Add test for authentication when project and domain name clash

Now that we store domains as a top level project, it is allowable to have a project name within than domain to clash with the domain name itself. This patch adds tests to ensure we can get a project scoped token to such a project, but not to the project acting as a domain. Change-Id: Ib7151633b3a09ab85daba85b0f9853f8c76b1cbf
chendave · Apr 27, 2016 · 37afc8e · 37afc8e
1 parent 5cd8356
commit 37afc8e
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/keystone/tests/unit/test_v3_auth.py b/keystone/tests/unit/test_v3_auth.py
@@ -3543,6 +3543,47 @@ def test_authenticate_fails_to_project_if_domain_unsafe(self):
         self.v3_create_token(auth_data,
                              expected_status=http_client.UNAUTHORIZED)
 
+    def test_project_scope_if_domain_and_project_name_clash(self):
+        """Authenticate to a project with the same name as its domain."""
+        domain = unit.new_project_ref(is_domain=True)
+        domain = self.resource_api.create_project(domain['id'], domain)
+        project = unit.new_project_ref(domain_id=domain['id'],
+                                       name=domain['name'])
+        self.resource_api.create_project(project['id'], project)
+        role_member = unit.new_role_ref()
+        self.role_api.create_role(role_member['id'], role_member)
+        self.assignment_api.add_role_to_user_and_project(
+            self.user['id'], project['id'], role_member['id'])
+
+        auth_data = self.build_authentication_request(
+            user_id=self.user['id'],
+            password=self.user['password'],
+            project_name=project['name'],
+            project_domain_name=domain['name'])
+
+        r = self.v3_create_token(auth_data)
+        self.assertEqual(project['id'], r.result['token']['project']['id'])
+
+    def test_project_scope_fails_if_domain_name_only_matches_request(self):
+        """Authenticate fails to a project when only domain name matches."""
+        domain = unit.new_project_ref(is_domain=True)
+        domain = self.resource_api.create_project(domain['id'], domain)
+        role_member = unit.new_role_ref()
+        self.role_api.create_role(role_member['id'], role_member)
+        self.assignment_api.create_grant(
+            role_member['id'],
+            user_id=self.user['id'],
+            domain_id=domain['id'])
+
+        auth_data = self.build_authentication_request(
+            user_id=self.user['id'],
+            password=self.user['password'],
+            project_name=domain['name'],
+            project_domain_name=domain['name'])
+
+        self.v3_create_token(auth_data,
+                             expected_status=http_client.UNAUTHORIZED)
+
 
 class TestAuthJSONExternal(test_v3.RestfulTestCase):
     content_type = 'json'