Gitiles
Code Review Sign In
spfactory.storpool.com / tempest / acf0051a8ab20c7d71a6eb2824a48ea2b8946a39 / . / tempest / api / identity / admin / v3 / test_trusts.py
blob: 1ac34eb5c6660ab9e3cc183ac628d6f2d011cd74 [file] [log] [blame]
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]1# Licensed under the Apache License, Version 2.0 (the "License"); you may
2# not use this file except in compliance with the License. You may obtain
3# a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10# License for the specific language governing permissions and limitations
11# under the License.
12
Steven Hardyc234ada2013-12-10 17:00:41 +0000[diff] [blame]13import datetime
14import re
Matthew Treinish96e9e882014-06-09 18:37:19 -0400[diff] [blame]15
Doug Hellmann583ce2c2015-03-11 14:55:46 +0000[diff] [blame]16from oslo_utils import timeutils
Masayuki Igawabfa07602015-01-20 18:47:17 +0900[diff] [blame]17from tempest_lib import exceptions as lib_exc
18
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]19from tempest.api.identity import base
20from tempest import clients
Andrea Frittoli878d5ab2015-01-30 13:22:50 +0000[diff] [blame]21from tempest.common import cred_provider
Fei Long Wangd39431f2015-05-14 11:30:48 +1200[diff] [blame]22from tempest.common.utils import data_utils
Matthew Treinishd5021a72014-01-09 18:42:51 +0000[diff] [blame]23from tempest import config
Masayuki Igawaba7bcf62014-02-17 14:56:41 +0900[diff] [blame]24from tempest import test
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]25
Matthew Treinishd5021a72014-01-09 18:42:51 +0000[diff] [blame]26CONF = config.CONF
27
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]28
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]29class BaseTrustsV3Test(base.BaseIdentityV3AdminTest):
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]30
31 def setUp(self):
32 super(BaseTrustsV3Test, self).setUp()
33 # Use alt_username as the trustee
Matthew Treinishd5021a72014-01-09 18:42:51 +0000[diff] [blame]34 if not CONF.identity_feature_enabled.trust:
35 raise self.skipException("Trusts aren't enabled")
36
Matthew Treinish5ba84e32014-01-29 16:52:57 +0000[diff] [blame]37 self.trustee_username = CONF.identity.alt_username
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]38 self.trust_id = None
Steven Hardy776f4572013-12-23 21:42:48 +0000[diff] [blame]39
40 def tearDown(self):
41 if self.trust_id:
42 # Do the delete in tearDown not addCleanup - we want the test to
43 # fail in the event there is a bug which causes undeletable trusts
44 self.delete_trust()
45 super(BaseTrustsV3Test, self).tearDown()
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]46
47 def create_trustor_and_roles(self):
Jamie Lennoxf8507b42015-02-23 06:17:57 +0000[diff] [blame]48 # create a project that trusts will be granted on
Ken'ichi Ohmichi80369a92015-04-06 23:41:14 +0000[diff] [blame]49 self.trustor_project_name = data_utils.rand_name(name='project')
Jamie Lennoxf8507b42015-02-23 06:17:57 +0000[diff] [blame]50 project = self.client.create_project(self.trustor_project_name,
51 domain_id='default')
52 self.trustor_project_id = project['id']
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]53 self.assertIsNotNone(self.trustor_project_id)
54
55 # Create a trustor User
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]56 self.trustor_username = data_utils.rand_name('user')
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]57 u_desc = self.trustor_username + 'description'
Steven Hardy68f95282014-01-10 17:40:31 +0000[diff] [blame]58 u_email = self.trustor_username + '@testmail.xx'
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]59 self.trustor_password = data_utils.rand_name('pass')
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]60 user = self.client.create_user(
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]61 self.trustor_username,
62 description=u_desc,
63 password=self.trustor_password,
64 email=u_email,
Jamie Lennoxf8507b42015-02-23 06:17:57 +0000[diff] [blame]65 project_id=self.trustor_project_id,
66 domain_id='default')
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]67 self.trustor_user_id = user['id']
68
69 # And two roles, one we'll delegate and one we won't
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]70 self.delegated_role = data_utils.rand_name('DelegatedRole')
71 self.not_delegated_role = data_utils.rand_name('NotDelegatedRole')
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]72
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]73 role = self.client.create_role(self.delegated_role)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]74 self.delegated_role_id = role['id']
75
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]76 role = self.client.create_role(self.not_delegated_role)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]77 self.not_delegated_role_id = role['id']
78
79 # Assign roles to trustor
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]80 self.client.assign_user_role(self.trustor_project_id,
81 self.trustor_user_id,
82 self.delegated_role_id)
83 self.client.assign_user_role(self.trustor_project_id,
84 self.trustor_user_id,
85 self.not_delegated_role_id)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]86
87 # Get trustee user ID, use the demo user
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]88 trustee_username = self.non_admin_client.user
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]89 self.trustee_user_id = self.get_user_by_name(trustee_username)['id']
90 self.assertIsNotNone(self.trustee_user_id)
91
92 # Initialize a new client with the trustor credentials
Andrea Frittoli878d5ab2015-01-30 13:22:50 +0000[diff] [blame]93 creds = cred_provider.get_credentials(
Jamie Lennoxf8507b42015-02-23 06:17:57 +0000[diff] [blame]94 identity_version='v3',
Andrea Frittoli422fbdf2014-03-20 10:05:18 +0000[diff] [blame]95 username=self.trustor_username,
96 password=self.trustor_password,
Jamie Lennoxf8507b42015-02-23 06:17:57 +0000[diff] [blame]97 user_domain_id='default',
98 tenant_name=self.trustor_project_name,
99 project_domain_id='default')
Andrea Frittolic0978352015-02-06 15:57:40 +0000[diff] [blame]100 os = clients.Manager(credentials=creds)
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]101 self.trustor_client = os.identity_v3_client
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]102
Steven Hardy776f4572013-12-23 21:42:48 +0000[diff] [blame]103 def cleanup_user_and_roles(self):
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]104 if self.trustor_user_id:
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]105 self.client.delete_user(self.trustor_user_id)
Jamie Lennoxf8507b42015-02-23 06:17:57 +0000[diff] [blame]106 if self.trustor_project_id:
107 self.client.delete_project(self.trustor_project_id)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]108 if self.delegated_role_id:
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]109 self.client.delete_role(self.delegated_role_id)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]110 if self.not_delegated_role_id:
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]111 self.client.delete_role(self.not_delegated_role_id)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]112
113 def create_trust(self, impersonate=True, expires=None):
114
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]115 trust_create = self.trustor_client.create_trust(
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]116 trustor_user_id=self.trustor_user_id,
117 trustee_user_id=self.trustee_user_id,
118 project_id=self.trustor_project_id,
119 role_names=[self.delegated_role],
120 impersonation=impersonate,
121 expires_at=expires)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]122 self.trust_id = trust_create['id']
123 return trust_create
124
125 def validate_trust(self, trust, impersonate=True, expires=None,
126 summary=False):
127 self.assertIsNotNone(trust['id'])
128 self.assertEqual(impersonate, trust['impersonation'])
Steven Hardyc234ada2013-12-10 17:00:41 +0000[diff] [blame]129 if expires is not None:
Yaroslav Lobankov8801baa2015-02-25 11:23:36 +0300[diff] [blame]130 # Omit microseconds component of the expiry time
Yaroslav Lobankov94340b52015-02-17 22:15:37 +0300[diff] [blame]131 trust_expires_at = re.sub(r'\.([0-9]){6}', '', trust['expires_at'])
132 self.assertEqual(expires, trust_expires_at)
Steven Hardyc234ada2013-12-10 17:00:41 +0000[diff] [blame]133 else:
134 self.assertIsNone(trust['expires_at'])
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]135 self.assertEqual(self.trustor_user_id, trust['trustor_user_id'])
136 self.assertEqual(self.trustee_user_id, trust['trustee_user_id'])
137 self.assertIn('v3/OS-TRUST/trusts', trust['links']['self'])
138 self.assertEqual(self.trustor_project_id, trust['project_id'])
139 if not summary:
140 self.assertEqual(self.delegated_role, trust['roles'][0]['name'])
141 self.assertEqual(1, len(trust['roles']))
142
143 def get_trust(self):
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]144 trust_get = self.trustor_client.get_trust(self.trust_id)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]145 return trust_get
146
147 def validate_role(self, role):
148 self.assertEqual(self.delegated_role_id, role['id'])
149 self.assertEqual(self.delegated_role, role['name'])
150 self.assertIn('v3/roles/%s' % self.delegated_role_id,
151 role['links']['self'])
152 self.assertNotEqual(self.not_delegated_role_id, role['id'])
153 self.assertNotEqual(self.not_delegated_role, role['name'])
154 self.assertNotIn('v3/roles/%s' % self.not_delegated_role_id,
155 role['links']['self'])
156
157 def check_trust_roles(self):
158 # Check we find the delegated role
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]159 roles_get = self.trustor_client.get_trust_roles(
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]160 self.trust_id)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]161 self.assertEqual(1, len(roles_get))
162 self.validate_role(roles_get[0])
163
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]164 role_get = self.trustor_client.get_trust_role(
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]165 self.trust_id, self.delegated_role_id)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]166 self.validate_role(role_get)
167
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]168 role_get = self.trustor_client.check_trust_role(
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]169 self.trust_id, self.delegated_role_id)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]170
171 # And that we don't find not_delegated_role
Masayuki Igawabfa07602015-01-20 18:47:17 +0900[diff] [blame]172 self.assertRaises(lib_exc.NotFound,
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]173 self.trustor_client.get_trust_role,
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]174 self.trust_id,
175 self.not_delegated_role_id)
176
Masayuki Igawabfa07602015-01-20 18:47:17 +0900[diff] [blame]177 self.assertRaises(lib_exc.NotFound,
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]178 self.trustor_client.check_trust_role,
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]179 self.trust_id,
180 self.not_delegated_role_id)
181
182 def delete_trust(self):
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]183 self.trustor_client.delete_trust(self.trust_id)
Masayuki Igawabfa07602015-01-20 18:47:17 +0900[diff] [blame]184 self.assertRaises(lib_exc.NotFound,
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]185 self.trustor_client.get_trust,
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]186 self.trust_id)
187 self.trust_id = None
188
189
190class TrustsV3TestJSON(BaseTrustsV3Test):
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]191
192 def setUp(self):
193 super(TrustsV3TestJSON, self).setUp()
194 self.create_trustor_and_roles()
Steven Hardy68f95282014-01-10 17:40:31 +0000[diff] [blame]195 self.addCleanup(self.cleanup_user_and_roles)
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]196
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]197 @test.idempotent_id('5a0a91a4-baef-4a14-baba-59bf4d7fcace')
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]198 def test_trust_impersonate(self):
199 # Test case to check we can create, get and delete a trust
200 # updates are not supported for trusts
201 trust = self.create_trust()
202 self.validate_trust(trust)
203
204 trust_get = self.get_trust()
205 self.validate_trust(trust_get)
206
207 self.check_trust_roles()
208
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]209 @test.idempotent_id('ed2a8779-a7ac-49dc-afd7-30f32f936ed2')
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]210 def test_trust_noimpersonate(self):
211 # Test case to check we can create, get and delete a trust
212 # with impersonation=False
213 trust = self.create_trust(impersonate=False)
214 self.validate_trust(trust, impersonate=False)
215
216 trust_get = self.get_trust()
217 self.validate_trust(trust_get, impersonate=False)
218
219 self.check_trust_roles()
220
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]221 @test.idempotent_id('0ed14b66-cefd-4b5c-a964-65759453e292')
Steven Hardyc234ada2013-12-10 17:00:41 +0000[diff] [blame]222 def test_trust_expire(self):
223 # Test case to check we can create, get and delete a trust
224 # with an expiry specified
225 expires_at = timeutils.utcnow() + datetime.timedelta(hours=1)
Yaroslav Lobankov94340b52015-02-17 22:15:37 +0300[diff] [blame]226 # NOTE(ylobankov) In some cases the expiry time may be rounded up
Yaroslav Lobankov8801baa2015-02-25 11:23:36 +0300[diff] [blame]227 # because of microseconds. In fact, it depends on database and its
228 # version. At least MySQL 5.6.16 does this.
229 # For example, when creating a trust, we will set the expiry time of
230 # the trust to 2015-02-17T17:34:01.907051Z. However, if we make a GET
231 # request on the trust, the response will contain the time rounded up
232 # to 2015-02-17T17:34:02.000000Z. That is why we shouldn't set flag
233 # "subsecond" to True when we invoke timeutils.isotime(...) to avoid
234 # problems with rounding.
Yaroslav Lobankov94340b52015-02-17 22:15:37 +0300[diff] [blame]235 expires_str = timeutils.isotime(at=expires_at)
Steven Hardyc234ada2013-12-10 17:00:41 +0000[diff] [blame]236
237 trust = self.create_trust(expires=expires_str)
238 self.validate_trust(trust, expires=expires_str)
239
240 trust_get = self.get_trust()
241
242 self.validate_trust(trust_get, expires=expires_str)
243
244 self.check_trust_roles()
245
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]246 @test.idempotent_id('3e48f95d-e660-4fa9-85e0-5a3d85594384')
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]247 def test_trust_expire_invalid(self):
248 # Test case to check we can check an invlaid expiry time
249 # is rejected with the correct error
250 # with an expiry specified
251 expires_str = 'bad.123Z'
Masayuki Igawa4b29e472015-02-16 10:41:54 +0900[diff] [blame]252 self.assertRaises(lib_exc.BadRequest,
Steven Hardybf70c5c2013-10-30 21:55:16 +0000[diff] [blame]253 self.create_trust,
254 expires=expires_str)
Steven Hardyf31fd2d2013-12-10 17:02:36 +0000[diff] [blame]255
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]256 @test.idempotent_id('6268b345-87ca-47c0-9ce3-37792b43403a')
Steven Hardyf31fd2d2013-12-10 17:02:36 +0000[diff] [blame]257 def test_get_trusts_query(self):
258 self.create_trust()
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]259 trusts_get = self.trustor_client.get_trusts(
Steven Hardyf31fd2d2013-12-10 17:02:36 +0000[diff] [blame]260 trustor_user_id=self.trustor_user_id)
Steven Hardyf31fd2d2013-12-10 17:02:36 +0000[diff] [blame]261 self.assertEqual(1, len(trusts_get))
262 self.validate_trust(trusts_get[0], summary=True)
263
Masayuki Igawaba7bcf62014-02-17 14:56:41 +0900[diff] [blame]264 @test.attr(type='smoke')
Chris Hoge7579c1a2015-02-26 14:12:15 -0800[diff] [blame]265 @test.idempotent_id('4773ebd5-ecbf-4255-b8d8-b63e6f72b65d')
Steven Hardyf31fd2d2013-12-10 17:02:36 +0000[diff] [blame]266 def test_get_trusts_all(self):
267 self.create_trust()
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]268 trusts_get = self.client.get_trusts()
Steven Hardyf31fd2d2013-12-10 17:02:36 +0000[diff] [blame]269 trusts = [t for t in trusts_get
270 if t['id'] == self.trust_id]
271 self.assertEqual(1, len(trusts))
272 self.validate_trust(trusts[0], summary=True)