keystone.tests.unit.core.
BaseTestCase
(*args, **kwargs)[source]¶Bases: testtools.testcase.TestCase
Light weight base test class.
This is a placeholder that will eventually go away once the setup/teardown in TestCase is properly trimmed down to the bare essentials. This is really just a play to speed up the tests by eliminating unnecessary work.
keystone.tests.unit.core.
SQLDriverOverrides
[source]¶Bases: object
A mixin for consolidating sql-specific test overrides.
keystone.tests.unit.core.
TestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
assertCloseEnoughForGovernmentWork
(a, b, delta=3)[source]¶Assert that two datetimes are nearly equal within a small delta.
Parameters: | delta – Maximum allowable time delta, defined in seconds. |
---|
assertUserDictEqual
(expected, observed, message=”)[source]¶Assert that a user dict is equal to another user dict.
User dictionaries have some variable values that should be ignored in the comparison. This method is a helper that strips those elements out when comparing the user dictionary. This normalized these differences that should not change the comparison.
ipv6_enabled
¶keystone.tests.unit.core.
create_user
(api, domain_id, **kwargs)[source]¶Create a user via the API. Keep the created password.
The password is saved and restored when api.create_user() is called. Only use this routine if there is a requirement for the user object to have a valid password after api.create_user() is called.
keystone.tests.unit.core.
new_cert_credential
(user_id, project_id=None, blob=None, **kwargs)[source]¶keystone.tests.unit.core.
new_credential_ref
(user_id, project_id=None, type=’cert’, **kwargs)[source]¶keystone.tests.unit.core.
new_endpoint_ref
(service_id, interface=’public’, region_id=<object object>, **kwargs)[source]¶keystone.tests.unit.core.
new_endpoint_ref_with_region
(service_id, region, interface=’public’, **kwargs)[source]¶Define an endpoint_ref having a pre-3.2 form.
Contains the deprecated ‘region’ instead of ‘region_id’.
keystone.tests.unit.core.
new_trust_ref
(trustor_user_id, trustee_user_id, project_id=None, impersonation=None, expires=None, role_ids=None, role_names=None, remaining_uses=None, allow_redelegation=False, redelegation_count=None, **kwargs)[source]¶keystone.tests.unit.core.
skip_if_cache_disabled
(*sections)[source]¶Skip a test if caching is disabled, this is a decorator.
Caching can be disabled either globally or for a specific section.
In the code fragment:
@skip_if_cache_is_disabled('assignment', 'token')
def test_method(*args):
...
The method test_method would be skipped if caching is disabled globally via the enabled option in the cache section of the configuration or if the caching option is set to false in either assignment or token sections of the configuration. This decorator can be used with no arguments to only check global caching.
If a specified configuration section does not define the caching option, this decorator makes the same assumption as the should_cache_fn in keystone.common.cache that caching should be enabled.
Fake LDAP server for test harness.
This class does very little error checking, and knows nothing about ldap class definitions. It implements the minimum emulation of the python ldap library to work with keystone.
keystone.tests.unit.fakeldap.
FakeLdap
(conn=None)[source]¶Bases: keystone.identity.backends.ldap.common.LDAPHandler
Emulate the python-ldap API.
The python-ldap API requires all strings to be UTF-8 encoded. This is assured by the caller of this interface (i.e. KeystoneLDAPHandler).
However, internally this emulation MUST process and store strings in a canonical form which permits operations on characters. Encoded strings do not provide the ability to operate on characters. Therefore this emulation accepts UTF-8 encoded strings, decodes them to unicode for operations internal to this emulation, and encodes them back to UTF-8 when returning values from the emulation.
connect
(url, page_size=0, alias_dereferencing=None, use_tls=False, tls_cacertfile=None, tls_cacertdir=None, tls_req_cert=’demand’, chase_referrals=None, debug_level=None, use_pool=None, pool_size=None, pool_retry_max=None, pool_retry_delay=None, pool_conn_timeout=None, pool_conn_lifetime=None, conn_timeout=None)[source]¶modify_s
(dn, modlist)[source]¶Modify the object at dn using the attribute list.
Parameters: |
|
---|
result3
(msgid=-1, all=1, timeout=None, resp_ctrl_classes=None)[source]¶Execute async request.
Only msgid param is supported. Request info is fetched from global variable PendingRequests by msgid, executed using search_s and limited if requested.
search_ext
(base, scope, filterstr=’(objectClass=*)’, attrlist=None, attrsonly=0, serverctrls=None, clientctrls=None, timeout=-1, sizelimit=0)[source]¶search_s
(base, scope, filterstr=’(objectClass=*)’, attrlist=None, attrsonly=0)[source]¶Search for all matching objects under base using the query.
Args: base – dn to search under scope – search scope (base, subtree, onelevel) filterstr – filter objects by attrlist – attrs to return. Returns all attrs if not specified
keystone.tests.unit.fakeldap.
FakeLdapNoSubtreeDelete
(conn=None)[source]¶Bases: keystone.tests.unit.fakeldap.FakeLdap
FakeLdap subclass that does not support subtree delete.
Same as FakeLdap except delete will throw the LDAP error ldap.NOT_ALLOWED_ON_NONLEAF if there is an attempt to delete an entry that has children.
keystone.tests.unit.fakeldap.
FakeLdapPool
(uri, retry_max=None, retry_delay=None, conn=None)[source]¶Bases: keystone.tests.unit.fakeldap.FakeLdap
Emulate the python-ldap API with pooled connections.
This class is used as connector class in PooledLDAPHandler.
Fixtures for Federation Mapping.
keystone.tests.unit.rest.
RestfulTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Performs restful tests against the WSGI app over HTTP.
This class launches public & admin WSGI servers for every test, which can
be accessed by calling public_request()
or admin_request()
,
respectfully.
restful_request()
and request()
methods are also exposed if you
need to bypass restful conventions or access HTTP details in your test
implementation.
Three new asserts are provided:
assertResponseSuccessful
: called automatically for every requestexpected_status
is providedassertResponseStatus
: called instead of assertResponseSuccessful
,expected_status
is providedassertValidResponseHeaders
: validates that the response headersRequests are automatically serialized according to the defined
content_type
. Responses are automatically deserialized as well, and
available in the response.body
attribute. The original body content is
available in the response.raw
attribute.
assertResponseStatus
(response, expected_status)[source]¶Assert a specific status code on the response.
Parameters: |
|
---|
example:
self.assertResponseStatus(response, http_client.NO_CONTENT)
assertResponseSuccessful
(response)[source]¶Assert that a status code lies inside the 2xx range.
Parameters: | response – httplib.HTTPResponse to be
verified to have a status code between 200 and 299. |
---|
example:
self.assertResponseSuccessful(response)
assertValidErrorResponse
(response, expected_status=400)[source]¶Verify that the error response is valid.
Subclasses can override this function based on the expected response.
content_type
= ‘json’¶get_scoped_token
(tenant_id=None)[source]¶Convenience method so that we can test authenticated requests.
keystone.tests.unit.test_associate_project_endpoint_extension.
EndpointFilterCRUDTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase
test_check_endpoint_project_association
()[source]¶HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid project and endpoint id test case.
test_check_endpoint_project_association_with_invalid_endpoint
()[source]¶HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid endpoint id test case.
test_check_endpoint_project_association_with_invalid_project
()[source]¶HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid project id test case.
test_create_endpoint_project_association
()[source]¶PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid endpoint and project id test case.
test_create_endpoint_project_association_with_invalid_endpoint
()[source]¶PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid endpoint id test case.
test_create_endpoint_project_association_with_invalid_project
()[source]¶PUT OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid project id test case.
test_create_endpoint_project_association_with_unexpected_body
()[source]¶PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Unexpected body in request. The body should be ignored.
test_get_endpoint_project_association
()[source]¶GET /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid project and endpoint id test case.
test_get_endpoint_project_association_with_invalid_endpoint
()[source]¶GET /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid endpoint id test case.
test_get_endpoint_project_association_with_invalid_project
()[source]¶GET /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid project id test case.
test_list_endpoints_associated_with_invalid_project
()[source]¶GET & HEAD /OS-EP-FILTER/projects/{project_id}/endpoints.
Invalid project id test case.
test_list_endpoints_associated_with_valid_project
()[source]¶GET & HEAD /OS-EP-FILTER/projects/{project_id}/endpoints.
Valid project and endpoint id test case.
test_list_projects_associated_with_endpoint
()[source]¶GET & HEAD /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Valid endpoint-project association test case.
test_list_projects_associated_with_invalid_endpoint
()[source]¶GET & HEAD /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Invalid endpoint id test case.
test_list_projects_with_no_endpoint_project_association
()[source]¶GET & HEAD /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Valid endpoint id but no endpoint-project associations test case.
test_remove_endpoint_project_association
()[source]¶DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid project id and endpoint id test case.
keystone.tests.unit.test_associate_project_endpoint_extension.
EndpointFilterTestCase
(*args, **kwargs)[source]¶keystone.tests.unit.test_associate_project_endpoint_extension.
EndpointFilterTokenRequestTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase
test_default_scoped_token_using_endpoint_filter
()[source]¶Verify endpoints from default scoped token filtered.
test_invalid_endpoint_project_association
()[source]¶Verify an invalid endpoint-project association is handled.
keystone.tests.unit.test_associate_project_endpoint_extension.
EndpointGroupCRUDTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase
DEFAULT_ENDPOINT_GROUP_BODY
= {‘endpoint_group’: {‘description’: ‘endpoint group description’, ‘filters’: {‘interface’: ‘admin’}, ‘name’: ‘endpoint_group_name’}}¶DEFAULT_ENDPOINT_GROUP_URL
= ‘/OS-EP-FILTER/endpoint_groups’¶test_add_endpoint_group_to_project
()[source]¶Create a valid endpoint group and project association.
test_add_endpoint_group_to_project_with_invalid_project_id
()[source]¶Create an invalid endpoint group and project association.
test_check_endpoint_group
()[source]¶HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}.
Valid endpoint_group_id test case.
test_check_endpoint_group_to_project
()[source]¶Test HEAD with a valid endpoint group and project association.
test_check_endpoint_group_to_project_with_invalid_project_id
()[source]¶Test HEAD with an invalid endpoint group and project association.
test_check_invalid_endpoint_group
()[source]¶HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}.
Invalid endpoint_group_id test case.
test_create_endpoint_group
()[source]¶POST /OS-EP-FILTER/endpoint_groups.
Valid endpoint group test case.
test_create_invalid_endpoint_group
()[source]¶POST /OS-EP-FILTER/endpoint_groups.
Invalid endpoint group creation test case.
test_delete_endpoint_group
()[source]¶GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group test case.
test_delete_invalid_endpoint_group
()[source]¶GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Invalid endpoint group test case.
test_empty_endpoint_groups_in_project
()[source]¶Test when no endpoint groups associated with the project.
test_get_endpoint_group
()[source]¶GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group test case.
test_get_invalid_endpoint_group
()[source]¶GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Invalid endpoint group test case.
test_get_invalid_endpoint_group_in_project
()[source]¶Test retrieving project endpoint group association.
test_list_endpoint_groups_in_project
()[source]¶GET & HEAD /OS-EP-FILTER/projects/{project_id}/endpoint_groups.
test_list_endpoints_associated_with_endpoint_group
()[source]¶GET & HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group}/endpoints.
Valid endpoint group test case.
test_list_endpoints_associated_with_project_endpoint_group
()[source]¶GET & HEAD /OS-EP-FILTER/projects/{project_id}/endpoints.
Valid project, endpoint id, and endpoint group test case.
test_list_projects_associated_with_endpoint_group
()[source]¶GET & HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group}/projects.
Valid endpoint group test case.
test_patch_endpoint_group
()[source]¶PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group patch test case.
test_patch_invalid_endpoint_group
()[source]¶PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group patch test case.
keystone.tests.unit.test_associate_project_endpoint_extension.
JsonHomeTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase
, keystone.tests.unit.test_v3.JsonHomeTestMixin
JSON_HOME_DATA
= {‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/projects_associated_with_endpoint_group’: {‘href-template’: ‘/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects’, ‘href-vars’: {‘endpoint_group_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group’: {‘href-template’: ‘/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}’, ‘href-vars’: {‘endpoint_group_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups’: {‘href-template’: ‘/OS-EP-FILTER/projects/{project_id}/endpoint_groups’, ‘href-vars’: {‘project_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/project_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_to_project_association’: {‘href-template’: ‘/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}’, ‘href-vars’: {‘project_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/project_id’, ‘endpoint_group_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoints_in_endpoint_group’: {‘href-template’: ‘/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints’, ‘href-vars’: {‘endpoint_group_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects’: {‘href-template’: ‘/OS-EP-FILTER/endpoints/{endpoint_id}/projects’, ‘href-vars’: {‘endpoint_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/endpoint_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups’: {‘href’: ‘/OS-EP-FILTER/endpoint_groups’}}¶keystone.tests.unit.test_auth.
AuthBadRequests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_auth.AuthTest
test_authenticate_blank_request_body
()[source]¶Verify sending empty json dict raises the right exception.
test_authenticate_fails_if_project_unsafe
()[source]¶Verify authenticate to a project with unsafe name fails.
test_authenticate_invalid_auth_content
()[source]¶Verify sending invalid ‘auth’ raises the right exception.
test_authenticate_password_too_large
()[source]¶Verify sending large ‘password’ raises the right exception.
test_authenticate_tenant_id_too_large
()[source]¶Verify sending large ‘tenantId’ raises the right exception.
test_authenticate_tenant_name_too_large
()[source]¶Verify sending large ‘tenantName’ raises the right exception.
test_authenticate_token_too_large
()[source]¶Verify sending large ‘token’ raises the right exception.
test_authenticate_user_id_too_large
()[source]¶Verify sending large ‘userId’ raises the right exception.
test_authenticate_username_too_large
()[source]¶Verify sending large ‘username’ raises the right exception.
test_empty_username_and_userid_in_auth
()[source]¶Verify that empty username and userID raises ValidationError.
keystone.tests.unit.test_auth.
AuthCatalog
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.test_auth.AuthTest
Test for the catalog provided in the auth response.
keystone.tests.unit.test_auth.
AuthTest
(*args, **kwargs)[source]¶keystone.tests.unit.test_auth.
AuthWithPasswordCredentials
(*args, **kwargs)[source]¶keystone.tests.unit.test_auth.
AuthWithRemoteUser
[source]¶Bases: object
keystone.tests.unit.test_auth.
AuthWithToken
[source]¶Bases: object
test_auth_scoped_token_bad_project_with_debug
()[source]¶Authenticating with an invalid project fails.
test_auth_scoped_token_bad_project_without_debug
()[source]¶Authenticating with an invalid project fails.
test_auth_unscoped_token_no_project
()[source]¶Verify getting an unscoped token with an unscoped token.
keystone.tests.unit.test_auth.
AuthWithTrust
[source]¶Bases: object
test_create_trust_without_project_id
()[source]¶Verify that trust can be created without project id.
Also, token can be generated with that trust.
test_trust_get_token_fails_with_future_token_if_trustee_disabled
()[source]¶Test disabling trustee and using an unrevoked token.
This test simulates what happens when a token is generated after the disable event. Technically this should not happen, but it’s possible in a multinode deployment with only a slight clock skew.
keystone.tests.unit.test_auth.
FernetAuthWithRemoteUser
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_auth.AuthWithRemoteUser
, keystone.tests.unit.test_auth.AuthTest
keystone.tests.unit.test_auth.
FernetAuthWithToken
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_auth.AuthWithToken
, keystone.tests.unit.test_auth.AuthTest
keystone.tests.unit.test_auth.
FernetAuthWithTrust
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_auth.AuthWithTrust
, keystone.tests.unit.test_auth.AuthTest
test_trust_get_token_fails_with_future_token_if_trustee_disabled
()[source]¶Test disabling trustee and using an unrevoked token.
This test simulates what happens when a Fernet token is generated after the disable event. Technically this should not happen, but it’s possible in a multinode deployment with only a slight clock skew.
keystone.tests.unit.test_auth.
UUIDAuthWithRemoteUser
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_auth.AuthWithRemoteUser
, keystone.tests.unit.test_auth.AuthTest
keystone.tests.unit.test_auth.
UUIDAuthWithToken
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_auth.AuthWithToken
, keystone.tests.unit.test_auth.AuthTest
keystone.tests.unit.test_auth.
UUIDAuthWithTrust
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_auth.AuthWithTrust
, keystone.tests.unit.test_auth.AuthTest
keystone.tests.unit.test_auth_plugin.
TestAuthPlugin
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_backend_endpoint_policy.
PolicyAssociationTests
[source]¶Bases: object
load_sample_data
()[source]¶Create sample data to test policy associations.
The following data is created:
keystone.tests.unit.test_backend_endpoint_policy_sql.
SqlPolicyAssociationTable
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlModels
Set of tests for checking SQL Policy Association Mapping.
keystone.tests.unit.test_backend_endpoint_policy_sql.
SqlPolicyAssociationTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests
keystone.tests.unit.test_backend_federation_sql.
SqlFederation
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlModels
Set of tests for checking SQL Federation.
keystone.tests.unit.test_backend_id_mapping_sql.
SqlIDMappingTable
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlModels
Set of tests for checking SQL Identity ID Mapping.
keystone.tests.unit.test_backend_ldap.
AssignmentTests
[source]¶Bases: keystone.tests.unit.assignment.test_backends.AssignmentTests
keystone.tests.unit.test_backend_ldap.
BaseLDAPIdentity
[source]¶Bases: keystone.tests.unit.test_backend_ldap.LDAPTestSetup
, keystone.tests.unit.test_backend_ldap.IdentityTests
, keystone.tests.unit.test_backend_ldap.AssignmentTests
, keystone.tests.unit.test_backend_ldap.ResourceTests
test_create_project_with_domain_id_and_without_parent_id
()[source]¶Multiple domains are not supported.
test_create_project_with_domain_id_mismatch_to_parent_domain
()[source]¶Multiple domains are not supported.
test_list_role_assignment_by_user_with_domain_group_roles
()[source]¶Multiple domain assignments are not supported.
test_list_role_assignment_using_sourced_groups_with_domains
()[source]¶Multiple domain assignments are not supported.
keystone.tests.unit.test_backend_ldap.
BaseMultiLDAPandSQLIdentity
[source]¶Bases: object
Mixin class with support methods for domain-specific config testing.
keystone.tests.unit.test_backend_ldap.
DomainSpecificLDAPandSQLIdentity
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity
, keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
, keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity
Class to test when all domains use specific configs, including SQL.
We define a set of domains and domain-specific backends:
Although the default driver still exists, we don’t use it.
DOMAIN_COUNT
= 2¶DOMAIN_SPECIFIC_COUNT
= 2¶test_domain_segregation
()[source]¶Test that separate configs have segregated the domain.
Test Plan:
keystone.tests.unit.test_backend_ldap.
DomainSpecificSQLIdentity
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity
Class to test simplest use of domain-specific SQL driver.
The simplest use of an SQL domain-specific backend is when it is used to augment the standard case when LDAP is the default driver defined in the main config file. This would allow, for example, service users to be stored in SQL while LDAP handles the rest. Hence we define:
DOMAIN_COUNT
= 2¶DOMAIN_SPECIFIC_COUNT
= 1¶keystone.tests.unit.test_backend_ldap.
IdentityTests
[source]¶Bases: keystone.tests.unit.identity.test_backends.IdentityTests
keystone.tests.unit.test_backend_ldap.
LDAPIdentity
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_backend_ldap.
LDAPLimitTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
, keystone.tests.unit.identity.test_backends.LimitTests
keystone.tests.unit.test_backend_ldap.
LDAPMatchingRuleInChainTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap.LDAPTestSetup
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_backend_ldap.
LDAPPosixGroupsTest
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap.LDAPTestSetup
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_backend_ldap.
LDAPTestSetup
[source]¶Bases: object
Common setup for LDAP tests.
keystone.tests.unit.test_backend_ldap.
LdapFilterTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.identity.test_backends.FilterTests
, keystone.tests.unit.test_backend_ldap.LDAPTestSetup
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_backend_ldap.
LdapIdentityWithMapping
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity
, keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
Class to test mapping of default LDAP backend.
The default configuration is not to enable mapping when using a single backend LDAP driver. However, a cloud provider might want to enable the mapping, hence hiding the LDAP IDs from any clients of keystone. Setting backward_compatible_ids to False will enable this mapping.
test_dynamic_mapping_build
()[source]¶Test to ensure entities not create via controller are mapped.
Many LDAP backends will, essentially, by Read Only. In these cases the mapping is not built by creating objects, rather from enumerating the entries. We test this here my manually deleting the mapping and then trying to re-read the entries.
keystone.tests.unit.test_backend_ldap.
MultiLDAPandSQLIdentity
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity
, keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
, keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity
Class to test common SQL plus individual LDAP backends.
We define a set of domains and domain-specific backends:
Normally one would expect that the default domain would be handled as part of the “other domains” - however the above provides better test coverage since most of the existing backend tests use the default domain.
enable_multi_domain
()[source]¶Enable the chosen form of multi domain configuration support.
This method enables the file-based configuration support. Child classes that wish to use the database domain configuration support should override this method and set the appropriate config_fixture option.
test_domain_segregation
()[source]¶Test that separate configs have segregated the domain.
Test Plan:
test_existing_uuids_work
()[source]¶Test that ‘uni-domain’ created IDs still work.
Throwing the switch to domain-specific backends should not cause existing identities to be inaccessible via ID.
test_scanning_of_config_dir
()[source]¶Test the Manager class scans the config directory.
The setup for the main tests above load the domain configs directly so that the test overrides can be included. This test just makes sure that the standard config directory scanning does pick up the relevant domain config files.
keystone.tests.unit.test_backend_ldap.
MultiLDAPandSQLIdentityDomainConfigsInSQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity
Class to test the use of domain configs stored in the database.
Repeat the same tests as MultiLDAPandSQLIdentity, but instead of using the domain specific config files, store the domain specific values in the database.
test_delete_domain_clears_sql_registration
()[source]¶Ensure registration is deleted when a domain is deleted.
test_domain_config_has_no_impact_if_database_support_disabled
()[source]¶Ensure database domain configs have no effect if disabled.
Set reading from database configs to false, restart the backends and then try and set and use database configs.
test_orphaned_registration_does_not_prevent_getting_sql_driver
()[source]¶Ensure we self heal an orphaned sql registration.
test_reloading_domain_config
()[source]¶Ensure domain drivers are reloaded on a config modification.
keystone.tests.unit.test_backend_ldap.
ResourceTests
[source]¶Bases: keystone.tests.unit.resource.test_backends.ResourceTests
keystone.tests.unit.test_backend_ldap_pool.
LDAPIdentity
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin
, keystone.tests.unit.test_backend_ldap.LDAPIdentity
, keystone.tests.unit.core.TestCase
Executes tests in existing base class with pooled LDAP handler.
keystone.tests.unit.test_backend_rules.
RulesPolicy
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
, keystone.tests.unit.policy.test_backends.PolicyTests
keystone.tests.unit.test_backend_sql.
FakeTable
(*args, **kwargs)[source]¶Bases: sqlalchemy.ext.declarative.api.Base
col
¶keystone.tests.unit.test_backend_sql.
SqlCatalog
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.catalog.test_backends.CatalogTests
keystone.tests.unit.test_backend_sql.
SqlFilterTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.identity.test_backends.FilterTests
keystone.tests.unit.test_backend_sql.
SqlIdentity
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.identity.test_backends.IdentityTests
, keystone.tests.unit.assignment.test_backends.AssignmentTests
, keystone.tests.unit.resource.test_backends.ResourceTests
Ensure we cannot access the hidden root of all project domains.
Calling any of the driver methods should result in the same as would be returned if we passed a project that does not exist. We don’t test create_project, since we do not allow a caller of our API to specify their own ID for a new entity.
test_list_domains_for_user_with_inherited_grants
()[source]¶Test that inherited roles on the domain are excluded.
Test Plan:
test_storing_null_domain_id_in_project_ref
()[source]¶Test the special storage of domain_id=None in sql resource driver.
The resource driver uses a special value in place of None for domain_id in the project record. This shouldn’t escape the driver. Hence we test the interface to ensure that you can store a domain_id of None, and that any special value used inside the driver does not escape through the interface.
test_update_project_returns_extra
()[source]¶Test for backward compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.
This behavior is specific to the SQL driver.
test_update_user_returns_extra
()[source]¶Test for backwards-compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.
This behavior is specific to the SQL driver.
keystone.tests.unit.test_backend_sql.
SqlImpliedRoles
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.assignment.test_backends.ImpliedRoleTests
keystone.tests.unit.test_backend_sql.
SqlInheritance
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.assignment.test_backends.InheritanceTests
keystone.tests.unit.test_backend_sql.
SqlLimitTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.identity.test_backends.LimitTests
keystone.tests.unit.test_backend_sql.
SqlModels
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
assertExpectedSchema
(table, expected_schema)[source]¶Assert that a table’s schema is what we expect.
Parameters: |
|
---|---|
Raises: | AssertionError – when the database schema doesn’t match the expected schema |
The expected_schema format is simply:
(
('column name', sql type, qualifying detail),
...
)
The qualifying detail varies based on the type of the column:
- sql.Boolean columns must indicate the column's default value or
None if there is no default
- Columns with a length, like sql.String, must indicate the
column's length
- All other column types should use None
Example:
cols = (('id', sql.String, 64),
('enabled', sql.Boolean, True),
('extra', sql.JsonBlob, None))
self.assertExpectedSchema('table_name', cols)
keystone.tests.unit.test_backend_sql.
SqlPolicy
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.policy.test_backends.PolicyTests
keystone.tests.unit.test_backend_sql.
SqlTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_backend_sql.
SqlToken
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.token.test_backends.TokenTests
keystone.tests.unit.test_backend_sql.
SqlTokenCacheInvalidationWithUUID
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.token.test_backends.TokenCacheInvalidation
keystone.tests.unit.test_backend_sql.
SqlTrust
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.trust.test_backends.TrustTests
keystone.tests.unit.test_backend_templated.
TestTemplatedCatalog
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
, keystone.tests.unit.catalog.test_backends.CatalogTests
DEFAULT_FIXTURE
= {‘RegionOne’: {‘identity’: {‘publicURL’: ‘http://localhost:5000/v2.0’, ‘adminURL’: ‘http://localhost:35357/v2.0’, ‘name’: “‘Identity Service’”, ‘id’: ‘1’, ‘internalURL’: ‘http://localhost:35357/v2.0’}, ‘compute’: {‘publicURL’: ‘http://localhost:8774/v1.1/bar’, ‘adminURL’: ‘http://localhost:8774/v1.1/bar’, ‘name’: “‘Compute Service’”, ‘id’: ‘2’, ‘internalURL’: ‘http://localhost:8774/v1.1/bar’}}}¶keystone.tests.unit.test_catalog.
V2CatalogTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.rest.RestfulTestCase
test_endpoint_create_with_invalid_url
()[source]¶Test the invalid cases: substitutions is not exactly right.
test_endpoint_create_with_valid_url
()[source]¶Create endpoint with valid URL should be tested, too.
test_pure_v3_endpoint_with_publicurl_visible_from_v2
()[source]¶Test pure v3 endpoint can be fetched via v2.0 API.
For those who are using v2.0 APIs, endpoints created by v3 API should also be visible as there are no differences about the endpoints except the format or the internal implementation. Since publicURL is required for v2.0 API, so only v3 endpoints of the service which have the public interface endpoint will be converted into v2.0 endpoints.
test_pure_v3_endpoint_without_publicurl_invisible_from_v2
()[source]¶Test that the v2.0 API can’t fetch v3 endpoints without publicURLs.
v2.0 API will return endpoints created by v3 API, but publicURL is required for the service in the v2.0 API, therefore v3 endpoints of a service which don’t have publicURL will be ignored.
keystone.tests.unit.test_cli.
CliBootStrapTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_cli.
CliDomainConfigAllTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_cli.
CliDomainConfigInvalidDomainTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
keystone.tests.unit.test_cli.
CliDomainConfigNoOptionsTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
keystone.tests.unit.test_cli.
CliDomainConfigSingleDomainTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
keystone.tests.unit.test_cli.
CliDomainConfigTooManyOptionsTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
keystone.tests.unit.test_cli.
CliTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_cli.
TestMappingPopulate
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_config.
DeprecatedOverrideTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Test using the deprecated AND new name for renamed options.
keystone.tests.unit.test_contrib_simple_cert.
BaseTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
CA_PATH
= ‘/v3/OS-SIMPLE-CERT/ca’¶CERT_PATH
= ‘/v3/OS-SIMPLE-CERT/certificates’¶keystone.tests.unit.test_credential.
V2CredentialEc2Controller
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
test_check_non_admin_user
()[source]¶Checking if user is admin causes uncaught error.
When checking if a user is an admin, keystone.exception.Unauthorized is raised but not caught if the user is not an admin.
test_signature_validate_no_host_port
()[source]¶Test signature validation with the access/secret provided.
test_signature_validate_no_signature
()[source]¶Signature is not presented in signature reference data.
test_signature_validate_with_host_port
()[source]¶Test signature validation when host is bound with port.
Host is bound with a port, generally, the port here is not the standard port for the protocol, like ‘80’ for HTTP and port 443 for HTTPS, the port is not omitted by the client library.
test_signature_validate_with_missed_host_port
()[source]¶Test signature validation when host is bound with well-known port.
Host is bound with a port, but the port is well-know port like ‘80’ for HTTP and port 443 for HTTPS, sometimes, client library omit the port but then make the request with the port. see (How to create the string to sign): ‘http://docs.aws.amazon.com/ general/latest/gr/signature-version-2.html’.
Since “credentials[‘host’]” is not set by client library but is taken from “req.host”, so caused the differences.
keystone.tests.unit.test_exception.
ExceptionTestCase
(*args, **kwargs)[source]¶keystone.tests.unit.test_exception.
SecurityErrorTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_exception.ExceptionTestCase
Test whether security-related info is exposed to the API user.
keystone.tests.unit.test_exception.
TestSecurityErrorTranslation
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test i18n for SecurityError exceptions.
CustomError
(message=None, **kwargs)[source]¶Bases: keystone.exception.Error
message_format
= ‘We had a failure in the %(place)r’¶CustomSecurityError
(message=None, **kwargs)[source]¶Bases: keystone.exception.SecurityError
message_format
= ‘We had a failure in the %(place)r’¶keystone.tests.unit.test_exception.
UnexpectedExceptionTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_exception.ExceptionTestCase
Test if internal info is exposed to the API user on UnexpectedError.
SubClassExc
(message=None, **kwargs)[source]¶Bases: keystone.exception.UnexpectedError
debug_message_format
= ‘Debug Message: %(debug_info)s’¶keystone.tests.unit.test_hacking_checks.
TestBlockCommentsBeginWithASpace
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
keystone.tests.unit.test_hacking_checks.
TestCheckForMutableDefaultArgs
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
keystone.tests.unit.test_hacking_checks.
TestDictConstructorWithSequenceCopy
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck
keystone.tests.unit.test_ldap_pool_livetest.
LiveLDAPPoolIdentity
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin
, keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentity
Executes existing LDAP live test with pooled LDAP handler.
Also executes common pool specific tests via Mixin class.
keystone.tests.unit.test_ldap_tls_livetest.
LiveTLSLDAPIdentity
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentity
keystone.tests.unit.test_middleware.
AuthContextMiddlewareTest
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.test_middleware.MiddlewareRequestTestBase
MIDDLEWARE_CLASS
¶alias of AuthContextMiddleware
test_ephemeral_any_user_success
()[source]¶Verify ephemeral user does not need a specified user.
Keystone is not looking to match the user, but a corresponding group.
keystone.tests.unit.test_middleware.
JsonBodyMiddlewareTest
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_middleware.MiddlewareRequestTestBase
MIDDLEWARE_CLASS
¶alias of JsonBodyMiddleware
keystone.tests.unit.test_middleware.
MiddlewareRequestTestBase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
MIDDLEWARE_CLASS
= None¶keystone.tests.unit.test_revoke.
FernetSqlRevokeTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.test_revoke.RevokeTests
keystone.tests.unit.test_revoke.
UUIDSqlRevokeTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_backend_sql.SqlTests
, keystone.tests.unit.test_revoke.RevokeTests
keystone.tests.unit.test_shadow_users.
ShadowUsersTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
, keystone.tests.unit.identity.shadow_users.test_backend.ShadowUsersBackendTests
, keystone.tests.unit.identity.shadow_users.test_core.ShadowUsersCoreTests
keystone.tests.unit.test_sql_banned_operations.
BannedDBSchemaOperations
(banned_ops=None, migration_repo=’/home/jenkins/workspace/keystone-docs-ubuntu-xenial/keystone/common/sql/migrate_repo/__init__.py’)[source]¶Bases: fixtures.fixture.Fixture
Ban some operations for migrations.
keystone.tests.unit.test_sql_banned_operations.
DBOperationNotAllowed
[source]¶Bases: exceptions.Exception
keystone.tests.unit.test_sql_banned_operations.
KeystoneMigrationsCheckers
[source]¶Bases: oslo_db.sqlalchemy.test_migrations.WalkVersionsMixin
Walk over and test all sqlalchemy-migrate migrations.
INIT_VERSION
¶REPOSITORY
¶banned_ops
= {‘Column’: [‘alter’, ‘drop’], ‘Table’: [‘alter’, ‘drop’]}¶downgrade
= False¶exceptions
= [102, 106]¶first_version
= 101¶migrate_engine
¶migrate_file
= ‘/home/jenkins/workspace/keystone-docs-ubuntu-xenial/keystone/common/sql/migrate_repo/__init__.py’¶migrate_up
(version, with_data=False)[source]¶Check that migrations don’t cause downtime.
Schema migrations can be done online, allowing for rolling upgrades.
migration_api
¶snake_walk
= False¶keystone.tests.unit.test_sql_banned_operations.
TestBannedDBSchemaOperations
(*args, **kwargs)[source]¶Bases: testtools.testcase.TestCase
Test the BannedDBSchemaOperations fixture.
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneContractSchemaMigrations
[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
banned_ops
= {‘Column’: [‘create’], ‘Table’: [‘create’, ‘insert’, ‘delete’]}¶exceptions
= [2, 4, 13]¶first_version
= 1¶migrate_file
= ‘/home/jenkins/workspace/keystone-docs-ubuntu-xenial/keystone/common/sql/contract_repo/__init__.py’¶keystone.tests.unit.test_sql_banned_operations.
TestKeystoneContractSchemaMigrationsMySQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.TestKeystoneContractSchemaMigrations
, oslo_db.sqlalchemy.test_base.MySQLOpportunisticTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneContractSchemaMigrationsPostgreSQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.TestKeystoneContractSchemaMigrations
, oslo_db.sqlalchemy.test_base.PostgreSQLOpportunisticTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneContractSchemaMigrationsSQLite
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.TestKeystoneContractSchemaMigrations
, oslo_db.sqlalchemy.test_base.DbTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneDataMigrations
[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
banned_ops
= {‘Column’: [‘create’, ‘alter’, ‘drop’], ‘Table’: [‘create’, ‘alter’, ‘drop’]}¶exceptions
= [2, 4]¶first_version
= 1¶migrate_file
= ‘/home/jenkins/workspace/keystone-docs-ubuntu-xenial/keystone/common/sql/data_migration_repo/__init__.py’¶keystone.tests.unit.test_sql_banned_operations.
TestKeystoneDataMigrationsMySQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.TestKeystoneDataMigrations
, oslo_db.sqlalchemy.test_base.MySQLOpportunisticTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneDataMigrationsPostgreSQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.TestKeystoneDataMigrations
, oslo_db.sqlalchemy.test_base.PostgreSQLOpportunisticTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneDataMigrationsSQLite
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.TestKeystoneDataMigrations
, oslo_db.sqlalchemy.test_base.DbTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneExpandSchemaMigrations
[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
banned_ops
= {‘Column’: [‘alter’, ‘drop’], ‘Table’: [‘alter’, ‘drop’, ‘insert’, ‘delete’]}¶exceptions
= [2, 3, 4]¶first_version
= 1¶migrate_file
= ‘/home/jenkins/workspace/keystone-docs-ubuntu-xenial/keystone/common/sql/expand_repo/__init__.py’¶keystone.tests.unit.test_sql_banned_operations.
TestKeystoneExpandSchemaMigrationsMySQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.TestKeystoneExpandSchemaMigrations
, oslo_db.sqlalchemy.test_base.MySQLOpportunisticTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneExpandSchemaMigrationsPostgreSQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.TestKeystoneExpandSchemaMigrations
, oslo_db.sqlalchemy.test_base.PostgreSQLOpportunisticTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneMigrationsMySQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
, oslo_db.sqlalchemy.test_base.MySQLOpportunisticTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneMigrationsPostgreSQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
, oslo_db.sqlalchemy.test_base.PostgreSQLOpportunisticTestCase
keystone.tests.unit.test_sql_banned_operations.
TestKeystoneMigrationsSQLite
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_banned_operations.KeystoneMigrationsCheckers
, oslo_db.sqlalchemy.test_base.DbTestCase
Test for SQL migration extensions.
To run these tests against a live database:
Set up a blank, live database.
Export database information to environment variable
OS_TEST_DBAPI_ADMIN_CONNECTION
. For example:
export OS_TEST_DBAPI_ADMIN_CONNECTION=postgresql://localhost/postgres?host=
/var/folders/7k/pwdhb_mj2cv4zyr0kyrlzjx40000gq/T/tmpMGqN8C&port=9824
Run the tests using:
tox -e py27 -- keystone.tests.unit.test_sql_upgrade
For further information, see oslo.db documentation.
WARNING:
Your database will be wiped.
Do not do this against a database with valuable data as
all data will be lost.
keystone.tests.unit.test_sql_upgrade.
FullMigration
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
, keystone.tests.unit.core.TestCase
Test complete orchestration between all database phases.
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticContractSchemaUpgradeTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlContractSchemaUpgradeTests
FIXTURE
¶alias of MySQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticDataMigrationUpgradeTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlDataMigrationUpgradeTests
FIXTURE
¶alias of MySQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticExpandSchemaUpgradeTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlExpandSchemaUpgradeTests
FIXTURE
¶alias of MySQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticFullMigration
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.FullMigration
FIXTURE
¶alias of MySQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
MySQLOpportunisticUpgradeTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlLegacyRepoUpgradeTests
FIXTURE
¶alias of MySQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticContractSchemaUpgradeTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlContractSchemaUpgradeTests
FIXTURE
¶alias of PostgreSQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticDataMigrationUpgradeTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlDataMigrationUpgradeTests
FIXTURE
¶alias of PostgreSQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticExpandSchemaUpgradeTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlExpandSchemaUpgradeTests
FIXTURE
¶alias of PostgreSQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticFullMigration
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.FullMigration
FIXTURE
¶alias of PostgreSQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
PostgreSQLOpportunisticUpgradeTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlLegacyRepoUpgradeTests
FIXTURE
¶alias of PostgreSQLOpportunisticFixture
keystone.tests.unit.test_sql_upgrade.
SqlContractSchemaUpgradeTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_sql_upgrade.
SqlLegacyRepoUpgradeTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
test_add_domain_specific_roles
()[source]¶Check database upgraded successfully for domain specific roles.
The following items need to be checked:
keystone.tests.unit.test_sql_upgrade.
SqlMigrateBase
(*args, **kwargs)[source]¶Bases: oslo_db.sqlalchemy.test_base.DbTestCase
assertTableColumns
(table_name, expected_cols)[source]¶Assert that the table contains the expected set of columns.
assertTableDoesNotExist
(table_name)[source]¶Assert that a given table exists cannot be selected by name.
insert_dict
(session, table_name, d, table=None)[source]¶Naively inserts key-value pairs into a table, given a dictionary.
metadata
¶A collection of tables and their associated schemas.
keystone.tests.unit.test_sql_upgrade.
VersionTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase
test_migrate_repos_file_names_have_prefix
()[source]¶Migration files should be unique to avoid caching errors.
This test enforces migration files to include a prefix (expand, migrate, contract) in order to keep them unique. Here is the required format: [version]_[prefix]_[description]. For example: 001_expand_add_created_column.py
test_migrate_repos_stay_in_lockstep
()[source]¶Rolling upgrade repositories should always stay in lockstep.
By maintaining a single “latest” version number in each of the three migration repositories (expand, data migrate, and contract), we can trivially prevent operators from “doing the wrong thing”, such as running upgrades operations out of order (for example, you should not be able to run data migration 5 until schema expansion 5 has been run).
For example, even if your rolling upgrade task only involves adding a new column with a reasonable default, and doesn’t require any triggers, data migration, etc, you still need to create “empty” upgrade steps in the data migration and contract repositories with the same version number as the expansion.
For more information, see “Database Migrations” here:
test_these_are_not_the_migrations_you_are_looking_for
()[source]¶Keystone has shifted to rolling upgrades.
New database migrations should no longer land in the legacy migration
repository. Instead, new database migrations should be divided into
three discrete steps: schema expansion, data migration, and schema
contraction. These migrations live in a new set of database migration
repositories, called expand_repo
, data_migration_repo
, and
contract_repo
.
For more information, see “Database Migrations” here:
keystone.tests.unit.test_token_bind.
BindTest
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Test binding tokens to a Principal.
Even though everything in this file references kerberos the same concepts will apply to all future binding mechanisms.
keystone.tests.unit.test_url_middleware.
FakeApp
[source]¶Bases: object
Fakes a WSGI app URL normalized.
keystone.tests.unit.test_v2.
CoreApiTests
[source]¶Bases: object
assertNoRoles
(r)[source]¶Helper method to assert No Roles.
This needs to be overridden by child classes based on their content type.
keystone.tests.unit.test_v2.
LegacyV2UsernameTests
[source]¶Bases: object
Test to show the broken username behavior in V2.
The V2 API is documented to use username instead of name. The API forced used to use name and left the username to fall into the extra field.
These tests ensure this behavior works so fixes to username/name will be backward compatible.
create_user
(**user_attrs)[source]¶Create a users and returns the response object.
Parameters: | user_attrs – attributes added to the request body (optional) |
---|
test_create_with_extra_username
()[source]¶The response for creating a user will contain the extra fields.
test_get_returns_username_from_extra
()[source]¶The response for getting a user will contain the extra fields.
test_update_returns_new_username_when_adding_username
()[source]¶The response for updating a user will contain the extra fields.
This is specifically testing for updating a username when a value was not previously set.
test_update_returns_new_username_when_updating_username
()[source]¶The response for updating a user will contain the extra fields.
This tests updating a username that was previously set.
test_updated_username_is_returned
()[source]¶Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
test_username_is_always_returned_create
()[source]¶Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
test_username_is_always_returned_get
()[source]¶Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
keystone.tests.unit.test_v2.
TestFernetTokenProviderV2
(*args, **kwargs)[source]¶keystone.tests.unit.test_v2.
V2TestCase
[source]¶Bases: object
keystone.tests.unit.test_v2.
V2TestCaseFernet
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v2.V2TestCase
, keystone.tests.unit.test_v2.RestfulTestCase
, keystone.tests.unit.test_v2.CoreApiTests
, keystone.tests.unit.test_v2.LegacyV2UsernameTests
keystone.tests.unit.test_v2.
V2TestCaseUUID
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v2.V2TestCase
, keystone.tests.unit.test_v2.RestfulTestCase
, keystone.tests.unit.test_v2.CoreApiTests
, keystone.tests.unit.test_v2.LegacyV2UsernameTests
keystone.tests.unit.test_v2_controller.
TenantTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Test for the V2 Tenant controller.
These tests exercise keystone.assignment.controllers.Tenant
.
test_create_is_domain_project_fails
()[source]¶Test that the creation of a project acting as a domain fails.
test_create_project_passing_is_domain_false_fails
()[source]¶Test that passing is_domain=False is not allowed.
test_delete_is_domain_project_not_found
()[source]¶Test that delete is_domain project is not allowed in v2.
test_get_is_domain_project_not_found
()[source]¶Test that get project does not return is_domain projects.
test_get_project_users_no_user
()[source]¶Test the user’s existence for get_project_users.
When a user that’s not known to identity has a role on a project, then get_project_users just skips that user.
test_list_is_domain_project_not_found
()[source]¶Test v2 get_all_projects having projects that act as a domain.
In v2 no project with the is_domain flag enabled should be returned.
keystone.tests.unit.test_v2_validation.
RoleValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V2 Roles API Validation.
keystone.tests.unit.test_v2_validation.
ServiceValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V2 Service API Validation.
keystone.tests.unit.test_v2_validation.
TenantValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for v2 Tenant API Validation.
test_validate_tenant_create_fails_with_invalid_name
()[source]¶Exception when validating a create request with invalid name.
test_validate_tenant_create_with_invalid_enabled_fails
()[source]¶Exception is raised when enabled isn’t a boolean-like value.
test_validate_tenant_update_fails_with_invalid_name
()[source]¶Exception when validating an update request with invalid name.
keystone.tests.unit.test_v2_validation.
UserValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V2 User API Validation.
keystone.tests.unit.test_v3.
AssignmentTestMixin
[source]¶Bases: object
To hold assignment helper functions.
build_role_assignment_entity
(link=None, prior_role_link=None, **attribs)[source]¶Build and return a role assignment entity with provided attributes.
Provided attributes are expected to contain: domain_id or project_id, user_id or group_id, role_id and, optionally, inherited_to_projects.
build_role_assignment_entity_include_names
(domain_ref=None, role_ref=None, group_ref=None, user_ref=None, project_ref=None, inherited_assignment=None)[source]¶Build and return a role assignment entity with provided attributes.
The expected attributes are: domain_ref or project_ref, user_ref or group_ref, role_ref and, optionally, inherited_to_projects.
keystone.tests.unit.test_v3.
JsonHomeTestMixin
[source]¶Bases: object
JSON Home test.
Mixin this class to provide a test for the JSON-Home response for an extension.
The base class must set JSON_HOME_DATA to a dict of relationship URLs (rels) to the JSON-Home data for the relationship. The rels and associated data must be in the response.
keystone.tests.unit.test_v3.
RestfulTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.SQLDriverOverrides
, keystone.tests.unit.rest.RestfulTestCase
, keystone.tests.common.auth.AuthTestMixin
assertEqualTokens
(a, b)[source]¶Assert that two tokens are equal.
Compare two tokens except for their ids. This also truncates the time in the comparison.
assertValidEntity
(entity, ref=None, keys_to_check=None)[source]¶Make assertions common to all API entities.
If a reference is provided, the entity will also be compared against the reference.
assertValidListResponse
(resp, key, entity_validator, ref=None, expected_length=None, keys_to_check=None, resource_url=None)[source]¶Make assertions common to all API list responses.
If a reference is provided, it’s ID will be searched for in the response, and asserted to be equal.
assertValidResponse
(resp, key, entity_validator, *args, **kwargs)[source]¶Make assertions common to all API responses.
build_external_auth_request
(remote_user, remote_domain=None, auth_data=None, kerberos=False)[source]¶keystone.tests.unit.test_v3_assignment.
AssignmentInheritanceTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3.AssignmentTestMixin
Test inheritance crud and its effects.
test_filtered_role_assignments_for_inherited_grants
()[source]¶Call GET /role_assignments?scope.OS-INHERIT:inherited_to
.
Test Plan:
test_get_effective_role_assignments_for_project_hierarchy
()[source]¶Call GET /role_assignments?effective
.
Test Plan:
test_get_effective_role_assignments_for_project_tree
()[source]¶Get role_assignment ?project_id=X&include_subtree=True&effective“.
Test Plan:
test_get_inherited_role_assignments_for_project_hierarchy
()[source]¶Call GET /role_assignments?scope.OS-INHERIT:inherited_to
.
Test Plan:
test_get_role_assignments_for_project_hierarchy
()[source]¶Call GET /role_assignments
.
Test Plan:
test_get_role_assignments_for_project_tree
()[source]¶Get role_assignment?scope.project.id=X&include_subtree“.
Test Plan:
test_list_inherited_role_assignments_include_names
()[source]¶Call GET /role_assignments?include_names
.
Test goal: ensure calling list role assignments including names honors the inherited role assignments flag.
Test plan: - Create a role and a domain with a user; - Create a inherited role assignment; - List role assignments for that user; - List role assignments for that user including names.
test_list_role_assignments_for_disabled_inheritance_extension
()[source]¶Call GET /role_assignments with inherited domain grants
.
Test Plan:
test_list_role_assignments_for_inherited_domain_grants
()[source]¶Call GET /role_assignments with inherited domain grants
.
Test Plan:
test_list_role_assignments_for_inherited_group_domain_grants
()[source]¶Call GET /role_assignments with inherited group domain grants
.
Test Plan:
keystone.tests.unit.test_v3_assignment.
AssignmentTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3.AssignmentTestMixin
Test roles and role assignments.
test_check_effective_values_for_role_assignments
()[source]¶Call GET & HEAD /role_assignments?effective=value
.
Check the various ways of specifying the ‘effective’ query parameter. If the ‘effective’ query parameter is included then this should always be treated as meaning ‘True’ unless it is specified as:
{url}?effective=0
This is by design to match the agreed way of handling policy checking on query/filter parameters.
Test Plan:
test_crud_group_domain_role_grants_no_group
()[source]¶Grant role on a domain to a group that doesn’t exist.
When grant a role on a domain to a group that doesn’t exist, the server returns 404 Not Found for the group.
test_crud_group_project_role_grants_no_group
()[source]¶Grant role on a project to a group that doesn’t exist.
When grant a role on a project to a group that doesn’t exist, the server returns 404 Not Found for the group.
test_crud_user_domain_role_grants_no_user
()[source]¶Grant role on a domain to a user that doesn’t exist.
When grant a role on a domain to a user that doesn’t exist, the server returns 404 Not Found for the user.
test_crud_user_project_role_grants_no_user
()[source]¶Grant role on a project to a user that doesn’t exist.
When grant a role on a project to a user that doesn’t exist, the server returns Not Found for the user.
test_delete_user_and_check_role_assignment_fails
()[source]¶Call DELETE
on the user and check the role assignment.
test_delete_user_before_removing_role_assignment_succeeds
()[source]¶Call DELETE
on the user before the role assignment.
test_filtered_role_assignments
()[source]¶Call GET /role_assignments?filters
.
Test Plan:
test_get_effective_role_assignments
()[source]¶Call GET /role_assignments?effective
.
Test Plan:
test_get_head_role_assignments
()[source]¶Call GET & HEAD /role_assignments
.
The sample data set up already has a user, group and project that is part of self.domain. We use these plus a new user we create as our data set, making sure we ignore any role assignments that are already in existence.
Since we don’t yet support a first class entity for role assignments, we are only testing the LIST API. To create and delete the role assignments we use the old grant APIs.
Test Plan:
keystone.tests.unit.test_v3_assignment.
DomainSpecificRoleTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.core.TestCase
keystone.tests.unit.test_v3_assignment.
ImpliedRolesTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3.AssignmentTestMixin
, keystone.tests.unit.core.TestCase
test_list_role_assignments_with_implied_roles
()[source]¶Call GET /role_assignments
with implied role grant.
Test Plan:
test_root_role_as_implied_role_forbidden
()[source]¶Test root role is forbidden to be set as an implied role.
Create 2 roles that are prohibited from being an implied role. Create 1 additional role which should be accepted as an implied role. Assure the prohibited role names cannot be set as an implied role. Assure the accepted role name which is not a member of the prohibited implied role list can be successfully set an implied role.
keystone.tests.unit.test_v3_assignment.
ListUserProjectsTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test for /users/<user>/projects.
keystone.tests.unit.test_v3_assignment.
RoleAssignmentBaseTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3.AssignmentTestMixin
Base class for testing /v3/role_assignments API behavior.
MAX_HIERARCHY_BREADTH
= 3¶MAX_HIERARCHY_DEPTH
= 4¶get_role_assignments
(expected_status=200, **filters)[source]¶Return the result from querying role assignment API + queried URL.
Calls GET /v3/role_assignments?<params> and returns its result, where <params> is the HTTP query parameters form of effective option plus filters, if provided. Queried URL is returned as well.
Returns: | a tuple containing the list role assignments API response and queried URL. |
---|
keystone.tests.unit.test_v3_assignment.
RoleAssignmentDirectTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase
Class for testing direct assignments on /v3/role_assignments API.
Direct assignments on a domain or project have effect on them directly, instead of on their project hierarchy, i.e they are non-inherited. In addition, group direct assignments are not expanded to group’s users.
Tests on this class make assertions on the representation and API filtering of direct assignments.
keystone.tests.unit.test_v3_assignment.
RoleAssignmentEffectiveTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentInheritedTestCase
Class for testing inheritance effects on /v3/role_assignments API.
Inherited assignments on a domain or project have no effect on them directly, but on the projects under them instead.
Tests on this class make assertions on the effect of inherited assignments and API filtering.
keystone.tests.unit.test_v3_assignment.
RoleAssignmentFailureTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase
Class for testing invalid query params on /v3/role_assignments API.
Querying domain and project, or user and group results in a HTTP 400 Bad Request, since a role assignment must contain only a single pair of (actor, target). In addition, since filtering on role assignments applies only to the final result, effective mode cannot be combined with i) group or ii) domain and inherited, because it would always result in an empty list.
keystone.tests.unit.test_v3_assignment.
RoleAssignmentInheritedTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentDirectTestCase
Class for testing inherited assignments on /v3/role_assignments API.
Inherited assignments on a domain or project have no effect on them directly, but on the projects under them instead.
Tests on this class do not make assertions on the effect of inherited assignments, but in their representation and API filtering.
keystone.tests.unit.test_v3_auth.
AllowRescopeScopedTokenDisabledTests
(*args, **kwargs)[source]¶keystone.tests.unit.test_v3_auth.
AuthExternalDomainBehavior
[source]¶Bases: object
content_type
= ‘json’¶keystone.tests.unit.test_v3_auth.
TestAuthExternalDefaultDomain
[source]¶Bases: object
content_type
= ‘json’¶keystone.tests.unit.test_v3_auth.
TestAuthExternalDomainBehaviorWithUUID
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_auth.AuthExternalDomainBehavior
, keystone.tests.unit.test_v3.RestfulTestCase
keystone.tests.unit.test_v3_auth.
TestAuthInfo
(*args, **kwargs)[source]¶Bases: keystone.tests.common.auth.AuthTestMixin
, testtools.testcase.TestCase
keystone.tests.unit.test_v3_auth.
TestAuthJSONExternal
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
content_type
= ‘json’¶keystone.tests.unit.test_v3_auth.
TestAuthSpecificData
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
test_get_catalog_with_domain_scoped_token
()[source]¶Call GET /auth/catalog
with a domain-scoped token.
test_get_catalog_with_project_scoped_token
()[source]¶Call GET /auth/catalog
with a project-scoped token.
test_head_catalog_with_domain_scoped_token
()[source]¶Call HEAD /auth/catalog
with a domain-scoped token.
keystone.tests.unit.test_v3_auth.
TestAuthTOTP
(*args, **kwargs)[source]¶keystone.tests.unit.test_v3_auth.
TestFernetTokenAPIs
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3_auth.TokenAPITests
, keystone.tests.unit.test_v3_auth.TokenDataTests
keystone.tests.unit.test_v3_auth.
TestFetchRevocationList
[source]¶Bases: object
Test fetch token revocation list on the v3 Identity API.
keystone.tests.unit.test_v3_auth.
TestTokenRevokeApi
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_auth.TestTokenRevokeById
Test token revocation on the v3 Identity API.
keystone.tests.unit.test_v3_auth.
TestTokenRevokeById
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test token revocation on the v3 Identity API.
setUp
()[source]¶Setup for Token Revoking Test Cases.
As well as the usual housekeeping, create a set of domains, users, groups, roles and projects for the subsequent tests:
test_deleting_group_grant_revokes_tokens
()[source]¶Test deleting a group grant revokes tokens.
Test Plan:
test_deleting_role_revokes_token
()[source]¶Test deleting a role revokes token.
Add some additional test data, namely:
test_deleting_user_grant_revokes_token
()[source]¶Test deleting a user grant revokes token.
Test Plan:
test_domain_group_role_assignment_maintains_token
()[source]¶Test domain-group role assignment maintains existing token.
Test Plan:
test_domain_user_role_assignment_maintains_token
()[source]¶Test user-domain role assignment maintains existing token.
Test Plan:
test_group_membership_changes_revokes_token
()[source]¶Test add/removal to/from group revokes token.
Test Plan:
keystone.tests.unit.test_v3_auth.
TestTokenRevokeSelfAndAdmin
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test token revoke using v3 Identity API by token owner and admin.
keystone.tests.unit.test_v3_auth.
TestTrustAuthFernetTokenProvider
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_auth.TrustAPIBehavior
, keystone.tests.unit.test_v3_auth.TestTrustChain
keystone.tests.unit.test_v3_auth.
TestUUIDTokenAPIs
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3_auth.TokenAPITests
, keystone.tests.unit.test_v3_auth.TokenDataTests
keystone.tests.unit.test_v3_auth.
TokenAPITests
[source]¶Bases: object
test_auth_token_cross_domain_group_and_project
()[source]¶Verify getting a token in cross domain group/project roles.
test_create_domain_token_fails_if_domain_name_unsafe
()[source]¶Verify authenticate to a domain with unsafe name fails.
test_create_project_scoped_token_fails_if_domain_name_unsafe
()[source]¶Verify authenticate to a project using unsafe domain name fails.
test_create_project_scoped_token_fails_if_project_name_unsafe
()[source]¶Verify authenticate to a project with unsafe name fails.
test_create_project_token_with_same_domain_and_project_name
()[source]¶Authenticate to a project with the same name as its domain.
test_project_scoped_token_catalog_excludes_disabled_service
()[source]¶On authenticate, get a catalog that excludes disabled services.
test_user_and_group_roles_scoped_token
()[source]¶Test correct roles are returned in scoped token.
Test Plan:
keystone.tests.unit.test_v3_auth.
TokenDataTests
[source]¶Bases: object
Test the data in specific token types.
keystone.tests.unit.test_v3_auth.
TrustAPIBehavior
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Redelegation valid and secure.
Redelegation is a hierarchical structure of trusts between initial trustor and a group of users allowed to impersonate trustor and act in his name. Hierarchy is created in a process of trusting already trusted permissions and organized as an adjacency list using ‘redelegated_trust_id’ field. Redelegation is valid if each subsequent trust in a chain passes ‘not more’ permissions than being redelegated.
keystone.tests.unit.test_v3_auth.
UUIDAuthExternalDefaultDomain
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_auth.TestAuthExternalDefaultDomain
, keystone.tests.unit.test_v3.RestfulTestCase
keystone.tests.unit.test_v3_auth.
UUIDAuthKerberos
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_auth.AuthExternalDomainBehavior
, keystone.tests.unit.test_v3.RestfulTestCase
keystone.tests.unit.test_v3_auth.
UUIDFetchRevocationList
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_auth.TestFetchRevocationList
, keystone.tests.unit.test_v3.RestfulTestCase
keystone.tests.unit.test_v3_catalog.
CatalogTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test service & endpoint CRUD.
test_create_endpoint_with_no_region
()[source]¶EndpointV3 allows to creates the endpoint without region.
test_create_endpoint_with_region
()[source]¶EndpointV3 creates the region before creating the endpoint.
This occurs when endpoint is provided with ‘region’ and no ‘region_id’.
test_create_region_with_conflicting_ids
()[source]¶Call PUT /regions/{region_id}
with conflicting region IDs.
test_create_region_with_empty_id
()[source]¶Call POST /regions
with an empty ID in the request body.
test_create_region_with_matching_ids
()[source]¶Call PUT /regions/{region_id}
with an ID in the request body.
test_create_region_without_description
()[source]¶Call POST /regions
without description in the request body.
test_create_regions_with_same_description_string
()[source]¶Call POST /regions
with duplicate descriptions.
test_endpoint_create_with_invalid_url
()[source]¶Test the invalid cases: substitutions is not exactly right.
test_endpoint_create_with_valid_url_project_id
()[source]¶Create endpoint with valid url should be tested,too.
test_list_endpoints_filtered_by_parent_region_id
()[source]¶Call GET /endpoints?region_id={region_id}
.
Ensure passing the parent_region_id as filter returns an empty list.
test_list_endpoints_with_multiple_filters
()[source]¶Call GET /endpoints?interface={interface}...
.
Ensure passing different combinations of interface, region_id and service_id as filters will return the correct result.
test_list_endpoints_with_random_filter_values
()[source]¶Call GET /endpoints?interface={interface}...
.
Ensure passing random values for: interface, region_id and service_id will return an empty list.
test_list_regions_filtered_by_parent_region_id
()[source]¶Call GET /regions?parent_region_id={parent_region_id}
.
test_update_endpoint_enabled_false
()[source]¶Call PATCH /endpoints/{endpoint_id}
with enabled: False.
test_update_endpoint_enabled_str_false
()[source]¶Call PATCH /endpoints/{endpoint_id}
with enabled: ‘False’.
test_update_endpoint_enabled_str_random
()[source]¶Call PATCH /endpoints/{endpoint_id}
with enabled: ‘kitties’.
test_update_endpoint_enabled_str_true
()[source]¶Call PATCH /endpoints/{endpoint_id}
with enabled: ‘True’.
keystone.tests.unit.test_v3_catalog.
TestCatalogAPISQL
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Test for the catalog Manager against the SQL backend.
keystone.tests.unit.test_v3_catalog.
TestCatalogAPISQLRegions
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Test for the catalog Manager against the SQL backend.
keystone.tests.unit.test_v3_catalog.
TestCatalogAPITemplatedProject
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Templated Catalog doesn’t support full API.
Eg. No region/endpoint creation.
test_project_delete
()[source]¶Deleting a project should not result in an 500 ISE.
Deleting a project will create a notification, which the EndpointFilter functionality will use to clean up any project->endpoint and project->endpoint_group relationships. The templated catalog does not support such relationships, but the act of attempting to delete them should not cause a NotImplemented exception to be exposed to an API caller.
Deleting an endpoint has a similar notification and clean up mechanism, but since we do not allow deletion of endpoints with the templated catalog, there is no testing to do for that action.
keystone.tests.unit.test_v3_credential.
CredentialTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_credential.CredentialBaseTestCase
Test credential CRUD.
test_create_ec2_credential_with_invalid_blob
()[source]¶Test creating ec2 credential with invalid blob.
Call POST /credentials
.
test_create_ec2_credential_with_missing_project_id
()[source]¶Test Creating ec2 credential with missing project_id.
Call POST /credentials
.
test_list_credentials_filtered_by_type_and_user_id
()[source]¶Call GET /credentials?user_id={user_id}&type={type}
.
keystone.tests.unit.test_v3_credential.
TestCredentialEc2
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_credential.CredentialBaseTestCase
Test v3 credential compatibility with ec2tokens.
test_ec2_credential_signature_validate
()[source]¶Test signature validation with a v3 ec2 credential.
keystone.tests.unit.test_v3_credential.
TestCredentialTrustScoped
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test credential with trust scoped token.
keystone.tests.unit.test_v3_domain_config.
DomainConfigTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test domain config support.
test_create_config_invalid_domain
()[source]¶Call PUT /domains/{domain_id}/config
.
While creating Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
test_delete_config_by_group_invalid_domain
()[source]¶Call DELETE /domains{domain_id}/config/{group}
.
While deleting Identity API-based domain config by group with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
test_delete_config_invalid_domain
()[source]¶Call DELETE /domains{domain_id}/config
.
While deleting Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
test_get_head_config_by_group_invalid_domain
()[source]¶Call GET & HEAD /domains{domain_id}/config/{group}
.
While retrieving Identity API-based domain config by group with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
test_get_head_config_by_option
()[source]¶Call GET & HEAD /domains{domain_id}/config/{group}/{option}
.
test_get_head_config_by_option_invalid_domain
()[source]¶Call GET & HEAD /domains{domain_id}/config/{group}/{option}
.
While retrieving Identity API-based domain config by option with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
test_get_head_config_default_by_invalid_group
()[source]¶Call GET & HEAD for /domains/config/{bad-group}/default
.
test_get_head_config_default_by_option
()[source]¶Call GET & HEAD /domains/config/{group}/{option}/default
.
test_get_head_config_default_for_invalid_option
()[source]¶Returning invalid configuration options is invalid.
test_get_head_non_existant_config
()[source]¶Call GET /domains{domain_id}/config when no config defined
.
test_get_head_non_existant_config_group
()[source]¶Call GET /domains/{domain_id}/config/{group_not_exist}
.
test_get_head_non_existant_config_group_invalid_domain
()[source]¶Call GET & HEAD /domains/{domain_id}/config/{group}
.
While retrieving non-existent Identity API-based domain config group with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
test_get_head_non_existant_config_invalid_domain
()[source]¶Call GET & HEAD /domains/{domain_id}/config with invalid domain
.
While retrieving non-existent Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
test_get_head_non_existant_config_option
()[source]¶Test that Not Found is returned when option doesn’t exist.
Call GET & HEAD /domains/{domain_id}/config/{group}/{opt_not_exist}
and ensure a Not Found is returned because the option isn’t defined
within the group.
test_get_head_non_existant_config_option_with_invalid_domain
()[source]¶Test that Domain Not Found is returned with invalid domain.
Call GET & HEAD /domains/{domain_id}/config/{group}/{opt_not_exist}
While retrieving non-existent Identity API-based domain config option with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
test_update_config_group_invalid_domain
()[source]¶Call PATCH /domains/{domain_id}/config/{group}
.
While updating Identity API-based domain config group with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
test_update_config_invalid_domain
()[source]¶Call PATCH /domains/{domain_id}/config
.
While updating Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
test_update_config_invalid_group_invalid_domain
()[source]¶Call PATCH /domains/{domain_id}/config/{invalid_group}
.
While updating Identity API-based domain config with an invalid group and an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
test_update_config_invalid_option
()[source]¶Call PATCH /domains/{domain_id}/config/{group}/{invalid}
.
keystone.tests.unit.test_v3_domain_config.
SecurityRequirementsTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
test_delete_non_whitelisted_security_compliance_options_fails
()[source]¶The security compliance options shouldn’t be deleteable.
test_delete_security_compliance_group_fails
()[source]¶The security compliance group shouldn’t be deleteable.
test_delete_security_compliance_password_regex_description_fails
()[source]¶The security compliance options shouldn’t be deleteable.
test_delete_security_compliance_password_regex_fails
()[source]¶The security compliance options shouldn’t be deleteable.
test_get_head_security_compliance_config_for_default_domain
()[source]¶Ask for all security compliance configuration options.
Support for enforcing security compliance per domain currently doesn’t exist. Make sure when we ask for security compliance information, it’s only for the default domain and that it only returns whitelisted options.
test_get_non_whitelisted_security_compliance_opt_fails
()[source]¶We only support exposing a subset of security compliance options.
Given that security compliance information is sensitive in nature, we should make sure that only the options we want to expose are readable via the API.
test_get_security_compliance_config_for_non_default_domain_fails
()[source]¶Getting security compliance opts for other domains should fail.
Support for enforcing security compliance rules per domain currently does not exist, so exposing security compliance information for any domain other than the default domain should not be allowed.
test_get_security_compliance_config_with_user_from_other_domain
()[source]¶Make sure users from other domains can access password requirements.
Even though a user is in a separate domain, they should be able to see the security requirements for the deployment. This is because security compliance is not yet implemented on a per domain basis. Once that happens, then this should no longer be possible since a user should only care about the security compliance requirements for the domain that they are in.
test_get_security_compliance_password_regex
()[source]¶Ask for the security compliance password regular expression.
test_get_security_compliance_password_regex_desc_returns_none
()[source]¶When an option isn’t set, we should explicitly return None.
test_get_security_compliance_password_regex_description
()[source]¶Ask for the security compliance password regex description.
test_get_security_compliance_password_regex_returns_none
()[source]¶When an option isn’t set, we should explicitly return None.
test_update_non_whitelisted_security_compliance_option_fails
()[source]¶Updating security compliance options through the API is not allowed.
Requests to update anything in the security compliance group through the API should be Forbidden. This ensures that we are covering cases where the option being updated isn’t in the white list.
test_update_security_compliance_config_group_fails
()[source]¶Make sure that updates to the entire security group section fail.
We should only allow the ability to modify a deployments security compliance rules through configuration. Especially since it’s only enforced on the default domain.
keystone.tests.unit.test_v3_endpoint_policy.
EndpointPolicyTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test endpoint policy CRUD.
In general, the controller layer of the endpoint policy extension is really just marshalling the data around the underlying manager calls. Given that the manager layer is tested in depth by the backend tests, the tests we execute here concentrate on ensuring we are correctly passing and presenting the data.
test_crud_for_policy_for_explicit_endpoint
()[source]¶PUT, HEAD and DELETE for explicit endpoint policy.
keystone.tests.unit.test_v3_endpoint_policy.
JsonHomeTests
[source]¶Bases: keystone.tests.unit.test_v3.JsonHomeTestMixin
EXTENSION_LOCATION
= ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel’¶JSON_HOME_DATA
= {‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/policy_endpoints’: {‘href-template’: ‘/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints’, ‘href-vars’: {‘policy_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/policy_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/region_and_service_policy_association’: {‘href-template’: ‘/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}’, ‘href-vars’: {‘policy_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/policy_id’, ‘service_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/service_id’, ‘region_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/region_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy_association’: {‘href-template’: ‘/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}’, ‘href-vars’: {‘endpoint_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/endpoint_id’, ‘policy_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/policy_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy’: {‘href-template’: ‘/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy’, ‘href-vars’: {‘endpoint_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/endpoint_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/service_policy_association’: {‘href-template’: ‘/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}’, ‘href-vars’: {‘policy_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/policy_id’, ‘service_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/service_id’}}}¶PARAM_LOCATION
= ‘https://docs.openstack.org/api/openstack-identity/3/param’¶keystone.tests.unit.test_v3_federation.
FederatedIdentityProviderTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
A test class for Identity Providers.
default_body
= {‘description’: None, ‘enabled’: True}¶idp_keys
= [‘description’, ‘enabled’]¶test_assign_protocol_to_nonexistent_idp
()[source]¶Assign protocol to IdP that doesn’t exist.
Expect HTTP 404 Not Found code.
test_check_idp_uniqueness
()[source]¶Add same IdP twice.
Expect HTTP 409 Conflict code for the latter call.
test_create_idp_remote_repeated
()[source]¶Create two IdentityProvider entities with some remote_ids.
A remote_id is the same for both so the second IdP is not created because of the uniqueness of the remote_ids
Expect HTTP 409 Conflict code for the latter call.
test_create_idp_without_domain_id
()[source]¶Create the IdentityProvider entity associated to remote_ids.
test_delete_existing_idp
()[source]¶Create and later delete IdP.
Expect HTTP 404 Not Found for the GET IdP call.
test_delete_idp_also_deletes_assigned_protocols
()[source]¶Deleting an IdP will delete its assigned protocol.
test_delete_nonexisting_idp
()[source]¶Delete nonexisting IdP.
Expect HTTP 404 Not Found for the GET IdP call.
test_delete_protocol
()[source]¶Delete protocol.
Expect HTTP 404 Not Found code for the GET call after the protocol is deleted.
test_get_nonexisting_idp
()[source]¶Fetch nonexisting IdP entity.
Expected HTTP 404 Not Found status code.
test_list_head_idps
(iterations=5)[source]¶List all available IdentityProviders.
This test collects ids of created IdPs and intersects it with the list of all available IdPs. List of all IdPs can be a superset of IdPs created in this test, because other tests also create IdPs.
test_list_head_protocols
()[source]¶Create set of protocols and later list them.
Compare input and output id sets.
test_protocol_composite_pk
()[source]¶Test that Keystone can add two entities.
The entities have identical names, however, attached to different IdPs.
Expect HTTP 201 code
test_protocol_idp_pk_uniqueness
()[source]¶Test whether Keystone checks for unique idp/protocol values.
Add same protocol twice, expect Keystone to reject a latter call and return HTTP 409 Conflict code.
test_update_idp_immutable_attributes
()[source]¶Update IdP’s immutable parameters.
Expect HTTP BAD REQUEST.
keystone.tests.unit.test_v3_federation.
FederatedSetupMixin
[source]¶Bases: object
ACTION
= ‘authenticate’¶ASSERTION_PREFIX
= ‘PREFIX_’¶AUTH_METHOD
= ‘saml2’¶IDP
= ‘ORG_IDP’¶IDP_WITH_REMOTE
= ‘ORG_IDP_REMOTE’¶PROTOCOL
= ‘saml2’¶REMOTE_IDS
= [‘entityID_IDP1’, ‘entityID_IDP2’]¶REMOTE_ID_ATTR
= ‘24284493095b47d094a77803e3e3495b’¶UNSCOPED_V3_SAML2_REQ
= {‘identity’: {‘saml2’: {‘identity_provider’: ‘ORG_IDP’, ‘protocol’: ‘saml2’}, ‘methods’: [‘saml2’]}}¶USER
= ‘user@ORGANIZATION’¶keystone.tests.unit.test_v3_federation.
FederatedTokenTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3_federation.FederatedSetupMixin
test_assertion_prefix_parameter
()[source]¶Test parameters filtering based on the prefix.
With assertion_prefix
set to fixed, non default value,
issue an unscoped token from assertion EMPLOYEE_ASSERTION_PREFIXED.
Expect server to return unscoped token.
test_assertion_prefix_parameter_expect_fail
()[source]¶Test parameters filtering based on the prefix.
With assertion_prefix
default value set to empty string
issue an unscoped token from assertion EMPLOYEE_ASSERTION.
Next, configure assertion_prefix
to value UserName
.
Try issuing unscoped token with EMPLOYEE_ASSERTION.
Expect server to raise exception.Unathorized exception.
test_empty_blacklist_passess_all_values
()[source]¶Test a mapping with empty blacklist specified.
Not adding a blacklist
keyword to the mapping rules has the same
effect as adding an empty blacklist
.
In both cases, the mapping engine will not discard any groups that are
associated with apache environment variables.
This test checks scenario where an empty blacklist was specified. Expected result is to allow any value.
EXISTS
NO_EXISTS
EXISTS
and NO_EXISTS
assignedtest_empty_whitelist_discards_all_values
()[source]¶Test that empty whitelist blocks all the values.
Not adding a whitelist
keyword to the mapping value is different
than adding empty whitelist. The former case will simply pass all the
values, whereas the latter would discard all the values.
This test checks scenario where an empty whitelist was specified. The expected result is that no groups are matched.
EXISTS
test_full_workflow
()[source]¶Test ‘standard’ workflow for granting access tokens.
test_issue_scoped_token_no_groups
()[source]¶Verify that token without groups cannot get scoped to project.
This test is required because of bug 1677723.
test_issue_token_with_nonexistent_group
()[source]¶Inject assertion that matches rule issuing bad group id.
Expect server to find out that some groups are missing in the backend and raise exception.MappedGroupNotFound exception.
test_issue_unscoped_token_disabled_idp
()[source]¶Check if authentication works with disabled identity providers.
Test plan: 1) Disable default IdP 2) Try issuing unscoped token for that IdP 3) Expect server to forbid authentication
test_issue_unscoped_token_malformed_environment
()[source]¶Test whether non string objects are filtered out.
Put non string objects into the environment, inject correct assertion and try to get an unscoped token. Expect server not to fail on using split() method on non string objects and return token id in the HTTP header.
test_issue_unscoped_token_with_remote_default_overwritten
()[source]¶Test that protocol remote_id_attribute has higher priority.
Make sure the parameter stored under protocol
section has higher
priority over parameter from default federation
configuration
section.
test_lists_with_missing_group_in_backend
()[source]¶Test a mapping that points to a group that does not exist.
For explicit mappings, we expect the group to exist in the backend, but for lists, specifically blacklists, a missing group is expected as many groups will be specified by the IdP that are not Keystone groups.
EXISTS
EXISTS
id in ittest_not_adding_blacklist_passess_all_values
()[source]¶Test a mapping without blacklist specified.
Not adding a blacklist
keyword to the mapping rules has the same
effect as adding an empty blacklist
. In both cases all values will
be accepted and passed.
This test checks scenario where an blacklist was not specified. Expected result is to allow any value.
EXISTS
NO_EXISTS
EXISTS
and NO_EXISTS
assignedtest_not_setting_whitelist_accepts_all_values
()[source]¶Test that not setting whitelist passes.
Not adding a whitelist
keyword to the mapping value is different
than adding empty whitelist. The former case will simply pass all the
values, whereas the latter would discard all the values.
This test checks a scenario where a whitelist
was not specified.
Expected result is that no groups are ignored.
EXISTS
test_scope_to_domain_multiple_tokens
()[source]¶Issue multiple tokens scoping to different domains.
The new tokens should be scoped to:
test_scope_to_domain_with_only_inherited_roles_fails
()[source]¶Try to scope to a domain that has no direct roles.
test_scope_to_project_multiple_times
()[source]¶Try to scope the unscoped token multiple times.
The new tokens should be scoped to:
test_scope_to_project_with_only_inherited_roles
()[source]¶Try to scope token whose only roles are inherited.
test_scope_token_from_nonexistent_unscoped_token
()[source]¶Try to scope token from non-existent unscoped token.
test_scope_token_with_idp_disabled
()[source]¶Scope token issued by disabled IdP.
Try scoping the token issued by an IdP which is disabled now. Expect server to refuse scoping operation.
This test confirms correct behaviour when IdP was enabled and unscoped token was issued, but disabled before user tries to scope the token. Here we assume the unscoped token was already issued and start from the moment where IdP is being disabled and unscoped token is being used.
Test plan: 1) Disable IdP 2) Try scoping unscoped token
test_v2_auth_with_federation_token_fails
()[source]¶Test that using a federation token with v2 auth fails.
If an admin sets up a federated Keystone environment, and a user incorrectly configures a service (like Nova) to only use v2 auth, the returned message should be informative.
test_workflow_with_groups_deletion
()[source]¶Test full workflow with groups deletion before token scoping.
group
group
and project_all
group
’s idgroup
project_all
keystone.tests.unit.test_v3_federation.
FederatedTokenTestsMethodToken
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_federation.FederatedTokenTests
Test federation operation with unified scoping auth method.
Test all the operations with auth method set to token
as a new, unified
way for scoping all the tokens.
AUTH_METHOD
= ‘token’¶keystone.tests.unit.test_v3_federation.
FederatedUserTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3_federation.FederatedSetupMixin
Test for federated users.
Tests new shadow users functionality
keystone.tests.unit.test_v3_federation.
FernetFederatedTokenTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3_federation.FederatedSetupMixin
AUTH_METHOD
= ‘token’¶keystone.tests.unit.test_v3_federation.
IdPMetadataGenerationTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
A class for testing Identity Provider Metadata generation.
METADATA_URL
= ‘/OS-FEDERATION/saml2/metadata’¶keystone.tests.unit.test_v3_federation.
JsonHomeTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3.JsonHomeTestMixin
JSON_HOME_DATA
= {‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider’: {‘href-template’: ‘/OS-FEDERATION/identity_providers/{idp_id}’, ‘href-vars’: {‘idp_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/param/idp_id’}}}¶keystone.tests.unit.test_v3_federation.
K2KServiceCatalogTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
SP1
= ‘SP1’¶SP2
= ‘SP2’¶SP3
= ‘SP3’¶test_no_service_providers_in_token
()[source]¶Test service catalog with disabled service providers.
There should be no entry service_providers
in the catalog.
Test passes providing no attribute was raised.
keystone.tests.unit.test_v3_federation.
MappingCRUDTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
A class for testing CRUD operations for Mappings.
MAPPING_URL
= ‘/OS-FEDERATION/mappings/’¶test_create_mapping_with_blacklist_and_whitelist
()[source]¶Test for adding whitelist and blacklist in the rule.
Server should respond with HTTP 400 Bad Request error upon discovering
both whitelist
and blacklist
keywords in the same rule.
test_create_shadow_mapping_without_name_fails
()[source]¶Validate project mappings contain the project name when created.
test_create_shadow_mapping_without_roles_fails
()[source]¶Validate that mappings with projects contain roles when created.
keystone.tests.unit.test_v3_federation.
SAMLGenerationTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
ASSERTION_FILE
= ‘signed_saml2_assertion.xml’¶ASSERTION_VERSION
= ‘2.0’¶ECP_GENERATION_ROUTE
= ‘/auth/OS-FEDERATION/saml2/ecp’¶ISSUER
= ‘https://acme.com/FIM/sps/openstack/saml20’¶PROJECT
= ‘development’¶PROJECT_DOMAIN
= ‘project_domain’¶RECIPIENT
= ‘http://beta.com/Shibboleth.sso/SAML2/POST’¶ROLES
= [‘admin’, ‘member’]¶SAML_GENERATION_ROUTE
= ‘/auth/OS-FEDERATION/saml2’¶SERVICE_PROVDIER_ID
= ‘ACME’¶SP_AUTH_URL
= ‘http://beta.com:5000/v3/OS-FEDERATION/identity_providers/BETA/protocols/saml2/auth’¶SUBJECT
= ‘test_user’¶SUBJECT_DOMAIN
= ‘user_domain’¶test_generate_ecp_route
()[source]¶Test that the ECP generation endpoint produces XML.
The ECP endpoint /v3/auth/OS-FEDERATION/saml2/ecp should take the same input as the SAML generation endpoint (scoped token ID + Service Provider ID). The controller should return a SAML assertion that is wrapped in a SOAP envelope.
test_generate_saml_route
()[source]¶Test that the SAML generation endpoint produces XML.
The SAML endpoint /v3/auth/OS-FEDERATION/saml2 should take as input, a scoped token ID, and a Service Provider ID. The controller should fetch details about the user from the token, and details about the service provider from its ID. This should be enough information to invoke the SAML generator and provide a valid SAML (XML) document back.
test_invalid_scope_body
()[source]¶Test that missing the scope in request body raises an exception.
Raises exception.SchemaValidationError() - error 400 Bad Request
test_invalid_token_body
()[source]¶Test that missing the token in request body raises an exception.
Raises exception.SchemaValidationError() - error 400 Bad Request
test_not_project_scoped_token
()[source]¶Ensure SAML generation fails when passing domain-scoped tokens.
The server should return a 403 Forbidden Action.
test_saml_signing
()[source]¶Test that the SAML generator produces a SAML object.
Test the SAML generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.
test_samlize_token_values
()[source]¶Test the SAML generator produces a SAML object.
Test the SAML generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.
test_sp_not_found
()[source]¶Test SAML generation with an invalid service provider ID.
Raises exception.ServiceProviderNotFound() - error Not Found 404
test_token_not_found
()[source]¶Test that an invalid token in the request body raises an exception.
Raises exception.TokenNotFound() - error Not Found 404
keystone.tests.unit.test_v3_federation.
ServiceProviderTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
A test class for Service Providers.
COLLECTION_NAME
= ‘service_providers’¶MEMBER_NAME
= ‘service_provider’¶SERVICE_PROVIDER_ID
= ‘ACME’¶SP_KEYS
= [‘auth_url’, ‘id’, ‘enabled’, ‘description’, ‘relay_state_prefix’, ‘sp_url’]¶test_create_sp_relay_state_default
()[source]¶Create an SP without relay state, should default to ss:mem.
test_list_head_service_providers
()[source]¶Test listing of service provider objects.
Add two new service providers. List all available service providers. Expect to get list of three service providers (one created by setUp()) Test if attributes match.
test_update_service_provider
()[source]¶Update existing service provider.
Update default existing service provider and make sure it has been properly changed.
keystone.tests.unit.test_v3_federation.
ShadowMappingTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3_federation.FederatedSetupMixin
Test class dedicated to auto-provisioning resources at login.
A shadow mapping is a mapping that contains extra properties about that specific federated user’s situation based on attributes from the assertion. For example, a shadow mapping can tell us that a user should have specific role assignments on certain projects within a domain. When a federated user authenticates, the shadow mapping will create these entities before returning the authenticated response to the user. This test class is dedicated to testing specific aspects of shadow mapping when performing federated authentication.
keystone.tests.unit.test_v3_federation.
WebSSOTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_federation.FederatedTokenTests
A class for testing Web SSO.
ORIGIN
= ‘http%3A%2F%2Fhorizon.com’¶PROTOCOL_REMOTE_ID_ATTR
= ‘e998ae9ba8614e35a562f11a3fc6b4da’¶SSO_TEMPLATE_NAME
= ‘sso_callback_template.html’¶SSO_TEMPLATE_PATH
= ‘/home/jenkins/workspace/keystone-docs-ubuntu-xenial/etc/sso_callback_template.html’¶SSO_URL
= ‘/auth/OS-FEDERATION/websso/’¶TRUSTED_DASHBOARD
= ‘http://horizon.com’¶keystone.tests.unit.test_v3_filters.
IdentityPasswordExpiryFilteredTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.filtering.FilterTests
, keystone.tests.unit.test_v3.RestfulTestCase
Test password expiring filter on the v3 Identity API.
load_sample_data
()[source]¶Create sample data for password expiry tests.
The test environment will consist of a single domain, containing a single project. It will create three users and one group. Each user is going to be given a role assignment on the project and the domain. Two of the three users are going to be placed into the group, which won’t have any role assignments to either the project or the domain.
test_list_users_by_password_expires_after
()[source]¶Ensure users can be filtered on gt and gte.
GET /users?password_expires_at=gt:{timestamp} GET /users?password_expires_at=gte:{timestamp}
test_list_users_by_password_expires_at
()[source]¶Ensure users can be filtered on no operator, eq and neq.
GET /users?password_expires_at={timestamp} GET /users?password_expires_at=eq:{timestamp}
test_list_users_by_password_expires_before
()[source]¶Ensure users can be filtered on lt and lte.
GET /users?password_expires_at=lt:{timestamp} GET /users?password_expires_at=lte:{timestamp}
test_list_users_by_password_expires_interval
()[source]¶Ensure users can be filtered on time intervals.
GET /users?password_expires_at=lt:{timestamp}>:{timestamp} GET /users?password_expires_at=lte:{timestamp}>e:{timestamp}
Time intervals are defined by using lt or lte and gt or gte, where the lt/lte time is greater than the gt/gte time.
test_list_users_by_password_expires_with_bad_operator_fails
()[source]¶Ensure an invalid operator returns a Bad Request.
GET /users?password_expires_at={invalid_operator}:{timestamp} GET /users?password_expires_at={operator}:{timestamp}& {invalid_operator}:{timestamp}
test_list_users_by_password_expires_with_bad_timestamp_fails
()[source]¶Ensure a invalid timestamp returns a Bad Request.
GET /users?password_expires_at={invalid_timestamp} GET /users?password_expires_at={operator}:{timestamp}& {operator}:{invalid_timestamp}
test_list_users_in_group_by_password_expires_after
()[source]¶Ensure users in a group can be filtered on with gt and gte.
GET /groups/{groupid}/users?password_expires_at=gt:{timestamp} GET /groups/{groupid}/users?password_expires_at=gte:{timestamp}
test_list_users_in_group_by_password_expires_at
()[source]¶Ensure users in a group can be filtered on no operator, eq, and neq.
GET /groups/{groupid}/users?password_expires_at={timestamp} GET /groups/{groupid}/users?password_expires_at=eq:{timestamp}
test_list_users_in_group_by_password_expires_bad_operator_fails
()[source]¶Ensure an invalid operator returns a Bad Request.
GET /groups/{groupid}/users?password_expires_at= {invalid_operator}:{timestamp} GET /groups/{group_id}/users?password_expires_at= {operator}:{timestamp}&{invalid_operator}:{timestamp}
test_list_users_in_group_by_password_expires_bad_timestamp_fails
()[source]¶Ensure and invalid timestamp returns a Bad Request.
GET /groups/{groupid}/users?password_expires_at={invalid_timestamp} GET /groups/{groupid}/users?password_expires_at={operator}:{timestamp}& {operator}:{invalid_timestamp}
test_list_users_in_group_by_password_expires_before
()[source]¶Ensure users in a group can be filtered on with lt and lte.
GET /groups/{groupid}/users?password_expires_at=lt:{timestamp} GET /groups/{groupid}/users?password_expires_at=lte:{timestamp}
test_list_users_in_group_by_password_expires_interval
()[source]¶Ensure users in a group can be filtered on time intervals.
GET /groups/{groupid}/users?password_expires_at= lt:{timestamp}>:{timestamp} GET /groups/{groupid}/users?password_expires_at= lte:{timestamp}>e:{timestamp}
Time intervals are defined by using lt or lte and gt or gte, where the lt/lte time is greater than the gt/gte time.
keystone.tests.unit.test_v3_filters.
IdentityTestFilteredCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.filtering.FilterTests
, keystone.tests.unit.test_v3.RestfulTestCase
Test filter enforcement on the v3 Identity API.
load_sample_data
()[source]¶Create sample data for these tests.
As well as the usual housekeeping, create a set of domains, users, roles and projects for the subsequent tests:
Remember that there will also be a fourth domain in existence, the default domain.
test_filter_sql_injection_attack
()[source]¶GET /users?name=<injected sql_statement>.
Test Plan:
test_invalid_filter_is_ignored
()[source]¶GET /domains?enableds&name=myname.
Test Plan:
test_list_filtered_domains
()[source]¶GET /domains?enabled=0.
Test Plan:
test_list_users_filtered_by_domain
()[source]¶GET /users?domain_id=mydomain (filtered).
Test Plan:
keystone.tests.unit.test_v3_filters.
IdentityTestListLimitCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_filters.IdentityTestFilteredCase
Test list limiting enforcement on the v3 Identity API.
content_type
= ‘json’¶keystone.tests.unit.test_v3_identity.
ChangePasswordTestCase
(*args, **kwargs)[source]¶keystone.tests.unit.test_v3_identity.
IdentityTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test users and groups.
test_create_user_with_admin_token_and_domain
()[source]¶Call POST /users
with admin token and domain id.
test_create_user_without_domain
()[source]¶Call POST /users
without specifying domain.
According to the identity-api specification, if you do not explicitly specific the domain_id in the entity, it should take the domain scope of the token as the domain_id.
test_delete_user
()[source]¶Call DELETE /users/{user_id}
.
As well as making sure the delete succeeds, we ensure that any credentials that reference this user are also deleted, while other credentials are unaffected. In addition, no tokens should remain valid for this user.
test_get_user_does_not_include_extra_attributes
()[source]¶Call GET /users/{user_id}
extra attributes are not included.
test_get_user_includes_required_attributes
()[source]¶Call GET /users/{user_id}
required attributes are included.
test_get_user_with_default_project
()[source]¶Call GET /users/{user_id}
making sure of default_project_id.
test_list_users_with_multiple_backends
()[source]¶Call GET /users
when multiple backends is enabled.
In this scenario, the controller requires a domain to be specified either as a filter or by using a domain scoped token.
test_setting_default_project_id_to_domain_failed
()[source]¶Call POST and PATCH /users
default_project_id=domain_id.
Make sure we validate the default_project_id if it is specified. It cannot be set to a domain_id, even for a project acting as domain right now. That’s because we haven’t sort out the issuing project-scoped token for project acting as domain bit yet. Once we got that sorted out, we can relax this constraint.
test_update_group_domain_id
()[source]¶Call PATCH /groups/{group_id}
with domain_id.
A group’s domain_id is immutable. Ensure that any attempts to update the domain_id of a group fails.
test_update_user_domain_id
()[source]¶Call PATCH /users/{user_id}
with domain_id.
A user’s domain_id is immutable. Ensure that any attempts to update the domain_id of a user fails.
test_user_management_normalized_keys
()[source]¶Illustrate the inconsistent handling of hyphens in keys.
To quote Morgan in bug 1526244:
the reason this is converted from “domain-id” to “domain_id” is because of how we process/normalize data. The way we have to handle specific data types for known columns requires avoiding “-” in the actual python code since “-” is not valid for attributes in python w/o significant use of “getattr” etc.
In short, historically we handle some things in conversions. The use of “extras” has long been a poor design choice that leads to odd/strange inconsistent behaviors because of other choices made in handling data from within the body. (In many cases we convert from “-” to “_” throughout openstack)
Source: https://bugs.launchpad.net/keystone/+bug/1526244/comments/9
keystone.tests.unit.test_v3_identity.
IdentityTestCaseStaticAdminToken
(*args, **kwargs)[source]¶keystone.tests.unit.test_v3_identity.
IdentityV3toV2MethodsTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Test users V3 to V2 conversion methods.
keystone.tests.unit.test_v3_identity.
PasswordValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_identity.ChangePasswordTestCase
keystone.tests.unit.test_v3_identity.
UserSelfServiceChangingPasswordsTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_identity.ChangePasswordTestCase
keystone.tests.unit.test_v3_oauth1.
FernetAuthTokenTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_oauth1.AuthTokenTests
, keystone.tests.unit.test_v3_oauth1.OAuthFlowTests
keystone.tests.unit.test_v3_oauth1.
JsonHomeTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests
, keystone.tests.unit.test_v3.JsonHomeTestMixin
JSON_HOME_DATA
= {‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers’: {‘href’: ‘/OS-OAUTH1/consumers’}}¶keystone.tests.unit.test_v3_oauth1.
MaliciousOAuth1Tests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests
keystone.tests.unit.test_v3_oauth1.
OAuth1Tests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
CONSUMER_URL
= ‘/OS-OAUTH1/consumers’¶keystone.tests.unit.test_v3_oauth1.
OAuthCADFNotificationTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_oauth1.OAuthNotificationTests
keystone.tests.unit.test_v3_oauth1.
OAuthNotificationTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests
, keystone.tests.unit.common.test_notifications.BaseNotificationTest
keystone.tests.unit.test_v3_oauth1.
UUIDAuthTokenTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_oauth1.AuthTokenTests
, keystone.tests.unit.test_v3_oauth1.OAuthFlowTests
keystone.tests.unit.test_v3_os_revoke.
OSRevokeTests
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3.JsonHomeTestMixin
JSON_HOME_DATA
= {‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events’: {‘href’: ‘/OS-REVOKE/events’}}¶keystone.tests.unit.test_v3_policy.
PolicyTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test policy CRUD.
keystone.tests.unit.test_v3_protection.
IdentityTestImpliedDomainSpecificRoles
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3_protection.IdentityTestv3CloudPolicySample
Test Domain specific Implied Roles via the REST API.
keystone.tests.unit.test_v3_protection.
IdentityTestPolicySample
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test policy enforcement of the policy.json file.
keystone.tests.unit.test_v3_protection.
IdentityTestProtectedCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test policy enforcement on the v3 Identity API.
setUp
()[source]¶Setup for Identity Protection Test Cases.
As well as the usual housekeeping, create a set of domains, users, roles and projects for the subsequent tests:
Remember that there will also be a fourth domain in existence, the default domain.
test_get_user_protected_match_id
()[source]¶GET /users/{id} (match payload).
Test Plan:
test_get_user_protected_match_target
()[source]¶GET /users/{id} (match target).
Test Plan:
test_list_groups_protected_by_domain
()[source]¶GET /groups?domain_id=mydomain (protected).
Test Plan:
test_list_groups_protected_by_domain_and_filtered
()[source]¶GET /groups?domain_id=mydomain&name=myname (protected).
Test Plan:
test_list_users_filtered_by_domain
()[source]¶GET /users?domain_id=mydomain (filtered).
Test Plan:
test_list_users_protected_by_domain
()[source]¶GET /users?domain_id=mydomain (protected).
Test Plan:
test_list_users_unprotected
()[source]¶GET /users (unprotected).
Test Plan:
test_revoke_grant_protected_match_target
()[source]¶DELETE /domains/{id}/users/{id}/roles/{id} (match target).
Test Plan:
keystone.tests.unit.test_v3_protection.
IdentityTestv3CloudPolicySample
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3.AssignmentTestMixin
Test policy enforcement of the sample v3 cloud policy file.
setUp
()[source]¶Setup for v3 Cloud Policy Sample Test Cases.
The following data is created:
We test various api protection rules from the cloud sample policy file to make sure the sample is valid and that we correctly enforce it.
test_get_and_delete_ec2_credentials
()[source]¶Test getting and deleting ec2 credentials through the ec2 API.
test_user_management_normalized_keys
()[source]¶Illustrate the inconsistent handling of hyphens in keys.
To quote Morgan in bug 1526244:
the reason this is converted from “domain-id” to “domain_id” is because of how we process/normalize data. The way we have to handle specific data types for known columns requires avoiding “-” in the actual python code since “-” is not valid for attributes in python w/o significant use of “getattr” etc.
In short, historically we handle some things in conversions. The use of “extras” has long been a poor design choice that leads to odd/strange inconsistent behaviors because of other choices made in handling data from within the body. (In many cases we convert from “-” to “_” throughout openstack)
Source: https://bugs.launchpad.net/keystone/+bug/1526244/comments/9
keystone.tests.unit.test_v3_resource.
ResourceTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
, keystone.tests.unit.test_v3.AssignmentTestMixin
Test domains and projects.
test_create_domain_case_sensitivity
()[source]¶Call POST /domains` twice with upper() and lower() cased name.
test_create_domain_creates_is_domain_project
()[source]¶Check a project that acts as a domain is created.
Call POST /domains
.
test_create_is_domain_project_creates_domain
()[source]¶Call POST /projects
is_domain and check a domain is created.
test_delete_domain
()[source]¶Call DELETE /domains/{domain_id}
.
The sample data set up already has a user and project that is part of self.domain. Additionally we will create a group and a credential within it. Since we will authenticate in this domain, we create another set of entities in a second domain. Deleting this second domain should delete all these new entities. In addition, all the entities in the regular self.domain should be unaffected by the delete.
Test Plan:
test_delete_domain_deletes_is_domain_project
()[source]¶Check the project that acts as a domain is deleted.
Call DELETE /domains
.
test_delete_project
()[source]¶Call DELETE /projects/{project_id}
.
As well as making sure the delete succeeds, we ensure that any credentials that reference this projects are also deleted, while other credentials are unaffected.
test_forbid_operations_on_defined_federated_domain
()[source]¶Make sure one cannot operate on a user-defined federated domain.
This includes operations like create, update, delete.
test_forbid_operations_on_federated_domain
()[source]¶Make sure one cannot operate on federated domain.
This includes operations like create, update, delete on domain identified by id and name where difference variations of id ‘Federated’ are used.
test_get_project_with_parents_as_list_and_parents_as_ids
()[source]¶Attempt to list a project’s parents as both a list and as IDs.
This uses GET /projects/{project_id}?parents_as_list&parents_as_ids
which should fail with a Bad Request due to the conflicting query
strings.
test_get_project_with_parents_as_list_with_full_access
()[source]¶GET /projects/{project_id}?parents_as_list
with full access.
Test plan:
test_get_project_with_parents_as_list_with_invalid_id
()[source]¶Call GET /projects/{project_id}?parents_as_list
.
test_get_project_with_parents_as_list_with_partial_access
()[source]¶GET /projects/{project_id}?parents_as_list
with partial access.
Test plan:
test_get_project_with_subtree_as_ids
()[source]¶Call GET /projects/{project_id}?subtree_as_ids
.
This test creates a more complex hierarchy to test if the structured
dictionary returned by using the subtree_as_ids
query param
correctly represents the hierarchy.
The hierarchy contains 5 projects with the following structure:
+--A--+
| |
+--B--+ C
| |
D E
test_get_project_with_subtree_as_list_and_subtree_as_ids
()[source]¶Attempt to get a project subtree as both a list and as IDs.
This uses GET /projects/{project_id}?subtree_as_list&subtree_as_ids
which should fail with a bad request due to the conflicting query
strings.
test_get_project_with_subtree_as_list_with_full_access
()[source]¶GET /projects/{project_id}?subtree_as_list
with full access.
Test plan:
test_get_project_with_subtree_as_list_with_invalid_id
()[source]¶Call GET /projects/{project_id}?subtree_as_list
.
test_get_project_with_subtree_as_list_with_partial_access
()[source]¶GET /projects/{project_id}?subtree_as_list
with partial access.
Test plan:
test_list_project_is_domain_filter_default
()[source]¶Default project list should not see projects acting as domains.
test_token_revoked_once_domain_disabled
()[source]¶Test token from a disabled domain has been invalidated.
Test that a token that was valid for an enabled domain becomes invalid once that domain is disabled.
test_update_domain_updates_is_domain_project
()[source]¶Check the project that acts as a domain is updated.
Call PATCH /domains
.
test_update_project_domain_id
()[source]¶Call PATCH /projects/{project_id}
with domain_id.
A projects’s domain_id is immutable. Ensure that any attempts to update the domain_id of a project fails.
keystone.tests.unit.test_v3_resource.
ResourceV3toV2MethodsTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Test domain V3 to V2 conversion methods.
keystone.tests.unit.test_v3_trust.
TestTrustOperations
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.test_v3.RestfulTestCase
Test module for create, read, update and delete operations on trusts.
This module is specific to tests for trust CRUD operations. All other tests related to trusts that are authentication or authorization specific should live in the keystone/tests/unit/test_v3_auth.py module.
keystone.tests.unit.test_validation.
CredentialValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Credential API validation.
test_validate_credential_ec2_without_project_id_fails
()[source]¶Validate project_id is required for ec2.
Test that a SchemaValidationError is raised when type is ec2 and no project_id is provided in create request.
test_validate_credential_non_ec2_without_project_id_succeeds
()[source]¶Validate project_id is not required for non-ec2.
Test that create request without project_id succeeds for any non-ec2 credential.
test_validate_credential_update_succeeds
()[source]¶Test that a credential request is properly validated.
test_validate_credential_update_with_extra_parameters_succeeds
()[source]¶Validate credential update with extra parameters.
test_validate_credential_update_without_parameters_fails
()[source]¶Exception is raised on update without parameters.
test_validate_credential_with_extra_parameters_succeeds
()[source]¶Validate create request with extra parameters.
test_validate_credential_with_project_id_succeeds
()[source]¶Test that credential request works for all types.
test_validate_credential_without_blob_fails
()[source]¶Exception raised without blob in create request.
keystone.tests.unit.test_validation.
DomainValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Domain API validation.
test_validate_domain_create_fails_with_invalid_name
()[source]¶Exception when validating a create request with invalid name.
test_validate_domain_request_with_enabled
()[source]¶Validate enabled as boolean-like values for domains.
test_validate_domain_request_with_invalid_description_fails
()[source]¶Exception is raised when description is a non-string value.
test_validate_domain_request_with_invalid_enabled_fails
()[source]¶Exception is raised when enabled isn’t a boolean-like value.
test_validate_domain_request_with_name_too_long
()[source]¶Exception is raised when name is too long.
test_validate_domain_request_with_valid_description
()[source]¶Test that we validate description in create domain requests.
test_validate_domain_request_without_name_fails
()[source]¶Make sure we raise an exception when name isn’t included.
test_validate_domain_update_fails_with_invalid_name
()[source]¶Exception when validating an update request with invalid name.
keystone.tests.unit.test_validation.
EndpointGroupValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Endpoint Group API validation.
test_validate_create_endpoint_group_fails_with_invalid_filters
()[source]¶Validate invalid filters value in endpoint group parameters.
This test ensures that exception is raised when non-dict values is used as filters in endpoint group create request.
test_validate_endpoint_group_create_fails_without_filters
()[source]¶Exception raised when filters isn’t in endpoint group request.
test_validate_endpoint_group_create_fails_without_name
()[source]¶Exception raised when name isn’t in endpoint group request.
test_validate_endpoint_group_create_succeeds_with_req_parameters
()[source]¶Validate required endpoint group parameters.
This test ensure that validation succeeds with only the required parameters passed for creating an endpoint group.
test_validate_endpoint_group_create_succeeds_with_valid_filters
()[source]¶Validate filters in endpoint group create requests.
test_validate_endpoint_group_request_succeeds
()[source]¶Test that we validate an endpoint group request.
test_validate_endpoint_group_update_fails_with_invalid_filters
()[source]¶Exception raised when passing invalid filters in request.
test_validate_endpoint_group_update_fails_with_no_parameters
()[source]¶Exception raised when no parameters on endpoint group update.
test_validate_endpoint_group_update_request_succeeds
()[source]¶Test that we validate an endpoint group update request.
keystone.tests.unit.test_validation.
EndpointValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Endpoint API validation.
test_validate_create_endpoint_fails_with_invalid_enabled
()[source]¶Exception raised when boolean-like values as enabled.
test_validate_endpoint_create_fails_with_invalid_interface
()[source]¶Exception raised with invalid interface.
test_validate_endpoint_create_fails_with_invalid_region_id
()[source]¶Exception raised when passing invalid region(_id) in request.
test_validate_endpoint_create_fails_with_invalid_url
()[source]¶Exception raised when passing invalid url in request.
test_validate_endpoint_create_fails_without_interface
()[source]¶Exception raised when interface isn’t in endpoint request.
test_validate_endpoint_create_fails_without_service_id
()[source]¶Exception raised when service_id isn’t in endpoint request.
test_validate_endpoint_create_fails_without_url
()[source]¶Exception raised when url isn’t in endpoint request.
test_validate_endpoint_create_succeeds_with_extra_parameters
()[source]¶Test that extra parameters pass validation on create endpoint.
test_validate_endpoint_create_succeeds_with_required_parameters
()[source]¶Validate an endpoint request with only the required parameters.
test_validate_endpoint_create_succeeds_with_url
()[source]¶Validate url attribute in endpoint create request.
test_validate_endpoint_create_succeeds_with_valid_enabled
()[source]¶Validate an endpoint with boolean values.
Validate boolean values as enabled in endpoint create requests.
test_validate_endpoint_update_fails_with_invalid_enabled
()[source]¶Exception raised when enabled is boolean-like value.
test_validate_endpoint_update_fails_with_invalid_interface
()[source]¶Exception raised when invalid interface on endpoint update.
test_validate_endpoint_update_fails_with_invalid_region_id
()[source]¶Exception raised when passing invalid region(_id) in request.
test_validate_endpoint_update_fails_with_invalid_url
()[source]¶Exception raised when passing invalid url in request.
test_validate_endpoint_update_fails_with_no_parameters
()[source]¶Exception raised when no parameters on endpoint update.
test_validate_endpoint_update_request_succeeds
()[source]¶Test that we validate an endpoint update request.
test_validate_endpoint_update_succeeds_with_extra_parameters
()[source]¶Test that extra parameters pass validation on update endpoint.
keystone.tests.unit.test_validation.
EntityValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
test_create_entity_with_all_valid_parameters_validates
()[source]¶Validate all parameter values against test schema.
test_create_entity_with_invalid_email_fails
()[source]¶Validate invalid email address.
Test that an exception is raised when validating improperly formatted email addresses.
test_create_entity_with_invalid_enabled_format_raises_exception
()[source]¶Validate invalid enabled formats.
Test that an exception is raised when passing invalid boolean-like values as enabled.
test_create_entity_with_invalid_id_strings
()[source]¶Exception raised when using invalid id strings.
test_create_entity_with_invalid_urls_fails
()[source]¶Test that an exception is raised when validating improper urls.
test_create_entity_with_name_too_long_raises_exception
()[source]¶Validate long names.
Validate that an exception is raised when validating a string of 255+ characters passed in as a name.
test_create_entity_with_name_too_short_raises_exception
()[source]¶Validate short names.
Test that an exception is raised when passing a string of length zero as a name parameter.
test_create_entity_with_null_id_string
()[source]¶Validate that None is an acceptable optional string type.
test_create_entity_with_null_string_succeeds
()[source]¶Exception raised when passing None on required id strings.
test_create_entity_with_only_required_valid_parameters_validates
()[source]¶Validate correct for only parameters values against test schema.
test_create_entity_with_unicode_name_validates
()[source]¶Test that we successfully validate a unicode string.
test_create_entity_with_valid_email_validates
()[source]¶Validate email address.
Test that we successfully validate properly formatted email addresses.
test_create_entity_with_valid_enabled_formats_validates
()[source]¶Validate valid enabled formats.
Test that we have successful validation on boolean values for enabled.
test_create_entity_with_valid_urls_validates
()[source]¶Test that proper urls are successfully validated.
test_update_entity_with_a_null_optional_parameter_validates
()[source]¶Optional parameters can be null to removed the value.
test_update_entity_with_a_required_null_parameter_fails
()[source]¶The name parameter can’t be null.
test_update_entity_with_a_valid_optional_parameter_validates
()[source]¶Succeed with only a single valid optional parameter.
test_update_entity_with_a_valid_required_parameter_validates
()[source]¶Succeed if a valid required parameter is provided.
test_update_entity_with_all_parameters_valid_validates
()[source]¶Simulate updating an entity by ID.
test_update_entity_with_invalid_optional_parameter_fails
()[source]¶Fail when an optional parameter is invalid.
keystone.tests.unit.test_validation.
FederationProtocolValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Federation Protocol API validation.
test_validate_protocol_request_fails_with_invalid_mapping_id
()[source]¶Exception raised when mapping_id is not string.
test_validate_protocol_request_fails_with_invalid_params
()[source]¶Exception raised when unknown parameter is found.
test_validate_protocol_request_no_parameters
()[source]¶Test that schema validation with empty request body.
test_validate_protocol_request_succeeds
()[source]¶Test that we validate a protocol request successfully.
test_validate_protocol_request_succeeds_on_update
()[source]¶Test that we validate a protocol update request successfully.
test_validate_protocol_request_succeeds_with_nonuuid_mapping_id
()[source]¶Test that we allow underscore in mapping_id value.
test_validate_update_protocol_request_fails_with_invalid_id
()[source]¶Test that updating a protocol with a non-string mapping_id fail.
test_validate_update_protocol_request_fails_with_invalid_params
()[source]¶Exception raised when unknown parameter in protocol update.
keystone.tests.unit.test_validation.
GroupValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Group API validation.
test_validate_group_create_fails_with_invalid_name
()[source]¶Exception when validating a create request with invalid name.
test_validate_group_create_fails_without_group_name
()[source]¶Exception raised when group name is not provided in request.
test_validate_group_create_succeeds_with_all_parameters
()[source]¶Validate create group requests with all parameters.
test_validate_group_create_succeeds_with_extra_parameters
()[source]¶Validate extra attributes on group create requests.
test_validate_group_update_fails_with_invalid_name
()[source]¶Exception when validating an update request with invalid name.
keystone.tests.unit.test_validation.
IdentityProviderValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Identity Provider API validation.
test_validate_idp_request_fails_with_invalid_params
()[source]¶Exception raised when unknown parameter is found.
test_validate_idp_request_no_parameters
()[source]¶Test that schema validation with empty request body.
test_validate_idp_request_remote_id_nullable
()[source]¶Test that remote_ids could be explicitly set to None.
test_validate_idp_request_with_duplicated_remote_id
()[source]¶Exception is raised when the duplicated remote_ids is found.
test_validate_idp_request_with_invalid_description_fails
()[source]¶Exception is raised when description as a non-string value.
keystone.tests.unit.test_validation.
OAuth1ValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Identity OAuth1 API validation.
test_validate_consumer_request_succeeds
()[source]¶Test that we validate a consumer request successfully.
test_validate_consumer_request_with_invalid_description_fails
()[source]¶Exception is raised when description as a non-string value.
test_validate_consumer_request_with_no_parameters
()[source]¶Test that schema validation with empty request body.
keystone.tests.unit.test_validation.
PolicyValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Policy API validation.
test_validate_policy_create_with_extra_parameters_succeeds
()[source]¶Validate policy create with extra parameters.
test_validate_policy_create_with_invalid_type_fails
()[source]¶Exception raised when blob and type are boolean.
test_validate_policy_update_with_extra_parameters_succeeds
()[source]¶Validate policy update request with extra parameters.
test_validate_policy_update_with_invalid_type_fails
()[source]¶Exception raised when invalid type on policy update.
keystone.tests.unit.test_validation.
ProjectValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Project API validation.
test_validate_project_create_fails_with_invalid_name
()[source]¶Exception when validating a create request with invalid name.
test_validate_project_create_request_with_valid_domain_id
()[source]¶Test that we validate domain_id in create project requests.
test_validate_project_request_with_enabled
()[source]¶Validate enabled as boolean-like values for projects.
test_validate_project_request_with_invalid_description_fails
()[source]¶Exception is raised when description as a non-string value.
test_validate_project_request_with_invalid_domain_id_fails
()[source]¶Exception is raised when domain_id is a non-id value.
test_validate_project_request_with_invalid_enabled_fails
()[source]¶Exception is raised when enabled isn’t a boolean-like value.
test_validate_project_request_with_invalid_parent_id_fails
()[source]¶Exception is raised when parent_id as a non-id value.
test_validate_project_request_with_name_too_long
()[source]¶Exception is raised when name is too long.
test_validate_project_request_with_valid_description
()[source]¶Test that we validate description in create project requests.
test_validate_project_request_with_valid_parent_id
()[source]¶Test that we validate parent_id in create project requests.
test_validate_project_request_without_name_fails
()[source]¶Validate project request fails without name.
test_validate_project_update_fails_with_invalid_name
()[source]¶Exception when validating an update request with invalid name.
keystone.tests.unit.test_validation.
RegionValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Region API validation.
test_validate_region_create_fails_with_invalid_region_id
()[source]¶Exception raised when passing invalid id in request.
test_validate_region_create_request_with_parameters
()[source]¶Test that we validate a region request with parameters.
test_validate_region_create_succeeds_with_extra_parameters
()[source]¶Validate create region request with extra values.
test_validate_region_create_succeeds_with_no_parameters
()[source]¶Validate create region request with no parameters.
test_validate_region_create_with_uuid
()[source]¶Test that we validate a region request with a UUID as the id.
keystone.tests.unit.test_validation.
RoleValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Role API validation.
test_validate_role_create_fails_with_invalid_name
()[source]¶Exception when validating a create request with invalid name.
test_validate_role_create_request_with_name_too_long_fails
()[source]¶Exception raised when creating a role with name too long.
test_validate_role_create_without_name_raises_exception
()[source]¶Test that we raise an exception when name isn’t included.
keystone.tests.unit.test_validation.
ServiceProviderValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Service Provider API validation.
test_validate_sp_request_with_extra_field_fails
()[source]¶Exception raised when passing extra fields in the body.
test_validate_sp_request_with_invalid_auth_url_fails
()[source]¶Validate request fails with invalid auth_url.
test_validate_sp_request_with_invalid_description_fails
()[source]¶Exception is raised when description as a non-string value.
test_validate_sp_request_with_invalid_enabled_fails
()[source]¶Exception is raised when enabled isn’t a boolean-like value.
test_validate_sp_request_with_invalid_sp_url_fails
()[source]¶Validate request fails with invalid sp_url.
test_validate_sp_request_with_valid_description
()[source]¶Test that we validate description in create requests.
test_validate_sp_update_request_with_invalid_auth_url_fails
()[source]¶Exception raised when updating with invalid auth_url.
keystone.tests.unit.test_validation.
ServiceValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Service API validation.
test_validate_service_create_fails_when_name_too_long
()[source]¶Exception raised when name is greater than 255 characters.
test_validate_service_create_fails_when_name_too_short
()[source]¶Exception is raised when name is too short.
test_validate_service_create_fails_when_type_too_long
()[source]¶Exception is raised when type is too long.
test_validate_service_create_fails_when_type_too_short
()[source]¶Exception is raised when type is too short.
test_validate_service_create_fails_with_invalid_enabled
()[source]¶Exception raised when boolean-like parameters as enabled.
On service create, make sure an exception is raised if enabled is not a boolean value.
test_validate_service_create_fails_without_type
()[source]¶Exception raised when trying to create a service without type.
test_validate_service_create_succeeds_with_extra_parameters
()[source]¶Test that extra parameters pass validation on create service.
test_validate_service_create_succeeds_with_required_parameters
()[source]¶Validate a service create request with the required parameters.
test_validate_service_create_succeeds_with_valid_enabled
()[source]¶Validate boolean values as enabled values on service create.
test_validate_service_update_fails_with_invalid_enabled
()[source]¶Exception raised when boolean-like values as enabled.
test_validate_service_update_fails_with_name_too_long
()[source]¶Exception is raised when name is too long on update.
test_validate_service_update_fails_with_name_too_short
()[source]¶Exception is raised when name is too short on update.
test_validate_service_update_fails_with_no_parameters
()[source]¶Exception raised when updating a service without values.
test_validate_service_update_fails_with_type_too_long
()[source]¶Exception is raised when type is too long on update.
test_validate_service_update_fails_with_type_too_short
()[source]¶Exception is raised when type is too short on update.
test_validate_service_update_request_succeeds
()[source]¶Test that we validate a service update request.
keystone.tests.unit.test_validation.
TrustValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 Trust API validation.
test_validate_trust_with_all_parameters_succeeds
()[source]¶Test that we can validate a trust request with all parameters.
test_validate_trust_with_extra_parameters_succeeds
()[source]¶Test that we can validate a trust request with extra parameters.
test_validate_trust_with_invalid_expires_at_fails
()[source]¶Validate trust request with invalid expires_at fails.
test_validate_trust_with_invalid_impersonation_fails
()[source]¶Validate trust request with invalid impersonation fails.
test_validate_trust_with_invalid_role_type_fails
()[source]¶Validate trust request with invalid roles fails.
test_validate_trust_with_list_of_valid_roles_succeeds
()[source]¶Validate trust request with a list of valid roles.
test_validate_trust_with_null_remaining_uses_succeeds
()[source]¶Validate trust request with null remaining_uses.
test_validate_trust_with_period_in_user_id_string
()[source]¶Validate trust request with a period in the user id string.
test_validate_trust_with_remaining_uses_succeeds
()[source]¶Validate trust request with remaining_uses succeeds.
test_validate_trust_without_impersonation_fails
()[source]¶Validate trust request fails without impersonation.
keystone.tests.unit.test_validation.
UserValidationTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.BaseTestCase
Test for V3 User API validation.
test_validate_user_create_fails_with_invalid_enabled_formats
()[source]¶Exception raised when enabled is not an acceptable format.
test_validate_user_create_fails_with_invalid_name
()[source]¶Exception when validating a create request with invalid name.
test_validate_user_create_fails_with_invalid_password_type
()[source]¶Exception raised when user password is of the wrong type.
test_validate_user_create_fails_without_name
()[source]¶Exception raised when validating a user without name.
test_validate_user_create_request_succeeds
()[source]¶Test that validating a user create request succeeds.
test_validate_user_create_succeeds_with_extra_attributes
()[source]¶Validate extra parameters on user create requests.
test_validate_user_create_succeeds_with_null_description
()[source]¶Validate that description can be nullable on create user.
test_validate_user_create_succeeds_with_null_password
()[source]¶Validate that password is nullable on create user.
test_validate_user_create_succeeds_with_password_of_zero_length
()[source]¶Validate empty password on user create requests.
test_validate_user_create_succeeds_with_valid_enabled_formats
()[source]¶Validate acceptable enabled formats in create user requests.
test_validate_user_create_with_all_valid_parameters_succeeds
()[source]¶Test that validating a user create request succeeds.
test_validate_user_update_fails_with_invalid_name
()[source]¶Exception when validating an update request with invalid name.
keystone.tests.unit.test_versions.
VersionSingleAppTestCase
(*args, **kwargs)[source]¶Bases: keystone.tests.unit.core.TestCase
Test running with a single application loaded.
These are important because when Keystone is running in Apache httpd there’s only one application loaded for each instance.
Useful utilities for tests.
keystone.tests.unit.utils.
wip
(message, expected_exception=<type ‘exceptions.Exception’>, bug=None)[source]¶Mark a test as work in progress.
Based on code by Nat Pryce: https://gist.github.com/npryce/997195#file-wip-py
The test will always be run. If the test fails then a TestSkipped exception is raised. If the test passes an AssertionError exception is raised so that the developer knows they made the test pass. This is a reminder to remove the decorator.
Parameters: |
|
---|
>>> @wip('Expected Error', expected_exception=Exception, bug="#000000")
>>> def test():
>>> pass
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.