authorJenkins <jenkins@review.openstack.org>2015-11-26 01:23:10 +0000
committerGerrit Code Review <review@openstack.org>2015-11-26 01:23:10 +0000
commit461642dec44b62b212741de038cf97e1f47a5c89 (patch)
treef4e0b97ca2098f3c9341c8783bdd5887261ddd3f
parent708b5996fb88957d45d044a89b8ba185ca45833f (diff)
parent10613470f6b44bc4e1fd10b8b5629c4e0044b1fb (diff)
downloadkeystone-461642dec44b62b212741de038cf97e1f47a5c89.tar.gz
Merge "Show that unscoped tokens are revoked when deleting role assignments" into stable/kilo
-rw-r--r--keystone/tests/unit/test_auth.py38
1 files changed, 38 insertions, 0 deletions
diff --git a/keystone/tests/unit/test_auth.py b/keystone/tests/unit/test_auth.py
index 295e028d4..e66310442 100644
--- a/keystone/tests/unit/test_auth.py
+++ b/keystone/tests/unit/test_auth.py
@@ -413,6 +413,44 @@ class AuthWithToken(AuthTest):
dict(is_admin=True, query_string={}),
token_id=token_id)
+ def test_deleting_role_assignment_does_not_revoke_unscoped_token(self):
+ no_context = {}
+ admin_context = dict(is_admin=True, query_string={})
+
+ project = {
+ 'id': uuid.uuid4().hex,
+ 'name': uuid.uuid4().hex,
+ 'domain_id': DEFAULT_DOMAIN_ID}
+ self.resource_api.create_project(project['id'], project)
+ role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.role_api.create_role(role['id'], role)
+ self.assignment_api.add_role_to_user_and_project(
+ self.user_foo['id'], project['id'], role['id'])
+
+ # Get an unscoped token.
+ token = self.controller.authenticate(no_context, _build_user_auth(
+ username=self.user_foo['name'],
+ password=self.user_foo['password']))
+ token_id = token['access']['token']['id']
+
+ # Ensure it is valid
+ self.controller.validate_token(admin_context, token_id=token_id)
+
+ # Delete the role assignment, which should not invalidate the token,
+ # because we're not consuming it with just an unscoped token.
+ self.assignment_api.remove_role_from_user_and_project(
+ self.user_foo['id'], project['id'], role['id'])
+
+ # Ensure it is still valid
+ # FIXME(dolph): Due to bug 1488208, the unscoped token is actually
+ # invalid. The assertRaises() should be removed and the token should
+ # validate without error.
+ self.assertRaises(
+ exception.TokenNotFound,
+ self.controller.validate_token,
+ admin_context,
+ token_id=token_id)
+
def test_only_original_audit_id_is_kept(self):
context = {}
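Review bot: The name `test_deleting_role_assignment_does_not_revoke_unscoped_token` says the opposite of what the final `assertRaises(exception.TokenNotFound, ...)` checks, so a green run pins the over-revocation from bug 1488208 and a reader only learns that from the FIXME just above the assertion. A docstring directly under the `def` would make this visible in test listings, for example `"""Known bug 1488208: removing the role assignment currently revokes the unscoped token too."""`. Once the bug is fixed the risk flips to under-revocation, and nothing in this hunk checks that a token scoped to `project['id']`, issued before `remove_role_from_user_and_project`, is rejected afterwards. If no other test in this file covers that (not visible from the hunk), a companion assertion here would stop the fix from loosening revocation for scoped tokens. The comment "because we're not consuming it with just an unscoped token" would also read more clearly as `# An unscoped token carries no role on the project, so removing the assignment should not invalidate it.`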