authormorgan fainberg <morgan.fainberg@gmail.com>2018-09-18 10:54:59 -0700
committerMorgan Fainberg <morgan.fainberg@gmail.com>2018-10-09 23:23:03 -0700
commitd97832e8e826e37171b727072c720a9b589998dd (patch)
treec0da33ed74c8518561731fbd00cbe38790d9d747 /keystone/tests
parent8e33c782320ae1014f9b69b484b5b6c3cf0593f6 (diff)
Convert auth to flask native dispatching
Convert the /auth paths to flask native dispatching. A minor change to additional_urls was implemented to ensure all urls are added at once instead of individually (causing an overwrite issue within flask as a single resource may only have a single set of URL mappings). Alternate URLs now support adding alternate JSON Home rel links. This is to support the case of OS-FEDERATION auth routes moving to /auth. The old JSON Home entries must exist but reference the new paths. This port includes the following test changes (needed due to the way flask handles requests and the way requests are passed through the auth system): * Implemented keystone.common.render_token (module) containing render_token_response_from_model and use it instead of keystone.common.controller.render_token_response_from_model. Minor differences occur in render_token_response_from_model in the keystone.common.render_token module, this is simply for referencing data from flask instead of the request object. * Test cases have been modified to no longer rely on the auth controller(s) directly * Test cases now use "make_request" as a context manager since authenticate/authenticate_for_token directly reference the flask contexts and must have an explicit context pushed. * Test cases no longer pass request objects into methods such as authenticate/authenticate_for_token or similar methods on the auth plugins * Test cases for federation reference the token model now where possible instead of the rendered token response. Rendered token responses are generated where needed. * Auth Plugin Configuration is done in test core as well. This is because Auth controller does not exist. NOTE: This is a massive change, but most of these changes were now easily uncoupled because of how far reaching auth is. Change-Id: I636928102875760726cc3493775a2be48e774fd7 Partial-Bug: #1776504
Diffstat (limited to 'keystone/tests')
-rw-r--r--keystone/tests/unit/application_credential/test_backends.py6
-rw-r--r--keystone/tests/unit/common/test_notifications.py83
-rw-r--r--keystone/tests/unit/contrib/federation/test_utils.py44
-rw-r--r--keystone/tests/unit/core.py20
-rw-r--r--keystone/tests/unit/identity/shadow_users/test_backend.py16
-rw-r--r--keystone/tests/unit/identity/test_backend_sql.py414
-rw-r--r--keystone/tests/unit/identity/test_backends.py86
-rw-r--r--keystone/tests/unit/server/test_keystone_flask.py19
-rw-r--r--keystone/tests/unit/test_auth_plugin.py52
-rw-r--r--keystone/tests/unit/test_backend_ldap.py26
-rw-r--r--keystone/tests/unit/test_backend_ldap_pool.py26
-rw-r--r--keystone/tests/unit/test_cli.py16
-rw-r--r--keystone/tests/unit/test_ldap_pool_livetest.py13
-rw-r--r--keystone/tests/unit/test_v3.py13
-rw-r--r--keystone/tests/unit/test_v3_federation.py438
15 files changed, 647 insertions, 625 deletions
diff --git a/keystone/tests/unit/application_credential/test_backends.py b/keystone/tests/unit/application_credential/test_backends.py
index f25dde888..a798a9c14 100644
--- a/keystone/tests/unit/application_credential/test_backends.py
+++ b/keystone/tests/unit/application_credential/test_backends.py
@@ -257,13 +257,11 @@ class ApplicationCredentialTests(object):
app_cred = self._new_app_cred_data(self.user_foo['id'],
project_id=self.tenant_bar['id'])
resp = self.app_cred_api.create_application_credential(app_cred)
- self.app_cred_api.authenticate(
- self.make_request(), resp['id'], resp['secret'])
+ self.app_cred_api.authenticate(resp['id'], resp['secret'])
def test_authenticate_not_found(self):
self.assertRaises(AssertionError,
self.app_cred_api.authenticate,
- self.make_request(),
uuid.uuid4().hex,
uuid.uuid4().hex)
@@ -275,7 +273,6 @@ class ApplicationCredentialTests(object):
resp = self.app_cred_api.create_application_credential(app_cred)
self.assertRaises(AssertionError,
self.app_cred_api.authenticate,
- self.make_request(),
resp['id'],
resp['secret'])
@@ -287,6 +284,5 @@ class ApplicationCredentialTests(object):
self.assertNotEqual(badpass, resp['secret'])
self.assertRaises(AssertionError,
self.app_cred_api.authenticate,
- self.make_request(),
resp['id'],
badpass)
diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
index 490874083..355679ae5 100644
--- a/keystone/tests/unit/common/test_notifications.py
+++ b/keystone/tests/unit/common/test_notifications.py
@@ -745,25 +745,26 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_ref['id'], password
- )
+ with self.make_request():
+ PROVIDERS.identity_api.authenticate(user_ref['id'], password)
freezer.stop()
reason_type = (exception.PasswordExpired.message_format %
{'user_id': user_ref['id']})
expected_reason = {'reasonCode': '401',
'reasonType': reason_type}
- self.assertRaises(exception.PasswordExpired,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user_ref['id'],
- password=password)
+ with self.make_request():
+ self.assertRaises(exception.PasswordExpired,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user_ref['id'],
+ password=password)
self._assert_last_audit(None, 'authenticate', None,
cadftaxonomy.ACCOUNT_USER,
reason=expected_reason)
def test_locked_out_user_sends_notification(self):
+ # TODO(morgan): skip this test until users is ported to flask.
+ self.skipTest('Users are not handled via flask.')
password = uuid.uuid4().hex
new_password = uuid.uuid4().hex
expected_responses = [AssertionError, AssertionError, AssertionError,
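Review bot: The `self.skipTest('Users are not handled via flask.')` added at the top of `test_locked_out_user_sends_notification` disables the check, visible here, that a locked-out account emits the CADF audit notification, and the TODO names no tracked item under which it will be re-enabled. Tie the skip to the bug this commit references, e.g. `self.skipTest('Users are not handled via flask; re-enable under bug #1776504.')`. The next hunk (@@ -776,12 +777,12 @@) still converts the body of this test to `with self.make_request():`, and that conversion cannot be exercised while the skip is in place. The test body continues outside this hunk.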
@@ -776,12 +777,12 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
expected_reason = {'reasonCode': '401',
'reasonType': reason_type}
for ex in expected_responses:
- self.assertRaises(ex,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=user_ref['id'],
- original_password=new_password,
- new_password=new_password)
+ with self.make_request():
+ self.assertRaises(ex,
+ PROVIDERS.identity_api.change_password,
+ user_id=user_ref['id'],
+ original_password=new_password,
+ new_password=new_password)
self._assert_last_audit(None, 'authenticate', None,
cadftaxonomy.ACCOUNT_USER,
@@ -801,16 +802,17 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
- PROVIDERS.identity_api.change_password(
- self.make_request(), user_id=user_ref['id'],
- original_password=password, new_password=new_password
- )
- self.assertRaises(exception.PasswordValidationError,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=user_ref['id'],
- original_password=new_password,
- new_password=password)
+ with self.make_request():
+ PROVIDERS.identity_api.change_password(
+ user_id=user_ref['id'],
+ original_password=password, new_password=new_password
+ )
+ with self.make_request():
+ self.assertRaises(exception.PasswordValidationError,
+ PROVIDERS.identity_api.change_password,
+ user_id=user_ref['id'],
+ original_password=new_password,
+ new_password=password)
self._assert_last_audit(user_ref['id'], UPDATED_OPERATION, 'user',
cadftaxonomy.SECURITY_ACCOUNT_USER,
@@ -828,12 +830,12 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
user_ref = unit.new_user_ref(domain_id=self.domain_id,
password=password)
user_ref = PROVIDERS.identity_api.create_user(user_ref)
- self.assertRaises(exception.PasswordValidationError,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=user_ref['id'],
- original_password=password,
- new_password=invalid_password)
+ with self.make_request():
+ self.assertRaises(exception.PasswordValidationError,
+ PROVIDERS.identity_api.change_password,
+ user_id=user_ref['id'],
+ original_password=password,
+ new_password=invalid_password)
self._assert_last_audit(user_ref['id'], UPDATED_OPERATION, 'user',
cadftaxonomy.SECURITY_ACCOUNT_USER,
@@ -858,16 +860,17 @@ class CADFNotificationsForPCIDSSEvents(BaseNotificationTest):
{'min_age_days': min_days, 'days_left': days_left})
expected_reason = {'reasonCode': '400',
'reasonType': reason_type}
- PROVIDERS.identity_api.change_password(
- self.make_request(), user_id=user_ref['id'],
- original_password=password, new_password=new_password
- )
- self.assertRaises(exception.PasswordValidationError,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=user_ref['id'],
- original_password=new_password,
- new_password=next_password)
+ with self.make_request():
+ PROVIDERS.identity_api.change_password(
+ user_id=user_ref['id'],
+ original_password=password, new_password=new_password
+ )
+ with self.make_request():
+ self.assertRaises(exception.PasswordValidationError,
+ PROVIDERS.identity_api.change_password,
+ user_id=user_ref['id'],
+ original_password=new_password,
+ new_password=next_password)
self._assert_last_audit(user_ref['id'], UPDATED_OPERATION, 'user',
cadftaxonomy.SECURITY_ACCOUNT_USER,
diff --git a/keystone/tests/unit/contrib/federation/test_utils.py b/keystone/tests/unit/contrib/federation/test_utils.py
index 5b9b3ed31..4f59e9df6 100644
--- a/keystone/tests/unit/contrib/federation/test_utils.py
+++ b/keystone/tests/unit/contrib/federation/test_utils.py
@@ -10,11 +10,11 @@
# License for the specific language governing permissions and limitations
# under the License.
+import flask
import uuid
from oslo_config import fixture as config_fixture
from oslo_serialization import jsonutils
-import webob
from keystone.auth.plugins import mapped
import keystone.conf
@@ -31,6 +31,13 @@ FAKE_MAPPING_ID = uuid.uuid4().hex
class MappingRuleEngineTests(unit.BaseTestCase):
"""A class for testing the mapping rule engine."""
+ def setUp(self):
+ super(MappingRuleEngineTests, self).setUp()
+ # create dummy app so we can setup a request context for our
+ # tests.
+ self.flask_app = flask.Flask(__name__)
+ self.cleanup_instance('flask_app')
+
def assertValidMappedUserObject(self, mapped_properties,
user_type='ephemeral',
domain_id=None):
@@ -510,7 +517,7 @@ class MappingRuleEngineTests(unit.BaseTestCase):
self.assertValidMappedUserObject(mapped_properties)
self.assertEqual('jsmith', mapped_properties['user']['name'])
unique_id, display_name = mapped.get_user_unique_id_and_display_name(
- {}, mapped_properties)
+ mapped_properties)
self.assertEqual('jsmith', unique_id)
self.assertEqual('jsmith', display_name)
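Review bot: `mapped.get_user_unique_id_and_display_name(mapped_properties)` is called here with no request context pushed, while the hunks at @@ -549,15 +556,15 @@ and @@ -566,13 +573,14 @@ wrap the same call in `self.flask_app.test_request_context()`. The removed `{}` argument suggests the function now reads request data such as REMOTE_USER from flask itself; if so, this call only succeeds because the mapping supplies the user name before that lookup is reached (inferred, the function is not shown). Wrapping it the same way, `with self.flask_app.test_request_context():`, keeps the test independent of which branch runs. The same applies to the calls in the hunks at @@ -533,7 +540,7 @@ and @@ -607,8 +614,7 @@.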
@@ -533,7 +540,7 @@ class MappingRuleEngineTests(unit.BaseTestCase):
self.assertIsNotNone(mapped_properties)
self.assertValidMappedUserObject(mapped_properties)
unique_id, display_name = mapped.get_user_unique_id_and_display_name(
- {}, mapped_properties)
+ mapped_properties)
self.assertEqual('tbo', display_name)
self.assertEqual('abc123%40example.com', unique_id)
@@ -549,15 +556,15 @@ class MappingRuleEngineTests(unit.BaseTestCase):
as it was not explicitly specified in the mapping.
"""
- request = webob.Request.blank('/')
mapping = mapping_fixtures.MAPPING_USER_IDS
rp = mapping_utils.RuleProcessor(FAKE_MAPPING_ID, mapping['rules'])
assertion = mapping_fixtures.ADMIN_ASSERTION
mapped_properties = rp.process(assertion)
self.assertIsNotNone(mapped_properties)
self.assertValidMappedUserObject(mapped_properties)
- unique_id, display_name = mapped.get_user_unique_id_and_display_name(
- request, mapped_properties)
+ with self.flask_app.test_request_context():
+ unique_id, display_name = (
+ mapped.get_user_unique_id_and_display_name(mapped_properties))
self.assertEqual('bob', unique_id)
self.assertEqual('bob', display_name)
@@ -566,13 +573,14 @@ class MappingRuleEngineTests(unit.BaseTestCase):
mapping = mapping_fixtures.MAPPING_USER_IDS
assertion = mapping_fixtures.ADMIN_ASSERTION
FAKE_MAPPING_ID = uuid.uuid4().hex
- request = webob.Request.blank('/', remote_user='remote_user')
rp = mapping_utils.RuleProcessor(FAKE_MAPPING_ID, mapping['rules'])
mapped_properties = rp.process(assertion)
self.assertIsNotNone(mapped_properties)
self.assertValidMappedUserObject(mapped_properties)
- unique_id, display_name = mapped.get_user_unique_id_and_display_name(
- request, mapped_properties)
+ with self.flask_app.test_request_context(
+ environ_base={'REMOTE_USER': 'remote_user'}):
+ unique_id, display_name = (
+ mapped.get_user_unique_id_and_display_name(mapped_properties))
self.assertEqual('bob', unique_id)
self.assertEqual('remote_user', display_name)
@@ -597,7 +605,6 @@ class MappingRuleEngineTests(unit.BaseTestCase):
not to change it.
"""
- request = webob.Request.blank('/')
testcases = [(mapping_fixtures.CUSTOMER_ASSERTION, 'bwilliams'),
(mapping_fixtures.EMPLOYEE_ASSERTION, 'tbo')]
for assertion, exp_user_name in testcases:
@@ -607,8 +614,7 @@ class MappingRuleEngineTests(unit.BaseTestCase):
self.assertIsNotNone(mapped_properties)
self.assertValidMappedUserObject(mapped_properties)
unique_id, display_name = (
- mapped.get_user_unique_id_and_display_name(request,
- mapped_properties)
+ mapped.get_user_unique_id_and_display_name(mapped_properties)
)
self.assertEqual(exp_user_name, display_name)
self.assertEqual('abc123%40example.com', unique_id)
@@ -821,12 +827,14 @@ class TestUnicodeAssertionData(unit.BaseTestCase):
# pulled from the HTTP headers. These bytes may be decodable as
# ISO-8859-1 according to Section 3.2.4 of RFC 7230. Let's assume
# that our web server plugins are correctly encoding the data.
- request = webob.Request.blank(
- '/path',
- environ=mapping_fixtures.UNICODE_NAME_ASSERTION)
- data = mapping_utils.get_assertion_params_from_env(request)
- # NOTE(dstanek): keystone.auth.plugins.mapped
- return dict(data)
+ # Create a dummy application
+ app = flask.Flask(__name__)
+ with app.test_request_context(
+ path='/path',
+ environ_overrides=mapping_fixtures.UNICODE_NAME_ASSERTION):
+ data = mapping_utils.get_assertion_params_from_env()
+ # NOTE(dstanek): keystone.auth.plugins.mapped
+ return dict(data)
def test_unicode(self):
mapping = self._pull_mapping_rules_from_the_database()
diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py
index 67c6e1d7e..10ebf831f 100644
--- a/keystone/tests/unit/core.py
+++ b/keystone/tests/unit/core.py
@@ -15,6 +15,7 @@
from __future__ import absolute_import
import atexit
import base64
+import contextlib
import datetime
import functools
import hashlib
@@ -46,7 +47,6 @@ import keystone.api
from keystone.common import context
from keystone.common import json_home
from keystone.common import provider_api
-from keystone.common import request
from keystone.common import sql
import keystone.conf
from keystone import exception
@@ -684,19 +684,27 @@ class TestCase(BaseTestCase):
def _policy_fixture(self):
return ksfixtures.Policy(dirs.etc('policy.json'), self.config_fixture)
+ @contextlib.contextmanager
def make_request(self, path='/', **kwargs):
+ # standup a fake app and request context with a passed in/known
+ # environment.
+
is_admin = kwargs.pop('is_admin', False)
environ = kwargs.setdefault('environ', {})
+ query_string = kwargs.pop('query_string', None)
+ if query_string:
+ # Make sure query string is properly added to the context
+ path = '{path}?{qs}'.format(path=path, qs=query_string)
if not environ.get(context.REQUEST_CONTEXT_ENV):
environ[context.REQUEST_CONTEXT_ENV] = context.RequestContext(
is_admin=is_admin,
authenticated=kwargs.pop('authenticated', True))
- req = request.Request.blank(path=path, **kwargs)
- req.context_dict['is_admin'] = is_admin
-
- return req
+ # Create a dummy flask app to work with
+ app = flask.Flask(__name__)
+ with app.test_request_context(path=path, environ_overrides=environ):
+ yield
def config_overrides(self):
# NOTE(morganfainberg): enforce config_overrides can only ever be
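Review bot: `make_request` now silently discards every keyword argument other than `environ`, `is_admin`, `query_string` and `authenticated`: the removed body forwarded `**kwargs` to `request.Request.blank`, while the new one passes only `path` and `environ_overrides` to `test_request_context`. A test that still passes something like `headers=` gets a context without it and can pass for the wrong reason, and `authenticated` is ignored without notice whenever the caller supplies its own request context in `environ`. Reject leftover arguments explicitly, and consider passing `query_string` through `test_request_context(query_string=...)` rather than formatting it into `path`. A short docstring saying that this is a context manager which yields nothing would help too, since callers previously received a request object.

```python
def make_request(self, path='/', **kwargs):
    # … unchanged: is_admin / environ / query_string handling …
    authenticated = kwargs.pop('authenticated', True)
    if not environ.get(context.REQUEST_CONTEXT_ENV):
        environ[context.REQUEST_CONTEXT_ENV] = context.RequestContext(
            is_admin=is_admin,
            authenticated=authenticated)
    kwargs.pop('environ')
    if kwargs:
        raise TypeError(
            'make_request() got unsupported arguments: %s' % sorted(kwargs))
    # … unchanged: dummy flask app and test_request_context …
```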
@@ -779,6 +787,8 @@ class TestCase(BaseTestCase):
new=mocked_register_auth_plugin_opt))
self.config_overrides()
+ # explicitly load auth configuration
+ keystone.conf.auth.setup_authentication()
# NOTE(morganfainberg): ensure config_overrides has been called.
self.addCleanup(self._assert_config_overrides_called)
diff --git a/keystone/tests/unit/identity/shadow_users/test_backend.py b/keystone/tests/unit/identity/shadow_users/test_backend.py
index 487c1f749..ee89edf40 100644
--- a/keystone/tests/unit/identity/shadow_users/test_backend.py
+++ b/keystone/tests/unit/identity/shadow_users/test_backend.py
@@ -121,10 +121,10 @@ class ShadowUsersBackendTests(object):
now = datetime.datetime.utcnow().date()
password = uuid.uuid4().hex
user = self._create_user(password)
- user_auth = PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=user['id'],
- password=password)
+ with self.make_request():
+ user_auth = PROVIDERS.identity_api.authenticate(
+ user_id=user['id'],
+ password=password)
user_ref = self._get_user_ref(user_auth['id'])
self.assertGreaterEqual(now, user_ref.last_active_at)
@@ -133,10 +133,10 @@ class ShadowUsersBackendTests(object):
disable_user_account_days_inactive=None)
password = uuid.uuid4().hex
user = self._create_user(password)
- user_auth = PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=user['id'],
- password=password)
+ with self.make_request():
+ user_auth = PROVIDERS.identity_api.authenticate(
+ user_id=user['id'],
+ password=password)
user_ref = self._get_user_ref(user_auth['id'])
self.assertIsNone(user_ref.last_active_at)
diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
index 6e3152571..7c43cfe4e 100644
--- a/keystone/tests/unit/identity/test_backend_sql.py
+++ b/keystone/tests/unit/identity/test_backend_sql.py
@@ -272,21 +272,21 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
datetime.datetime.utcnow() -
datetime.timedelta(days=self.max_inactive_days + 1))
user = self._create_user(self.user_dict, last_active_at.date())
- self.assertRaises(exception.UserDisabled,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user['id'],
- password=self.password)
- # verify that the user is actually disabled
- user = PROVIDERS.identity_api.get_user(user['id'])
- self.assertFalse(user['enabled'])
- # set the user to enabled and authenticate
- user['enabled'] = True
- PROVIDERS.identity_api.update_user(user['id'], user)
- user = PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user['id'], password=self.password
- )
- self.assertTrue(user['enabled'])
+ with self.make_request():
+ self.assertRaises(exception.UserDisabled,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user['id'],
+ password=self.password)
+ # verify that the user is actually disabled
+ user = PROVIDERS.identity_api.get_user(user['id'])
+ self.assertFalse(user['enabled'])
+ # set the user to enabled and authenticate
+ user['enabled'] = True
+ PROVIDERS.identity_api.update_user(user['id'], user)
+ user = PROVIDERS.identity_api.authenticate(
+ user_id=user['id'], password=self.password
+ )
+ self.assertTrue(user['enabled'])
def test_authenticate_user_not_disabled_due_to_inactivity(self):
# create user and set last_active_at just below the max
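Review bot: Several independent authentication attempts now share one `with self.make_request():` block, where the removed code built a fresh request for each call; in this hunk the `UserDisabled` assertion, the `update_user` call and the follow-up `authenticate` all run inside the same context. If anything is cached on the flask request context (not visible here), the later calls no longer exercise a clean request, which matters most for the lockout and password-history assertions. One `with self.make_request():` per `authenticate`/`change_password` call, as the test_notifications.py hunks do, keeps each attempt isolated. The same pattern appears in the hunks at @@ -392,22 +393,21 @@, @@ -462,22 +462,23 @@, @@ -573,24 +575,23 @@ and @@ -601,90 +602,89 @@, where `_fail_auth_repeatedly` additionally pushes a nested context inside the outer one.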
@@ -294,9 +294,10 @@ class DisableInactiveUserTests(test_backend_sql.SqlTests):
datetime.datetime.utcnow() -
datetime.timedelta(days=self.max_inactive_days - 1)).date()
user = self._create_user(self.user_dict, last_active_at)
- user = PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user['id'], password=self.password
- )
+ with self.make_request():
+ user = PROVIDERS.identity_api.authenticate(
+ user_id=user['id'], password=self.password
+ )
self.assertTrue(user['enabled'])
def test_get_user_disabled_due_to_inactivity(self):
@@ -392,22 +393,21 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
password = uuid.uuid4().hex
user = self._create_user(password)
# Attempt to change to the same password
- self.assertRaises(exception.PasswordValidationError,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=user['id'],
- original_password=password,
- new_password=password)
- # Attempt to change to a unique password
- new_password = uuid.uuid4().hex
- self.assertValidChangePassword(user['id'], password, new_password)
- # Attempt to change back to the initial password
- self.assertRaises(exception.PasswordValidationError,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=user['id'],
- original_password=new_password,
- new_password=password)
+ with self.make_request():
+ self.assertRaises(exception.PasswordValidationError,
+ PROVIDERS.identity_api.change_password,
+ user_id=user['id'],
+ original_password=password,
+ new_password=password)
+ # Attempt to change to a unique password
+ new_password = uuid.uuid4().hex
+ self.assertValidChangePassword(user['id'], password, new_password)
+ # Attempt to change back to the initial password
+ self.assertRaises(exception.PasswordValidationError,
+ PROVIDERS.identity_api.change_password,
+ user_id=user['id'],
+ original_password=new_password,
+ new_password=password)
def test_validate_password_history_with_valid_password(self):
passwords = [uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex,
@@ -441,12 +441,12 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
# Self-service change password
self.assertValidChangePassword(user['id'], passwords[0], passwords[1])
# Attempt to update with a previous password
- self.assertRaises(exception.PasswordValidationError,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=user['id'],
- original_password=passwords[1],
- new_password=passwords[0])
+ with self.make_request():
+ self.assertRaises(exception.PasswordValidationError,
+ PROVIDERS.identity_api.change_password,
+ user_id=user['id'],
+ original_password=passwords[1],
+ new_password=passwords[0])
def test_disable_password_history_and_repeat_same_password(self):
self.config_fixture.config(group='security_compliance',
@@ -462,22 +462,23 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
user = self._create_user(passwords[0])
# Attempt to change password to a unique password
user['password'] = passwords[1]
- PROVIDERS.identity_api.update_user(user['id'], user)
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user['id'], password=passwords[1]
- )
- # Attempt to change password with the same password
- user['password'] = passwords[1]
- PROVIDERS.identity_api.update_user(user['id'], user)
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user['id'], password=passwords[1]
- )
- # Attempt to change password with the initial password
- user['password'] = passwords[0]
- PROVIDERS.identity_api.update_user(user['id'], user)
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user['id'], password=passwords[0]
- )
+ with self.make_request():
+ PROVIDERS.identity_api.update_user(user['id'], user)
+ PROVIDERS.identity_api.authenticate(
+ user_id=user['id'], password=passwords[1]
+ )
+ # Attempt to change password with the same password
+ user['password'] = passwords[1]
+ PROVIDERS.identity_api.update_user(user['id'], user)
+ PROVIDERS.identity_api.authenticate(
+ user_id=user['id'], password=passwords[1]
+ )
+ # Attempt to change password with the initial password
+ user['password'] = passwords[0]
+ PROVIDERS.identity_api.update_user(user['id'], user)
+ PROVIDERS.identity_api.authenticate(
+ user_id=user['id'], password=passwords[0]
+ )
def test_truncate_passwords(self):
user = self._create_user(uuid.uuid4().hex)
@@ -535,13 +536,14 @@ class PasswordHistoryValidationTests(test_backend_sql.SqlTests):
return PROVIDERS.identity_api.create_user(user)
def assertValidChangePassword(self, user_id, password, new_password):
- PROVIDERS.identity_api.change_password(
- self.make_request(), user_id=user_id, original_password=password,
- new_password=new_password
- )
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user_id, password=new_password
- )
+ with self.make_request():
+ PROVIDERS.identity_api.change_password(
+ user_id=user_id, original_password=password,
+ new_password=new_password
+ )
+ PROVIDERS.identity_api.authenticate(
+ user_id=user_id, password=new_password
+ )
def _add_passwords_to_history(self, user, n):
for _ in range(n):
@@ -573,24 +575,23 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
self.user = PROVIDERS.identity_api.create_user(user_dict)
def test_locking_out_user_after_max_failed_attempts(self):
- # authenticate with wrong password
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
- # authenticate with correct password
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=self.user['id'],
- password=self.password
- )
- # test locking out user after max failed attempts
- self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
+ with self.make_request():
+ # authenticate with wrong password
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+ # authenticate with correct password
+ PROVIDERS.identity_api.authenticate(
+ user_id=self.user['id'],
+ password=self.password
+ )
+ # test locking out user after max failed attempts
+ self._fail_auth_repeatedly(self.user['id'])
+ self.assertRaises(exception.AccountLocked,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
def test_lock_out_for_ignored_user(self):
# mark the user as exempt from failed password attempts
@@ -601,90 +602,89 @@ class LockingOutUserTests(test_backend_sql.SqlTests):
# fail authentication repeatedly the max number of times
self._fail_auth_repeatedly(self.user['id'])
# authenticate with wrong password, account should not be locked
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
- # authenticate with correct password, account should not be locked
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=self.user['id'],
- password=self.password
- )
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+ # authenticate with correct password, account should not be locked
+ PROVIDERS.identity_api.authenticate(
+ user_id=self.user['id'],
+ password=self.password
+ )
def test_set_enabled_unlocks_user(self):
- # lockout user
- self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
- # set enabled, user should be unlocked
- self.user['enabled'] = True
- PROVIDERS.identity_api.update_user(self.user['id'], self.user)
- user_ret = PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=self.user['id'],
- password=self.password
- )
- self.assertTrue(user_ret['enabled'])
-
- def test_lockout_duration(self):
- # freeze time
- with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time:
+ with self.make_request():
# lockout user
self._fail_auth_repeatedly(self.user['id'])
self.assertRaises(exception.AccountLocked,
PROVIDERS.identity_api.authenticate,
- self.make_request(),
user_id=self.user['id'],
password=uuid.uuid4().hex)
- # freeze time past the duration, user should be unlocked and failed
- # auth count should get reset
- frozen_time.tick(delta=datetime.timedelta(
- seconds=CONF.security_compliance.lockout_duration + 1))
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=self.user['id'],
+ # set enabled, user should be unlocked
+ self.user['enabled'] = True
+ PROVIDERS.identity_api.update_user(self.user['id'], self.user)
+ user_ret = PROVIDERS.identity_api.authenticate(
+ user_id=self.user['id'],
password=self.password
)
- # test failed auth count was reset by authenticating with the wrong
- # password, should raise an assertion error and not account locked
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
+ self.assertTrue(user_ret['enabled'])
+
+ def test_lockout_duration(self):
+ # freeze time
+ with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time:
+ with self.make_request():
+ # lockout user
+ self._fail_auth_repeatedly(self.user['id'])
+ self.assertRaises(exception.AccountLocked,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+ # freeze time past the duration, user should be unlocked and
+ # failed auth count should get reset
+ frozen_time.tick(delta=datetime.timedelta(
+ seconds=CONF.security_compliance.lockout_duration + 1))
+ PROVIDERS.identity_api.authenticate(
+ user_id=self.user['id'],
+ password=self.password
+ )
+ # test failed auth count was reset by authenticating with the
+ # wrong password, should raise an assertion error and not
+ # account locked
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
def test_lockout_duration_failed_auth_cnt_resets(self):
# freeze time
with freezegun.freeze_time(datetime.datetime.utcnow()) as frozen_time:
- # lockout user
- self._fail_auth_repeatedly(self.user['id'])
- self.assertRaises(exception.AccountLocked,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
- # freeze time past the duration, failed_auth_cnt should reset
- frozen_time.tick(delta=datetime.timedelta(
- seconds=CONF.security_compliance.lockout_duration + 1))
- # repeat failed auth the max times
- self._fail_auth_repeatedly(self.user['id'])
- # test user account is locked
- self.assertRaises(exception.AccountLocked,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user['id'],
- password=uuid.uuid4().hex)
+ with self.make_request():
+ # lockout user
+ self._fail_auth_repeatedly(self.user['id'])
+ self.assertRaises(exception.AccountLocked,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+ # freeze time past the duration, failed_auth_cnt should reset
+ frozen_time.tick(delta=datetime.timedelta(
+ seconds=CONF.security_compliance.lockout_duration + 1))
+ # repeat failed auth the max times
+ self._fail_auth_repeatedly(self.user['id'])
+ # test user account is locked
+ self.assertRaises(exception.AccountLocked,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
def _fail_auth_repeatedly(self, user_id):
wrong_password = uuid.uuid4().hex
for _ in range(CONF.security_compliance.lockout_failure_attempts):
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user_id,
- password=wrong_password)
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user_id,
+ password=wrong_password)
class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
@@ -705,11 +705,11 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
)
user = self._create_user(self.user_dict, password_created_at)
# test password is expired
- self.assertRaises(exception.PasswordExpired,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user['id'],
- password=self.password)
+ with self.make_request():
+ self.assertRaises(exception.PasswordExpired,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user['id'],
+ password=self.password)
def test_authenticate_with_non_expired_password(self):
# set password created_at so that the password will not expire
@@ -720,9 +720,10 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
)
user = self._create_user(self.user_dict, password_created_at)
# test password is not expired
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user['id'], password=self.password
- )
+ with self.make_request():
+ PROVIDERS.identity_api.authenticate(
+ user_id=user['id'], password=self.password
+ )
def test_authenticate_with_expired_password_for_ignore_user_option(self):
# set user to have the 'ignore_password_expiry' option set to False
@@ -735,22 +736,22 @@ class PasswordExpiresValidationTests(test_backend_sql.SqlTests):
days=CONF.security_compliance.password_expires_days + 1)
)
user = self._create_user(self.user_dict, password_created_at)
- self.assertRaises(exception.PasswordExpired,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user['id'],
- password=self.password)
-
- # update user to explicitly have the expiry option to True
- user['options'][
- iro.IGNORE_PASSWORD_EXPIRY_OPT.option_name] = True
- user = PROVIDERS.identity_api.update_user(
- user['id'], user
- )
- # test password is not expired due to ignore option
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user['id'], password=self.password
- )
+ with self.make_request():
+ self.assertRaises(exception.PasswordExpired,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user['id'],
+ password=self.password)
+
+ # update user to explicitly have the expiry option to True
+ user['options'][
+ iro.IGNORE_PASSWORD_EXPIRY_OPT.option_name] = True
+ user = PROVIDERS.identity_api.update_user(
+ user['id'], user
+ )
+ # test password is not expired due to ignore option
+ PROVIDERS.identity_api.authenticate(
+ user_id=user['id'], password=self.password
+ )
def _get_test_user_dict(self, password):
test_user_dict = {
@@ -790,12 +791,12 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
self.assertValidChangePassword(self.user['id'], self.initial_password,
new_password)
# user cannot change password before min age
- self.assertRaises(exception.PasswordAgeValidationError,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=self.user['id'],
- original_password=new_password,
- new_password=uuid.uuid4().hex)
+ with self.make_request():
+ self.assertRaises(exception.PasswordAgeValidationError,
+ PROVIDERS.identity_api.change_password,
+ user_id=self.user['id'],
+ original_password=new_password,
+ new_password=uuid.uuid4().hex)
def test_user_can_change_password_after_min_age(self):
# user can change password after create
@@ -818,12 +819,13 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
self.assertValidChangePassword(self.user['id'], self.initial_password,
new_password)
# user cannot change password before min age
- self.assertRaises(exception.PasswordAgeValidationError,
- PROVIDERS.identity_api.change_password,
- self.make_request(),
- user_id=self.user['id'],
- original_password=new_password,
- new_password=uuid.uuid4().hex)
+
+ with self.make_request():
+ self.assertRaises(exception.PasswordAgeValidationError,
+ PROVIDERS.identity_api.change_password,
+ user_id=self.user['id'],
+ original_password=new_password,
+ new_password=uuid.uuid4().hex)
# admin reset
new_password = uuid.uuid4().hex
self.user['password'] = new_password
@@ -833,13 +835,14 @@ class MinimumPasswordAgeTests(test_backend_sql.SqlTests):
uuid.uuid4().hex)
def assertValidChangePassword(self, user_id, password, new_password):
- PROVIDERS.identity_api.change_password(
- self.make_request(), user_id=user_id, original_password=password,
- new_password=new_password
- )
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user_id, password=new_password
- )
+ with self.make_request():
+ PROVIDERS.identity_api.change_password(
+ user_id=user_id, original_password=password,
+ new_password=new_password
+ )
+ PROVIDERS.identity_api.authenticate(
+ user_id=user_id, password=new_password
+ )
def _create_new_user(self, password):
user = {
@@ -881,16 +884,17 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
return PROVIDERS.identity_api.create_user(user_dict)
def assertPasswordIsExpired(self, user_id, password):
- self.assertRaises(exception.PasswordExpired,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user_id,
- password=password)
+ with self.make_request():
+ self.assertRaises(exception.PasswordExpired,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user_id,
+ password=password)
def assertPasswordIsNotExpired(self, user_id, password):
- PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user_id, password=password
- )
+ with self.make_request():
+ PROVIDERS.identity_api.authenticate(
+ user_id=user_id, password=password
+ )
def test_password_expired_after_create(self):
# create user, password expired
@@ -899,9 +903,10 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
self.assertPasswordIsExpired(user['id'], initial_password)
# change password (self-service), password not expired
new_password = uuid.uuid4().hex
- PROVIDERS.identity_api.change_password(
- self.make_request(), user['id'], initial_password, new_password
- )
+ with self.make_request():
+ PROVIDERS.identity_api.change_password(
+ user['id'], initial_password, new_password
+ )
self.assertPasswordIsNotExpired(user['id'], new_password)
def test_password_expired_after_reset(self):
@@ -920,9 +925,10 @@ class ChangePasswordRequiredAfterFirstUse(test_backend_sql.SqlTests):
self.assertPasswordIsExpired(user['id'], admin_password)
# change password (self-service), password not expired
new_password = uuid.uuid4().hex
- PROVIDERS.identity_api.change_password(
- self.make_request(), user['id'], admin_password, new_password
- )
+ with self.make_request():
+ PROVIDERS.identity_api.change_password(
+ user['id'], admin_password, new_password
+ )
self.assertPasswordIsNotExpired(user['id'], new_password)
def test_password_not_expired_when_feature_disabled(self):
diff --git a/keystone/tests/unit/identity/test_backends.py b/keystone/tests/unit/identity/test_backends.py
index b402fe138..64a95a1ff 100644
--- a/keystone/tests/unit/identity/test_backends.py
+++ b/keystone/tests/unit/identity/test_backends.py
@@ -43,25 +43,25 @@ class IdentityTests(object):
return domain_id
def test_authenticate_bad_user(self):
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=uuid.uuid4().hex,
- password=self.user_foo['password'])
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=uuid.uuid4().hex,
+ password=self.user_foo['password'])
def test_authenticate_bad_password(self):
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user_foo['id'],
- password=uuid.uuid4().hex)
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user_foo['id'],
+ password=uuid.uuid4().hex)
def test_authenticate(self):
- user_ref = PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=self.user_sna['id'],
- password=self.user_sna['password'])
- # NOTE(termie): the password field is left in user_sna to make
+ with self.make_request():
+ user_ref = PROVIDERS.identity_api.authenticate(
+ user_id=self.user_sna['id'],
+ password=self.user_sna['password'])
+ # NOTE(termie): the password field is left in user_sna to make
# it easier to authenticate in tests, but should
# not be returned by the api
self.user_sna.pop('password')
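Review bot: The `# NOTE(termie)` comment in `test_authenticate` appears to have had only its first line re-indented into the new `with self.make_request():` block, while its two continuation lines remain unchanged context at the old indentation, leaving one comment split across two indent levels. The note explains the `self.user_sna.pop('password')` that follows, not the `authenticate` call, so I would keep all three lines at the outer level directly above the `pop`. Indentation is not visible in this rendering; this is inferred from the first line appearing as a remove/add pair with identical text. The body of `test_authenticate` continues past the end of the hunk.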
@@ -83,10 +83,10 @@ class IdentityTests(object):
PROVIDERS.assignment_api.add_role_to_user_and_project(
new_user['id'], self.tenant_baz['id'], role_member['id']
)
- user_ref = PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=new_user['id'],
- password=user['password'])
+ with self.make_request():
+ user_ref = PROVIDERS.identity_api.authenticate(
+ user_id=new_user['id'],
+ password=user['password'])
self.assertNotIn('password', user_ref)
# NOTE(termie): the password field is left in user_sna to make
# it easier to authenticate in tests, but should
@@ -103,11 +103,11 @@ class IdentityTests(object):
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
PROVIDERS.identity_api.create_user(user)
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=id_,
- password='password')
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=id_,
+ password='password')
def test_create_unicode_user_name(self):
unicode_name = u'name \u540d\u5b57'
@@ -394,16 +394,15 @@ class IdentityTests(object):
PROVIDERS.identity_api.get_user(user['id'])
# Make sure the user is not allowed to login
# with a password that is empty string or None
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user['id'],
- password='')
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user['id'],
- password=None)
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user['id'],
+ password='')
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user['id'],
+ password=None)
def test_create_user_none_password(self):
user = unit.new_user_ref(password=None,
@@ -412,16 +411,15 @@ class IdentityTests(object):
PROVIDERS.identity_api.get_user(user['id'])
# Make sure the user is not allowed to login
# with a password that is empty string or None
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user['id'],
- password='')
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user['id'],
- password=None)
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user['id'],
+ password='')
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user['id'],
+ password=None)
def test_create_user_invalid_name_fails(self):
user = unit.new_user_ref(name=None,
diff --git a/keystone/tests/unit/server/test_keystone_flask.py b/keystone/tests/unit/server/test_keystone_flask.py
index a0deff326..69ea3343d 100644
--- a/keystone/tests/unit/server/test_keystone_flask.py
+++ b/keystone/tests/unit/server/test_keystone_flask.py
@@ -15,6 +15,7 @@ import uuid
import fixtures
import flask
import flask_restful
+import functools
from oslo_policy import policy
from oslo_serialization import jsonutils
from testtools import matchers
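Review bot: `import functools` is a standard-library import but is added inside the third-party group, between `flask_restful` and `oslo_policy`. The hunk header shows `import uuid` just above, which looks like the stdlib group, so `functools` should sit there instead. This keeps the stdlib / third-party / project grouping that the rest of the header appears to follow.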
@@ -402,11 +403,19 @@ class TestKeystoneFlaskCommon(rest.RestfulTestCase):
expected_status_code=420)
def test_construct_resource_map(self):
+ resource_name = 'arguments'
param_relation = json_home.build_v3_parameter_relation(
'argument_id')
+ alt_rel_func = functools.partial(
+ json_home.build_v3_extension_resource_relation,
+ extension_name='extension', extension_version='1.0')
url = '/v3/arguments/<string:argument_id>'
- old_url = ['/v3/old_arguments/<string:argument_id>']
- resource_name = 'arguments'
+ old_url = [dict(
+ url='/v3/old_arguments/<string:argument_id>',
+ json_home=flask_common.construct_json_home_data(
+ rel='arguments',
+ resource_relation_func=alt_rel_func)
+ )]
mapping = flask_common.construct_resource_map(
resource=_TestResourceWithCollectionInfo,
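Review bot: `rel='arguments'` in the new `old_url` entry repeats the literal that `resource_name` already holds. Since `resource_name` is now defined at the top of `test_construct_resource_map`, write `rel=resource_name` so the alternate entry and the primary mapping cannot drift apart. The test body continues outside this hunk.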
@@ -420,13 +429,17 @@ class TestKeystoneFlaskCommon(rest.RestfulTestCase):
self.assertEqual(_TestResourceWithCollectionInfo,
mapping.resource)
self.assertEqual(url, mapping.url)
- self.assertEqual(old_url, mapping.alternate_urls)
self.assertEqual(json_home.build_v3_resource_relation(resource_name),
mapping.json_home_data.rel)
self.assertEqual(json_home.Status.EXPERIMENTAL,
mapping.json_home_data.status)
self.assertEqual({'argument_id': param_relation},
mapping.json_home_data.path_vars)
+ # Check the alternate URL data is populated sanely
+ self.assertEqual(1, len(mapping.alternate_urls))
+ alt_url_data = mapping.alternate_urls[0]
+ self.assertEqual(old_url[0]['url'], alt_url_data['url'])
+ self.assertEqual(old_url[0]['json_home'], alt_url_data['json_home'])
def test_instantiate_and_register_to_app(self):
# Test that automatic instantiation and registration to app works.
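Review bot: The new alternate-URL assertions only prove pass-through, because `alt_url_data['json_home']` is compared with the same object the test handed to `construct_resource_map`. Nothing checks that the alternate JSON Home rel was actually built with the extension relation function, which is the behaviour this commit adds. Assuming `construct_json_home_data` applies `resource_relation_func` to `rel`, an assertion such as `self.assertEqual(alt_rel_func(resource_name=resource_name), alt_url_data['json_home'].rel)` would pin that down. It would also help to assert that this rel differs from `mapping.json_home_data.rel`.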
diff --git a/keystone/tests/unit/test_auth_plugin.py b/keystone/tests/unit/test_auth_plugin.py
index 42ae4cc5d..f3598ba5d 100644
--- a/keystone/tests/unit/test_auth_plugin.py
+++ b/keystone/tests/unit/test_auth_plugin.py
@@ -17,6 +17,7 @@ import uuid
import mock
import stevedore
+from keystone.api._shared import authentication
from keystone import auth
from keystone.auth.plugins import base
from keystone.auth.plugins import mapped
@@ -32,7 +33,7 @@ DEMO_USER_ID = uuid.uuid4().hex
class SimpleChallengeResponse(base.AuthMethodHandler):
- def authenticate(self, context, auth_payload):
+ def authenticate(self, auth_payload):
response_data = {}
if 'response' in auth_payload:
if auth_payload['response'] != EXPECTED_RESPONSE:
@@ -50,9 +51,6 @@ class SimpleChallengeResponse(base.AuthMethodHandler):
class TestAuthPlugin(unit.SQLDriverOverrides, unit.TestCase):
- def setUp(self):
- super(TestAuthPlugin, self).setUp()
- self.api = auth.controllers.Auth()
def test_unsupported_auth_method(self):
method_name = uuid.uuid4().hex
@@ -85,7 +83,8 @@ class TestAuthPlugin(unit.SQLDriverOverrides, unit.TestCase):
auth_info = auth.core.AuthInfo.create(auth_data)
auth_context = auth.core.AuthContext(method_names=[])
try:
- self.api.authenticate(self.make_request(), auth_info, auth_context)
+ with self.make_request():
+ authentication.authenticate(auth_info, auth_context)
except exception.AdditionalAuthRequired as e:
self.assertIn('methods', e.authentication)
self.assertIn(METHOD_NAME, e.authentication['methods'])
@@ -99,7 +98,8 @@ class TestAuthPlugin(unit.SQLDriverOverrides, unit.TestCase):
auth_data = {'identity': auth_data}
auth_info = auth.core.AuthInfo.create(auth_data)
auth_context = auth.core.AuthContext(method_names=[])
- self.api.authenticate(self.make_request(), auth_info, auth_context)
+ with self.make_request():
+ authentication.authenticate(auth_info, auth_context)
self.assertEqual(DEMO_USER_ID, auth_context['user_id'])
# test incorrect response
@@ -109,11 +109,11 @@ class TestAuthPlugin(unit.SQLDriverOverrides, unit.TestCase):
auth_data = {'identity': auth_data}
auth_info = auth.core.AuthInfo.create(auth_data)
auth_context = auth.core.AuthContext(method_names=[])
- self.assertRaises(exception.Unauthorized,
- self.api.authenticate,
- self.make_request(),
- auth_info,
- auth_context)
+ with self.make_request():
+ self.assertRaises(exception.Unauthorized,
+ authentication.authenticate,
+ auth_info,
+ auth_context)
def test_duplicate_method(self):
# Having the same method twice doesn't cause load_auth_methods to fail.
@@ -138,9 +138,6 @@ class TestAuthPluginDynamicOptions(TestAuthPlugin):
class TestMapped(unit.TestCase):
- def setUp(self):
- super(TestMapped, self).setUp()
- self.api = auth.controllers.Auth()
def config_files(self):
config_files = super(TestMapped, self).config_files()
@@ -151,7 +148,6 @@ class TestMapped(unit.TestCase):
with mock.patch.object(auth.plugins.mapped.Mapped,
'authenticate',
return_value=None) as authenticate:
- request = self.make_request()
auth_data = {
'identity': {
'methods': [method_name],
@@ -162,10 +158,10 @@ class TestMapped(unit.TestCase):
auth_context = auth.core.AuthContext(
method_names=[],
user_id=uuid.uuid4().hex)
- self.api.authenticate(request, auth_info, auth_context)
+ with self.make_request():
+ authentication.authenticate(auth_info, auth_context)
# make sure Mapped plugin got invoked with the correct payload
- ((context, auth_payload),
- kwargs) = authenticate.call_args
+ ((auth_payload,), kwargs) = authenticate.call_args
self.assertEqual(method_name, auth_payload['protocol'])
def test_mapped_with_remote_user(self):
@@ -186,11 +182,10 @@ class TestMapped(unit.TestCase):
'authenticate',
return_value=None) as authenticate:
auth_info = auth.core.AuthInfo.create(auth_data)
- request = self.make_request(environ={'REMOTE_USER': 'foo@idp.com'})
- self.api.authenticate(request, auth_info, auth_context)
+ with self.make_request(environ={'REMOTE_USER': 'foo@idp.com'}):
+ authentication.authenticate(auth_info, auth_context)
# make sure Mapped plugin got invoked with the correct payload
- ((context, auth_payload),
- kwargs) = authenticate.call_args
+ ((auth_payload,), kwargs) = authenticate.call_args
self.assertEqual(method_name, auth_payload['protocol'])
@mock.patch('keystone.auth.plugins.mapped.PROVIDERS')
@@ -203,15 +198,18 @@ class TestMapped(unit.TestCase):
mock_providers.role_api = mock.Mock()
test_mapped = mapped.Mapped()
- request = self.make_request()
auth_payload = {'identity_provider': 'test_provider'}
- self.assertRaises(exception.ValidationError, test_mapped.authenticate,
- request, auth_payload)
+ with self.make_request():
+ self.assertRaises(
+ exception.ValidationError, test_mapped.authenticate,
+ auth_payload)
auth_payload = {'protocol': 'saml2'}
- self.assertRaises(exception.ValidationError, test_mapped.authenticate,
- request, auth_payload)
+ with self.make_request():
+ self.assertRaises(
+ exception.ValidationError, test_mapped.authenticate,
+ auth_payload)
def test_supporting_multiple_methods(self):
method_names = ('saml2', 'openid', 'x509', 'mapped')
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index 381dd9476..d8e2a82b6 100644
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -765,11 +765,11 @@ class BaseLDAPIdentity(LDAPTestSetup, IdentityTests, AssignmentTests,
driver.user.LDAP_USER = None
driver.user.LDAP_PASSWORD = None
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=user['id'],
- password=None)
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=user['id'],
+ password=None)
@mock.patch.object(versionutils, 'report_deprecated_feature')
def test_user_crud(self, mock_deprecator):
@@ -1988,10 +1988,10 @@ class LDAPIdentityEnabledEmulation(LDAPIdentity, unit.TestCase):
driver = PROVIDERS.identity_api._select_identity_driver(
CONF.identity.default_domain_id)
driver.user.enabled_emulation_dn = 'cn=test,dc=test'
- PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=self.user_foo['id'],
- password=self.user_foo['password'])
+ with self.make_request():
+ PROVIDERS.identity_api.authenticate(
+ user_id=self.user_foo['id'],
+ password=self.user_foo['password'])
def test_user_enable_attribute_mask(self):
self.skip_test_overrides(
@@ -2334,10 +2334,10 @@ class BaseMultiLDAPandSQLIdentity(object):
for user_num in range(self.domain_count):
user = 'user%s' % user_num
- PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=users[user]['id'],
- password=users[user]['password'])
+ with self.make_request():
+ PROVIDERS.identity_api.authenticate(
+ user_id=users[user]['id'],
+ password=users[user]['password'])
class MultiLDAPandSQLIdentity(BaseLDAPIdentity, unit.SQLDriverOverrides,
diff --git a/keystone/tests/unit/test_backend_ldap_pool.py b/keystone/tests/unit/test_backend_ldap_pool.py
index 959872f2a..1754942fb 100644
--- a/keystone/tests/unit/test_backend_ldap_pool.py
+++ b/keystone/tests/unit/test_backend_ldap_pool.py
@@ -176,10 +176,10 @@ class LdapPoolCommonTestMixin(object):
# authenticate so that connection is added to pool before password
# change
- user_ref = PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=self.user_sna['id'],
- password=self.user_sna['password'])
+ with self.make_request():
+ user_ref = PROVIDERS.identity_api.authenticate(
+ user_id=self.user_sna['id'],
+ password=self.user_sna['password'])
self.user_sna.pop('password')
self.user_sna['enabled'] = True
@@ -191,10 +191,10 @@ class LdapPoolCommonTestMixin(object):
# now authenticate again to make sure new password works with
# connection pool
- user_ref2 = PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=self.user_sna['id'],
- password=new_password)
+ with self.make_request():
+ user_ref2 = PROVIDERS.identity_api.authenticate(
+ user_id=self.user_sna['id'],
+ password=new_password)
user_ref.pop('password')
self.assertUserDictEqual(user_ref, user_ref2)
@@ -202,11 +202,11 @@ class LdapPoolCommonTestMixin(object):
# Authentication with old password would not work here as there
# is only one connection in pool which get bind again with updated
# password..so no old bind is maintained in this case.
- self.assertRaises(AssertionError,
- PROVIDERS.identity_api.authenticate,
- self.make_request(),
- user_id=self.user_sna['id'],
- password=old_password)
+ with self.make_request():
+ self.assertRaises(AssertionError,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user_sna['id'],
+ password=old_password)
class LDAPIdentity(LdapPoolCommonTestMixin,
diff --git a/keystone/tests/unit/test_cli.py b/keystone/tests/unit/test_cli.py
index 71679aea4..9e6f11dec 100644
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@@ -150,10 +150,10 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
self.assertEqual(system_roles[0]['id'], admin_role['id'])
# NOTE(morganfainberg): Pass an empty context, it isn't used by
# `authenticate` method.
- PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user['id'],
- bootstrap.password)
+ with self.make_request():
+ PROVIDERS.identity_api.authenticate(
+ user['id'],
+ bootstrap.password)
if bootstrap.region_id:
region = PROVIDERS.catalog_api.get_region(bootstrap.region_id)
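Review bot: The `NOTE(morganfainberg)` comment kept as context above the new `with self.make_request():` is now stale. It says an empty context is passed and is not used by `authenticate`, but the call no longer passes any context and instead needs a request context pushed around it. I would replace it with something like `# NOTE: authenticate reads the Flask request context, so one must be pushed before calling it.` The enclosing helper starts and ends outside this hunk.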
@@ -284,10 +284,10 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
self._do_test_bootstrap(self.bootstrap)
# Sanity check that the original password works again.
- PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id,
- self.bootstrap.password)
+ with self.make_request():
+ PROVIDERS.identity_api.authenticate(
+ user_id,
+ self.bootstrap.password)
class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):
diff --git a/keystone/tests/unit/test_ldap_pool_livetest.py b/keystone/tests/unit/test_ldap_pool_livetest.py
index e143b9867..c96ccb715 100644
--- a/keystone/tests/unit/test_ldap_pool_livetest.py
+++ b/keystone/tests/unit/test_ldap_pool_livetest.py
@@ -109,10 +109,10 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
CONF.identity.default_domain_id,
password=password)
- PROVIDERS.identity_api.authenticate(
- self.make_request(),
- user_id=user['id'],
- password=password)
+ with self.make_request():
+ PROVIDERS.identity_api.authenticate(
+ user_id=user['id'],
+ password=password)
return PROVIDERS.identity_api.get_user(user['id'])
@@ -179,8 +179,9 @@ class LiveLDAPPoolIdentity(test_backend_ldap_pool.LdapPoolCommonTestMixin,
# successfully which is not desired if password change is frequent
# use case in a deployment.
# This can happen in multiple concurrent connections case only.
- user_ref = PROVIDERS.identity_api.authenticate(
- self.make_request(), user_id=user['id'], password=old_password)
+ with self.make_request():
+ user_ref = PROVIDERS.identity_api.authenticate(
+ user_id=user['id'], password=old_password)
self.assertDictEqual(user, user_ref)
diff --git a/keystone/tests/unit/test_v3.py b/keystone/tests/unit/test_v3.py
index 097be065a..9e971a910 100644
--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@@ -21,7 +21,6 @@ from six.moves import http_client
from testtools import matchers
import webtest
-from keystone import auth
from keystone.common import authorization
from keystone.common import cache
from keystone.common import provider_api
@@ -1215,18 +1214,6 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
for attribute in attributes:
self.assertIsNotNone(entity.get(attribute))
- def build_external_auth_request(self, remote_user,
- remote_domain=None, auth_data=None,
- kerberos=False):
- environment = self.build_external_auth_environ(
- remote_user, remote_domain)
- if not auth_data:
- auth_data = self.build_authentication_request(
- kerberos=kerberos)['auth']
- auth_info = auth.core.AuthInfo.create(auth_data)
- auth_context = auth.core.AuthContext(method_names=[])
- return self.make_request(environ=environment), auth_info, auth_context
-
def build_external_auth_environ(self, remote_user, remote_domain=None):
environment = {'REMOTE_USER': remote_user, 'AUTH_TYPE': 'Negotiate'}
if remote_domain:
diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index 9ad289aca..0b81c3de0 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -19,6 +19,7 @@ from testtools import matchers
import uuid
import fixtures
+import flask
from lxml import etree
import mock
from oslo_serialization import jsonutils
@@ -32,12 +33,12 @@ xmldsig = importutils.try_import("saml2.xmldsig")
if not xmldsig:
xmldsig = importutils.try_import("xmldsig")
-from keystone.auth import controllers as auth_controllers
-from keystone.common import controller
+from keystone.api._shared import authentication
+from keystone.api import auth as auth_api
from keystone.common import provider_api
+from keystone.common import render_token
import keystone.conf
from keystone import exception
-from keystone.federation import controllers as federation_controllers
from keystone.federation import idp as keystone_idp
from keystone.models import token_model
from keystone import notifications
@@ -149,13 +150,13 @@ class FederatedSetupMixin(object):
idp=None,
assertion='EMPLOYEE_ASSERTION',
environment=None):
- api = federation_controllers.Auth()
environment = environment or {}
environment.update(getattr(mapping_fixtures, assertion))
- request = self.make_request(environ=environment)
- if idp is None:
- idp = self.IDP
- r = api.federated_authentication(request, idp, self.PROTOCOL)
+ with self.make_request(environ=environment):
+ if idp is None:
+ idp = self.IDP
+ r = authentication.federated_authenticate_for_token(
+ protocol_id=self.PROTOCOL, identity_provider=idp)
return r
def idp_ref(self, id=None):
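Review bot: `_issue_unscoped_token` changes what it returns without saying so. Callers elsewhere in this commit read `r.id` and `r.federated_groups` and pass `r` to `render_token.render_token_response_from_model`, so it now appears to return a token model rather than an HTTP response. A one-line docstring stating that return type, and that the call runs inside a request context built from `environment` plus the named assertion, would save the next reader from rediscovering it. The `if idp is None: idp = self.IDP` default does not depend on the request and could stay above the `with`. The function signature starts outside this hunk.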
@@ -198,9 +199,9 @@ class FederatedSetupMixin(object):
}
}
- def _inject_assertion(self, request, variant):
+ def _inject_assertion(self, variant):
assertion = getattr(mapping_fixtures, variant)
- request.context_dict['environment'].update(assertion)
+ flask.request.environ.update(assertion)
def load_federation_sample_data(self):
"""Inject additional data."""
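Review bot: `_inject_assertion` now mutates `flask.request.environ`, so it only works while a request context is pushed, and the helper has no docstring to say so. Because it uses `update`, keys from a previously injected assertion stay in the environ unless the new assertion overwrites them. I would add a docstring along the lines of `"""Merge the named mapping_fixtures assertion into the current Flask request environ; requires an active request context."""`.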
@@ -759,60 +760,65 @@ class FederatedSetupMixin(object):
PROVIDERS.federation_api.create_protocol(
self.idp_with_remote['id'], self.proto_saml['id'], self.proto_saml
)
- # Generate fake tokens
- request = self.make_request()
- self.tokens = {}
- VARIANTS = ('EMPLOYEE_ASSERTION', 'CUSTOMER_ASSERTION',
- 'ADMIN_ASSERTION')
- api = auth_controllers.Auth()
- for variant in VARIANTS:
- self._inject_assertion(request, variant)
- r = api.authenticate_for_token(request, self.UNSCOPED_V3_SAML2_REQ)
- self.tokens[variant] = r.headers.get('X-Subject-Token')
+ with self.make_request():
+ self.tokens = {}
+ VARIANTS = ('EMPLOYEE_ASSERTION', 'CUSTOMER_ASSERTION',
+ 'ADMIN_ASSERTION')
+ for variant in VARIANTS:
+ self._inject_assertion(variant)
+ r = authentication.authenticate_for_token(
+ self.UNSCOPED_V3_SAML2_REQ)
+ self.tokens[variant] = r.id
- self.TOKEN_SCOPE_PROJECT_FROM_NONEXISTENT_TOKEN = self._scope_request(
- uuid.uuid4().hex, 'project', self.proj_customers['id'])
+ self.TOKEN_SCOPE_PROJECT_FROM_NONEXISTENT_TOKEN = (
+ self._scope_request(
+ uuid.uuid4().hex, 'project', self.proj_customers['id']))
- self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE = self._scope_request(
- self.tokens['EMPLOYEE_ASSERTION'], 'project',
- self.proj_employees['id'])
+ self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE = (
+ self._scope_request(
+ self.tokens['EMPLOYEE_ASSERTION'], 'project',
+ self.proj_employees['id']))
- self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_ADMIN = self._scope_request(
- self.tokens['ADMIN_ASSERTION'], 'project',
- self.proj_employees['id'])
+ self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_ADMIN = self._scope_request(
+ self.tokens['ADMIN_ASSERTION'], 'project',
+ self.proj_employees['id'])
- self.TOKEN_SCOPE_PROJECT_CUSTOMER_FROM_ADMIN = self._scope_request(
- self.tokens['ADMIN_ASSERTION'], 'project',
- self.proj_customers['id'])
+ self.TOKEN_SCOPE_PROJECT_CUSTOMER_FROM_ADMIN = self._scope_request(
+ self.tokens['ADMIN_ASSERTION'], 'project',
+ self.proj_customers['id'])
- self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER = self._scope_request(
- self.tokens['CUSTOMER_ASSERTION'], 'project',
- self.proj_employees['id'])
+ self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_CUSTOMER = (
+ self._scope_request(
+ self.tokens['CUSTOMER_ASSERTION'], 'project',
+ self.proj_employees['id']))
- self.TOKEN_SCOPE_PROJECT_INHERITED_FROM_CUSTOMER = self._scope_request(
- self.tokens['CUSTOMER_ASSERTION'], 'project',
- self.project_inherited['id'])
+ self.TOKEN_SCOPE_PROJECT_INHERITED_FROM_CUSTOMER = (
+ self._scope_request(
+ self.tokens['CUSTOMER_ASSERTION'], 'project',
+ self.project_inherited['id']))
- self.TOKEN_SCOPE_DOMAIN_A_FROM_CUSTOMER = self._scope_request(
- self.tokens['CUSTOMER_ASSERTION'], 'domain', self.domainA['id'])
+ self.TOKEN_SCOPE_DOMAIN_A_FROM_CUSTOMER = self._scope_request(
+ self.tokens['CUSTOMER_ASSERTION'], 'domain',
+ self.domainA['id'])
- self.TOKEN_SCOPE_DOMAIN_B_FROM_CUSTOMER = self._scope_request(
- self.tokens['CUSTOMER_ASSERTION'], 'domain',
- self.domainB['id'])
+ self.TOKEN_SCOPE_DOMAIN_B_FROM_CUSTOMER = self._scope_request(
+ self.tokens['CUSTOMER_ASSERTION'], 'domain',
+ self.domainB['id'])
- self.TOKEN_SCOPE_DOMAIN_D_FROM_CUSTOMER = self._scope_request(
- self.tokens['CUSTOMER_ASSERTION'], 'domain', self.domainD['id'])
+ self.TOKEN_SCOPE_DOMAIN_D_FROM_CUSTOMER = self._scope_request(
+ self.tokens['CUSTOMER_ASSERTION'], 'domain',
+ self.domainD['id'])
- self.TOKEN_SCOPE_DOMAIN_A_FROM_ADMIN = self._scope_request(
- self.tokens['ADMIN_ASSERTION'], 'domain', self.domainA['id'])
+ self.TOKEN_SCOPE_DOMAIN_A_FROM_ADMIN = self._scope_request(
+ self.tokens['ADMIN_ASSERTION'], 'domain', self.domainA['id'])
- self.TOKEN_SCOPE_DOMAIN_B_FROM_ADMIN = self._scope_request(
- self.tokens['ADMIN_ASSERTION'], 'domain', self.domainB['id'])
+ self.TOKEN_SCOPE_DOMAIN_B_FROM_ADMIN = self._scope_request(
+ self.tokens['ADMIN_ASSERTION'], 'domain', self.domainB['id'])
- self.TOKEN_SCOPE_DOMAIN_C_FROM_ADMIN = self._scope_request(
- self.tokens['ADMIN_ASSERTION'], 'domain',
- self.domainC['id'])
+ self.TOKEN_SCOPE_DOMAIN_C_FROM_ADMIN = self._scope_request(
+ self.tokens['ADMIN_ASSERTION'], 'domain',
+ self.domainC['id'])
class FederatedIdentityProviderTests(test_v3.RestfulTestCase):
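Review bot: The three fixture tokens are issued inside a single `with self.make_request():`, and `_inject_assertion` merges each variant into the same `flask.request.environ`. Attributes from `EMPLOYEE_ASSERTION` that a later variant does not overwrite are therefore still present when the `CUSTOMER_ASSERTION` and `ADMIN_ASSERTION` tokens are created. The old code reused one request object in the same way, so this is inherited, but it means the scoping tests built on `self.tokens` may exercise mappings against mixed identities. Whether the fixtures overlap is not visible here. Pushing a fresh context per variant avoids the question: `for variant in VARIANTS:` followed by `with self.make_request():` around the `_inject_assertion` and `authenticate_for_token` calls.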
@@ -1866,7 +1872,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
super(FederatedTokenTests, self).setUp()
self._notifications = []
- def fake_saml_notify(action, request, user_id, group_ids,
+ def fake_saml_notify(action, user_id, group_ids,
identity_provider, protocol, token_id, outcome):
note = {
'action': action,
@@ -1902,12 +1908,12 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_issue_unscoped_token(self):
r = self._issue_unscoped_token()
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
- self.assertValidMappedUser(r.json['token'])
+ token_resp = render_token.render_token_response_from_model(r)['token']
+ self.assertValidMappedUser(token_resp)
def test_issue_the_same_unscoped_token_with_user_deleted(self):
r = self._issue_unscoped_token()
- token = r.json['token']
+ token = render_token.render_token_response_from_model(r)['token']
user1 = token['user']
user_id1 = user1.pop('id')
@@ -1916,7 +1922,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
PROVIDERS.identity_api.delete_user(user_id1)
r = self._issue_unscoped_token()
- token = r.json['token']
+ token = render_token.render_token_response_from_model(r)['token']
user2 = token['user']
user_id2 = user2.pop('id')
@@ -1942,42 +1948,37 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_issue_unscoped_token_group_names_in_mapping(self):
r = self._issue_unscoped_token(assertion='ANOTHER_CUSTOMER_ASSERTION')
ref_groups = set([self.group_customers['id'], self.group_admins['id']])
- token_resp = r.json_body
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+ token_groups = r.federated_groups
token_groups = set([group['id'] for group in token_groups])
self.assertEqual(ref_groups, token_groups)
def test_issue_unscoped_tokens_nonexisting_group(self):
- r = self._issue_unscoped_token(assertion='ANOTHER_TESTER_ASSERTION')
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ self._issue_unscoped_token(assertion='ANOTHER_TESTER_ASSERTION')
def test_issue_unscoped_token_with_remote_no_attribute(self):
- r = self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
- environment={
- self.REMOTE_ID_ATTR:
- self.REMOTE_IDS[0]
- })
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
+ environment={
+ self.REMOTE_ID_ATTR:
+ self.REMOTE_IDS[0]
+ })
def test_issue_unscoped_token_with_remote(self):
self.config_fixture.config(group='federation',
remote_id_attribute=self.REMOTE_ID_ATTR)
- r = self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
- environment={
- self.REMOTE_ID_ATTR:
- self.REMOTE_IDS[0]
- })
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
+ environment={
+ self.REMOTE_ID_ATTR:
+ self.REMOTE_IDS[0]
+ })
def test_issue_unscoped_token_with_saml2_remote(self):
self.config_fixture.config(group='saml2',
remote_id_attribute=self.REMOTE_ID_ATTR)
- r = self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
- environment={
- self.REMOTE_ID_ATTR:
- self.REMOTE_IDS[0]
- })
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
+ environment={
+ self.REMOTE_ID_ATTR:
+ self.REMOTE_IDS[0]
+ })
def test_issue_unscoped_token_with_remote_different(self):
self.config_fixture.config(group='federation',
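Review bot: Four success-path tests in this hunk (`test_issue_unscoped_tokens_nonexisting_group`, `test_issue_unscoped_token_with_remote_no_attribute`, `test_issue_unscoped_token_with_remote` and `test_issue_unscoped_token_with_saml2_remote`) are left with no assertion once the `X-Subject-Token` check is dropped, so they pass whenever `_issue_unscoped_token` does not raise. They cover remote-id matching for federated identity providers, where an explicit check that a usable token came back is worth keeping. Other tests in this file read `r.id` from the returned model and use it as a request token, so keeping `r = ...` and adding `self.assertIsNotNone(r.id)` should restore the check, assuming the id is populated on the returned model. The same applies to the next two hunks (second `remote_id_attribute` override, empty `REMOTE_USER`), the malformed-environ test and the two assertion-prefix tests further down. The last function touched here continues outside the hunk.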
@@ -2001,12 +2002,11 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
remote_id_attribute=self.REMOTE_ID_ATTR)
self.config_fixture.config(group='federation',
remote_id_attribute=uuid.uuid4().hex)
- r = self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
- environment={
- self.REMOTE_ID_ATTR:
- self.REMOTE_IDS[0]
- })
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ self._issue_unscoped_token(idp=self.IDP_WITH_REMOTE,
+ environment={
+ self.REMOTE_ID_ATTR:
+ self.REMOTE_IDS[0]
+ })
def test_issue_unscoped_token_with_remote_unavailable(self):
self.config_fixture.config(group='federation',
@@ -2020,14 +2020,11 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_issue_unscoped_token_with_remote_user_as_empty_string(self):
# make sure that REMOTE_USER set as the empty string won't interfere
- r = self._issue_unscoped_token(environment={'REMOTE_USER': ''})
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ self._issue_unscoped_token(environment={'REMOTE_USER': ''})
def test_issue_unscoped_token_no_groups(self):
r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
- token_resp = r.json_body
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+ token_groups = r.federated_groups
self.assertEqual(0, len(token_groups))
def test_issue_scoped_token_no_groups(self):
@@ -2037,11 +2034,9 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""
# issue unscoped token with no groups
r = self._issue_unscoped_token(assertion='USER_NO_GROUPS_ASSERTION')
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
- token_resp = r.json_body
- token_groups = token_resp['token']['user']['OS-FEDERATION']['groups']
+ token_groups = r.federated_groups
self.assertEqual(0, len(token_groups))
- unscoped_token = r.headers.get('X-Subject-Token')
+ unscoped_token = r.id
# let admin get roles in a project
self.proj_employees
@@ -2068,16 +2063,14 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
non string objects and return token id in the HTTP header.
"""
- api = auth_controllers.Auth()
environ = {
'malformed_object': object(),
'another_bad_idea': tuple(range(10)),
'yet_another_bad_param': dict(zip(uuid.uuid4().hex, range(32)))
}
environ.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environ)
- r = api.authenticate_for_token(request, self.UNSCOPED_V3_SAML2_REQ)
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ with self.make_request(environ=environ):
+ authentication.authenticate_for_token(self.UNSCOPED_V3_SAML2_REQ)
def test_scope_to_project_once_notify(self):
r = self.v3_create_token(
@@ -2208,12 +2201,11 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
expected_status=http_client.NOT_FOUND)
def test_issue_token_from_rules_without_user(self):
- api = auth_controllers.Auth()
environ = copy.deepcopy(mapping_fixtures.BAD_TESTER_ASSERTION)
- request = self.make_request(environ=environ)
- self.assertRaises(exception.Unauthorized,
- api.authenticate_for_token,
- request, self.UNSCOPED_V3_SAML2_REQ)
+ with self.make_request(environ=environ):
+ self.assertRaises(exception.Unauthorized,
+ authentication.authenticate_for_token,
+ self.UNSCOPED_V3_SAML2_REQ)
def test_issue_token_with_nonexistent_group(self):
"""Inject assertion that matches rule issuing bad group id.
@@ -2356,11 +2348,11 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""
r = self._issue_unscoped_token()
- token_resp = r.json_body['token']
+ token_resp = render_token.render_token_response_from_model(r)['token']
# NOTE(lbragstad): Ensure only 'saml2' is in the method list.
- self.assertListEqual(['saml2'], token_resp['methods'])
+ self.assertListEqual(['saml2'], r.methods)
self.assertValidMappedUser(token_resp)
- employee_unscoped_token_id = r.headers.get('X-Subject-Token')
+ employee_unscoped_token_id = r.id
r = self.get('/auth/projects', token=employee_unscoped_token_id)
projects = r.result['projects']
random_project = random.randint(0, len(projects) - 1)
@@ -2432,14 +2424,13 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='TESTER_ASSERTION')
- token_id = r.headers.get('X-Subject-Token')
# delete group
PROVIDERS.identity_api.delete_group(group['id'])
# scope token to project_all, expect HTTP 500
scoped_token = self._scope_request(
- token_id, 'project',
+ r.id, 'project',
self.project_all['id'])
self.v3_create_token(
@@ -2498,7 +2489,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
- assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
+ assigned_group_ids = r.federated_groups
self.assertEqual(1, len(assigned_group_ids))
self.assertEqual(group['id'], assigned_group_ids[0]['id'])
@@ -2571,7 +2562,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
- assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
+ assigned_group_ids = r.federated_groups
self.assertEqual(len(group_ids), len(assigned_group_ids))
for group in assigned_group_ids:
self.assertIn(group['id'], group_ids)
@@ -2644,7 +2635,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
- assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
+ assigned_group_ids = r.federated_groups
self.assertEqual(len(group_ids), len(assigned_group_ids))
for group in assigned_group_ids:
self.assertIn(group['id'], group_ids)
@@ -2706,7 +2697,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
- assigned_groups = r.json['token']['user']['OS-FEDERATION']['groups']
+ assigned_groups = r.federated_groups
self.assertEqual(len(assigned_groups), 0)
def test_not_setting_whitelist_accepts_all_values(self):
@@ -2776,7 +2767,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
}
PROVIDERS.federation_api.update_mapping(self.mapping['id'], rules)
r = self._issue_unscoped_token(assertion='UNMATCHED_GROUP_ASSERTION')
- assigned_group_ids = r.json['token']['user']['OS-FEDERATION']['groups']
+ assigned_group_ids = r.federated_groups
self.assertEqual(len(group_ids), len(assigned_group_ids))
for group in assigned_group_ids:
self.assertIn(group['id'], group_ids)
@@ -2791,8 +2782,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""
self.config_fixture.config(group='federation',
assertion_prefix=self.ASSERTION_PREFIX)
- r = self._issue_unscoped_token(assertion='EMPLOYEE_ASSERTION_PREFIXED')
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ self._issue_unscoped_token(assertion='EMPLOYEE_ASSERTION_PREFIXED')
def test_assertion_prefix_parameter_expect_fail(self):
"""Test parameters filtering based on the prefix.
@@ -2804,8 +2794,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
Expect server to raise exception.Unathorized exception.
"""
- r = self._issue_unscoped_token()
- self.assertIsNotNone(r.headers.get('X-Subject-Token'))
+ self._issue_unscoped_token()
self.config_fixture.config(group='federation',
assertion_prefix='UserName')
@@ -2814,23 +2803,24 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_unscoped_token_has_user_domain(self):
r = self._issue_unscoped_token()
- self._check_domains_are_valid(r.json_body['token'])
+ self._check_domains_are_valid(
+ render_token.render_token_response_from_model(r)['token'])
def test_scoped_token_has_user_domain(self):
r = self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE)
- self._check_domains_are_valid(r.result['token'])
+ self._check_domains_are_valid(r.json_body['token'])
def test_issue_unscoped_token_for_local_user(self):
r = self._issue_unscoped_token(assertion='LOCAL_USER_ASSERTION')
- token_resp = r.json_body['token']
- self.assertListEqual(['saml2'], token_resp['methods'])
- self.assertEqual(self.user['id'], token_resp['user']['id'])
- self.assertEqual(self.user['name'], token_resp['user']['name'])
- self.assertEqual(self.domain['id'], token_resp['user']['domain']['id'])
+ self.assertListEqual(['saml2'], r.methods)
+ self.assertEqual(self.user['id'], r.user_id)
+ self.assertEqual(self.user['name'], r.user['name'])
+ self.assertEqual(self.domain['id'], r.user_domain['id'])
# Make sure the token is not scoped
- self.assertNotIn('project', token_resp)
- self.assertNotIn('domain', token_resp)
+ self.assertIsNone(r.domain_id)
+ self.assertIsNone(r.project_id)
+ self.assertTrue(r.unscoped)
def test_issue_token_for_local_user_user_not_found(self):
self.assertRaises(exception.Unauthorized,
@@ -2839,11 +2829,10 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_user_name_and_id_in_federation_token(self):
r = self._issue_unscoped_token(assertion='EMPLOYEE_ASSERTION')
- token = r.json_body['token']
self.assertEqual(
mapping_fixtures.EMPLOYEE_ASSERTION['UserName'],
- token['user']['name'])
- self.assertNotEqual(token['user']['name'], token['user']['id'])
+ r.user['name'])
+ self.assertNotEqual(r.user['name'], r.user_id)
r = self.v3_create_token(
self.TOKEN_SCOPE_PROJECT_EMPLOYEE_FROM_EMPLOYEE)
token = r.json_body['token']
@@ -2878,18 +2867,18 @@ class FernetFederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_federated_unscoped_token(self):
resp = self._issue_unscoped_token()
- self.assertEqual(204, len(resp.headers['X-Subject-Token']))
- self.assertValidMappedUser(resp.json_body['token'])
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(resp)['token'])
def test_federated_unscoped_token_with_multiple_groups(self):
assertion = 'ANOTHER_CUSTOMER_ASSERTION'
resp = self._issue_unscoped_token(assertion=assertion)
- self.assertEqual(226, len(resp.headers['X-Subject-Token']))
- self.assertValidMappedUser(resp.json_body['token'])
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(resp)['token'])
def test_validate_federated_unscoped_token(self):
resp = self._issue_unscoped_token()
- unscoped_token = resp.headers.get('X-Subject-Token')
+ unscoped_token = resp.id
# assert that the token we received is valid
self.get('/auth/tokens/', headers={'X-Subject-Token': unscoped_token})
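Review bot: `test_federated_unscoped_token` and `test_federated_unscoped_token_with_multiple_groups` lose their only Fernet-specific check, the token length assertions (204 and 226), and now verify the same thing as the non-Fernet mapped-user tests. If those lengths were pinned to catch growth of the federated token payload, that regression guard is gone. Provided `resp.id` holds the same encoded token the header carried, `self.assertEqual(204, len(resp.id))` and `self.assertEqual(226, len(resp.id))` would keep it. Otherwise a comment saying where token size is now covered would help.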
@@ -2902,8 +2891,9 @@ class FernetFederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""
resp = self._issue_unscoped_token()
- self.assertValidMappedUser(resp.json_body['token'])
- unscoped_token = resp.headers.get('X-Subject-Token')
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(resp)['token'])
+ unscoped_token = resp.id
resp = self.get('/auth/projects', token=unscoped_token)
projects = resp.result['projects']
random_project = random.randint(0, len(projects) - 1)
@@ -2941,11 +2931,11 @@ class FederatedTokenTestsMethodToken(FederatedTokenTests):
"""
r = self._issue_unscoped_token()
- token_resp = r.json_body['token']
+ token_resp = render_token.render_token_response_from_model(r)['token']
# NOTE(lbragstad): Ensure only 'saml2' is in the method list.
- self.assertListEqual(['saml2'], token_resp['methods'])
+ self.assertListEqual(['saml2'], r.methods)
self.assertValidMappedUser(token_resp)
- employee_unscoped_token_id = r.headers.get('X-Subject-Token')
+ employee_unscoped_token_id = r.id
r = self.get('/auth/projects', token=employee_unscoped_token_id)
projects = r.result['projects']
random_project = random.randint(0, len(projects) - 1)
@@ -2979,11 +2969,11 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_user_id_persistense(self):
"""Ensure user_id is persistend for multiple federated authn calls."""
r = self._issue_unscoped_token()
- user_id = r.json_body['token']['user']['id']
+ user_id = r.user_id
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id))
r = self._issue_unscoped_token()
- user_id2 = r.json_body['token']['user']['id']
+ user_id2 = r.user_id
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id2))
self.assertEqual(user_id, user_id2)
@@ -3272,7 +3262,7 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# Authenticate to create a new federated_user entry with a foreign
# key pointing to the protocol
r = self._issue_unscoped_token()
- user_id = r.json_body['token']['user']['id']
+ user_id = r.user_id
self.assertNotEmpty(PROVIDERS.identity_api.get_user(user_id))
# Now we should be able to delete the protocol
@@ -3280,10 +3270,10 @@ class FederatedUserTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def _authenticate_via_saml(self):
r = self._issue_unscoped_token()
- unscoped_token = r.headers['X-Subject-Token']
- token_resp = r.json_body['token']
+ unscoped_token = r.id
+ token_resp = render_token.render_token_response_from_model(r)['token']
self.assertValidMappedUser(token_resp)
- return token_resp['user']['id'], unscoped_token
+ return r.user_id, unscoped_token
class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
@@ -3351,8 +3341,9 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
self.assertNotIn(project['name'], self.expected_results)
response = self._issue_unscoped_token()
- self.assertValidMappedUser(response.json_body['token'])
- unscoped_token = response.headers.get('X-Subject-Token')
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(response)['token'])
+ unscoped_token = response.id
response = self.get('/auth/projects', token=unscoped_token)
projects = response.json_body['projects']
for project in projects:
@@ -3364,8 +3355,9 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_shadow_mapping_create_projects_role_assignments(self):
response = self._issue_unscoped_token()
- self.assertValidMappedUser(response.json_body['token'])
- unscoped_token = response.headers.get('X-Subject-Token')
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(response)['token'])
+ unscoped_token = response.id
response = self.get('/auth/projects', token=unscoped_token)
projects = response.json_body['projects']
for project in projects:
@@ -3391,8 +3383,9 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_shadow_mapping_creates_project_in_identity_provider_domain(self):
response = self._issue_unscoped_token()
- self.assertValidMappedUser(response.json_body['token'])
- unscoped_token = response.headers.get('X-Subject-Token')
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(response)['token'])
+ unscoped_token = response.id
response = self.get('/auth/projects', token=unscoped_token)
projects = response.json_body['projects']
for project in projects:
@@ -3401,12 +3394,13 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_shadow_mapping_is_idempotent(self):
"""Test that projects remain idempotent for every federated auth."""
response = self._issue_unscoped_token()
- self.assertValidMappedUser(response.json_body['token'])
- unscoped_token = response.headers.get('X-Subject-Token')
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(response)['token'])
+ unscoped_token = response.id
response = self.get('/auth/projects', token=unscoped_token)
project_ids = [p['id'] for p in response.json_body['projects']]
response = self._issue_unscoped_token()
- unscoped_token = response.headers.get('X-Subject-Token')
+ unscoped_token = response.id
response = self.get('/auth/projects', token=unscoped_token)
projects = response.json_body['projects']
for project in projects:
@@ -3438,8 +3432,8 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
)
PROVIDERS.role_api.create_role(member_role_ref['id'], member_role_ref)
response = self._issue_unscoped_token()
- user_id = response.json_body['token']['user']['id']
- unscoped_token = response.headers.get('X-Subject-Token')
+ user_id = response.user_id
+ unscoped_token = response.id
response = self.get('/auth/projects', token=unscoped_token)
projects = response.json_body['projects']
staging_project = PROVIDERS.resource_api.get_project_by_name(
@@ -3500,7 +3494,7 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
)
response = self._issue_unscoped_token()
# user_id = response.json_body['token']['user']['id']
- unscoped_token = response.headers.get('X-Subject-Token')
+ unscoped_token = response.id
response = self.get('/auth/projects', token=unscoped_token)
projects = response.json_body['projects']
self.expected_results = {
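Review bot: The commented-out context line `# user_id = response.json_body['token']['user']['id']` just above the changed assignment describes a response shape that `_issue_unscoped_token` no longer returns. It would be cleaner to delete it in this change, or, if the value is wanted, replace it with `user_id = response.user_id` as the neighbouring tests do. The test body continues outside the hunk, so whether `user_id` is needed further down is not visible here.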
@@ -3532,8 +3526,8 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# to them. This test verifies that this is no longer true.
# Authenticate once to create the projects
response = self._issue_unscoped_token()
- self.assertValidMappedUser(response.json_body['token'])
- unscoped_token = response.headers.get('X-Subject-Token')
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(response)['token'])
# Assign admin role to newly-created project to another user
staging_project = PROVIDERS.resource_api.get_project_by_name(
@@ -3548,8 +3542,9 @@ class ShadowMappingTests(test_v3.RestfulTestCase, FederatedSetupMixin):
# Authenticate again with the federated user and verify roles
response = self._issue_unscoped_token()
- self.assertValidMappedUser(response.json_body['token'])
- unscoped_token = response.headers.get('X-Subject-Token')
+ self.assertValidMappedUser(
+ render_token.render_token_response_from_model(response)['token'])
+ unscoped_token = response.id
scope = self._scope_request(
unscoped_token, 'project', staging_project['id']
)
@@ -4602,10 +4597,6 @@ class WebSSOTests(FederatedTokenTests):
ORIGIN = urllib.parse.quote_plus(TRUSTED_DASHBOARD)
PROTOCOL_REMOTE_ID_ATTR = uuid.uuid4().hex
- def setUp(self):
- super(WebSSOTests, self).setUp()
- self.api = federation_controllers.Auth()
-
def config_overrides(self):
super(WebSSOTests, self).config_overrides()
self.config_fixture.config(
@@ -4616,34 +4607,39 @@ class WebSSOTests(FederatedTokenTests):
def test_render_callback_template(self):
token_id = uuid.uuid4().hex
- resp = self.api.render_html_response(self.TRUSTED_DASHBOARD, token_id)
+ with self.make_request():
+ resp = (
+ auth_api._AuthFederationWebSSOBase._render_template_response(
+ self.TRUSTED_DASHBOARD, token_id))
# The expected value in the assertions bellow need to be 'str' in
# Python 2 and 'bytes' in Python 3
- self.assertIn(token_id.encode('utf-8'), resp.body)
- self.assertIn(self.TRUSTED_DASHBOARD.encode('utf-8'), resp.body)
+ self.assertIn(token_id.encode('utf-8'), resp.data)
+ self.assertIn(self.TRUSTED_DASHBOARD.encode('utf-8'), resp.data)
def test_federated_sso_auth(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0],
'QUERY_STRING': 'origin=%s' % self.ORIGIN}
environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment)
- resp = self.api.federated_sso_auth(request, self.PROTOCOL)
- # `resp.body` will be `str` in Python 2 and `bytes` in Python 3
+ with self.make_request(environ=environment):
+ resp = auth_api.AuthFederationWebSSOResource._perform_auth(
+ self.PROTOCOL)
+ # `resp.data` will be `str` in Python 2 and `bytes` in Python 3
# which is why expected value: `self.TRUSTED_DASHBOARD`
# needs to be encoded
- self.assertIn(self.TRUSTED_DASHBOARD.encode('utf-8'), resp.body)
+ self.assertIn(self.TRUSTED_DASHBOARD.encode('utf-8'), resp.data)
def test_get_sso_origin_host_case_insensitive(self):
# test lowercase hostname in trusted_dashboard
environ = {'QUERY_STRING': 'origin=http://horizon.com'}
- request = self.make_request(environ=environ)
- host = self.api._get_sso_origin_host(request)
- self.assertEqual("http://horizon.com", host)
- # test uppercase hostname in trusted_dashboard
- self.config_fixture.config(group='federation',
- trusted_dashboard=['http://Horizon.com'])
- host = self.api._get_sso_origin_host(request)
- self.assertEqual("http://horizon.com", host)
+ with self.make_request(environ=environ):
+ host = auth_api._get_sso_origin_host()
+ self.assertEqual("http://horizon.com", host)
+ # test uppercase hostname in trusted_dashboard
+ self.config_fixture.config(
+ group='federation',
+ trusted_dashboard=['http://Horizon.com'])
+ host = auth_api._get_sso_origin_host()
+ self.assertEqual("http://horizon.com", host)
def test_federated_sso_auth_with_protocol_specific_remote_id(self):
self.config_fixture.config(
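Review bot: The WebSSO tests in this hunk call underscore-prefixed members directly (`auth_api._AuthFederationWebSSOBase._render_template_response`, `auth_api.AuthFederationWebSSOResource._perform_auth`, `auth_api._get_sso_origin_host`), so within these tests the trusted-dashboard and remote-id checks are verified at helper level only. The flask route is not dispatched. The following hunk does the same for every negative case (untrusted origin, bad or missing remote id). A comment above the first use, such as `# NOTE: calls the private helper inside a pushed request context; routing is not exercised here`, would make the coupling explicit. One test that goes through the routed endpoint and expects the unauthorized status would also cover the dispatch path. The last test in the hunk continues beyond it.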
@@ -4653,76 +4649,82 @@ class WebSSOTests(FederatedTokenTests):
environment = {self.PROTOCOL_REMOTE_ID_ATTR: self.REMOTE_IDS[0],
'QUERY_STRING': 'origin=%s' % self.ORIGIN}
environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment)
- resp = self.api.federated_sso_auth(request, self.PROTOCOL)
- # `resp.body` will be `str` in Python 2 and `bytes` in Python 3
+ with self.make_request(environ=environment):
+ resp = auth_api.AuthFederationWebSSOResource._perform_auth(
+ self.PROTOCOL)
+ # `resp.data` will be `str` in Python 2 and `bytes` in Python 3
# which is why expected value: `self.TRUSTED_DASHBOARD`
# needs to be encoded
- self.assertIn(self.TRUSTED_DASHBOARD.encode('utf-8'), resp.body)
+ self.assertIn(self.TRUSTED_DASHBOARD.encode('utf-8'), resp.data)
def test_federated_sso_auth_bad_remote_id(self):
environment = {self.REMOTE_ID_ATTR: self.IDP,
'QUERY_STRING': 'origin=%s' % self.ORIGIN}
environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment)
- self.assertRaises(exception.IdentityProviderNotFound,
- self.api.federated_sso_auth,
- request, self.PROTOCOL)
+ with self.make_request(environ=environment):
+ self.assertRaises(
+ exception.IdentityProviderNotFound,
+ auth_api.AuthFederationWebSSOResource._perform_auth,
+ self.PROTOCOL)
def test_federated_sso_missing_query(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment)
- self.assertRaises(exception.ValidationError,
- self.api.federated_sso_auth,
- request, self.PROTOCOL)
+ with self.make_request(environ=environment):
+ self.assertRaises(
+ exception.ValidationError,
+ auth_api.AuthFederationWebSSOResource._perform_auth,
+ self.PROTOCOL)
def test_federated_sso_missing_query_bad_remote_id(self):
environment = {self.REMOTE_ID_ATTR: self.IDP}
environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment)
- self.assertRaises(exception.ValidationError,
- self.api.federated_sso_auth,
- request, self.PROTOCOL)
+ with self.make_request(environ=environment):
+ self.assertRaises(
+ exception.ValidationError,
+ auth_api.AuthFederationWebSSOResource._perform_auth,
+ self.PROTOCOL)
def test_federated_sso_untrusted_dashboard(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0],
'QUERY_STRING': 'origin=%s' % uuid.uuid4().hex}
environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment)
- self.assertRaises(exception.Unauthorized,
- self.api.federated_sso_auth,
- request, self.PROTOCOL)
+ with self.make_request(environ=environment):
+ self.assertRaises(
+ exception.Unauthorized,
+ auth_api.AuthFederationWebSSOResource._perform_auth,
+ self.PROTOCOL)
def test_federated_sso_untrusted_dashboard_bad_remote_id(self):
environment = {self.REMOTE_ID_ATTR: self.IDP,
'QUERY_STRING': 'origin=%s' % uuid.uuid4().hex}
environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment)
- self.assertRaises(exception.Unauthorized,
- self.api.federated_sso_auth,
- request, self.PROTOCOL)
+ with self.make_request(environ=environment):
+ self.assertRaises(
+ exception.Unauthorized,
+ auth_api.AuthFederationWebSSOResource._perform_auth,
+ self.PROTOCOL)
def test_federated_sso_missing_remote_id(self):
environment = copy.deepcopy(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment,
- query_string='origin=%s' % self.ORIGIN)
- self.assertRaises(exception.Unauthorized,
- self.api.federated_sso_auth,
- request, self.PROTOCOL)
+ with self.make_request(environ=environment,
+ query_string='origin=%s' % self.ORIGIN):
+ self.assertRaises(
+ exception.Unauthorized,
+ auth_api.AuthFederationWebSSOResource._perform_auth,
+ self.PROTOCOL)
def test_identity_provider_specific_federated_authentication(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
environment.update(mapping_fixtures.EMPLOYEE_ASSERTION)
- request = self.make_request(environ=environment,
- query_string='origin=%s' % self.ORIGIN)
- resp = self.api.federated_idp_specific_sso_auth(request,
- self.idp['id'],
- self.PROTOCOL)
- # `resp.body` will be `str` in Python 2 and `bytes` in Python 3
+ with self.make_request(environ=environment,
+ query_string='origin=%s' % self.ORIGIN):
+ resp = auth_api.AuthFederationWebSSOIDPsResource._perform_auth(
+ self.idp['id'], self.PROTOCOL)
+ # `resp.data` will be `str` in Python 2 and `bytes` in Python 3
# which is why the expected value: `self.TRUSTED_DASHBOARD`
# needs to be encoded
- self.assertIn(self.TRUSTED_DASHBOARD.encode('utf-8'), resp.body)
+ self.assertIn(self.TRUSTED_DASHBOARD.encode('utf-8'), resp.data)
class K2KServiceCatalogTests(test_v3.RestfulTestCase):
@@ -4779,7 +4781,7 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
model = token_model.TokenModel()
model.user_id = self.user_id
model.methods = ['password']
- token = controller.render_token_response_from_model(model)
+ token = render_token.render_token_response_from_model(model)
ref = {}
for r in (self.sp_alpha, self.sp_beta, self.sp_gamma):
ref.update(r)
@@ -4799,7 +4801,7 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
model = token_model.TokenModel()
model.user_id = self.user_id
model.methods = ['password']
- token = controller.render_token_response_from_model(model)
+ token = render_token.render_token_response_from_model(model)
ref = {}
for r in (self.sp_beta, self.sp_gamma):
ref.update(r)
@@ -4819,7 +4821,7 @@ class K2KServiceCatalogTests(test_v3.RestfulTestCase):
model = token_model.TokenModel()
model.user_id = self.user_id
model.methods = ['password']
- token = controller.render_token_response_from_model(model)
+ token = render_token.render_token_response_from_model(model)
self.assertNotIn('service_providers', token['token'],
message=('Expected Service Catalog not to have '
'service_providers'))