Fix tests comparing tokens2014.1.3

There were tests that verified that the PKI token body could be
encrypted with CMS and compared to the token ID in the response.
This test isn't safe because the token body may be different than
the token encrypted with CMS since the order of items in the dict
can change.

The fix is to change the test to decode the PKI token ID and
compare that to the response body JSON instead.

Conflicts:
	keystone/tests/test_v3_auth.py

Change-Id: Icc649b96071ff084d5c76f2ea2bcf3ecb08a0351

1 files changed, 10 insertions, 4 deletions

diff --git a/keystone/tests/test_v3_auth.py b/keystone/tests/test_v3_auth.py
index a7e372ff4..531212dae 100644
--- a/keystone/tests/test_v3_auth.py
+++ b/keystone/tests/test_v3_auth.py
@@ -128,6 +128,9 @@ class TokenAPITests(object):
     def test_default_fixture_scope_token(self):
         self.assertIsNotNone(self.get_scoped_token())
 
+    def verify_token(self, *args, **kwargs):
+        return cms.verify_token(*args, **kwargs)
+
     def test_v3_token_id(self):
         auth_data = self.build_authentication_request(
             user_id=self.user['id'],
@@ -137,10 +140,13 @@ class TokenAPITests(object):
         token_id = resp.headers.get('X-Subject-Token')
         self.assertIn('expires_at', token_data['token'])
 
-        expected_token_id = cms.cms_sign_token(json.dumps(token_data),
-                                               CONF.signing.certfile,
-                                               CONF.signing.keyfile)
-        self.assertEqual(expected_token_id, token_id)
+        decoded_token = self.verify_token(token_id, CONF.signing.certfile,
+                                          CONF.signing.ca_certs)
+        decoded_token_dict = json.loads(decoded_token)
+
+        token_resp_dict = json.loads(resp.body)
+
+        self.assertEqual(decoded_token_dict, token_resp_dict)
         # should be able to validate hash PKI token as well
         hash_token_id = cms.cms_hash_token(token_id)
         headers = {'X-Subject-Token': hash_token_id}