authorSean Dague <sean@dague.net>2015-10-15 12:15:12 -0400
committerAndrea Frittoli (andreaf) <andrea.frittoli@hp.com>2015-10-15 19:57:37 +0100
commitca96243e586433a6b4aca769921462079ba67449 (patch)
tree79b0c7a253a99fa66fdd31c2533426ca3b464c78
parent002d2bdd29a39bf0b15732a165f11ba380ebc087 (diff)
throw BadAltAuth exception when alt auth == auth0.11.0
If we are expecting to replace a thing by switching to alternate auth, but don't, this should be an exception. Otherwise it's easy to obliviously not change to an alt auth element and be doing the wrong thing. Fixing and extending unit tests accordingly. Change-Id: I738098c061c64d8bb68670ecd9ade616d3a9d5ab
-rw-r--r--tempest_lib/auth.py6
-rw-r--r--tempest_lib/exceptions.py11
-rw-r--r--tempest_lib/tests/fake_identity.py4
-rw-r--r--tempest_lib/tests/test_auth.py68
4 files changed, 80 insertions, 9 deletions
diff --git a/tempest_lib/auth.py b/tempest_lib/auth.py
index 0a05445..c16d6dd 100644
--- a/tempest_lib/auth.py
+++ b/tempest_lib/auth.py
@@ -148,9 +148,15 @@ class AuthProvider(object):
auth_data=self.alt_auth_data)
alt_auth_req = dict(url=alt_url, headers=alt_headers,
body=alt_body)
+ if auth_req[self.alt_part] == alt_auth_req[self.alt_part]:
+ raise exceptions.BadAltAuth(part=self.alt_part)
auth_req[self.alt_part] = alt_auth_req[self.alt_part]
else:
+ # If the requested part is not affected by auth, we are
+ # not altering auth as expected, raise an exception
+ if auth_req[self.alt_part] == orig_req[self.alt_part]:
+ raise exceptions.BadAltAuth(part=self.alt_part)
# If alt auth data is None, skip auth in the requested part
auth_req[self.alt_part] = orig_req[self.alt_part]
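Review bot: Both added `raise exceptions.BadAltAuth(part=self.alt_part)` statements exit the if/else before the provider's one-shot alt state is cleared, as far as this hunk shows. The tests in this commit expect `alt_part` and `alt_auth_data` to be None after a request, but that reset is outside the hunk. If it sits after the if/else, a caller that catches the exception and reuses the provider would have its next request take the alt path again, which defeats the point of a guard meant to keep negative-auth tests honest. Consider capturing the part name, clearing the alt state and then raising, or running the reset in a `finally:` around the block.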
diff --git a/tempest_lib/exceptions.py b/tempest_lib/exceptions.py
index 050ccc6..5873b4a 100644
--- a/tempest_lib/exceptions.py
+++ b/tempest_lib/exceptions.py
@@ -149,6 +149,17 @@ class InvalidStructure(TempestException):
message = "Invalid structure of table with details"
+class BadAltAuth(TempestException):
+ """Used when trying and failing to change to alt creds.
+
+ If alt creds end up the same as primary creds, use this
+ exception. This is often going to be the case when you assume
+ project_id is in the url, but it's not.
+
+ """
+ message = "The alt auth looks the same as primary auth for %(part)s"
+
+
class CommandFailed(Exception):
def __init__(self, returncode, cmd, output, stderr):
super(CommandFailed, self).__init__()
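Review bot: The `BadAltAuth` docstring and message describe only one of the two conditions that raise it in `auth.py`. The second raise fires when alt auth data is None and the selected part of the authenticated request equals the original, unauthenticated one, so "The alt auth looks the same as primary auth" will mislead whoever debugs that failure. I would add a docstring sentence such as `Also raised when alt auth data is None and auth does not change the selected part of the request.` and reword the message to cover both cases, e.g. `"Alt auth did not change %(part)s of the request"`. Interpolating only the part name, never the token or headers, is worth keeping so credentials stay out of test logs.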
diff --git a/tempest_lib/tests/fake_identity.py b/tempest_lib/tests/fake_identity.py
index ad78f85..bac2676 100644
--- a/tempest_lib/tests/fake_identity.py
+++ b/tempest_lib/tests/fake_identity.py
@@ -50,11 +50,11 @@ ALT_IDENTITY_V2_RESPONSE = {
"expires": "2020-01-01T00:00:10Z",
"id": ALT_TOKEN,
"tenant": {
- "id": "fake_tenant_id"
+ "id": "fake_alt_tenant_id"
},
},
"user": {
- "id": "fake_user_id",
+ "id": "fake_alt_user_id",
},
"serviceCatalog": CATALOG_V2,
},
diff --git a/tempest_lib/tests/test_auth.py b/tempest_lib/tests/test_auth.py
index 133a268..21399ed 100644
--- a/tempest_lib/tests/test_auth.py
+++ b/tempest_lib/tests/test_auth.py
@@ -124,6 +124,9 @@ class TestKeystoneV2AuthProvider(BaseAuthTestsSetUp):
fake_identity._fake_v2_response)
self.target_url = 'test_api'
+ def _get_fake_identity(self):
+ return fake_identity.IDENTITY_V2_RESPONSE['access']
+
def _get_fake_alt_identity(self):
return fake_identity.ALT_IDENTITY_V2_RESPONSE['access']
@@ -175,14 +178,45 @@ class TestKeystoneV2AuthProvider(BaseAuthTestsSetUp):
self._test_request_helper(filters, expected)
def test_request_with_alt_auth_cleans_alt(self):
+ """Test alternate auth data for headers
+
+ Assert that when the alt data is provided for headers, after an
+ auth_request the data alt_data is cleaned-up.
+ """
self.auth_provider.set_alt_auth_data(
- 'body',
+ 'headers',
(fake_identity.ALT_TOKEN, self._get_fake_alt_identity()))
- self.test_request()
+ filters = {
+ 'service': 'compute',
+ 'endpoint_type': 'publicURL',
+ 'region': 'fakeRegion'
+ }
+ self.auth_provider.auth_request('GET', self.target_url,
+ filters=filters)
+
# Assert alt auth data is clear after it
self.assertIsNone(self.auth_provider.alt_part)
self.assertIsNone(self.auth_provider.alt_auth_data)
+ def test_request_with_identical_alt_auth(self):
+ """Test alternate but identical auth data for headers
+
+ Assert that when the alt data is provided, but it's actually
+ identical, an exception is raised.
+ """
+ self.auth_provider.set_alt_auth_data(
+ 'headers',
+ (fake_identity.TOKEN, self._get_fake_identity()))
+ filters = {
+ 'service': 'compute',
+ 'endpoint_type': 'publicURL',
+ 'region': 'fakeRegion'
+ }
+
+ self.assertRaises(exceptions.BadAltAuth,
+ self.auth_provider.auth_request,
+ 'GET', self.target_url, filters=filters)
+
def test_request_with_alt_part_without_alt_data(self):
"""Test empty alternate auth data
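Review bot: `test_request_with_alt_auth_cleans_alt` discards the return value of `auth_request`, so it passes whether or not the alt token reached the request headers. It only checks that the alt state was cleared afterwards. Binding the result and asserting on it would pin the positive case that `BadAltAuth` protects: `url, headers, body = self.auth_provider.auth_request('GET', self.target_url, filters=filters)` followed by `self.assertEqual(fake_identity.ALT_TOKEN, headers['X-Auth-Token'])`, assuming the header name used elsewhere in this file applies to both the V2 and V3 providers. `test_request_with_identical_alt_auth` could also assert that `alt_part` and `alt_auth_data` are None after the exception, to fix the expected post-failure state.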
@@ -194,17 +228,34 @@ class TestKeystoneV2AuthProvider(BaseAuthTestsSetUp):
'endpoint_type': 'publicURL',
'region': 'fakeRegion'
}
- self.auth_provider.set_alt_auth_data('url', None)
+ self.auth_provider.set_alt_auth_data('headers', None)
url, headers, body = self.auth_provider.auth_request('GET',
self.target_url,
filters=filters)
-
- self.assertEqual(url, self.target_url)
- self.assertEqual(self._get_token_from_fake_identity(),
- headers['X-Auth-Token'])
+ # The original headers where empty
+ self.assertNotEqual(url, self.target_url)
+ self.assertIsNone(headers)
self.assertEqual(body, None)
+ def test_request_with_alt_part_without_alt_data_no_change(self):
+ """Test empty alternate auth data with no effect
+
+ Assert that when alt_part is defined, no auth_data is provided,
+ and the the corresponding original request element was not going to
+ be changed anyways, and exception is raised
+ """
+ filters = {
+ 'service': 'compute',
+ 'endpoint_type': 'publicURL',
+ 'region': 'fakeRegion'
+ }
+ self.auth_provider.set_alt_auth_data('body', None)
+
+ self.assertRaises(exceptions.BadAltAuth,
+ self.auth_provider.auth_request,
+ 'GET', self.target_url, filters=filters)
+
def test_request_with_bad_service(self):
filters = {
'service': 'BAD_SERVICE',
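Review bot: The new comment and docstring in this hunk contain typos that obscure what the tests claim. `# The original headers where empty` should read `# The original headers were empty`, and in the docstring of `test_request_with_alt_part_without_alt_data_no_change`, "and the the corresponding original request element" and "and exception is raised" should read "and the corresponding ..." and "an exception is raised". Separately, `self.assertNotEqual(url, self.target_url)` shows only that the URL changed; comparing against the expected catalog endpoint would make the test fail on a wrong URL rather than on any URL. `self.assertEqual(body, None)` could be `self.assertIsNone(body)` to match the line above it.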
@@ -344,6 +395,9 @@ class TestKeystoneV3AuthProvider(TestKeystoneV2AuthProvider):
self.stubs.Set(v3_client.V3TokenClient, 'raw_request',
fake_identity._fake_v3_response)
+ def _get_fake_identity(self):
+ return fake_identity.IDENTITY_V3_RESPONSE['token']
+
def _get_fake_alt_identity(self):
return fake_identity.ALT_IDENTITY_V3['token']