author | Zuul <zuul@review.opendev.org> | 2020-02-12 05:47:01 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2020-02-12 05:47:02 +0000 |
commit | b3cbf60c3c764bd9e0cf6168156e5de71c081449 (patch) | |
tree | 7a074bc81b6ef456c2208acb489ed43b8e29faa6 /keystone/tests/unit/test_cli.py | |
parent | 37aee24a01f6dcb636b06facd718ef7b628576cb (diff) | |
parent | da28046944aaa5b6068d2cc8f14e72ef1de6c012 (diff) | |
download | keystone-b3cbf60c3c764bd9e0cf6168156e5de71c081449.tar.gz |
Merge "Default to bootstrapping roles as immutable"
Diffstat (limited to 'keystone/tests/unit/test_cli.py')
-rw-r--r-- | keystone/tests/unit/test_cli.py | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index 14b42ed56..272f8183c 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@@ -223,9 +223,9 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
 self.bootstrap.reader_role_id)
 member_role = PROVIDERS.role_api.get_role(
 self.bootstrap.member_role_id)
- self.assertEqual(admin_role['options'], {})
- self.assertEqual(member_role['options'], {})
- self.assertEqual(reader_role['options'], {})
+ self.assertEqual(admin_role['options'], {'immutable': True})
+ self.assertEqual(member_role['options'], {'immutable': True})
+ self.assertEqual(reader_role['options'], {'immutable': True})

 def test_bootstrap_is_not_idempotent_when_password_does_change(self):
 # NOTE(lbragstad): Ensure bootstrap isn't idempotent when run with
@@ -299,7 +299,7 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
 user_id,
 self.bootstrap.password)

- def test_bootstrap_with_immutable_roles(self):
+ def test_bootstrap_with_explicit_immutable_roles(self):
 CONF(args=['bootstrap',
 '--bootstrap-password', uuid.uuid4().hex,
 '--immutable-roles'],
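Review bot: The three rewritten assertions in the first hunk pass the observed value first, as in `self.assertEqual(admin_role['options'], {'immutable': True})`. If `unit.TestCase` follows the testtools convention of `assertEqual(expected, observed)`, a failure here would label the two values the wrong way round. Since these lines are being touched anyway, consider `self.assertEqual({'immutable': True}, admin_role['options'])` for all three roles. The enclosing test method starts outside the hunk.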
@@ -314,6 +314,35 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
 self.assertTrue(member_role['options']['immutable'])
 self.assertTrue(reader_role['options']['immutable'])

+ def test_bootstrap_with_default_immutable_roles(self):
+ CONF(args=['bootstrap',
+ '--bootstrap-password', uuid.uuid4().hex],
+ project='keystone')
+ self._do_test_bootstrap(self.bootstrap)
+ admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
+ reader_role = PROVIDERS.role_api.get_role(
+ self.bootstrap.reader_role_id)
+ member_role = PROVIDERS.role_api.get_role(
+ self.bootstrap.member_role_id)
+ self.assertTrue(admin_role['options']['immutable'])
+ self.assertTrue(member_role['options']['immutable'])
+ self.assertTrue(reader_role['options']['immutable'])
+
+ def test_bootstrap_with_no_immutable_roles(self):
+ CONF(args=['bootstrap',
+ '--bootstrap-password', uuid.uuid4().hex,
+ '--no-immutable-roles'],
+ project='keystone')
+ self._do_test_bootstrap(self.bootstrap)
+ admin_role = PROVIDERS.role_api.get_role(self.bootstrap.role_id)
+ reader_role = PROVIDERS.role_api.get_role(
+ self.bootstrap.reader_role_id)
+ member_role = PROVIDERS.role_api.get_role(
+ self.bootstrap.member_role_id)
+ self.assertNotIn('immutable', admin_role['options'])
+ self.assertNotIn('immutable', member_role['options'])
+ self.assertNotIn('immutable', reader_role['options'])
+
 def test_bootstrap_with_ambiguous_role_names(self):
 # bootstrap system to create the default admin role
 self._do_test_bootstrap(self.bootstrap)
 |
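Review bot: Neither `test_bootstrap_with_default_immutable_roles` nor `test_bootstrap_with_no_immutable_roles` exercises bootstrap against roles that already exist; each appears to call `_do_test_bootstrap` once on a fresh setup. Because the default is changing, a re-run of bootstrap after an upgrade is the case most likely to surprise operators: it is not visible here whether existing mutable roles become immutable, or whether `--no-immutable-roles` clears an option that is already set. A further test that bootstraps with `--no-immutable-roles`, bootstraps again with no flag, and asserts the resulting `options` on all three roles would pin that behaviour down. The role-lookup block is now repeated in three tests and could move into a small private helper.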