# Copyright 2013 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import time
import testtools
from tempest.api.identity import base
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
CONF = config.CONF
[docs]
class UsersV3TestJSON(base.BaseIdentityV3AdminTest):
"""Test keystone users"""
@classmethod
def skip_checks(cls):
super(UsersV3TestJSON, cls).skip_checks()
if CONF.identity_feature_enabled.immutable_user_source:
raise cls.skipException('Skipped because environment has an '
'immutable user source and solely '
'provides read-only access to users.')
[docs]
@decorators.idempotent_id('b537d090-afb9-4519-b95d-270b0708e87e')
def test_user_update(self):
"""Test case to check if updating of user attributes is successful"""
prefix = CONF.resource_name_prefix
# Creating first user
u_name = data_utils.rand_name(name='user', prefix=prefix)
u_desc = u_name + 'description'
u_email = u_name + '@testmail.tm'
u_password = data_utils.rand_password()
user = self.users_client.create_user(
name=u_name, description=u_desc, password=u_password,
email=u_email, enabled=False)['user']
# Delete the User at the end of this method
self.addCleanup(self.users_client.delete_user, user['id'])
# Creating second project for updation
project = self.setup_test_project()
# Updating user details with new values
update_kwargs = {'name': data_utils.rand_name('user2', prefix=prefix),
'description': data_utils.rand_name('desc2'),
'project_id': project['id'],
'email': 'user2@testmail.tm',
'enabled': False}
updated_user = self.users_client.update_user(
user['id'], **update_kwargs)['user']
for field in update_kwargs:
self.assertEqual(update_kwargs[field], updated_user[field])
# GET by id after updating
new_user_get = self.users_client.show_user(user['id'])['user']
# Assert response body of GET after updation
for field in update_kwargs:
self.assertEqual(update_kwargs[field], new_user_get[field])
[docs]
@decorators.idempotent_id('2d223a0e-e457-4a70-9fb1-febe027a0ff9')
def test_update_user_password(self):
"""Test updating user password"""
# Creating User to check password updation
u_name = data_utils.rand_name(
name='user', prefix=CONF.resource_name_prefix)
original_password = data_utils.rand_password()
user = self.users_client.create_user(
name=u_name, password=original_password)['user']
# Delete the User at the end all test methods
self.addCleanup(self.users_client.delete_user, user['id'])
# Update user with new password
new_password = data_utils.rand_password()
self.users_client.update_user_password(
user['id'], password=new_password,
original_password=original_password)
# NOTE(morganfainberg): Fernet tokens are not subsecond aware and
# Keystone should only be precise to the second. Sleep to ensure
# we are passing the second boundary.
time.sleep(1)
resp = self.token.auth(user_id=user['id'],
password=new_password).response
subject_token = resp['x-subject-token']
# Perform GET Token to verify and confirm password is updated
token_details = self.client.show_token(subject_token)['token']
self.assertEqual(token_details['user']['id'], user['id'])
self.assertEqual(token_details['user']['name'], u_name)
[docs]
@decorators.idempotent_id('a831e70c-e35b-430b-92ed-81ebbc5437b8')
def test_list_user_projects(self):
"""Test listing the projects that a user has access upon"""
assigned_project_ids = list()
fetched_project_ids = list()
u_project = self.setup_test_project()
# Create a user.
u_name = data_utils.rand_name(
name='user', prefix=CONF.resource_name_prefix)
u_desc = u_name + 'description'
u_email = u_name + '@testmail.tm'
u_password = data_utils.rand_password()
user_body = self.users_client.create_user(
name=u_name, description=u_desc, password=u_password,
email=u_email, enabled=False, project_id=u_project['id'])['user']
# Delete the User at the end of this method
self.addCleanup(self.users_client.delete_user, user_body['id'])
# Creating Role
role_body = self.setup_test_role()
user = self.users_client.show_user(user_body['id'])['user']
role = self.roles_client.show_role(role_body['id'])['role']
for _ in range(2):
# Creating project so as to assign role
project_body = self.setup_test_project()
project = self.projects_client.show_project(
project_body['id'])['project']
# Assigning roles to user on project
self.roles_client.create_user_role_on_project(project['id'],
user['id'],
role['id'])
assigned_project_ids.append(project['id'])
body = self.users_client.list_user_projects(user['id'])['projects']
for i in body:
fetched_project_ids.append(i['id'])
# verifying the project ids in list
missing_projects =\
[p for p in assigned_project_ids
if p not in fetched_project_ids]
self.assertEmpty(missing_projects,
"Failed to find project %s in fetched list" %
', '.join(m_project for m_project
in missing_projects))
[docs]
@decorators.idempotent_id('c10dcd90-461d-4b16-8e23-4eb836c00644')
def test_get_user(self):
"""Test getting a user detail"""
user = self.setup_test_user()
fetched_user = self.users_client.show_user(user['id'])['user']
self.assertEqual(user['id'], fetched_user['id'])
[docs]
@testtools.skipUnless(CONF.identity_feature_enabled.security_compliance,
'Security compliance not available.')
@decorators.idempotent_id('568cd46c-ee6c-4ab4-a33a-d3791931979e')
def test_password_history_not_enforced_in_admin_reset(self):
"""Test setting same password when password history is not enforced"""
old_password = self.os_primary.credentials.password
user_id = self.os_primary.credentials.user_id
new_password = data_utils.rand_password()
self.users_client.update_user(user_id, password=new_password)
# To be safe, we add this cleanup to restore the original password in
# case something goes wrong before it is restored later.
self.addCleanup(
self.users_client.update_user, user_id, password=old_password)
# Check authorization with new password
self.token.auth(user_id=user_id, password=new_password)
if CONF.identity.user_unique_last_password_count > 1:
# The password history is not enforced via the admin reset route.
# We can set the same password.
self.users_client.update_user(user_id, password=new_password)
# Restore original password
self.users_client.update_user(user_id, password=old_password)
# Check authorization with old password
self.token.auth(user_id=user_id, password=old_password)