRoleAssignment(
scope={'project': {
'id': project.id
}},
role_name="_member_",
user={'id': user.id}),
fake_clients.FakeRoleAssignment(
scope={'project': {
'id': project.id
}},
role_name="project_admin",
user={'id': user.id}),
]
setup_identity_cache(projects=[project],
users=[user],
role_assignments=assignments)
task = Task.objects.create(ip_address="0.0.0.0",
keystone_user={
'roles': ['project_mod'],
'project_id': project.id,
'project_domain_id': 'default',
})
data = {
'domain_id': 'default',
'user_id': user.id,
'project_id': project.id,
'roles': ['project_mod'],
'inherited_roles': [],
'remove': False
}
action = EditUserRolesAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, False)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ['_member_', 'project_admin'])
def test_edit_user_roles_remove_complete(self):
"""
Remove roles from user that does not have them.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**")
assignment = fake_clients.FakeRoleAssignment(
scope={'project': {
'id': project.id
}},
role_name="_member_",
user={'id': user.id})
setup_identity_cache(projects=[project],
users=[user],
role_assignments=[assignment])
task = Task.objects.create(ip_address="0.0.0.0",
keystone_user={
'roles': ['admin', 'project_mod'],
'project_id': project.id,
'project_domain_id': 'default',
})
data = {
'domain_id': 'default',
'user_id': user.id,
'project_id': project.id,
'roles': ['project_mod'],
'inherited_roles': [],
'remove': True
}
action = EditUserRolesAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
self.assertEqual(action.action.state, "complete")
action.post_approve()
self.assertEqual(action.valid, True)
token_data = {}
action.submit(token_data)
self.assertEqual(action.valid, True)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ['_member_'])
def test_edit_user_roles_remove_complete(self):
"""
Remove roles from user that does not have them.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(
name="*****@*****.**", password="******", email="*****@*****.**"
)
assignment = fake_clients.FakeRoleAssignment(
scope={"project": {"id": project.id}},
role_name="member",
user={"id": user.id},
)
setup_identity_cache(
projects=[project], users=[user], role_assignments=[assignment]
)
task = Task.objects.create(
keystone_user={
"roles": ["admin", "project_mod"],
"project_id": project.id,
"project_domain_id": "default",
}
)
data = {
"domain_id": "default",
"user_id": user.id,
"project_id": project.id,
"roles": ["project_mod"],
"inherited_roles": [],
"remove": True,
}
action = EditUserRolesAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
self.assertEqual(action.action.state, "complete")
action.approve()
self.assertEqual(action.valid, True)
token_data = {}
action.submit(token_data)
self.assertEqual(action.valid, True)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ["member"])
def test_edit_user_roles_can_manage_all(self):
"""
Confirm that you cannot edit a user unless all their roles
can be managed by you.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(
name="*****@*****.**", password="******", email="*****@*****.**"
)
assignments = [
fake_clients.FakeRoleAssignment(
scope={"project": {"id": project.id}},
role_name="member",
user={"id": user.id},
),
fake_clients.FakeRoleAssignment(
scope={"project": {"id": project.id}},
role_name="project_admin",
user={"id": user.id},
),
]
setup_identity_cache(
projects=[project], users=[user], role_assignments=assignments
)
task = Task.objects.create(
keystone_user={
"roles": ["project_mod"],
"project_id": project.id,
"project_domain_id": "default",
}
)
data = {
"domain_id": "default",
"user_id": user.id,
"project_id": project.id,
"roles": ["project_mod"],
"inherited_roles": [],
"remove": False,
}
action = EditUserRolesAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, False)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ["member", "project_admin"])
def test_new_project_existing_user(self):
"""
Create a project for a user that already exists.
"""
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**")
setup_identity_cache(users=[user])
task = Task.objects.create(ip_address="0.0.0.0", keystone_user={})
data = {
'domain_id': 'default',
'parent_id': None,
'email': '*****@*****.**',
'project_name': 'test_project',
}
action = NewProjectWithUserAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
action.post_approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache['new_projects'][0]
self.assertEqual(new_project.name, 'test_project')
self.assertEqual(len(fake_clients.identity_cache['new_users']), 0)
self.assertEqual(
task.cache, {
'project_id': new_project.id,
'user_id': user.id,
'user_state': 'existing'
})
# submit does nothing for existing
action.submit({})
self.assertEqual(action.valid, True)
self.assertEqual(user.password, '123')
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, new_project)
self.assertEqual(
sorted(roles),
sorted([
'_member_', 'project_admin', 'project_mod', 'heat_stack_owner'
]))
def test_new_user_disabled(self):
"""
Disabled user, valid existing tenant, no role.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**",
enabled=False)
setup_identity_cache(projects=[project], users=[user])
task = Task.objects.create(ip_address="0.0.0.0",
keystone_user={
'roles': ['admin', 'project_mod'],
'project_id': project.id,
'project_domain_id': 'default',
})
data = {
'email': '*****@*****.**',
'project_id': project.id,
'roles': ['_member_'],
'inherited_roles': [],
'domain_id': 'default',
}
action = NewUserAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
action.post_approve()
self.assertEqual(action.valid, True)
token_data = {'password': '******'}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(len(fake_clients.identity_cache['users']), 2)
fake_client = fake_clients.FakeManager()
user = fake_client.find_user(name="*****@*****.**", domain="default")
self.assertEqual(user.email, '*****@*****.**')
self.assertEqual(user.password, '123456')
self.assertTrue(user.enabled)
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ['_member_'])
def test_create_user_email_not_username(self):
"""
Test the default case, all valid.
No existing user, valid tenant.
Different username from email address
"""
project = fake_clients.FakeProject(name="test_project")
setup_identity_cache(projects=[project])
task = Task.objects.create(
keystone_user={
"roles": ["admin", "project_mod"],
"project_id": project.id,
"project_domain_id": "default",
}
)
data = {
"username": "******",
"email": "*****@*****.**",
"project_id": project.id,
"roles": ["member"],
"inherited_roles": [],
"domain_id": "default",
}
action = NewUserAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
action.approve()
self.assertEqual(action.valid, True)
token_data = {"password": "******"}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(len(fake_clients.identity_cache["users"]), 2)
fake_client = fake_clients.FakeManager()
user = fake_client.find_user(name="test_user", domain="default")
self.assertEqual(user.email, "*****@*****.**")
self.assertEqual(user.password, "123456")
self.assertTrue(user.enabled)
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ["member"])
def test_new_project_action(self):
"""
Tests the new project action for an existing user.
"""
project = fake_clients.FakeProject(name="parent_project")
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**")
setup_identity_cache(projects=[project], users=[user])
task = Task.objects.create(
keystone_user={
"user_id": user.id,
"project_id": project.id,
"project_domain_id": "default",
})
data = {
"domain_id": "default",
"parent_id": project.id,
"project_name": "test_project",
"description": "",
}
action = NewProjectAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
action.approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache["new_projects"][0]
self.assertEqual(new_project.name, "test_project")
self.assertEqual(new_project.parent_id, project.id)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, new_project)
self.assertEqual(
sorted(roles),
sorted(
["member", "project_admin", "project_mod",
"heat_stack_owner"]),
)
action.submit({})
self.assertEqual(action.valid, True)
def test_create_user_email_not_username(self):
"""
Test the default case, all valid.
No existing user, valid tenant.
Different username from email address
"""
project = fake_clients.FakeProject(name="test_project")
setup_identity_cache(projects=[project])
task = Task.objects.create(ip_address="0.0.0.0",
keystone_user={
'roles': ['admin', 'project_mod'],
'project_id': project.id,
'project_domain_id': 'default',
})
data = {
'username': '******',
'email': '*****@*****.**',
'project_id': project.id,
'roles': ['_member_'],
'inherited_roles': [],
'domain_id': 'default',
}
action = NewUserAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
action.post_approve()
self.assertEqual(action.valid, True)
token_data = {'password': '******'}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(len(fake_clients.identity_cache['users']), 2)
fake_client = fake_clients.FakeManager()
user = fake_client.find_user(name="test_user", domain="default")
self.assertEqual(user.email, '*****@*****.**')
self.assertEqual(user.password, '123456')
self.assertTrue(user.enabled)
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ['_member_'])
def test_new_project_action(self):
"""
Tests the new project action for an existing user.
"""
project = fake_clients.FakeProject(name="parent_project")
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**")
setup_identity_cache(projects=[project], users=[user])
task = Task.objects.create(ip_address="0.0.0.0",
keystone_user={
"user_id": user.id,
"project_id": project.id,
"project_domain_id": 'default'
})
data = {
'domain_id': 'default',
'parent_id': project.id,
'project_name': 'test_project',
'description': '',
}
action = NewProjectAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
action.post_approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache['new_projects'][0]
self.assertEqual(new_project.name, 'test_project')
self.assertEqual(new_project.parent_id, project.id)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, new_project)
self.assertEqual(
sorted(roles),
sorted([
'_member_', 'project_admin', 'project_mod', 'heat_stack_owner'
]))
action.submit({})
self.assertEqual(action.valid, True)
def test_edit_user_roles_add(self):
"""
Add roles to existing user.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(
name="*****@*****.**", password="******", email="*****@*****.**"
)
setup_identity_cache(projects=[project], users=[user])
task = Task.objects.create(
keystone_user={
"roles": ["admin", "project_mod"],
"project_id": project.id,
"project_domain_id": "default",
}
)
data = {
"domain_id": "default",
"user_id": user.id,
"project_id": project.id,
"roles": ["member", "project_mod"],
"inherited_roles": [],
"remove": False,
}
action = EditUserRolesAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
action.approve()
self.assertEqual(action.valid, True)
token_data = {}
action.submit(token_data)
self.assertEqual(action.valid, True)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(sorted(roles), sorted(["member", "project_mod"]))
def test_edit_user_roles_add(self):
"""
Add roles to existing user.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**")
setup_identity_cache(projects=[project], users=[user])
task = Task.objects.create(ip_address="0.0.0.0",
keystone_user={
'roles': ['admin', 'project_mod'],
'project_id': project.id,
'project_domain_id': 'default',
})
data = {
'domain_id': 'default',
'user_id': user.id,
'project_id': project.id,
'roles': ['_member_', 'project_mod'],
'inherited_roles': [],
'remove': False
}
action = EditUserRolesAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
action.post_approve()
self.assertEqual(action.valid, True)
token_data = {}
action.submit(token_data)
self.assertEqual(action.valid, True)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(sorted(roles), sorted(['_member_', 'project_mod']))
def test_reset_user_email_not_username(self):
"""
Base case, existing user.
Username not email address
"""
user = fake_clients.FakeUser(
name="test_user", password="******", email="*****@*****.**"
)
setup_identity_cache(users=[user])
task = Task.objects.create(
keystone_user={
"roles": ["project_mod"],
"project_id": "test_project_id",
"project_domain_id": "default",
}
)
data = {
"username": "******",
"domain_name": "Default",
"email": "*****@*****.**",
}
action = ResetUserPasswordAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
action.approve()
self.assertEqual(action.valid, True)
token_data = {"password": "******"}
action.submit(token_data)
self.assertEqual(action.valid, True)
fake_client = fake_clients.FakeManager()
user = fake_client.find_user(name="test_user", domain="default")
self.assertEqual(user.email, "*****@*****.**")
self.assertEqual(user.password, "123456")
def test_reset_user_email_not_username(self):
"""
Base case, existing user.
Username not email address
"""
user = fake_clients.FakeUser(name="test_user",
password="******",
email="*****@*****.**")
setup_identity_cache(users=[user])
task = Task.objects.create(ip_address="0.0.0.0",
keystone_user={
'roles': ['project_mod'],
'project_id': 'test_project_id',
'project_domain_id': 'default',
})
data = {
'username': "******",
'domain_name': 'Default',
'email': '*****@*****.**',
}
action = ResetUserPasswordAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
action.post_approve()
self.assertEqual(action.valid, True)
token_data = {'password': '******'}
action.submit(token_data)
self.assertEqual(action.valid, True)
fake_client = fake_clients.FakeManager()
user = fake_client.find_user(name="test_user", domain="default")
self.assertEqual(user.email, '*****@*****.**')
self.assertEqual(user.password, '123456')
def test_new_project_disabled_user(self):
"""
Create a project for a user that is disabled.
"""
user = fake_clients.FakeUser(
name="*****@*****.**",
password="******",
email="*****@*****.**",
enabled=False,
)
setup_identity_cache(users=[user])
task = Task.objects.create(keystone_user={})
data = {
"domain_id": "default",
"parent_id": None,
"email": "*****@*****.**",
"project_name": "test_project",
}
# Sign up, approve
action = NewProjectWithUserAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
action.approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache["new_projects"][0]
self.assertEqual(new_project.name, "test_project")
self.assertEqual(len(fake_clients.identity_cache["new_users"]), 0)
self.assertEqual(
task.cache,
{
"user_id": user.id,
"project_id": new_project.id,
"user_state": "disabled",
},
)
self.assertEqual(action.action.cache["token_fields"], ["password"])
# submit password reset
token_data = {"password": "******"}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(user.password, "123456")
# check that user has been enabled correctly
self.assertEqual(user.email, "*****@*****.**")
self.assertEqual(user.enabled, True)
# Check user has correct roles in new project
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, new_project)
self.assertEqual(
sorted(roles),
sorted(
["member", "project_admin", "project_mod",
"heat_stack_owner"]),
)
def test_new_project_user_disabled_during_signup(self):
"""
Create a project for a user that is created and disabled during signup.
This exercises the tasks ability to correctly act based on changed
circumstances between two states.
"""
# Start with nothing created
setup_identity_cache()
# Sign up for the project+user, validate.
task = Task.objects.create(keystone_user={})
data = {
"domain_id": "default",
"parent_id": None,
"email": "*****@*****.**",
"project_name": "test_project",
}
# Sign up
action = NewProjectWithUserAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
# Create the disabled user directly with the Identity Manager.
fake_client = fake_clients.FakeManager()
user = fake_client.create_user(
name="*****@*****.**",
password="******",
email="*****@*****.**",
created_on=None,
domain="default",
default_project=None,
)
fake_client.disable_user(user.id)
# approve previous signup
action.approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache["new_projects"][0]
self.assertEqual(new_project.name, "test_project")
self.assertEqual(len(fake_clients.identity_cache["new_users"]), 1)
self.assertEqual(
task.cache,
{
"user_id": user.id,
"project_id": new_project.id,
"user_state": "disabled",
},
)
# check that user has been re-enabled with a generated password.
self.assertEqual(user.enabled, True)
self.assertNotEqual(user.password, "origpass")
# submit password reset
token_data = {"password": "******"}
action.submit(token_data)
self.assertEqual(action.valid, True)
# Ensure user has new password:
self.assertEqual(user.password, "123456")
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, new_project)
self.assertEqual(
sorted(roles),
sorted(
["member", "project_admin", "project_mod",
"heat_stack_owner"]),
)
def test_new_project_reapprove(self):
"""
Project created at approve step,
ensure reapprove does nothing.
"""
setup_identity_cache()
task = Task.objects.create(keystone_user={})
data = {
"domain_id": "default",
"parent_id": None,
"email": "*****@*****.**",
"project_name": "test_project",
}
action = NewProjectWithUserAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
action.approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache["new_projects"][0]
self.assertEqual(new_project.name, "test_project")
new_user = fake_clients.identity_cache["new_users"][0]
self.assertEqual(new_user.name, "*****@*****.**")
self.assertEqual(new_user.email, "*****@*****.**")
self.assertEqual(
task.cache,
{
"project_id": new_project.id,
"user_id": new_user.id,
"user_state": "default",
},
)
action.approve()
self.assertEqual(action.valid, True)
self.assertEqual(len(fake_clients.identity_cache["new_projects"]), 1)
self.assertEqual(len(fake_clients.identity_cache["new_users"]), 1)
self.assertEqual(
task.cache,
{
"project_id": new_project.id,
"user_id": new_user.id,
"user_state": "default",
},
)
token_data = {"password": "******"}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(new_user.password, "123456")
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(new_user, new_project)
self.assertEqual(
sorted(roles),
sorted(
["member", "project_admin", "project_mod",
"heat_stack_owner"]),
)
def test_new_project_reapprove_failure(self):
"""
Project created at approve step, failure at role grant.
Ensure reapprove correctly finishes.
"""
setup_identity_cache()
task = Task.objects.create(keystone_user={})
data = {
"domain_id": "default",
"parent_id": None,
"email": "*****@*****.**",
"project_name": "test_project",
}
action = NewProjectWithUserAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
# NOTE(adrian): We need the code to fail at the
# grant roles step so we can attempt reapproving it
class FakeException(Exception):
pass
def fail_grant(user, default_roles, project_id):
raise FakeException
# We swap out the old grant function and keep
# it for later.
old_grant_function = action.grant_roles
action.grant_roles = fail_grant
# Now we expect the failure
self.assertRaises(FakeException, action.approve)
# No roles_granted yet, but user created
self.assertTrue("user_id" in action.action.cache)
self.assertFalse("roles_granted" in action.action.cache)
new_project = fake_clients.identity_cache["new_projects"][0]
self.assertEqual(new_project.name, "test_project")
new_user = fake_clients.identity_cache["new_users"][0]
self.assertEqual(new_user.name, "*****@*****.**")
self.assertEqual(new_user.email, "*****@*****.**")
self.assertEqual(len(fake_clients.identity_cache["role_assignments"]),
0)
# And then swap back the correct function
action.grant_roles = old_grant_function
# and try again, it should work this time
action.approve()
self.assertEqual(action.valid, True)
# roles_granted in cache
self.assertTrue("roles_granted" in action.action.cache)
token_data = {"password": "******"}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(new_user.password, "123456")
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(new_user, new_project)
self.assertEqual(
sorted(roles),
sorted(
["member", "project_admin", "project_mod",
"heat_stack_owner"]),
)
def test_edit_user_roles_modified_config(self):
"""
Tests that the role mappings do come from config and that they
are enforced.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(
name="*****@*****.**", password="******", email="*****@*****.**"
)
assignment = fake_clients.FakeRoleAssignment(
scope={"project": {"id": project.id}},
role_name="project_mod",
user={"id": user.id},
)
setup_identity_cache(
projects=[project], users=[user], role_assignments=[assignment]
)
task = Task.objects.create(
keystone_user={
"roles": ["project_mod"],
"project_id": project.id,
"project_domain_id": "default",
}
)
data = {
"domain_id": "default",
"user_id": user.id,
"project_id": project.id,
"roles": ["heat_stack_owner"],
"inherited_roles": [],
"remove": False,
}
action = EditUserRolesAction(data, task=task, order=1)
action.prepare()
self.assertEqual(action.valid, True)
# Change config
with conf_utils.modify_conf(
CONF,
operations={
"adjutant.identity.role_mapping": [
{
"operation": "update",
"value": {
"project_mod": [
"member",
"project_mod",
],
},
},
],
},
):
action.approve()
self.assertEqual(action.valid, False)
token_data = {}
action.submit(token_data)
self.assertEqual(action.valid, False)
# After Settings Reset
action.approve()
self.assertEqual(action.valid, True)
token_data = {}
action.submit(token_data)
self.assertEqual(action.valid, True)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ["project_mod", "heat_stack_owner"])
def test_edit_user_roles_modified_settings(self):
"""
Tests that the role mappings do come from settings and that they
are enforced.
"""
project = fake_clients.FakeProject(name="test_project")
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**")
assignment = fake_clients.FakeRoleAssignment(
scope={'project': {
'id': project.id
}},
role_name="project_mod",
user={'id': user.id})
setup_identity_cache(projects=[project],
users=[user],
role_assignments=[assignment])
task = Task.objects.create(ip_address="0.0.0.0",
keystone_user={
'roles': ['project_mod'],
'project_id': project.id,
'project_domain_id': 'default',
})
data = {
'domain_id': 'default',
'user_id': user.id,
'project_id': project.id,
'roles': ['heat_stack_owner'],
'inherited_roles': [],
'remove': False
}
action = EditUserRolesAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
# Change settings
with self.modify_dict_settings(
ROLES_MAPPING={
'key_list': ['project_mod'],
'operation': "remove",
'value': 'heat_stack_owner'
}):
action.post_approve()
self.assertEqual(action.valid, False)
token_data = {}
action.submit(token_data)
self.assertEqual(action.valid, False)
# After Settings Reset
action.post_approve()
self.assertEqual(action.valid, True)
token_data = {}
action.submit(token_data)
self.assertEqual(action.valid, True)
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, project)
self.assertEqual(roles, ['project_mod', 'heat_stack_owner'])
def test_new_project_user_disabled_during_signup(self):
"""
Create a project for a user that is created and disabled during signup.
This exercises the tasks ability to correctly act based on changed
circumstances between two states.
"""
# Start with nothing created
setup_identity_cache()
# Sign up for the project+user, validate.
task = Task.objects.create(ip_address="0.0.0.0", keystone_user={})
data = {
'domain_id': 'default',
'parent_id': None,
'email': '*****@*****.**',
'project_name': 'test_project',
}
# Sign up
action = NewProjectWithUserAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
# Create the disabled user directly with the Identity Manager.
fake_client = fake_clients.FakeManager()
user = fake_client.create_user(name="*****@*****.**",
password='******',
email="*****@*****.**",
created_on=None,
domain='default',
default_project=None)
fake_client.disable_user(user.id)
# approve previous signup
action.post_approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache['new_projects'][0]
self.assertEqual(new_project.name, 'test_project')
self.assertEqual(len(fake_clients.identity_cache['new_users']), 1)
self.assertEqual(
task.cache, {
'user_id': user.id,
'project_id': new_project.id,
'user_state': 'disabled'
})
# check that user has been re-enabled with a generated password.
self.assertEqual(user.enabled, True)
self.assertNotEqual(user.password, 'origpass')
# submit password reset
token_data = {'password': '******'}
action.submit(token_data)
self.assertEqual(action.valid, True)
# Ensure user has new password:
self.assertEqual(user.password, '123456')
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, new_project)
self.assertEqual(
sorted(roles),
sorted([
'_member_', 'project_admin', 'project_mod', 'heat_stack_owner'
]))
def test_new_project_disabled_user(self):
"""
Create a project for a user that is disabled.
"""
user = fake_clients.FakeUser(name="*****@*****.**",
password="******",
email="*****@*****.**",
enabled=False)
setup_identity_cache(users=[user])
task = Task.objects.create(ip_address="0.0.0.0", keystone_user={})
data = {
'domain_id': 'default',
'parent_id': None,
'email': '*****@*****.**',
'project_name': 'test_project',
}
# Sign up, approve
action = NewProjectWithUserAction(data, task=task, order=1)
action.pre_approve()
self.assertEqual(action.valid, True)
action.post_approve()
self.assertEqual(action.valid, True)
new_project = fake_clients.identity_cache['new_projects'][0]
self.assertEqual(new_project.name, 'test_project')
self.assertEqual(len(fake_clients.identity_cache['new_users']), 0)
self.assertEqual(
task.cache, {
'user_id': user.id,
'project_id': new_project.id,
'user_state': 'disabled'
})
self.assertEqual(action.action.cache["token_fields"], ['password'])
# submit password reset
token_data = {'password': '******'}
action.submit(token_data)
self.assertEqual(action.valid, True)
self.assertEqual(user.password, '123456')
# check that user has been enabled correctly
self.assertEqual(user.email, '*****@*****.**')
self.assertEqual(user.enabled, True)
# Check user has correct roles in new project
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(user, new_project)
self.assertEqual(
sorted(roles),
sorted([
'_member_', 'project_admin', 'project_mod', 'heat_stack_owner'
]))
def test_new_project_signup_existing(self):
"""
Existing project case, existing project, no user.
Organisation, and primary is billing.
Project and user created at post_approve step,
user password at submit step.
The only difference here to the default case
is that we find/create a new unique project name
and thus avoid the conflict entirely.
"""
project = fake_clients.FakeProject(name="test_project")
setup_identity_cache(projects=[project])
task = Task.objects.create(ip_address="0.0.0.0", keystone_user={})
task.cache = {
'project_name': 'test_project',
'partner_id': 1,
'primary_id': 2,
'billing_id': 2,
}
data = {
'domain_id': 'default',
'parent_id': None,
'email': '*****@*****.**',
'signup_type': 'organisation',
}
action = NewProjectSignUpAction(data, task=task, order=1)
action.pre_approve()
self.assertEquals(action.valid, True)
action.post_approve()
self.assertEquals(len(odoo_cache['projects']), 1)
self.assertEquals(len(odoo_cache['project_rels']), 3)
self.assertEquals(action.valid, True)
self.assertEquals(len(fake_clients.identity_cache['new_projects']), 1)
self.assertNotEquals(action.project_name, 'test_project')
token_data = {'password': '******'}
action.submit(token_data)
self.assertEquals(action.valid, True)
new_project = fake_clients.identity_cache['new_projects'][0]
new_user = fake_clients.identity_cache['new_users'][0]
self.assertEquals(new_user.email, '*****@*****.**')
fake_client = fake_clients.FakeManager()
roles = fake_client._get_roles_as_names(new_user, new_project)
self.assertEquals(
sorted(roles),
sorted([
'_member_', 'project_admin', 'project_mod', 'heat_stack_owner'
]))
