"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/unit/test_v3_trust.py" (13 May 2020, 24200 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_v3_trust.py": 16.0.1_vs_17.0.0.

    1 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 # not use this file except in compliance with the License. You may obtain
    3 # a copy of the License at
    4 #
    5 #      http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 # Unless required by applicable law or agreed to in writing, software
    8 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 # License for the specific language governing permissions and limitations
   11 # under the License.
   12 
   13 import datetime
   14 import uuid
   15 
   16 import http.client
   17 
   18 from keystone.common import provider_api
   19 import keystone.conf
   20 from keystone import exception
   21 from keystone.tests import unit
   22 from keystone.tests.unit import test_v3
   23 
   24 CONF = keystone.conf.CONF
   25 PROVIDERS = provider_api.ProviderAPIs
   26 
   27 
   28 class TestTrustOperations(test_v3.RestfulTestCase):
   29     """Test module for create, read, update and delete operations on trusts.
   30 
   31     This module is specific to tests for trust CRUD operations. All other tests
   32     related to trusts that are authentication or authorization specific should
   33     live in the keystone/tests/unit/test_v3_auth.py module.
   34 
   35     """
   36 
   37     def setUp(self):
   38         super(TestTrustOperations, self).setUp()
   39         # create a trustee to delegate stuff to
   40         self.trustee_user = unit.create_user(PROVIDERS.identity_api,
   41                                              domain_id=self.domain_id)
   42         self.trustee_user_id = self.trustee_user['id']
   43 
   44     def test_create_trust_bad_request(self):
   45         # The server returns a 403 Forbidden rather than a 400 Bad Request, see
   46         # bug 1133435
   47         self.post('/OS-TRUST/trusts', body={'trust': {}},
   48                   expected_status=http.client.FORBIDDEN)
   49 
   50     def test_create_trust_with_invalid_expiration_fails(self):
   51         # create a new trust
   52         ref = unit.new_trust_ref(
   53             trustor_user_id=self.user_id,
   54             trustee_user_id=self.trustee_user_id,
   55             project_id=self.project_id,
   56             role_ids=[self.role_id])
   57 
   58         ref['expires_at'] = 'bad'
   59         self.post(
   60             '/OS-TRUST/trusts',
   61             body={'trust': ref},
   62             expected_status=http.client.BAD_REQUEST
   63         )
   64 
   65         ref['expires_at'] = ''
   66         self.post(
   67             '/OS-TRUST/trusts',
   68             body={'trust': ref},
   69             expected_status=http.client.BAD_REQUEST
   70         )
   71 
   72         ref['expires_at'] = 'Z'
   73         self.post(
   74             '/OS-TRUST/trusts',
   75             body={'trust': ref},
   76             expected_status=http.client.BAD_REQUEST
   77         )
   78 
   79     def test_trusts_do_not_implement_updates(self):
   80         with self.test_client() as c:
   81             # create a new trust
   82             token = self.get_scoped_token()
   83             ref = unit.new_trust_ref(
   84                 trustor_user_id=self.user_id,
   85                 trustee_user_id=self.trustee_user_id,
   86                 project_id=self.project_id,
   87                 role_ids=[self.role_id])
   88             r = c.post('/v3/OS-TRUST/trusts',
   89                        json={'trust': ref},
   90                        headers={'X-Auth-Token': token})
   91             trust_id = r.json['trust']['id']
   92             c.patch(
   93                 '/v3/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust_id},
   94                 json={'trust': ref},
   95                 headers={'X-Auth-Token': token},
   96                 expected_status_code=http.client.METHOD_NOT_ALLOWED)
   97             c.put(
   98                 '/v3/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust_id},
   99                 json={'trust': ref},
  100                 headers={'X-Auth-Token': token},
  101                 expected_status_code=http.client.METHOD_NOT_ALLOWED)
  102 
  103     def test_trust_crud(self):
  104         # create a new trust
  105         ref = unit.new_trust_ref(
  106             trustor_user_id=self.user_id,
  107             trustee_user_id=self.trustee_user_id,
  108             project_id=self.project_id,
  109             role_ids=[self.role_id])
  110         r = self.post('/OS-TRUST/trusts', body={'trust': ref})
  111         trust = self.assertValidTrustResponse(r, ref)
  112 
  113         # get the trust
  114         r = self.get(
  115             '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
  116         self.assertValidTrustResponse(r, ref)
  117 
  118         # validate roles on the trust
  119         r = self.get(
  120             '/OS-TRUST/trusts/%(trust_id)s/roles' % {
  121                 'trust_id': trust['id']})
  122         roles = self.assertValidRoleListResponse(r, self.role)
  123         self.assertIn(self.role['id'], [x['id'] for x in roles])
  124         self.head(
  125             '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
  126                 'trust_id': trust['id'],
  127                 'role_id': self.role['id']},
  128             expected_status=http.client.OK)
  129         r = self.get(
  130             '/OS-TRUST/trusts/%(trust_id)s/roles/%(role_id)s' % {
  131                 'trust_id': trust['id'],
  132                 'role_id': self.role['id']})
  133         self.assertValidRoleResponse(r, self.role)
  134 
  135         # list all trusts
  136         r = self.get('/OS-TRUST/trusts')
  137         self.assertValidTrustListResponse(r, trust)
  138 
  139         # delete the trust
  140         self.delete(
  141             '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']})
  142 
  143         # ensure the trust is not found
  144         self.get(
  145             '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
  146             expected_status=http.client.NOT_FOUND)
  147 
  148     def test_list_trusts(self):
  149         # create three trusts with the same trustor and trustee
  150         ref = unit.new_trust_ref(
  151             trustor_user_id=self.user_id,
  152             trustee_user_id=self.trustee_user_id,
  153             project_id=self.project_id,
  154             impersonation=False,
  155             expires=dict(minutes=1),
  156             role_ids=[self.role_id])
  157         for i in range(3):
  158             ref['expires_at'] = datetime.datetime.utcnow().replace(
  159                 year=2032).strftime(unit.TIME_FORMAT)
  160             r = self.post('/OS-TRUST/trusts', body={'trust': ref})
  161             self.assertValidTrustResponse(r, ref)
  162 
  163         # list all trusts
  164         list_url = '/OS-TRUST/trusts'
  165         r = self.get(list_url)
  166         self.head(list_url, expected_status=http.client.OK)
  167         trusts = r.result['trusts']
  168         self.assertEqual(3, len(trusts))
  169         self.assertValidTrustListResponse(r)
  170 
  171         # list all trusts for the trustor
  172         list_for_trustor_url = (
  173             '/OS-TRUST/trusts?trustor_user_id=%s' % self.user_id
  174         )
  175         r = self.get(list_for_trustor_url)
  176         self.head(list_for_trustor_url, expected_status=http.client.OK)
  177         trusts = r.result['trusts']
  178         self.assertEqual(3, len(trusts))
  179         self.assertValidTrustListResponse(r)
  180 
  181         # list all trusts as the trustor as the trustee.
  182         list_as_trustor_url = (
  183             '/OS-TRUST/trusts?trustee_user_id=%s' % self.user_id
  184         )
  185         r = self.get(list_as_trustor_url)
  186         self.head(list_as_trustor_url, expected_status=http.client.OK)
  187         trusts = r.result['trusts']
  188         self.assertEqual(0, len(trusts))
  189 
  190         # list all trusts as the trustee is forbidden
  191         list_all_as_trustee_url = (
  192             '/OS-TRUST/trusts?trustee_user_id=%s' % self.trustee_user_id
  193         )
  194         r = self.get(
  195             list_all_as_trustee_url,
  196             expected_status=http.client.FORBIDDEN
  197         )
  198         self.head(
  199             list_all_as_trustee_url,
  200             expected_status=http.client.FORBIDDEN
  201         )
  202 
  203     def test_create_trust_with_expiration_in_the_past_fails(self):
  204         ref = unit.new_trust_ref(
  205             trustor_user_id=self.user_id,
  206             trustee_user_id=self.trustee_user_id,
  207             project_id=self.project_id,
  208             impersonation=False,
  209             expires='2010-06-04T08:44:31.999999Z',
  210             role_ids=[self.role_id]
  211         )
  212 
  213         self.post(
  214             '/OS-TRUST/trusts',
  215             body={'trust': ref},
  216             expected_status=http.client.BAD_REQUEST
  217         )
  218 
  219     def test_delete_trust(self):
  220         # create a trust
  221         ref = unit.new_trust_ref(
  222             trustor_user_id=self.user_id,
  223             trustee_user_id=self.trustee_user_id,
  224             project_id=self.project_id,
  225             impersonation=False,
  226             expires=dict(minutes=1),
  227             role_ids=[self.role_id])
  228         r = self.post('/OS-TRUST/trusts', body={'trust': ref})
  229         trust = self.assertValidTrustResponse(r, ref)
  230 
  231         # delete the trust
  232         self.delete('/OS-TRUST/trusts/%(trust_id)s' % {
  233             'trust_id': trust['id']})
  234 
  235         # ensure the trust isn't found
  236         self.get('/OS-TRUST/trusts/%(trust_id)s' % {
  237             'trust_id': trust['id']},
  238             expected_status=http.client.NOT_FOUND)
  239 
  240     def test_create_trust_without_trustee_returns_bad_request(self):
  241         ref = unit.new_trust_ref(
  242             trustor_user_id=self.user_id,
  243             trustee_user_id=self.trustee_user_id,
  244             project_id=self.project_id,
  245             role_ids=[self.role_id])
  246 
  247         # trustee_user_id is required to create a trust
  248         del ref['trustee_user_id']
  249 
  250         self.post('/OS-TRUST/trusts',
  251                   body={'trust': ref},
  252                   expected_status=http.client.BAD_REQUEST)
  253 
  254     def test_create_trust_without_impersonation_returns_bad_request(self):
  255         ref = unit.new_trust_ref(
  256             trustor_user_id=self.user_id,
  257             trustee_user_id=self.trustee_user_id,
  258             project_id=self.project_id,
  259             role_ids=[self.role_id])
  260 
  261         # impersonation is required to create a trust
  262         del ref['impersonation']
  263 
  264         self.post('/OS-TRUST/trusts',
  265                   body={'trust': ref},
  266                   expected_status=http.client.BAD_REQUEST)
  267 
  268     def test_create_trust_with_bad_remaining_uses_returns_bad_request(self):
  269         # negative numbers, strings, non-integers, and 0 are not value values
  270         for value in [-1, 0, "a bad value", 7.2]:
  271             ref = unit.new_trust_ref(
  272                 trustor_user_id=self.user_id,
  273                 trustee_user_id=self.trustee_user_id,
  274                 project_id=self.project_id,
  275                 remaining_uses=value,
  276                 role_ids=[self.role_id])
  277             self.post('/OS-TRUST/trusts',
  278                       body={'trust': ref},
  279                       expected_status=http.client.BAD_REQUEST)
  280 
  281     def test_create_trust_with_non_existant_trustee_returns_not_found(self):
  282         ref = unit.new_trust_ref(
  283             trustor_user_id=self.user_id,
  284             trustee_user_id=uuid.uuid4().hex,
  285             project_id=self.project_id,
  286             role_ids=[self.role_id])
  287         self.post('/OS-TRUST/trusts', body={'trust': ref},
  288                   expected_status=http.client.NOT_FOUND)
  289 
  290     def test_create_trust_with_trustee_as_trustor_returns_forbidden(self):
  291         ref = unit.new_trust_ref(
  292             trustor_user_id=self.trustee_user_id,
  293             trustee_user_id=self.user_id,
  294             project_id=self.project_id,
  295             role_ids=[self.role_id])
  296         # NOTE(lbragstad): This fails because the user making the request isn't
  297         # the trustor defined in the request.
  298         self.post('/OS-TRUST/trusts', body={'trust': ref},
  299                   expected_status=http.client.FORBIDDEN)
  300 
  301     def test_create_trust_with_non_existant_project_returns_not_found(self):
  302         ref = unit.new_trust_ref(
  303             trustor_user_id=self.user_id,
  304             trustee_user_id=self.trustee_user_id,
  305             project_id=uuid.uuid4().hex,
  306             role_ids=[self.role_id])
  307         self.post('/OS-TRUST/trusts', body={'trust': ref},
  308                   expected_status=http.client.NOT_FOUND)
  309 
  310     def test_create_trust_with_non_existant_role_id_returns_not_found(self):
  311         ref = unit.new_trust_ref(
  312             trustor_user_id=self.user_id,
  313             trustee_user_id=self.trustee_user_id,
  314             project_id=self.project_id,
  315             role_ids=[uuid.uuid4().hex])
  316         self.post('/OS-TRUST/trusts', body={'trust': ref},
  317                   expected_status=http.client.NOT_FOUND)
  318 
  319     def test_create_trust_with_extra_attributes_fails(self):
  320         ref = unit.new_trust_ref(trustor_user_id=self.user_id,
  321                                  trustee_user_id=self.trustee_user_id,
  322                                  project_id=self.project_id,
  323                                  role_ids=[self.role_id])
  324         ref['roles'].append({'fake_key': 'fake_value'})
  325 
  326         self.post('/OS-TRUST/trusts', body={'trust': ref},
  327                   expected_status=http.client.BAD_REQUEST)
  328 
  329     def test_create_trust_with_non_existant_role_name_returns_not_found(self):
  330         ref = unit.new_trust_ref(
  331             trustor_user_id=self.user_id,
  332             trustee_user_id=self.trustee_user_id,
  333             project_id=self.project_id,
  334             role_names=[uuid.uuid4().hex])
  335         self.post('/OS-TRUST/trusts', body={'trust': ref},
  336                   expected_status=http.client.NOT_FOUND)
  337 
  338     def test_create_trust_with_role_name_ambiguous_returns_bad_request(self):
  339         # Create second role with the same name
  340         role_ref = unit.new_role_ref(name=self.role['name'],
  341                                      domain_id=uuid.uuid4().hex)
  342         self.post('/roles', body={'role': role_ref})
  343 
  344         ref = unit.new_trust_ref(
  345             trustor_user_id=self.user_id,
  346             trustee_user_id=self.trustee_user_id,
  347             project_id=self.project_id,
  348             role_names=[self.role['name']]
  349         )
  350         self.post('/OS-TRUST/trusts', body={'trust': ref},
  351                   expected_status=http.client.BAD_REQUEST)
  352 
  353     def test_exercise_trust_scoped_token_without_impersonation(self):
  354         # create a new trust
  355         ref = unit.new_trust_ref(
  356             trustor_user_id=self.user_id,
  357             trustee_user_id=self.trustee_user_id,
  358             project_id=self.project_id,
  359             impersonation=False,
  360             expires=dict(minutes=1),
  361             role_ids=[self.role_id])
  362         resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
  363         trust = self.assertValidTrustResponse(resp)
  364 
  365         # get a trust-scoped token as the trustee
  366         auth_data = self.build_authentication_request(
  367             user_id=self.trustee_user['id'],
  368             password=self.trustee_user['password'],
  369             trust_id=trust['id'])
  370         resp = self.v3_create_token(auth_data)
  371         resp_body = resp.json_body['token']
  372 
  373         self.assertValidProjectScopedTokenResponse(resp,
  374                                                    self.trustee_user)
  375         self.assertEqual(self.trustee_user['id'], resp_body['user']['id'])
  376         self.assertEqual(self.trustee_user['name'], resp_body['user']['name'])
  377         self.assertEqual(self.domain['id'], resp_body['user']['domain']['id'])
  378         self.assertEqual(self.domain['name'],
  379                          resp_body['user']['domain']['name'])
  380         self.assertEqual(self.project['id'], resp_body['project']['id'])
  381         self.assertEqual(self.project['name'], resp_body['project']['name'])
  382 
  383     def test_exercise_trust_scoped_token_with_impersonation(self):
  384         # create a new trust
  385         ref = unit.new_trust_ref(
  386             trustor_user_id=self.user_id,
  387             trustee_user_id=self.trustee_user_id,
  388             project_id=self.project_id,
  389             impersonation=True,
  390             expires=dict(minutes=1),
  391             role_ids=[self.role_id])
  392         resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
  393         trust = self.assertValidTrustResponse(resp)
  394 
  395         # get a trust-scoped token as the trustee
  396         auth_data = self.build_authentication_request(
  397             user_id=self.trustee_user['id'],
  398             password=self.trustee_user['password'],
  399             trust_id=trust['id'])
  400         resp = self.v3_create_token(auth_data)
  401         resp_body = resp.json_body['token']
  402 
  403         self.assertValidProjectScopedTokenResponse(resp, self.user)
  404         self.assertEqual(self.user['id'], resp_body['user']['id'])
  405         self.assertEqual(self.user['name'], resp_body['user']['name'])
  406         self.assertEqual(self.domain['id'], resp_body['user']['domain']['id'])
  407         self.assertEqual(self.domain['name'],
  408                          resp_body['user']['domain']['name'])
  409         self.assertEqual(self.project['id'], resp_body['project']['id'])
  410         self.assertEqual(self.project['name'], resp_body['project']['name'])
  411 
  412     def test_forbidden_trust_impersonation_in_redelegation(self):
  413         """Test forbiddance of impersonation in trust redelegation.
  414 
  415         Check that trustee not allowed to create a trust (with impersonation
  416         set to true) from a redelegated trust (with impersonation set to false)
  417         """
  418         # create trust
  419         ref = unit.new_trust_ref(
  420             trustor_user_id=self.user_id,
  421             trustee_user_id=self.trustee_user_id,
  422             project_id=self.project_id,
  423             impersonation=False,
  424             role_ids=[self.role_id],
  425             allow_redelegation=True)
  426         resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
  427 
  428         trust = self.assertValidTrustResponse(resp)
  429 
  430         auth_data = self.build_authentication_request(
  431             user_id=self.trustee_user_id,
  432             password=self.trustee_user['password'],
  433             trust_id=trust['id'])
  434         resp = self.v3_create_token(auth_data)
  435 
  436         # create third-party user, which will be trustee in trust created from
  437         # redelegated trust
  438         third_party_trustee = unit.create_user(PROVIDERS.identity_api,
  439                                                domain_id=self.domain_id)
  440         third_party_trustee_id = third_party_trustee['id']
  441 
  442         # create trust from redelegated trust
  443         ref = unit.new_trust_ref(
  444             trustor_user_id=self.trustee_user_id,
  445             trustee_user_id=third_party_trustee_id,
  446             project_id=self.project_id,
  447             impersonation=True,
  448             role_ids=[self.role_id])
  449         ref['redelegated_trust_id'] = trust['id']
  450         self.admin_request(path='/v3/OS-TRUST/trusts',
  451                            body={'trust': ref},
  452                            token=resp.headers.get('X-Subject-Token'),
  453                            method='POST',
  454                            expected_status=http.client.FORBIDDEN)
  455 
  456     def test_trust_deleted_when_user_deleted(self):
  457         # create trust
  458         ref = unit.new_trust_ref(
  459             trustor_user_id=self.user_id,
  460             trustee_user_id=self.trustee_user_id,
  461             project_id=self.project_id,
  462             impersonation=False,
  463             role_ids=[self.role_id],
  464             allow_redelegation=True)
  465         resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
  466 
  467         trust = self.assertValidTrustResponse(resp)
  468 
  469         # list all trusts
  470         r = self.get('/OS-TRUST/trusts')
  471         self.assertEqual(1, len(r.result['trusts']))
  472 
  473         # delete the trustee will delete the trust
  474         self.delete(
  475             '/users/%(user_id)s' % {'user_id': trust['trustee_user_id']})
  476 
  477         self.get(
  478             '/OS-TRUST/trusts/%(trust_id)s' % {'trust_id': trust['id']},
  479             expected_status=http.client.NOT_FOUND)
  480 
  481         # create another user as the new trustee
  482         trustee_user = unit.create_user(PROVIDERS.identity_api,
  483                                         domain_id=self.domain_id)
  484         trustee_user_id = trustee_user['id']
  485         # create the trust again
  486         ref['trustee_user_id'] = trustee_user_id
  487         resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
  488 
  489         trust = self.assertValidTrustResponse(resp)
  490         r = self.get('/OS-TRUST/trusts')
  491         self.assertEqual(1, len(r.result['trusts']))
  492 
  493         # delete the trustor will delete the trust
  494         self.delete(
  495             '/users/%(user_id)s' % {'user_id': trust['trustor_user_id']})
  496 
  497         # call the backend method directly to bypass authentication since the
  498         # user has been deleted.
  499         self.assertRaises(exception.TrustNotFound,
  500                           PROVIDERS.trust_api.get_trust,
  501                           trust['id'])
  502 
  503     def test_trust_deleted_when_project_deleted(self):
  504         # create trust
  505         ref = unit.new_trust_ref(
  506             trustor_user_id=self.user_id,
  507             trustee_user_id=self.trustee_user_id,
  508             project_id=self.project_id,
  509             impersonation=False,
  510             role_ids=[self.role_id],
  511             allow_redelegation=True)
  512         resp = self.post('/OS-TRUST/trusts', body={'trust': ref})
  513 
  514         trust = self.assertValidTrustResponse(resp)
  515 
  516         # list all trusts
  517         r = self.get('/OS-TRUST/trusts')
  518         self.assertEqual(1, len(r.result['trusts']))
  519 
  520         # delete the project will delete the trust.
  521         self.delete(
  522             '/projects/%(project_id)s' % {'project_id': trust['project_id']})
  523 
  524         # call the backend method directly to bypass authentication since the
  525         # user no longer has the assignment on the project.
  526         self.assertRaises(exception.TrustNotFound,
  527                           PROVIDERS.trust_api.get_trust,
  528                           trust['id'])
  529 
  530 
  531 class TrustsWithApplicationCredentials(test_v3.RestfulTestCase):
  532 
  533     def setUp(self):
  534         super(TrustsWithApplicationCredentials, self).setUp()
  535         self.trustee_user = unit.create_user(PROVIDERS.identity_api,
  536                                              domain_id=self.domain_id)
  537         self.trustee_user_id = self.trustee_user['id']
  538 
  539     def config_overrides(self):
  540         super(TrustsWithApplicationCredentials, self).config_overrides()
  541         self.config_fixture.config(group='auth',
  542                                    methods='password,application_credential')
  543 
  544     def test_create_trust_with_application_credential(self):
  545         app_cred = {
  546             'id': uuid.uuid4().hex,
  547             'user_id': self.user_id,
  548             'project_id': self.project_id,
  549             'name': uuid.uuid4().hex,
  550             'roles': [{'id': self.role_id}],
  551             'secret': uuid.uuid4().hex
  552         }
  553         app_cred_api = PROVIDERS.application_credential_api
  554         app_cred_api.create_application_credential(app_cred)
  555         auth_data = self.build_authentication_request(
  556             app_cred_id=app_cred['id'], secret=app_cred['secret'])
  557         token_data = self.v3_create_token(auth_data,
  558                                           expected_status=http.client.CREATED)
  559         trust_body = unit.new_trust_ref(trustor_user_id=self.user_id,
  560                                         trustee_user_id=self.trustee_user_id,
  561                                         project_id=self.project_id,
  562                                         role_ids=[self.role_id])
  563         self.post(
  564             path='/OS-TRUST/trusts',
  565             body={'trust': trust_body},
  566             token=token_data.headers['x-subject-token'],
  567             expected_status=http.client.FORBIDDEN)
  568 
  569     def test_delete_trust_with_application_credential(self):
  570         ref = unit.new_trust_ref(
  571             trustor_user_id=self.user_id,
  572             trustee_user_id=self.trustee_user_id,
  573             project_id=self.project_id,
  574             impersonation=False,
  575             expires=dict(minutes=1),
  576             role_ids=[self.role_id])
  577         r = self.post('/OS-TRUST/trusts', body={'trust': ref})
  578         trust = self.assertValidTrustResponse(r, ref)
  579 
  580         app_cred = {
  581             'id': uuid.uuid4().hex,
  582             'user_id': self.user_id,
  583             'project_id': self.project_id,
  584             'name': uuid.uuid4().hex,
  585             'roles': [{'id': self.role_id}],
  586             'secret': uuid.uuid4().hex
  587         }
  588         app_cred_api = PROVIDERS.application_credential_api
  589         app_cred_api.create_application_credential(app_cred)
  590         auth_data = self.build_authentication_request(
  591             app_cred_id=app_cred['id'], secret=app_cred['secret'])
  592         token_data = self.v3_create_token(auth_data,
  593                                           expected_status=http.client.CREATED)
  594         # delete the trust
  595         self.delete(path='/OS-TRUST/trusts/%(trust_id)s' % {
  596             'trust_id': trust['id']},
  597             token=token_data.headers['x-subject-token'],
  598             expected_status=http.client.FORBIDDEN)