Expose idempotency issue with bootstrap
During some upgrade testing I was doing locally, I noticed an issue where `keystone-manage bootstrap` isn't completely idempotent. This is because `bootstrap` has the ability to recover lost admin accounts by reseting the admin user's enabled status and updating their password, regardless of it being different. This creates a revocation event and causes admin tokens to be invalid after bootstrap is run for a second time, making it not as idempotent as we'd like. This commit introduces a test that exposes this behavior. Change-Id: I627255b2b5d6ec401af2c07c4018930fea206e4a Partial-Bug: 1647800
This commit is contained in:
parent
562b3f8b29
commit
2dae412940
|
@ -24,6 +24,7 @@ from oslotest import mockpatch
|
|||
from six.moves import range
|
||||
from testtools import matchers
|
||||
|
||||
from keystone.auth import controllers
|
||||
from keystone.cmd import cli
|
||||
from keystone.cmd.doctor import caching
|
||||
from keystone.cmd.doctor import federation
|
||||
|
@ -163,7 +164,48 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
|
|||
# without erroring.
|
||||
bootstrap = cli.BootStrap()
|
||||
self._do_test_bootstrap(bootstrap)
|
||||
v3_token_controller = controllers.Auth()
|
||||
v3_password_data = {
|
||||
'identity': {
|
||||
"methods": ["password"],
|
||||
"password": {
|
||||
"user": {
|
||||
"name": bootstrap.username,
|
||||
"password": bootstrap.password,
|
||||
"domain": {
|
||||
"id": CONF.identity.default_domain_id
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
auth_response = v3_token_controller.authenticate_for_token(
|
||||
self.make_request(), v3_password_data)
|
||||
token = auth_response.headers['X-Subject-Token']
|
||||
self._do_test_bootstrap(bootstrap)
|
||||
# build validation request
|
||||
request = self.make_request(
|
||||
is_admin=True,
|
||||
headers={
|
||||
'X-Subject-Token': token,
|
||||
'X-Auth-Token': token
|
||||
}
|
||||
)
|
||||
request.context_dict['subject_token_id'] = token
|
||||
# NOTE(lbragstad): This is currently broken because the bootstrap
|
||||
# operation will automatically reset a user's password even if it is
|
||||
# the same as it was before. Bootstrap has this behavior so it's
|
||||
# possible to recover admin accounts, which was one of our main
|
||||
# usecases for introducing the bootstrap functionality. The side-effect
|
||||
# is that changing the password will create a revocation event. So if a
|
||||
# token is obtained in-between two bootstrap calls, the token will no
|
||||
# longer be valid after the second bootstrap operation completes, even
|
||||
# if the password is the same.
|
||||
self.assertRaises(
|
||||
exception.TokenNotFound,
|
||||
v3_token_controller.validate_token,
|
||||
request
|
||||
)
|
||||
|
||||
def test_bootstrap_recovers_user(self):
|
||||
bootstrap = cli.BootStrap()
|
||||
|
|
Loading…
Reference in New Issue