Expose idempotency issue with bootstrap

During some upgrade testing I was doing locally, I noticed an issue where `keystone-manage bootstrap` isn't completely idempotent. This is because `bootstrap` has the ability to recover lost admin accounts by reseting the admin user's enabled status and updating their password, regardless of it being different. This creates a revocation event and causes admin tokens to be invalid after bootstrap is run for a second time, making it not as idempotent as we'd like. This commit introduces a test that exposes this behavior. Change-Id: I627255b2b5d6ec401af2c07c4018930fea206e4a Partial-Bug: 1647800
2016-12-08 15:53:51 +00:00 · 2016-12-08 15:53:51 +00:00 · 2dae412940
parent 562b3f8b29
commit 2dae412940
1 changed files with 42 additions and 0 deletions
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@ -24,6 +24,7 @@ from oslotest import mockpatch
 from six.moves import range
 from testtools import matchers

+from keystone.auth import controllers
 from keystone.cmd import cli
 from keystone.cmd.doctor import caching
 from keystone.cmd.doctor import federation
@ -163,7 +164,48 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
        # without erroring.
        bootstrap = cli.BootStrap()
        self._do_test_bootstrap(bootstrap)
+        v3_token_controller = controllers.Auth()
+        v3_password_data = {
+            'identity': {
+                "methods": ["password"],
+                "password": {
+                    "user": {
+                        "name": bootstrap.username,
+                        "password": bootstrap.password,
+                        "domain": {
+                            "id": CONF.identity.default_domain_id
+                        }
+                    }
+                }
+            }
+        }
+        auth_response = v3_token_controller.authenticate_for_token(
+            self.make_request(), v3_password_data)
+        token = auth_response.headers['X-Subject-Token']
        self._do_test_bootstrap(bootstrap)
+        # build validation request
+        request = self.make_request(
+            is_admin=True,
+            headers={
+                'X-Subject-Token': token,
+                'X-Auth-Token': token
+            }
+        )
+        request.context_dict['subject_token_id'] = token
+        # NOTE(lbragstad): This is currently broken because the bootstrap
+        # operation will automatically reset a user's password even if it is
+        # the same as it was before. Bootstrap has this behavior so it's
+        # possible to recover admin accounts, which was one of our main
+        # usecases for introducing the bootstrap functionality. The side-effect
+        # is that changing the password will create a revocation event. So if a
+        # token is obtained in-between two bootstrap calls, the token will no
+        # longer be valid after the second bootstrap operation completes, even
+        # if the password is the same.
+        self.assertRaises(
+            exception.TokenNotFound,
+            v3_token_controller.validate_token,
+            request
+        )

    def test_bootstrap_recovers_user(self):
        bootstrap = cli.BootStrap()