keystone.tests.unit package¶

Subpackages¶

Submodules¶

keystone.tests.unit.core module¶

class keystone.tests.unit.core.BaseTestCase(*args, **kwargs)[source]¶

Bases: testtools.testcase.TestCase

Light weight base test class.

This is a placeholder that will eventually go away once the setup/teardown in TestCase is properly trimmed down to the bare essentials. This is really just a play to speed up the tests by eliminating unnecessary work.

cleanup_instance(*names)[source]¶

Create a function suitable for use with self.addCleanup.

Returns:	a callable that uses a closure to delete instance attributes

setUp()[source]¶

skip_if_env_not_set(env_var)[source]¶

skip_test_overrides(*args, **kwargs)[source]¶

class keystone.tests.unit.core.EggLoader(spec)[source]¶

Bases: paste.deploy.loadwsgi.EggLoader

find_egg_entry_point(object_type, name=None)[source]¶

class keystone.tests.unit.core.SQLDriverOverrides[source]¶

Bases: object

A mixin for consolidating sql-specific test overrides.

config_overrides()[source]¶

class keystone.tests.unit.core.TestCase(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.BaseTestCase

assertCloseEnoughForGovernmentWork(a, b, delta=3)[source]¶

Assert that two datetimes are nearly equal within a small delta.

Parameters:	delta – Maximum allowable time delta, defined in seconds.

assertNotEmpty(l)[source]¶

assertTimestampEqual(expected, value)[source]¶

assertUserDictEqual(expected, observed, message=”)[source]¶

Assert that a user dict is equal to another user dict.

User dictionaries have some variable values that should be ignored in the comparison. This method is a helper that strips those elements out when comparing the user dictionary. This normalized these differences that should not change the comparison.

config(config_files)[source]¶

config_files()[source]¶

config_overrides()[source]¶

ipv6_enabled¶

load_backends()[source]¶

Initialize each manager and assigns them to an attribute.

load_fixtures(fixtures)[source]¶

Hacky basic and naive fixture loading based on a python module.

Expects that the various APIs into the various services are already defined on self.

loadapp(config, name=’main’)[source]¶

make_request(path=’/’, **kwargs)[source]¶

setUp()[source]¶

skip_if_no_ipv6()[source]¶

exception keystone.tests.unit.core.UnexpectedExit[source]¶

Bases: exceptions.Exception

keystone.tests.unit.core.create_user(api, domain_id, **kwargs)[source]¶

Create a user via the API. Keep the created password.

The password is saved and restored when api.create_user() is called. Only use this routine if there is a requirement for the user object to have a valid password after api.create_user() is called.

class keystone.tests.unit.core.dirs[source]¶

Bases: object

static etc(*p)[source]¶

static root(*p)[source]¶

static tests(*p)[source]¶

static tests_conf(*p)[source]¶

static tmp(*p)[source]¶

keystone.tests.unit.core.new_cert_credential(user_id, project_id=None, blob=None, **kwargs)[source]¶

keystone.tests.unit.core.new_credential_ref(user_id, project_id=None, type=’cert’, **kwargs)[source]¶

keystone.tests.unit.core.new_domain_ref(**kwargs)[source]¶

keystone.tests.unit.core.new_ec2_credential(user_id, project_id=None, blob=None, **kwargs)[source]¶

keystone.tests.unit.core.new_endpoint_ref(service_id, interface=’public’, region_id=<object object>, **kwargs)[source]¶

keystone.tests.unit.core.new_endpoint_ref_with_region(service_id, region, interface=’public’, **kwargs)[source]¶

Define an endpoint_ref having a pre-3.2 form.

Contains the deprecated ‘region’ instead of ‘region_id’.

keystone.tests.unit.core.new_federated_user_ref(idp_id=None, protocol_id=None, **kwargs)[source]¶

keystone.tests.unit.core.new_group_ref(domain_id, **kwargs)[source]¶

keystone.tests.unit.core.new_policy_ref(**kwargs)[source]¶

keystone.tests.unit.core.new_project_ref(domain_id=None, is_domain=False, **kwargs)[source]¶

keystone.tests.unit.core.new_region_ref(parent_region_id=None, **kwargs)[source]¶

keystone.tests.unit.core.new_role_ref(**kwargs)[source]¶

keystone.tests.unit.core.new_service_ref(**kwargs)[source]¶

keystone.tests.unit.core.new_totp_credential(user_id, project_id=None, blob=None)[source]¶

keystone.tests.unit.core.new_trust_ref(trustor_user_id, trustee_user_id, project_id=None, impersonation=None, expires=None, role_ids=None, role_names=None, remaining_uses=None, allow_redelegation=False, redelegation_count=None, **kwargs)[source]¶

keystone.tests.unit.core.new_user_ref(domain_id, project_id=None, **kwargs)[source]¶

keystone.tests.unit.core.remove_test_databases()[source]¶

keystone.tests.unit.core.skip_if_cache_disabled(*sections)[source]¶

Skip a test if caching is disabled, this is a decorator.

Caching can be disabled either globally or for a specific section.

In the code fragment:

@skip_if_cache_is_disabled('assignment', 'token')
def test_method(*args):
    ...

The method test_method would be skipped if caching is disabled globally via the enabled option in the cache section of the configuration or if the caching option is set to false in either assignment or token sections of the configuration. This decorator can be used with no arguments to only check global caching.

If a specified configuration section does not define the caching option, this decorator makes the same assumption as the should_cache_fn in keystone.common.cache that caching should be enabled.

keystone.tests.unit.core.skip_if_cache_is_enabled(*sections)[source]¶

keystone.tests.unit.core.skip_if_no_multiple_domains_support(f)[source]¶

Decorator to skip tests for identity drivers limited to one domain.

keystone.tests.unit.default_fixtures module¶

keystone.tests.unit.fakeldap module¶

Fake LDAP server for test harness.

This class does very little error checking, and knows nothing about ldap class definitions. It implements the minimum emulation of the python ldap library to work with keystone.

class keystone.tests.unit.fakeldap.FakeLdap(conn=None)[source]¶

Bases: keystone.identity.backends.ldap.common.LDAPHandler

Emulate the python-ldap API.

The python-ldap API requires all strings to be UTF-8 encoded. This is assured by the caller of this interface (i.e. KeystoneLDAPHandler).

However, internally this emulation MUST process and store strings in a canonical form which permits operations on characters. Encoded strings do not provide the ability to operate on characters. Therefore this emulation accepts UTF-8 encoded strings, decodes them to unicode for operations internal to this emulation, and encodes them back to UTF-8 when returning values from the emulation.

add_s(dn, modlist)[source]¶

Add an object with the specified attributes at dn.

connect(url, page_size=0, alias_dereferencing=None, use_tls=False, tls_cacertfile=None, tls_cacertdir=None, tls_req_cert=’demand’, chase_referrals=None, debug_level=None, use_pool=None, pool_size=None, pool_retry_max=None, pool_retry_delay=None, pool_conn_timeout=None, pool_conn_lifetime=None, conn_timeout=None)[source]¶

delete_ext_s(dn, serverctrls, clientctrls=None)[source]¶

Remove the ldap object at specified dn.

delete_s(dn)[source]¶

Remove the ldap object at specified dn.

dn(dn)[source]¶

get_option(option)[source]¶

key(dn)[source]¶

modify_s(dn, modlist)[source]¶

Modify the object at dn using the attribute list.

Parameters:	dn – an LDAP DN modlist – a list of tuples in the following form: ([MOD_ADD | MOD_DELETE | MOD_REPACE], attribute, value)

result3(msgid=-1, all=1, timeout=None, resp_ctrl_classes=None)[source]¶

Execute async request.

Only msgid param is supported. Request info is fetched from global variable PendingRequests by msgid, executed using search_s and limited if requested.

search_ext(base, scope, filterstr=’(objectClass=*)’, attrlist=None, attrsonly=0, serverctrls=None, clientctrls=None, timeout=-1, sizelimit=0)[source]¶

search_s(base, scope, filterstr=’(objectClass=*)’, attrlist=None, attrsonly=0)[source]¶

Search for all matching objects under base using the query.

Args: base – dn to search under scope – search scope (base, subtree, onelevel) filterstr – filter objects by attrlist – attrs to return. Returns all attrs if not specified

set_option(option, invalue)[source]¶

simple_bind_s(who=”, cred=”, serverctrls=None, clientctrls=None)[source]¶

Provide for compatibility but this method is ignored.

unbind_s()[source]¶

Provide for compatibility but this method is ignored.

class keystone.tests.unit.fakeldap.FakeLdapNoSubtreeDelete(conn=None)[source]¶

Bases: keystone.tests.unit.fakeldap.FakeLdap

FakeLdap subclass that does not support subtree delete.

Same as FakeLdap except delete will throw the LDAP error ldap.NOT_ALLOWED_ON_NONLEAF if there is an attempt to delete an entry that has children.

delete_ext_s(dn, serverctrls, clientctrls=None)[source]¶

Remove the ldap object at specified dn.

class keystone.tests.unit.fakeldap.FakeLdapPool(uri, retry_max=None, retry_delay=None, conn=None)[source]¶

Bases: keystone.tests.unit.fakeldap.FakeLdap

Emulate the python-ldap API with pooled connections.

This class is used as connector class in PooledLDAPHandler.

get_lifetime()[source]¶

simple_bind_s(who=None, cred=None, serverctrls=None, clientctrls=None)[source]¶

unbind_ext_s()[source]¶

Added to extend FakeLdap as connector class.

class keystone.tests.unit.fakeldap.FakeShelve[source]¶

Bases: dict

sync()[source]¶

keystone.tests.unit.federation_fixtures module¶

keystone.tests.unit.filtering module¶

class keystone.tests.unit.filtering.FilterTests[source]¶

Bases: object

keystone.tests.unit.identity_mapping module¶

keystone.tests.unit.identity_mapping.list_id_mappings()[source]¶

List all id_mappings for testing purposes.

keystone.tests.unit.mapping_fixtures module¶

Fixtures for Federation Mapping.

keystone.tests.unit.rest module¶

class keystone.tests.unit.rest.RestfulTestCase(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.TestCase

Performs restful tests against the WSGI app over HTTP.

This class launches public & admin WSGI servers for every test, which can be accessed by calling public_request() or admin_request(), respectfully.

restful_request() and request() methods are also exposed if you need to bypass restful conventions or access HTTP details in your test implementation.

Three new asserts are provided:

• assertResponseSuccessful: called automatically for every request

  unless an expected_status is provided

• assertResponseStatus: called instead of assertResponseSuccessful,

  if an expected_status is provided

• assertValidResponseHeaders: validates that the response headers

  appear as expected

Requests are automatically serialized according to the defined content_type. Responses are automatically deserialized as well, and available in the response.body attribute. The original body content is available in the response.raw attribute.

admin_request(**kwargs)[source]¶

assertResponseStatus(response, expected_status)[source]¶

Assert a specific status code on the response.

Parameters:	response – httplib.HTTPResponse expected_status – The specific status result expected

example:

self.assertResponseStatus(response, http_client.NO_CONTENT)

assertResponseSuccessful(response)[source]¶

Assert that a status code lies inside the 2xx range.

Parameters:	response – httplib.HTTPResponse to be verified to have a status code between 200 and 299.

example:

self.assertResponseSuccessful(response)

assertValidErrorResponse(response, expected_status=400)[source]¶

Verify that the error response is valid.

Subclasses can override this function based on the expected response.

assertValidResponseHeaders(response)[source]¶

Ensure that response headers appear as expected.

auth_plugin_config_override(methods=None, **method_classes)[source]¶

content_type = ‘json’¶

get_admin_token()[source]¶

get_scoped_token(tenant_id=None)[source]¶

Convenience method so that we can test authenticated requests.

get_unscoped_token()[source]¶

Convenience method so that we can test authenticated requests.

public_request(**kwargs)[source]¶

request(app, path, body=None, headers=None, token=None, expected_status=None, **kwargs)[source]¶

restful_request(method=’GET’, headers=None, body=None, content_type=None, response_content_type=None, **kwargs)[source]¶

Serialize/deserialize json as request/response body.

Warning

• Existing Accept header will be overwritten.
• Existing Content-Type header will be overwritten.

setUp(app_conf=’keystone’)[source]¶

keystone.tests.unit.test_associate_project_endpoint_extension module¶

class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterCRUDTestCase(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase

test_check_endpoint_project_association()[source]¶

HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Valid project and endpoint id test case.

test_check_endpoint_project_association_with_invalid_endpoint()[source]¶

HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Invalid endpoint id test case.

test_check_endpoint_project_association_with_invalid_project()[source]¶

HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Invalid project id test case.

test_create_endpoint_project_association()[source]¶

PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Valid endpoint and project id test case.

test_create_endpoint_project_association_invalidates_cache(*args, **kwargs)[source]¶

test_create_endpoint_project_association_with_invalid_endpoint()[source]¶

PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Invalid endpoint id test case.

test_create_endpoint_project_association_with_invalid_project()[source]¶

PUT OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Invalid project id test case.

test_create_endpoint_project_association_with_unexpected_body()[source]¶

PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Unexpected body in request. The body should be ignored.

test_endpoint_project_association_cleanup_when_endpoint_deleted()[source]¶

test_endpoint_project_association_cleanup_when_project_deleted()[source]¶

test_get_endpoint_project_association()[source]¶

GET /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Valid project and endpoint id test case.

test_get_endpoint_project_association_with_invalid_endpoint()[source]¶

GET /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Invalid endpoint id test case.

test_get_endpoint_project_association_with_invalid_project()[source]¶

GET /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Invalid project id test case.

test_list_endpoints_associated_with_invalid_project()[source]¶

GET & HEAD /OS-EP-FILTER/projects/{project_id}/endpoints.

Invalid project id test case.

test_list_endpoints_associated_with_valid_project()[source]¶

GET & HEAD /OS-EP-FILTER/projects/{project_id}/endpoints.

Valid project and endpoint id test case.

test_list_projects_associated_with_endpoint()[source]¶

GET & HEAD /OS-EP-FILTER/endpoints/{endpoint_id}/projects.

Valid endpoint-project association test case.

test_list_projects_associated_with_invalid_endpoint()[source]¶

GET & HEAD /OS-EP-FILTER/endpoints/{endpoint_id}/projects.

Invalid endpoint id test case.

test_list_projects_with_no_endpoint_project_association()[source]¶

GET & HEAD /OS-EP-FILTER/endpoints/{endpoint_id}/projects.

Valid endpoint id but no endpoint-project associations test case.

test_remove_endpoint_from_project_invalidates_cache(*args, **kwargs)[source]¶

test_remove_endpoint_project_association()[source]¶

DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Valid project id and endpoint id test case.

test_remove_endpoint_project_association_with_invalid_endpoint()[source]¶

DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Invalid endpoint id test case.

test_remove_endpoint_project_association_with_invalid_project()[source]¶

DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.

Invalid project id test case.

class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_v3.RestfulTestCase

setUp()[source]¶

class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTokenRequestTestCase(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase

test_default_scoped_token_using_endpoint_filter()[source]¶

Verify endpoints from default scoped token filtered.

test_disabled_endpoint()[source]¶

Test that a disabled endpoint is handled.

test_get_auth_catalog_using_endpoint_filter()[source]¶

test_invalid_endpoint_project_association()[source]¶

Verify an invalid endpoint-project association is handled.

test_multiple_endpoint_project_associations()[source]¶

test_project_scoped_token_using_endpoint_filter()[source]¶

Verify endpoints from project scoped token filtered.

test_scoped_token_with_no_catalog_using_endpoint_filter()[source]¶

Verify endpoint filter does not affect no catalog.

class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointGroupCRUDTestCase(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase

DEFAULT_ENDPOINT_GROUP_BODY = {‘endpoint_group’: {‘description’: ‘endpoint group description’, ‘filters’: {‘interface’: ‘admin’}, ‘name’: ‘endpoint_group_name’}}¶

DEFAULT_ENDPOINT_GROUP_URL = ‘/OS-EP-FILTER/endpoint_groups’¶

test_add_endpoint_group_to_project()[source]¶

Create a valid endpoint group and project association.

test_add_endpoint_group_to_project_invalidates_catalog_cache(*args, **kwargs)[source]¶

test_add_endpoint_group_to_project_with_invalid_project_id()[source]¶

Create an invalid endpoint group and project association.

test_check_endpoint_group()[source]¶

HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}.

Valid endpoint_group_id test case.

test_check_endpoint_group_to_project()[source]¶

Test HEAD with a valid endpoint group and project association.

test_check_endpoint_group_to_project_with_invalid_project_id()[source]¶

Test HEAD with an invalid endpoint group and project association.

test_check_invalid_endpoint_group()[source]¶

HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}.

Invalid endpoint_group_id test case.

test_create_endpoint_group()[source]¶

POST /OS-EP-FILTER/endpoint_groups.

Valid endpoint group test case.

test_create_invalid_endpoint_group()[source]¶

POST /OS-EP-FILTER/endpoint_groups.

Invalid endpoint group creation test case.

test_delete_endpoint_group()[source]¶

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.

Valid endpoint group test case.

test_delete_invalid_endpoint_group()[source]¶

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.

Invalid endpoint group test case.

test_empty_endpoint_groups_in_project()[source]¶

Test when no endpoint groups associated with the project.

test_endpoint_group_project_cleanup_with_endpoint_group()[source]¶

test_endpoint_group_project_cleanup_with_project()[source]¶

test_get_endpoint_group()[source]¶

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.

Valid endpoint group test case.

test_get_endpoint_group_in_project()[source]¶

Test retrieving project endpoint group association.

test_get_invalid_endpoint_group()[source]¶

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.

Invalid endpoint group test case.

test_get_invalid_endpoint_group_in_project()[source]¶

Test retrieving project endpoint group association.

test_list_endpoint_groups()[source]¶

GET & HEAD /OS-EP-FILTER/endpoint_groups.

test_list_endpoint_groups_in_invalid_project()[source]¶

Test retrieving from invalid project.

test_list_endpoint_groups_in_project()[source]¶

GET & HEAD /OS-EP-FILTER/projects/{project_id}/endpoint_groups.

test_list_endpoints_associated_with_endpoint_group()[source]¶

GET & HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group}/endpoints.

Valid endpoint group test case.

test_list_endpoints_associated_with_project_endpoint_group()[source]¶

GET & HEAD /OS-EP-FILTER/projects/{project_id}/endpoints.

Valid project, endpoint id, and endpoint group test case.

test_list_projects_associated_with_endpoint_group()[source]¶

GET & HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group}/projects.

Valid endpoint group test case.

test_patch_endpoint_group()[source]¶

PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.

Valid endpoint group patch test case.

test_patch_invalid_endpoint_group()[source]¶

PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.

Valid endpoint group patch test case.

test_patch_nonexistent_endpoint_group()[source]¶

PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.

Invalid endpoint group patch test case.

test_remove_endpoint_group_from_project_invalidates_cache(*args, **kwargs)[source]¶

test_remove_endpoint_group_with_project_association()[source]¶

test_removing_an_endpoint_group_project()[source]¶

class keystone.tests.unit.test_associate_project_endpoint_extension.JsonHomeTests(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase, keystone.tests.unit.test_v3.JsonHomeTestMixin

JSON_HOME_DATA = {‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/projects_associated_with_endpoint_group’: {‘href-template’: ‘/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects’, ‘href-vars’: {‘endpoint_group_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group’: {‘href-template’: ‘/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}’, ‘href-vars’: {‘endpoint_group_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups’: {‘href-template’: ‘/OS-EP-FILTER/projects/{project_id}/endpoint_groups’, ‘href-vars’: {‘project_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/project_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_to_project_association’: {‘href-template’: ‘/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}’, ‘href-vars’: {‘project_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/project_id’, ‘endpoint_group_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoints_in_endpoint_group’: {‘href-template’: ‘/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints’, ‘href-vars’: {‘endpoint_group_id’: ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects’: {‘href-template’: ‘/OS-EP-FILTER/endpoints/{endpoint_id}/projects’, ‘href-vars’: {‘endpoint_id’: ‘https://docs.openstack.org/api/openstack-identity/3/param/endpoint_id’}}, ‘https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups’: {‘href’: ‘/OS-EP-FILTER/endpoint_groups’}}¶

keystone.tests.unit.test_auth module¶

class keystone.tests.unit.test_auth.AuthBadRequests(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthTest

test_authenticate_blank_auth()[source]¶

Verify sending blank ‘auth’ raises the right exception.

test_authenticate_blank_request_body()[source]¶

Verify sending empty json dict raises the right exception.

test_authenticate_fails_if_project_unsafe()[source]¶

Verify authenticate to a project with unsafe name fails.

test_authenticate_invalid_auth_content()[source]¶

Verify sending invalid ‘auth’ raises the right exception.

test_authenticate_password_too_large()[source]¶

Verify sending large ‘password’ raises the right exception.

test_authenticate_tenant_id_too_large()[source]¶

Verify sending large ‘tenantId’ raises the right exception.

test_authenticate_tenant_name_too_large()[source]¶

Verify sending large ‘tenantName’ raises the right exception.

test_authenticate_token_too_large()[source]¶

Verify sending large ‘token’ raises the right exception.

test_authenticate_user_id_too_large()[source]¶

Verify sending large ‘userId’ raises the right exception.

test_authenticate_username_too_large()[source]¶

Verify sending large ‘username’ raises the right exception.

test_empty_remote_user()[source]¶

Verify exception is raised when REMOTE_USER is an empty string.

test_empty_username_and_userid_in_auth()[source]¶

Verify that empty username and userID raises ValidationError.

test_no_credentials_in_auth()[source]¶

Verify that the method generator raises exception if no creds.

test_no_external_auth()[source]¶

Verify that _authenticate_external() raises exception if N/A.

test_no_token_in_auth()[source]¶

Verify that authenticate raises exception if no token.

class keystone.tests.unit.test_auth.AuthCatalog(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.test_auth.AuthTest

Test for the catalog provided in the auth response.

config_files()[source]¶

test_auth_catalog_disabled_endpoint()[source]¶

On authenticate, get a catalog that excludes disabled endpoints.

test_validate_catalog_disabled_endpoint()[source]¶

On validate, get back a catalog that excludes disabled endpoints.

class keystone.tests.unit.test_auth.AuthTest(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.TestCase

assertEqualTokens(a, b, enforce_audit_ids=True)[source]¶

Assert that two tokens are equal.

Compare two tokens except for their ids. This also truncates the time in the comparison.

setUp()[source]¶

class keystone.tests.unit.test_auth.AuthWithPasswordCredentials(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthTest

test_auth_empty_password()[source]¶

Verify exception is raised if empty password.

test_auth_invalid_user()[source]¶

Verify exception is raised if invalid user.

test_auth_no_password()[source]¶

Verify exception is raised if empty password.

test_auth_valid_user_invalid_password()[source]¶

Verify exception is raised if invalid password.

test_authenticate_blank_password_credentials()[source]¶

Sending empty dict as passwordCredentials raises 400 Bad Requset.

test_authenticate_no_username()[source]¶

Verify skipping username raises the right exception.

test_bind_without_remote_user()[source]¶

test_change_default_domain_id()[source]¶

class keystone.tests.unit.test_auth.AuthWithRemoteUser[source]¶

Bases: object

test_bind_with_kerberos()[source]¶

test_bind_without_config_opt()[source]¶

test_scoped_nometa_remote_authn()[source]¶

Verify getting a token with external authn and no metadata.

test_scoped_remote_authn()[source]¶

Verify getting a token with external authn.

test_scoped_remote_authn_invalid_user()[source]¶

Verify that external auth with invalid user fails.

test_unscoped_remote_authn()[source]¶

Verify getting an unscoped token with external authn.

test_unscoped_remote_authn_jsonless()[source]¶

Verify that external auth with invalid request fails.

class keystone.tests.unit.test_auth.AuthWithToken[source]¶

Bases: object

test_auth_bad_formatted_token()[source]¶

Verify exception is raised if invalid token.

test_auth_invalid_token()[source]¶

Verify exception is raised if invalid token.

test_auth_scoped_token_bad_project_with_debug()[source]¶

Authenticating with an invalid project fails.

test_auth_scoped_token_bad_project_without_debug()[source]¶

Authenticating with an invalid project fails.

test_auth_token_project_group_role()[source]¶

Verify getting a token in a tenant with group roles.

test_auth_unscoped_token_no_project()[source]¶

Verify getting an unscoped token with an unscoped token.

test_auth_unscoped_token_project()[source]¶

Verify getting a token in a tenant with an unscoped token.

test_belongs_to()[source]¶

test_belongs_to_no_tenant()[source]¶

test_deleting_role_assignment_does_not_revoke_unscoped_token()[source]¶

test_deleting_role_revokes_token()[source]¶

test_only_original_audit_id_is_kept()[source]¶

test_revoke_by_audit_chain_id_chained_token()[source]¶

test_revoke_by_audit_chain_id_original_token()[source]¶

test_token_auth_with_binding()[source]¶

test_unscoped_token()[source]¶

Verify getting an unscoped token with password creds.

class keystone.tests.unit.test_auth.AuthWithTrust[source]¶

Bases: object

assert_token_count_for_trust(trust, expected_value)[source]¶

build_v2_token_request(username, password, trust, tenant_id=None)[source]¶

config_overrides()[source]¶

create_trust(trust_data, trustor_name, expires_at=None, impersonation=True)[source]¶

disable_user(user)[source]¶

fetch_v2_token_from_trust(trust)[source]¶

fetch_v3_token_from_trust(trust, trustee)[source]¶

get_unscoped_token(username, password=’foo2’)[source]¶

setUp()[source]¶

test_create_trust()[source]¶

test_create_trust_bad_data_fails()[source]¶

test_create_trust_expires_bad()[source]¶

test_create_trust_expires_older_than_now()[source]¶

test_create_trust_impersonation()[source]¶

test_create_trust_no_impersonation()[source]¶

test_create_trust_no_roles()[source]¶

test_create_trust_without_project_id()[source]¶

Verify that trust can be created without project id.

Also, token can be generated with that trust.

test_create_v3_token_from_trust()[source]¶

test_delete_tokens_for_user_invalidates_tokens_from_trust()[source]¶

test_delete_trust_revokes_token()[source]¶

test_do_not_consume_remaining_uses_when_get_token_fails()[source]¶

test_expired_trust_get_token_fails()[source]¶

test_get_trust()[source]¶

test_token_from_trust()[source]¶

test_token_from_trust_cant_get_another_token()[source]¶

test_token_from_trust_with_no_role_fails()[source]¶

test_token_from_trust_with_wrong_role_fails()[source]¶

test_token_from_trust_wrong_project_fails()[source]¶

test_token_from_trust_wrong_user_fails()[source]¶

test_trust_get_token_fails_if_trustee_disabled()[source]¶

test_trust_get_token_fails_if_trustor_disabled()[source]¶

test_trust_get_token_fails_with_future_token_if_trustee_disabled()[source]¶

Test disabling trustee and using an unrevoked token.

This test simulates what happens when a token is generated after the disable event. Technically this should not happen, but it’s possible in a multinode deployment with only a slight clock skew.

test_v3_trust_token_get_token_fails()[source]¶

test_validate_trust_scoped_token_against_v2()[source]¶

test_validate_v3_trust_scoped_token_against_v2_succeeds()[source]¶

class keystone.tests.unit.test_auth.FernetAuthWithRemoteUser(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthWithRemoteUser, keystone.tests.unit.test_auth.AuthTest

config_overrides()[source]¶

test_bind_with_kerberos()[source]¶

class keystone.tests.unit.test_auth.FernetAuthWithToken(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthWithToken, keystone.tests.unit.test_auth.AuthTest

config_overrides()[source]¶

test_deleting_role_revokes_token()[source]¶

test_token_auth_with_binding()[source]¶

class keystone.tests.unit.test_auth.FernetAuthWithTrust(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthWithTrust, keystone.tests.unit.test_auth.AuthTest

config_overrides()[source]¶

test_delete_tokens_for_user_invalidates_tokens_from_trust()[source]¶

test_delete_trust_revokes_token()[source]¶

test_trust_get_token_fails_with_future_token_if_trustee_disabled()[source]¶

Test disabling trustee and using an unrevoked token.

This test simulates what happens when a Fernet token is generated after the disable event. Technically this should not happen, but it’s possible in a multinode deployment with only a slight clock skew.

class keystone.tests.unit.test_auth.NonDefaultAuthTest(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.TestCase

test_add_non_default_auth_method()[source]¶

class keystone.tests.unit.test_auth.TokenExpirationTest(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthTest

test_maintain_uuid_token_expiration()[source]¶

class keystone.tests.unit.test_auth.UUIDAuthWithRemoteUser(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthWithRemoteUser, keystone.tests.unit.test_auth.AuthTest

config_overrides()[source]¶

class keystone.tests.unit.test_auth.UUIDAuthWithToken(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthWithToken, keystone.tests.unit.test_auth.AuthTest

config_overrides()[source]¶

class keystone.tests.unit.test_auth.UUIDAuthWithTrust(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth.AuthWithTrust, keystone.tests.unit.test_auth.AuthTest

config_overrides()[source]¶

setUp()[source]¶

keystone.tests.unit.test_auth_plugin module¶

class keystone.tests.unit.test_auth_plugin.SimpleChallengeResponse[source]¶

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(context, auth_payload)[source]¶

class keystone.tests.unit.test_auth_plugin.TestAuthPlugin(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

setUp()[source]¶

test_addition_auth_steps()[source]¶

test_duplicate_method()[source]¶

test_unsupported_auth_method()[source]¶

class keystone.tests.unit.test_auth_plugin.TestAuthPluginDynamicOptions(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_auth_plugin.TestAuthPlugin

config_files()[source]¶

config_overrides()[source]¶

class keystone.tests.unit.test_auth_plugin.TestMapped(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.TestCase

config_files()[source]¶

setUp()[source]¶

test_mapped_with_remote_user()[source]¶

test_supporting_multiple_methods()[source]¶

keystone.tests.unit.test_backend_endpoint_policy module¶

class keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests[source]¶

Bases: object

load_sample_data()[source]¶

Create sample data to test policy associations.

The following data is created:

• 3 regions, in a hierarchy, 0 -> 1 -> 2 (where 0 is top)
• 3 services
• 6 endpoints, 2 in each region, with a mixture of services: 0 - region 0, Service 0 1 - region 0, Service 1 2 - region 1, Service 1 3 - region 1, Service 2 4 - region 2, Service 2 5 - region 2, Service 0

test_delete_association_by_entity()[source]¶

test_invalid_policy_to_endpoint_association()[source]¶

test_overwriting_policy_to_endpoint_association()[source]¶

test_policy_to_endpoint_association_crud()[source]¶

test_policy_to_explicit_endpoint_association()[source]¶

test_policy_to_region_and_service_association()[source]¶

test_policy_to_service_association()[source]¶

keystone.tests.unit.test_backend_endpoint_policy_sql module¶

class keystone.tests.unit.test_backend_endpoint_policy_sql.SqlPolicyAssociationTable(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlModels

Set of tests for checking SQL Policy Association Mapping.

test_policy_association_mapping()[source]¶

class keystone.tests.unit.test_backend_endpoint_policy_sql.SqlPolicyAssociationTests(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests

load_fixtures(fixtures)[source]¶

keystone.tests.unit.test_backend_federation_sql module¶

class keystone.tests.unit.test_backend_federation_sql.SqlFederation(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlModels

Set of tests for checking SQL Federation.

test_federated_protocol()[source]¶

test_identity_provider()[source]¶

test_idp_remote_ids()[source]¶

test_mapping()[source]¶

test_service_provider()[source]¶

keystone.tests.unit.test_backend_id_mapping_sql module¶

class keystone.tests.unit.test_backend_id_mapping_sql.SqlIDMapping(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests

clean_sample_data()[source]¶

load_sample_data()[source]¶

setUp()[source]¶

test_cache_when_id_mapping_crud(*args, **kwargs)[source]¶

test_create_duplicate_mapping()[source]¶

test_delete_public_id_is_silent()[source]¶

test_get_domain_mapping_list()[source]¶

test_id_mapping_crud()[source]¶

test_id_mapping_handles_unicode()[source]¶

test_invalid_public_key()[source]¶

test_invalidate_cache_when_purge_mappings(*args, **kwargs)[source]¶

test_purge_mappings()[source]¶

class keystone.tests.unit.test_backend_id_mapping_sql.SqlIDMappingTable(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlModels

Set of tests for checking SQL Identity ID Mapping.

test_id_mapping()[source]¶

keystone.tests.unit.test_backend_ldap module¶

class keystone.tests.unit.test_backend_ldap.AssignmentTests[source]¶

Bases: keystone.tests.unit.assignment.test_backends.AssignmentTests

test_del_role_assignment_by_domain_not_found()[source]¶

test_delete_group_grant_no_group()[source]¶

test_delete_group_removes_role_assignments()[source]¶

test_delete_role_with_user_and_group_grants()[source]¶

test_delete_user_grant_no_user()[source]¶

test_delete_user_with_project_association()[source]¶

test_delete_user_with_project_roles()[source]¶

test_get_and_remove_correct_role_grant_from_a_mix()[source]¶

test_get_and_remove_role_grant_by_group_and_cross_domain()[source]¶

test_get_and_remove_role_grant_by_user_and_cross_domain()[source]¶

test_get_and_remove_role_grant_by_user_and_domain()[source]¶

test_get_role_assignment_by_domain_not_found()[source]¶

test_get_roles_for_groups_on_domain()[source]¶

test_get_roles_for_groups_on_project()[source]¶

test_get_roles_for_user_and_domain()[source]¶

test_list_domains_for_groups()[source]¶

test_list_projects_for_groups()[source]¶

test_list_role_assignment_containing_names()[source]¶

test_multi_group_grants_on_project_domain()[source]¶

test_multi_role_grant_by_user_group_on_project_domain()[source]¶

test_role_grant_by_group_and_cross_domain_project()[source]¶

test_role_grant_by_user_and_cross_domain_project()[source]¶

class keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity[source]¶

Bases: keystone.tests.unit.test_backend_ldap.LDAPTestSetup, keystone.tests.unit.test_backend_ldap.IdentityTests, keystone.tests.unit.test_backend_ldap.AssignmentTests, keystone.tests.unit.test_backend_ldap.ResourceTests

config_files()[source]¶

config_overrides()[source]¶

get_config(domain_id)[source]¶

get_user_enabled_vals(user)[source]¶

new_user_ref(domain_id, project_id=None, **kwargs)[source]¶

test_add_user_group_deprecated(*args, **keywargs)[source]¶

test_authenticate_requires_simple_bind()[source]¶

test_build_tree()[source]¶

Regression test for building the tree names.

test_cache_layer_get_user(*args, **kwargs)[source]¶

test_cache_layer_get_user_by_name(*args, **kwargs)[source]¶

test_cache_layer_group_crud(*args, **kwargs)[source]¶

test_configurable_allowed_user_actions()[source]¶

test_create_project_with_domain_id_and_without_parent_id()[source]¶

Multiple domains are not supported.

test_create_project_with_domain_id_mismatch_to_parent_domain()[source]¶

Multiple domains are not supported.

test_create_user_none_mapping()[source]¶

test_get_and_remove_role_grant_by_group_and_domain()[source]¶

test_get_and_remove_role_grant_by_group_and_project()[source]¶

test_group_crud(*args, **keywargs)[source]¶

test_group_enabled_ignored_disable_error()[source]¶

test_list_domains()[source]¶

test_list_group_members_when_no_members()[source]¶

test_list_groups_by_name_and_with_filter()[source]¶

test_list_projects_for_user()[source]¶

test_list_projects_for_user_and_groups()[source]¶

test_list_projects_for_user_with_grants()[source]¶

test_list_role_assignment_by_domain()[source]¶

Multiple domain assignments are not supported.

test_list_role_assignment_by_user_with_domain_group_roles()[source]¶

Multiple domain assignments are not supported.

test_list_role_assignment_using_sourced_groups_with_domains()[source]¶

Multiple domain assignments are not supported.

test_list_role_assignments_unfiltered()[source]¶

test_list_users_by_name_and_with_filter()[source]¶

test_remove_foreign_assignments_when_deleting_a_domain()[source]¶

Multiple domains are not supported.

test_remove_role_grant_from_user_and_project()[source]¶

test_unignored_user_none_mapping()[source]¶

test_update_user_name()[source]¶

A user’s name cannot be changed through the LDAP driver.

test_user_crud(*args, **keywargs)[source]¶

test_user_enabled_ignored_disable_error()[source]¶

test_user_filter()[source]¶

test_user_id_comma()[source]¶

Even if the user has a , in their ID, groups can be listed.

test_user_id_comma_grants()[source]¶

List user and group grants, even with a comma in the user’s ID.

class keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity[source]¶

Bases: object

Mixin class with support methods for domain-specific config testing.

check_user(user, domain_id, expected_status)[source]¶

Check user is in correct backend.

As part of the tests, we want to force ourselves to manually select the driver for a given domain, to make sure the entity ended up in the correct backend.

create_users_across_domains()[source]¶

Create a set of users, each with a role on their own domain.

setup_initial_domains()[source]¶

test_authenticate_to_each_domain()[source]¶

Test that a user in each domain can authenticate.

class keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase, keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity

Class to test when all domains use specific configs, including SQL.

We define a set of domains and domain-specific backends:

• A separate LDAP backend for the default domain
• A separate SQL backend for domain1

Although the default driver still exists, we don’t use it.

DOMAIN_COUNT = 2¶

DOMAIN_SPECIFIC_COUNT = 2¶

assert_backends()[source]¶

config_overrides()[source]¶

get_config(domain_id)[source]¶

load_fixtures(fixtures)[source]¶

setUp()[source]¶

test_create_project_with_domain_id_and_without_parent_id()[source]¶

test_create_project_with_domain_id_mismatch_to_parent_domain()[source]¶

test_delete_domain()[source]¶

test_delete_domain_with_project_api()[source]¶

test_domain_segregation()[source]¶

Test that separate configs have segregated the domain.

Test Plan:

• Users were created in each domain as part of setup, now make sure you can only find a given user in its relevant domain/backend
• Make sure that for a backend that supports multiple domains you can get the users via any of its domains

test_get_domain_mapping_list_is_used()[source]¶

test_group_enabled_ignored_disable_error()[source]¶

test_list_domains()[source]¶

test_list_domains_filtered_and_limited()[source]¶

test_list_role_assignments_filtered_by_role()[source]¶

test_list_users()[source]¶

test_user_enabled_ignored_disable_error()[source]¶

test_user_id_comma()[source]¶

class keystone.tests.unit.test_backend_ldap.DomainSpecificSQLIdentity(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity

Class to test simplest use of domain-specific SQL driver.

The simplest use of an SQL domain-specific backend is when it is used to augment the standard case when LDAP is the default driver defined in the main config file. This would allow, for example, service users to be stored in SQL while LDAP handles the rest. Hence we define:

• The default driver uses the LDAP backend for the default domain
• A separate SQL backend for domain1

DOMAIN_COUNT = 2¶

DOMAIN_SPECIFIC_COUNT = 1¶

assert_backends()[source]¶

config_overrides()[source]¶

get_config(domain_id)[source]¶

test_default_sql_plus_sql_specific_driver_fails()[source]¶

test_multiple_sql_specific_drivers_fails()[source]¶

class keystone.tests.unit.test_backend_ldap.IdentityTests[source]¶

Bases: keystone.tests.unit.identity.test_backends.IdentityTests

test_arbitrary_attributes_are_returned_from_get_user()[source]¶

test_create_duplicate_group_name_in_different_domains()[source]¶

test_create_duplicate_user_name_in_different_domains()[source]¶

test_delete_group_with_user_project_domain_links()[source]¶

test_delete_user_returns_not_found()[source]¶

test_delete_user_with_group_project_domain_links()[source]¶

test_move_group_between_domains()[source]¶

test_move_user_between_domains()[source]¶

test_new_arbitrary_attributes_are_returned_from_update_user()[source]¶

test_remove_user_from_group()[source]¶

test_remove_user_from_group_returns_not_found()[source]¶

test_updated_arbitrary_attributes_are_returned_from_update_user()[source]¶

class keystone.tests.unit.test_backend_ldap.LDAPIdentity(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.TestCase

assert_backends()[source]¶

test_base_ldap_connection_deref_option()[source]¶

test_cache_layer_project_crud(*args, **kwargs)[source]¶

test_chase_referrals_off(*args, **keywargs)[source]¶

test_chase_referrals_on(*args, **keywargs)[source]¶

test_configurable_allowed_project_actions()[source]¶

test_create_domain()[source]¶

test_create_domain_case_sensitivity(*args, **kwargs)[source]¶

test_debug_level_set(*args, **keywargs)[source]¶

test_domain_rename_invalidates_get_domain_by_name_cache()[source]¶

test_get_default_domain_by_name()[source]¶

test_get_id_from_dn_for_multivalued_attribute_id(*args, **keywargs)[source]¶

test_id_attribute_not_found(*args, **keywargs)[source]¶

test_list_domains()[source]¶

test_list_groups_for_user_no_dn()[source]¶

test_list_groups_no_dn()[source]¶

test_list_users_no_dn()[source]¶

test_multi_role_grant_by_user_group_on_project_domain()[source]¶

test_parse_extra_attribute_mapping()[source]¶

test_project_crud()[source]¶

test_project_rename_invalidates_get_project_by_name_cache()[source]¶

test_update_is_domain_field()[source]¶

test_user_api_get_connection_no_user_password(*args, **keywargs)[source]¶

Bind anonymously when the user and password are blank.

test_user_description_attribute_mapping()[source]¶

test_user_enable_attribute_mask()[source]¶

test_user_enabled_attribute_handles_expired(*args, **keywargs)[source]¶

test_user_enabled_attribute_handles_utf8(*args, **keywargs)[source]¶

test_user_enabled_invert()[source]¶

test_user_enabled_invert_default_str_value(*args, **keywargs)[source]¶

test_user_extra_attribute_mapping()[source]¶

test_user_extra_attribute_mapping_description_is_returned()[source]¶

test_user_id_attribute_in_create()[source]¶

test_user_id_attribute_map()[source]¶

test_user_id_not_in_dn(*args, **keywargs)[source]¶

test_user_mixed_case_attribute(*args, **keywargs)[source]¶

test_user_name_in_dn(*args, **keywargs)[source]¶

test_user_with_missing_id()[source]¶

class keystone.tests.unit.test_backend_ldap.LDAPIdentityEnabledEmulation(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.LDAPIdentity

config_files()[source]¶

config_overrides()[source]¶

load_fixtures(fixtures)[source]¶

setUp()[source]¶

test_escape_member_dn()[source]¶

test_project_crud()[source]¶

test_user_auth_emulated()[source]¶

test_user_enable_attribute_mask()[source]¶

test_user_enabled_attribute_handles_utf8(*args, **keywargs)[source]¶

test_user_enabled_invert()[source]¶

test_user_enabled_invert_default_str_value()[source]¶

test_user_enabled_use_group_config()[source]¶

class keystone.tests.unit.test_backend_ldap.LDAPLimitTests(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.TestCase, keystone.tests.unit.identity.test_backends.LimitTests

config_files()[source]¶

config_overrides()[source]¶

setUp()[source]¶

class keystone.tests.unit.test_backend_ldap.LDAPMatchingRuleInChainTests(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.LDAPTestSetup, keystone.tests.unit.core.TestCase

assert_backends()[source]¶

config_files()[source]¶

config_overrides()[source]¶

setUp()[source]¶

test_get_group()[source]¶

test_list_groups()[source]¶

test_list_groups_for_user()[source]¶

test_list_user_groups()[source]¶

class keystone.tests.unit.test_backend_ldap.LDAPPosixGroupsTest(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.LDAPTestSetup, keystone.tests.unit.core.TestCase

assert_backends()[source]¶

config_files()[source]¶

config_overrides()[source]¶

test_posix_member_id()[source]¶

class keystone.tests.unit.test_backend_ldap.LDAPTestSetup[source]¶

Bases: object

Common setup for LDAP tests.

setUp()[source]¶

class keystone.tests.unit.test_backend_ldap.LdapFilterTests(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.identity.test_backends.FilterTests, keystone.tests.unit.test_backend_ldap.LDAPTestSetup, keystone.tests.unit.core.TestCase

assert_backends()[source]¶

config_files()[source]¶

config_overrides()[source]¶

test_list_users_in_group_exact_filtered()[source]¶

test_list_users_in_group_inexact_filtered()[source]¶

class keystone.tests.unit.test_backend_ldap.LdapIdentityWithMapping(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

Class to test mapping of default LDAP backend.

The default configuration is not to enable mapping when using a single backend LDAP driver. However, a cloud provider might want to enable the mapping, hence hiding the LDAP IDs from any clients of keystone. Setting backward_compatible_ids to False will enable this mapping.

assert_backends()[source]¶

config_files()[source]¶

config_overrides()[source]¶

setUp()[source]¶

test_dynamic_mapping_build()[source]¶

Test to ensure entities not create via controller are mapped.

Many LDAP backends will, essentially, by Read Only. In these cases the mapping is not built by creating objects, rather from enumerating the entries. We test this here my manually deleting the mapping and then trying to re-read the entries.

test_list_domains()[source]¶

class keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase, keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity

Class to test common SQL plus individual LDAP backends.

We define a set of domains and domain-specific backends:

• A separate LDAP backend for the default domain
• A separate LDAP backend for domain1
• domain2 shares the same LDAP as domain1, but uses a different tree attach point
• An SQL backend for all other domains (which will include domain3 and domain4)

Normally one would expect that the default domain would be handled as part of the “other domains” - however the above provides better test coverage since most of the existing backend tests use the default domain.

assert_backends()[source]¶

config_overrides()[source]¶

enable_multi_domain()[source]¶

Enable the chosen form of multi domain configuration support.

This method enables the file-based configuration support. Child classes that wish to use the database domain configuration support should override this method and set the appropriate config_fixture option.

get_config(domain_id)[source]¶

load_fixtures(fixtures)[source]¶

test_create_project_with_domain_id_and_without_parent_id()[source]¶

test_create_project_with_domain_id_mismatch_to_parent_domain()[source]¶

test_delete_domain_with_user_added()[source]¶

test_domain_segregation()[source]¶

Test that separate configs have segregated the domain.

Test Plan:

• Users were created in each domain as part of setup, now make sure you can only find a given user in its relevant domain/backend
• Make sure that for a backend that supports multiple domains you can get the users via any of its domains

test_existing_uuids_work()[source]¶

Test that ‘uni-domain’ created IDs still work.

Throwing the switch to domain-specific backends should not cause existing identities to be inaccessible via ID.

test_group_enabled_ignored_disable_error()[source]¶

test_list_limit_domain_specific_inheritance(*args, **keywargs)[source]¶

test_list_limit_domain_specific_override(*args, **keywargs)[source]¶

test_list_role_assignment_by_domain()[source]¶

test_list_role_assignment_by_user_with_domain_group_roles()[source]¶

test_list_role_assignment_using_sourced_groups_with_domains()[source]¶

test_list_role_assignments_filtered_by_role()[source]¶

test_list_users()[source]¶

test_remove_foreign_assignments_when_deleting_a_domain()[source]¶

test_scanning_of_config_dir()[source]¶

Test the Manager class scans the config directory.

The setup for the main tests above load the domain configs directly so that the test overrides can be included. This test just makes sure that the standard config directory scanning does pick up the relevant domain config files.

test_user_enabled_ignored_disable_error()[source]¶

class keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentityDomainConfigsInSQL(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity

Class to test the use of domain configs stored in the database.

Repeat the same tests as MultiLDAPandSQLIdentity, but instead of using the domain specific config files, store the domain specific values in the database.

assert_backends()[source]¶

enable_multi_domain()[source]¶

test_delete_domain_clears_sql_registration()[source]¶

Ensure registration is deleted when a domain is deleted.

test_domain_config_has_no_impact_if_database_support_disabled()[source]¶

Ensure database domain configs have no effect if disabled.

Set reading from database configs to false, restart the backends and then try and set and use database configs.

test_orphaned_registration_does_not_prevent_getting_sql_driver()[source]¶

Ensure we self heal an orphaned sql registration.

test_reloading_domain_config()[source]¶

Ensure domain drivers are reloaded on a config modification.

test_same_domain_gets_sql_driver()[source]¶

Ensure we can set an SQL driver if we have had it before.

test_setting_multiple_sql_driver_raises_exception()[source]¶

Ensure setting multiple domain specific sql drivers is prevented.

class keystone.tests.unit.test_backend_ldap.ResourceTests[source]¶

Bases: keystone.tests.unit.resource.test_backends.ResourceTests

test_cache_layer_domain_crud()[source]¶

test_cannot_enable_cascade_with_parent_disabled()[source]¶

test_check_hierarchy_depth()[source]¶

test_check_leaf_projects()[source]¶

test_create_domain_under_regular_project_hierarchy_fails()[source]¶

test_create_duplicate_project_name_in_different_domains()[source]¶

test_create_project_passing_is_domain_flag_true()[source]¶

test_create_project_under_disabled_one()[source]¶

test_create_project_with_invalid_parent()[source]¶

test_create_project_with_parent_id_and_without_domain_id()[source]¶

test_delete_hierarchical_leaf_project()[source]¶

test_delete_hierarchical_not_leaf_project()[source]¶

test_disable_hierarchical_leaf_project()[source]¶

test_disable_hierarchical_not_leaf_project()[source]¶

test_domain_crud()[source]¶

test_domain_delete_hierarchy()[source]¶

test_enable_project_with_disabled_parent()[source]¶

test_hierarchical_projects_crud()[source]¶

test_list_project_parents()[source]¶

test_list_projects_for_alternate_domain()[source]¶

test_list_projects_in_subtree()[source]¶

test_list_projects_in_subtree_with_circular_reference()[source]¶

test_move_project_between_domains()[source]¶

test_move_project_between_domains_with_clashing_names_fails()[source]¶

test_update_project_enabled_cascade()[source]¶

test_update_project_parent()[source]¶

keystone.tests.unit.test_backend_ldap_pool module¶

class keystone.tests.unit.test_backend_ldap_pool.LDAPIdentity(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin, keystone.tests.unit.test_backend_ldap.LDAPIdentity, keystone.tests.unit.core.TestCase

Executes tests in existing base class with pooled LDAP handler.

config_files()[source]¶

setUp()[source]¶

test_utf8_encoded_is_used_in_pool(*args, **keywargs)[source]¶

class keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin[source]¶

Bases: object

LDAP pool specific common tests used here and in live tests.

cleanup_pools()[source]¶

test_handler_with_end_user_auth_use_pool_not_enabled(*args, **keywargs)[source]¶

test_handler_with_use_pool_enabled()[source]¶

test_handler_with_use_pool_not_enabled(*args, **keywargs)[source]¶

test_max_connection_error_raised()[source]¶

test_password_change_with_pool()[source]¶

test_pool_connection_lifetime_set()[source]¶

test_pool_retry_delay_set()[source]¶

test_pool_retry_max_set()[source]¶

test_pool_size_expands_correctly()[source]¶

test_pool_size_set()[source]¶

test_pool_timeout_set()[source]¶

test_pool_use_pool_set()[source]¶

test_pool_use_tls_set()[source]¶

keystone.tests.unit.test_backend_rules module¶

class keystone.tests.unit.test_backend_rules.RulesPolicy(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.TestCase, keystone.tests.unit.policy.test_backends.PolicyTests

config_overrides()[source]¶

setUp()[source]¶

test_create()[source]¶

test_delete()[source]¶

test_delete_policy_returns_not_found()[source]¶

test_get()[source]¶

test_get_policy_returns_not_found()[source]¶

test_list()[source]¶

test_update()[source]¶

test_update_policy_returns_not_found()[source]¶

keystone.tests.unit.test_backend_sql module¶

class keystone.tests.unit.test_backend_sql.FakeTable(*args, **kwargs)[source]¶

Bases: sqlalchemy.ext.declarative.api.Base

col¶

insert(*args, **kwargs)[source]¶

lookup(*args, **kwargs)[source]¶

update(*args, **kwargs)[source]¶

class keystone.tests.unit.test_backend_sql.SqlCatalog(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.catalog.test_backends.CatalogTests

test_catalog_ignored_malformed_urls()[source]¶

test_create_endpoint_region_returns_not_found()[source]¶

test_create_region_invalid_id()[source]¶

test_create_region_invalid_parent_id()[source]¶

test_delete_region_with_endpoint()[source]¶

test_get_catalog_with_empty_public_url()[source]¶

test_v3_catalog_domain_scoped_token()[source]¶

test_v3_catalog_endpoint_filter_disabled()[source]¶

test_v3_catalog_endpoint_filter_enabled()[source]¶

class keystone.tests.unit.test_backend_sql.SqlCredential(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests

setUp()[source]¶

test_create_credential_is_encrypted_when_stored()[source]¶

test_list_credentials()[source]¶

test_list_credentials_for_user()[source]¶

test_list_credentials_for_user_and_type()[source]¶

test_list_credentials_is_decrypted()[source]¶

class keystone.tests.unit.test_backend_sql.SqlDecorators(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.core.TestCase

test_conflict_happend()[source]¶

test_initialization()[source]¶

test_initialization_fail()[source]¶

test_not_conflict_error()[source]¶

class keystone.tests.unit.test_backend_sql.SqlFilterTests(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.identity.test_backends.FilterTests

clean_up_entities()[source]¶

Clean up entity test data from Filter Test Cases.

test_filter_sql_injection_attack()[source]¶

Test against sql injection attack on filters.

Test Plan: - Attempt to get all entities back by passing a two-term attribute - Attempt to piggyback filter to damage DB (e.g. drop table)

test_list_entities_filtered_by_domain()[source]¶

class keystone.tests.unit.test_backend_sql.SqlIdentity(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.identity.test_backends.IdentityTests, keystone.tests.unit.assignment.test_backends.AssignmentTests, keystone.tests.unit.resource.test_backends.ResourceTests

test_create_null_user_name()[source]¶

test_create_project_case_sensitivity()[source]¶

test_create_user_case_sensitivity()[source]¶

test_create_user_with_null_password()[source]¶

test_delete_project_with_user_association()[source]¶

test_delete_user_with_project_association()[source]¶

test_hidden_project_domain_root_is_really_hidden()[source]¶

Ensure we cannot access the hidden root of all project domains.

Calling any of the driver methods should result in the same as would be returned if we passed a project that does not exist. We don’t test create_project, since we do not allow a caller of our API to specify their own ID for a new entity.

test_list_domains_for_user()[source]¶

test_list_domains_for_user_with_grants()[source]¶

test_list_domains_for_user_with_inherited_grants()[source]¶

Test that inherited roles on the domain are excluded.

Test Plan:

• Create two domains, one user, group and role
• Domain1 is given an inherited user role, Domain2 an inherited group role (for a group of which the user is a member)
• When listing domains for user, neither domain should be returned

test_list_groups_for_user()[source]¶

test_list_users_call_count()[source]¶

There should not be O(N) queries.

test_password_hashed()[source]¶

test_sql_user_to_dict_null_default_project_id()[source]¶

test_storing_null_domain_id_in_project_ref()[source]¶

Test the special storage of domain_id=None in sql resource driver.

The resource driver uses a special value in place of None for domain_id in the project record. This shouldn’t escape the driver. Hence we test the interface to ensure that you can store a domain_id of None, and that any special value used inside the driver does not escape through the interface.

test_update_project_returns_extra()[source]¶

Test for backward compatibility with an essex/folsom bug.

Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.

This behavior is specific to the SQL driver.

test_update_user_returns_extra()[source]¶

Test for backwards-compatibility with an essex/folsom bug.

Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.

This behavior is specific to the SQL driver.

test_update_user_with_null_password()[source]¶

class keystone.tests.unit.test_backend_sql.SqlImpliedRoles(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.assignment.test_backends.ImpliedRoleTests

class keystone.tests.unit.test_backend_sql.SqlInheritance(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.assignment.test_backends.InheritanceTests

class keystone.tests.unit.test_backend_sql.SqlLimitTests(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.identity.test_backends.LimitTests

setUp()[source]¶

class keystone.tests.unit.test_backend_sql.SqlModels(*args, **kwargs)[source]¶

Bases: keystone.tests.unit.test_backend_sql.SqlTests

assertExpectedSchema(table, expected_schema)[source]¶

Assert that a table’s schema is what we expect.

Parameters:	table (string) – the name of the table to inspect expected_schema (tuple) – a tuple of tuples containing the expected schema
Raises:	AssertionError – when the database schema doesn’t match the expected schema

The expected_schema format is simply:

(
    ('column name', sql type, qualifying detail),
    ...
)

The qualifying detail varies based on the type of the column:

- sql.Boolean columns must indicate the column's default value or
  None if there is no default
- Columns with a length, like sql.String, must indicate the
  column's length
- All other column types should use None

Example:

cols = (('id', sql.String, 64),
        ('enabled', sql.Boolean, True),
        ('extra', sql.JsonBlob, None))
self.assertExpectedSchema('table_name', cols)

select_table(name)[source]¶

test_federated_user_model()[source]¶

test_group_model()[source]¶

test_local_user_model()[source]¶

test_nonlocal_user_model()[source]¶

test_password_model()[source]¶

test_project_model()[source]¶

test_revocation_event_model()[source]¶

test_role_assignment_model()[source]¶

test_user_group_membership()[source]¶

test_user_model()[source]¶