Add test to rescope token using v3
This adds a test that shows that an unscoped token can be used to
get a scoped token using the identity v3 API.
Change-Id: Ic0807dc8c91b0125bc9c447314cc095b511853ae
diff --git a/tempest/api/identity/admin/v3/test_tokens.py b/tempest/api/identity/admin/v3/test_tokens.py
index 9629213..2d75d0a 100644
--- a/tempest/api/identity/admin/v3/test_tokens.py
+++ b/tempest/api/identity/admin/v3/test_tokens.py
@@ -33,15 +33,15 @@
resp, user = self.client.create_user(
u_name, description=u_desc, password=u_password,
email=u_email)
- self.assertTrue(resp['status'].startswith('2'))
+ self.assertEqual(201, resp.status)
self.addCleanup(self.client.delete_user, user['id'])
# Perform Authentication
resp, body = self.token.auth(user['id'], u_password)
- self.assertEqual(resp['status'], '201')
+ self.assertEqual(201, resp.status)
subject_token = resp['x-subject-token']
# Perform GET Token
resp, token_details = self.client.get_token(subject_token)
- self.assertEqual(resp['status'], '200')
+ self.assertEqual(200, resp.status)
self.assertEqual(resp['x-subject-token'], subject_token)
self.assertEqual(token_details['user']['id'], user['id'])
self.assertEqual(token_details['user']['name'], u_name)
@@ -50,6 +50,85 @@
self.assertRaises(exceptions.NotFound, self.client.get_token,
subject_token)
+ @attr(type='gate')
+ def test_rescope_token(self):
+ """An unscoped token can be requested, that token can be used to
+ request a scoped token.
+ """
+
+ # Create a user.
+ user_name = data_utils.rand_name(name='user-')
+ user_password = data_utils.rand_name(name='pass-')
+ resp, user = self.client.create_user(user_name, password=user_password)
+ self.assertEqual(201, resp.status)
+ self.addCleanup(self.client.delete_user, user['id'])
+
+ # Create a project.
+ project_name = data_utils.rand_name(name='project-')
+ resp, project = self.client.create_project(project_name)
+ self.assertEqual(201, resp.status)
+ self.addCleanup(self.client.delete_project, project['id'])
+
+ # Create a role
+ role_name = data_utils.rand_name(name='role-')
+ resp, role = self.client.create_role(role_name)
+ self.assertEqual(201, resp.status)
+ self.addCleanup(self.client.delete_role, role['id'])
+
+ # Grant the user the role on the project.
+ resp, _ = self.client.assign_user_role(project['id'], user['id'],
+ role['id'])
+ self.assertEqual(204, resp.status)
+
+ # Get an unscoped token.
+ resp, token_auth = self.token.auth(user=user['id'],
+ password=user_password)
+ self.assertEqual(201, resp.status)
+
+ token_id = resp['x-subject-token']
+ orig_expires_at = token_auth['token']['expires_at']
+ orig_issued_at = token_auth['token']['issued_at']
+ orig_user = token_auth['token']['user']
+
+ self.assertIsInstance(token_auth['token']['expires_at'], unicode)
+ self.assertIsInstance(token_auth['token']['issued_at'], unicode)
+ self.assertEqual(['password'], token_auth['token']['methods'])
+ self.assertEqual(user['id'], token_auth['token']['user']['id'])
+ self.assertEqual(user['name'], token_auth['token']['user']['name'])
+ self.assertEqual('default',
+ token_auth['token']['user']['domain']['id'])
+ self.assertEqual('Default',
+ token_auth['token']['user']['domain']['name'])
+ self.assertNotIn('catalog', token_auth['token'])
+ self.assertNotIn('project', token_auth['token'])
+ self.assertNotIn('roles', token_auth['token'])
+
+ # Use the unscoped token to get a scoped token.
+ resp, token_auth = self.token.auth(token=token_id, tenant=project_name,
+ domain='Default')
+ self.assertEqual(201, resp.status)
+
+ self.assertEqual(orig_expires_at, token_auth['token']['expires_at'],
+ 'Expiration time should match original token')
+ self.assertIsInstance(token_auth['token']['issued_at'], unicode)
+ self.assertNotEqual(orig_issued_at, token_auth['token']['issued_at'])
+ self.assertEqual(set(['password', 'token']),
+ set(token_auth['token']['methods']))
+ self.assertEqual(orig_user, token_auth['token']['user'],
+ 'User should match original token')
+ self.assertIsInstance(token_auth['token']['catalog'], list)
+ self.assertEqual(project['id'],
+ token_auth['token']['project']['id'])
+ self.assertEqual(project['name'],
+ token_auth['token']['project']['name'])
+ self.assertEqual('default',
+ token_auth['token']['project']['domain']['id'])
+ self.assertEqual('Default',
+ token_auth['token']['project']['domain']['name'])
+ self.assertEqual(1, len(token_auth['token']['roles']))
+ self.assertEqual(role['id'], token_auth['token']['roles'][0]['id'])
+ self.assertEqual(role['name'], token_auth['token']['roles'][0]['name'])
+
class TokensV3TestXML(TokensV3TestJSON):
_interface = 'xml'
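Review bot: The rescoped response's own subject token is never compared with the unscoped `token_id`, so the test would still pass if the server returned the same token id with a scope attached rather than issuing a new token; after the second `self.token.auth(...)` and its status check, add `self.assertNotEqual(token_id, resp['x-subject-token'])`. The catalog check only asserts `isinstance(..., list)`, so a scoped token issued with an empty catalog also passes; `self.assertTrue(token_auth['token']['catalog'])` would pin that, assuming the deployment under test publishes at least one endpoint, which I can't confirm from here. The `'default'`/`'Default'` domain values are hard-coded in both the unscoped and scoped assertions, so the test is tied to the default-domain configuration; deriving them from `orig_user['domain']` after the first call would make that dependency explicit in one place.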
diff --git a/tempest/services/identity/v3/json/identity_client.py b/tempest/services/identity/v3/json/identity_client.py
index 65f3355..ea213c9 100644
--- a/tempest/services/identity/v3/json/identity_client.py
+++ b/tempest/services/identity/v3/json/identity_client.py
@@ -453,16 +453,20 @@
self.auth_url = auth_url
- def auth(self, user, password, tenant=None, user_type='id', domain=None):
+ def auth(self, user=None, password=None, tenant=None, user_type='id',
+ domain=None, token=None):
"""
:param user: user id or name, as specified in user_type
:param domain: the user and tenant domain
+ :param token: a token to re-scope.
Accepts different combinations of credentials. Restrictions:
- tenant and domain are only name (no id)
- user domain and tenant domain are assumed identical
- domain scope is not supported here
Sample sample valid combinations:
+ - token
+ - token, tenant, domain
- user_id, password
- username, password, domain
- username, password, tenant, domain
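Review bot: The new signature makes every credential optional, but the docstring documents only `user`, `domain` and `token` and still lists `user_id, password` style combinations, so a caller cannot tell from it that `password` must accompany `user` and that `tenant` must be paired with `domain`. Add `:param password: the user's password; only used together with user` and `:param tenant: project name to scope the token to; requires domain`, and list `token, user, password` among the combinations since the body builds both methods when both are supplied. The "Validation is left to the server side" sentence should also say that a call with neither token nor user/password is sent with an empty methods list rather than rejected locally. The function body continues in the next hunk.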
@@ -471,23 +475,32 @@
creds = {
'auth': {
'identity': {
- 'methods': ['password'],
- 'password': {
- 'user': {
- 'password': password,
- }
- }
+ 'methods': [],
}
}
}
- if user_type == 'id':
- creds['auth']['identity']['password']['user']['id'] = user
- else:
- creds['auth']['identity']['password']['user']['name'] = user
- if domain is not None:
- _domain = dict(name=domain)
- creds['auth']['identity']['password']['user']['domain'] = _domain
+ id_obj = creds['auth']['identity']
+ if token:
+ id_obj['methods'].append('token')
+ id_obj['token'] = {
+ 'id': token
+ }
+ if user and password:
+ id_obj['methods'].append('password')
+ id_obj['password'] = {
+ 'user': {
+ 'password': password,
+ }
+ }
+ if user_type == 'id':
+ id_obj['password']['user']['id'] = user
+ else:
+ id_obj['password']['user']['name'] = user
+ if domain is not None:
+ _domain = dict(name=domain)
+ id_obj['password']['user']['domain'] = _domain
if tenant is not None:
+ _domain = dict(name=domain)
project = dict(name=tenant, domain=_domain)
scope = dict(project=project)
creds['auth']['scope'] = scope
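Review bot: `_domain = dict(name=domain)` under `if tenant is not None:` now runs even when `domain` is None, so a tenant without a domain sends `{'name': None}` as the project domain instead of failing locally as the old code did via the unbound `_domain`; the same unconditional `common.Element('domain', name=domain)` appears in the xml client hunk. Since every parameter defaults to None, the two `if` guards can also both be false, in which case the request goes out with `'methods': []`; a local check such as `if not id_obj['methods']: raise ValueError('token or user and password is required')` before the scope block would surface a caller bug instead of relying on the server's 4xx. For the tenant branch, `if domain is None: raise ValueError('domain is required with tenant')` keeps the documented restriction that tenant and domain are given by name together. The request is posted after this hunk, so the rest of the function is not visible here.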
diff --git a/tempest/services/identity/v3/xml/identity_client.py b/tempest/services/identity/v3/xml/identity_client.py
index 6ff6d56..cc71b99 100644
--- a/tempest/services/identity/v3/xml/identity_client.py
+++ b/tempest/services/identity/v3/xml/identity_client.py
@@ -439,43 +439,61 @@
self.auth_url = auth_url
- def auth(self, user, password, tenant=None, user_type='id', domain=None):
+ def auth(self, user=None, password=None, tenant=None, user_type='id',
+ domain=None, token=None):
"""
:param user: user id or name, as specified in user_type
+ :param domain: the user and tenant domain
+ :param token: a token to re-scope.
Accepts different combinations of credentials. Restrictions:
- tenant and domain are only name (no id)
- user domain and tenant domain are assumed identical
+ - domain scope is not supported here
Sample sample valid combinations:
+ - token
+ - token, tenant, domain
- user_id, password
- username, password, domain
- username, password, tenant, domain
Validation is left to the server side.
"""
- if user_type == 'id':
- _user = common.Element('user', id=user, password=password)
- else:
- _user = common.Element('user', name=user, password=password)
- if domain is not None:
- _domain = common.Element('domain', name=domain)
- _user.append(_domain)
- password = common.Element('password')
- password.append(_user)
-
- method = common.Element('method')
- method.append(common.Text('password'))
methods = common.Element('methods')
- methods.append(method)
identity = common.Element('identity')
+
+ if token:
+ method = common.Element('method')
+ method.append(common.Text('token'))
+ methods.append(method)
+
+ token = common.Element('token', id=token)
+ identity.append(token)
+
+ if user and password:
+ if user_type == 'id':
+ _user = common.Element('user', id=user, password=password)
+ else:
+ _user = common.Element('user', name=user, password=password)
+ if domain is not None:
+ _domain = common.Element('domain', name=domain)
+ _user.append(_domain)
+
+ password = common.Element('password')
+ password.append(_user)
+ method = common.Element('method')
+ method.append(common.Text('password'))
+ methods.append(method)
+ identity.append(password)
+
identity.append(methods)
- identity.append(password)
auth = common.Element('auth')
auth.append(identity)
if tenant is not None:
project = common.Element('project', name=tenant)
+ _domain = common.Element('domain', name=domain)
project.append(_domain)
scope = common.Element('scope')
scope.append(project)