keystone.tests.unit package¶
Subpackages¶
- keystone.tests.unit.assignment package
- keystone.tests.unit.auth package
- keystone.tests.unit.backend package
- Subpackages
- keystone.tests.unit.backend.legacy_drivers package
- Submodules
- keystone.tests.unit.backend.core_ldap module
- keystone.tests.unit.backend.core_sql module
- Module contents
- Subpackages
- keystone.tests.unit.catalog package
- keystone.tests.unit.common package
- Submodules
- keystone.tests.unit.common.test_authorization module
- keystone.tests.unit.common.test_cache module
- keystone.tests.unit.common.test_injection module
- keystone.tests.unit.common.test_json_home module
- keystone.tests.unit.common.test_manager module
- keystone.tests.unit.common.test_notifications module
- keystone.tests.unit.common.test_sql_core module
- keystone.tests.unit.common.test_utils module
- Module contents
- keystone.tests.unit.contrib package
- keystone.tests.unit.credential package
- keystone.tests.unit.external package
- keystone.tests.unit.identity package
- keystone.tests.unit.ksfixtures package
- Submodules
- keystone.tests.unit.ksfixtures.auth_plugins module
- keystone.tests.unit.ksfixtures.backendloader module
- keystone.tests.unit.ksfixtures.cache module
- keystone.tests.unit.ksfixtures.database module
- keystone.tests.unit.ksfixtures.hacking module
- keystone.tests.unit.ksfixtures.key_repository module
- keystone.tests.unit.ksfixtures.ldapdb module
- keystone.tests.unit.ksfixtures.policy module
- keystone.tests.unit.ksfixtures.temporaryfile module
- Module contents
- keystone.tests.unit.policy package
- keystone.tests.unit.resource package
- keystone.tests.unit.schema package
- keystone.tests.unit.tests package
- keystone.tests.unit.token package
- Submodules
- keystone.tests.unit.token.test_backends module
- keystone.tests.unit.token.test_fernet_provider module
- keystone.tests.unit.token.test_pki_provider module
- keystone.tests.unit.token.test_pkiz_provider module
- keystone.tests.unit.token.test_provider module
- keystone.tests.unit.token.test_token_data_helper module
- keystone.tests.unit.token.test_token_model module
- keystone.tests.unit.token.test_uuid_provider module
- Module contents
- keystone.tests.unit.trust package
Submodules¶
keystone.tests.unit.core module¶
-
class
keystone.tests.unit.core.BaseTestCase(*args, **kwargs)[source]¶ Bases:
testtools.testcase.TestCaseLight weight base test class.
This is a placeholder that will eventually go away once the setup/teardown in TestCase is properly trimmed down to the bare essentials. This is really just a play to speed up the tests by eliminating unnecessary work.
-
class
keystone.tests.unit.core.SQLDriverOverrides[source]¶ Bases:
objectA mixin for consolidating sql-specific test overrides.
-
use_specific_sql_driver_version(driver_path, versionless_backend, version_suffix)[source]¶ Add this versioned driver to the list that will be loaded.
Parameters: - driver_path – The path to the drivers, e.g. ‘keystone.assignment’
- versionless_backend – The name of the versionless drivers, e.g. ‘backends’
- version_suffix – The suffix for the version , e.g.
V8_
This method assumes that versioned drivers are named: <version_suffix><name of versionless driver>, e.g. ‘V8_backends’.
-
-
class
keystone.tests.unit.core.TestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase-
assertCloseEnoughForGovernmentWork(a, b, delta=3)[source]¶ Assert that two datetimes are nearly equal within a small delta.
Parameters: delta – Maximum allowable time delta, defined in seconds.
-
assertRaisesRegexp(expected_exception, expected_regexp, callable_obj, *args, **kwargs)[source]¶ Assert that the message in a raised exception matches a regexp.
-
ipv6_enabled¶
-
-
keystone.tests.unit.core.create_user(api, domain_id, **kwargs)[source]¶ Create a user via the API. Keep the created password.
The password is saved and restored when api.create_user() is called. Only use this routine if there is a requirement for the user object to have a valid password after api.create_user() is called.
-
keystone.tests.unit.core.new_cert_credential(user_id, project_id=None, blob=None, **kwargs)[source]¶
-
keystone.tests.unit.core.new_credential_ref(user_id, project_id=None, type='cert', **kwargs)[source]¶
-
keystone.tests.unit.core.new_endpoint_ref(service_id, interface='public', region_id=<object object>, **kwargs)[source]¶
-
keystone.tests.unit.core.new_endpoint_ref_with_region(service_id, region, interface='public', **kwargs)[source]¶ Define an endpoint_ref having a pre-3.2 form.
Contains the deprecated ‘region’ instead of ‘region_id’.
-
keystone.tests.unit.core.new_trust_ref(trustor_user_id, trustee_user_id, project_id=None, impersonation=None, expires=None, role_ids=None, role_names=None, remaining_uses=None, allow_redelegation=False, redelegation_count=None, **kwargs)[source]¶
-
keystone.tests.unit.core.skip_if_cache_disabled(*sections)[source]¶ Skip a test if caching is disabled, this is a decorator.
Caching can be disabled either globally or for a specific section.
In the code fragment:
@skip_if_cache_is_disabled('assignment', 'token') def test_method(*args): ...
The method test_method would be skipped if caching is disabled globally via the enabled option in the cache section of the configuration or if the caching option is set to false in either assignment or token sections of the configuration. This decorator can be used with no arguments to only check global caching.
If a specified configuration section does not define the caching option, this decorator makes the same assumption as the should_cache_fn in keystone.common.cache that caching should be enabled.
keystone.tests.unit.default_fixtures module¶
keystone.tests.unit.fakeldap module¶
Fake LDAP server for test harness.
This class does very little error checking, and knows nothing about ldap class definitions. It implements the minimum emulation of the python ldap library to work with keystone.
-
class
keystone.tests.unit.fakeldap.FakeLdap(conn=None)[source]¶ Bases:
keystone.identity.backends.ldap.common.LDAPHandlerEmulate the python-ldap API.
The python-ldap API requires all strings to be UTF-8 encoded. This is assured by the caller of this interface (i.e. KeystoneLDAPHandler).
However, internally this emulation MUST process and store strings in a canonical form which permits operations on characters. Encoded strings do not provide the ability to operate on characters. Therefore this emulation accepts UTF-8 encoded strings, decodes them to unicode for operations internal to this emulation, and encodes them back to UTF-8 when returning values from the emulation.
-
connect(url, page_size=0, alias_dereferencing=None, use_tls=False, tls_cacertfile=None, tls_cacertdir=None, tls_req_cert='demand', chase_referrals=None, debug_level=None, use_pool=None, pool_size=None, pool_retry_max=None, pool_retry_delay=None, pool_conn_timeout=None, pool_conn_lifetime=None)[source]¶
-
modify_s(dn, modlist)[source]¶ Modify the object at dn using the attribute list.
Parameters: - dn – an LDAP DN
- modlist – a list of tuples in the following form: ([MOD_ADD | MOD_DELETE | MOD_REPACE], attribute, value)
-
result3(msgid=-1, all=1, timeout=None, resp_ctrl_classes=None)[source]¶ Execute async request.
Only msgid param is supported. Request info is fetched from global variable PendingRequests by msgid, executed using search_s and limited if requested.
-
search_ext(base, scope, filterstr='(objectClass=*)', attrlist=None, attrsonly=0, serverctrls=None, clientctrls=None, timeout=-1, sizelimit=0)[source]¶
-
search_s(base, scope, filterstr='(objectClass=*)', attrlist=None, attrsonly=0)[source]¶ Search for all matching objects under base using the query.
Args: base – dn to search under scope – search scope (base, subtree, onelevel) filterstr – filter objects by attrlist – attrs to return. Returns all attrs if not specified
-
-
class
keystone.tests.unit.fakeldap.FakeLdapNoSubtreeDelete(conn=None)[source]¶ Bases:
keystone.tests.unit.fakeldap.FakeLdapFakeLdap subclass that does not support subtree delete.
Same as FakeLdap except delete will throw the LDAP error ldap.NOT_ALLOWED_ON_NONLEAF if there is an attempt to delete an entry that has children.
-
class
keystone.tests.unit.fakeldap.FakeLdapPool(uri, retry_max=None, retry_delay=None, conn=None)[source]¶ Bases:
keystone.tests.unit.fakeldap.FakeLdapEmulate the python-ldap API with pooled connections.
This class is used as connector class in PooledLDAPHandler.
keystone.tests.unit.federation_fixtures module¶
keystone.tests.unit.filtering module¶
keystone.tests.unit.identity_mapping module¶
keystone.tests.unit.mapping_fixtures module¶
Fixtures for Federation Mapping.
keystone.tests.unit.rest module¶
-
class
keystone.tests.unit.rest.RestfulTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCasePerforms restful tests against the WSGI app over HTTP.
This class launches public & admin WSGI servers for every test, which can be accessed by calling
public_request()oradmin_request(), respectfully.restful_request()andrequest()methods are also exposed if you need to bypass restful conventions or access HTTP details in your test implementation.Three new asserts are provided:
assertResponseSuccessful: called automatically for every requestunless an
expected_statusis provided
assertResponseStatus: called instead ofassertResponseSuccessful,if an
expected_statusis provided
assertValidResponseHeaders: validates that the response headersappear as expected
Requests are automatically serialized according to the defined
content_type. Responses are automatically deserialized as well, and available in theresponse.bodyattribute. The original body content is available in theresponse.rawattribute.-
assertResponseStatus(response, expected_status)[source]¶ Assert a specific status code on the response.
Parameters: - response –
httplib.HTTPResponse - expected_status – The specific
statusresult expected
example:
self.assertResponseStatus(response, http_client.NO_CONTENT)
- response –
-
assertResponseSuccessful(response)[source]¶ Assert that a status code lies inside the 2xx range.
Parameters: response – httplib.HTTPResponseto be verified to have a status code between 200 and 299.example:
self.assertResponseSuccessful(response)
-
assertValidErrorResponse(response, expected_status=400)[source]¶ Verify that the error response is valid.
Subclasses can override this function based on the expected response.
-
content_type= 'json'¶
-
get_scoped_token(tenant_id=None)[source]¶ Convenience method so that we can test authenticated requests.
keystone.tests.unit.test_associate_project_endpoint_extension module¶
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterCRUDTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase-
test_check_endpoint_project_association()[source]¶ HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid project and endpoint id test case.
-
test_check_endpoint_project_association_with_invalid_endpoint()[source]¶ HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid endpoint id test case.
-
test_check_endpoint_project_association_with_invalid_project()[source]¶ HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid project id test case.
-
test_create_endpoint_project_association()[source]¶ PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid endpoint and project id test case.
-
test_create_endpoint_project_association_with_invalid_endpoint()[source]¶ PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid endpoint id test case.
-
test_create_endpoint_project_association_with_invalid_project()[source]¶ PUT OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Invalid project id test case.
-
test_create_endpoint_project_association_with_unexpected_body()[source]¶ PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Unexpected body in request. The body should be ignored.
-
test_list_endpoints_associated_with_invalid_project()[source]¶ GET /OS-EP-FILTER/projects/{project_id}/endpoints.
Invalid project id test case.
-
test_list_endpoints_associated_with_valid_project()[source]¶ GET /OS-EP-FILTER/projects/{project_id}/endpoints.
Valid project and endpoint id test case.
-
test_list_projects_associated_with_endpoint()[source]¶ GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Valid endpoint-project association test case.
-
test_list_projects_associated_with_invalid_endpoint()[source]¶ GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Invalid endpoint id test case.
-
test_list_projects_with_no_endpoint_project_association()[source]¶ GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects.
Valid endpoint id but no endpoint-project associations test case.
-
test_remove_endpoint_project_association()[source]¶ DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}.
Valid project id and endpoint id test case.
-
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterDeprecateTestCase(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTokenRequestTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase-
test_default_scoped_token_using_endpoint_filter()[source]¶ Verify endpoints from default scoped token filtered.
-
test_invalid_endpoint_project_association()[source]¶ Verify an invalid endpoint-project association is handled.
-
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointGroupCRUDTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase-
DEFAULT_ENDPOINT_GROUP_BODY= {'endpoint_group': {'description': 'endpoint group description', 'filters': {'interface': 'admin'}, 'name': 'endpoint_group_name'}}¶
-
DEFAULT_ENDPOINT_GROUP_URL= '/OS-EP-FILTER/endpoint_groups'¶
-
test_add_endpoint_group_to_project()[source]¶ Create a valid endpoint group and project association.
-
test_add_endpoint_group_to_project_with_invalid_project_id()[source]¶ Create an invalid endpoint group and project association.
-
test_check_endpoint_group()[source]¶ HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}.
Valid endpoint_group_id test case.
-
test_check_endpoint_group_to_project()[source]¶ Test HEAD with a valid endpoint group and project association.
-
test_check_endpoint_group_to_project_with_invalid_project_id()[source]¶ Test HEAD with an invalid endpoint group and project association.
-
test_check_invalid_endpoint_group()[source]¶ HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}.
Invalid endpoint_group_id test case.
-
test_create_endpoint_group()[source]¶ POST /OS-EP-FILTER/endpoint_groups.
Valid endpoint group test case.
-
test_create_invalid_endpoint_group()[source]¶ POST /OS-EP-FILTER/endpoint_groups.
Invalid endpoint group creation test case.
-
test_delete_endpoint_group()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group test case.
-
test_delete_invalid_endpoint_group()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Invalid endpoint group test case.
-
test_empty_endpoint_groups_in_project()[source]¶ Test when no endpoint groups associated with the project.
-
test_get_endpoint_group()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group test case.
-
test_get_invalid_endpoint_group()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Invalid endpoint group test case.
-
test_get_invalid_endpoint_group_in_project()[source]¶ Test retrieving project endpoint group association.
-
test_list_endpoint_groups_in_project()[source]¶ GET /OS-EP-FILTER/projects/{project_id}/endpoint_groups.
-
test_list_endpoints_associated_with_endpoint_group()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}/endpoints.
Valid endpoint group test case.
-
test_list_endpoints_associated_with_project_endpoint_group()[source]¶ GET /OS-EP-FILTER/projects/{project_id}/endpoints.
Valid project, endpoint id, and endpoint group test case.
-
test_list_projects_associated_with_endpoint_group()[source]¶ GET /OS-EP-FILTER/endpoint_groups/{endpoint_group}/projects.
Valid endpoint group test case.
-
test_patch_endpoint_group()[source]¶ PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group patch test case.
-
test_patch_invalid_endpoint_group()[source]¶ PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group}.
Valid endpoint group patch test case.
-
-
class
keystone.tests.unit.test_associate_project_endpoint_extension.JsonHomeTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_associate_project_endpoint_extension.EndpointFilterTestCase,keystone.tests.unit.test_v3.JsonHomeTestMixin-
JSON_HOME_DATA= {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects': {'href-template': '/OS-EP-FILTER/endpoints/{endpoint_id}/projects', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_to_project_association': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id', 'project_id': 'http://docs.openstack.org/api/openstack-identity/3/param/project_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups': {'href-template': '/OS-EP-FILTER/projects/{project_id}/endpoint_groups', 'href-vars': {'project_id': 'http://docs.openstack.org/api/openstack-identity/3/param/project_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoints_in_endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/projects_associated_with_endpoint_group': {'href-template': '/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects', 'href-vars': {'endpoint_group_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/param/endpoint_group_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups': {'href': '/OS-EP-FILTER/endpoint_groups'}}¶
-
keystone.tests.unit.test_auth module¶
-
class
keystone.tests.unit.test_auth.AuthBadRequests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthTest-
test_authenticate_blank_request_body()[source]¶ Verify sending empty json dict raises the right exception.
-
test_authenticate_fails_if_project_unsafe()[source]¶ Verify authenticate to a project with unsafe name fails.
-
test_authenticate_invalid_auth_content()[source]¶ Verify sending invalid ‘auth’ raises the right exception.
-
test_authenticate_password_too_large()[source]¶ Verify sending large ‘password’ raises the right exception.
-
test_authenticate_tenant_id_too_large()[source]¶ Verify sending large ‘tenantId’ raises the right exception.
-
test_authenticate_tenant_name_too_large()[source]¶ Verify sending large ‘tenantName’ raises the right exception.
-
test_authenticate_token_too_large()[source]¶ Verify sending large ‘token’ raises the right exception.
-
test_authenticate_user_id_too_large()[source]¶ Verify sending large ‘userId’ raises the right exception.
-
test_authenticate_username_too_large()[source]¶ Verify sending large ‘username’ raises the right exception.
-
test_empty_username_and_userid_in_auth()[source]¶ Verify that empty username and userID raises ValidationError.
-
-
class
keystone.tests.unit.test_auth.AuthCatalog(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.test_auth.AuthTestTest for the catalog provided in the auth response.
-
class
keystone.tests.unit.test_auth.AuthTest(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_auth.AuthWithPasswordCredentials(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_auth.AuthWithRemoteUser[source]¶ Bases:
object
-
class
keystone.tests.unit.test_auth.AuthWithToken[source]¶ Bases:
object-
test_auth_scoped_token_bad_project_with_debug()[source]¶ Authenticating with an invalid project fails.
-
test_auth_scoped_token_bad_project_without_debug()[source]¶ Authenticating with an invalid project fails.
-
test_auth_unscoped_token_no_project()[source]¶ Verify getting an unscoped token with an unscoped token.
-
-
class
keystone.tests.unit.test_auth.AuthWithTrust[source]¶ Bases:
object-
test_create_trust_without_project_id()[source]¶ Verify that trust can be created without project id.
Also, token can be generated with that trust.
-
test_trust_get_token_fails_with_future_token_if_trustee_disabled()[source]¶ Test disabling trustee and using an unrevoked token.
This test simulates what happens when a token is generated after the disable event. Technically this should not happen, but it’s possible in a multinode deployment with only a slight clock skew.
-
-
class
keystone.tests.unit.test_auth.FernetAuthWithRemoteUser(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithRemoteUser,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.FernetAuthWithToken(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithToken,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.FernetAuthWithTrust(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithTrust,keystone.tests.unit.test_auth.AuthTest-
test_trust_get_token_fails_with_future_token_if_trustee_disabled()[source]¶ Test disabling trustee and using an unrevoked token.
This test simulates what happens when a Fernet token is generated after the disable event. Technically this should not happen, but it’s possible in a multinode deployment with only a slight clock skew.
-
-
class
keystone.tests.unit.test_auth.PKIAuthWithRemoteUser(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithRemoteUser,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.PKIAuthWithToken(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithToken,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.PKIZAuthWithRemoteUser(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithRemoteUser,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.PKIZAuthWithToken(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithToken,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.UUIDAuthWithRemoteUser(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithRemoteUser,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.UUIDAuthWithToken(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithToken,keystone.tests.unit.test_auth.AuthTest
-
class
keystone.tests.unit.test_auth.UUIDAuthWithTrust(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_auth.AuthWithTrust,keystone.tests.unit.test_auth.AuthTest
keystone.tests.unit.test_auth_plugin module¶
-
class
keystone.tests.unit.test_auth_plugin.TestAuthPlugin(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.core.TestCase
keystone.tests.unit.test_backend_endpoint_policy module¶
-
class
keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests[source]¶ Bases:
object-
load_sample_data()[source]¶ Create sample data to test policy associations.
The following data is created:
- 3 regions, in a hierarchy, 0 -> 1 -> 2 (where 0 is top)
- 3 services
- 6 endpoints, 2 in each region, with a mixture of services: 0 - region 0, Service 0 1 - region 0, Service 1 2 - region 1, Service 1 3 - region 1, Service 2 4 - region 2, Service 2 5 - region 2, Service 0
-
keystone.tests.unit.test_backend_endpoint_policy_sql module¶
-
class
keystone.tests.unit.test_backend_endpoint_policy_sql.SqlPolicyAssociationTable(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlModelsSet of tests for checking SQL Policy Association Mapping.
-
class
keystone.tests.unit.test_backend_endpoint_policy_sql.SqlPolicyAssociationTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.test_backend_endpoint_policy.PolicyAssociationTests
keystone.tests.unit.test_backend_federation_sql module¶
-
class
keystone.tests.unit.test_backend_federation_sql.SqlFederation(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlModelsSet of tests for checking SQL Federation.
keystone.tests.unit.test_backend_id_mapping_sql module¶
-
class
keystone.tests.unit.test_backend_id_mapping_sql.SqlIDMappingTable(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlModelsSet of tests for checking SQL Identity ID Mapping.
keystone.tests.unit.test_backend_kvs module¶
-
class
keystone.tests.unit.test_backend_kvs.KvsToken(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase,keystone.tests.unit.token.test_backends.TokenTests
-
class
keystone.tests.unit.test_backend_kvs.KvsTokenCacheInvalidation(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase,keystone.tests.unit.token.test_backends.TokenCacheInvalidation
keystone.tests.unit.test_backend_ldap module¶
-
class
keystone.tests.unit.test_backend_ldap.AssignmentTests[source]¶ Bases:
keystone.tests.unit.assignment.test_backends.AssignmentTests
-
class
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.IdentityTests,keystone.tests.unit.test_backend_ldap.AssignmentTests,keystone.tests.unit.test_backend_ldap.ResourceTests-
test_create_project_with_domain_id_and_without_parent_id()[source]¶ Multiple domains are not supported.
-
test_create_project_with_domain_id_mismatch_to_parent_domain()[source]¶ Multiple domains are not supported.
-
test_list_group_members_missing_entry()[source]¶ List group members with deleted user.
If a group has a deleted entry for a member, the non-deleted members are returned.
-
test_list_role_assignment_by_user_with_domain_group_roles()[source]¶ Multiple domain assignments are not supported.
-
test_list_role_assignment_using_sourced_groups_with_domains()[source]¶ Multiple domain assignments are not supported.
-
-
class
keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentity[source]¶ Bases:
objectMixin class with support methods for domain-specific config testing.
-
class
keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentity(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity,keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.core.TestCase,keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentityClass to test when all domains use specific configs, including SQL.
We define a set of domains and domain-specific backends:
- A separate LDAP backend for the default domain
- A separate SQL backend for domain1
Although the default driver still exists, we don’t use it.
-
DOMAIN_COUNT= 2¶
-
DOMAIN_SPECIFIC_COUNT= 2¶
-
test_domain_segregation()[source]¶ Test that separate configs have segregated the domain.
Test Plan:
- Users were created in each domain as part of setup, now make sure you can only find a given user in its relevant domain/backend
- Make sure that for a backend that supports multiple domains you can get the users via any of its domains
-
class
keystone.tests.unit.test_backend_ldap.DomainSpecificSQLIdentity(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.DomainSpecificLDAPandSQLIdentityClass to test simplest use of domain-specific SQL driver.
The simplest use of an SQL domain-specific backend is when it is used to augment the standard case when LDAP is the default driver defined in the main config file. This would allow, for example, service users to be stored in SQL while LDAP handles the rest. Hence we define:
- The default driver uses the LDAP backend for the default domain
- A separate SQL backend for domain1
-
DOMAIN_COUNT= 2¶
-
DOMAIN_SPECIFIC_COUNT= 1¶
-
class
keystone.tests.unit.test_backend_ldap.IdentityTests[source]¶ Bases:
keystone.tests.unit.identity.test_backends.IdentityTests
-
class
keystone.tests.unit.test_backend_ldap.LDAPIdentity(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_backend_ldap.LDAPLimitTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase,keystone.tests.unit.identity.test_backends.LimitTests
-
class
keystone.tests.unit.test_backend_ldap.LDAPTestSetup(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseCommon setup for LDAP tests.
-
class
keystone.tests.unit.test_backend_ldap.LdapFilterTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.identity.test_backends.FilterTests,keystone.tests.unit.test_backend_ldap.LDAPTestSetup
-
class
keystone.tests.unit.test_backend_ldap.LdapIdentityWithMapping(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity,keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.core.TestCaseClass to test mapping of default LDAP backend.
The default configuration is not to enable mapping when using a single backend LDAP driver. However, a cloud provider might want to enable the mapping, hence hiding the LDAP IDs from any clients of keystone. Setting backward_compatible_ids to False will enable this mapping.
-
test_dynamic_mapping_build()[source]¶ Test to ensure entities not create via controller are mapped.
Many LDAP backends will, essentially, by Read Only. In these cases the mapping is not built by creating objects, rather from enumerating the entries. We test this here my manually deleting the mapping and then trying to re-read the entries.
-
-
class
keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentity(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.BaseLDAPIdentity,keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.core.TestCase,keystone.tests.unit.test_backend_ldap.BaseMultiLDAPandSQLIdentityClass to test common SQL plus individual LDAP backends.
We define a set of domains and domain-specific backends:
- A separate LDAP backend for the default domain
- A separate LDAP backend for domain1
- domain2 shares the same LDAP as domain1, but uses a different tree attach point
- An SQL backend for all other domains (which will include domain3 and domain4)
Normally one would expect that the default domain would be handled as part of the “other domains” - however the above provides better test coverage since most of the existing backend tests use the default domain.
-
enable_multi_domain()[source]¶ Enable the chosen form of multi domain configuration support.
This method enables the file-based configuration support. Child classes that wish to use the database domain configuration support should override this method and set the appropriate config_fixture option.
-
test_domain_segregation()[source]¶ Test that separate configs have segregated the domain.
Test Plan:
- Users were created in each domain as part of setup, now make sure you can only find a given user in its relevant domain/backend
- Make sure that for a backend that supports multiple domains you can get the users via any of its domains
-
test_existing_uuids_work()[source]¶ Test that ‘uni-domain’ created IDs still work.
Throwing the switch to domain-specific backends should not cause existing identities to be inaccessible via ID.
-
test_scanning_of_config_dir()[source]¶ Test the Manager class scans the config directory.
The setup for the main tests above load the domain configs directly so that the test overrides can be included. This test just makes sure that the standard config directory scanning does pick up the relevant domain config files.
-
class
keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentityDomainConfigsInSQL(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap.MultiLDAPandSQLIdentityClass to test the use of domain configs stored in the database.
Repeat the same tests as MultiLDAPandSQLIdentity, but instead of using the domain specific config files, store the domain specific values in the database.
-
test_delete_domain_clears_sql_registration()[source]¶ Ensure registration is deleted when a domain is deleted.
-
test_domain_config_has_no_impact_if_database_support_disabled()[source]¶ Ensure database domain configs have no effect if disabled.
Set reading from database configs to false, restart the backends and then try and set and use database configs.
-
test_orphaned_registration_does_not_prevent_getting_sql_driver()[source]¶ Ensure we self heal an orphaned sql registration.
-
test_reloading_domain_config()[source]¶ Ensure domain drivers are reloaded on a config modification.
-
-
class
keystone.tests.unit.test_backend_ldap.ResourceTests[source]¶ Bases:
keystone.tests.unit.resource.test_backends.ResourceTests
keystone.tests.unit.test_backend_ldap_pool module¶
-
class
keystone.tests.unit.test_backend_ldap_pool.LDAPIdentity(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin,keystone.tests.unit.test_backend_ldap.LDAPIdentity,keystone.tests.unit.core.TestCaseExecutes tests in existing base class with pooled LDAP handler.
keystone.tests.unit.test_backend_rules module¶
-
class
keystone.tests.unit.test_backend_rules.RulesPolicy(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase,keystone.tests.unit.policy.test_backends.PolicyTests
keystone.tests.unit.test_backend_sql module¶
-
class
keystone.tests.unit.test_backend_sql.FakeTable(*args, **kwargs)[source]¶ Bases:
sqlalchemy.ext.declarative.api.Base-
col¶
-
-
class
keystone.tests.unit.test_backend_sql.SqlCatalog(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.catalog.test_backends.CatalogTests
-
class
keystone.tests.unit.test_backend_sql.SqlFilterTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.identity.test_backends.FilterTests
-
class
keystone.tests.unit.test_backend_sql.SqlIdentity(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.identity.test_backends.IdentityTests,keystone.tests.unit.identity.test_backends.ShadowUsersTests,keystone.tests.unit.assignment.test_backends.AssignmentTests,keystone.tests.unit.resource.test_backends.ResourceTestsEnsure we cannot access the hidden root of all project domains.
Calling any of the driver methods should result in the same as would be returned if we passed a project that does not exist. We don’t test create_project, since we do not allow a caller of our API to specify their own ID for a new entity.
-
test_list_domains_for_user_with_inherited_grants()[source]¶ Test that inherited roles on the domain are excluded.
Test Plan:
- Create two domains, one user, group and role
- Domain1 is given an inherited user role, Domain2 an inherited group role (for a group of which the user is a member)
- When listing domains for user, neither domain should be returned
-
test_storing_null_domain_id_in_project_ref()[source]¶ Test the special storage of domain_id=None in sql resource driver.
The resource driver uses a special value in place of None for domain_id in the project record. This shouldn’t escape the driver. Hence we test the interface to ensure that you can store a domain_id of None, and that any special value used inside the driver does not escape through the interface.
-
test_update_project_returns_extra()[source]¶ Test for backward compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.
This behavior is specific to the SQL driver.
-
test_update_user_returns_extra()[source]¶ Test for backwards-compatibility with an essex/folsom bug.
Non-indexed attributes were returned in an ‘extra’ attribute, instead of on the entity itself; for consistency and backwards compatibility, those attributes should be included twice.
This behavior is specific to the SQL driver.
-
class
keystone.tests.unit.test_backend_sql.SqlImpliedRoles(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.assignment.test_backends.ImpliedRoleTests
-
class
keystone.tests.unit.test_backend_sql.SqlInheritance(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.assignment.test_backends.InheritanceTests
-
class
keystone.tests.unit.test_backend_sql.SqlLimitTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.identity.test_backends.LimitTests
-
class
keystone.tests.unit.test_backend_sql.SqlModels(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests-
assertExpectedSchema(table, expected_schema)[source]¶ Assert that a table’s schema is what we expect.
Parameters: - table (string) – the name of the table to inspect
- expected_schema (tuple) – a tuple of tuples containing the expected schema
Raises: AssertionError – when the database schema doesn’t match the expected schema
The expected_schema format is simply:
( ('column name', sql type, qualifying detail), ... )
The qualifying detail varies based on the type of the column:
- sql.Boolean columns must indicate the column's default value or None if there is no default - Columns with a length, like sql.String, must indicate the column's length - All other column types should use None
Example:
cols = (('id', sql.String, 64), ('enabled', sql.Boolean, True), ('extra', sql.JsonBlob, None)) self.assertExpectedSchema('table_name', cols)
-
-
class
keystone.tests.unit.test_backend_sql.SqlPolicy(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.policy.test_backends.PolicyTests
-
class
keystone.tests.unit.test_backend_sql.SqlTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_backend_sql.SqlToken(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.token.test_backends.TokenTests
-
class
keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidationWithPKI(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.token.test_backends.TokenCacheInvalidation
-
class
keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidationWithPKIZ(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.token.test_backends.TokenCacheInvalidation
-
class
keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidationWithUUID(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.token.test_backends.TokenCacheInvalidation
-
class
keystone.tests.unit.test_backend_sql.SqlTrust(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.trust.test_backends.TrustTests
keystone.tests.unit.test_backend_templated module¶
-
class
keystone.tests.unit.test_backend_templated.TestTemplatedCatalog(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase,keystone.tests.unit.catalog.test_backends.CatalogTests-
DEFAULT_FIXTURE= {'RegionOne': {'compute': {'adminURL': 'http://localhost:8774/v1.1/bar', 'id': '2', 'internalURL': 'http://localhost:8774/v1.1/bar', 'name': "'Compute Service'", 'publicURL': 'http://localhost:8774/v1.1/bar'}, 'identity': {'adminURL': 'http://localhost:35357/v2.0', 'id': '1', 'internalURL': 'http://localhost:35357/v2.0', 'name': "'Identity Service'", 'publicURL': 'http://localhost:5000/v2.0'}}}¶
-
keystone.tests.unit.test_catalog module¶
-
class
keystone.tests.unit.test_catalog.V2CatalogTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.rest.RestfulTestCase-
test_endpoint_create_with_invalid_url()[source]¶ Test the invalid cases: substitutions is not exactly right.
-
test_endpoint_create_with_valid_url()[source]¶ Create endpoint with valid URL should be tested, too.
-
test_pure_v3_endpoint_with_publicurl_visible_from_v2()[source]¶ Test pure v3 endpoint can be fetched via v2.0 API.
For those who are using v2.0 APIs, endpoints created by v3 API should also be visible as there are no differences about the endpoints except the format or the internal implementation. Since publicURL is required for v2.0 API, so only v3 endpoints of the service which have the public interface endpoint will be converted into v2.0 endpoints.
-
test_pure_v3_endpoint_without_publicurl_invisible_from_v2()[source]¶ Test that the v2.0 API can’t fetch v3 endpoints without publicURLs.
v2.0 API will return endpoints created by v3 API, but publicURL is required for the service in the v2.0 API, therefore v3 endpoints of a service which don’t have publicURL will be ignored.
-
keystone.tests.unit.test_cert_setup module¶
keystone.tests.unit.test_cli module¶
-
class
keystone.tests.unit.test_cli.CliBootStrapTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.core.TestCase
-
class
keystone.tests.unit.test_cli.CliDomainConfigInvalidDomainTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
-
class
keystone.tests.unit.test_cli.CliDomainConfigNoOptionsTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
-
class
keystone.tests.unit.test_cli.CliDomainConfigSingleDomainTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
-
class
keystone.tests.unit.test_cli.CliDomainConfigTooManyOptionsTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_cli.CliDomainConfigAllTestCase
-
class
keystone.tests.unit.test_cli.CliTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.core.TestCase
keystone.tests.unit.test_config module¶
-
class
keystone.tests.unit.test_config.DeprecatedOverrideTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseTest using the deprecated AND new name for renamed options.
keystone.tests.unit.test_contrib_s3_core module¶
keystone.tests.unit.test_contrib_simple_cert module¶
-
class
keystone.tests.unit.test_contrib_simple_cert.BaseTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase-
CA_PATH= '/v3/OS-SIMPLE-CERT/ca'¶
-
CERT_PATH= '/v3/OS-SIMPLE-CERT/certificates'¶
-
keystone.tests.unit.test_credential module¶
-
class
keystone.tests.unit.test_credential.V2CredentialEc2Controller(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase-
test_check_non_admin_user()[source]¶ Checking if user is admin causes uncaught error.
When checking if a user is an admin, keystone.exception.Unauthorized is raised but not caught if the user is not an admin.
-
test_signature_validate_no_host_port()[source]¶ Test signature validation with the access/secret provided.
-
test_signature_validate_no_signature()[source]¶ Signature is not presented in signature reference data.
-
test_signature_validate_with_host_port()[source]¶ Test signature validation when host is bound with port.
Host is bound with a port, generally, the port here is not the standard port for the protocol, like ‘80’ for HTTP and port 443 for HTTPS, the port is not omitted by the client library.
-
test_signature_validate_with_missed_host_port()[source]¶ Test signature validation when host is bound with well-known port.
Host is bound with a port, but the port is well-know port like ‘80’ for HTTP and port 443 for HTTPS, sometimes, client library omit the port but then make the request with the port. see (How to create the string to sign): ‘http://docs.aws.amazon.com/ general/latest/gr/signature-version-2.html’.
Since “credentials[‘host’]” is not set by client library but is taken from “req.host”, so caused the differences.
-
keystone.tests.unit.test_driver_hints module¶
keystone.tests.unit.test_entry_points module¶
keystone.tests.unit.test_exception module¶
-
class
keystone.tests.unit.test_exception.ExceptionTestCase(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_exception.SecurityErrorTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_exception.ExceptionTestCaseTest whether security-related info is exposed to the API user.
-
class
keystone.tests.unit.test_exception.TestSecurityErrorTranslation(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest i18n for SecurityError exceptions.
-
exception
CustomError(message=None, **kwargs)[source]¶ Bases:
keystone.exception.Error-
message_format= u'We had a failure in the %(place)r'¶
-
-
exception
TestSecurityErrorTranslation.CustomSecurityError(message=None, **kwargs)[source]¶ Bases:
keystone.exception.SecurityError-
message_format= u'We had a failure in the %(place)r'¶
-
-
exception
-
class
keystone.tests.unit.test_exception.UnexpectedExceptionTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_exception.ExceptionTestCaseTest if internal info is exposed to the API user on UnexpectedError.
-
exception
SubClassExc(message=None, **kwargs)[source]¶ Bases:
keystone.exception.UnexpectedError-
debug_message_format= 'Debug Message: %(debug_info)s'¶
-
-
exception
keystone.tests.unit.test_hacking_checks module¶
keystone.tests.unit.test_kvs module¶
-
class
keystone.tests.unit.test_kvs.KVSBackendForcedKeyMangleFixture(arguments)[source]¶ Bases:
keystone.tests.unit.test_kvs.KVSBackendFixture-
use_backend_key_mangler= True¶
-
-
class
keystone.tests.unit.test_kvs.RegionProxy2Fixture(*args, **kwargs)[source]¶ Bases:
dogpile.cache.proxy.ProxyBackendA test dogpile.cache proxy that does nothing.
-
class
keystone.tests.unit.test_kvs.RegionProxyFixture(*args, **kwargs)[source]¶ Bases:
dogpile.cache.proxy.ProxyBackendA test dogpile.cache proxy that does nothing.
-
class
keystone.tests.unit.test_kvs.TestCacheRegionInit(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseIllustrate the race condition on cache initialization.
This case doesn’t actually expose the error, it just simulates unprotected code behaviour, when race condition leads to re-configuration of shared KVS backend object. What, in turn, results in an exception.
-
kvs_backend= 'openstack.kvs.Memory'¶
-
store_name= 'test-kvs'¶
-
-
class
keystone.tests.unit.test_kvs.TestMemcacheDriver(arguments)[source]¶ Bases:
dogpile.cache.api.CacheBackendA test dogpile.cache backend.
This test backend conforms to the mixin-mechanism for overriding set and set_multi methods on dogpile memcached drivers.
keystone.tests.unit.test_ldap_livetest module¶
keystone.tests.unit.test_ldap_pool_livetest module¶
-
class
keystone.tests.unit.test_ldap_pool_livetest.LiveLDAPPoolIdentity(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_ldap_pool.LdapPoolCommonTestMixin,keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentityExecutes existing LDAP live test with pooled LDAP handler.
Also executes common pool specific tests via Mixin class.
keystone.tests.unit.test_ldap_tls_livetest module¶
-
class
keystone.tests.unit.test_ldap_tls_livetest.LiveTLSLDAPIdentity(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_ldap_livetest.LiveLDAPIdentity
keystone.tests.unit.test_middleware module¶
-
class
keystone.tests.unit.test_middleware.AdminTokenAuthMiddlewareTest(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_middleware.MiddlewareRequestTestBase-
MIDDLEWARE_CLASS¶ alias of
AdminTokenAuthMiddleware
-
-
class
keystone.tests.unit.test_middleware.AuthContextMiddlewareTest(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.test_middleware.MiddlewareRequestTestBase-
MIDDLEWARE_CLASS¶ alias of
AuthContextMiddleware
-
test_ephemeral_any_user_success()[source]¶ Verify ephemeral user does not need a specified user.
Keystone is not looking to match the user, but a corresponding group.
-
-
class
keystone.tests.unit.test_middleware.JsonBodyMiddlewareTest(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_middleware.MiddlewareRequestTestBase-
MIDDLEWARE_CLASS¶ alias of
JsonBodyMiddleware
-
-
class
keystone.tests.unit.test_middleware.MiddlewareRequestTestBase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCase-
MIDDLEWARE_CLASS= None¶
-
keystone.tests.unit.test_no_admin_token_auth module¶
keystone.tests.unit.test_policy module¶
keystone.tests.unit.test_revoke module¶
-
class
keystone.tests.unit.test_revoke.SqlRevokeTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_backend_sql.SqlTests,keystone.tests.unit.test_revoke.RevokeTests
keystone.tests.unit.test_sql_banned_operations module¶
keystone.tests.unit.test_sql_upgrade module¶
keystone.tests.unit.test_token_bind module¶
-
class
keystone.tests.unit.test_token_bind.BindTest(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseTest binding tokens to a Principal.
Even though everything in this file references kerberos the same concepts will apply to all future binding mechanisms.
keystone.tests.unit.test_token_provider module¶
-
class
keystone.tests.unit.test_token_provider.TestPKIProviderWithStdlib(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_token_provider.PKIProviderTests,keystone.tests.unit.core.TestCase
keystone.tests.unit.test_url_middleware module¶
-
class
keystone.tests.unit.test_url_middleware.FakeApp[source]¶ Bases:
objectFakes a WSGI app URL normalized.
keystone.tests.unit.test_v2 module¶
-
class
keystone.tests.unit.test_v2.CoreApiTests[source]¶ Bases:
object-
assertNoRoles(r)[source]¶ Helper method to assert No Roles.
This needs to be overridden by child classes based on their content type.
-
-
class
keystone.tests.unit.test_v2.LegacyV2UsernameTests[source]¶ Bases:
objectTest to show the broken username behavior in V2.
The V2 API is documented to use username instead of name. The API forced used to use name and left the username to fall into the extra field.
These tests ensure this behavior works so fixes to username/name will be backward compatible.
-
create_user(**user_attrs)[source]¶ Create a users and returns the response object.
Parameters: user_attrs – attributes added to the request body (optional)
-
test_create_with_extra_username()[source]¶ The response for creating a user will contain the extra fields.
-
test_get_returns_username_from_extra()[source]¶ The response for getting a user will contain the extra fields.
-
test_update_returns_new_username_when_adding_username()[source]¶ The response for updating a user will contain the extra fields.
This is specifically testing for updating a username when a value was not previously set.
-
test_update_returns_new_username_when_updating_username()[source]¶ The response for updating a user will contain the extra fields.
This tests updating a username that was previously set.
-
test_updated_username_is_returned()[source]¶ Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
-
test_username_is_always_returned_create()[source]¶ Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
-
test_username_is_always_returned_get()[source]¶ Username is set as the value of name if no username is provided.
This matches the v2.0 spec where we really should be using username and not name.
-
-
class
keystone.tests.unit.test_v2.RevokeApiTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v2.V2TestCase,keystone.tests.unit.test_v2.RestfulTestCase,keystone.tests.unit.test_v2.CoreApiTests,keystone.tests.unit.test_v2.LegacyV2UsernameTests
-
class
keystone.tests.unit.test_v2.TestFernetTokenProviderV2(*args, **kwargs)[source]¶
-
class
keystone.tests.unit.test_v2.V2TestCase[source]¶ Bases:
object-
test_fetch_revocation_list_md5()[source]¶ Hash for tokens in revocation list and server config should match.
If the server is configured for md5, then the revocation list has tokens hashed with MD5.
-
test_fetch_revocation_list_sha256()[source]¶ Hash for tokens in revocation list and server config should match.
If the server is configured for sha256, then the revocation list has tokens hashed with SHA256.
-
-
class
keystone.tests.unit.test_v2.V2TestCaseFernet(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v2.V2TestCase,keystone.tests.unit.test_v2.RestfulTestCase,keystone.tests.unit.test_v2.CoreApiTests,keystone.tests.unit.test_v2.LegacyV2UsernameTests
-
class
keystone.tests.unit.test_v2.V2TestCaseUUID(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v2.V2TestCase,keystone.tests.unit.test_v2.RestfulTestCase,keystone.tests.unit.test_v2.CoreApiTests,keystone.tests.unit.test_v2.LegacyV2UsernameTests
keystone.tests.unit.test_v2_controller module¶
-
class
keystone.tests.unit.test_v2_controller.TenantTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseTest for the V2 Tenant controller.
These tests exercise
keystone.assignment.controllers.Tenant.-
test_create_is_domain_project_fails()[source]¶ Test that the creation of a project acting as a domain fails.
-
test_create_project_passing_is_domain_false_fails()[source]¶ Test that passing is_domain=False is not allowed.
-
test_delete_is_domain_project_not_found()[source]¶ Test that delete is_domain project is not allowed in v2.
-
test_get_is_domain_project_not_found()[source]¶ Test that get project does not return is_domain projects.
-
test_get_project_users_no_user()[source]¶ Test the user’s existence for get_project_users.
When a user that’s not known to identity has a role on a project, then get_project_users just skips that user.
-
test_list_is_domain_project_not_found()[source]¶ Test v2 get_all_projects having projects that act as a domain.
In v2 no project with the is_domain flag enabled should be returned.
-
keystone.tests.unit.test_v2_validation module¶
-
class
keystone.tests.unit.test_v2_validation.RoleValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V2 Roles API Validation.
-
class
keystone.tests.unit.test_v2_validation.ServiceValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V2 Service API Validation.
-
class
keystone.tests.unit.test_v2_validation.TenantValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for v2 Tenant API Validation.
-
test_validate_tenant_create_fails_with_invalid_name()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_tenant_create_with_invalid_enabled_fails()[source]¶ Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_tenant_update_fails_with_invalid_name()[source]¶ Exception when validating an update request with invalid name.
-
-
class
keystone.tests.unit.test_v2_validation.UserValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V2 User API Validation.
keystone.tests.unit.test_v3 module¶
-
class
keystone.tests.unit.test_v3.AssignmentTestMixin[source]¶ Bases:
objectTo hold assignment helper functions.
-
build_role_assignment_entity(link=None, prior_role_link=None, **attribs)[source]¶ Build and return a role assignment entity with provided attributes.
Provided attributes are expected to contain: domain_id or project_id, user_id or group_id, role_id and, optionally, inherited_to_projects.
-
build_role_assignment_entity_include_names(domain_ref=None, role_ref=None, group_ref=None, user_ref=None, project_ref=None, inherited_assignment=None)[source]¶ Build and return a role assignment entity with provided attributes.
The expected attributes are: domain_ref or project_ref, user_ref or group_ref, role_ref and, optionally, inherited_to_projects.
-
-
class
keystone.tests.unit.test_v3.AuthContextMiddlewareAdminTokenTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase-
EXTENSION_TO_ADD= 'admin_token_auth'¶
-
-
class
keystone.tests.unit.test_v3.AuthTestMixin[source]¶ Bases:
objectTo hold auth building helper functions.
-
build_auth_scope(project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, domain_id=None, domain_name=None, trust_id=None, unscoped=None, is_domain=None)[source]¶
-
build_authentication_request(token=None, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, kerberos=False, **kwargs)[source]¶ Build auth dictionary.
It will create an auth dictionary based on all the arguments that it receives.
-
-
class
keystone.tests.unit.test_v3.JsonHomeTestMixin[source]¶ Bases:
objectJSON Home test.
Mixin this class to provide a test for the JSON-Home response for an extension.
The base class must set JSON_HOME_DATA to a dict of relationship URLs (rels) to the JSON-Home data for the relationship. The rels and associated data must be in the response.
-
class
keystone.tests.unit.test_v3.RestfulTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.SQLDriverOverrides,keystone.tests.unit.rest.RestfulTestCase,keystone.tests.common.auth.AuthTestMixin-
assertEqualTokens(a, b)[source]¶ Assert that two tokens are equal.
Compare two tokens except for their ids. This also truncates the time in the comparison.
-
assertValidEntity(entity, ref=None, keys_to_check=None)[source]¶ Make assertions common to all API entities.
If a reference is provided, the entity will also be compared against the reference.
-
assertValidListResponse(resp, key, entity_validator, ref=None, expected_length=None, keys_to_check=None, resource_url=None)[source]¶ Make assertions common to all API list responses.
If a reference is provided, it’s ID will be searched for in the response, and asserted to be equal.
-
assertValidResponse(resp, key, entity_validator, *args, **kwargs)[source]¶ Make assertions common to all API responses.
-
build_external_auth_request(remote_user, remote_domain=None, auth_data=None, kerberos=False)[source]¶
-
keystone.tests.unit.test_v3_assignment module¶
keystone.tests.unit.test_v3_auth module¶
keystone.tests.unit.test_v3_catalog module¶
-
class
keystone.tests.unit.test_v3_catalog.CatalogTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTest service & endpoint CRUD.
-
test_create_endpoint_with_no_region()[source]¶ EndpointV3 allows to creates the endpoint without region.
-
test_create_endpoint_with_region()[source]¶ EndpointV3 creates the region before creating the endpoint.
This occurs when endpoint is provided with ‘region’ and no ‘region_id’.
-
test_create_region_with_conflicting_ids()[source]¶ Call
PUT /regions/{region_id}with conflicting region IDs.
-
test_create_region_with_empty_id()[source]¶ Call
POST /regionswith an empty ID in the request body.
-
test_create_region_with_matching_ids()[source]¶ Call
PUT /regions/{region_id}with an ID in the request body.
-
test_create_region_without_description()[source]¶ Call
POST /regionswithout description in the request body.
-
test_create_regions_with_same_description_string()[source]¶ Call
POST /regionswith duplicate descriptions.
-
test_endpoint_create_with_invalid_url()[source]¶ Test the invalid cases: substitutions is not exactly right.
-
test_endpoint_create_with_valid_url_project_id()[source]¶ Create endpoint with valid url should be tested,too.
-
test_list_endpoints_filtered_by_parent_region_id()[source]¶ Call
GET /endpoints?region_id={region_id}.Ensure passing the parent_region_id as filter returns an empty list.
-
test_list_endpoints_with_multiple_filters()[source]¶ Call
GET /endpoints?interface={interface}....Ensure passing different combinations of interface, region_id and service_id as filters will return the correct result.
-
test_list_endpoints_with_random_filter_values()[source]¶ Call
GET /endpoints?interface={interface}....Ensure passing random values for: interface, region_id and service_id will return an empty list.
-
test_list_regions_filtered_by_parent_region_id()[source]¶ Call
GET /regions?parent_region_id={parent_region_id}.
-
test_update_endpoint_enabled_false()[source]¶ Call
PATCH /endpoints/{endpoint_id}with enabled: False.
-
test_update_endpoint_enabled_str_false()[source]¶ Call
PATCH /endpoints/{endpoint_id}with enabled: ‘False’.
-
test_update_endpoint_enabled_str_random()[source]¶ Call
PATCH /endpoints/{endpoint_id}with enabled: ‘kitties’.
-
test_update_endpoint_enabled_str_true()[source]¶ Call
PATCH /endpoints/{endpoint_id}with enabled: ‘True’.
-
-
class
keystone.tests.unit.test_v3_catalog.TestCatalogAPISQL(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseTest for the catalog Manager against the SQL backend.
-
class
keystone.tests.unit.test_v3_catalog.TestCatalogAPISQLRegions(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseTest for the catalog Manager against the SQL backend.
-
class
keystone.tests.unit.test_v3_catalog.TestCatalogAPITemplatedProject(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTemplated Catalog doesn’t support full API.
Eg. No region/endpoint creation.
-
test_project_delete()[source]¶ Deleting a project should not result in an 500 ISE.
Deleting a project will create a notification, which the EndpointFilter functionality will use to clean up any project->endpoint and project->endpoint_group relationships. The templated catalog does not support such relationships, but the act of attempting to delete them should not cause a NotImplemented exception to be exposed to an API caller.
Deleting an endpoint has a similar notification and clean up mechanism, but since we do not allow deletion of endpoints with the templated catalog, there is no testing to do for that action.
-
keystone.tests.unit.test_v3_credential module¶
-
class
keystone.tests.unit.test_v3_credential.CredentialTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_credential.CredentialBaseTestCaseTest credential CRUD.
-
test_create_ec2_credential_with_invalid_blob()[source]¶ Test creating ec2 credential with invalid blob.
Call
POST /credentials.
-
test_create_ec2_credential_with_missing_project_id()[source]¶ Test Creating ec2 credential with missing project_id.
Call
POST /credentials.
-
test_list_credentials_filtered_by_type_and_user_id()[source]¶ Call
GET /credentials?user_id={user_id}&type={type}.
-
-
class
keystone.tests.unit.test_v3_credential.TestCredentialEc2(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_credential.CredentialBaseTestCaseTest v3 credential compatibility with ec2tokens.
-
test_ec2_credential_signature_validate()[source]¶ Test signature validation with a v3 ec2 credential.
-
-
class
keystone.tests.unit.test_v3_credential.TestCredentialTrustScoped(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTest credential with trust scoped token.
keystone.tests.unit.test_v3_domain_config module¶
-
class
keystone.tests.unit.test_v3_domain_config.DomainConfigTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTest domain config support.
-
test_create_config_invalid_domain()[source]¶ Call
PUT /domains/{domain_id}/config.While creating Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_delete_config_by_group_invalid_domain()[source]¶ Call
DELETE /domains{domain_id}/config/{group}.While deleting Identity API-based domain config by group with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
-
test_delete_config_invalid_domain()[source]¶ Call
DELETE /domains{domain_id}/config.While deleting Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_get_config_by_group_invalid_domain()[source]¶ Call
GET & HEAD /domains{domain_id}/config/{group}.While retrieving Identity API-based domain config by group with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
-
test_get_config_by_option_invalid_domain()[source]¶ Call
GET & HEAD /domains{domain_id}/config/{group}/{option}.While retrieving Identity API-based domain config by option with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
-
test_get_config_default_by_invalid_group()[source]¶ Call
GET for /domains/config/{bad-group}/default.
-
test_get_config_default_by_invalid_option()[source]¶ Call
GET for /domains/config/{group}/{bad-option}/default.
-
test_get_non_existant_config_group()[source]¶ Call
GET /domains{domain_id}/config/{group_not_exist}.
-
test_get_non_existant_config_group_invalid_domain()[source]¶ Call
GET /domains{domain_id}/config/{group_not_exist}.While retrieving non-existent Identity API-based domain config group with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_get_non_existant_config_invalid_domain()[source]¶ Call
GET /domains{domain_id}/config when no config defined.While retrieving non-existent Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response 404 domain not found.
-
test_get_non_existant_config_option()[source]¶ Call
GET /domains{domain_id}/config/group/{option_not_exist}.
-
test_get_non_existant_config_option_invalid_domain()[source]¶ Call
GET /domains{domain_id}/config/group/{option_not_exist}.While retrieving non-existent Identity API-based domain config option with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_update_config_group_invalid_domain()[source]¶ Call
PATCH /domains/{domain_id}/config/{group}.While updating Identity API-based domain config group with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_update_config_invalid_domain()[source]¶ Call
PATCH /domains/{domain_id}/config.While updating Identity API-based domain config with an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_update_config_invalid_group_invalid_domain()[source]¶ Call
PATCH /domains/{domain_id}/config/{invalid_group}.While updating Identity API-based domain config with an invalid group and an invalid domain id provided, the request shall be rejected with a response, 404 domain not found.
-
test_update_config_invalid_option()[source]¶ Call
PATCH /domains/{domain_id}/config/{group}/{invalid}.
-
keystone.tests.unit.test_v3_endpoint_policy module¶
-
class
keystone.tests.unit.test_v3_endpoint_policy.EndpointPolicyTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTest endpoint policy CRUD.
In general, the controller layer of the endpoint policy extension is really just marshalling the data around the underlying manager calls. Given that the manager layer is tested in depth by the backend tests, the tests we execute here concentrate on ensuring we are correctly passing and presenting the data.
-
test_crud_for_policy_for_explicit_endpoint()[source]¶ PUT, HEAD and DELETE for explicit endpoint policy.
-
-
class
keystone.tests.unit.test_v3_endpoint_policy.JsonHomeTests[source]¶ Bases:
keystone.tests.unit.test_v3.JsonHomeTestMixin-
EXTENSION_LOCATION= 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel'¶
-
JSON_HOME_DATA= {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy': {'href-template': '/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/service_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}', 'href-vars': {'service_id': 'http://docs.openstack.org/api/openstack-identity/3/param/service_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/endpoint_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}', 'href-vars': {'endpoint_id': 'http://docs.openstack.org/api/openstack-identity/3/param/endpoint_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/policy_endpoints': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints', 'href-vars': {'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}, 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-ENDPOINT-POLICY/1.0/rel/region_and_service_policy_association': {'href-template': '/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}', 'href-vars': {'service_id': 'http://docs.openstack.org/api/openstack-identity/3/param/service_id', 'region_id': 'http://docs.openstack.org/api/openstack-identity/3/param/region_id', 'policy_id': 'http://docs.openstack.org/api/openstack-identity/3/param/policy_id'}}}¶
-
PARAM_LOCATION= 'http://docs.openstack.org/api/openstack-identity/3/param'¶
-
keystone.tests.unit.test_v3_federation module¶
-
class
keystone.tests.unit.test_v3_federation.FederatedIdentityProviderTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseA test class for Identity Providers.
-
default_body= {'enabled': True, 'description': None}¶
-
idp_keys= ['description', 'enabled']¶
-
test_assign_protocol_to_nonexistent_idp()[source]¶ Assign protocol to IdP that doesn’t exist.
Expect HTTP 404 Not Found code.
-
test_check_idp_uniqueness()[source]¶ Add same IdP twice.
Expect HTTP 409 Conflict code for the latter call.
-
test_create_idp_remote_repeated()[source]¶ Create two IdentityProvider entities with some remote_ids.
A remote_id is the same for both so the second IdP is not created because of the uniqueness of the remote_ids
Expect HTTP 409 Conflict code for the latter call.
-
test_delete_existing_idp()[source]¶ Create and later delete IdP.
Expect HTTP 404 Not Found for the GET IdP call.
-
test_delete_idp_also_deletes_assigned_protocols()[source]¶ Deleting an IdP will delete its assigned protocol.
-
test_delete_nonexisting_idp()[source]¶ Delete nonexisting IdP.
Expect HTTP 404 Not Found for the GET IdP call.
-
test_delete_protocol()[source]¶ Delete protocol.
Expect HTTP 404 Not Found code for the GET call after the protocol is deleted.
-
test_get_nonexisting_idp()[source]¶ Fetch nonexisting IdP entity.
Expected HTTP 404 Not Found status code.
-
test_list_idps(iterations=5)[source]¶ List all available IdentityProviders.
This test collects ids of created IdPs and intersects it with the list of all available IdPs. List of all IdPs can be a superset of IdPs created in this test, because other tests also create IdPs.
-
test_list_protocols()[source]¶ Create set of protocols and later list them.
Compare input and output id sets.
-
test_protocol_composite_pk()[source]¶ Test that Keystone can add two entities.
The entities have identical names, however, attached to different IdPs.
- Add IdP and assign it protocol with predefined name
- Add another IdP and assign it a protocol with same name.
Expect HTTP 201 code
-
test_protocol_idp_pk_uniqueness()[source]¶ Test whether Keystone checks for unique idp/protocol values.
Add same protocol twice, expect Keystone to reject a latter call and return HTTP 409 Conflict code.
-
test_update_idp_immutable_attributes()[source]¶ Update IdP’s immutable parameters.
Expect HTTP BAD REQUEST.
-
-
class
keystone.tests.unit.test_v3_federation.FederatedSetupMixin[source]¶ Bases:
object-
ACTION= 'authenticate'¶
-
ASSERTION_PREFIX= 'PREFIX_'¶
-
AUTH_METHOD= 'saml2'¶
-
IDP= 'ORG_IDP'¶
-
IDP_WITH_REMOTE= 'ORG_IDP_REMOTE'¶
-
PROTOCOL= 'saml2'¶
-
REMOTE_IDS= ['entityID_IDP1', 'entityID_IDP2']¶
-
REMOTE_ID_ATTR= 'adc41a7d763c47d880106517900f55ca'¶
-
UNSCOPED_V3_SAML2_REQ= {'identity': {'methods': ['saml2'], 'saml2': {'identity_provider': 'ORG_IDP', 'protocol': 'saml2'}}}¶
-
USER= 'user@ORGANIZATION'¶
-
-
class
keystone.tests.unit.test_v3_federation.FederatedTokenTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase,keystone.tests.unit.test_v3_federation.FederatedSetupMixin-
test_assertion_prefix_parameter()[source]¶ Test parameters filtering based on the prefix.
With
assertion_prefixset to fixed, non default value, issue an unscoped token from assertion EMPLOYEE_ASSERTION_PREFIXED. Expect server to return unscoped token.
-
test_assertion_prefix_parameter_expect_fail()[source]¶ Test parameters filtering based on the prefix.
With
assertion_prefixdefault value set to empty string issue an unscoped token from assertion EMPLOYEE_ASSERTION. Next, configureassertion_prefixto valueUserName. Try issuing unscoped token with EMPLOYEE_ASSERTION. Expect server to raise exception.Unathorized exception.
-
test_empty_blacklist_passess_all_values()[source]¶ Test a mapping with empty blacklist specified.
Not adding a
blacklistkeyword to the mapping rules has the same effect as adding an emptyblacklist. In both cases, the mapping engine will not discard any groups that are associated with apache environment variables.This test checks scenario where an empty blacklist was specified. Expected result is to allow any value.
- The test scenario is as follows:
- Create group
EXISTS - Create group
NO_EXISTS - Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with groups
EXISTSandNO_EXISTSassigned
- Create group
-
test_empty_whitelist_discards_all_values()[source]¶ Test that empty whitelist blocks all the values.
Not adding a
whitelistkeyword to the mapping value is different than adding empty whitelist. The former case will simply pass all the values, whereas the latter would discard all the values.This test checks scenario where an empty whitelist was specified. The expected result is that no groups are matched.
- The test scenario is as follows:
- Create group
EXISTS - Set mapping rules for existing IdP with an empty whitelist that whould discard any values from the assertion
- Try issuing unscoped token, no groups were matched and that the federated user does not have any group assigned.
- Create group
-
test_full_workflow(*args, **kwargs)[source]¶ Test ‘standard’ workflow for granting access tokens.
- Issue unscoped token
- List available projects based on groups
- Scope token to one of available projects
-
test_issue_token_with_nonexistent_group()[source]¶ Inject assertion that matches rule issuing bad group id.
Expect server to find out that some groups are missing in the backend and raise exception.MappedGroupNotFound exception.
-
test_issue_unscoped_token_disabled_idp()[source]¶ Check if authentication works with disabled identity providers.
Test plan: 1) Disable default IdP 2) Try issuing unscoped token for that IdP 3) Expect server to forbid authentication
-
test_issue_unscoped_token_malformed_environment()[source]¶ Test whether non string objects are filtered out.
Put non string objects into the environment, inject correct assertion and try to get an unscoped token. Expect server not to fail on using split() method on non string objects and return token id in the HTTP header.
-
test_issue_unscoped_token_with_remote_default_overwritten()[source]¶ Test that protocol remote_id_attribute has higher priority.
Make sure the parameter stored under
protocolsection has higher priority over parameter from defaultfederationconfiguration section.
-
test_lists_with_missing_group_in_backend()[source]¶ Test a mapping that points to a group that does not exist.
For explicit mappings, we expect the group to exist in the backend, but for lists, specifically blacklists, a missing group is expected as many groups will be specified by the IdP that are not Keystone groups.
- The test scenario is as follows:
- Create group
EXISTS - Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with on group
EXISTSid in it
- Create group
-
test_not_adding_blacklist_passess_all_values()[source]¶ Test a mapping without blacklist specified.
Not adding a
blacklistkeyword to the mapping rules has the same effect as adding an emptyblacklist. In both cases all values will be accepted and passed.This test checks scenario where an blacklist was not specified. Expected result is to allow any value.
- The test scenario is as follows:
- Create group
EXISTS - Create group
NO_EXISTS - Set mapping rules for existing IdP with a blacklist that passes through as REMOTE_USER_GROUPS
- Issue unscoped token with on groups
EXISTSandNO_EXISTSassigned
- Create group
-
test_not_setting_whitelist_accepts_all_values()[source]¶ Test that not setting whitelist passes.
Not adding a
whitelistkeyword to the mapping value is different than adding empty whitelist. The former case will simply pass all the values, whereas the latter would discard all the values.This test checks a scenario where a
whitelistwas not specified. Expected result is that no groups are ignored.- The test scenario is as follows:
- Create group
EXISTS - Set mapping rules for existing IdP with an empty whitelist that whould discard any values from the assertion
- Issue an unscoped token and make sure ephemeral user is a member of two groups.
- Create group
-
test_scope_to_domain_multiple_tokens()[source]¶ Issue multiple tokens scoping to different domains.
The new tokens should be scoped to:
- domainA
- domainB
- domainC
-
test_scope_to_domain_with_only_inherited_roles_fails()[source]¶ Try to scope to a domain that has no direct roles.
-
test_scope_to_project_multiple_times()[source]¶ Try to scope the unscoped token multiple times.
The new tokens should be scoped to:
- Customers’ project
- Employees’ project
-
test_scope_to_project_with_only_inherited_roles()[source]¶ Try to scope token whose only roles are inherited.
-
test_scope_token_from_nonexistent_unscoped_token()[source]¶ Try to scope token from non-existent unscoped token.
-
test_scope_token_with_idp_disabled()[source]¶ Scope token issued by disabled IdP.
Try scoping the token issued by an IdP which is disabled now. Expect server to refuse scoping operation.
This test confirms correct behaviour when IdP was enabled and unscoped token was issued, but disabled before user tries to scope the token. Here we assume the unscoped token was already issued and start from the moment where IdP is being disabled and unscoped token is being used.
Test plan: 1) Disable IdP 2) Try scoping unscoped token
-
test_v2_auth_with_federation_token_fails()[source]¶ Test that using a federation token with v2 auth fails.
If an admin sets up a federated Keystone environment, and a user incorrectly configures a service (like Nova) to only use v2 auth, the returned message should be informative.
-
test_workflow_with_groups_deletion()[source]¶ Test full workflow with groups deletion before token scoping.
- The test scenario is as follows:
- Create group
group - Create and assign roles to
groupandproject_all - Patch mapping rules for existing IdP so it issues group id
- Issue unscoped token with
group‘s id - Delete group
group - Scope token to
project_all - Expect HTTP 500 response
- Create group
-
-
class
keystone.tests.unit.test_v3_federation.FederatedTokenTestsMethodToken(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_federation.FederatedTokenTestsTest federation operation with unified scoping auth method.
Test all the operations with auth method set to
tokenas a new, unified way for scoping all the tokens.-
AUTH_METHOD= 'token'¶
-
-
class
keystone.tests.unit.test_v3_federation.FederatedUserTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase,keystone.tests.unit.test_v3_federation.FederatedSetupMixinTest for federated users.
Tests new shadow users functionality
-
class
keystone.tests.unit.test_v3_federation.FernetFederatedTokenTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase,keystone.tests.unit.test_v3_federation.FederatedSetupMixin-
AUTH_METHOD= 'token'¶
-
-
class
keystone.tests.unit.test_v3_federation.IdPMetadataGenerationTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseA class for testing Identity Provider Metadata generation.
-
METADATA_URL= '/OS-FEDERATION/saml2/metadata'¶
-
-
class
keystone.tests.unit.test_v3_federation.JsonHomeTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase,keystone.tests.unit.test_v3.JsonHomeTestMixin-
JSON_HOME_DATA= {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider': {'href-template': '/OS-FEDERATION/identity_providers/{idp_id}', 'href-vars': {'idp_id': 'http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/param/idp_id'}}}¶
-
-
class
keystone.tests.unit.test_v3_federation.K2KServiceCatalogTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase-
SP1= 'SP1'¶
-
SP2= 'SP2'¶
-
SP3= 'SP3'¶
-
test_no_service_providers_in_token()[source]¶ Test service catalog with disabled service providers.
There should be no entry
service_providersin the catalog. Test passes providing no attribute was raised.
-
-
class
keystone.tests.unit.test_v3_federation.MappingCRUDTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseA class for testing CRUD operations for Mappings.
-
MAPPING_URL= '/OS-FEDERATION/mappings/'¶
-
-
class
keystone.tests.unit.test_v3_federation.SAMLGenerationTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase-
ASSERTION_FILE= 'signed_saml2_assertion.xml'¶
-
ASSERTION_VERSION= '2.0'¶
-
ECP_GENERATION_ROUTE= '/auth/OS-FEDERATION/saml2/ecp'¶
-
ISSUER= 'https://acme.com/FIM/sps/openstack/saml20'¶
-
PROJECT= 'development'¶
-
PROJECT_DOMAIN= 'project_domain'¶
-
RECIPIENT= 'http://beta.com/Shibboleth.sso/SAML2/POST'¶
-
ROLES= ['admin', 'member']¶
-
SAML_GENERATION_ROUTE= '/auth/OS-FEDERATION/saml2'¶
-
SERVICE_PROVDIER_ID= 'ACME'¶
-
SP_AUTH_URL= 'http://beta.com:5000/v3/OS-FEDERATION/identity_providers/BETA/protocols/saml2/auth'¶
-
SUBJECT= 'test_user'¶
-
SUBJECT_DOMAIN= 'user_domain'¶
-
test_generate_ecp_route()[source]¶ Test that the ECP generation endpoint produces XML.
The ECP endpoint /v3/auth/OS-FEDERATION/saml2/ecp should take the same input as the SAML generation endpoint (scoped token ID + Service Provider ID). The controller should return a SAML assertion that is wrapped in a SOAP envelope.
-
test_generate_saml_route()[source]¶ Test that the SAML generation endpoint produces XML.
The SAML endpoint /v3/auth/OS-FEDERATION/saml2 should take as input, a scoped token ID, and a Service Provider ID. The controller should fetch details about the user from the token, and details about the service provider from its ID. This should be enough information to invoke the SAML generator and provide a valid SAML (XML) document back.
-
test_invalid_scope_body()[source]¶ Test that missing the scope in request body raises an exception.
Raises exception.SchemaValidationError() - error 400 Bad Request
-
test_invalid_token_body()[source]¶ Test that missing the token in request body raises an exception.
Raises exception.SchemaValidationError() - error 400 Bad Request
-
test_not_project_scoped_token()[source]¶ Ensure SAML generation fails when passing domain-scoped tokens.
The server should return a 403 Forbidden Action.
-
test_saml_signing()[source]¶ Test that the SAML generator produces a SAML object.
Test the SAML generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.
-
test_samlize_token_values()[source]¶ Test the SAML generator produces a SAML object.
Test the SAML generator directly by passing known arguments, the result should be a SAML object that consistently includes attributes based on the known arguments that were passed in.
-
test_sp_not_found()[source]¶ Test SAML generation with an invalid service provider ID.
Raises exception.ServiceProviderNotFound() - error Not Found 404
-
test_token_not_found()[source]¶ Test that an invalid token in the request body raises an exception.
Raises exception.TokenNotFound() - error Not Found 404
-
-
class
keystone.tests.unit.test_v3_federation.ServiceProviderTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseA test class for Service Providers.
-
COLLECTION_NAME= 'service_providers'¶
-
MEMBER_NAME= 'service_provider'¶
-
SERVICE_PROVIDER_ID= 'ACME'¶
-
SP_KEYS= ['auth_url', 'id', 'enabled', 'description', 'relay_state_prefix', 'sp_url']¶
-
test_create_sp_relay_state_default()[source]¶ Create an SP without relay state, should default to ss:mem.
-
test_list_service_providers()[source]¶ Test listing of service provider objects.
Add two new service providers. List all available service providers. Expect to get list of three service providers (one created by setUp()) Test if attributes match.
-
test_update_service_provider()[source]¶ Update existing service provider.
Update default existing service provider and make sure it has been properly changed.
-
-
class
keystone.tests.unit.test_v3_federation.WebSSOTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_federation.FederatedTokenTestsA class for testing Web SSO.
-
ORIGIN= 'http%3A%2F%2Fhorizon.com'¶
-
PROTOCOL_REMOTE_ID_ATTR= '9c528c341a1840c4af4867e56f650f47'¶
-
SSO_TEMPLATE_NAME= 'sso_callback_template.html'¶
-
SSO_TEMPLATE_PATH= '/home/abuild/rpmbuild/BUILD/keystone-10.0.2.dev1/etc/sso_callback_template.html'¶
-
SSO_URL= '/auth/OS-FEDERATION/websso/'¶
-
TRUSTED_DASHBOARD= 'http://horizon.com'¶
-
keystone.tests.unit.test_v3_filters module¶
keystone.tests.unit.test_v3_identity module¶
keystone.tests.unit.test_v3_oauth1 module¶
-
class
keystone.tests.unit.test_v3_oauth1.FernetAuthTokenTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.AuthTokenTests,keystone.tests.unit.test_v3_oauth1.OAuthFlowTests
-
class
keystone.tests.unit.test_v3_oauth1.JsonHomeTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.OAuth1Tests,keystone.tests.unit.test_v3.JsonHomeTestMixin-
JSON_HOME_DATA= {'http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers': {'href': '/OS-OAUTH1/consumers'}}¶
-
-
class
keystone.tests.unit.test_v3_oauth1.MaliciousOAuth1Tests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.OAuth1Tests
-
class
keystone.tests.unit.test_v3_oauth1.OAuth1Tests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase-
CONSUMER_URL= '/OS-OAUTH1/consumers'¶
-
-
class
keystone.tests.unit.test_v3_oauth1.OAuthCADFNotificationTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.OAuthNotificationTests
-
class
keystone.tests.unit.test_v3_oauth1.OAuthNotificationTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.OAuth1Tests,keystone.tests.unit.common.test_notifications.BaseNotificationTest
-
class
keystone.tests.unit.test_v3_oauth1.UUIDAuthTokenTests(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3_oauth1.AuthTokenTests,keystone.tests.unit.test_v3_oauth1.OAuthFlowTests
keystone.tests.unit.test_v3_os_revoke module¶
keystone.tests.unit.test_v3_policy module¶
-
class
keystone.tests.unit.test_v3_policy.PolicyTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTest policy CRUD.
keystone.tests.unit.test_v3_protection module¶
-
class
keystone.tests.unit.test_v3_protection.IdentityTestPolicySample(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTest policy enforcement of the policy.json file.
-
class
keystone.tests.unit.test_v3_protection.IdentityTestProtectedCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTest policy enforcement on the v3 Identity API.
-
setUp()[source]¶ Setup for Identity Protection Test Cases.
As well as the usual housekeeping, create a set of domains, users, roles and projects for the subsequent tests:
- Three domains: A,B & C. C is disabled.
- DomainA has user1, DomainB has user2 and user3
- DomainA has group1 and group2, DomainB has group3
- User1 has two roles on DomainA
- User2 has one role on DomainA
Remember that there will also be a fourth domain in existence, the default domain.
-
test_get_user_protected_match_id()[source]¶ GET /users/{id} (match payload).
Test Plan:
- Update policy to protect api by user_id
- List users with user_id of user1 as filter, to check that this will correctly match user_id in the flattened payload
-
test_get_user_protected_match_target()[source]¶ GET /users/{id} (match target).
Test Plan:
- Update policy to protect api by domain_id
- Try and read a user who is in DomainB with a token scoped to Domain A - this should fail
- Retry this for a user who is in Domain A, which should succeed.
- Finally, try getting a user that does not exist, which should still return UserNotFound
-
test_list_groups_protected_by_domain()[source]¶ GET /groups?domain_id=mydomain (protected).
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA and make sure we only get back the two groups that are in domainA
- Try and read the groups from domainB - this should fail since we don’t have a token scoped for domainB
-
test_list_groups_protected_by_domain_and_filtered()[source]¶ GET /groups?domain_id=mydomain&name=myname (protected).
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA with a filter specifying both domainA and the name of group.
- We should only get back the group in domainA that matches the name
-
test_list_users_filtered_by_domain()[source]¶ GET /users?domain_id=mydomain (filtered).
Test Plan:
- Update policy so api is unprotected
- Use an un-scoped token to make sure we can filter the users by domainB, getting back the 2 users in that domain
-
test_list_users_protected_by_domain()[source]¶ GET /users?domain_id=mydomain (protected).
Test Plan:
- Update policy to protect api by domain_id
- List groups using a token scoped to domainA with a filter specifying domainA - we should only get back the one user that is in domainA.
- Try and read the users from domainB - this should fail since we don’t have a token scoped for domainB
-
test_list_users_unprotected()[source]¶ GET /users (unprotected).
Test Plan:
- Update policy so api is unprotected
- Use an un-scoped token to make sure we can get back all the users independent of domain
-
test_revoke_grant_protected_match_target()[source]¶ DELETE /domains/{id}/users/{id}/roles/{id} (match target).
Test Plan:
- Update policy to protect api by domain_id of entities in the grant
- Try and delete the existing grant that has a user who is from a different domain - this should fail.
- Retry this for a user who is in Domain A, which should succeed.
-
-
class
keystone.tests.unit.test_v3_protection.IdentityTestv3CloudPolicySample(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase,keystone.tests.unit.test_v3.AssignmentTestMixinTest policy enforcement of the sample v3 cloud policy file.
-
setUp()[source]¶ Setup for v3 Cloud Policy Sample Test Cases.
The following data is created:
- Three domains: domainA, domainB and admin_domain
- One project, which name is ‘project’
- domainA has three users: domain_admin_user, project_admin_user and
just_a_user:
- domain_admin_user has role ‘admin’ on domainA,
- project_admin_user has role ‘admin’ on the project,
- just_a_user has a non-admin role on both domainA and the project.
- admin_domain has admin_project, and user cloud_admin_user, with an ‘admin’ role on admin_project.
- domainA has two groups (group1, group2), domainB has one group (group3)
We test various api protection rules from the cloud sample policy file to make sure the sample is valid and that we correctly enforce it.
-
test_get_and_delete_ec2_credentials()[source]¶ Test getting and deleting ec2 credentials through the ec2 API.
-
test_user_management_normalized_keys()[source]¶ Illustrate the inconsistent handling of hyphens in keys.
To quote Morgan in bug 1526244:
the reason this is converted from “domain-id” to “domain_id” is because of how we process/normalize data. The way we have to handle specific data types for known columns requires avoiding “-” in the actual python code since “-” is not valid for attributes in python w/o significant use of “getattr” etc.
In short, historically we handle some things in conversions. The use of “extras” has long been a poor design choice that leads to odd/strange inconsistent behaviors because of other choices made in handling data from within the body. (In many cases we convert from “-” to “_” throughout openstack)
Source: https://bugs.launchpad.net/keystone/+bug/1526244/comments/9
-
keystone.tests.unit.test_v3_resource module¶
-
class
keystone.tests.unit.test_v3_resource.ResourceTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCase,keystone.tests.unit.test_v3.AssignmentTestMixinTest domains and projects.
-
test_create_domain_case_sensitivity()[source]¶ Call POST /domains` twice with upper() and lower() cased name.
-
test_create_domain_creates_is_domain_project()[source]¶ Check a project that acts as a domain is created.
Call
POST /domains.
-
test_create_is_domain_project_creates_domain()[source]¶ Call
POST /projectsis_domain and check a domain is created.
-
test_delete_domain()[source]¶ Call
DELETE /domains/{domain_id}.The sample data set up already has a user and project that is part of self.domain. Additionally we will create a group and a credential within it. Since the user we will authenticate with is in this domain, we create a another set of entities in a second domain. Deleting this second domain should delete all these new entities. In addition, all the entities in the regular self.domain should be unaffected by the delete.
Test Plan:
- Create domain2 and a 2nd set of entities
- Disable domain2
- Delete domain2
- Check entities in domain2 have been deleted
- Check entities in self.domain are unaffected
-
test_delete_domain_deletes_is_domain_project()[source]¶ Check the project that acts as a domain is deleted.
Call
DELETE /domains.
-
test_delete_project()[source]¶ Call
DELETE /projects/{project_id}.As well as making sure the delete succeeds, we ensure that any credentials that reference this projects are also deleted, while other credentials are unaffected.
-
test_forbid_operations_on_defined_federated_domain()[source]¶ Make sure one cannot operate on a user-defined federated domain.
This includes operations like create, update, delete.
-
test_forbid_operations_on_federated_domain()[source]¶ Make sure one cannot operate on federated domain.
This includes operations like create, update, delete on domain identified by id and name where difference variations of id ‘Federated’ are used.
-
test_get_project_with_parents_as_list_and_parents_as_ids()[source]¶ Attempt to list a project’s parents as both a list and as IDs.
This uses
GET /projects/{project_id}?parents_as_list&parents_as_idswhich should fail with a Bad Request due to the conflicting query strings.
-
test_get_project_with_parents_as_list_with_full_access()[source]¶ GET /projects/{project_id}?parents_as_listwith full access.Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on each one of those projects;
- Check that calling parents_as_list on ‘subproject’ returns both ‘project’ and ‘parent’.
-
test_get_project_with_parents_as_list_with_invalid_id()[source]¶ Call
GET /projects/{project_id}?parents_as_list.
-
test_get_project_with_parents_as_list_with_partial_access()[source]¶ GET /projects/{project_id}?parents_as_listwith partial access.Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on ‘parent’ and ‘subproject’;
- Check that calling parents_as_list on ‘subproject’ only returns ‘parent’.
-
test_get_project_with_subtree_as_ids()[source]¶ Call
GET /projects/{project_id}?subtree_as_ids.This test creates a more complex hierarchy to test if the structured dictionary returned by using the
subtree_as_idsquery param correctly represents the hierarchy.The hierarchy contains 5 projects with the following structure:
+--A--+ | | +--B--+ C | | D E
-
test_get_project_with_subtree_as_list_and_subtree_as_ids()[source]¶ Attempt to get a project subtree as both a list and as IDs.
This uses
GET /projects/{project_id}?subtree_as_list&subtree_as_idswhich should fail with a bad request due to the conflicting query strings.
-
test_get_project_with_subtree_as_list_with_full_access()[source]¶ GET /projects/{project_id}?subtree_as_listwith full access.Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on each one of those projects;
- Check that calling subtree_as_list on ‘parent’ returns both ‘parent’ and ‘subproject’.
-
test_get_project_with_subtree_as_list_with_invalid_id()[source]¶ Call
GET /projects/{project_id}?subtree_as_list.
-
test_get_project_with_subtree_as_list_with_partial_access()[source]¶ GET /projects/{project_id}?subtree_as_listwith partial access.Test plan:
- Create ‘parent’, ‘project’ and ‘subproject’ projects;
- Assign a user a role on ‘parent’ and ‘subproject’;
- Check that calling subtree_as_list on ‘parent’ returns ‘subproject’.
-
test_list_project_is_domain_filter_default()[source]¶ Default project list should not see projects acting as domains.
-
test_token_revoked_once_domain_disabled()[source]¶ Test token from a disabled domain has been invalidated.
Test that a token that was valid for an enabled domain becomes invalid once that domain is disabled.
-
test_update_domain_updates_is_domain_project()[source]¶ Check the project that acts as a domain is updated.
Call
PATCH /domains.
-
-
class
keystone.tests.unit.test_v3_resource.ResourceV3toV2MethodsTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseTest domain V3 to V2 conversion methods.
keystone.tests.unit.test_v3_trust module¶
-
class
keystone.tests.unit.test_v3_trust.TestTrustOperations(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.test_v3.RestfulTestCaseTest module for create, read, update and delete operations on trusts.
This module is specific to tests for trust CRUD operations. All other tests related to trusts that are authentication or authorization specific should live in the keystone/tests/unit/test_v3_auth.py module.
-
test_forbidden_trust_impersonation_in_redelegation()[source]¶ Test forbiddance of impersonation in trust redelegation.
Check that trustee not allowed to create a trust (with impersonation set to true) from a redelegated trust (with impersonation set to false)
-
keystone.tests.unit.test_validation module¶
-
class
keystone.tests.unit.test_validation.CredentialValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Credential API validation.
-
test_validate_credential_ec2_without_project_id_fails()[source]¶ Validate project_id is required for ec2.
Test that a SchemaValidationError is raised when type is ec2 and no project_id is provided in create request.
-
test_validate_credential_non_ec2_without_project_id_succeeds()[source]¶ Validate project_id is not required for non-ec2.
Test that create request without project_id succeeds for any non-ec2 credential.
-
test_validate_credential_update_succeeds()[source]¶ Test that a credential request is properly validated.
-
test_validate_credential_update_with_extra_parameters_succeeds()[source]¶ Validate credential update with extra parameters.
-
test_validate_credential_update_without_parameters_fails()[source]¶ Exception is raised on update without parameters.
-
test_validate_credential_with_extra_parameters_succeeds()[source]¶ Validate create request with extra parameters.
-
test_validate_credential_with_project_id_succeeds()[source]¶ Test that credential request works for all types.
-
test_validate_credential_without_blob_fails()[source]¶ Exception raised without blob in create request.
-
-
class
keystone.tests.unit.test_validation.DomainValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Domain API validation.
-
test_validate_domain_create_fails_with_invalid_name()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_domain_request_with_enabled()[source]¶ Validate enabled as boolean-like values for domains.
-
test_validate_domain_request_with_invalid_description_fails()[source]¶ Exception is raised when description is a non-string value.
-
test_validate_domain_request_with_invalid_enabled_fails()[source]¶ Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_domain_request_with_name_too_long()[source]¶ Exception is raised when name is too long.
-
test_validate_domain_request_with_valid_description()[source]¶ Test that we validate description in create domain requests.
-
test_validate_domain_request_without_name_fails()[source]¶ Make sure we raise an exception when name isn’t included.
-
test_validate_domain_update_fails_with_invalid_name()[source]¶ Exception when validating an update request with invalid name.
-
-
class
keystone.tests.unit.test_validation.EndpointGroupValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Endpoint Group API validation.
-
test_validate_create_endpoint_group_fails_with_invalid_filters()[source]¶ Validate invalid filters value in endpoint group parameters.
This test ensures that exception is raised when non-dict values is used as filters in endpoint group create request.
-
test_validate_endpoint_group_create_fails_without_filters()[source]¶ Exception raised when filters isn’t in endpoint group request.
-
test_validate_endpoint_group_create_fails_without_name()[source]¶ Exception raised when name isn’t in endpoint group request.
-
test_validate_endpoint_group_create_succeeds_with_req_parameters()[source]¶ Validate required endpoint group parameters.
This test ensure that validation succeeds with only the required parameters passed for creating an endpoint group.
-
test_validate_endpoint_group_create_succeeds_with_valid_filters()[source]¶ Validate filters in endpoint group create requests.
-
test_validate_endpoint_group_request_succeeds()[source]¶ Test that we validate an endpoint group request.
-
test_validate_endpoint_group_update_fails_with_invalid_filters()[source]¶ Exception raised when passing invalid filters in request.
-
test_validate_endpoint_group_update_fails_with_no_parameters()[source]¶ Exception raised when no parameters on endpoint group update.
-
test_validate_endpoint_group_update_request_succeeds()[source]¶ Test that we validate an endpoint group update request.
-
-
class
keystone.tests.unit.test_validation.EndpointValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Endpoint API validation.
-
test_validate_create_endpoint_fails_with_invalid_enabled()[source]¶ Exception raised when boolean-like values as enabled.
-
test_validate_endpoint_create_fails_with_invalid_interface()[source]¶ Exception raised with invalid interface.
-
test_validate_endpoint_create_fails_with_invalid_region_id()[source]¶ Exception raised when passing invalid region(_id) in request.
-
test_validate_endpoint_create_fails_with_invalid_url()[source]¶ Exception raised when passing invalid url in request.
-
test_validate_endpoint_create_fails_without_interface()[source]¶ Exception raised when interface isn’t in endpoint request.
-
test_validate_endpoint_create_fails_without_service_id()[source]¶ Exception raised when service_id isn’t in endpoint request.
-
test_validate_endpoint_create_fails_without_url()[source]¶ Exception raised when url isn’t in endpoint request.
-
test_validate_endpoint_create_succeeds_with_extra_parameters()[source]¶ Test that extra parameters pass validation on create endpoint.
-
test_validate_endpoint_create_succeeds_with_required_parameters()[source]¶ Validate an endpoint request with only the required parameters.
-
test_validate_endpoint_create_succeeds_with_url()[source]¶ Validate url attribute in endpoint create request.
-
test_validate_endpoint_create_succeeds_with_valid_enabled()[source]¶ Validate an endpoint with boolean values.
Validate boolean values as enabled in endpoint create requests.
-
test_validate_endpoint_update_fails_with_invalid_enabled()[source]¶ Exception raised when enabled is boolean-like value.
-
test_validate_endpoint_update_fails_with_invalid_interface()[source]¶ Exception raised when invalid interface on endpoint update.
-
test_validate_endpoint_update_fails_with_invalid_region_id()[source]¶ Exception raised when passing invalid region(_id) in request.
-
test_validate_endpoint_update_fails_with_invalid_url()[source]¶ Exception raised when passing invalid url in request.
-
test_validate_endpoint_update_fails_with_no_parameters()[source]¶ Exception raised when no parameters on endpoint update.
-
test_validate_endpoint_update_request_succeeds()[source]¶ Test that we validate an endpoint update request.
-
test_validate_endpoint_update_succeeds_with_extra_parameters()[source]¶ Test that extra parameters pass validation on update endpoint.
-
-
class
keystone.tests.unit.test_validation.EntityValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCase-
test_create_entity_with_all_valid_parameters_validates()[source]¶ Validate all parameter values against test schema.
-
test_create_entity_with_invalid_email_fails()[source]¶ Validate invalid email address.
Test that an exception is raised when validating improperly formatted email addresses.
-
test_create_entity_with_invalid_enabled_format_raises_exception()[source]¶ Validate invalid enabled formats.
Test that an exception is raised when passing invalid boolean-like values as enabled.
-
test_create_entity_with_invalid_id_strings()[source]¶ Exception raised when using invalid id strings.
-
test_create_entity_with_invalid_urls_fails()[source]¶ Test that an exception is raised when validating improper urls.
-
test_create_entity_with_name_too_long_raises_exception()[source]¶ Validate long names.
Validate that an exception is raised when validating a string of 255+ characters passed in as a name.
-
test_create_entity_with_name_too_short_raises_exception()[source]¶ Validate short names.
Test that an exception is raised when passing a string of length zero as a name parameter.
-
test_create_entity_with_null_id_string()[source]¶ Validate that None is an acceptable optional string type.
-
test_create_entity_with_null_string_succeeds()[source]¶ Exception raised when passing None on required id strings.
-
test_create_entity_with_only_required_valid_parameters_validates()[source]¶ Validate correct for only parameters values against test schema.
-
test_create_entity_with_unicode_name_validates()[source]¶ Test that we successfully validate a unicode string.
-
test_create_entity_with_valid_email_validates()[source]¶ Validate email address.
Test that we successfully validate properly formatted email addresses.
-
test_create_entity_with_valid_enabled_formats_validates()[source]¶ Validate valid enabled formats.
Test that we have successful validation on boolean values for enabled.
-
test_create_entity_with_valid_urls_validates()[source]¶ Test that proper urls are successfully validated.
-
test_update_entity_with_a_null_optional_parameter_validates()[source]¶ Optional parameters can be null to removed the value.
-
test_update_entity_with_a_required_null_parameter_fails()[source]¶ The name parameter can’t be null.
-
test_update_entity_with_a_valid_optional_parameter_validates()[source]¶ Succeed with only a single valid optional parameter.
-
test_update_entity_with_a_valid_required_parameter_validates()[source]¶ Succeed if a valid required parameter is provided.
-
test_update_entity_with_all_parameters_valid_validates()[source]¶ Simulate updating an entity by ID.
-
test_update_entity_with_invalid_optional_parameter_fails()[source]¶ Fail when an optional parameter is invalid.
-
-
class
keystone.tests.unit.test_validation.FederationProtocolValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Federation Protocol API validation.
-
test_validate_protocol_request_fails_with_invalid_mapping_id()[source]¶ Exception raised when mapping_id is not string.
-
test_validate_protocol_request_fails_with_invalid_params()[source]¶ Exception raised when unknown parameter is found.
-
test_validate_protocol_request_no_parameters()[source]¶ Test that schema validation with empty request body.
-
test_validate_protocol_request_succeeds()[source]¶ Test that we validate a protocol request successfully.
-
test_validate_protocol_request_succeeds_on_update()[source]¶ Test that we validate a protocol update request successfully.
-
test_validate_protocol_request_succeeds_with_nonuuid_mapping_id()[source]¶ Test that we allow underscore in mapping_id value.
-
test_validate_update_protocol_request_fails_with_invalid_id()[source]¶ Test that updating a protocol with a non-string mapping_id fail.
-
test_validate_update_protocol_request_fails_with_invalid_params()[source]¶ Exception raised when unknown parameter in protocol update.
-
-
class
keystone.tests.unit.test_validation.GroupValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Group API validation.
-
test_validate_group_create_fails_with_invalid_name()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_group_create_fails_without_group_name()[source]¶ Exception raised when group name is not provided in request.
-
test_validate_group_create_succeeds_with_all_parameters()[source]¶ Validate create group requests with all parameters.
-
test_validate_group_create_succeeds_with_extra_parameters()[source]¶ Validate extra attributes on group create requests.
-
test_validate_group_update_fails_with_invalid_name()[source]¶ Exception when validating an update request with invalid name.
-
-
class
keystone.tests.unit.test_validation.IdentityProviderValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Identity Provider API validation.
-
test_validate_idp_request_fails_with_invalid_params()[source]¶ Exception raised when unknown parameter is found.
-
test_validate_idp_request_no_parameters()[source]¶ Test that schema validation with empty request body.
-
test_validate_idp_request_remote_id_nullable()[source]¶ Test that remote_ids could be explicitly set to None.
-
test_validate_idp_request_with_duplicated_remote_id()[source]¶ Exception is raised when the duplicated remote_ids is found.
-
test_validate_idp_request_with_invalid_description_fails()[source]¶ Exception is raised when description as a non-string value.
-
-
class
keystone.tests.unit.test_validation.OAuth1ValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Identity OAuth1 API validation.
-
test_validate_consumer_request_succeeds()[source]¶ Test that we validate a consumer request successfully.
-
test_validate_consumer_request_with_invalid_description_fails()[source]¶ Exception is raised when description as a non-string value.
-
test_validate_consumer_request_with_no_parameters()[source]¶ Test that schema validation with empty request body.
-
-
class
keystone.tests.unit.test_validation.PolicyValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Policy API validation.
-
test_validate_policy_create_with_extra_parameters_succeeds()[source]¶ Validate policy create with extra parameters.
-
test_validate_policy_create_with_invalid_type_fails()[source]¶ Exception raised when blob and type are boolean.
-
test_validate_policy_update_with_extra_parameters_succeeds()[source]¶ Validate policy update request with extra parameters.
-
test_validate_policy_update_with_invalid_type_fails()[source]¶ Exception raised when invalid type on policy update.
-
-
class
keystone.tests.unit.test_validation.ProjectValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Project API validation.
-
test_validate_project_create_fails_with_invalid_name()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_project_create_request_with_valid_domain_id()[source]¶ Test that we validate domain_id in create project requests.
-
test_validate_project_request_with_enabled()[source]¶ Validate enabled as boolean-like values for projects.
-
test_validate_project_request_with_invalid_description_fails()[source]¶ Exception is raised when description as a non-string value.
-
test_validate_project_request_with_invalid_domain_id_fails()[source]¶ Exception is raised when domain_id is a non-id value.
-
test_validate_project_request_with_invalid_enabled_fails()[source]¶ Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_project_request_with_invalid_parent_id_fails()[source]¶ Exception is raised when parent_id as a non-id value.
-
test_validate_project_request_with_name_too_long()[source]¶ Exception is raised when name is too long.
-
test_validate_project_request_with_valid_description()[source]¶ Test that we validate description in create project requests.
-
test_validate_project_request_with_valid_parent_id()[source]¶ Test that we validate parent_id in create project requests.
-
test_validate_project_request_without_name_fails()[source]¶ Validate project request fails without name.
-
test_validate_project_update_fails_with_invalid_name()[source]¶ Exception when validating an update request with invalid name.
-
-
class
keystone.tests.unit.test_validation.RegionValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Region API validation.
-
test_validate_region_create_fails_with_invalid_region_id()[source]¶ Exception raised when passing invalid id in request.
-
test_validate_region_create_request_with_parameters()[source]¶ Test that we validate a region request with parameters.
-
test_validate_region_create_succeeds_with_extra_parameters()[source]¶ Validate create region request with extra values.
-
test_validate_region_create_succeeds_with_no_parameters()[source]¶ Validate create region request with no parameters.
-
test_validate_region_create_with_uuid()[source]¶ Test that we validate a region request with a UUID as the id.
-
-
class
keystone.tests.unit.test_validation.RoleValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Role API validation.
-
test_validate_role_create_fails_with_invalid_name()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_role_create_request_with_name_too_long_fails()[source]¶ Exception raised when creating a role with name too long.
-
test_validate_role_create_without_name_raises_exception()[source]¶ Test that we raise an exception when name isn’t included.
-
-
class
keystone.tests.unit.test_validation.ServiceProviderValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Service Provider API validation.
-
test_validate_sp_request_with_extra_field_fails()[source]¶ Exception raised when passing extra fields in the body.
-
test_validate_sp_request_with_invalid_auth_url_fails()[source]¶ Validate request fails with invalid auth_url.
-
test_validate_sp_request_with_invalid_description_fails()[source]¶ Exception is raised when description as a non-string value.
-
test_validate_sp_request_with_invalid_enabled_fails()[source]¶ Exception is raised when enabled isn’t a boolean-like value.
-
test_validate_sp_request_with_invalid_sp_url_fails()[source]¶ Validate request fails with invalid sp_url.
-
test_validate_sp_request_with_valid_description()[source]¶ Test that we validate description in create requests.
-
test_validate_sp_update_request_with_invalid_auth_url_fails()[source]¶ Exception raised when updating with invalid auth_url.
-
-
class
keystone.tests.unit.test_validation.ServiceValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Service API validation.
-
test_validate_service_create_fails_when_name_too_long()[source]¶ Exception raised when name is greater than 255 characters.
-
test_validate_service_create_fails_when_name_too_short()[source]¶ Exception is raised when name is too short.
-
test_validate_service_create_fails_when_type_too_long()[source]¶ Exception is raised when type is too long.
-
test_validate_service_create_fails_when_type_too_short()[source]¶ Exception is raised when type is too short.
-
test_validate_service_create_fails_with_invalid_enabled()[source]¶ Exception raised when boolean-like parameters as enabled.
On service create, make sure an exception is raised if enabled is not a boolean value.
-
test_validate_service_create_fails_without_type()[source]¶ Exception raised when trying to create a service without type.
-
test_validate_service_create_succeeds_with_extra_parameters()[source]¶ Test that extra parameters pass validation on create service.
-
test_validate_service_create_succeeds_with_required_parameters()[source]¶ Validate a service create request with the required parameters.
-
test_validate_service_create_succeeds_with_valid_enabled()[source]¶ Validate boolean values as enabled values on service create.
-
test_validate_service_update_fails_with_invalid_enabled()[source]¶ Exception raised when boolean-like values as enabled.
-
test_validate_service_update_fails_with_name_too_long()[source]¶ Exception is raised when name is too long on update.
-
test_validate_service_update_fails_with_name_too_short()[source]¶ Exception is raised when name is too short on update.
-
test_validate_service_update_fails_with_no_parameters()[source]¶ Exception raised when updating a service without values.
-
test_validate_service_update_fails_with_type_too_long()[source]¶ Exception is raised when type is too long on update.
-
test_validate_service_update_fails_with_type_too_short()[source]¶ Exception is raised when type is too short on update.
-
test_validate_service_update_request_succeeds()[source]¶ Test that we validate a service update request.
-
-
class
keystone.tests.unit.test_validation.TrustValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 Trust API validation.
-
test_validate_trust_with_all_parameters_succeeds()[source]¶ Test that we can validate a trust request with all parameters.
-
test_validate_trust_with_extra_parameters_succeeds()[source]¶ Test that we can validate a trust request with extra parameters.
-
test_validate_trust_with_invalid_expires_at_fails()[source]¶ Validate trust request with invalid expires_at fails.
-
test_validate_trust_with_invalid_impersonation_fails()[source]¶ Validate trust request with invalid impersonation fails.
-
test_validate_trust_with_invalid_role_type_fails()[source]¶ Validate trust request with invalid roles fails.
-
test_validate_trust_with_list_of_valid_roles_succeeds()[source]¶ Validate trust request with a list of valid roles.
-
test_validate_trust_with_null_remaining_uses_succeeds()[source]¶ Validate trust request with null remaining_uses.
-
test_validate_trust_with_period_in_user_id_string()[source]¶ Validate trust request with a period in the user id string.
-
test_validate_trust_with_remaining_uses_succeeds()[source]¶ Validate trust request with remaining_uses succeeds.
-
test_validate_trust_without_impersonation_fails()[source]¶ Validate trust request fails without impersonation.
-
-
class
keystone.tests.unit.test_validation.UserValidationTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.BaseTestCaseTest for V3 User API validation.
-
test_validate_user_create_fails_with_invalid_enabled_formats()[source]¶ Exception raised when enabled is not an acceptable format.
-
test_validate_user_create_fails_with_invalid_name()[source]¶ Exception when validating a create request with invalid name.
-
test_validate_user_create_fails_with_invalid_password_type()[source]¶ Exception raised when user password is of the wrong type.
-
test_validate_user_create_fails_without_name()[source]¶ Exception raised when validating a user without name.
-
test_validate_user_create_request_succeeds()[source]¶ Test that validating a user create request succeeds.
-
test_validate_user_create_succeeds_with_extra_attributes()[source]¶ Validate extra parameters on user create requests.
-
test_validate_user_create_succeeds_with_null_description()[source]¶ Validate that description can be nullable on create user.
-
test_validate_user_create_succeeds_with_null_password()[source]¶ Validate that password is nullable on create user.
-
test_validate_user_create_succeeds_with_password_of_zero_length()[source]¶ Validate empty password on user create requests.
-
test_validate_user_create_succeeds_with_valid_enabled_formats()[source]¶ Validate acceptable enabled formats in create user requests.
-
test_validate_user_create_with_all_valid_parameters_succeeds()[source]¶ Test that validating a user create request succeeds.
-
test_validate_user_update_fails_with_invalid_name()[source]¶ Exception when validating an update request with invalid name.
-
keystone.tests.unit.test_versions module¶
-
class
keystone.tests.unit.test_versions.VersionSingleAppTestCase(*args, **kwargs)[source]¶ Bases:
keystone.tests.unit.core.TestCaseTest running with a single application loaded.
These are important because when Keystone is running in Apache httpd there’s only one application loaded for each instance.
keystone.tests.unit.test_wsgi module¶
keystone.tests.unit.utils module¶
Useful utilities for tests.
-
keystone.tests.unit.utils.wip(message, expected_exception=<type 'exceptions.Exception'>, bug=None)[source]¶ Mark a test as work in progress.
Based on code by Nat Pryce: https://gist.github.com/npryce/997195#file-wip-py
The test will always be run. If the test fails then a TestSkipped exception is raised. If the test passes an AssertionError exception is raised so that the developer knows they made the test pass. This is a reminder to remove the decorator.
Parameters: - message – a string message to help clarify why the test is marked as a work in progress
- expected_exception – an exception class that will be checked for when @wip verifies an exception is raised. The test will fail if a different exception is raised. Default is “any” exception is valid
- bug – (optional) a string for tracking the bug and what bug should cause the @wip decorator to be removed from the testcase
- Usage:
>>> @wip('Expected Error', expected_exception=Exception, bug="#000000") >>> def test(): >>> pass