Add test cases for oauth1 token related APIs.
Add test_oauth_tokens_rbac.py with RBAC test cases
related to OAUTH1 token APIs
Change-Id: I811ae810f95266f950a867d2993d56f632d20495
Co-Authored-By: Nishant Kumar <nk613n@att.com>
Co-Authored-By: Hemanth Nakkina <nh863p@att.com>
Depends-On: I4c5369ae3ad7a7add630e3ac6a4fc52f854bc77c
Closes-Bug: #1686076
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 2998dbe..1ed081e 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -242,6 +242,7 @@
cls.services_client = cls.os_primary.identity_services_v3_client
cls.trusts_client = cls.os_primary.trusts_client
cls.users_client = cls.os_primary.users_v3_client
+ cls.oauth_token_client = cls.os_primary.oauth_token_client
@classmethod
def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
index 5e21338..d3e17f1 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_consumers_rbac.py
@@ -25,7 +25,7 @@
def _create_consumer(self):
description = data_utils.rand_name(
- self.__class__.__name__ + '-test_consumer')
+ self.__class__.__name__ + '-IdentityConsumer')
consumer = self.consumers_client.create_consumer(
description)['consumer']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
@@ -54,12 +54,12 @@
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d972')
def test_update_consumer(self):
consumer = self._create_consumer()
- new_description = data_utils.rand_name(
- self.__class__.__name__ + '-test_consumer')
+ updated_description = data_utils.rand_name(
+ self.__class__.__name__ + '-IdentityConsumer')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.consumers_client.update_consumer(consumer['id'],
- new_description)
+ updated_description)
@rbac_rule_validation.action(service="keystone",
rule="identity:get_consumer")
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_tokens_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_tokens_rbac.py
new file mode 100644
index 0000000..78ee78a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_oauth_tokens_rbac.py
@@ -0,0 +1,138 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+CONF = config.CONF
+
+
+class IdentityOAuthTokensV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+ @classmethod
+ def resource_setup(cls):
+ super(IdentityOAuthTokensV3RbacTest, cls).resource_setup()
+ # Authorize token on admin role since primary user has admin
+ # credentials before switching roles. Populate role_ids with admin
+ # role id.
+ cls.role_ids = [cls.get_role_by_name(CONF.identity.admin_role)['id']]
+ cls.project_id = cls.auth_provider.credentials.project_id
+ cls.user_id = cls.auth_provider.credentials.user_id
+
+ def _create_consumer(self):
+ description = data_utils.rand_name(
+ self.__class__.__name__ + '-Consumer')
+ consumer = self.consumers_client.create_consumer(
+ description)['consumer']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.consumers_client.delete_consumer,
+ consumer['id'])
+ return consumer
+
+ def _create_consumer_and_request_token(self):
+ # Create consumer
+ consumer = self._create_consumer()
+
+ # Create request token
+ request_token = self.oauth_token_client.create_request_token(
+ consumer['id'], consumer['secret'], self.project_id)
+
+ return consumer, request_token
+
+ def _create_access_token(self):
+ consumer, request_token = self._create_consumer_and_request_token()
+
+ # Authorize request token
+ resp = self.oauth_token_client.authorize_request_token(
+ request_token['oauth_token'], self.role_ids)['token']
+ auth_verifier = resp['oauth_verifier']
+
+ # Create access token
+ body = self.oauth_token_client.create_access_token(
+ consumer['id'],
+ consumer['secret'],
+ request_token['oauth_token'],
+ request_token['oauth_token_secret'],
+ auth_verifier)
+ access_key = body['oauth_token']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.oauth_token_client.revoke_access_token,
+ self.user_id, access_key)
+
+ return access_key
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:authorize_request_token")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d976')
+ def test_authorize_request_token(self):
+ _, request_token = self._create_consumer_and_request_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.oauth_token_client.authorize_request_token(
+ request_token['oauth_token'],
+ self.role_ids)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_access_token")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d977')
+ def test_get_access_token(self):
+ access_token = self._create_access_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.oauth_token_client.get_access_token(self.user_id,
+ access_token)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_access_token_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d980')
+ def test_get_access_token_role(self):
+ access_token = self._create_access_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.oauth_token_client.get_access_token_role(
+ self.user_id, access_token, self.role_ids[0])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_access_tokens")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d979')
+ def test_list_access_tokens(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.oauth_token_client.list_access_tokens(self.user_id)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_access_token_roles")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d978')
+ def test_list_access_token_roles(self):
+ access_token = self._create_access_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.oauth_token_client.list_access_token_roles(
+ self.user_id, access_token)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_access_token")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d981')
+ def test_revoke_access_token(self):
+ access_token = self._create_access_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.oauth_token_client.revoke_access_token(
+ self.user_id, access_token)
diff --git a/releasenotes/notes/test_oauth_tokens_rbac-13e1d3b5decbaf79.yaml b/releasenotes/notes/test_oauth_tokens_rbac-13e1d3b5decbaf79.yaml
new file mode 100644
index 0000000..d7c5d5b
--- /dev/null
+++ b/releasenotes/notes/test_oauth_tokens_rbac-13e1d3b5decbaf79.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Add test_oauth_tokens_rbac.py with RBAC test cases related to
+ the OS-OAUTH1 Keystone v3 extension API.