Gitiles
Code Review Sign In
spfactory.storpool.com / tempest / 8f018cb7c87fd1c17d3e6f62b0e219d53d781b41 / . / tempest / api / identity / admin / v3 / test_tokens.py
blob: 5c3cd2667f70936e576258950101b9facb268dc5 [file] [log] [blame]
ZhiQiang Fan39f97222013-09-20 04:49:44 +0800[diff] [blame]1# Copyright 2012 OpenStack Foundation
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]2# All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License"); you may
5# not use this file except in compliance with the License. You may obtain
6# a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13# License for the specific language governing permissions and limitations
14# under the License.
15
Jordan Pittiere8791202016-04-25 18:12:16 +0200[diff] [blame]16import six
17
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]18from tempest.api.identity import base
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]19from tempest import config
Ken'ichi Ohmichi7bd25752017-03-10 10:45:39 -0800[diff] [blame]20from tempest.lib.common.utils import data_utils
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]21from tempest.lib import decorators
Andrea Frittoli (andreaf)db9672e2016-02-23 14:07:24 -0500[diff] [blame]22from tempest.lib import exceptions as lib_exc
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]23
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]24CONF = config.CONF
25
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]26
Masayuki Igawabe64ed32014-02-19 14:32:03 +0900[diff] [blame]27class TokensV3TestJSON(base.BaseIdentityV3AdminTest):
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]28
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]29 @decorators.idempotent_id('0f9f5a5f-d5cd-4a86-8a5b-c5ded151f212')
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]30 def test_tokens(self):
31 # Valid user's token is authenticated
32 # Create a User
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]33 u_name = data_utils.rand_name('user')
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]34 u_desc = '%s-description' % u_name
Zack Feldsteind8c5f7a2015-12-14 10:44:07 -0600[diff] [blame]35 u_password = data_utils.rand_password()
zhufl75d51a92017-04-11 16:02:39 +0800[diff] [blame]36 user = self.create_test_user(
37 name=u_name, description=u_desc, password=u_password)
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]38 # Perform Authentication
Jamie Lennox97504612015-02-26 16:47:06 +1100[diff] [blame]39 resp = self.token.auth(user_id=user['id'],
40 password=u_password).response
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]41 subject_token = resp['x-subject-token']
Pramod Kumar Singh1e8a0ed2017-06-02 16:21:10 +0530[diff] [blame]42 self.client.check_token_existence(subject_token)
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]43 # Perform GET Token
Ken'ichi Ohmichi402b8752015-11-09 10:47:16 +0000[diff] [blame]44 token_details = self.client.show_token(subject_token)['token']
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]45 self.assertEqual(resp['x-subject-token'], subject_token)
46 self.assertEqual(token_details['user']['id'], user['id'])
47 self.assertEqual(token_details['user']['name'], u_name)
48 # Perform Delete Token
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]49 self.client.delete_token(subject_token)
Pramod Kumar Singh1e8a0ed2017-06-02 16:21:10 +0530[diff] [blame]50 self.assertRaises(lib_exc.NotFound, self.client.check_token_existence,
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]51 subject_token)
52
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]53 @decorators.idempotent_id('565fa210-1da1-4563-999b-f7b5b67cf112')
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]54 def test_rescope_token(self):
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]55 """Rescope a token.
56
57 An unscoped token can be requested, that token can be used to request a
58 scoped token. The scoped token can be revoked, and the original token
59 used to get a token in a different project.
60
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]61 """
62
63 # Create a user.
Zack Feldsteind8c5f7a2015-12-14 10:44:07 -0600[diff] [blame]64 user_password = data_utils.rand_password()
zhufl75d51a92017-04-11 16:02:39 +0800[diff] [blame]65 user = self.create_test_user(password=user_password)
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]66
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]67 # Create a couple projects
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]68 project1_name = data_utils.rand_name(name='project')
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]69 project1 = self.setup_test_project(name=project1_name)
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]70
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]71 project2_name = data_utils.rand_name(name='project')
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]72 project2 = self.setup_test_project(name=project2_name)
Yaroslav Lobankov47a93ab2016-02-07 16:32:49 -0600[diff] [blame]73 self.addCleanup(self.projects_client.delete_project, project2['id'])
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]74
75 # Create a role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]76 role = self.setup_test_role()
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]77
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]78 # Grant the user the role on both projects.
ghanshyam2e6fb562016-09-06 11:14:31 +0900[diff] [blame]79 self.roles_client.create_user_role_on_project(project1['id'],
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]80 user['id'],
81 role['id'])
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]82
ghanshyam2e6fb562016-09-06 11:14:31 +0900[diff] [blame]83 self.roles_client.create_user_role_on_project(project2['id'],
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]84 user['id'],
85 role['id'])
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]86
87 # Get an unscoped token.
Jamie Lennox97504612015-02-26 16:47:06 +1100[diff] [blame]88 token_auth = self.token.auth(user_id=user['id'],
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]89 password=user_password)
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]90
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]91 token_id = token_auth.response['x-subject-token']
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]92 orig_expires_at = token_auth['token']['expires_at']
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]93 orig_user = token_auth['token']['user']
94
Jordan Pittiere8791202016-04-25 18:12:16 +0200[diff] [blame]95 self.assertIsInstance(token_auth['token']['expires_at'], six.text_type)
96 self.assertIsInstance(token_auth['token']['issued_at'], six.text_type)
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]97 self.assertEqual(['password'], token_auth['token']['methods'])
98 self.assertEqual(user['id'], token_auth['token']['user']['id'])
99 self.assertEqual(user['name'], token_auth['token']['user']['name'])
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]100 self.assertEqual(CONF.identity.default_domain_id,
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]101 token_auth['token']['user']['domain']['id'])
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]102 self.assertIsNotNone(token_auth['token']['user']['domain']['name'])
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]103 self.assertNotIn('catalog', token_auth['token'])
104 self.assertNotIn('project', token_auth['token'])
105 self.assertNotIn('roles', token_auth['token'])
106
107 # Use the unscoped token to get a scoped token.
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]108 token_auth = self.token.auth(
109 token=token_id,
110 project_name=project1_name,
111 project_domain_id=CONF.identity.default_domain_id)
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]112 token1_id = token_auth.response['x-subject-token']
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]113
114 self.assertEqual(orig_expires_at, token_auth['token']['expires_at'],
115 'Expiration time should match original token')
Jordan Pittiere8791202016-04-25 18:12:16 +0200[diff] [blame]116 self.assertIsInstance(token_auth['token']['issued_at'], six.text_type)
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]117 self.assertEqual(set(['password', 'token']),
118 set(token_auth['token']['methods']))
119 self.assertEqual(orig_user, token_auth['token']['user'],
120 'User should match original token')
121 self.assertIsInstance(token_auth['token']['catalog'], list)
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]122 self.assertEqual(project1['id'],
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]123 token_auth['token']['project']['id'])
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]124 self.assertEqual(project1['name'],
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]125 token_auth['token']['project']['name'])
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]126 self.assertEqual(CONF.identity.default_domain_id,
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]127 token_auth['token']['project']['domain']['id'])
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]128 self.assertIsNotNone(token_auth['token']['project']['domain']['name'])
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]129 self.assertEqual(1, len(token_auth['token']['roles']))
130 self.assertEqual(role['id'], token_auth['token']['roles'][0]['id'])
131 self.assertEqual(role['name'], token_auth['token']['roles'][0]['name'])
132
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]133 # Revoke the unscoped token.
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]134 self.client.delete_token(token1_id)
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]135
136 # Now get another scoped token using the unscoped token.
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]137 token_auth = self.token.auth(
138 token=token_id,
139 project_name=project2_name,
140 project_domain_id=CONF.identity.default_domain_id)
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]141
142 self.assertEqual(project2['id'],
143 token_auth['token']['project']['id'])
144 self.assertEqual(project2['name'],
145 token_auth['token']['project']['name'])
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]146
147 @decorators.idempotent_id('08ed85ce-2ba8-4864-b442-bcc61f16ae89')
148 def test_get_available_project_scopes(self):
jeremy.zhang0343be52017-05-25 21:29:57 +0800[diff] [blame]149 manager_project_id = self.os_primary.credentials.project_id
Jordan Pittier8160d312017-04-18 11:52:23 +0200[diff] [blame]150 admin_user_id = self.os_admin.credentials.user_id
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]151 admin_role_id = self.get_role_by_name(CONF.identity.admin_role)['id']
152
153 # Grant the user the role on both projects.
154 self.roles_client.create_user_role_on_project(
155 manager_project_id, admin_user_id, admin_role_id)
156 self.addCleanup(
157 self.roles_client.delete_role_from_user_on_project,
158 manager_project_id, admin_user_id, admin_role_id)
159
Jordan Pittier8160d312017-04-18 11:52:23 +0200[diff] [blame]160 assigned_project_ids = [self.os_admin.credentials.project_id,
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]161 manager_project_id]
162
163 # Get available project scopes
164 available_projects =\
165 self.client.list_auth_projects()['projects']
166
167 # create list to save fetched project's id
168 fetched_project_ids = [i['id'] for i in available_projects]
169
170 # verifying the project ids in list
171 missing_project_ids = \
172 [p for p in assigned_project_ids
173 if p not in fetched_project_ids]
174 self.assertEmpty(missing_project_ids,
175 "Failed to find project_id %s in fetched list" %
176 ', '.join(missing_project_ids))