Add CRUD support for application credentials

Add support for creating, retrieving, and deleting application
credentials. Application credentials do not support updates.

In order to provide a positive user experience for the `--role` option,
this patch also includes an improvement to the
`identity.common._get_token_resource()` function that allows it to
introspect the roles list within a token. This way there is no need to
make a request to keystone to retrieve a role object, which would fail
most of the time anyway due to keystone's default policy prohibiting
unprivileged users from retrieving roles.

bp application-credentials

Change-Id: I29e03b72acd931305cbdac5a9ff666854d05c6d7

1 files changed, 143 insertions, 0 deletions

diff --git a/openstackclient/tests/functional/identity/v3/test_application_credential.py b/openstackclient/tests/functional/identity/v3/test_application_credential.py
new file mode 100644
index 00000000..daf64607
--- /dev/null
+++ b/openstackclient/tests/functional/identity/v3/test_application_credential.py
@@ -0,0 +1,143 @@
+#    Copyright 2018 SUSE Linux GmbH
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import datetime
+
+from tempest.lib.common.utils import data_utils
+
+from openstackclient.tests.functional.identity.v3 import common
+
+
+class ApplicationCredentialTests(common.IdentityTests):
+
+    APPLICATION_CREDENTIAL_FIELDS = ['id', 'name', 'project_id',
+                                     'description', 'roles', 'expires_at',
+                                     'unrestricted']
+    APPLICATION_CREDENTIAL_LIST_HEADERS = ['ID', 'Name', 'Project ID',
+                                           'Description', 'Expires At']
+
+    def test_application_credential_create(self):
+        name = data_utils.rand_name('name')
+        raw_output = self.openstack('application credential create %(name)s'
+                                    % {'name': name})
+        self.addCleanup(
+            self.openstack,
+            'application credential delete %(name)s' % {'name': name})
+        items = self.parse_show(raw_output)
+        self.assert_show_fields(items, self.APPLICATION_CREDENTIAL_FIELDS)
+
+    def _create_role_assignments(self):
+        try:
+            user = self.openstack('configuration show -f value'
+                                  ' -c auth.username')
+        except Exception:
+            user = self.openstack('configuration show -f value'
+                                  ' -c auth.user_id')
+        try:
+            user_domain = self.openstack('configuration show -f value'
+                                         ' -c auth.user_domain_name')
+        except Exception:
+            user_domain = self.openstack('configuration show -f value'
+                                         ' -c auth.user_domain_id')
+        try:
+            project = self.openstack('configuration show -f value'
+                                     ' -c auth.project_name')
+        except Exception:
+            project = self.openstack('configuration show -f value'
+                                     ' -c auth.project_id')
+        try:
+            project_domain = self.openstack('configuration show -f value'
+                                            ' -c auth.project_domain_name')
+        except Exception:
+            project_domain = self.openstack('configuration show -f value'
+                                            ' -c auth.project_domain_id')
+        role1 = self._create_dummy_role()
+        role2 = self._create_dummy_role()
+        for role in role1, role2:
+            self.openstack('role add'
+                           ' --user %(user)s'
+                           ' --user-domain %(user_domain)s'
+                           ' --project %(project)s'
+                           ' --project-domain %(project_domain)s'
+                           ' %(role)s'
+                           % {'user': user,
+                              'user_domain': user_domain,
+                              'project': project,
+                              'project_domain': project_domain,
+                              'role': role})
+            self.addCleanup(self.openstack,
+                            'role remove'
+                            ' --user %(user)s'
+                            ' --user-domain %(user_domain)s'
+                            ' --project %(project)s'
+                            ' --project-domain %(project_domain)s'
+                            ' %(role)s'
+                            % {'user': user,
+                               'user_domain': user_domain,
+                               'project': project,
+                               'project_domain': project_domain,
+                               'role': role})
+        return role1, role2
+
+    def test_application_credential_create_with_options(self):
+        name = data_utils.rand_name('name')
+        secret = data_utils.rand_name('secret')
+        description = data_utils.rand_name('description')
+        tomorrow = (datetime.datetime.utcnow() +
+                    datetime.timedelta(days=1)).strftime('%Y-%m-%dT%H:%M:%S%z')
+        role1, role2 = self._create_role_assignments()
+        raw_output = self.openstack('application credential create %(name)s'
+                                    ' --secret %(secret)s'
+                                    ' --description %(description)s'
+                                    ' --expiration %(tomorrow)s'
+                                    ' --role %(role1)s'
+                                    ' --role %(role2)s'
+                                    ' --unrestricted'
+                                    % {'name': name,
+                                       'secret': secret,
+                                       'description': description,
+                                       'tomorrow': tomorrow,
+                                       'role1': role1,
+                                       'role2': role2})
+        self.addCleanup(
+            self.openstack,
+            'application credential delete %(name)s' % {'name': name})
+        items = self.parse_show(raw_output)
+        self.assert_show_fields(items, self.APPLICATION_CREDENTIAL_FIELDS)
+
+    def test_application_credential_delete(self):
+        name = data_utils.rand_name('name')
+        self.openstack('application credential create %(name)s'
+                       % {'name': name})
+        raw_output = self.openstack('application credential delete '
+                                    '%(name)s' % {'name': name})
+        self.assertEqual(0, len(raw_output))
+
+    def test_application_credential_list(self):
+        raw_output = self.openstack('application credential list')
+        items = self.parse_listing(raw_output)
+        self.assert_table_structure(
+            items, self.APPLICATION_CREDENTIAL_LIST_HEADERS)
+
+    def test_application_credential_show(self):
+        name = data_utils.rand_name('name')
+        raw_output = self.openstack('application credential create %(name)s'
+                                    % {'name': name})
+        self.addCleanup(
+            self.openstack,
+            'application credential delete %(name)s' % {'name': name})
+        raw_output = self.openstack('application credential show '
+                                    '%(name)s' % {'name': name})
+        items = self.parse_show(raw_output)
+        self.assert_show_fields(items, self.APPLICATION_CREDENTIAL_FIELDS)