keystone.tests.unit package¶
Subpackages¶
- keystone.tests.unit.assignment package
- keystone.tests.unit.auth package
- keystone.tests.unit.backend package
- keystone.tests.unit.catalog package
- keystone.tests.unit.common package
- Submodules
- keystone.tests.unit.common.test_authorization module
- keystone.tests.unit.common.test_cache module
- keystone.tests.unit.common.test_database_conflicts module
- keystone.tests.unit.common.test_injection module
- keystone.tests.unit.common.test_json_home module
- keystone.tests.unit.common.test_notifications module
- keystone.tests.unit.common.test_resource_options_common module
- keystone.tests.unit.common.test_sql_core module
- keystone.tests.unit.common.test_utils module
- Module contents
- keystone.tests.unit.contrib package
- keystone.tests.unit.credential package
- keystone.tests.unit.endpoint_policy package
- keystone.tests.unit.external package
- keystone.tests.unit.federation package
- keystone.tests.unit.identity package
- Subpackages
- Submodules
- keystone.tests.unit.identity.test_backend_sql module
- keystone.tests.unit.identity.test_backends module
- keystone.tests.unit.identity.test_controllers module
- keystone.tests.unit.identity.test_core module
- Module contents
- keystone.tests.unit.ksfixtures package
- Submodules
- keystone.tests.unit.ksfixtures.auth_plugins module
- keystone.tests.unit.ksfixtures.backendloader module
- keystone.tests.unit.ksfixtures.cache module
- keystone.tests.unit.ksfixtures.database module
- keystone.tests.unit.ksfixtures.hacking module
- keystone.tests.unit.ksfixtures.key_repository module
- keystone.tests.unit.ksfixtures.ldapdb module
- keystone.tests.unit.ksfixtures.policy module
- keystone.tests.unit.ksfixtures.temporaryfile module
- Module contents
- keystone.tests.unit.policy package
- keystone.tests.unit.resource package
- keystone.tests.unit.schema package
- keystone.tests.unit.tests package
- keystone.tests.unit.token package
- Submodules
- keystone.tests.unit.token.test_backends module
- keystone.tests.unit.token.test_common module
- keystone.tests.unit.token.test_fernet_provider module
- keystone.tests.unit.token.test_token_data_helper module
- keystone.tests.unit.token.test_token_model module
- keystone.tests.unit.token.test_uuid_provider module
- Module contents
- keystone.tests.unit.trust package
Submodules¶
keystone.tests.unit.core module¶
-
class
keystone.tests.unit.core.
BaseTestCase
(*args, **kwargs)[source]¶ Bases:
testtools.testcase.TestCase
Light weight base test class.
This is a placeholder that will eventually go away once the setup/teardown in TestCase is properly trimmed down to the bare essentials. This is really just a play to speed up the tests by eliminating unnecessary work.
-
class
keystone.tests.unit.core.
SQLDriverOverrides
[source]¶ Bases:
object
A mixin for consolidating sql-specific test overrides.
-
class
keystone.tests.unit.core.
TestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
-
assertCloseEnoughForGovernmentWork
(a, b, delta=3)[source]¶ Assert that two datetimes are nearly equal within a small delta.
Parameters: delta – Maximum allowable time delta, defined in seconds.
-
assertRaisesRegexp
(expected_exception, expected_regexp, callable_obj, *args, **kwargs)[source]¶ Assert that the message in a raised exception matches a regexp.
-
assertUserDictEqual
(expected, observed, message='')[source]¶ Assert that a user dict is equal to another user dict.
User dictionaries have some variable values that should be ignored in the comparison. This method is a helper that strips those elements out when comparing the user dictionary. This normalized these differences that should not change the comparison.
-
ipv6_enabled
¶
-
-
keystone.tests.unit.core.
create_user
(api, domain_id, **kwargs)[source]¶ Create a user via the API. Keep the created password.
The password is saved and restored when api.create_user() is called. Only use this routine if there is a requirement for the user object to have a valid password after api.create_user() is called.
-
keystone.tests.unit.core.
new_cert_credential
(user_id, project_id=None, blob=None, **kwargs)[source]¶
-
keystone.tests.unit.core.
new_credential_ref
(user_id, project_id=None, type='cert', **kwargs)[source]¶
-
keystone.tests.unit.core.
new_endpoint_ref
(service_id, interface='public', region_id=<object object>, **kwargs)[source]¶
-
keystone.tests.unit.core.
new_endpoint_ref_with_region
(service_id, region, interface='public', **kwargs)[source]¶ Define an endpoint_ref having a pre-3.2 form.
Contains the deprecated ‘region’ instead of ‘region_id’.
-
keystone.tests.unit.core.
new_trust_ref
(trustor_user_id, trustee_user_id, project_id=None, impersonation=None, expires=None, role_ids=None, role_names=None, remaining_uses=None, allow_redelegation=False, redelegation_count=None, **kwargs)[source]¶
-
keystone.tests.unit.core.
skip_if_cache_disabled
(*sections)[source]¶ Skip a test if caching is disabled, this is a decorator.
Caching can be disabled either globally or for a specific section.
In the code fragment:
@skip_if_cache_is_disabled('assignment', 'token') def test_method(*args): ...
The method test_method would be skipped if caching is disabled globally via the enabled option in the cache section of the configuration or if the caching option is set to false in either assignment or token sections of the configuration. This decorator can be used with no arguments to only check global caching.
If a specified configuration section does not define the caching option, this decorator makes the same assumption as the should_cache_fn in keystone.common.cache that caching should be enabled.
keystone.tests.unit.default_fixtures module¶
keystone.tests.unit.fakeldap module¶
Fake LDAP server for test harness.
This class does very little error checking, and knows nothing about ldap class definitions. It implements the minimum emulation of the python ldap library to work with keystone.
-
class
keystone.tests.unit.fakeldap.
FakeLdap
(conn=None)[source]¶ Bases:
keystone.identity.backends.ldap.common.LDAPHandler
Emulate the python-ldap API.
The python-ldap API requires all strings to be UTF-8 encoded. This is assured by the caller of this interface (i.e. KeystoneLDAPHandler).
However, internally this emulation MUST process and store strings in a canonical form which permits operations on characters. Encoded strings do not provide the ability to operate on characters. Therefore this emulation accepts UTF-8 encoded strings, decodes them to unicode for operations internal to this emulation, and encodes them back to UTF-8 when returning values from the emulation.
-
connect
(url, page_size=0, alias_dereferencing=None, use_tls=False, tls_cacertfile=None, tls_cacertdir=None, tls_req_cert='demand', chase_referrals=None, debug_level=None, use_pool=None, pool_size=None, pool_retry_max=None, pool_retry_delay=None, pool_conn_timeout=None, pool_conn_lifetime=None, conn_timeout=None)[source]¶
-
modify_s
(dn, modlist)[source]¶ Modify the object at dn using the attribute list.
Parameters: - dn – an LDAP DN
- modlist – a list of tuples in the following form: ([MOD_ADD | MOD_DELETE | MOD_REPACE], attribute, value)
-
result3
(msgid=-1, all=1, timeout=None, resp_ctrl_classes=None)[source]¶ Execute async request.
Only msgid param is supported. Request info is fetched from global variable PendingRequests by msgid, executed using search_s and limited if requested.
-
search_ext
(base, scope, filterstr='(objectClass=*)', attrlist=None, attrsonly=0, serverctrls=None, clientctrls=None, timeout=-1, sizelimit=0)[source]¶
-
search_s
(base, scope, filterstr='(objectClass=*)', attrlist=None, attrsonly=0)[source]¶ Search for all matching objects under base using the query.
Args: base – dn to search under scope – search scope (base, subtree, onelevel) filterstr – filter objects by attrlist – attrs to return. Returns all attrs if not specified
-
-
class
keystone.tests.unit.fakeldap.
FakeLdapNoSubtreeDelete
(conn=None)[source]¶ Bases:
keystone.tests.unit.fakeldap.FakeLdap
FakeLdap subclass that does not support subtree delete.
Same as FakeLdap except delete will throw the LDAP error ldap.NOT_ALLOWED_ON_NONLEAF if there is an attempt to delete an entry that has children.
-
class
keystone.tests.unit.fakeldap.
FakeLdapPool
(uri, retry_max=None, retry_delay=None, conn=None)[source]¶ Bases:
keystone.tests.unit.fakeldap.FakeLdap
Emulate the python-ldap API with pooled connections.
This class is used as connector class in PooledLDAPHandler.
keystone.tests.unit.federation_fixtures module¶
keystone.tests.unit.filtering module¶
keystone.tests.unit.identity_mapping module¶
keystone.tests.unit.mapping_fixtures module¶
Fixtures for Federation Mapping.
keystone.tests.unit.rest module¶
-
class
keystone.tests.unit.rest.
RestfulTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Performs restful tests against the WSGI app over HTTP.
This class launches public & admin WSGI servers for every test, which can be accessed by calling
public_request()
oradmin_request()
, respectfully.restful_request()
andrequest()
methods are also exposed if you need to bypass restful conventions or access HTTP details in your test implementation.Three new asserts are provided:
assertResponseSuccessful
: called automatically for every requestunless an
expected_status
is provided
assertResponseStatus
: called instead ofassertResponseSuccessful
,if an
expected_status
is provided
assertValidResponseHeaders
: validates that the response headersappear as expected
Requests are automatically serialized according to the defined
content_type
. Responses are automatically deserialized as well, and available in theresponse.body
attribute. The original body content is available in theresponse.raw
attribute.-
assertResponseStatus
(response, expected_status)[source]¶ Assert a specific status code on the response.
Parameters: - response –
httplib.HTTPResponse
- expected_status – The specific
status
result expected
example:
self.assertResponseStatus(response, http_client.NO_CONTENT)
- response –
-
assertResponseSuccessful
(response)[source]¶ Assert that a status code lies inside the 2xx range.
Parameters: response – httplib.HTTPResponse
to be verified to have a status code between 200 and 299.example:
self.assertResponseSuccessful(response)
-
assertValidErrorResponse
(response, expected_status=400)[source]¶ Verify that the error response is valid.
Subclasses can override this function based on the expected response.
-
content_type
= 'json'¶
-
get_scoped_token
(tenant_id=None)[source]¶ Convenience method so that we can test authenticated requests.
keystone.tests.unit.test_associate_project_endpoint_extension module¶
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.
EndpointFilterCRUDTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase
-
test_check_endpoint_project_association
()[source]¶ HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid project and endpoint id test case.
-
test_check_endpoint_project_association_with_invalid_endpoint
()[source]¶ HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid endpoint id test case.
-
test_check_endpoint_project_association_with_invalid_project
()[source]¶ HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid project id test case.
-
test_create_endpoint_project_association
()[source]¶ PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid endpoint and project id test case.
-
test_create_endpoint_project_association_with_invalid_endpoint
()[source]¶ PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid endpoint id test case.
-
test_create_endpoint_project_association_with_invalid_project
()[source]¶ PUT OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid project id test case.
-
test_create_endpoint_project_association_with_unexpected_body
()[source]¶ PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Unexpected body in request. The body should be ignored.
-
test_list_endpoints_associated_with_invalid_project
()[source]¶ GET /OS-EP-FILTER/projects/{project_id}/endpoints.
Invalid project id test case.
-
test_list_endpoints_associated_with_valid_project
()[source]¶ GET /OS-EP-FILTER/projects/{project_id}/endpoints.
Valid project and endpoint id test case.
-
test_list_projects_associated_with_endpoint
()[source]¶ GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Valid endpoint-project association test case.
-
test_list_projects_associated_with_invalid_endpoint
()[source]¶ GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Invalid endpoint id test case.
-
test_list_projects_with_no_endpoint_project_association
()[source]¶ GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Valid endpoint id but no endpoint-project associations test case.
-
test_remove_endpoint_project_association
()[source]¶ DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid project id and endpoint id test case.
-
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.
EndpointFilterTestCase
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.
EndpointFilterTokenRequestTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase
-
test_default_scoped_token_using_endpoint_filter
()[source]¶ Verify endpoints from default scoped token filtered.
-
test_invalid_endpoint_project_association
()[source]¶ Verify an invalid endpoint-project association is handled.
-
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.
EndpointGroupCRUDTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase
-
DEFAULT_ENDPOINT_GROUP_BODY
= {'endpoint_group': {'filters': {'interface': 'admin'}, 'description': 'endpoint group description', 'name': 'endpoint_group_name'}}¶
-
DEFAULT_ENDPOINT_GROUP_URL
= '/OS-EP-FILTER/endpoint_groups'¶
-
test_add_endpoint_group_to_project
()[source]¶ Create a valid endpoint group and project association.
-
test_add_endpoint_group_to_project_with_invalid_project_id
()[source]¶ Create an invalid endpoint group and project association.
-
test_check_endpoint_group
()[source]¶ HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}.
Valid endpoint_group_id test case.
-
test_check_endpoint_group_to_project
()[source]¶ Test HEAD with a valid endpoint group and project association.
-
test_check_endpoint_group_to_project_with_invalid_project_id
()[source]¶ Test HEAD with an invalid endpoint group and project association.
-
test_check_invalid_endpoint_group
()[source]¶ HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}.
Invalid endpoint_group_id test case.
-
test_create_endpoint_group
()[source]¶ POST /OS-EP-FILTER/endpoint_groups.
Valid endpoint group test case.
-
test_create_invalid_endpoint_group
()[source]¶ POST /OS-EP-FILTER/endpoint_groups.
Invalid endpoint group creation test case.
-
test_delete_endpoint_group
()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group test case.
-
test_delete_invalid_endpoint_group
()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Invalid endpoint group test case.
-
test_empty_endpoint_groups_in_project
()[source]¶ Test when no endpoint groups associated with the project.
-
test_get_endpoint_group
()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group test case.
-
test_get_invalid_endpoint_group
()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Invalid endpoint group test case.
-
test_get_invalid_endpoint_group_in_project
()[source]¶ Test retrieving project endpoint group association.
-
test_list_endpoint_groups_in_project
()[source]¶ GET /OS-EP-FILTER/projects/{project_id}/endpoint_groups.
-
test_list_endpoints_associated_with_endpoint_group
()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}/endpoints.
Valid endpoint group test case.
-
test_list_endpoints_associated_with_project_endpoint_group
()[source]¶ GET /OS-EP-FILTER/projects/{project_id}/endpoints.
Valid project, endpoint id, and endpoint group test case.
-
test_list_projects_associated_with_endpoint_group
()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}/projects.
Valid endpoint group test case.
-
test_patch_endpoint_group
()[source]¶ PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group patch test case.
-
test_patch_invalid_endpoint_group
()[source]¶ PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group patch test case.
-
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.
JsonHomeTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase
,keystone.tests.unit.test_v3.JsonHomeTestMixin
-
JSON_HOME_DATA
= {'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups': {'href': '/OS-EP-FILTER/endpoint_groups'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups': {'href-vars': {'project_id': 'https://docs.openstack.org/api/openstack-identity/3/param/project_id'}, 'href-template': '/OS-EP-FILTER/projects/{project_id}/endpoint_groups'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/projects_associated_with_endpoint_group': {'href-vars': {'endpoint_group_id': 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}, 'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects': {'href-vars': {'endpoint_id': 'https://docs.openstack.org/api/openstack-identity/3/param/endpoint_id'}, 'href-template': '/OS-EP-FILTER/endpoints/{endpoint_id}/projects'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoints_in_endpoint_group': {'href-vars': {'endpoint_group_id': 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}, 'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group': {'href-vars': {'endpoint_group_id': 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}, 'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_to_project_association': {'href-vars': {'endpoint_group_id': 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id', 'project_id': 'https://docs.openstack.org/api/openstack-identity/3/param/project_id'}, 'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}'}}¶
-
keystone.tests.unit.test_auth module¶
-
class
keystone.tests.unit.test_auth.
AuthBadRequests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthTest
-
test_authenticate_blank_request_body
()[source]¶ Verify sending empty json dict raises the right exception.
-
test_authenticate_fails_if_project_unsafe
()[source]¶ Verify authenticate to a project with unsafe name fails.
-
test_authenticate_invalid_auth_content
()[source]¶ Verify sending invalid ‘auth’ raises the right exception.
-
test_authenticate_password_too_large
()[source]¶ Verify sending large ‘password’ raises the right exception.
-
test_authenticate_tenant_id_too_large
()[source]¶ Verify sending large ‘tenantId’ raises the right exception.
-
test_authenticate_tenant_name_too_large
()[source]¶ Verify sending large ‘tenantName’ raises the right exception.
-
test_authenticate_token_too_large
()[source]¶ Verify sending large ‘token’ raises the right exception.
-
test_authenticate_user_id_too_large
()[source]¶ Verify sending large ‘userId’ raises the right exception.
-
test_authenticate_username_too_large
()[source]¶ Verify sending large ‘username’ raises the right exception.
-
test_empty_username_and_userid_in_auth
()[source]¶ Verify that empty username and userID raises ValidationError.
-
-
class
keystone.tests.unit.test_auth.
AuthCatalog
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.test_auth.AuthTest
Test for the catalog provided in the auth response.
-
class
keystone.tests.unit.test_auth.
AuthTest
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_auth.
AuthWithPasswordCredentials
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_auth.
AuthWithRemoteUser
[source]¶ Bases:
object
-
class
keystone.tests.unit.test_auth.
AuthWithToken
[source]¶ Bases:
object
-
test_auth_scoped_token_bad_project_with_debug
()[source]¶ Authenticating with an invalid project fails.
-
test_auth_scoped_token_bad_project_without_debug
()[source]¶ Authenticating with an invalid project fails.
-
test_auth_unscoped_token_no_project
()[source]¶ Verify getting an unscoped token with an unscoped token.
-
-
class
keystone.tests.unit.test_auth.
AuthWithTrust
[source]¶ Bases:
object
-
test_create_trust_without_project_id
()[source]¶ Verify that trust can be created without project id.
Also, token can be generated with that trust.
-
test_trust_get_token_fails_with_future_token_if_trustee_disabled
()[source]¶ Test disabling trustee and using an unrevoked token.
This test simulates what happens when a token is generated after the disable event. Technically this should not happen, but it’s possible in a multinode deployment with only a slight clock skew.
-
-
class
keystone.tests.unit.test_auth.
FernetAuthWithRemoteUser
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithRemoteUser
,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.
FernetAuthWithToken
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithToken
,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.
FernetAuthWithTrust
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithTrust
,keystone.tests.unit.test_auth.AuthTest
-
test_trust_get_token_fails_with_future_token_if_trustee_disabled
()[source]¶ Test disabling trustee and using an unrevoked token.
This test simulates what happens when a Fernet token is generated after the disable event. Technically this should not happen, but it’s possible in a multinode deployment with only a slight clock skew.
-
-
class
keystone.tests.unit.test_auth.
UUIDAuthWithRemoteUser
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithRemoteUser
,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.
UUIDAuthWithToken
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithToken
,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.
UUIDAuthWithTrust
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithTrust
,keystone.tests.unit.test_auth.AuthTest
keystone.tests.unit.test_auth_plugin module¶
-
class
keystone.tests.unit.test_auth_plugin.
TestAuthPlugin
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
keystone.tests.unit.test_backend_endpoint_policy module¶
-
class
keystone.tests.unit.test_backend_endpoint_policy.
PolicyAssociationTests
[source]¶ Bases:
object
-
load_sample_data
()[source]¶ Create sample data to test policy associations.
The following data is created:
- 3 regions, in a hierarchy, 0 -> 1 -> 2 (where 0 is top)
- 3 services
- 6 endpoints, 2 in each region, with a mixture of services: 0 - region 0, Service 0 1 - region 0, Service 1 2 - region 1, Service 1 3 - region 1, Service 2 4 - region 2, Service 2 5 - region 2, Service 0
-
keystone.tests.unit.test_backend_endpoint_policy_sql module¶
-
class
keystone.tests.unit.test_backend_endpoint_policy_sql.
SqlPolicyAssociationTable
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlModels
Set of tests for checking SQL Policy Association Mapping.
-
class
keystone.tests.unit.test_backend_endpoint_policy_sql.
SqlPolicyAssociationTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests
keystone.tests.unit.test_backend_federation_sql module¶
-
class
keystone.tests.unit.test_backend_federation_sql.
SqlFederation
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlModels
Set of tests for checking SQL Federation.
keystone.tests.unit.test_backend_id_mapping_sql module¶
-
class
keystone.tests.unit.test_backend_id_mapping_sql.
SqlIDMappingTable
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlModels
Set of tests for checking SQL Identity ID Mapping.
keystone.tests.unit.test_backend_kvs module¶
-
class
keystone.tests.unit.test_backend_kvs.
KvsToken
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
,keystone.tests.unit.token.test_backends.TokenTests
-
class
keystone.tests.unit.test_backend_kvs.
KvsTokenCacheInvalidation
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
,keystone.tests.unit.token.test_backends.TokenCacheInvalidation
keystone.tests.unit.test_backend_ldap module¶
-
class
keystone.tests.unit.test_backend_ldap.
AssignmentTests
[source]¶ Bases:
keystone.tests.unit.assignment.test_backends.AssignmentTests
-
class
keystone.tests.unit.test_backend_ldap.
BaseLDAPIdentity
[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.IdentityTests
,keystone.tests.unit.test_backend_ldap.AssignmentTests
,keystone.tests.unit.test_backend_ldap.ResourceTests
-
test_create_project_with_domain_id_and_without_parent_id
()[source]¶ Multiple domains are not supported.
-
test_create_project_with_domain_id_mismatch_to_parent_domain
()[source]¶ Multiple domains are not supported.
-
test_list_group_members_missing_entry
()[source]¶ List group members with deleted user.
If a group has a deleted entry for a member, the non-deleted members are returned.
-
test_list_role_assignment_by_user_with_domain_group_roles
()[source]¶ Multiple domain assignments are not supported.
-
test_list_role_assignment_using_sourced_groups_with_domains
()[source]¶ Multiple domain assignments are not supported.
-
-
class
keystone.tests.unit.test_backend_ldap.
BaseMultiLDAPandSQLIdentity
[source]¶ Bases:
object
Mixin class with support methods for domain-specific config testing.
-
class
keystone.tests.unit.test_backend_ldap.
DomainSpecificLDAPandSQLIdentity
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity
,keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
,keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity
Class to test when all domains use specific configs, including SQL.
We define a set of domains and domain-specific backends:
- A separate LDAP backend for the default domain
- A separate SQL backend for domain1
Although the default driver still exists, we don’t use it.
-
DOMAIN_COUNT
= 2¶
-
DOMAIN_SPECIFIC_COUNT
= 2¶
-
test_domain_segregation
()[source]¶ Test that separate configs have segregated the domain.
Test Plan:
- Users were created in each domain as part of setup, now make sure you can only find a given user in its relevant domain/backend
- Make sure that for a backend that supports multiple domains you can get the users via any of its domains
-
class
keystone.tests.unit.test_backend_ldap.
DomainSpecificSQLIdentity
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity
Class to test simplest use of domain-specific SQL driver.
The simplest use of an SQL domain-specific backend is when it is used to augment the standard case when LDAP is the default driver defined in the main config file. This would allow, for example, service users to be stored in SQL while LDAP handles the rest. Hence we define:
- The default driver uses the LDAP backend for the default domain
- A separate SQL backend for domain1
-
DOMAIN_COUNT
= 2¶
-
DOMAIN_SPECIFIC_COUNT
= 1¶
-
class
keystone.tests.unit.test_backend_ldap.
IdentityTests
[source]¶ Bases:
keystone.tests.unit.identity.test_backends.IdentityTests
-
class
keystone.tests.unit.test_backend_ldap.
LDAPIdentity
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity
,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_backend_ldap.
LDAPLimitTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
,keystone.tests.unit.identity.test_backends.LimitTests
-
class
keystone.tests.unit.test_backend_ldap.
LDAPTestSetup
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Common setup for LDAP tests.
-
class
keystone.tests.unit.test_backend_ldap.
LdapFilterTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.identity.test_backends.FilterTests
,keystone.tests.unit.test_backend_ldap.LDAPTestSetup
-
class
keystone.tests.unit.test_backend_ldap.
LdapIdentityWithMapping
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity
,keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
Class to test mapping of default LDAP backend.
The default configuration is not to enable mapping when using a single backend LDAP driver. However, a cloud provider might want to enable the mapping, hence hiding the LDAP IDs from any clients of keystone. Setting backward_compatible_ids to False will enable this mapping.
-
test_dynamic_mapping_build
()[source]¶ Test to ensure entities not create via controller are mapped.
Many LDAP backends will, essentially, by Read Only. In these cases the mapping is not built by creating objects, rather from enumerating the entries. We test this here my manually deleting the mapping and then trying to re-read the entries.
-
-
class
keystone.tests.unit.test_backend_ldap.
MultiLDAPandSQLIdentity
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity
,keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
,keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity
Class to test common SQL plus individual LDAP backends.
We define a set of domains and domain-specific backends:
- A separate LDAP backend for the default domain
- A separate LDAP backend for domain1
- domain2 shares the same LDAP as domain1, but uses a different tree attach point
- An SQL backend for all other domains (which will include domain3 and domain4)
Normally one would expect that the default domain would be handled as part of the “other domains” - however the above provides better test coverage since most of the existing backend tests use the default domain.
-
enable_multi_domain
()[source]¶ Enable the chosen form of multi domain configuration support.
This method enables the file-based configuration support. Child classes that wish to use the database domain configuration support should override this method and set the appropriate config_fixture option.
-
test_domain_segregation
()[source]¶ Test that separate configs have segregated the domain.
Test Plan:
- Users were created in each domain as part of setup, now make sure you can only find a given user in its relevant domain/backend
- Make sure that for a backend that supports multiple domains you can get the users via any of its domains
-
test_existing_uuids_work
()[source]¶ Test that ‘uni-domain’ created IDs still work.
Throwing the switch to domain-specific backends should not cause existing identities to be inaccessible via ID.
-
test_scanning_of_config_dir
()[source]¶ Test the Manager class scans the config directory.
The setup for the main tests above load the domain configs directly so that the test overrides can be included. This test just makes sure that the standard config directory scanning does pick up the relevant domain config files.
-
class
keystone.tests.unit.test_backend_ldap.
MultiLDAPandSQLIdentityDomainConfigsInSQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity
Class to test the use of domain configs stored in the database.
Repeat the same tests as MultiLDAPandSQLIdentity, but instead of using the domain specific config files, store the domain specific values in the database.
-
test_delete_domain_clears_sql_registration
()[source]¶ Ensure registration is deleted when a domain is deleted.
-
test_domain_config_has_no_impact_if_database_support_disabled
()[source]¶ Ensure database domain configs have no effect if disabled.
Set reading from database configs to false, restart the backends and then try and set and use database configs.
-
test_orphaned_registration_does_not_prevent_getting_sql_driver
()[source]¶ Ensure we self heal an orphaned sql registration.
-
test_reloading_domain_config
()[source]¶ Ensure domain drivers are reloaded on a config modification.
-
-
class
keystone.tests.unit.test_backend_ldap.
ResourceTests
[source]¶ Bases:
keystone.tests.unit.resource.test_backends.ResourceTests
keystone.tests.unit.test_backend_ldap_pool module¶
-
class
keystone.tests.unit.test_backend_ldap_pool.
LDAPIdentity
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin
,keystone.tests.unit.test_backend_ldap.LDAPIdentity
,keystone.tests.unit.core.TestCase
Executes tests in existing base class with pooled LDAP handler.
keystone.tests.unit.test_backend_rules module¶
-
class
keystone.tests.unit.test_backend_rules.
RulesPolicy
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
,keystone.tests.unit.policy.test_backends.PolicyTests
keystone.tests.unit.test_backend_sql module¶
-
class
keystone.tests.unit.test_backend_sql.
FakeTable
(*args, **kwargs)[source]¶ Bases:
sqlalchemy.ext.declarative.api.Base
-
col
¶
-
-
class
keystone.tests.unit.test_backend_sql.
SqlCatalog
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.catalog.test_backends.CatalogTests
-
class
keystone.tests.unit.test_backend_sql.
SqlFilterTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.identity.test_backends.FilterTests
-
class
keystone.tests.unit.test_backend_sql.
SqlIdentity
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.identity.test_backends.IdentityTests
,keystone.tests.unit.assignment.test_backends.AssignmentTests
,keystone.tests.unit.resource.test_backends.ResourceTests
Ensure we cannot access the hidden root of all project domains.
Calling any of the driver methods should result in the same as would be returned if we passed a project that does not exist. We don’t test create_project, since we do not allow a caller of our API to specify their own ID for a new entity.
-
test_list_domains_for_user_with_inherited_grants
()[source]¶ Test that inherited roles on the domain are excluded.
Test Plan:
- Create two domains, one user, group and role
- Domain1 is given an inherited user role, Domain2 an inherited group role (for a group of which the user is a member)
- When listing domains for user, neither domain should be returned
-
test_storing_null_domain_id_in_project_ref
()[source]¶ Test the special storage of domain_id=None in sql resource driver.
The resource driver uses a special value in place of None for domain_id in the project record. This shouldn’t escape the driver. Hence we test the interface to ensure that you can store a domain_id of None, and that any special value used inside the driver does not escape through the interface.
-
test_update_project_returns_extra
()[source]¶ Test for backward compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.
This behavior is specific to the SQL driver.
-
test_update_user_returns_extra
()[source]¶ Test for backwards-compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.
This behavior is specific to the SQL driver.
-
class
keystone.tests.unit.test_backend_sql.
SqlImpliedRoles
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.assignment.test_backends.ImpliedRoleTests
-
class
keystone.tests.unit.test_backend_sql.
SqlInheritance
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.assignment.test_backends.InheritanceTests
-
class
keystone.tests.unit.test_backend_sql.
SqlLimitTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.identity.test_backends.LimitTests
-
class
keystone.tests.unit.test_backend_sql.
SqlModels
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
-
assertExpectedSchema
(table, expected_schema)[source]¶ Assert that a table’s schema is what we expect.
Parameters: - table (string) – the name of the table to inspect
- expected_schema (tuple) – a tuple of tuples containing the expected schema
Raises: AssertionError – when the database schema doesn’t match the expected schema
The expected_schema format is simply:
( ('column name', sql type, qualifying detail), ... )
The qualifying detail varies based on the type of the column:
- sql.Boolean columns must indicate the column's default value or None if there is no default - Columns with a length, like sql.String, must indicate the column's length - All other column types should use None
Example:
cols = (('id', sql.String, 64), ('enabled', sql.Boolean, True), ('extra', sql.JsonBlob, None)) self.assertExpectedSchema('table_name', cols)
-
-
class
keystone.tests.unit.test_backend_sql.
SqlPolicy
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.policy.test_backends.PolicyTests
-
class
keystone.tests.unit.test_backend_sql.
SqlTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_backend_sql.
SqlToken
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.token.test_backends.TokenTests
-
class
keystone.tests.unit.test_backend_sql.
SqlTokenCacheInvalidationWithUUID
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.token.test_backends.TokenCacheInvalidation
-
class
keystone.tests.unit.test_backend_sql.
SqlTrust
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.trust.test_backends.TrustTests
keystone.tests.unit.test_backend_templated module¶
-
class
keystone.tests.unit.test_backend_templated.
TestTemplatedCatalog
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
,keystone.tests.unit.catalog.test_backends.CatalogTests
-
DEFAULT_FIXTURE
= {'RegionOne': {'compute': {'internalURL': 'http://localhost:8774/v1.1/bar', 'id': '2', 'adminURL': 'http://localhost:8774/v1.1/bar', 'name': "'Compute Service'", 'publicURL': 'http://localhost:8774/v1.1/bar'}, 'identity': {'internalURL': 'http://localhost:35357/v2.0', 'id': '1', 'adminURL': 'http://localhost:35357/v2.0', 'name': "'Identity Service'", 'publicURL': 'http://localhost:5000/v2.0'}}}¶
-
keystone.tests.unit.test_catalog module¶
-
class
keystone.tests.unit.test_catalog.
V2CatalogTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.rest.RestfulTestCase
-
test_endpoint_create_with_invalid_url
()[source]¶ Test the invalid cases: substitutions is not exactly right.
-
test_endpoint_create_with_valid_url
()[source]¶ Create endpoint with valid URL should be tested, too.
-
test_pure_v3_endpoint_with_publicurl_visible_from_v2
()[source]¶ Test pure v3 endpoint can be fetched via v2.0 API.
For those who are using v2.0 APIs, endpoints created by v3 API should also be visible as there are no differences about the endpoints except the format or the internal implementation. Since publicURL is required for v2.0 API, so only v3 endpoints of the service which have the public interface endpoint will be converted into v2.0 endpoints.
-
test_pure_v3_endpoint_without_publicurl_invisible_from_v2
()[source]¶ Test that the v2.0 API can’t fetch v3 endpoints without publicURLs.
v2.0 API will return endpoints created by v3 API, but publicURL is required for the service in the v2.0 API, therefore v3 endpoints of a service which don’t have publicURL will be ignored.
-
keystone.tests.unit.test_cert_setup module¶
keystone.tests.unit.test_cli module¶
-
class
keystone.tests.unit.test_cli.
CliBootStrapTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_cli.
CliDomainConfigAllTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_cli.
CliDomainConfigInvalidDomainTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
-
class
keystone.tests.unit.test_cli.
CliDomainConfigNoOptionsTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
-
class
keystone.tests.unit.test_cli.
CliDomainConfigSingleDomainTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
-
class
keystone.tests.unit.test_cli.
CliDomainConfigTooManyOptionsTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
-
class
keystone.tests.unit.test_cli.
CliTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_cli.
TestMappingPopulate
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.core.TestCase
keystone.tests.unit.test_config module¶
-
class
keystone.tests.unit.test_config.
DeprecatedOverrideTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Test using the deprecated AND new name for renamed options.
keystone.tests.unit.test_contrib_s3_core module¶
keystone.tests.unit.test_contrib_simple_cert module¶
-
class
keystone.tests.unit.test_contrib_simple_cert.
BaseTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
-
CA_PATH
= '/v3/OS-SIMPLE-CERT/ca'¶
-
CERT_PATH
= '/v3/OS-SIMPLE-CERT/certificates'¶
-
keystone.tests.unit.test_credential module¶
-
class
keystone.tests.unit.test_credential.
V2CredentialEc2Controller
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
-
test_check_non_admin_user
()[source]¶ Checking if user is admin causes uncaught error.
When checking if a user is an admin, keystone.exception.Unauthorized is raised but not caught if the user is not an admin.
-
test_signature_validate_no_host_port
()[source]¶ Test signature validation with the access/secret provided.
-
test_signature_validate_no_signature
()[source]¶ Signature is not presented in signature reference data.
-
test_signature_validate_with_host_port
()[source]¶ Test signature validation when host is bound with port.
Host is bound with a port, generally, the port here is not the standard port for the protocol, like ‘80’ for HTTP and port 443 for HTTPS, the port is not omitted by the client library.
-
test_signature_validate_with_missed_host_port
()[source]¶ Test signature validation when host is bound with well-known port.
Host is bound with a port, but the port is well-know port like ‘80’ for HTTP and port 443 for HTTPS, sometimes, client library omit the port but then make the request with the port. see (How to create the string to sign): ‘http://docs.aws.amazon.com/ general/latest/gr/signature-version-2.html’.
Since “credentials[‘host’]” is not set by client library but is taken from “req.host”, so caused the differences.
-
keystone.tests.unit.test_driver_hints module¶
keystone.tests.unit.test_entry_points module¶
keystone.tests.unit.test_exception module¶
-
class
keystone.tests.unit.test_exception.
ExceptionTestCase
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_exception.
SecurityErrorTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_exception.ExceptionTestCase
Test whether security-related info is exposed to the API user.
-
class
keystone.tests.unit.test_exception.
TestSecurityErrorTranslation
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test i18n for SecurityError exceptions.
-
exception
CustomError
(message=None, **kwargs)[source]¶ Bases:
keystone.exception.Error
-
message_format
= u'We had a failure in the %(place)r'¶
-
-
exception
TestSecurityErrorTranslation.
CustomSecurityError
(message=None, **kwargs)[source]¶ Bases:
keystone.exception.SecurityError
-
message_format
= u'We had a failure in the %(place)r'¶
-
-
exception
-
class
keystone.tests.unit.test_exception.
UnexpectedExceptionTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_exception.ExceptionTestCase
Test if internal info is exposed to the API user on UnexpectedError.
-
exception
SubClassExc
(message=None, **kwargs)[source]¶ Bases:
keystone.exception.UnexpectedError
-
debug_message_format
= 'Debug Message: %(debug_info)s'¶
-
-
exception
keystone.tests.unit.test_hacking_checks module¶
-
class
keystone.tests.unit.test_hacking_checks.
BaseLoggingCheck
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
class
keystone.tests.unit.test_hacking_checks.
TestAssertingNoneEquality
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
class
keystone.tests.unit.test_hacking_checks.
TestBlockCommentsBeginWithASpace
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
class
keystone.tests.unit.test_hacking_checks.
TestCheckForDebugLoggingIssues
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_hacking_checks.BaseLoggingCheck
-
class
keystone.tests.unit.test_hacking_checks.
TestCheckForMutableDefaultArgs
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
class
keystone.tests.unit.test_hacking_checks.
TestCheckForNonDebugLoggingIssues
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_hacking_checks.BaseLoggingCheck
-
class
keystone.tests.unit.test_hacking_checks.
TestDictConstructorWithSequenceCopy
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
class
keystone.tests.unit.test_hacking_checks.
TestLoggingWithWarn
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_hacking_checks.BaseLoggingCheck
keystone.tests.unit.test_kvs module¶
-
class
keystone.tests.unit.test_kvs.
KVSBackendForcedKeyMangleFixture
(arguments)[source]¶ Bases:
keystone.tests.unit.test_kvs.KVSBackendFixture
-
use_backend_key_mangler
= True¶
-
-
class
keystone.tests.unit.test_kvs.
RegionProxy2Fixture
(*args, **kwargs)[source]¶ Bases:
dogpile.cache.proxy.ProxyBackend
A test dogpile.cache proxy that does nothing.
-
class
keystone.tests.unit.test_kvs.
RegionProxyFixture
(*args, **kwargs)[source]¶ Bases:
dogpile.cache.proxy.ProxyBackend
A test dogpile.cache proxy that does nothing.
-
class
keystone.tests.unit.test_kvs.
TestCacheRegionInit
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Illustrate the race condition on cache initialization.
This case doesn’t actually expose the error, it just simulates unprotected code behaviour, when race condition leads to re-configuration of shared KVS backend object. What, in turn, results in an exception.
-
kvs_backend
= 'openstack.kvs.Memory'¶
-
store_name
= 'test-kvs'¶
-
-
class
keystone.tests.unit.test_kvs.
TestMemcacheDriver
(arguments)[source]¶ Bases:
dogpile.cache.api.CacheBackend
A test dogpile.cache backend.
This test backend conforms to the mixin-mechanism for overriding set and set_multi methods on dogpile memcached drivers.
keystone.tests.unit.test_ldap_livetest module¶
keystone.tests.unit.test_ldap_pool_livetest module¶
-
class
keystone.tests.unit.test_ldap_pool_livetest.
LiveLDAPPoolIdentity
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin
,keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentity
Executes existing LDAP live test with pooled LDAP handler.
Also executes common pool specific tests via Mixin class.
keystone.tests.unit.test_ldap_tls_livetest module¶
-
class
keystone.tests.unit.test_ldap_tls_livetest.
LiveTLSLDAPIdentity
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentity
keystone.tests.unit.test_middleware module¶
-
class
keystone.tests.unit.test_middleware.
AdminTokenAuthMiddlewareTest
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_middleware.MiddlewareRequestTestBase
-
MIDDLEWARE_CLASS
¶ alias of
AdminTokenAuthMiddleware
-
-
class
keystone.tests.unit.test_middleware.
AuthContextMiddlewareTest
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.test_middleware.MiddlewareRequestTestBase
-
MIDDLEWARE_CLASS
¶ alias of
AuthContextMiddleware
-
test_ephemeral_any_user_success
()[source]¶ Verify ephemeral user does not need a specified user.
Keystone is not looking to match the user, but a corresponding group.
-
-
class
keystone.tests.unit.test_middleware.
JsonBodyMiddlewareTest
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_middleware.MiddlewareRequestTestBase
-
MIDDLEWARE_CLASS
¶ alias of
JsonBodyMiddleware
-
-
class
keystone.tests.unit.test_middleware.
MiddlewareRequestTestBase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
-
MIDDLEWARE_CLASS
= None¶
-
keystone.tests.unit.test_no_admin_token_auth module¶
keystone.tests.unit.test_policy module¶
keystone.tests.unit.test_revoke module¶
-
class
keystone.tests.unit.test_revoke.
FernetSqlRevokeTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.test_revoke.RevokeTests
-
class
keystone.tests.unit.test_revoke.
UUIDSqlRevokeTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests
,keystone.tests.unit.test_revoke.RevokeTests
keystone.tests.unit.test_shadow_users module¶
-
class
keystone.tests.unit.test_shadow_users.
ShadowUsersTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
,keystone.tests.unit.identity.shadow_users.test_backend.ShadowUsersBackendTests
,keystone.tests.unit.identity.shadow_users.test_core.ShadowUsersCoreTests
keystone.tests.unit.test_sql_banned_operations module¶
-
class
keystone.tests.unit.test_sql_banned_operations.
BannedDBSchemaOperations
(banned_ops=None, migration_repo='/home/jenkins/workspace/keystone-docs-unified-ubuntu-xenial/keystone/common/sql/migrate_repo/__init__.py')[source]¶ Bases:
fixtures.fixture.Fixture
Ban some operations for migrations.
-
exception
keystone.tests.unit.test_sql_banned_operations.
DBOperationNotAllowed
[source]¶ Bases:
exceptions.Exception
-
class
keystone.tests.unit.test_sql_banned_operations.
KeystoneMigrationsCheckers
[source]¶ Bases:
oslo_db.sqlalchemy.test_migrations.WalkVersionsMixin
Walk over and test all sqlalchemy-migrate migrations.
-
INIT_VERSION
¶
-
REPOSITORY
¶
-
banned_ops
= {'Column': ['alter', 'drop'], 'Table': ['alter', 'drop']}¶
-
downgrade
= False¶
-
exceptions
= [102, 106]¶
-
first_version
= 101¶
-
migrate_engine
¶
-
migrate_file
= '/home/jenkins/workspace/keystone-docs-unified-ubuntu-xenial/keystone/common/sql/migrate_repo/__init__.py'¶
-
migrate_up
(version, with_data=False)[source]¶ Check that migrations don’t cause downtime.
Schema migrations can be done online, allowing for rolling upgrades.
-
migration_api
¶
-
snake_walk
= False¶
-
-
class
keystone.tests.unit.test_sql_banned_operations.
TestBannedDBSchemaOperations
(*args, **kwargs)[source]¶ Bases:
testtools.testcase.TestCase
Test the BannedDBSchemaOperations fixture.
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneContractSchemaMigrations
[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
-
banned_ops
= {'Column': ['create'], 'Table': ['create', 'insert', 'delete']}¶
-
exceptions
= [2, 4, 13]¶
-
first_version
= 1¶
-
migrate_file
= '/home/jenkins/workspace/keystone-docs-unified-ubuntu-xenial/keystone/common/sql/contract_repo/__init__.py'¶
-
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneContractSchemaMigrationsMySQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.TestKeystoneContractSchemaMigrations
,oslo_db.sqlalchemy.test_base.MySQLOpportunisticTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneContractSchemaMigrationsPostgreSQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.TestKeystoneContractSchemaMigrations
,oslo_db.sqlalchemy.test_base.PostgreSQLOpportunisticTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneContractSchemaMigrationsSQLite
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.TestKeystoneContractSchemaMigrations
,oslo_db.sqlalchemy.test_base.DbTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneDataMigrations
[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
-
banned_ops
= {'Column': ['create', 'alter', 'drop'], 'Table': ['create', 'alter', 'drop']}¶
-
exceptions
= [2, 4, 13]¶
-
first_version
= 1¶
-
migrate_file
= '/home/jenkins/workspace/keystone-docs-unified-ubuntu-xenial/keystone/common/sql/data_migration_repo/__init__.py'¶
-
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneDataMigrationsMySQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.TestKeystoneDataMigrations
,oslo_db.sqlalchemy.test_base.MySQLOpportunisticTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneDataMigrationsPostgreSQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.TestKeystoneDataMigrations
,oslo_db.sqlalchemy.test_base.PostgreSQLOpportunisticTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneDataMigrationsSQLite
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.TestKeystoneDataMigrations
,oslo_db.sqlalchemy.test_base.DbTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneExpandSchemaMigrations
[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
-
banned_ops
= {'Column': ['alter', 'drop'], 'Table': ['alter', 'drop', 'insert', 'delete']}¶
-
exceptions
= [2, 3, 4]¶
-
first_version
= 1¶
-
migrate_file
= '/home/jenkins/workspace/keystone-docs-unified-ubuntu-xenial/keystone/common/sql/expand_repo/__init__.py'¶
-
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneExpandSchemaMigrationsMySQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.TestKeystoneExpandSchemaMigrations
,oslo_db.sqlalchemy.test_base.MySQLOpportunisticTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneExpandSchemaMigrationsPostgreSQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.TestKeystoneExpandSchemaMigrations
,oslo_db.sqlalchemy.test_base.PostgreSQLOpportunisticTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneMigrationsMySQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
,oslo_db.sqlalchemy.test_base.MySQLOpportunisticTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneMigrationsPostgreSQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
,oslo_db.sqlalchemy.test_base.PostgreSQLOpportunisticTestCase
-
class
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneMigrationsSQLite
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
,oslo_db.sqlalchemy.test_base.DbTestCase
keystone.tests.unit.test_sql_upgrade module¶
Test for SQL migration extensions.
To run these tests against a live database:
Set up a blank, live database.
Export database information to environment variable
OS_TEST_DBAPI_ADMIN_CONNECTION
. For example:export OS_TEST_DBAPI_ADMIN_CONNECTION=postgresql://localhost/postgres?host= /var/folders/7k/pwdhb_mj2cv4zyr0kyrlzjx40000gq/T/tmpMGqN8C&port=9824
Run the tests using:
tox -e py27 -- keystone.tests.unit.test_sql_upgrade
For further information, see oslo.db documentation.
WARNING:
Your database will be wiped.
Do not do this against a database with valuable data as
all data will be lost.
-
class
keystone.tests.unit.test_sql_upgrade.
FullMigration
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
,keystone.tests.unit.core.TestCase
Test complete orchestration between all database phases.
-
class
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticContractSchemaUpgradeTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlContractSchemaUpgradeTests
-
FIXTURE
¶ alias of
MySQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticDataMigrationUpgradeTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlDataMigrationUpgradeTests
-
FIXTURE
¶ alias of
MySQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticExpandSchemaUpgradeTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlExpandSchemaUpgradeTests
-
FIXTURE
¶ alias of
MySQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticFullMigration
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.FullMigration
-
FIXTURE
¶ alias of
MySQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticUpgradeTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlLegacyRepoUpgradeTests
-
FIXTURE
¶ alias of
MySQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticContractSchemaUpgradeTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlContractSchemaUpgradeTests
-
FIXTURE
¶ alias of
PostgreSQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticDataMigrationUpgradeTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlDataMigrationUpgradeTests
-
FIXTURE
¶ alias of
PostgreSQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticExpandSchemaUpgradeTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlExpandSchemaUpgradeTests
-
FIXTURE
¶ alias of
PostgreSQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticFullMigration
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.FullMigration
-
FIXTURE
¶ alias of
PostgreSQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticUpgradeTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlLegacyRepoUpgradeTests
-
FIXTURE
¶ alias of
PostgreSQLOpportunisticFixture
-
-
class
keystone.tests.unit.test_sql_upgrade.
SqlContractSchemaUpgradeTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_sql_upgrade.
SqlLegacyRepoUpgradeTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
test_add_domain_specific_roles
()[source]¶ Check database upgraded successfully for domain specific roles.
The following items need to be checked:
- The domain_id column has been added
- That it has been added to the uniqueness constraints
- Existing roles have their domain_id columns set to the specific string of ‘<<null>>’
-
-
class
keystone.tests.unit.test_sql_upgrade.
SqlMigrateBase
(*args, **kwargs)[source]¶ Bases:
oslo_db.sqlalchemy.test_base.DbTestCase
-
assertTableColumns
(table_name, expected_cols)[source]¶ Assert that the table contains the expected set of columns.
-
assertTableDoesNotExist
(table_name)[source]¶ Assert that a given table exists cannot be selected by name.
-
insert_dict
(session, table_name, d, table=None)[source]¶ Naively inserts key-value pairs into a table, given a dictionary.
-
metadata
¶ A collection of tables and their associated schemas.
-
-
class
keystone.tests.unit.test_sql_upgrade.
VersionTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
test_migrate_repos_stay_in_lockstep
()[source]¶ Rolling upgrade repositories should always stay in lockstep.
By maintaining a single “latest” version number in each of the three migration repositories (expand, data migrate, and contract), we can trivially prevent operators from “doing the wrong thing”, such as running upgrades operations out of order (for example, you should not be able to run data migration 5 until schema expansion 5 has been run).
For example, even if your rolling upgrade task only involves adding a new column with a reasonable default, and doesn’t require any triggers, data migration, etc, you still need to create “empty” upgrade steps in the data migration and contract repositories with the same version number as the expansion.
For more information, see “Database Migrations” here:
-
test_these_are_not_the_migrations_you_are_looking_for
()[source]¶ Keystone has shifted to rolling upgrades.
New database migrations should no longer land in the legacy migration repository. Instead, new database migrations should be divided into three discrete steps: schema expansion, data migration, and schema contraction. These migrations live in a new set of database migration repositories, called
expand_repo
,data_migration_repo
, andcontract_repo
.For more information, see “Database Migrations” here:
-
keystone.tests.unit.test_token_bind module¶
-
class
keystone.tests.unit.test_token_bind.
BindTest
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Test binding tokens to a Principal.
Even though everything in this file references kerberos the same concepts will apply to all future binding mechanisms.
keystone.tests.unit.test_token_provider module¶
keystone.tests.unit.test_url_middleware module¶
-
class
keystone.tests.unit.test_url_middleware.
FakeApp
[source]¶ Bases:
object
Fakes a WSGI app URL normalized.
keystone.tests.unit.test_v2 module¶
-
class
keystone.tests.unit.test_v2.
CoreApiTests
[source]¶ Bases:
object
-
assertNoRoles
(r)[source]¶ Helper method to assert No Roles.
This needs to be overridden by child classes based on their content type.
-
-
class
keystone.tests.unit.test_v2.
LegacyV2UsernameTests
[source]¶ Bases:
object
Test to show the broken username behavior in V2.
The V2 API is documented to use username instead of name. The API forced used to use name and left the username to fall into the extra field.
These tests ensure this behavior works so fixes to username/name will be backward compatible.
-
create_user
(**user_attrs)[source]¶ Create a users and returns the response object.
Parameters: user_attrs – attributes added to the request body (optional)
-
test_create_with_extra_username
()[source]¶ The response for creating a user will contain the extra fields.
-
test_get_returns_username_from_extra
()[source]¶ The response for getting a user will contain the extra fields.
-
test_update_returns_new_username_when_adding_username
()[source]¶ The response for updating a user will contain the extra fields.
This is specifically testing for updating a username when a value was not previously set.
-
test_update_returns_new_username_when_updating_username
()[source]¶ The response for updating a user will contain the extra fields.
This tests updating a username that was previously set.
-
test_updated_username_is_returned
()[source]¶ Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
-
test_username_is_always_returned_create
()[source]¶ Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
-
test_username_is_always_returned_get
()[source]¶ Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
-
-
class
keystone.tests.unit.test_v2.
TestFernetTokenProviderV2
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_v2.
V2TestCase
[source]¶ Bases:
object
-
class
keystone.tests.unit.test_v2.
V2TestCaseFernet
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v2.V2TestCase
,keystone.tests.unit.test_v2.RestfulTestCase
,keystone.tests.unit.test_v2.CoreApiTests
,keystone.tests.unit.test_v2.LegacyV2UsernameTests
-
class
keystone.tests.unit.test_v2.
V2TestCaseUUID
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v2.V2TestCase
,keystone.tests.unit.test_v2.RestfulTestCase
,keystone.tests.unit.test_v2.CoreApiTests
,keystone.tests.unit.test_v2.LegacyV2UsernameTests
keystone.tests.unit.test_v2_controller module¶
-
class
keystone.tests.unit.test_v2_controller.
TenantTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Test for the V2 Tenant controller.
These tests exercise
keystone.assignment.controllers.Tenant
.-
test_create_is_domain_project_fails
()[source]¶ Test that the creation of a project acting as a domain fails.
-
test_create_project_passing_is_domain_false_fails
()[source]¶ Test that passing is_domain=False is not allowed.
-
test_delete_is_domain_project_not_found
()[source]¶ Test that delete is_domain project is not allowed in v2.
-
test_get_is_domain_project_not_found
()[source]¶ Test that get project does not return is_domain projects.
-
test_get_project_users_no_user
()[source]¶ Test the user’s existence for get_project_users.
When a user that’s not known to identity has a role on a project, then get_project_users just skips that user.
-
test_list_is_domain_project_not_found
()[source]¶ Test v2 get_all_projects having projects that act as a domain.
In v2 no project with the is_domain flag enabled should be returned.
-
keystone.tests.unit.test_v2_validation module¶
-
class
keystone.tests.unit.test_v2_validation.
RoleValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V2 Roles API Validation.
-
class
keystone.tests.unit.test_v2_validation.
ServiceValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V2 Service API Validation.
-
class
keystone.tests.unit.test_v2_validation.
TenantValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for v2 Tenant API Validation.
-
test_validate_tenant_create_fails_with_invalid_name
()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_tenant_create_with_invalid_enabled_fails
()[source]¶ Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_tenant_update_fails_with_invalid_name
()[source]¶ Exception when validating an update request with invalid name.
-
-
class
keystone.tests.unit.test_v2_validation.
UserValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V2 User API Validation.
keystone.tests.unit.test_v3 module¶
-
class
keystone.tests.unit.test_v3.
AssignmentTestMixin
[source]¶ Bases:
object
To hold assignment helper functions.
-
build_role_assignment_entity
(link=None, prior_role_link=None, **attribs)[source]¶ Build and return a role assignment entity with provided attributes.
Provided attributes are expected to contain: domain_id or project_id, user_id or group_id, role_id and, optionally, inherited_to_projects.
-
build_role_assignment_entity_include_names
(domain_ref=None, role_ref=None, group_ref=None, user_ref=None, project_ref=None, inherited_assignment=None)[source]¶ Build and return a role assignment entity with provided attributes.
The expected attributes are: domain_ref or project_ref, user_ref or group_ref, role_ref and, optionally, inherited_to_projects.
-
-
class
keystone.tests.unit.test_v3.
AuthTestMixin
[source]¶ Bases:
object
To hold auth building helper functions.
-
build_auth_scope
(project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, domain_id=None, domain_name=None, trust_id=None, unscoped=None, is_domain=None)[source]¶
-
build_authentication_request
(token=None, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, kerberos=False, **kwargs)[source]¶ Build auth dictionary.
It will create an auth dictionary based on all the arguments that it receives.
-
-
class
keystone.tests.unit.test_v3.
JsonHomeTestMixin
[source]¶ Bases:
object
JSON Home test.
Mixin this class to provide a test for the JSON-Home response for an extension.
The base class must set JSON_HOME_DATA to a dict of relationship URLs (rels) to the JSON-Home data for the relationship. The rels and associated data must be in the response.
-
class
keystone.tests.unit.test_v3.
RestfulTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides
,keystone.tests.unit.rest.RestfulTestCase
,keystone.tests.common.auth.AuthTestMixin
-
assertEqualTokens
(a, b)[source]¶ Assert that two tokens are equal.
Compare two tokens except for their ids. This also truncates the time in the comparison.
-
assertValidEntity
(entity, ref=None, keys_to_check=None)[source]¶ Make assertions common to all API entities.
If a reference is provided, the entity will also be compared against the reference.
-
assertValidListResponse
(resp, key, entity_validator, ref=None, expected_length=None, keys_to_check=None, resource_url=None)[source]¶ Make assertions common to all API list responses.
If a reference is provided, it’s ID will be searched for in the response, and asserted to be equal.
-
assertValidResponse
(resp, key, entity_validator, *args, **kwargs)[source]¶ Make assertions common to all API responses.
-
build_external_auth_request
(remote_user, remote_domain=None, auth_data=None, kerberos=False)[source]¶
-
keystone.tests.unit.test_v3_assignment module¶
-
class
keystone.tests.unit.test_v3_assignment.
AssignmentInheritanceTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3.AssignmentTestMixin
Test inheritance crud and its effects.
-
test_filtered_role_assignments_for_inherited_grants
()[source]¶ Call
GET /role_assignments?scope.OS-INHERIT:inherited_to
.Test Plan:
- Create 5 roles
- Create a domain with a user, group and two projects
- Assign three direct spoiler roles to projects
- Issue the URL to add an inherited user role to the domain
- Issue the URL to add an inherited group role to the domain
- Issue the URL to filter by inherited roles - this should return just the 2 inherited roles.
-
test_get_effective_role_assignments_for_project_hierarchy
()[source]¶ Call
GET /role_assignments?effective
.Test Plan:
- Create 2 roles
- Create a hierarchy of projects with one root and one leaf project
- Issue the URL to add a non-inherited user role to the root project
- Issue the URL to add an inherited user role to the root project
- Issue the URL to get effective role assignments - this should return 1 role (non-inherited) on the root project and 1 role (inherited) on the leaf project.
-
test_get_effective_role_assignments_for_project_tree
()[source]¶ Get role_assignment ?project_id=X&include_subtree=True&effective``.
Test Plan:
- Create 2 roles and a hierarchy of projects with one root and 4 levels of child project
- Issue the URL to add a non-inherited user role to the root project and a level 1 project
- Issue the URL to add an inherited user role on the level 2 project
- Issue the URL to get effective role assignments for the level 1 project and it’s subtree - this should return a role (non-inherited) on the level 1 project and roles (inherited) on each of the level 2, 3 and 4 projects
-
test_get_inherited_role_assignments_for_project_hierarchy
()[source]¶ Call
GET /role_assignments?scope.OS-INHERIT:inherited_to
.Test Plan:
- Create 2 roles
- Create a hierarchy of projects with one root and one leaf project
- Issue the URL to add a non-inherited user role to the root project
- Issue the URL to add an inherited user role to the root project
- Issue the URL to filter inherited to projects role assignments - this should return 1 role (inherited) on the root project.
-
test_get_role_assignments_for_project_hierarchy
()[source]¶ Call
GET /role_assignments
.Test Plan:
- Create 2 roles
- Create a hierarchy of projects with one root and one leaf project
- Issue the URL to add a non-inherited user role to the root project
- Issue the URL to add an inherited user role to the root project
- Issue the URL to get all role assignments - this should return just 2 roles (non-inherited and inherited) in the root project.
-
test_get_role_assignments_for_project_tree
()[source]¶ Get role_assignment?scope.project.id=X&include_subtree``.
Test Plan:
- Create 2 roles and a hierarchy of projects with one root and one leaf
- Issue the URL to add a non-inherited user role to the root project and the leaf project
- Issue the URL to get role assignments for the root project but not the subtree - this should return just the root assignment
- Issue the URL to get role assignments for the root project and it’s subtree - this should return both assignments
- Check that explicitly setting include_subtree to False is the equivalent to not including it at all in the query.
-
test_list_inherited_role_assignments_include_names
()[source]¶ Call
GET /role_assignments?include_names
.Test goal: ensure calling list role assignments including names honors the inherited role assignments flag.
Test plan: - Create a role and a domain with a user; - Create a inherited role assignment; - List role assignments for that user; - List role assignments for that user including names.
-
test_list_role_assignments_for_disabled_inheritance_extension
()[source]¶ Call
GET /role_assignments with inherited domain grants
.Test Plan:
- Issue the URL to add inherited role to the domain
- Issue the URL to check effective roles on project include the inherited role
- Disable the extension
- Re-check the effective roles, proving the inherited role no longer shows up.
-
test_list_role_assignments_for_inherited_domain_grants
()[source]¶ Call
GET /role_assignments with inherited domain grants
.Test Plan:
- Create 4 roles
- Create a domain with a user and two projects
- Assign two direct roles to project1
- Assign a spoiler role to project2
- Issue the URL to add inherited role to the domain
- Issue the URL to check it is indeed on the domain
- Issue the URL to check effective roles on project1 - this should return 3 roles.
-
test_list_role_assignments_for_inherited_group_domain_grants
()[source]¶ Call
GET /role_assignments with inherited group domain grants
.Test Plan:
- Create 4 roles
- Create a domain with a user and two projects
- Assign two direct roles to project1
- Assign a spoiler role to project2
- Issue the URL to add inherited role to the domain
- Issue the URL to check it is indeed on the domain
- Issue the URL to check effective roles on project1 - this should return 3 roles.
-
-
class
keystone.tests.unit.test_v3_assignment.
AssignmentTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3.AssignmentTestMixin
Test roles and role assignments.
-
test_check_effective_values_for_role_assignments
()[source]¶ Call
GET /role_assignments?effective=value
.Check the various ways of specifying the ‘effective’ query parameter. If the ‘effective’ query parameter is included then this should always be treated as meaning ‘True’ unless it is specified as:
{url}?effective=0
This is by design to match the agreed way of handling policy checking on query/filter parameters.
Test Plan:
- Create two extra user for tests
- Add these users to a group
- Add a role assignment for the group on a domain
- Get a list of all role assignments, checking one has been added
- Then issue various request with different ways of defining the ‘effective’ query parameter. As we have tested the correctness of the data coming back when we get effective roles in other tests, here we just use the count of entities to know if we are getting effective roles or not
-
test_crud_group_domain_role_grants_no_group
()[source]¶ Grant role on a domain to a group that doesn’t exist.
When grant a role on a domain to a group that doesn’t exist, the server returns 404 Not Found for the group.
-
test_crud_group_project_role_grants_no_group
()[source]¶ Grant role on a project to a group that doesn’t exist.
When grant a role on a project to a group that doesn’t exist, the server returns 404 Not Found for the group.
-
test_crud_user_domain_role_grants_no_user
()[source]¶ Grant role on a domain to a user that doesn’t exist.
When grant a role on a domain to a user that doesn’t exist, the server returns 404 Not Found for the user.
-
test_crud_user_project_role_grants_no_user
()[source]¶ Grant role on a project to a user that doesn’t exist.
When grant a role on a project to a user that doesn’t exist, the server returns Not Found for the user.
-
test_delete_user_and_check_role_assignment_fails
()[source]¶ Call
DELETE
on the user and check the role assignment.
-
test_delete_user_before_removing_role_assignment_succeeds
()[source]¶ Call
DELETE
on the user before the role assignment.
-
test_filtered_role_assignments
()[source]¶ Call
GET /role_assignments?filters
.Test Plan:
- Create extra users, group, role and project for tests
- Make the following assignments: Give group1, role1 on project1 and domain Give user1, role2 on project1 and domain Make User1 a member of Group1
- Test a series of single filter list calls, checking that the correct results are obtained
- Test a multi-filtered list call
- Test listing all effective roles for a given user
- Test the equivalent of the list of roles in a project scoped token (all effective roles for a user on a project)
-
test_get_effective_role_assignments
()[source]¶ Call
GET /role_assignments?effective
.Test Plan:
- Create two extra user for tests
- Add these users to a group
- Add a role assignment for the group on a domain
- Get a list of all role assignments, checking one has been added
- Then get a list of all effective role assignments - the group assignment should have turned into assignments on the domain for each of the group members.
-
test_get_head_role_assignments
()[source]¶ Call
GET & HEAD /role_assignments
.The sample data set up already has a user, group and project that is part of self.domain. We use these plus a new user we create as our data set, making sure we ignore any role assignments that are already in existence.
Since we don’t yet support a first class entity for role assignments, we are only testing the LIST API. To create and delete the role assignments we use the old grant APIs.
Test Plan:
- Create extra user for tests
- Get a list of all existing role assignments
- Add a new assignment for each of the four combinations, i.e. group+domain, user+domain, group+project, user+project, using the same role each time
- Get a new list of all role assignments, checking these four new ones have been added
- Then delete the four we added
- Get a new list of all role assignments, checking the four have been removed
-
-
class
keystone.tests.unit.test_v3_assignment.
DomainSpecificRoleTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_v3_assignment.
ImpliedRolesTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3.AssignmentTestMixin
,keystone.tests.unit.core.TestCase
-
test_list_role_assignments_with_implied_roles
()[source]¶ Call
GET /role_assignments
with implied role grant.Test Plan:
- Create a domain with a user and a project
- Create 3 roles
- Role 0 implies role 1 and role 1 implies role 2
- Assign the top role to the project
- Issue the URL to check effective roles on project - this should return all 3 roles.
- Check the links of the 3 roles indicate the prior role where appropriate
-
test_root_role_as_implied_role_forbidden
()[source]¶ Test root role is forbidden to be set as an implied role.
Create 2 roles that are prohibited from being an implied role. Create 1 additional role which should be accepted as an implied role. Assure the prohibited role names cannot be set as an implied role. Assure the accepted role name which is not a member of the prohibited implied role list can be successfully set an implied role.
-
-
class
keystone.tests.unit.test_v3_assignment.
ListUserProjectsTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test for /users/<user>/projects.
-
class
keystone.tests.unit.test_v3_assignment.
RoleAssignmentBaseTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3.AssignmentTestMixin
Base class for testing /v3/role_assignments API behavior.
-
MAX_HIERARCHY_BREADTH
= 3¶
-
MAX_HIERARCHY_DEPTH
= 4¶
-
get_role_assignments
(expected_status=200, **filters)[source]¶ Return the result from querying role assignment API + queried URL.
Calls GET /v3/role_assignments?<params> and returns its result, where <params> is the HTTP query parameters form of effective option plus filters, if provided. Queried URL is returned as well.
Returns: a tuple containing the list role assignments API response and queried URL.
-
-
class
keystone.tests.unit.test_v3_assignment.
RoleAssignmentDirectTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase
Class for testing direct assignments on /v3/role_assignments API.
Direct assignments on a domain or project have effect on them directly, instead of on their project hierarchy, i.e they are non-inherited. In addition, group direct assignments are not expanded to group’s users.
Tests on this class make assertions on the representation and API filtering of direct assignments.
-
class
keystone.tests.unit.test_v3_assignment.
RoleAssignmentEffectiveTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_assignment.RoleAssignmentInheritedTestCase
Class for testing inheritance effects on /v3/role_assignments API.
Inherited assignments on a domain or project have no effect on them directly, but on the projects under them instead.
Tests on this class make assertions on the effect of inherited assignments and API filtering.
-
class
keystone.tests.unit.test_v3_assignment.
RoleAssignmentFailureTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase
Class for testing invalid query params on /v3/role_assignments API.
Querying domain and project, or user and group results in a HTTP 400 Bad Request, since a role assignment must contain only a single pair of (actor, target). In addition, since filtering on role assignments applies only to the final result, effective mode cannot be combined with i) group or ii) domain and inherited, because it would always result in an empty list.
-
class
keystone.tests.unit.test_v3_assignment.
RoleAssignmentInheritedTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_assignment.RoleAssignmentDirectTestCase
Class for testing inherited assignments on /v3/role_assignments API.
Inherited assignments on a domain or project have no effect on them directly, but on the projects under them instead.
Tests on this class do not make assertions on the effect of inherited assignments, but in their representation and API filtering.
keystone.tests.unit.test_v3_auth module¶
-
class
keystone.tests.unit.test_v3_auth.
AllowRescopeScopedTokenDisabledTests
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_v3_auth.
AuthExternalDomainBehavior
[source]¶ Bases:
object
-
content_type
= 'json'¶
-
-
class
keystone.tests.unit.test_v3_auth.
TestAuthExternalDefaultDomain
[source]¶ Bases:
object
-
content_type
= 'json'¶
-
-
class
keystone.tests.unit.test_v3_auth.
TestAuthExternalDomainBehaviorWithUUID
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_auth.AuthExternalDomainBehavior
,keystone.tests.unit.test_v3.RestfulTestCase
-
class
keystone.tests.unit.test_v3_auth.
TestAuthInfo
(*args, **kwargs)[source]¶ Bases:
keystone.tests.common.auth.AuthTestMixin
,testtools.testcase.TestCase
-
class
keystone.tests.unit.test_v3_auth.
TestAuthJSONExternal
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
-
content_type
= 'json'¶
-
-
class
keystone.tests.unit.test_v3_auth.
TestAuthSpecificData
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_v3_auth.
TestAuthTOTP
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_v3_auth.
TestFernetTokenAPIs
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3_auth.TokenAPITests
,keystone.tests.unit.test_v3_auth.TokenDataTests
-
class
keystone.tests.unit.test_v3_auth.
TestFetchRevocationList
[source]¶ Bases:
object
Test fetch token revocation list on the v3 Identity API.
-
class
keystone.tests.unit.test_v3_auth.
TestTokenRevokeApi
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_auth.TestTokenRevokeById
Test token revocation on the v3 Identity API.
-
class
keystone.tests.unit.test_v3_auth.
TestTokenRevokeById
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test token revocation on the v3 Identity API.
-
setUp
()[source]¶ Setup for Token Revoking Test Cases.
As well as the usual housekeeping, create a set of domains, users, groups, roles and projects for the subsequent tests:
- Two domains: A & B
- Three users (1, 2 and 3)
- Three groups (1, 2 and 3)
- Two roles (1 and 2)
- DomainA owns user1, domainB owns user2 and user3
- DomainA owns group1 and group2, domainB owns group3
- User1 and user2 are members of group1
- User3 is a member of group2
- Two projects: A & B, both in domainA
- Group1 has role1 on Project A and B, meaning that user1 and user2 will get these roles by virtue of membership
- User1, 2 and 3 have role1 assigned to projectA
- Group1 has role1 on Project A and B, meaning that user1 and user2 will get role1 (duplicated) by virtue of membership
- User1 has role2 assigned to domainA
-
test_deleting_group_grant_revokes_tokens
()[source]¶ Test deleting a group grant revokes tokens.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Get a token for user2, scoped to ProjectA
- Get a token for user3, scoped to ProjectA
- Delete the grant group1 has on ProjectA
- Check tokens for user1 & user2 are no longer valid, since user1 and user2 are members of group1
- Check token for user3 is invalid too
-
test_deleting_role_revokes_token
()[source]¶ Test deleting a role revokes token.
Add some additional test data, namely:
- A third project (project C)
- Three additional users - user4 owned by domainB and user5 and 6 owned by domainA (different domain ownership should not affect the test results, just provided to broaden test coverage)
- User5 is a member of group1
- Group1 gets an additional assignment - role1 on projectB as well as its existing role1 on projectA
- User4 has role2 on Project C
- User6 has role1 on projectA and domainA
- This allows us to create 5 tokens by virtue of different types of role assignment: - user1, scoped to ProjectA by virtue of user role1 assignment - user5, scoped to ProjectB by virtue of group role1 assignment - user4, scoped to ProjectC by virtue of user role2 assignment - user6, scoped to ProjectA by virtue of user role1 assignment - user6, scoped to DomainA by virtue of user role1 assignment
- role1 is then deleted
- Check the tokens on Project A and B, and DomainA are revoked, but not the one for Project C
-
test_deleting_user_grant_revokes_token
()[source]¶ Test deleting a user grant revokes token.
Test Plan:
- Get a token for user, scoped to Project
- Delete the grant user has on Project
- Check token is no longer valid
-
test_domain_group_role_assignment_maintains_token
()[source]¶ Test domain-group role assignment maintains existing token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Create a grant for group1 on DomainB
- Check token is still longer valid
-
test_domain_user_role_assignment_maintains_token
()[source]¶ Test user-domain role assignment maintains existing token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Create a grant for user1 on DomainB
- Check token is still valid
-
test_group_membership_changes_revokes_token
()[source]¶ Test add/removal to/from group revokes token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Get a token for user2, scoped to ProjectA
- Remove user1 from group1
- Check token for user1 is no longer valid
- Check token for user2 is still valid, even though user2 is also part of group1
- Add user2 to group2
- Check token for user2 is now no longer valid
-
-
class
keystone.tests.unit.test_v3_auth.
TestTokenRevokeSelfAndAdmin
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test token revoke using v3 Identity API by token owner and admin.
-
class
keystone.tests.unit.test_v3_auth.
TestTrustAuthFernetTokenProvider
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_auth.TrustAPIBehavior
,keystone.tests.unit.test_v3_auth.TestTrustChain
-
class
keystone.tests.unit.test_v3_auth.
TestUUIDTokenAPIs
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3_auth.TokenAPITests
,keystone.tests.unit.test_v3_auth.TokenDataTests
-
class
keystone.tests.unit.test_v3_auth.
TokenAPITests
[source]¶ Bases:
object
-
test_auth_token_cross_domain_group_and_project
()[source]¶ Verify getting a token in cross domain group/project roles.
-
test_create_domain_token_fails_if_domain_name_unsafe
()[source]¶ Verify authenticate to a domain with unsafe name fails.
-
test_create_project_scoped_token_fails_if_domain_name_unsafe
()[source]¶ Verify authenticate to a project using unsafe domain name fails.
-
test_create_project_scoped_token_fails_if_project_name_unsafe
()[source]¶ Verify authenticate to a project with unsafe name fails.
-
test_create_project_token_with_same_domain_and_project_name
()[source]¶ Authenticate to a project with the same name as its domain.
-
test_project_scoped_token_catalog_excludes_disabled_service
()[source]¶ On authenticate, get a catalog that excludes disabled services.
-
test_user_and_group_roles_scoped_token
()[source]¶ Test correct roles are returned in scoped token.
Test Plan:
- Create a domain, with 1 project, 2 users (user1 and user2) and 2 groups (group1 and group2)
- Make user1 a member of group1, user2 a member of group2
- Create 8 roles, assigning them to each of the 8 combinations of users/groups on domain/project
- Get a project scoped token for user1, checking that the right two roles are returned (one directly assigned, one by virtue of group membership)
- Repeat this for a domain scoped token
- Make user1 also a member of group2
- Get another scoped token making sure the additional role shows up
- User2 is just here as a spoiler, to make sure we don’t get any roles uniquely assigned to it returned in any of our tokens
-
-
class
keystone.tests.unit.test_v3_auth.
TokenDataTests
[source]¶ Bases:
object
Test the data in specific token types.
-
class
keystone.tests.unit.test_v3_auth.
TrustAPIBehavior
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Redelegation valid and secure.
Redelegation is a hierarchical structure of trusts between initial trustor and a group of users allowed to impersonate trustor and act in his name. Hierarchy is created in a process of trusting already trusted permissions and organized as an adjacency list using ‘redelegated_trust_id’ field. Redelegation is valid if each subsequent trust in a chain passes ‘not more’ permissions than being redelegated.
- Trust constraints are:
- roles - set of roles trusted by trustor
- expiration_time
- allow_redelegation - a flag
- redelegation_count - decreasing value restricting length of trust chain
- remaining_uses - DISALLOWED when allow_redelegation == True
- Trust becomes invalid in case:
- trust roles were revoked from trustor
- one of the users in the delegation chain was disabled or deleted
- expiration time passed
- one of the parent trusts has become invalid
- one of the parent trusts was deleted
-
class
keystone.tests.unit.test_v3_auth.
UUIDAuthExternalDefaultDomain
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_auth.TestAuthExternalDefaultDomain
,keystone.tests.unit.test_v3.RestfulTestCase
-
class
keystone.tests.unit.test_v3_auth.
UUIDAuthKerberos
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_auth.AuthExternalDomainBehavior
,keystone.tests.unit.test_v3.RestfulTestCase
-
class
keystone.tests.unit.test_v3_auth.
UUIDFetchRevocationList
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_auth.TestFetchRevocationList
,keystone.tests.unit.test_v3.RestfulTestCase
keystone.tests.unit.test_v3_catalog module¶
-
class
keystone.tests.unit.test_v3_catalog.
CatalogTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test service & endpoint CRUD.
-
test_create_endpoint_with_no_region
()[source]¶ EndpointV3 allows to creates the endpoint without region.
-
test_create_endpoint_with_region
()[source]¶ EndpointV3 creates the region before creating the endpoint.
This occurs when endpoint is provided with ‘region’ and no ‘region_id’.
-
test_create_region_with_conflicting_ids
()[source]¶ Call
PUT /regions/{region_id}
with conflicting region IDs.
-
test_create_region_with_empty_id
()[source]¶ Call
POST /regions
with an empty ID in the request body.
-
test_create_region_with_matching_ids
()[source]¶ Call
PUT /regions/{region_id}
with an ID in the request body.
-
test_create_region_without_description
()[source]¶ Call
POST /regions
without description in the request body.
-
test_create_regions_with_same_description_string
()[source]¶ Call
POST /regions
with duplicate descriptions.
-
test_endpoint_create_with_invalid_url
()[source]¶ Test the invalid cases: substitutions is not exactly right.
-
test_endpoint_create_with_valid_url_project_id
()[source]¶ Create endpoint with valid url should be tested,too.
-
test_list_endpoints_filtered_by_parent_region_id
()[source]¶ Call
GET /endpoints?region_id={region_id}
.Ensure passing the parent_region_id as filter returns an empty list.
-
test_list_endpoints_with_multiple_filters
()[source]¶ Call
GET /endpoints?interface={interface}...
.Ensure passing different combinations of interface, region_id and service_id as filters will return the correct result.
-
test_list_endpoints_with_random_filter_values
()[source]¶ Call
GET /endpoints?interface={interface}...
.Ensure passing random values for: interface, region_id and service_id will return an empty list.
-
test_list_regions_filtered_by_parent_region_id
()[source]¶ Call
GET /regions?parent_region_id={parent_region_id}
.
-
test_update_endpoint_enabled_false
()[source]¶ Call
PATCH /endpoints/{endpoint_id}
with enabled: False.
-
test_update_endpoint_enabled_str_false
()[source]¶ Call
PATCH /endpoints/{endpoint_id}
with enabled: ‘False’.
-
test_update_endpoint_enabled_str_random
()[source]¶ Call
PATCH /endpoints/{endpoint_id}
with enabled: ‘kitties’.
-
test_update_endpoint_enabled_str_true
()[source]¶ Call
PATCH /endpoints/{endpoint_id}
with enabled: ‘True’.
-
-
class
keystone.tests.unit.test_v3_catalog.
TestCatalogAPISQL
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Test for the catalog Manager against the SQL backend.
-
class
keystone.tests.unit.test_v3_catalog.
TestCatalogAPISQLRegions
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Test for the catalog Manager against the SQL backend.
-
class
keystone.tests.unit.test_v3_catalog.
TestCatalogAPITemplatedProject
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Templated Catalog doesn’t support full API.
Eg. No region/endpoint creation.
-
test_project_delete
()[source]¶ Deleting a project should not result in an 500 ISE.
Deleting a project will create a notification, which the EndpointFilter functionality will use to clean up any project->endpoint and project->endpoint_group relationships. The templated catalog does not support such relationships, but the act of attempting to delete them should not cause a NotImplemented exception to be exposed to an API caller.
Deleting an endpoint has a similar notification and clean up mechanism, but since we do not allow deletion of endpoints with the templated catalog, there is no testing to do for that action.
-
keystone.tests.unit.test_v3_credential module¶
-
class
keystone.tests.unit.test_v3_credential.
CredentialTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_credential.CredentialBaseTestCase
Test credential CRUD.
-
test_create_ec2_credential_with_invalid_blob
()[source]¶ Test creating ec2 credential with invalid blob.
Call
POST /credentials
.
-
test_create_ec2_credential_with_missing_project_id
()[source]¶ Test Creating ec2 credential with missing project_id.
Call
POST /credentials
.
-
test_list_credentials_filtered_by_type_and_user_id
()[source]¶ Call
GET /credentials?user_id={user_id}&type={type}
.
-
-
class
keystone.tests.unit.test_v3_credential.
TestCredentialEc2
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_credential.CredentialBaseTestCase
Test v3 credential compatibility with ec2tokens.
-
test_ec2_credential_signature_validate
()[source]¶ Test signature validation with a v3 ec2 credential.
-
-
class
keystone.tests.unit.test_v3_credential.
TestCredentialTrustScoped
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test credential with trust scoped token.
keystone.tests.unit.test_v3_domain_config module¶
-
class
keystone.tests.unit.test_v3_domain_config.
DomainConfigTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test domain config support.
-
test_create_config_invalid_domain
()[source]¶ Call
PUT /domains/{domain_id}/config
.While creating Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_delete_config_by_group_invalid_domain
()[source]¶ Call
DELETE /domains{domain_id}/config/{group}
.While deleting Identity API-based domain config by group with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
-
test_delete_config_invalid_domain
()[source]¶ Call
DELETE /domains{domain_id}/config
.While deleting Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_get_config_by_group_invalid_domain
()[source]¶ Call
GET & HEAD /domains{domain_id}/config/{group}
.While retrieving Identity API-based domain config by group with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
-
test_get_config_by_option_invalid_domain
()[source]¶ Call
GET & HEAD /domains{domain_id}/config/{group}/{option}
.While retrieving Identity API-based domain config by option with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
-
test_get_config_default_by_invalid_group
()[source]¶ Call
GET for /domains/config/{bad-group}/default
.
-
test_get_config_default_by_invalid_option
()[source]¶ Call
GET for /domains/config/{group}/{bad-option}/default
.
-
test_get_non_existant_config_group
()[source]¶ Call
GET /domains{domain_id}/config/{group_not_exist}
.
-
test_get_non_existant_config_group_invalid_domain
()[source]¶ Call
GET /domains{domain_id}/config/{group_not_exist}
.While retrieving non-existent Identity API-based domain config group with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_get_non_existant_config_invalid_domain
()[source]¶ Call
GET /domains{domain_id}/config when no config defined
.While retrieving non-existent Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
-
test_get_non_existant_config_option
()[source]¶ Call
GET /domains{domain_id}/config/group/{option_not_exist}
.
-
test_get_non_existant_config_option_invalid_domain
()[source]¶ Call
GET /domains{domain_id}/config/group/{option_not_exist}
.While retrieving non-existent Identity API-based domain config option with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_update_config_group_invalid_domain
()[source]¶ Call
PATCH /domains/{domain_id}/config/{group}
.While updating Identity API-based domain config group with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_update_config_invalid_domain
()[source]¶ Call
PATCH /domains/{domain_id}/config
.While updating Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_update_config_invalid_group_invalid_domain
()[source]¶ Call
PATCH /domains/{domain_id}/config/{invalid_group}
.While updating Identity API-based domain config with an invalid group and an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_update_config_invalid_option
()[source]¶ Call
PATCH /domains/{domain_id}/config/{group}/{invalid}
.
-
-
class
keystone.tests.unit.test_v3_domain_config.
SecurityRequirementsTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
-
test_delete_non_whitelisted_security_compliance_options_fails
()[source]¶ The security compliance options shouldn’t be deleteable.
-
test_delete_security_compliance_group_fails
()[source]¶ The security compliance group shouldn’t be deleteable.
-
test_delete_security_compliance_password_regex_description_fails
()[source]¶ The security compliance options shouldn’t be deleteable.
-
test_delete_security_compliance_password_regex_fails
()[source]¶ The security compliance options shouldn’t be deleteable.
-
test_get_non_whitelisted_security_compliance_opt_fails
()[source]¶ We only support exposing a subset of security compliance options.
Given that security compliance information is sensitive in nature, we should make sure that only the options we want to expose are readable via the API.
-
test_get_security_compliance_config_for_default_domain
()[source]¶ Ask for all security compliance configuration options.
Support for enforcing security compliance per domain currently doesn’t exist. Make sure when we ask for security compliance information, it’s only for the default domain and that it only returns whitelisted options.
-
test_get_security_compliance_config_for_non_default_domain_fails
()[source]¶ Getting security compliance opts for other domains should fail.
Support for enforcing security compliance rules per domain currently does not exist, so exposing security compliance information for any domain other than the default domain should not be allowed.
-
test_get_security_compliance_config_with_user_from_other_domain
()[source]¶ Make sure users from other domains can access password requirements.
Even though a user is in a separate domain, they should be able to see the security requirements for the deployment. This is because security compliance is not yet implemented on a per domain basis. Once that happens, then this should no longer be possible since a user should only care about the security compliance requirements for the domain that they are in.
-
test_get_security_compliance_password_regex
()[source]¶ Ask for the security compliance password regular expression.
-
test_get_security_compliance_password_regex_desc_returns_none
()[source]¶ When an option isn’t set, we should explicitly return None.
-
test_get_security_compliance_password_regex_description
()[source]¶ Ask for the security compliance password regex description.
-
test_get_security_compliance_password_regex_returns_none
()[source]¶ When an option isn’t set, we should explicitly return None.
-
test_update_non_whitelisted_security_compliance_option_fails
()[source]¶ Updating security compliance options through the API is not allowed.
Requests to update anything in the security compliance group through the API should be Forbidden. This ensures that we are covering cases where the option being updated isn’t in the white list.
-
test_update_security_compliance_config_group_fails
()[source]¶ Make sure that updates to the entire security group section fail.
We should only allow the ability to modify a deployments security compliance rules through configuration. Especially since it’s only enforced on the default domain.
-
keystone.tests.unit.test_v3_endpoint_policy module¶
-
class
keystone.tests.unit.test_v3_endpoint_policy.
EndpointPolicyTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test endpoint policy CRUD.
In general, the controller layer of the endpoint policy extension is really just marshalling the data around the underlying manager calls. Given that the manager layer is tested in depth by the backend tests, the tests we execute here concentrate on ensuring we are correctly passing and presenting the data.
-
test_crud_for_policy_for_explicit_endpoint
()[source]¶ PUT, HEAD and DELETE for explicit endpoint policy.
-
-
class
keystone.tests.unit.test_v3_endpoint_policy.
JsonHomeTests
[source]¶ Bases:
keystone.tests.unit.test_v3.JsonHomeTestMixin
-
EXTENSION_LOCATION
= 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel'¶
-
JSON_HOME_DATA
= {'https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy': {'href-vars': {'endpoint_id': 'https://docs.openstack.org/api/openstack-identity/3/param/endpoint_id'}, 'href-template': '/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy_association': {'href-vars': {'endpoint_id': 'https://docs.openstack.org/api/openstack-identity/3/param/endpoint_id', 'policy_id': 'https://docs.openstack.org/api/openstack-identity/3/param/policy_id'}, 'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/policy_endpoints': {'href-vars': {'policy_id': 'https://docs.openstack.org/api/openstack-identity/3/param/policy_id'}, 'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/region_and_service_policy_association': {'href-vars': {'region_id': 'https://docs.openstack.org/api/openstack-identity/3/param/region_id', 'service_id': 'https://docs.openstack.org/api/openstack-identity/3/param/service_id', 'policy_id': 'https://docs.openstack.org/api/openstack-identity/3/param/policy_id'}, 'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}'}, 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/service_policy_association': {'href-vars': {'service_id': 'https://docs.openstack.org/api/openstack-identity/3/param/service_id', 'policy_id': 'https://docs.openstack.org/api/openstack-identity/3/param/policy_id'}, 'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}'}}¶
-
PARAM_LOCATION
= 'https://docs.openstack.org/api/openstack-identity/3/param'¶
-
keystone.tests.unit.test_v3_federation module¶
-
class
keystone.tests.unit.test_v3_federation.
FederatedIdentityProviderTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
A test class for Identity Providers.
-
default_body
= {'enabled': True, 'description': None}¶
-
idp_keys
= ['description', 'enabled']¶
-
test_assign_protocol_to_nonexistent_idp
()[source]¶ Assign protocol to IdP that doesn’t exist.
Expect HTTP 404 Not Found code.
-
test_check_idp_uniqueness
()[source]¶ Add same IdP twice.
Expect HTTP 409 Conflict code for the latter call.
-
test_create_idp_remote_repeated
()[source]¶ Create two IdentityProvider entities with some remote_ids.
A remote_id is the same for both so the second IdP is not created because of the uniqueness of the remote_ids
Expect HTTP 409 Conflict code for the latter call.
-
test_create_idp_without_domain_id
()[source]¶ Create the IdentityProvider entity associated to remote_ids.
-
test_delete_existing_idp
()[source]¶ Create and later delete IdP.
Expect HTTP 404 Not Found for the GET IdP call.
-
test_delete_idp_also_deletes_assigned_protocols
()[source]¶ Deleting an IdP will delete its assigned protocol.
-
test_delete_nonexisting_idp
()[source]¶ Delete nonexisting IdP.
Expect HTTP 404 Not Found for the GET IdP call.
-
test_delete_protocol
()[source]¶ Delete protocol.
Expect HTTP 404 Not Found code for the GET call after the protocol is deleted.
-
test_get_nonexisting_idp
()[source]¶ Fetch nonexisting IdP entity.
Expected HTTP 404 Not Found status code.
-
test_list_idps
(iterations=5)[source]¶ List all available IdentityProviders.
This test collects ids of created IdPs and intersects it with the list of all available IdPs. List of all IdPs can be a superset of IdPs created in this test, because other tests also create IdPs.
-
test_list_protocols
()[source]¶ Create set of protocols and later list them.
Compare input and output id sets.
-
test_protocol_composite_pk
()[source]¶ Test that Keystone can add two entities.
The entities have identical names, however, attached to different IdPs.
- Add IdP and assign it protocol with predefined name
- Add another IdP and assign it a protocol with same name.
Expect HTTP 201 code
-
test_protocol_idp_pk_uniqueness
()[source]¶ Test whether Keystone checks for unique idp/protocol values.
Add same protocol twice, expect Keystone to reject a latter call and return HTTP 409 Conflict code.
-
test_update_idp_immutable_attributes
()[source]¶ Update IdP’s immutable parameters.
Expect HTTP BAD REQUEST.
-
-
class
keystone.tests.unit.test_v3_federation.
FederatedSetupMixin
[source]¶ Bases:
object
-
ACTION
= 'authenticate'¶
-
ASSERTION_PREFIX
= 'PREFIX_'¶
-
AUTH_METHOD
= 'saml2'¶
-
IDP
= 'ORG_IDP'¶
-
IDP_WITH_REMOTE
= 'ORG_IDP_REMOTE'¶
-
PROTOCOL
= 'saml2'¶
-
REMOTE_IDS
= ['entityID_IDP1', 'entityID_IDP2']¶
-
REMOTE_ID_ATTR
= 'd63693d507dd400ab3e0f030ea5cbcbf'¶
-
UNSCOPED_V3_SAML2_REQ
= {'identity': {'methods': ['saml2'], 'saml2': {'protocol': 'saml2', 'identity_provider': 'ORG_IDP'}}}¶
-
USER
= 'user@ORGANIZATION'¶
-
-
class
keystone.tests.unit.test_v3_federation.
FederatedTokenTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3_federation.FederatedSetupMixin
-
test_assertion_prefix_parameter
()[source]¶ Test parameters filtering based on the prefix.
With
assertion_prefix
set to fixed, non default value, issue an unscoped token from assertion EMPLOYEE_ASSERTION_PREFIXED. Expect server to return unscoped token.
-
test_assertion_prefix_parameter_expect_fail
()[source]¶ Test parameters filtering based on the prefix.
With
assertion_prefix
default value set to empty string issue an unscoped token from assertion EMPLOYEE_ASSERTION. Next, configureassertion_prefix
to valueUserName
. Try issuing unscoped token with EMPLOYEE_ASSERTION. Expect server to raise exception.Unathorized exception.
-
test_empty_blacklist_passess_all_values
()[source]¶ Test a mapping with empty blacklist specified.
Not adding a
blacklist
keyword to the mapping rules has the same effect as adding an emptyblacklist
. In both cases, the mapping engine will not discard any groups that are associated with apache environment variables.This test checks scenario where an empty blacklist was specified. Expected result is to allow any value.
- The test scenario is as follows:
- Create group
EXISTS
- Create group
NO_EXISTS
- Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with groups
EXISTS
andNO_EXISTS
assigned
- Create group
-
test_empty_whitelist_discards_all_values
()[source]¶ Test that empty whitelist blocks all the values.
Not adding a
whitelist
keyword to the mapping value is different than adding empty whitelist. The former case will simply pass all the values, whereas the latter would discard all the values.This test checks scenario where an empty whitelist was specified. The expected result is that no groups are matched.
- The test scenario is as follows:
- Create group
EXISTS
- Set mapping rules for existing IdP with an empty whitelist that whould discard any values from the assertion
- Try issuing unscoped token, no groups were matched and that the federated user does not have any group assigned.
- Create group
-
test_full_workflow
(*args, **kwargs)[source]¶ Test ‘standard’ workflow for granting access tokens.
- Issue unscoped token
- List available projects based on groups
- Scope token to one of available projects
-
test_issue_scoped_token_no_groups
()[source]¶ Verify that token without groups cannot get scoped to project.
This test is required because of bug 1677723.
-
test_issue_token_with_nonexistent_group
()[source]¶ Inject assertion that matches rule issuing bad group id.
Expect server to find out that some groups are missing in the backend and raise exception.MappedGroupNotFound exception.
-
test_issue_unscoped_token_disabled_idp
()[source]¶ Check if authentication works with disabled identity providers.
Test plan: 1) Disable default IdP 2) Try issuing unscoped token for that IdP 3) Expect server to forbid authentication
-
test_issue_unscoped_token_malformed_environment
()[source]¶ Test whether non string objects are filtered out.
Put non string objects into the environment, inject correct assertion and try to get an unscoped token. Expect server not to fail on using split() method on non string objects and return token id in the HTTP header.
-
test_issue_unscoped_token_with_remote_default_overwritten
()[source]¶ Test that protocol remote_id_attribute has higher priority.
Make sure the parameter stored under
protocol
section has higher priority over parameter from defaultfederation
configuration section.
-
test_lists_with_missing_group_in_backend
()[source]¶ Test a mapping that points to a group that does not exist.
For explicit mappings, we expect the group to exist in the backend, but for lists, specifically blacklists, a missing group is expected as many groups will be specified by the IdP that are not Keystone groups.
- The test scenario is as follows:
- Create group
EXISTS
- Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with on group
EXISTS
id in it
- Create group
-
test_not_adding_blacklist_passess_all_values
()[source]¶ Test a mapping without blacklist specified.
Not adding a
blacklist
keyword to the mapping rules has the same effect as adding an emptyblacklist
. In both cases all values will be accepted and passed.This test checks scenario where an blacklist was not specified. Expected result is to allow any value.
- The test scenario is as follows:
- Create group
EXISTS
- Create group
NO_EXISTS
- Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with on groups
EXISTS
andNO_EXISTS
assigned
- Create group
-
test_not_setting_whitelist_accepts_all_values
()[source]¶ Test that not setting whitelist passes.
Not adding a
whitelist
keyword to the mapping value is different than adding empty whitelist. The former case will simply pass all the values, whereas the latter would discard all the values.This test checks a scenario where a
whitelist
was not specified. Expected result is that no groups are ignored.- The test scenario is as follows:
- Create group
EXISTS
- Set mapping rules for existing IdP with an empty whitelist that whould discard any values from the assertion
- Issue an unscoped token and make sure ephemeral user is a member of two groups.
- Create group
-
test_scope_to_domain_multiple_tokens
()[source]¶ Issue multiple tokens scoping to different domains.
The new tokens should be scoped to:
- domainA
- domainB
- domainC
-
test_scope_to_domain_with_only_inherited_roles_fails
()[source]¶ Try to scope to a domain that has no direct roles.
-
test_scope_to_project_multiple_times
()[source]¶ Try to scope the unscoped token multiple times.
The new tokens should be scoped to:
- Customers’ project
- Employees’ project
-
test_scope_to_project_with_only_inherited_roles
()[source]¶ Try to scope token whose only roles are inherited.
-
test_scope_token_from_nonexistent_unscoped_token
()[source]¶ Try to scope token from non-existent unscoped token.
-
test_scope_token_with_idp_disabled
()[source]¶ Scope token issued by disabled IdP.
Try scoping the token issued by an IdP which is disabled now. Expect server to refuse scoping operation.
This test confirms correct behaviour when IdP was enabled and unscoped token was issued, but disabled before user tries to scope the token. Here we assume the unscoped token was already issued and start from the moment where IdP is being disabled and unscoped token is being used.
Test plan: 1) Disable IdP 2) Try scoping unscoped token
-
test_v2_auth_with_federation_token_fails
()[source]¶ Test that using a federation token with v2 auth fails.
If an admin sets up a federated Keystone environment, and a user incorrectly configures a service (like Nova) to only use v2 auth, the returned message should be informative.
-
test_workflow_with_groups_deletion
()[source]¶ Test full workflow with groups deletion before token scoping.
- The test scenario is as follows:
- Create group
group
- Create and assign roles to
group
andproject_all
- Patch mapping rules for existing IdP so it issues group id
- Issue unscoped token with
group
‘s id - Delete group
group
- Scope token to
project_all
- Expect HTTP 500 response
- Create group
-
-
class
keystone.tests.unit.test_v3_federation.
FederatedTokenTestsMethodToken
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_federation.FederatedTokenTests
Test federation operation with unified scoping auth method.
Test all the operations with auth method set to
token
as a new, unified way for scoping all the tokens.-
AUTH_METHOD
= 'token'¶
-
-
class
keystone.tests.unit.test_v3_federation.
FederatedUserTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3_federation.FederatedSetupMixin
Test for federated users.
Tests new shadow users functionality
-
class
keystone.tests.unit.test_v3_federation.
FernetFederatedTokenTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3_federation.FederatedSetupMixin
-
AUTH_METHOD
= 'token'¶
-
-
class
keystone.tests.unit.test_v3_federation.
IdPMetadataGenerationTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
A class for testing Identity Provider Metadata generation.
-
METADATA_URL
= '/OS-FEDERATION/saml2/metadata'¶
-
-
class
keystone.tests.unit.test_v3_federation.
JsonHomeTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3.JsonHomeTestMixin
-
JSON_HOME_DATA
= {'https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider': {'href-vars': {'idp_id': 'https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/param/idp_id'}, 'href-template': '/OS-FEDERATION/identity_providers/{idp_id}'}}¶
-
-
class
keystone.tests.unit.test_v3_federation.
K2KServiceCatalogTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
-
SP1
= 'SP1'¶
-
SP2
= 'SP2'¶
-
SP3
= 'SP3'¶
-
test_no_service_providers_in_token
()[source]¶ Test service catalog with disabled service providers.
There should be no entry
service_providers
in the catalog. Test passes providing no attribute was raised.
-
-
class
keystone.tests.unit.test_v3_federation.
MappingCRUDTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
A class for testing CRUD operations for Mappings.
-
MAPPING_URL
= '/OS-FEDERATION/mappings/'¶
-
test_create_mapping_with_blacklist_and_whitelist
()[source]¶ Test for adding whitelist and blacklist in the rule.
Server should respond with HTTP 400 Bad Request error upon discovering both
whitelist
andblacklist
keywords in the same rule.
-
test_create_shadow_mapping_without_name_fails
()[source]¶ Validate project mappings contain the project name when created.
-
test_create_shadow_mapping_without_roles_fails
()[source]¶ Validate that mappings with projects contain roles when created.
-
-
class
keystone.tests.unit.test_v3_federation.
SAMLGenerationTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
-
ASSERTION_FILE
= 'signed_saml2_assertion.xml'¶
-
ASSERTION_VERSION
= '2.0'¶
-
ECP_GENERATION_ROUTE
= '/auth/OS-FEDERATION/saml2/ecp'¶
-
ISSUER
= 'https://acme.com/FIM/sps/openstack/saml20'¶
-
PROJECT
= 'development'¶
-
PROJECT_DOMAIN
= 'project_domain'¶
-
RECIPIENT
= 'http://beta.com/Shibboleth.sso/SAML2/POST'¶
-
ROLES
= ['admin', 'member']¶
-
SAML_GENERATION_ROUTE
= '/auth/OS-FEDERATION/saml2'¶
-
SERVICE_PROVDIER_ID
= 'ACME'¶
-
SP_AUTH_URL
= 'http://beta.com:5000/v3/OS-FEDERATION/identity_providers/BETA/protocols/saml2/auth'¶
-
SUBJECT
= 'test_user'¶
-
SUBJECT_DOMAIN
= 'user_domain'¶
-
test_generate_ecp_route
()[source]¶ Test that the ECP generation endpoint produces XML.
The ECP endpoint /v3/auth/OS-FEDERATION/saml2/ecp should take the same input as the SAML generation endpoint (scoped token ID + Service Provider ID). The controller should return a SAML assertion that is wrapped in a SOAP envelope.
-
test_generate_saml_route
()[source]¶ Test that the SAML generation endpoint produces XML.
The SAML endpoint /v3/auth/OS-FEDERATION/saml2 should take as input, a scoped token ID, and a Service Provider ID. The controller should fetch details about the user from the token, and details about the service provider from its ID. This should be enough information to invoke the SAML generator and provide a valid SAML (XML) document back.
-
test_invalid_scope_body
()[source]¶ Test that missing the scope in request body raises an exception.
Raises exception.SchemaValidationError() - error 400 Bad Request
-
test_invalid_token_body
()[source]¶ Test that missing the token in request body raises an exception.
Raises exception.SchemaValidationError() - error 400 Bad Request
-
test_not_project_scoped_token
()[source]¶ Ensure SAML generation fails when passing domain-scoped tokens.
The server should return a 403 Forbidden Action.
-
test_saml_signing
()[source]¶ Test that the SAML generator produces a SAML object.
Test the SAML generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.
-
test_samlize_token_values
()[source]¶ Test the SAML generator produces a SAML object.
Test the SAML generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.
-
test_sp_not_found
()[source]¶ Test SAML generation with an invalid service provider ID.
Raises exception.ServiceProviderNotFound() - error Not Found 404
-
test_token_not_found
()[source]¶ Test that an invalid token in the request body raises an exception.
Raises exception.TokenNotFound() - error Not Found 404
-
-
class
keystone.tests.unit.test_v3_federation.
ServiceProviderTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
A test class for Service Providers.
-
COLLECTION_NAME
= 'service_providers'¶
-
MEMBER_NAME
= 'service_provider'¶
-
SERVICE_PROVIDER_ID
= 'ACME'¶
-
SP_KEYS
= ['auth_url', 'id', 'enabled', 'description', 'relay_state_prefix', 'sp_url']¶
-
test_create_sp_relay_state_default
()[source]¶ Create an SP without relay state, should default to ss:mem.
-
test_list_service_providers
()[source]¶ Test listing of service provider objects.
Add two new service providers. List all available service providers. Expect to get list of three service providers (one created by setUp()) Test if attributes match.
-
test_update_service_provider
()[source]¶ Update existing service provider.
Update default existing service provider and make sure it has been properly changed.
-
-
class
keystone.tests.unit.test_v3_federation.
ShadowMappingTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3_federation.FederatedSetupMixin
Test class dedicated to auto-provisioning resources at login.
A shadow mapping is a mapping that contains extra properties about that specific federated user’s situation based on attributes from the assertion. For example, a shadow mapping can tell us that a user should have specific role assignments on certain projects within a domain. When a federated user authenticates, the shadow mapping will create these entities before returning the authenticated response to the user. This test class is dedicated to testing specific aspects of shadow mapping when performing federated authentication.
-
class
keystone.tests.unit.test_v3_federation.
WebSSOTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_federation.FederatedTokenTests
A class for testing Web SSO.
-
ORIGIN
= 'http%3A%2F%2Fhorizon.com'¶
-
PROTOCOL_REMOTE_ID_ATTR
= 'e8c1aa426df34c7eb595654c454c9c19'¶
-
SSO_TEMPLATE_NAME
= 'sso_callback_template.html'¶
-
SSO_TEMPLATE_PATH
= '/home/jenkins/workspace/keystone-docs-unified-ubuntu-xenial/etc/sso_callback_template.html'¶
-
SSO_URL
= '/auth/OS-FEDERATION/websso/'¶
-
TRUSTED_DASHBOARD
= 'http://horizon.com'¶
-
keystone.tests.unit.test_v3_filters module¶
-
class
keystone.tests.unit.test_v3_filters.
IdentityPasswordExpiryFilteredTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.filtering.FilterTests
,keystone.tests.unit.test_v3.RestfulTestCase
Test password expiring filter on the v3 Identity API.
-
load_sample_data
()[source]¶ Create sample data for password expiry tests.
The test environment will consist of a single domain, containing a single project. It will create three users and one group. Each user is going to be given a role assignment on the project and the domain. Two of the three users are going to be placed into the group, which won’t have any role assignments to either the project or the domain.
-
test_list_users_by_password_expires_after
()[source]¶ Ensure users can be filtered on gt and gte.
GET /users?password_expires_at=gt:{timestamp} GET /users?password_expires_at=gte:{timestamp}
-
test_list_users_by_password_expires_at
()[source]¶ Ensure users can be filtered on no operator, eq and neq.
GET /users?password_expires_at={timestamp} GET /users?password_expires_at=eq:{timestamp}
-
test_list_users_by_password_expires_before
()[source]¶ Ensure users can be filtered on lt and lte.
GET /users?password_expires_at=lt:{timestamp} GET /users?password_expires_at=lte:{timestamp}
-
test_list_users_by_password_expires_interval
()[source]¶ Ensure users can be filtered on time intervals.
GET /users?password_expires_at=lt:{timestamp}>:{timestamp} GET /users?password_expires_at=lte:{timestamp}>e:{timestamp}
Time intervals are defined by using lt or lte and gt or gte, where the lt/lte time is greater than the gt/gte time.
-
test_list_users_by_password_expires_with_bad_operator_fails
()[source]¶ Ensure an invalid operator returns a Bad Request.
GET /users?password_expires_at={invalid_operator}:{timestamp} GET /users?password_expires_at={operator}:{timestamp}& {invalid_operator}:{timestamp}
-
test_list_users_by_password_expires_with_bad_timestamp_fails
()[source]¶ Ensure a invalid timestamp returns a Bad Request.
GET /users?password_expires_at={invalid_timestamp} GET /users?password_expires_at={operator}:{timestamp}& {operator}:{invalid_timestamp}
-
test_list_users_in_group_by_password_expires_after
()[source]¶ Ensure users in a group can be filtered on with gt and gte.
GET /groups/{groupid}/users?password_expires_at=gt:{timestamp} GET /groups/{groupid}/users?password_expires_at=gte:{timestamp}
-
test_list_users_in_group_by_password_expires_at
()[source]¶ Ensure users in a group can be filtered on no operator, eq, and neq.
GET /groups/{groupid}/users?password_expires_at={timestamp} GET /groups/{groupid}/users?password_expires_at=eq:{timestamp}
-
test_list_users_in_group_by_password_expires_bad_operator_fails
()[source]¶ Ensure an invalid operator returns a Bad Request.
GET /groups/{groupid}/users?password_expires_at= {invalid_operator}:{timestamp} GET /groups/{group_id}/users?password_expires_at= {operator}:{timestamp}&{invalid_operator}:{timestamp}
-
test_list_users_in_group_by_password_expires_bad_timestamp_fails
()[source]¶ Ensure and invalid timestamp returns a Bad Request.
GET /groups/{groupid}/users?password_expires_at={invalid_timestamp} GET /groups/{groupid}/users?password_expires_at={operator}:{timestamp}& {operator}:{invalid_timestamp}
-
test_list_users_in_group_by_password_expires_before
()[source]¶ Ensure users in a group can be filtered on with lt and lte.
GET /groups/{groupid}/users?password_expires_at=lt:{timestamp} GET /groups/{groupid}/users?password_expires_at=lte:{timestamp}
-
test_list_users_in_group_by_password_expires_interval
()[source]¶ Ensure users in a group can be filtered on time intervals.
GET /groups/{groupid}/users?password_expires_at= lt:{timestamp}>:{timestamp} GET /groups/{groupid}/users?password_expires_at= lte:{timestamp}>e:{timestamp}
Time intervals are defined by using lt or lte and gt or gte, where the lt/lte time is greater than the gt/gte time.
-
-
class
keystone.tests.unit.test_v3_filters.
IdentityTestFilteredCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.filtering.FilterTests
,keystone.tests.unit.test_v3.RestfulTestCase
Test filter enforcement on the v3 Identity API.
-
load_sample_data
()[source]¶ Create sample data for these tests.
As well as the usual housekeeping, create a set of domains, users, roles and projects for the subsequent tests:
- Three domains: A,B & C. C is disabled.
- DomainA has user1, DomainB has user2 and user3
- DomainA has group1 and group2, DomainB has group3
- User1 has a role on DomainA
Remember that there will also be a fourth domain in existence, the default domain.
-
test_filter_sql_injection_attack
()[source]¶ GET /users?name=<injected sql_statement>.
Test Plan:
- Attempt to get all entities back by passing a two-term attribute
- Attempt to piggyback filter to damage DB (e.g. drop table)
-
test_invalid_filter_is_ignored
()[source]¶ GET /domains?enableds&name=myname.
Test Plan:
- Update policy for no protection on api
- Filter by name and ‘enableds’, which does not exist
- Assert ‘enableds’ is ignored
-
test_list_filtered_domains
()[source]¶ GET /domains?enabled=0.
Test Plan:
- Update policy for no protection on api
- Filter by the ‘enabled’ boolean to get disabled domains, which should return just domainC
- Try the filter using different ways of specifying True/False to test that our handling of booleans in filter matching is correct
-
test_list_users_filtered_by_domain
()[source]¶ GET /users?domain_id=mydomain (filtered).
Test Plan:
- Update policy so api is unprotected
- Use an un-scoped token to make sure we can filter the users by domainB, getting back the 2 users in that domain
-
-
class
keystone.tests.unit.test_v3_filters.
IdentityTestListLimitCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_filters.IdentityTestFilteredCase
Test list limiting enforcement on the v3 Identity API.
-
content_type
= 'json'¶
-
keystone.tests.unit.test_v3_identity module¶
-
class
keystone.tests.unit.test_v3_identity.
ChangePasswordTestCase
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_v3_identity.
IdentityTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test users and groups.
-
test_create_user_with_admin_token_and_domain
()[source]¶ Call
POST /users
with admin token and domain id.
-
test_create_user_without_domain
()[source]¶ Call
POST /users
without specifying domain.According to the identity-api specification, if you do not explicitly specific the domain_id in the entity, it should take the domain scope of the token as the domain_id.
-
test_delete_user
()[source]¶ Call
DELETE /users/{user_id}
.As well as making sure the delete succeeds, we ensure that any credentials that reference this user are also deleted, while other credentials are unaffected. In addition, no tokens should remain valid for this user.
-
test_get_user_does_not_include_extra_attributes
()[source]¶ Call
GET /users/{user_id}
extra attributes are not included.
-
test_get_user_includes_required_attributes
()[source]¶ Call
GET /users/{user_id}
required attributes are included.
-
test_get_user_with_default_project
()[source]¶ Call
GET /users/{user_id}
making sure of default_project_id.
-
test_list_users_with_multiple_backends
()[source]¶ Call
GET /users
when multiple backends is enabled.In this scenario, the controller requires a domain to be specified either as a filter or by using a domain scoped token.
-
test_setting_default_project_id_to_domain_failed
()[source]¶ Call
POST and PATCH /users
default_project_id=domain_id.Make sure we validate the default_project_id if it is specified. It cannot be set to a domain_id, even for a project acting as domain right now. That’s because we haven’t sort out the issuing project-scoped token for project acting as domain bit yet. Once we got that sorted out, we can relax this constraint.
-
test_update_group_domain_id
()[source]¶ Call
PATCH /groups/{group_id}
with domain_id.A group’s domain_id is immutable. Ensure that any attempts to update the domain_id of a group fails.
-
test_update_user_domain_id
()[source]¶ Call
PATCH /users/{user_id}
with domain_id.A user’s domain_id is immutable. Ensure that any attempts to update the domain_id of a user fails.
-
test_user_management_normalized_keys
()[source]¶ Illustrate the inconsistent handling of hyphens in keys.
To quote Morgan in bug 1526244:
the reason this is converted from “domain-id” to “domain_id” is because of how we process/normalize data. The way we have to handle specific data types for known columns requires avoiding “-” in the actual python code since “-” is not valid for attributes in python w/o significant use of “getattr” etc.
In short, historically we handle some things in conversions. The use of “extras” has long been a poor design choice that leads to odd/strange inconsistent behaviors because of other choices made in handling data from within the body. (In many cases we convert from “-” to “_” throughout openstack)
Source: https://bugs.launchpad.net/keystone/+bug/1526244/comments/9
-
-
class
keystone.tests.unit.test_v3_identity.
IdentityTestCaseStaticAdminToken
(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_v3_identity.
IdentityV3toV2MethodsTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Test users V3 to V2 conversion methods.
-
class
keystone.tests.unit.test_v3_identity.
PasswordValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_identity.ChangePasswordTestCase
-
class
keystone.tests.unit.test_v3_identity.
UserSelfServiceChangingPasswordsTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_identity.ChangePasswordTestCase
keystone.tests.unit.test_v3_oauth1 module¶
-
class
keystone.tests.unit.test_v3_oauth1.
FernetAuthTokenTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.AuthTokenTests
,keystone.tests.unit.test_v3_oauth1.OAuthFlowTests
-
class
keystone.tests.unit.test_v3_oauth1.
JsonHomeTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.OAuth1Tests
,keystone.tests.unit.test_v3.JsonHomeTestMixin
-
JSON_HOME_DATA
= {'https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers': {'href': '/OS-OAUTH1/consumers'}}¶
-
-
class
keystone.tests.unit.test_v3_oauth1.
MaliciousOAuth1Tests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.OAuth1Tests
-
class
keystone.tests.unit.test_v3_oauth1.
OAuth1Tests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
-
CONSUMER_URL
= '/OS-OAUTH1/consumers'¶
-
-
class
keystone.tests.unit.test_v3_oauth1.
OAuthCADFNotificationTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.OAuthNotificationTests
-
class
keystone.tests.unit.test_v3_oauth1.
OAuthNotificationTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.OAuth1Tests
,keystone.tests.unit.common.test_notifications.BaseNotificationTest
-
class
keystone.tests.unit.test_v3_oauth1.
UUIDAuthTokenTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.AuthTokenTests
,keystone.tests.unit.test_v3_oauth1.OAuthFlowTests
keystone.tests.unit.test_v3_os_revoke module¶
-
class
keystone.tests.unit.test_v3_os_revoke.
OSRevokeTests
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3.JsonHomeTestMixin
-
JSON_HOME_DATA
= {'https://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events': {'href': '/OS-REVOKE/events'}}¶
-
keystone.tests.unit.test_v3_policy module¶
-
class
keystone.tests.unit.test_v3_policy.
PolicyTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test policy CRUD.
keystone.tests.unit.test_v3_protection module¶
-
class
keystone.tests.unit.test_v3_protection.
IdentityTestImpliedDomainSpecificRoles
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_protection.IdentityTestv3CloudPolicySample
Test Domain specific Implied Roles via the REST API.
-
class
keystone.tests.unit.test_v3_protection.
IdentityTestPolicySample
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test policy enforcement of the policy.json file.
-
class
keystone.tests.unit.test_v3_protection.
IdentityTestProtectedCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test policy enforcement on the v3 Identity API.
-
setUp
()[source]¶ Setup for Identity Protection Test Cases.
As well as the usual housekeeping, create a set of domains, users, roles and projects for the subsequent tests:
- Three domains: A,B & C. C is disabled.
- DomainA has user1, DomainB has user2 and user3
- DomainA has group1 and group2, DomainB has group3
- User1 has two roles on DomainA
- User2 has one role on DomainA
Remember that there will also be a fourth domain in existence, the default domain.
-
test_get_user_protected_match_id
()[source]¶ GET /users/{id} (match payload).
Test Plan:
- Update policy to protect api by user_id
- List users with user_id of user1 as filter, to check that this will correctly match user_id in the flattened payload
-
test_get_user_protected_match_target
()[source]¶ GET /users/{id} (match target).
Test Plan:
- Update policy to protect api by domain_id
- Try and read a user who is in DomainB with a token scoped to Domain A - this should fail
- Retry this for a user who is in Domain A, which should succeed.
- Finally, try getting a user that does not exist, which should still return UserNotFound
-
test_list_groups_protected_by_domain
()[source]¶ GET /groups?domain_id=mydomain (protected).
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA and make sure we only get back the two groups that are in domainA
- Try and read the groups from domainB - this should fail since we don’t have a token scoped for domainB
-
test_list_groups_protected_by_domain_and_filtered
()[source]¶ GET /groups?domain_id=mydomain&name=myname (protected).
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA with a filter specifying both domainA and the name of group.
- We should only get back the group in domainA that matches the name
-
test_list_users_filtered_by_domain
()[source]¶ GET /users?domain_id=mydomain (filtered).
Test Plan:
- Update policy so api is unprotected
- Use an un-scoped token to make sure we can filter the users by domainB, getting back the 2 users in that domain
-
test_list_users_protected_by_domain
()[source]¶ GET /users?domain_id=mydomain (protected).
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA with a filter specifying domainA - we should only get back the one user that is in domainA.
- Try and read the users from domainB - this should fail since we don’t have a token scoped for domainB
-
test_list_users_unprotected
()[source]¶ GET /users (unprotected).
Test Plan:
- Update policy so api is unprotected
- Use an un-scoped token to make sure we can get back all the users independent of domain
-
test_revoke_grant_protected_match_target
()[source]¶ DELETE /domains/{id}/users/{id}/roles/{id} (match target).
Test Plan:
- Update policy to protect api by domain_id of entities in the grant
- Try and delete the existing grant that has a user who is from a different domain - this should fail.
- Retry this for a user who is in Domain A, which should succeed.
-
-
class
keystone.tests.unit.test_v3_protection.
IdentityTestv3CloudPolicySample
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3.AssignmentTestMixin
Test policy enforcement of the sample v3 cloud policy file.
-
setUp
()[source]¶ Setup for v3 Cloud Policy Sample Test Cases.
The following data is created:
- Three domains: domainA, domainB and admin_domain
- One project, which name is ‘project’
- domainA has three users: domain_admin_user, project_admin_user and
just_a_user:
- domain_admin_user has role ‘admin’ on domainA,
- project_admin_user has role ‘admin’ on the project,
- just_a_user has a non-admin role on both domainA and the project.
- admin_domain has admin_project, and user cloud_admin_user, with an ‘admin’ role on admin_project.
- domainA has two groups (group1, group2), domainB has one group (group3)
We test various api protection rules from the cloud sample policy file to make sure the sample is valid and that we correctly enforce it.
-
test_get_and_delete_ec2_credentials
()[source]¶ Test getting and deleting ec2 credentials through the ec2 API.
-
test_user_management_normalized_keys
()[source]¶ Illustrate the inconsistent handling of hyphens in keys.
To quote Morgan in bug 1526244:
the reason this is converted from “domain-id” to “domain_id” is because of how we process/normalize data. The way we have to handle specific data types for known columns requires avoiding “-” in the actual python code since “-” is not valid for attributes in python w/o significant use of “getattr” etc.
In short, historically we handle some things in conversions. The use of “extras” has long been a poor design choice that leads to odd/strange inconsistent behaviors because of other choices made in handling data from within the body. (In many cases we convert from “-” to “_” throughout openstack)
Source: https://bugs.launchpad.net/keystone/+bug/1526244/comments/9
-
keystone.tests.unit.test_v3_resource module¶
-
class
keystone.tests.unit.test_v3_resource.
ResourceTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
,keystone.tests.unit.test_v3.AssignmentTestMixin
Test domains and projects.
-
test_create_domain_case_sensitivity
()[source]¶ Call POST /domains` twice with upper() and lower() cased name.
-
test_create_domain_creates_is_domain_project
()[source]¶ Check a project that acts as a domain is created.
Call
POST /domains
.
-
test_create_is_domain_project_creates_domain
()[source]¶ Call
POST /projects
is_domain and check a domain is created.
-
test_delete_domain
()[source]¶ Call
DELETE /domains/{domain_id}
.The sample data set up already has a user and project that is part of self.domain. Additionally we will create a group and a credential within it. Since we will authenticate in this domain, we create another set of entities in a second domain. Deleting this second domain should delete all these new entities. In addition, all the entities in the regular self.domain should be unaffected by the delete.
Test Plan:
- Create domain2 and a 2nd set of entities
- Disable domain2
- Delete domain2
- Check entities in domain2 have been deleted
- Check entities in self.domain are unaffected
-
test_delete_domain_deletes_is_domain_project
()[source]¶ Check the project that acts as a domain is deleted.
Call
DELETE /domains
.
-
test_delete_project
()[source]¶ Call
DELETE /projects/{project_id}
.As well as making sure the delete succeeds, we ensure that any credentials that reference this projects are also deleted, while other credentials are unaffected.
-
test_forbid_operations_on_defined_federated_domain
()[source]¶ Make sure one cannot operate on a user-defined federated domain.
This includes operations like create, update, delete.
-
test_forbid_operations_on_federated_domain
()[source]¶ Make sure one cannot operate on federated domain.
This includes operations like create, update, delete on domain identified by id and name where difference variations of id ‘Federated’ are used.
-
test_get_project_with_parents_as_list_and_parents_as_ids
()[source]¶ Attempt to list a project’s parents as both a list and as IDs.
This uses
GET /projects/{project_id}?parents_as_list&parents_as_ids
which should fail with a Bad Request due to the conflicting query strings.
-
test_get_project_with_parents_as_list_with_full_access
()[source]¶ GET /projects/{project_id}?parents_as_list
with full access.Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on each one of those projects;
- Check that calling parents_as_list on ‘subproject’ returns both ‘project’ and ‘parent’.
-
test_get_project_with_parents_as_list_with_invalid_id
()[source]¶ Call
GET /projects/{project_id}?parents_as_list
.
-
test_get_project_with_parents_as_list_with_partial_access
()[source]¶ GET /projects/{project_id}?parents_as_list
with partial access.Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on ‘parent’ and ‘subproject’;
- Check that calling parents_as_list on ‘subproject’ only returns ‘parent’.
-
test_get_project_with_subtree_as_ids
()[source]¶ Call
GET /projects/{project_id}?subtree_as_ids
.This test creates a more complex hierarchy to test if the structured dictionary returned by using the
subtree_as_ids
query param correctly represents the hierarchy.The hierarchy contains 5 projects with the following structure:
+--A--+ | | +--B--+ C | | D E
-
test_get_project_with_subtree_as_list_and_subtree_as_ids
()[source]¶ Attempt to get a project subtree as both a list and as IDs.
This uses
GET /projects/{project_id}?subtree_as_list&subtree_as_ids
which should fail with a bad request due to the conflicting query strings.
-
test_get_project_with_subtree_as_list_with_full_access
()[source]¶ GET /projects/{project_id}?subtree_as_list
with full access.Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on each one of those projects;
- Check that calling subtree_as_list on ‘parent’ returns both ‘parent’ and ‘subproject’.
-
test_get_project_with_subtree_as_list_with_invalid_id
()[source]¶ Call
GET /projects/{project_id}?subtree_as_list
.
-
test_get_project_with_subtree_as_list_with_partial_access
()[source]¶ GET /projects/{project_id}?subtree_as_list
with partial access.Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on ‘parent’ and ‘subproject’;
- Check that calling subtree_as_list on ‘parent’ returns ‘subproject’.
-
test_list_project_is_domain_filter_default
()[source]¶ Default project list should not see projects acting as domains.
-
test_token_revoked_once_domain_disabled
()[source]¶ Test token from a disabled domain has been invalidated.
Test that a token that was valid for an enabled domain becomes invalid once that domain is disabled.
-
test_update_domain_updates_is_domain_project
()[source]¶ Check the project that acts as a domain is updated.
Call
PATCH /domains
.
-
test_update_project_domain_id
()[source]¶ Call
PATCH /projects/{project_id}
with domain_id.A projects’s domain_id is immutable. Ensure that any attempts to update the domain_id of a project fails.
-
-
class
keystone.tests.unit.test_v3_resource.
ResourceV3toV2MethodsTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Test domain V3 to V2 conversion methods.
keystone.tests.unit.test_v3_trust module¶
-
class
keystone.tests.unit.test_v3_trust.
TestTrustOperations
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase
Test module for create, read, update and delete operations on trusts.
This module is specific to tests for trust CRUD operations. All other tests related to trusts that are authentication or authorization specific should live in the keystone/tests/unit/test_v3_auth.py module.
keystone.tests.unit.test_validation module¶
-
class
keystone.tests.unit.test_validation.
CredentialValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Credential API validation.
-
test_validate_credential_ec2_without_project_id_fails
()[source]¶ Validate project_id is required for ec2.
Test that a SchemaValidationError is raised when type is ec2 and no project_id is provided in create request.
-
test_validate_credential_non_ec2_without_project_id_succeeds
()[source]¶ Validate project_id is not required for non-ec2.
Test that create request without project_id succeeds for any non-ec2 credential.
-
test_validate_credential_update_succeeds
()[source]¶ Test that a credential request is properly validated.
-
test_validate_credential_update_with_extra_parameters_succeeds
()[source]¶ Validate credential update with extra parameters.
-
test_validate_credential_update_without_parameters_fails
()[source]¶ Exception is raised on update without parameters.
-
test_validate_credential_with_extra_parameters_succeeds
()[source]¶ Validate create request with extra parameters.
-
test_validate_credential_with_project_id_succeeds
()[source]¶ Test that credential request works for all types.
-
test_validate_credential_without_blob_fails
()[source]¶ Exception raised without blob in create request.
-
-
class
keystone.tests.unit.test_validation.
DomainValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Domain API validation.
-
test_validate_domain_create_fails_with_invalid_name
()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_domain_request_with_enabled
()[source]¶ Validate enabled as boolean-like values for domains.
-
test_validate_domain_request_with_invalid_description_fails
()[source]¶ Exception is raised when description is a non-string value.
-
test_validate_domain_request_with_invalid_enabled_fails
()[source]¶ Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_domain_request_with_name_too_long
()[source]¶ Exception is raised when name is too long.
-
test_validate_domain_request_with_valid_description
()[source]¶ Test that we validate description in create domain requests.
-
test_validate_domain_request_without_name_fails
()[source]¶ Make sure we raise an exception when name isn’t included.
-
test_validate_domain_update_fails_with_invalid_name
()[source]¶ Exception when validating an update request with invalid name.
-
-
class
keystone.tests.unit.test_validation.
EndpointGroupValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Endpoint Group API validation.
-
test_validate_create_endpoint_group_fails_with_invalid_filters
()[source]¶ Validate invalid filters value in endpoint group parameters.
This test ensures that exception is raised when non-dict values is used as filters in endpoint group create request.
-
test_validate_endpoint_group_create_fails_without_filters
()[source]¶ Exception raised when filters isn’t in endpoint group request.
-
test_validate_endpoint_group_create_fails_without_name
()[source]¶ Exception raised when name isn’t in endpoint group request.
-
test_validate_endpoint_group_create_succeeds_with_req_parameters
()[source]¶ Validate required endpoint group parameters.
This test ensure that validation succeeds with only the required parameters passed for creating an endpoint group.
-
test_validate_endpoint_group_create_succeeds_with_valid_filters
()[source]¶ Validate filters in endpoint group create requests.
-
test_validate_endpoint_group_request_succeeds
()[source]¶ Test that we validate an endpoint group request.
-
test_validate_endpoint_group_update_fails_with_invalid_filters
()[source]¶ Exception raised when passing invalid filters in request.
-
test_validate_endpoint_group_update_fails_with_no_parameters
()[source]¶ Exception raised when no parameters on endpoint group update.
-
test_validate_endpoint_group_update_request_succeeds
()[source]¶ Test that we validate an endpoint group update request.
-
-
class
keystone.tests.unit.test_validation.
EndpointValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Endpoint API validation.
-
test_validate_create_endpoint_fails_with_invalid_enabled
()[source]¶ Exception raised when boolean-like values as enabled.
-
test_validate_endpoint_create_fails_with_invalid_interface
()[source]¶ Exception raised with invalid interface.
-
test_validate_endpoint_create_fails_with_invalid_region_id
()[source]¶ Exception raised when passing invalid region(_id) in request.
-
test_validate_endpoint_create_fails_with_invalid_url
()[source]¶ Exception raised when passing invalid url in request.
-
test_validate_endpoint_create_fails_without_interface
()[source]¶ Exception raised when interface isn’t in endpoint request.
-
test_validate_endpoint_create_fails_without_service_id
()[source]¶ Exception raised when service_id isn’t in endpoint request.
-
test_validate_endpoint_create_fails_without_url
()[source]¶ Exception raised when url isn’t in endpoint request.
-
test_validate_endpoint_create_succeeds_with_extra_parameters
()[source]¶ Test that extra parameters pass validation on create endpoint.
-
test_validate_endpoint_create_succeeds_with_required_parameters
()[source]¶ Validate an endpoint request with only the required parameters.
-
test_validate_endpoint_create_succeeds_with_url
()[source]¶ Validate url attribute in endpoint create request.
-
test_validate_endpoint_create_succeeds_with_valid_enabled
()[source]¶ Validate an endpoint with boolean values.
Validate boolean values as enabled in endpoint create requests.
-
test_validate_endpoint_update_fails_with_invalid_enabled
()[source]¶ Exception raised when enabled is boolean-like value.
-
test_validate_endpoint_update_fails_with_invalid_interface
()[source]¶ Exception raised when invalid interface on endpoint update.
-
test_validate_endpoint_update_fails_with_invalid_region_id
()[source]¶ Exception raised when passing invalid region(_id) in request.
-
test_validate_endpoint_update_fails_with_invalid_url
()[source]¶ Exception raised when passing invalid url in request.
-
test_validate_endpoint_update_fails_with_no_parameters
()[source]¶ Exception raised when no parameters on endpoint update.
-
test_validate_endpoint_update_request_succeeds
()[source]¶ Test that we validate an endpoint update request.
-
test_validate_endpoint_update_succeeds_with_extra_parameters
()[source]¶ Test that extra parameters pass validation on update endpoint.
-
-
class
keystone.tests.unit.test_validation.
EntityValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
-
test_create_entity_with_all_valid_parameters_validates
()[source]¶ Validate all parameter values against test schema.
-
test_create_entity_with_invalid_email_fails
()[source]¶ Validate invalid email address.
Test that an exception is raised when validating improperly formatted email addresses.
-
test_create_entity_with_invalid_enabled_format_raises_exception
()[source]¶ Validate invalid enabled formats.
Test that an exception is raised when passing invalid boolean-like values as enabled.
-
test_create_entity_with_invalid_id_strings
()[source]¶ Exception raised when using invalid id strings.
-
test_create_entity_with_invalid_urls_fails
()[source]¶ Test that an exception is raised when validating improper urls.
-
test_create_entity_with_name_too_long_raises_exception
()[source]¶ Validate long names.
Validate that an exception is raised when validating a string of 255+ characters passed in as a name.
-
test_create_entity_with_name_too_short_raises_exception
()[source]¶ Validate short names.
Test that an exception is raised when passing a string of length zero as a name parameter.
-
test_create_entity_with_null_id_string
()[source]¶ Validate that None is an acceptable optional string type.
-
test_create_entity_with_null_string_succeeds
()[source]¶ Exception raised when passing None on required id strings.
-
test_create_entity_with_only_required_valid_parameters_validates
()[source]¶ Validate correct for only parameters values against test schema.
-
test_create_entity_with_unicode_name_validates
()[source]¶ Test that we successfully validate a unicode string.
-
test_create_entity_with_valid_email_validates
()[source]¶ Validate email address.
Test that we successfully validate properly formatted email addresses.
-
test_create_entity_with_valid_enabled_formats_validates
()[source]¶ Validate valid enabled formats.
Test that we have successful validation on boolean values for enabled.
-
test_create_entity_with_valid_urls_validates
()[source]¶ Test that proper urls are successfully validated.
-
test_update_entity_with_a_null_optional_parameter_validates
()[source]¶ Optional parameters can be null to removed the value.
-
test_update_entity_with_a_required_null_parameter_fails
()[source]¶ The name parameter can’t be null.
-
test_update_entity_with_a_valid_optional_parameter_validates
()[source]¶ Succeed with only a single valid optional parameter.
-
test_update_entity_with_a_valid_required_parameter_validates
()[source]¶ Succeed if a valid required parameter is provided.
-
test_update_entity_with_all_parameters_valid_validates
()[source]¶ Simulate updating an entity by ID.
-
test_update_entity_with_invalid_optional_parameter_fails
()[source]¶ Fail when an optional parameter is invalid.
-
-
class
keystone.tests.unit.test_validation.
FederationProtocolValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Federation Protocol API validation.
-
test_validate_protocol_request_fails_with_invalid_mapping_id
()[source]¶ Exception raised when mapping_id is not string.
-
test_validate_protocol_request_fails_with_invalid_params
()[source]¶ Exception raised when unknown parameter is found.
-
test_validate_protocol_request_no_parameters
()[source]¶ Test that schema validation with empty request body.
-
test_validate_protocol_request_succeeds
()[source]¶ Test that we validate a protocol request successfully.
-
test_validate_protocol_request_succeeds_on_update
()[source]¶ Test that we validate a protocol update request successfully.
-
test_validate_protocol_request_succeeds_with_nonuuid_mapping_id
()[source]¶ Test that we allow underscore in mapping_id value.
-
test_validate_update_protocol_request_fails_with_invalid_id
()[source]¶ Test that updating a protocol with a non-string mapping_id fail.
-
test_validate_update_protocol_request_fails_with_invalid_params
()[source]¶ Exception raised when unknown parameter in protocol update.
-
-
class
keystone.tests.unit.test_validation.
GroupValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Group API validation.
-
test_validate_group_create_fails_with_invalid_name
()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_group_create_fails_without_group_name
()[source]¶ Exception raised when group name is not provided in request.
-
test_validate_group_create_succeeds_with_all_parameters
()[source]¶ Validate create group requests with all parameters.
-
test_validate_group_create_succeeds_with_extra_parameters
()[source]¶ Validate extra attributes on group create requests.
-
test_validate_group_update_fails_with_invalid_name
()[source]¶ Exception when validating an update request with invalid name.
-
-
class
keystone.tests.unit.test_validation.
IdentityProviderValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Identity Provider API validation.
-
test_validate_idp_request_fails_with_invalid_params
()[source]¶ Exception raised when unknown parameter is found.
-
test_validate_idp_request_no_parameters
()[source]¶ Test that schema validation with empty request body.
-
test_validate_idp_request_remote_id_nullable
()[source]¶ Test that remote_ids could be explicitly set to None.
-
test_validate_idp_request_with_duplicated_remote_id
()[source]¶ Exception is raised when the duplicated remote_ids is found.
-
test_validate_idp_request_with_invalid_description_fails
()[source]¶ Exception is raised when description as a non-string value.
-
-
class
keystone.tests.unit.test_validation.
OAuth1ValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Identity OAuth1 API validation.
-
test_validate_consumer_request_succeeds
()[source]¶ Test that we validate a consumer request successfully.
-
test_validate_consumer_request_with_invalid_description_fails
()[source]¶ Exception is raised when description as a non-string value.
-
test_validate_consumer_request_with_no_parameters
()[source]¶ Test that schema validation with empty request body.
-
-
class
keystone.tests.unit.test_validation.
PolicyValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Policy API validation.
-
test_validate_policy_create_with_extra_parameters_succeeds
()[source]¶ Validate policy create with extra parameters.
-
test_validate_policy_create_with_invalid_type_fails
()[source]¶ Exception raised when blob and type are boolean.
-
test_validate_policy_update_with_extra_parameters_succeeds
()[source]¶ Validate policy update request with extra parameters.
-
test_validate_policy_update_with_invalid_type_fails
()[source]¶ Exception raised when invalid type on policy update.
-
-
class
keystone.tests.unit.test_validation.
ProjectValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Project API validation.
-
test_validate_project_create_fails_with_invalid_name
()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_project_create_request_with_valid_domain_id
()[source]¶ Test that we validate domain_id in create project requests.
-
test_validate_project_request_with_enabled
()[source]¶ Validate enabled as boolean-like values for projects.
-
test_validate_project_request_with_invalid_description_fails
()[source]¶ Exception is raised when description as a non-string value.
-
test_validate_project_request_with_invalid_domain_id_fails
()[source]¶ Exception is raised when domain_id is a non-id value.
-
test_validate_project_request_with_invalid_enabled_fails
()[source]¶ Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_project_request_with_invalid_parent_id_fails
()[source]¶ Exception is raised when parent_id as a non-id value.
-
test_validate_project_request_with_name_too_long
()[source]¶ Exception is raised when name is too long.
-
test_validate_project_request_with_valid_description
()[source]¶ Test that we validate description in create project requests.
-
test_validate_project_request_with_valid_parent_id
()[source]¶ Test that we validate parent_id in create project requests.
-
test_validate_project_request_without_name_fails
()[source]¶ Validate project request fails without name.
-
test_validate_project_update_fails_with_invalid_name
()[source]¶ Exception when validating an update request with invalid name.
-
-
class
keystone.tests.unit.test_validation.
RegionValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Region API validation.
-
test_validate_region_create_fails_with_invalid_region_id
()[source]¶ Exception raised when passing invalid id in request.
-
test_validate_region_create_request_with_parameters
()[source]¶ Test that we validate a region request with parameters.
-
test_validate_region_create_succeeds_with_extra_parameters
()[source]¶ Validate create region request with extra values.
-
test_validate_region_create_succeeds_with_no_parameters
()[source]¶ Validate create region request with no parameters.
-
test_validate_region_create_with_uuid
()[source]¶ Test that we validate a region request with a UUID as the id.
-
-
class
keystone.tests.unit.test_validation.
RoleValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Role API validation.
-
test_validate_role_create_fails_with_invalid_name
()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_role_create_request_with_name_too_long_fails
()[source]¶ Exception raised when creating a role with name too long.
-
test_validate_role_create_without_name_raises_exception
()[source]¶ Test that we raise an exception when name isn’t included.
-
-
class
keystone.tests.unit.test_validation.
ServiceProviderValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Service Provider API validation.
-
test_validate_sp_request_with_extra_field_fails
()[source]¶ Exception raised when passing extra fields in the body.
-
test_validate_sp_request_with_invalid_auth_url_fails
()[source]¶ Validate request fails with invalid auth_url.
-
test_validate_sp_request_with_invalid_description_fails
()[source]¶ Exception is raised when description as a non-string value.
-
test_validate_sp_request_with_invalid_enabled_fails
()[source]¶ Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_sp_request_with_invalid_sp_url_fails
()[source]¶ Validate request fails with invalid sp_url.
-
test_validate_sp_request_with_valid_description
()[source]¶ Test that we validate description in create requests.
-
test_validate_sp_update_request_with_invalid_auth_url_fails
()[source]¶ Exception raised when updating with invalid auth_url.
-
-
class
keystone.tests.unit.test_validation.
ServiceValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Service API validation.
-
test_validate_service_create_fails_when_name_too_long
()[source]¶ Exception raised when name is greater than 255 characters.
-
test_validate_service_create_fails_when_name_too_short
()[source]¶ Exception is raised when name is too short.
-
test_validate_service_create_fails_when_type_too_long
()[source]¶ Exception is raised when type is too long.
-
test_validate_service_create_fails_when_type_too_short
()[source]¶ Exception is raised when type is too short.
-
test_validate_service_create_fails_with_invalid_enabled
()[source]¶ Exception raised when boolean-like parameters as enabled.
On service create, make sure an exception is raised if enabled is not a boolean value.
-
test_validate_service_create_fails_without_type
()[source]¶ Exception raised when trying to create a service without type.
-
test_validate_service_create_succeeds_with_extra_parameters
()[source]¶ Test that extra parameters pass validation on create service.
-
test_validate_service_create_succeeds_with_required_parameters
()[source]¶ Validate a service create request with the required parameters.
-
test_validate_service_create_succeeds_with_valid_enabled
()[source]¶ Validate boolean values as enabled values on service create.
-
test_validate_service_update_fails_with_invalid_enabled
()[source]¶ Exception raised when boolean-like values as enabled.
-
test_validate_service_update_fails_with_name_too_long
()[source]¶ Exception is raised when name is too long on update.
-
test_validate_service_update_fails_with_name_too_short
()[source]¶ Exception is raised when name is too short on update.
-
test_validate_service_update_fails_with_no_parameters
()[source]¶ Exception raised when updating a service without values.
-
test_validate_service_update_fails_with_type_too_long
()[source]¶ Exception is raised when type is too long on update.
-
test_validate_service_update_fails_with_type_too_short
()[source]¶ Exception is raised when type is too short on update.
-
test_validate_service_update_request_succeeds
()[source]¶ Test that we validate a service update request.
-
-
class
keystone.tests.unit.test_validation.
TrustValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 Trust API validation.
-
test_validate_trust_with_all_parameters_succeeds
()[source]¶ Test that we can validate a trust request with all parameters.
-
test_validate_trust_with_extra_parameters_succeeds
()[source]¶ Test that we can validate a trust request with extra parameters.
-
test_validate_trust_with_invalid_expires_at_fails
()[source]¶ Validate trust request with invalid expires_at fails.
-
test_validate_trust_with_invalid_impersonation_fails
()[source]¶ Validate trust request with invalid impersonation fails.
-
test_validate_trust_with_invalid_role_type_fails
()[source]¶ Validate trust request with invalid roles fails.
-
test_validate_trust_with_list_of_valid_roles_succeeds
()[source]¶ Validate trust request with a list of valid roles.
-
test_validate_trust_with_null_remaining_uses_succeeds
()[source]¶ Validate trust request with null remaining_uses.
-
test_validate_trust_with_period_in_user_id_string
()[source]¶ Validate trust request with a period in the user id string.
-
test_validate_trust_with_remaining_uses_succeeds
()[source]¶ Validate trust request with remaining_uses succeeds.
-
test_validate_trust_without_impersonation_fails
()[source]¶ Validate trust request fails without impersonation.
-
-
class
keystone.tests.unit.test_validation.
UserValidationTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase
Test for V3 User API validation.
-
test_validate_user_create_fails_with_invalid_enabled_formats
()[source]¶ Exception raised when enabled is not an acceptable format.
-
test_validate_user_create_fails_with_invalid_name
()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_user_create_fails_with_invalid_password_type
()[source]¶ Exception raised when user password is of the wrong type.
-
test_validate_user_create_fails_without_name
()[source]¶ Exception raised when validating a user without name.
-
test_validate_user_create_request_succeeds
()[source]¶ Test that validating a user create request succeeds.
-
test_validate_user_create_succeeds_with_extra_attributes
()[source]¶ Validate extra parameters on user create requests.
-
test_validate_user_create_succeeds_with_null_description
()[source]¶ Validate that description can be nullable on create user.
-
test_validate_user_create_succeeds_with_null_password
()[source]¶ Validate that password is nullable on create user.
-
test_validate_user_create_succeeds_with_password_of_zero_length
()[source]¶ Validate empty password on user create requests.
-
test_validate_user_create_succeeds_with_valid_enabled_formats
()[source]¶ Validate acceptable enabled formats in create user requests.
-
test_validate_user_create_with_all_valid_parameters_succeeds
()[source]¶ Test that validating a user create request succeeds.
-
test_validate_user_update_fails_with_invalid_name
()[source]¶ Exception when validating an update request with invalid name.
-
keystone.tests.unit.test_versions module¶
-
class
keystone.tests.unit.test_versions.
VersionSingleAppTestCase
(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase
Test running with a single application loaded.
These are important because when Keystone is running in Apache httpd there’s only one application loaded for each instance.
keystone.tests.unit.test_wsgi module¶
keystone.tests.unit.utils module¶
Useful utilities for tests.
-
keystone.tests.unit.utils.
wip
(message, expected_exception=<type 'exceptions.Exception'>, bug=None)[source]¶ Mark a test as work in progress.
Based on code by Nat Pryce: https://gist.github.com/npryce/997195#file-wip-py
The test will always be run. If the test fails then a TestSkipped exception is raised. If the test passes an AssertionError exception is raised so that the developer knows they made the test pass. This is a reminder to remove the decorator.
Parameters: - message – a string message to help clarify why the test is marked as a work in progress
- expected_exception – an exception class that will be checked for when @wip verifies an exception is raised. The test will fail if a different exception is raised. Default is “any” exception is valid
- bug – (optional) a string for tracking the bug and what bug should cause the @wip decorator to be removed from the testcase
- Usage:
>>> @wip('Expected Error', expected_exception=Exception, bug="#000000") >>> def test(): >>> pass