Keystone_user should not use disabled projects
When testing the password for a keystone_user resource, we need to ensure that the project id used for testing auth is not disabled; a disabled project causes the auth test to fail, and Puppet then thinks the password should be changed. Change-Id: Ic4b17a2c750c3162cc609a9469d7422c2084b977 Closes-Bug: 1814906
parent
58dfc07b3a
commit
c2456fcaa8
|
@ -121,11 +121,17 @@ Puppet::Type.type(:keystone_user).provide(
|
|||
# will know we are doing v3password auth - otherwise, it is not used. The
|
||||
# user_id uniquely identifies the user including domain.
|
||||
credentials.username = resource[:name]
|
||||
|
||||
# Need to specify a project id to get a project scoped token. List
|
||||
# all of the projects for the user, and use the id from the first one.
|
||||
# all of the projects for the user, and use the id for the first one
|
||||
# that is enabled then fallback to domain id only.
|
||||
projects = self.class.request('project', 'list', ['--user', id, '--long'])
|
||||
if projects && projects[0] && projects[0][:id]
|
||||
credentials.project_id = projects[0][:id]
|
||||
first_project = nil
|
||||
if projects && projects.respond_to?(:each)
|
||||
first_project = projects.detect { |p| p && p[:id] && p[:enabled] == 'True' }
|
||||
end
|
||||
if not first_project.nil?
|
||||
credentials.project_id = first_project[:id]
|
||||
else
|
||||
# last chance - try a domain scoped token
|
||||
credentials.domain_id = domain_id
|
||||
|
|
|
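Review bot: The enabled test `p[:enabled] == 'True'` inside the `detect` block matches only the exact string the CLI output apparently carries, so any other rendering of the flag (a real boolean, different casing) selects no project and the code silently falls through to the domain-scoped branch. That would bring back the spurious "password changed" result this commit fixes, with nothing to show why. A tolerant comparison such as `p[:enabled].to_s.downcase == 'true'`, with a comment like `# Enabled is the string column from 'project list --long'`, would make that dependency explicit. As style, `if not first_project.nil?` reads better as `if first_project`, and the guard could be `projects.respond_to?(:detect)` since that is the method actually called. The enclosing method starts and ends outside the hunk.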
@ -0,0 +1,6 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
Fixed a bug where the keystone_user resource would test the password with
|
||||
a disabled project causing it to think the password was changed when it
|
||||
actually wasn't.
|
|
@ -172,6 +172,35 @@ ac43ec53d5a74a0b9f51523ae41a29f0
|
|||
expect(password).to eq('pass_one')
|
||||
end
|
||||
|
||||
it 'checks the password with some projects disabled' do
|
||||
mock_creds = Puppet::Provider::Openstack::CredentialsV3.new
|
||||
mock_creds.auth_url = 'http://127.0.0.1:5000'
|
||||
mock_creds.password = 'pass_one'
|
||||
mock_creds.username = 'user_one'
|
||||
mock_creds.user_id = 'project1_id'
|
||||
mock_creds.project_id = 'project-id-2'
|
||||
Puppet::Provider::Openstack::CredentialsV3.expects(:new).returns(mock_creds)
|
||||
|
||||
described_class.expects(:openstack)
|
||||
.with('project', 'list', '--quiet', '--format', 'csv',
|
||||
['--user', 'user1_id', '--long'])
|
||||
.returns('"ID","Name","Domain ID","Description","Enabled"
|
||||
"project-id-1","domain_one","domain1_id","Domain One",False
|
||||
"project-id-2","domain_one","domain1_id","Domain One",True
|
||||
"project-id-3","domain_one","domain1_id","Domain One",False
|
||||
')
|
||||
Puppet::Provider::Openstack.expects(:openstack)
|
||||
.with('token', 'issue', ['--format', 'value'])
|
||||
.returns('2015-05-14T04:06:05Z
|
||||
e664a386befa4a30878dcef20e79f167
|
||||
8dce2ae9ecd34c199d2877bf319a3d06
|
||||
ac43ec53d5a74a0b9f51523ae41a29f0
|
||||
')
|
||||
provider.expects(:id).times(2).returns('user1_id')
|
||||
password = provider.password
|
||||
expect(password).to eq('pass_one')
|
||||
end
|
||||
|
||||
it 'fails the password check' do
|
||||
described_class.expects(:openstack)
|
||||
.with('project', 'list', '--quiet', '--format', 'csv',
|
||||
|
|
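Review bot: The new example 'checks the password with some projects disabled' would apparently still pass if the provider picked the first, disabled project, because `mock_creds.project_id` is preset to `'project-id-2'` and the only assertion is on the returned password. Leaving `project_id` unset on the mock and adding `expect(mock_creds.project_id).to eq('project-id-2')` after `provider.password` would pin the selection the fix is about. A second example in which every row is `False` would cover the domain-scoped fallback, which this hunk leaves untested. `mock_creds.user_id = 'project1_id'` also looks like a copy-paste slip for a user id.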