keystone.tests.unit package
Submodules
keystone.tests.unit.core module
-
exception keystone.tests.unit.core.BadLog[source]
Bases: exceptions.Exception
Raised on invalid call to logging (parameter mismatch).
-
class keystone.tests.unit.core.BaseTestCase(*args, **kwds)[source]
Bases: oslotest.base.BaseTestCase
Light weight base test class.
This is a placeholder that will eventually go away once the
setup/teardown in TestCase is properly trimmed down to the bare
essentials. This is really just a play to speed up the tests by
eliminating unnecessary work.
-
cleanup_instance(*names)[source]
Create a function suitable for use with self.addCleanup.
Returns: a callable that uses a closure to delete instance attributes
-
setUp()[source]
-
class keystone.tests.unit.core.SQLDriverOverrides[source]
Bases: object
A mixin for consolidating sql-specific test overrides.
-
config_overrides()[source]
-
class keystone.tests.unit.core.TestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.BaseTestCase
-
assertCloseEnoughForGovernmentWork(a, b, delta=3)[source]
Asserts that two datetimes are nearly equal within a small delta.
Parameters: delta – Maximum allowable time delta, defined in seconds.
-
assertDictContainsSubset(expected, actual, msg=None)[source]
Checks whether actual is a superset of expected.
-
assertDictEqual(d1, d2, msg=None)[source]
-
assertNotEmpty(l)[source]
-
assertRaisesRegexp(expected_exception, expected_regexp, callable_obj, *args, **kwargs)[source]
Asserts that the message in a raised exception matches a regexp.
-
auth_plugin_config_override(methods=None, **method_classes)[source]
-
clear_auth_plugin_registry()[source]
-
config(config_files)[source]
-
config_files()[source]
-
config_overrides()[source]
-
ipv6_enabled[source]
-
load_backends()[source]
Initializes each manager and assigns them to an attribute.
Override to load managers that aren’t loaded by default.
This is useful to load managers initialized by extensions. No extra
backends are loaded by default.
Returns: dict of name -> manager
-
load_fixtures(fixtures)[source]
Hacky basic and naive fixture loading based on a python module.
Expects that the various APIs into the various services are already
defined on self.
-
loadapp(config, name='main')[source]
-
setUp()[source]
-
skip_if_env_not_set(env_var)[source]
-
skip_if_no_ipv6()[source]
-
class keystone.tests.unit.core.TestClient(app=None, token=None)[source]
Bases: object
-
get(path, headers=None)[source]
-
post(path, headers=None, body=None)[source]
-
put(path, headers=None, body=None)[source]
-
request(method, path, headers=None, body=None)[source]
-
exception keystone.tests.unit.core.UnexpectedExit[source]
Bases: exceptions.Exception
-
class keystone.tests.unit.core.dirs[source]
Bases: object
-
static etc(*p)[source]
-
static root(*p)[source]
-
static tests(*p)[source]
-
static tests_conf(*p)[source]
-
static tmp(*p)[source]
-
keystone.tests.unit.core.generate_paste_config(extension_name)[source]
-
keystone.tests.unit.core.remove_generated_paste_config(extension_name)[source]
-
keystone.tests.unit.core.remove_test_databases()[source]
-
keystone.tests.unit.core.skip_if_cache_disabled(*sections)[source]
This decorator is used to skip a test if caching is disabled either
globally or for the specific section.
In the code fragment:
    @skip_if_cache_disabled('assignment', 'token')
    def test_method(*args):
        ...
The method test_method would be skipped if caching is disabled globally via
the enabled option in the cache section of the configuration or if
the caching option is set to false in either assignment or token
sections of the configuration. This decorator can be used with no
arguments to only check global caching.
If a specified configuration section does not define the caching option,
this decorator makes the same assumption as the should_cache_fn in
keystone.common.cache that caching should be enabled.
-
keystone.tests.unit.core.skip_if_no_multiple_domains_support(f)[source]
This decorator is used to skip a test if an identity driver
does not support multiple domains.
keystone.tests.unit.default_fixtures module
keystone.tests.unit.fakeldap module
Fake LDAP server for test harness.
This class does very little error checking, and knows nothing about ldap
class definitions. It implements the minimum emulation of the python ldap
library to work with nova.
-
class keystone.tests.unit.fakeldap.FakeLdap(conn=None)[source]
Bases: keystone.common.ldap.core.LDAPHandler
Emulate the python-ldap API.
The python-ldap API requires all strings to be UTF-8 encoded. This
is assured by the caller of this interface
(i.e. KeystoneLDAPHandler).
However, internally this emulation MUST process and store strings
in a canonical form which permits operations on
characters. Encoded strings do not provide the ability to operate
on characters. Therefore this emulation accepts UTF-8 encoded
strings, decodes them to unicode for operations internal to this
emulation, and encodes them back to UTF-8 when returning values
from the emulation.
-
add_s(dn, modlist)[source]
Add an object with the specified attributes at dn.
-
connect(url, page_size=0, alias_dereferencing=None, use_tls=False, tls_cacertfile=None, tls_cacertdir=None, tls_req_cert='demand', chase_referrals=None, debug_level=None, use_pool=None, pool_size=None, pool_retry_max=None, pool_retry_delay=None, pool_conn_timeout=None, pool_conn_lifetime=None)[source]
-
delete_ext_s(dn, serverctrls, clientctrls=None)[source]
Remove the ldap object at specified dn.
-
delete_s(dn)[source]
Remove the ldap object at specified dn.
-
dn(dn)[source]
-
get_option(option)[source]
-
key(dn)[source]
-
modify_s(dn, modlist)[source]
Modify the object at dn using the attribute list.
Parameters:
- dn – an LDAP DN
- modlist – a list of tuples in the following form:
  ([MOD_ADD | MOD_DELETE | MOD_REPLACE], attribute, value)
-
result3(msgid=-1, all=1, timeout=None, resp_ctrl_classes=None)[source]
-
search_ext(base, scope, filterstr='(objectClass=*)', attrlist=None, attrsonly=0, serverctrls=None, clientctrls=None, timeout=-1, sizelimit=0)[source]
-
search_s(base, scope, filterstr='(objectClass=*)', attrlist=None, attrsonly=0)[source]
Search for all matching objects under base using the query.
Args:
base – dn to search under
scope – search scope (base, subtree, onelevel)
filterstr – filter objects by
attrlist – attrs to return. Returns all attrs if not specified
-
set_option(option, invalue)[source]
-
simple_bind_s(who='', cred='', serverctrls=None, clientctrls=None)[source]
This method is ignored, but provided for compatibility.
-
unbind_s()[source]
This method is ignored, but provided for compatibility.
-
class keystone.tests.unit.fakeldap.FakeLdapNoSubtreeDelete(conn=None)[source]
Bases: keystone.tests.unit.fakeldap.FakeLdap
FakeLdap subclass that does not support subtree delete.
Same as FakeLdap except delete will throw the LDAP error
ldap.NOT_ALLOWED_ON_NONLEAF if there is an attempt to delete
an entry that has children.
-
delete_ext_s(dn, serverctrls, clientctrls=None)[source]
Remove the ldap object at specified dn.
-
class keystone.tests.unit.fakeldap.FakeLdapPool(uri, retry_max=None, retry_delay=None, conn=None)[source]
Bases: keystone.tests.unit.fakeldap.FakeLdap
Emulate the python-ldap API with pooled connections using existing
FakeLdap logic.
This class is used as connector class in PooledLDAPHandler.
-
get_lifetime()[source]
-
simple_bind_s(who=None, cred=None, serverctrls=None, clientctrls=None)[source]
-
unbind_ext_s()[source]
Added to extend FakeLdap as connector class.
-
class keystone.tests.unit.fakeldap.FakeShelve[source]
Bases: dict
-
sync()[source]
keystone.tests.unit.federation_fixtures module
keystone.tests.unit.filtering module
-
class keystone.tests.unit.filtering.FilterTests[source]
Bases: object
keystone.tests.unit.identity_mapping module
-
keystone.tests.unit.identity_mapping.list_id_mappings()[source]
List all id_mappings for testing purposes.
keystone.tests.unit.mapping_fixtures module
Fixtures for Federation Mapping.
keystone.tests.unit.rest module
-
class keystone.tests.unit.rest.RestfulTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
Performs restful tests against the WSGI app over HTTP.
This class launches public & admin WSGI servers for every test, which can
be accessed by calling public_request() or admin_request(),
respectively.
restful_request() and request() methods are also exposed if you
need to bypass restful conventions or access HTTP details in your test
implementation.
Three new asserts are provided:
- assertResponseSuccessful: called automatically for every request
unless an expected_status is provided
- assertResponseStatus: called instead of assertResponseSuccessful,
if an expected_status is provided
- assertValidResponseHeaders: validates that the response headers
appear as expected
Requests are automatically serialized according to the defined
content_type. Responses are automatically deserialized as well, and
available in the response.body attribute. The original body content is
available in the response.raw attribute.
-
admin_request(**kwargs)[source]
-
assertResponseStatus(response, expected_status)[source]
Asserts a specific status code on the response.
Parameters:
- response – httplib.HTTPResponse
- expected_status – The specific status result expected
example:
self.assertResponseStatus(response, 204)
-
assertResponseSuccessful(response)[source]
Asserts that a status code lies inside the 2xx range.
Parameters: response – httplib.HTTPResponse to be verified to have a status code between 200 and 299.
example:
self.assertResponseSuccessful(response)
-
assertValidErrorResponse(response, expected_status=400)[source]
Verify that the error response is valid.
Subclasses can override this function based on the expected response.
Ensures that response headers appear as expected.
-
content_type = 'json'
-
get_extensions()[source]
-
get_scoped_token(tenant_id=None)[source]
Convenience method so that we can test authenticated requests.
-
get_unscoped_token()[source]
Convenience method so that we can test authenticated requests.
-
public_request(**kwargs)[source]
-
request(app, path, body=None, headers=None, token=None, expected_status=None, **kwargs)[source]
-
restful_request(method='GET', headers=None, body=None, content_type=None, response_content_type=None, **kwargs)[source]
Serializes/deserializes json as request/response body.
Warning
- Existing Accept header will be overwritten.
- Existing Content-Type header will be overwritten.
-
setUp(app_conf='keystone')[source]
keystone.tests.unit.test_associate_project_endpoint_extension module
-
class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterCRUDTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_associate_project_endpoint_extension.TestExtensionCase
-
test_check_endpoint_project_association()[source]
HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Valid project and endpoint id test case.
-
test_check_endpoint_project_association_with_invalid_endpoint()[source]
HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Invalid endpoint id test case.
-
test_check_endpoint_project_association_with_invalid_project()[source]
HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Invalid project id test case.
-
test_create_endpoint_project_association()[source]
PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Valid endpoint and project id test case.
-
test_create_endpoint_project_association_with_invalid_endpoint()[source]
PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Invalid endpoint id test case.
-
test_create_endpoint_project_association_with_invalid_project()[source]
PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Invalid project id test case.
-
test_create_endpoint_project_association_with_unexpected_body()[source]
PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Unexpected body in request. The body should be ignored.
-
test_endpoint_project_association_cleanup_when_endpoint_deleted()[source]
-
test_endpoint_project_association_cleanup_when_project_deleted()[source]
-
test_list_endpoints_associated_with_invalid_project()[source]
GET /OS-EP-FILTER/projects/{project_id}/endpoints
Invalid project id test case.
-
test_list_endpoints_associated_with_valid_project()[source]
GET /OS-EP-FILTER/projects/{project_id}/endpoints
Valid project and endpoint id test case.
-
test_list_projects_associated_with_endpoint()[source]
GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects
Valid endpoint-project association test case.
-
test_list_projects_associated_with_invalid_endpoint()[source]
GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects
Invalid endpoint id test case.
-
test_list_projects_with_no_endpoint_project_association()[source]
GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects
Valid endpoint id but no endpoint-project associations test case.
-
test_remove_endpoint_project_association()[source]
DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Valid project id and endpoint id test case.
-
test_remove_endpoint_project_association_with_invalid_endpoint()[source]
DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Invalid endpoint id test case.
-
test_remove_endpoint_project_association_with_invalid_project()[source]
DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Invalid project id test case.
-
class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTokenRequestTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_associate_project_endpoint_extension.TestExtensionCase
-
test_default_scoped_token_using_endpoint_filter()[source]
Verify endpoints from default scoped token filtered.
-
test_default_scoped_token_with_no_catalog_using_endpoint_filter()[source]
Verify endpoint filter when default scoped token returns no catalog.
Test that the default project scoped token response is valid for a
given endpoint-project association when no service catalog is returned.
-
test_default_scoped_token_with_no_endpoint_project_association()[source]
Verify endpoint filter when no endpoint-project association.
Test that the default project scoped token response is valid when
there are no endpoint-project associations defined.
-
test_disabled_endpoint()[source]
Test that a disabled endpoint is handled.
-
test_get_auth_catalog_using_endpoint_filter()[source]
-
test_invalid_endpoint_project_association()[source]
Verify an invalid endpoint-project association is handled.
-
test_multiple_endpoint_project_associations()[source]
-
test_project_scoped_token_using_endpoint_filter()[source]
Verify endpoints from project scoped token filtered.
-
test_project_scoped_token_with_no_catalog_using_endpoint_filter()[source]
Verify endpoint filter when project scoped token returns no catalog.
Test that the project scoped token response is valid for a given
endpoint-project association when no service catalog is returned.
-
test_project_scoped_token_with_no_endpoint_project_association()[source]
Verify endpoint filter when no endpoint-project association.
Test that the project scoped token response is valid when there are
no endpoint-project associations defined.
-
class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointGroupCRUDTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_associate_project_endpoint_extension.TestExtensionCase
-
DEFAULT_ENDPOINT_GROUP_BODY = {'endpoint_group': {'description': 'endpoint group description', 'filters': {'interface': 'admin'}, 'name': 'endpoint_group_name'}}
-
DEFAULT_ENDPOINT_GROUP_URL = '/OS-EP-FILTER/endpoint_groups'
-
test_add_endpoint_group_to_project()[source]
Create a valid endpoint group and project association.
-
test_add_endpoint_group_to_project_with_invalid_project_id()[source]
Create an invalid endpoint group and project association.
-
test_check_endpoint_group()[source]
HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Valid endpoint_group_id test case.
-
test_check_endpoint_group_to_project()[source]
Test HEAD with a valid endpoint group and project association.
-
test_check_endpoint_group_to_project_with_invalid_project_id()[source]
Test HEAD with an invalid endpoint group and project association.
-
test_check_invalid_endpoint_group()[source]
HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Invalid endpoint_group_id test case.
-
test_create_endpoint_group()[source]
POST /OS-EP-FILTER/endpoint_groups
Valid endpoint group test case.
-
test_create_invalid_endpoint_group()[source]
POST /OS-EP-FILTER/endpoint_groups
Invalid endpoint group creation test case.
-
test_delete_endpoint_group()[source]
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}
Valid endpoint group test case.
-
test_delete_invalid_endpoint_group()[source]
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}
Invalid endpoint group test case.
-
test_endpoint_group_project_cleanup_with_endpoint_group()[source]
-
test_endpoint_group_project_cleanup_with_project()[source]
-
test_get_endpoint_group()[source]
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}
Valid endpoint group test case.
-
test_get_endpoint_group_in_project()[source]
Test retrieving project endpoint group association.
-
test_get_invalid_endpoint_group()[source]
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}
Invalid endpoint group test case.
-
test_get_invalid_endpoint_group_in_project()[source]
Test retrieving project endpoint group association.
-
test_list_endpoint_groups()[source]
GET /OS-EP-FILTER/endpoint_groups.
-
test_list_endpoints_associated_with_endpoint_group()[source]
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}/endpoints
Valid endpoint group test case.
-
test_list_endpoints_associated_with_project_endpoint_group()[source]
GET /OS-EP-FILTER/projects/{project_id}/endpoints
Valid project, endpoint id, and endpoint group test case.
-
test_list_projects_associated_with_endpoint_group()[source]
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}/projects
Valid endpoint group test case.
-
test_patch_endpoint_group()[source]
PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}
Valid endpoint group patch test case.
-
test_patch_invalid_endpoint_group()[source]
PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}
Valid endpoint group patch test case.
-
test_patch_nonexistent_endpoint_group()[source]
PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}
Invalid endpoint group patch test case.
-
test_removing_an_endpoint_group_project()[source]
-
class keystone.tests.unit.test_associate_project_endpoint_extension.JsonHomeTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_associate_project_endpoint_extension.TestExtensionCase, keystone.tests.unit.test_v3.JsonHomeTestMixin
-
JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects': {'href-template': '/OS-EP-FILTER/endpoints/{endpoint_id}/projects', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_to_project_association': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id', 'project_id': 'http://docs.openstack.org/api/openstack-identity/3/param/project_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoints_in_endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/projects_associated_with_endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups': {'href': '/OS-EP-FILTER/endpoint_groups'}}
-
class keystone.tests.unit.test_associate_project_endpoint_extension.TestExtensionCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
EXTENSION_NAME = 'endpoint_filter'
-
EXTENSION_TO_ADD = 'endpoint_filter_extension'
-
config_overrides()[source]
-
setUp()[source]
keystone.tests.unit.test_auth module
-
class keystone.tests.unit.test_auth.AuthBadRequests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_auth.AuthTest
-
test_authenticate_blank_auth()[source]
Verify sending blank ‘auth’ raises the right exception.
-
test_authenticate_blank_request_body()[source]
Verify sending empty json dict raises the right exception.
-
test_authenticate_invalid_auth_content()[source]
Verify sending invalid ‘auth’ raises the right exception.
-
test_authenticate_password_too_large()[source]
Verify sending large ‘password’ raises the right exception.
-
test_authenticate_tenant_id_too_large()[source]
Verify sending large ‘tenantId’ raises the right exception.
-
test_authenticate_tenant_name_too_large()[source]
Verify sending large ‘tenantName’ raises the right exception.
-
test_authenticate_token_too_large()[source]
Verify sending large ‘token’ raises the right exception.
-
test_authenticate_user_id_too_large()[source]
Verify sending large ‘userId’ raises the right exception.
-
test_authenticate_username_too_large()[source]
Verify sending large ‘username’ raises the right exception.
-
test_empty_remote_user()[source]
Verify that _authenticate_external() raises exception if
REMOTE_USER is set as the empty string.
-
test_empty_username_and_userid_in_auth()[source]
Verify that empty username and userID raises ValidationError.
-
test_no_credentials_in_auth()[source]
Verify that _authenticate_local() raises exception if no creds.
-
test_no_external_auth()[source]
Verify that _authenticate_external() raises exception if N/A.
-
test_no_token_in_auth()[source]
Verify that _authenticate_token() raises exception if no token.
-
class keystone.tests.unit.test_auth.AuthCatalog(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.test_auth.AuthTest
Tests for the catalog provided in the auth response.
-
config_files()[source]
-
test_auth_catalog_disabled_endpoint()[source]
On authenticate, get a catalog that excludes disabled endpoints.
-
test_validate_catalog_disabled_endpoint()[source]
On validate, get back a catalog that excludes disabled endpoints.
-
class keystone.tests.unit.test_auth.AuthTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
assertEqualTokens(a, b, enforce_audit_ids=True)[source]
Assert that two tokens are equal.
Compare two tokens except for their ids. This also truncates
the time in the comparison.
-
setUp()[source]
-
class keystone.tests.unit.test_auth.AuthWithPasswordCredentials(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_auth.AuthTest
-
test_auth_empty_password()[source]
Verify exception is raised if empty password.
-
test_auth_invalid_user()[source]
Verify exception is raised if invalid user.
-
test_auth_no_password()[source]
Verify exception is raised if empty password.
-
test_auth_valid_user_invalid_password()[source]
Verify exception is raised if invalid password.
-
test_authenticate_blank_password_credentials()[source]
Sending empty dict as passwordCredentials raises a 400 error.
-
test_authenticate_no_username()[source]
Verify skipping username raises the right exception.
-
test_bind_without_remote_user()[source]
-
test_change_default_domain_id()[source]
-
class keystone.tests.unit.test_auth.AuthWithRemoteUser(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_auth.AuthTest
-
test_bind_with_kerberos()[source]
-
test_bind_without_config_opt()[source]
-
test_scoped_nometa_remote_authn()[source]
Verify getting a token with external authn and no metadata.
-
test_scoped_remote_authn()[source]
Verify getting a token with external authn.
-
test_scoped_remote_authn_invalid_user()[source]
Verify that external auth with invalid user fails.
-
test_unscoped_remote_authn()[source]
Verify getting an unscoped token with external authn.
-
test_unscoped_remote_authn_jsonless()[source]
Verify that external auth with invalid request fails.
-
class keystone.tests.unit.test_auth.AuthWithToken(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_auth.AuthTest
-
test_auth_bad_formatted_token()[source]
Verify exception is raised if invalid token.
-
test_auth_invalid_token()[source]
Verify exception is raised if invalid token.
-
test_auth_token_project_group_role()[source]
Verify getting a token in a tenant with group roles.
-
test_auth_unscoped_token_no_project()[source]
Verify getting an unscoped token with an unscoped token.
-
test_auth_unscoped_token_project()[source]
Verify getting a token in a tenant with an unscoped token.
-
test_belongs_to()[source]
-
test_belongs_to_no_tenant()[source]
-
test_deleting_role_revokes_token()[source]
-
test_only_original_audit_id_is_kept()[source]
-
test_revoke_by_audit_chain_id_chained_token()[source]
-
test_revoke_by_audit_chain_id_original_token()[source]
-
test_revoke_with_no_audit_info()[source]
-
test_token_auth_with_binding()[source]
-
test_unscoped_token()[source]
Verify getting an unscoped token with password creds.
-
class keystone.tests.unit.test_auth.AuthWithTrust(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_auth.AuthTest
-
assert_token_count_for_trust(trust, expected_value)[source]
-
build_v2_token_request(username, password, trust, tenant_id=None)[source]
-
config_overrides()[source]
-
create_trust(trust_data, trustor_name, expires_at=None, impersonation=True)[source]
-
disable_user(user)[source]
-
fetch_v2_token_from_trust(trust)[source]
-
fetch_v3_token_from_trust(trust, trustee)[source]
-
get_unscoped_token(username, password='foo2')[source]
-
setUp()[source]
-
test_create_trust()[source]
-
test_create_trust_bad_data_fails()[source]
-
test_create_trust_expires_bad()[source]
-
test_create_trust_impersonation()[source]
-
test_create_trust_no_impersonation()[source]
-
test_create_trust_no_roles()[source]
-
test_create_trust_without_project_id()[source]
Verify that trust can be created without project id and
token can be generated with that trust.
-
test_create_v3_token_from_trust()[source]
-
test_delete_tokens_for_user_invalidates_tokens_from_trust()[source]
-
test_delete_trust_revokes_token()[source]
-
test_do_not_consume_remaining_uses_when_get_token_fails()[source]
-
test_expired_trust_get_token_fails()[source]
-
test_get_trust()[source]
-
test_token_from_trust()[source]
-
test_token_from_trust_cant_get_another_token()[source]
-
test_token_from_trust_with_no_role_fails()[source]
-
test_token_from_trust_with_wrong_role_fails()[source]
-
test_token_from_trust_wrong_project_fails()[source]
-
test_token_from_trust_wrong_user_fails()[source]
-
test_trust_get_token_fails_if_trustee_disabled()[source]
-
test_trust_get_token_fails_if_trustor_disabled()[source]
-
test_v2_trust_token_contains_trustor_user_id_and_impersonation()[source]
-
test_v3_trust_token_get_token_fails()[source]
-
class keystone.tests.unit.test_auth.NonDefaultAuthTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
test_add_non_default_auth_method()[source]
-
class keystone.tests.unit.test_auth.TokenExpirationTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_auth.AuthTest
-
test_maintain_uuid_token_expiration()[source]
keystone.tests.unit.test_backend module
-
class keystone.tests.unit.test_backend.CatalogTests[source]
Bases: object
-
test_avoid_creating_circular_references_in_regions_update()[source]
-
test_cache_layer_delete_service_with_endpoint()[source]
-
test_cache_layer_region_crud(*args, **kwargs)[source]
-
test_cache_layer_service_crud(*args, **kwargs)[source]
-
test_circular_regions_can_be_deleted(*args, **keywargs)[source]
-
test_create_endpoint()[source]
-
test_create_endpoint_nonexistent_region()[source]
-
test_create_endpoint_nonexistent_service()[source]
-
test_create_region_invalid_parent_region_404()[source]
-
test_create_region_with_duplicate_id()[source]
-
test_delete_endpoint_404()[source]
-
test_delete_region_404()[source]
-
test_delete_service_404()[source]
-
test_delete_service_with_endpoint()[source]
-
test_get_catalog_endpoint_disabled()[source]
Get back only enabled endpoints when getting the v2 catalog.
-
test_get_endpoint_404()[source]
-
test_get_region_404()[source]
-
test_get_service_404()[source]
-
test_get_v3_catalog_endpoint_disabled()[source]
Get back only enabled endpoints when getting the v3 catalog.
-
test_invalidate_cache_when_updating_endpoint(*args, **kwargs)[source]
-
test_invalidate_cache_when_updating_region(*args, **kwargs)[source]
-
test_invalidate_cache_when_updating_service(*args, **kwargs)[source]
-
test_list_regions_filtered_by_parent_region_id()[source]
-
test_region_crud()[source]
-
test_service_crud()[source]
-
test_service_filtering()[source]
-
test_update_endpoint()[source]
-
test_update_endpoint_nonexistent_region()[source]
-
test_update_endpoint_nonexistent_service()[source]
-
class keystone.tests.unit.test_backend.FilterTests[source]
Bases: keystone.tests.unit.filtering.FilterTests
-
test_groups_for_user_filtered()[source]
Test use of filtering doesn’t break groups_for_user listing.
Some backends may use filtering to achieve the list of groups for a
user, so test that it can combine a second filter.
Test Plan:
- Create 10 groups, some with names we can filter on
- Create 2 users
- Assign 1 of those users to most of the groups, including some of the
well known named ones
- Assign the other user to other groups as spoilers
- Ensure that when we list groups for users with a filter on the group
name, both restrictions have been enforced on what is returned.
-
test_list_entities_filtered()[source]
-
test_list_users_inexact_filtered()[source]
-
class keystone.tests.unit.test_backend.IdentityTests[source]
Bases: object
-
create_user_dict(**attributes)[source]
-
test_add_duplicate_role_grant()[source]
-
test_add_role_to_user_and_project_404()[source]
-
test_add_role_to_user_and_project_no_user()[source]
-
test_add_user_to_group()[source]
-
test_add_user_to_group_404()[source]
-
test_add_user_to_project()[source]
-
test_add_user_to_project_404()[source]
-
test_add_user_to_project_missing_default_role()[source]
-
test_add_user_to_project_no_user()[source]
-
test_arbitrary_attributes_are_returned_from_create_user()[source]
-
test_arbitrary_attributes_are_returned_from_get_user()[source]
-
test_attribute_update()[source]
-
test_authenticate()[source]
-
test_authenticate_and_get_roles_no_metadata()[source]
-
test_authenticate_bad_password()[source]
-
test_authenticate_bad_user()[source]
-
test_authenticate_if_no_password_set()[source]
-
test_cache_layer_domain_crud(*args, **kwargs)[source]
-
test_cache_layer_get_user(*args, **kwargs)[source]
-
test_cache_layer_get_user_by_name(*args, **kwargs)[source]
-
test_cache_layer_group_crud(*args, **kwargs)[source]
-
test_cache_layer_project_crud(*args, **kwargs)[source]
-
test_check_hierarchy_depth()[source]
-
test_check_leaf_projects()[source]
-
test_check_user_in_group()[source]
-
test_check_user_in_group_404()[source]
-
test_check_user_not_in_group()[source]
-
test_create_domain_case_sensitivity(*args, **kwargs)[source]
-
test_create_duplicate_group_name_fails()[source]
-
test_create_duplicate_group_name_in_different_domains()[source]
-
test_create_duplicate_project_id_fails()[source]
-
test_create_duplicate_project_name_fails()[source]
-
test_create_duplicate_project_name_in_different_domains()[source]
-
test_create_duplicate_user_name_fails()[source]
-
test_create_duplicate_user_name_in_different_domains()[source]
-
test_create_grant_no_group()[source]
-
test_create_grant_no_user()[source]
-
test_create_invalid_domain_fails()[source]
-
test_create_leaf_project_with_invalid_domain()[source]
-
test_create_project_blank_name_fails()[source]
-
test_create_project_doesnt_modify_passed_in_dict()[source]
-
test_create_project_invalid_enabled_type_string()[source]
-
test_create_project_invalid_name_fails()[source]
-
test_create_project_long_name_fails()[source]
-
test_create_project_under_disabled_one()[source]
-
test_create_project_with_invalid_parent()[source]
-
test_create_project_with_no_enabled_field()[source]
-
test_create_unicode_user_name()[source]
-
test_create_update_delete_unicode_project()[source]
-
test_create_user_blank_name_fails()[source]
-
test_create_user_doesnt_modify_passed_in_dict()[source]
-
test_create_user_invalid_enabled_type_string()[source]
-
test_create_user_invalid_name_fails()[source]
-
test_create_user_long_name_fails()[source]
-
test_create_user_missed_password()[source]
-
test_create_user_none_password()[source]
-
test_del_role_assignment_by_domain_not_found()[source]
-
test_del_role_assignment_by_project_not_found()[source]
-
test_delete_domain_with_user_group_project_links()[source]
-
test_delete_group_grant_no_group()[source]
-
test_delete_group_removes_role_assignments()[source]
-
test_delete_group_with_user_project_domain_links()[source]
-
test_delete_hierarchical_leaf_project()[source]
-
test_delete_hierarchical_not_leaf_project()[source]
-
test_delete_project_404()[source]
-
test_delete_project_with_role_assignments()[source]
-
test_delete_role_404()[source]
-
test_delete_role_check_role_grant()[source]
-
test_delete_role_with_user_and_group_grants()[source]
-
test_delete_user_404()[source]
-
test_delete_user_grant_no_user()[source]
-
test_delete_user_with_group_project_domain_links()[source]
-
test_delete_user_with_project_association()[source]
-
test_delete_user_with_project_roles()[source]
-
test_disable_hierarchical_leaf_project()[source]
-
test_disable_hierarchical_not_leaf_project()[source]
-
test_domain_crud()[source]
-
test_domain_delete_hierarchy()[source]
-
test_domain_rename_invalidates_get_domain_by_name_cache(*args, **kwargs)[source]
-
test_enable_project_with_disabled_parent()[source]
-
test_get_and_remove_correct_role_grant_from_a_mix()[source]
-
test_get_and_remove_role_grant_by_group_and_cross_domain()[source]
-
test_get_and_remove_role_grant_by_group_and_domain()[source]
-
test_get_and_remove_role_grant_by_group_and_project()[source]
-
test_get_and_remove_role_grant_by_user_and_cross_domain()[source]
-
test_get_and_remove_role_grant_by_user_and_domain()[source]
-
test_get_default_domain_by_name(*args, **kwargs)[source]
-
test_get_group_by_name()[source]
-
test_get_group_by_name_404()[source]
-
test_get_not_default_domain_by_name()[source]
-
test_get_project()[source]
-
test_get_project_404()[source]
-
test_get_project_by_name()[source]
-
test_get_project_by_name_404()[source]
-
test_get_project_user_ids_404()[source]
-
test_get_role_assignment_by_domain_not_found()[source]
-
test_get_role_assignment_by_project_not_found()[source]
-
test_get_role_by_user_and_project()[source]
-
test_get_role_by_user_and_project_with_user_in_group()[source]
Test for get role by user and project, user was added into a group.
Test Plan:
- Create a user, a project & a group, add this user to group
- Create roles and grant them to user and project
- Check that the role list retrieved by the user and project is as expected
-
test_get_role_grant_by_user_and_project()[source]
-
test_get_roles_for_groups_on_domain()[source]
Test retrieving group domain roles.
Test Plan:
- Create a domain, three groups and three roles
- Assign one an inherited and the others a non-inherited group role
to the domain
- Ensure that only the non-inherited roles are returned on the domain
-
test_get_roles_for_groups_on_project()[source]
Test retrieving group project roles.
Test Plan:
- Create two domains, two projects, six groups and six roles
- Project1 is in Domain1, Project2 is in Domain2
- Domain2/Project2 are spoilers
- Assign a different direct group role to each project as well
as both an inherited and non-inherited role to each domain
- Get the group roles for Project 1 - depending on whether we have
enabled inheritance, we should either get back just the direct role
or both the direct one plus the inherited domain role from Domain 1
-
test_get_roles_for_user_and_domain()[source]
Test for getting roles for user on a domain.
Test Plan:
- Create a domain, with 2 users
- Check no roles yet exist
- Give user1 two roles on the domain, user2 one role
- Get roles on user1 and the domain - make sure we only
get back the 2 roles on user1
- Delete both roles from user1
- Check we get no roles back for user1 on domain
-
test_get_roles_for_user_and_domain_404()[source]
Test errors raised when getting roles for user on a domain.
Test Plan:
- Check non-existing user gives UserNotFound
- Check non-existing domain gives DomainNotFound
-
test_get_roles_for_user_and_project_404()[source]
-
test_get_user()[source]
-
test_get_user_404()[source]
-
test_get_user_by_name()[source]
-
test_get_user_by_name_404()[source]
-
test_grant_crud_throws_exception_if_invalid_role()[source]
Ensure RoleNotFound thrown if role does not exist.
-
test_group_crud()[source]
-
test_hierarchical_projects_crud()[source]
-
test_list_domains()[source]
-
test_list_domains_for_groups()[source]
Test retrieving domains for a list of groups.
Test Plan:
- Create three domains, three groups and one role
- Assign a non-inherited group role to two domains, and an inherited
group role to the third
- Ensure only the domains with non-inherited roles are returned
-
test_list_group_role_assignment()[source]
-
test_list_groups()[source]
-
test_list_groups_for_user()[source]
-
test_list_project_parents()[source]
-
test_list_projects()[source]
-
test_list_projects_for_alternate_domain(*args, **kwargs)[source]
-
test_list_projects_for_domain()[source]
-
test_list_projects_for_groups()[source]
Test retrieving projects for a list of groups.
Test Plan:
- Create two domains, four projects, seven groups and seven roles
- Project1-3 are in Domain1, Project4 is in Domain2
- Domain2/Project4 are spoilers
- Project1 and 2 have direct group roles, Project3 has no direct
roles but should inherit a group role from Domain1
- Get the projects for the group roles that are assigned to Project1,
Project2 and the inherited one on Domain1. Depending on whether we
have enabled inheritance, we should either get back just the projects
with direct roles (Project 1 and 2) or also Project3 due to its
inherited role from Domain1.
-
test_list_projects_for_user()[source]
-
test_list_projects_for_user_with_grants()[source]
-
test_list_projects_in_subtree()[source]
-
test_list_projects_with_multiple_filters()[source]
-
test_list_role_assignments_bad_role()[source]
-
test_list_role_assignments_unfiltered()[source]
Test for unfiltered listing role assignments.
Test Plan:
- Create a domain, with a user, group & project
- Find how many role assignments already exist (from default
fixtures)
- Create a grant of each type (user/group on project/domain)
- Check the number of assignments has gone up by 4 and that
the entries we added are in the list returned
- Check that if we list assignments by role_id, then we get back
assignments that only contain that role.
-
test_list_user_ids_for_project()[source]
-
test_list_user_ids_for_project_no_duplicates()[source]
-
test_list_user_project_ids_404()[source]
-
test_list_users()[source]
-
test_list_users_in_group()[source]
-
test_list_users_in_group_404()[source]
-
test_move_group_between_domains()[source]
-
test_move_group_between_domains_with_clashing_names_fails()[source]
-
test_move_project_between_domains()[source]
-
test_move_project_between_domains_with_clashing_names_fails()[source]
-
test_move_user_between_domains()[source]
-
test_move_user_between_domains_with_clashing_names_fails()[source]
-
test_multi_group_grants_on_project_domain()[source]
Test multiple group roles for user on project and domain.
Test Plan:
- Create 6 roles
- Create a domain, with a project, user and two groups
- Make the user a member of both groups
- Check no roles yet exist
- Assign a role to each user and both groups on both the
project and domain
- Get a list of effective roles for the user on both the
project and domain, checking we get back the correct three
roles
-
test_multi_role_grant_by_user_group_on_project_domain()[source]
-
test_new_arbitrary_attributes_are_returned_from_update_user()[source]
-
test_project_add_and_remove_user_role()[source]
-
test_project_crud(*args, **kwargs)[source]
-
test_project_rename_invalidates_get_project_by_name_cache(*args, **kwargs)[source]
-
test_project_update_and_project_get_return_same_response()[source]
-
test_project_update_missing_attrs_with_a_falsey_value()[source]
-
test_project_update_missing_attrs_with_a_value()[source]
-
test_remove_role_from_user_and_project()[source]
-
test_remove_role_grant_from_user_and_project()[source]
-
test_remove_user_from_group()[source]
-
test_remove_user_from_group_404()[source]
-
test_remove_user_from_project()[source]
-
test_remove_user_from_project_404()[source]
-
test_remove_user_from_project_race_delete_role()[source]
-
test_remove_user_role_not_assigned()[source]
-
test_rename_duplicate_project_name_fails()[source]
-
test_rename_duplicate_user_name_fails()[source]
-
test_role_grant_by_group_and_cross_domain_project()[source]
-
test_role_grant_by_user_and_cross_domain_project()[source]
-
test_update_project_404()[source]
-
test_update_project_blank_name_fails()[source]
-
test_update_project_enable()[source]
-
test_update_project_id_does_nothing()[source]
-
test_update_project_invalid_enabled_type_string()[source]
-
test_update_project_invalid_name_fails()[source]
-
test_update_project_long_name_fails()[source]
-
test_update_project_parent()[source]
-
test_update_role_no_name()[source]
-
test_update_role_same_name()[source]
-
test_update_user_404()[source]
-
test_update_user_blank_name_fails()[source]
-
test_update_user_enable()[source]
-
test_update_user_enable_fails()[source]
-
test_update_user_id_fails()[source]
-
test_update_user_invalid_name_fails()[source]
-
test_update_user_long_name_fails()[source]
-
test_update_user_name()[source]
-
test_updated_arbitrary_attributes_are_returned_from_update_user()[source]
-
test_user_crud()[source]
-
test_user_update_and_user_get_return_same_response()[source]
-
class keystone.tests.unit.test_backend.InheritanceTests[source]
Bases: object
-
test_inherited_role_grants_for_group()[source]
Test inherited group roles.
Test Plan:
- Enable OS-INHERIT extension
- Create 4 roles
- Create a domain, with a project, user and two groups
- Make the user a member of both groups
- Check no roles yet exist
- Assign a direct user role to the project and a (non-inherited)
group role on the domain
- Get a list of effective roles - should only get the one direct role
- Now add two inherited group roles to the domain
- Get a list of effective roles - should have three roles, one
direct and two by virtue of inherited group roles
-
test_inherited_role_grants_for_user()[source]
Test inherited user roles.
Test Plan:
- Enable OS-INHERIT extension
- Create 3 roles
- Create a domain, with a project and a user
- Check no roles yet exist
- Assign a direct user role to the project and a (non-inherited)
user role to the domain
- Get a list of effective roles - should only get the one direct role
- Now add an inherited user role to the domain
- Get a list of effective roles - should have two roles, one
direct and one by virtue of the inherited user role
- Also get effective roles for the domain - the role marked as
inherited should not show up
-
test_list_projects_for_user_with_inherited_grants()[source]
Test inherited user roles.
Test Plan:
- Enable OS-INHERIT extension
- Create a domain, with two projects and a user
- Assign an inherited user role on the domain, as well as a direct
user role to a separate project in a different domain
- Get a list of projects for user, should return all three projects
-
test_list_projects_for_user_with_inherited_group_grants()[source]
Test inherited group roles.
Test Plan:
- Enable OS-INHERIT extension
- Create two domains, each with two projects
- Create a user and group
- Make the user a member of the group
- Assign a user role two projects, an inherited
group role to one domain and an inherited regular role on
the other domain
- Get a list of projects for user, should return both pairs of projects
from the domain, plus the one separate project
-
test_list_projects_for_user_with_inherited_group_project_grants()[source]
Test inherited role assignments for groups on nested projects.
Test Plan:
- Enable OS-INHERIT extension
- Create a hierarchy of projects with one root and one leaf project
- Assign an inherited group role on root project
- Assign a non-inherited group role on root project
- Get a list of projects for user, should return both projects
- Disable OS-INHERIT extension
- Get a list of projects for user, should return only root project
-
test_list_projects_for_user_with_inherited_user_project_grants()[source]
Test inherited role assignments for users on nested projects.
Test Plan:
- Enable OS-INHERIT extension
- Create a hierarchy of projects with one root and one leaf project
- Assign an inherited user role on root project
- Assign a non-inherited user role on root project
- Get a list of projects for user, should return both projects
- Disable OS-INHERIT extension
- Get a list of projects for user, should return only root project
-
class keystone.tests.unit.test_backend.LimitTests[source]
Bases: keystone.tests.unit.filtering.FilterTests
-
ENTITIES = ['user', 'group', 'project']
-
clean_up_domain()[source]
Clean up domain test data from Limit Test Cases.
-
clean_up_entities()[source]
Clean up entity test data from Limit Test Cases.
-
setUp()[source]
Setup for Limit Test Cases.
-
test_list_groups_filtered_and_limited()[source]
-
test_list_projects_filtered_and_limited()[source]
-
test_list_users_filtered_and_limited()[source]
-
class keystone.tests.unit.test_backend.PolicyTests[source]
Bases: object
-
assertEqualPolicies(a, b)[source]
-
test_create()[source]
-
test_delete()[source]
-
test_delete_policy_404()[source]
-
test_get()[source]
-
test_get_policy_404()[source]
-
test_list()[source]
-
test_update()[source]
-
test_update_policy_404()[source]
-
class keystone.tests.unit.test_backend.TokenCacheInvalidation[source]
Bases: object
-
test_delete_scoped_token_by_id()[source]
-
test_delete_scoped_token_by_user()[source]
-
test_delete_scoped_token_by_user_and_tenant()[source]
-
test_delete_unscoped_token()[source]
-
class keystone.tests.unit.test_backend.TokenTests[source]
Bases: object
-
check_list_revoked_tokens(token_ids)[source]
-
create_token_sample_data(token_id=None, tenant_id=None, trust_id=None, user_id=None, expires=None)[source]
-
delete_token()[source]
-
test_create_unicode_token_id()[source]
-
test_create_unicode_user_id()[source]
-
test_delete_token_404()[source]
-
test_delete_tokens()[source]
-
test_delete_tokens_trust()[source]
-
test_expired_token()[source]
-
test_flush_expired_token()[source]
-
test_get_token_404()[source]
-
test_list_revoked_tokens_for_multiple_tokens()[source]
-
test_list_revoked_tokens_for_single_token()[source]
-
test_list_revoked_tokens_returns_empty_list()[source]
-
test_null_expires_token()[source]
-
test_predictable_revoked_pki_token_id_default()[source]
-
test_predictable_revoked_pki_token_id_sha256()[source]
-
test_predictable_revoked_uuid_token_id()[source]
-
test_revocation_list_cache(*args, **kwargs)[source]
-
test_token_crud()[source]
-
test_token_expire_timezone()[source]
-
test_token_list()[source]
-
test_token_list_trust()[source]
-
class keystone.tests.unit.test_backend.TrustTests[source]
Bases: object
-
create_sample_trust(new_id, remaining_uses=None)[source]
-
test_consume_use()[source]
-
test_create_trust()[source]
-
test_delete_trust()[source]
-
test_delete_trust_not_found()[source]
-
test_get_deleted_trust()[source]
-
test_get_trust()[source]
-
test_list_trust_by_trustee()[source]
-
test_list_trust_by_trustor()[source]
-
test_list_trusts()[source]
-
test_trust_has_remaining_uses_negative()[source]
-
test_trust_has_remaining_uses_positive()[source]
keystone.tests.unit.test_backend_endpoint_policy module
-
class keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests[source]
Bases: object
-
load_sample_data()[source]
Create sample data to test policy associations.
The following data is created:
- 3 regions, in a hierarchy, 0 -> 1 -> 2 (where 0 is top)
- 3 services
- 6 endpoints, 2 in each region, with a mixture of services:
0 - region 0, Service 0
1 - region 0, Service 1
2 - region 1, Service 1
3 - region 1, Service 2
4 - region 2, Service 2
5 - region 2, Service 0
-
test_delete_association_by_entity()[source]
-
test_invalid_policy_to_endpoint_association()[source]
-
test_overwriting_policy_to_endpoint_association()[source]
-
test_policy_to_endpoint_association_crud()[source]
-
test_policy_to_explicit_endpoint_association()[source]
-
test_policy_to_region_and_service_association()[source]
-
test_policy_to_service_association()[source]
keystone.tests.unit.test_backend_ldap module
-
class keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity[source]
Bases: keystone.tests.unit.test_backend.IdentityTests
-
clear_database()[source]
-
config_files()[source]
-
config_overrides()[source]
-
get_config(domain_id)[source]
-
get_user_enabled_vals(user)[source]
-
reload_backends(domain_id)[source]
-
setUp()[source]
-
test_arbitrary_attributes_are_returned_from_get_user()[source]
-
test_authenticate_requires_simple_bind()[source]
-
test_build_tree()[source]
Regression test for building the tree names
-
test_cache_layer_domain_crud()[source]
-
test_cache_layer_group_crud(*args, **kwargs)[source]
-
test_configurable_allowed_user_actions()[source]
-
test_configurable_forbidden_create_existing_user()[source]
-
test_configurable_forbidden_user_actions()[source]
-
test_create_duplicate_group_name_in_different_domains()[source]
-
test_create_duplicate_project_name_in_different_domains()[source]
-
test_create_duplicate_user_name_in_different_domains()[source]
-
test_create_user_none_mapping()[source]
-
test_create_user_with_boolean_string_names()[source]
-
test_del_role_assignment_by_domain_not_found()[source]
-
test_delete_group_with_user_project_domain_links()[source]
-
test_delete_role_with_user_and_group_grants()[source]
-
test_delete_user_with_group_project_domain_links()[source]
-
test_domain_delete_hierarchy()[source]
-
test_get_and_remove_correct_role_grant_from_a_mix()[source]
-
test_get_and_remove_role_grant_by_group_and_cross_domain()[source]
-
test_get_and_remove_role_grant_by_group_and_domain()[source]
-
test_get_and_remove_role_grant_by_group_and_project()[source]
-
test_get_and_remove_role_grant_by_user_and_cross_domain()[source]
-
test_get_and_remove_role_grant_by_user_and_domain()[source]
-
test_get_role_assignment_by_domain_not_found()[source]
-
test_get_roles_for_groups_on_domain()[source]
-
test_get_roles_for_groups_on_project()[source]
-
test_get_roles_for_user_and_domain()[source]
-
test_group_crud()[source]
-
test_group_enabled_ignored_disable_error()[source]
-
test_list_domains()[source]
-
test_list_domains_for_groups()[source]
-
test_list_domains_non_default_domain_id()[source]
-
test_list_group_members_dumb_member()[source]
-
test_list_group_members_missing_entry()[source]
List group members with deleted user.
If a group has a deleted entry for a member, the non-deleted members
are returned.
-
test_list_group_members_when_no_members()[source]
-
test_list_projects_for_groups()[source]
-
test_list_projects_for_user()[source]
-
test_list_projects_for_user_and_groups()[source]
-
test_list_projects_for_user_with_grants()[source]
-
test_list_role_assignments_dumb_member()[source]
-
test_list_role_assignments_unfiltered()[source]
-
test_list_user_ids_for_project_dumb_member()[source]
-
test_move_group_between_domains()[source]
-
test_move_group_between_domains_with_clashing_names_fails()[source]
-
test_move_project_between_domains()[source]
-
test_move_project_between_domains_with_clashing_names_fails()[source]
-
test_move_user_between_domains()[source]
-
test_move_user_between_domains_with_clashing_names_fails()[source]
-
test_multi_group_grants_on_project_domain()[source]
-
test_multi_role_grant_by_user_group_on_project_domain()[source]
-
test_new_arbitrary_attributes_are_returned_from_update_user()[source]
-
test_project_enabled_ignored_disable_error()[source]
-
test_remove_role_grant_from_user_and_project()[source]
-
test_role_grant_by_group_and_cross_domain_project()[source]
-
test_role_grant_by_user_and_cross_domain_project()[source]
-
test_unignored_user_none_mapping()[source]
-
test_update_user_name()[source]
A user’s name cannot be changed through the LDAP driver.
-
test_updated_arbitrary_attributes_are_returned_from_update_user()[source]
-
test_user_enabled_ignored_disable_error()[source]
-
test_user_filter()[source]
-
test_user_id_comma()[source]
Even if the user has a , in their ID, groups can be listed.
-
test_user_id_comma_grants()[source]
Even if the user has a , in their ID, can get user and group grants.
-
class keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity[source]
Bases: object
Mixin class with support methods for domain-specific config testing.
-
check_user(user, domain_id, expected_status)[source]
Check user is in correct backend.
As part of the tests, we want to force ourselves to manually
select the driver for a given domain, to make sure the entity
ended up in the correct backend.
-
create_user(domain_id)[source]
-
create_users_across_domains()[source]
Create a set of users, each with a role on their own domain.
-
setup_initial_domains()[source]
-
test_authenticate_to_each_domain()[source]
Test that a user in each domain can authenticate.
-
class keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase, keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity
Class to test when all domains use specific configs, including SQL.
We define a set of domains and domain-specific backends:
- A separate LDAP backend for the default domain
- A separate SQL backend for domain1
Although the default driver still exists, we don’t use it.
-
config_overrides()[source]
-
get_config(domain_id)[source]
-
initial_setup()[source]
-
reload_backends(domain_id)[source]
-
setUp()[source]
-
test_add_role_grant_to_user_and_project_404()[source]
-
test_domain_crud()[source]
-
test_domain_segregation()[source]
Test that separate configs have segregated the domain.
Test Plan:
- Users were created in each domain as part of setup, now make sure
you can only find a given user in its relevant domain/backend
- Make sure that for a backend that supports multiple domains
you can get the users via any of its domains
-
test_get_role_grants_for_user_and_project_404()[source]
-
test_get_roles_for_user_and_project_user_group_same_id()[source]
-
test_group_enabled_ignored_disable_error()[source]
-
test_list_domains()[source]
-
test_list_domains_non_default_domain_id()[source]
-
test_list_projects_for_user_with_grants()[source]
-
test_list_users()[source]
-
test_project_enabled_ignored_disable_error()[source]
-
test_user_enabled_ignored_disable_error()[source]
-
test_user_id_comma()[source]
-
test_user_id_comma_grants()[source]
-
class keystone.tests.unit.test_backend_ldap.DomainSpecificSQLIdentity(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity
Class to test simplest use of domain-specific SQL driver.
The simplest use of an SQL domain-specific backend is when it is used to
augment the standard case when LDAP is the default driver defined in the
main config file. This would allow, for example, service users to be
stored in SQL while LDAP handles the rest. Hence we define:
- The default driver uses the LDAP backend for the default domain
- A separate SQL backend for domain1
-
config_overrides()[source]
-
get_config(domain_id)[source]
-
initial_setup()[source]
-
reload_backends(domain_id)[source]
-
test_default_sql_plus_sql_specific_driver_fails()[source]
-
test_multiple_sql_specific_drivers_fails()[source]
-
class keystone.tests.unit.test_backend_ldap.LDAPIdentity(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.TestCase
-
load_fixtures(fixtures)[source]
-
setUp()[source]
-
test_base_ldap_connection_deref_option()[source]
-
test_cache_layer_domain_crud()[source]
-
test_cache_layer_project_crud(*args, **kwargs)[source]
-
test_chase_referrals_off(*args, **keywargs)[source]
-
test_chase_referrals_on(*args, **keywargs)[source]
-
test_check_hierarchy_depth()[source]
-
test_check_leaf_projects()[source]
-
test_configurable_allowed_project_actions()[source]
-
test_configurable_forbidden_project_actions()[source]
-
test_configurable_subtree_delete()[source]
-
test_create_domain_case_sensitivity(*args, **kwargs)[source]
-
test_create_leaf_project_with_invalid_domain()[source]
-
test_create_project_under_disabled_one()[source]
-
test_create_project_with_invalid_parent()[source]
-
test_debug_level_set(*args, **keywargs)[source]
-
test_delete_hierarchical_leaf_project()[source]
-
test_delete_hierarchical_not_leaf_project()[source]
-
test_disable_hierarchical_leaf_project()[source]
-
test_disable_hierarchical_not_leaf_project()[source]
-
test_domain_crud()[source]
-
test_domain_rename_invalidates_get_domain_by_name_cache()[source]
-
test_dumb_member()[source]
-
test_enable_project_with_disabled_parent()[source]
-
test_get_default_domain_by_name()[source]
-
test_get_id_from_dn_for_multivalued_attribute_id(*args, **keywargs)[source]
-
test_hierarchical_projects_crud()[source]
-
test_id_attribute_not_found(*args, **keywargs)[source]
-
test_is_dumb_member()[source]
-
test_is_dumb_member_not_dumb()[source]
-
test_is_dumb_member_upper_case_keys()[source]
-
test_is_dumb_member_with_false_use_dumb_member()[source]
-
test_list_groups_for_user_no_dn()[source]
-
test_list_groups_no_dn()[source]
-
test_list_project_parents()[source]
-
test_list_projects_for_alternate_domain()[source]
-
test_list_projects_in_subtree()[source]
-
test_list_users_no_dn()[source]
-
test_multi_role_grant_by_user_group_on_project_domain()[source]
-
test_project_attribute_ignore()[source]
-
test_project_attribute_mapping()[source]
-
test_project_crud()[source]
-
test_project_filter()[source]
-
test_project_rename_invalidates_get_project_by_name_cache()[source]
-
test_update_project_parent()[source]
-
test_user_api_get_connection_no_user_password(*args, **keywargs)[source]
Don’t bind in case the user and password are blank.
-
test_user_enable_attribute_mask()[source]
-
test_user_enabled_attribute_handles_expired(*args, **keywargs)[source]
-
test_user_enabled_attribute_handles_utf8(*args, **keywargs)[source]
-
test_user_enabled_invert()[source]
-
test_user_enabled_invert_default_str_value(*args, **keywargs)[source]
-
test_user_enabled_invert_no_enabled_value(*args, **keywargs)[source]
-
test_user_id_attribute_in_create()[source]
-
test_user_id_attribute_map()[source]
-
test_user_id_not_in_dn(*args, **keywargs)[source]
-
test_user_mixed_case_attribute(*args, **keywargs)[source]
-
test_user_name_in_dn(*args, **keywargs)[source]
-
test_wrong_alias_dereferencing()[source]
-
test_wrong_ldap_scope()[source]
-
class keystone.tests.unit.test_backend_ldap.LDAPIdentityEnabledEmulation(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_ldap.LDAPIdentity
-
config_files()[source]
-
config_overrides()[source]
-
load_fixtures(fixtures)[source]
-
setUp()[source]
-
test_project_crud()[source]
-
test_user_auth_emulated()[source]
-
test_user_crud()[source]
-
test_user_enable_attribute_mask()[source]
-
test_user_enabled_attribute_handles_utf8(*args, **keywargs)[source]
-
test_user_enabled_invert()[source]
-
test_user_enabled_invert_default_str_value()[source]
-
test_user_enabled_invert_no_enabled_value()[source]
-
class keystone.tests.unit.test_backend_ldap.LdapFilterTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend.FilterTests, keystone.tests.unit.core.TestCase
-
clear_database()[source]
-
config_files()[source]
-
config_overrides()[source]
-
setUp()[source]
-
class keystone.tests.unit.test_backend_ldap.LdapIdentitySqlAssignment(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase
-
config_files()[source]
-
config_overrides()[source]
-
setUp()[source]
-
test_create_domain()[source]
-
test_domain_crud()[source]
-
test_get_and_remove_role_grant_by_group_and_domain()[source]
-
test_list_domains()[source]
-
test_list_domains_non_default_domain_id()[source]
-
test_project_enabled_ignored_disable_error()[source]
-
class keystone.tests.unit.test_backend_ldap.LdapIdentitySqlAssignmentWithMapping(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_ldap.LdapIdentitySqlAssignment
Class to test mapping of default LDAP backend.
The default configuration is not to enable mapping when using a single
backend LDAP driver. However, a cloud provider might want to enable
the mapping, hence hiding the LDAP IDs from any clients of keystone.
Setting backward_compatible_ids to False will enable this mapping.
-
config_overrides()[source]
-
test_dynamic_mapping_build()[source]
Test to ensure entities not created via controller are mapped.
Many LDAP backends will, essentially, be Read Only. In these cases
the mapping is not built by creating objects, rather from enumerating
the entries. We test this here by manually deleting the mapping and
then trying to re-read the entries.
-
test_get_roles_for_user_and_project_user_group_same_id()[source]
-
class keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase, keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity
Class to test common SQL plus individual LDAP backends.
We define a set of domains and domain-specific backends:
- A separate LDAP backend for the default domain
- A separate LDAP backend for domain1
- domain2 shares the same LDAP as domain1, but uses a different
tree attach point
- An SQL backend for all other domains (which will include domain3
and domain4)
Normally one would expect that the default domain would be handled as
part of the “other domains” - however the above provides better
test coverage since most of the existing backend tests use the default
domain.
-
config_overrides()[source]
-
enable_multi_domain()[source]
Enable the chosen form of multi domain configuration support.
This method enables the file-based configuration support. Child classes
that wish to use the database domain configuration support should
override this method and set the appropriate config_fixture option.
-
get_config(domain_id)[source]
-
reload_backends(domain_id)[source]
-
setUp()[source]
-
test_delete_domain_with_user_added()[source]
-
test_domain_segregation()[source]
Test that separate configs have segregated the domain.
Test Plan:
- Users were created in each domain as part of setup, now make sure
you can only find a given user in its relevant domain/backend
- Make sure that for a backend that supports multiple domains
you can get the users via any of its domains
-
test_existing_uuids_work()[source]
Test that ‘uni-domain’ created IDs still work.
Throwing the switch to domain-specific backends should not cause
existing identities to be inaccessible via ID.
-
test_group_enabled_ignored_disable_error()[source]
-
test_list_domains()[source]
-
test_list_domains_non_default_domain_id()[source]
-
test_list_users()[source]
-
test_project_enabled_ignored_disable_error()[source]
-
test_scanning_of_config_dir()[source]
Test the Manager class scans the config directory.
The setup for the main tests above loads the domain configs directly
so that the test overrides can be included. This test just makes sure
that the standard config directory scanning does pick up the relevant
domain config files.
-
test_user_enabled_ignored_disable_error()[source]
-
class keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentityDomainConfigsInSQL(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity
Class to test the use of domain configs stored in the database.
Repeat the same tests as MultiLDAPandSQLIdentity, but instead of using the
domain specific config files, store the domain specific values in the
database.
-
enable_multi_domain()[source]
-
test_domain_config_has_no_impact_if_database_support_disabled()[source]
Ensure database domain configs have no effect if disabled.
Set reading from database configs to false, restart the backends
and then try and set and use database configs.
-
test_reloading_domain_config()[source]
Ensure domain drivers are reloaded on a config modification.
-
test_setting_sql_driver_raises_exception()[source]
Ensure setting of domain specific sql driver is prevented.
-
keystone.tests.unit.test_backend_ldap.create_group_container(identity_api)[source]
keystone.tests.unit.test_backend_sql module
-
class keystone.tests.unit.test_backend_sql.DeprecatedDecorators(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests
-
test_assignment_to_resource_api()[source]
Test that calling one of the methods does call LOG.deprecated.
This method is really generic to the type of backend, but we need
one to execute the test, so the SQL backend is as good as any.
-
test_assignment_to_role_api()[source]
Test that calling one of the methods does call LOG.deprecated.
This method is really generic to the type of backend, but we need
one to execute the test, so the SQL backend is as good as any.
-
class keystone.tests.unit.test_backend_sql.FakeTable(*args, **kwargs)[source]
Bases: sqlalchemy.ext.declarative.api.Base
-
col
-
insert(*args, **kwargs)[source]
-
lookup(*args, **kwargs)[source]
-
update(*args, **kwargs)[source]
-
class keystone.tests.unit.test_backend_sql.SqlCatalog(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.CatalogTests
-
test_catalog_ignored_malformed_urls()[source]
-
test_create_endpoint_region_404()[source]
-
test_create_region_invalid_id()[source]
-
test_create_region_invalid_parent_id()[source]
-
test_delete_region_with_endpoint()[source]
-
test_get_catalog_with_empty_public_url()[source]
-
class keystone.tests.unit.test_backend_sql.SqlCredential(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests
-
setUp()[source]
-
test_list_credentials()[source]
-
test_list_credentials_for_user()[source]
-
class keystone.tests.unit.test_backend_sql.SqlDecorators(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
test_conflict_happend()[source]
-
test_initialization()[source]
-
test_initialization_fail()[source]
-
test_non_ascii_init()[source]
-
test_not_conflict_error()[source]
-
class keystone.tests.unit.test_backend_sql.SqlFilterTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.FilterTests
-
clean_up_entities()[source]
Clean up entity test data from Filter Test Cases.
-
test_filter_sql_injection_attack()[source]
Test against sql injection attack on filters
Test Plan:
- Attempt to get all entities back by passing a two-term attribute
- Attempt to piggyback filter to damage DB (e.g. drop table)
-
test_groups_for_user_filtered()[source]
-
test_list_entities_filtered_by_domain()[source]
-
class keystone.tests.unit.test_backend_sql.SqlIdentity(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.IdentityTests
-
test_create_null_project_name()[source]
-
test_create_null_user_name()[source]
-
test_create_project_case_sensitivity()[source]
-
test_create_user_case_sensitivity()[source]
-
test_delete_project_with_user_association()[source]
-
test_delete_user_with_project_association()[source]
-
test_list_domains_for_user()[source]
-
test_list_domains_for_user_with_grants()[source]
-
test_list_domains_for_user_with_inherited_grants()[source]
Test that inherited roles on the domain are excluded.
Test Plan:
- Create two domains, one user, group and role
- Domain1 is given an inherited user role, Domain2 an inherited
group role (for a group of which the user is a member)
- When listing domains for user, neither domain should be returned
-
test_metadata_removed_on_delete_project()[source]
-
test_metadata_removed_on_delete_user()[source]
-
test_password_hashed()[source]
-
test_sql_user_to_dict_null_default_project_id()[source]
This tests for backwards-compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an ‘extra’ attribute, instead
of on the entity itself; for consistency and backwards compatibility,
those attributes should be included twice.
This behavior is specific to the SQL driver.
-
class keystone.tests.unit.test_backend_sql.SqlInheritance(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.InheritanceTests
-
class keystone.tests.unit.test_backend_sql.SqlLimitTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.LimitTests
-
setUp()[source]
-
class keystone.tests.unit.test_backend_sql.SqlModels(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests
-
assertExpectedSchema(table, cols)[source]
-
select_table(name)[source]
-
test_domain_model()[source]
-
test_group_model()[source]
-
test_project_model()[source]
-
test_role_assignment_model()[source]
-
test_user_group_membership()[source]
-
test_user_model()[source]
-
class keystone.tests.unit.test_backend_sql.SqlModuleInitialization(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
test_initialize_module(*args, **keywargs)[source]
-
class keystone.tests.unit.test_backend_sql.SqlPolicy(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.PolicyTests
-
class keystone.tests.unit.test_backend_sql.SqlTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase
-
config_files()[source]
-
setUp()[source]
-
class keystone.tests.unit.test_backend_sql.SqlToken(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.TokenTests
-
test_expiry_range_batched()[source]
-
test_expiry_range_strategy_ibm_db_sa()[source]
-
test_expiry_range_strategy_mysql()[source]
-
test_expiry_range_strategy_sqlite()[source]
-
test_flush_expired_tokens_batch()[source]
-
test_flush_expired_tokens_batch_mysql()[source]
-
test_token_revocation_list_uses_right_columns()[source]
-
class keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.TokenCacheInvalidation
-
setUp()[source]
-
class keystone.tests.unit.test_backend_sql.SqlTrust(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend.TrustTests
keystone.tests.unit.test_backend_templated module
-
class keystone.tests.unit.test_backend_templated.TestTemplatedCatalog(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase, keystone.tests.unit.test_backend.CatalogTests
-
DEFAULT_FIXTURE = {'RegionOne': {'compute': {'adminURL': 'http://localhost:8774/v1.1/bar', 'id': '2', 'internalURL': 'http://localhost:8774/v1.1/bar', 'name': "'Compute Service'", 'publicURL': 'http://localhost:8774/v1.1/bar'}, 'identity': {'adminURL': 'http://localhost:35357/v2.0', 'id': '1', 'internalURL': 'http://localhost:35357/v2.0', 'name': "'Identity Service'", 'publicURL': 'http://localhost:5000/v2.0'}}}
-
assert_catalogs_equal(expected, observed)[source]
-
config_overrides()[source]
-
setUp()[source]
-
test_catalog_ignored_malformed_urls()[source]
-
test_get_catalog()[source]
-
test_get_catalog_endpoint_disabled()[source]
-
test_get_catalog_ignores_endpoints_with_invalid_urls()[source]
-
test_get_v3_catalog()[source]
-
test_get_v3_catalog_endpoint_disabled()[source]
-
test_list_regions_filtered_by_parent_region_id()[source]
-
test_service_filtering()[source]
keystone.tests.unit.test_cache module
-
class keystone.tests.unit.test_cache.CacheIsolatingProxy(*args, **kwargs)[source]
Bases: dogpile.cache.proxy.ProxyBackend
Proxy that forces a memory copy of stored values.
The default in-memory cache-region does not perform a copy on values it
is meant to cache. Therefore if the value is modified after set or after
get, the cached value also is modified. This proxy does a copy as the last
thing before storing data.
-
get(key)[source]
-
set(key, value)[source]
-
class keystone.tests.unit.test_cache.CacheNoopBackendTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
config_overrides()[source]
-
setUp()[source]
-
test_noop_backend()[source]
-
class keystone.tests.unit.test_cache.CacheRegionTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
setUp()[source]
-
test_cache_debug_proxy()[source]
-
test_cache_dictionary_config_builder()[source]
Validate we build a sane dogpile.cache dictionary config.
-
test_cache_fallthrough_expiration_time_fn()[source]
-
test_cache_no_fallthrough_expiration_time_fn()[source]
-
test_cache_region_no_error_multiple_config()[source]
-
test_configure_non_region_object_raises_error()[source]
-
test_region_built_with_proxy_direct_cache_test()[source]
-
test_should_cache_fn_global_cache_disabled()[source]
-
test_should_cache_fn_global_cache_disabled_section_cache_enabled()[source]
-
test_should_cache_fn_global_cache_enabled()[source]
-
test_should_cache_fn_global_cache_enabled_section_cache_disabled()[source]
-
test_should_cache_fn_global_cache_enabled_section_cache_enabled()[source]
-
class keystone.tests.unit.test_cache.TestProxy(*args, **kwargs)[source]
Bases: dogpile.cache.proxy.ProxyBackend
-
get(key)[source]
-
class keystone.tests.unit.test_cache.TestProxyValue(value)[source]
Bases: object
keystone.tests.unit.test_cache_backend_mongo module
-
class keystone.tests.unit.test_cache_backend_mongo.MockCollection(db, name)[source]
Bases: object
-
ensure_index(key_or_list, *args, **kwargs)[source]
-
find(spec=None, *args, **kwargs)[source]
-
find_and_modify(spec, document, upsert=False, **kwargs)[source]
-
find_one(spec_or_id=None, *args, **kwargs)[source]
-
index_information()[source]
-
insert(data, manipulate=True, **kwargs)[source]
-
remove(spec_or_id=None, search_filter=None)[source]
Remove objects matching spec_or_id from the collection.
-
save(data, manipulate=True, **kwargs)[source]
-
update(spec, document, upsert=False, **kwargs)[source]
-
class keystone.tests.unit.test_cache_backend_mongo.MockCursor(collection, dataset_factory)[source]
Bases: object
-
next()
-
class keystone.tests.unit.test_cache_backend_mongo.MockMongoClient(*args, **kwargs)[source]
Bases: object
-
class keystone.tests.unit.test_cache_backend_mongo.MockMongoDB(dbname)[source]
Bases: object
-
add_son_manipulator(manipulator)[source]
-
authenticate(username, password)[source]
-
class keystone.tests.unit.test_cache_backend_mongo.MongoCache(*args, **kwds)[source]
Bases: keystone.tests.unit.core.BaseTestCase
-
setUp()[source]
-
test_additional_crud_method_arguments_support()[source]
Additional arguments should work across find/insert/update.
-
test_backend_delete_data()[source]
-
test_backend_get_missing_data()[source]
-
test_backend_multi_delete_data()[source]
-
test_backend_multi_get_data()[source]
-
test_backend_multi_set_data()[source]
-
test_backend_multi_set_get_with_blanks_none()[source]
-
test_backend_multi_set_should_update_existing()[source]
-
test_backend_set_blank_as_data()[source]
-
test_backend_set_data()[source]
-
test_backend_set_data_with_int_as_valid_ttl()[source]
-
test_backend_set_data_with_string_as_valid_ttl()[source]
-
test_backend_set_none_as_data()[source]
-
test_backend_set_same_key_multiple_times()[source]
-
test_cache_configuration_values_assertion()[source]
-
test_correct_read_preference()[source]
-
test_correct_write_concern()[source]
-
test_incorrect_mongo_ttl_seconds()[source]
-
test_incorrect_read_preference()[source]
-
test_incorrect_write_concern()[source]
-
test_missing_cache_collection_name()[source]
-
test_missing_db_hosts()[source]
-
test_missing_db_name()[source]
-
test_missing_replica_set_name()[source]
-
test_multiple_region_cache_configuration()[source]
-
test_provided_replica_set_name()[source]
-
test_typical_configuration()[source]
-
class keystone.tests.unit.test_cache_backend_mongo.MyTransformer[source]
Bases: keystone.common.cache.backends.mongo.BaseTransform
Added here just to check manipulator logic is used correctly.
-
transform_incoming(son, collection)[source]
-
transform_outgoing(son, collection)[source]
-
keystone.tests.unit.test_cache_backend_mongo.get_collection(db_name, collection_name)[source]
-
keystone.tests.unit.test_cache_backend_mongo.pymongo_override()[source]
keystone.tests.unit.test_contrib_ec2 module
-
class keystone.tests.unit.test_contrib_ec2.TestCredentialEc2(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
setUp()[source]
-
test_signature_validate_invalid_signature()[source]
Signature is not signed on the correct data.
-
test_signature_validate_no_host_port()[source]
Test signature validation with the access/secret provided.
-
test_signature_validate_no_signature()[source]
Signature is not presented in signature reference data.
-
test_signature_validate_with_host_port()[source]
Test signature validation when host is bound with port.
Host is bound with a port. Generally, the port here is not the
standard port for the protocol (like ‘80’ for HTTP and port 443
for HTTPS), and the port is not omitted by the client library.
-
test_signature_validate_with_missed_host_port()[source]
Test signature validation when host is bound with well-known port.
Host is bound with a port, but the port is a well-known port like ‘80’
for HTTP and port 443 for HTTPS. Sometimes the client library omits
the port but then makes the request with the port.
See (How to create the string to sign):
‘http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html’.
Since “credentials[‘host’]” is not set by the client library but is
taken from “req.host”, this causes the differences.
keystone.tests.unit.test_ec2_token_middleware module
-
class keystone.tests.unit.test_ec2_token_middleware.EC2TokenMiddlewareTestBase(*args, **kwds)[source]
Bases: keystone.tests.unit.core.BaseTestCase
-
test_symbols()[source]
Verify ec2 middleware symbols.
Verify that the keystone version of ec2_token middleware forwards the
public symbols from the keystonemiddleware version of the ec2_token
middleware for backwards compatibility.
keystone.tests.unit.test_exception module
-
class keystone.tests.unit.test_exception.ExceptionTestCase(*args, **kwds)[source]
Bases: keystone.tests.unit.core.BaseTestCase
-
assertValidJsonRendering(e)[source]
-
test_403_title()[source]
-
test_all_json_renderings()[source]
Everything callable in the exception module should be renderable.
... except for the base error class (exception.Error), which is not
user-facing.
This test provides a custom message to bypass docstring parsing, which
should be tested separately.
-
test_invalid_unicode_string()[source]
-
test_not_found()[source]
-
test_unicode_message()[source]
-
test_unicode_string()[source]
-
test_validation_error()[source]
-
class keystone.tests.unit.test_exception.SecurityErrorTestCase(*args, **kwds)[source]
Bases: keystone.tests.unit.test_exception.ExceptionTestCase
Tests whether security-related info is exposed to the API user.
-
setUp()[source]
-
test_forbidden_action_exposure()[source]
-
test_forbidden_action_exposure_in_debug()[source]
-
test_forbidden_exposure()[source]
-
test_forbidden_exposure_in_debug()[source]
-
test_unauthorized_exposure()[source]
-
test_unauthorized_exposure_in_debug()[source]
-
test_unicode_argument_message()[source]
-
class keystone.tests.unit.test_exception.UnexpectedExceptionTestCase(*args, **kwds)[source]
Bases: keystone.tests.unit.test_exception.ExceptionTestCase
Tests if internal info is exposed to the API user on UnexpectedError.
-
exception SubClassExc(message=None, **kwargs)[source]
Bases: keystone.exception.UnexpectedError
-
debug_message_format = 'Debug Message: %(debug_info)s'
-
UnexpectedExceptionTestCase.setUp()[source]
-
UnexpectedExceptionTestCase.test_unexpected_error_custom_message_debug()[source]
-
UnexpectedExceptionTestCase.test_unexpected_error_custom_message_no_debug()[source]
-
UnexpectedExceptionTestCase.test_unexpected_error_debug()[source]
-
UnexpectedExceptionTestCase.test_unexpected_error_no_debug()[source]
-
UnexpectedExceptionTestCase.test_unexpected_error_subclass_debug()[source]
-
UnexpectedExceptionTestCase.test_unexpected_error_subclass_no_debug()[source]
keystone.tests.unit.test_hacking_checks module
-
class keystone.tests.unit.test_hacking_checks.BaseStyleCheck(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
-
assert_has_errors(code, expected_errors=None)[source]
-
get_checker()[source]
Returns the checker to be used for tests in this class.
-
get_fixture()[source]
-
run_check(*args, **keywargs)[source]
-
setUp()[source]
-
class keystone.tests.unit.test_hacking_checks.TestAssertingNoneEquality(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
get_checker()[source]
-
test()[source]
Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
class keystone.tests.unit.test_hacking_checks.TestCheckForDebugLoggingIssues(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
get_checker()[source]
-
test_for_translations()[source]
-
class keystone.tests.unit.test_hacking_checks.TestCheckForMutableDefaultArgs(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
get_checker()[source]
-
test()[source]
-
class keystone.tests.unit.test_hacking_checks.TestCheckForNonDebugLoggingIssues(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
assert_has_errors(code, expected_errors=None)[source]
-
get_checker()[source]
-
get_fixture()[source]
-
test_for_translations()[source]
-
class keystone.tests.unit.test_hacking_checks.TestCheckOsloNamespaceImports(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
get_checker()[source]
-
test()[source]
-
class keystone.tests.unit.test_hacking_checks.TestDictConstructorWithSequenceCopy(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
-
get_checker()[source]
-
test()[source]
keystone.tests.unit.test_kvs module
-
class keystone.tests.unit.test_kvs.KVSBackendFixture(arguments)[source]
Bases: keystone.common.kvs.backends.inmemdb.MemoryBackend
-
get_mutex(key)[source]
-
classmethod key_mangler(key)[source]
-
class keystone.tests.unit.test_kvs.KVSBackendForcedKeyMangleFixture(arguments)[source]
Bases: keystone.tests.unit.test_kvs.KVSBackendFixture
-
classmethod key_mangler(key)[source]
-
use_backend_key_mangler = True
-
class keystone.tests.unit.test_kvs.KVSTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
setUp()[source]
-
test_kvs_backend_registration_does_not_reregister_backends()[source]
-
test_kvs_basic_configuration()[source]
-
test_kvs_basic_get_set_delete()[source]
-
test_kvs_key_mangler_configuration_backend()[source]
-
test_kvs_key_mangler_configuration_disabled()[source]
-
test_kvs_key_mangler_configuration_forced_backend()[source]
-
test_kvs_key_mangler_fallthrough_default()[source]
-
test_kvs_key_mangler_set_on_backend()[source]
-
test_kvs_locking_context_handler()[source]
-
test_kvs_locking_context_handler_locking_disabled()[source]
-
test_kvs_memcache_key_mangler_set_to_none()[source]
-
test_kvs_memcache_manager_no_expiry_keys()[source]
-
test_kvs_memcache_set_arguments_and_memcache_expires_ttl()[source]
-
test_kvs_memcached_manager_invalid_dogpile_memcached_backend()[source]
-
test_kvs_memcached_manager_valid_dogpile_memcached_backend()[source]
-
test_kvs_multi_get_set_delete()[source]
-
test_kvs_proxy_configuration()[source]
-
test_kvs_with_lock_action_context_manager()[source]
-
test_kvs_with_lock_action_context_manager_no_lock()[source]
-
test_kvs_with_lock_action_context_manager_timeout()[source]
-
test_kvs_with_lock_action_mismatched_keys()[source]
-
test_memcached_lock_max_lock_attempts()[source]
-
test_noncallable_key_mangler_set_on_driver_raises_type_error()[source]
-
class keystone.tests.unit.test_kvs.MutexFixture(storage_dict, key, timeout)[source]
Bases: object
-
acquire(wait=True)[source]
-
release()[source]
-
class keystone.tests.unit.test_kvs.RegionProxy2Fixture(*args, **kwargs)[source]
Bases: dogpile.cache.proxy.ProxyBackend
A test dogpile.cache proxy that does nothing.
-
class keystone.tests.unit.test_kvs.RegionProxyFixture(*args, **kwargs)[source]
Bases: dogpile.cache.proxy.ProxyBackend
A test dogpile.cache proxy that does nothing.
-
class keystone.tests.unit.test_kvs.TestMemcacheDriver(arguments)[source]
Bases: dogpile.cache.api.CacheBackend
A test dogpile.cache backend that conforms to the mixin-mechanism for
overriding set and set_multi methods on dogpile memcached drivers.
-
set(key, value)[source]
-
set_multi(mapping)[source]
-
class test_client[source]
Bases: object
-
add(key, value, expiry_time)[source]
-
delete(key)[source]
-
set(key, value, **set_arguments)[source]
-
set_multi(mapping, **set_arguments)[source]
-
class keystone.tests.unit.test_kvs.TestMemcachedBackend(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
test_invalid_backend_fails_initialization(*args, **keywargs)[source]
keystone.tests.unit.test_singular_plural module
-
class keystone.tests.unit.test_singular_plural.TestSingularPlural[source]
Bases: object
-
test_keyword_arg_condition_or_methods()[source]
Raise if we see a keyword arg called ‘condition’ or ‘methods’.
keystone.tests.unit.test_sql_migrate_extensions module
To run these tests against a live database:
Modify the file keystone/tests/unit/config_files/backend_sql.conf to use
the connection for your live database.
Set up a blank, live database.
Run the tests using:
tox -e py27 -- keystone.tests.unit.test_sql_migrate_extensions
WARNING:
Your database will be wiped.
Do not do this against a database with valuable data as
all data will be lost.
-
class keystone.tests.unit.test_sql_migrate_extensions.EndpointFilterExtension(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
repo_package()[source]
-
test_upgrade()[source]
-
upgrade(version)[source]
-
class keystone.tests.unit.test_sql_migrate_extensions.EndpointPolicyExtension(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
repo_package()[source]
-
test_upgrade()[source]
-
class keystone.tests.unit.test_sql_migrate_extensions.FederationExtension(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
Test class for ensuring the Federation SQL.
-
insert_dict(session, table_name, d)[source]
Naively inserts key-value pairs into a table, given a dictionary.
-
repo_package()[source]
-
setUp()[source]
-
test_add_relay_state_column()[source]
-
test_fixup_service_provider_attributes()[source]
-
test_service_provider_attributes_cannot_be_null()[source]
-
test_upgrade()[source]
-
class keystone.tests.unit.test_sql_migrate_extensions.RevokeExtension(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
repo_package()[source]
-
test_upgrade()[source]
-
class keystone.tests.unit.test_sql_migrate_extensions.SqlUpgradeExampleExtension(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
repo_package()[source]
-
test_upgrade()[source]
-
class keystone.tests.unit.test_sql_migrate_extensions.SqlUpgradeOAuth1Extension(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
repo_package()[source]
-
test_upgrade()[source]
-
upgrade(version)[source]
keystone.tests.unit.test_sql_upgrade module
To run these tests against a live database:
Modify the file keystone/tests/unit/config_files/backend_sql.conf to use
the connection for your live database.
Set up a blank, live database.
Run the tests using:
tox -e py27 -- keystone.tests.unit.test_sql_upgrade
WARNING:
Your database will be wiped.
Do not do this against a database with valuable data as
all data will be lost.
-
class keystone.tests.unit.test_sql_upgrade.SqlMigrateBase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase
-
assertTableColumns(table_name, expected_cols)[source]
Asserts that the table contains the expected set of columns.
-
assertTableDoesNotExist(table_name)[source]
Asserts that a given table cannot be selected by name.
-
assertTableExists(table_name)[source]
-
config_files()[source]
-
initial_db_version[source]
-
initialize_sql()[source]
-
repo_package()[source]
-
select_table(name)[source]
-
setUp()[source]
-
tearDown()[source]
-
upgrade(*args, **kwargs)[source]
-
class keystone.tests.unit.test_sql_upgrade.SqlUpgradeTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
check_initial_table_structure()[source]
-
does_fk_exist(table, fk_column)[source]
-
insert_dict(session, table_name, d, table=None)[source]
Naively inserts key-value pairs into a table, given a dictionary.
-
populate_tenant_table(with_desc_enab=False, with_desc_enab_domain=False)[source]
-
populate_user_table(with_pass_enab=False, with_pass_enab_domain=False)[source]
-
test_add_actor_id_index()[source]
-
test_add_domain_config()[source]
-
test_blank_db_to_start()[source]
-
test_domain_fk()[source]
-
test_drop_assignment_role_fk()[source]
-
test_drop_assignment_role_id_index_mysql()[source]
-
test_drop_region_url_upgrade()[source]
-
test_endpoint_region_migration()[source]
-
test_endpoint_region_upgrade_columns()[source]
-
test_fixup_service_name_value_upgrade()[source]
Update service name data from extra to empty string.
-
test_id_mapping()[source]
-
test_project_parent_id_upgrade()[source]
-
test_region_url_upgrade()[source]
-
test_start_version_db_init_version()[source]
-
test_token_user_id_and_trust_id_index_upgrade()[source]
-
test_upgrade_add_initial_tables()[source]
-
class keystone.tests.unit.test_sql_upgrade.VersionTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
-
test_assert_not_schema_downgrade()[source]
-
test_core_initial()[source]
When getting the version before migrating, it’s the initial DB version.
-
test_core_max()[source]
When getting the version after upgrading, it’s the new version.
-
test_extension_federation_upgraded_values()[source]
-
test_extension_initial()[source]
When getting the initial version of an extension, it’s 0.
-
test_extension_migrated()[source]
When getting the version after migrating an extension, it’s not 0.
-
test_extension_not_controlled()[source]
When getting the version before controlling, raises DbMigrationError.
-
test_initial_with_extension_version_None()[source]
When performing a default migration, also migrate extensions.
-
test_initial_with_extension_version_max()[source]
When migrating to max version, do not migrate extensions.
-
test_unexpected_extension()[source]
The version for an extension that doesn’t exist raises ImportError.
-
test_unversioned_extension()[source]
The version for extensions without migrations raises an exception.
keystone.tests.unit.test_ssl module
-
class keystone.tests.unit.test_ssl.SSLTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
get_HTTPSConnection(*args)[source]
Simple helper to configure HTTPSConnection objects.
-
setUp()[source]
-
test_1way_ssl_ok()[source]
Make sure both public and admin API work with 1-way SSL.
-
test_1way_ssl_with_ipv6_ok()[source]
Make sure both public and admin API work with 1-way ipv6 & SSL.
-
test_2way_ssl_fail()[source]
Expect to fail when client does not present proper certificate.
-
test_2way_ssl_ok()[source]
Make sure both public and admin API work with 2-way SSL.
Requires client certificate.
-
test_2way_ssl_with_ipv6_ok()[source]
Make sure both public and admin API work with 2-way ipv6 & SSL.
Requires client certificate.
keystone.tests.unit.test_token_bind module
-
class keystone.tests.unit.test_token_bind.BindTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
Test binding tokens to a Principal.
Even though everything in this file references kerberos the same concepts
will apply to all future binding mechanisms.
-
assert_kerberos_bind(tokens, bind_level, use_kerberos=True, success=True)[source]
-
setUp()[source]
-
test_bind_disabled_with_kerb_user()[source]
-
test_bind_named_with_kerb_user()[source]
-
test_bind_named_with_regular_token()[source]
-
test_bind_named_with_unknown_bind()[source]
-
test_bind_named_with_unknown_scheme()[source]
-
test_bind_named_without_kerb_user()[source]
-
test_bind_permissive_with_kerb_user()[source]
-
test_bind_permissive_with_regular_token()[source]
-
test_bind_permissive_with_unknown_bind()[source]
-
test_bind_permissive_without_kerb_user()[source]
-
test_bind_required_with_kerb_user()[source]
-
test_bind_required_with_regular_token()[source]
-
test_bind_required_with_unknown_bind()[source]
-
test_bind_required_without_kerb_user()[source]
-
test_bind_strict_with_kerb_user()[source]
-
test_bind_strict_with_regular_token()[source]
-
test_bind_strict_with_unknown_bind()[source]
-
test_bind_strict_without_kerb_user()[source]
keystone.tests.unit.test_url_middleware module
-
class keystone.tests.unit.test_url_middleware.FakeApp[source]
Bases: object
Fakes a WSGI app URL normalized.
-
class keystone.tests.unit.test_url_middleware.UrlMiddlewareTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
setUp()[source]
-
start_fake_response(status, headers)[source]
-
test_rewrite_empty_path()[source]
Tests empty path is rewritten to root.
-
test_trailing_slash_normalization()[source]
Tests /v2.0/tokens and /v2.0/tokens/ normalized URLs match.
keystone.tests.unit.test_v2 module
-
class keystone.tests.unit.test_v2.CoreApiTests[source]
Bases: object
-
assertNoRoles(r)[source]
Helper method to assert No Roles
This needs to be overridden by child classes
based on their content type.
-
assertValidError(error)[source]
-
assertValidExtension(extension)[source]
-
assertValidExtensionLink(link)[source]
-
assertValidRole(tenant)[source]
-
assertValidTenant(tenant)[source]
-
assertValidUser(user)[source]
-
assertValidVersion(version)[source]
-
test_admin_extensions()[source]
-
test_admin_extensions_404()[source]
-
test_admin_multiple_choice()[source]
-
test_admin_not_found()[source]
-
test_admin_osksadm_extension()[source]
-
test_admin_version()[source]
-
test_authenticate()[source]
-
test_authenticate_unscoped()[source]
-
test_authenticating_a_user_with_no_password()[source]
-
test_create_update_user_invalid_enabled_type()[source]
-
test_create_update_user_valid_enabled_type()[source]
-
test_endpoints()[source]
-
test_error_response()[source]
This triggers assertValidErrorResponse by convention.
-
test_get_tenant()[source]
-
test_get_tenant_by_name()[source]
-
test_get_tenants_for_token()[source]
-
test_get_user()[source]
-
test_get_user_by_name()[source]
-
test_get_user_roles_with_tenant()[source]
-
test_invalid_parameter_error_response()[source]
-
test_invalid_token_404()[source]
-
test_public_extensions()[source]
-
test_public_multiple_choice()[source]
-
test_public_not_found()[source]
-
test_public_osksadm_extension_404()[source]
-
test_public_version()[source]
-
test_remove_role_revokes_token()[source]
-
test_update_user_tenant()[source]
-
test_update_user_with_invalid_tenant()[source]
-
test_update_user_with_invalid_tenant_no_prev_tenant()[source]
-
test_update_user_with_old_tenant()[source]
-
test_validate_token()[source]
-
test_validate_token_belongs_to()[source]
-
test_validate_token_head()[source]
The same call as above, except using HEAD.
There’s no response to validate here, but this is included for the
sake of completely covering the core API.
-
test_validate_token_no_belongs_to_still_returns_catalog()[source]
-
test_validate_token_service_role()[source]
-
class keystone.tests.unit.test_v2.LegacyV2UsernameTests[source]
Bases: object
Tests to show the broken username behavior in V2.
The V2 API is documented to use username instead of name. The
API used to force the use of name and left the username to fall into the
extra field.
These tests ensure this behavior works so fixes to username/name
will be backward compatible.
-
create_user(**user_attrs)[source]
Creates a user and returns the response object.
Parameters: | user_attrs – attributes added to the request body (optional) |
The response for creating a user will contain the extra fields.
The response for getting a user will contain the extra fields.
-
test_update_returns_new_username_when_adding_username()[source]
The response for updating a user will contain the extra fields.
This is specifically testing for updating a username when a value
was not previously set.
-
test_update_returns_new_username_when_updating_username()[source]
The response for updating a user will contain the extra fields.
This tests updating a username that was previously set.
-
test_updated_username_is_returned()[source]
Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username
and not name.
-
test_username_can_be_used_instead_of_name_create()[source]
-
test_username_can_be_used_instead_of_name_update()[source]
-
test_username_is_always_returned_create()[source]
Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username
and not name.
-
test_username_is_always_returned_get()[source]
Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username
and not name.
-
test_username_is_always_returned_get_by_name()[source]
Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username
and not name.
-
test_username_is_always_returned_update_no_username_provided()[source]
Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username
and not name.
-
class keystone.tests.unit.test_v2.RestfulTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.rest.RestfulTestCase
-
setUp()[source]
-
class keystone.tests.unit.test_v2.RevokeApiTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v2.V2TestCase
-
config_overrides()[source]
-
test_fetch_revocation_list_admin_200()[source]
-
test_fetch_revocation_list_md5()[source]
-
test_fetch_revocation_list_sha256()[source]
-
class keystone.tests.unit.test_v2.TestFernetTokenProviderV2(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v2.RestfulTestCase
-
config_overrides()[source]
-
new_project_ref()[source]
-
setUp()[source]
-
test_authenticate_scoped_token()[source]
-
test_authenticate_unscoped_token()[source]
-
test_token_authentication_and_validation()[source]
Test token authentication for Fernet token provider.
Verify that token authentication returns a valid response code and
that the valid token belongs to the project.
-
test_validate_scoped_token()[source]
-
test_validate_unscoped_token()[source]
-
class keystone.tests.unit.test_v2.V2TestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v2.RestfulTestCase, keystone.tests.unit.test_v2.CoreApiTests, keystone.tests.unit.test_v2.LegacyV2UsernameTests
-
assertNoRoles(r)[source]
-
assertValidAuthenticationResponse(r, require_service_catalog=False)[source]
-
assertValidEndpointListResponse(r)[source]
-
assertValidErrorResponse(r)[source]
-
assertValidExtension(extension, expected)[source]
-
assertValidExtensionListResponse(r, expected)[source]
-
assertValidExtensionResponse(r, expected)[source]
-
assertValidMultipleChoiceResponse(r)[source]
-
assertValidRevocationListResponse(response)[source]
-
assertValidRoleListResponse(r)[source]
-
assertValidTenantListResponse(r)[source]
-
assertValidTenantResponse(r)[source]
-
assertValidUser(user)[source]
-
assertValidUserResponse(r)[source]
-
assertValidVersion(version)[source]
-
assertValidVersionResponse(r)[source]
-
get_user_attribute_from_response(r, attribute_name)[source]
-
get_user_from_response(r)[source]
-
test_authenticating_a_user_with_an_OSKSADM_password()[source]
-
test_create_update_user_invalid_enabled_type()[source]
-
test_fetch_revocation_list_admin_200()[source]
-
test_fetch_revocation_list_md5()[source]
If the server is configured for md5, then the revocation list has
tokens hashed with MD5.
-
test_fetch_revocation_list_nonadmin_fails()[source]
-
test_fetch_revocation_list_sha256()[source]
If the server is configured for sha256, then the revocation list has
tokens hashed with SHA256.
-
test_service_crud_requires_auth()[source]
Service CRUD should 401 without an X-Auth-Token (bug 1006822).
-
test_updating_a_user_with_an_OSKSADM_password()[source]
-
test_user_role_list_requires_auth()[source]
User role list should 401 without an X-Auth-Token (bug 1006815).
keystone.tests.unit.test_v2_controller module
-
class keystone.tests.unit.test_v2_controller.TenantTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
Tests for the V2 Tenant controller.
These tests exercise keystone.assignment.controllers.Tenant.
-
setUp()[source]
-
test_get_project_users_no_user()[source]
get_project_users when user doesn’t exist.
When a user that’s not known to identity has a role on a project,
then get_project_users just skips that user.
-
test_list_projects_default_domain()[source]
Test that list projects only returns those in the default domain.
keystone.tests.unit.test_v3 module
-
class keystone.tests.unit.test_v3.AuthContextMiddlewareTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
test_admin_token_auth_context()[source]
-
test_auth_context_build_by_middleware()[source]
-
test_auth_context_override()[source]
-
class keystone.tests.unit.test_v3.AuthTestMixin[source]
Bases: object
To hold auth building helper functions.
-
build_auth_scope(project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, domain_id=None, domain_name=None, trust_id=None, unscoped=None)[source]
-
build_authentication_request(token=None, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, kerberos=False, **kwargs)[source]
Build auth dictionary.
It will create an auth dictionary based on all the arguments
that it receives.
-
build_password_auth(user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None)[source]
-
build_token_auth(token)[source]
-
class keystone.tests.unit.test_v3.JsonHomeTestMixin[source]
Bases: object
JSON Home test
Mixin this class to provide a test for the JSON-Home response for an
extension.
The base class must set JSON_HOME_DATA to a dict of relationship URLs
(rels) to the JSON-Home data for the relationship. The rels and associated
data must be in the response.
-
test_get_json_home()[source]
-
class keystone.tests.unit.test_v3.RestfulTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.rest.RestfulTestCase, keystone.tests.unit.test_v3.AuthTestMixin
-
assertDictContainsSubset(expected, actual)[source]
Asserts if dictionary actual is a superset of expected.
Tests whether the key/value pairs in dictionary actual are a superset
of those in expected.
-
assertEqualTokens(a, b)[source]
Assert that two tokens are equal.
Compare two tokens except for their ids. This also truncates
the time in the comparison.
-
assertRoleAssignmentInListResponse(resp, ref, expected=1)[source]
-
assertRoleAssignmentNotInListResponse(resp, ref)[source]
-
assertValidCatalog(entity)[source]
-
assertValidCatalogResponse(resp, *args, **kwargs)[source]
-
assertValidCredential(entity, ref=None)[source]
-
assertValidCredentialListResponse(resp, *args, **kwargs)[source]
-
assertValidCredentialResponse(resp, *args, **kwargs)[source]
-
assertValidDomain(entity, ref=None)[source]
-
assertValidDomainListResponse(resp, *args, **kwargs)[source]
-
assertValidDomainResponse(resp, *args, **kwargs)[source]
-
assertValidDomainScopedTokenResponse(r, *args, **kwargs)[source]
-
assertValidEndpoint(entity, ref=None)[source]
-
assertValidEndpointListResponse(resp, *args, **kwargs)[source]
-
assertValidEndpointResponse(resp, *args, **kwargs)[source]
-
assertValidEntity(entity, ref=None, keys_to_check=None)[source]
Make assertions common to all API entities.
If a reference is provided, the entity will also be compared against
the reference.
-
assertValidErrorResponse(r)[source]
-
assertValidGroup(entity, ref=None)[source]
-
assertValidGroupListResponse(resp, *args, **kwargs)[source]
-
assertValidGroupResponse(resp, *args, **kwargs)[source]
-
assertValidISO8601ExtendedFormatDatetime(dt)[source]
-
assertValidListLinks(links, resource_url=None)[source]
-
assertValidListResponse(resp, key, entity_validator, ref=None, expected_length=None, keys_to_check=None, resource_url=None)[source]
Make assertions common to all API list responses.
If a reference is provided, its ID will be searched for in the
response, and asserted to be equal.
-
assertValidPolicy(entity, ref=None)[source]
-
assertValidPolicyListResponse(resp, *args, **kwargs)[source]
-
assertValidPolicyResponse(resp, *args, **kwargs)[source]
-
assertValidProject(entity, ref=None)[source]
-
assertValidProjectListResponse(resp, *args, **kwargs)[source]
-
assertValidProjectResponse(resp, *args, **kwargs)[source]
-
assertValidProjectScopedTokenResponse(r, *args, **kwargs)[source]
-
assertValidProjectTrustScopedTokenResponse(r, *args, **kwargs)[source]
-
assertValidRegion(entity, ref=None)[source]
-
assertValidRegionListResponse(resp, *args, **kwargs)[source]
-
assertValidRegionResponse(resp, *args, **kwargs)[source]
-
assertValidResponse(resp, key, entity_validator, *args, **kwargs)[source]
Make assertions common to all API responses.
-
assertValidRole(entity, ref=None)[source]
-
assertValidRoleAssignment(entity, ref=None)[source]
-
assertValidRoleAssignmentListResponse(resp, expected_length=None, resource_url=None)[source]
-
assertValidRoleListResponse(resp, *args, **kwargs)[source]
-
assertValidRoleResponse(resp, *args, **kwargs)[source]
-
assertValidScopedTokenResponse(r, *args, **kwargs)[source]
-
assertValidService(entity, ref=None)[source]
-
assertValidServiceListResponse(resp, *args, **kwargs)[source]
-
assertValidServiceResponse(resp, *args, **kwargs)[source]
-
assertValidTokenResponse(r, user=None)[source]
-
assertValidTrust(entity, ref=None, summary=False)[source]
-
assertValidTrustListResponse(resp, *args, **kwargs)[source]
-
assertValidTrustResponse(resp, *args, **kwargs)[source]
-
assertValidTrustSummary(entity, ref=None)[source]
-
assertValidUnscopedTokenResponse(r, *args, **kwargs)[source]
-
assertValidUser(entity, ref=None)[source]
-
assertValidUserListResponse(resp, *args, **kwargs)[source]
-
assertValidUserResponse(resp, *args, **kwargs)[source]
-
build_external_auth_request(remote_user, remote_domain=None, auth_data=None, kerberos=False)[source]
-
config_files()[source]
-
create_new_default_project_for_user(user_id, domain_id, enable_project=True)[source]
-
delete(path, **kwargs)[source]
-
generate_paste_config()[source]
-
get(path, **kwargs)[source]
-
get_extensions()[source]
-
get_requested_token(auth)[source]
Request the specific token we want.
-
get_scoped_token()[source]
Convenience method so that we can test authenticated requests.
-
head(path, **kwargs)[source]
-
load_backends()[source]
-
load_fixtures(fixtures)[source]
-
load_sample_data()[source]
-
new_credential_ref(user_id, project_id=None, cred_type=None)[source]
-
new_domain_ref()[source]
-
new_endpoint_ref(service_id, interface='public', **kwargs)[source]
-
new_group_ref(domain_id)[source]
-
new_policy_ref()[source]
-
new_project_ref(domain_id, parent_id=None)[source]
-
new_ref()[source]
Populates a ref with attributes common to all API entities.
-
new_region_ref()[source]
-
new_role_ref()[source]
-
new_service_ref()[source]
-
new_trust_ref(trustor_user_id, trustee_user_id, project_id=None, impersonation=None, expires=None, role_ids=None, role_names=None, remaining_uses=None, allow_redelegation=False)[source]
-
new_user_ref(domain_id, project_id=None)[source]
-
patch(path, **kwargs)[source]
-
post(path, **kwargs)[source]
-
put(path, **kwargs)[source]
-
remove_generated_paste_config()[source]
-
setUp(app_conf='keystone')[source]
Setup for v3 Restful Test Cases.
-
v3_authenticate_token(auth, expected_status=201)[source]
-
v3_noauth_request(path, **kwargs)[source]
-
v3_request(path, **kwargs)[source]
-
class keystone.tests.unit.test_v3.VersionTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
test_get_version()[source]
keystone.tests.unit.test_v3_assignment module
-
class keystone.tests.unit.test_v3_assignment.AssignmentInheritanceDisabledTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test inheritance crud and its effects.
-
config_overrides()[source]
-
test_crud_inherited_role_grants_failed_if_disabled()[source]
-
class keystone.tests.unit.test_v3_assignment.AssignmentInheritanceTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test inheritance crud and its effects.
-
config_overrides()[source]
-
test_crud_user_inherited_domain_role_grants()[source]
-
test_filtered_role_assignments_for_inherited_grants()[source]
Call GET /role_assignments?scope.OS-INHERIT:inherited_to.
Test Plan:
- Create 5 roles
- Create a domain with a user, group and two projects
- Assign three direct spoiler roles to projects
- Issue the URL to add an inherited user role to the domain
- Issue the URL to add an inherited group role to the domain
- Issue the URL to filter by inherited roles - this should
return just the 2 inherited roles.
-
test_get_effective_role_assignments_for_project_hierarchy()[source]
Call GET /role_assignments?effective.
Test Plan:
- Create 2 roles
- Create a hierarchy of projects with one root and one leaf project
- Issue the URL to add a non-inherited user role to the root project
- Issue the URL to add an inherited user role to the root project
- Issue the URL to get effective role assignments - this should return
1 role (non-inherited) on the root project and 1 role (inherited) on
the leaf project.
-
test_get_inherited_role_assignments_for_project_hierarchy()[source]
Call GET /role_assignments?scope.OS-INHERIT:inherited_to.
Test Plan:
- Create 2 roles
- Create a hierarchy of projects with one root and one leaf project
- Issue the URL to add a non-inherited user role to the root project
- Issue the URL to add an inherited user role to the root project
- Issue the URL to filter inherited to projects role assignments - this
should return 1 role (inherited) on the root project.
-
test_get_role_assignments_for_project_hierarchy()[source]
Call GET /role_assignments.
Test Plan:
- Create 2 roles
- Create a hierarchy of projects with one root and one leaf project
- Issue the URL to add a non-inherited user role to the root project
- Issue the URL to add an inherited user role to the root project
- Issue the URL to get all role assignments - this should return just
2 roles (non-inherited and inherited) in the root project.
-
test_get_token_from_inherited_group_domain_role_grants()[source]
-
test_get_token_from_inherited_group_project_role_grants()[source]
-
test_get_token_from_inherited_user_domain_role_grants()[source]
-
test_get_token_from_inherited_user_project_role_grants()[source]
-
test_list_role_assignments_for_disabled_inheritance_extension()[source]
Call GET /role_assignments with inherited domain grants.
Test Plan:
- Issue the URL to add inherited role to the domain
- Issue the URL to check effective roles on project include the
inherited role
- Disable the extension
- Re-check the effective roles, proving the inherited role no longer
shows up.
-
test_list_role_assignments_for_inherited_domain_grants()[source]
Call GET /role_assignments with inherited domain grants.
Test Plan:
- Create 4 roles
- Create a domain with a user and two projects
- Assign two direct roles to project1
- Assign a spoiler role to project2
- Issue the URL to add inherited role to the domain
- Issue the URL to check it is indeed on the domain
- Issue the URL to check effective roles on project1 - this
should return 3 roles.
-
test_list_role_assignments_for_inherited_group_domain_grants()[source]
Call GET /role_assignments with inherited group domain grants.
Test Plan:
- Create 4 roles
- Create a domain with a user and two projects
- Assign two direct roles to project1
- Assign a spoiler role to project2
- Issue the URL to add inherited role to the domain
- Issue the URL to check it is indeed on the domain
- Issue the URL to check effective roles on project1 - this
should return 3 roles.
-
class keystone.tests.unit.test_v3_assignment.AssignmentTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test domains, projects, roles and role assignments.
-
setUp()[source]
-
test_check_effective_values_for_role_assignments()[source]
Call GET /role_assignments?effective=value.
Check the various ways of specifying the ‘effective’
query parameter. If the ‘effective’ query parameter
is included then this should always be treated as meaning ‘True’
unless it is specified as:
{url}?effective=0
This is by design to match the agreed way of handling
policy checking on query/filter parameters.
Test Plan:
- Create two extra users for tests
- Add these users to a group
- Add a role assignment for the group on a domain
- Get a list of all role assignments, checking one has been added
- Then issue various requests with different ways of defining
the ‘effective’ query parameter. As we have tested the
correctness of the data coming back when we get effective roles
in other tests, here we just use the count of entities to
know if we are getting effective roles or not.
-
test_create_domain()[source]
Call POST /domains.
-
test_create_domain_400()[source]
Call POST /domains.
-
test_create_domain_case_sensitivity()[source]
Call POST /domains twice with upper() and lower() cased name.
-
test_create_hierarchical_project()[source]
Call POST /projects.
-
test_create_member_role()[source]
Call POST /roles.
-
test_create_project()[source]
Call POST /projects.
-
test_create_project_400()[source]
Call POST /projects.
-
test_create_role()[source]
Call POST /roles.
-
test_create_role_400()[source]
Call POST /roles.
-
test_crud_group_domain_role_grants()[source]
-
test_crud_group_domain_role_grants_no_group()[source]
Grant role on a domain to a group that doesn’t exist, 404 result.
When granting a role on a domain to a group that doesn’t exist, the server
returns 404 Not Found for the group.
-
test_crud_group_project_role_grants()[source]
-
test_crud_group_project_role_grants_no_group()[source]
Grant role on a project to a group that doesn’t exist, 404 result.
When granting a role on a project to a group that doesn’t exist, the
server returns 404 Not Found for the group.
-
test_crud_user_domain_role_grants()[source]
-
test_crud_user_domain_role_grants_no_user()[source]
Grant role on a domain to a user that doesn’t exist, 404 result.
When granting a role on a domain to a user that doesn’t exist, the server
returns 404 Not Found for the user.
-
test_crud_user_project_role_grants()[source]
-
test_crud_user_project_role_grants_no_user()[source]
Grant role on a project to a user that doesn’t exist, 404 result.
When granting a role on a project to a user that doesn’t exist, the server
returns 404 Not Found for the user.
-
test_delete_default_domain_fails()[source]
-
test_delete_domain()[source]
Call DELETE /domains/{domain_id}.
The sample data set up already has a user, group, project
and credential that is part of self.domain. Since the user
we will authenticate with is in this domain, we create
another set of entities in a second domain. Deleting this
second domain should delete all these new entities. In addition,
all the entities in the regular self.domain should be unaffected
by the delete.
Test Plan:
- Create domain2 and a 2nd set of entities
- Disable domain2
- Delete domain2
- Check entities in domain2 have been deleted
- Check entities in self.domain are unaffected
-
test_delete_domain_hierarchy()[source]
Call DELETE /domains/{domain_id}.
-
test_delete_enabled_domain_fails()[source]
Call DELETE /domains/{domain_id} (when domain enabled).
-
test_delete_new_default_domain_fails()[source]
-
test_delete_not_leaf_project()[source]
Call DELETE /projects/{project_id}.
-
test_delete_old_default_domain()[source]
-
test_delete_project()[source]
Call DELETE /projects/{project_id}.
As well as making sure the delete succeeds, we ensure
that any credentials that reference this project are
also deleted, while other credentials are unaffected.
-
test_delete_role()[source]
Call DELETE /roles/{role_id}.
-
test_delete_user_and_check_role_assignment_fails()[source]
Call DELETE on the user and check the role assignment.
-
test_delete_user_before_removing_role_assignment_succeeds()[source]
Call DELETE on the user before the role assignment.
-
test_disable_domain()[source]
Call PATCH /domains/{domain_id} (set enabled=False).
-
test_disable_leaf_project()[source]
Call PATCH /projects/{project_id}.
-
test_disable_not_leaf_project()[source]
Call PATCH /projects/{project_id}.
-
test_filtered_role_assignments()[source]
Call GET /role_assignments?filters.
Test Plan:
- Create extra users, group, role and project for tests
- Make the following assignments:
Give group1, role1 on project1 and domain
Give user1, role2 on project1 and domain
Make User1 a member of Group1
- Test a series of single filter list calls, checking that
the correct results are obtained
- Test a multi-filtered list call
- Test listing all effective roles for a given user
- Test the equivalent of the list of roles in a project scoped
token (all effective roles for a user on a project)
-
test_forbid_operations_on_defined_federated_domain()[source]
Make sure one cannot operate on a user-defined federated domain.
This includes operations like create, update, delete.
-
test_forbid_operations_on_federated_domain()[source]
Make sure one cannot operate on federated domain.
This includes operations like create, update, delete
on a domain identified by id and name where different variations of
id ‘Federated’ are used.
-
test_get_domain()[source]
Call GET /domains/{domain_id}.
-
test_get_effective_role_assignments()[source]
Call GET /role_assignments?effective.
Test Plan:
- Create two extra users for tests
- Add these users to a group
- Add a role assignment for the group on a domain
- Get a list of all role assignments, checking one has been added
- Then get a list of all effective role assignments - the group
assignment should have turned into assignments on the domain
for each of the group members.
-
test_get_project()[source]
Call GET /projects/{project_id}.
-
test_get_project_with_parents_as_ids()[source]
Call GET /projects/{project_id}?parents_as_ids.
-
test_get_project_with_parents_as_list_and_parents_as_ids()[source]
Call GET /projects/{project_id}?parents_as_list&parents_as_ids.
-
test_get_project_with_parents_as_list_with_full_access()[source]
GET /projects/{project_id}?parents_as_list with full access.
Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on each one of those projects;
- Check that calling parents_as_list on ‘subproject’ returns both
‘project’ and ‘parent’.
-
test_get_project_with_parents_as_list_with_partial_access()[source]
GET /projects/{project_id}?parents_as_list with partial access.
Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on ‘parent’ and ‘subproject’;
- Check that calling parents_as_list on ‘subproject’ only returns
‘parent’.
-
test_get_project_with_subtree_as_ids()[source]
Call GET /projects/{project_id}?subtree_as_ids.
This test creates a more complex hierarchy to test if the structured
dictionary returned by using the subtree_as_ids query param
correctly represents the hierarchy.
The hierarchy contains 5 projects with the following structure:
   +--A--+
   |     |
+--B--+  C
|     |
D     E
-
test_get_project_with_subtree_as_list_and_subtree_as_ids()[source]
Call GET /projects/{project_id}?subtree_as_list&subtree_as_ids.
-
test_get_project_with_subtree_as_list_with_full_access()[source]
GET /projects/{project_id}?subtree_as_list with full access.
Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on each one of those projects;
- Check that calling subtree_as_list on ‘parent’ returns both ‘parent’
and ‘subproject’.
-
test_get_project_with_subtree_as_list_with_partial_access()[source]
GET /projects/{project_id}?subtree_as_list with partial access.
Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on ‘parent’ and ‘subproject’;
- Check that calling subtree_as_list on ‘parent’ returns ‘subproject’.
-
test_get_role()[source]
Call GET /roles/{role_id}.
-
test_get_role_assignments()[source]
Call GET /role_assignments.
The sample data set up already has a user, group and project
that is part of self.domain. We use these plus a new user
we create as our data set, making sure we ignore any
role assignments that are already in existence.
Since we don’t yet support a first class entity for role
assignments, we are only testing the LIST API. To create
and delete the role assignments we use the old grant APIs.
Test Plan:
- Create extra user for tests
- Get a list of all existing role assignments
- Add a new assignment for each of the four combinations, i.e.
group+domain, user+domain, group+project, user+project, using
the same role each time
- Get a new list of all role assignments, checking these four new
ones have been added
- Then delete the four we added
- Get a new list of all role assignments, checking the four have
been removed
-
test_list_domains()[source]
Call GET /domains.
-
test_list_projects()[source]
Call GET /projects.
-
test_list_roles()[source]
Call GET /roles.
-
test_set_federated_domain_when_config_empty()[source]
Make sure we are operable even if config value is not properly
set.
This includes operations like create, update, delete.
-
test_token_revoked_once_domain_disabled()[source]
Test token from a disabled domain has been invalidated.
Test that a token that was valid for an enabled domain
becomes invalid once that domain is disabled.
-
test_token_revoked_once_group_role_grant_revoked()[source]
Test token is revoked when group role grant is revoked.
When a role granted to a group is revoked for a given scope,
all tokens related to this scope and belonging to one of the members
of this group should be revoked.
The revocation should be independent of the presence
of the revoke API.
-
test_update_domain()[source]
Call PATCH /domains/{domain_id}.
-
test_update_project()[source]
Call PATCH /projects/{project_id}.
-
test_update_project_domain_id()[source]
Call PATCH /projects/{project_id} with domain_id.
-
test_update_project_parent_id()[source]
Call PATCH /projects/{project_id}.
-
test_update_role()[source]
Call PATCH /roles/{role_id}.
-
class keystone.tests.unit.test_v3_assignment.AssignmentV3toV2MethodsTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
Test domain V3 to V2 conversion methods.
-
test_v2controller_filter_domain()[source]
-
test_v2controller_filter_domain_id()[source]
-
test_v2controller_filter_project_parent_id()[source]
-
test_v3_to_v2_project_method()[source]
-
test_v3_to_v2_project_method_list()[source]
-
test_v3controller_filter_domain_id()[source]
-
class keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Base class for testing /v3/role_assignments API behavior.
-
MAX_HIERARCHY_BREADTH = 3
-
MAX_HIERARCHY_DEPTH = 4
-
get_role_assignments(expected_status=200, **filters)[source]
Returns the result from querying role assignment API + queried URL.
Calls GET /v3/role_assignments?<params> and returns its result, where
<params> is the HTTP query parameters form of effective option plus
filters, if provided. Queried URL is returned as well.
Returns: | a tuple containing the list role assignments API response and
queried URL. |
-
load_sample_data()[source]
Creates sample data to be used on tests.
Created data are i) a role and ii) a domain containing: a project
hierarchy and 3 users within 3 groups.
-
class keystone.tests.unit.test_v3_assignment.RoleAssignmentDirectTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase
Class for testing direct assignments on /v3/role_assignments API.
Direct assignments on a domain or project have effect on them directly,
instead of on their project hierarchy, i.e. they are non-inherited. In
addition, group direct assignments are not expanded to group’s users.
Tests on this class make assertions on the representation and API filtering
of direct assignments.
-
test_get_role_assignments_by_domain(**filters)[source]
-
test_get_role_assignments_by_domain_and_group(**filters)[source]
-
test_get_role_assignments_by_domain_and_user(**filters)[source]
-
test_get_role_assignments_by_domain_group_and_role(**filters)[source]
-
test_get_role_assignments_by_domain_user_and_role(**filters)[source]
-
test_get_role_assignments_by_group(**filters)[source]
-
test_get_role_assignments_by_project(**filters)[source]
-
test_get_role_assignments_by_project_and_group(**filters)[source]
-
test_get_role_assignments_by_project_and_user(**filters)[source]
-
test_get_role_assignments_by_project_group_and_role(**filters)[source]
-
test_get_role_assignments_by_project_user_and_role(**filters)[source]
-
test_get_role_assignments_by_role(**filters)[source]
-
test_get_role_assignments_by_user(**filters)[source]
-
class keystone.tests.unit.test_v3_assignment.RoleAssignmentEffectiveTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentInheritedTestCase
Class for testing inheritance effects on /v3/role_assignments API.
Inherited assignments on a domain or project have no effect on them
directly, but on the projects under them instead.
Tests on this class make assertions on the effect of inherited assignments
and API filtering.
-
class keystone.tests.unit.test_v3_assignment.RoleAssignmentFailureTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase
Class for testing invalid query params on /v3/role_assignments API.
Querying domain and project, or user and group, results in an HTTP 400, since
a role assignment must contain only a single pair of (actor, target). In
addition, since filtering on role assignments applies only to the final
result, effective mode cannot be combined with i) group or ii) domain and
inherited, because it would always result in an empty list.
-
test_get_role_assignments_by_domain_and_project()[source]
-
test_get_role_assignments_by_effective_and_group()[source]
-
test_get_role_assignments_by_effective_and_inherited()[source]
-
test_get_role_assignments_by_user_and_group()[source]
-
class keystone.tests.unit.test_v3_assignment.RoleAssignmentInheritedTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentDirectTestCase
Class for testing inherited assignments on /v3/role_assignments API.
Inherited assignments on a domain or project have no effect on them
directly, but on the projects under them instead.
Tests on this class do not make assertions on the effect of inherited
assignments, but on their representation and API filtering.
-
config_overrides()[source]
keystone.tests.unit.test_v3_auth module
-
class keystone.tests.unit.test_v3_auth.AllowRescopeScopedTokenDisabledTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
config_overrides()[source]
-
test_rescoped_domain_token_disabled()[source]
-
test_rescoping_v2_to_v2_disabled()[source]
-
test_rescoping_v2_to_v3_disabled()[source]
-
test_rescoping_v3_to_v2_disabled()[source]
-
test_rescoping_v3_to_v3_disabled()[source]
-
class keystone.tests.unit.test_v3_auth.TestAPIProtectionWithoutAuthContextMiddleware(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
test_api_protection_with_no_auth_context_in_env()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuth(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
get_v2_token(tenant_id=None)[source]
-
test_auth_catalog_attributes()[source]
-
test_auth_catalog_disabled_endpoint()[source]
On authenticate, get a catalog that excludes disabled endpoints.
-
test_auth_catalog_disabled_service()[source]
On authenticate, get a catalog that excludes disabled services.
-
test_auth_methods_with_different_identities_fails()[source]
-
test_auth_token_cross_domain_group_and_project()[source]
Verify getting a token in cross domain group/project roles.
-
test_auth_with_bind_token()[source]
-
test_auth_with_id()[source]
-
test_authenticating_a_user_with_no_password()[source]
-
test_bind_not_set_with_remote_user()[source]
-
test_default_project_id_scoped_token_with_user_id()[source]
-
test_default_project_id_scoped_token_with_user_id_no_catalog()[source]
-
test_disabled_default_project_domain_result_in_unscoped_token()[source]
-
test_disabled_default_project_result_in_unscoped_token()[source]
-
test_disabled_scope_project_domain_result_in_401()[source]
-
test_domain_id_scoped_token_with_user_domain_id()[source]
-
test_domain_id_scoped_token_with_user_domain_name()[source]
-
test_domain_id_scoped_token_with_user_id()[source]
-
test_domain_name_scoped_token_with_user_domain_id()[source]
-
test_domain_name_scoped_token_with_user_domain_name()[source]
-
test_domain_name_scoped_token_with_user_id()[source]
-
test_domain_scope_failed()[source]
-
test_domain_scope_token_with_group_role()[source]
-
test_domain_scope_token_with_name()[source]
-
test_explicit_unscoped_token()[source]
-
test_implicit_project_id_scoped_token_with_user_id_no_catalog()[source]
-
test_invalid_domain_id()[source]
-
test_invalid_domain_name()[source]
-
test_invalid_password()[source]
-
test_invalid_user_id()[source]
-
test_invalid_user_name()[source]
-
test_no_access_to_default_project_result_in_unscoped_token()[source]
-
test_project_id_scoped_token_with_user_domain_id()[source]
-
test_project_id_scoped_token_with_user_domain_name()[source]
-
test_project_id_scoped_token_with_user_id()[source]
-
test_project_id_scoped_token_with_user_id_401()[source]
-
test_remote_user_and_explicit_external()[source]
-
test_remote_user_and_password()[source]
-
test_remote_user_bad_password()[source]
-
test_remote_user_no_domain()[source]
-
test_remote_user_no_realm()[source]
-
test_unscoped_token_with_user_domain_id()[source]
-
test_unscoped_token_with_user_domain_name()[source]
-
test_unscoped_token_with_user_id()[source]
-
test_user_and_group_roles_scoped_token()[source]
Test correct roles are returned in scoped token.
Test Plan:
- Create a domain, with 1 project, 2 users (user1 and user2)
and 2 groups (group1 and group2)
- Make user1 a member of group1, user2 a member of group2
- Create 8 roles, assigning them to each of the 8 combinations
of users/groups on domain/project
- Get a project scoped token for user1, checking that the right
two roles are returned (one directly assigned, one by virtue
of group membership)
- Repeat this for a domain scoped token
- Make user1 also a member of group2
- Get another scoped token making sure the additional role
shows up
- User2 is just here as a spoiler, to make sure we don’t get
any roles uniquely assigned to it returned in any of our
tokens
-
test_v2_v3_bind_token_intermix()[source]
-
test_validate_v2_scoped_token_with_v3_api()[source]
-
test_validate_v2_unscoped_token_with_v3_api()[source]
-
test_verify_with_bound_token()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthContext(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
setUp()[source]
-
test_identity_attribute_conflict()[source]
-
test_identity_attribute_conflict_with_none_value()[source]
-
test_non_identity_attribute_conflict_override()[source]
-
test_pick_lowest_expires_at()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthExternalDisabled(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
config_overrides()[source]
-
test_remote_user_disabled()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthExternalDomain(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
config_overrides()[source]
-
content_type = 'json'
-
test_project_id_scoped_with_remote_user()[source]
-
test_remote_user_with_realm()[source]
-
test_unscoped_bind_with_remote_user()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthExternalLegacyDefaultDomain(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
config_overrides()[source]
-
content_type = 'json'
-
test_remote_user_no_domain()[source]
-
test_remote_user_no_realm()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthExternalLegacyDomain(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
config_overrides()[source]
-
content_type = 'json'
-
test_project_id_scoped_with_remote_user()[source]
-
test_remote_user_with_realm()[source]
-
test_unscoped_bind_with_remote_user()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthFernetTokenProvider(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_auth.TestAuth
-
config_overrides()[source]
-
setUp()[source]
-
test_auth_with_bind_token()[source]
-
test_v2_v3_bind_token_intermix()[source]
-
test_verify_with_bound_token()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthInfo(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.AuthTestMixin, testtools.testcase.TestCase
-
setUp()[source]
-
test_both_project_and_domain_in_scope()[source]
-
test_get_method_data_invalid_method()[source]
-
test_get_method_names_duplicates()[source]
-
test_missing_auth_method_data()[source]
-
test_missing_auth_methods()[source]
-
test_project_name_no_domain()[source]
-
test_unsupported_auth_method()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthJSONExternal(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
auth_plugin_config_override(methods=None, **method_classes)[source]
-
config_overrides()[source]
-
content_type = 'json'
-
test_remote_user_no_method()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthKerberos(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_auth.TestAuthExternalDomain
-
config_overrides()[source]
-
class keystone.tests.unit.test_v3_auth.TestAuthSpecificData(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
test_get_catalog_domain_scoped_token()[source]
Call GET /auth/catalog with a domain-scoped token.
-
test_get_catalog_no_token()[source]
Call GET /auth/catalog without a token.
-
test_get_catalog_project_scoped_token()[source]
Call GET /auth/catalog with a project-scoped token.
-
test_get_catalog_unscoped_token()[source]
Call GET /auth/catalog with an unscoped token.
-
test_get_domains_project_scoped_token()[source]
-
test_get_projects_project_scoped_token()[source]
-
class keystone.tests.unit.test_v3_auth.TestFernetTokenProvider(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
config_overrides()[source]
-
setUp()[source]
-
test_domain_scoped_token_invalid_after_disabling_domain()[source]
-
test_domain_scoped_token_is_invalid_after_deleting_grant()[source]
-
test_domain_scoped_token_is_invalid_after_disabling_user()[source]
-
test_project_scoped_token_invalid_after_changing_user_password()[source]
-
test_project_scoped_token_invalid_after_disabling_project()[source]
-
test_project_scoped_token_is_invalid_after_disabling_user()[source]
-
test_rescope_unscoped_token_with_trust()[source]
-
test_revoke_project_scoped_token()[source]
-
test_revoke_trust_scoped_token()[source]
-
test_revoke_unscoped_token()[source]
-
test_trust_scoped_token_invalid_after_changing_trustee_password()[source]
-
test_trust_scoped_token_invalid_after_changing_trustor_password()[source]
-
test_trust_scoped_token_invalid_after_disabled_trustor_domain()[source]
-
test_trust_scoped_token_is_invalid_after_disabling_trustee()[source]
-
test_trust_scoped_token_is_invalid_after_disabling_trustor()[source]
-
test_unscoped_token_is_invalid_after_changing_user_password()[source]
-
test_unscoped_token_is_invalid_after_disabling_user()[source]
-
test_unscoped_token_is_invalid_after_disabling_user_domain()[source]
-
test_unscoped_token_is_invalid_after_enabling_disabled_user()[source]
-
test_v2_validate_domain_scoped_token_returns_401()[source]
Test raised exception when validating a domain scoped token.
Test that validating a domain scoped token in v2.0
returns unauthorized.
-
test_v2_validate_trust_scoped_token()[source]
Test raised exception when validating a trust scoped token.
Test that validating a trust scoped token in v2.0 returns
unauthorized.
-
test_v2_validate_unscoped_token_returns_401()[source]
Test raised exception when validating unscoped token.
Test that validating an unscoped token in v2.0 of a v3 user of a
non-default domain returns unauthorized.
-
test_validate_a_trust_scoped_token()[source]
-
test_validate_domain_scoped_token()[source]
-
test_validate_project_scoped_token()[source]
-
test_validate_tampered_project_scoped_token_fails()[source]
-
test_validate_tampered_trust_scoped_token_fails()[source]
-
test_validate_tampered_unscoped_token_fails()[source]
-
test_validate_unscoped_token()[source]
-
class keystone.tests.unit.test_v3_auth.TestPKITokenAPIs(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_auth.TokenAPITests
-
config_overrides()[source]
-
setUp()[source]
-
class keystone.tests.unit.test_v3_auth.TestPKIZTokenAPIs(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_auth.TokenAPITests
-
config_overrides()[source]
-
setUp()[source]
-
verify_token(*args, **kwargs)[source]
-
class keystone.tests.unit.test_v3_auth.TestTokenRevokeApi(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_auth.TestTokenRevokeById
-
EXTENSION_NAME = 'revoke'
-
EXTENSION_TO_ADD = 'revoke_extension'
Test token revocation on the v3 Identity API.
-
assertDomainInList(events_response, domain_id)[source]
-
assertEventDataInList(events, **kwargs)[source]
-
assertValidDeletedProjectResponse(events_response, project_id)[source]
-
assertValidRevokedTokenResponse(events_response, **kwargs)[source]
-
config_overrides()[source]
-
test_disable_domain_shows_in_event_list()[source]
-
test_list_delete_project_shows_in_event_list()[source]
-
test_list_delete_token_shows_in_event_list()[source]
-
test_list_with_filter()[source]
-
test_revoke_by_id_false_410()[source]
-
test_revoke_token()[source]
-
test_revoke_v2_token()[source]
-
class keystone.tests.unit.test_v3_auth.TestTokenRevokeById(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test token revocation on the v3 Identity API.
-
config_overrides()[source]
-
get_v2_token(token=None, project_id=None)[source]
-
role_data_fixtures()[source]
-
setUp()[source]
Setup for Token Revoking Test Cases.
As well as the usual housekeeping, create a set of domains,
users, groups, roles and projects for the subsequent tests:
- Two domains: A & B
- Three users (1, 2 and 3)
- Three groups (1, 2 and 3)
- Two roles (1 and 2)
- DomainA owns user1, domainB owns user2 and user3
- DomainA owns group1 and group2, domainB owns group3
- User1 and user2 are members of group1
- User3 is a member of group2
- Two projects: A & B, both in domainA
- Group1 has role1 on Project A and B, meaning that user1 and user2
will get these roles by virtue of membership
- User1, 2 and 3 have role1 assigned to projectA
- Group1 has role1 on Project A and B, meaning that user1 and user2
will get role1 (duplicated) by virtue of membership
- User1 has role2 assigned to domainA
-
test_deleting_group_grant_revokes_tokens()[source]
Test deleting a group grant revokes tokens.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Get a token for user2, scoped to ProjectA
- Get a token for user3, scoped to ProjectA
- Delete the grant group1 has on ProjectA
- Check tokens for user1 & user2 are no longer valid,
since user1 and user2 are members of group1
- Check token for user3 is still valid
-
test_deleting_project_deletes_grants()[source]
-
test_deleting_project_revokes_token()[source]
-
test_deleting_role_revokes_token()[source]
Test deleting a role revokes token.
- Add some additional test data, namely:
  - A third project (project C)
  - Three additional users - user4 owned by domainB and user5 and 6
    owned by domainA (different domain ownership should not affect
    the test results, just provided to broaden test coverage)
  - User5 is a member of group1
  - Group1 gets an additional assignment - role1 on projectB as
    well as its existing role1 on projectA
  - User4 has role2 on Project C
  - User6 has role1 on projectA and domainA
- This allows us to create 5 tokens by virtue of different types
  of role assignment:
  - user1, scoped to ProjectA by virtue of user role1 assignment
  - user5, scoped to ProjectB by virtue of group role1 assignment
  - user4, scoped to ProjectC by virtue of user role2 assignment
  - user6, scoped to ProjectA by virtue of user role1 assignment
  - user6, scoped to DomainA by virtue of user role1 assignment
- role1 is then deleted
- Check the tokens on Project A and B, and DomainA are revoked,
  but not the one for Project C
-
test_deleting_user_grant_revokes_token()[source]
Test deleting a user grant revokes token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Delete the grant user1 has on ProjectA
- Check token is no longer valid
-
test_disabling_project_revokes_token()[source]
-
test_domain_group_role_assignment_maintains_token()[source]
Test domain-group role assignment maintains existing token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Create a grant for group1 on DomainB
- Check token is still valid
-
test_domain_user_role_assignment_maintains_token()[source]
Test user-domain role assignment maintains existing token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Create a grant for user1 on DomainB
- Check token is still valid
-
test_group_membership_changes_revokes_token()[source]
Test add/removal to/from group revokes token.
Test Plan:
- Get a token for user1, scoped to ProjectA
- Get a token for user2, scoped to ProjectA
- Remove user1 from group1
- Check token for user1 is no longer valid
- Check token for user2 is still valid, even though
user2 is also part of group1
- Add user2 to group2
- Check token for user2 is now no longer valid
-
test_removing_role_assignment_does_not_affect_other_users()[source]
Revoking a role from one user should not affect other users.
-
test_revoke_token_from_token()[source]
-
test_revoke_token_from_token_v2()[source]
-
test_revoke_v2_token_no_check()[source]
-
test_unscoped_token_remains_valid_after_role_assignment()[source]
-
class keystone.tests.unit.test_v3_auth.TestTokenRevokeSelfAndAdmin(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test token revoke using v3 Identity API by token owner and admin.
-
config_overrides()[source]
-
load_sample_data()[source]
Load Sample Data for Test Cases.
Two domains, domainA and domainB
Two users in domainA, userNormalA and userAdminA
One user in domainB, userAdminB
-
test_adminA_revokes_userA_token()[source]
-
test_adminB_fails_revoking_userA_token()[source]
-
test_user_revokes_own_token()[source]
-
class keystone.tests.unit.test_v3_auth.TestTrustAuth(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
EXTENSION_NAME = 'revoke'
-
EXTENSION_TO_ADD = 'revoke_extension'
-
assertTrustTokensRevoked(trust_id)[source]
-
config_overrides()[source]
-
disable_user(user)[source]
-
setUp()[source]
-
test_change_password_invalidates_trust_tokens()[source]
-
test_consume_trust_once()[source]
-
test_create_expired_trust()[source]
-
test_create_one_time_use_trust()[source]
-
test_create_trust_400()[source]
-
test_create_trust_no_roles()[source]
-
test_create_trust_project_404()[source]
-
test_create_trust_role_id_404()[source]
-
test_create_trust_role_name_404()[source]
-
test_create_trust_trustee_404()[source]
-
test_create_trust_trustor_trustee_backwards()[source]
-
test_create_trust_with_bad_values_for_remaining_uses()[source]
-
test_create_unlimited_use_trust()[source]
-
test_create_unscoped_trust()[source]
-
test_delete_trust()[source]
-
test_delete_trust_revokes_tokens()[source]
-
test_do_not_consume_remaining_uses_when_get_token_fails()[source]
-
test_exercise_trust_scoped_token_with_impersonation()[source]
-
test_exercise_trust_scoped_token_without_impersonation()[source]
-
test_impersonation_token_cannot_create_new_trust()[source]
-
test_invalid_trust_request_without_impersonation()[source]
-
test_invalid_trust_request_without_trustee()[source]
-
test_list_trusts()[source]
-
test_trust_chained()[source]
Test that a trust token can’t be used to execute another trust.
To do this, we create an A->B->C hierarchy of trusts, then attempt to
execute the trusts in series (C->B->A).
-
test_trust_crud()[source]
-
test_trust_deleted_grant()[source]
-
test_trust_get_token_fails_if_trustee_disabled()[source]
-
test_trust_get_token_fails_if_trustor_disabled()[source]
-
test_trustee_can_do_role_ops()[source]
-
test_v3_v2_intermix()[source]
-
test_v3_v2_intermix_project_not_in_default_domaini_failed()[source]
-
test_v3_v2_intermix_trustor_not_in_default_domain_failed()[source]
-
test_v3_v2_intermix_trustor_not_in_default_domaini_failed()[source]
-
class keystone.tests.unit.test_v3_auth.TestTrustChain(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
assert_trust_tokens_revoked(trust_id)[source]
-
assert_user_authenticate(user)[source]
-
config_overrides()[source]
-
setUp()[source]
-
test_delete_broken_chain()[source]
-
test_delete_trust_cascade()[source]
-
test_intermediate_user_deleted()[source]
-
test_intermediate_user_disabled()[source]
-
test_trustor_roles_revoked()[source]
-
class keystone.tests.unit.test_v3_auth.TestTrustOptional(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
config_overrides()[source]
-
test_auth_with_scope_in_trust_403()[source]
-
test_trusts_404()[source]
-
class keystone.tests.unit.test_v3_auth.TestTrustRedelegation(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Redelegation valid and secure
Redelegation is a hierarchical structure of trusts between the initial trustor
and a group of users allowed to impersonate the trustor and act in his name.
The hierarchy is created by trusting already trusted permissions
and is organized as an adjacency list using the ‘redelegated_trust_id’ field.
Redelegation is valid if each subsequent trust in a chain passes ‘not more’
permissions than the trust being redelegated.
- Trust constraints are:
  - roles - set of roles trusted by trustor
  - expiration_time
  - allow_redelegation - a flag
  - redelegation_count - decreasing value restricting length of trust chain
  - remaining_uses - DISALLOWED when allow_redelegation == True
- Trust becomes invalid in case:
  - trust roles were revoked from trustor
  - one of the users in the delegation chain was disabled or deleted
  - expiration time passed
  - one of the parent trusts has become invalid
  - one of the parent trusts was deleted
-
config_overrides()[source]
-
setUp()[source]
-
test_depleted_redelegation_count_error()[source]
-
test_max_redelegation_count_constraint()[source]
-
test_modified_redelegation_count_error()[source]
-
test_redelegate_new_role_fails()[source]
-
test_redelegate_with_role_by_name()[source]
-
test_redelegation_expiry()[source]
-
test_redelegation_remaining_uses()[source]
-
test_redelegation_terminator()[source]
-
test_roles_subset()[source]
-
class keystone.tests.unit.test_v3_auth.TestUUIDTokenAPIs(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_auth.TokenAPITests
-
config_overrides()[source]
-
setUp()[source]
-
test_v3_token_id()[source]
-
test_v3_v2_hashed_pki_token_intermix()[source]
-
class keystone.tests.unit.test_v3_auth.TokenAPITests[source]
Bases: object
-
doSetUp()[source]
-
test_check_token()[source]
-
test_default_fixture_scope_token()[source]
-
test_rescoping_token()[source]
-
test_v2_v3_token_intermix()[source]
-
test_v2_v3_unscoped_token_intermix()[source]
-
test_v3_token_id()[source]
-
test_v3_v2_hashed_pki_token_intermix()[source]
-
test_v3_v2_intermix_domain_scoped_token_failed()[source]
-
test_v3_v2_intermix_new_default_domain()[source]
-
test_v3_v2_intermix_non_default_domain_failed()[source]
-
test_v3_v2_intermix_non_default_project_failed()[source]
-
test_v3_v2_token_intermix()[source]
-
test_v3_v2_unscoped_token_intermix()[source]
-
test_validate_token()[source]
-
test_validate_token_nocatalog()[source]
-
verify_token(*args, **kwargs)[source]
keystone.tests.unit.test_v3_catalog module
-
class keystone.tests.unit.test_v3_catalog.CatalogTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test service & endpoint CRUD.
-
test_create_endpoint_enabled_false()[source]
Call POST /endpoints with enabled: false.
-
test_create_endpoint_enabled_str_false()[source]
Call POST /endpoints with enabled: ‘False’.
-
test_create_endpoint_enabled_str_random()[source]
Call POST /endpoints with enabled: ‘puppies’.
-
test_create_endpoint_enabled_str_true()[source]
Call POST /endpoints with enabled: ‘True’.
-
test_create_endpoint_enabled_true()[source]
Call POST /endpoints with enabled: true.
-
test_create_endpoint_no_enabled()[source]
Call POST /endpoints.
-
test_create_endpoint_on_v2()[source]
-
test_create_endpoint_with_empty_url()[source]
Call POST /endpoints.
-
test_create_endpoint_with_invalid_region_id()[source]
Call POST /endpoints.
-
test_create_endpoint_with_no_region()[source]
EndpointV3 allows creating the endpoint without a region.
-
test_create_endpoint_with_region()[source]
EndpointV3 creates the region before creating the endpoint if the
endpoint is provided with ‘region’ and no ‘region_id’.
-
test_create_region()[source]
Call POST /regions with an ID in the request body.
-
test_create_region_with_conflicting_ids()[source]
Call PUT /regions/{region_id} with conflicting region IDs.
-
test_create_region_with_duplicate_id()[source]
Call PUT /regions/{region_id}.
-
test_create_region_with_empty_id()[source]
Call POST /regions with an empty ID in the request body.
-
test_create_region_with_id()[source]
Call PUT /regions/{region_id} w/o an ID in the request body.
-
test_create_region_with_matching_ids()[source]
Call PUT /regions/{region_id} with an ID in the request body.
-
test_create_region_without_description()[source]
Call POST /regions without description in the request body.
-
test_create_region_without_id()[source]
Call POST /regions without an ID in the request body.
-
test_create_regions_with_same_description_string()[source]
Call POST /regions with same description in the request bodies.
-
test_create_regions_without_descriptions()[source]
Call POST /regions with no description in the request bodies.
-
test_create_service()[source]
Call POST /services.
-
test_create_service_enabled_false()[source]
Call POST /services.
-
test_create_service_enabled_str_false()[source]
Call POST /services.
-
test_create_service_enabled_str_random()[source]
Call POST /services.
-
test_create_service_enabled_str_true()[source]
Call POST /services.
-
test_create_service_enabled_true()[source]
Call POST /services.
-
test_create_service_no_enabled()[source]
Call POST /services.
-
test_create_service_no_name()[source]
Call POST /services.
-
test_delete_endpoint()[source]
Call DELETE /endpoints/{endpoint_id}.
-
test_delete_region()[source]
Call DELETE /regions/{region_id}.
-
test_delete_service()[source]
Call DELETE /services/{service_id}.
-
test_filter_list_services_by_name()[source]
Call GET /services?name=<some name>.
-
test_filter_list_services_by_type()[source]
Call GET /services?type=<some type>.
-
test_get_endpoint()[source]
Call GET /endpoints/{endpoint_id}.
-
test_get_region()[source]
Call GET /regions/{region_id}.
-
test_get_service()[source]
Call GET /services/{service_id}.
-
test_list_endpoints()[source]
Call GET /endpoints.
-
test_list_regions()[source]
Call GET /regions.
-
test_list_regions_filtered_by_parent_region_id()[source]
Call GET /regions?parent_region_id={parent_region_id}.
-
test_list_services()[source]
Call GET /services.
-
test_update_endpoint()[source]
Call PATCH /endpoints/{endpoint_id}.
-
test_update_endpoint_enabled_false()[source]
Call PATCH /endpoints/{endpoint_id} with enabled: False.
-
test_update_endpoint_enabled_str_false()[source]
Call PATCH /endpoints/{endpoint_id} with enabled: ‘False’.
-
test_update_endpoint_enabled_str_random()[source]
Call PATCH /endpoints/{endpoint_id} with enabled: ‘kitties’.
-
test_update_endpoint_enabled_str_true()[source]
Call PATCH /endpoints/{endpoint_id} with enabled: ‘True’.
-
test_update_endpoint_enabled_true()[source]
Call PATCH /endpoints/{endpoint_id} with enabled: True.
-
test_update_region()[source]
Call PATCH /regions/{region_id}.
-
test_update_region_with_null_description()[source]
Call PATCH /regions/{region_id}.
-
test_update_region_without_description_keeps_original()[source]
Call PATCH /regions/{region_id}.
-
test_update_service()[source]
Call PATCH /services/{service_id}.
-
class keystone.tests.unit.test_v3_catalog.TestCatalogAPISQL(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
Tests for the catalog Manager against the SQL backend.
-
config_overrides()[source]
-
new_endpoint_ref(service_id)[source]
-
setUp()[source]
-
test_get_catalog_always_returns_service_name()[source]
-
test_get_catalog_ignores_endpoints_with_invalid_urls()[source]
-
class keystone.tests.unit.test_v3_catalog.TestCatalogAPISQLRegions(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
Tests for the catalog Manager against the SQL backend.
-
assertValidCatalogEndpoint(entity, ref=None)[source]
-
config_overrides()[source]
-
new_endpoint_ref(service_id)[source]
-
setUp()[source]
-
test_get_catalog_returns_proper_endpoints_with_no_region()[source]
-
test_get_catalog_returns_proper_endpoints_with_region()[source]
keystone.tests.unit.test_v3_controller module
-
class keystone.tests.unit.test_v3_controller.V3ControllerTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
Tests for the V3Controller class.
-
setUp()[source]
-
test_check_immutable_params()[source]
Pass valid parameters to the method and expect no failure.
-
test_check_immutable_params_fail()[source]
Pass invalid parameter to the method and expect failure.
keystone.tests.unit.test_v3_credential module
-
class keystone.tests.unit.test_v3_credential.CredentialBaseTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
class keystone.tests.unit.test_v3_credential.CredentialTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_credential.CredentialBaseTestCase
Test credential CRUD.
-
setUp()[source]
-
test_create_credential()[source]
Call POST /credentials.
-
test_create_credential_with_admin_token()[source]
-
test_create_ec2_credential()[source]
Call POST /credentials for creating ec2 credential.
-
test_create_ec2_credential_with_invalid_blob()[source]
Call POST /credentials for creating ec2
credential with invalid blob.
-
test_create_ec2_credential_with_missing_project_id()[source]
Call POST /credentials for creating ec2
credential with missing project_id.
-
test_create_non_ec2_credential()[source]
Call POST /credentials for creating non-ec2 credential.
-
test_credential_api_delete_credentials_for_project()[source]
-
test_credential_api_delete_credentials_for_user()[source]
-
test_delete_credential()[source]
Call DELETE /credentials/{credential_id}.
-
test_get_credential()[source]
Call GET /credentials/{credential_id}.
-
test_get_ec2_dict_blob()[source]
Ensure non-JSON blob data is correctly converted.
-
test_list_credentials()[source]
Call GET /credentials.
-
test_list_credentials_filtered_by_user_id()[source]
Call GET /credentials?user_id={user_id}.
-
test_list_ec2_dict_blob()[source]
Ensure non-JSON blob data is correctly converted.
-
test_update_credential()[source]
Call PATCH /credentials/{credential_id}.
-
class keystone.tests.unit.test_v3_credential.TestCredentialEc2(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_credential.CredentialBaseTestCase
Test v3 credential compatibility with ec2tokens.
-
setUp()[source]
-
test_ec2_create_credential()[source]
Test ec2 credential creation.
-
test_ec2_credential_signature_validate()[source]
Test signature validation with a v3 ec2 credential.
-
test_ec2_credential_signature_validate_legacy()[source]
Test signature validation with a legacy v3 ec2 credential.
-
test_ec2_delete_credential()[source]
Test ec2 credential deletion.
-
test_ec2_get_credential()[source]
-
test_ec2_list_credentials()[source]
Test ec2 credential listing.
-
class keystone.tests.unit.test_v3_credential.TestCredentialTrustScoped(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test credential with trust scoped token.
-
config_overrides()[source]
-
setUp()[source]
-
test_trust_scoped_ec2_credential()[source]
Call POST /credentials for creating ec2 credential.
keystone.tests.unit.test_v3_domain_config module
-
class keystone.tests.unit.test_v3_domain_config.DomainConfigTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test domain config support.
-
setUp()[source]
-
test_create_config()[source]
Call PUT /domains/{domain_id}/config.
-
test_create_config_twice()[source]
Check that multiple creates don’t throw an error.
-
test_delete_config()[source]
Call DELETE /domains/{domain_id}/config.
-
test_delete_config_by_group()[source]
Call DELETE /domains/{domain_id}/config/{group}.
-
test_get_config_by_group()[source]
Call GET & HEAD /domains/{domain_id}/config/{group}.
-
test_get_config_by_option()[source]
Call GET & HEAD /domains/{domain_id}/config/{group}/{option}.
-
test_get_head_config()[source]
Call GET & HEAD for /domains/{domain_id}/config.
-
test_get_non_existant_config()[source]
Call GET /domains/{domain_id}/config when no config defined.
-
test_get_non_existant_config_group()[source]
Call GET /domains/{domain_id}/config/{group_not_exist}.
-
test_get_non_existant_config_option()[source]
Call GET /domains/{domain_id}/config/group/{option_not_exist}.
-
test_update_config()[source]
Call PATCH /domains/{domain_id}/config.
-
test_update_config_group()[source]
Call PATCH /domains/{domain_id}/config/{group}.
-
test_update_config_invalid_group()[source]
Call PATCH /domains/{domain_id}/config/{invalid_group}.
-
test_update_config_invalid_option()[source]
Call PATCH /domains/{domain_id}/config/{group}/{invalid}.
-
test_update_config_option()[source]
Call PATCH /domains/{domain_id}/config/{group}/{option}.
keystone.tests.unit.test_v3_endpoint_policy module
-
class keystone.tests.unit.test_v3_endpoint_policy.EndpointPolicyTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_endpoint_policy.TestExtensionCase
Test endpoint policy CRUD.
In general, the controller layer of the endpoint policy extension is really
just marshalling the data around the underlying manager calls. Given that
the manager layer is tested in depth by the backend tests, the tests we
execute here concentrate on ensuring we are correctly passing and
presenting the data.
-
assert_head_and_get_return_same_response(url, expected_status)[source]
-
setUp()[source]
-
test_crud_for_policy_for_explicit_endpoint()[source]
PUT, HEAD and DELETE for explicit endpoint policy.
-
test_crud_for_policy_for_region_and_service()[source]
PUT, HEAD and DELETE for region and service endpoint policy.
-
test_crud_for_policy_for_service()[source]
PUT, HEAD and DELETE for service endpoint policy.
-
test_endpoint_association_cleanup_when_endpoint_deleted()[source]
-
test_get_policy_for_endpoint()[source]
GET /endpoints/{endpoint_id}/policy.
-
test_list_endpoints_for_policy()[source]
GET /policies/{policy_id}/endpoints.
-
test_region_service_association_cleanup_when_region_deleted()[source]
-
test_region_service_association_cleanup_when_service_deleted()[source]
-
test_service_association_cleanup_when_policy_deleted()[source]
-
test_service_association_cleanup_when_service_deleted()[source]
-
class keystone.tests.unit.test_v3_endpoint_policy.JsonHomeTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_endpoint_policy.TestExtensionCase, keystone.tests.unit.test_v3.JsonHomeTestMixin
-
EXTENSION_LOCATION = 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel'
-
JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy': {'href-template': '/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/service_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}', 'href-vars': {'service_id': 'http://docs.openstack.org/api/openstack-identity/3/param/service_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/policy_endpoints': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints', 'href-vars': {'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/region_and_service_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}', 'href-vars': {'service_id': 'http://docs.openstack.org/api/openstack-identity/3/param/service_id', 'region_id': 'http://docs.openstack.org/api/openstack-identity/3/param/region_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}}
-
PARAM_LOCATION = 'http://docs.openstack.org/api/openstack-identity/3/param'
-
class keystone.tests.unit.test_v3_endpoint_policy.TestExtensionCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
EXTENSION_NAME = 'endpoint_policy'
-
EXTENSION_TO_ADD = 'endpoint_policy_extension'
keystone.tests.unit.test_v3_federation module
-
class keystone.tests.unit.test_v3_federation.FederatedIdentityProviderTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests
A test class for Identity Providers.
-
base_url(suffix=None)[source]
-
default_body = {'enabled': True, 'description': None}
-
idp_keys = ['description', 'enabled']
-
test_assign_protocol_to_idp()[source]
Assign a protocol to existing IdP.
-
test_assign_protocol_to_nonexistent_idp()[source]
Assign protocol to IdP that doesn’t exist.
Expect HTTP 404 code.
-
test_check_idp_uniqueness()[source]
Add same IdP twice.
Expect HTTP 409 code for the latter call.
-
test_create_idp()[source]
Creates the IdentityProvider entity associated to remote_ids.
-
test_create_idp_remote()[source]
Creates the IdentityProvider entity associated to remote_ids.
-
test_create_idp_remote_empty()[source]
Creates an IdP with empty remote_ids.
-
test_create_idp_remote_none()[source]
Creates an IdP with a None remote_ids.
-
test_create_idp_remote_repeated()[source]
Creates two IdentityProvider entities with some remote_ids.
A remote_id is the same for both, so the second IdP is not
created because of the uniqueness of the remote_ids.
Expect HTTP 409 code for the latter call.
-
test_delete_existing_idp()[source]
Create and later delete IdP.
Expect HTTP 404 for the GET IdP call.
-
test_delete_nonexisting_idp()[source]
Delete nonexisting IdP.
Expect HTTP 404 for the GET IdP call.
-
test_delete_protocol()[source]
Delete protocol.
Expect HTTP 404 code for the GET call after the protocol is deleted.
-
test_get_idp()[source]
Create and later fetch IdP.
-
test_get_nonexisting_idp()[source]
Fetch nonexisting IdP entity.
Expected HTTP 404 status code.
-
test_get_protocol()[source]
Create and later fetch protocol tied to IdP.
-
test_list_idps(iterations=5)[source]
Lists all available IdentityProviders.
This test collects ids of created IdPs and
intersects it with the list of all available IdPs.
List of all IdPs can be a superset of IdPs created in this test,
because other tests also create IdPs.
-
test_list_protocols()[source]
Create set of protocols and later list them.
Compare input and output id sets.
-
test_protocol_composite_pk()[source]
Test whether Keystone lets us add two entities with identical
names, however attached to different IdPs.
- Add IdP and assign it protocol with predefined name
- Add another IdP and assign it a protocol with same name.
Expect HTTP 201 code
-
test_protocol_idp_pk_uniqueness()[source]
Test whether Keystone checks for unique idp/protocol values.
Add the same protocol twice, expect Keystone to reject the latter call and
return HTTP 409 code.
-
test_update_idp_clean_remote_ids()[source]
Update IdP’s remote_ids parameter with an empty list.
-
test_update_idp_immutable_attributes()[source]
Update IdP’s immutable parameters.
Expect HTTP 403 code.
-
test_update_idp_mutable_attributes()[source]
Update IdP’s mutable parameters.
-
test_update_idp_remote_ids()[source]
Update IdP’s remote_ids parameter.
-
test_update_nonexistent_idp()[source]
Update nonexistent IdP.
Expect HTTP 404 code.
-
test_update_protocols_attribute()[source]
Update protocol’s attribute.
-
class keystone.tests.unit.test_v3_federation.FederatedSetupMixin[source]
Bases: object
-
ACTION = 'authenticate'
-
ASSERTION_PREFIX = 'PREFIX_'
-
AUTH_METHOD = 'saml2'
-
IDP = 'ORG_IDP'
-
IDP_WITH_REMOTE = 'ORG_IDP_REMOTE'
-
PROTOCOL = 'saml2'
-
REMOTE_IDS = ['entityID_IDP1', 'entityID_IDP2']
-
REMOTE_ID_ATTR = '96ed5868fe1244abb27a14d3bab8c43d'
-
UNSCOPED_V3_SAML2_REQ = {'identity': {'methods': ['saml2'], 'saml2': {'identity_provider': 'ORG_IDP', 'protocol': 'saml2'}}}
-
USER = 'user@ORGANIZATION'
-
idp_ref(id=None)[source]
-
load_federation_sample_data()[source]
Inject additional data.
-
mapping_ref(rules=None)[source]
-
proto_ref(mapping_id=None)[source]
-
class keystone.tests.unit.test_v3_federation.FederatedTokenTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests, keystone.tests.unit.test_v3_federation.FederatedSetupMixin
-
auth_plugin_config_override()[source]
-
load_fixtures(fixtures)[source]
-
setUp()[source]
-
test_assertion_prefix_parameter()[source]
Test parameters filtering based on the prefix.
With assertion_prefix set to fixed, non default value,
issue an unscoped token from assertion EMPLOYEE_ASSERTION_PREFIXED.
Expect server to return unscoped token.
-
test_assertion_prefix_parameter_expect_fail()[source]
Test parameters filtering based on the prefix.
With assertion_prefix default value set to empty string
issue an unscoped token from assertion EMPLOYEE_ASSERTION.
Next, configure assertion_prefix to value UserName.
Try issuing unscoped token with EMPLOYEE_ASSERTION.
Expect server to raise exception.Unauthorized exception.
-
test_empty_blacklist_passess_all_values()[source]
Test a mapping with an empty blacklist specified.
Not adding a blacklist keyword to the mapping rules has the same
effect as adding an empty blacklist.
In both cases, the mapping engine will not discard any groups that are
associated with apache environment variables.
This test checks scenario where an empty blacklist was specified.
Expected result is to allow any value.
The test scenario is as follows:
- Create group EXISTS
- Create group NO_EXISTS
- Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with groups EXISTS and NO_EXISTS assigned
-
test_empty_whitelist_discards_all_values()[source]
Test that an empty whitelist blocks all the values.
Not adding a whitelist keyword to the mapping value is different
than adding empty whitelist. The former case will simply pass all the
values, whereas the latter would discard all the values.
This test checks scenario where an empty whitelist was specified.
The expected result is that no groups are matched.
The test scenario is as follows:
- Create group EXISTS
- Set mapping rules for existing IdP with an empty whitelist that would discard any values from the assertion
- Try issuing unscoped token, expect server to raise exception.MissingGroups as no groups were matched and ephemeral user does not have any group assigned.
-
test_full_workflow()[source]
Test ‘standard’ workflow for granting access tokens.
- Issue unscoped token
- List available projects based on groups
- Scope token to one of available projects
-
test_issue_token_for_local_user_user_not_found()[source]
-
test_issue_token_from_rules_without_user()[source]
-
test_issue_token_with_nonexistent_group()[source]
Inject assertion that matches rule issuing bad group id.
Expect server to find out that some groups are missing in the
backend and raise exception.MappedGroupNotFound exception.
-
test_issue_unscoped_token()[source]
-
test_issue_unscoped_token_disabled_idp()[source]
Checks if authentication works with disabled identity providers.
Test plan:
1) Disable default IdP
2) Try issuing unscoped token for that IdP
3) Expect server to forbid authentication
-
test_issue_unscoped_token_for_local_user()[source]
-
test_issue_unscoped_token_group_names_in_mapping()[source]
-
test_issue_unscoped_token_malformed_environment()[source]
Test whether non string objects are filtered out.
Put non string objects into the environment, inject
correct assertion and try to get an unscoped token.
Expect server not to fail on using split() method on
non string objects and return token id in the HTTP header.
-
test_issue_unscoped_token_no_groups()[source]
-
test_issue_unscoped_token_notify()[source]
-
test_issue_unscoped_token_with_remote()[source]
-
test_issue_unscoped_token_with_remote_default_overwritten()[source]
Test that protocol remote_id_attribute has higher priority.
Make sure the parameter stored under protocol section has higher
priority over parameter from default federation configuration
section.
-
test_issue_unscoped_token_with_remote_different()[source]
-
test_issue_unscoped_token_with_remote_no_attribute()[source]
-
test_issue_unscoped_token_with_remote_unavailable()[source]
-
test_issue_unscoped_token_with_remote_user_as_empty_string()[source]
-
test_issue_unscoped_token_with_saml2_remote()[source]
-
test_issue_unscoped_tokens_nonexisting_group()[source]
-
test_list_domains()[source]
-
test_list_projects()[source]
-
test_list_projects_for_inherited_project_assignment()[source]
-
test_lists_with_missing_group_in_backend()[source]
Test a mapping that points to a group that does not exist.
For explicit mappings, we expect the group to exist in the backend,
but for lists, specifically blacklists, a missing group is expected
as many groups will be specified by the IdP that are not Keystone
groups.
The test scenario is as follows:
- Create group EXISTS
- Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with group EXISTS id in it
-
test_not_adding_blacklist_passess_all_values()[source]
Test a mapping without blacklist specified.
Not adding a blacklist keyword to the mapping rules has the same
effect as adding an empty blacklist. In both cases all values will
be accepted and passed.
This test checks the scenario where a blacklist was not specified.
Expected result is to allow any value.
The test scenario is as follows:
- Create group EXISTS
- Create group NO_EXISTS
- Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with groups EXISTS and NO_EXISTS assigned
-
test_not_setting_whitelist_accepts_all_values()[source]
Test that not setting whitelist passes.
Not adding a whitelist keyword to the mapping value is different
than adding empty whitelist. The former case will simply pass all the
values, whereas the latter would discard all the values.
This test checks a scenario where a whitelist was not specified.
Expected result is that no groups are ignored.
The test scenario is as follows:
- Create group EXISTS
- Set mapping rules for existing IdP with an empty whitelist that would discard any values from the assertion
- Issue an unscoped token and make sure ephemeral user is a member of two groups.
-
test_scope_to_bad_project()[source]
Scope unscoped token with a project we don’t have access to.
-
test_scope_to_domain_multiple_tokens()[source]
Issue multiple tokens scoping to different domains.
The new tokens should be scoped to:
-
test_scope_to_domain_once()[source]
-
test_scope_to_domain_with_only_inherited_roles_fails()[source]
Try to scope to a domain that has no direct roles.
-
test_scope_to_project_multiple_times()[source]
Try to scope the unscoped token multiple times.
The new tokens should be scoped to:
- Customers’ project
- Employees’ project
-
test_scope_to_project_once()[source]
-
test_scope_to_project_once_notify()[source]
-
test_scope_to_project_with_only_inherited_roles()[source]
Try to scope token whose only roles are inherited.
-
test_scope_token_from_nonexistent_unscoped_token()[source]
Try to scope token from non-existent unscoped token.
-
test_scope_token_with_idp_disabled()[source]
Scope token issued by disabled IdP.
Try scoping the token issued by an IdP which is disabled now. Expect
server to refuse scoping operation.
This test confirms correct behaviour when IdP was enabled and unscoped
token was issued, but disabled before user tries to scope the token.
Here we assume the unscoped token was already issued and start from
the moment where IdP is being disabled and unscoped token is being
used.
Test plan:
1) Disable IdP
2) Try scoping unscoped token
-
test_scoped_token_has_user_domain()[source]
-
test_unscoped_token_has_user_domain()[source]
-
test_v2_auth_with_federation_token_fails()[source]
Test that using a federation token with v2 auth fails.
If an admin sets up a federated Keystone environment, and a user
incorrectly configures a service (like Nova) to only use v2 auth, the
returned message should be informative.
-
test_workflow_with_groups_deletion()[source]
Test full workflow with groups deletion before token scoping.
The test scenario is as follows:
- Create group group
- Create and assign roles to group and project_all
- Patch mapping rules for existing IdP so it issues group id
- Issue unscoped token with group’s id
- Delete group group
- Scope token to project_all
- Expect HTTP 500 response
-
class keystone.tests.unit.test_v3_federation.FederatedTokenTestsMethodToken(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederatedTokenTests
Test federation operation with unified scoping auth method.
Test all the operations with auth method set to token as a new, unified
way for scoping all the tokens.
-
AUTH_METHOD = 'token'
-
auth_plugin_config_override()[source]
-
class keystone.tests.unit.test_v3_federation.FederationTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
EXTENSION_NAME = 'federation'
-
EXTENSION_TO_ADD = 'federation_extension'
-
class keystone.tests.unit.test_v3_federation.FernetFederatedTokenTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests, keystone.tests.unit.test_v3_federation.FederatedSetupMixin
-
AUTH_METHOD = 'token'
-
auth_plugin_config_override()[source]
-
load_fixtures(fixtures)[source]
-
test_federated_unscoped_token()[source]
-
test_federated_unscoped_token_with_multiple_groups()[source]
-
test_fernet_full_workflow()[source]
Test ‘standard’ workflow for granting Fernet access tokens.
- Issue unscoped token
- List available projects based on groups
- Scope token to one of available projects
-
test_validate_federated_unscoped_token()[source]
-
class keystone.tests.unit.test_v3_federation.IdPMetadataGenerationTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests
A class for testing Identity Provider Metadata generation.
-
METADATA_URL = '/OS-FEDERATION/saml2/metadata'
-
config_overrides()[source]
-
setUp()[source]
-
test_check_entity_id()[source]
-
test_check_idp_sso()[source]
-
test_get_metadata()[source]
-
test_get_metadata_with_no_metadata_file_configured()[source]
-
test_metadata_invalid_contact_type()[source]
-
test_metadata_invalid_idp_entity_id()[source]
-
test_metadata_invalid_idp_sso_endpoint()[source]
-
test_metadata_no_contact_person()[source]
-
test_metadata_no_organization()[source]
-
test_metadata_validity()[source]
Call md.EntityDescriptor method that does internal verification.
-
test_serialize_metadata_object()[source]
Check whether serialization doesn’t raise any exceptions.
-
class keystone.tests.unit.test_v3_federation.JsonHomeTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests, keystone.tests.unit.test_v3.JsonHomeTestMixin
-
JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider': {'href-template': '/OS-FEDERATION/identity_providers/{idp_id}', 'href-vars': {'idp_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/param/idp_id'}}}
-
class keystone.tests.unit.test_v3_federation.K2KServiceCatalogTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests
-
SP1 = 'SP1'
-
SP2 = 'SP2'
-
SP3 = 'SP3'
-
setUp()[source]
-
sp_ref()[source]
-
sp_response(id, ref)[source]
-
test_no_service_providers_in_token()[source]
Test service catalog with disabled service providers.
There should be no entry service_providers in the catalog.
Test passes providing no attribute was raised.
-
test_service_providers_in_token()[source]
Check if service providers are listed in service catalog.
-
test_service_provides_in_token_disabled_sp()[source]
Test behaviour with disabled service providers.
Disabled service providers should not be listed in the service
catalog.
-
class keystone.tests.unit.test_v3_federation.MappingCRUDTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests
A class for testing CRUD operations for Mappings.
-
MAPPING_URL = '/OS-FEDERATION/mappings/'
-
assertValidMapping(entity, ref=None)[source]
-
assertValidMappingListResponse(resp, *args, **kwargs)[source]
-
assertValidMappingResponse(resp, *args, **kwargs)[source]
-
test_create_mapping_bad_requirements()[source]
-
test_create_mapping_bad_value()[source]
-
test_create_mapping_empty_map()[source]
-
test_create_mapping_missing_local()[source]
-
test_create_mapping_missing_type()[source]
-
test_create_mapping_no_remote_objects()[source]
-
test_create_mapping_no_rules()[source]
-
test_create_mapping_with_blacklist_and_whitelist()[source]
Test for adding whitelist and blacklist in the rule.
Server should respond with HTTP 400 error upon discovering both
whitelist and blacklist keywords in the same rule.
-
test_create_mapping_wrong_type()[source]
-
test_delete_mapping_dne()[source]
-
test_get_mapping_dne()[source]
-
test_mapping_create()[source]
-
test_mapping_delete()[source]
-
test_mapping_get()[source]
-
test_mapping_list()[source]
-
test_mapping_update()[source]
-
class keystone.tests.unit.test_v3_federation.MappingRuleEngineTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests
A class for testing the mapping rule engine.
-
assertValidMappedUserObject(mapped_properties, user_type='ephemeral', domain_id=None)[source]
Check whether mapped properties object has ‘user’ within.
According to today’s rules, RuleProcessor does not have to issue user’s
id or name. What’s actually required is user’s type and for ephemeral
users that would be service domain named ‘Federated’.
-
test_create_user_object_with_bad_mapping()[source]
Test if user object is created even with bad mapping.
User objects will always be created by the mapping engine as long as there
is a corresponding local rule. This test shows that even with an assertion
where no group names nor ids are matched, but there is a ‘blind’ rule for
mapping the user, such an object will be created.
In this test MAPPING_EPHEMERAL_USER expects UserName set to jsmith
whereas value from assertion is ‘tbo’.
-
test_local_user_local_domain()[source]
Test that local users can have non-service domains assigned.
-
test_mapping_federated_domain_specified()[source]
Test mapping engine when domain ‘ephemeral’ is explicitly set.
For that, we use mapping rule MAPPING_EPHEMERAL_USER and assertion
EMPLOYEE_ASSERTION.
-
test_rule_engine_any_one_of_and_direct_mapping()[source]
Should return user’s name and group id EMPLOYEE_GROUP_ID.
The ADMIN_ASSERTION should successfully have a match in MAPPING_LARGE.
This will test the case where any_one_of is valid, and there is
a direct mapping for the user’s name.
-
test_rule_engine_any_one_of_many_rules()[source]
Should return group CONTRACTOR_GROUP_ID.
The CONTRACTOR_ASSERTION should successfully have a match in
MAPPING_SMALL. This will test the case where many rules
must be matched, including an any_one_of, and a direct
mapping.
-
test_rule_engine_blacklist_and_direct_groups_mapping()[source]
Should return user’s group Developer.
The EMPLOYEE_ASSERTION_MULTIPLE_GROUPS should successfully have a match
in MAPPING_GROUPS_BLACKLIST. It will test the case where ‘blacklist’
correctly filters out Manager and Developer and only allows Contractor.
-
test_rule_engine_blacklist_and_direct_groups_mapping_multiples()[source]
Tests matching multiple values before the blacklist.
Verifies that the local indexes are correct when matching multiple
remote values for a field when the field occurs before the blacklist
entry in the remote rules.
-
test_rule_engine_blacklist_direct_group_mapping_missing_domain()[source]
Test if the local rule is rejected upon missing domain value.
This is a variation with a blacklist filter.
-
test_rule_engine_discards_nonstring_objects()[source]
Check whether RuleProcessor discards non string objects.
Despite the fact that assertion is malformed and contains
non string objects, RuleProcessor should correctly discard them and
successfully have a match in MAPPING_LARGE.
-
test_rule_engine_fails_after_discarding_nonstring()[source]
Check whether RuleProcessor discards non string objects.
Expect RuleProcessor to discard non string object, which
is required for a correct rule match. RuleProcessor will result with
empty list of groups.
-
test_rule_engine_no_groups_allowed()[source]
Should return user mapped to no groups.
The EMPLOYEE_ASSERTION should successfully have a match
in MAPPING_GROUPS_WHITELIST, but ‘whitelist’ should filter out
the group values from the assertion and thus map to no groups.
-
test_rule_engine_no_regex_match()[source]
Should deny authorization, the email of the tester won’t match.
This will not match since the email in the assertion will fail
the regex test. It is set to match any @example.com address.
But the incoming value is set to eviltester@example.org.
RuleProcessor should return list of empty group_ids.
-
test_rule_engine_not_any_of_and_direct_mapping()[source]
Should return user’s name and email.
The CUSTOMER_ASSERTION should successfully have a match in
MAPPING_LARGE. This will test the case where a requirement
has not_any_of, and direct mapping to a username, no group.
-
test_rule_engine_not_any_of_many_rules()[source]
Should return group EMPLOYEE_GROUP_ID.
The EMPLOYEE_ASSERTION should successfully have a match in
MAPPING_SMALL. This will test the case where many remote
rules must be matched, including a not_any_of.
-
test_rule_engine_not_any_of_regex_verify_fail()[source]
Should deny authorization.
The email in the assertion will fail the regex test.
It is set to reject any @example.org address, but the
incoming value is set to evildeveloper@example.org.
RuleProcessor should return list of empty group_ids.
-
test_rule_engine_not_any_of_regex_verify_pass()[source]
Should return group DEVELOPER_GROUP_ID.
The DEVELOPER_ASSERTION should successfully have a match in
MAPPING_DEVELOPER_REGEX. This will test the case where many
remote rules must be matched, including a not_any_of, with
regex set to True.
-
test_rule_engine_regex_many_groups()[source]
Should return group CONTRACTOR_GROUP_ID.
The TESTER_ASSERTION should successfully have a match in
MAPPING_TESTER_REGEX. This will test the case where many groups
are in the assertion, and a regex value is used to try and find
a match.
-
test_rule_engine_regex_match_and_many_groups()[source]
Should return group DEVELOPER_GROUP_ID and TESTER_GROUP_ID.
The TESTER_ASSERTION should successfully have a match in
MAPPING_LARGE. This will test a successful regex match
for an any_one_of evaluation type, and will have many
groups returned.
-
test_rule_engine_returns_group_names()[source]
Check whether RuleProcessor returns group names with their domains.
RuleProcessor should return ‘group_names’ entry with a list of
dictionaries with two entries ‘name’ and ‘domain’ identifying group by
its name and domain.
-
test_rule_engine_whitelist_and_direct_groups_mapping()[source]
Should return user’s groups Developer and Contractor.
The EMPLOYEE_ASSERTION_MULTIPLE_GROUPS should successfully have a match
in MAPPING_GROUPS_WHITELIST. It will test the case where ‘whitelist’
correctly filters out Manager and only allows Developer and Contractor.
-
test_rule_engine_whitelist_direct_group_mapping_missing_domain()[source]
Test if the local rule is rejected upon missing domain value.
This is a variation with a whitelist filter.
-
test_set_ephemeral_domain_to_ephemeral_users()[source]
Test auto assigning service domain to ephemeral users.
Test that ephemeral users will always become members of federated
service domain. The check depends on type value which must be set
to ephemeral in case of ephemeral user.
-
test_user_identification_id()[source]
Test various mapping options and how users are identified.
This test calls mapped.setup_username() for propagating user object.
Test plan:
- Check if the user has proper domain (‘federated’) set
- Check if the user has proper type set (‘ephemeral’)
- Check if user’s id is properly mapped from the assertion
- Check if user’s name is properly set and equal to id, as it was not explicitly specified in the mapping.
-
test_user_identification_id_and_name()[source]
Test various mapping options and how users are identified.
This test calls mapped.setup_username() for propagating user object.
Test plan:
- Check if the user has proper domain (‘federated’) set
- Check if the user has proper type set (‘ephemeral’)
- Check if user’s name is properly mapped from the assertion
- Check if user’s id is properly set and equal to value hardcoded in the mapping
-
test_user_identifications_name()[source]
Test various mapping options and how users are identified.
This test calls mapped.setup_username() for propagating user object.
Test plan:
- Check if the user has proper domain (‘federated’) set
- Check if the user has proper type set (‘ephemeral’)
- Check if user’s name is properly mapped from the assertion
- Check if user’s id is properly set and equal to name, as it was not explicitly specified in the mapping.
-
test_user_identifications_name_and_federated_domain()[source]
Test various mapping options and how users are identified.
This test calls mapped.setup_username() for propagating user object.
Test plan:
- Check if the user has proper domain (‘federated’) set
- Check if the user has proper type set (‘ephemeral’)
- Check if user’s name is properly mapped from the assertion
- Check if user’s id is properly set and equal to name, as it was not explicitly specified in the mapping.
-
class keystone.tests.unit.test_v3_federation.SAMLGenerationTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests
-
ASSERTION_VERSION = '2.0'
-
ECP_GENERATION_ROUTE = '/auth/OS-FEDERATION/saml2/ecp'
-
ISSUER = 'https://acme.com/FIM/sps/openstack/saml20'
-
PROJECT = 'development'
-
RECIPIENT = 'http://beta.com/Shibboleth.sso/SAML2/POST'
-
ROLES = ['admin', 'member']
-
SAML_GENERATION_ROUTE = '/auth/OS-FEDERATION/saml2'
-
SERVICE_PROVDIER_ID = 'ACME'
-
SP_AUTH_URL = 'http://beta.com:5000/v3/OS-FEDERATION/identity_providers/BETA/protocols/saml2/auth'
-
SUBJECT = 'test_user'
-
setUp()[source]
-
sp_ref()[source]
-
test_assertion_using_explicit_namespace_prefixes()[source]
-
test_generate_ecp_route()[source]
Test that the ECP generation endpoint produces XML.
The ECP endpoint /v3/auth/OS-FEDERATION/saml2/ecp should take the same
input as the SAML generation endpoint (scoped token ID + Service
Provider ID).
The controller should return a SAML assertion that is wrapped in a
SOAP envelope.
-
test_generate_saml_route()[source]
Test that the SAML generation endpoint produces XML.
The SAML endpoint /v3/auth/OS-FEDERATION/saml2 should take as input,
a scoped token ID, and a Service Provider ID.
The controller should fetch details about the user from the token,
and details about the service provider from its ID.
This should be enough information to invoke the SAML generator and
provide a valid SAML (XML) document back.
-
test_invalid_scope_body()[source]
Test that missing the scope in request body raises an exception.
Raises exception.SchemaValidationError() - error code 400
-
test_invalid_token_body()[source]
Test that missing the token in request body raises an exception.
Raises exception.SchemaValidationError() - error code 400
-
test_not_project_scoped_token()[source]
Ensure SAML generation fails when passing domain-scoped tokens.
The server should return a 403 Forbidden Action.
-
test_saml_signing()[source]
Test that the SAML generator produces a SAML object.
Test the SAML generator directly by passing known arguments, the result
should be a SAML object that consistently includes attributes based on
the known arguments that were passed in.
-
test_samlize_token_values()[source]
Test the SAML generator produces a SAML object.
Test the SAML generator directly by passing known arguments, the result
should be a SAML object that consistently includes attributes based on
the known arguments that were passed in.
-
test_sp_disabled()[source]
Try generating assertion for disabled Service Provider.
-
test_sp_not_found()[source]
Test SAML generation with an invalid service provider ID.
Raises exception.ServiceProviderNotFound() - error code 404
-
test_token_not_found()[source]
Test that an invalid token in the request body raises an exception.
Raises exception.TokenNotFound() - error code 404
-
test_valid_saml_xml()[source]
Test the generated SAML object can become valid XML.
Test the generator directly by passing known arguments, the result
should be a SAML object that consistently includes attributes based on
the known arguments that were passed in.
-
test_verify_assertion_object()[source]
Test that the Assertion object is built properly.
The Assertion doesn’t need to be signed in this test, so
_sign_assertion method is patched and doesn’t alter the assertion.
-
class keystone.tests.unit.test_v3_federation.ServiceProviderTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederationTests
A test class for Service Providers.
-
COLLECTION_NAME = 'service_providers'
-
MEMBER_NAME = 'service_provider'
-
SERVICE_PROVIDER_ID = 'ACME'
-
SP_KEYS = ['auth_url', 'id', 'enabled', 'description', 'relay_state_prefix', 'sp_url']
-
base_url(suffix=None)[source]
-
setUp()[source]
-
sp_ref()[source]
-
test_create_service_provider()[source]
-
test_create_service_provider_fail()[source]
Try adding SP object with unallowed attribute.
-
test_create_sp_relay_state_default()[source]
Create an SP without relay state, should default to ss:mem.
-
test_create_sp_relay_state_non_default()[source]
Create an SP with custom relay state.
-
test_delete_service_provider()[source]
-
test_delete_service_provider_404()[source]
-
test_get_service_provider()[source]
-
test_get_service_provider_fail()[source]
-
test_list_service_providers()[source]
Test listing of service provider objects.
Add two new service providers. List all available service providers.
Expect to get list of three service providers (one created by setUp())
Test if attributes match.
-
test_update_service_provider()[source]
Update existing service provider.
Update default existing service provider and make sure it has been
properly changed.
-
test_update_service_provider_404()[source]
-
test_update_service_provider_immutable_parameters()[source]
Update immutable attributes in service provider.
In this particular case the test will try to change id attribute.
The server should return an HTTP 403 error code.
-
test_update_service_provider_unknown_parameter()[source]
-
test_update_sp_relay_state()[source]
Update an SP with custom relay state.
-
class keystone.tests.unit.test_v3_federation.WebSSOTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_federation.FederatedTokenTests
A class for testing Web SSO.
-
ORIGIN = 'http%3A%2F%2Fhorizon.com'
-
PROTOCOL_REMOTE_ID_ATTR = 'dc5240f4311e4357988871c0e1a68545'
-
SSO_TEMPLATE_NAME = 'sso_callback_template.html'
-
SSO_TEMPLATE_PATH = '/home/zigo/sources/openstack/kilo/keystone/build-area/keystone-2015.1.0/etc/sso_callback_template.html'
-
SSO_URL = '/auth/OS-FEDERATION/websso/'
-
TRUSTED_DASHBOARD = 'http://horizon.com'
-
config_overrides()[source]
-
setUp()[source]
-
test_federated_sso_auth()[source]
-
test_federated_sso_auth_bad_remote_id()[source]
-
test_federated_sso_auth_with_protocol_specific_remote_id()[source]
-
test_federated_sso_missing_query()[source]
-
test_federated_sso_missing_query_bad_remote_id()[source]
-
test_federated_sso_missing_remote_id()[source]
-
test_federated_sso_untrusted_dashboard()[source]
-
test_federated_sso_untrusted_dashboard_bad_remote_id()[source]
-
test_render_callback_template()[source]
-
keystone.tests.unit.test_v3_federation.dummy_validator(*args, **kwargs)[source]
keystone.tests.unit.test_v3_filters module
-
class keystone.tests.unit.test_v3_filters.IdentityTestFilteredCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.filtering.FilterTests, keystone.tests.unit.test_v3.RestfulTestCase
Test filter enforcement on the v3 Identity API.
-
load_sample_data()[source]
Create sample data for these tests.
As well as the usual housekeeping, create a set of domains,
users, roles and projects for the subsequent tests:
- Three domains: A,B & C. C is disabled.
- DomainA has user1, DomainB has user2 and user3
- DomainA has group1 and group2, DomainB has group3
- User1 has a role on DomainA
Remember that there will also be a fourth domain in existence,
the default domain.
-
setUp()[source]
Setup for Identity Filter Test Cases.
-
test_filter_sql_injection_attack()[source]
GET /users?name=<injected sql_statement>
Test Plan:
- Attempt to get all entities back by passing a two-term attribute
- Attempt to piggyback filter to damage DB (e.g. drop table)
-
test_inexact_filters()[source]
-
test_invalid_filter_is_ignored()[source]
GET /domains?enableds&name=myname
Test Plan:
- Update policy for no protection on api
- Filter by name and ‘enableds’, which does not exist
- Assert ‘enableds’ is ignored
-
test_list_filtered_domains()[source]
GET /domains?enabled=0
Test Plan:
- Update policy for no protection on api
- Filter by the ‘enabled’ boolean to get disabled domains, which
should return just domainC
- Try the filter using different ways of specifying True/False
to test that our handling of booleans in filter matching is
correct
-
test_list_users_filtered_by_domain()[source]
GET /users?domain_id=mydomain (filtered)
Test Plan:
- Update policy so api is unprotected
- Use an un-scoped token to make sure we can filter the
users by domainB, getting back the 2 users in that domain
-
test_list_users_filtered_by_funny_name()[source]
GET /users?name=%myname%
Test Plan:
- Update policy so api is unprotected
- Update a user with name that has filter escape characters
- Ensure we can filter on it
-
test_multiple_filters()[source]
GET /domains?enabled&name=myname
Test Plan:
- Update policy for no protection on api
- Filter by the ‘enabled’ boolean and name - this should
return a single domain
-
class keystone.tests.unit.test_v3_filters.IdentityTestListLimitCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_filters.IdentityTestFilteredCase
Test list limiting enforcement on the v3 Identity API.
-
clean_up_entity(entity)[source]
Clean up entity test data from Identity Limit Test Cases.
-
clean_up_policy()[source]
Clean up policy test data from Identity Limit Test Cases.
-
clean_up_service()[source]
Clean up service test data from Identity Limit Test Cases.
-
content_type = 'json'
-
setUp()[source]
Setup for Identity Limit Test Cases.
-
test_at_limit()[source]
Check truncated attribute not set when list at max size.
-
test_groups_list_limit()[source]
-
test_no_limit()[source]
Check truncated attribute not set when list not limited.
-
test_non_driver_list_limit()[source]
Check list can be limited without driver level support.
Policy limiting is not done at the driver level (since it
really isn’t worth doing it there). So use this as a test
for ensuring the controller level will successfully limit
in this case.
-
test_projects_list_limit()[source]
-
test_services_list_limit()[source]
-
test_users_list_limit()[source]
keystone.tests.unit.test_v3_identity module
-
class keystone.tests.unit.test_v3_identity.IdentityTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test users and groups.
-
setUp()[source]
-
test_add_user_to_group()[source]
Call PUT /groups/{group_id}/users/{user_id}.
-
test_admin_password_reset()[source]
-
test_check_user_in_group()[source]
Call HEAD /groups/{group_id}/users/{user_id}.
-
test_create_group()[source]
Call POST /groups.
-
test_create_group_400()[source]
Call POST /groups.
-
test_create_user()[source]
Call POST /users.
-
test_create_user_400()[source]
Call POST /users.
-
test_create_user_without_domain()[source]
Call POST /users without specifying domain.
According to the identity-api specification, if you do not
explicitly specify the domain_id in the entity, it should
take the domain scope of the token as the domain_id.
-
test_delete_group()[source]
Call DELETE /groups/{group_id}.
-
test_delete_user()[source]
Call DELETE /users/{user_id}.
As well as making sure the delete succeeds, we ensure
that any credentials that reference this user are
also deleted, while other credentials are unaffected.
In addition, no tokens should remain valid for this user.
-
test_get_group()[source]
Call GET /groups/{group_id}.
-
test_get_user()[source]
Call GET /users/{user_id}.
-
test_get_user_with_default_project()[source]
Call GET /users/{user_id} making sure of default_project_id.
-
test_list_groups()[source]
Call GET /groups.
-
test_list_groups_for_user()[source]
Call GET /users/{user_id}/groups.
-
test_list_users()[source]
Call GET /users.
-
test_list_users_in_group()[source]
Call GET /groups/{group_id}/users.
-
test_list_users_no_default_project()[source]
Call GET /users making sure no default_project_id.
-
test_list_users_with_multiple_backends()[source]
Call GET /users when multiple backends are enabled.
In this scenario, the controller requires a domain to be specified
either as a filter or by using a domain scoped token.
-
test_list_users_with_static_admin_token_and_multiple_backends()[source]
-
test_remove_user_from_group()[source]
Call DELETE /groups/{group_id}/users/{user_id}.
-
test_update_group()[source]
Call PATCH /groups/{group_id}.
-
test_update_group_domain_id()[source]
Call PATCH /groups/{group_id} with domain_id.
-
test_update_user()[source]
Call PATCH /users/{user_id}.
-
test_update_user_domain_id()[source]
Call PATCH /users/{user_id} with domain_id.
-
class keystone.tests.unit.test_v3_identity.IdentityV3toV2MethodsTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
Test users V3 to V2 conversion methods.
-
setUp()[source]
-
test_v3_to_v2_user_method()[source]
-
test_v3_to_v2_user_method_list()[source]
-
class keystone.tests.unit.test_v3_identity.UserSelfServiceChangingPasswordsTestCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
change_password(expected_status, **kwargs)[source]
Returns a test response for a change password request.
-
get_request_token(password, expected_status)[source]
-
setUp()[source]
-
test_changing_password()[source]
-
test_changing_password_with_disabled_user_fails()[source]
-
test_changing_password_with_incorrect_password_fails()[source]
-
test_changing_password_with_missing_original_password_fails()[source]
-
test_changing_password_with_missing_password_fails()[source]
keystone.tests.unit.test_v3_oauth1 module
-
class keystone.tests.unit.test_v3_oauth1.AccessTokenCRUDTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_oauth1.OAuthFlowTests
-
test_delete_access_token_dne()[source]
-
test_get_access_token_dne()[source]
-
test_get_role_in_access_token()[source]
-
test_get_role_in_access_token_dne()[source]
-
test_get_single_access_token()[source]
-
test_list_all_roles_in_access_token()[source]
-
test_list_and_delete_access_tokens()[source]
-
test_list_no_access_tokens()[source]
-
class keystone.tests.unit.test_v3_oauth1.AuthTokenTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_oauth1.OAuthFlowTests
-
test_change_user_password_also_deletes_tokens()[source]
-
test_delete_access_token_also_revokes_token()[source]
-
test_delete_keystone_tokens_by_consumer_id()[source]
-
test_deleting_consumer_also_deletes_tokens()[source]
-
test_deleting_project_also_invalidates_tokens()[source]
-
test_keystone_token_is_valid()[source]
-
test_oauth_token_cannot_authorize_request_token()[source]
-
test_oauth_token_cannot_create_new_trust()[source]
-
test_oauth_token_cannot_list_request_tokens()[source]
-
test_token_chaining_is_not_allowed()[source]
-
test_trust_token_cannot_authorize_request_token()[source]
-
test_trust_token_cannot_list_request_tokens()[source]
-
class keystone.tests.unit.test_v3_oauth1.ConsumerCRUDTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests
-
test_consumer_create()[source]
-
test_consumer_create_no_description()[source]
-
test_consumer_create_none_desc_1()[source]
-
test_consumer_create_none_desc_2()[source]
-
test_consumer_create_normalize_field()[source]
-
test_consumer_delete()[source]
-
test_consumer_get()[source]
-
test_consumer_get_bad_id()[source]
-
test_consumer_list()[source]
-
test_consumer_update()[source]
-
test_consumer_update_bad_id()[source]
-
test_consumer_update_bad_secret()[source]
-
test_consumer_update_normalize_field()[source]
-
class keystone.tests.unit.test_v3_oauth1.JsonHomeTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests, keystone.tests.unit.test_v3.JsonHomeTestMixin
-
JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers': {'href': '/OS-OAUTH1/consumers'}}
-
class keystone.tests.unit.test_v3_oauth1.MaliciousOAuth1Tests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests
-
test_bad_authorizing_roles()[source]
-
test_bad_consumer_id()[source]
-
test_bad_consumer_secret()[source]
-
test_bad_request_token_key()[source]
-
test_bad_requested_project_id()[source]
-
test_bad_verifier()[source]
-
test_expired_authorizing_request_token()[source]
-
test_expired_creating_keystone_token()[source]
-
class keystone.tests.unit.test_v3_oauth1.OAuth1Tests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
-
CONSUMER_URL = '/OS-OAUTH1/consumers'
-
EXTENSION_NAME = 'oauth1'
-
EXTENSION_TO_ADD = 'oauth1_extension'
-
setUp()[source]
-
class keystone.tests.unit.test_v3_oauth1.OAuthCADFNotificationTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_oauth1.OAuthNotificationTests
-
setUp()[source]
Repeat the tests for CADF notifications.
-
class keystone.tests.unit.test_v3_oauth1.OAuthFlowTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests
-
auth_plugin_config_override()[source]
-
test_oauth_flow()[source]
-
class keystone.tests.unit.test_v3_oauth1.OAuthNotificationTests(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests, keystone.tests.unit.common.test_notifications.BaseNotificationTest
-
test_create_consumer()[source]
-
test_delete_consumer()[source]
-
test_oauth_flow_notifications()[source]
Test to ensure notifications are sent for oauth tokens.
This test is very similar to test_oauth_flow, however
there are additional checks in this test for ensuring that
notifications for request token creation, and access token
creation/deletion are emitted.
-
test_update_consumer()[source]
keystone.tests.unit.test_v3_protection module
-
class keystone.tests.unit.test_v3_protection.IdentityTestPolicySample(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test policy enforcement of the policy.json file.
-
load_sample_data()[source]
-
test_admin_check_user_token()[source]
-
test_admin_revoke_user_token()[source]
-
test_admin_validate_user_token()[source]
-
test_user_check_other_user_token_rejected()[source]
-
test_user_check_same_token()[source]
-
test_user_check_user_token()[source]
-
test_user_revoke_other_user_token_rejected()[source]
-
test_user_revoke_same_token()[source]
-
test_user_revoke_user_token()[source]
-
test_user_validate_other_user_token_rejected()[source]
-
test_user_validate_same_token()[source]
-
test_user_validate_user_token()[source]
-
class keystone.tests.unit.test_v3_protection.IdentityTestProtectedCase(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test policy enforcement on the v3 Identity API.
-
load_sample_data()[source]
-
setUp()[source]
Setup for Identity Protection Test Cases.
As well as the usual housekeeping, create a set of domains,
users, roles and projects for the subsequent tests:
- Three domains: A,B & C. C is disabled.
- DomainA has user1, DomainB has user2 and user3
- DomainA has group1 and group2, DomainB has group3
- User1 has two roles on DomainA
- User2 has one role on DomainA
Remember that there will also be a fourth domain in existence,
the default domain.
-
test_get_user_protected_match_id()[source]
GET /users/{id} (match payload)
Test Plan:
- Update policy to protect api by user_id
- List users with user_id of user1 as filter, to check that
this will correctly match user_id in the flattened
payload
-
test_get_user_protected_match_target()[source]
GET /users/{id} (match target)
Test Plan:
- Update policy to protect api by domain_id
- Try and read a user who is in DomainB with a token scoped
to Domain A - this should fail
- Retry this for a user who is in Domain A, which should succeed.
- Finally, try getting a user that does not exist, which should
still return UserNotFound
-
test_list_groups_protected_by_domain()[source]
GET /groups?domain_id=mydomain (protected)
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA and make sure
we only get back the two groups that are in domainA
- Try and read the groups from domainB - this should fail since
we don’t have a token scoped for domainB
-
test_list_groups_protected_by_domain_and_filtered()[source]
GET /groups?domain_id=mydomain&name=myname (protected)
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA with a filter
specifying both domainA and the name of group.
- We should only get back the group in domainA that matches
the name
-
test_list_users_filtered_by_domain()[source]
GET /users?domain_id=mydomain (filtered)
Test Plan:
- Update policy so api is unprotected
- Use an un-scoped token to make sure we can filter the
users by domainB, getting back the 2 users in that domain
-
test_list_users_protected_by_domain()[source]
GET /users?domain_id=mydomain (protected)
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA with a filter
specifying domainA - we should only get back the one user
that is in domainA.
- Try and read the users from domainB - this should fail since
we don’t have a token scoped for domainB
-
test_list_users_unprotected()[source]
GET /users (unprotected)
Test Plan:
- Update policy so api is unprotected
- Use an un-scoped token to make sure we can get back all
the users independent of domain
-
test_revoke_grant_protected_match_target()[source]
DELETE /domains/{id}/users/{id}/roles/{id} (match target)
Test Plan:
- Update policy to protect api by domain_id of entities in
the grant
- Try and delete the existing grant that has a user who is
from a different domain - this should fail.
- Retry this for a user who is in Domain A, which should succeed.
-
class keystone.tests.unit.test_v3_protection.IdentityTestv3CloudPolicySample(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test policy enforcement of the sample v3 cloud policy file.
-
load_sample_data()[source]
-
setUp()[source]
Setup for v3 Cloud Policy Sample Test Cases.
The following data is created:
- Three domains: domainA, domainB and admin_domain
- One project, whose name is ‘project’
- domainA has three users: domain_admin_user, project_admin_user and
just_a_user:
- domain_admin_user has role ‘admin’ on domainA,
- project_admin_user has role ‘admin’ on the project,
- just_a_user has a non-admin role on both domainA and the project.
- admin_domain has user cloud_admin_user, with an ‘admin’ role
on admin_domain.
We test various api protection rules from the cloud sample policy
file to make sure the sample is valid and that we correctly enforce it.
-
test_admin_check_user_token()[source]
-
test_admin_revoke_user_token()[source]
-
test_admin_validate_user_token()[source]
-
test_cloud_admin()[source]
-
test_domain_grants()[source]
-
test_domain_grants_by_cloud_admin()[source]
-
test_get_and_delete_ec2_credentials()[source]
Tests getting and deleting ec2 credentials through the ec2 API.
-
test_list_user_credentials()[source]
-
test_project_grants()[source]
-
test_project_grants_by_domain_admin()[source]
-
test_project_management()[source]
-
test_project_management_by_cloud_admin()[source]
-
test_user_check_other_user_token_rejected()[source]
-
test_user_check_same_token()[source]
-
test_user_check_user_token()[source]
-
test_user_management()[source]
-
test_user_management_by_cloud_admin()[source]
-
test_user_revoke_other_user_token_rejected()[source]
-
test_user_revoke_same_token()[source]
-
test_user_revoke_user_token()[source]
-
test_user_validate_other_user_token_rejected()[source]
-
test_user_validate_same_token()[source]
-
test_user_validate_user_token()[source]
keystone.tests.unit.test_validation module
-
class keystone.tests.unit.test_validation.CredentialValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Credential API validation.
-
setUp()[source]
-
test_validate_credential_ec2_without_project_id_fails()[source]
Validate project_id is required for ec2.
Test that a SchemaValidationError is raised when type is ec2
and no project_id is provided in create request.
-
test_validate_credential_non_ec2_without_project_id_succeeds()[source]
Validate project_id is not required for non-ec2.
Test that create request without project_id succeeds for any
non-ec2 credential.
-
test_validate_credential_succeeds()[source]
Test that we validate a credential request.
-
test_validate_credential_update_succeeds()[source]
Test that a credential request is properly validated.
Validate credential update with extra parameters.
-
test_validate_credential_update_without_parameters_fails()[source]
Exception is raised on update without parameters.
Validate create request with extra parameters.
-
test_validate_credential_with_project_id_succeeds()[source]
Test that credential request works for all types.
-
test_validate_credential_without_blob_fails()[source]
Exception raised without blob in create request.
-
test_validate_credential_without_type_fails()[source]
Exception raised without type in create request.
-
test_validate_credential_without_user_id_fails()[source]
Exception raised without user_id in create request.
-
class keystone.tests.unit.test_validation.DomainValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Domain API validation.
-
setUp()[source]
-
test_validate_domain_request()[source]
Make sure we successfully validate a create domain request.
-
test_validate_domain_request_with_enabled()[source]
Validate enabled as boolean-like values for domains.
-
test_validate_domain_request_with_invalid_description_fails()[source]
Exception is raised when description is a non-string value.
-
test_validate_domain_request_with_invalid_enabled_fails()[source]
Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_domain_request_with_name_too_long()[source]
Exception is raised when name is too long.
-
test_validate_domain_request_with_name_too_short()[source]
Exception raised when name is too short.
-
test_validate_domain_request_with_valid_description()[source]
Test that we validate description in create domain requests.
-
test_validate_domain_request_without_name_fails()[source]
Make sure we raise an exception when name isn’t included.
-
test_validate_domain_update_request()[source]
Test that we validate a domain update request.
-
test_validate_domain_update_request_with_name_too_long_fails()[source]
Exception raised when updating a domain with name too long.
-
test_validate_domain_update_request_with_name_too_short_fails()[source]
Exception raised when updating a domain with name too short.
-
test_validate_domain_update_request_with_no_parameters_fails()[source]
Exception is raised when updating a domain without parameters.
-
class keystone.tests.unit.test_validation.EndpointGroupValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Endpoint Group API validation.
-
setUp()[source]
-
test_validate_create_endpoint_group_fails_with_invalid_filters()[source]
Validate invalid filters value in endpoint group parameters.
This test ensures that an exception is raised when a non-dict value is
used as filters in an endpoint group create request.
-
test_validate_endpoint_group_create_fails_without_filters()[source]
Exception raised when filters isn’t in endpoint group request.
-
test_validate_endpoint_group_create_fails_without_name()[source]
Exception raised when name isn’t in endpoint group request.
-
test_validate_endpoint_group_create_succeeds_with_req_parameters()[source]
Validate required endpoint group parameters.
This test ensures that validation succeeds with only the required
parameters passed for creating an endpoint group.
-
test_validate_endpoint_group_create_succeeds_with_valid_filters()[source]
Validate dict values as filters in endpoint group create requests.
-
test_validate_endpoint_group_request_succeeds()[source]
Test that we validate an endpoint group request.
-
test_validate_endpoint_group_update_fails_with_invalid_filters()[source]
Exception raised when passing invalid filters in request.
-
test_validate_endpoint_group_update_fails_with_no_parameters()[source]
Exception raised when no parameters on endpoint group update.
-
test_validate_endpoint_group_update_request_succeeds()[source]
Test that we validate an endpoint group update request.
-
test_validate_endpoint_group_update_succeeds_with_name()[source]
Validate request with only name in endpoint group update.
This test ensures that passing only a name passes validation
on update endpoint group request.
-
test_validate_endpoint_group_update_succeeds_with_valid_filters()[source]
Validate filters as dict values.
-
class keystone.tests.unit.test_validation.EndpointValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Endpoint API validation.
-
setUp()[source]
-
test_validate_create_endpoint_fails_with_invalid_enabled()[source]
Exception raised when boolean-like values are passed as enabled.
-
test_validate_endpoint_create_fails_with_invalid_interface()[source]
Exception raised with invalid interface.
-
test_validate_endpoint_create_fails_with_invalid_url()[source]
Exception raised when passing invalid url in request.
-
test_validate_endpoint_create_fails_without_interface()[source]
Exception raised when interface isn’t in endpoint request.
-
test_validate_endpoint_create_fails_without_service_id()[source]
Exception raised when service_id isn’t in endpoint request.
-
test_validate_endpoint_create_fails_without_url()[source]
Exception raised when url isn’t in endpoint request.
Test that extra parameters pass validation on create endpoint.
-
test_validate_endpoint_create_succeeds_with_required_parameters()[source]
Validate an endpoint request with only the required parameters.
-
test_validate_endpoint_create_succeeds_with_url()[source]
Validate url attribute in endpoint create request.
-
test_validate_endpoint_create_succeeds_with_valid_enabled()[source]
Validate an endpoint with boolean values.
Validate boolean values as enabled in endpoint create requests.
-
test_validate_endpoint_request_succeeds()[source]
Test that we validate an endpoint request.
-
test_validate_endpoint_update_fails_with_invalid_enabled()[source]
Exception raised when enabled is a boolean-like value.
-
test_validate_endpoint_update_fails_with_invalid_interface()[source]
Exception raised when invalid interface on endpoint update.
-
test_validate_endpoint_update_fails_with_invalid_url()[source]
Exception raised when passing invalid url in request.
-
test_validate_endpoint_update_fails_with_no_parameters()[source]
Exception raised when no parameters on endpoint update.
-
test_validate_endpoint_update_request_succeeds()[source]
Test that we validate an endpoint update request.
Test that extra parameters pass validation on update endpoint.
-
test_validate_endpoint_update_succeeds_with_url()[source]
Validate url attribute in endpoint update request.
-
test_validate_endpoint_update_succeeds_with_valid_enabled()[source]
Validate enabled as boolean values.
-
class keystone.tests.unit.test_validation.EntityValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
-
setUp()[source]
-
test_create_entity_with_all_valid_parameters_validates()[source]
Validate all parameter values against test schema.
-
test_create_entity_with_invalid_email_fails()[source]
Validate invalid email address.
Test that an exception is raised when validating improperly
formatted email addresses.
-
test_create_entity_with_invalid_enabled_format_raises_exception()[source]
Validate invalid enabled formats.
Test that an exception is raised when passing invalid boolean-like
values as enabled.
-
test_create_entity_with_invalid_id_strings()[source]
Exception raised when using invalid id strings.
-
test_create_entity_with_invalid_urls_fails()[source]
Test that an exception is raised when validating improper urls.
-
test_create_entity_with_name_too_long_raises_exception()[source]
Validate long names.
Validate that an exception is raised when validating a string of 255+
characters passed in as a name.
-
test_create_entity_with_name_too_short_raises_exception()[source]
Validate short names.
Test that an exception is raised when passing a string of length
zero as a name parameter.
-
test_create_entity_with_null_id_string()[source]
Validate that None is an acceptable optional string type.
-
test_create_entity_with_null_string_succeeds()[source]
Exception raised when passing None on required id strings.
-
test_create_entity_with_only_required_valid_parameters_validates()[source]
Validate only the required parameter values against the test schema.
-
test_create_entity_with_unicode_name_validates()[source]
Test that we successfully validate a unicode string.
-
test_create_entity_with_valid_email_validates()[source]
Validate email address.
Test that we successfully validate properly formatted email
addresses.
-
test_create_entity_with_valid_enabled_formats_validates()[source]
Validate valid enabled formats.
Test that we have successful validation on boolean values for
enabled.
-
test_create_entity_with_valid_id_strings()[source]
Validate acceptable id strings.
-
test_create_entity_with_valid_urls_validates()[source]
Test that proper urls are successfully validated.
-
test_update_entity_with_a_null_optional_parameter_validates()[source]
Optional parameters can be null to remove the value.
-
test_update_entity_with_a_required_null_parameter_fails()[source]
The name parameter can’t be null.
-
test_update_entity_with_a_valid_optional_parameter_validates()[source]
Succeeds with only a single valid optional parameter.
-
test_update_entity_with_a_valid_required_parameter_validates()[source]
Succeed if a valid required parameter is provided.
-
test_update_entity_with_all_parameters_valid_validates()[source]
Simulate updating an entity by ID.
-
test_update_entity_with_invalid_optional_parameter_fails()[source]
Fails when an optional parameter is invalid.
-
test_update_entity_with_invalid_required_parameter_fails()[source]
Fail if a provided required parameter is invalid.
-
test_update_entity_with_no_parameters_fails()[source]
At least one parameter needs to be present for an update.
-
class keystone.tests.unit.test_validation.PolicyValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Policy API validation.
-
setUp()[source]
Validate policy create with extra parameters.
-
test_validate_policy_create_with_invalid_type_fails()[source]
Exception raised when blob and type are boolean.
-
test_validate_policy_succeeds()[source]
Test that we validate a create policy request.
-
test_validate_policy_update_succeeds()[source]
Test that we validate a policy update request.
Validate policy update request with extra parameters.
-
test_validate_policy_update_with_invalid_type_fails()[source]
Exception raised when invalid type on policy update.
-
test_validate_policy_update_without_parameters_fails()[source]
Exception raised when updating policy without parameters.
-
test_validate_policy_without_blob_fails()[source]
Exception raised without blob in request.
-
test_validate_policy_without_type_fails()[source]
Exception raised without type in request.
-
class keystone.tests.unit.test_validation.ProjectValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Project API validation.
-
setUp()[source]
-
test_validate_project_request()[source]
Test that we validate a project with name in request.
-
test_validate_project_request_with_enabled()[source]
Validate enabled as boolean-like values for projects.
-
test_validate_project_request_with_invalid_description_fails()[source]
Exception is raised when description is a non-string value.
-
test_validate_project_request_with_invalid_enabled_fails()[source]
Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_project_request_with_invalid_parent_id_fails()[source]
Exception is raised when parent_id is a non-id value.
-
test_validate_project_request_with_name_too_long()[source]
Exception is raised when name is too long.
-
test_validate_project_request_with_name_too_short()[source]
Exception raised when name is too short.
-
test_validate_project_request_with_valid_description()[source]
Test that we validate description in create project requests.
-
test_validate_project_request_with_valid_parent_id()[source]
Test that we validate parent_id in create project requests.
-
test_validate_project_request_without_name_fails()[source]
Validate project request fails without name.
-
test_validate_project_update_request()[source]
Test that we validate a project update request.
-
test_validate_project_update_request_with_name_too_long_fails()[source]
Exception raised when updating a project with name too long.
-
test_validate_project_update_request_with_name_too_short_fails()[source]
Exception raised when updating a project with name too short.
-
test_validate_project_update_request_with_no_parameters_fails()[source]
Exception is raised when updating project without parameters.
-
test_validate_project_update_request_with_null_domain_id_fails()[source]
-
class keystone.tests.unit.test_validation.RegionValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Region API validation.
-
setUp()[source]
-
test_validate_region_create_request_with_parameters()[source]
Test that we validate a region request with parameters.
Validate create region request with extra values.
-
test_validate_region_create_with_uuid()[source]
Test that we validate a region request with a UUID as the id.
-
test_validate_region_request()[source]
Test that we validate a basic region request.
-
test_validate_region_update_fails_with_no_parameters()[source]
Exception raised when passing no parameters in a region update.
-
test_validate_region_update_succeeds()[source]
Test that we validate a region update request.
Validate extra attributes in the region update request.
-
class keystone.tests.unit.test_validation.RoleValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Role API validation.
-
setUp()[source]
-
test_validate_role_create_when_name_is_not_string_fails()[source]
Exception is raised on role create with a non-string name.
-
test_validate_role_create_without_name_raises_exception()[source]
Test that we raise an exception when name isn’t included.
-
test_validate_role_request()[source]
Test we can successfully validate a create role request.
-
test_validate_role_update_fails_with_invalid_name_fails()[source]
Exception when validating an update request with invalid name.
-
test_validate_role_update_request()[source]
Test that we validate a role update request.
-
class keystone.tests.unit.test_validation.ServiceProviderValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Service Provider API validation.
-
setUp()[source]
-
test_validate_sp_request()[source]
Test that we validate auth_url and sp_url in request.
-
test_validate_sp_request_with_enabled()[source]
Validate enabled as boolean-like values.
Exception raised when passing extra fields in the body.
-
test_validate_sp_request_with_invalid_auth_url_fails()[source]
Validate request fails with invalid auth_url.
-
test_validate_sp_request_with_invalid_description_fails()[source]
Exception is raised when description is a non-string value.
-
test_validate_sp_request_with_invalid_enabled_fails()[source]
Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_sp_request_with_invalid_sp_url_fails()[source]
Validate request fails with invalid sp_url.
-
test_validate_sp_request_with_valid_description()[source]
Test that we validate description in create requests.
-
test_validate_sp_request_without_auth_url_fails()[source]
Validate request fails without auth_url.
-
test_validate_sp_request_without_sp_url_fails()[source]
Validate request fails without sp_url.
-
test_validate_sp_update_request()[source]
Test that we validate an update request.
-
test_validate_sp_update_request_with_invalid_auth_url_fails()[source]
Exception raised when updating with invalid auth_url.
-
test_validate_sp_update_request_with_invalid_sp_url_fails()[source]
Exception raised when updating with invalid sp_url.
-
test_validate_sp_update_request_with_no_parameters_fails()[source]
Exception is raised when updating without parameters.
-
class keystone.tests.unit.test_validation.ServiceValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Service API validation.
-
setUp()[source]
-
test_validate_service_create_fails_when_name_too_long()[source]
Exception raised when name is greater than 255 characters.
-
test_validate_service_create_fails_when_name_too_short()[source]
Exception is raised when name is too short.
-
test_validate_service_create_fails_when_type_too_long()[source]
Exception is raised when type is too long.
-
test_validate_service_create_fails_when_type_too_short()[source]
Exception is raised when type is too short.
-
test_validate_service_create_fails_with_invalid_enabled()[source]
Exception raised when boolean-like parameters are passed as enabled.
On service create, make sure an exception is raised if enabled is
not a boolean value.
-
test_validate_service_create_fails_without_type()[source]
Exception raised when trying to create a service without type.
-
test_validate_service_create_succeeds()[source]
Test that we validate a service create request.
Test that extra parameters pass validation on create service.
-
test_validate_service_create_succeeds_with_required_parameters()[source]
Validate a service create request with the required parameters.
-
test_validate_service_create_succeeds_with_valid_enabled()[source]
Validate boolean values as enabled values on service create.
-
test_validate_service_update_fails_with_invalid_enabled()[source]
Exception raised when boolean-like values are passed as enabled.
-
test_validate_service_update_fails_with_name_too_long()[source]
Exception is raised when name is too long on update.
-
test_validate_service_update_fails_with_name_too_short()[source]
Exception is raised when name is too short on update.
-
test_validate_service_update_fails_with_no_parameters()[source]
Exception raised when updating a service without values.
-
test_validate_service_update_fails_with_type_too_long()[source]
Exception is raised when type is too long on update.
-
test_validate_service_update_fails_with_type_too_short()[source]
Exception is raised when type is too short on update.
-
test_validate_service_update_request_succeeds()[source]
Test that we validate a service update request.
Validate updating a service with extra parameters.
-
test_validate_service_update_succeeds_with_valid_enabled()[source]
Validate boolean formats as enabled on service update.
-
class keystone.tests.unit.test_validation.TrustValidationTestCase(*args, **kwargs)[source]
Bases: testtools.testcase.TestCase
Test for V3 Trust API validation.
-
setUp()[source]
-
test_validate_trust_succeeds()[source]
Test that we can validate a trust request.
-
test_validate_trust_with_all_parameters_succeeds()[source]
Test that we can validate a trust request with all parameters.
Test that we can validate a trust request with extra parameters.
-
test_validate_trust_with_invalid_expires_at_fails()[source]
Validate trust request with invalid expires_at fails.
-
test_validate_trust_with_invalid_impersonation_fails()[source]
Validate trust request with invalid impersonation fails.
-
test_validate_trust_with_invalid_role_type_fails()[source]
Validate trust request with invalid roles fails.
-
test_validate_trust_with_list_of_valid_roles_succeeds()[source]
Validate trust request with a list of valid roles.
-
test_validate_trust_with_null_remaining_uses_succeeds()[source]
Validate trust request with null remaining_uses.
-
test_validate_trust_with_period_in_user_id_string()[source]
Validate trust request with a period in the user id string.
-
test_validate_trust_with_remaining_uses_succeeds()[source]
Validate trust request with remaining_uses succeeds.
-
test_validate_trust_with_role_types_succeeds()[source]
Validate trust request with roles succeeds.
-
test_validate_trust_without_impersonation_fails()[source]
Validate trust request fails without impersonation.
-
test_validate_trust_without_trustee_id_fails()[source]
Validate trust request fails without trustee_id.
-
test_validate_trust_without_trustor_id_fails()[source]
Validate trust request fails without trustor_id.
keystone.tests.unit.test_wsgi module
-
class keystone.tests.unit.test_wsgi.ApplicationTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_wsgi.BaseWSGITest
-
test_application_local_config()[source]
-
test_attribute_missing_from_request()[source]
-
test_no_required_attributes_present()[source]
-
test_query_string_available()[source]
-
test_render_exception()[source]
-
test_render_exception_host()[source]
-
test_render_response()[source]
-
test_render_response_custom_status()[source]
-
test_render_response_head_with_body()[source]
-
test_render_response_no_body()[source]
-
test_require_attribute_fail_if_attribute_not_present()[source]
-
test_response_content_type()[source]
-
test_successful_require_attribute()[source]
-
test_successful_require_multiple_attributes()[source]
-
class keystone.tests.unit.test_wsgi.BaseWSGITest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
setUp()[source]
-
class keystone.tests.unit.test_wsgi.ExtensionRouterTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_wsgi.BaseWSGITest
-
test_extensionrouter_local_config()[source]
-
class keystone.tests.unit.test_wsgi.FakeApp(*args, **kwargs)[source]
Bases: keystone.common.wsgi.Application
-
index(context)[source]
-
class keystone.tests.unit.test_wsgi.FakeAttributeCheckerApp(*args, **kwargs)[source]
Bases: keystone.common.wsgi.Application
-
assert_attribute(body, attr)[source]
Asserts that the given request has a certain attribute.
-
assert_attributes(body, attr)[source]
Asserts that the given request has a certain set of attributes.
-
index(context)[source]
-
class keystone.tests.unit.test_wsgi.LocalizedResponseTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
test_get_localized_response(*args, **keywargs)[source]
-
test_request_match_default()[source]
-
test_request_match_language_expected(*args, **keywargs)[source]
-
test_request_match_language_unexpected(*args, **keywargs)[source]
-
test_static_translated_string_is_lazy_translatable()[source]
-
class keystone.tests.unit.test_wsgi.MiddlewareTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.test_wsgi.BaseWSGITest
-
test_middleware_bad_request()[source]
-
test_middleware_exception_error()[source]
-
test_middleware_local_config()[source]
-
test_middleware_request()[source]
-
test_middleware_response()[source]
-
test_middleware_type_error()[source]
-
class keystone.tests.unit.test_wsgi.RouterTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
setUp()[source]
-
test_invalid_status()[source]
-
class keystone.tests.unit.test_wsgi.ServerTest(*args, **kwargs)[source]
Bases: keystone.tests.unit.core.TestCase
-
setUp()[source]
-
test_keepalive_and_keepidle_set(*args, **keywargs)[source]
-
test_keepalive_set(*args, **keywargs)[source]
-
test_keepalive_unset(*args, **keywargs)[source]
keystone.tests.unit.utils module
Useful utilities for tests.
-
keystone.tests.unit.utils.new_uuid()[source]
Return a string UUID.
-
keystone.tests.unit.utils.timezone(func)[source]
-
keystone.tests.unit.utils.wip(message)[source]
Mark a test as work in progress.
Based on code by Nat Pryce:
https://gist.github.com/npryce/997195#file-wip-py
The test will always be run. If the test fails then a TestSkipped
exception is raised. If the test passes an AssertionError exception
is raised so that the developer knows they made the test pass. This
is a reminder to remove the decorator.
Parameters: | message – a string message to help clarify why the test is
marked as a work in progress |
- usage:
>>> @wip('waiting on bug #000000')
>>> def test():
>>>     pass
Module contents