Gitiles
Code Review Sign In
spfactory.storpool.com / tempest / b18d7dda308d5558f097a72c8fe5e5bc3ea07531 / . / tempest / api / identity / admin / v3 / test_tokens.py
blob: f3a747141bd3853fc7cd5c27919e1fa63cbbdd0b [file] [log] [blame]
ZhiQiang Fan39f97222013-09-20 04:49:44 +0800[diff] [blame]1# Copyright 2012 OpenStack Foundation
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]2# All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License"); you may
5# not use this file except in compliance with the License. You may obtain
6# a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13# License for the specific language governing permissions and limitations
14# under the License.
15
Jordan Pittiere8791202016-04-25 18:12:16 +0200[diff] [blame]16import six
17
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]18from tempest.api.identity import base
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]19from tempest import config
Ken'ichi Ohmichi7bd25752017-03-10 10:45:39 -0800[diff] [blame]20from tempest.lib.common.utils import data_utils
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]21from tempest.lib import decorators
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]22
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]23CONF = config.CONF
24
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]25
Masayuki Igawabe64ed32014-02-19 14:32:03 +0900[diff] [blame]26class TokensV3TestJSON(base.BaseIdentityV3AdminTest):
zhufla7635d72020-04-29 14:36:41 +0800[diff] [blame]27 """Test tokens"""
nayna-patelb35f7232013-06-28 07:08:44 +0000[diff] [blame]28
Felipe Monteiro60ebc5d2017-07-12 04:13:37 +0100[diff] [blame]29 credentials = ['primary', 'admin', 'alt']
30
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]31 @decorators.idempotent_id('565fa210-1da1-4563-999b-f7b5b67cf112')
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]32 def test_rescope_token(self):
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]33 """Rescope a token.
34
35 An unscoped token can be requested, that token can be used to request a
36 scoped token. The scoped token can be revoked, and the original token
37 used to get a token in a different project.
38
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]39 """
40
41 # Create a user.
Zack Feldsteind8c5f7a2015-12-14 10:44:07 -0600[diff] [blame]42 user_password = data_utils.rand_password()
zhufl75d51a92017-04-11 16:02:39 +0800[diff] [blame]43 user = self.create_test_user(password=user_password)
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]44
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]45 # Create a couple projects
nicolas9e0ac6c2019-01-15 13:54:01 -0800[diff] [blame]46 project1_name = data_utils.rand_name(name=self.__class__.__name__)
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]47 project1 = self.setup_test_project(name=project1_name)
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]48
nicolas9e0ac6c2019-01-15 13:54:01 -0800[diff] [blame]49 project2_name = data_utils.rand_name(name=self.__class__.__name__)
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]50 project2 = self.setup_test_project(name=project2_name)
Yaroslav Lobankov47a93ab2016-02-07 16:32:49 -0600[diff] [blame]51 self.addCleanup(self.projects_client.delete_project, project2['id'])
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]52
53 # Create a role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]54 role = self.setup_test_role()
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]55
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]56 # Grant the user the role on both projects.
ghanshyam2e6fb562016-09-06 11:14:31 +0900[diff] [blame]57 self.roles_client.create_user_role_on_project(project1['id'],
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]58 user['id'],
59 role['id'])
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]60
ghanshyam2e6fb562016-09-06 11:14:31 +0900[diff] [blame]61 self.roles_client.create_user_role_on_project(project2['id'],
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]62 user['id'],
63 role['id'])
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]64
65 # Get an unscoped token.
Jamie Lennox97504612015-02-26 16:47:06 +1100[diff] [blame]66 token_auth = self.token.auth(user_id=user['id'],
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]67 password=user_password)
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]68
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]69 token_id = token_auth.response['x-subject-token']
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]70 orig_expires_at = token_auth['token']['expires_at']
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]71 orig_user = token_auth['token']['user']
72
Jordan Pittiere8791202016-04-25 18:12:16 +0200[diff] [blame]73 self.assertIsInstance(token_auth['token']['expires_at'], six.text_type)
74 self.assertIsInstance(token_auth['token']['issued_at'], six.text_type)
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]75 self.assertEqual(['password'], token_auth['token']['methods'])
76 self.assertEqual(user['id'], token_auth['token']['user']['id'])
77 self.assertEqual(user['name'], token_auth['token']['user']['name'])
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]78 self.assertEqual(CONF.identity.default_domain_id,
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]79 token_auth['token']['user']['domain']['id'])
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]80 self.assertIsNotNone(token_auth['token']['user']['domain']['name'])
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]81 self.assertNotIn('catalog', token_auth['token'])
82 self.assertNotIn('project', token_auth['token'])
83 self.assertNotIn('roles', token_auth['token'])
84
85 # Use the unscoped token to get a scoped token.
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]86 token_auth = self.token.auth(
87 token=token_id,
88 project_name=project1_name,
89 project_domain_id=CONF.identity.default_domain_id)
David Kranzd8ccb792014-12-29 11:32:05 -0500[diff] [blame]90 token1_id = token_auth.response['x-subject-token']
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]91
92 self.assertEqual(orig_expires_at, token_auth['token']['expires_at'],
93 'Expiration time should match original token')
Jordan Pittiere8791202016-04-25 18:12:16 +0200[diff] [blame]94 self.assertIsInstance(token_auth['token']['issued_at'], six.text_type)
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]95 self.assertEqual(set(['password', 'token']),
96 set(token_auth['token']['methods']))
97 self.assertEqual(orig_user, token_auth['token']['user'],
98 'User should match original token')
99 self.assertIsInstance(token_auth['token']['catalog'], list)
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]100 self.assertEqual(project1['id'],
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]101 token_auth['token']['project']['id'])
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]102 self.assertEqual(project1['name'],
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]103 token_auth['token']['project']['name'])
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]104 self.assertEqual(CONF.identity.default_domain_id,
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]105 token_auth['token']['project']['domain']['id'])
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]106 self.assertIsNotNone(token_auth['token']['project']['domain']['name'])
Brant Knudsonc5553292014-03-15 11:06:05 -0500[diff] [blame]107 self.assertEqual(1, len(token_auth['token']['roles']))
108 self.assertEqual(role['id'], token_auth['token']['roles'][0]['id'])
109 self.assertEqual(role['name'], token_auth['token']['roles'][0]['name'])
110
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]111 # Revoke the unscoped token.
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]112 self.client.delete_token(token1_id)
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]113
114 # Now get another scoped token using the unscoped token.
gongxiao5092b812017-04-14 08:50:32 +0800[diff] [blame]115 token_auth = self.token.auth(
116 token=token_id,
117 project_name=project2_name,
118 project_domain_id=CONF.identity.default_domain_id)
Brant Knudson5ee44a42014-03-16 10:55:21 -0500[diff] [blame]119
120 self.assertEqual(project2['id'],
121 token_auth['token']['project']['id'])
122 self.assertEqual(project2['name'],
123 token_auth['token']['project']['name'])
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]124
125 @decorators.idempotent_id('08ed85ce-2ba8-4864-b442-bcc61f16ae89')
126 def test_get_available_project_scopes(self):
zhufla7635d72020-04-29 14:36:41 +0800[diff] [blame]127 """Test getting available project scopes"""
jeremy.zhang0343be52017-05-25 21:29:57 +0800[diff] [blame]128 manager_project_id = self.os_primary.credentials.project_id
Jordan Pittier8160d312017-04-18 11:52:23 +0200[diff] [blame]129 admin_user_id = self.os_admin.credentials.user_id
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]130 admin_role_id = self.get_role_by_name(CONF.identity.admin_role)['id']
131
132 # Grant the user the role on both projects.
133 self.roles_client.create_user_role_on_project(
134 manager_project_id, admin_user_id, admin_role_id)
135 self.addCleanup(
136 self.roles_client.delete_role_from_user_on_project,
137 manager_project_id, admin_user_id, admin_role_id)
138
Jordan Pittier8160d312017-04-18 11:52:23 +0200[diff] [blame]139 assigned_project_ids = [self.os_admin.credentials.project_id,
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]140 manager_project_id]
141
142 # Get available project scopes
zhufl0a1f6c42017-09-08 09:12:05 +0800[diff] [blame]143 available_projects = self.client.list_auth_projects()['projects']
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]144
Felipe Monteiro60ebc5d2017-07-12 04:13:37 +0100[diff] [blame]145 # Create list to save fetched project IDs
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]146 fetched_project_ids = [i['id'] for i in available_projects]
147
148 # verifying the project ids in list
149 missing_project_ids = \
zhufl0a1f6c42017-09-08 09:12:05 +0800[diff] [blame]150 [p for p in assigned_project_ids if p not in fetched_project_ids]
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]151 self.assertEmpty(missing_project_ids,
Felipe Monteiro60ebc5d2017-07-12 04:13:37 +0100[diff] [blame]152 "Failed to find project_ids %s in fetched list" %
ZhangHongtao74e1df52017-03-13 18:32:43 +0800[diff] [blame]153 ', '.join(missing_project_ids))
Felipe Monteiro60ebc5d2017-07-12 04:13:37 +0100[diff] [blame]154
155 @decorators.idempotent_id('ec5ecb05-af64-4c04-ac86-4d9f6f12f185')
156 def test_get_available_domain_scopes(self):
zhufla7635d72020-04-29 14:36:41 +0800[diff] [blame]157 """Test getting available domain scopes
158
159 To verify that listing domain scopes for a user works if
160 the user has a domain role or belongs to a group that has a domain
161 role. For this test, admin client is used to add roles to alt user,
162 which performs API calls, to avoid 401 Unauthorized errors.
163 """
Felipe Monteiro60ebc5d2017-07-12 04:13:37 +0100[diff] [blame]164 alt_user_id = self.os_alt.credentials.user_id
165
166 def _create_user_domain_role_for_alt_user():
167 domain_id = self.setup_test_domain()['id']
168 role_id = self.setup_test_role()['id']
169
170 # Create a role association between the user and domain.
171 self.roles_client.create_user_role_on_domain(
172 domain_id, alt_user_id, role_id)
173 self.addCleanup(
174 self.roles_client.delete_role_from_user_on_domain,
175 domain_id, alt_user_id, role_id)
176
177 return domain_id
178
179 def _create_group_domain_role_for_alt_user():
180 domain_id = self.setup_test_domain()['id']
181 role_id = self.setup_test_role()['id']
182
183 # Create a group.
Felipe Monteirod4415072018-07-03 14:09:02 -0400[diff] [blame]184 group_id = self.setup_test_group(domain_id=domain_id)['id']
Felipe Monteiro60ebc5d2017-07-12 04:13:37 +0100[diff] [blame]185
186 # Add the alt user to the group.
187 self.groups_client.add_group_user(group_id, alt_user_id)
188 self.addCleanup(self.groups_client.delete_group_user,
189 group_id, alt_user_id)
190
191 # Create a role association between the group and domain.
192 self.roles_client.create_group_role_on_domain(
193 domain_id, group_id, role_id)
194 self.addCleanup(
195 self.roles_client.delete_role_from_group_on_domain,
196 domain_id, group_id, role_id)
197
198 return domain_id
199
200 # Add the alt user to 2 random domains and 2 random groups
201 # with randomized domains and roles.
202 assigned_domain_ids = []
203 for _ in range(2):
204 domain_id = _create_user_domain_role_for_alt_user()
205 assigned_domain_ids.append(domain_id)
206 domain_id = _create_group_domain_role_for_alt_user()
207 assigned_domain_ids.append(domain_id)
208
209 # Get available domain scopes for the alt user.
210 available_domains = self.os_alt.identity_v3_client.list_auth_domains()[
211 'domains']
212 fetched_domain_ids = [i['id'] for i in available_domains]
213
214 # Verify the expected domain IDs are in the list.
215 missing_domain_ids = \
216 [p for p in assigned_domain_ids if p not in fetched_domain_ids]
217 self.assertEmpty(missing_domain_ids,
218 "Failed to find domain_ids %s in fetched list"
219 % ", ".join(missing_domain_ids))