keystone.tests.unit package

Subpackages

Submodules

keystone.tests.unit.core module

class keystone.tests.unit.core.BaseTestCase(*args, **kwargs)[source]

Bases: testtools.testcase.TestCase

Light weight base test class.

This is a placeholder that will eventually go away once the setup/teardown in TestCase is properly trimmed down to the bare essentials. This is really just a play to speed up the tests by eliminating unnecessary work.

cleanup_instance(*names)[source]

Create a function suitable for use with self.addCleanup.

Returns:a callable that uses a closure to delete instance attributes
setUp()[source]
class keystone.tests.unit.core.EggLoader(spec)[source]

Bases: paste.deploy.loadwsgi.EggLoader

find_egg_entry_point(object_type, name=None)[source]
class keystone.tests.unit.core.SQLDriverOverrides[source]

Bases: object

A mixin for consolidating sql-specific test overrides.

config_overrides()[source]
use_specific_sql_driver_version(driver_path, versionless_backend, version_suffix)[source]

Add this versioned driver to the list that will be loaded.

Parameters:
  • driver_path – The path to the drivers, e.g. ‘keystone.assignment’
  • versionless_backend – The name of the versionless drivers, e.g. ‘backends’
  • version_suffix – The suffix for the version , e.g. V8_

This method assumes that versioned drivers are named: <version_suffix><name of versionless driver>, e.g. ‘V8_backends’.

class keystone.tests.unit.core.TestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

assertCloseEnoughForGovernmentWork(a, b, delta=3)[source]

Asserts that two datetimes are nearly equal within a small delta.

Parameters:delta – Maximum allowable time delta, defined in seconds.
assertNotEmpty(l)[source]
assertRaisesRegexp(expected_exception, expected_regexp, callable_obj, *args, **kwargs)[source]

Asserts that the message in a raised exception matches a regexp.

auth_plugin_config_override(methods=None, **method_classes)[source]
clear_auth_plugin_registry()[source]
config(config_files)[source]
config_files()[source]
config_overrides()[source]
ipv6_enabled[source]
load_backends()[source]

Initializes each manager and assigns them to an attribute.

load_extra_backends()[source]

Override to load managers that aren’t loaded by default.

This is useful to load managers initialized by extensions. No extra backends are loaded by default.

Returns:dict of name -> manager
load_fixtures(fixtures)[source]

Hacky basic and naive fixture loading based on a python module.

Expects that the various APIs into the various services are already defined on self.

loadapp(config, name='main')[source]
setUp()[source]
skip_if_env_not_set(env_var)[source]
skip_if_no_ipv6()[source]
exception keystone.tests.unit.core.UnexpectedExit[source]

Bases: exceptions.Exception

keystone.tests.unit.core.create_user(api, domain_id, **kwargs)[source]

Create a user via the API. Keep the created password.

The password is saved and restored when api.create_user() is called. Only use this routine if there is a requirement for the user object to have a valid password after api.create_user() is called.

class keystone.tests.unit.core.dirs[source]

Bases: object

static etc(*p)[source]
static root(*p)[source]
static tests(*p)[source]
static tests_conf(*p)[source]
static tmp(*p)[source]
keystone.tests.unit.core.generate_paste_config(extension_name)[source]
keystone.tests.unit.core.new_cert_credential(user_id, project_id=None, blob=None, **kwargs)[source]
keystone.tests.unit.core.new_credential_ref(user_id, project_id=None, type='cert', **kwargs)[source]
keystone.tests.unit.core.new_domain_ref(**kwargs)[source]
keystone.tests.unit.core.new_ec2_credential(user_id, project_id=None, blob=None, **kwargs)[source]
keystone.tests.unit.core.new_endpoint_ref(service_id, interface='public', region_id=<object object at 0x7f77a9aa9930>, **kwargs)[source]
keystone.tests.unit.core.new_endpoint_ref_with_region(service_id, region, interface='public', **kwargs)[source]

Define an endpoint_ref having a pre-3.2 form.

Contains the deprecated ‘region’ instead of ‘region_id’.

keystone.tests.unit.core.new_federated_user_ref(idp_id=None, protocol_id=None, **kwargs)[source]
keystone.tests.unit.core.new_group_ref(domain_id, **kwargs)[source]
keystone.tests.unit.core.new_policy_ref(**kwargs)[source]
keystone.tests.unit.core.new_project_ref(domain_id=None, is_domain=False, **kwargs)[source]
keystone.tests.unit.core.new_region_ref(parent_region_id=None, **kwargs)[source]
keystone.tests.unit.core.new_role_ref(**kwargs)[source]
keystone.tests.unit.core.new_service_ref(**kwargs)[source]
keystone.tests.unit.core.new_totp_credential(user_id, project_id=None, blob=None)[source]
keystone.tests.unit.core.new_trust_ref(trustor_user_id, trustee_user_id, project_id=None, impersonation=None, expires=None, role_ids=None, role_names=None, remaining_uses=None, allow_redelegation=False, redelegation_count=None, **kwargs)[source]
keystone.tests.unit.core.new_user_ref(domain_id, project_id=None, **kwargs)[source]
keystone.tests.unit.core.remove_generated_paste_config(extension_name)[source]
keystone.tests.unit.core.remove_test_databases()[source]
keystone.tests.unit.core.skip_if_cache_disabled(*sections)[source]

This decorator is used to skip a test if caching is disabled.

Caching can be disabled either globally or for a specific section.

In the code fragment:

@skip_if_cache_is_disabled('assignment', 'token')
def test_method(*args):
    ...

The method test_method would be skipped if caching is disabled globally via the enabled option in the cache section of the configuration or if the caching option is set to false in either assignment or token sections of the configuration. This decorator can be used with no arguments to only check global caching.

If a specified configuration section does not define the caching option, this decorator makes the same assumption as the should_cache_fn in keystone.common.cache that caching should be enabled.

keystone.tests.unit.core.skip_if_cache_is_enabled(*sections)[source]
keystone.tests.unit.core.skip_if_no_multiple_domains_support(f)[source]

Decorator to skip tests for identity drivers limited to one domain.

keystone.tests.unit.default_fixtures module

keystone.tests.unit.fakeldap module

Fake LDAP server for test harness.

This class does very little error checking, and knows nothing about ldap class definitions. It implements the minimum emulation of the python ldap library to work with keystone.

class keystone.tests.unit.fakeldap.FakeLdap(conn=None)[source]

Bases: keystone.common.ldap.core.LDAPHandler

Emulate the python-ldap API.

The python-ldap API requires all strings to be UTF-8 encoded. This is assured by the caller of this interface (i.e. KeystoneLDAPHandler).

However, internally this emulation MUST process and store strings in a canonical form which permits operations on characters. Encoded strings do not provide the ability to operate on characters. Therefore this emulation accepts UTF-8 encoded strings, decodes them to unicode for operations internal to this emulation, and encodes them back to UTF-8 when returning values from the emulation.

add_s(dn, modlist)[source]

Add an object with the specified attributes at dn.

connect(url, page_size=0, alias_dereferencing=None, use_tls=False, tls_cacertfile=None, tls_cacertdir=None, tls_req_cert='demand', chase_referrals=None, debug_level=None, use_pool=None, pool_size=None, pool_retry_max=None, pool_retry_delay=None, pool_conn_timeout=None, pool_conn_lifetime=None)[source]
delete_ext_s(dn, serverctrls, clientctrls=None)[source]

Remove the ldap object at specified dn.

delete_s(dn)[source]

Remove the ldap object at specified dn.

dn(dn)[source]
get_option(option)[source]
key(dn)[source]
modify_s(dn, modlist)[source]

Modify the object at dn using the attribute list.

Parameters:
  • dn – an LDAP DN
  • modlist – a list of tuples in the following form: ([MOD_ADD | MOD_DELETE | MOD_REPACE], attribute, value)
result3(msgid=-1, all=1, timeout=None, resp_ctrl_classes=None)[source]

Execute async request

Only msgid param is supported. Request info is fetched from global variable PendingRequests by msgid, executed using search_s and limited if requested.

search_ext(base, scope, filterstr='(objectClass=*)', attrlist=None, attrsonly=0, serverctrls=None, clientctrls=None, timeout=-1, sizelimit=0)[source]
search_s(base, scope, filterstr='(objectClass=*)', attrlist=None, attrsonly=0)[source]

Search for all matching objects under base using the query.

Args: base – dn to search under scope – search scope (base, subtree, onelevel) filterstr – filter objects by attrlist – attrs to return. Returns all attrs if not specified

set_option(option, invalue)[source]
simple_bind_s(who='', cred='', serverctrls=None, clientctrls=None)[source]

This method is ignored, but provided for compatibility.

unbind_s()[source]

This method is ignored, but provided for compatibility.

class keystone.tests.unit.fakeldap.FakeLdapNoSubtreeDelete(conn=None)[source]

Bases: keystone.tests.unit.fakeldap.FakeLdap

FakeLdap subclass that does not support subtree delete

Same as FakeLdap except delete will throw the LDAP error ldap.NOT_ALLOWED_ON_NONLEAF if there is an attempt to delete an entry that has children.

delete_ext_s(dn, serverctrls, clientctrls=None)[source]

Remove the ldap object at specified dn.

class keystone.tests.unit.fakeldap.FakeLdapPool(uri, retry_max=None, retry_delay=None, conn=None)[source]

Bases: keystone.tests.unit.fakeldap.FakeLdap

Emulate the python-ldap API with pooled connections.

This class is used as connector class in PooledLDAPHandler.

get_lifetime()[source]
simple_bind_s(who=None, cred=None, serverctrls=None, clientctrls=None)[source]
unbind_ext_s()[source]

Added to extend FakeLdap as connector class.

class keystone.tests.unit.fakeldap.FakeShelve[source]

Bases: dict

sync()[source]

keystone.tests.unit.federation_fixtures module

keystone.tests.unit.filtering module

class keystone.tests.unit.filtering.FilterTests[source]

Bases: object

keystone.tests.unit.identity_mapping module

keystone.tests.unit.identity_mapping.list_id_mappings()[source]

List all id_mappings for testing purposes.

keystone.tests.unit.mapping_fixtures module

Fixtures for Federation Mapping.

keystone.tests.unit.rest module

class keystone.tests.unit.rest.RestfulTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Performs restful tests against the WSGI app over HTTP.

This class launches public & admin WSGI servers for every test, which can be accessed by calling public_request() or admin_request(), respectfully.

restful_request() and request() methods are also exposed if you need to bypass restful conventions or access HTTP details in your test implementation.

Three new asserts are provided:

  • assertResponseSuccessful: called automatically for every request

    unless an expected_status is provided

  • assertResponseStatus: called instead of assertResponseSuccessful,

    if an expected_status is provided

  • assertValidResponseHeaders: validates that the response headers

    appear as expected

Requests are automatically serialized according to the defined content_type. Responses are automatically deserialized as well, and available in the response.body attribute. The original body content is available in the response.raw attribute.

admin_request(**kwargs)[source]
assertResponseStatus(response, expected_status)[source]

Asserts a specific status code on the response.

Parameters:
  • responsehttplib.HTTPResponse
  • expected_status – The specific status result expected

example:

self.assertResponseStatus(response, http_client.NO_CONTENT)
assertResponseSuccessful(response)[source]

Asserts that a status code lies inside the 2xx range.

Parameters:responsehttplib.HTTPResponse to be verified to have a status code between 200 and 299.

example:

self.assertResponseSuccessful(response)
assertValidErrorResponse(response, expected_status=400)[source]

Verify that the error response is valid.

Subclasses can override this function based on the expected response.

assertValidResponseHeaders(response)[source]

Ensures that response headers appear as expected.

content_type = 'json'
get_admin_token()[source]
get_extensions()[source]
get_scoped_token(tenant_id=None)[source]

Convenience method so that we can test authenticated requests.

get_unscoped_token()[source]

Convenience method so that we can test authenticated requests.

public_request(**kwargs)[source]
request(app, path, body=None, headers=None, token=None, expected_status=None, **kwargs)[source]
restful_request(method='GET', headers=None, body=None, content_type=None, response_content_type=None, **kwargs)[source]

Serializes/deserializes json as request/response body.

Warning

  • Existing Accept header will be overwritten.
  • Existing Content-Type header will be overwritten.
setUp(app_conf='keystone')[source]

keystone.tests.unit.test_associate_project_endpoint_extension module

class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterCRUDTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase

test_check_endpoint_project_association()[source]

HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Valid project and endpoint id test case.

test_check_endpoint_project_association_with_invalid_endpoint()[source]

HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Invalid endpoint id test case.

test_check_endpoint_project_association_with_invalid_project()[source]

HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Invalid project id test case.

test_create_endpoint_project_association()[source]

PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Valid endpoint and project id test case.

test_create_endpoint_project_association_invalidates_cache(*args, **kwargs)[source]
test_create_endpoint_project_association_with_invalid_endpoint()[source]

PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Invalid endpoint id test case.

test_create_endpoint_project_association_with_invalid_project()[source]

PUT OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Invalid project id test case.

test_create_endpoint_project_association_with_unexpected_body()[source]

PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Unexpected body in request. The body should be ignored.

test_endpoint_project_association_cleanup_when_endpoint_deleted()[source]
test_endpoint_project_association_cleanup_when_project_deleted()[source]
test_list_endpoints_associated_with_invalid_project()[source]

GET /OS-EP-FILTER/projects/{project_id}/endpoints

Invalid project id test case.

test_list_endpoints_associated_with_valid_project()[source]

GET /OS-EP-FILTER/projects/{project_id}/endpoints

Valid project and endpoint id test case.

test_list_projects_associated_with_endpoint()[source]

GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects

Valid endpoint-project association test case.

test_list_projects_associated_with_invalid_endpoint()[source]

GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects

Invalid endpoint id test case.

test_list_projects_with_no_endpoint_project_association()[source]

GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects

Valid endpoint id but no endpoint-project associations test case.

test_remove_endpoint_from_project_invalidates_cache(*args, **kwargs)[source]
test_remove_endpoint_project_association()[source]

DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Valid project id and endpoint id test case.

test_remove_endpoint_project_association_with_invalid_endpoint()[source]

DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Invalid endpoint id test case.

test_remove_endpoint_project_association_with_invalid_project()[source]

DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Invalid project id test case.

class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterDeprecateTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

test_exception_happens(*args, **keywargs)[source]
class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

config_overrides()[source]
setUp()[source]
class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTokenRequestTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase

test_default_scoped_token_using_endpoint_filter()[source]

Verify endpoints from default scoped token filtered.

test_disabled_endpoint()[source]

Test that a disabled endpoint is handled.

test_get_auth_catalog_using_endpoint_filter()[source]
test_invalid_endpoint_project_association()[source]

Verify an invalid endpoint-project association is handled.

test_multiple_endpoint_project_associations()[source]
test_project_scoped_token_using_endpoint_filter()[source]

Verify endpoints from project scoped token filtered.

test_scoped_token_with_no_catalog_using_endpoint_filter()[source]

Verify endpoint filter does not affect no catalog.

class keystone.tests.unit.test_associate_project_endpoint_extension.EndpointGroupCRUDTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase

DEFAULT_ENDPOINT_GROUP_BODY = {'endpoint_group': {'description': 'endpoint group description', 'filters': {'interface': 'admin'}, 'name': 'endpoint_group_name'}}
DEFAULT_ENDPOINT_GROUP_URL = '/OS-EP-FILTER/endpoint_groups'
test_add_endpoint_group_to_project()[source]

Create a valid endpoint group and project association.

test_add_endpoint_group_to_project_invalidates_catalog_cache(*args, **kwargs)[source]
test_add_endpoint_group_to_project_with_invalid_project_id()[source]

Create an invalid endpoint group and project association.

test_check_endpoint_group()[source]

HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Valid endpoint_group_id test case.

test_check_endpoint_group_to_project()[source]

Test HEAD with a valid endpoint group and project association.

test_check_endpoint_group_to_project_with_invalid_project_id()[source]

Test HEAD with an invalid endpoint group and project association.

test_check_invalid_endpoint_group()[source]

HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Invalid endpoint_group_id test case.

test_create_endpoint_group()[source]

POST /OS-EP-FILTER/endpoint_groups

Valid endpoint group test case.

test_create_invalid_endpoint_group()[source]

POST /OS-EP-FILTER/endpoint_groups

Invalid endpoint group creation test case.

test_delete_endpoint_group()[source]

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}

Valid endpoint group test case.

test_delete_invalid_endpoint_group()[source]

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}

Invalid endpoint group test case.

test_empty_endpoint_groups_in_project()[source]

Test when no endpoint groups associated with the project.

test_endpoint_group_project_cleanup_with_endpoint_group()[source]
test_endpoint_group_project_cleanup_with_project()[source]
test_get_endpoint_group()[source]

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}

Valid endpoint group test case.

test_get_endpoint_group_in_project()[source]

Test retrieving project endpoint group association.

test_get_invalid_endpoint_group()[source]

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}

Invalid endpoint group test case.

test_get_invalid_endpoint_group_in_project()[source]

Test retrieving project endpoint group association.

test_list_endpoint_groups()[source]

GET /OS-EP-FILTER/endpoint_groups.

test_list_endpoint_groups_in_invalid_project()[source]

Test retrieving from invalid project.

test_list_endpoint_groups_in_project()[source]

GET /OS-EP-FILTER/projects/{project_id}/endpoint_groups.

test_list_endpoints_associated_with_endpoint_group()[source]

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}/endpoints

Valid endpoint group test case.

test_list_endpoints_associated_with_project_endpoint_group()[source]

GET /OS-EP-FILTER/projects/{project_id}/endpoints

Valid project, endpoint id, and endpoint group test case.

test_list_projects_associated_with_endpoint_group()[source]

GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}/projects

Valid endpoint group test case.

test_patch_endpoint_group()[source]

PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}

Valid endpoint group patch test case.

test_patch_invalid_endpoint_group()[source]

PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}

Valid endpoint group patch test case.

test_patch_nonexistent_endpoint_group()[source]

PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}

Invalid endpoint group patch test case.

test_remove_endpoint_group_from_project_invalidates_cache(*args, **kwargs)[source]
test_remove_endpoint_group_with_project_association()[source]
test_removing_an_endpoint_group_project()[source]
class keystone.tests.unit.test_associate_project_endpoint_extension.JsonHomeTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase, keystone.tests.unit.test_v3.JsonHomeTestMixin

JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups': {'href-template': '/OS-EP-FILTER/projects/{project_id}/endpoint_groups', 'href-vars': {'project_id': 'http://docs.openstack.org/api/openstack-identity/3/param/project_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects': {'href-template': '/OS-EP-FILTER/endpoints/{endpoint_id}/projects', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/projects_associated_with_endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoints_in_endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups': {'href': '/OS-EP-FILTER/endpoint_groups'}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_to_project_association': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id', 'project_id': 'http://docs.openstack.org/api/openstack-identity/3/param/project_id'}}}

keystone.tests.unit.test_auth module

class keystone.tests.unit.test_auth.AuthBadRequests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_auth.AuthTest

test_authenticate_blank_auth()[source]

Verify sending blank ‘auth’ raises the right exception.

test_authenticate_blank_request_body()[source]

Verify sending empty json dict raises the right exception.

test_authenticate_fails_if_project_unsafe()[source]

Verify authenticate to a project with unsafe name fails.

test_authenticate_invalid_auth_content()[source]

Verify sending invalid ‘auth’ raises the right exception.

test_authenticate_password_too_large()[source]

Verify sending large ‘password’ raises the right exception.

test_authenticate_tenant_id_too_large()[source]

Verify sending large ‘tenantId’ raises the right exception.

test_authenticate_tenant_name_too_large()[source]

Verify sending large ‘tenantName’ raises the right exception.

test_authenticate_token_too_large()[source]

Verify sending large ‘token’ raises the right exception.

test_authenticate_user_id_too_large()[source]

Verify sending large ‘userId’ raises the right exception.

test_authenticate_username_too_large()[source]

Verify sending large ‘username’ raises the right exception.

test_empty_remote_user()[source]

Verify exception is raised when REMOTE_USER is an empty string.

test_empty_username_and_userid_in_auth()[source]

Verify that empty username and userID raises ValidationError.

test_no_credentials_in_auth()[source]

Verify that _authenticate_local() raises exception if no creds.

test_no_external_auth()[source]

Verify that _authenticate_external() raises exception if N/A.

test_no_token_in_auth()[source]

Verify that _authenticate_token() raises exception if no token.

class keystone.tests.unit.test_auth.AuthCatalog(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.test_auth.AuthTest

Tests for the catalog provided in the auth response.

config_files()[source]
test_auth_catalog_disabled_endpoint()[source]

On authenticate, get a catalog that excludes disabled endpoints.

test_validate_catalog_disabled_endpoint()[source]

On validate, get back a catalog that excludes disabled endpoints.

class keystone.tests.unit.test_auth.AuthTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

assertEqualTokens(a, b, enforce_audit_ids=True)[source]

Assert that two tokens are equal.

Compare two tokens except for their ids. This also truncates the time in the comparison.

setUp()[source]
class keystone.tests.unit.test_auth.AuthWithPasswordCredentials(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_auth.AuthTest

test_auth_empty_password()[source]

Verify exception is raised if empty password.

test_auth_invalid_user()[source]

Verify exception is raised if invalid user.

test_auth_no_password()[source]

Verify exception is raised if empty password.

test_auth_valid_user_invalid_password()[source]

Verify exception is raised if invalid password.

test_authenticate_blank_password_credentials()[source]

Sending empty dict as passwordCredentials raises 400 Bad Requset.

test_authenticate_no_username()[source]

Verify skipping username raises the right exception.

test_bind_without_remote_user()[source]
test_change_default_domain_id()[source]
class keystone.tests.unit.test_auth.AuthWithRemoteUser(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_auth.AuthTest

test_bind_with_kerberos()[source]
test_bind_without_config_opt()[source]
test_scoped_nometa_remote_authn()[source]

Verify getting a token with external authn and no metadata.

test_scoped_remote_authn()[source]

Verify getting a token with external authn.

test_scoped_remote_authn_invalid_user()[source]

Verify that external auth with invalid user fails.

test_unscoped_remote_authn()[source]

Verify getting an unscoped token with external authn.

test_unscoped_remote_authn_jsonless()[source]

Verify that external auth with invalid request fails.

class keystone.tests.unit.test_auth.AuthWithToken(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_auth.AuthTest

test_auth_bad_formatted_token()[source]

Verify exception is raised if invalid token.

test_auth_invalid_token()[source]

Verify exception is raised if invalid token.

test_auth_scoped_token_bad_project_with_debug()[source]

Authenticating with an invalid project fails.

test_auth_scoped_token_bad_project_without_debug()[source]

Authenticating with an invalid project fails.

test_auth_token_project_group_role()[source]

Verify getting a token in a tenant with group roles.

test_auth_unscoped_token_no_project()[source]

Verify getting an unscoped token with an unscoped token.

test_auth_unscoped_token_project()[source]

Verify getting a token in a tenant with an unscoped token.

test_belongs_to()[source]
test_belongs_to_no_tenant()[source]
test_deleting_role_assignment_does_not_revoke_unscoped_token()[source]
test_deleting_role_revokes_token()[source]
test_only_original_audit_id_is_kept()[source]
test_revoke_by_audit_chain_id_chained_token()[source]
test_revoke_by_audit_chain_id_original_token()[source]
test_revoke_with_no_audit_info()[source]
test_token_auth_with_binding()[source]
test_unscoped_token()[source]

Verify getting an unscoped token with password creds.

class keystone.tests.unit.test_auth.AuthWithTrust(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_auth.AuthTest

assert_token_count_for_trust(trust, expected_value)[source]
build_v2_token_request(username, password, trust, tenant_id=None)[source]
config_overrides()[source]
create_trust(trust_data, trustor_name, expires_at=None, impersonation=True)[source]
disable_user(user)[source]
fetch_v2_token_from_trust(trust)[source]
fetch_v3_token_from_trust(trust, trustee)[source]
get_unscoped_token(username, password='foo2')[source]
setUp()[source]
test_create_trust()[source]
test_create_trust_bad_data_fails()[source]
test_create_trust_expires_bad()[source]
test_create_trust_expires_older_than_now()[source]
test_create_trust_impersonation()[source]
test_create_trust_no_impersonation()[source]
test_create_trust_no_roles()[source]
test_create_trust_without_project_id()[source]

Verify that trust can be created without project id.

Also, token can be generated with that trust.

test_create_v3_token_from_trust()[source]
test_delete_tokens_for_user_invalidates_tokens_from_trust()[source]
test_delete_trust_revokes_token()[source]
test_do_not_consume_remaining_uses_when_get_token_fails()[source]
test_expired_trust_get_token_fails()[source]
test_get_trust()[source]
test_get_trust_without_auth_context()[source]

Verify a trust cannot be retrieved if auth context is missing.

test_token_from_trust()[source]
test_token_from_trust_cant_get_another_token()[source]
test_token_from_trust_with_no_role_fails()[source]
test_token_from_trust_with_wrong_role_fails()[source]
test_token_from_trust_wrong_project_fails()[source]
test_token_from_trust_wrong_user_fails()[source]
test_trust_get_token_fails_if_trustee_disabled()[source]
test_trust_get_token_fails_if_trustor_disabled()[source]
test_v3_trust_token_get_token_fails()[source]
class keystone.tests.unit.test_auth.FernetAuthWithToken(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_auth.AuthWithToken

config_overrides()[source]
test_deleting_role_revokes_token()[source]
test_revoke_with_no_audit_info()[source]
test_token_auth_with_binding()[source]
class keystone.tests.unit.test_auth.NonDefaultAuthTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_add_non_default_auth_method()[source]
class keystone.tests.unit.test_auth.TokenExpirationTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_auth.AuthTest

test_maintain_uuid_token_expiration()[source]

keystone.tests.unit.test_auth_plugin module

class keystone.tests.unit.test_auth_plugin.SimpleChallengeResponse[source]

Bases: keystone.auth.core.AuthMethodHandler

authenticate(context, auth_payload, user_context)[source]
class keystone.tests.unit.test_auth_plugin.TestAuthPlugin(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

config_overrides()[source]
setUp()[source]
test_addition_auth_steps()[source]
test_duplicate_method()[source]
test_unsupported_auth_method()[source]
class keystone.tests.unit.test_auth_plugin.TestAuthPluginDynamicOptions(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_auth_plugin.TestAuthPlugin

config_files()[source]
config_overrides()[source]
class keystone.tests.unit.test_auth_plugin.TestMapped(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

auth_plugin_config_override(methods=None, **method_classes)[source]
config_files()[source]
setUp()[source]
test_mapped_with_remote_user()[source]
test_supporting_multiple_methods()[source]

keystone.tests.unit.test_backend_endpoint_policy module

class keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests[source]

Bases: object

load_sample_data()[source]

Create sample data to test policy associations.

The following data is created:

  • 3 regions, in a hierarchy, 0 -> 1 -> 2 (where 0 is top)
  • 3 services
  • 6 endpoints, 2 in each region, with a mixture of services: 0 - region 0, Service 0 1 - region 0, Service 1 2 - region 1, Service 1 3 - region 1, Service 2 4 - region 2, Service 2 5 - region 2, Service 0
test_delete_association_by_entity()[source]
test_invalid_policy_to_endpoint_association()[source]
test_overwriting_policy_to_endpoint_association()[source]
test_policy_to_endpoint_association_crud()[source]
test_policy_to_explicit_endpoint_association()[source]
test_policy_to_region_and_service_association()[source]
test_policy_to_service_association()[source]

keystone.tests.unit.test_backend_endpoint_policy_sql module

class keystone.tests.unit.test_backend_endpoint_policy_sql.SqlPolicyAssociationTable(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlModels

Set of tests for checking SQL Policy Association Mapping.

test_policy_association_mapping()[source]
class keystone.tests.unit.test_backend_endpoint_policy_sql.SqlPolicyAssociationTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests

load_fixtures(fixtures)[source]

keystone.tests.unit.test_backend_federation_sql module

class keystone.tests.unit.test_backend_federation_sql.SqlFederation(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlModels

Set of tests for checking SQL Federation.

test_federated_protocol()[source]
test_identity_provider()[source]
test_idp_remote_ids()[source]
test_mapping()[source]
test_service_provider()[source]

keystone.tests.unit.test_backend_id_mapping_sql module

class keystone.tests.unit.test_backend_id_mapping_sql.SqlIDMapping(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests

clean_sample_data()[source]
load_sample_data()[source]
setUp()[source]
test_delete_public_id_is_silent()[source]
test_id_mapping_crud()[source]
test_id_mapping_handles_unicode()[source]
test_invalid_public_key()[source]
test_purge_mappings()[source]
class keystone.tests.unit.test_backend_id_mapping_sql.SqlIDMappingTable(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlModels

Set of tests for checking SQL Identity ID Mapping.

test_id_mapping()[source]

keystone.tests.unit.test_backend_kvs module

class keystone.tests.unit.test_backend_kvs.KvsToken(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase, keystone.tests.unit.token.test_backends.TokenTests

setUp()[source]
test_cleanup_user_index_on_create()[source]
test_flush_expired_token()[source]
class keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase, keystone.tests.unit.token.test_backends.TokenCacheInvalidation

config_overrides()[source]
setUp()[source]

keystone.tests.unit.test_backend_ldap module

class keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity[source]

Bases: keystone.tests.unit.identity.test_backends.IdentityTests, keystone.tests.unit.assignment.test_backends.AssignmentTests, keystone.tests.unit.resource.test_backends.ResourceTests

config_files()[source]
config_overrides()[source]
get_config(domain_id)[source]
get_user_enabled_vals(user)[source]
new_user_ref(domain_id, project_id=None, **kwargs)[source]
setUp()[source]
test_add_remove_user_group_deprecated(*args, **keywargs)[source]
test_arbitrary_attributes_are_returned_from_get_user()[source]
test_authenticate_requires_simple_bind()[source]
test_build_tree()[source]

Regression test for building the tree names.

test_cache_layer_domain_crud()[source]
test_cache_layer_group_crud(*args, **kwargs)[source]
test_configurable_allowed_user_actions()[source]
test_configurable_forbidden_create_existing_user()[source]
test_configurable_forbidden_user_actions()[source]
test_create_duplicate_group_name_in_different_domains()[source]
test_create_duplicate_project_name_in_different_domains()[source]
test_create_duplicate_user_name_in_different_domains()[source]
test_create_project_with_domain_id_and_without_parent_id()[source]

Multiple domains are not supported.

test_create_project_with_domain_id_mismatch_to_parent_domain()[source]

Multiple domains are not supported.

test_create_user_none_mapping()[source]
test_create_user_with_boolean_string_names()[source]
test_del_role_assignment_by_domain_not_found()[source]
test_delete_role_with_user_and_group_grants()[source]
test_domain_crud()[source]
test_domain_delete_hierarchy()[source]
test_get_and_remove_correct_role_grant_from_a_mix()[source]
test_get_and_remove_role_grant_by_group_and_cross_domain()[source]
test_get_and_remove_role_grant_by_group_and_domain()[source]
test_get_and_remove_role_grant_by_group_and_project()[source]
test_get_and_remove_role_grant_by_user_and_cross_domain()[source]
test_get_and_remove_role_grant_by_user_and_domain()[source]
test_get_role_assignment_by_domain_not_found()[source]
test_get_roles_for_groups_on_domain()[source]
test_get_roles_for_groups_on_project()[source]
test_get_roles_for_user_and_domain()[source]
test_group_crud(*args, **keywargs)[source]
test_group_enabled_ignored_disable_error()[source]
test_list_domains()[source]
test_list_domains_for_groups()[source]
test_list_group_members_dumb_member()[source]
test_list_group_members_missing_entry()[source]

List group members with deleted user.

If a group has a deleted entry for a member, the non-deleted members are returned.

test_list_group_members_when_no_members()[source]
test_list_groups_by_name_and_with_filter()[source]
test_list_projects_for_groups()[source]
test_list_projects_for_user()[source]
test_list_projects_for_user_and_groups()[source]
test_list_projects_for_user_with_grants()[source]
test_list_role_assignment_by_domain()[source]

Multiple domain assignments are not supported.

test_list_role_assignment_by_user_with_domain_group_roles()[source]

Multiple domain assignments are not supported.

test_list_role_assignment_containing_names()[source]
test_list_role_assignment_using_sourced_groups_with_domains()[source]

Multiple domain assignments are not supported.

test_list_role_assignments_dumb_member()[source]
test_list_role_assignments_unfiltered()[source]
test_list_user_ids_for_project_dumb_member()[source]
test_list_users_by_name_and_with_filter()[source]
test_move_group_between_domains()[source]
test_move_group_between_domains_with_clashing_names_fails()[source]
test_move_project_between_domains()[source]
test_move_project_between_domains_with_clashing_names_fails()[source]
test_move_user_between_domains()[source]
test_move_user_between_domains_with_clashing_names_fails()[source]
test_multi_group_grants_on_project_domain()[source]
test_multi_role_grant_by_user_group_on_project_domain()[source]
test_new_arbitrary_attributes_are_returned_from_update_user()[source]
test_project_enabled_ignored_disable_error()[source]
test_remove_foreign_assignments_when_deleting_a_domain()[source]

Multiple domains are not supported.

test_remove_role_grant_from_user_and_project()[source]
test_role_grant_by_group_and_cross_domain_project()[source]
test_role_grant_by_user_and_cross_domain_project()[source]
test_unignored_user_none_mapping()[source]
test_update_user_name()[source]

A user’s name cannot be changed through the LDAP driver.

test_updated_arbitrary_attributes_are_returned_from_update_user()[source]
test_user_enabled_ignored_disable_error()[source]
test_user_filter()[source]
test_user_id_comma()[source]

Even if the user has a , in their ID, groups can be listed.

test_user_id_comma_grants()[source]

List user and group grants, even with a comma in the user’s ID.

class keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity[source]

Bases: object

Mixin class with support methods for domain-specific config testing.

check_user(user, domain_id, expected_status)[source]

Check user is in correct backend.

As part of the tests, we want to force ourselves to manually select the driver for a given domain, to make sure the entity ended up in the correct backend.

create_users_across_domains()[source]

Create a set of users, each with a role on their own domain.

setup_initial_domains()[source]
test_authenticate_to_each_domain()[source]

Test that a user in each domain can authenticate.

class keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase, keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity

Class to test when all domains use specific configs, including SQL.

We define a set of domains and domain-specific backends:

  • A separate LDAP backend for the default domain
  • A separate SQL backend for domain1

Although the default driver still exists, we don’t use it.

config_overrides()[source]
get_config(domain_id)[source]
initial_setup(sqldb)[source]
setUp()[source]
test_add_role_grant_to_user_and_project_returns_not_found()[source]
test_create_project_with_domain_id_and_without_parent_id()[source]
test_create_project_with_domain_id_mismatch_to_parent_domain()[source]
test_delete_domain()[source]
test_delete_domain_with_project_api()[source]
test_domain_crud()[source]
test_domain_segregation()[source]

Test that separate configs have segregated the domain.

Test Plan:

  • Users were created in each domain as part of setup, now make sure you can only find a given user in its relevant domain/backend
  • Make sure that for a backend that supports multiple domains you can get the users via any of its domains
test_get_role_grants_for_user_and_project_returns_not_found()[source]
test_get_roles_for_user_and_project_user_group_same_id()[source]
test_group_enabled_ignored_disable_error()[source]
test_list_domains()[source]
test_list_domains_non_default_domain_id()[source]
test_list_projects_for_user_with_grants()[source]
test_list_role_assignments_filtered_by_role()[source]
test_list_users()[source]
test_not_delete_domain_with_enabled_subdomains()[source]
test_project_enabled_ignored_disable_error()[source]
test_user_enabled_ignored_disable_error()[source]
test_user_id_comma()[source]
test_user_id_comma_grants()[source]
class keystone.tests.unit.test_backend_ldap.DomainSpecificSQLIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity

Class to test simplest use of domain-specific SQL driver.

The simplest use of an SQL domain-specific backend is when it is used to augment the standard case when LDAP is the default driver defined in the main config file. This would allow, for example, service users to be stored in SQL while LDAP handles the rest. Hence we define:

  • The default driver uses the LDAP backend for the default domain
  • A separate SQL backend for domain1
config_overrides()[source]
get_config(domain_id)[source]
initial_setup(sqldb)[source]
test_default_sql_plus_sql_specific_driver_fails()[source]
test_multiple_sql_specific_drivers_fails()[source]
class keystone.tests.unit.test_backend_ldap.LDAPIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.TestCase

load_fixtures(fixtures)[source]
setUp()[source]
test_base_ldap_connection_deref_option()[source]
test_cache_layer_domain_crud()[source]
test_cache_layer_project_crud(*args, **kwargs)[source]
test_cannot_enable_cascade_with_parent_disabled()[source]
test_chase_referrals_off(*args, **keywargs)[source]
test_chase_referrals_on(*args, **keywargs)[source]
test_check_hierarchy_depth()[source]
test_check_leaf_projects()[source]
test_configurable_allowed_project_actions()[source]
test_configurable_forbidden_project_actions()[source]
test_configurable_subtree_delete()[source]
test_create_domain()[source]
test_create_domain_case_sensitivity(*args, **kwargs)[source]
test_create_domain_under_regular_project_hierarchy_fails()[source]
test_create_leaf_project_with_invalid_domain()[source]
test_create_not_is_domain_project_under_is_domain_hierarchy()[source]
test_create_project_passing_is_domain_flag_true()[source]
test_create_project_under_disabled_one()[source]
test_create_project_with_invalid_parent()[source]
test_create_project_with_parent_id_and_without_domain_id()[source]
test_debug_level_set(*args, **keywargs)[source]
test_delete_hierarchical_leaf_project()[source]
test_delete_hierarchical_not_leaf_project()[source]
test_delete_is_domain_project()[source]
test_disable_hierarchical_leaf_project()[source]
test_disable_hierarchical_not_leaf_project()[source]
test_domain_rename_invalidates_get_domain_by_name_cache()[source]
test_dumb_member()[source]
test_enable_project_with_disabled_parent()[source]
test_get_default_domain_by_name()[source]
test_get_id_from_dn_for_multivalued_attribute_id(*args, **keywargs)[source]
test_hierarchical_projects_crud()[source]
test_id_attribute_not_found(*args, **keywargs)[source]
test_is_dumb_member()[source]
test_is_dumb_member_not_dumb()[source]
test_is_dumb_member_upper_case_keys()[source]
test_is_dumb_member_with_false_use_dumb_member()[source]
test_list_domains()[source]
test_list_groups_for_user_no_dn()[source]
test_list_groups_no_dn()[source]
test_list_project_parents()[source]
test_list_projects_for_alternate_domain()[source]
test_list_projects_in_subtree()[source]
test_list_projects_in_subtree_with_circular_reference()[source]
test_list_users_no_dn()[source]
test_multi_role_grant_by_user_group_on_project_domain()[source]
test_parse_extra_attribute_mapping()[source]
test_project_attribute_ignore()[source]
test_project_attribute_mapping()[source]
test_project_crud()[source]
test_project_filter()[source]
test_project_rename_invalidates_get_project_by_name_cache()[source]
test_update_is_domain_field()[source]
test_update_project_enabled_cascade()[source]
test_update_project_parent()[source]
test_user_api_get_connection_no_user_password(*args, **keywargs)[source]

Don’t bind in case the user and password are blank.

test_user_description_attribute_mapping()[source]
test_user_enable_attribute_mask()[source]
test_user_enabled_attribute_handles_expired(*args, **keywargs)[source]
test_user_enabled_attribute_handles_utf8(*args, **keywargs)[source]
test_user_enabled_invert()[source]
test_user_enabled_invert_default_str_value(*args, **keywargs)[source]
test_user_enabled_invert_no_enabled_value(*args, **keywargs)[source]
test_user_extra_attribute_mapping()[source]
test_user_extra_attribute_mapping_description_is_returned()[source]
test_user_id_attribute_in_create()[source]
test_user_id_attribute_map()[source]
test_user_id_not_in_dn(*args, **keywargs)[source]
test_user_mixed_case_attribute(*args, **keywargs)[source]
test_user_name_in_dn(*args, **keywargs)[source]
test_user_with_missing_id()[source]
test_wrong_alias_dereferencing()[source]
test_wrong_ldap_scope()[source]
class keystone.tests.unit.test_backend_ldap.LDAPIdentityEnabledEmulation(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap.LDAPIdentity

config_files()[source]
config_overrides()[source]
load_fixtures(fixtures)[source]
setUp()[source]
test_escape_member_dn()[source]
test_project_crud()[source]
test_user_auth_emulated()[source]
test_user_crud(*args, **keywargs)[source]
test_user_enable_attribute_mask()[source]
test_user_enabled_attribute_handles_utf8(*args, **keywargs)[source]
test_user_enabled_invert()[source]
test_user_enabled_invert_default_str_value()[source]
test_user_enabled_invert_no_enabled_value()[source]
test_user_enabled_use_group_config()[source]
class keystone.tests.unit.test_backend_ldap.LDAPLimitTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase, keystone.tests.unit.identity.test_backends.LimitTests

config_files()[source]
config_overrides()[source]
setUp()[source]
test_list_projects_filtered_and_limited()[source]
class keystone.tests.unit.test_backend_ldap.LDAPPosixGroupsTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

config_files()[source]
config_overrides()[source]
load_fixtures(fixtures)[source]
setUp()[source]
test_posix_member_id()[source]
class keystone.tests.unit.test_backend_ldap.LdapFilterTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.identity.test_backends.FilterTests, keystone.tests.unit.core.TestCase

config_files()[source]
config_overrides()[source]
setUp()[source]
test_list_users_in_group_exact_filtered(*args, **kwargs)[source]
test_list_users_in_group_inexact_filtered(*args, **kwargs)[source]
class keystone.tests.unit.test_backend_ldap.LdapIdentityWithMapping(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

Class to test mapping of default LDAP backend.

The default configuration is not to enable mapping when using a single backend LDAP driver. However, a cloud provider might want to enable the mapping, hence hiding the LDAP IDs from any clients of keystone. Setting backward_compatible_ids to False will enable this mapping.

config_files()[source]
config_overrides()[source]
setUp()[source]
test_dynamic_mapping_build()[source]

Test to ensure entities not create via controller are mapped.

Many LDAP backends will, essentially, by Read Only. In these cases the mapping is not built by creating objects, rather from enumerating the entries. We test this here my manually deleting the mapping and then trying to re-read the entries.

test_get_roles_for_user_and_project_user_group_same_id()[source]
test_list_domains()[source]
class keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity, keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase, keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity

Class to test common SQL plus individual LDAP backends.

We define a set of domains and domain-specific backends:

  • A separate LDAP backend for the default domain
  • A separate LDAP backend for domain1
  • domain2 shares the same LDAP as domain1, but uses a different tree attach point
  • An SQL backend for all other domains (which will include domain3 and domain4)

Normally one would expect that the default domain would be handled as part of the “other domains” - however the above provides better test coverage since most of the existing backend tests use the default domain.

assert_backends()[source]
config_overrides()[source]
enable_multi_domain()[source]

Enable the chosen form of multi domain configuration support.

This method enables the file-based configuration support. Child classes that wish to use the database domain configuration support should override this method and set the appropriate config_fixture option.

get_config(domain_id)[source]
setUp()[source]
test_create_project_with_domain_id_and_without_parent_id()[source]
test_create_project_with_domain_id_mismatch_to_parent_domain()[source]
test_delete_domain_with_user_added()[source]
test_domain_segregation()[source]

Test that separate configs have segregated the domain.

Test Plan:

  • Users were created in each domain as part of setup, now make sure you can only find a given user in its relevant domain/backend
  • Make sure that for a backend that supports multiple domains you can get the users via any of its domains
test_existing_uuids_work()[source]

Test that ‘uni-domain’ created IDs still work.

Throwing the switch to domain-specific backends should not cause existing identities to be inaccessible via ID.

test_group_enabled_ignored_disable_error()[source]
test_list_limit_domain_specific_inheritance(*args, **keywargs)[source]
test_list_limit_domain_specific_override(*args, **keywargs)[source]
test_list_role_assignment_by_domain()[source]
test_list_role_assignment_by_user_with_domain_group_roles()[source]
test_list_role_assignment_using_sourced_groups_with_domains()[source]
test_list_role_assignments_filtered_by_role()[source]
test_list_users()[source]
test_project_enabled_ignored_disable_error()[source]
test_remove_foreign_assignments_when_deleting_a_domain()[source]
test_scanning_of_config_dir()[source]

Test the Manager class scans the config directory.

The setup for the main tests above load the domain configs directly so that the test overrides can be included. This test just makes sure that the standard config directory scanning does pick up the relevant domain config files.

test_user_enabled_ignored_disable_error()[source]
class keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentityDomainConfigsInSQL(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity

Class to test the use of domain configs stored in the database.

Repeat the same tests as MultiLDAPandSQLIdentity, but instead of using the domain specific config files, store the domain specific values in the database.

assert_backends()[source]
enable_multi_domain()[source]
test_delete_domain_clears_sql_registration()[source]

Ensure registration is deleted when a domain is deleted.

test_domain_config_has_no_impact_if_database_support_disabled()[source]

Ensure database domain configs have no effect if disabled.

Set reading from database configs to false, restart the backends and then try and set and use database configs.

test_orphaned_registration_does_not_prevent_getting_sql_driver()[source]

Ensure we self heal an orphaned sql registration.

test_reloading_domain_config()[source]

Ensure domain drivers are reloaded on a config modification.

test_same_domain_gets_sql_driver()[source]

Ensure we can set an SQL driver if we have had it before.

test_setting_multiple_sql_driver_raises_exception()[source]

Ensure setting multiple domain specific sql drivers is prevented.

keystone.tests.unit.test_backend_ldap.create_group_container(identity_api)[source]

keystone.tests.unit.test_backend_ldap_pool module

class keystone.tests.unit.test_backend_ldap_pool.LDAPIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin, keystone.tests.unit.test_backend_ldap.LDAPIdentity, keystone.tests.unit.core.TestCase

Executes tests in existing base class with pooled LDAP handler.

config_files()[source]
setUp()[source]
test_utf8_encoded_is_used_in_pool(*args, **keywargs)[source]
class keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin[source]

Bases: object

LDAP pool specific common tests used here and in live tests.

cleanup_pools()[source]
test_handler_with_end_user_auth_use_pool_not_enabled(*args, **keywargs)[source]
test_handler_with_use_pool_enabled()[source]
test_handler_with_use_pool_not_enabled(*args, **keywargs)[source]
test_max_connection_error_raised()[source]
test_password_change_with_pool()[source]
test_pool_connection_lifetime_set()[source]
test_pool_retry_delay_set()[source]
test_pool_retry_max_set()[source]
test_pool_size_expands_correctly()[source]
test_pool_size_set()[source]
test_pool_timeout_set()[source]
test_pool_use_pool_set()[source]
test_pool_use_tls_set()[source]

keystone.tests.unit.test_backend_rules module

class keystone.tests.unit.test_backend_rules.RulesPolicy(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase, keystone.tests.unit.policy.test_backends.PolicyTests

config_overrides()[source]
setUp()[source]
test_create()[source]
test_delete()[source]
test_delete_policy_returns_not_found()[source]
test_get()[source]
test_get_policy_returns_not_found()[source]
test_list()[source]
test_update()[source]
test_update_policy_returns_not_found()[source]

keystone.tests.unit.test_backend_sql module

class keystone.tests.unit.test_backend_sql.FakeTable(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base

col
insert(*args, **kwargs)[source]
lookup(*args, **kwargs)[source]
update(*args, **kwargs)[source]
class keystone.tests.unit.test_backend_sql.SqlCatalog(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.catalog.test_backends.CatalogTests

test_catalog_ignored_malformed_urls()[source]
test_create_endpoint_region_returns_not_found()[source]
test_create_region_invalid_id()[source]
test_create_region_invalid_parent_id()[source]
test_delete_region_with_endpoint()[source]
test_get_catalog_with_empty_public_url()[source]
class keystone.tests.unit.test_backend_sql.SqlCredential(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests

setUp()[source]
test_list_credentials()[source]
test_list_credentials_for_user()[source]
test_list_credentials_for_user_and_type()[source]
class keystone.tests.unit.test_backend_sql.SqlDecorators(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_conflict_happend()[source]
test_initialization()[source]
test_initialization_fail()[source]
test_not_conflict_error()[source]
class keystone.tests.unit.test_backend_sql.SqlFilterTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.identity.test_backends.FilterTests

clean_up_entities()[source]

Clean up entity test data from Filter Test Cases.

test_filter_sql_injection_attack()[source]

Test against sql injection attack on filters

Test Plan: - Attempt to get all entities back by passing a two-term attribute - Attempt to piggyback filter to damage DB (e.g. drop table)

test_list_entities_filtered_by_domain()[source]
class keystone.tests.unit.test_backend_sql.SqlIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.identity.test_backends.IdentityTests, keystone.tests.unit.assignment.test_backends.AssignmentTests, keystone.tests.unit.resource.test_backends.ResourceTests

test_create_federated_user_unique_constraint()[source]
test_create_null_project_name()[source]
test_create_null_user_name()[source]
test_create_project_case_sensitivity()[source]
test_create_user_case_sensitivity()[source]
test_create_user_with_null_password()[source]
test_delete_project_with_user_association()[source]
test_delete_user_with_project_association()[source]
test_get_federated_user()[source]
test_hidden_project_domain_root_is_really_hidden()[source]

Ensure we cannot access the hidden root of all project domains.

Calling any of the driver methods should result in the same as would be returned if we passed a project that does not exist. We don’t test create_project, since we do not allow a caller of our API to specify their own ID for a new entity.

test_list_domains_for_user()[source]
test_list_domains_for_user_with_grants()[source]
test_list_domains_for_user_with_inherited_grants()[source]

Test that inherited roles on the domain are excluded.

Test Plan:

  • Create two domains, one user, group and role
  • Domain1 is given an inherited user role, Domain2 an inherited group role (for a group of which the user is a member)
  • When listing domains for user, neither domain should be returned
test_password_hashed()[source]
test_sql_user_to_dict_null_default_project_id()[source]
test_storing_null_domain_id_in_project_ref()[source]

Test the special storage of domain_id=None in sql resource driver.

The resource driver uses a special value in place of None for domain_id in the project record. This shouldn’t escape the driver. Hence we test the interface to ensure that you can store a domain_id of None, and that any special value used inside the driver does not escape through the interface.

test_update_federated_user_display_name()[source]
test_update_project_returns_extra()[source]

This tests for backwards-compatibility with an essex/folsom bug.

Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.

This behavior is specific to the SQL driver.

test_update_user_returns_extra()[source]

This tests for backwards-compatibility with an essex/folsom bug.

Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.

This behavior is specific to the SQL driver.

test_update_user_with_null_password()[source]
class keystone.tests.unit.test_backend_sql.SqlImpliedRoles(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.assignment.test_backends.ImpliedRoleTests

class keystone.tests.unit.test_backend_sql.SqlInheritance(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.assignment.test_backends.InheritanceTests

class keystone.tests.unit.test_backend_sql.SqlLimitTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.identity.test_backends.LimitTests

setUp()[source]
class keystone.tests.unit.test_backend_sql.SqlModels(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests

assertExpectedSchema(table, expected_schema)[source]

Assert that a table’s schema is what we expect.

Parameters:
  • table (string) – the name of the table to inspect
  • expected_schema (tuple) – a tuple of tuples containing the expected schema
Raises AssertionError:
 

when the database schema doesn’t match the expected schema

The expected_schema format is simply:

(
    ('column name', sql type, qualifying detail),
    ...
)

The qualifying detail varies based on the type of the column:

- sql.Boolean columns must indicate the column's default value or
  None if there is no default
- Columns with a length, like sql.String, must indicate the
  column's length
- All other column types should use None

Example:

cols = (('id', sql.String, 64),
        ('enabled', sql.Boolean, True),
        ('extra', sql.JsonBlob, None))
self.assertExpectedSchema('table_name', cols)
select_table(name)[source]
test_domain_model()[source]
test_federated_user_model()[source]
test_group_model()[source]
test_local_user_model()[source]
test_password_model()[source]
test_project_model()[source]
test_revocation_event_model()[source]
test_role_assignment_model()[source]
test_user_group_membership()[source]
test_user_model()[source]
class keystone.tests.unit.test_backend_sql.SqlModuleInitialization(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_initialize_module(*args, **keywargs)[source]
class keystone.tests.unit.test_backend_sql.SqlPolicy(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.policy.test_backends.PolicyTests

class keystone.tests.unit.test_backend_sql.SqlTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

config_files()[source]
setUp()[source]
class keystone.tests.unit.test_backend_sql.SqlToken(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.token.test_backends.TokenTests

test_expiry_range_batched()[source]
test_expiry_range_strategy_ibm_db_sa()[source]
test_expiry_range_strategy_mysql()[source]
test_expiry_range_strategy_sqlite()[source]
test_flush_expired_tokens_batch()[source]
test_flush_expired_tokens_batch_mysql()[source]
test_token_revocation_list_uses_right_columns()[source]
class keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidation(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.token.test_backends.TokenCacheInvalidation

setUp()[source]
class keystone.tests.unit.test_backend_sql.SqlTrust(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.trust.test_backends.TrustTests

keystone.tests.unit.test_backend_templated module

class keystone.tests.unit.test_backend_templated.TestTemplatedCatalog(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase, keystone.tests.unit.catalog.test_backends.CatalogTests

DEFAULT_FIXTURE = {'RegionOne': {'compute': {'adminURL': 'http://localhost:8774/v1.1/bar', 'id': '2', 'name': "'Compute Service'", 'internalURL': 'http://localhost:8774/v1.1/bar', 'publicURL': 'http://localhost:8774/v1.1/bar'}, 'identity': {'adminURL': 'http://localhost:35357/v2.0', 'id': '1', 'name': "'Identity Service'", 'internalURL': 'http://localhost:35357/v2.0', 'publicURL': 'http://localhost:5000/v2.0'}}}
assert_catalogs_equal(expected, observed)[source]
config_overrides()[source]
setUp()[source]
test_avoid_creating_circular_references_in_regions_update()[source]
test_cache_layer_delete_service_with_endpoint()[source]
test_cache_layer_region_crud(*args, **kwargs)[source]
test_cache_layer_service_crud(*args, **kwargs)[source]
test_catalog_ignored_malformed_urls(*args, **kwargs)[source]
test_circular_regions_can_be_deleted(*args, **keywargs)[source]
test_create_endpoint()[source]
test_create_endpoint_nonexistent_region()[source]
test_create_region_invalid_parent_region_returns_not_found()[source]
test_create_region_with_duplicate_id()[source]
test_delete_endpoint_returns_not_found()[source]
test_delete_region_returns_not_found()[source]
test_delete_service_returns_not_found()[source]
test_delete_service_with_endpoint()[source]
test_get_catalog()[source]
test_get_catalog_endpoint_disabled()[source]
test_get_catalog_ignores_endpoints_with_invalid_urls()[source]
test_get_endpoint_returns_not_found()[source]
test_get_v3_catalog()[source]
test_get_v3_catalog_endpoint_disabled()[source]
test_invalidate_cache_when_updating_endpoint(*args, **kwargs)[source]
test_invalidate_cache_when_updating_region(*args, **kwargs)[source]
test_invalidate_cache_when_updating_service(*args, **kwargs)[source]
test_list_endpoints()[source]
test_list_regions_filtered_by_parent_region_id()[source]
test_list_services_with_hints()[source]
test_region_crud()[source]
test_service_crud()[source]
test_service_filtering()[source]
test_update_endpoint()[source]
test_update_endpoint_nonexistent_region()[source]
test_update_endpoint_nonexistent_service()[source]

keystone.tests.unit.test_catalog module

class keystone.tests.unit.test_catalog.TestV2CatalogAPISQL(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

config_overrides()[source]
create_endpoint(service_id, **kwargs)[source]
setUp()[source]
test_get_catalog_always_returns_service_name()[source]
test_get_catalog_ignores_endpoints_with_invalid_urls()[source]
class keystone.tests.unit.test_catalog.V2CatalogTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.rest.RestfulTestCase

config_overrides()[source]
setUp()[source]
test_endpoint_create()[source]
test_endpoint_create_with_empty_adminurl()[source]
test_endpoint_create_with_empty_internalurl()[source]
test_endpoint_create_with_empty_publicurl()[source]
test_endpoint_create_with_empty_service_id()[source]
test_endpoint_create_with_invalid_url()[source]

Test the invalid cases: substitutions is not exactly right.

test_endpoint_create_with_null_adminurl()[source]
test_endpoint_create_with_null_internalurl()[source]
test_endpoint_create_with_null_publicurl()[source]
test_endpoint_create_with_null_service_id()[source]
test_endpoint_create_with_valid_url()[source]

Create endpoint with valid URL should be tested, too.

test_pure_v3_endpoint_with_publicurl_visible_from_v2()[source]

Test pure v3 endpoint can be fetched via v2.0 API.

For those who are using v2.0 APIs, endpoints created by v3 API should also be visible as there are no differences about the endpoints except the format or the internal implementation. Since publicURL is required for v2.0 API, so only v3 endpoints of the service which have the public interface endpoint will be converted into v2.0 endpoints.

test_pure_v3_endpoint_without_publicurl_invisible_from_v2()[source]

Test that the v2.0 API can’t fetch v3 endpoints without publicURLs.

v2.0 API will return endpoints created by v3 API, but publicURL is required for the service in the v2.0 API, therefore v3 endpoints of a service which don’t have publicURL will be ignored.

keystone.tests.unit.test_cert_setup module

class keystone.tests.unit.test_cert_setup.CertSetupTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.rest.RestfulTestCase

config_overrides()[source]
setUp()[source]
test_can_handle_missing_certs()[source]
test_create_pki_certs(rebuild=False)[source]
test_create_pki_certs_twice_without_rebuild()[source]
test_create_ssl_certs(rebuild=False)[source]
test_create_ssl_certs_twice_without_rebuild()[source]
test_failure()[source]
test_fetch_signing_cert(rebuild=False)[source]
test_fetch_signing_cert_when_rebuild()[source]
test_pki_certs_rebuild()[source]
test_rebuild_pki_certs_remove_error(*args, **keywargs)[source]
test_rebuild_ssl_certs_remove_error(*args, **keywargs)[source]
test_ssl_certs_rebuild()[source]
class keystone.tests.unit.test_cert_setup.TestExecCommand(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_running_a_successful_command(*args, **keywargs)[source]
test_running_an_invalid_command(*args, **keywargs)[source]

keystone.tests.unit.test_cli module

class keystone.tests.unit.test_cli.CliBootStrapTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

config(config_files)[source]
config_files()[source]
setUp()[source]
test_bootstrap()[source]
test_bootstrap_is_idempotent_when_password_does_not_change()[source]
test_bootstrap_is_not_idempotent_when_password_does_change()[source]
test_bootstrap_recovers_user()[source]
class keystone.tests.unit.test_cli.CliBootStrapTestCaseWithEnvironment(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_cli.CliBootStrapTestCase

config(config_files)[source]
setUp()[source]
test_assignment_created_with_project_exists()[source]
test_assignment_created_with_region_exists()[source]
test_assignment_created_with_role_exists()[source]
test_assignment_created_with_user_exists()[source]
test_endpoints_created_with_endpoint_exists()[source]
test_endpoints_created_with_service_exists()[source]
class keystone.tests.unit.test_cli.CliDomainConfigAllTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

cleanup()[source]
cleanup_domains()[source]
config(config_files)[source]
config_files()[source]
setUp()[source]
setup_initial_domains()[source]
test_config_upload()[source]
class keystone.tests.unit.test_cli.CliDomainConfigInvalidDomainTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_cli.CliDomainConfigAllTestCase

config(config_files)[source]
test_config_upload()[source]
class keystone.tests.unit.test_cli.CliDomainConfigNoOptionsTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_cli.CliDomainConfigAllTestCase

config(config_files)[source]
test_config_upload()[source]
class keystone.tests.unit.test_cli.CliDomainConfigSingleDomainTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_cli.CliDomainConfigAllTestCase

config(config_files)[source]
test_config_upload()[source]
test_no_overwrite_config()[source]
class keystone.tests.unit.test_cli.CliDomainConfigTooManyOptionsTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_cli.CliDomainConfigAllTestCase

config(config_files)[source]
test_config_upload()[source]
class keystone.tests.unit.test_cli.CliTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

config_files()[source]
test_token_flush()[source]
class keystone.tests.unit.test_cli.TestDomainConfigFinder(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

setUp()[source]
test_finder_ignores_files(*args, **keywargs)[source]

keystone.tests.unit.test_config module

class keystone.tests.unit.test_config.ConfigTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

config_files()[source]
test_config_default()[source]
test_paste_config()[source]
class keystone.tests.unit.test_config.DeprecatedOverrideTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Test using the deprecated AND new name for renamed options.

config_files()[source]
test_sql()[source]
class keystone.tests.unit.test_config.DeprecatedTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Test using the original (deprecated) name for renamed options.

config_files()[source]
test_sql()[source]

keystone.tests.unit.test_contrib_s3_core module

class keystone.tests.unit.test_contrib_s3_core.S3ContribCore(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_bad_signature_v1()[source]
test_bad_signature_v4()[source]
test_bad_token_v4()[source]
test_good_signature_v1()[source]
test_good_signature_v4()[source]

keystone.tests.unit.test_contrib_simple_cert module

class keystone.tests.unit.test_contrib_simple_cert.BaseTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

CA_PATH = '/v3/OS-SIMPLE-CERT/ca'
CERT_PATH = '/v3/OS-SIMPLE-CERT/certificates'
class keystone.tests.unit.test_contrib_simple_cert.TestSimpleCert(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_contrib_simple_cert.BaseTestCase

request_cert(path)[source]
test_ca_cert()[source]
test_missing_file()[source]
test_signing_cert()[source]

keystone.tests.unit.test_credential module

class keystone.tests.unit.test_credential.V2CredentialEc2Controller(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_check_non_admin_user()[source]

Checking if user is admin causes uncaught error.

When checking if a user is an admin, keystone.exception.Unauthorized is raised but not caught if the user is not an admin.

test_signature_validate_invalid_signature()[source]

Signature is not signed on the correct data.

test_signature_validate_no_host_port()[source]

Test signature validation with the access/secret provided.

test_signature_validate_no_signature()[source]

Signature is not presented in signature reference data.

test_signature_validate_with_host_port()[source]

Test signature validation when host is bound with port.

Host is bound with a port, generally, the port here is not the standard port for the protocol, like ‘80’ for HTTP and port 443 for HTTPS, the port is not omitted by the client library.

test_signature_validate_with_missed_host_port()[source]

Test signature validation when host is bound with well-known port.

Host is bound with a port, but the port is well-know port like ‘80’ for HTTP and port 443 for HTTPS, sometimes, client library omit the port but then make the request with the port. see (How to create the string to sign): ‘http://docs.aws.amazon.com/ general/latest/gr/signature-version-2.html’.

Since “credentials[‘host’]” is not set by client library but is taken from “req.host”, so caused the differences.

class keystone.tests.unit.test_credential.V2CredentialEc2TestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.rest.RestfulTestCase

assertValidErrorResponse(r)[source]
setUp()[source]
test_ec2_cannot_get_non_ec2_credential()[source]
test_ec2_list_credentials()[source]

keystone.tests.unit.test_driver_hints module

class keystone.tests.unit.test_driver_hints.ListHintsTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_create_iterate_satisfy()[source]
test_limits()[source]
test_multiple_creates()[source]

keystone.tests.unit.test_entry_points module

class keystone.tests.unit.test_entry_points.TestPasteDeploymentEntryPoints(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_entry_point_middleware()[source]

Assert that our list of expected middleware is present.

keystone.tests.unit.test_exception module

class keystone.tests.unit.test_exception.ExceptionTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

assertValidJsonRendering(e)[source]
test_all_json_renderings()[source]

Everything callable in the exception module should be renderable.

... except for the base error class (exception.Error), which is not user-facing.

This test provides a custom message to bypass docstring parsing, which should be tested separately.

test_forbidden_title()[source]
test_invalid_unicode_string()[source]
test_not_found()[source]
test_unicode_message()[source]
test_unicode_string()[source]
test_validation_error()[source]
class keystone.tests.unit.test_exception.SecurityErrorTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_exception.ExceptionTestCase

Tests whether security-related info is exposed to the API user.

setUp()[source]
test_forbidden_action_exposure()[source]
test_forbidden_action_exposure_in_debug()[source]
test_forbidden_action_no_message()[source]
test_forbidden_exposure()[source]
test_forbidden_exposure_in_debug()[source]
test_unauthorized_exposure()[source]
test_unauthorized_exposure_in_debug()[source]
test_unicode_argument_message()[source]
class keystone.tests.unit.test_exception.UnexpectedExceptionTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_exception.ExceptionTestCase

Tests if internal info is exposed to the API user on UnexpectedError.

exception SubClassExc(message=None, **kwargs)[source]

Bases: keystone.exception.UnexpectedError

debug_message_format = 'Debug Message: %(debug_info)s'
UnexpectedExceptionTestCase.setUp()[source]
UnexpectedExceptionTestCase.test_unexpected_error_custom_message_binary_debug()[source]
UnexpectedExceptionTestCase.test_unexpected_error_custom_message_debug()[source]
UnexpectedExceptionTestCase.test_unexpected_error_custom_message_exception_debug()[source]
UnexpectedExceptionTestCase.test_unexpected_error_custom_message_no_debug()[source]
UnexpectedExceptionTestCase.test_unexpected_error_debug()[source]
UnexpectedExceptionTestCase.test_unexpected_error_no_debug()[source]
UnexpectedExceptionTestCase.test_unexpected_error_subclass_debug()[source]
UnexpectedExceptionTestCase.test_unexpected_error_subclass_no_debug()[source]

keystone.tests.unit.test_hacking_checks module

class keystone.tests.unit.test_hacking_checks.BaseLoggingCheck(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck

assert_has_errors(code, expected_errors=None)[source]
get_checker()[source]
get_fixture()[source]
class keystone.tests.unit.test_hacking_checks.BaseStyleCheck(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

assert_has_errors(code, expected_errors=None)[source]
get_checker()[source]

Returns the checker to be used for tests in this class.

get_fixture()[source]
run_check(*args, **keywargs)[source]
setUp()[source]
class keystone.tests.unit.test_hacking_checks.TestAssertingNoneEquality(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck

get_checker()[source]
test()[source]
class keystone.tests.unit.test_hacking_checks.TestBlockCommentsBeginWithASpace(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck

get_checker()[source]
test()[source]
class keystone.tests.unit.test_hacking_checks.TestCheckForDebugLoggingIssues(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_hacking_checks.BaseLoggingCheck

test_for_translations()[source]
class keystone.tests.unit.test_hacking_checks.TestCheckForMutableDefaultArgs(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck

get_checker()[source]
test()[source]
class keystone.tests.unit.test_hacking_checks.TestCheckForNonDebugLoggingIssues(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_hacking_checks.BaseLoggingCheck

test_for_translations()[source]
class keystone.tests.unit.test_hacking_checks.TestDictConstructorWithSequenceCopy(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_hacking_checks.BaseStyleCheck

get_checker()[source]
test()[source]
class keystone.tests.unit.test_hacking_checks.TestLoggingWithWarn(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_hacking_checks.BaseLoggingCheck

test()[source]

keystone.tests.unit.test_ipv6 module

class keystone.tests.unit.test_ipv6.IPv6TestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_ipv6_ok()[source]

Make sure both public and admin API work with ipv6.

keystone.tests.unit.test_kvs module

class keystone.tests.unit.test_kvs.KVSBackendFixture(arguments)[source]

Bases: keystone.common.kvs.backends.inmemdb.MemoryBackend

get_mutex(key)[source]
classmethod key_mangler(key)[source]
class keystone.tests.unit.test_kvs.KVSBackendForcedKeyMangleFixture(arguments)[source]

Bases: keystone.tests.unit.test_kvs.KVSBackendFixture

classmethod key_mangler(key)[source]
use_backend_key_mangler = True
class keystone.tests.unit.test_kvs.KVSTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_kvs_backend_registration_does_not_reregister_backends()[source]
test_kvs_basic_configuration()[source]
test_kvs_basic_get_set_delete()[source]
test_kvs_key_mangler_configuration_backend()[source]
test_kvs_key_mangler_configuration_disabled()[source]
test_kvs_key_mangler_configuration_forced_backend()[source]
test_kvs_key_mangler_fallthrough_default()[source]
test_kvs_key_mangler_set_on_backend()[source]
test_kvs_locking_context_handler()[source]
test_kvs_locking_context_handler_locking_disabled()[source]
test_kvs_memcache_key_mangler_set_to_none()[source]
test_kvs_memcache_manager_no_expiry_keys()[source]
test_kvs_memcache_set_arguments_and_memcache_expires_ttl()[source]
test_kvs_memcached_manager_invalid_dogpile_memcached_backend()[source]
test_kvs_memcached_manager_valid_dogpile_memcached_backend()[source]
test_kvs_multi_get_set_delete()[source]
test_kvs_proxy_configuration()[source]
test_kvs_with_lock_action_context_manager()[source]
test_kvs_with_lock_action_context_manager_no_lock()[source]
test_kvs_with_lock_action_context_manager_timeout()[source]
test_kvs_with_lock_action_mismatched_keys()[source]
test_memcached_lock_max_lock_attempts()[source]
test_noncallable_key_mangler_set_on_driver_raises_type_error()[source]
class keystone.tests.unit.test_kvs.MutexFixture(storage_dict, key, timeout)[source]

Bases: object

acquire(wait=True)[source]
release()[source]
class keystone.tests.unit.test_kvs.RegionProxy2Fixture(*args, **kwargs)[source]

Bases: dogpile.cache.proxy.ProxyBackend

A test dogpile.cache proxy that does nothing.

class keystone.tests.unit.test_kvs.RegionProxyFixture(*args, **kwargs)[source]

Bases: dogpile.cache.proxy.ProxyBackend

A test dogpile.cache proxy that does nothing.

class keystone.tests.unit.test_kvs.TestMemcacheDriver(arguments)[source]

Bases: dogpile.cache.api.CacheBackend

A test dogpile.cache backend.

This test backend conforms to the mixin-mechanism for overriding set and set_multi methods on dogpile memcached drivers.

set(key, value)[source]
set_multi(mapping)[source]
class test_client[source]

Bases: object

add(key, value, expiry_time)[source]
delete(key)[source]
set(key, value, **set_arguments)[source]
set_multi(mapping, **set_arguments)[source]
class keystone.tests.unit.test_kvs.TestMemcachedBackend(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_invalid_backend_fails_initialization(*args, **keywargs)[source]

keystone.tests.unit.test_ldap_livetest module

class keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap.LDAPIdentity

clear_database()[source]
config_files()[source]
setUp()[source]
test_build_tree()[source]

Regression test for building the tree names.

test_create_project_case_sensitivity()[source]
test_create_user_case_sensitivity()[source]
test_ldap_dereferencing()[source]
test_list_groups_for_user_filtered()[source]
test_project_update_missing_attrs_with_a_falsey_value()[source]
test_user_enable_attribute_mask()[source]
keystone.tests.unit.test_ldap_livetest.create_object(dn, attrs)[source]

keystone.tests.unit.test_ldap_pool_livetest module

class keystone.tests.unit.test_ldap_pool_livetest.LiveLDAPPoolIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin, keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentity

Executes existing LDAP live test with pooled LDAP handler.

Also executes common pool specific tests via Mixin class.

config_files()[source]
setUp()[source]
test_assert_connector_used_not_fake_ldap_pool()[source]
test_async_search_and_result3()[source]
test_password_change_with_auth_pool_disabled()[source]
test_password_change_with_auth_pool_enabled_long_lifetime()[source]
test_password_change_with_auth_pool_enabled_no_lifetime()[source]
test_pool_size_expands_correctly()[source]

keystone.tests.unit.test_ldap_tls_livetest module

class keystone.tests.unit.test_ldap_tls_livetest.LiveTLSLDAPIdentity(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentity

config_files()[source]
test_tls_bad_certdir()[source]
test_tls_bad_certfile()[source]
test_tls_certdir_demand_option()[source]
test_tls_certfile_demand_option()[source]
keystone.tests.unit.test_ldap_tls_livetest.create_object(dn, attrs)[source]

keystone.tests.unit.test_middleware module

class keystone.tests.unit.test_middleware.AdminTokenAuthMiddlewareTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_middleware.MiddlewareRequestTestBase

MIDDLEWARE_CLASS

alias of AdminTokenAuthMiddleware

config_overrides()[source]
test_request_admin()[source]
test_request_non_admin()[source]
class keystone.tests.unit.test_middleware.AuthContextMiddlewareTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_middleware.MiddlewareRequestTestBase

MIDDLEWARE_CLASS

alias of AuthContextMiddleware

setUp()[source]
test_client_issuer_not_trusted()[source]
test_context_already_exists()[source]
test_create_idp_id_attri_not_found_fail()[source]
test_create_idp_id_success()[source]
test_domain_disable_fail()[source]
test_empty_trusted_issuer_list()[source]
test_ephemeral_any_user_success()[source]

Verify ephemeral user does not need a specified user.

Keystone is not looking to match the user, but a corresponding group.

test_ephemeral_incorrect_mapping_fail()[source]

Test ephemeral user picking up the non-ephemeral user mapping.

Looking up the mapping with protocol Id ‘x509’ will load up the non-ephemeral user mapping, results unauthenticated.

test_ephemeral_invalid_scope_fail()[source]
test_ephemeral_no_group_found_fail()[source]
test_ephemeral_success()[source]
test_ephemeral_with_default_user_type_success()[source]
test_has_only_issuer_and_project_domain_id_request()[source]
test_has_only_issuer_and_project_domain_name_request()[source]
test_has_only_issuer_and_project_name_request()[source]
test_invalid_user_fail()[source]
test_mapping_with_userid_and_domainid_success()[source]
test_mapping_with_userid_and_domainname_success()[source]
test_mapping_with_username_and_domainid_success()[source]
test_missing_both_domain_and_project_request()[source]
test_missing_domain_data_fail()[source]
test_no_issuer_attribute_request()[source]
test_no_tokenless_attributes_request()[source]
test_not_applicable_to_token_request()[source]
test_only_domain_id_fail()[source]
test_only_domain_name_fail()[source]
test_proj_scope_with_proj_id_and_proj_dom_id_success()[source]
test_proj_scope_with_proj_id_only_success()[source]
test_proj_scope_with_proj_name_and_proj_dom_id_success()[source]
test_proj_scope_with_proj_name_and_proj_dom_name_success()[source]
test_proj_scope_with_proj_name_only_fail()[source]
test_user_disable_fail()[source]
test_userid_success()[source]
class keystone.tests.unit.test_middleware.JsonBodyMiddlewareTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_middleware.MiddlewareRequestTestBase

MIDDLEWARE_CLASS

alias of JsonBodyMiddleware

test_malformed_json()[source]
test_no_content_type()[source]
test_not_dict_body()[source]
test_request_with_params()[source]
test_unrecognized_content_type()[source]
test_unrecognized_content_type_without_body()[source]
class keystone.tests.unit.test_middleware.MiddlewareRequestTestBase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

MIDDLEWARE_CLASS = None
class keystone.tests.unit.test_middleware.TokenAuthMiddlewareTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_middleware.MiddlewareRequestTestBase

MIDDLEWARE_CLASS

alias of TokenAuthMiddleware

test_request()[source]

keystone.tests.unit.test_no_admin_token_auth module

class keystone.tests.unit.test_no_admin_token_auth.TestNoAdminTokenAuth(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_request_no_admin_token_auth()[source]

keystone.tests.unit.test_policy module

class keystone.tests.unit.test_policy.DefaultPolicyTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_default_not_found()[source]
test_not_found_policy_calls_default()[source]
test_policy_called()[source]
class keystone.tests.unit.test_policy.PolicyFileTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_modified_policy_reloads()[source]
class keystone.tests.unit.test_policy.PolicyJsonTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_all_targets_documented()[source]
test_json_examples_have_matching_entries()[source]
class keystone.tests.unit.test_policy.PolicyTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_early_AND_enforcement()[source]
test_early_OR_enforcement()[source]
test_enforce_bad_action_throws()[source]
test_enforce_good_action()[source]
test_enforce_nonexistent_action_throws()[source]
test_ignore_case_role_check()[source]
test_templatized_enforcement()[source]

keystone.tests.unit.test_revoke module

class keystone.tests.unit.test_revoke.RevokeTests[source]

Bases: object

test_expired_events_removed_validate_token_success(*args, **keywargs)[source]
test_list()[source]
test_list_since()[source]
test_past_expiry_are_removed()[source]
test_revoke_by_expiration_project_and_domain_fails()[source]
class keystone.tests.unit.test_revoke.RevokeTreeTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

remove_event(event)[source]
setUp()[source]
test_by_domain_domain()[source]
test_by_domain_project()[source]
test_by_domain_user()[source]
test_by_project_and_user_and_role()[source]
test_by_project_grant()[source]
test_by_user_domain()[source]
test_by_user_expiration()[source]
test_by_user_project()[source]
test_cleanup()[source]
test_revoke_by_audit_chain_id()[source]
test_revoke_by_audit_id()[source]
test_revoke_by_user()[source]
test_revoke_by_user_matches_trustee()[source]
test_revoke_by_user_matches_trustor()[source]
class keystone.tests.unit.test_revoke.SqlRevokeTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_backend_sql.SqlTests, keystone.tests.unit.test_revoke.RevokeTests

config_overrides()[source]

keystone.tests.unit.test_sql_livetest module

class keystone.tests.unit.test_sql_livetest.Db2MigrateTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlUpgradeTests

config_files()[source]
setUp()[source]
class keystone.tests.unit.test_sql_livetest.MysqlMigrateTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlUpgradeTests

config_files()[source]
setUp()[source]
class keystone.tests.unit.test_sql_livetest.PostgresqlMigrateTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlUpgradeTests

config_files()[source]
setUp()[source]

keystone.tests.unit.test_sql_migrate_extensions module

To run these tests against a live database:

  1. Modify the file keystone/tests/unit/config_files/backend_sql.conf to use the connection for your live database.

  2. Set up a blank, live database.

  3. Run the tests using:

    tox -e py27 -- keystone.tests.unit.test_sql_migrate_extensions
    

WARNING:

Your database will be wiped.

Do not do this against a Database with valuable data as
all data will be lost.
class keystone.tests.unit.test_sql_migrate_extensions.EndpointFilterExtension(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase

ENDPOINT_FILTER_MIGRATIONS = 2
repo_package()[source]
test_upgrade()[source]
class keystone.tests.unit.test_sql_migrate_extensions.EndpointPolicyExtension(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase

ENDPOINT_POLICY_MIGRATIONS = 1
repo_package()[source]
test_upgrade()[source]
class keystone.tests.unit.test_sql_migrate_extensions.FederationExtension(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase

FEDERATION_MIGRATIONS = 8
repo_package()[source]
test_upgrade()[source]
class keystone.tests.unit.test_sql_migrate_extensions.RevokeExtension(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase

REVOKE_MIGRATIONS = 2
repo_package()[source]
test_upgrade()[source]
class keystone.tests.unit.test_sql_migrate_extensions.SqlUpgradeOAuth1Extension(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase

OAUTH1_MIGRATIONS = 5
repo_package()[source]
test_upgrade()[source]

keystone.tests.unit.test_sql_upgrade module

To run these tests against a live database:

  1. Modify the file keystone/tests/unit/config_files/backend_sql.conf to use the connection for your live database.

  2. Set up a blank, live database

  3. Run the tests using:

    tox -e py27 -- keystone.tests.unit.test_sql_upgrade
    

WARNING:

Your database will be wiped.

Do not do this against a database with valuable data as
all data will be lost.
class keystone.tests.unit.test_sql_upgrade.MigrationHelpersGetInitVersionTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_get_init_version_no_path(*args, **keywargs)[source]
test_get_init_version_with_path(*args, **keywargs)[source]
test_get_init_version_with_path_initial_version_0(*args, **keywargs)[source]
class keystone.tests.unit.test_sql_upgrade.SqlMigrateBase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.core.TestCase

assertTableColumns(table_name, expected_cols)[source]

Asserts that the table contains the expected set of columns.

assertTableCountsMatch(table1_name, table2_name)[source]
assertTableDoesNotExist(table_name)[source]

Asserts that a given table exists cannot be selected by name.

assertTableExists(table_name)[source]
config_files()[source]
initialize_sql()[source]
repo_package()[source]
select_table(name)[source]
setUp()[source]
upgrade(*args, **kwargs)[source]
class keystone.tests.unit.test_sql_upgrade.SqlUpgradeTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase

check_initial_table_structure()[source]
does_constraint_exist(table_name, constraint_name)[source]
does_fk_exist(table, fk_column)[source]
does_index_exist(table_name, index_name)[source]
does_pk_exist(table, pk_column)[source]

Checks whether a column is primary key on a table.

insert_dict(session, table_name, d, table=None)[source]

Naively inserts key-value pairs into a table, given a dictionary.

test_add_config_registration()[source]
test_add_domain_specific_roles()[source]

Check database upgraded successfully for domain specific roles.

The following items need to be checked:

  • The domain_id column has been added
  • That it has been added to the uniqueness constraints
  • Existing roles have their domain_id columns set to the specific string of ‘<<null>>’
test_add_federated_user_table()[source]
test_add_int_pkey_to_revocation_event_table()[source]
test_add_local_user_and_password_tables()[source]
test_add_root_of_all_domains()[source]
test_add_trust_unique_constraint_upgrade()[source]
test_blank_db_to_start()[source]
test_create_federation_tables()[source]
test_create_oauth_tables()[source]
test_create_revoke_table()[source]
test_domain_as_project_upgrade()[source]
test_endpoint_filter_already_migrated(*args, **keywargs)[source]
test_endpoint_filter_upgrade()[source]
test_endpoint_policy_already_migrated(*args, **keywargs)[source]
test_endpoint_policy_upgrade()[source]
test_federation_already_migrated(*args, **keywargs)[source]
test_implied_roles_fk_on_delete_cascade()[source]
test_implied_roles_upgrade()[source]
test_insert_assignment_inherited_pk()[source]
test_kilo_squash()[source]
test_migrate_data_to_local_user_and_password_tables()[source]
test_migrate_user_skip_user_already_exist_in_local_user()[source]
test_migrate_user_with_null_password_to_password_tables()[source]
test_migration_88_drops_unique_constraint()[source]
test_migration_88_inconsistent_constraint_name()[source]
test_migration_91_drops_unique_constraint()[source]
test_migration_91_inconsistent_constraint_name()[source]
test_migration_96()[source]
test_migration_96_constraint_exists()[source]
test_migration_97()[source]
test_migration_97_constraint_exists()[source]
test_migration_97_inconsistent_constraint_exists()[source]
test_oauth1_already_migrated(*args, **keywargs)[source]
test_project_is_domain_upgrade()[source]
test_revoke_already_migrated(*args, **keywargs)[source]
test_start_version_db_init_version()[source]
test_upgrade_add_initial_tables()[source]
class keystone.tests.unit.test_sql_upgrade.VersionTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_sql_upgrade.SqlMigrateBase

test_assert_not_schema_downgrade()[source]
test_core_initial()[source]

Get the version before migrated, it’s the initial DB version.

test_core_max()[source]

When get the version after upgrading, it’s the new version.

test_extension_not_controlled()[source]

When get the version before controlling, raises DbMigrationError.

test_unexpected_extension()[source]

The version for a non-existent extension raises ImportError.

test_unversioned_extension()[source]

The version for extensions without migrations raise an exception.

keystone.tests.unit.test_ssl module

class keystone.tests.unit.test_ssl.SSLTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

get_HTTPSConnection(*args)[source]

Simple helper to configure HTTPSConnection objects.

setUp()[source]
test_1way_ssl_ok()[source]

Make sure both public and admin API work with 1-way SSL.

test_1way_ssl_with_ipv6_ok()[source]

Make sure both public and admin API work with 1-way ipv6 & SSL.

test_2way_ssl_fail()[source]

Expect to fail when client does not present proper certificate.

test_2way_ssl_ok()[source]

Make sure both public and admin API work with 2-way SSL.

Requires client certificate.

test_2way_ssl_with_ipv6_ok()[source]

Make sure both public and admin API work with 2-way ipv6 & SSL.

Requires client certificate.

keystone.tests.unit.test_token_bind module

class keystone.tests.unit.test_token_bind.BindTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Test binding tokens to a Principal.

Even though everything in this file references kerberos the same concepts will apply to all future binding mechanisms.

assert_kerberos_bind(tokens, bind_level, use_kerberos=True, success=True)[source]
setUp()[source]
test_bind_disabled_with_kerb_user()[source]
test_bind_named_with_kerb_user()[source]
test_bind_named_with_regular_token()[source]
test_bind_named_with_unknown_bind()[source]
test_bind_named_with_unknown_scheme()[source]
test_bind_named_without_kerb_user()[source]
test_bind_permissive_with_kerb_user()[source]
test_bind_permissive_with_regular_token()[source]
test_bind_permissive_with_unknown_bind()[source]
test_bind_permissive_without_kerb_user()[source]
test_bind_required_with_kerb_user()[source]
test_bind_required_with_regular_token()[source]
test_bind_required_with_unknown_bind()[source]
test_bind_required_without_kerb_user()[source]
test_bind_strict_with_kerb_user()[source]
test_bind_strict_with_regular_token()[source]
test_bind_strict_with_unknown_bind()[source]
test_bind_strict_without_kerb_user()[source]

keystone.tests.unit.test_token_provider module

class keystone.tests.unit.test_token_provider.PKIProviderTests[source]

Bases: object

setUp()[source]
test_get_token_id_error_handling()[source]
class keystone.tests.unit.test_token_provider.TestPKIProviderWithEventlet(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_token_provider.PKIProviderTests, keystone.tests.unit.core.TestCase

setUp()[source]
class keystone.tests.unit.test_token_provider.TestPKIProviderWithStdlib(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_token_provider.PKIProviderTests, keystone.tests.unit.core.TestCase

setUp()[source]
class keystone.tests.unit.test_token_provider.TestTokenProvider(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_get_token_version()[source]
test_no_token_raises_token_not_found()[source]
test_provider_token_expiration_validation()[source]
test_supported_token_providers()[source]
test_unsupported_token_provider()[source]
keystone.tests.unit.test_token_provider.create_v2_token()[source]
keystone.tests.unit.test_token_provider.create_v3_token()[source]

keystone.tests.unit.test_url_middleware module

class keystone.tests.unit.test_url_middleware.FakeApp[source]

Bases: object

Fakes a WSGI app URL normalized.

class keystone.tests.unit.test_url_middleware.UrlMiddlewareTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
start_fake_response(status, headers)[source]
test_rewrite_empty_path()[source]

Tests empty path is rewritten to root.

test_trailing_slash_normalization()[source]

Tests /v2.0/tokens and /v2.0/tokens/ normalized URLs match.

keystone.tests.unit.test_v2 module

class keystone.tests.unit.test_v2.CoreApiTests[source]

Bases: object

assertNoRoles(r)[source]

Helper method to assert No Roles

This needs to be overridden by child classes based on their content type.

assertValidError(error)[source]
assertValidExtension(extension)[source]
assertValidRole(tenant)[source]
assertValidTenant(tenant)[source]
assertValidUser(user)[source]
assertValidVersion(version)[source]
test_admin_extensions()[source]
test_admin_extensions_returns_not_found()[source]
test_admin_multiple_choice()[source]
test_admin_not_found()[source]
test_admin_osksadm_extension()[source]
test_admin_version()[source]
test_authenticate()[source]
test_authenticate_unscoped()[source]
test_authenticating_a_user_with_no_password()[source]
test_create_update_user_invalid_enabled_type()[source]
test_create_update_user_valid_enabled_type()[source]
test_endpoints()[source]
test_error_response()[source]

This triggers assertValidErrorResponse by convention.

test_get_tenant()[source]
test_get_tenant_by_name()[source]
test_get_tenants_for_token()[source]
test_get_user()[source]
test_get_user_by_name()[source]
test_get_user_roles_with_tenant()[source]
test_get_user_roles_without_tenant()[source]
test_invalid_parameter_error_response()[source]
test_invalid_token_returns_not_found()[source]
test_public_extensions()[source]
test_public_multiple_choice()[source]
test_public_not_found()[source]
test_public_osksadm_extension_returns_not_found()[source]
test_public_version()[source]
test_remove_role_revokes_token()[source]
test_update_user_tenant()[source]
test_update_user_with_invalid_tenant()[source]
test_update_user_with_invalid_tenant_no_prev_tenant()[source]
test_update_user_with_old_tenant()[source]
test_validate_token()[source]
test_validate_token_belongs_to()[source]
test_validate_token_head()[source]

The same call as above, except using HEAD.

There’s no response to validate here, but this is included for the sake of completely covering the core API.

test_validate_token_no_belongs_to_still_returns_catalog()[source]
test_validate_token_service_role()[source]
test_www_authenticate_header()[source]
test_www_authenticate_header_host()[source]
class keystone.tests.unit.test_v2.LegacyV2UsernameTests[source]

Bases: object

Tests to show the broken username behavior in V2.

The V2 API is documented to use username instead of name. The API forced used to use name and left the username to fall into the extra field.

These tests ensure this behavior works so fixes to username/name will be backward compatible.

create_user(**user_attrs)[source]

Creates a users and returns the response object.

Parameters:user_attrs – attributes added to the request body (optional)
test_create_with_extra_username()[source]

The response for creating a user will contain the extra fields.

test_get_returns_username_from_extra()[source]

The response for getting a user will contain the extra fields.

test_update_returns_new_username_when_adding_username()[source]

The response for updating a user will contain the extra fields.

This is specifically testing for updating a username when a value was not previously set.

test_update_returns_new_username_when_updating_username()[source]

The response for updating a user will contain the extra fields.

This tests updating a username that was previously set.

test_updated_username_is_returned()[source]

Username is set as the value of name if no username is provided.

This matches the v2.0 spec where we really should be using username and not name.

test_username_can_be_used_instead_of_name_create()[source]
test_username_can_be_used_instead_of_name_update()[source]
test_username_is_always_returned_create()[source]

Username is set as the value of name if no username is provided.

This matches the v2.0 spec where we really should be using username and not name.

test_username_is_always_returned_get()[source]

Username is set as the value of name if no username is provided.

This matches the v2.0 spec where we really should be using username and not name.

test_username_is_always_returned_get_by_name()[source]

Username is set as the value of name if no username is provided.

This matches the v2.0 spec where we really should be using username and not name.

test_username_is_always_returned_update_no_username_provided()[source]

Username is set as the value of name if no username is provided.

This matches the v2.0 spec where we really should be using username and not name.

class keystone.tests.unit.test_v2.RestfulTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.rest.RestfulTestCase

setUp()[source]
class keystone.tests.unit.test_v2.RevokeApiTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v2.V2TestCase

config_overrides()[source]
test_fetch_revocation_list_admin_200()[source]
test_fetch_revocation_list_md5()[source]
test_fetch_revocation_list_sha256()[source]
class keystone.tests.unit.test_v2.TestFernetTokenProviderV2(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v2.RestfulTestCase

assertValidScopedTokenResponse(r)[source]
assertValidUnscopedTokenResponse(r)[source]
config_overrides()[source]
new_project_ref()[source]
setUp()[source]
test_authenticate_scoped_token()[source]
test_authenticate_unscoped_token()[source]
test_rescoped_tokens_maintain_original_expiration()[source]
test_token_authentication_and_validation()[source]

Test token authentication for Fernet token provider.

Verify that token authentication returns validate response code and valid token belongs to project.

test_validate_scoped_token()[source]
test_validate_unscoped_token()[source]
class keystone.tests.unit.test_v2.V2TestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v2.RestfulTestCase, keystone.tests.unit.test_v2.CoreApiTests, keystone.tests.unit.test_v2.LegacyV2UsernameTests

assertNoRoles(r)[source]
assertValidAuthenticationResponse(r, require_service_catalog=False)[source]
assertValidEndpointListResponse(r)[source]
assertValidErrorResponse(r)[source]
assertValidExtension(extension, expected)[source]
assertValidExtensionListResponse(r, expected)[source]
assertValidExtensionResponse(r, expected)[source]
assertValidMultipleChoiceResponse(r)[source]
assertValidRevocationListResponse(response)[source]
assertValidRoleListResponse(r)[source]
assertValidTenantListResponse(r)[source]
assertValidTenantResponse(r)[source]
assertValidUser(user)[source]
assertValidUserResponse(r)[source]
assertValidVersion(version)[source]
assertValidVersionResponse(r)[source]
config_overrides()[source]
get_user_attribute_from_response(r, attribute_name)[source]
get_user_from_response(r)[source]
test_authenticating_a_user_with_an_OSKSADM_password()[source]
test_create_update_user_invalid_enabled_type()[source]
test_fetch_revocation_list_admin_200()[source]
test_fetch_revocation_list_md5()[source]

Hash for tokens in revocation list and server config should match.

If the server is configured for md5, then the revocation list has tokens hashed with MD5.

test_fetch_revocation_list_nonadmin_fails()[source]
test_fetch_revocation_list_sha256()[source]

Hash for tokens in revocation list and server config should match.

If the server is configured for sha256, then the revocation list has tokens hashed with SHA256.

test_service_crud_requires_auth()[source]

Service CRUD should return unauthorized without an X-Auth-Token.

test_updating_a_user_with_an_OSKSADM_password()[source]
test_user_role_list_requires_auth()[source]

User role list return unauthorized without an X-Auth-Token.

keystone.tests.unit.test_v2_controller module

class keystone.tests.unit.test_v2_controller.TenantTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Tests for the V2 Tenant controller.

These tests exercise keystone.assignment.controllers.Tenant.

setUp()[source]
test_create_is_domain_project_fails()[source]

Test that the creation of a project acting as a domain fails.

test_create_project_passing_is_domain_false_fails()[source]

Test that passing is_domain=False is not allowed.

test_delete_is_domain_project_not_found()[source]

Test that delete is_domain project is not allowed in v2.

test_get_is_domain_project_not_found()[source]

Test that get project does not return is_domain projects.

test_get_project_users_no_user()[source]

get_project_users when user doesn’t exist.

When a user that’s not known to identity has a role on a project, then get_project_users just skips that user.

test_list_is_domain_project_not_found()[source]

Test v2 get_all_projects having projects that act as a domain.

In v2 no project with the is_domain flag enabled should be returned.

test_list_projects_default_domain()[source]

Test that list projects only returns those in the default domain.

test_update_is_domain_project_not_found()[source]

Test that update is_domain project is not allowed in v2.

keystone.tests.unit.test_v3 module

class keystone.tests.unit.test_v3.AssignmentTestMixin[source]

Bases: object

To hold assignment helper functions.

build_role_assignment_entity(link=None, prior_role_link=None, **attribs)[source]

Build and return a role assignment entity with provided attributes.

Provided attributes are expected to contain: domain_id or project_id, user_id or group_id, role_id and, optionally, inherited_to_projects.

build_role_assignment_entity_include_names(domain_ref=None, role_ref=None, group_ref=None, user_ref=None, project_ref=None, inherited_assignment=None)[source]

Build and return a role assignment entity with provided attributes.

The expected attributes are: domain_ref or project_ref, user_ref or group_ref, role_ref and, optionally, inherited_to_projects.

Build and return a role assignment link with provided attributes.

Provided attributes are expected to contain: domain_id or project_id, user_id or group_id, role_id and, optionally, inherited_to_projects.

build_role_assignment_query_url(effective=False, **filters)[source]

Build and return a role assignment query url with provided params.

Available filters are: domain_id, project_id, user_id, group_id, role_id and inherited_to_projects.

class keystone.tests.unit.test_v3.AuthContextMiddlewareAdminTokenTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

EXTENSION_TO_ADD = 'admin_token_auth'
config_overrides()[source]
test_admin_auth_context()[source]
test_admin_token_auth_context_deprecated(*args, **keywargs)[source]
class keystone.tests.unit.test_v3.AuthContextMiddlewareTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

test_auth_context_build_by_middleware()[source]
test_auth_context_override()[source]
test_domain_scoped_token_auth_context()[source]
test_oslo_context()[source]
test_project_scoped_token_auth_context()[source]
test_unscoped_token_auth_context()[source]
class keystone.tests.unit.test_v3.AuthTestMixin[source]

Bases: object

To hold auth building helper functions.

build_auth_scope(project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, domain_id=None, domain_name=None, trust_id=None, unscoped=None)[source]
build_authentication_request(token=None, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, kerberos=False, **kwargs)[source]

Build auth dictionary.

It will create an auth dictionary based on all the arguments that it receives.

build_password_auth(user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None)[source]
build_token_auth(token)[source]
class keystone.tests.unit.test_v3.JsonHomeTestMixin[source]

Bases: object

JSON Home test

Mixin this class to provide a test for the JSON-Home response for an extension.

The base class must set JSON_HOME_DATA to a dict of relationship URLs (rels) to the JSON-Home data for the relationship. The rels and associated data must be in the response.

test_get_json_home()[source]
class keystone.tests.unit.test_v3.RestfulTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.SQLDriverOverrides, keystone.tests.unit.rest.RestfulTestCase, keystone.tests.common.auth.AuthTestMixin

assertEqualTokens(a, b)[source]

Assert that two tokens are equal.

Compare two tokens except for their ids. This also truncates the time in the comparison.

assertRoleAssignmentInListResponse(resp, ref, expected=1)[source]
assertRoleAssignmentNotInListResponse(resp, ref)[source]
assertRoleInListResponse(resp, ref, expected=1)[source]
assertRoleNotInListResponse(resp, ref)[source]
assertValidCatalog(entity)[source]
assertValidCatalogResponse(resp, *args, **kwargs)[source]
assertValidCredential(entity, ref=None)[source]
assertValidCredentialListResponse(resp, *args, **kwargs)[source]
assertValidCredentialResponse(resp, *args, **kwargs)[source]
assertValidDomain(entity, ref=None)[source]
assertValidDomainListResponse(resp, *args, **kwargs)[source]
assertValidDomainResponse(resp, *args, **kwargs)[source]
assertValidDomainScopedTokenResponse(r, *args, **kwargs)[source]
assertValidEndpoint(entity, ref=None)[source]
assertValidEndpointListResponse(resp, *args, **kwargs)[source]
assertValidEndpointResponse(resp, *args, **kwargs)[source]
assertValidEntity(entity, ref=None, keys_to_check=None)[source]

Make assertions common to all API entities.

If a reference is provided, the entity will also be compared against the reference.

assertValidErrorResponse(r)[source]
assertValidGroup(entity, ref=None)[source]
assertValidGroupListResponse(resp, *args, **kwargs)[source]
assertValidGroupResponse(resp, *args, **kwargs)[source]
assertValidISO8601ExtendedFormatDatetime(dt)[source]
assertValidListResponse(resp, key, entity_validator, ref=None, expected_length=None, keys_to_check=None, resource_url=None)[source]

Make assertions common to all API list responses.

If a reference is provided, it’s ID will be searched for in the response, and asserted to be equal.

assertValidPolicy(entity, ref=None)[source]
assertValidPolicyListResponse(resp, *args, **kwargs)[source]
assertValidPolicyResponse(resp, *args, **kwargs)[source]
assertValidProject(entity, ref=None)[source]
assertValidProjectListResponse(resp, *args, **kwargs)[source]
assertValidProjectResponse(resp, *args, **kwargs)[source]
assertValidProjectScopedTokenResponse(r, *args, **kwargs)[source]
assertValidRegion(entity, ref=None)[source]
assertValidRegionListResponse(resp, *args, **kwargs)[source]
assertValidRegionResponse(resp, *args, **kwargs)[source]
assertValidResponse(resp, key, entity_validator, *args, **kwargs)[source]

Make assertions common to all API responses.

assertValidRole(entity, ref=None)[source]
assertValidRoleAssignment(entity, ref=None)[source]
assertValidRoleAssignmentListResponse(resp, expected_length=None, resource_url=None)[source]
assertValidRoleListResponse(resp, *args, **kwargs)[source]
assertValidRoleResponse(resp, *args, **kwargs)[source]
assertValidScopedTokenResponse(r, *args, **kwargs)[source]
assertValidService(entity, ref=None)[source]
assertValidServiceListResponse(resp, *args, **kwargs)[source]
assertValidServiceProvider(entity, ref=None, *args, **kwargs)[source]
assertValidServiceProviderListResponse(resp, *args, **kwargs)[source]
assertValidServiceResponse(resp, *args, **kwargs)[source]
assertValidTokenResponse(r, user=None)[source]
assertValidTrust(entity, ref=None, summary=False)[source]
assertValidTrustListResponse(resp, *args, **kwargs)[source]
assertValidTrustResponse(resp, *args, **kwargs)[source]
assertValidTrustSummary(entity, ref=None)[source]
assertValidUnscopedTokenResponse(r, *args, **kwargs)[source]
assertValidUser(entity, ref=None)[source]
assertValidUserListResponse(resp, *args, **kwargs)[source]
assertValidUserResponse(resp, *args, **kwargs)[source]
build_external_auth_request(remote_user, remote_domain=None, auth_data=None, kerberos=False)[source]
config_files()[source]
create_new_default_project_for_user(user_id, domain_id, enable_project=True)[source]
delete(path, expected_status=204, **kwargs)[source]
generate_paste_config()[source]
generate_token_schema(domain_scoped=False, project_scoped=False)[source]

Return a dictionary of token properties to validate against.

get(path, expected_status=200, **kwargs)[source]
get_admin_token()[source]

Convenience method so that we can test authenticated requests.

get_domain_scoped_token()[source]

Convenience method for requesting domain scoped token.

get_extensions()[source]
get_requested_token(auth)[source]

Request the specific token we want.

get_scoped_token()[source]

Convenience method so that we can test authenticated requests.

get_unscoped_token()[source]

Convenience method so that we can test authenticated requests.

head(path, expected_status=204, **kwargs)[source]
load_backends()[source]
load_fixtures(fixtures)[source]
load_sample_data(create_region_and_endpoints=True)[source]
patch(path, expected_status=200, **kwargs)[source]
post(path, expected_status=201, **kwargs)[source]
put(path, expected_status=204, **kwargs)[source]
remove_generated_paste_config()[source]
setUp(app_conf='keystone')[source]

Setup for v3 Restful Test Cases.

v3_create_token(auth, expected_status=201)[source]
v3_noauth_request(path, **kwargs)[source]
v3_request(path, **kwargs)[source]
class keystone.tests.unit.test_v3.VersionTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

test_get_version()[source]

keystone.tests.unit.test_v3_assignment module

class keystone.tests.unit.test_v3_assignment.AssignmentInheritanceDisabledTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test inheritance crud and its effects.

config_overrides()[source]
test_crud_inherited_role_grants_failed_if_disabled()[source]
class keystone.tests.unit.test_v3_assignment.AssignmentInheritanceTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3.AssignmentTestMixin

Test inheritance crud and its effects.

config_overrides()[source]
test_crud_inherited_and_direct_assignment_on_domains()[source]
test_crud_inherited_and_direct_assignment_on_projects()[source]
test_crud_user_inherited_domain_role_grants()[source]
test_filtered_role_assignments_for_inherited_grants()[source]

Call GET /role_assignments?scope.OS-INHERIT:inherited_to.

Test Plan:

  • Create 5 roles
  • Create a domain with a user, group and two projects
  • Assign three direct spoiler roles to projects
  • Issue the URL to add an inherited user role to the domain
  • Issue the URL to add an inherited group role to the domain
  • Issue the URL to filter by inherited roles - this should return just the 2 inherited roles.
test_get_effective_role_assignments_for_project_hierarchy()[source]

Call GET /role_assignments?effective.

Test Plan:

  • Create 2 roles
  • Create a hierarchy of projects with one root and one leaf project
  • Issue the URL to add a non-inherited user role to the root project
  • Issue the URL to add an inherited user role to the root project
  • Issue the URL to get effective role assignments - this should return 1 role (non-inherited) on the root project and 1 role (inherited) on the leaf project.
test_get_effective_role_assignments_for_project_tree()[source]

Get role_assignment ?project_id=X?include_subtree=True?effective``.

Test Plan:

  • Create 2 roles and a hierarchy of projects with one root and 4 levels of child project
  • Issue the URL to add a non-inherited user role to the root project and a level 1 project
  • Issue the URL to add an inherited user role on the level 2 project
  • Issue the URL to get effective role assignments for the level 1 project and it’s subtree - this should return a role (non-inherited) on the level 1 project and roles (inherited) on each of the level 2, 3 and 4 projects
test_get_inherited_role_assignments_for_project_hierarchy()[source]

Call GET /role_assignments?scope.OS-INHERIT:inherited_to.

Test Plan:

  • Create 2 roles
  • Create a hierarchy of projects with one root and one leaf project
  • Issue the URL to add a non-inherited user role to the root project
  • Issue the URL to add an inherited user role to the root project
  • Issue the URL to filter inherited to projects role assignments - this should return 1 role (inherited) on the root project.
test_get_role_assignments_for_project_hierarchy()[source]

Call GET /role_assignments.

Test Plan:

  • Create 2 roles
  • Create a hierarchy of projects with one root and one leaf project
  • Issue the URL to add a non-inherited user role to the root project
  • Issue the URL to add an inherited user role to the root project
  • Issue the URL to get all role assignments - this should return just 2 roles (non-inherited and inherited) in the root project.
test_get_role_assignments_for_project_tree()[source]

Get role_assignment?scope.project.id=X?include_subtree``.

Test Plan:

  • Create 2 roles and a hierarchy of projects with one root and one leaf
  • Issue the URL to add a non-inherited user role to the root project and the leaf project
  • Issue the URL to get role assignments for the root project but not the subtree - this should return just the root assignment
  • Issue the URL to get role assignments for the root project and it’s subtree - this should return both assignments
  • Check that explicitly setting include_subtree to False is the equivalent to not including it at all in the query.
test_get_token_from_inherited_group_domain_role_grants()[source]
test_get_token_from_inherited_group_project_role_grants()[source]
test_get_token_from_inherited_user_domain_role_grants()[source]
test_get_token_from_inherited_user_project_role_grants()[source]
test_list_role_assignments_for_disabled_inheritance_extension()[source]

Call GET /role_assignments with inherited domain grants.

Test Plan:

  • Issue the URL to add inherited role to the domain
  • Issue the URL to check effective roles on project include the inherited role
  • Disable the extension
  • Re-check the effective roles, proving the inherited role no longer shows up.
test_list_role_assignments_for_inherited_domain_grants()[source]

Call GET /role_assignments with inherited domain grants.

Test Plan:

  • Create 4 roles
  • Create a domain with a user and two projects
  • Assign two direct roles to project1
  • Assign a spoiler role to project2
  • Issue the URL to add inherited role to the domain
  • Issue the URL to check it is indeed on the domain
  • Issue the URL to check effective roles on project1 - this should return 3 roles.
test_list_role_assignments_for_inherited_group_domain_grants()[source]

Call GET /role_assignments with inherited group domain grants.

Test Plan:

  • Create 4 roles
  • Create a domain with a user and two projects
  • Assign two direct roles to project1
  • Assign a spoiler role to project2
  • Issue the URL to add inherited role to the domain
  • Issue the URL to check it is indeed on the domain
  • Issue the URL to check effective roles on project1 - this should return 3 roles.
test_list_role_assignments_include_names()[source]

Call GET /role_assignments with include names.

Test Plan:

  • Create a domain with a group and a user
  • Create a project with a group and a user
test_project_id_specified_if_include_subtree_specified()[source]

When using include_subtree, you must specify a project ID.

class keystone.tests.unit.test_v3_assignment.AssignmentTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3.AssignmentTestMixin

Test roles and role assignments.

setUp()[source]
test_check_effective_values_for_role_assignments()[source]

Call GET /role_assignments?effective=value.

Check the various ways of specifying the ‘effective’ query parameter. If the ‘effective’ query parameter is included then this should always be treated as meaning ‘True’ unless it is specified as:

{url}?effective=0

This is by design to match the agreed way of handling policy checking on query/filter parameters.

Test Plan:

  • Create two extra user for tests
  • Add these users to a group
  • Add a role assignment for the group on a domain
  • Get a list of all role assignments, checking one has been added
  • Then issue various request with different ways of defining the ‘effective’ query parameter. As we have tested the correctness of the data coming back when we get effective roles in other tests, here we just use the count of entities to know if we are getting effective roles or not
test_create_member_role()[source]

Call POST /roles.

test_create_role()[source]

Call POST /roles.

test_create_role_bad_request()[source]

Call POST /roles.

test_crud_group_domain_role_grants()[source]
test_crud_group_domain_role_grants_no_group()[source]

Grant role on a domain to a group that doesn’t exist.

When grant a role on a domain to a group that doesn’t exist, the server returns 404 Not Found for the group.

test_crud_group_project_role_grants()[source]
test_crud_group_project_role_grants_no_group()[source]

Grant role on a project to a group that doesn’t exist.

When grant a role on a project to a group that doesn’t exist, the server returns 404 Not Found for the group.

test_crud_user_domain_role_grants()[source]
test_crud_user_domain_role_grants_no_user()[source]

Grant role on a domain to a user that doesn’t exist.

When grant a role on a domain to a user that doesn’t exist, the server returns 404 Not Found for the user.

test_crud_user_project_role_grants()[source]
test_crud_user_project_role_grants_no_user()[source]

Grant role on a project to a user that doesn’t exist.

When grant a role on a project to a user that doesn’t exist, the server returns Not Found for the user.

test_delete_grant_from_group_and_domain_invalidates_cache(*args, **kwargs)[source]
test_delete_grant_from_group_and_project_invalidates_cache(*args, **kwargs)[source]
test_delete_grant_from_user_and_domain_invalidates_cache(*args, **kwargs)[source]
test_delete_grant_from_user_and_project_invalidate_cache(*args, **kwargs)[source]
test_delete_role()[source]

Call DELETE /roles/{role_id}.

test_delete_user_and_check_role_assignment_fails()[source]

Call DELETE on the user and check the role assignment.

test_delete_user_before_removing_role_assignment_succeeds()[source]

Call DELETE on the user before the role assignment.

test_filtered_role_assignments()[source]

Call GET /role_assignments?filters.

Test Plan:

  • Create extra users, group, role and project for tests
  • Make the following assignments: Give group1, role1 on project1 and domain Give user1, role2 on project1 and domain Make User1 a member of Group1
  • Test a series of single filter list calls, checking that the correct results are obtained
  • Test a multi-filtered list call
  • Test listing all effective roles for a given user
  • Test the equivalent of the list of roles in a project scoped token (all effective roles for a user on a project)
test_get_effective_role_assignments()[source]

Call GET /role_assignments?effective.

Test Plan:

  • Create two extra user for tests
  • Add these users to a group
  • Add a role assignment for the group on a domain
  • Get a list of all role assignments, checking one has been added
  • Then get a list of all effective role assignments - the group assignment should have turned into assignments on the domain for each of the group members.
test_get_role()[source]

Call GET /roles/{role_id}.

test_get_role_assignments()[source]

Call GET /role_assignments.

The sample data set up already has a user, group and project that is part of self.domain. We use these plus a new user we create as our data set, making sure we ignore any role assignments that are already in existence.

Since we don’t yet support a first class entity for role assignments, we are only testing the LIST API. To create and delete the role assignments we use the old grant APIs.

Test Plan:

  • Create extra user for tests
  • Get a list of all existing role assignments
  • Add a new assignment for each of the four combinations, i.e. group+domain, user+domain, group+project, user+project, using the same role each time
  • Get a new list of all role assignments, checking these four new ones have been added
  • Then delete the four we added
  • Get a new list of all role assignments, checking the four have been removed
test_list_roles()[source]

Call GET /roles.

test_token_revoked_once_group_role_grant_revoked()[source]

Test token is revoked when group role grant is revoked

When a role granted to a group is revoked for a given scope, all tokens related to this scope and belonging to one of the members of this group should be revoked.

The revocation should be independently to the presence of the revoke API.

test_update_role()[source]

Call PATCH /roles/{role_id}.

class keystone.tests.unit.test_v3_assignment.DomainSpecificRoleTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.core.TestCase

setUp()[source]
test_delete_domain_specific_roles()[source]
test_get_and_list_domain_specific_roles()[source]
test_update_domain_specific_roles()[source]
class keystone.tests.unit.test_v3_assignment.ImpliedRolesTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3.AssignmentTestMixin, keystone.tests.unit.core.TestCase

test_CRD_implied_roles()[source]
test_list_all_rules()[source]
test_list_implied_roles_none()[source]
test_list_role_assignments_with_implied_roles()[source]

Call GET /role_assignments with implied role grant.

Test Plan:

  • Create a domain with a user and a project
  • Create 3 roles
  • Role 0 implies role 1 and role 1 implies role 2
  • Assign the top role to the project
  • Issue the URL to check effective roles on project - this should return all 3 roles.
  • Check the links of the 3 roles indicate the prior role where appropriate
test_root_role_as_implied_role_forbidden()[source]

Test root role is forbidden to be set as an implied role.

Create 2 roles that are prohibited from being an implied role. Create 1 additional role which should be accepted as an implied role. Assure the prohibited role names cannot be set as an implied role. Assure the accepted role name which is not a member of the prohibited implied role list can be successfully set an implied role.

test_trusts_from_domain_specific_implied_role()[source]
test_trusts_from_implied_role()[source]
class keystone.tests.unit.test_v3_assignment.ListUserProjectsTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Tests for /users/<user>/projects

load_sample_data()[source]
test_list_all()[source]
test_list_by_domain_id()[source]
test_list_disabled()[source]
test_list_enabled()[source]
class keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3.AssignmentTestMixin

Base class for testing /v3/role_assignments API behavior.

MAX_HIERARCHY_BREADTH = 3
MAX_HIERARCHY_DEPTH = 4
get_role_assignments(expected_status=200, **filters)[source]

Returns the result from querying role assignment API + queried URL.

Calls GET /v3/role_assignments?<params> and returns its result, where <params> is the HTTP query parameters form of effective option plus filters, if provided. Queried URL is returned as well.

Returns:a tuple containing the list role assignments API response and queried URL.
load_sample_data()[source]

Creates sample data to be used on tests.

Created data are i) a role and ii) a domain containing: a project hierarchy and 3 users within 3 groups.

class keystone.tests.unit.test_v3_assignment.RoleAssignmentDirectTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase

Class for testing direct assignments on /v3/role_assignments API.

Direct assignments on a domain or project have effect on them directly, instead of on their project hierarchy, i.e they are non-inherited. In addition, group direct assignments are not expanded to group’s users.

Tests on this class make assertions on the representation and API filtering of direct assignments.

test_get_role_assignments_by_domain(**filters)[source]
test_get_role_assignments_by_domain_and_group(**filters)[source]
test_get_role_assignments_by_domain_and_user(**filters)[source]
test_get_role_assignments_by_domain_group_and_role(**filters)[source]
test_get_role_assignments_by_domain_user_and_role(**filters)[source]
test_get_role_assignments_by_group(**filters)[source]
test_get_role_assignments_by_project(**filters)[source]
test_get_role_assignments_by_project_and_group(**filters)[source]
test_get_role_assignments_by_project_and_user(**filters)[source]
test_get_role_assignments_by_project_group_and_role(**filters)[source]
test_get_role_assignments_by_project_user_and_role(**filters)[source]
test_get_role_assignments_by_role(**filters)[source]
test_get_role_assignments_by_user(**filters)[source]
class keystone.tests.unit.test_v3_assignment.RoleAssignmentEffectiveTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentInheritedTestCase

Class for testing inheritance effects on /v3/role_assignments API.

Inherited assignments on a domain or project have no effect on them directly, but on the projects under them instead.

Tests on this class make assertions on the effect of inherited assignments and API filtering.

class keystone.tests.unit.test_v3_assignment.RoleAssignmentFailureTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentBaseTestCase

Class for testing invalid query params on /v3/role_assignments API.

Querying domain and project, or user and group results in a HTTP 400 Bad Request, since a role assignment must contain only a single pair of (actor, target). In addition, since filtering on role assignments applies only to the final result, effective mode cannot be combined with i) group or ii) domain and inherited, because it would always result in an empty list.

test_get_role_assignments_by_domain_and_project()[source]
test_get_role_assignments_by_effective_and_group()[source]
test_get_role_assignments_by_effective_and_inherited()[source]
test_get_role_assignments_by_user_and_group()[source]
class keystone.tests.unit.test_v3_assignment.RoleAssignmentInheritedTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_assignment.RoleAssignmentDirectTestCase

Class for testing inherited assignments on /v3/role_assignments API.

Inherited assignments on a domain or project have no effect on them directly, but on the projects under them instead.

Tests on this class do not make assertions on the effect of inherited assignments, but in their representation and API filtering.

config_overrides()[source]

keystone.tests.unit.test_v3_auth module

class keystone.tests.unit.test_v3_auth.AllowRescopeScopedTokenDisabledTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

config_overrides()[source]
test_rescoped_domain_token_disabled()[source]
test_rescoping_v2_to_v2_disabled()[source]
test_rescoping_v2_to_v3_disabled()[source]
test_rescoping_v3_to_v2_disabled()[source]
test_rescoping_v3_to_v3_disabled()[source]
class keystone.tests.unit.test_v3_auth.RevokeContribTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

test_exception_happens(*args, **keywargs)[source]
class keystone.tests.unit.test_v3_auth.TestAPIProtectionWithoutAuthContextMiddleware(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

test_api_protection_with_no_auth_context_in_env()[source]
class keystone.tests.unit.test_v3_auth.TestAuth(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

get_v2_token(tenant_id=None)[source]
test_auth_catalog_attributes()[source]
test_auth_catalog_disabled_endpoint()[source]

On authenticate, get a catalog that excludes disabled endpoints.

test_auth_catalog_disabled_service()[source]

On authenticate, get a catalog that excludes disabled services.

test_auth_methods_with_different_identities_fails()[source]
test_auth_token_cross_domain_group_and_project()[source]

Verify getting a token in cross domain group/project roles.

test_auth_with_bind_token()[source]
test_auth_with_id()[source]
test_authenticate_fails_if_domain_unsafe()[source]

Verify authenticate to a domain with unsafe name fails.

test_authenticate_fails_if_project_unsafe()[source]

Verify authenticate to a project with unsafe name fails.

test_authenticate_fails_to_project_if_domain_unsafe()[source]

Verify authenticate to a project using unsafe domain name fails.

test_authenticating_a_user_with_no_password()[source]
test_bind_not_set_with_remote_user()[source]
test_default_project_id_scoped_token_with_user_id()[source]
test_default_project_id_scoped_token_with_user_id_no_catalog()[source]
test_disabled_default_project_domain_result_in_unscoped_token()[source]
test_disabled_default_project_result_in_unscoped_token()[source]
test_disabled_scope_project_domain_result_in_401()[source]
test_domain_id_scoped_token_with_user_domain_id()[source]
test_domain_id_scoped_token_with_user_domain_name()[source]
test_domain_id_scoped_token_with_user_id()[source]
test_domain_name_scoped_token_with_user_domain_id()[source]
test_domain_name_scoped_token_with_user_domain_name()[source]
test_domain_name_scoped_token_with_user_id()[source]
test_domain_scope_failed()[source]
test_domain_scope_token_with_group_role()[source]
test_domain_scope_token_with_name()[source]
test_explicit_unscoped_token()[source]
test_implicit_project_id_scoped_token_with_user_id_no_catalog()[source]
test_invalid_domain_id()[source]
test_invalid_domain_name()[source]
test_invalid_password()[source]
test_invalid_user_id()[source]
test_invalid_user_name()[source]
test_no_access_to_default_project_result_in_unscoped_token()[source]
test_project_id_scoped_token_with_user_domain_id()[source]
test_project_id_scoped_token_with_user_domain_name()[source]
test_project_id_scoped_token_with_user_id()[source]
test_project_id_scoped_token_with_user_id_unauthorized()[source]
test_remote_user_and_explicit_external()[source]
test_remote_user_and_password()[source]
test_remote_user_bad_password()[source]
test_remote_user_no_domain()[source]
test_remote_user_no_realm()[source]
test_unscoped_token_with_user_domain_id()[source]
test_unscoped_token_with_user_domain_name()[source]
test_unscoped_token_with_user_id()[source]
test_user_and_group_roles_scoped_token()[source]

Test correct roles are returned in scoped token.

Test Plan:

  • Create a domain, with 1 project, 2 users (user1 and user2) and 2 groups (group1 and group2)
  • Make user1 a member of group1, user2 a member of group2
  • Create 8 roles, assigning them to each of the 8 combinations of users/groups on domain/project
  • Get a project scoped token for user1, checking that the right two roles are returned (one directly assigned, one by virtue of group membership)
  • Repeat this for a domain scoped token
  • Make user1 also a member of group2
  • Get another scoped token making sure the additional role shows up
  • User2 is just here as a spoiler, to make sure we don’t get any roles uniquely assigned to it returned in any of our tokens
test_v2_v3_bind_token_intermix()[source]
test_validate_v2_scoped_token_with_v3_api()[source]
test_validate_v2_unscoped_token_with_v3_api()[source]
test_verify_with_bound_token()[source]
class keystone.tests.unit.test_v3_auth.TestAuthContext(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_identity_attribute_conflict()[source]
test_identity_attribute_conflict_with_none_value()[source]
test_non_identity_attribute_conflict_override()[source]
test_pick_lowest_expires_at()[source]
class keystone.tests.unit.test_v3_auth.TestAuthExternalDefaultDomain(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

config_overrides()[source]
content_type = 'json'
test_project_id_scoped_with_remote_user()[source]
test_remote_user_with_default_domain()[source]
test_unscoped_bind_with_remote_user()[source]
class keystone.tests.unit.test_v3_auth.TestAuthExternalDisabled(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

config_overrides()[source]
test_remote_user_disabled()[source]
class keystone.tests.unit.test_v3_auth.TestAuthExternalDomain(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

config_overrides()[source]
content_type = 'json'
test_project_id_scoped_with_remote_user()[source]
test_remote_user_with_realm()[source]
test_unscoped_bind_with_remote_user()[source]
class keystone.tests.unit.test_v3_auth.TestAuthFernetTokenProvider(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_auth.TestAuth

config_overrides()[source]
setUp()[source]
test_auth_with_bind_token()[source]
test_v2_v3_bind_token_intermix()[source]
test_verify_with_bound_token()[source]
class keystone.tests.unit.test_v3_auth.TestAuthInfo(*args, **kwargs)[source]

Bases: keystone.tests.common.auth.AuthTestMixin, testtools.testcase.TestCase

setUp()[source]
test_both_project_and_domain_in_scope()[source]
test_get_method_data_invalid_method()[source]
test_get_method_names_duplicates()[source]
test_missing_auth_method_data()[source]
test_missing_auth_methods()[source]
test_project_name_no_domain()[source]
test_unsupported_auth_method()[source]
class keystone.tests.unit.test_v3_auth.TestAuthJSONExternal(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

auth_plugin_config_override(methods=None, **method_classes)[source]
content_type = 'json'
test_remote_user_no_method()[source]
class keystone.tests.unit.test_v3_auth.TestAuthKerberos(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_auth.TestAuthExternalDomain

config_overrides()[source]
class keystone.tests.unit.test_v3_auth.TestAuthSpecificData(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

test_get_catalog_domain_scoped_token()[source]

Call GET /auth/catalog with a domain-scoped token.

test_get_catalog_no_token()[source]

Call GET /auth/catalog without a token.

test_get_catalog_project_scoped_token()[source]

Call GET /auth/catalog with a project-scoped token.

test_get_catalog_unscoped_token()[source]

Call GET /auth/catalog with an unscoped token.

test_get_domains_project_scoped_token()[source]
test_get_projects_project_scoped_token()[source]
class keystone.tests.unit.test_v3_auth.TestAuthTOTP(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

auth_plugin_config_override()[source]
cleanup()[source]
setUp()[source]
test_with_a_corrupt_totp_credential()[source]
test_with_a_valid_passcode()[source]
test_with_an_invalid_passcode_and_user_credentials()[source]
test_with_an_invalid_passcode_with_no_user_credentials()[source]
test_with_multiple_credentials()[source]
test_with_multiple_users()[source]
test_with_multiple_users_and_invalid_credentials()[source]

Prevent logging in with someone else’s credentials.

It’s very easy to forget to limit the credentials query by user. Let’s just test it for a sanity check.

test_with_username_and_domain_id()[source]
class keystone.tests.unit.test_v3_auth.TestFernetTokenAPIs(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_auth.TokenAPITests, keystone.tests.unit.test_v3_auth.TokenDataTests

config_overrides()[source]
setUp()[source]
test_validate_tampered_project_scoped_token_fails()[source]
test_validate_tampered_trust_scoped_token_fails()[source]
test_validate_tampered_unscoped_token_fails()[source]
class keystone.tests.unit.test_v3_auth.TestFetchRevocationList(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test fetch token revocation list on the v3 Identity API.

config_overrides()[source]
test_audit_id_only_no_tokens()[source]
test_audit_id_only_token()[source]
test_ids_no_tokens()[source]
test_ids_token()[source]
class keystone.tests.unit.test_v3_auth.TestPKITokenAPIs(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_auth.TokenAPITests, keystone.tests.unit.test_v3_auth.TokenDataTests

config_overrides()[source]
setUp()[source]
test_v3_token_id()[source]
test_v3_v2_hashed_pki_token_intermix()[source]
verify_token(*args, **kwargs)[source]
class keystone.tests.unit.test_v3_auth.TestPKIZTokenAPIs(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_auth.TestPKITokenAPIs

config_overrides()[source]
verify_token(*args, **kwargs)[source]
class keystone.tests.unit.test_v3_auth.TestTokenRevokeApi(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_auth.TestTokenRevokeById

Test token revocation on the v3 Identity API.

assertDomainAndProjectInList(events_response, domain_id)[source]
assertEventDataInList(events, **kwargs)[source]
assertValidDeletedProjectResponse(events_response, project_id)[source]
assertValidRevokedTokenResponse(events_response, **kwargs)[source]
config_overrides()[source]
test_disable_domain_shows_in_event_list()[source]
test_list_delete_project_shows_in_event_list()[source]
test_list_delete_token_shows_in_event_list()[source]
test_list_with_filter()[source]
test_revoke_by_id_false_returns_gone()[source]
test_revoke_token()[source]
test_revoke_v2_token()[source]
class keystone.tests.unit.test_v3_auth.TestTokenRevokeByAssignment(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_auth.TestTokenRevokeById

config_overrides()[source]
test_removing_role_assignment_keeps_other_project_token_groups()[source]

Test assignment isolation.

Revoking a group role from one project should not invalidate all group users’ tokens

class keystone.tests.unit.test_v3_auth.TestTokenRevokeById(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test token revocation on the v3 Identity API.

config_overrides()[source]
get_v2_token(token=None, project_id=None)[source]
role_data_fixtures()[source]
setUp()[source]

Setup for Token Revoking Test Cases.

As well as the usual housekeeping, create a set of domains, users, groups, roles and projects for the subsequent tests:

  • Two domains: A & B
  • Three users (1, 2 and 3)
  • Three groups (1, 2 and 3)
  • Two roles (1 and 2)
  • DomainA owns user1, domainB owns user2 and user3
  • DomainA owns group1 and group2, domainB owns group3
  • User1 and user2 are members of group1
  • User3 is a member of group2
  • Two projects: A & B, both in domainA
  • Group1 has role1 on Project A and B, meaning that user1 and user2 will get these roles by virtue of membership
  • User1, 2 and 3 have role1 assigned to projectA
  • Group1 has role1 on Project A and B, meaning that user1 and user2 will get role1 (duplicated) by virtue of membership
  • User1 has role2 assigned to domainA
test_deleting_group_grant_revokes_tokens()[source]

Test deleting a group grant revokes tokens.

Test Plan:

  • Get a token for user1, scoped to ProjectA
  • Get a token for user2, scoped to ProjectA
  • Get a token for user3, scoped to ProjectA
  • Delete the grant group1 has on ProjectA
  • Check tokens for user1 & user2 are no longer valid, since user1 and user2 are members of group1
  • Check token for user3 is invalid too
test_deleting_project_deletes_grants()[source]
test_deleting_project_revokes_token()[source]
test_deleting_role_revokes_token()[source]

Test deleting a role revokes token.

Add some additional test data, namely:

  • A third project (project C)
  • Three additional users - user4 owned by domainB and user5 and 6 owned by domainA (different domain ownership should not affect the test results, just provided to broaden test coverage)
  • User5 is a member of group1
  • Group1 gets an additional assignment - role1 on projectB as well as its existing role1 on projectA
  • User4 has role2 on Project C
  • User6 has role1 on projectA and domainA
  • This allows us to create 5 tokens by virtue of different types of role assignment: - user1, scoped to ProjectA by virtue of user role1 assignment - user5, scoped to ProjectB by virtue of group role1 assignment - user4, scoped to ProjectC by virtue of user role2 assignment - user6, scoped to ProjectA by virtue of user role1 assignment - user6, scoped to DomainA by virtue of user role1 assignment
  • role1 is then deleted
  • Check the tokens on Project A and B, and DomainA are revoked, but not the one for Project C
test_deleting_user_grant_revokes_token()[source]

Test deleting a user grant revokes token.

Test Plan:

  • Get a token for user1, scoped to ProjectA
  • Delete the grant user1 has on ProjectA
  • Check token is no longer valid
test_disabling_project_revokes_token()[source]
test_domain_group_role_assignment_maintains_token()[source]

Test domain-group role assignment maintains existing token.

Test Plan:

  • Get a token for user1, scoped to ProjectA
  • Create a grant for group1 on DomainB
  • Check token is still longer valid
test_domain_user_role_assignment_maintains_token()[source]

Test user-domain role assignment maintains existing token.

Test Plan:

  • Get a token for user1, scoped to ProjectA
  • Create a grant for user1 on DomainB
  • Check token is still valid
test_group_membership_changes_revokes_token()[source]

Test add/removal to/from group revokes token.

Test Plan:

  • Get a token for user1, scoped to ProjectA
  • Get a token for user2, scoped to ProjectA
  • Remove user1 from group1
  • Check token for user1 is no longer valid
  • Check token for user2 is still valid, even though user2 is also part of group1
  • Add user2 to group2
  • Check token for user2 is now no longer valid
test_removing_role_assignment_does_not_affect_other_users()[source]

Revoking a role from one user should not affect other users.

test_revoke_token_from_token()[source]
test_revoke_token_from_token_v2()[source]
test_revoke_v2_token_no_check()[source]
test_unscoped_token_remains_valid_after_role_assignment()[source]
class keystone.tests.unit.test_v3_auth.TestTokenRevokeSelfAndAdmin(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test token revoke using v3 Identity API by token owner and admin.

load_sample_data()[source]

Load Sample Data for Test Cases.

Two domains, domainA and domainB Two users in domainA, userNormalA and userAdminA One user in domainB, userAdminB

test_adminA_revokes_userA_token()[source]
test_adminB_fails_revoking_userA_token()[source]
test_user_revokes_own_token()[source]
class keystone.tests.unit.test_v3_auth.TestTrustAuthFernetTokenProvider(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_auth.TrustAPIBehavior, keystone.tests.unit.test_v3_auth.TestTrustChain

config_overrides()[source]
class keystone.tests.unit.test_v3_auth.TestTrustAuthPKITokenProvider(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_auth.TrustAPIBehavior, keystone.tests.unit.test_v3_auth.TestTrustChain

config_overrides()[source]
class keystone.tests.unit.test_v3_auth.TestTrustAuthPKIZTokenProvider(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_auth.TrustAPIBehavior, keystone.tests.unit.test_v3_auth.TestTrustChain

config_overrides()[source]
class keystone.tests.unit.test_v3_auth.TestTrustChain(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

assert_trust_tokens_revoked(trust_id)[source]
assert_user_authenticate(user)[source]
config_overrides()[source]
setUp()[source]
test_delete_broken_chain()[source]
test_delete_trust_cascade()[source]
test_intermediate_user_deleted()[source]
test_intermediate_user_disabled()[source]
test_trustor_roles_revoked()[source]
class keystone.tests.unit.test_v3_auth.TestTrustOptional(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

config_overrides()[source]
test_auth_with_scope_in_trust_forbidden()[source]
test_trusts_returns_not_found()[source]
class keystone.tests.unit.test_v3_auth.TestUUIDTokenAPIs(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_auth.TokenAPITests, keystone.tests.unit.test_v3_auth.TokenDataTests

config_overrides()[source]
setUp()[source]
test_v3_token_id()[source]
class keystone.tests.unit.test_v3_auth.TokenAPITests[source]

Bases: object

doSetUp()[source]
test_chained_implied_role_shows_in_v3_token()[source]
test_check_token()[source]
test_create_implied_role_shows_in_v3_domain_token()[source]
test_create_implied_role_shows_in_v3_project_token()[source]
test_default_fixture_scope_token()[source]
test_delete_implied_role_do_not_show_in_v3_token()[source]
test_domain_scoped_token_invalid_after_disabling_domain()[source]
test_domain_scoped_token_is_invalid_after_deleting_grant()[source]
test_domain_scoped_token_is_invalid_after_disabling_user()[source]
test_domain_scpecific_roles_do_not_show_v3_token()[source]
test_group_assigned_implied_role_shows_in_v3_token()[source]
test_implied_role_disabled_by_config()[source]
test_is_admin_token_by_ids()[source]
test_is_admin_token_by_names()[source]
test_multiple_implied_roles_show_in_v3_token()[source]
test_only_admin_project_set_acts_as_non_admin()[source]
test_project_scoped_token_invalid_after_changing_user_password()[source]
test_project_scoped_token_invalid_after_disabling_project()[source]
test_project_scoped_token_is_invalid_after_deleting_grant()[source]
test_project_scoped_token_is_invalid_after_disabling_user()[source]
test_remove_all_roles_from_scope_result_in_404()[source]
test_rescope_unscoped_token_with_trust()[source]
test_rescoping_token()[source]
test_revoke_project_scoped_token()[source]
test_revoke_trust_scoped_token()[source]
test_revoke_unscoped_token()[source]
test_token_for_non_admin_domain_same_project_name_is_not_admin()[source]
test_token_for_non_admin_project_is_not_admin()[source]
test_trust_scoped_token_invalid_after_changing_trustee_password()[source]
test_trust_scoped_token_invalid_after_changing_trustor_password()[source]
test_trust_scoped_token_invalid_after_disabled_trustor_domain()[source]
test_trust_scoped_token_is_invalid_after_disabling_trustee()[source]
test_trust_scoped_token_is_invalid_after_disabling_trustor()[source]
test_unrelated_implied_roles_do_not_change_v3_token()[source]
test_unscoped_token_is_invalid_after_changing_user_password()[source]
test_unscoped_token_is_invalid_after_disabling_user()[source]
test_unscoped_token_is_invalid_after_disabling_user_domain()[source]
test_unscoped_token_is_invalid_after_enabling_disabled_user()[source]
test_v2_token_deleted_on_v3()[source]
test_v2_v3_token_intermix()[source]
test_v2_v3_unscoped_token_intermix()[source]
test_v2_validate_domain_scoped_token_returns_unauthorized()[source]
test_v2_validate_trust_scoped_token()[source]
test_v3_v2_intermix_domain_scope_failed()[source]
test_v3_v2_intermix_domain_scoped_token_failed()[source]
test_v3_v2_intermix_new_default_domain()[source]
test_v3_v2_intermix_non_default_project_succeed()[source]
test_v3_v2_intermix_non_default_user_succeed()[source]
test_v3_v2_token_intermix()[source]
test_v3_v2_unscoped_token_intermix()[source]
test_validate_a_trust_scoped_token()[source]
test_validate_a_trust_scoped_token_impersonated()[source]
test_validate_domain_scoped_token()[source]
test_validate_missing_auth_token()[source]
test_validate_missing_subject_token()[source]
test_validate_project_scoped_token()[source]
test_validate_token()[source]
test_validate_token_nocatalog()[source]
test_validate_unscoped_token()[source]
class keystone.tests.unit.test_v3_auth.TokenDataTests[source]

Bases: object

Test the data in specific token types.

test_domain_scoped_token_format()[source]
test_extra_data_in_domain_scoped_token_fails_validation()[source]
test_extra_data_in_project_scoped_token_fails_validation()[source]
test_extra_data_in_unscoped_token_fails_validation()[source]
test_project_scoped_token_format()[source]
test_unscoped_token_format()[source]
class keystone.tests.unit.test_v3_auth.TrustAPIBehavior(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Redelegation valid and secure

Redelegation is a hierarchical structure of trusts between initial trustor and a group of users allowed to impersonate trustor and act in his name. Hierarchy is created in a process of trusting already trusted permissions and organized as an adjacency list using ‘redelegated_trust_id’ field. Redelegation is valid if each subsequent trust in a chain passes ‘not more’ permissions than being redelegated.

Trust constraints are:
  • roles - set of roles trusted by trustor
  • expiration_time
  • allow_redelegation - a flag
  • redelegation_count - decreasing value restricting length of trust chain
  • remaining_uses - DISALLOWED when allow_redelegation == True
Trust becomes invalid in case:
  • trust roles were revoked from trustor
  • one of the users in the delegation chain was disabled or deleted
  • expiration time passed
  • one of the parent trusts has become invalid
  • one of the parent trusts was deleted
assertTrustTokensRevoked(trust_id)[source]
config_overrides()[source]
disable_user(user)[source]
setUp()[source]
test_change_password_invalidates_trust_tokens()[source]
test_consume_trust_once()[source]
test_create_one_time_use_trust()[source]
test_create_trust_no_roles()[source]
test_create_unlimited_use_trust()[source]
test_create_unscoped_trust()[source]
test_delete_trust()[source]
test_delete_trust_revokes_tokens()[source]
test_depleted_redelegation_count_error()[source]
test_do_not_consume_remaining_uses_when_get_token_fails()[source]
test_impersonation_token_cannot_create_new_trust()[source]
test_max_redelegation_count_constraint()[source]
test_modified_redelegation_count_error()[source]
test_redelegate_new_role_fails()[source]
test_redelegate_with_role_by_name()[source]
test_redelegation_expiry()[source]
test_redelegation_remaining_uses()[source]
test_redelegation_terminator()[source]
test_redelegation_without_impersonation()[source]
test_roles_subset()[source]
test_trust_chained()[source]

Test that a trust token can’t be used to execute another trust.

To do this, we create an A->B->C hierarchy of trusts, then attempt to execute the trusts in series (C->B->A).

test_trust_deleted_grant()[source]
test_trust_get_token_fails_if_trustee_disabled()[source]
test_trust_get_token_fails_if_trustor_disabled()[source]
test_trustee_can_do_role_ops()[source]

keystone.tests.unit.test_v3_catalog module

class keystone.tests.unit.test_v3_catalog.CatalogTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test service & endpoint CRUD.

test_create_endpoint_enabled_false()[source]

Call POST /endpoints with enabled: false.

test_create_endpoint_enabled_str_false()[source]

Call POST /endpoints with enabled: ‘False’.

test_create_endpoint_enabled_str_random()[source]

Call POST /endpoints with enabled: ‘puppies’.

test_create_endpoint_enabled_str_true()[source]

Call POST /endpoints with enabled: ‘True’.

test_create_endpoint_enabled_true()[source]

Call POST /endpoints with enabled: true.

test_create_endpoint_no_enabled()[source]

Call POST /endpoints.

test_create_endpoint_on_v2()[source]
test_create_endpoint_with_empty_url()[source]

Call POST /endpoints.

test_create_endpoint_with_invalid_region_id()[source]

Call POST /endpoints.

test_create_endpoint_with_no_region()[source]

EndpointV3 allows to creates the endpoint without region.

test_create_endpoint_with_region()[source]

EndpointV3 creates the region before creating the endpoint.

This occurs when endpoint is provided with ‘region’ and no ‘region_id’.

test_create_region()[source]

Call POST /regions with an ID in the request body.

test_create_region_with_conflicting_ids()[source]

Call PUT /regions/{region_id} with conflicting region IDs.

test_create_region_with_duplicate_id()[source]

Call PUT /regions/{region_id}.

test_create_region_with_empty_id()[source]

Call POST /regions with an empty ID in the request body.

test_create_region_with_id()[source]

Call PUT /regions/{region_id} w/o an ID in the request body.

test_create_region_with_matching_ids()[source]

Call PUT /regions/{region_id} with an ID in the request body.

test_create_region_without_description()[source]

Call POST /regions without description in the request body.

test_create_region_without_id()[source]

Call POST /regions without an ID in the request body.

test_create_regions_with_same_description_string()[source]

Call POST /regions with duplicate descriptions.

test_create_regions_without_descriptions()[source]

Call POST /regions with no description.

test_create_service()[source]

Call POST /services.

test_create_service_enabled_false()[source]

Call POST /services.

test_create_service_enabled_str_false()[source]

Call POST /services.

test_create_service_enabled_str_random()[source]

Call POST /services.

test_create_service_enabled_str_true()[source]

Call POST /services.

test_create_service_enabled_true()[source]

Call POST /services.

test_create_service_no_enabled()[source]

Call POST /services.

test_create_service_no_name()[source]

Call POST /services.

test_delete_endpoint()[source]

Call DELETE /endpoints/{endpoint_id}.

test_delete_region()[source]

Call DELETE /regions/{region_id}.

test_delete_service()[source]

Call DELETE /services/{service_id}.

test_deleting_endpoint_with_space_in_url()[source]
test_endpoint_create_with_invalid_url()[source]

Test the invalid cases: substitutions is not exactly right.

test_endpoint_create_with_valid_url()[source]

Create endpoint with valid url should be tested,too.

test_endpoint_create_with_valid_url_project_id()[source]

Create endpoint with valid url should be tested,too.

test_filter_list_services_by_name()[source]

Call GET /services?name=<some name>.

test_filter_list_services_by_name_with_list_limit()[source]

Call GET /services?name=<some name>.

test_filter_list_services_by_type()[source]

Call GET /services?type=<some type>.

test_get_endpoint()[source]

Call GET /endpoints/{endpoint_id}.

test_get_region()[source]

Call GET /regions/{region_id}.

test_get_service()[source]

Call GET /services/{service_id}.

test_list_endpoints()[source]

Call GET /endpoints.

test_list_endpoints_filtered_by_interface()[source]

Call GET /endpoints?interface={interface}.

test_list_endpoints_filtered_by_parent_region_id()[source]

Call GET /endpoints?region_id={region_id}.

Ensure passing the parent_region_id as filter returns an empty list.

test_list_endpoints_filtered_by_region_id()[source]

Call GET /endpoints?region_id={region_id}.

test_list_endpoints_filtered_by_service_id()[source]

Call GET /endpoints?service_id={service_id}.

test_list_endpoints_with_multiple_filters()[source]

Call GET /endpoints?interface={interface}....

Ensure passing different combinations of interface, region_id and service_id as filters will return the correct result.

test_list_endpoints_with_random_filter_values()[source]

Call GET /endpoints?interface={interface}....

Ensure passing random values for: interface, region_id and service_id will return an empty list.

test_list_regions()[source]

Call GET /regions.

test_list_regions_filtered_by_parent_region_id()[source]

Call GET /regions?parent_region_id={parent_region_id}.

test_list_services()[source]

Call GET /services.

test_update_endpoint()[source]

Call PATCH /endpoints/{endpoint_id}.

test_update_endpoint_enabled_false()[source]

Call PATCH /endpoints/{endpoint_id} with enabled: False.

test_update_endpoint_enabled_str_false()[source]

Call PATCH /endpoints/{endpoint_id} with enabled: ‘False’.

test_update_endpoint_enabled_str_random()[source]

Call PATCH /endpoints/{endpoint_id} with enabled: ‘kitties’.

test_update_endpoint_enabled_str_true()[source]

Call PATCH /endpoints/{endpoint_id} with enabled: ‘True’.

test_update_endpoint_enabled_true()[source]

Call PATCH /endpoints/{endpoint_id} with enabled: True.

test_update_region()[source]

Call PATCH /regions/{region_id}.

test_update_region_with_null_description()[source]

Call PATCH /regions/{region_id}.

test_update_region_without_description_keeps_original()[source]

Call PATCH /regions/{region_id}.

test_update_service()[source]

Call PATCH /services/{service_id}.

class keystone.tests.unit.test_v3_catalog.TestCatalogAPISQL(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Tests for the catalog Manager against the SQL backend.

config_overrides()[source]
create_endpoint(service_id, **kwargs)[source]
setUp()[source]
test_get_catalog_always_returns_service_name()[source]
test_get_catalog_ignores_endpoints_with_invalid_urls()[source]
class keystone.tests.unit.test_v3_catalog.TestCatalogAPISQLRegions(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Tests for the catalog Manager against the SQL backend.

assertValidCatalogEndpoint(entity, ref=None)[source]
config_overrides()[source]
setUp()[source]
test_get_catalog_returns_proper_endpoints_with_no_region()[source]
test_get_catalog_returns_proper_endpoints_with_region()[source]
class keystone.tests.unit.test_v3_catalog.TestCatalogAPITemplatedProject(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Templated Catalog doesn’t support full API.

Eg. No region/endpoint creation.

config_overrides()[source]
load_fixtures(fixtures)[source]
test_project_delete()[source]

Deleting a project should not result in an 500 ISE.

The EndpointFilter extension of the Catalog API will create a notification when a project is deleted (attempting to clean up project->endpoint relationships). In the case of a templated catalog, no deletions (via catalog_api.delete_association_by_project) can be performed and result in a NotImplemented exception. We catch this exception and ignore it since it is expected.

keystone.tests.unit.test_v3_credential module

class keystone.tests.unit.test_v3_credential.CredentialBaseTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

class keystone.tests.unit.test_v3_credential.CredentialTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_credential.CredentialBaseTestCase

Test credential CRUD.

setUp()[source]
test_create_credential()[source]

Call POST /credentials.

test_create_credential_with_admin_token()[source]
test_create_ec2_credential()[source]

Call POST /credentials for creating ec2 credential.

test_create_ec2_credential_with_invalid_blob()[source]

Test creating ec2 credential with invalid blob.

Call POST /credentials.

test_create_ec2_credential_with_missing_project_id()[source]

Test Creating ec2 credential with missing project_id.

Call POST /credentials.

test_create_non_ec2_credential()[source]

Test creating non-ec2 credential.

Call POST /credentials.

test_credential_api_delete_credentials_for_project()[source]
test_credential_api_delete_credentials_for_user()[source]
test_delete_credential()[source]

Call DELETE /credentials/{credential_id}.

test_get_credential()[source]

Call GET /credentials/{credential_id}.

test_get_ec2_dict_blob()[source]

Ensure non-JSON blob data is correctly converted.

test_list_credentials()[source]

Call GET /credentials.

test_list_credentials_filtered_by_type()[source]

Call GET  /credentials?type={type}.

test_list_credentials_filtered_by_type_and_user_id()[source]

Call GET  /credentials?user_id={user_id}&type={type}.

test_list_credentials_filtered_by_user_id()[source]

Call GET  /credentials?user_id={user_id}.

test_list_ec2_dict_blob()[source]

Ensure non-JSON blob data is correctly converted.

test_update_credential()[source]

Call PATCH /credentials/{credential_id}.

class keystone.tests.unit.test_v3_credential.TestCredentialEc2(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_credential.CredentialBaseTestCase

Test v3 credential compatibility with ec2tokens.

setUp()[source]
test_ec2_cannot_get_non_ec2_credential()[source]
test_ec2_create_credential()[source]

Test ec2 credential creation.

test_ec2_credential_signature_validate()[source]

Test signature validation with a v3 ec2 credential.

test_ec2_credential_signature_validate_legacy()[source]

Test signature validation with a legacy v3 ec2 credential.

test_ec2_delete_credential()[source]

Test ec2 credential deletion.

test_ec2_get_credential()[source]
test_ec2_list_credentials()[source]

Test ec2 credential listing.

class keystone.tests.unit.test_v3_credential.TestCredentialTrustScoped(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test credential with trust scoped token.

config_overrides()[source]
setUp()[source]
test_trust_scoped_ec2_credential()[source]

Test creating trust scoped ec2 credential.

Call POST /credentials.

keystone.tests.unit.test_v3_domain_config module

class keystone.tests.unit.test_v3_domain_config.DomainConfigTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test domain config support.

setUp()[source]
test_create_config()[source]

Call PUT /domains/{domain_id}/config.

test_create_config_invalid_domain()[source]

Call PUT /domains/{domain_id}/config

While creating Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

test_create_config_twice()[source]

Check multiple creates don’t throw error

test_delete_config()[source]

Call DELETE /domains{domain_id}/config.

test_delete_config_by_group()[source]

Call DELETE /domains{domain_id}/config/{group}.

test_delete_config_by_group_invalid_domain()[source]

Call DELETE /domains{domain_id}/config/{group}

While deleting Identity API-based domain config by group with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.

test_delete_config_invalid_domain()[source]

Call DELETE /domains{domain_id}/config

While deleting Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

test_get_config_by_group()[source]

Call GET & HEAD /domains{domain_id}/config/{group}.

test_get_config_by_group_invalid_domain()[source]

Call GET & HEAD /domains{domain_id}/config/{group}

While retrieving Identity API-based domain config by group with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.

test_get_config_by_option()[source]

Call GET & HEAD /domains{domain_id}/config/{group}/{option}.

test_get_config_by_option_invalid_domain()[source]

Call GET & HEAD /domains{domain_id}/config/{group}/{option}

While retrieving Identity API-based domain config by option with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.

test_get_config_default()[source]

Call GET /domains/config/default.

test_get_config_default_by_group()[source]

Call GET /domains/config/{group}/default.

test_get_config_default_by_invalid_group()[source]

Call GET for /domains/config/{bad-group}/default.

test_get_config_default_by_invalid_option()[source]

Call GET for /domains/config/{group}/{bad-option}/default.

test_get_config_default_by_option()[source]

Call GET /domains/config/{group}/{option}/default.

test_get_head_config()[source]

Call GET & HEAD for /domains{domain_id}/config.

test_get_non_existant_config()[source]

Call GET /domains{domain_id}/config when no config defined.

test_get_non_existant_config_group()[source]

Call GET /domains{domain_id}/config/{group_not_exist}.

test_get_non_existant_config_group_invalid_domain()[source]

Call GET /domains{domain_id}/config/{group_not_exist}

While retrieving non-existent Identity API-based domain config group with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

test_get_non_existant_config_invalid_domain()[source]

Call GET /domains{domain_id}/config when no config defined

While retrieving non-existent Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.

test_get_non_existant_config_option()[source]

Call GET /domains{domain_id}/config/group/{option_not_exist}.

test_get_non_existant_config_option_invalid_domain()[source]

Call GET /domains{domain_id}/config/group/{option_not_exist}

While retrieving non-existent Identity API-based domain config option with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

test_update_config()[source]

Call PATCH /domains/{domain_id}/config.

test_update_config_group()[source]

Call PATCH /domains/{domain_id}/config/{group}.

test_update_config_group_invalid_domain()[source]

Call PATCH /domains/{domain_id}/config/{group}

While updating Identity API-based domain config group with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

test_update_config_invalid_domain()[source]

Call PATCH /domains/{domain_id}/config

While updating Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

test_update_config_invalid_group()[source]

Call PATCH /domains/{domain_id}/config/{invalid_group}.

test_update_config_invalid_group_invalid_domain()[source]

Call PATCH /domains/{domain_id}/config/{invalid_group}

While updating Identity API-based domain config with an invalid group and an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

test_update_config_invalid_option()[source]

Call PATCH /domains/{domain_id}/config/{group}/{invalid}.

test_update_config_invalid_option_invalid_domain()[source]

Call PATCH /domains/{domain_id}/config/{group}/{invalid}

While updating Identity API-based domain config with an invalid option and an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

test_update_config_option()[source]

Call PATCH /domains/{domain_id}/config/{group}/{option}.

test_update_config_option_invalid_domain()[source]

Call PATCH /domains/{domain_id}/config/{group}/{option}

While updating Identity API-based domain config option with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.

keystone.tests.unit.test_v3_endpoint_policy module

class keystone.tests.unit.test_v3_endpoint_policy.EndpointPolicyTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test endpoint policy CRUD.

In general, the controller layer of the endpoint policy extension is really just marshalling the data around the underlying manager calls. Given that the manager layer is tested in depth by the backend tests, the tests we execute here concentrate on ensuring we are correctly passing and presenting the data.

assert_head_and_get_return_same_response(url, expected_status)[source]
setUp()[source]
test_crud_for_policy_for_explicit_endpoint()[source]

PUT, HEAD and DELETE for explicit endpoint policy.

test_crud_for_policy_for_region_and_service()[source]

PUT, HEAD and DELETE for region and service endpoint policy.

test_crud_for_policy_for_service()[source]

PUT, HEAD and DELETE for service endpoint policy.

test_endpoint_association_cleanup_when_endpoint_deleted()[source]
test_get_policy_for_endpoint()[source]

GET /endpoints/{endpoint_id}/policy.

test_list_endpoints_for_policy()[source]

GET /policies/%(policy_id}/endpoints.

test_region_service_association_cleanup_when_region_deleted()[source]
test_region_service_association_cleanup_when_service_deleted()[source]
test_service_association_cleanup_when_policy_deleted()[source]
test_service_association_cleanup_when_service_deleted()[source]
class keystone.tests.unit.test_v3_endpoint_policy.JsonHomeTests[source]

Bases: keystone.tests.unit.test_v3.JsonHomeTestMixin

EXTENSION_LOCATION = 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel'
JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy': {'href-template': '/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/service_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}', 'href-vars': {'service_id': 'http://docs.openstack.org/api/openstack-identity/3/param/service_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/policy_endpoints': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints', 'href-vars': {'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/region_and_service_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}', 'href-vars': {'service_id': 'http://docs.openstack.org/api/openstack-identity/3/param/service_id', 'region_id': 'http://docs.openstack.org/api/openstack-identity/3/param/region_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}}
PARAM_LOCATION = 'http://docs.openstack.org/api/openstack-identity/3/param'

keystone.tests.unit.test_v3_federation module

class keystone.tests.unit.test_v3_federation.FederatedIdentityProviderTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

A test class for Identity Providers.

base_url(suffix=None)[source]
default_body = {'enabled': True, 'description': None}
idp_keys = ['description', 'enabled']
test_assign_protocol_to_idp()[source]

Assign a protocol to existing IdP.

test_assign_protocol_to_nonexistent_idp()[source]

Assign protocol to IdP that doesn’t exist.

Expect HTTP 404 Not Found code.

test_check_idp_uniqueness()[source]

Add same IdP twice.

Expect HTTP 409 Conflict code for the latter call.

test_create_idp()[source]

Creates the IdentityProvider entity associated to remote_ids.

test_create_idp_remote()[source]

Creates the IdentityProvider entity associated to remote_ids.

test_create_idp_remote_empty()[source]

Creates an IdP with empty remote_ids.

test_create_idp_remote_none()[source]

Creates an IdP with a None remote_ids.

test_create_idp_remote_repeated()[source]

Creates two IdentityProvider entities with some remote_ids

A remote_id is the same for both so the second IdP is not created because of the uniqueness of the remote_ids

Expect HTTP 409 Conflict code for the latter call.

test_delete_existing_idp()[source]

Create and later delete IdP.

Expect HTTP 404 Not Found for the GET IdP call.

test_delete_idp_also_deletes_assigned_protocols()[source]

Deleting an IdP will delete its assigned protocol.

test_delete_nonexisting_idp()[source]

Delete nonexisting IdP.

Expect HTTP 404 Not Found for the GET IdP call.

test_delete_protocol()[source]

Delete protocol.

Expect HTTP 404 Not Found code for the GET call after the protocol is deleted.

test_filter_list_idp_by_enabled()[source]
test_filter_list_idp_by_id()[source]
test_get_idp()[source]

Create and later fetch IdP.

test_get_nonexisting_idp()[source]

Fetch nonexisting IdP entity.

Expected HTTP 404 Not Found status code.

test_get_protocol()[source]

Create and later fetch protocol tied to IdP.

test_list_idps(iterations=5)[source]

Lists all available IdentityProviders.

This test collects ids of created IdPs and intersects it with the list of all available IdPs. List of all IdPs can be a superset of IdPs created in this test, because other tests also create IdPs.

test_list_protocols()[source]

Create set of protocols and later list them.

Compare input and output id sets.

test_protocol_composite_pk()[source]

Test that Keystone can add two entities.

The entities have identical names, however, attached to different IdPs.

  1. Add IdP and assign it protocol with predefined name
  2. Add another IdP and assign it a protocol with same name.

Expect HTTP 201 code

test_protocol_idp_pk_uniqueness()[source]

Test whether Keystone checks for unique idp/protocol values.

Add same protocol twice, expect Keystone to reject a latter call and return HTTP 409 Conflict code.

test_update_idp_clean_remote_ids()[source]

Update IdP’s remote_ids parameter with an empty list.

test_update_idp_immutable_attributes()[source]

Update IdP’s immutable parameters.

Expect HTTP BAD REQUEST.

test_update_idp_mutable_attributes()[source]

Update IdP’s mutable parameters.

test_update_idp_remote_ids()[source]

Update IdP’s remote_ids parameter.

test_update_idp_remote_repeated()[source]

Update an IdentityProvider entity reusing a remote_id.

A remote_id is the same for both so the second IdP is not updated because of the uniqueness of the remote_ids.

Expect HTTP 409 Conflict code for the latter call.

test_update_nonexistent_idp()[source]

Update nonexistent IdP

Expect HTTP 404 Not Found code.

test_update_protocols_attribute()[source]

Update protocol’s attribute.

class keystone.tests.unit.test_v3_federation.FederatedSetupMixin[source]

Bases: object

ACTION = 'authenticate'
ASSERTION_PREFIX = 'PREFIX_'
AUTH_METHOD = 'saml2'
IDP = 'ORG_IDP'
IDP_WITH_REMOTE = 'ORG_IDP_REMOTE'
PROTOCOL = 'saml2'
REMOTE_IDS = ['entityID_IDP1', 'entityID_IDP2']
REMOTE_ID_ATTR = 'bb03101f399a4f75b149a8ea1819c046'
UNSCOPED_V3_SAML2_REQ = {'identity': {'methods': ['saml2'], 'saml2': {'identity_provider': 'ORG_IDP', 'protocol': 'saml2'}}}
USER = 'user@ORGANIZATION'
assertValidMappedUser(token)[source]

Check if user object meets all the criteria.

idp_ref(id=None)[source]
load_federation_sample_data()[source]

Inject additional data.

mapping_ref(rules=None)[source]
proto_ref(mapping_id=None)[source]
class keystone.tests.unit.test_v3_federation.FederatedTokenTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_federation.FederatedSetupMixin

auth_plugin_config_override()[source]
load_fixtures(fixtures)[source]
setUp()[source]
test_assertion_prefix_parameter()[source]

Test parameters filtering based on the prefix.

With assertion_prefix set to fixed, non default value, issue an unscoped token from assertion EMPLOYEE_ASSERTION_PREFIXED. Expect server to return unscoped token.

test_assertion_prefix_parameter_expect_fail()[source]

Test parameters filtering based on the prefix.

With assertion_prefix default value set to empty string issue an unscoped token from assertion EMPLOYEE_ASSERTION. Next, configure assertion_prefix to value UserName. Try issuing unscoped token with EMPLOYEE_ASSERTION. Expect server to raise exception.Unathorized exception.

test_empty_blacklist_passess_all_values()[source]

Test a mapping with empty blacklist specified

Not adding a blacklist keyword to the mapping rules has the same effect as adding an empty blacklist. In both cases, the mapping engine will not discard any groups that are associated with apache environment variables.

This test checks scenario where an empty blacklist was specified. Expected result is to allow any value.

The test scenario is as follows:
  • Create group EXISTS
  • Create group NO_EXISTS
  • Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
  • Issue unscoped token with groups EXISTS and NO_EXISTS assigned
test_empty_whitelist_discards_all_values()[source]

Test that empty whitelist blocks all the values

Not adding a whitelist keyword to the mapping value is different than adding empty whitelist. The former case will simply pass all the values, whereas the latter would discard all the values.

This test checks scenario where an empty whitelist was specified. The expected result is that no groups are matched.

The test scenario is as follows:
  • Create group EXISTS
  • Set mapping rules for existing IdP with an empty whitelist that whould discard any values from the assertion
  • Try issuing unscoped token, expect server to raise exception.MissingGroups as no groups were matched and ephemeral user does not have any group assigned.
test_full_workflow(*args, **kwargs)[source]

Test ‘standard’ workflow for granting access tokens.

  • Issue unscoped token
  • List available projects based on groups
  • Scope token to one of available projects
test_issue_token_for_local_user_user_not_found()[source]
test_issue_token_from_rules_without_user()[source]
test_issue_token_with_nonexistent_group()[source]

Inject assertion that matches rule issuing bad group id.

Expect server to find out that some groups are missing in the backend and raise exception.MappedGroupNotFound exception.

test_issue_unscoped_token()[source]
test_issue_unscoped_token_disabled_idp()[source]

Checks if authentication works with disabled identity providers.

Test plan: 1) Disable default IdP 2) Try issuing unscoped token for that IdP 3) Expect server to forbid authentication

test_issue_unscoped_token_for_local_user()[source]
test_issue_unscoped_token_group_names_in_mapping()[source]
test_issue_unscoped_token_malformed_environment()[source]

Test whether non string objects are filtered out.

Put non string objects into the environment, inject correct assertion and try to get an unscoped token. Expect server not to fail on using split() method on non string objects and return token id in the HTTP header.

test_issue_unscoped_token_no_groups()[source]
test_issue_unscoped_token_notify()[source]
test_issue_unscoped_token_with_remote()[source]
test_issue_unscoped_token_with_remote_default_overwritten()[source]

Test that protocol remote_id_attribute has higher priority.

Make sure the parameter stored under protocol section has higher priority over parameter from default federation configuration section.

test_issue_unscoped_token_with_remote_different()[source]
test_issue_unscoped_token_with_remote_no_attribute()[source]
test_issue_unscoped_token_with_remote_unavailable()[source]
test_issue_unscoped_token_with_remote_user_as_empty_string()[source]
test_issue_unscoped_token_with_saml2_remote()[source]
test_issue_unscoped_tokens_nonexisting_group()[source]
test_list_domains()[source]
test_list_projects()[source]
test_list_projects_for_inherited_project_assignment()[source]
test_lists_with_missing_group_in_backend()[source]

Test a mapping that points to a group that does not exist

For explicit mappings, we expect the group to exist in the backend, but for lists, specifically blacklists, a missing group is expected as many groups will be specified by the IdP that are not Keystone groups.

The test scenario is as follows:
  • Create group EXISTS
  • Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
  • Issue unscoped token with on group EXISTS id in it
test_not_adding_blacklist_passess_all_values()[source]

Test a mapping without blacklist specified.

Not adding a blacklist keyword to the mapping rules has the same effect as adding an empty blacklist. In both cases all values will be accepted and passed.

This test checks scenario where an blacklist was not specified. Expected result is to allow any value.

The test scenario is as follows:
  • Create group EXISTS
  • Create group NO_EXISTS
  • Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
  • Issue unscoped token with on groups EXISTS and NO_EXISTS assigned
test_not_setting_whitelist_accepts_all_values()[source]

Test that not setting whitelist passes

Not adding a whitelist keyword to the mapping value is different than adding empty whitelist. The former case will simply pass all the values, whereas the latter would discard all the values.

This test checks a scenario where a whitelist was not specified. Expected result is that no groups are ignored.

The test scenario is as follows:
  • Create group EXISTS
  • Set mapping rules for existing IdP with an empty whitelist that whould discard any values from the assertion
  • Issue an unscoped token and make sure ephemeral user is a member of two groups.
test_scope_to_bad_project()[source]

Scope unscoped token with a project we don’t have access to.

test_scope_to_domain_multiple_tokens()[source]

Issue multiple tokens scoping to different domains.

The new tokens should be scoped to:

  • domainA
  • domainB
  • domainC
test_scope_to_domain_once()[source]
test_scope_to_domain_with_only_inherited_roles_fails()[source]

Try to scope to a domain that has no direct roles.

test_scope_to_project_multiple_times()[source]

Try to scope the unscoped token multiple times.

The new tokens should be scoped to:

  • Customers’ project
  • Employees’ project
test_scope_to_project_once()[source]
test_scope_to_project_once_notify()[source]
test_scope_to_project_with_only_inherited_roles()[source]

Try to scope token whose only roles are inherited.

test_scope_token_from_nonexistent_unscoped_token()[source]

Try to scope token from non-existent unscoped token.

test_scope_token_with_idp_disabled()[source]

Scope token issued by disabled IdP.

Try scoping the token issued by an IdP which is disabled now. Expect server to refuse scoping operation.

This test confirms correct behaviour when IdP was enabled and unscoped token was issued, but disabled before user tries to scope the token. Here we assume the unscoped token was already issued and start from the moment where IdP is being disabled and unscoped token is being used.

Test plan: 1) Disable IdP 2) Try scoping unscoped token

test_scoped_token_has_user_domain()[source]
test_unscoped_token_has_user_domain()[source]
test_user_name_and_id_in_federation_token()[source]
test_v2_auth_with_federation_token_fails()[source]

Test that using a federation token with v2 auth fails.

If an admin sets up a federated Keystone environment, and a user incorrectly configures a service (like Nova) to only use v2 auth, the returned message should be informative.

test_workflow_with_groups_deletion()[source]

Test full workflow with groups deletion before token scoping.

The test scenario is as follows:
  • Create group group
  • Create and assign roles to group and project_all
  • Patch mapping rules for existing IdP so it issues group id
  • Issue unscoped token with group‘s id
  • Delete group group
  • Scope token to project_all
  • Expect HTTP 500 response
class keystone.tests.unit.test_v3_federation.FederatedTokenTestsMethodToken(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_federation.FederatedTokenTests

Test federation operation with unified scoping auth method.

Test all the operations with auth method set to token as a new, unified way for scoping all the tokens.

AUTH_METHOD = 'token'
auth_plugin_config_override()[source]
test_full_workflow(*args, **kwargs)[source]

Test ‘standard’ workflow for granting access tokens.

  • Issue unscoped token
  • List available projects based on groups
  • Scope token to one of available projects
class keystone.tests.unit.test_v3_federation.FederatedUserTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_federation.FederatedSetupMixin

Tests for federated users

Tests new shadow users functionality

auth_plugin_config_override()[source]
load_fixtures(fixtures)[source]
setUp()[source]
test_user_id_persistense()[source]

Ensure user_id is persistend for multiple federated authn calls.

class keystone.tests.unit.test_v3_federation.FederationTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

test_exception_happens(*args, **keywargs)[source]
class keystone.tests.unit.test_v3_federation.FernetFederatedTokenTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3_federation.FederatedSetupMixin

AUTH_METHOD = 'token'
auth_plugin_config_override()[source]
config_overrides()[source]
load_fixtures(fixtures)[source]
test_federated_unscoped_token()[source]
test_federated_unscoped_token_with_multiple_groups()[source]
test_fernet_full_workflow()[source]

Test ‘standard’ workflow for granting Fernet access tokens.

  • Issue unscoped token
  • List available projects based on groups
  • Scope token to one of available projects
test_validate_federated_unscoped_token()[source]
class keystone.tests.unit.test_v3_federation.IdPMetadataGenerationTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

A class for testing Identity Provider Metadata generation.

METADATA_URL = '/OS-FEDERATION/saml2/metadata'
config_overrides()[source]
setUp()[source]
test_check_entity_id()[source]
test_check_idp_sso()[source]
test_get_metadata()[source]
test_get_metadata_with_no_metadata_file_configured()[source]
test_metadata_invalid_contact_type()[source]
test_metadata_invalid_idp_entity_id()[source]
test_metadata_invalid_idp_sso_endpoint()[source]
test_metadata_no_contact_person()[source]
test_metadata_no_organization()[source]
test_metadata_validity()[source]

Call md.EntityDescriptor method that does internal verification.

test_serialize_metadata_object()[source]

Check whether serialization doesn’t raise any exceptions.

class keystone.tests.unit.test_v3_federation.JsonHomeTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3.JsonHomeTestMixin

JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider': {'href-template': '/OS-FEDERATION/identity_providers/{idp_id}', 'href-vars': {'idp_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/param/idp_id'}}}
class keystone.tests.unit.test_v3_federation.K2KServiceCatalogTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

SP1 = 'SP1'
SP2 = 'SP2'
SP3 = 'SP3'
setUp()[source]
sp_ref()[source]
sp_response(id, ref)[source]
test_no_service_providers_in_token()[source]

Test service catalog with disabled service providers.

There should be no entry service_providers in the catalog. Test passes providing no attribute was raised.

test_service_providers_in_token()[source]

Check if service providers are listed in service catalog.

test_service_provides_in_token_disabled_sp()[source]

Test behaviour with disabled service providers.

Disabled service providers should not be listed in the service catalog.

class keystone.tests.unit.test_v3_federation.MappingCRUDTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

A class for testing CRUD operations for Mappings.

MAPPING_URL = '/OS-FEDERATION/mappings/'
assertValidMapping(entity, ref=None)[source]
assertValidMappingListResponse(resp, *args, **kwargs)[source]
assertValidMappingResponse(resp, *args, **kwargs)[source]
test_create_mapping_bad_requirements()[source]
test_create_mapping_bad_value()[source]
test_create_mapping_empty_map()[source]
test_create_mapping_extra_remote_properties_any_one_of()[source]
test_create_mapping_extra_remote_properties_just_type()[source]
test_create_mapping_extra_remote_properties_not_any_of()[source]
test_create_mapping_extra_rules_properties()[source]
test_create_mapping_missing_local()[source]
test_create_mapping_missing_type()[source]
test_create_mapping_no_remote_objects()[source]
test_create_mapping_no_rules()[source]
test_create_mapping_with_bad_user_type()[source]
test_create_mapping_with_blacklist_and_whitelist()[source]

Test for adding whitelist and blacklist in the rule

Server should respond with HTTP 400 Bad Request error upon discovering both whitelist and blacklist keywords in the same rule.

test_create_mapping_with_ephemeral()[source]
test_create_mapping_with_local_user_and_local_domain()[source]
test_create_mapping_wrong_type()[source]
test_delete_mapping_dne()[source]
test_get_mapping_dne()[source]
test_mapping_create()[source]
test_mapping_delete()[source]
test_mapping_get()[source]
test_mapping_list()[source]
test_mapping_update()[source]
class keystone.tests.unit.test_v3_federation.SAMLGenerationTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

ASSERTION_FILE = 'signed_saml2_assertion.xml'
ASSERTION_VERSION = '2.0'
ECP_GENERATION_ROUTE = '/auth/OS-FEDERATION/saml2/ecp'
ISSUER = 'https://acme.com/FIM/sps/openstack/saml20'
PROJECT = 'development'
PROJECT_DOMAIN = 'project_domain'
RECIPIENT = 'http://beta.com/Shibboleth.sso/SAML2/POST'
ROLES = ['admin', 'member']
SAML_GENERATION_ROUTE = '/auth/OS-FEDERATION/saml2'
SERVICE_PROVDIER_ID = 'ACME'
SP_AUTH_URL = 'http://beta.com:5000/v3/OS-FEDERATION/identity_providers/BETA/protocols/saml2/auth'
SUBJECT = 'test_user'
SUBJECT_DOMAIN = 'user_domain'
setUp()[source]
sp_ref()[source]
test__sign_assertion(*args, **keywargs)[source]
test__sign_assertion_exc(*args, **keywargs)[source]
test__sign_assertion_fileutils_exc(*args, **keywargs)[source]
test_assertion_using_explicit_namespace_prefixes()[source]
test_generate_ecp_route()[source]

Test that the ECP generation endpoint produces XML.

The ECP endpoint /v3/auth/OS-FEDERATION/saml2/ecp should take the same input as the SAML generation endpoint (scoped token ID + Service Provider ID). The controller should return a SAML assertion that is wrapped in a SOAP envelope.

test_generate_saml_route()[source]

Test that the SAML generation endpoint produces XML.

The SAML endpoint /v3/auth/OS-FEDERATION/saml2 should take as input, a scoped token ID, and a Service Provider ID. The controller should fetch details about the user from the token, and details about the service provider from its ID. This should be enough information to invoke the SAML generator and provide a valid SAML (XML) document back.

test_invalid_scope_body()[source]

Test that missing the scope in request body raises an exception.

Raises exception.SchemaValidationError() - error 400 Bad Request

test_invalid_token_body()[source]

Test that missing the token in request body raises an exception.

Raises exception.SchemaValidationError() - error 400 Bad Request

test_not_project_scoped_token()[source]

Ensure SAML generation fails when passing domain-scoped tokens.

The server should return a 403 Forbidden Action.

test_saml_signing()[source]

Test that the SAML generator produces a SAML object.

Test the SAML generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.

test_samlize_token_values()[source]

Test the SAML generator produces a SAML object.

Test the SAML generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.

test_sp_disabled()[source]

Try generating assertion for disabled Service Provider.

test_sp_not_found()[source]

Test SAML generation with an invalid service provider ID.

Raises exception.ServiceProviderNotFound() - error Not Found 404

test_token_not_found()[source]

Test that an invalid token in the request body raises an exception.

Raises exception.TokenNotFound() - error Not Found 404

test_valid_saml_xml()[source]

Test the generated SAML object can become valid XML.

Test the generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.

test_verify_assertion_object()[source]

Test that the Assertion object is built properly.

The Assertion doesn’t need to be signed in this test, so _sign_assertion method is patched and doesn’t alter the assertion.

class keystone.tests.unit.test_v3_federation.ServiceProviderTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

A test class for Service Providers.

COLLECTION_NAME = 'service_providers'
MEMBER_NAME = 'service_provider'
SERVICE_PROVIDER_ID = 'ACME'
SP_KEYS = ['auth_url', 'id', 'enabled', 'description', 'relay_state_prefix', 'sp_url']
base_url(suffix=None)[source]
setUp()[source]
sp_ref()[source]
test_create_service_provider()[source]
test_create_service_provider_fail()[source]

Try adding SP object with unallowed attribute.

test_create_sp_relay_state_default()[source]

Create an SP without relay state, should default to ss:mem.

test_create_sp_relay_state_non_default()[source]

Create an SP with custom relay state.

test_delete_service_provider()[source]
test_delete_service_provider_returns_not_found()[source]
test_filter_list_sp_by_enabled()[source]
test_filter_list_sp_by_id()[source]
test_get_service_provider()[source]
test_get_service_provider_fail()[source]
test_list_service_providers()[source]

Test listing of service provider objects.

Add two new service providers. List all available service providers. Expect to get list of three service providers (one created by setUp()) Test if attributes match.

test_update_service_provider()[source]

Update existing service provider.

Update default existing service provider and make sure it has been properly changed.

test_update_service_provider_immutable_parameters()[source]

Update immutable attributes in service provider.

In this particular case the test will try to change id attribute. The server should return an HTTP 403 Forbidden error code.

test_update_service_provider_returns_not_found()[source]
test_update_service_provider_unknown_parameter()[source]
test_update_sp_relay_state()[source]

Update an SP with custom relay state.

class keystone.tests.unit.test_v3_federation.WebSSOTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_federation.FederatedTokenTests

A class for testing Web SSO.

ORIGIN = 'http%3A%2F%2Fhorizon.com'
PROTOCOL_REMOTE_ID_ATTR = '2a744323b7464ff19aaacb6726ffa79d'
SSO_TEMPLATE_NAME = 'sso_callback_template.html'
SSO_TEMPLATE_PATH = '/home/jenkins/workspace/keystone-docs-ubuntu-trusty/etc/sso_callback_template.html'
SSO_URL = '/auth/OS-FEDERATION/websso/'
TRUSTED_DASHBOARD = 'http://horizon.com'
config_overrides()[source]
setUp()[source]
test_federated_sso_auth()[source]
test_federated_sso_auth_bad_remote_id()[source]
test_federated_sso_auth_with_protocol_specific_remote_id()[source]
test_federated_sso_missing_query()[source]
test_federated_sso_missing_query_bad_remote_id()[source]
test_federated_sso_missing_remote_id()[source]
test_federated_sso_untrusted_dashboard()[source]
test_federated_sso_untrusted_dashboard_bad_remote_id()[source]
test_get_sso_origin_host_case_insensitive()[source]
test_identity_provider_specific_federated_authentication()[source]
test_render_callback_template()[source]
keystone.tests.unit.test_v3_federation.dummy_validator(*args, **kwargs)[source]

keystone.tests.unit.test_v3_filters module

class keystone.tests.unit.test_v3_filters.IdentityTestFilteredCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.filtering.FilterTests, keystone.tests.unit.test_v3.RestfulTestCase

Test filter enforcement on the v3 Identity API.

load_sample_data()[source]

Create sample data for these tests.

As well as the usual housekeeping, create a set of domains, users, roles and projects for the subsequent tests:

  • Three domains: A,B & C. C is disabled.
  • DomainA has user1, DomainB has user2 and user3
  • DomainA has group1 and group2, DomainB has group3
  • User1 has a role on DomainA

Remember that there will also be a fourth domain in existence, the default domain.

setUp()[source]

Setup for Identity Filter Test Cases.

test_filter_sql_injection_attack()[source]

GET /users?name=<injected sql_statement>

Test Plan:

  • Attempt to get all entities back by passing a two-term attribute
  • Attempt to piggyback filter to damage DB (e.g. drop table)
test_inexact_filters()[source]
test_invalid_filter_is_ignored()[source]

GET /domains?enableds&name=myname

Test Plan:

  • Update policy for no protection on api
  • Filter by name and ‘enableds’, which does not exist
  • Assert ‘enableds’ is ignored
test_list_filtered_domains()[source]

GET /domains?enabled=0

Test Plan:

  • Update policy for no protection on api
  • Filter by the ‘enabled’ boolean to get disabled domains, which should return just domainC
  • Try the filter using different ways of specifying True/False to test that our handling of booleans in filter matching is correct
test_list_users_filtered_by_domain()[source]

GET /users?domain_id=mydomain (filtered)

Test Plan:

  • Update policy so api is unprotected
  • Use an un-scoped token to make sure we can filter the users by domainB, getting back the 2 users in that domain
test_list_users_filtered_by_funny_name()[source]

GET /users?name=%myname%

Test Plan:

  • Update policy so api is unprotected
  • Update a user with name that has filter escape characters
  • Ensure we can filter on it
test_multiple_filters()[source]

GET /domains?enabled&name=myname

Test Plan:

  • Update policy for no protection on api
  • Filter by the ‘enabled’ boolean and name - this should return a single domain
class keystone.tests.unit.test_v3_filters.IdentityTestListLimitCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_filters.IdentityTestFilteredCase

Test list limiting enforcement on the v3 Identity API.

clean_up_entity(entity)[source]

Clean up entity test data from Identity Limit Test Cases.

clean_up_policy()[source]

Clean up policy test data from Identity Limit Test Cases.

clean_up_service()[source]

Clean up service test data from Identity Limit Test Cases.

content_type = 'json'
setUp()[source]

Setup for Identity Limit Test Cases.

test_at_limit()[source]

Check truncated attribute not set when list at max size.

test_groups_list_limit()[source]
test_no_limit()[source]

Check truncated attribute not set when list not limited.

test_non_driver_list_limit()[source]

Check list can be limited without driver level support.

Policy limiting is not done at the driver level (since it really isn’t worth doing it there). So use this as a test for ensuring the controller level will successfully limit in this case.

test_projects_list_limit()[source]
test_services_list_limit()[source]
test_users_list_limit()[source]

keystone.tests.unit.test_v3_identity module

class keystone.tests.unit.test_v3_identity.IdentityTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test users and groups.

setUp()[source]
test_add_user_to_group()[source]

Call PUT /groups/{group_id}/users/{user_id}.

test_admin_password_reset()[source]
test_check_user_in_group()[source]

Call HEAD /groups/{group_id}/users/{user_id}.

test_create_group()[source]

Call POST /groups.

test_create_group_bad_request()[source]

Call POST /groups.

test_create_user()[source]

Call POST /users.

test_create_user_bad_domain_id()[source]

Call POST /users.

test_create_user_bad_request()[source]

Call POST /users.

test_create_user_password_not_logged()[source]
test_create_user_with_admin_token_and_domain()[source]

Call POST /users with admin token and domain id.

test_create_user_without_domain()[source]

Call POST /users without specifying domain.

According to the identity-api specification, if you do not explicitly specific the domain_id in the entity, it should take the domain scope of the token as the domain_id.

test_delete_group()[source]

Call DELETE /groups/{group_id}.

test_delete_user()[source]

Call DELETE /users/{user_id}.

As well as making sure the delete succeeds, we ensure that any credentials that reference this user are also deleted, while other credentials are unaffected. In addition, no tokens should remain valid for this user.

test_get_group()[source]

Call GET /groups/{group_id}.

test_get_user()[source]

Call GET /users/{user_id}.

test_get_user_with_default_project()[source]

Call GET /users/{user_id} making sure of default_project_id.

test_list_groups()[source]

Call GET /groups.

test_list_groups_for_user()[source]

Call GET /users/{user_id}/groups.

test_list_users()[source]

Call GET /users.

test_list_users_in_group()[source]

Call GET /groups/{group_id}/users.

test_list_users_no_default_project()[source]

Call GET /users making sure no default_project_id.

test_list_users_with_multiple_backends()[source]

Call GET /users when multiple backends is enabled.

In this scenario, the controller requires a domain to be specified either as a filter or by using a domain scoped token.

test_remove_user_from_group()[source]

Call DELETE /groups/{group_id}/users/{user_id}.

test_shadow_existing_federated_user()[source]
test_shadow_federated_user()[source]
test_update_group()[source]

Call PATCH /groups/{group_id}.

test_update_group_domain_id()[source]

Call PATCH /groups/{group_id} with domain_id.

test_update_password_not_logged()[source]
test_update_user()[source]

Call PATCH /users/{user_id}.

test_update_user_domain_id()[source]

Call PATCH /users/{user_id} with domain_id.

test_user_management_normalized_keys()[source]

Illustrate the inconsistent handling of hyphens in keys.

To quote Morgan in bug 1526244:

the reason this is converted from “domain-id” to “domain_id” is because of how we process/normalize data. The way we have to handle specific data types for known columns requires avoiding “-” in the actual python code since “-” is not valid for attributes in python w/o significant use of “getattr” etc.

In short, historically we handle some things in conversions. The use of “extras” has long been a poor design choice that leads to odd/strange inconsistent behaviors because of other choices made in handling data from within the body. (In many cases we convert from “-” to “_” throughout openstack)

Source: https://bugs.launchpad.net/keystone/+bug/1526244/comments/9

class keystone.tests.unit.test_v3_identity.IdentityTestCaseStaticAdminToken(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

EXTENSION_TO_ADD = 'admin_token_auth'
config_overrides()[source]
test_create_user_with_admin_token_and_no_domain()[source]

Call POST /users with admin token but no domain id.

It should not be possible to use the admin token to create a user while not explicitly passing the domain in the request body.

test_list_users_with_static_admin_token_and_multiple_backends()[source]
class keystone.tests.unit.test_v3_identity.IdentityV3toV2MethodsTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Test users V3 to V2 conversion methods.

new_user_ref(**kwargs)[source]

Construct a bare bones user ref.

Omits all optional components.

setUp()[source]
test_v3_to_v2_user_method()[source]
test_v3_to_v2_user_method_list()[source]
class keystone.tests.unit.test_v3_identity.UserSelfServiceChangingPasswordsTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

change_password(expected_status, **kwargs)[source]

Returns a test response for a change password request.

get_request_token(password, expected_status)[source]
setUp()[source]
test_changing_password()[source]
test_changing_password_not_logged()[source]
test_changing_password_with_disabled_user_fails()[source]
test_changing_password_with_incorrect_password_fails()[source]
test_changing_password_with_missing_original_password_fails()[source]
test_changing_password_with_missing_password_fails()[source]

keystone.tests.unit.test_v3_oauth1 module

class keystone.tests.unit.test_v3_oauth1.AccessTokenCRUDTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.OAuthFlowTests

test_delete_access_token_dne()[source]
test_get_access_token_dne()[source]
test_get_role_in_access_token()[source]
test_get_role_in_access_token_dne()[source]
test_get_single_access_token()[source]
test_list_all_roles_in_access_token()[source]
test_list_and_delete_access_tokens()[source]
test_list_no_access_tokens()[source]
class keystone.tests.unit.test_v3_oauth1.AuthTokenTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.OAuthFlowTests

test_change_user_password_also_deletes_tokens()[source]
test_delete_access_token_also_revokes_token()[source]
test_delete_keystone_tokens_by_consumer_id()[source]
test_deleting_consumer_also_deletes_tokens()[source]
test_deleting_project_also_invalidates_tokens()[source]
test_keystone_token_is_valid()[source]
test_oauth_token_cannot_authorize_request_token()[source]
test_oauth_token_cannot_create_new_trust()[source]
test_oauth_token_cannot_list_request_tokens()[source]
test_token_chaining_is_not_allowed()[source]
test_trust_token_cannot_authorize_request_token()[source]
test_trust_token_cannot_list_request_tokens()[source]
class keystone.tests.unit.test_v3_oauth1.ConsumerCRUDTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests

test_consumer_create()[source]
test_consumer_create_no_description()[source]
test_consumer_create_none_desc_1()[source]
test_consumer_create_none_desc_2()[source]
test_consumer_create_normalize_field()[source]
test_consumer_delete()[source]
test_consumer_get()[source]
test_consumer_get_bad_id()[source]
test_consumer_list()[source]
test_consumer_update()[source]
test_consumer_update_bad_id()[source]
test_consumer_update_bad_secret()[source]
test_consumer_update_normalize_field()[source]
class keystone.tests.unit.test_v3_oauth1.FernetAuthTokenTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.AuthTokenTests

config_overrides()[source]
test_delete_keystone_tokens_by_consumer_id()[source]
class keystone.tests.unit.test_v3_oauth1.JsonHomeTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests, keystone.tests.unit.test_v3.JsonHomeTestMixin

JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers': {'href': '/OS-OAUTH1/consumers'}}
class keystone.tests.unit.test_v3_oauth1.MaliciousOAuth1Tests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests

test_bad_authorizing_roles()[source]
test_bad_consumer_id()[source]
test_bad_consumer_secret()[source]
test_bad_request_token_key()[source]
test_bad_requested_project_id()[source]
test_bad_verifier()[source]
test_expired_authorizing_request_token()[source]
test_expired_creating_keystone_token()[source]
test_missing_oauth_headers()[source]
class keystone.tests.unit.test_v3_oauth1.OAuth1ContribTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

test_exception_happens(*args, **keywargs)[source]
class keystone.tests.unit.test_v3_oauth1.OAuth1Tests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

CONSUMER_URL = '/OS-OAUTH1/consumers'
setUp()[source]
class keystone.tests.unit.test_v3_oauth1.OAuthCADFNotificationTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.OAuthNotificationTests

setUp()[source]

Repeat the tests for CADF notifications.

class keystone.tests.unit.test_v3_oauth1.OAuthFlowTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests

test_oauth_flow()[source]
class keystone.tests.unit.test_v3_oauth1.OAuthNotificationTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3_oauth1.OAuth1Tests, keystone.tests.unit.common.test_notifications.BaseNotificationTest

test_create_consumer()[source]
test_delete_consumer()[source]
test_oauth_flow_notifications()[source]

Test to ensure notifications are sent for oauth tokens

This test is very similar to test_oauth_flow, however there are additional checks in this test for ensuring that notifications for request token creation, and access token creation/deletion are emitted.

test_update_consumer()[source]

keystone.tests.unit.test_v3_os_revoke module

class keystone.tests.unit.test_v3_os_revoke.OSRevokeTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3.JsonHomeTestMixin

JSON_HOME_DATA = {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events': {'href': '/OS-REVOKE/events'}}
assertReportedEventMatchesRecorded(event, sample, before_time)[source]
test_disabled_domain_in_list()[source]
test_disabled_project_in_list()[source]
test_get_empty_list()[source]
test_list_since_invalid()[source]
test_list_since_valid()[source]
test_revoked_list_self_url()[source]
test_revoked_token_in_list()[source]
test_since_future_time_no_events()[source]

keystone.tests.unit.test_v3_policy module

class keystone.tests.unit.test_v3_policy.PolicyTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test policy CRUD.

setUp()[source]
test_create_policy()[source]

Call POST /policies.

test_delete_policy()[source]

Call DELETE /policies/{policy_id}.

test_get_policy()[source]

Call GET /policies/{policy_id}.

test_list_policies()[source]

Call GET /policies.

test_update_policy()[source]

Call PATCH /policies/{policy_id}.

keystone.tests.unit.test_v3_protection module

class keystone.tests.unit.test_v3_protection.IdentityTestPolicySample(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test policy enforcement of the policy.json file.

load_sample_data()[source]
test_admin_check_user_token()[source]
test_admin_revoke_user_token()[source]
test_admin_validate_user_token()[source]
test_user_check_other_user_token_rejected()[source]
test_user_check_same_token()[source]
test_user_check_user_token()[source]
test_user_revoke_other_user_token_rejected()[source]
test_user_revoke_same_token()[source]
test_user_revoke_user_token()[source]
test_user_validate_other_user_token_rejected()[source]
test_user_validate_same_token()[source]
test_user_validate_user_token()[source]
class keystone.tests.unit.test_v3_protection.IdentityTestProtectedCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test policy enforcement on the v3 Identity API.

load_sample_data()[source]
setUp()[source]

Setup for Identity Protection Test Cases.

As well as the usual housekeeping, create a set of domains, users, roles and projects for the subsequent tests:

  • Three domains: A,B & C. C is disabled.
  • DomainA has user1, DomainB has user2 and user3
  • DomainA has group1 and group2, DomainB has group3
  • User1 has two roles on DomainA
  • User2 has one role on DomainA

Remember that there will also be a fourth domain in existence, the default domain.

test_get_user_protected_match_id()[source]

GET /users/{id} (match payload)

Test Plan:

  • Update policy to protect api by user_id
  • List users with user_id of user1 as filter, to check that this will correctly match user_id in the flattened payload
test_get_user_protected_match_target()[source]

GET /users/{id} (match target)

Test Plan:

  • Update policy to protect api by domain_id
  • Try and read a user who is in DomainB with a token scoped to Domain A - this should fail
  • Retry this for a user who is in Domain A, which should succeed.
  • Finally, try getting a user that does not exist, which should still return UserNotFound
test_list_groups_protected_by_domain()[source]

GET /groups?domain_id=mydomain (protected)

Test Plan:

  • Update policy to protect api by domain_id
  • List groups using a token scoped to domainA and make sure we only get back the two groups that are in domainA
  • Try and read the groups from domainB - this should fail since we don’t have a token scoped for domainB
test_list_groups_protected_by_domain_and_filtered()[source]

GET /groups?domain_id=mydomain&name=myname (protected)

Test Plan:

  • Update policy to protect api by domain_id
  • List groups using a token scoped to domainA with a filter specifying both domainA and the name of group.
  • We should only get back the group in domainA that matches the name
test_list_users_filtered_by_domain()[source]

GET /users?domain_id=mydomain (filtered)

Test Plan:

  • Update policy so api is unprotected
  • Use an un-scoped token to make sure we can filter the users by domainB, getting back the 2 users in that domain
test_list_users_protected_by_domain()[source]

GET /users?domain_id=mydomain (protected)

Test Plan:

  • Update policy to protect api by domain_id
  • List groups using a token scoped to domainA with a filter specifying domainA - we should only get back the one user that is in domainA.
  • Try and read the users from domainB - this should fail since we don’t have a token scoped for domainB
test_list_users_unprotected()[source]

GET /users (unprotected)

Test Plan:

  • Update policy so api is unprotected
  • Use an un-scoped token to make sure we can get back all the users independent of domain
test_revoke_grant_protected_match_target()[source]

DELETE /domains/{id}/users/{id}/roles/{id} (match target)

Test Plan:

  • Update policy to protect api by domain_id of entities in the grant
  • Try and delete the existing grant that has a user who is from a different domain - this should fail.
  • Retry this for a user who is in Domain A, which should succeed.
class keystone.tests.unit.test_v3_protection.IdentityTestv3CloudPolicySample(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3.AssignmentTestMixin

Test policy enforcement of the sample v3 cloud policy file.

load_sample_data()[source]
setUp()[source]

Setup for v3 Cloud Policy Sample Test Cases.

The following data is created:

  • Three domains: domainA, domainB and admin_domain
  • One project, which name is ‘project’
  • domainA has three users: domain_admin_user, project_admin_user and just_a_user:
    • domain_admin_user has role ‘admin’ on domainA,
    • project_admin_user has role ‘admin’ on the project,
    • just_a_user has a non-admin role on both domainA and the project.
  • admin_domain has admin_project, and user cloud_admin_user, with an ‘admin’ role on admin_project.

We test various api protection rules from the cloud sample policy file to make sure the sample is valid and that we correctly enforce it.

test_admin_check_user_token()[source]
test_admin_project()[source]
test_admin_project_list_assignments_of_project()[source]
test_admin_project_validate_user_token()[source]
test_admin_revoke_user_token()[source]
test_admin_validate_user_token()[source]
test_cloud_admin()[source]
test_cloud_admin_list_assignments_of_domain()[source]
test_cloud_admin_list_assignments_of_project()[source]
test_domain_admin_get_domain()[source]
test_domain_admin_list_assignment_tree()[source]
test_domain_admin_list_assignments_of_another_domain_failed()[source]
test_domain_admin_list_assignments_of_domain()[source]
test_domain_admin_list_assignments_of_project(*args, **kwargs)[source]
test_domain_grants()[source]
test_domain_grants_by_cloud_admin()[source]
test_domain_grants_by_cloud_admin_for_domain_specific_role()[source]
test_domain_grants_by_domain_admin_for_domain_specific_role()[source]
test_domain_grants_by_non_admin_for_domain_specific_role()[source]
test_domain_role_management_no_admin_no_rights()[source]
test_domain_role_management_with_cloud_admin()[source]
test_domain_role_management_with_domain_admin()[source]
test_domain_role_management_with_project_admin()[source]
test_domain_user_list_assignments_of_domain_failed()[source]
test_domain_user_list_assignments_of_project_failed()[source]
test_get_and_delete_ec2_credentials()[source]

Tests getting and deleting ec2 credentials through the ec2 API.

test_list_user_credentials()[source]
test_project_admin_get_project()[source]
test_project_grants()[source]
test_project_grants_by_domain_admin()[source]
test_project_grants_by_domain_admin_for_domain_specific_role()[source]
test_project_grants_by_non_admin_for_domain_specific_role()[source]
test_project_grants_by_project_admin_for_domain_specific_role()[source]
test_project_management()[source]
test_project_management_by_cloud_admin()[source]
test_role_management_no_admin_no_rights()[source]
test_role_management_with_cloud_admin()[source]
test_role_management_with_domain_admin()[source]
test_role_management_with_project_admin()[source]
test_user_check_other_user_token_rejected()[source]
test_user_check_same_token()[source]
test_user_check_user_token()[source]
test_user_management()[source]
test_user_management_by_cloud_admin()[source]
test_user_management_normalized_keys()[source]

Illustrate the inconsistent handling of hyphens in keys.

To quote Morgan in bug 1526244:

the reason this is converted from “domain-id” to “domain_id” is because of how we process/normalize data. The way we have to handle specific data types for known columns requires avoiding “-” in the actual python code since “-” is not valid for attributes in python w/o significant use of “getattr” etc.

In short, historically we handle some things in conversions. The use of “extras” has long been a poor design choice that leads to odd/strange inconsistent behaviors because of other choices made in handling data from within the body. (In many cases we convert from “-” to “_” throughout openstack)

Source: https://bugs.launchpad.net/keystone/+bug/1526244/comments/9

test_user_revoke_other_user_token_rejected()[source]
test_user_revoke_same_token()[source]
test_user_revoke_user_token()[source]
test_user_validate_other_user_token_rejected()[source]
test_user_validate_same_token()[source]
test_user_validate_user_token()[source]
test_user_with_a_role_get_project()[source]

keystone.tests.unit.test_v3_resource module

class keystone.tests.unit.test_v3_resource.ResourceTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase, keystone.tests.unit.test_v3.AssignmentTestMixin

Test domains and projects.

test_create_domain()[source]

Call POST /domains.

test_create_domain_bad_request()[source]

Call POST /domains.

test_create_domain_case_sensitivity()[source]

Call POST /domains` twice with upper() and lower() cased name.

test_create_domain_creates_is_domain_project()[source]

Check a project that acts as a domain is created.

Call POST /domains.

test_create_domain_unsafe()[source]

Call POST /domains with unsafe names.

test_create_domain_unsafe_default()[source]

Check default for unsafe names for POST /domains.

test_create_hierarchical_project()[source]

Call POST /projects.

test_create_is_domain_project_creates_domain()[source]

Call POST /projects is_domain and check a domain is created.

test_create_project()[source]

Call POST /projects.

test_create_project_bad_request()[source]

Call POST /projects.

test_create_project_invalid_domain_id()[source]

Call POST /projects.

test_create_project_unsafe()[source]

Call POST /projects with unsafe names.

test_create_project_unsafe_default()[source]

Check default for unsafe names for POST /projects.

test_create_project_with_parent_id_and_no_domain_id(*args, **kwargs)[source]

Call POST /projects.

test_create_project_with_parent_id_none_and_domain_id_none()[source]

Call POST /projects.

test_create_project_without_parent_id_and_without_domain_id()[source]

Call POST /projects.

test_delete_default_domain()[source]
test_delete_domain()[source]

Call DELETE /domains/{domain_id}.

The sample data set up already has a user and project that is part of self.domain. Additionally we will create a group and a credential within it. Since the user we will authenticate with is in this domain, we create a another set of entities in a second domain. Deleting this second domain should delete all these new entities. In addition, all the entities in the regular self.domain should be unaffected by the delete.

Test Plan:

  • Create domain2 and a 2nd set of entities
  • Disable domain2
  • Delete domain2
  • Check entities in domain2 have been deleted
  • Check entities in self.domain are unaffected
test_delete_domain_deletes_is_domain_project()[source]

Check the project that acts as a domain is deleted.

Call DELETE /domains.

test_delete_domain_hierarchy()[source]

Call DELETE /domains/{domain_id}.

test_delete_enabled_domain_fails()[source]

Call DELETE /domains/{domain_id} (when domain enabled).

test_delete_not_leaf_project()[source]

Call DELETE /projects/{project_id}.

test_delete_project()[source]

Call DELETE /projects/{project_id}

As well as making sure the delete succeeds, we ensure that any credentials that reference this projects are also deleted, while other credentials are unaffected.

test_disable_domain()[source]

Call PATCH /domains/{domain_id} (set enabled=False).

test_disable_leaf_project()[source]

Call PATCH /projects/{project_id}.

test_disable_not_leaf_project()[source]

Call PATCH /projects/{project_id}.

test_forbid_operations_on_defined_federated_domain()[source]

Make sure one cannot operate on a user-defined federated domain.

This includes operations like create, update, delete.

test_forbid_operations_on_federated_domain()[source]

Make sure one cannot operate on federated domain.

This includes operations like create, update, delete on domain identified by id and name where difference variations of id ‘Federated’ are used.

test_get_domain()[source]

Call GET /domains/{domain_id}.

test_get_project()[source]

Call GET /projects/{project_id}.

test_get_project_with_parents_as_ids()[source]

Call GET /projects/{project_id}?parents_as_ids.

test_get_project_with_parents_as_list_and_parents_as_ids()[source]

Attempt to list a project’s parents as both a list and as IDs.

This uses GET /projects/{project_id}?parents_as_list&parents_as_ids which should fail with a Bad Request due to the conflicting query strings.

test_get_project_with_parents_as_list_with_full_access()[source]

GET /projects/{project_id}?parents_as_list with full access.

Test plan:

  • Create ‘parent’, ‘project’ and ‘subproject’ projects;
  • Assign a user a role on each one of those projects;
  • Check that calling parents_as_list on ‘subproject’ returns both ‘project’ and ‘parent’.
test_get_project_with_parents_as_list_with_invalid_id()[source]

Call GET /projects/{project_id}?parents_as_list.

test_get_project_with_parents_as_list_with_partial_access()[source]

GET /projects/{project_id}?parents_as_list with partial access.

Test plan:

  • Create ‘parent’, ‘project’ and ‘subproject’ projects;
  • Assign a user a role on ‘parent’ and ‘subproject’;
  • Check that calling parents_as_list on ‘subproject’ only returns ‘parent’.
test_get_project_with_subtree_as_ids()[source]

Call GET /projects/{project_id}?subtree_as_ids.

This test creates a more complex hierarchy to test if the structured dictionary returned by using the subtree_as_ids query param correctly represents the hierarchy.

The hierarchy contains 5 projects with the following structure:

   +--A--+
   |     |
+--B--+  C
|     |
D     E
test_get_project_with_subtree_as_list_and_subtree_as_ids()[source]

Attempt to get a project subtree as both a list and as IDs.

This uses GET /projects/{project_id}?subtree_as_list&subtree_as_ids which should fail with a bad request due to the conflicting query strings.

test_get_project_with_subtree_as_list_with_full_access()[source]

GET /projects/{project_id}?subtree_as_list with full access.

Test plan:

  • Create ‘parent’, ‘project’ and ‘subproject’ projects;
  • Assign a user a role on each one of those projects;
  • Check that calling subtree_as_list on ‘parent’ returns both ‘parent’ and ‘subproject’.
test_get_project_with_subtree_as_list_with_invalid_id()[source]

Call GET /projects/{project_id}?subtree_as_list.

test_get_project_with_subtree_as_list_with_partial_access()[source]

GET /projects/{project_id}?subtree_as_list with partial access.

Test plan:

  • Create ‘parent’, ‘project’ and ‘subproject’ projects;
  • Assign a user a role on ‘parent’ and ‘subproject’;
  • Check that calling subtree_as_list on ‘parent’ returns ‘subproject’.
test_list_domains()[source]

Call GET /domains.

test_list_project_is_domain_filter()[source]

Call GET /projects?is_domain=True/False.

test_list_project_is_domain_filter_default()[source]

Default project list should not see projects acting as domains

test_list_projects()[source]

Call GET /projects.

test_list_projects_filtering_by_parent_id()[source]

Call GET /projects?parent_id={project_id}.

test_token_revoked_once_domain_disabled()[source]

Test token from a disabled domain has been invalidated.

Test that a token that was valid for an enabled domain becomes invalid once that domain is disabled.

test_update_domain()[source]

Call PATCH /domains/{domain_id}.

test_update_domain_unsafe()[source]

Call POST /domains/{domain_id} with unsafe names.

test_update_domain_unsafe_default()[source]

Check default for unsafe names for POST /domains.

test_update_domain_updates_is_domain_project()[source]

Check the project that acts as a domain is updated.

Call PATCH /domains.

test_update_project()[source]

Call PATCH /projects/{project_id}.

test_update_project_domain_id()[source]

Call PATCH /projects/{project_id} with domain_id.

test_update_project_is_domain_not_allowed()[source]

Call PATCH /projects/{project_id} with is_domain.

The is_domain flag is immutable.

test_update_project_parent_id()[source]

Call PATCH /projects/{project_id}.

test_update_project_unsafe()[source]

Call POST /projects/{project_id} with unsafe names.

test_update_project_unsafe_default()[source]

Check default for unsafe names for POST /projects.

class keystone.tests.unit.test_v3_resource.ResourceV3toV2MethodsTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Test domain V3 to V2 conversion methods.

test_v2controller_filter_domain()[source]
test_v2controller_filter_domain_id()[source]
test_v2controller_filter_project_parent_id()[source]
test_v3_to_v2_project_method()[source]
test_v3_to_v2_project_method_list()[source]
test_v3controller_filter_domain_id()[source]

keystone.tests.unit.test_v3_trust module

class keystone.tests.unit.test_v3_trust.TestTrustOperations(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_v3.RestfulTestCase

Test module for create, read, update and delete operations on trusts.

This module is specific to tests for trust CRUD operations. All other tests related to trusts that are authentication or authorization specific should live in in the keystone/tests/unit/test_v3_auth.py module.

setUp()[source]
test_create_trust_bad_request()[source]
test_create_trust_with_bad_remaining_uses_returns_bad_request()[source]
test_create_trust_with_non_existant_project_returns_not_found()[source]
test_create_trust_with_non_existant_role_id_returns_not_found()[source]
test_create_trust_with_non_existant_role_name_returns_not_found()[source]
test_create_trust_with_non_existant_trustee_returns_not_found()[source]
test_create_trust_with_trustee_as_trustor_returns_forbidden()[source]
test_create_trust_without_impersonation_returns_bad_request()[source]
test_create_trust_without_trustee_returns_bad_request()[source]
test_delete_trust()[source]
test_exercise_trust_scoped_token_with_impersonation()[source]
test_exercise_trust_scoped_token_without_impersonation()[source]
test_list_trusts()[source]
test_trust_crud()[source]
test_v3_v2_intermix_project_not_in_default_domain_failed()[source]
test_v3_v2_intermix_trustor_not_in_default_domain_failed()[source]
test_validate_trust_scoped_token_against_v2_returns_unauthorized()[source]

keystone.tests.unit.test_validation module

class keystone.tests.unit.test_validation.CredentialValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Credential API validation.

setUp()[source]
test_validate_credential_ec2_without_project_id_fails()[source]

Validate project_id is required for ec2.

Test that a SchemaValidationError is raised when type is ec2 and no project_id is provided in create request.

test_validate_credential_non_ec2_without_project_id_succeeds()[source]

Validate project_id is not required for non-ec2.

Test that create request without project_id succeeds for any non-ec2 credential.

test_validate_credential_succeeds()[source]

Test that we validate a credential request.

test_validate_credential_update_succeeds()[source]

Test that a credential request is properly validated.

test_validate_credential_update_with_extra_parameters_succeeds()[source]

Validate credential update with extra parameters.

test_validate_credential_update_without_parameters_fails()[source]

Exception is raised on update without parameters.

test_validate_credential_with_extra_parameters_succeeds()[source]

Validate create request with extra parameters.

test_validate_credential_with_project_id_succeeds()[source]

Test that credential request works for all types.

test_validate_credential_without_blob_fails()[source]

Exception raised without blob in create request.

test_validate_credential_without_type_fails()[source]

Exception raised without type in create request.

test_validate_credential_without_user_id_fails()[source]

Exception raised without user_id in create request.

class keystone.tests.unit.test_validation.DomainValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Domain API validation.

setUp()[source]
test_validate_domain_request()[source]

Make sure we successfully validate a create domain request.

test_validate_domain_request_with_enabled()[source]

Validate enabled as boolean-like values for domains.

test_validate_domain_request_with_invalid_description_fails()[source]

Exception is raised when description is a non-string value.

test_validate_domain_request_with_invalid_enabled_fails()[source]

Exception is raised when enabled isn’t a boolean-like value.

test_validate_domain_request_with_name_too_long()[source]

Exception is raised when name is too long.

test_validate_domain_request_with_name_too_short()[source]

Exception raised when name is too short.

test_validate_domain_request_with_valid_description()[source]

Test that we validate description in create domain requests.

test_validate_domain_request_without_name_fails()[source]

Make sure we raise an exception when name isn’t included.

test_validate_domain_update_request()[source]

Test that we validate a domain update request.

test_validate_domain_update_request_with_name_too_long_fails()[source]

Exception raised when updating a domain with name too long.

test_validate_domain_update_request_with_name_too_short_fails()[source]

Exception raised when updating a domain with name too short.

test_validate_domain_update_request_with_no_parameters_fails()[source]

Exception is raised when updating a domain without parameters.

class keystone.tests.unit.test_validation.EndpointGroupValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Endpoint Group API validation.

setUp()[source]
test_validate_create_endpoint_group_fails_with_invalid_filters()[source]

Validate invalid filters value in endpoint group parameters.

This test ensures that exception is raised when non-dict values is used as filters in endpoint group create request.

test_validate_endpoint_group_create_fails_without_filters()[source]

Exception raised when filters isn’t in endpoint group request.

test_validate_endpoint_group_create_fails_without_name()[source]

Exception raised when name isn’t in endpoint group request.

test_validate_endpoint_group_create_succeeds_with_req_parameters()[source]

Validate required endpoint group parameters.

This test ensure that validation succeeds with only the required parameters passed for creating an endpoint group.

test_validate_endpoint_group_create_succeeds_with_valid_filters()[source]

Validate filters in endpoint group create requests.

test_validate_endpoint_group_request_succeeds()[source]

Test that we validate an endpoint group request.

test_validate_endpoint_group_update_fails_with_invalid_filters()[source]

Exception raised when passing invalid filters in request.

test_validate_endpoint_group_update_fails_with_no_parameters()[source]

Exception raised when no parameters on endpoint group update.

test_validate_endpoint_group_update_request_succeeds()[source]

Test that we validate an endpoint group update request.

test_validate_endpoint_group_update_succeeds_with_name()[source]

Validate request with only name in endpoint group update.

This test ensures that passing only a name passes validation on update endpoint group request.

test_validate_endpoint_group_update_succeeds_with_valid_filters()[source]

Validate filters as dict values.

class keystone.tests.unit.test_validation.EndpointValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Endpoint API validation.

setUp()[source]
test_validate_create_endpoint_fails_with_invalid_enabled()[source]

Exception raised when boolean-like values as enabled.

test_validate_endpoint_create_fails_with_invalid_interface()[source]

Exception raised with invalid interface.

test_validate_endpoint_create_fails_with_invalid_region_id()[source]

Exception raised when passing invalid region(_id) in request.

test_validate_endpoint_create_fails_with_invalid_url()[source]

Exception raised when passing invalid url in request.

test_validate_endpoint_create_fails_without_interface()[source]

Exception raised when interface isn’t in endpoint request.

test_validate_endpoint_create_fails_without_service_id()[source]

Exception raised when service_id isn’t in endpoint request.

test_validate_endpoint_create_fails_without_url()[source]

Exception raised when url isn’t in endpoint request.

test_validate_endpoint_create_succeeds_with_extra_parameters()[source]

Test that extra parameters pass validation on create endpoint.

test_validate_endpoint_create_succeeds_with_required_parameters()[source]

Validate an endpoint request with only the required parameters.

test_validate_endpoint_create_succeeds_with_url()[source]

Validate url attribute in endpoint create request.

test_validate_endpoint_create_succeeds_with_valid_enabled()[source]

Validate an endpoint with boolean values.

Validate boolean values as enabled in endpoint create requests.

test_validate_endpoint_request_succeeds()[source]

Test that we validate an endpoint request.

test_validate_endpoint_update_fails_with_invalid_enabled()[source]

Exception raised when enabled is boolean-like value.

test_validate_endpoint_update_fails_with_invalid_interface()[source]

Exception raised when invalid interface on endpoint update.

test_validate_endpoint_update_fails_with_invalid_region_id()[source]

Exception raised when passing invalid region(_id) in request.

test_validate_endpoint_update_fails_with_invalid_url()[source]

Exception raised when passing invalid url in request.

test_validate_endpoint_update_fails_with_no_parameters()[source]

Exception raised when no parameters on endpoint update.

test_validate_endpoint_update_request_succeeds()[source]

Test that we validate an endpoint update request.

test_validate_endpoint_update_succeeds_with_extra_parameters()[source]

Test that extra parameters pass validation on update endpoint.

test_validate_endpoint_update_succeeds_with_url()[source]

Validate url attribute in endpoint update request.

test_validate_endpoint_update_succeeds_with_valid_enabled()[source]

Validate enabled as boolean values.

class keystone.tests.unit.test_validation.EntityValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

setUp()[source]
test_create_entity_with_all_valid_parameters_validates()[source]

Validate all parameter values against test schema.

test_create_entity_with_invalid_email_fails()[source]

Validate invalid email address.

Test that an exception is raised when validating improperly formatted email addresses.

test_create_entity_with_invalid_enabled_format_raises_exception()[source]

Validate invalid enabled formats.

Test that an exception is raised when passing invalid boolean-like values as enabled.

test_create_entity_with_invalid_id_strings()[source]

Exception raised when using invalid id strings.

test_create_entity_with_invalid_urls_fails()[source]

Test that an exception is raised when validating improper urls.

test_create_entity_with_name_too_long_raises_exception()[source]

Validate long names.

Validate that an exception is raised when validating a string of 255+ characters passed in as a name.

test_create_entity_with_name_too_short_raises_exception()[source]

Validate short names.

Test that an exception is raised when passing a string of length zero as a name parameter.

test_create_entity_with_null_id_string()[source]

Validate that None is an acceptable optional string type.

test_create_entity_with_null_string_succeeds()[source]

Exception raised when passing None on required id strings.

test_create_entity_with_only_required_valid_parameters_validates()[source]

Validate correct for only parameters values against test schema.

test_create_entity_with_unicode_name_validates()[source]

Test that we successfully validate a unicode string.

test_create_entity_with_valid_email_validates()[source]

Validate email address

Test that we successfully validate properly formatted email addresses.

test_create_entity_with_valid_enabled_formats_validates()[source]

Validate valid enabled formats.

Test that we have successful validation on boolean values for enabled.

test_create_entity_with_valid_id_strings()[source]

Validate acceptable id strings.

test_create_entity_with_valid_urls_validates()[source]

Test that proper urls are successfully validated.

test_update_entity_with_a_null_optional_parameter_validates()[source]

Optional parameters can be null to removed the value.

test_update_entity_with_a_required_null_parameter_fails()[source]

The name parameter can’t be null.

test_update_entity_with_a_valid_optional_parameter_validates()[source]

Succeeds with only a single valid optional parameter.

test_update_entity_with_a_valid_required_parameter_validates()[source]

Succeed if a valid required parameter is provided.

test_update_entity_with_all_parameters_valid_validates()[source]

Simulate updating an entity by ID.

test_update_entity_with_invalid_optional_parameter_fails()[source]

Fails when an optional parameter is invalid.

test_update_entity_with_invalid_required_parameter_fails()[source]

Fail if a provided required parameter is invalid.

test_update_entity_with_no_parameters_fails()[source]

At least one parameter needs to be present for an update.

class keystone.tests.unit.test_validation.FederationProtocolValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Federation Protocol API validation.

setUp()[source]
test_validate_protocol_request_fails_with_invalid_mapping_id()[source]

Exception raised when mapping_id is not string.

test_validate_protocol_request_fails_with_invalid_params()[source]

Exception raised when unknown parameter is found.

test_validate_protocol_request_no_parameters()[source]

Test that schema validation with empty request body.

test_validate_protocol_request_succeeds()[source]

Test that we validate a protocol request successfully.

test_validate_protocol_request_succeeds_with_nonuuid_mapping_id()[source]

Test that we allow underscore in mapping_id value.

class keystone.tests.unit.test_validation.GroupValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Group API validation.

setUp()[source]
test_validate_group_create_fails_when_group_name_is_too_short()[source]

Exception raised when group name is equal to zero.

test_validate_group_create_fails_without_group_name()[source]

Exception raised when group name is not provided in request.

test_validate_group_create_succeeds()[source]

Validate create group requests.

test_validate_group_create_succeeds_with_all_parameters()[source]

Validate create group requests with all parameters.

test_validate_group_create_succeeds_with_extra_parameters()[source]

Validate extra attributes on group create requests.

test_validate_group_update_fails_with_no_parameters()[source]

Exception raised when no parameters passed in on update.

test_validate_group_update_succeeds()[source]

Validate group update requests.

test_validate_group_update_succeeds_with_extra_parameters()[source]

Validate group update requests with extra parameters.

class keystone.tests.unit.test_validation.IdentityProviderValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Identity Provider API validation.

setUp()[source]
test_validate_idp_request_fails_with_invalid_params()[source]

Exception raised when unknown parameter is found.

test_validate_idp_request_no_parameters()[source]

Test that schema validation with empty request body.

test_validate_idp_request_remote_id_nullable()[source]

Test that remote_ids could be explicitly set to None

test_validate_idp_request_succeeds()[source]

Test that we validate an identity provider request.

test_validate_idp_request_with_duplicated_remote_id()[source]

Exception is raised when the duplicated remote_ids is found.

test_validate_idp_request_with_enabled()[source]

Validate enabled as boolean-like values.

test_validate_idp_request_with_invalid_description_fails()[source]

Exception is raised when description as a non-string value.

test_validate_idp_request_with_invalid_enabled_fails()[source]

Exception is raised when enabled isn’t a boolean-like value.

test_validate_idp_request_with_invalid_remote_id_fails()[source]

Exception is raised when remote_ids is not a array.

class keystone.tests.unit.test_validation.OAuth1ValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Identity OAuth1 API validation.

setUp()[source]
test_validate_consumer_request_succeeds()[source]

Test that we validate a consumer request successfully.

test_validate_consumer_request_with_invalid_description_fails()[source]

Exception is raised when description as a non-string value.

test_validate_consumer_request_with_no_parameters()[source]

Test that schema validation with empty request body.

test_validate_consumer_request_with_none_desc()[source]

Test that schema validation with None desc.

test_validate_update_consumer_request_fails_with_secret()[source]

Exception raised when secret is given.

class keystone.tests.unit.test_validation.PolicyValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Policy API validation.

setUp()[source]
test_validate_policy_create_with_extra_parameters_succeeds()[source]

Validate policy create with extra parameters.

test_validate_policy_create_with_invalid_type_fails()[source]

Exception raised when blob and type are boolean.

test_validate_policy_succeeds()[source]

Test that we validate a create policy request.

test_validate_policy_update_succeeds()[source]

Test that we validate a policy update request.

test_validate_policy_update_with_extra_parameters_succeeds()[source]

Validate policy update request with extra parameters.

test_validate_policy_update_with_invalid_type_fails()[source]

Exception raised when invalid type on policy update.

test_validate_policy_update_without_parameters_fails()[source]

Exception raised when updating policy without parameters.

test_validate_policy_without_blob_fails()[source]

Exception raised without blob in request.

test_validate_policy_without_type_fails()[source]

Exception raised without type in request.

class keystone.tests.unit.test_validation.ProjectValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Project API validation.

setUp()[source]
test_validate_project_create_request_with_valid_domain_id()[source]

Test that we validate domain_id in create project requests.

test_validate_project_request()[source]

Test that we validate a project with name in request.

test_validate_project_request_with_enabled()[source]

Validate enabled as boolean-like values for projects.

test_validate_project_request_with_invalid_description_fails()[source]

Exception is raised when description as a non-string value.

test_validate_project_request_with_invalid_domain_id_fails()[source]

Exception is raised when domain_id is a non-id value.

test_validate_project_request_with_invalid_enabled_fails()[source]

Exception is raised when enabled isn’t a boolean-like value.

test_validate_project_request_with_invalid_parent_id_fails()[source]

Exception is raised when parent_id as a non-id value.

test_validate_project_request_with_name_too_long()[source]

Exception is raised when name is too long.

test_validate_project_request_with_name_too_short()[source]

Exception raised when name is too short.

test_validate_project_request_with_valid_description()[source]

Test that we validate description in create project requests.

test_validate_project_request_with_valid_parent_id()[source]

Test that we validate parent_id in create project requests.

test_validate_project_request_without_name_fails()[source]

Validate project request fails without name.

test_validate_project_update_request()[source]

Test that we validate a project update request.

test_validate_project_update_request_with_name_too_long_fails()[source]

Exception raised when updating a project with name too long.

test_validate_project_update_request_with_name_too_short_fails()[source]

Exception raised when updating a project with name too short.

test_validate_project_update_request_with_no_parameters_fails()[source]

Exception is raised when updating project without parameters.

class keystone.tests.unit.test_validation.RegionValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Region API validation.

setUp()[source]
test_validate_region_create_fails_with_invalid_region_id()[source]

Exception raised when passing invalid id in request.

test_validate_region_create_request_with_parameters()[source]

Test that we validate a region request with parameters.

test_validate_region_create_succeeds_with_extra_parameters()[source]

Validate create region request with extra values.

test_validate_region_create_succeeds_with_no_parameters()[source]

Validate create region request with no parameters.

test_validate_region_create_with_uuid()[source]

Test that we validate a region request with a UUID as the id.

test_validate_region_request()[source]

Test that we validate a basic region request.

test_validate_region_update_fails_with_no_parameters()[source]

Exception raised when passing no parameters in a region update.

test_validate_region_update_succeeds()[source]

Test that we validate a region update request.

test_validate_region_update_succeeds_with_extra_parameters()[source]

Validate extra attributes in the region update request.

class keystone.tests.unit.test_validation.RoleValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Role API validation.

setUp()[source]
test_validate_role_create_when_name_is_not_string_fails()[source]

Exception is raised on role create with a non-string name.

test_validate_role_create_without_name_raises_exception()[source]

Test that we raise an exception when name isn’t included.

test_validate_role_request()[source]

Test we can successfully validate a create role request.

test_validate_role_update_fails_with_invalid_name_fails()[source]

Exception when validating an update request with invalid name.

test_validate_role_update_request()[source]

Test that we validate a role update request.

class keystone.tests.unit.test_validation.ServiceProviderValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Service Provider API validation.

setUp()[source]
test_validate_sp_request()[source]

Test that we validate auth_url and sp_url in request.

test_validate_sp_request_with_enabled()[source]

Validate enabled as boolean-like values.

test_validate_sp_request_with_extra_field_fails()[source]

Exception raised when passing extra fields in the body.

test_validate_sp_request_with_invalid_auth_url_fails()[source]

Validate request fails with invalid auth_url.

test_validate_sp_request_with_invalid_description_fails()[source]

Exception is raised when description as a non-string value.

test_validate_sp_request_with_invalid_enabled_fails()[source]

Exception is raised when enabled isn’t a boolean-like value.

test_validate_sp_request_with_invalid_sp_url_fails()[source]

Validate request fails with invalid sp_url.

test_validate_sp_request_with_valid_description()[source]

Test that we validate description in create requests.

test_validate_sp_request_without_auth_url_fails()[source]

Validate request fails without auth_url.

test_validate_sp_request_without_sp_url_fails()[source]

Validate request fails without sp_url.

test_validate_sp_update_request()[source]

Test that we validate a update request.

test_validate_sp_update_request_with_invalid_auth_url_fails()[source]

Exception raised when updating with invalid auth_url.

test_validate_sp_update_request_with_invalid_sp_url_fails()[source]

Exception raised when updating with invalid sp_url.

test_validate_sp_update_request_with_no_parameters_fails()[source]

Exception is raised when updating without parameters.

class keystone.tests.unit.test_validation.ServiceValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Service API validation.

setUp()[source]
test_validate_service_create_fails_when_name_too_long()[source]

Exception raised when name is greater than 255 characters.

test_validate_service_create_fails_when_name_too_short()[source]

Exception is raised when name is too short.

test_validate_service_create_fails_when_type_too_long()[source]

Exception is raised when type is too long.

test_validate_service_create_fails_when_type_too_short()[source]

Exception is raised when type is too short.

test_validate_service_create_fails_with_invalid_enabled()[source]

Exception raised when boolean-like parameters as enabled

On service create, make sure an exception is raised if enabled is not a boolean value.

test_validate_service_create_fails_without_type()[source]

Exception raised when trying to create a service without type.

test_validate_service_create_succeeds()[source]

Test that we validate a service create request.

test_validate_service_create_succeeds_with_extra_parameters()[source]

Test that extra parameters pass validation on create service.

test_validate_service_create_succeeds_with_required_parameters()[source]

Validate a service create request with the required parameters.

test_validate_service_create_succeeds_with_valid_enabled()[source]

Validate boolean values as enabled values on service create.

test_validate_service_update_fails_with_invalid_enabled()[source]

Exception raised when boolean-like values as enabled.

test_validate_service_update_fails_with_name_too_long()[source]

Exception is raised when name is too long on update.

test_validate_service_update_fails_with_name_too_short()[source]

Exception is raised when name is too short on update.

test_validate_service_update_fails_with_no_parameters()[source]

Exception raised when updating a service without values.

test_validate_service_update_fails_with_type_too_long()[source]

Exception is raised when type is too long on update.

test_validate_service_update_fails_with_type_too_short()[source]

Exception is raised when type is too short on update.

test_validate_service_update_request_succeeds()[source]

Test that we validate a service update request.

test_validate_service_update_succeeds_with_extra_parameters()[source]

Validate updating a service with extra parameters.

test_validate_service_update_succeeds_with_valid_enabled()[source]

Validate boolean formats as enabled on service update.

class keystone.tests.unit.test_validation.TrustValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 Trust API validation.

setUp()[source]
test_validate_trust_succeeds()[source]

Test that we can validate a trust request.

test_validate_trust_with_all_parameters_succeeds()[source]

Test that we can validate a trust request with all parameters.

test_validate_trust_with_extra_parameters_succeeds()[source]

Test that we can validate a trust request with extra parameters.

test_validate_trust_with_invalid_expires_at_fails()[source]

Validate trust request with invalid expires_at fails.

test_validate_trust_with_invalid_impersonation_fails()[source]

Validate trust request with invalid impersonation fails.

test_validate_trust_with_invalid_role_type_fails()[source]

Validate trust request with invalid roles fails.

test_validate_trust_with_list_of_valid_roles_succeeds()[source]

Validate trust request with a list of valid roles.

test_validate_trust_with_null_remaining_uses_succeeds()[source]

Validate trust request with null remaining_uses.

test_validate_trust_with_period_in_user_id_string()[source]

Validate trust request with a period in the user id string.

test_validate_trust_with_remaining_uses_succeeds()[source]

Validate trust request with remaining_uses succeeds.

test_validate_trust_with_role_types_succeeds()[source]

Validate trust request with roles succeeds.

test_validate_trust_without_impersonation_fails()[source]

Validate trust request fails without impersonation.

test_validate_trust_without_trustee_id_fails()[source]

Validate trust request fails without trustee_id.

test_validate_trust_without_trustor_id_fails()[source]

Validate trust request fails without trustor_id.

class keystone.tests.unit.test_validation.UserValidationTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

Test for V3 User API validation.

setUp()[source]
test_validate_user_create_fails_with_invalid_enabled_formats()[source]

Exception raised when enabled is not an acceptable format.

test_validate_user_create_fails_with_invalid_password_type()[source]

Exception raised when user password is of the wrong type.

test_validate_user_create_fails_with_name_of_wrong_type()[source]

Exception raised when validating a username of wrong type.

test_validate_user_create_fails_with_name_of_zero_length()[source]

Exception raised when validating a username with length of zero.

test_validate_user_create_fails_without_name()[source]

Exception raised when validating a user without name.

test_validate_user_create_request_succeeds()[source]

Test that validating a user create request succeeds.

test_validate_user_create_succeeds_with_extra_attributes()[source]

Validate extra parameters on user create requests.

test_validate_user_create_succeeds_with_null_description()[source]

Validate that description can be nullable on create user.

test_validate_user_create_succeeds_with_null_password()[source]

Validate that password is nullable on create user.

test_validate_user_create_succeeds_with_password_of_zero_length()[source]

Validate empty password on user create requests.

test_validate_user_create_succeeds_with_valid_enabled_formats()[source]

Validate acceptable enabled formats in create user requests.

test_validate_user_create_with_all_valid_parameters_succeeds()[source]

Test that validating a user create request succeeds.

test_validate_user_update_fails_with_no_parameters()[source]

Exception raised when updating nothing.

test_validate_user_update_succeeds()[source]

Validate an update user request.

test_validate_user_update_succeeds_with_extra_parameters()[source]

Validate user update requests with extra parameters.

class keystone.tests.unit.test_validation.ValidatedDecoratorTests(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.BaseTestCase

create_entity(*args, **kwargs)[source]

Used to test cases where validated param is the only param.

create_entity_optional_body(*args, **kwargs)[source]

Used to test cases where there is an optional body.

entity_schema = {'required': ['name'], 'type': 'object', 'properties': {'name': {'minLength': 1, 'type': 'string', 'maxLength': 255}}}
invalid_entity = {'name': 1.0}
test_calling_create_with_empty_entity_arg_succeeds()[source]

Test the case when client passing in an empty entity reference.

test_calling_create_with_empty_entity_kwarg_succeeds()[source]

Test the case when client passing in an empty kwarg reference.

test_calling_create_with_entity_arg_as_None_fails(*args, **kwargs)[source]
test_calling_create_with_invalid_entity_fails(*args, **kwargs)[source]
test_calling_create_with_kwarg_as_None_fails(*args, **kwargs)[source]
test_calling_create_with_valid_entity_arg_succeeds()[source]
test_calling_create_with_valid_entity_kwarg_succeeds()[source]
test_calling_create_without_an_entity_fails(*args, **kwargs)[source]
test_calling_update_with_empty_entity_kwarg_succeeds()[source]

Test the case when client passing in an empty entity reference.

test_calling_update_with_invalid_entity_fails(*args, **kwargs)[source]
test_calling_update_with_valid_entity_succeeds()[source]
test_using_the_wrong_name_with_the_decorator_fails()[source]
update_entity(*args, **kwargs)[source]

Used to test cases where validated param is not the only param.

valid_entity = {'name': 'de84047e91dd452cb7bb0af964fdb1b9'}
keystone.tests.unit.test_validation.expected_validation_failure(msg)[source]

keystone.tests.unit.test_versions module

class keystone.tests.unit.test_versions.TestClient(app=None, token=None)[source]

Bases: object

get(path, headers=None)[source]
post(path, headers=None, body=None)[source]
put(path, headers=None, body=None)[source]
request(method, path, headers=None, body=None)[source]
class keystone.tests.unit.test_versions.VersionBehindSslTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

config_overrides()[source]
setUp()[source]
test_versions_with_header()[source]
test_versions_without_headers()[source]
class keystone.tests.unit.test_versions.VersionSingleAppTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

Tests running with a single application loaded.

These are important because when Keystone is running in Apache httpd there’s only one application loaded for each instance.

config_overrides()[source]
setUp()[source]
test_admin()[source]
test_public()[source]
class keystone.tests.unit.test_versions.VersionTestCase(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

config_overrides()[source]
setUp()[source]
test_accept_type_handling()[source]
test_admin_version_v2()[source]
test_admin_version_v3(*args, **kwargs)[source]
test_admin_versions()[source]
test_extension_property_method_returns_none()[source]
test_json_home_root()[source]
test_json_home_v3()[source]
test_no_json_home_document_returned_when_v3_disabled(*args, **keywargs)[source]
test_public_version_v2()[source]
test_public_version_v3()[source]
test_public_versions()[source]
test_use_site_url_if_endpoint_unset()[source]
test_use_site_url_if_endpoint_unset_v2()[source]
test_use_site_url_if_endpoint_unset_v3()[source]
test_v2_disabled(*args, **keywargs)[source]
test_v3_disabled(*args, **keywargs)[source]

keystone.tests.unit.test_wsgi module

class keystone.tests.unit.test_wsgi.ApplicationTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_wsgi.BaseWSGITest

test_application_local_config()[source]
test_attribute_missing_from_request()[source]
test_base_url()[source]
test_headers_available()[source]
test_improperly_encoded_params()[source]
test_no_required_attributes_present()[source]
test_properly_encoded_params()[source]
test_query_string_available()[source]
test_render_exception()[source]
test_render_exception_host()[source]
test_render_response()[source]
test_render_response_custom_headers()[source]
test_render_response_custom_status()[source]
test_render_response_head_with_body()[source]
test_render_response_no_body()[source]
test_render_response_non_str_headers_converted()[source]
test_require_attribute_fail_if_attribute_not_present()[source]
test_response_content_type()[source]
test_successful_require_attribute()[source]
test_successful_require_multiple_attributes()[source]
class keystone.tests.unit.test_wsgi.BaseWSGITest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
class keystone.tests.unit.test_wsgi.ExtensionRouterTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_wsgi.BaseWSGITest

test_extensionrouter_local_config()[source]
class keystone.tests.unit.test_wsgi.FakeApp(*args, **kwargs)[source]

Bases: keystone.common.wsgi.Application

index(context)[source]
class keystone.tests.unit.test_wsgi.FakeAttributeCheckerApp(*args, **kwargs)[source]

Bases: keystone.common.wsgi.Application

assert_attribute(body, attr)[source]

Asserts that the given request has a certain attribute.

assert_attributes(body, attr)[source]

Asserts that the given request has a certain set attributes.

index(context)[source]
class keystone.tests.unit.test_wsgi.LocalizedResponseTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

test_get_localized_response(*args, **keywargs)[source]
test_request_match_default()[source]
test_request_match_language_expected(*args, **keywargs)[source]
test_request_match_language_unexpected(*args, **keywargs)[source]
test_static_translated_string_is_lazy_translatable()[source]
class keystone.tests.unit.test_wsgi.MiddlewareTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.test_wsgi.BaseWSGITest

test_middleware_bad_request()[source]
test_middleware_exception_error()[source]
test_middleware_request()[source]
test_middleware_response()[source]
test_middleware_type_error()[source]
class keystone.tests.unit.test_wsgi.RouterTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_invalid_status()[source]
class keystone.tests.unit.test_wsgi.ServerTest(*args, **kwargs)[source]

Bases: keystone.tests.unit.core.TestCase

setUp()[source]
test_client_socket_timeout()[source]
test_keepalive_and_keepidle_set(*args, **keywargs)[source]
test_keepalive_set(*args, **keywargs)[source]
test_keepalive_unset(*args, **keywargs)[source]
test_wsgi_keep_alive()[source]

keystone.tests.unit.utils module

Useful utilities for tests.

keystone.tests.unit.utils.new_uuid()[source]

Return a string UUID.

keystone.tests.unit.utils.timezone(func)[source]
keystone.tests.unit.utils.wip(message)[source]

Mark a test as work in progress.

Based on code by Nat Pryce: https://gist.github.com/npryce/997195#file-wip-py

The test will always be run. If the test fails then a TestSkipped exception is raised. If the test passes an AssertionError exception is raised so that the developer knows they made the test pass. This is a reminder to remove the decorator.

Parameters:message – a string message to help clarify why the test is marked as a work in progress
usage:
>>> @wip('waiting on bug #000000')
>>> def test():
>>>     pass

Module contents

Table Of Contents

Previous topic

keystone.tests.hacking package

Next topic

keystone.tests.unit.assignment package

Project Source

This Page