"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_credentials.py" (13 May 2020, 49130 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_credentials.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 from oslo_serialization import jsonutils
   17 
   18 from keystone.common.policies import base as bp
   19 from keystone.common import provider_api
   20 import keystone.conf
   21 from keystone.tests.common import auth as common_auth
   22 from keystone.tests import unit
   23 from keystone.tests.unit import base_classes
   24 from keystone.tests.unit import ksfixtures
   25 from keystone.tests.unit.ksfixtures import temporaryfile
   26 
   27 CONF = keystone.conf.CONF
   28 PROVIDERS = provider_api.ProviderAPIs
   29 
   30 
   31 class _UserCredentialTests(object):
   32     """Test cases for anyone that has a valid user token."""
   33 
   34     def test_user_can_create_credentials_for_themselves(self):
   35         create = {
   36             'credential': {
   37                 'blob': uuid.uuid4().hex,
   38                 'user_id': self.user_id,
   39                 'type': uuid.uuid4().hex
   40             }
   41         }
   42         with self.test_client() as c:
   43             c.post('/v3/credentials', json=create, headers=self.headers)
   44 
   45     def test_user_can_get_their_credentials(self):
   46         with self.test_client() as c:
   47             create = {
   48                 'credential': {
   49                     'blob': uuid.uuid4().hex,
   50                     'type': uuid.uuid4().hex,
   51                     'user_id': self.user_id
   52                 }
   53             }
   54             r = c.post('/v3/credentials', json=create, headers=self.headers)
   55             credential_id = r.json['credential']['id']
   56 
   57             path = '/v3/credentials/%s' % credential_id
   58             r = c.get(path, headers=self.headers)
   59             self.assertEqual(
   60                 self.user_id, r.json['credential']['user_id']
   61             )
   62 
   63     def test_user_can_list_their_credentials(self):
   64         with self.test_client() as c:
   65             expected = []
   66             for _ in range(2):
   67                 create = {
   68                     'credential': {
   69                         'blob': uuid.uuid4().hex,
   70                         'type': uuid.uuid4().hex,
   71                         'user_id': self.user_id
   72                     }
   73                 }
   74                 r = c.post(
   75                     '/v3/credentials', json=create, headers=self.headers
   76                 )
   77                 expected.append(r.json['credential'])
   78 
   79             r = c.get('/v3/credentials', headers=self.headers)
   80             for credential in expected:
   81                 self.assertIn(credential, r.json['credentials'])
   82 
   83     def test_user_can_filter_their_credentials_by_type_and_user(self):
   84         with self.test_client() as c:
   85             credential_type = uuid.uuid4().hex
   86             create = {
   87                 'credential': {
   88                     'blob': uuid.uuid4().hex,
   89                     'type': credential_type,
   90                     'user_id': self.user_id
   91                 }
   92             }
   93             r = c.post(
   94                 '/v3/credentials', json=create, headers=self.headers
   95             )
   96             expected_credential_id = r.json['credential']['id']
   97 
   98             create = {
   99                 'credential': {
  100                     'blob': uuid.uuid4().hex,
  101                     'type': uuid.uuid4().hex,
  102                     'user_id': self.user_id
  103                 }
  104             }
  105             r = c.post(
  106                 '/v3/credentials', json=create, headers=self.headers
  107             )
  108 
  109             path = '/v3/credentials?type=%s' % credential_type
  110             r = c.get(path, headers=self.headers)
  111             self.assertEqual(
  112                 expected_credential_id, r.json['credentials'][0]['id']
  113             )
  114 
  115             path = '/v3/credentials?user=%s' % self.user_id
  116             r = c.get(path, headers=self.headers)
  117             self.assertEqual(
  118                 expected_credential_id, r.json['credentials'][0]['id']
  119             )
  120 
  121     def test_user_can_update_their_credential(self):
  122         with self.test_client() as c:
  123             create = {
  124                 'credential': {
  125                     'blob': uuid.uuid4().hex,
  126                     'type': uuid.uuid4().hex,
  127                     'user_id': self.user_id
  128                 }
  129             }
  130 
  131             r = c.post('/v3/credentials', json=create, headers=self.headers)
  132             credential_id = r.json['credential']['id']
  133 
  134             updated_blob = uuid.uuid4().hex
  135             update = {'credential': {'blob': updated_blob}}
  136             path = '/v3/credentials/%s' % credential_id
  137             r = c.patch(path, json=update, headers=self.headers)
  138             self.assertEqual(updated_blob, r.json['credential']['blob'])
  139 
  140     def test_user_can_delete_their_credentials(self):
  141         with self.test_client() as c:
  142             create = {
  143                 'credential': {
  144                     'blob': uuid.uuid4().hex,
  145                     'type': uuid.uuid4().hex,
  146                     'user_id': self.user_id
  147                 }
  148             }
  149             r = c.post('/v3/credentials', json=create, headers=self.headers)
  150             credential_id = r.json['credential']['id']
  151 
  152             path = '/v3/credentials/%s' % credential_id
  153             c.delete(path, headers=self.headers)
  154 
  155 
  156 class _ProjectUsersTests(object):
  157     """Users who have project role authorization observe the same behavior."""
  158 
  159     def test_user_cannot_get_credentials_for_other_users(self):
  160         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  161         user_password = user['password']
  162         user = PROVIDERS.identity_api.create_user(user)
  163         project = unit.new_project_ref(
  164             domain_id=CONF.identity.default_domain_id
  165         )
  166         project = PROVIDERS.resource_api.create_project(project['id'], project)
  167         PROVIDERS.assignment_api.create_grant(
  168             self.bootstrapper.member_role_id, user_id=user['id'],
  169             project_id=project['id']
  170         )
  171         user_auth = self.build_authentication_request(
  172             user_id=user['id'], password=user_password,
  173             project_id=project['id']
  174         )
  175 
  176         with self.test_client() as c:
  177             r = c.post('/v3/auth/tokens', json=user_auth)
  178             token_id = r.headers['X-Subject-Token']
  179             headers = {'X-Auth-Token': token_id}
  180 
  181             create = {
  182                 'credential': {
  183                     'blob': uuid.uuid4().hex,
  184                     'type': uuid.uuid4().hex,
  185                     'user_id': user['id']
  186                 }
  187             }
  188             r = c.post('/v3/credentials', json=create, headers=headers)
  189             credential_id = r.json['credential']['id']
  190 
  191         with self.test_client() as c:
  192             path = '/v3/credentials/%s' % credential_id
  193             c.get(
  194                 path, headers=self.headers,
  195                 expected_status_code=http.client.FORBIDDEN
  196             )
  197 
  198     def test_user_cannot_get_non_existant_credential_forbidden(self):
  199         with self.test_client() as c:
  200             c.get(
  201                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
  202                 expected_status_code=http.client.FORBIDDEN
  203             )
  204 
  205     def test_user_cannot_list_credentials_for_other_users(self):
  206         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  207         user_password = user['password']
  208         user = PROVIDERS.identity_api.create_user(user)
  209         project = unit.new_project_ref(
  210             domain_id=CONF.identity.default_domain_id
  211         )
  212         project = PROVIDERS.resource_api.create_project(project['id'], project)
  213         PROVIDERS.assignment_api.create_grant(
  214             self.bootstrapper.member_role_id, user_id=user['id'],
  215             project_id=project['id']
  216         )
  217         user_auth = self.build_authentication_request(
  218             user_id=user['id'], password=user_password,
  219             project_id=project['id']
  220         )
  221 
  222         with self.test_client() as c:
  223             r = c.post('/v3/auth/tokens', json=user_auth)
  224             token_id = r.headers['X-Subject-Token']
  225             headers = {'X-Auth-Token': token_id}
  226 
  227             create = {
  228                 'credential': {
  229                     'blob': uuid.uuid4().hex,
  230                     'type': uuid.uuid4().hex,
  231                     'user_id': user['id']
  232                 }
  233             }
  234             c.post('/v3/credentials', json=create, headers=headers)
  235 
  236         with self.test_client() as c:
  237             path = '/v3/credentials?user_id=%s' % user['id']
  238             r = c.get(path, headers=self.headers)
  239             self.assertEqual([], r.json['credentials'])
  240 
  241     def test_user_cannot_filter_credentials_by_type_for_others(self):
  242         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  243         user_password = user['password']
  244         user = PROVIDERS.identity_api.create_user(user)
  245         project = unit.new_project_ref(
  246             domain_id=CONF.identity.default_domain_id
  247         )
  248         project = PROVIDERS.resource_api.create_project(project['id'], project)
  249         PROVIDERS.assignment_api.create_grant(
  250             self.bootstrapper.member_role_id, user_id=user['id'],
  251             project_id=project['id']
  252         )
  253         user_auth = self.build_authentication_request(
  254             user_id=user['id'], password=user_password,
  255             project_id=project['id']
  256         )
  257 
  258         credential_type = uuid.uuid4().hex
  259         with self.test_client() as c:
  260             r = c.post('/v3/auth/tokens', json=user_auth)
  261             token_id = r.headers['X-Subject-Token']
  262             headers = {'X-Auth-Token': token_id}
  263 
  264             create = {
  265                 'credential': {
  266                     'blob': uuid.uuid4().hex,
  267                     'type': credential_type,
  268                     'user_id': user['id']
  269                 }
  270             }
  271             c.post('/v3/credentials', json=create, headers=headers)
  272 
  273         with self.test_client() as c:
  274             path = '/v3/credentials?type=%s' % credential_type
  275             r = c.get(path, headers=self.headers)
  276             self.assertEqual(0, len(r.json['credentials']))
  277 
  278     def test_user_cannot_filter_credentials_by_user_for_others(self):
  279         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  280         user_password = user['password']
  281         user = PROVIDERS.identity_api.create_user(user)
  282         project = unit.new_project_ref(
  283             domain_id=CONF.identity.default_domain_id
  284         )
  285         project = PROVIDERS.resource_api.create_project(project['id'], project)
  286         PROVIDERS.assignment_api.create_grant(
  287             self.bootstrapper.member_role_id, user_id=user['id'],
  288             project_id=project['id']
  289         )
  290         user_auth = self.build_authentication_request(
  291             user_id=user['id'], password=user_password,
  292             project_id=project['id']
  293         )
  294 
  295         with self.test_client() as c:
  296             r = c.post('/v3/auth/tokens', json=user_auth)
  297             token_id = r.headers['X-Subject-Token']
  298             headers = {'X-Auth-Token': token_id}
  299 
  300             expected_cred_ids = []
  301             for _ in range(2):
  302                 create = {
  303                     'credential': {
  304                         'blob': uuid.uuid4().hex,
  305                         'type': uuid.uuid4().hex,
  306                         'user_id': user['id']
  307                     }
  308                 }
  309                 r = c.post('/v3/credentials', json=create, headers=headers)
  310                 expected_cred_ids.append(r.json['credential']['id'])
  311 
  312         with self.test_client() as c:
  313             path = '/v3/credentials?user_id=%s' % user['id']
  314             r = c.get(path, headers=self.headers)
  315             self.assertEqual([], r.json['credentials'])
  316 
  317     def test_user_cannot_update_credentials_for_others(self):
  318         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  319         user_password = user['password']
  320         user = PROVIDERS.identity_api.create_user(user)
  321         project = unit.new_project_ref(
  322             domain_id=CONF.identity.default_domain_id
  323         )
  324         project = PROVIDERS.resource_api.create_project(project['id'], project)
  325         PROVIDERS.assignment_api.create_grant(
  326             self.bootstrapper.member_role_id, user_id=user['id'],
  327             project_id=project['id']
  328         )
  329         user_auth = self.build_authentication_request(
  330             user_id=user['id'], password=user_password,
  331             project_id=project['id']
  332         )
  333 
  334         with self.test_client() as c:
  335             r = c.post('/v3/auth/tokens', json=user_auth)
  336             token_id = r.headers['X-Subject-Token']
  337             headers = {'X-Auth-Token': token_id}
  338 
  339             create = {
  340                 'credential': {
  341                     'blob': uuid.uuid4().hex,
  342                     'type': uuid.uuid4().hex,
  343                     'user_id': user['id']
  344                 }
  345             }
  346             r = c.post('/v3/credentials', json=create, headers=headers)
  347             credential_id = r.json['credential']['id']
  348 
  349         with self.test_client() as c:
  350             update = {'credential': {'blob': uuid.uuid4().hex}}
  351             path = '/v3/credentials/%s' % credential_id
  352             c.patch(
  353                 path, json=update, headers=self.headers,
  354                 expected_status_code=http.client.FORBIDDEN
  355             )
  356 
  357     def test_user_cannot_update_non_existant_credential_forbidden(self):
  358         with self.test_client() as c:
  359             update = {'credential': {'blob': uuid.uuid4().hex}}
  360 
  361             c.patch(
  362                 '/v3/credentials/%s' % uuid.uuid4().hex, json=update,
  363                 headers=self.headers,
  364                 expected_status_code=http.client.FORBIDDEN
  365             )
  366 
  367     def test_user_cannot_create_credentials_for_other_users(self):
  368         user = PROVIDERS.identity_api.create_user(
  369             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  370         )
  371 
  372         with self.test_client() as c:
  373             create = {
  374                 'credential': {
  375                     'blob': uuid.uuid4().hex,
  376                     'type': uuid.uuid4().hex,
  377                     'user_id': user['id']
  378                 }
  379             }
  380             c.post(
  381                 '/v3/credentials', json=create, headers=self.headers,
  382                 expected_status_code=http.client.FORBIDDEN
  383             )
  384 
  385     def test_user_cannot_delete_credentials_for_others(self):
  386         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  387         user_password = user['password']
  388         user = PROVIDERS.identity_api.create_user(user)
  389         project = unit.new_project_ref(
  390             domain_id=CONF.identity.default_domain_id
  391         )
  392         project = PROVIDERS.resource_api.create_project(project['id'], project)
  393         PROVIDERS.assignment_api.create_grant(
  394             self.bootstrapper.member_role_id, user_id=user['id'],
  395             project_id=project['id']
  396         )
  397         user_auth = self.build_authentication_request(
  398             user_id=user['id'], password=user_password,
  399             project_id=project['id']
  400         )
  401 
  402         with self.test_client() as c:
  403             r = c.post('/v3/auth/tokens', json=user_auth)
  404             token_id = r.headers['X-Subject-Token']
  405             headers = {'X-Auth-Token': token_id}
  406 
  407             create = {
  408                 'credential': {
  409                     'blob': uuid.uuid4().hex,
  410                     'type': uuid.uuid4().hex,
  411                     'user_id': user['id']
  412                 }
  413             }
  414             r = c.post('/v3/credentials', json=create, headers=headers)
  415             credential_id = r.json['credential']['id']
  416 
  417         with self.test_client() as c:
  418             path = '/v3/credentials/%s' % credential_id
  419             c.delete(
  420                 path, headers=self.headers,
  421                 expected_status_code=http.client.FORBIDDEN
  422             )
  423 
  424     def test_user_cannot_delete_non_existant_credential_forbidden(self):
  425         with self.test_client() as c:
  426             c.delete(
  427                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
  428                 expected_status_code=http.client.FORBIDDEN
  429             )
  430 
  431 
  432 class _SystemUserCredentialTests(object):
  433     """Tests that are common across all system users."""
  434 
  435     def test_user_can_list_credentials_for_other_users(self):
  436         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  437         user_password = user['password']
  438         user = PROVIDERS.identity_api.create_user(user)
  439         project = unit.new_project_ref(
  440             domain_id=CONF.identity.default_domain_id
  441         )
  442         project = PROVIDERS.resource_api.create_project(project['id'], project)
  443         PROVIDERS.assignment_api.create_grant(
  444             self.bootstrapper.member_role_id, user_id=user['id'],
  445             project_id=project['id']
  446         )
  447         user_auth = self.build_authentication_request(
  448             user_id=user['id'], password=user_password,
  449             project_id=project['id']
  450         )
  451 
  452         with self.test_client() as c:
  453             r = c.post('/v3/auth/tokens', json=user_auth)
  454             token_id = r.headers['X-Subject-Token']
  455             headers = {'X-Auth-Token': token_id}
  456 
  457             create = {
  458                 'credential': {
  459                     'blob': uuid.uuid4().hex,
  460                     'type': uuid.uuid4().hex,
  461                     'user_id': user['id']
  462                 }
  463             }
  464             r = c.post('/v3/credentials', json=create, headers=headers)
  465             credential_id = r.json['credential']['id']
  466 
  467         with self.test_client() as c:
  468             r = c.get('/v3/credentials', headers=self.headers)
  469             self.assertEqual(1, len(r.json['credentials']))
  470             self.assertEqual(credential_id, r.json['credentials'][0]['id'])
  471             self.assertEqual(user['id'], r.json['credentials'][0]['user_id'])
  472 
  473     def test_user_cannot_get_non_existant_credential_not_found(self):
  474         with self.test_client() as c:
  475             c.get(
  476                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
  477                 expected_status_code=http.client.NOT_FOUND
  478             )
  479 
  480     def test_user_can_filter_credentials_by_type_for_others(self):
  481         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  482         user_password = user['password']
  483         user = PROVIDERS.identity_api.create_user(user)
  484         project = unit.new_project_ref(
  485             domain_id=CONF.identity.default_domain_id
  486         )
  487         project = PROVIDERS.resource_api.create_project(project['id'], project)
  488         PROVIDERS.assignment_api.create_grant(
  489             self.bootstrapper.member_role_id, user_id=user['id'],
  490             project_id=project['id']
  491         )
  492         user_auth = self.build_authentication_request(
  493             user_id=user['id'], password=user_password,
  494             project_id=project['id']
  495         )
  496 
  497         credential_type = uuid.uuid4().hex
  498         with self.test_client() as c:
  499             r = c.post('/v3/auth/tokens', json=user_auth)
  500             token_id = r.headers['X-Subject-Token']
  501             headers = {'X-Auth-Token': token_id}
  502 
  503             create = {
  504                 'credential': {
  505                     'blob': uuid.uuid4().hex,
  506                     'type': credential_type,
  507                     'user_id': user['id']
  508                 }
  509             }
  510             r = c.post('/v3/credentials', json=create, headers=headers)
  511             credential_id = r.json['credential']['id']
  512 
  513             create = {
  514                 'credential': {
  515                     'blob': uuid.uuid4().hex,
  516                     'type': uuid.uuid4().hex,
  517                     'user_id': user['id']
  518                 }
  519             }
  520             c.post('/v3/credentials', json=create, headers=headers)
  521 
  522         with self.test_client() as c:
  523             path = '/v3/credentials?type=%s' % credential_type
  524             r = c.get(path, headers=self.headers)
  525             self.assertEqual(1, len(r.json['credentials']))
  526             self.assertEqual(credential_id, r.json['credentials'][0]['id'])
  527             self.assertEqual(user['id'], r.json['credentials'][0]['user_id'])
  528 
  529     def test_user_can_filter_credentials_by_user_for_others(self):
  530         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  531         user_password = user['password']
  532         user = PROVIDERS.identity_api.create_user(user)
  533         project = unit.new_project_ref(
  534             domain_id=CONF.identity.default_domain_id
  535         )
  536         project = PROVIDERS.resource_api.create_project(project['id'], project)
  537         PROVIDERS.assignment_api.create_grant(
  538             self.bootstrapper.member_role_id, user_id=user['id'],
  539             project_id=project['id']
  540         )
  541         user_auth = self.build_authentication_request(
  542             user_id=user['id'], password=user_password,
  543             project_id=project['id']
  544         )
  545 
  546         with self.test_client() as c:
  547             r = c.post('/v3/auth/tokens', json=user_auth)
  548             token_id = r.headers['X-Subject-Token']
  549             headers = {'X-Auth-Token': token_id}
  550 
  551             expected_cred_ids = []
  552             for _ in range(2):
  553                 create = {
  554                     'credential': {
  555                         'blob': uuid.uuid4().hex,
  556                         'type': uuid.uuid4().hex,
  557                         'user_id': user['id']
  558                     }
  559                 }
  560                 r = c.post('/v3/credentials', json=create, headers=headers)
  561                 expected_cred_ids.append(r.json['credential']['id'])
  562 
  563         with self.test_client() as c:
  564             path = '/v3/credentials?user_id=%s' % user['id']
  565             r = c.get(path, headers=self.headers)
  566             self.assertEqual(2, len(r.json['credentials']))
  567             for credential in r.json['credentials']:
  568                 self.assertIn(credential['id'], expected_cred_ids)
  569                 self.assertEqual(user['id'], credential['user_id'])
  570 
  571 
  572 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  573                         common_auth.AuthTestMixin,
  574                         _UserCredentialTests,
  575                         _SystemUserCredentialTests):
  576 
  577     def setUp(self):
  578         super(SystemReaderTests, self).setUp()
  579         self.loadapp()
  580         self.useFixture(ksfixtures.Policy(self.config_fixture))
  581         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  582 
  583         system_reader = unit.new_user_ref(
  584             domain_id=CONF.identity.default_domain_id
  585         )
  586         self.user_id = PROVIDERS.identity_api.create_user(
  587             system_reader
  588         )['id']
  589         PROVIDERS.assignment_api.create_system_grant_for_user(
  590             self.user_id, self.bootstrapper.reader_role_id
  591         )
  592 
  593         auth = self.build_authentication_request(
  594             user_id=self.user_id, password=system_reader['password'],
  595             system=True
  596         )
  597 
  598         # Grab a token using the persona we're testing and prepare headers
  599         # for requests we'll be making in the tests.
  600         with self.test_client() as c:
  601             r = c.post('/v3/auth/tokens', json=auth)
  602             self.token_id = r.headers['X-Subject-Token']
  603             self.headers = {'X-Auth-Token': self.token_id}
  604 
  605     def test_user_cannot_create_credentials_for_other_users(self):
  606         user = PROVIDERS.identity_api.create_user(
  607             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  608         )
  609 
  610         with self.test_client() as c:
  611             create = {
  612                 'credential': {
  613                     'blob': uuid.uuid4().hex,
  614                     'type': uuid.uuid4().hex,
  615                     'user_id': user['id']
  616                 }
  617             }
  618             c.post(
  619                 '/v3/credentials', json=create, headers=self.headers,
  620                 expected_status_code=http.client.FORBIDDEN
  621             )
  622 
  623     def test_user_cannot_update_credentials_for_others(self):
  624         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  625         user_password = user['password']
  626         user = PROVIDERS.identity_api.create_user(user)
  627         project = unit.new_project_ref(
  628             domain_id=CONF.identity.default_domain_id
  629         )
  630         project = PROVIDERS.resource_api.create_project(project['id'], project)
  631         PROVIDERS.assignment_api.create_grant(
  632             self.bootstrapper.member_role_id, user_id=user['id'],
  633             project_id=project['id']
  634         )
  635         user_auth = self.build_authentication_request(
  636             user_id=user['id'], password=user_password,
  637             project_id=project['id']
  638         )
  639 
  640         with self.test_client() as c:
  641             r = c.post('/v3/auth/tokens', json=user_auth)
  642             token_id = r.headers['X-Subject-Token']
  643             headers = {'X-Auth-Token': token_id}
  644 
  645             create = {
  646                 'credential': {
  647                     'blob': uuid.uuid4().hex,
  648                     'type': uuid.uuid4().hex,
  649                     'user_id': user['id']
  650                 }
  651             }
  652             r = c.post('/v3/credentials', json=create, headers=headers)
  653             credential_id = r.json['credential']['id']
  654 
  655         with self.test_client() as c:
  656             update = {'credential': {'blob': uuid.uuid4().hex}}
  657             path = '/v3/credentials/%s' % credential_id
  658             c.patch(
  659                 path, json=update, headers=self.headers,
  660                 expected_status_code=http.client.FORBIDDEN
  661             )
  662 
  663     def test_user_cannot_update_non_existant_credential_forbidden(self):
  664         with self.test_client() as c:
  665             update = {'credential': {'blob': uuid.uuid4().hex}}
  666 
  667             c.patch(
  668                 '/v3/credentials/%s' % uuid.uuid4().hex, json=update,
  669                 headers=self.headers,
  670                 expected_status_code=http.client.FORBIDDEN
  671             )
  672 
  673     def test_user_cannot_delete_credentials_for_others(self):
  674         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  675         user_password = user['password']
  676         user = PROVIDERS.identity_api.create_user(user)
  677         project = unit.new_project_ref(
  678             domain_id=CONF.identity.default_domain_id
  679         )
  680         project = PROVIDERS.resource_api.create_project(project['id'], project)
  681         PROVIDERS.assignment_api.create_grant(
  682             self.bootstrapper.member_role_id, user_id=user['id'],
  683             project_id=project['id']
  684         )
  685         user_auth = self.build_authentication_request(
  686             user_id=user['id'], password=user_password,
  687             project_id=project['id']
  688         )
  689 
  690         with self.test_client() as c:
  691             r = c.post('/v3/auth/tokens', json=user_auth)
  692             token_id = r.headers['X-Subject-Token']
  693             headers = {'X-Auth-Token': token_id}
  694 
  695             create = {
  696                 'credential': {
  697                     'blob': uuid.uuid4().hex,
  698                     'type': uuid.uuid4().hex,
  699                     'user_id': user['id']
  700                 }
  701             }
  702             r = c.post('/v3/credentials', json=create, headers=headers)
  703             credential_id = r.json['credential']['id']
  704 
  705         with self.test_client() as c:
  706             path = '/v3/credentials/%s' % credential_id
  707             c.delete(
  708                 path, headers=self.headers,
  709                 expected_status_code=http.client.FORBIDDEN
  710             )
  711 
  712     def test_user_cannot_delete_non_existant_credential_forbidden(self):
  713         with self.test_client() as c:
  714             c.delete(
  715                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
  716                 expected_status_code=http.client.FORBIDDEN
  717             )
  718 
  719 
  720 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
  721                         common_auth.AuthTestMixin,
  722                         _UserCredentialTests,
  723                         _SystemUserCredentialTests):
  724 
  725     def setUp(self):
  726         super(SystemMemberTests, self).setUp()
  727         self.loadapp()
  728         self.useFixture(ksfixtures.Policy(self.config_fixture))
  729         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  730 
  731         system_member = unit.new_user_ref(
  732             domain_id=CONF.identity.default_domain_id
  733         )
  734         self.user_id = PROVIDERS.identity_api.create_user(
  735             system_member
  736         )['id']
  737         PROVIDERS.assignment_api.create_system_grant_for_user(
  738             self.user_id, self.bootstrapper.member_role_id
  739         )
  740 
  741         auth = self.build_authentication_request(
  742             user_id=self.user_id, password=system_member['password'],
  743             system=True
  744         )
  745 
  746         # Grab a token using the persona we're testing and prepare headers
  747         # for requests we'll be making in the tests.
  748         with self.test_client() as c:
  749             r = c.post('/v3/auth/tokens', json=auth)
  750             self.token_id = r.headers['X-Subject-Token']
  751             self.headers = {'X-Auth-Token': self.token_id}
  752 
  753     def test_user_cannot_create_credentials_for_other_users(self):
  754         user = PROVIDERS.identity_api.create_user(
  755             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  756         )
  757 
  758         with self.test_client() as c:
  759             create = {
  760                 'credential': {
  761                     'blob': uuid.uuid4().hex,
  762                     'type': uuid.uuid4().hex,
  763                     'user_id': user['id']
  764                 }
  765             }
  766             c.post(
  767                 '/v3/credentials', json=create, headers=self.headers,
  768                 expected_status_code=http.client.FORBIDDEN
  769             )
  770 
  771     def test_user_cannot_update_credentials_for_others(self):
  772         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  773         user_password = user['password']
  774         user = PROVIDERS.identity_api.create_user(user)
  775         project = unit.new_project_ref(
  776             domain_id=CONF.identity.default_domain_id
  777         )
  778         project = PROVIDERS.resource_api.create_project(project['id'], project)
  779         PROVIDERS.assignment_api.create_grant(
  780             self.bootstrapper.member_role_id, user_id=user['id'],
  781             project_id=project['id']
  782         )
  783         user_auth = self.build_authentication_request(
  784             user_id=user['id'], password=user_password,
  785             project_id=project['id']
  786         )
  787 
  788         with self.test_client() as c:
  789             r = c.post('/v3/auth/tokens', json=user_auth)
  790             token_id = r.headers['X-Subject-Token']
  791             headers = {'X-Auth-Token': token_id}
  792 
  793             create = {
  794                 'credential': {
  795                     'blob': uuid.uuid4().hex,
  796                     'type': uuid.uuid4().hex,
  797                     'user_id': user['id']
  798                 }
  799             }
  800             r = c.post('/v3/credentials', json=create, headers=headers)
  801             credential_id = r.json['credential']['id']
  802 
  803         with self.test_client() as c:
  804             update = {'credential': {'blob': uuid.uuid4().hex}}
  805             path = '/v3/credentials/%s' % credential_id
  806             c.patch(
  807                 path, json=update, headers=self.headers,
  808                 expected_status_code=http.client.FORBIDDEN
  809             )
  810 
  811     def test_user_cannot_update_non_existant_credential_forbidden(self):
  812         with self.test_client() as c:
  813             update = {'credential': {'blob': uuid.uuid4().hex}}
  814 
  815             c.patch(
  816                 '/v3/credentials/%s' % uuid.uuid4().hex, json=update,
  817                 headers=self.headers,
  818                 expected_status_code=http.client.FORBIDDEN
  819             )
  820 
  821     def test_user_cannot_delete_credentials_for_others(self):
  822         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  823         user_password = user['password']
  824         user = PROVIDERS.identity_api.create_user(user)
  825         project = unit.new_project_ref(
  826             domain_id=CONF.identity.default_domain_id
  827         )
  828         project = PROVIDERS.resource_api.create_project(project['id'], project)
  829         PROVIDERS.assignment_api.create_grant(
  830             self.bootstrapper.member_role_id, user_id=user['id'],
  831             project_id=project['id']
  832         )
  833         user_auth = self.build_authentication_request(
  834             user_id=user['id'], password=user_password,
  835             project_id=project['id']
  836         )
  837 
  838         with self.test_client() as c:
  839             r = c.post('/v3/auth/tokens', json=user_auth)
  840             token_id = r.headers['X-Subject-Token']
  841             headers = {'X-Auth-Token': token_id}
  842 
  843             create = {
  844                 'credential': {
  845                     'blob': uuid.uuid4().hex,
  846                     'type': uuid.uuid4().hex,
  847                     'user_id': user['id']
  848                 }
  849             }
  850             r = c.post('/v3/credentials', json=create, headers=headers)
  851             credential_id = r.json['credential']['id']
  852 
  853         with self.test_client() as c:
  854             path = '/v3/credentials/%s' % credential_id
  855             c.delete(
  856                 path, headers=self.headers,
  857                 expected_status_code=http.client.FORBIDDEN
  858             )
  859 
  860     def test_user_cannot_delete_non_existant_credential_forbidden(self):
  861         with self.test_client() as c:
  862             c.delete(
  863                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
  864                 expected_status_code=http.client.FORBIDDEN
  865             )
  866 
  867 
  868 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
  869                        common_auth.AuthTestMixin,
  870                        _UserCredentialTests,
  871                        _SystemUserCredentialTests):
  872 
  873     def setUp(self):
  874         super(SystemAdminTests, self).setUp()
  875         self.loadapp()
  876         self.useFixture(ksfixtures.Policy(self.config_fixture))
  877         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  878 
  879         # Reuse the system administrator account created during
  880         # ``keystone-manage bootstrap``
  881         self.user_id = self.bootstrapper.admin_user_id
  882         auth = self.build_authentication_request(
  883             user_id=self.user_id,
  884             password=self.bootstrapper.admin_password,
  885             system=True
  886         )
  887 
  888         # Grab a token using the persona we're testing and prepare headers
  889         # for requests we'll be making in the tests.
  890         with self.test_client() as c:
  891             r = c.post('/v3/auth/tokens', json=auth)
  892             self.token_id = r.headers['X-Subject-Token']
  893             self.headers = {'X-Auth-Token': self.token_id}
  894 
  895     def test_user_can_create_credentials_for_other_users(self):
  896         user = PROVIDERS.identity_api.create_user(
  897             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  898         )
  899 
  900         with self.test_client() as c:
  901             create = {
  902                 'credential': {
  903                     'blob': uuid.uuid4().hex,
  904                     'type': uuid.uuid4().hex,
  905                     'user_id': user['id']
  906                 }
  907             }
  908             c.post('/v3/credentials', json=create, headers=self.headers)
  909 
  910     def test_user_can_update_credentials_for_others(self):
  911         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  912         user_password = user['password']
  913         user = PROVIDERS.identity_api.create_user(user)
  914         project = unit.new_project_ref(
  915             domain_id=CONF.identity.default_domain_id
  916         )
  917         project = PROVIDERS.resource_api.create_project(project['id'], project)
  918         PROVIDERS.assignment_api.create_grant(
  919             self.bootstrapper.member_role_id, user_id=user['id'],
  920             project_id=project['id']
  921         )
  922         user_auth = self.build_authentication_request(
  923             user_id=user['id'], password=user_password,
  924             project_id=project['id']
  925         )
  926 
  927         with self.test_client() as c:
  928             r = c.post('/v3/auth/tokens', json=user_auth)
  929             token_id = r.headers['X-Subject-Token']
  930             headers = {'X-Auth-Token': token_id}
  931 
  932             create = {
  933                 'credential': {
  934                     'blob': uuid.uuid4().hex,
  935                     'type': uuid.uuid4().hex,
  936                     'user_id': user['id']
  937                 }
  938             }
  939             r = c.post('/v3/credentials', json=create, headers=headers)
  940             credential_id = r.json['credential']['id']
  941 
  942         with self.test_client() as c:
  943             path = '/v3/credentials/%s' % credential_id
  944             updated_blob = uuid.uuid4().hex
  945             update = {'credential': {'blob': updated_blob}}
  946             r = c.patch(path, json=update, headers=self.headers)
  947             self.assertEqual(updated_blob, r.json['credential']['blob'])
  948             self.assertEqual(user['id'], r.json['credential']['user_id'])
  949 
  950     def test_user_cannot_update_non_existant_credential_not_found(self):
  951         with self.test_client() as c:
  952             update = {'credential': {'blob': uuid.uuid4().hex}}
  953 
  954             c.patch(
  955                 '/v3/credentials/%s' % uuid.uuid4().hex, json=update,
  956                 headers=self.headers,
  957                 expected_status_code=http.client.NOT_FOUND
  958             )
  959 
  960     def test_user_can_delete_credentials_for_others(self):
  961         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  962         user_password = user['password']
  963         user = PROVIDERS.identity_api.create_user(user)
  964         project = unit.new_project_ref(
  965             domain_id=CONF.identity.default_domain_id
  966         )
  967         project = PROVIDERS.resource_api.create_project(project['id'], project)
  968         PROVIDERS.assignment_api.create_grant(
  969             self.bootstrapper.member_role_id, user_id=user['id'],
  970             project_id=project['id']
  971         )
  972         user_auth = self.build_authentication_request(
  973             user_id=user['id'], password=user_password,
  974             project_id=project['id']
  975         )
  976 
  977         with self.test_client() as c:
  978             r = c.post('/v3/auth/tokens', json=user_auth)
  979             token_id = r.headers['X-Subject-Token']
  980             headers = {'X-Auth-Token': token_id}
  981 
  982             create = {
  983                 'credential': {
  984                     'blob': uuid.uuid4().hex,
  985                     'type': uuid.uuid4().hex,
  986                     'user_id': user['id']
  987                 }
  988             }
  989             r = c.post('/v3/credentials', json=create, headers=headers)
  990             credential_id = r.json['credential']['id']
  991 
  992         with self.test_client() as c:
  993             path = '/v3/credentials/%s' % credential_id
  994             c.delete(path, headers=self.headers)
  995 
  996     def test_user_cannot_delete_non_existant_credential_not_found(self):
  997         with self.test_client() as c:
  998             c.delete(
  999                 '/v3/credentials/%s' % uuid.uuid4().hex, headers=self.headers,
 1000                 expected_status_code=http.client.NOT_FOUND
 1001             )
 1002 
 1003 
 1004 class ProjectReaderTests(base_classes.TestCaseWithBootstrap,
 1005                          common_auth.AuthTestMixin,
 1006                          _UserCredentialTests,
 1007                          _ProjectUsersTests):
 1008 
 1009     def setUp(self):
 1010         super(ProjectReaderTests, self).setUp()
 1011         self.loadapp()
 1012         self.useFixture(ksfixtures.Policy(self.config_fixture))
 1013         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 1014 
 1015         project_reader = unit.new_user_ref(
 1016             domain_id=CONF.identity.default_domain_id
 1017         )
 1018         self.user_id = PROVIDERS.identity_api.create_user(
 1019             project_reader
 1020         )['id']
 1021         project = unit.new_project_ref(
 1022             domain_id=CONF.identity.default_domain_id
 1023         )
 1024         self.project_id = PROVIDERS.resource_api.create_project(
 1025             project['id'], project
 1026         )['id']
 1027         PROVIDERS.assignment_api.create_grant(
 1028             self.bootstrapper.reader_role_id, user_id=self.user_id,
 1029             project_id=self.project_id
 1030         )
 1031 
 1032         auth = self.build_authentication_request(
 1033             user_id=self.user_id,
 1034             password=project_reader['password'],
 1035             project_id=self.project_id
 1036         )
 1037 
 1038         # Grab a token using the persona we're testing and prepare headers
 1039         # for requests we'll be making in the tests.
 1040         with self.test_client() as c:
 1041             r = c.post('/v3/auth/tokens', json=auth)
 1042             self.token_id = r.headers['X-Subject-Token']
 1043             self.headers = {'X-Auth-Token': self.token_id}
 1044 
 1045 
 1046 class ProjectMemberTests(base_classes.TestCaseWithBootstrap,
 1047                          common_auth.AuthTestMixin,
 1048                          _UserCredentialTests,
 1049                          _ProjectUsersTests):
 1050 
 1051     def setUp(self):
 1052         super(ProjectMemberTests, self).setUp()
 1053         self.loadapp()
 1054         self.useFixture(ksfixtures.Policy(self.config_fixture))
 1055         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 1056 
 1057         project_member = unit.new_user_ref(
 1058             domain_id=CONF.identity.default_domain_id
 1059         )
 1060         self.user_id = PROVIDERS.identity_api.create_user(
 1061             project_member
 1062         )['id']
 1063         project = unit.new_project_ref(
 1064             domain_id=CONF.identity.default_domain_id
 1065         )
 1066         self.project_id = PROVIDERS.resource_api.create_project(
 1067             project['id'], project
 1068         )['id']
 1069         PROVIDERS.assignment_api.create_grant(
 1070             self.bootstrapper.member_role_id, user_id=self.user_id,
 1071             project_id=self.project_id
 1072         )
 1073 
 1074         auth = self.build_authentication_request(
 1075             user_id=self.user_id,
 1076             password=project_member['password'],
 1077             project_id=self.project_id
 1078         )
 1079 
 1080         # Grab a token using the persona we're testing and prepare headers
 1081         # for requests we'll be making in the tests.
 1082         with self.test_client() as c:
 1083             r = c.post('/v3/auth/tokens', json=auth)
 1084             self.token_id = r.headers['X-Subject-Token']
 1085             self.headers = {'X-Auth-Token': self.token_id}
 1086 
 1087 
 1088 class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
 1089                         common_auth.AuthTestMixin,
 1090                         _UserCredentialTests,
 1091                         _ProjectUsersTests):
 1092 
 1093     def setUp(self):
 1094         super(ProjectAdminTests, self).setUp()
 1095         self.loadapp()
 1096 
 1097         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
 1098         self.policy_file_name = self.policy_file.file_name
 1099         self.useFixture(
 1100             ksfixtures.Policy(
 1101                 self.config_fixture, policy_file=self.policy_file_name
 1102             )
 1103         )
 1104         self._override_policy()
 1105         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 1106 
 1107         # Reuse the system administrator account created during
 1108         # ``keystone-manage bootstrap``
 1109         self.user_id = self.bootstrapper.admin_user_id
 1110         auth = self.build_authentication_request(
 1111             user_id=self.user_id,
 1112             password=self.bootstrapper.admin_password,
 1113             project_id=self.bootstrapper.project_id
 1114         )
 1115 
 1116         # Grab a token using the persona we're testing and prepare headers
 1117         # for requests we'll be making in the tests.
 1118         with self.test_client() as c:
 1119             r = c.post('/v3/auth/tokens', json=auth)
 1120             self.token_id = r.headers['X-Subject-Token']
 1121             self.headers = {'X-Auth-Token': self.token_id}
 1122 
 1123     def _override_policy(self):
 1124         # TODO(lbragstad): Remove this once the deprecated policies in
 1125         # keystone.common.policies.credentials have been removed. This is only
 1126         # here to make sure we test the new policies instead of the deprecated
 1127         # ones. Oslo.policy will OR deprecated policies with new policies to
 1128         # maintain compatibility and give operators a chance to update
 1129         # permissions or update policies without breaking users. This will
 1130         # cause these specific tests to fail since we're trying to correct this
 1131         # broken behavior with better scope checking.
 1132         with open(self.policy_file_name, 'w') as f:
 1133             overridden_policies = {
 1134                 'identity:get_credential': bp.SYSTEM_READER_OR_CRED_OWNER,
 1135                 'identity:list_credentials': bp.SYSTEM_READER_OR_CRED_OWNER,
 1136                 'identity:create_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
 1137                 'identity:update_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER,
 1138                 'identity:delete_credential': bp.SYSTEM_ADMIN_OR_CRED_OWNER
 1139             }
 1140             f.write(jsonutils.dumps(overridden_policies))
 1141 
 1142 
 1143 class ProjectReaderTestsEnforceScopeFalse(base_classes.TestCaseWithBootstrap,
 1144                                           common_auth.AuthTestMixin,
 1145                                           _UserCredentialTests,
 1146                                           _ProjectUsersTests):
 1147 
 1148     def setUp(self):
 1149         super(ProjectReaderTestsEnforceScopeFalse, self).setUp()
 1150         self.loadapp()
 1151         self.useFixture(ksfixtures.Policy(self.config_fixture))
 1152         self.config_fixture.config(group='oslo_policy', enforce_scope=False)
 1153 
 1154         project_reader = unit.new_user_ref(
 1155             domain_id=CONF.identity.default_domain_id
 1156         )
 1157         self.user_id = PROVIDERS.identity_api.create_user(
 1158             project_reader
 1159         )['id']
 1160         project = unit.new_project_ref(
 1161             domain_id=CONF.identity.default_domain_id
 1162         )
 1163         self.project_id = PROVIDERS.resource_api.create_project(
 1164             project['id'], project
 1165         )['id']
 1166         PROVIDERS.assignment_api.create_grant(
 1167             self.bootstrapper.reader_role_id, user_id=self.user_id,
 1168             project_id=self.project_id
 1169         )
 1170 
 1171         auth = self.build_authentication_request(
 1172             user_id=self.user_id,
 1173             password=project_reader['password'],
 1174             project_id=self.project_id
 1175         )
 1176 
 1177         # Grab a token using the persona we're testing and prepare headers
 1178         # for requests we'll be making in the tests.
 1179         with self.test_client() as c:
 1180             r = c.post('/v3/auth/tokens', json=auth)
 1181             self.token_id = r.headers['X-Subject-Token']
 1182             self.headers = {'X-Auth-Token': self.token_id}
 1183 
 1184 
 1185 class ProjectMemberTestsEnforceScopeFalse(base_classes.TestCaseWithBootstrap,
 1186                                           common_auth.AuthTestMixin,
 1187                                           _UserCredentialTests,
 1188                                           _ProjectUsersTests):
 1189 
 1190     def setUp(self):
 1191         super(ProjectMemberTestsEnforceScopeFalse, self).setUp()
 1192         self.loadapp()
 1193         self.useFixture(ksfixtures.Policy(self.config_fixture))
 1194         self.config_fixture.config(group='oslo_policy', enforce_scope=False)
 1195 
 1196         project_member = unit.new_user_ref(
 1197             domain_id=CONF.identity.default_domain_id
 1198         )
 1199         self.user_id = PROVIDERS.identity_api.create_user(
 1200             project_member
 1201         )['id']
 1202         project = unit.new_project_ref(
 1203             domain_id=CONF.identity.default_domain_id
 1204         )
 1205         self.project_id = PROVIDERS.resource_api.create_project(
 1206             project['id'], project
 1207         )['id']
 1208         PROVIDERS.assignment_api.create_grant(
 1209             self.bootstrapper.member_role_id, user_id=self.user_id,
 1210             project_id=self.project_id
 1211         )
 1212 
 1213         auth = self.build_authentication_request(
 1214             user_id=self.user_id,
 1215             password=project_member['password'],
 1216             project_id=self.project_id
 1217         )
 1218 
 1219         # Grab a token using the persona we're testing and prepare headers
 1220         # for requests we'll be making in the tests.
 1221         with self.test_client() as c:
 1222             r = c.post('/v3/auth/tokens', json=auth)
 1223             self.token_id = r.headers['X-Subject-Token']
 1224             self.headers = {'X-Auth-Token': self.token_id}
 1225 
 1226 
 1227 class ProjectAdminTestsEnforceScopeFalse(base_classes.TestCaseWithBootstrap,
 1228                                          common_auth.AuthTestMixin,
 1229                                          _UserCredentialTests,
 1230                                          _SystemUserCredentialTests):
 1231 
 1232     def setUp(self):
 1233         super(ProjectAdminTestsEnforceScopeFalse, self).setUp()
 1234         self.loadapp()
 1235         self.useFixture(ksfixtures.Policy(self.config_fixture))
 1236         self.config_fixture.config(group='oslo_policy', enforce_scope=False)
 1237 
 1238         # Reuse the system administrator account created during
 1239         # ``keystone-manage bootstrap``
 1240         self.user_id = self.bootstrapper.admin_user_id
 1241         auth = self.build_authentication_request(
 1242             user_id=self.user_id,
 1243             password=self.bootstrapper.admin_password,
 1244             project_id=self.bootstrapper.project_id
 1245         )
 1246 
 1247         # Grab a token using the persona we're testing and prepare headers
 1248         # for requests we'll be making in the tests.
 1249         with self.test_client() as c:
 1250             r = c.post('/v3/auth/tokens', json=auth)
 1251             self.token_id = r.headers['X-Subject-Token']
 1252             self.headers = {'X-Auth-Token': self.token_id}