diff --git a/.zuul.yaml b/.zuul.yaml index 799c05a..d44f208 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -47,14 +47,12 @@ - keystone-dsvm-py3-functional-2023-2 - keystone-dsvm-py3-functional-2023-1 - keystone-dsvm-py3-functional-zed - - keystone-protection-functional: - voting: false + - keystone-protection-functional gate: jobs: - keystone-dsvm-py3-functional - keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k - - keystone-protection-functional: - voting: false + - keystone-protection-functional - job: name: keystone-dsvm-py3-functional-2023-2 diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py b/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py index b7dbb95..a04fcd9 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py @@ -181,16 +181,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_domain.py b/keystone_tempest_plugin/tests/rbac/v3/test_domain.py index 13f0b71..49f7556 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_domain.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_domain.py @@ -176,18 +176,6 @@ class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest): credentials = ['domain_admin', 'system_admin'] - def test_identity_get_domain(self): - domain_id = self.admin_domains_client.create_domain( - name=data_utils.rand_name())['domain']['id'] - self.addCleanup(self.admin_domains_client.delete_domain, domain_id) - self.addCleanup(self.admin_domains_client.update_domain, - domain_id=domain_id, enabled=False) - self.do_request('show_domain', expected_status=exceptions.Forbidden, - domain_id=domain_id) - # user gets a 403 for nonexistent domain - self.do_request('show_domain', expected_status=exceptions.Forbidden, - domain_id=data_utils.rand_uuid_hex()) - def test_identity_list_domains(self): domain_id = self.admin_domains_client.create_domain( name=data_utils.rand_name())['domain']['id'] @@ -200,6 +188,18 @@ class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest): class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest): + def test_identity_get_domain(self): + domain_id = self.admin_domains_client.create_domain( + name=data_utils.rand_name())['domain']['id'] + self.addCleanup(self.admin_domains_client.delete_domain, domain_id) + self.addCleanup(self.admin_domains_client.update_domain, + domain_id=domain_id, enabled=False) + self.do_request('show_domain', expected_status=exceptions.Forbidden, + domain_id=domain_id) + # user gets a 403 for nonexistent domain + self.do_request('show_domain', expected_status=exceptions.Forbidden, + domain_id=data_utils.rand_uuid_hex()) + credentials = ['domain_member', 'system_admin'] @@ -208,16 +208,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py b/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py index 8f1fdbf..ba2b612 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py @@ -366,16 +366,16 @@ class DomainReaderTests(DomainAdminTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py index 48dfb19..8dde1ea 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py @@ -230,16 +230,15 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): - +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py index 6cca108..305b6e2 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py @@ -506,16 +506,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_grant.py b/keystone_tempest_plugin/tests/rbac/v3/test_grant.py index e88b679..5e1a501 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_grant.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_grant.py @@ -1120,6 +1120,1637 @@ class DomainAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest): credentials = ['domain_admin', 'system_admin'] + def test_identity_check_grant(self): + ################################################### + # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN # + ################################################### + # global role, project in own domain, user in own domain + self.do_request( + 'check_user_role_existence_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, project in own domain, group in own domain + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # global role, own domain, user in own domain + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, own domain, group in own domain + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # role in own domain, project in own domain, user in own domain + self.do_request( + 'check_user_role_existence_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, project in own domain, group in own domain + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in own domain, domain in own domain, user in own domain + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, domain in own domain, group in own domain + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in other domain, project in own domain, user in own domain + # (none created, should 404) + self.do_request( + 'check_user_role_existence_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, project in own domain, group in own domain + # (none created, should 404) + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=exceptions.NotFound, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + # role in other domain, domain in own domain, user in own domain + # (none created, should 404) + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, domain in own domain, group in own domain + # (none created, should 404) + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=exceptions.NotFound, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + ##################################################### + # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN # + ##################################################### + # global role, project in own domain, user in other domain + self.do_request( + 'check_user_role_existence_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, project in own domain, group in other domain + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # global role, own domain, user in other domain + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, own domain, group in other domain + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # role in own domain, project in own domain, user in other domain + self.do_request( + 'check_user_role_existence_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, project in own domain, group in other domain + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in own domain, domain in own domain, user in other domain + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, domain in own domain, group in other domain + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in other domain, project in own domain, user in other domain + # (none created, should 404) + self.do_request( + 'check_user_role_existence_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, project in own domain, group in other domain + # (none created, should 404) + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=exceptions.NotFound, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + # role in other domain, domain in own domain, user in other domain + # (none created, should 404) + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, domain in own domain, group in other domain + # (none created, should 404) + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=exceptions.NotFound, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + ##################################################### + # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN # + ##################################################### + # global role, project in other domain, user in own domain + self.do_request( + 'check_user_role_existence_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, project in other domain, group in own domain + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # global role, other domain, user in own domain + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, other domain, group in own domain + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # role in own domain, project in other domain, user in own domain + # (none created, should 404) + self.do_request( + 'check_user_role_existence_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, project in other domain, group in own domain + # (none created, should 404) + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=exceptions.NotFound, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, user in own domain + # (none created, should 404) + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, group in own domain + # (none created, should 404) + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=exceptions.NotFound, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in other domain, project in other domain, user in own domain + self.do_request( + 'check_user_role_existence_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, project in other domain, group in own domain + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, user in own domain + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, group in own domain + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + ####################################################### + # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN # + ####################################################### + # global role, project in other domain, user in other domain + self.do_request( + 'check_user_role_existence_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, project in other domain, group in other domain + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # global role, other domain, user in other domain + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, other domain, group in other domain + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # role in own domain, project in other domain, user in other domain + # (none created, should 404) + self.do_request( + 'check_user_role_existence_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, project in other domain, group in other domain + # (none created, should 404) + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=exceptions.NotFound, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, user in other domain + # (none created, should 404) + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, group in other domain + # (none created, should 404) + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=exceptions.NotFound, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in other domain, project in other domain, user in other domain + self.do_request( + 'check_user_role_existence_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, project in other domain, group in other domain + self.do_request( + 'check_role_from_group_on_project_existence', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, user in other domain + self.do_request( + 'check_user_role_existence_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, group in other domain + self.do_request( + 'check_role_from_group_on_domain_existence', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + + def test_identity_list_grants(self): + ################################################### + # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN # + ################################################### + # project in other domain, user in other domain + self.do_request( + 'list_user_roles_on_project', + project_id=self.project_in_domain, + user_id=self.user_in_domain) + # project in other domain, group in other domain + self.do_request( + 'list_group_roles_on_project', + project_id=self.project_in_domain, + group_id=self.group_in_domain) + # other domain, user in other domain + self.do_request( + 'list_user_roles_on_domain', + domain_id=self.own_domain, + user_id=self.user_in_domain) + # other domain, group in other domain + self.do_request( + 'list_group_roles_on_domain', + domain_id=self.own_domain, + group_id=self.group_in_domain) + ##################################################### + # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN # + ##################################################### + # project in other domain, user in other domain + self.do_request( + 'list_user_roles_on_project', + project_id=self.project_in_domain, + user_id=self.user_other_domain) + # project in other domain, group in other domain + self.do_request( + 'list_group_roles_on_project', + project_id=self.project_in_domain, + group_id=self.group_other_domain) + # other domain, user in other domain + self.do_request( + 'list_user_roles_on_domain', + domain_id=self.own_domain, + user_id=self.user_other_domain) + # other domain, group in other domain + self.do_request( + 'list_group_roles_on_domain', + domain_id=self.own_domain, + group_id=self.group_other_domain) + ##################################################### + # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN # + ##################################################### + # project in other domain, user in other domain + self.do_request( + 'list_user_roles_on_project', + project_id=self.project_other_domain, + user_id=self.user_in_domain) + # project in other domain, group in other domain + self.do_request( + 'list_group_roles_on_project', + project_id=self.project_other_domain, + group_id=self.group_in_domain) + # other domain, user in other domain + self.do_request( + 'list_user_roles_on_domain', + domain_id=self.other_domain, + user_id=self.user_in_domain) + # other domain, group in other domain + self.do_request( + 'list_group_roles_on_domain', + domain_id=self.other_domain, + group_id=self.group_in_domain) + ####################################################### + # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN # + ####################################################### + # project in other domain, user in other domain + self.do_request( + 'list_user_roles_on_project', + project_id=self.project_other_domain, + user_id=self.user_other_domain) + # project in other domain, group in other domain + self.do_request( + 'list_group_roles_on_project', + project_id=self.project_other_domain, + group_id=self.group_other_domain) + # other domain, user in other domain + self.do_request( + 'list_user_roles_on_domain', + domain_id=self.other_domain, + user_id=self.user_other_domain) + # other domain, group in other domain + self.do_request( + 'list_group_roles_on_domain', + domain_id=self.other_domain, + group_id=self.group_other_domain) + + def test_identity_create_grant(self): + ################################################### + # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN # + ################################################### + # global role, project in own domain, user in own domain + self.do_request( + 'create_user_role_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_project, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, project in own domain, group in own domain + self.do_request( + 'create_group_role_on_project', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_project, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # global role, own domain, user in own domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, own domain, group in own domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # role in own domain, project in own domain, user in own domain + self.do_request( + 'create_user_role_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_project, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, project in own domain, group in own domain + self.do_request( + 'create_group_role_on_project', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_project, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in own domain, own domain, user in own domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, own domain, group in own domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in other domain, project in own domain, user in own domain + self.do_request( + 'create_user_role_on_project', + expected_status=exceptions.Forbidden, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, project in own domain, group in own domain + self.do_request( + 'create_group_role_on_project', + expected_status=exceptions.Forbidden, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + # role in other domain, own domain, user in own domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, own domain, group in own domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + ##################################################### + # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN # + ##################################################### + # global role, project in own domain, user in other domain + self.do_request( + 'create_user_role_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_project, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, project in own domain, group in other domain + self.do_request( + 'create_group_role_on_project', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_project, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # global role, own domain, user in other domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, own domain, group in other domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # role in own domain, project in own domain, user in other domain + self.do_request( + 'create_user_role_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_project, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, project in own domain, group in other domain + self.do_request( + 'create_group_role_on_project', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_project, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in own domain, own domain, user in other domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, own domain, group in other domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in other domain, project in own domain, user in other domain + self.do_request( + 'create_user_role_on_project', + expected_status=exceptions.Forbidden, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, project in own domain, group in other domain + self.do_request( + 'create_group_role_on_project', + expected_status=exceptions.Forbidden, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + # role in other domain, own domain, user in other domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # TODO(dmendiza): This test is a repeat form line 1705 + # Since grants are idempotent, after this second test there is only + # one object, which gets cleaned by the previous cleanup and makes + # the below cleanup fail. Not sure why we're testing the same + # data twice. Maybe we can delete this second test? + # self.addCleanup( + # self.admin_roles_client.delete_role_from_user_on_domain, + # domain_id=self.own_domain, + # user_id=self.user_other_domain, + # role_id=self.role_other_domain) + # role in other domain, own domain, group in other domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + # TODO(dmendiza): This test is also repeated from line 1710 + # self.addCleanup( + # self.admin_roles_client.delete_role_from_group_on_domain, + # domain_id=self.own_domain, + # group_id=self.group_other_domain, + # role_id=self.role_other_domain) + ##################################################### + # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN # + ##################################################### + # global role, project in other domain, user in own domain + self.do_request( + 'create_user_role_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_project, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, project in other domain, group in own domain + self.do_request( + 'create_group_role_on_project', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_project, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # global role, other domain, user in own domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, other domain, group in own domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # role in own domain, project in other domain, user in own domain + self.do_request( + 'create_user_role_on_project', + expected_status=exceptions.Forbidden, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, project in other domain, group in own domain + self.do_request( + 'create_group_role_on_project', + expected_status=exceptions.Forbidden, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, user in own domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, group in own domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in other domain, project in other domain, user in own domain + self.do_request( + 'create_user_role_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_project, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, project in other domain, group in own domain + self.do_request( + 'create_group_role_on_project', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_project, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, user in own domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, group in own domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + ####################################################### + # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN # + ####################################################### + # global role, project in other domain, user in other domain + self.do_request( + 'create_user_role_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_project, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, project in other domain, group in other domain + self.do_request( + 'create_group_role_on_project', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_project, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # global role, other domain, user in other domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, other domain, group in other domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # role in own domain, project in other domain, user in other domain + self.do_request( + 'create_user_role_on_project', + expected_status=exceptions.Forbidden, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, project in other domain, group in other domain + self.do_request( + 'create_group_role_on_project', + expected_status=exceptions.Forbidden, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, user in other domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, group in other domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in other domain, project in other domain, user in other domain + self.do_request( + 'create_user_role_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_project, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, project in other domain, group in other domain + self.do_request( + 'create_group_role_on_project', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_project, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, user in other domain + self.do_request( + 'create_user_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_domain, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, group in other domain + self.do_request( + 'create_group_role_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_domain, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + + def test_identity_revoke_grant(self): + ################################################### + # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN # + ################################################### + # global role, project in own domain, user in own domain + self.admin_roles_client.create_user_role_on_project( + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, project in own domain, group in own domain + self.admin_roles_client.create_group_role_on_project( + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_project', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # global role, own domain, user in own domain + self.admin_roles_client.create_user_role_on_domain( + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, own domain, group in own domain + self.admin_roles_client.create_group_role_on_domain( + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # role in own domain, project in own domain, user in own domain + self.admin_roles_client.create_user_role_on_project( + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + self.do_request( + 'delete_role_from_user_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, project in own domain, group in own domain + self.admin_roles_client.create_group_role_on_project( + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + self.do_request( + 'delete_role_from_group_on_project', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in own domain, own domain, user in own domain + self.admin_roles_client.create_user_role_on_domain( + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, own domain, group in own domain + self.admin_roles_client.create_group_role_on_domain( + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in other domain, project in own domain, user in own domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_user_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_in_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, project in own domain, group in own domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_group_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_in_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + # role in other domain, own domain, user in own domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.own_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, own domain, group in own domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.own_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + ##################################################### + # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN # + ##################################################### + # global role, project in own domain, user in other domain + self.admin_roles_client.create_user_role_on_project( + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, project in own domain, group in other domain + self.admin_roles_client.create_group_role_on_project( + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_project', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # global role, own domain, user in other domain + self.admin_roles_client.create_user_role_on_domain( + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, own domain, group in other domain + self.admin_roles_client.create_group_role_on_domain( + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # role in own domain, project in own domain, user in other domain + self.admin_roles_client.create_user_role_on_project( + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + self.do_request( + 'delete_role_from_user_on_project', + expected_status=204, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, project in own domain, group in other domain + self.admin_roles_client.create_group_role_on_project( + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + self.do_request( + 'delete_role_from_group_on_project', + expected_status=204, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in own domain, own domain, user in other domain + self.admin_roles_client.create_user_role_on_domain( + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=204, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, own domain, group in other domain + self.admin_roles_client.create_group_role_on_domain( + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=204, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in other domain, project in own domain, user in other domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_user_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_in_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, project in own domain, group in other domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_group_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_in_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + # role in other domain, own domain, user in other domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.own_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, own domain, group in other domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.own_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + ##################################################### + # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN # + ##################################################### + # global role, project in other domain, user in own domain + self.admin_roles_client.create_user_role_on_project( + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, project in other domain, group in own domain + self.admin_roles_client.create_group_role_on_project( + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_project', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # global role, other domain, user in own domain + self.admin_roles_client.create_user_role_on_domain( + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_id) + # global role, other domain, group in own domain + self.admin_roles_client.create_group_role_on_domain( + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_id) + # role in own domain, project in other domain, user in own domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_user_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, project in other domain, group in own domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_group_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, user in own domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, group in own domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_own_domain) + # role in other domain, project in other domain, user in own domain + self.admin_roles_client.create_user_role_on_project( + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + self.do_request( + 'delete_role_from_user_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, project in other domain, group in own domain + self.admin_roles_client.create_group_role_on_project( + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + self.do_request( + 'delete_role_from_group_on_project', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, user in own domain + self.admin_roles_client.create_user_role_on_domain( + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_in_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, group in own domain + self.admin_roles_client.create_group_role_on_domain( + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_in_domain, + role_id=self.role_other_domain) + ####################################################### + # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN # + ####################################################### + # global role, project in other domain, user in other domain + self.admin_roles_client.create_user_role_on_project( + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, project in other domain, group in other domain + self.admin_roles_client.create_group_role_on_project( + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_project', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # global role, other domain, user in other domain + self.admin_roles_client.create_user_role_on_domain( + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_id) + # global role, other domain, group in other domain + self.admin_roles_client.create_group_role_on_domain( + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_id) + # role in own domain, project in other domain, user in other domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_user_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, project in other domain, group in other domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_group_on_project', + expected_status=exceptions.NotFound, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, user in other domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_own_domain) + # role in own domain, other domain, group in other domain + # role assignment does not exist, should 404 + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=exceptions.NotFound, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_own_domain) + # role in other domain, project in other domain, user in other domain + self.admin_roles_client.create_user_role_on_project( + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + self.do_request( + 'delete_role_from_user_on_project', + expected_status=204, + project_id=self.project_other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, project in other domain, group in other domain + self.admin_roles_client.create_group_role_on_project( + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + self.do_request( + 'delete_role_from_group_on_project', + expected_status=204, + project_id=self.project_other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, user in other domain + self.admin_roles_client.create_user_role_on_domain( + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + self.do_request( + 'delete_role_from_user_on_domain', + expected_status=204, + domain_id=self.other_domain, + user_id=self.user_other_domain, + role_id=self.role_other_domain) + # role in other domain, other domain, group in other domain + self.admin_roles_client.create_group_role_on_domain( + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + self.do_request( + 'delete_role_from_group_on_domain', + expected_status=204, + domain_id=self.other_domain, + group_id=self.group_other_domain, + role_id=self.role_other_domain) + + def test_identity_list_system_grants_for_user(self): + self.do_request('list_user_roles_on_system', + expected_status=exceptions.Forbidden, + user_id=self.user_other_domain) + self.do_request('list_user_roles_on_system', + expected_status=exceptions.Forbidden, + user_id=self.user_other_domain) + + def test_identity_check_system_grant_for_user(self): + self.do_request('check_user_role_existence_on_system', + exceptions.Forbidden, + user_id=self.user_other_domain, + role_id=self.role_id) + self.do_request('check_user_role_existence_on_system', + exceptions.Forbidden, + user_id=self.user_other_domain, + role_id=self.role_id) + + def test_identity_create_system_grant_for_user(self): + self.do_request( + 'create_user_role_on_system', + expected_status=exceptions.Forbidden, + user_id=self.user_in_domain, + role_id=self.role_id) + self.do_request( + 'create_user_role_on_system', + expected_status=exceptions.Forbidden, + user_id=self.user_other_domain, + role_id=self.role_id) + + def test_identity_revoke_system_grant_for_user(self): + # user in own domain + self.admin_roles_client.create_user_role_on_system( + user_id=self.user_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_system, + user_id=self.user_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_system', + expected_status=exceptions.Forbidden, + user_id=self.user_in_domain, + role_id=self.role_id) + # user in other domain + self.admin_roles_client.create_user_role_on_system( + user_id=self.user_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_user_on_system, + user_id=self.user_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_user_on_system', + expected_status=exceptions.Forbidden, + user_id=self.user_other_domain, + role_id=self.role_id) + + def test_identity_list_system_grants_for_group(self): + self.do_request('list_group_roles_on_system', + expected_status=exceptions.Forbidden, + group_id=self.group_in_domain) + self.do_request('list_group_roles_on_system', + expected_status=exceptions.Forbidden, + group_id=self.group_other_domain) + + def test_identity_check_system_grant_for_group(self): + self.do_request('check_role_from_group_on_system_existence', + exceptions.Forbidden, + group_id=self.group_other_domain, + role_id=self.role_id) + self.do_request('check_role_from_group_on_system_existence', + exceptions.Forbidden, + group_id=self.group_other_domain, + role_id=self.role_id) + + def test_identity_create_system_grant_for_group(self): + self.do_request( + 'create_group_role_on_system', + expected_status=exceptions.Forbidden, + group_id=self.group_in_domain, + role_id=self.role_id) + self.do_request( + 'create_group_role_on_system', + expected_status=exceptions.Forbidden, + group_id=self.group_other_domain, + role_id=self.role_id) + + def test_identity_revoke_system_grant_for_group(self): + # group in own domain + self.admin_roles_client.create_group_role_on_system( + group_id=self.group_in_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_system, + group_id=self.group_in_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_system', + expected_status=exceptions.Forbidden, + group_id=self.group_in_domain, + role_id=self.role_id) + # group in other domain + self.admin_roles_client.create_group_role_on_system( + group_id=self.group_other_domain, + role_id=self.role_id) + self.addCleanup( + self.admin_roles_client.delete_role_from_group_on_system, + group_id=self.group_other_domain, + role_id=self.role_id) + self.do_request( + 'delete_role_from_group_on_system', + expected_status=exceptions.Forbidden, + group_id=self.group_other_domain, + role_id=self.role_id) + + +class DomainMemberTests(DomainAdminTests): + + credentials = ['domain_member', 'system_admin'] + def test_identity_check_grant(self): ################################################### # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN # @@ -1593,971 +3224,6 @@ class DomainAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest): domain_id=self.other_domain, group_id=self.group_other_domain) - def test_identity_create_grant(self): - ################################################### - # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN # - ################################################### - # global role, project in own domain, user in own domain - self.do_request( - 'create_user_role_on_project', - expected_status=204, - project_id=self.project_in_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - # global role, project in own domain, group in own domain - self.do_request( - 'create_group_role_on_project', - expected_status=204, - project_id=self.project_in_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - # global role, own domain, user in own domain - self.do_request( - 'create_user_role_on_domain', - expected_status=204, - domain_id=self.own_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - # global role, own domain, group in own domain - self.do_request( - 'create_group_role_on_domain', - expected_status=204, - domain_id=self.own_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - # role in own domain, project in own domain, user in own domain - self.do_request( - 'create_user_role_on_project', - expected_status=204, - project_id=self.project_in_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - # role in own domain, project in own domain, group in own domain - self.do_request( - 'create_group_role_on_project', - expected_status=204, - project_id=self.project_in_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - # role in own domain, own domain, user in own domain - self.do_request( - 'create_user_role_on_domain', - expected_status=204, - domain_id=self.own_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - # role in own domain, own domain, group in own domain - self.do_request( - 'create_group_role_on_domain', - expected_status=204, - domain_id=self.own_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - # role in other domain, project in own domain, user in own domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, project in own domain, group in own domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - # role in other domain, own domain, user in own domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, own domain, group in own domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - ##################################################### - # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN # - ##################################################### - # global role, project in own domain, user in other domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - # global role, project in own domain, group in other domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - # global role, own domain, user in other domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - # global role, own domain, group in other domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - # role in own domain, project in own domain, user in other domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - # role in own domain, project in own domain, group in other domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - # role in own domain, own domain, user in other domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - # role in own domain, own domain, group in other domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - # role in other domain, project in own domain, user in other domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, project in own domain, group in other domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - # role in other domain, own domain, user in other domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, own domain, group in other domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - ##################################################### - # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN # - ##################################################### - # global role, project in other domain, user in own domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - # global role, project in other domain, group in own domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - # global role, other domain, user in own domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - # global role, other domain, group in own domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - # role in own domain, project in other domain, user in own domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - # role in own domain, project in other domain, group in own domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - # role in own domain, other domain, user in own domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - # role in own domain, other domain, group in own domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - # role in other domain, project in other domain, user in own domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_in_domain, - role_id=self.role_other_domain) - # role in other domain, project in other domain, group in own domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_in_domain, - role_id=self.role_other_domain) - # role in other domain, other domain, user in own domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_in_domain, - role_id=self.role_other_domain) - # role in other domain, other domain, group in own domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_in_domain, - role_id=self.role_other_domain) - ####################################################### - # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN # - ####################################################### - # global role, project in other domain, user in other domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - # global role, project in other domain, group in other domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - # global role, other domain, user in other domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - # global role, other domain, group in other domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - # role in own domain, project in other domain, user in other domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - # role in own domain, project in other domain, group in other domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - # role in own domain, other domain, user in other domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - # role in own domain, other domain, group in other domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - # role in other domain, project in other domain, user in other domain - self.do_request( - 'create_user_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, project in other domain, group in other domain - self.do_request( - 'create_group_role_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - # role in other domain, other domain, user in other domain - self.do_request( - 'create_user_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, other domain, group in other domain - self.do_request( - 'create_group_role_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - - def test_identity_revoke_grant(self): - ################################################### - # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN # - ################################################### - # global role, project in own domain, user in own domain - self.admin_roles_client.create_user_role_on_project( - project_id=self.project_in_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_project', - expected_status=204, - project_id=self.project_in_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - # global role, project in own domain, group in own domain - self.admin_roles_client.create_group_role_on_project( - project_id=self.project_in_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_project', - expected_status=204, - project_id=self.project_in_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - # global role, own domain, user in own domain - self.admin_roles_client.create_user_role_on_domain( - domain_id=self.own_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=204, - domain_id=self.own_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - # global role, own domain, group in own domain - self.admin_roles_client.create_group_role_on_domain( - domain_id=self.own_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=204, - domain_id=self.own_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - # role in own domain, project in own domain, user in own domain - self.admin_roles_client.create_user_role_on_project( - project_id=self.project_in_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - self.do_request( - 'delete_role_from_user_on_project', - expected_status=204, - project_id=self.project_in_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - # role in own domain, project in own domain, group in own domain - self.admin_roles_client.create_group_role_on_project( - project_id=self.project_in_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - self.do_request( - 'delete_role_from_group_on_project', - expected_status=204, - project_id=self.project_in_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - # role in own domain, own domain, user in own domain - self.admin_roles_client.create_user_role_on_domain( - domain_id=self.own_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=204, - domain_id=self.own_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - # role in own domain, own domain, group in own domain - self.admin_roles_client.create_group_role_on_domain( - domain_id=self.own_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=204, - domain_id=self.own_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - # role in other domain, project in own domain, user in own domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - user_id=self.user_in_domain, - role_id=self.role_other_domain) - # role in other domain, project in own domain, group in own domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - group_id=self.group_in_domain, - role_id=self.role_other_domain) - # role in other domain, own domain, user in own domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - user_id=self.user_in_domain, - role_id=self.role_other_domain) - # role in other domain, own domain, group in own domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - group_id=self.group_in_domain, - role_id=self.role_other_domain) - ##################################################### - # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN # - ##################################################### - # global role, project in own domain, user in other domain - self.admin_roles_client.create_user_role_on_project( - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - # global role, project in own domain, group in other domain - self.admin_roles_client.create_group_role_on_project( - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - # global role, own domain, user in other domain - self.admin_roles_client.create_user_role_on_domain( - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - # global role, own domain, group in other domain - self.admin_roles_client.create_group_role_on_domain( - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - # role in own domain, project in own domain, user in other domain - self.admin_roles_client.create_user_role_on_project( - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - # role in own domain, project in own domain, group in other domain - self.admin_roles_client.create_group_role_on_project( - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - # role in own domain, own domain, user in other domain - self.admin_roles_client.create_user_role_on_domain( - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - # role in own domain, own domain, group in other domain - self.admin_roles_client.create_group_role_on_domain( - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - # role in other domain, project in own domain, user in other domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, project in own domain, group in other domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_in_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - # role in other domain, own domain, user in other domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, own domain, group in other domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.own_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - ##################################################### - # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN # - ##################################################### - # global role, project in other domain, user in own domain - self.admin_roles_client.create_user_role_on_project( - project_id=self.project_other_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - # global role, project in other domain, group in own domain - self.admin_roles_client.create_group_role_on_project( - project_id=self.project_other_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - # global role, other domain, user in own domain - self.admin_roles_client.create_user_role_on_domain( - domain_id=self.other_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_in_domain, - role_id=self.role_id) - # global role, other domain, group in own domain - self.admin_roles_client.create_group_role_on_domain( - domain_id=self.other_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_in_domain, - role_id=self.role_id) - # role in own domain, project in other domain, user in own domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - # role in own domain, project in other domain, group in own domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - # role in own domain, other domain, user in own domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_in_domain, - role_id=self.role_own_domain) - # role in own domain, other domain, group in own domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_in_domain, - role_id=self.role_own_domain) - # role in other domain, project in other domain, user in own domain - self.admin_roles_client.create_user_role_on_project( - project_id=self.project_other_domain, - user_id=self.user_in_domain, - role_id=self.role_other_domain) - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_in_domain, - role_id=self.role_other_domain) - # role in other domain, project in other domain, group in own domain - self.admin_roles_client.create_group_role_on_project( - project_id=self.project_other_domain, - group_id=self.group_in_domain, - role_id=self.role_other_domain) - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_in_domain, - role_id=self.role_other_domain) - # role in other domain, other domain, user in own domain - self.admin_roles_client.create_user_role_on_domain( - domain_id=self.other_domain, - user_id=self.user_in_domain, - role_id=self.role_other_domain) - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_in_domain, - role_id=self.role_other_domain) - # role in other domain, other domain, group in own domain - self.admin_roles_client.create_group_role_on_domain( - domain_id=self.other_domain, - group_id=self.group_in_domain, - role_id=self.role_other_domain) - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_in_domain, - role_id=self.role_other_domain) - ####################################################### - # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN # - ####################################################### - # global role, project in other domain, user in other domain - self.admin_roles_client.create_user_role_on_project( - project_id=self.project_other_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - # global role, project in other domain, group in other domain - self.admin_roles_client.create_group_role_on_project( - project_id=self.project_other_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - # global role, other domain, user in other domain - self.admin_roles_client.create_user_role_on_domain( - domain_id=self.other_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_other_domain, - role_id=self.role_id) - # global role, other domain, group in other domain - self.admin_roles_client.create_group_role_on_domain( - domain_id=self.other_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_other_domain, - role_id=self.role_id) - # role in own domain, project in other domain, user in other domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - # role in own domain, project in other domain, group in other domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - # role in own domain, other domain, user in other domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_other_domain, - role_id=self.role_own_domain) - # role in own domain, other domain, group in other domain - # role assignment does not exist, should 403 - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_other_domain, - role_id=self.role_own_domain) - # role in other domain, project in other domain, user in other domain - self.admin_roles_client.create_user_role_on_project( - project_id=self.project_other_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - self.do_request( - 'delete_role_from_user_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, project in other domain, group in other domain - self.admin_roles_client.create_group_role_on_project( - project_id=self.project_other_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - self.do_request( - 'delete_role_from_group_on_project', - expected_status=exceptions.Forbidden, - project_id=self.project_other_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - # role in other domain, other domain, user in other domain - self.admin_roles_client.create_user_role_on_domain( - domain_id=self.other_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - self.do_request( - 'delete_role_from_user_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - user_id=self.user_other_domain, - role_id=self.role_other_domain) - # role in other domain, other domain, group in other domain - self.admin_roles_client.create_group_role_on_domain( - domain_id=self.other_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - self.do_request( - 'delete_role_from_group_on_domain', - expected_status=exceptions.Forbidden, - domain_id=self.other_domain, - group_id=self.group_other_domain, - role_id=self.role_other_domain) - - def test_identity_list_system_grants_for_user(self): - self.do_request('list_user_roles_on_system', - expected_status=exceptions.Forbidden, - user_id=self.user_other_domain) - self.do_request('list_user_roles_on_system', - expected_status=exceptions.Forbidden, - user_id=self.user_other_domain) - - def test_identity_check_system_grant_for_user(self): - self.do_request('check_user_role_existence_on_system', - exceptions.Forbidden, - user_id=self.user_other_domain, - role_id=self.role_id) - self.do_request('check_user_role_existence_on_system', - exceptions.Forbidden, - user_id=self.user_other_domain, - role_id=self.role_id) - - def test_identity_create_system_grant_for_user(self): - self.do_request( - 'create_user_role_on_system', - expected_status=exceptions.Forbidden, - user_id=self.user_in_domain, - role_id=self.role_id) - self.do_request( - 'create_user_role_on_system', - expected_status=exceptions.Forbidden, - user_id=self.user_other_domain, - role_id=self.role_id) - - def test_identity_revoke_system_grant_for_user(self): - # user in own domain - self.admin_roles_client.create_user_role_on_system( - user_id=self.user_in_domain, - role_id=self.role_id) - self.addCleanup( - self.admin_roles_client.delete_role_from_user_on_system, - user_id=self.user_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_system', - expected_status=exceptions.Forbidden, - user_id=self.user_in_domain, - role_id=self.role_id) - # user in other domain - self.admin_roles_client.create_user_role_on_system( - user_id=self.user_other_domain, - role_id=self.role_id) - self.addCleanup( - self.admin_roles_client.delete_role_from_user_on_system, - user_id=self.user_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_user_on_system', - expected_status=exceptions.Forbidden, - user_id=self.user_other_domain, - role_id=self.role_id) - - def test_identity_list_system_grants_for_group(self): - self.do_request('list_group_roles_on_system', - expected_status=exceptions.Forbidden, - group_id=self.group_in_domain) - self.do_request('list_group_roles_on_system', - expected_status=exceptions.Forbidden, - group_id=self.group_other_domain) - - def test_identity_check_system_grant_for_group(self): - self.do_request('check_role_from_group_on_system_existence', - exceptions.Forbidden, - group_id=self.group_other_domain, - role_id=self.role_id) - self.do_request('check_role_from_group_on_system_existence', - exceptions.Forbidden, - group_id=self.group_other_domain, - role_id=self.role_id) - - def test_identity_create_system_grant_for_group(self): - self.do_request( - 'create_group_role_on_system', - expected_status=exceptions.Forbidden, - group_id=self.group_in_domain, - role_id=self.role_id) - self.do_request( - 'create_group_role_on_system', - expected_status=exceptions.Forbidden, - group_id=self.group_other_domain, - role_id=self.role_id) - - def test_identity_revoke_system_grant_for_group(self): - # group in own domain - self.admin_roles_client.create_group_role_on_system( - group_id=self.group_in_domain, - role_id=self.role_id) - self.addCleanup( - self.admin_roles_client.delete_role_from_group_on_system, - group_id=self.group_in_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_system', - expected_status=exceptions.Forbidden, - group_id=self.group_in_domain, - role_id=self.role_id) - # group in other domain - self.admin_roles_client.create_group_role_on_system( - group_id=self.group_other_domain, - role_id=self.role_id) - self.addCleanup( - self.admin_roles_client.delete_role_from_group_on_system, - group_id=self.group_other_domain, - role_id=self.role_id) - self.do_request( - 'delete_role_from_group_on_system', - expected_status=exceptions.Forbidden, - group_id=self.group_other_domain, - role_id=self.role_id) - - -class DomainMemberTests(DomainAdminTests): - - credentials = ['domain_member', 'system_admin'] - def test_identity_create_grant(self): ################################################### # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN # @@ -3448,10 +4114,15 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] + +class ProjectMemberTests(ProjectAdminTests): + + credentials = ['project_member', 'system_admin'] + def test_identity_check_grant(self): # global role, arbitrary project, arbitrary user self.do_request( @@ -3789,11 +4460,6 @@ class ProjectAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest): role_id=self.role_id) -class ProjectMemberTests(ProjectAdminTests): - - credentials = ['project_member', 'system_admin'] - - class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_group.py b/keystone_tempest_plugin/tests/rbac/v3/test_group.py index c3ce1d9..d62e801 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_group.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_group.py @@ -422,20 +422,87 @@ class SystemReaderTests(SystemMemberTests): credentials = ['system_reader', 'system_admin'] -class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest): +class DomainAdminTests(SystemAdminTests): credentials = ['domain_admin', 'system_admin'] + def test_identity_list_groups(self): + group1 = self.admin_groups_client.create_group( + **self.group(domain_id=self.own_domain))['group'] + self.addCleanup(self.admin_groups_client.delete_group, group1['id']) + group2 = self.admin_groups_client.create_group( + **self.group(domain_id=self.other_domain))['group'] + self.addCleanup(self.admin_groups_client.delete_group, group2['id']) + resp = self.do_request('list_groups') + # user can get groups in own domain + self.assertIn(group1['id'], set(g['id'] for g in resp['groups'])) + # user cannot get groups in other domain + self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups'])) + + def test_identity_list_groups_for_user(self): + group1 = self.admin_groups_client.create_group( + **self.group(domain_id=self.own_domain))['group'] + self.addCleanup(self.admin_groups_client.delete_group, group1['id']) + user1 = self.admin_client.users_v3_client.create_user( + name=data_utils.rand_name('user'), + domain_id=self.own_domain)['user'] + self.addCleanup(self.admin_client.users_v3_client.delete_user, + user1['id']) + group2 = self.admin_groups_client.create_group( + **self.group(domain_id=self.other_domain))['group'] + self.addCleanup(self.admin_groups_client.delete_group, group2['id']) + user2 = self.admin_client.users_v3_client.create_user( + name=data_utils.rand_name('user'), + domain_id=self.other_domain)['user'] + self.addCleanup(self.admin_client.users_v3_client.delete_user, + user2['id']) + self.admin_groups_client.add_group_user(group1['id'], user1['id']) + self.admin_groups_client.add_group_user(group1['id'], user2['id']) + self.admin_groups_client.add_group_user(group2['id'], user1['id']) + self.admin_groups_client.add_group_user(group2['id'], user2['id']) + resp = self.do_request('list_user_groups', client=self.users_client, + user_id=user1['id']) + # user can list groups in own domain for user in own domain + self.assertIn(group1['id'], set(g['id'] for g in resp['groups'])) + # user cannot list groups in other domain for user in own domain + self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups'])) + # user cannot list groups for user in other domain + resp = self.do_request('list_user_groups', client=self.users_client, + user_id=user2['id']) + self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups'])) + # user gets a 404 for nonexistent user + self.do_request('list_user_groups', client=self.users_client, + expected_status=exceptions.NotFound, + user_id='fakeuser') + + def test_identity_list_users_in_group(self): + group = self.admin_groups_client.create_group(**self.group())['group'] + self.addCleanup(self.admin_groups_client.delete_group, group['id']) + user = self.admin_client.users_v3_client.create_user( + name=data_utils.rand_name('user'))['user'] + self.addCleanup(self.admin_client.users_v3_client.delete_user, + user['id']) + self.admin_groups_client.add_group_user(group['id'], user['id']) + resp = self.do_request('list_group_users', group_id=group['id']) + user_ids = set(u['id'] for u in resp['users']) + # request is allowed but the user will get filtered out on domain + # scoped request + self.assertEqual(0, len(user_ids)) + + +class DomainMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest): + + credentials = ['domain_member', 'system_admin'] + def test_identity_create_group(self): - # user can create group in own domain - resp = self.do_request('create_group', expected_status=201, - **self.group(domain_id=self.own_domain)) - self.addCleanup(self.admin_groups_client.delete_group, - resp['group']['id']) + # user cannot create group in own domain + self.do_request('create_group', + expected_status=exceptions.Forbidden, + **self.group(domain_id=self.own_domain)) # user cannot create group in another domain - resp = self.do_request('create_group', - expected_status=exceptions.Forbidden, - **self.group(domain_id=self.other_domain)) + self.do_request('create_group', + expected_status=exceptions.Forbidden, + **self.group(domain_id=self.other_domain)) def test_identity_get_group(self): group = self.admin_groups_client.create_group( @@ -509,12 +576,13 @@ class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest): group2 = self.admin_groups_client.create_group( **self.group(domain_id=self.other_domain))['group'] self.addCleanup(self.admin_groups_client.delete_group, group2['id']) - # user can update a group in own domain + # user cannot update a group in own domain group_update = { 'group_id': group1['id'], 'description': data_utils.arbitrary_string } - self.do_request('update_group', **group_update) + self.do_request('update_group', expected_status=exceptions.Forbidden, + **group_update) # user cannot update a group in other domain group_update = { 'group_id': group2['id'], @@ -536,8 +604,8 @@ class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest): group2 = self.admin_groups_client.create_group( **self.group(domain_id=self.other_domain))['group'] self.addCleanup(self.admin_groups_client.delete_group, group2['id']) - # user can delete a group in own domain - self.do_request('delete_group', expected_status=204, + # user cannot delete a group in own domain + self.do_request('delete_group', expected_status=exceptions.Forbidden, group_id=group1['id']) # user cannot delete a group in other domain self.do_request('delete_group', expected_status=exceptions.Forbidden, @@ -577,197 +645,6 @@ class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest): expected_status=exceptions.Forbidden, group_id=group2['id']) - def test_identity_add_user_to_group(self): - group1 = self.admin_groups_client.create_group( - **self.group(self.own_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group1['id']) - group2 = self.admin_groups_client.create_group( - **self.group(self.other_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group2['id']) - user1 = self.admin_client.users_v3_client.create_user( - name=data_utils.rand_name('user'), - domain_id=self.own_domain)['user'] - self.addCleanup(self.admin_client.users_v3_client.delete_user, - user1['id']) - user2 = self.admin_client.users_v3_client.create_user( - name=data_utils.rand_name('user'), - domain_id=self.own_domain)['user'] - self.addCleanup(self.admin_client.users_v3_client.delete_user, - user2['id']) - # user can add a user in own domain to a group in own domain - self.do_request('add_group_user', expected_status=204, - group_id=group1['id'], user_id=user1['id']) - # user can add a user in another domain to a group in own domain - self.do_request('add_group_user', expected_status=204, - group_id=group1['id'], user_id=user2['id']) - # user cannot add a user in own domain to a group in another domain - self.do_request('add_group_user', expected_status=exceptions.Forbidden, - group_id=group2['id'], user_id=user1['id']) - # user cannot add a user in another domain to a group in another domain - self.do_request('add_group_user', expected_status=exceptions.Forbidden, - group_id=group2['id'], user_id=user2['id']) - # user gets a 403 for nonexistent group - self.do_request('add_group_user', expected_status=exceptions.Forbidden, - group_id='fakegroup', user_id=user1['id']) - # user gets a 403 for nonexistent user - self.do_request('add_group_user', expected_status=exceptions.Forbidden, - group_id=group1['id'], user_id='fakeuser') - - def test_identity_remove_user_from_group(self): - group1 = self.admin_groups_client.create_group( - **self.group(self.own_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group1['id']) - group2 = self.admin_groups_client.create_group( - **self.group(self.other_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group2['id']) - user1 = self.admin_client.users_v3_client.create_user( - name=data_utils.rand_name('user'), - domain_id=self.own_domain)['user'] - self.addCleanup(self.admin_client.users_v3_client.delete_user, - user1['id']) - user2 = self.admin_client.users_v3_client.create_user( - name=data_utils.rand_name('user'), - domain_id=self.own_domain)['user'] - self.addCleanup(self.admin_client.users_v3_client.delete_user, - user2['id']) - self.admin_groups_client.add_group_user(group1['id'], user1['id']) - self.admin_groups_client.add_group_user(group1['id'], user2['id']) - self.admin_groups_client.add_group_user(group2['id'], user1['id']) - self.admin_groups_client.add_group_user(group2['id'], user2['id']) - # user can remove a user in own domain from a group in own domain - self.do_request('delete_group_user', expected_status=204, - group_id=group1['id'], user_id=user1['id']) - # user can remove a user in another domain from a group in own - # domain - self.do_request('delete_group_user', expected_status=204, - group_id=group1['id'], user_id=user2['id']) - # user cannot remove a user in own domain from a group in another - # domain - self.do_request('delete_group_user', - expected_status=exceptions.Forbidden, - group_id=group2['id'], user_id=user1['id']) - # user cannot remove a user in another domain from a group in another - # domain - self.do_request('delete_group_user', - expected_status=exceptions.Forbidden, - group_id=group2['id'], user_id=user2['id']) - # user gets a 403 for nonexistent group - self.do_request('delete_group_user', - expected_status=exceptions.Forbidden, - group_id='fakegroup', user_id=user1['id']) - # user gets a 403 for nonexistent user - self.do_request('delete_group_user', - expected_status=exceptions.Forbidden, - group_id=group1['id'], user_id='fakeuser') - - def test_identity_check_user_in_group(self): - group1 = self.admin_groups_client.create_group( - **self.group(self.own_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group1['id']) - group2 = self.admin_groups_client.create_group( - **self.group(self.other_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group2['id']) - user1 = self.admin_client.users_v3_client.create_user( - name=data_utils.rand_name('user'), - domain_id=self.own_domain)['user'] - self.addCleanup(self.admin_client.users_v3_client.delete_user, - user1['id']) - user2 = self.admin_client.users_v3_client.create_user( - name=data_utils.rand_name('user'), - domain_id=self.own_domain)['user'] - self.addCleanup(self.admin_client.users_v3_client.delete_user, - user2['id']) - self.admin_groups_client.add_group_user(group1['id'], user1['id']) - self.admin_groups_client.add_group_user(group1['id'], user2['id']) - self.admin_groups_client.add_group_user(group2['id'], user1['id']) - self.admin_groups_client.add_group_user(group2['id'], user2['id']) - # user can check if a user in own domain is in a group in own domain - self.do_request('check_group_user_existence', expected_status=204, - group_id=group1['id'], user_id=user1['id']) - # user can check if a user in another domain is in a group in own - # domain - self.do_request('check_group_user_existence', - expected_status=204, - group_id=group1['id'], user_id=user2['id']) - # user cannot check if a user in own domain is in a group in another - # domain - self.do_request('check_group_user_existence', - expected_status=exceptions.Forbidden, - group_id=group2['id'], user_id=user1['id']) - # user cannot check if a user in another domain is in a group in - # another domain - self.do_request('check_group_user_existence', - expected_status=exceptions.Forbidden, - group_id=group2['id'], user_id=user2['id']) - # user gets a 403 for nonexistent group - self.do_request('check_group_user_existence', - expected_status=exceptions.Forbidden, - group_id='fakegroup', user_id=user1['id']) - # user gets a 403 for nonexistent user - self.do_request('check_group_user_existence', - expected_status=exceptions.Forbidden, - group_id=group1['id'], user_id='fakeuser') - - -class DomainMemberTests(DomainAdminTests): - - credentials = ['domain_member', 'system_admin'] - - def test_identity_create_group(self): - # user cannot create group in own domain - self.do_request('create_group', - expected_status=exceptions.Forbidden, - **self.group(domain_id=self.own_domain)) - # user cannot create group in another domain - self.do_request('create_group', - expected_status=exceptions.Forbidden, - **self.group(domain_id=self.other_domain)) - - def test_identity_update_group(self): - group1 = self.admin_groups_client.create_group( - **self.group(domain_id=self.own_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group1['id']) - group2 = self.admin_groups_client.create_group( - **self.group(domain_id=self.other_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group2['id']) - # user cannot update a group in own domain - group_update = { - 'group_id': group1['id'], - 'description': data_utils.arbitrary_string - } - self.do_request('update_group', expected_status=exceptions.Forbidden, - **group_update) - # user cannot update a group in other domain - group_update = { - 'group_id': group2['id'], - 'description': data_utils.arbitrary_string - } - self.do_request('update_group', expected_status=exceptions.Forbidden, - **group_update) - # user gets a 403 for nonexistent group - group_update = { - 'group_id': 'fakegroup', - 'description': data_utils.arbitrary_string - } - self.do_request('update_group', expected_status=exceptions.Forbidden, - **group_update) - - def test_identity_delete_group(self): - group1 = self.admin_groups_client.create_group( - **self.group(domain_id=self.own_domain))['group'] - group2 = self.admin_groups_client.create_group( - **self.group(domain_id=self.other_domain))['group'] - self.addCleanup(self.admin_groups_client.delete_group, group2['id']) - # user cannot delete a group in own domain - self.do_request('delete_group', expected_status=exceptions.Forbidden, - group_id=group1['id']) - # user cannot delete a group in other domain - self.do_request('delete_group', expected_status=exceptions.Forbidden, - group_id=group2['id']) - # user gets a 404 for nonexistent group - self.do_request('delete_group', expected_status=exceptions.NotFound, - group_id='fakegroup') - def test_identity_add_user_to_group(self): group1 = self.admin_groups_client.create_group( **self.group(self.own_domain))['group'] @@ -853,16 +730,69 @@ class DomainMemberTests(DomainAdminTests): expected_status=exceptions.Forbidden, group_id=group1['id'], user_id='fakeuser') + def test_identity_check_user_in_group(self): + group1 = self.admin_groups_client.create_group( + **self.group(self.own_domain))['group'] + self.addCleanup(self.admin_groups_client.delete_group, group1['id']) + group2 = self.admin_groups_client.create_group( + **self.group(self.other_domain))['group'] + self.addCleanup(self.admin_groups_client.delete_group, group2['id']) + user1 = self.admin_client.users_v3_client.create_user( + name=data_utils.rand_name('user'), + domain_id=self.own_domain)['user'] + self.addCleanup(self.admin_client.users_v3_client.delete_user, + user1['id']) + user2 = self.admin_client.users_v3_client.create_user( + name=data_utils.rand_name('user'), + domain_id=self.own_domain)['user'] + self.addCleanup(self.admin_client.users_v3_client.delete_user, + user2['id']) + self.admin_groups_client.add_group_user(group1['id'], user1['id']) + self.admin_groups_client.add_group_user(group1['id'], user2['id']) + self.admin_groups_client.add_group_user(group2['id'], user1['id']) + self.admin_groups_client.add_group_user(group2['id'], user2['id']) + # user can check if a user in own domain is in a group in own domain + self.do_request('check_group_user_existence', expected_status=204, + group_id=group1['id'], user_id=user1['id']) + # user can check if a user in another domain is in a group in own + # domain + self.do_request('check_group_user_existence', + expected_status=204, + group_id=group1['id'], user_id=user2['id']) + # user cannot check if a user in own domain is in a group in another + # domain + self.do_request('check_group_user_existence', + expected_status=exceptions.Forbidden, + group_id=group2['id'], user_id=user1['id']) + # user cannot check if a user in another domain is in a group in + # another domain + self.do_request('check_group_user_existence', + expected_status=exceptions.Forbidden, + group_id=group2['id'], user_id=user2['id']) + # user gets a 403 for nonexistent group + self.do_request('check_group_user_existence', + expected_status=exceptions.Forbidden, + group_id='fakegroup', user_id=user1['id']) + # user gets a 403 for nonexistent user + self.do_request('check_group_user_existence', + expected_status=exceptions.Forbidden, + group_id=group1['id'], user_id='fakeuser') + class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] + +class ProjectMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest): + + credentials = ['project_member', 'system_admin'] + def test_identity_create_group(self): # user cannot create group in own domain self.do_request('create_group', expected_status=exceptions.Forbidden, @@ -1142,11 +1072,6 @@ class ProjectAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest): group_id=group1['id'], user_id='fakeuser') -class ProjectMemberTests(ProjectAdminTests): - - credentials = ['project_member', 'system_admin'] - - -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py b/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py index 819508c..fa6d9c1 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py @@ -268,16 +268,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py index 73765e4..f73d510 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py @@ -242,16 +242,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py index d2efc6c..456b850 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py @@ -184,7 +184,8 @@ class SystemAdminTests(IdentityV3RbacLimitTests, base.BaseIdentityTest): def test_identity_list_limits(self): reg_limit_id = self.admin_limits_client.create_limits( - payload=self.limits())['limits'][0]['id'] + payload=self.limits(project_id=self.persona.credentials.project_id) + )['limits'][0]['id'] self.addCleanup( self.admin_limits_client.delete_limit, limit_id=reg_limit_id) @@ -303,20 +304,8 @@ class DomainAdminTests(IdentityV3RbacLimitTests, base.BaseIdentityTest): self.addCleanup( self.admin_limits_client.delete_limit, limit_id=reg_limit_1) - # project in own domain - reg_limit_2 = self.admin_limits_client.create_limits( - payload=self.limits(project_id=self.own_project) - )['limits'][0]['id'] - self.addCleanup( - self.admin_limits_client.delete_limit, - limit_id=reg_limit_2) - # cannot get limit for other project self.do_request('show_limit', - expected_status=exceptions.Forbidden, limit_id=reg_limit_1) - # can get limit for project in own domain - self.do_request('show_limit', - limit_id=reg_limit_2) def test_identity_update_limit(self): # cannot update limit for arbitrary project @@ -370,18 +359,40 @@ class DomainMemberTests(DomainAdminTests): credentials = ['domain_member', 'system_admin'] + def test_identity_get_limit(self): + # random project + reg_limit_1 = self.admin_limits_client.create_limits( + payload=self.limits())['limits'][0]['id'] + self.addCleanup( + self.admin_limits_client.delete_limit, + limit_id=reg_limit_1) + # project in own domain + reg_limit_2 = self.admin_limits_client.create_limits( + payload=self.limits(project_id=self.own_project) + )['limits'][0]['id'] + self.addCleanup( + self.admin_limits_client.delete_limit, + limit_id=reg_limit_2) + # cannot get limit for other project + self.do_request('show_limit', + expected_status=exceptions.Forbidden, + limit_id=reg_limit_1) + # can get limit for project in own domain + self.do_request('show_limit', + limit_id=reg_limit_2) + class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py b/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py index 00b2e6b..c519426 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py @@ -240,16 +240,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_policy.py b/keystone_tempest_plugin/tests/rbac/v3/test_policy.py index 53cdeb5..df5844f 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_policy.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_policy.py @@ -217,16 +217,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py b/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py index 5c3f514..a3cf76d 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py @@ -454,16 +454,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project.py b/keystone_tempest_plugin/tests/rbac/v3/test_project.py index 81b64e6..8d975e7 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_project.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_project.py @@ -225,6 +225,134 @@ class DomainAdminTests(IdentityV3RbacProjectsTests, base.BaseIdentityTest): domain_id=self.own_domain )['project']['id'] self.addCleanup(self.admin_projects_client.delete_project, project_id) + # user can create project in other domain + project_id = self.do_request( + 'create_project', expected_status=201, name=data_utils.rand_name(), + domain_id=self.other_domain + )['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, project_id) + + def test_identity_get_project(self): + # user can get project in own domain + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name(), + domain_id=self.own_domain)['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, project_id) + self.do_request('show_project', project_id=project_id) + # user can get project in other domain + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name(), + domain_id=self.other_domain)['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, project_id) + self.do_request('show_project', project_id=project_id) + # user gets a 403 for nonexistent project + self.do_request('show_project', expected_status=exceptions.NotFound, + project_id=data_utils.rand_uuid_hex()) + + def test_identity_list_projects(self): + # user can list projects but cannot see project in other domain + own_project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name(), + domain_id=self.own_domain)['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, + own_project_id) + other_project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name(), + domain_id=self.other_domain)['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, + other_project_id) + resp = self.do_request('list_projects') + self.assertIn(own_project_id, [d['id'] for d in resp['projects']]) + self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']]) + + def test_identity_list_user_projects(self): + # user can list projects for user in own domain + user_id = self.admin_client.users_v3_client.create_user( + name=data_utils.rand_name(), + domain_id=self.own_domain)['user']['id'] + self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id) + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name())['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, project_id) + role_id = self.admin_client.roles_v3_client.create_role( + name=data_utils.rand_name())['role']['id'] + self.addCleanup(self.admin_client.roles_v3_client.delete_role, + role_id) + self.admin_client.roles_v3_client.create_user_role_on_project( + project_id, user_id, role_id) + resp = self.do_request('list_user_projects', client=self.users_client, + user_id=user_id) + self.assertIn(project_id, [p['id'] for p in resp['projects']]) + # user can list projects for user in other domain + user_id = self.admin_client.users_v3_client.create_user( + name=data_utils.rand_name(), + domain_id=self.other_domain)['user']['id'] + self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id) + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name())['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, project_id) + role_id = self.admin_client.roles_v3_client.create_role( + name=data_utils.rand_name())['role']['id'] + self.addCleanup(self.admin_client.roles_v3_client.delete_role, + role_id) + self.admin_client.roles_v3_client.create_user_role_on_project( + project_id, user_id, role_id) + resp = self.do_request('list_user_projects', client=self.users_client, + user_id=user_id) + self.assertIn(project_id, [p['id'] for p in resp['projects']]) + # user can list projects for self + resp = self.do_request('list_user_projects', client=self.users_client, + user_id=self.persona.credentials.user_id) + self.assertEqual(0, len([p['id'] for p in resp['projects']])) + + def test_identity_update_project(self): + # user can update project in own domain + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name(), + domain_id=self.own_domain)['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, project_id) + self.do_request('update_project', + project_id=project_id, + description=data_utils.arbitrary_string()) + # user can update project in other domain + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name(), + domain_id=self.other_domain)['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, project_id) + self.do_request('update_project', + project_id=project_id, + description=data_utils.arbitrary_string()) + # user gets a 404 for nonexistent domain + self.do_request('update_project', expected_status=exceptions.NotFound, + project_id=data_utils.rand_uuid_hex(), + description=data_utils.arbitrary_string()) + + def test_identity_delete_project(self): + # user can delete project in own domain + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name(), + domain_id=self.own_domain)['project']['id'] + self.do_request('delete_project', expected_status=204, + project_id=project_id) + # user can delete project in other domain + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name(), + domain_id=self.other_domain)['project']['id'] + self.do_request('delete_project', expected_status=204, + project_id=project_id) + + +class DomainMemberTests(DomainAdminTests): + + credentials = ['domain_member', 'system_admin'] + + def test_identity_create_project(self): + # user cannot create project in own domain + self.do_request( + 'create_project', expected_status=exceptions.Forbidden, + name=data_utils.rand_name(), + domain_id=self.own_domain + ) # user cannot create project in other domain self.do_request( 'create_project', expected_status=exceptions.Forbidden, @@ -249,22 +377,6 @@ class DomainAdminTests(IdentityV3RbacProjectsTests, base.BaseIdentityTest): self.do_request('show_project', expected_status=exceptions.Forbidden, project_id=data_utils.rand_uuid_hex()) - def test_identity_list_projects(self): - # user can list projects but cannot see project in other domain - own_project_id = self.admin_projects_client.create_project( - name=data_utils.rand_name(), - domain_id=self.own_domain)['project']['id'] - self.addCleanup(self.admin_projects_client.delete_project, - own_project_id) - other_project_id = self.admin_projects_client.create_project( - name=data_utils.rand_name(), - domain_id=self.other_domain)['project']['id'] - self.addCleanup(self.admin_projects_client.delete_project, - other_project_id) - resp = self.do_request('list_projects') - self.assertIn(own_project_id, [d['id'] for d in resp['projects']]) - self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']]) - def test_identity_list_user_projects(self): # user can list projects for user in own domain user_id = self.admin_client.users_v3_client.create_user( @@ -305,62 +417,6 @@ class DomainAdminTests(IdentityV3RbacProjectsTests, base.BaseIdentityTest): user_id=self.persona.credentials.user_id) self.assertEqual(0, len([p['id'] for p in resp['projects']])) - def test_identity_update_project(self): - # user can update project in own domain - project_id = self.admin_projects_client.create_project( - name=data_utils.rand_name(), - domain_id=self.own_domain)['project']['id'] - self.addCleanup(self.admin_projects_client.delete_project, project_id) - self.do_request('update_project', - project_id=project_id, - description=data_utils.arbitrary_string()) - # user cannot update project in other domain - project_id = self.admin_projects_client.create_project( - name=data_utils.rand_name(), - domain_id=self.other_domain)['project']['id'] - self.addCleanup(self.admin_projects_client.delete_project, project_id) - self.do_request('update_project', - expected_status=exceptions.Forbidden, - project_id=project_id, - description=data_utils.arbitrary_string()) - # user gets a 403 for nonexistent domain - self.do_request('update_project', expected_status=exceptions.Forbidden, - project_id=data_utils.rand_uuid_hex(), - description=data_utils.arbitrary_string()) - - def test_identity_delete_project(self): - # user can delete project in own domain - project_id = self.admin_projects_client.create_project( - name=data_utils.rand_name(), - domain_id=self.own_domain)['project']['id'] - self.do_request('delete_project', expected_status=204, - project_id=project_id) - # user cannot delete project in other domain - project_id = self.admin_projects_client.create_project( - name=data_utils.rand_name(), - domain_id=self.other_domain)['project']['id'] - self.addCleanup(self.admin_projects_client.delete_project, project_id) - self.do_request('delete_project', expected_status=exceptions.Forbidden, - project_id=project_id) - - -class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest): - - credentials = ['domain_member', 'system_admin'] - - def test_identity_create_project(self): - # user cannot create project in own domain - self.do_request( - 'create_project', expected_status=exceptions.Forbidden, - name=data_utils.rand_name(), - domain_id=self.own_domain - ) - # user cannot create project in other domain - self.do_request( - 'create_project', expected_status=exceptions.Forbidden, - name=data_utils.rand_name(), domain_id=self.other_domain - ) - def test_identity_update_project(self): # user cannot update project in own domain project_id = self.admin_projects_client.create_project( @@ -406,10 +462,39 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] + def test_identity_list_user_projects(self): + user_id = self.admin_client.users_v3_client.create_user( + name=data_utils.rand_name())['user']['id'] + self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id) + project_id = self.admin_projects_client.create_project( + name=data_utils.rand_name())['project']['id'] + self.addCleanup(self.admin_projects_client.delete_project, project_id) + role_id = self.admin_client.roles_v3_client.create_role( + name=data_utils.rand_name())['role']['id'] + self.addCleanup(self.admin_client.roles_v3_client.delete_role, + role_id) + self.admin_client.roles_v3_client.create_user_role_on_project( + project_id, user_id, role_id) + # user can list projects for arbitrary user + resp = self.do_request('list_user_projects', client=self.users_client, + user_id=user_id) + self.assertIn(project_id, [p['id'] for p in resp['projects']]) + # user can list projects for self + # Project Admin is assigned to a tempest project so we cant re-use + # the System Admin test. + resp = self.do_request('list_user_projects', client=self.users_client, + user_id=self.persona.credentials.user_id) + self.assertEqual(1, len([p['id'] for p in resp['projects']])) + + +class ProjectMemberTests(DomainReaderTests): + + credentials = ['project_member', 'system_admin'] + def test_identity_get_project(self): # user cannot get arbitrary project project_id = self.admin_projects_client.create_project( @@ -457,11 +542,6 @@ class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): [p['id'] for p in resp['projects']]) -class ProjectMemberTests(ProjectAdminTests): - - credentials = ['project_member', 'system_admin'] - - -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py b/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py index 442ca9e..34bb13e 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py @@ -236,16 +236,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py b/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py index 3e6c4a6..646fa86 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py @@ -241,6 +241,103 @@ class DomainAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest): project_id=self.own_project_id, tag=tag ) + # user can add tags to project in other domain + tag = data_utils.rand_uuid_hex() + self.do_request( + 'update_project_tag', expected_status=201, + project_id=self.other_project_id, + tag=tag + ) + + def test_identity_get_project_tag(self): + # user can get tag for project in own domain + tag = data_utils.rand_uuid_hex() + self.admin_project_tags_client.update_project_tag( + project_id=self.own_project_id, tag=tag) + self.do_request('check_project_tag_existence', + expected_status=204, + project_id=self.own_project_id, tag=tag) + # user can get tag for project in other domain + tag = data_utils.rand_uuid_hex() + self.admin_project_tags_client.update_project_tag( + project_id=self.other_project_id, tag=tag) + self.do_request('check_project_tag_existence', + expected_status=204, + project_id=self.other_project_id, tag=tag) + + def test_identity_list_project_tags(self): + # user can list tags for project in own domain + tag = data_utils.rand_uuid_hex() + self.admin_project_tags_client.update_project_tag( + project_id=self.own_project_id, tag=tag) + resp = self.do_request('list_project_tags', + project_id=self.own_project_id) + self.assertIn(tag, resp['tags']) + # user can list tags for project in other domain + tag = data_utils.rand_uuid_hex() + self.admin_project_tags_client.update_project_tag( + project_id=self.other_project_id, tag=tag) + resp = self.do_request('list_project_tags', + project_id=self.other_project_id) + self.assertIn(tag, resp['tags']) + + def test_identity_update_project_tags(self): + # user can update tags for project in own domain + tag = data_utils.rand_uuid_hex() + self.do_request('update_all_project_tags', + project_id=self.own_project_id, + tags=[tag]) + # user can update tags for project in other domain + tag = data_utils.rand_uuid_hex() + self.do_request('update_all_project_tags', + project_id=self.other_project_id, + tags=[tag]) + + def test_identity_delete_project_tag(self): + # user can delete tag for project in own domain + tag = data_utils.rand_uuid_hex() + self.admin_project_tags_client.update_project_tag( + project_id=self.own_project_id, tag=tag) + self.do_request('delete_project_tag', expected_status=204, + project_id=self.own_project_id, + tag=tag) + # user can delete tag for project in other domain + tag = data_utils.rand_uuid_hex() + self.admin_project_tags_client.update_project_tag( + project_id=self.other_project_id, tag=tag) + self.do_request('delete_project_tag', + expected_status=204, + project_id=self.other_project_id, + tag=tag) + + def test_identity_delete_project_tags(self): + # user can delete tags for project in own domain + tag = data_utils.rand_uuid_hex() + self.admin_project_tags_client.update_project_tag( + project_id=self.own_project_id, tag=tag) + self.do_request('delete_all_project_tags', expected_status=204, + project_id=self.own_project_id) + # user can delete tags for project in other domain + tag = data_utils.rand_uuid_hex() + self.admin_project_tags_client.update_project_tag( + project_id=self.other_project_id, tag=tag) + self.do_request('delete_all_project_tags', + expected_status=204, + project_id=self.other_project_id) + + +class DomainMemberTests(DomainAdminTests): + + credentials = ['domain_member', 'system_admin'] + + def test_identity_create_project_tag(self): + # user cannot add tags to project in own domain + tag = data_utils.rand_uuid_hex() + self.do_request( + 'update_project_tag', expected_status=exceptions.Forbidden, + project_id=self.own_project_id, + tag=tag + ) # user cannot add tags to project in other domain tag = data_utils.rand_uuid_hex() self.do_request( @@ -281,72 +378,6 @@ class DomainAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest): expected_status=exceptions.Forbidden, project_id=self.other_project_id) - def test_identity_update_project_tags(self): - # user can update tags for project in own domain - tag = data_utils.rand_uuid_hex() - self.do_request('update_all_project_tags', - project_id=self.own_project_id, - tags=[tag]) - # user cannot update tags for project in other domain - tag = data_utils.rand_uuid_hex() - self.do_request('update_all_project_tags', - expected_status=exceptions.Forbidden, - project_id=self.other_project_id, - tags=[tag]) - - def test_identity_delete_project_tag(self): - # user can delete tag for project in own domain - tag = data_utils.rand_uuid_hex() - self.admin_project_tags_client.update_project_tag( - project_id=self.own_project_id, tag=tag) - self.do_request('delete_project_tag', expected_status=204, - project_id=self.own_project_id, - tag=tag) - # user cannot delete tag for project in other domain - tag = data_utils.rand_uuid_hex() - self.admin_project_tags_client.update_project_tag( - project_id=self.other_project_id, tag=tag) - self.do_request('delete_project_tag', - expected_status=exceptions.Forbidden, - project_id=self.other_project_id, - tag=tag) - - def test_identity_delete_project_tags(self): - # user can delete tags for project in own domain - tag = data_utils.rand_uuid_hex() - self.admin_project_tags_client.update_project_tag( - project_id=self.own_project_id, tag=tag) - self.do_request('delete_all_project_tags', expected_status=204, - project_id=self.own_project_id) - # user cannot delete tags for project in other domain - tag = data_utils.rand_uuid_hex() - self.admin_project_tags_client.update_project_tag( - project_id=self.other_project_id, tag=tag) - self.do_request('delete_all_project_tags', - expected_status=exceptions.Forbidden, - project_id=self.other_project_id) - - -class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest): - - credentials = ['domain_member', 'system_admin'] - - def test_identity_create_project_tag(self): - # user cannot add tags to project in own domain - tag = data_utils.rand_uuid_hex() - self.do_request( - 'update_project_tag', expected_status=exceptions.Forbidden, - project_id=self.own_project_id, - tag=tag - ) - # user cannot add tags to project in other domain - tag = data_utils.rand_uuid_hex() - self.do_request( - 'update_project_tag', expected_status=exceptions.Forbidden, - project_id=self.other_project_id, - tag=tag - ) - def test_identity_update_project_tags(self): # user cannot update tags for project in own domain tag = data_utils.rand_uuid_hex() @@ -401,12 +432,17 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest): +class ProjectAdminTests(DomainAdminTests): credentials = ['project_admin', 'system_admin'] + +class ProjectMemberTests(DomainMemberTests): + + credentials = ['project_member', 'system_admin'] + def setUp(self): - super(ProjectAdminTests, self).setUp() + super().setUp() self.own_project_id = self.persona.credentials.project_id project_client = self.admin_client.projects_client self.other_project_id = project_client.create_project( @@ -414,16 +450,13 @@ class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest): self.addCleanup(project_client.delete_project, self.other_project_id) def test_identity_create_project_tag(self): - # user can add tags to own project + # user cannot add tags to own project tag = data_utils.rand_uuid_hex() self.do_request( - 'update_project_tag', expected_status=201, + 'update_project_tag', expected_status=exceptions.Forbidden, project_id=self.own_project_id, tag=tag ) - self.addCleanup(self.admin_project_tags_client.delete_project_tag, - project_id=self.own_project_id, - tag=tag) # user cannot add tags to arbitrary project tag = data_utils.rand_uuid_hex() self.do_request( @@ -470,75 +503,6 @@ class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest): expected_status=exceptions.Forbidden, project_id=self.other_project_id) - def test_identity_update_project_tags(self): - # user can update tags for own project - tag = data_utils.rand_uuid_hex() - self.do_request('update_all_project_tags', - project_id=self.own_project_id, - tags=[tag]) - self.addCleanup(self.admin_project_tags_client.delete_project_tag, - project_id=self.own_project_id, - tag=tag) - # user cannot update tags for arbitrary project - tag = data_utils.rand_uuid_hex() - self.do_request('update_all_project_tags', - expected_status=exceptions.Forbidden, - project_id=self.other_project_id, - tags=[tag]) - - def test_identity_delete_project_tag(self): - # user can delete tag for own project - tag = data_utils.rand_uuid_hex() - self.admin_project_tags_client.update_project_tag( - project_id=self.own_project_id, tag=tag) - self.do_request('delete_project_tag', expected_status=204, - project_id=self.own_project_id, - tag=tag) - # user cannot delete tag for arbitrary project - tag = data_utils.rand_uuid_hex() - self.admin_project_tags_client.update_project_tag( - project_id=self.other_project_id, tag=tag) - self.do_request('delete_project_tag', - expected_status=exceptions.Forbidden, - project_id=self.other_project_id, - tag=tag) - - def test_identity_delete_project_tags(self): - # user can delete tags for own project - tag = data_utils.rand_uuid_hex() - self.admin_project_tags_client.update_project_tag( - project_id=self.own_project_id, tag=tag) - self.do_request('delete_all_project_tags', expected_status=204, - project_id=self.own_project_id) - # user cannot delete tags for arbitrary project - tag = data_utils.rand_uuid_hex() - self.admin_project_tags_client.update_project_tag( - project_id=self.other_project_id, tag=tag) - self.do_request('delete_all_project_tags', - expected_status=exceptions.Forbidden, - project_id=self.other_project_id) - - -class ProjectMemberTests(ProjectAdminTests): - - credentials = ['project_member', 'system_admin'] - - def test_identity_create_project_tag(self): - # user cannot add tags to own project - tag = data_utils.rand_uuid_hex() - self.do_request( - 'update_project_tag', expected_status=exceptions.Forbidden, - project_id=self.own_project_id, - tag=tag - ) - # user cannot add tags to arbitrary project - tag = data_utils.rand_uuid_hex() - self.do_request( - 'update_project_tag', expected_status=exceptions.Forbidden, - project_id=self.other_project_id, - tag=tag - ) - def test_identity_update_project_tags(self): # user cannot update tags for own project tag = data_utils.rand_uuid_hex() diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py b/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py index 5f9d9a2..f766b1f 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py @@ -287,16 +287,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_region.py b/keystone_tempest_plugin/tests/rbac/v3/test_region.py index e58206a..ab5969e 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_region.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_region.py @@ -194,16 +194,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py index c18ed01..31e78e4 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py @@ -207,12 +207,12 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_role.py index a9815e8..997731c 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_role.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_role.py @@ -375,16 +375,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py b/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py index 7b27294..14e164a 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py @@ -939,24 +939,53 @@ class DomainAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest): # Should not see subtree assignments for project in other domain query = {'scope.project.id': self.project_other_domain, 'include_subtree': True} - self.do_request('list_role_assignments', - expected_status=exceptions.Forbidden, **query) + self.do_request('list_role_assignments', **query) class DomainMemberTests(DomainAdminTests): credentials = ['domain_member', 'system_admin'] + def test_identity_list_role_assignments_for_tree(self): + # Should see subtree assignments for project in own domain + subproject_id = self.admin_client.projects_client.create_project( + name=data_utils.rand_name('project'), + domain_id=self.own_domain, + parent_id=self.project_in_domain)['project']['id'] + self.addCleanup(self.admin_client.projects_client.delete_project, + subproject_id) + self.admin_client.roles_v3_client.create_user_role_on_project( + subproject_id, self.user_in_domain, self.role_id) + query = {'scope.project.id': self.project_in_domain, + 'include_subtree': True} + resp = self.do_request('list_role_assignments', **query) + actual = self._extract_role_assignments_from_response_body(resp) + expected_assignment = {'user_id': self.user_in_domain, + 'project_id': subproject_id, + 'role_id': self.role_id} + self.assertIn(expected_assignment, actual) + + # Should not see subtree assignments for project in other domain + query = {'scope.project.id': self.project_other_domain, + 'include_subtree': True} + self.do_request('list_role_assignments', + expected_status=exceptions.Forbidden, **query) + class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] + +class ProjectMemberTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest): + + credentials = ['project_member', 'system_admin'] + def test_identity_list_role_assignments(self): # Listing all assignments with no filters should fail self.do_request('list_role_assignments', @@ -1067,43 +1096,6 @@ class ProjectAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest): self.do_request('list_role_assignments', expected_status=exceptions.Forbidden, **query) - def test_identity_list_role_assignments_for_tree(self): - # Should not see subtree assignments for project in own domain - query = {'scope.project.id': self.project_in_domain, - 'include_subtree': True} - self.do_request('list_role_assignments', - expected_status=exceptions.Forbidden, **query) - - # Should not see subtree assignments for project in other domain - query = {'scope.project.id': self.project_other_domain, - 'include_subtree': True} - self.do_request('list_role_assignments', - expected_status=exceptions.Forbidden, **query) - - # Should see subtree for own project - own_project = self.persona.credentials.project_id - subproject_id = self.admin_client.projects_client.create_project( - name=data_utils.rand_name('project'), - domain_id=self.own_domain, - parent_id=own_project)['project']['id'] - self.addCleanup(self.admin_client.projects_client.delete_project, - subproject_id) - self.admin_client.roles_v3_client.create_user_role_on_project( - subproject_id, self.user_other_domain, self.role_id) - query = {'scope.project.id': own_project, - 'include_subtree': True} - resp = self.do_request('list_role_assignments', **query) - expected_assignment = {'user_id': self.user_other_domain, - 'project_id': subproject_id, - 'role_id': self.role_id} - actual = self._extract_role_assignments_from_response_body(resp) - self.assertIn(expected_assignment, actual) - - -class ProjectMemberTests(ProjectAdminTests): - - credentials = ['project_member', 'system_admin'] - def test_identity_list_role_assignments_for_tree(self): # Should not see subtree assignments for project in own domain query = {'scope.project.id': self.project_in_domain, diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_service.py b/keystone_tempest_plugin/tests/rbac/v3/test_service.py index a6a9083..616741a 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_service.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_service.py @@ -218,16 +218,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py b/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py index 6cf54b9..668289b 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py @@ -235,16 +235,16 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] -class ProjectMemberTests(ProjectAdminTests): +class ProjectMemberTests(DomainReaderTests): credentials = ['project_member', 'system_admin'] -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_trust.py b/keystone_tempest_plugin/tests/rbac/v3/test_trust.py index c30f9eb..9165503 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_trust.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_trust.py @@ -367,7 +367,7 @@ class DomainReaderTests(DomainAdminTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] @@ -395,6 +395,35 @@ class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest): expected_status=exceptions.Forbidden, **self.trust()) + +class ProjectMemberTests(IdentityV3RbacTrustTest, base.BaseIdentityTest): + + credentials = ['project_member', 'system_admin'] + + def setUp(self): + super(ProjectMemberTests, self).setUp() + self.role_id = self.member_role_id + + def test_identity_create_trust(self): + # user can create a trust for their own project + trustor_user_id = self.persona.credentials.user_id + project_id = self.persona.credentials.project_id + resp = self.do_request( + 'create_trust', + expected_status=201, + **self.trust( + trustor=trustor_user_id, + project_id=project_id, + roles=[{'id': self.role_id}]) + )['trust'] + self.addCleanup(self.client.delete_trust, resp['id']) + + # user cannot create trust with another user as trustor + self.do_request( + 'create_trust', + expected_status=exceptions.Forbidden, + **self.trust()) + def test_identity_get_trust(self): # user can get a trust for which they are trustor trustor_user_id = self.persona.credentials.user_id @@ -541,16 +570,7 @@ class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest): trust_id=trust_id) -class ProjectMemberTests(ProjectAdminTests): - - credentials = ['project_member', 'system_admin'] - - def setUp(self): - super(ProjectMemberTests, self).setUp() - self.role_id = self.member_role_id - - -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin'] diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_user.py b/keystone_tempest_plugin/tests/rbac/v3/test_user.py index 7dcfdc7..c031cfe 100644 --- a/keystone_tempest_plugin/tests/rbac/v3/test_user.py +++ b/keystone_tempest_plugin/tests/rbac/v3/test_user.py @@ -248,114 +248,22 @@ class SystemReaderTests(SystemMemberTests): credentials = ['system_reader', 'system_admin'] -class DomainAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest): +class DomainAdminTests(SystemAdminTests): credentials = ['domain_admin', 'system_admin'] - def setUp(self): - super(DomainAdminTests, self).setUp() - self.other_domain = self.admin_domains_client.create_domain( - name=data_utils.rand_name())['domain'] - self.addCleanup(self.admin_domains_client.delete_domain, - self.other_domain['id']) - self.addCleanup(self.admin_domains_client.update_domain, - domain_id=self.other_domain['id'], enabled=False) - - def test_identity_create_user(self): - user_create = self.user() - # create user in other domain - user_create['domain_id'] = self.other_domain['id'] - self.do_request('create_user', expected_status=exceptions.Forbidden, - **user_create) - # create user in own domain - user_create['domain_id'] = self.persona.credentials.domain_id - resp = self.do_request('create_user', - expected_status=201, - **user_create) - self.addCleanup(self.admin_users_client.delete_user, - resp['user']['id']) - - def test_identity_get_user(self): - user_create = self.user() - user_create['domain_id'] = self.other_domain['id'] - user = self.admin_users_client.create_user(**user_create)['user'] - self.addCleanup(self.admin_users_client.delete_user, user['id']) - # user cannot get user in other domain - self.do_request('show_user', expected_status=exceptions.Forbidden, - user_id=user['id']) - user_create['domain_id'] = self.persona.credentials.domain_id - user = self.admin_users_client.create_user(**user_create)['user'] - self.addCleanup(self.admin_users_client.delete_user, user['id']) - # user can get user in own domain - resp = self.do_request('show_user', user_id=user['id']) - self.assertEqual(resp['user']['id'], user['id']) - # user can get own user - user_id = self.persona.credentials.user_id - resp = self.do_request('show_user', user_id=user_id) - self.assertEqual(resp['user']['id'], user_id) - # user gets a 403 for nonexistent user - self.do_request('show_user', expected_status=exceptions.Forbidden, - user_id='fakeuser') - def test_identity_list_users(self): + # the /v3/users api filters the response for domain-scoped + # tokens to users only in the domain, so we can't re-use + # the test from SystemAdminTests user_create = self.user() - # create user in other domain - user_create['domain_id'] = self.other_domain['id'] + user_create['domain_id'] = self.persona.credentials.domain_id + # create user in default domain user1 = self.admin_users_client.create_user(**user_create)['user'] self.addCleanup(self.admin_users_client.delete_user, user1['id']) - # create user in own domain - user_create['domain_id'] = self.persona.credentials.domain_id - user2 = self.admin_users_client.create_user(**user_create)['user'] - self.addCleanup(self.admin_users_client.delete_user, user2['id']) resp = self.do_request('list_users') user_ids = set(u['id'] for u in resp['users']) - self.assertNotIn(user1['id'], user_ids) - self.assertIn(user2['id'], user_ids) - - def test_identity_update_user(self): - user_create = self.user() - # create user in other domain - user_create['domain_id'] = self.other_domain['id'] - user = self.admin_users_client.create_user(**user_create)['user'] - self.addCleanup(self.admin_users_client.delete_user, user['id']) - user_update = { - 'user_id': user['id'], - 'description': data_utils.arbitrary_string() - } - self.do_request('update_user', expected_status=exceptions.Forbidden, - **user_update) - # create user in own domain - user_create['domain_id'] = self.persona.credentials.domain_id - user = self.admin_users_client.create_user(**user_create)['user'] - self.addCleanup(self.admin_users_client.delete_user, user['id']) - user_update = { - 'user_id': user['id'], - 'description': data_utils.arbitrary_string() - } - self.do_request('update_user', **user_update) - # user gets a 403 for nonexistent user - user_update = { - 'user_id': 'fakeuser', - 'description': data_utils.arbitrary_string() - } - self.do_request('update_user', expected_status=exceptions.Forbidden, - **user_update) - - def test_identity_delete_user(self): - user_create = self.user() - # create user in other domain - user_create['domain_id'] = self.other_domain['id'] - user = self.admin_users_client.create_user(**user_create)['user'] - self.addCleanup(self.admin_users_client.delete_user, user['id']) - self.do_request('delete_user', expected_status=exceptions.Forbidden, - user_id=user['id']) - # create user in own domain - user_create['domain_id'] = self.persona.credentials.domain_id - user = self.admin_users_client.create_user(**user_create)['user'] - self.do_request('delete_user', expected_status=204, user_id=user['id']) - # user gets a 403 for nonexistent user - self.do_request('delete_user', expected_status=exceptions.Forbidden, - user_id='fakeuser') + self.assertIn(user1['id'], user_ids) class DomainMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest): @@ -475,10 +383,15 @@ class DomainReaderTests(DomainMemberTests): credentials = ['domain_reader', 'system_admin'] -class ProjectAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest): +class ProjectAdminTests(SystemAdminTests): credentials = ['project_admin', 'system_admin'] + +class ProjectMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest): + + credentials = ['project_member', 'system_admin'] + def test_identity_create_user(self): self.do_request('create_user', expected_status=exceptions.Forbidden, **self.user()) @@ -530,11 +443,6 @@ class ProjectAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest): user_id='fakeuser') -class ProjectMemberTests(ProjectAdminTests): - - credentials = ['project_member', 'system_admin'] - - -class ProjectReaderTests(ProjectAdminTests): +class ProjectReaderTests(ProjectMemberTests): credentials = ['project_reader', 'system_admin']