Multiversion authentication part1
Moves authentication from rest_client to an external auth_provider,
assigned to the client by the client manager.
The auth provider can decorate a request based on credentials (coming
from the client manager) and filters (region, service, endpoint_type)
given by the client. The auth provider can also return the raw
auth_data, which in the Keystone implementation is a tuple (token,
auth_data). The auth provider allows mixing multiple credentials
when decorating a request, possibly using empty or invalid credentials,
to facilitate negative tests.
The auth provider caches auth data, so that all API requests for a
specific set of credentials only require a single call to obtain a
token, unless the token expires or is forcefully deleted from the
auth provder.
Two implementations of the auth provider are included: Keystonev2 and
Keystonev3. The Manager object behaves as factory of auth_providers,
building the correct one based on the configured auth_version, and on
the interface type (JSON or XML).
Fixes endpoint selection for v3 auth. Drops unused basic_auth.
Extends TokenClients to provide both token and auth data,
and accept different combinations of credentials for v3.
Removes redundant server_client_v3_auth.
Adapts tempest unit tests to work with modified rest client.
Introduces a configuration parameter for authentication version to be
used. That is used when instantiating the client manager, and it
applies to all clients used by api tests.
Next steps (next patches):
- move to credentials as dict (as opposed to tuple)
- expose a get_client method from the client manager
and create clients only when requested
- remove redundant CustomizedHeader object storage clients
- supports keystone v3 in tenant isolation
- use Auth Provider in scenario tests
- use Auth Provider in CLI tests
- implement parsing of catalog XML format (?)
Partially implements: bp multi-keystone-api-version-tests
Change-Id: Icfa921e9051c01f339f8d2471b12d6ec950cc456
diff --git a/tempest/api/identity/admin/test_users_negative.py b/tempest/api/identity/admin/test_users_negative.py
index ba7af09..e9e7818 100644
--- a/tempest/api/identity/admin/test_users_negative.py
+++ b/tempest/api/identity/admin/test_users_negative.py
@@ -75,7 +75,7 @@
# Request to create a user without a valid token should fail
self.data.setup_test_tenant()
# Get the token of the current client
- token = self.client.get_auth()
+ token = self.client.auth_provider.get_token()
# Delete the token from database
self.client.delete_token(token)
self.assertRaises(exceptions.Unauthorized, self.client.create_user,
@@ -83,7 +83,7 @@
self.data.tenant['id'], self.alt_email)
# Unset the token to allow further tests to generate a new token
- self.client.clear_auth()
+ self.client.auth_provider.clear_auth()
@attr(type=['negative', 'gate'])
def test_create_user_with_enabled_non_bool(self):
@@ -108,14 +108,14 @@
# Request to update a user without a valid token should fail
# Get the token of the current client
- token = self.client.get_auth()
+ token = self.client.auth_provider.get_token()
# Delete the token from database
self.client.delete_token(token)
self.assertRaises(exceptions.Unauthorized, self.client.update_user,
self.alt_user)
# Unset the token to allow further tests to generate a new token
- self.client.clear_auth()
+ self.client.auth_provider.clear_auth()
@attr(type=['negative', 'gate'])
def test_update_user_by_unauthorized_user(self):
@@ -143,14 +143,14 @@
# Request to delete a user without a valid token should fail
# Get the token of the current client
- token = self.client.get_auth()
+ token = self.client.auth_provider.get_token()
# Delete the token from database
self.client.delete_token(token)
self.assertRaises(exceptions.Unauthorized, self.client.delete_user,
self.alt_user)
# Unset the token to allow further tests to generate a new token
- self.client.clear_auth()
+ self.client.auth_provider.clear_auth()
@attr(type=['negative', 'gate'])
def test_authentication_for_disabled_user(self):
@@ -207,10 +207,10 @@
@attr(type=['negative', 'gate'])
def test_get_users_request_without_token(self):
# Request to get list of users without a valid token should fail
- token = self.client.get_auth()
+ token = self.client.auth_provider.auth_data[0]
self.client.delete_token(token)
self.assertRaises(exceptions.Unauthorized, self.client.get_users)
- self.client.clear_auth()
+ self.client.auth_provider.clear_auth()
@attr(type=['negative', 'gate'])
def test_list_users_with_invalid_tenant(self):