Fix tests comparing tokens

There were tests that verified that the PKI token body could be
encrypted with CMS and compared to the token ID in the response.
This test isn't safe because the token body may be different than
the token encrypted with CMS since the order of items in the dict
can change.

The fix is to change the test to decode the PKI token ID and
compare that to the response body JSON instead.

Conflicts:
	keystone/tests/test_v3_auth.py

Change-Id: Icc649b96071ff084d5c76f2ea2bcf3ecb08a0351

keystone/tests/test_v3_auth.py

@@ -128,6 +128,9 @@ class TokenAPITests(object):
     def test_default_fixture_scope_token(self):
         self.assertIsNotNone(self.get_scoped_token())
 
+    def verify_token(self, *args, **kwargs):
+        return cms.verify_token(*args, **kwargs)
+
     def test_v3_token_id(self):
         auth_data = self.build_authentication_request(
             user_id=self.user['id'],
@@ -137,10 +140,13 @@ class TokenAPITests(object):
         token_id = resp.headers.get('X-Subject-Token')
         self.assertIn('expires_at', token_data['token'])
 
-        expected_token_id = cms.cms_sign_token(json.dumps(token_data),
-                                               CONF.signing.certfile,
-                                               CONF.signing.keyfile)
-        self.assertEqual(expected_token_id, token_id)
+        decoded_token = self.verify_token(token_id, CONF.signing.certfile,
+                                          CONF.signing.ca_certs)
+        decoded_token_dict = json.loads(decoded_token)
+
+        token_resp_dict = json.loads(resp.body)
+
+        self.assertEqual(decoded_token_dict, token_resp_dict)
         # should be able to validate hash PKI token as well
         hash_token_id = cms.cms_hash_token(token_id)
         headers = {'X-Subject-Token': hash_token_id}