openstack
/
keystone
Code Issues Proposed changes

Rename RestfulTestCase.v3_authenticate_token() to v3_create_token() 

The name of this method has plagued me for years, so I figured I would
finally propose a fix. The reason v3_authenticate_token() is a terrible
name is that it implies that a token is being authenticated (in other
words: validated). As it turns out, we have another operation that
validates tokens, and this isn't it.

By renaming the method to v3_create_token() there is absolutely no
confusion about the intended outcome. This also more closely reflects
how we colloquially refer to operation.

v3_authenticate() might have also have been an improvement, but could
lead to the same confusion we have today (whether or not the user is
authenticating with keystone or whether a service is authenticating a
token).

Change-Id: I2bfebf1b48de07e81eadc2782d4e975b920f2a6a
This commit is contained in:
Dolph Mathews 2015-10-02 13:48:32 +00:00
parent 4860d0aa38
commit 0dbedfa532
6 changed files with 204 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
keystone/tests/unit/test_v3.py
View File

@ -408,10 +408,10 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
def get_requested_token(self, auth): def get_requested_token(self, auth):
"""Request the specific token we want.""" """Request the specific token we want."""
r = self.v3_authenticate_token(auth) r = self.v3_create_token(auth)
return r.headers.get('X-Subject-Token') return r.headers.get('X-Subject-Token')
def v3_authenticate_token(self, auth, expected_status=http_client.CREATED): def v3_create_token(self, auth, expected_status=http_client.CREATED):
return self.admin_request(method='POST', return self.admin_request(method='POST',
path='/v3/auth/tokens', path='/v3/auth/tokens',
body=auth, body=auth,

122
keystone/tests/unit/test_v3_assignment.py
View File

@ -142,7 +142,7 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
user_id=self.user2['id'], user_id=self.user2['id'],
password=self.user2['password'], password=self.user2['password'],
project_id=self.project2['id']) project_id=self.project2['id'])
self.v3_authenticate_token(auth_data) self.v3_create_token(auth_data)
# Now disable the domain # Now disable the domain
self.domain2['enabled'] = False self.domain2['enabled'] = False
@ -171,16 +171,16 @@ class AssignmentTestCase(test_v3.RestfulTestCase,
user_id=self.user2['id'], user_id=self.user2['id'],
password=self.user2['password'], password=self.user2['password'],
project_id=self.project2['id']) project_id=self.project2['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
username=self.user2['name'], username=self.user2['name'],
user_domain_id=self.domain2['id'], user_domain_id=self.domain2['id'],
password=self.user2['password'], password=self.user2['password'],
project_id=self.project2['id']) project_id=self.project2['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_delete_enabled_domain_fails(self): def test_delete_enabled_domain_fails(self):
"""Call ``DELETE /domains/{domain_id}`` (when domain enabled).""" """Call ``DELETE /domains/{domain_id}`` (when domain enabled)."""
@ -2203,10 +2203,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
project_id=self.project_id) project_id=self.project_id)
# Check the user cannot get a domain nor a project token # Check the user cannot get a domain nor a project token
self.v3_authenticate_token(domain_auth_data, self.v3_create_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# Grant non-inherited role for user on domain # Grant non-inherited role for user on domain
non_inher_ud_link = self.build_role_assignment_link( non_inher_ud_link = self.build_role_assignment_link(
@ -2214,9 +2214,9 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(non_inher_ud_link) self.put(non_inher_ud_link)
# Check the user can get only a domain token # Check the user can get only a domain token
self.v3_authenticate_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# Create inherited role # Create inherited role
inherited_role = {'id': uuid.uuid4().hex, 'name': 'inherited'} inherited_role = {'id': uuid.uuid4().hex, 'name': 'inherited'}
@ -2229,23 +2229,23 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(inher_ud_link) self.put(inher_ud_link)
# Check the user can get both a domain and a project token # Check the user can get both a domain and a project token
self.v3_authenticate_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data) self.v3_create_token(project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_ud_link) self.delete(inher_ud_link)
# Check the user can only get a domain token # Check the user can only get a domain token
self.v3_authenticate_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_ud_link) self.delete(non_inher_ud_link)
# Check the user cannot get a domain token anymore # Check the user cannot get a domain token anymore
self.v3_authenticate_token(domain_auth_data, self.v3_create_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_get_token_from_inherited_group_domain_role_grants(self): def test_get_token_from_inherited_group_domain_role_grants(self):
# Create a new group and put a new user in it to # Create a new group and put a new user in it to
@ -2270,10 +2270,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
project_id=self.project_id) project_id=self.project_id)
# Check the user cannot get a domain nor a project token # Check the user cannot get a domain nor a project token
self.v3_authenticate_token(domain_auth_data, self.v3_create_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# Grant non-inherited role for user on domain # Grant non-inherited role for user on domain
non_inher_gd_link = self.build_role_assignment_link( non_inher_gd_link = self.build_role_assignment_link(
@ -2281,9 +2281,9 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(non_inher_gd_link) self.put(non_inher_gd_link)
# Check the user can get only a domain token # Check the user can get only a domain token
self.v3_authenticate_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# Create inherited role # Create inherited role
inherited_role = {'id': uuid.uuid4().hex, 'name': 'inherited'} inherited_role = {'id': uuid.uuid4().hex, 'name': 'inherited'}
@ -2296,23 +2296,23 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(inher_gd_link) self.put(inher_gd_link)
# Check the user can get both a domain and a project token # Check the user can get both a domain and a project token
self.v3_authenticate_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data) self.v3_create_token(project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_gd_link) self.delete(inher_gd_link)
# Check the user can only get a domain token # Check the user can only get a domain token
self.v3_authenticate_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_authenticate_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_gd_link) self.delete(non_inher_gd_link)
# Check the user cannot get a domain token anymore # Check the user cannot get a domain token anymore
self.v3_authenticate_token(domain_auth_data, self.v3_create_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def _test_crud_inherited_and_direct_assignment_on_target(self, target_url): def _test_crud_inherited_and_direct_assignment_on_target(self, target_url):
# Create a new role to avoid assignments loaded from sample data # Create a new role to avoid assignments loaded from sample data
@ -2821,10 +2821,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
project_id=leaf_id) project_id=leaf_id)
# Check the user cannot get a token on root nor leaf project # Check the user cannot get a token on root nor leaf project
self.v3_authenticate_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data, self.v3_create_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# Grant non-inherited role for user on leaf project # Grant non-inherited role for user on leaf project
non_inher_up_link = self.build_role_assignment_link( non_inher_up_link = self.build_role_assignment_link(
@ -2833,9 +2833,9 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(non_inher_up_link) self.put(non_inher_up_link)
# Check the user can only get a token on leaf project # Check the user can only get a token on leaf project
self.v3_authenticate_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Grant inherited role for user on root project # Grant inherited role for user on root project
inher_up_link = self.build_role_assignment_link( inher_up_link = self.build_role_assignment_link(
@ -2844,24 +2844,24 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(inher_up_link) self.put(inher_up_link)
# Check the user still can get a token only on leaf project # Check the user still can get a token only on leaf project
self.v3_authenticate_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_up_link) self.delete(non_inher_up_link)
# Check the inherited role still applies for leaf project # Check the inherited role still applies for leaf project
self.v3_authenticate_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_up_link) self.delete(inher_up_link)
# Check the user cannot get a token on leaf project anymore # Check the user cannot get a token on leaf project anymore
self.v3_authenticate_token(leaf_project_auth_data, self.v3_create_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_get_token_from_inherited_group_project_role_grants(self): def test_get_token_from_inherited_group_project_role_grants(self):
# Create default scenario # Create default scenario
@ -2884,10 +2884,10 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
project_id=leaf_id) project_id=leaf_id)
# Check the user cannot get a token on root nor leaf project # Check the user cannot get a token on root nor leaf project
self.v3_authenticate_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data, self.v3_create_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# Grant non-inherited role for group on leaf project # Grant non-inherited role for group on leaf project
non_inher_gp_link = self.build_role_assignment_link( non_inher_gp_link = self.build_role_assignment_link(
@ -2896,9 +2896,9 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(non_inher_gp_link) self.put(non_inher_gp_link)
# Check the user can only get a token on leaf project # Check the user can only get a token on leaf project
self.v3_authenticate_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Grant inherited role for group on root project # Grant inherited role for group on root project
inher_gp_link = self.build_role_assignment_link( inher_gp_link = self.build_role_assignment_link(
@ -2907,22 +2907,22 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase,
self.put(inher_gp_link) self.put(inher_gp_link)
# Check the user still can get a token only on leaf project # Check the user still can get a token only on leaf project
self.v3_authenticate_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
self.v3_authenticate_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Delete no-inherited grant # Delete no-inherited grant
self.delete(non_inher_gp_link) self.delete(non_inher_gp_link)
# Check the inherited role still applies for leaf project # Check the inherited role still applies for leaf project
self.v3_authenticate_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_gp_link) self.delete(inher_gp_link)
# Check the user cannot get a token on leaf project anymore # Check the user cannot get a token on leaf project anymore
self.v3_authenticate_token(leaf_project_auth_data, self.v3_create_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_get_role_assignments_for_project_hierarchy(self): def test_get_role_assignments_for_project_hierarchy(self):
"""Call ``GET /role_assignments``. """Call ``GET /role_assignments``.

224
keystone/tests/unit/test_v3_auth.py
View File

@ -121,7 +121,7 @@ class TokenAPITests(object):
# resolved in Python for multiple inheritance means that a setUp in this # resolved in Python for multiple inheritance means that a setUp in this
# would get skipped by the testrunner. # would get skipped by the testrunner.
def doSetUp(self): def doSetUp(self):
r = self.v3_authenticate_token(self.build_authentication_request( r = self.v3_create_token(self.build_authentication_request(
username=self.user['name'], username=self.user['name'],
user_domain_id=self.domain_id, user_domain_id=self.domain_id,
password=self.user['password'])) password=self.user['password']))
@ -254,7 +254,7 @@ class TokenAPITests(object):
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_v3_v2_unscoped_token_intermix(self): def test_v3_v2_unscoped_token_intermix(self):
r = self.v3_authenticate_token(self.build_authentication_request( r = self.v3_create_token(self.build_authentication_request(
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'])) password=self.default_domain_user['password']))
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
@ -278,7 +278,7 @@ class TokenAPITests(object):
def test_v3_v2_token_intermix(self): def test_v3_v2_token_intermix(self):
# FIXME(gyee): PKI tokens are not interchangeable because token # FIXME(gyee): PKI tokens are not interchangeable because token
# data is baked into the token itself. # data is baked into the token itself.
r = self.v3_authenticate_token(self.build_authentication_request( r = self.v3_create_token(self.build_authentication_request(
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'], password=self.default_domain_user['password'],
project_id=self.default_domain_project['id'])) project_id=self.default_domain_project['id']))
@ -396,7 +396,7 @@ class TokenAPITests(object):
expires = self.v3_token_data['token']['expires_at'] expires = self.v3_token_data['token']['expires_at']
# rescope the token # rescope the token
r = self.v3_authenticate_token(self.build_authentication_request( r = self.v3_create_token(self.build_authentication_request(
token=self.v3_token, token=self.v3_token,
project_id=self.project_id)) project_id=self.project_id))
self.assertValidProjectScopedTokenResponse(r) self.assertValidProjectScopedTokenResponse(r)
@ -431,7 +431,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
allow_rescope_scoped_token=False) allow_rescope_scoped_token=False)
def test_rescoping_v3_to_v3_disabled(self): def test_rescoping_v3_to_v3_disabled(self):
self.v3_authenticate_token( self.v3_create_token(
self.build_authentication_request( self.build_authentication_request(
token=self.get_scoped_token(), token=self.get_scoped_token(),
project_id=self.project_id), project_id=self.project_id),
@ -465,7 +465,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
def test_rescoping_v2_to_v3_disabled(self): def test_rescoping_v2_to_v3_disabled(self):
token = self._v2_token() token = self._v2_token()
self.v3_authenticate_token( self.v3_create_token(
self.build_authentication_request( self.build_authentication_request(
token=token['access']['token']['id'], token=token['access']['token']['id'],
project_id=self.project_id), project_id=self.project_id),
@ -495,7 +495,7 @@ class AllowRescopeScopedTokenDisabledTests(test_v3.RestfulTestCase):
self.build_authentication_request( self.build_authentication_request(
token=unscoped_token, token=unscoped_token,
domain_id=self.domainA['id'])) domain_id=self.domainA['id']))
self.v3_authenticate_token( self.v3_create_token(
self.build_authentication_request( self.build_authentication_request(
token=domain_scoped_token, token=domain_scoped_token,
project_id=self.project_id), project_id=self.project_id),
@ -518,7 +518,7 @@ class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password']) password=self.user['password'])
resp = self.v3_authenticate_token(auth_data) resp = self.v3_create_token(auth_data)
token_data = resp.result token_data = resp.result
token_id = resp.headers.get('X-Subject-Token') token_id = resp.headers.get('X-Subject-Token')
self.assertIn('expires_at', token_data['token']) self.assertIn('expires_at', token_data['token'])
@ -542,7 +542,7 @@ class TestPKITokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'], password=self.default_domain_user['password'],
project_id=self.default_domain_project['id']) project_id=self.default_domain_project['id'])
resp = self.v3_authenticate_token(auth_data) resp = self.v3_create_token(auth_data)
token_data = resp.result token_data = resp.result
token = resp.headers.get('X-Subject-Token') token = resp.headers.get('X-Subject-Token')
@ -585,7 +585,7 @@ class TestUUIDTokenAPIs(test_v3.RestfulTestCase, TokenAPITests):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password']) password=self.user['password'])
resp = self.v3_authenticate_token(auth_data) resp = self.v3_create_token(auth_data)
token_data = resp.result token_data = resp.result
token_id = resp.headers.get('X-Subject-Token') token_id = resp.headers.get('X-Subject-Token')
self.assertIn('expires_at', token_data['token']) self.assertIn('expires_at', token_data['token'])
@ -1101,7 +1101,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token}, headers={'X-Subject-Token': token},
expected_status=http_client.NOT_FOUND) expected_status=http_client.NOT_FOUND)
self.v3_authenticate_token( self.v3_create_token(
self.build_authentication_request( self.build_authentication_request(
user_id=self.user3['id'], user_id=self.user3['id'],
password=self.user3['password'], password=self.user3['password'],
@ -1128,7 +1128,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': token}, headers={'X-Subject-Token': token},
expected_status=http_client.NOT_FOUND) expected_status=http_client.NOT_FOUND)
self.v3_authenticate_token( self.v3_create_token(
self.build_authentication_request( self.build_authentication_request(
user_id=self.user3['id'], user_id=self.user3['id'],
password=self.user3['password'], password=self.user3['password'],
@ -1310,7 +1310,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': user1_token}, headers={'X-Subject-Token': user1_token},
expected_status=http_client.NOT_FOUND) expected_status=http_client.NOT_FOUND)
self.v3_authenticate_token( self.v3_create_token(
self.build_authentication_request( self.build_authentication_request(
user_id=self.user1['id'], user_id=self.user1['id'],
password=self.user1['password'], password=self.user1['password'],
@ -1321,7 +1321,7 @@ class TestTokenRevokeById(test_v3.RestfulTestCase):
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'X-Subject-Token': user3_token}, headers={'X-Subject-Token': user3_token},
expected_status=http_client.OK) expected_status=http_client.OK)
self.v3_authenticate_token( self.v3_create_token(
self.build_authentication_request( self.build_authentication_request(
user_id=self.user3['id'], user_id=self.user3['id'],
password=self.user3['password'], password=self.user3['password'],
@ -1645,11 +1645,11 @@ class TestTokenRevokeApi(TestTokenRevokeById):
scoped_token = self.get_scoped_token() scoped_token = self.get_scoped_token()
headers = {'X-Subject-Token': scoped_token} headers = {'X-Subject-Token': scoped_token}
auth_req = self.build_authentication_request(token=scoped_token) auth_req = self.build_authentication_request(token=scoped_token)
response = self.v3_authenticate_token(auth_req) response = self.v3_create_token(auth_req)
token2 = response.json_body['token'] token2 = response.json_body['token']
headers2 = {'X-Subject-Token': response.headers['X-Subject-Token']} headers2 = {'X-Subject-Token': response.headers['X-Subject-Token']}
response = self.v3_authenticate_token(auth_req) response = self.v3_create_token(auth_req)
response.json_body['token'] response.json_body['token']
headers3 = {'X-Subject-Token': response.headers['X-Subject-Token']} headers3 = {'X-Subject-Token': response.headers['X-Subject-Token']}
@ -1758,7 +1758,7 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user, self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
'REMOTE_DOMAIN': remote_domain, 'REMOTE_DOMAIN': remote_domain,
'AUTH_TYPE': 'Negotiate'}) 'AUTH_TYPE': 'Negotiate'})
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidProjectScopedTokenResponse(r) token = self.assertValidProjectScopedTokenResponse(r)
self.assertEqual(self.user['name'], token['bind']['kerberos']) self.assertEqual(self.user['name'], token['bind']['kerberos'])
@ -1770,7 +1770,7 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user, self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
'REMOTE_DOMAIN': remote_domain, 'REMOTE_DOMAIN': remote_domain,
'AUTH_TYPE': 'Negotiate'}) 'AUTH_TYPE': 'Negotiate'})
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidUnscopedTokenResponse(r) token = self.assertValidUnscopedTokenResponse(r)
self.assertEqual(self.user['name'], token['bind']['kerberos']) self.assertEqual(self.user['name'], token['bind']['kerberos'])
@ -1814,7 +1814,7 @@ class TestAuthExternalDefaultDomain(test_v3.RestfulTestCase):
remote_user = self.default_domain_user['name'] remote_user = self.default_domain_user['name']
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user, self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
'AUTH_TYPE': 'Negotiate'}) 'AUTH_TYPE': 'Negotiate'})
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidProjectScopedTokenResponse(r) token = self.assertValidProjectScopedTokenResponse(r)
self.assertEqual(self.default_domain_user['name'], self.assertEqual(self.default_domain_user['name'],
token['bind']['kerberos']) token['bind']['kerberos'])
@ -1825,7 +1825,7 @@ class TestAuthExternalDefaultDomain(test_v3.RestfulTestCase):
remote_user = self.default_domain_user['name'] remote_user = self.default_domain_user['name']
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user, self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
'AUTH_TYPE': 'Negotiate'}) 'AUTH_TYPE': 'Negotiate'})
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidUnscopedTokenResponse(r) token = self.assertValidUnscopedTokenResponse(r)
self.assertEqual(self.default_domain_user['name'], self.assertEqual(self.default_domain_user['name'],
token['bind']['kerberos']) token['bind']['kerberos'])
@ -1846,7 +1846,7 @@ class TestAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password']) password=self.user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
def test_unscoped_token_with_user_domain_id(self): def test_unscoped_token_with_user_domain_id(self):
@ -1854,7 +1854,7 @@ class TestAuth(test_v3.RestfulTestCase):
username=self.user['name'], username=self.user['name'],
user_domain_id=self.domain['id'], user_domain_id=self.domain['id'],
password=self.user['password']) password=self.user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
def test_unscoped_token_with_user_domain_name(self): def test_unscoped_token_with_user_domain_name(self):
@ -1862,7 +1862,7 @@ class TestAuth(test_v3.RestfulTestCase):
username=self.user['name'], username=self.user['name'],
user_domain_name=self.domain['name'], user_domain_name=self.domain['name'],
password=self.user['password']) password=self.user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
def test_project_id_scoped_token_with_user_id(self): def test_project_id_scoped_token_with_user_id(self):
@ -1870,7 +1870,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=self.project['id']) project_id=self.project['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r) self.assertValidProjectScopedTokenResponse(r)
def _second_project_as_default(self): def _second_project_as_default(self):
@ -1901,7 +1901,7 @@ class TestAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password']) password=self.user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r) self.assertValidProjectScopedTokenResponse(r)
self.assertEqual(project['id'], r.result['token']['project']['id']) self.assertEqual(project['id'], r.result['token']['project']['id'])
@ -1946,7 +1946,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=self.project['id']) project_id=self.project['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
catalog = r.result['token']['catalog'] catalog = r.result['token']['catalog']
self.assertEqual(1, len(catalog)) self.assertEqual(1, len(catalog))
@ -1983,7 +1983,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=self.project['id']) project_id=self.project['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertEqual([], r.result['token']['catalog']) self.assertEqual([], r.result['token']['catalog'])
@ -2005,7 +2005,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=self.project['id']) project_id=self.project['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self._check_disabled_endpoint_result(r.result['token']['catalog'], self._check_disabled_endpoint_result(r.result['token']['catalog'],
disabled_endpoint_id) disabled_endpoint_id)
@ -2018,8 +2018,8 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=project['id']) project_id=project['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_user_and_group_roles_scoped_token(self): def test_user_and_group_roles_scoped_token(self):
"""Test correct roles are returned in scoped token. """Test correct roles are returned in scoped token.
@ -2113,7 +2113,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=user1['id'], user_id=user1['id'],
password=user1['password'], password=user1['password'],
project_id=projectA['id']) project_id=projectA['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidScopedTokenResponse(r) token = self.assertValidScopedTokenResponse(r)
roles_ids = [] roles_ids = []
for ref in token['roles']: for ref in token['roles']:
@ -2127,7 +2127,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=user1['id'], user_id=user1['id'],
password=user1['password'], password=user1['password'],
domain_id=domainA['id']) domain_id=domainA['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidScopedTokenResponse(r) token = self.assertValidScopedTokenResponse(r)
roles_ids = [] roles_ids = []
for ref in token['roles']: for ref in token['roles']:
@ -2145,7 +2145,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=user1['id'], user_id=user1['id'],
password=user1['password'], password=user1['password'],
project_id=projectA['id']) project_id=projectA['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidScopedTokenResponse(r) token = self.assertValidScopedTokenResponse(r)
roles_ids = [] roles_ids = []
for ref in token['roles']: for ref in token['roles']:
@ -2210,7 +2210,7 @@ class TestAuth(test_v3.RestfulTestCase):
project_name=project1['name'], project_name=project1['name'],
project_domain_id=domain1['id']) project_domain_id=domain1['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
scoped_token = self.assertValidScopedTokenResponse(r) scoped_token = self.assertValidScopedTokenResponse(r)
project = scoped_token["project"] project = scoped_token["project"]
roles_ids = [] roles_ids = []
@ -2228,7 +2228,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_domain_id=self.domain['id'], user_domain_id=self.domain['id'],
password=self.user['password'], password=self.user['password'],
project_id=self.project['id']) project_id=self.project['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r) self.assertValidProjectScopedTokenResponse(r)
def test_project_id_scoped_token_with_user_domain_name(self): def test_project_id_scoped_token_with_user_domain_name(self):
@ -2237,7 +2237,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_domain_name=self.domain['name'], user_domain_name=self.domain['name'],
password=self.user['password'], password=self.user['password'],
project_id=self.project['id']) project_id=self.project['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectScopedTokenResponse(r) self.assertValidProjectScopedTokenResponse(r)
def test_domain_id_scoped_token_with_user_id(self): def test_domain_id_scoped_token_with_user_id(self):
@ -2249,7 +2249,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
domain_id=self.domain['id']) domain_id=self.domain['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidDomainScopedTokenResponse(r) self.assertValidDomainScopedTokenResponse(r)
def test_domain_id_scoped_token_with_user_domain_id(self): def test_domain_id_scoped_token_with_user_domain_id(self):
@ -2262,7 +2262,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_domain_id=self.domain['id'], user_domain_id=self.domain['id'],
password=self.user['password'], password=self.user['password'],
domain_id=self.domain['id']) domain_id=self.domain['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidDomainScopedTokenResponse(r) self.assertValidDomainScopedTokenResponse(r)
def test_domain_id_scoped_token_with_user_domain_name(self): def test_domain_id_scoped_token_with_user_domain_name(self):
@ -2275,7 +2275,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_domain_name=self.domain['name'], user_domain_name=self.domain['name'],
password=self.user['password'], password=self.user['password'],
domain_id=self.domain['id']) domain_id=self.domain['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidDomainScopedTokenResponse(r) self.assertValidDomainScopedTokenResponse(r)
def test_domain_name_scoped_token_with_user_id(self): def test_domain_name_scoped_token_with_user_id(self):
@ -2287,7 +2287,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
domain_name=self.domain['name']) domain_name=self.domain['name'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidDomainScopedTokenResponse(r) self.assertValidDomainScopedTokenResponse(r)
def test_domain_name_scoped_token_with_user_domain_id(self): def test_domain_name_scoped_token_with_user_domain_id(self):
@ -2300,7 +2300,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_domain_id=self.domain['id'], user_domain_id=self.domain['id'],
password=self.user['password'], password=self.user['password'],
domain_name=self.domain['name']) domain_name=self.domain['name'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidDomainScopedTokenResponse(r) self.assertValidDomainScopedTokenResponse(r)
def test_domain_name_scoped_token_with_user_domain_name(self): def test_domain_name_scoped_token_with_user_domain_name(self):
@ -2313,7 +2313,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_domain_name=self.domain['name'], user_domain_name=self.domain['name'],
password=self.user['password'], password=self.user['password'],
domain_name=self.domain['name']) domain_name=self.domain['name'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidDomainScopedTokenResponse(r) self.assertValidDomainScopedTokenResponse(r)
def test_domain_scope_token_with_group_role(self): def test_domain_scope_token_with_group_role(self):
@ -2334,7 +2334,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
domain_id=self.domain['id']) domain_id=self.domain['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidDomainScopedTokenResponse(r) self.assertValidDomainScopedTokenResponse(r)
def test_domain_scope_token_with_name(self): def test_domain_scope_token_with_name(self):
@ -2347,7 +2347,7 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
domain_name=self.domain['name']) domain_name=self.domain['name'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidDomainScopedTokenResponse(r) self.assertValidDomainScopedTokenResponse(r)
def test_domain_scope_failed(self): def test_domain_scope_failed(self):
@ -2355,21 +2355,21 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
domain_id=self.domain['id']) domain_id=self.domain['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_auth_with_id(self): def test_auth_with_id(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password']) password=self.user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
token = r.headers.get('X-Subject-Token') token = r.headers.get('X-Subject-Token')
# test token auth # test token auth
auth_data = self.build_authentication_request(token=token) auth_data = self.build_authentication_request(token=token)
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
def get_v2_token(self, tenant_id=None): def get_v2_token(self, tenant_id=None):
@ -2387,7 +2387,7 @@ class TestAuth(test_v3.RestfulTestCase):
def test_validate_v2_unscoped_token_with_v3_api(self): def test_validate_v2_unscoped_token_with_v3_api(self):
v2_token = self.get_v2_token().result['access']['token']['id'] v2_token = self.get_v2_token().result['access']['token']['id']
auth_data = self.build_authentication_request(token=v2_token) auth_data = self.build_authentication_request(token=v2_token)
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
def test_validate_v2_scoped_token_with_v3_api(self): def test_validate_v2_scoped_token_with_v3_api(self):
@ -2398,46 +2398,46 @@ class TestAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
token=v2_token, token=v2_token,
project_id=self.default_domain_project['id']) project_id=self.default_domain_project['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidScopedTokenResponse(r) self.assertValidScopedTokenResponse(r)
def test_invalid_user_id(self): def test_invalid_user_id(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=uuid.uuid4().hex, user_id=uuid.uuid4().hex,
password=self.user['password']) password=self.user['password'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_invalid_user_name(self): def test_invalid_user_name(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
username=uuid.uuid4().hex, username=uuid.uuid4().hex,
user_domain_id=self.domain['id'], user_domain_id=self.domain['id'],
password=self.user['password']) password=self.user['password'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_invalid_domain_id(self): def test_invalid_domain_id(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
username=self.user['name'], username=self.user['name'],
user_domain_id=uuid.uuid4().hex, user_domain_id=uuid.uuid4().hex,
password=self.user['password']) password=self.user['password'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_invalid_domain_name(self): def test_invalid_domain_name(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
username=self.user['name'], username=self.user['name'],
user_domain_name=uuid.uuid4().hex, user_domain_name=uuid.uuid4().hex,
password=self.user['password']) password=self.user['password'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_invalid_password(self): def test_invalid_password(self):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=uuid.uuid4().hex) password=uuid.uuid4().hex)
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_remote_user_no_realm(self): def test_remote_user_no_realm(self):
api = auth.controllers.Auth() api = auth.controllers.Auth()
@ -2518,7 +2518,7 @@ class TestAuth(test_v3.RestfulTestCase):
remote_user = self.default_domain_user['name'] remote_user = self.default_domain_user['name']
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user, self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
'AUTH_TYPE': 'Negotiate'}) 'AUTH_TYPE': 'Negotiate'})
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidUnscopedTokenResponse(r) token = self.assertValidUnscopedTokenResponse(r)
self.assertNotIn('bind', token) self.assertNotIn('bind', token)
@ -2545,7 +2545,7 @@ class TestAuth(test_v3.RestfulTestCase):
remote_user = self.default_domain_user['name'] remote_user = self.default_domain_user['name']
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user, self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
'AUTH_TYPE': 'Negotiate'}) 'AUTH_TYPE': 'Negotiate'})
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
# the unscoped token should have bind information in it # the unscoped token should have bind information in it
token = self.assertValidUnscopedTokenResponse(r) token = self.assertValidUnscopedTokenResponse(r)
@ -2556,7 +2556,7 @@ class TestAuth(test_v3.RestfulTestCase):
# using unscoped token with remote user succeeds # using unscoped token with remote user succeeds
auth_params = {'token': token, 'project_id': self.project_id} auth_params = {'token': token, 'project_id': self.project_id}
auth_data = self.build_authentication_request(**auth_params) auth_data = self.build_authentication_request(**auth_params)
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = self.assertValidProjectScopedTokenResponse(r) token = self.assertValidProjectScopedTokenResponse(r)
# the bind information should be carried over from the original token # the bind information should be carried over from the original token
@ -2603,8 +2603,8 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=user['id'], user_id=user['id'],
password='password') password='password')
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_disabled_default_project_result_in_unscoped_token(self): def test_disabled_default_project_result_in_unscoped_token(self):
# create a disabled project to work with # create a disabled project to work with
@ -2620,7 +2620,7 @@ class TestAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password']) password=self.user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
def test_disabled_default_project_domain_result_in_unscoped_token(self): def test_disabled_default_project_domain_result_in_unscoped_token(self):
@ -2646,7 +2646,7 @@ class TestAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password']) password=self.user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
def test_no_access_to_default_project_result_in_unscoped_token(self): def test_no_access_to_default_project_result_in_unscoped_token(self):
@ -2658,7 +2658,7 @@ class TestAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password']) password=self.user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidUnscopedTokenResponse(r) self.assertValidUnscopedTokenResponse(r)
def test_disabled_scope_project_domain_result_in_401(self): def test_disabled_scope_project_domain_result_in_401(self):
@ -2682,8 +2682,8 @@ class TestAuth(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=project['id']) project_id=project['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# user should not be able to auth with project_name & domain # user should not be able to auth with project_name & domain
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
@ -2691,8 +2691,8 @@ class TestAuth(test_v3.RestfulTestCase):
password=self.user['password'], password=self.user['password'],
project_name=project['name'], project_name=project['name'],
project_domain_id=domain['id']) project_domain_id=domain['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_auth_methods_with_different_identities_fails(self): def test_auth_methods_with_different_identities_fails(self):
# get the token for a user. This is self.user which is different from # get the token for a user. This is self.user which is different from
@ -2704,8 +2704,8 @@ class TestAuth(test_v3.RestfulTestCase):
token=token, token=token,
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password']) password=self.default_domain_user['password'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
class TestAuthJSONExternal(test_v3.RestfulTestCase): class TestAuthJSONExternal(test_v3.RestfulTestCase):
@ -2741,8 +2741,8 @@ class TestTrustOptional(test_v3.RestfulTestCase):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
trust_id=uuid.uuid4().hex) trust_id=uuid.uuid4().hex)
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.FORBIDDEN) expected_status=http_client.FORBIDDEN)
class TestTrustRedelegation(test_v3.RestfulTestCase): class TestTrustRedelegation(test_v3.RestfulTestCase):
@ -3082,7 +3082,7 @@ class TestTrustChain(test_v3.RestfulTestCase):
user_id=user['id'], user_id=user['id'],
password=user['password'] password=user['password']
) )
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidTokenResponse(r) self.assertValidTokenResponse(r)
def assert_trust_tokens_revoked(self, trust_id): def assert_trust_tokens_revoked(self, trust_id):
@ -3091,7 +3091,7 @@ class TestTrustChain(test_v3.RestfulTestCase):
user_id=trustee['id'], user_id=trustee['id'],
password=trustee['password'] password=trustee['password']
) )
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidTokenResponse(r) self.assertValidTokenResponse(r)
revocation_response = self.get('/OS-REVOKE/events') revocation_response = self.get('/OS-REVOKE/events')
@ -3131,8 +3131,8 @@ class TestTrustChain(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
token=self.last_token, token=self.last_token,
trust_id=self.trust_chain[-1]['id']) trust_id=self.trust_chain[-1]['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.NOT_FOUND) expected_status=http_client.NOT_FOUND)
def test_intermediate_user_disabled(self): def test_intermediate_user_disabled(self):
self.assert_user_authenticate(self.user_chain[0]) self.assert_user_authenticate(self.user_chain[0])
@ -3219,13 +3219,13 @@ class TestTrustAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password']) password=self.trustee_user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = r.headers.get('X-Subject-Token') token = r.headers.get('X-Subject-Token')
# get a trust token, consume one use # get a trust token, consume one use
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
token=token, token=token,
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
return trust return trust
def test_consume_trust_once(self): def test_consume_trust_once(self):
@ -3248,8 +3248,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_create_trust_with_bad_values_for_remaining_uses(self): def test_create_trust_with_bad_values_for_remaining_uses(self):
# negative values for the remaining_uses parameter are forbidden # negative values for the remaining_uses parameter are forbidden
@ -3314,12 +3314,12 @@ class TestTrustAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password']) password=self.trustee_user['password'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
token = r.headers.get('X-Subject-Token') token = r.headers.get('X-Subject-Token')
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
token=token, token=token,
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
r = self.get( r = self.get(
'/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']}) '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
trust = r.result.get('trust') trust = r.result.get('trust')
@ -3432,7 +3432,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'], password=self.default_domain_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse( self.assertValidProjectTrustScopedTokenResponse(
r, self.default_domain_user) r, self.default_domain_user)
@ -3466,7 +3466,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse( self.assertValidProjectTrustScopedTokenResponse(
r, self.trustee_user) r, self.trustee_user)
token = r.headers.get('X-Subject-Token') token = r.headers.get('X-Subject-Token')
@ -3506,7 +3506,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=trustee_user['id'], user_id=trustee_user['id'],
password=trustee_user['password'], password=trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse( self.assertValidProjectTrustScopedTokenResponse(
r, trustee_user) r, trustee_user)
token = r.headers.get('X-Subject-Token') token = r.headers.get('X-Subject-Token')
@ -3545,7 +3545,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=trustee_user['id'], user_id=trustee_user['id'],
password=trustee_user['password'], password=trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse( self.assertValidProjectTrustScopedTokenResponse(
r, trustee_user) r, trustee_user)
token = r.headers.get('X-Subject-Token') token = r.headers.get('X-Subject-Token')
@ -3572,7 +3572,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(r, self.trustee_user) self.assertValidProjectTrustScopedTokenResponse(r, self.trustee_user)
self.assertEqual(self.trustee_user['id'], self.assertEqual(self.trustee_user['id'],
r.result['token']['user']['id']) r.result['token']['user']['id'])
@ -3603,7 +3603,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(r, self.user) self.assertValidProjectTrustScopedTokenResponse(r, self.user)
self.assertEqual(self.user['id'], r.result['token']['user']['id']) self.assertEqual(self.user['id'], r.result['token']['user']['id'])
self.assertEqual(self.user['name'], r.result['token']['user']['name']) self.assertEqual(self.user['name'], r.result['token']['user']['name'])
@ -3685,8 +3685,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data, r = self.v3_create_token(auth_data,
expected_status=http_client.FORBIDDEN) expected_status=http_client.FORBIDDEN)
def test_trust_chained(self): def test_trust_chained(self):
"""Test that a trust token can't be used to execute another trust. """Test that a trust token can't be used to execute another trust.
@ -3754,8 +3754,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
token=trust_token, token=trust_token,
trust_id=trust1['id']) trust_id=trust1['id'])
r = self.v3_authenticate_token(auth_data, r = self.v3_create_token(auth_data,
expected_status=http_client.FORBIDDEN) expected_status=http_client.FORBIDDEN)
def assertTrustTokensRevoked(self, trust_id): def assertTrustTokensRevoked(self, trust_id):
revocation_response = self.get('/OS-REVOKE/events') revocation_response = self.get('/OS-REVOKE/events')
@ -3782,7 +3782,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust_id) trust_id=trust_id)
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse( self.assertValidProjectTrustScopedTokenResponse(
r, self.trustee_user) r, self.trustee_user)
trust_token = r.headers['X-Subject-Token'] trust_token = r.headers['X-Subject-Token']
@ -3814,7 +3814,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data) self.v3_create_token(auth_data)
self.disable_user(self.user) self.disable_user(self.user)
@ -3822,8 +3822,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.FORBIDDEN) expected_status=http_client.FORBIDDEN)
def test_trust_get_token_fails_if_trustee_disabled(self): def test_trust_get_token_fails_if_trustee_disabled(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3842,7 +3842,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data) self.v3_create_token(auth_data)
self.disable_user(self.trustee_user) self.disable_user(self.trustee_user)
@ -3850,8 +3850,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_delete_trust(self): def test_delete_trust(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3881,8 +3881,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
def test_list_trusts(self): def test_list_trusts(self):
ref = self.new_trust_ref( ref = self.new_trust_ref(
@ -3929,7 +3929,7 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(r, self.user) self.assertValidProjectTrustScopedTokenResponse(r, self.user)
trust_token = r.headers.get('X-Subject-Token') trust_token = r.headers.get('X-Subject-Token')
@ -4000,8 +4000,8 @@ class TestTrustAuth(test_v3.RestfulTestCase):
user_id=self.default_domain_user['id'], user_id=self.default_domain_user['id'],
password=self.default_domain_user['password'], password=self.default_domain_user['password'],
trust_id=trust_id) trust_id=trust_id)
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.FORBIDDEN) expected_status=http_client.FORBIDDEN)
r = self.get('/OS-TRUST/trusts/%s' % trust_id) r = self.get('/OS-TRUST/trusts/%s' % trust_id)
self.assertEqual(3, r.result.get('trust').get('remaining_uses')) self.assertEqual(3, r.result.get('trust').get('remaining_uses'))
@ -4547,8 +4547,8 @@ class TestAuthFernetTokenProvider(TestAuth):
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user, self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
'AUTH_TYPE': 'Negotiate'}) 'AUTH_TYPE': 'Negotiate'})
# Bind not current supported by Fernet, see bug 1433311. # Bind not current supported by Fernet, see bug 1433311.
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.NOT_IMPLEMENTED) expected_status=http_client.NOT_IMPLEMENTED)
def test_v2_v3_bind_token_intermix(self): def test_v2_v3_bind_token_intermix(self):
self.config_fixture.config(group='token', bind='kerberos') self.config_fixture.config(group='token', bind='kerberos')
@ -4573,5 +4573,5 @@ class TestAuthFernetTokenProvider(TestAuth):
self.admin_app.extra_environ.update({'REMOTE_USER': remote_user, self.admin_app.extra_environ.update({'REMOTE_USER': remote_user,
'AUTH_TYPE': 'Negotiate'}) 'AUTH_TYPE': 'Negotiate'})
# Bind not current supported by Fernet, see bug 1433311. # Bind not current supported by Fernet, see bug 1433311.
self.v3_authenticate_token(auth_data, self.v3_create_token(auth_data,
expected_status=http_client.NOT_IMPLEMENTED) expected_status=http_client.NOT_IMPLEMENTED)

2
keystone/tests/unit/test_v3_credential.py
View File

@ -316,7 +316,7 @@ class TestCredentialTrustScoped(test_v3.RestfulTestCase):
user_id=self.trustee_user['id'], user_id=self.trustee_user['id'],
password=self.trustee_user['password'], password=self.trustee_user['password'],
trust_id=trust['id']) trust_id=trust['id'])
r = self.v3_authenticate_token(auth_data) r = self.v3_create_token(auth_data)
self.assertValidProjectTrustScopedTokenResponse(r, self.user) self.assertValidProjectTrustScopedTokenResponse(r, self.user)
trust_id = r.result['token']['OS-TRUST:trust']['id'] trust_id = r.result['token']['OS-TRUST:trust']['id']
token_id = r.headers.get('X-Subject-Token') token_id = r.headers.get('X-Subject-Token')

32
keystone/tests/unit/test_v3_federation.py
View File

@ -1654,13 +1654,13 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
self.assertIsNotNone(r.headers.get('X-Subject-Token')) self.assertIsNotNone(r.headers.get('X-Subject-Token'))
def test_scope_to_project_once_notify(self): def test_scope_to_project_once_notify(self):
r = self.v3_authenticate_token( r = self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE) self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE)
user_id = r.json['token']['user']['id'] user_id = r.json['token']['user']['id']
self._assert_last_notify(self.ACTION, self.IDP, self.PROTOCOL, user_id) self._assert_last_notify(self.ACTION, self.IDP, self.PROTOCOL, user_id)
def test_scope_to_project_once(self): def test_scope_to_project_once(self):
r = self.v3_authenticate_token( r = self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE) self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE)
token_resp = r.result['token'] token_resp = r.result['token']
project_id = token_resp['project']['id'] project_id = token_resp['project']['id']
@ -1690,14 +1690,14 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
""" """
enabled_false = {'enabled': False} enabled_false = {'enabled': False}
self.federation_api.update_idp(self.IDP, enabled_false) self.federation_api.update_idp(self.IDP, enabled_false)
self.v3_authenticate_token( self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER, self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER,
expected_status=http_client.FORBIDDEN) expected_status=http_client.FORBIDDEN)
def test_scope_to_bad_project(self): def test_scope_to_bad_project(self):
"""Scope unscoped token with a project we don't have access to.""" """Scope unscoped token with a project we don't have access to."""
self.v3_authenticate_token( self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER, self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
@ -1716,7 +1716,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
project_ids = (self.proj_employees['id'], project_ids = (self.proj_employees['id'],
self.proj_customers['id']) self.proj_customers['id'])
for body, project_id_ref in zip(bodies, project_ids): for body, project_id_ref in zip(bodies, project_ids):
r = self.v3_authenticate_token(body) r = self.v3_create_token(body)
token_resp = r.result['token'] token_resp = r.result['token']
self._check_project_scoped_token_attributes(token_resp, self._check_project_scoped_token_attributes(token_resp,
project_id_ref) project_id_ref)
@ -1724,7 +1724,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
def test_scope_to_project_with_only_inherited_roles(self): def test_scope_to_project_with_only_inherited_roles(self):
"""Try to scope token whose only roles are inherited.""" """Try to scope token whose only roles are inherited."""
self.config_fixture.config(group='os_inherit', enabled=True) self.config_fixture.config(group='os_inherit', enabled=True)
r = self.v3_authenticate_token( r = self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_INHERITED_FROM_CUSTOMER) self.TOKEN_SCOPE_PROJECT_INHERITED_FROM_CUSTOMER)
token_resp = r.result['token'] token_resp = r.result['token']
self._check_project_scoped_token_attributes( self._check_project_scoped_token_attributes(
@ -1736,7 +1736,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
def test_scope_token_from_nonexistent_unscoped_token(self): def test_scope_token_from_nonexistent_unscoped_token(self):
"""Try to scope token from non-existent unscoped token.""" """Try to scope token from non-existent unscoped token."""
self.v3_authenticate_token( self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_FROM_NONEXISTENT_TOKEN, self.TOKEN_SCOPE_PROJECT_FROM_NONEXISTENT_TOKEN,
expected_status=http_client.NOT_FOUND) expected_status=http_client.NOT_FOUND)
@ -1760,7 +1760,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
assertion='CONTRACTOR_ASSERTION') assertion='CONTRACTOR_ASSERTION')
def test_scope_to_domain_once(self): def test_scope_to_domain_once(self):
r = self.v3_authenticate_token(self.TOKEN_SCOPE_DOMAIN_A_FROM_CUSTOMER) r = self.v3_create_token(self.TOKEN_SCOPE_DOMAIN_A_FROM_CUSTOMER)
token_resp = r.result['token'] token_resp = r.result['token']
self._check_domain_scoped_token_attributes(token_resp, self._check_domain_scoped_token_attributes(token_resp,
self.domainA['id']) self.domainA['id'])
@ -1783,14 +1783,14 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
self.domainC['id']) self.domainC['id'])
for body, domain_id_ref in zip(bodies, domain_ids): for body, domain_id_ref in zip(bodies, domain_ids):
r = self.v3_authenticate_token(body) r = self.v3_create_token(body)
token_resp = r.result['token'] token_resp = r.result['token']
self._check_domain_scoped_token_attributes(token_resp, self._check_domain_scoped_token_attributes(token_resp,
domain_id_ref) domain_id_ref)
def test_scope_to_domain_with_only_inherited_roles_fails(self): def test_scope_to_domain_with_only_inherited_roles_fails(self):
"""Try to scope to a domain that has no direct roles.""" """Try to scope to a domain that has no direct roles."""
self.v3_authenticate_token( self.v3_create_token(
self.TOKEN_SCOPE_DOMAIN_D_FROM_CUSTOMER, self.TOKEN_SCOPE_DOMAIN_D_FROM_CUSTOMER,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
@ -1904,7 +1904,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
v3_scope_request = self._scope_request(employee_unscoped_token_id, v3_scope_request = self._scope_request(employee_unscoped_token_id,
'project', project['id']) 'project', project['id'])
r = self.v3_authenticate_token(v3_scope_request) r = self.v3_create_token(v3_scope_request)
token_resp = r.result['token'] token_resp = r.result['token']
self._check_project_scoped_token_attributes(token_resp, project['id']) self._check_project_scoped_token_attributes(token_resp, project['id'])
@ -1976,7 +1976,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
token_id, 'project', token_id, 'project',
self.project_all['id']) self.project_all['id'])
self.v3_authenticate_token( self.v3_create_token(
scoped_token, expected_status=http_client.INTERNAL_SERVER_ERROR) scoped_token, expected_status=http_client.INTERNAL_SERVER_ERROR)
def test_lists_with_missing_group_in_backend(self): def test_lists_with_missing_group_in_backend(self):
@ -2368,7 +2368,7 @@ class FederatedTokenTests(FederationTests, FederatedSetupMixin):
self._check_domains_are_valid(r.json_body['token']) self._check_domains_are_valid(r.json_body['token'])
def test_scoped_token_has_user_domain(self): def test_scoped_token_has_user_domain(self):
r = self.v3_authenticate_token( r = self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE) self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE)
self._check_domains_are_valid(r.result['token']) self._check_domains_are_valid(r.result['token'])
@ -2442,7 +2442,7 @@ class FernetFederatedTokenTests(FederationTests, FederatedSetupMixin):
v3_scope_request = self._scope_request(unscoped_token, v3_scope_request = self._scope_request(unscoped_token,
'project', project['id']) 'project', project['id'])
resp = self.v3_authenticate_token(v3_scope_request) resp = self.v3_create_token(v3_scope_request)
token_resp = resp.result['token'] token_resp = resp.result['token']
self._check_project_scoped_token_attributes(token_resp, project['id']) self._check_project_scoped_token_attributes(token_resp, project['id'])
@ -2715,7 +2715,7 @@ class SAMLGenerationTests(FederationTests):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=self.project['id']) project_id=self.project['id'])
resp = self.v3_authenticate_token(auth_data) resp = self.v3_create_token(auth_data)
token_id = resp.headers.get('X-Subject-Token') token_id = resp.headers.get('X-Subject-Token')
return token_id return token_id
@ -2724,7 +2724,7 @@ class SAMLGenerationTests(FederationTests):
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
user_domain_id=self.domain['id']) user_domain_id=self.domain['id'])
resp = self.v3_authenticate_token(auth_data) resp = self.v3_create_token(auth_data)
token_id = resp.headers.get('X-Subject-Token') token_id = resp.headers.get('X-Subject-Token')
return token_id return token_id

24
keystone/tests/unit/test_v3_identity.py
View File

@ -295,12 +295,12 @@ class IdentityTestCase(test_v3.RestfulTestCase):
old_password_auth = self.build_authentication_request( old_password_auth = self.build_authentication_request(
user_id=user_ref['id'], user_id=user_ref['id'],
password=password) password=password)
r = self.v3_authenticate_token(old_password_auth) r = self.v3_create_token(old_password_auth)
old_token = r.headers.get('X-Subject-Token') old_token = r.headers.get('X-Subject-Token')
# auth as user with a token should work before a password change # auth as user with a token should work before a password change
old_token_auth = self.build_authentication_request(token=old_token) old_token_auth = self.build_authentication_request(token=old_token)
self.v3_authenticate_token(old_token_auth) self.v3_create_token(old_token_auth)
# administrative password reset # administrative password reset
new_password = uuid.uuid4().hex new_password = uuid.uuid4().hex
@ -308,18 +308,18 @@ class IdentityTestCase(test_v3.RestfulTestCase):
body={'user': {'password': new_password}}) body={'user': {'password': new_password}})
# auth as user with original password should not work after change # auth as user with original password should not work after change
self.v3_authenticate_token(old_password_auth, self.v3_create_token(old_password_auth,
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# auth as user with an old token should not work after change # auth as user with an old token should not work after change
self.v3_authenticate_token(old_token_auth, self.v3_create_token(old_token_auth,
expected_status=http_client.NOT_FOUND) expected_status=http_client.NOT_FOUND)
# new password should work # new password should work
new_password_auth = self.build_authentication_request( new_password_auth = self.build_authentication_request(
user_id=user_ref['id'], user_id=user_ref['id'],
password=new_password) password=new_password)
self.v3_authenticate_token(new_password_auth) self.v3_create_token(new_password_auth)
def test_update_user_domain_id(self): def test_update_user_domain_id(self):
"""Call ``PATCH /users/{user_id}`` with domain_id.""" """Call ``PATCH /users/{user_id}`` with domain_id."""
@ -566,8 +566,8 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
auth_data = self.build_authentication_request( auth_data = self.build_authentication_request(
user_id=self.user_ref['id'], user_id=self.user_ref['id'],
password=password) password=password)
r = self.v3_authenticate_token(auth_data, r = self.v3_create_token(auth_data,
expected_status=expected_status) expected_status=expected_status)
return r.headers.get('X-Subject-Token') return r.headers.get('X-Subject-Token')
def change_password(self, expected_status, **kwargs): def change_password(self, expected_status, **kwargs):
@ -583,7 +583,7 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
expected_status=http_client.CREATED) expected_status=http_client.CREATED)
# original token works # original token works
old_token_auth = self.build_authentication_request(token=token_id) old_token_auth = self.build_authentication_request(token=token_id)
self.v3_authenticate_token(old_token_auth) self.v3_create_token(old_token_auth)
# change password # change password
new_password = uuid.uuid4().hex new_password = uuid.uuid4().hex
@ -596,8 +596,8 @@ class UserSelfServiceChangingPasswordsTestCase(test_v3.RestfulTestCase):
expected_status=http_client.UNAUTHORIZED) expected_status=http_client.UNAUTHORIZED)
# old token fails # old token fails
self.v3_authenticate_token(old_token_auth, self.v3_create_token(old_token_auth,
expected_status=http_client.NOT_FOUND) expected_status=http_client.NOT_FOUND)
# new password works # new password works
self.get_request_token(new_password, self.get_request_token(new_password,