Consistent and Secure RBAC (Phase 1)
This patch updates the RBAC tests to test the new policy changes in Keystone that allow users with the "admin" (aka root) role to access system-level APIs previously available only to the system-admin persona. The changes affect both the project-admin and domain-admin personas. All the relevant policy changes have been made in keystone. Depends-On: https://review.opendev.org/c/openstack/keystone/+/908524 Change-Id: I43c6da5bce9552948692eef8d71408d74382cc4e
This commit is contained in:
parent
4c4cdfebce
commit
b2aa462f0e
|
@ -47,14 +47,12 @@
|
|||
- keystone-dsvm-py3-functional-2023-2
|
||||
- keystone-dsvm-py3-functional-2023-1
|
||||
- keystone-dsvm-py3-functional-zed
|
||||
- keystone-protection-functional:
|
||||
voting: false
|
||||
- keystone-protection-functional
|
||||
gate:
|
||||
jobs:
|
||||
- keystone-dsvm-py3-functional
|
||||
- keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k
|
||||
- keystone-protection-functional:
|
||||
voting: false
|
||||
- keystone-protection-functional
|
||||
|
||||
- job:
|
||||
name: keystone-dsvm-py3-functional-2023-2
|
||||
|
|
|
@ -181,16 +181,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -176,18 +176,6 @@ class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
|
|||
|
||||
credentials = ['domain_admin', 'system_admin']
|
||||
|
||||
def test_identity_get_domain(self):
|
||||
domain_id = self.admin_domains_client.create_domain(
|
||||
name=data_utils.rand_name())['domain']['id']
|
||||
self.addCleanup(self.admin_domains_client.delete_domain, domain_id)
|
||||
self.addCleanup(self.admin_domains_client.update_domain,
|
||||
domain_id=domain_id, enabled=False)
|
||||
self.do_request('show_domain', expected_status=exceptions.Forbidden,
|
||||
domain_id=domain_id)
|
||||
# user gets a 403 for nonexistent domain
|
||||
self.do_request('show_domain', expected_status=exceptions.Forbidden,
|
||||
domain_id=data_utils.rand_uuid_hex())
|
||||
|
||||
def test_identity_list_domains(self):
|
||||
domain_id = self.admin_domains_client.create_domain(
|
||||
name=data_utils.rand_name())['domain']['id']
|
||||
|
@ -200,6 +188,18 @@ class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
|
|||
|
||||
class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
|
||||
|
||||
def test_identity_get_domain(self):
|
||||
domain_id = self.admin_domains_client.create_domain(
|
||||
name=data_utils.rand_name())['domain']['id']
|
||||
self.addCleanup(self.admin_domains_client.delete_domain, domain_id)
|
||||
self.addCleanup(self.admin_domains_client.update_domain,
|
||||
domain_id=domain_id, enabled=False)
|
||||
self.do_request('show_domain', expected_status=exceptions.Forbidden,
|
||||
domain_id=domain_id)
|
||||
# user gets a 403 for nonexistent domain
|
||||
self.do_request('show_domain', expected_status=exceptions.Forbidden,
|
||||
domain_id=data_utils.rand_uuid_hex())
|
||||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
|
||||
|
@ -208,16 +208,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -366,16 +366,16 @@ class DomainReaderTests(DomainAdminTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -230,16 +230,15 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -506,16 +506,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -422,20 +422,87 @@ class SystemReaderTests(SystemMemberTests):
|
|||
credentials = ['system_reader', 'system_admin']
|
||||
|
||||
|
||||
class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
|
||||
class DomainAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['domain_admin', 'system_admin']
|
||||
|
||||
def test_identity_list_groups(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.own_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
|
||||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
resp = self.do_request('list_groups')
|
||||
# user can get groups in own domain
|
||||
self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
|
||||
# user cannot get groups in other domain
|
||||
self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
|
||||
|
||||
def test_identity_list_groups_for_user(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.own_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
|
||||
user1 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user1['id'])
|
||||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
user2 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.other_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user2['id'])
|
||||
self.admin_groups_client.add_group_user(group1['id'], user1['id'])
|
||||
self.admin_groups_client.add_group_user(group1['id'], user2['id'])
|
||||
self.admin_groups_client.add_group_user(group2['id'], user1['id'])
|
||||
self.admin_groups_client.add_group_user(group2['id'], user2['id'])
|
||||
resp = self.do_request('list_user_groups', client=self.users_client,
|
||||
user_id=user1['id'])
|
||||
# user can list groups in own domain for user in own domain
|
||||
self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
|
||||
# user cannot list groups in other domain for user in own domain
|
||||
self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
|
||||
# user cannot list groups for user in other domain
|
||||
resp = self.do_request('list_user_groups', client=self.users_client,
|
||||
user_id=user2['id'])
|
||||
self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
|
||||
# user gets a 404 for nonexistent user
|
||||
self.do_request('list_user_groups', client=self.users_client,
|
||||
expected_status=exceptions.NotFound,
|
||||
user_id='fakeuser')
|
||||
|
||||
def test_identity_list_users_in_group(self):
|
||||
group = self.admin_groups_client.create_group(**self.group())['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group['id'])
|
||||
user = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'))['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user['id'])
|
||||
self.admin_groups_client.add_group_user(group['id'], user['id'])
|
||||
resp = self.do_request('list_group_users', group_id=group['id'])
|
||||
user_ids = set(u['id'] for u in resp['users'])
|
||||
# request is allowed but the user will get filtered out on domain
|
||||
# scoped request
|
||||
self.assertEqual(0, len(user_ids))
|
||||
|
||||
|
||||
class DomainMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
|
||||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
def test_identity_create_group(self):
|
||||
# user can create group in own domain
|
||||
resp = self.do_request('create_group', expected_status=201,
|
||||
**self.group(domain_id=self.own_domain))
|
||||
self.addCleanup(self.admin_groups_client.delete_group,
|
||||
resp['group']['id'])
|
||||
# user cannot create group in own domain
|
||||
self.do_request('create_group',
|
||||
expected_status=exceptions.Forbidden,
|
||||
**self.group(domain_id=self.own_domain))
|
||||
# user cannot create group in another domain
|
||||
resp = self.do_request('create_group',
|
||||
expected_status=exceptions.Forbidden,
|
||||
**self.group(domain_id=self.other_domain))
|
||||
self.do_request('create_group',
|
||||
expected_status=exceptions.Forbidden,
|
||||
**self.group(domain_id=self.other_domain))
|
||||
|
||||
def test_identity_get_group(self):
|
||||
group = self.admin_groups_client.create_group(
|
||||
|
@ -509,12 +576,13 @@ class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
|
|||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
# user can update a group in own domain
|
||||
# user cannot update a group in own domain
|
||||
group_update = {
|
||||
'group_id': group1['id'],
|
||||
'description': data_utils.arbitrary_string
|
||||
}
|
||||
self.do_request('update_group', **group_update)
|
||||
self.do_request('update_group', expected_status=exceptions.Forbidden,
|
||||
**group_update)
|
||||
# user cannot update a group in other domain
|
||||
group_update = {
|
||||
'group_id': group2['id'],
|
||||
|
@ -536,8 +604,8 @@ class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
|
|||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
# user can delete a group in own domain
|
||||
self.do_request('delete_group', expected_status=204,
|
||||
# user cannot delete a group in own domain
|
||||
self.do_request('delete_group', expected_status=exceptions.Forbidden,
|
||||
group_id=group1['id'])
|
||||
# user cannot delete a group in other domain
|
||||
self.do_request('delete_group', expected_status=exceptions.Forbidden,
|
||||
|
@ -577,197 +645,6 @@ class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
|
|||
expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'])
|
||||
|
||||
def test_identity_add_user_to_group(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(self.own_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
|
||||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
user1 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user1['id'])
|
||||
user2 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user2['id'])
|
||||
# user can add a user in own domain to a group in own domain
|
||||
self.do_request('add_group_user', expected_status=204,
|
||||
group_id=group1['id'], user_id=user1['id'])
|
||||
# user can add a user in another domain to a group in own domain
|
||||
self.do_request('add_group_user', expected_status=204,
|
||||
group_id=group1['id'], user_id=user2['id'])
|
||||
# user cannot add a user in own domain to a group in another domain
|
||||
self.do_request('add_group_user', expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'], user_id=user1['id'])
|
||||
# user cannot add a user in another domain to a group in another domain
|
||||
self.do_request('add_group_user', expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'], user_id=user2['id'])
|
||||
# user gets a 403 for nonexistent group
|
||||
self.do_request('add_group_user', expected_status=exceptions.Forbidden,
|
||||
group_id='fakegroup', user_id=user1['id'])
|
||||
# user gets a 403 for nonexistent user
|
||||
self.do_request('add_group_user', expected_status=exceptions.Forbidden,
|
||||
group_id=group1['id'], user_id='fakeuser')
|
||||
|
||||
def test_identity_remove_user_from_group(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(self.own_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
|
||||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
user1 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user1['id'])
|
||||
user2 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user2['id'])
|
||||
self.admin_groups_client.add_group_user(group1['id'], user1['id'])
|
||||
self.admin_groups_client.add_group_user(group1['id'], user2['id'])
|
||||
self.admin_groups_client.add_group_user(group2['id'], user1['id'])
|
||||
self.admin_groups_client.add_group_user(group2['id'], user2['id'])
|
||||
# user can remove a user in own domain from a group in own domain
|
||||
self.do_request('delete_group_user', expected_status=204,
|
||||
group_id=group1['id'], user_id=user1['id'])
|
||||
# user can remove a user in another domain from a group in own
|
||||
# domain
|
||||
self.do_request('delete_group_user', expected_status=204,
|
||||
group_id=group1['id'], user_id=user2['id'])
|
||||
# user cannot remove a user in own domain from a group in another
|
||||
# domain
|
||||
self.do_request('delete_group_user',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'], user_id=user1['id'])
|
||||
# user cannot remove a user in another domain from a group in another
|
||||
# domain
|
||||
self.do_request('delete_group_user',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'], user_id=user2['id'])
|
||||
# user gets a 403 for nonexistent group
|
||||
self.do_request('delete_group_user',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id='fakegroup', user_id=user1['id'])
|
||||
# user gets a 403 for nonexistent user
|
||||
self.do_request('delete_group_user',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group1['id'], user_id='fakeuser')
|
||||
|
||||
def test_identity_check_user_in_group(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(self.own_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
|
||||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
user1 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user1['id'])
|
||||
user2 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user2['id'])
|
||||
self.admin_groups_client.add_group_user(group1['id'], user1['id'])
|
||||
self.admin_groups_client.add_group_user(group1['id'], user2['id'])
|
||||
self.admin_groups_client.add_group_user(group2['id'], user1['id'])
|
||||
self.admin_groups_client.add_group_user(group2['id'], user2['id'])
|
||||
# user can check if a user in own domain is in a group in own domain
|
||||
self.do_request('check_group_user_existence', expected_status=204,
|
||||
group_id=group1['id'], user_id=user1['id'])
|
||||
# user can check if a user in another domain is in a group in own
|
||||
# domain
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=204,
|
||||
group_id=group1['id'], user_id=user2['id'])
|
||||
# user cannot check if a user in own domain is in a group in another
|
||||
# domain
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'], user_id=user1['id'])
|
||||
# user cannot check if a user in another domain is in a group in
|
||||
# another domain
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'], user_id=user2['id'])
|
||||
# user gets a 403 for nonexistent group
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id='fakegroup', user_id=user1['id'])
|
||||
# user gets a 403 for nonexistent user
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group1['id'], user_id='fakeuser')
|
||||
|
||||
|
||||
class DomainMemberTests(DomainAdminTests):
|
||||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
def test_identity_create_group(self):
|
||||
# user cannot create group in own domain
|
||||
self.do_request('create_group',
|
||||
expected_status=exceptions.Forbidden,
|
||||
**self.group(domain_id=self.own_domain))
|
||||
# user cannot create group in another domain
|
||||
self.do_request('create_group',
|
||||
expected_status=exceptions.Forbidden,
|
||||
**self.group(domain_id=self.other_domain))
|
||||
|
||||
def test_identity_update_group(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.own_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
|
||||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
# user cannot update a group in own domain
|
||||
group_update = {
|
||||
'group_id': group1['id'],
|
||||
'description': data_utils.arbitrary_string
|
||||
}
|
||||
self.do_request('update_group', expected_status=exceptions.Forbidden,
|
||||
**group_update)
|
||||
# user cannot update a group in other domain
|
||||
group_update = {
|
||||
'group_id': group2['id'],
|
||||
'description': data_utils.arbitrary_string
|
||||
}
|
||||
self.do_request('update_group', expected_status=exceptions.Forbidden,
|
||||
**group_update)
|
||||
# user gets a 403 for nonexistent group
|
||||
group_update = {
|
||||
'group_id': 'fakegroup',
|
||||
'description': data_utils.arbitrary_string
|
||||
}
|
||||
self.do_request('update_group', expected_status=exceptions.Forbidden,
|
||||
**group_update)
|
||||
|
||||
def test_identity_delete_group(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.own_domain))['group']
|
||||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(domain_id=self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
# user cannot delete a group in own domain
|
||||
self.do_request('delete_group', expected_status=exceptions.Forbidden,
|
||||
group_id=group1['id'])
|
||||
# user cannot delete a group in other domain
|
||||
self.do_request('delete_group', expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'])
|
||||
# user gets a 404 for nonexistent group
|
||||
self.do_request('delete_group', expected_status=exceptions.NotFound,
|
||||
group_id='fakegroup')
|
||||
|
||||
def test_identity_add_user_to_group(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(self.own_domain))['group']
|
||||
|
@ -853,16 +730,69 @@ class DomainMemberTests(DomainAdminTests):
|
|||
expected_status=exceptions.Forbidden,
|
||||
group_id=group1['id'], user_id='fakeuser')
|
||||
|
||||
def test_identity_check_user_in_group(self):
|
||||
group1 = self.admin_groups_client.create_group(
|
||||
**self.group(self.own_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
|
||||
group2 = self.admin_groups_client.create_group(
|
||||
**self.group(self.other_domain))['group']
|
||||
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
|
||||
user1 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user1['id'])
|
||||
user2 = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name('user'),
|
||||
domain_id=self.own_domain)['user']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user,
|
||||
user2['id'])
|
||||
self.admin_groups_client.add_group_user(group1['id'], user1['id'])
|
||||
self.admin_groups_client.add_group_user(group1['id'], user2['id'])
|
||||
self.admin_groups_client.add_group_user(group2['id'], user1['id'])
|
||||
self.admin_groups_client.add_group_user(group2['id'], user2['id'])
|
||||
# user can check if a user in own domain is in a group in own domain
|
||||
self.do_request('check_group_user_existence', expected_status=204,
|
||||
group_id=group1['id'], user_id=user1['id'])
|
||||
# user can check if a user in another domain is in a group in own
|
||||
# domain
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=204,
|
||||
group_id=group1['id'], user_id=user2['id'])
|
||||
# user cannot check if a user in own domain is in a group in another
|
||||
# domain
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'], user_id=user1['id'])
|
||||
# user cannot check if a user in another domain is in a group in
|
||||
# another domain
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group2['id'], user_id=user2['id'])
|
||||
# user gets a 403 for nonexistent group
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id='fakegroup', user_id=user1['id'])
|
||||
# user gets a 403 for nonexistent user
|
||||
self.do_request('check_group_user_existence',
|
||||
expected_status=exceptions.Forbidden,
|
||||
group_id=group1['id'], user_id='fakeuser')
|
||||
|
||||
|
||||
class DomainReaderTests(DomainMemberTests):
|
||||
|
||||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def test_identity_create_group(self):
|
||||
# user cannot create group in own domain
|
||||
self.do_request('create_group', expected_status=exceptions.Forbidden,
|
||||
|
@ -1142,11 +1072,6 @@ class ProjectAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
|
|||
group_id=group1['id'], user_id='fakeuser')
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -268,16 +268,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -242,16 +242,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -184,7 +184,8 @@ class SystemAdminTests(IdentityV3RbacLimitTests, base.BaseIdentityTest):
|
|||
|
||||
def test_identity_list_limits(self):
|
||||
reg_limit_id = self.admin_limits_client.create_limits(
|
||||
payload=self.limits())['limits'][0]['id']
|
||||
payload=self.limits(project_id=self.persona.credentials.project_id)
|
||||
)['limits'][0]['id']
|
||||
self.addCleanup(
|
||||
self.admin_limits_client.delete_limit,
|
||||
limit_id=reg_limit_id)
|
||||
|
@ -303,20 +304,8 @@ class DomainAdminTests(IdentityV3RbacLimitTests, base.BaseIdentityTest):
|
|||
self.addCleanup(
|
||||
self.admin_limits_client.delete_limit,
|
||||
limit_id=reg_limit_1)
|
||||
# project in own domain
|
||||
reg_limit_2 = self.admin_limits_client.create_limits(
|
||||
payload=self.limits(project_id=self.own_project)
|
||||
)['limits'][0]['id']
|
||||
self.addCleanup(
|
||||
self.admin_limits_client.delete_limit,
|
||||
limit_id=reg_limit_2)
|
||||
# cannot get limit for other project
|
||||
self.do_request('show_limit',
|
||||
expected_status=exceptions.Forbidden,
|
||||
limit_id=reg_limit_1)
|
||||
# can get limit for project in own domain
|
||||
self.do_request('show_limit',
|
||||
limit_id=reg_limit_2)
|
||||
|
||||
def test_identity_update_limit(self):
|
||||
# cannot update limit for arbitrary project
|
||||
|
@ -370,18 +359,40 @@ class DomainMemberTests(DomainAdminTests):
|
|||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
def test_identity_get_limit(self):
|
||||
# random project
|
||||
reg_limit_1 = self.admin_limits_client.create_limits(
|
||||
payload=self.limits())['limits'][0]['id']
|
||||
self.addCleanup(
|
||||
self.admin_limits_client.delete_limit,
|
||||
limit_id=reg_limit_1)
|
||||
# project in own domain
|
||||
reg_limit_2 = self.admin_limits_client.create_limits(
|
||||
payload=self.limits(project_id=self.own_project)
|
||||
)['limits'][0]['id']
|
||||
self.addCleanup(
|
||||
self.admin_limits_client.delete_limit,
|
||||
limit_id=reg_limit_2)
|
||||
# cannot get limit for other project
|
||||
self.do_request('show_limit',
|
||||
expected_status=exceptions.Forbidden,
|
||||
limit_id=reg_limit_1)
|
||||
# can get limit for project in own domain
|
||||
self.do_request('show_limit',
|
||||
limit_id=reg_limit_2)
|
||||
|
||||
|
||||
class DomainReaderTests(DomainMemberTests):
|
||||
|
||||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
|
|
@ -240,16 +240,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -217,16 +217,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -454,16 +454,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -225,6 +225,134 @@ class DomainAdminTests(IdentityV3RbacProjectsTests, base.BaseIdentityTest):
|
|||
domain_id=self.own_domain
|
||||
)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
# user can create project in other domain
|
||||
project_id = self.do_request(
|
||||
'create_project', expected_status=201, name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain
|
||||
)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
|
||||
def test_identity_get_project(self):
|
||||
# user can get project in own domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
self.do_request('show_project', project_id=project_id)
|
||||
# user can get project in other domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
self.do_request('show_project', project_id=project_id)
|
||||
# user gets a 403 for nonexistent project
|
||||
self.do_request('show_project', expected_status=exceptions.NotFound,
|
||||
project_id=data_utils.rand_uuid_hex())
|
||||
|
||||
def test_identity_list_projects(self):
|
||||
# user can list projects but cannot see project in other domain
|
||||
own_project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project,
|
||||
own_project_id)
|
||||
other_project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project,
|
||||
other_project_id)
|
||||
resp = self.do_request('list_projects')
|
||||
self.assertIn(own_project_id, [d['id'] for d in resp['projects']])
|
||||
self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']])
|
||||
|
||||
def test_identity_list_user_projects(self):
|
||||
# user can list projects for user in own domain
|
||||
user_id = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain)['user']['id']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name())['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
role_id = self.admin_client.roles_v3_client.create_role(
|
||||
name=data_utils.rand_name())['role']['id']
|
||||
self.addCleanup(self.admin_client.roles_v3_client.delete_role,
|
||||
role_id)
|
||||
self.admin_client.roles_v3_client.create_user_role_on_project(
|
||||
project_id, user_id, role_id)
|
||||
resp = self.do_request('list_user_projects', client=self.users_client,
|
||||
user_id=user_id)
|
||||
self.assertIn(project_id, [p['id'] for p in resp['projects']])
|
||||
# user can list projects for user in other domain
|
||||
user_id = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain)['user']['id']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name())['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
role_id = self.admin_client.roles_v3_client.create_role(
|
||||
name=data_utils.rand_name())['role']['id']
|
||||
self.addCleanup(self.admin_client.roles_v3_client.delete_role,
|
||||
role_id)
|
||||
self.admin_client.roles_v3_client.create_user_role_on_project(
|
||||
project_id, user_id, role_id)
|
||||
resp = self.do_request('list_user_projects', client=self.users_client,
|
||||
user_id=user_id)
|
||||
self.assertIn(project_id, [p['id'] for p in resp['projects']])
|
||||
# user can list projects for self
|
||||
resp = self.do_request('list_user_projects', client=self.users_client,
|
||||
user_id=self.persona.credentials.user_id)
|
||||
self.assertEqual(0, len([p['id'] for p in resp['projects']]))
|
||||
|
||||
def test_identity_update_project(self):
|
||||
# user can update project in own domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
self.do_request('update_project',
|
||||
project_id=project_id,
|
||||
description=data_utils.arbitrary_string())
|
||||
# user can update project in other domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
self.do_request('update_project',
|
||||
project_id=project_id,
|
||||
description=data_utils.arbitrary_string())
|
||||
# user gets a 404 for nonexistent domain
|
||||
self.do_request('update_project', expected_status=exceptions.NotFound,
|
||||
project_id=data_utils.rand_uuid_hex(),
|
||||
description=data_utils.arbitrary_string())
|
||||
|
||||
def test_identity_delete_project(self):
|
||||
# user can delete project in own domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain)['project']['id']
|
||||
self.do_request('delete_project', expected_status=204,
|
||||
project_id=project_id)
|
||||
# user can delete project in other domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain)['project']['id']
|
||||
self.do_request('delete_project', expected_status=204,
|
||||
project_id=project_id)
|
||||
|
||||
|
||||
class DomainMemberTests(DomainAdminTests):
|
||||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
def test_identity_create_project(self):
|
||||
# user cannot create project in own domain
|
||||
self.do_request(
|
||||
'create_project', expected_status=exceptions.Forbidden,
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain
|
||||
)
|
||||
# user cannot create project in other domain
|
||||
self.do_request(
|
||||
'create_project', expected_status=exceptions.Forbidden,
|
||||
|
@ -249,22 +377,6 @@ class DomainAdminTests(IdentityV3RbacProjectsTests, base.BaseIdentityTest):
|
|||
self.do_request('show_project', expected_status=exceptions.Forbidden,
|
||||
project_id=data_utils.rand_uuid_hex())
|
||||
|
||||
def test_identity_list_projects(self):
|
||||
# user can list projects but cannot see project in other domain
|
||||
own_project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project,
|
||||
own_project_id)
|
||||
other_project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project,
|
||||
other_project_id)
|
||||
resp = self.do_request('list_projects')
|
||||
self.assertIn(own_project_id, [d['id'] for d in resp['projects']])
|
||||
self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']])
|
||||
|
||||
def test_identity_list_user_projects(self):
|
||||
# user can list projects for user in own domain
|
||||
user_id = self.admin_client.users_v3_client.create_user(
|
||||
|
@ -305,62 +417,6 @@ class DomainAdminTests(IdentityV3RbacProjectsTests, base.BaseIdentityTest):
|
|||
user_id=self.persona.credentials.user_id)
|
||||
self.assertEqual(0, len([p['id'] for p in resp['projects']]))
|
||||
|
||||
def test_identity_update_project(self):
|
||||
# user can update project in own domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
self.do_request('update_project',
|
||||
project_id=project_id,
|
||||
description=data_utils.arbitrary_string())
|
||||
# user cannot update project in other domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
self.do_request('update_project',
|
||||
expected_status=exceptions.Forbidden,
|
||||
project_id=project_id,
|
||||
description=data_utils.arbitrary_string())
|
||||
# user gets a 403 for nonexistent domain
|
||||
self.do_request('update_project', expected_status=exceptions.Forbidden,
|
||||
project_id=data_utils.rand_uuid_hex(),
|
||||
description=data_utils.arbitrary_string())
|
||||
|
||||
def test_identity_delete_project(self):
|
||||
# user can delete project in own domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain)['project']['id']
|
||||
self.do_request('delete_project', expected_status=204,
|
||||
project_id=project_id)
|
||||
# user cannot delete project in other domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.other_domain)['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
self.do_request('delete_project', expected_status=exceptions.Forbidden,
|
||||
project_id=project_id)
|
||||
|
||||
|
||||
class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
|
||||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
def test_identity_create_project(self):
|
||||
# user cannot create project in own domain
|
||||
self.do_request(
|
||||
'create_project', expected_status=exceptions.Forbidden,
|
||||
name=data_utils.rand_name(),
|
||||
domain_id=self.own_domain
|
||||
)
|
||||
# user cannot create project in other domain
|
||||
self.do_request(
|
||||
'create_project', expected_status=exceptions.Forbidden,
|
||||
name=data_utils.rand_name(), domain_id=self.other_domain
|
||||
)
|
||||
|
||||
def test_identity_update_project(self):
|
||||
# user cannot update project in own domain
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
|
@ -406,10 +462,39 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
def test_identity_list_user_projects(self):
|
||||
user_id = self.admin_client.users_v3_client.create_user(
|
||||
name=data_utils.rand_name())['user']['id']
|
||||
self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
name=data_utils.rand_name())['project']['id']
|
||||
self.addCleanup(self.admin_projects_client.delete_project, project_id)
|
||||
role_id = self.admin_client.roles_v3_client.create_role(
|
||||
name=data_utils.rand_name())['role']['id']
|
||||
self.addCleanup(self.admin_client.roles_v3_client.delete_role,
|
||||
role_id)
|
||||
self.admin_client.roles_v3_client.create_user_role_on_project(
|
||||
project_id, user_id, role_id)
|
||||
# user can list projects for arbitrary user
|
||||
resp = self.do_request('list_user_projects', client=self.users_client,
|
||||
user_id=user_id)
|
||||
self.assertIn(project_id, [p['id'] for p in resp['projects']])
|
||||
# user can list projects for self
|
||||
# Project Admin is assigned to a tempest project so we cant re-use
|
||||
# the System Admin test.
|
||||
resp = self.do_request('list_user_projects', client=self.users_client,
|
||||
user_id=self.persona.credentials.user_id)
|
||||
self.assertEqual(1, len([p['id'] for p in resp['projects']]))
|
||||
|
||||
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def test_identity_get_project(self):
|
||||
# user cannot get arbitrary project
|
||||
project_id = self.admin_projects_client.create_project(
|
||||
|
@ -457,11 +542,6 @@ class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
|||
[p['id'] for p in resp['projects']])
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -236,16 +236,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -241,6 +241,103 @@ class DomainAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest):
|
|||
project_id=self.own_project_id,
|
||||
tag=tag
|
||||
)
|
||||
# user can add tags to project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
'update_project_tag', expected_status=201,
|
||||
project_id=self.other_project_id,
|
||||
tag=tag
|
||||
)
|
||||
|
||||
def test_identity_get_project_tag(self):
|
||||
# user can get tag for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
self.do_request('check_project_tag_existence',
|
||||
expected_status=204,
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
# user can get tag for project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
self.do_request('check_project_tag_existence',
|
||||
expected_status=204,
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
|
||||
def test_identity_list_project_tags(self):
|
||||
# user can list tags for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
resp = self.do_request('list_project_tags',
|
||||
project_id=self.own_project_id)
|
||||
self.assertIn(tag, resp['tags'])
|
||||
# user can list tags for project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
resp = self.do_request('list_project_tags',
|
||||
project_id=self.other_project_id)
|
||||
self.assertIn(tag, resp['tags'])
|
||||
|
||||
def test_identity_update_project_tags(self):
|
||||
# user can update tags for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request('update_all_project_tags',
|
||||
project_id=self.own_project_id,
|
||||
tags=[tag])
|
||||
# user can update tags for project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request('update_all_project_tags',
|
||||
project_id=self.other_project_id,
|
||||
tags=[tag])
|
||||
|
||||
def test_identity_delete_project_tag(self):
|
||||
# user can delete tag for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
self.do_request('delete_project_tag', expected_status=204,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag)
|
||||
# user can delete tag for project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
self.do_request('delete_project_tag',
|
||||
expected_status=204,
|
||||
project_id=self.other_project_id,
|
||||
tag=tag)
|
||||
|
||||
def test_identity_delete_project_tags(self):
|
||||
# user can delete tags for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
self.do_request('delete_all_project_tags', expected_status=204,
|
||||
project_id=self.own_project_id)
|
||||
# user can delete tags for project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
self.do_request('delete_all_project_tags',
|
||||
expected_status=204,
|
||||
project_id=self.other_project_id)
|
||||
|
||||
|
||||
class DomainMemberTests(DomainAdminTests):
|
||||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
def test_identity_create_project_tag(self):
|
||||
# user cannot add tags to project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
'update_project_tag', expected_status=exceptions.Forbidden,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag
|
||||
)
|
||||
# user cannot add tags to project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
|
@ -281,72 +378,6 @@ class DomainAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest):
|
|||
expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id)
|
||||
|
||||
def test_identity_update_project_tags(self):
|
||||
# user can update tags for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request('update_all_project_tags',
|
||||
project_id=self.own_project_id,
|
||||
tags=[tag])
|
||||
# user cannot update tags for project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request('update_all_project_tags',
|
||||
expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id,
|
||||
tags=[tag])
|
||||
|
||||
def test_identity_delete_project_tag(self):
|
||||
# user can delete tag for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
self.do_request('delete_project_tag', expected_status=204,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag)
|
||||
# user cannot delete tag for project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
self.do_request('delete_project_tag',
|
||||
expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id,
|
||||
tag=tag)
|
||||
|
||||
def test_identity_delete_project_tags(self):
|
||||
# user can delete tags for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
self.do_request('delete_all_project_tags', expected_status=204,
|
||||
project_id=self.own_project_id)
|
||||
# user cannot delete tags for project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
self.do_request('delete_all_project_tags',
|
||||
expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id)
|
||||
|
||||
|
||||
class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
|
||||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
def test_identity_create_project_tag(self):
|
||||
# user cannot add tags to project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
'update_project_tag', expected_status=exceptions.Forbidden,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag
|
||||
)
|
||||
# user cannot add tags to project in other domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
'update_project_tag', expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id,
|
||||
tag=tag
|
||||
)
|
||||
|
||||
def test_identity_update_project_tags(self):
|
||||
# user cannot update tags for project in own domain
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
|
@ -401,12 +432,17 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(DomainAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(DomainMemberTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectAdminTests, self).setUp()
|
||||
super().setUp()
|
||||
self.own_project_id = self.persona.credentials.project_id
|
||||
project_client = self.admin_client.projects_client
|
||||
self.other_project_id = project_client.create_project(
|
||||
|
@ -414,16 +450,13 @@ class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest):
|
|||
self.addCleanup(project_client.delete_project, self.other_project_id)
|
||||
|
||||
def test_identity_create_project_tag(self):
|
||||
# user can add tags to own project
|
||||
# user cannot add tags to own project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
'update_project_tag', expected_status=201,
|
||||
'update_project_tag', expected_status=exceptions.Forbidden,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag
|
||||
)
|
||||
self.addCleanup(self.admin_project_tags_client.delete_project_tag,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag)
|
||||
# user cannot add tags to arbitrary project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
|
@ -470,75 +503,6 @@ class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest):
|
|||
expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id)
|
||||
|
||||
def test_identity_update_project_tags(self):
|
||||
# user can update tags for own project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request('update_all_project_tags',
|
||||
project_id=self.own_project_id,
|
||||
tags=[tag])
|
||||
self.addCleanup(self.admin_project_tags_client.delete_project_tag,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag)
|
||||
# user cannot update tags for arbitrary project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request('update_all_project_tags',
|
||||
expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id,
|
||||
tags=[tag])
|
||||
|
||||
def test_identity_delete_project_tag(self):
|
||||
# user can delete tag for own project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
self.do_request('delete_project_tag', expected_status=204,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag)
|
||||
# user cannot delete tag for arbitrary project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
self.do_request('delete_project_tag',
|
||||
expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id,
|
||||
tag=tag)
|
||||
|
||||
def test_identity_delete_project_tags(self):
|
||||
# user can delete tags for own project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.own_project_id, tag=tag)
|
||||
self.do_request('delete_all_project_tags', expected_status=204,
|
||||
project_id=self.own_project_id)
|
||||
# user cannot delete tags for arbitrary project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.admin_project_tags_client.update_project_tag(
|
||||
project_id=self.other_project_id, tag=tag)
|
||||
self.do_request('delete_all_project_tags',
|
||||
expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id)
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def test_identity_create_project_tag(self):
|
||||
# user cannot add tags to own project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
'update_project_tag', expected_status=exceptions.Forbidden,
|
||||
project_id=self.own_project_id,
|
||||
tag=tag
|
||||
)
|
||||
# user cannot add tags to arbitrary project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
self.do_request(
|
||||
'update_project_tag', expected_status=exceptions.Forbidden,
|
||||
project_id=self.other_project_id,
|
||||
tag=tag
|
||||
)
|
||||
|
||||
def test_identity_update_project_tags(self):
|
||||
# user cannot update tags for own project
|
||||
tag = data_utils.rand_uuid_hex()
|
||||
|
|
|
@ -287,16 +287,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -194,16 +194,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -207,12 +207,12 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
|
|
@ -375,16 +375,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -939,24 +939,53 @@ class DomainAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
|
|||
# Should not see subtree assignments for project in other domain
|
||||
query = {'scope.project.id': self.project_other_domain,
|
||||
'include_subtree': True}
|
||||
self.do_request('list_role_assignments',
|
||||
expected_status=exceptions.Forbidden, **query)
|
||||
self.do_request('list_role_assignments', **query)
|
||||
|
||||
|
||||
class DomainMemberTests(DomainAdminTests):
|
||||
|
||||
credentials = ['domain_member', 'system_admin']
|
||||
|
||||
def test_identity_list_role_assignments_for_tree(self):
|
||||
# Should see subtree assignments for project in own domain
|
||||
subproject_id = self.admin_client.projects_client.create_project(
|
||||
name=data_utils.rand_name('project'),
|
||||
domain_id=self.own_domain,
|
||||
parent_id=self.project_in_domain)['project']['id']
|
||||
self.addCleanup(self.admin_client.projects_client.delete_project,
|
||||
subproject_id)
|
||||
self.admin_client.roles_v3_client.create_user_role_on_project(
|
||||
subproject_id, self.user_in_domain, self.role_id)
|
||||
query = {'scope.project.id': self.project_in_domain,
|
||||
'include_subtree': True}
|
||||
resp = self.do_request('list_role_assignments', **query)
|
||||
actual = self._extract_role_assignments_from_response_body(resp)
|
||||
expected_assignment = {'user_id': self.user_in_domain,
|
||||
'project_id': subproject_id,
|
||||
'role_id': self.role_id}
|
||||
self.assertIn(expected_assignment, actual)
|
||||
|
||||
# Should not see subtree assignments for project in other domain
|
||||
query = {'scope.project.id': self.project_other_domain,
|
||||
'include_subtree': True}
|
||||
self.do_request('list_role_assignments',
|
||||
expected_status=exceptions.Forbidden, **query)
|
||||
|
||||
|
||||
class DomainReaderTests(DomainMemberTests):
|
||||
|
||||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def test_identity_list_role_assignments(self):
|
||||
# Listing all assignments with no filters should fail
|
||||
self.do_request('list_role_assignments',
|
||||
|
@ -1067,43 +1096,6 @@ class ProjectAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
|
|||
self.do_request('list_role_assignments',
|
||||
expected_status=exceptions.Forbidden, **query)
|
||||
|
||||
def test_identity_list_role_assignments_for_tree(self):
|
||||
# Should not see subtree assignments for project in own domain
|
||||
query = {'scope.project.id': self.project_in_domain,
|
||||
'include_subtree': True}
|
||||
self.do_request('list_role_assignments',
|
||||
expected_status=exceptions.Forbidden, **query)
|
||||
|
||||
# Should not see subtree assignments for project in other domain
|
||||
query = {'scope.project.id': self.project_other_domain,
|
||||
'include_subtree': True}
|
||||
self.do_request('list_role_assignments',
|
||||
expected_status=exceptions.Forbidden, **query)
|
||||
|
||||
# Should see subtree for own project
|
||||
own_project = self.persona.credentials.project_id
|
||||
subproject_id = self.admin_client.projects_client.create_project(
|
||||
name=data_utils.rand_name('project'),
|
||||
domain_id=self.own_domain,
|
||||
parent_id=own_project)['project']['id']
|
||||
self.addCleanup(self.admin_client.projects_client.delete_project,
|
||||
subproject_id)
|
||||
self.admin_client.roles_v3_client.create_user_role_on_project(
|
||||
subproject_id, self.user_other_domain, self.role_id)
|
||||
query = {'scope.project.id': own_project,
|
||||
'include_subtree': True}
|
||||
resp = self.do_request('list_role_assignments', **query)
|
||||
expected_assignment = {'user_id': self.user_other_domain,
|
||||
'project_id': subproject_id,
|
||||
'role_id': self.role_id}
|
||||
actual = self._extract_role_assignments_from_response_body(resp)
|
||||
self.assertIn(expected_assignment, actual)
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def test_identity_list_role_assignments_for_tree(self):
|
||||
# Should not see subtree assignments for project in own domain
|
||||
query = {'scope.project.id': self.project_in_domain,
|
||||
|
|
|
@ -218,16 +218,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -235,16 +235,16 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
class ProjectMemberTests(DomainReaderTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
|
@ -367,7 +367,7 @@ class DomainReaderTests(DomainAdminTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
@ -395,6 +395,35 @@ class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
|
|||
expected_status=exceptions.Forbidden,
|
||||
**self.trust())
|
||||
|
||||
|
||||
class ProjectMemberTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.role_id = self.member_role_id
|
||||
|
||||
def test_identity_create_trust(self):
|
||||
# user can create a trust for their own project
|
||||
trustor_user_id = self.persona.credentials.user_id
|
||||
project_id = self.persona.credentials.project_id
|
||||
resp = self.do_request(
|
||||
'create_trust',
|
||||
expected_status=201,
|
||||
**self.trust(
|
||||
trustor=trustor_user_id,
|
||||
project_id=project_id,
|
||||
roles=[{'id': self.role_id}])
|
||||
)['trust']
|
||||
self.addCleanup(self.client.delete_trust, resp['id'])
|
||||
|
||||
# user cannot create trust with another user as trustor
|
||||
self.do_request(
|
||||
'create_trust',
|
||||
expected_status=exceptions.Forbidden,
|
||||
**self.trust())
|
||||
|
||||
def test_identity_get_trust(self):
|
||||
# user can get a trust for which they are trustor
|
||||
trustor_user_id = self.persona.credentials.user_id
|
||||
|
@ -541,16 +570,7 @@ class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
|
|||
trust_id=trust_id)
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def setUp(self):
|
||||
super(ProjectMemberTests, self).setUp()
|
||||
self.role_id = self.member_role_id
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
||||
|
|
|
@ -248,114 +248,22 @@ class SystemReaderTests(SystemMemberTests):
|
|||
credentials = ['system_reader', 'system_admin']
|
||||
|
||||
|
||||
class DomainAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
|
||||
class DomainAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['domain_admin', 'system_admin']
|
||||
|
||||
def setUp(self):
|
||||
super(DomainAdminTests, self).setUp()
|
||||
self.other_domain = self.admin_domains_client.create_domain(
|
||||
name=data_utils.rand_name())['domain']
|
||||
self.addCleanup(self.admin_domains_client.delete_domain,
|
||||
self.other_domain['id'])
|
||||
self.addCleanup(self.admin_domains_client.update_domain,
|
||||
domain_id=self.other_domain['id'], enabled=False)
|
||||
|
||||
def test_identity_create_user(self):
|
||||
user_create = self.user()
|
||||
# create user in other domain
|
||||
user_create['domain_id'] = self.other_domain['id']
|
||||
self.do_request('create_user', expected_status=exceptions.Forbidden,
|
||||
**user_create)
|
||||
# create user in own domain
|
||||
user_create['domain_id'] = self.persona.credentials.domain_id
|
||||
resp = self.do_request('create_user',
|
||||
expected_status=201,
|
||||
**user_create)
|
||||
self.addCleanup(self.admin_users_client.delete_user,
|
||||
resp['user']['id'])
|
||||
|
||||
def test_identity_get_user(self):
|
||||
user_create = self.user()
|
||||
user_create['domain_id'] = self.other_domain['id']
|
||||
user = self.admin_users_client.create_user(**user_create)['user']
|
||||
self.addCleanup(self.admin_users_client.delete_user, user['id'])
|
||||
# user cannot get user in other domain
|
||||
self.do_request('show_user', expected_status=exceptions.Forbidden,
|
||||
user_id=user['id'])
|
||||
user_create['domain_id'] = self.persona.credentials.domain_id
|
||||
user = self.admin_users_client.create_user(**user_create)['user']
|
||||
self.addCleanup(self.admin_users_client.delete_user, user['id'])
|
||||
# user can get user in own domain
|
||||
resp = self.do_request('show_user', user_id=user['id'])
|
||||
self.assertEqual(resp['user']['id'], user['id'])
|
||||
# user can get own user
|
||||
user_id = self.persona.credentials.user_id
|
||||
resp = self.do_request('show_user', user_id=user_id)
|
||||
self.assertEqual(resp['user']['id'], user_id)
|
||||
# user gets a 403 for nonexistent user
|
||||
self.do_request('show_user', expected_status=exceptions.Forbidden,
|
||||
user_id='fakeuser')
|
||||
|
||||
def test_identity_list_users(self):
|
||||
# the /v3/users api filters the response for domain-scoped
|
||||
# tokens to users only in the domain, so we can't re-use
|
||||
# the test from SystemAdminTests
|
||||
user_create = self.user()
|
||||
# create user in other domain
|
||||
user_create['domain_id'] = self.other_domain['id']
|
||||
user_create['domain_id'] = self.persona.credentials.domain_id
|
||||
# create user in default domain
|
||||
user1 = self.admin_users_client.create_user(**user_create)['user']
|
||||
self.addCleanup(self.admin_users_client.delete_user, user1['id'])
|
||||
# create user in own domain
|
||||
user_create['domain_id'] = self.persona.credentials.domain_id
|
||||
user2 = self.admin_users_client.create_user(**user_create)['user']
|
||||
self.addCleanup(self.admin_users_client.delete_user, user2['id'])
|
||||
resp = self.do_request('list_users')
|
||||
user_ids = set(u['id'] for u in resp['users'])
|
||||
self.assertNotIn(user1['id'], user_ids)
|
||||
self.assertIn(user2['id'], user_ids)
|
||||
|
||||
def test_identity_update_user(self):
|
||||
user_create = self.user()
|
||||
# create user in other domain
|
||||
user_create['domain_id'] = self.other_domain['id']
|
||||
user = self.admin_users_client.create_user(**user_create)['user']
|
||||
self.addCleanup(self.admin_users_client.delete_user, user['id'])
|
||||
user_update = {
|
||||
'user_id': user['id'],
|
||||
'description': data_utils.arbitrary_string()
|
||||
}
|
||||
self.do_request('update_user', expected_status=exceptions.Forbidden,
|
||||
**user_update)
|
||||
# create user in own domain
|
||||
user_create['domain_id'] = self.persona.credentials.domain_id
|
||||
user = self.admin_users_client.create_user(**user_create)['user']
|
||||
self.addCleanup(self.admin_users_client.delete_user, user['id'])
|
||||
user_update = {
|
||||
'user_id': user['id'],
|
||||
'description': data_utils.arbitrary_string()
|
||||
}
|
||||
self.do_request('update_user', **user_update)
|
||||
# user gets a 403 for nonexistent user
|
||||
user_update = {
|
||||
'user_id': 'fakeuser',
|
||||
'description': data_utils.arbitrary_string()
|
||||
}
|
||||
self.do_request('update_user', expected_status=exceptions.Forbidden,
|
||||
**user_update)
|
||||
|
||||
def test_identity_delete_user(self):
|
||||
user_create = self.user()
|
||||
# create user in other domain
|
||||
user_create['domain_id'] = self.other_domain['id']
|
||||
user = self.admin_users_client.create_user(**user_create)['user']
|
||||
self.addCleanup(self.admin_users_client.delete_user, user['id'])
|
||||
self.do_request('delete_user', expected_status=exceptions.Forbidden,
|
||||
user_id=user['id'])
|
||||
# create user in own domain
|
||||
user_create['domain_id'] = self.persona.credentials.domain_id
|
||||
user = self.admin_users_client.create_user(**user_create)['user']
|
||||
self.do_request('delete_user', expected_status=204, user_id=user['id'])
|
||||
# user gets a 403 for nonexistent user
|
||||
self.do_request('delete_user', expected_status=exceptions.Forbidden,
|
||||
user_id='fakeuser')
|
||||
self.assertIn(user1['id'], user_ids)
|
||||
|
||||
|
||||
class DomainMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
|
||||
|
@ -475,10 +383,15 @@ class DomainReaderTests(DomainMemberTests):
|
|||
credentials = ['domain_reader', 'system_admin']
|
||||
|
||||
|
||||
class ProjectAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
|
||||
class ProjectAdminTests(SystemAdminTests):
|
||||
|
||||
credentials = ['project_admin', 'system_admin']
|
||||
|
||||
|
||||
class ProjectMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
def test_identity_create_user(self):
|
||||
self.do_request('create_user', expected_status=exceptions.Forbidden,
|
||||
**self.user())
|
||||
|
@ -530,11 +443,6 @@ class ProjectAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
|
|||
user_id='fakeuser')
|
||||
|
||||
|
||||
class ProjectMemberTests(ProjectAdminTests):
|
||||
|
||||
credentials = ['project_member', 'system_admin']
|
||||
|
||||
|
||||
class ProjectReaderTests(ProjectAdminTests):
|
||||
class ProjectReaderTests(ProjectMemberTests):
|
||||
|
||||
credentials = ['project_reader', 'system_admin']
|
||||
|
|
Loading…
Reference in New Issue