From 6aebf179b8b1b48909ea57666f61bbc080bd6888 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Fri, 16 Aug 2019 10:38:43 -0700
Subject: [PATCH] Add tests for system member for trusts

For trusts, a system member is essentially the same as a system reader: system members should not be able to create or delete trusts. This change adds tests to assert that, but no policy changes are required to account for the member role.

Change-Id: I0acd55f4428708430740bf2c305f664e199dd304
Partial-bug: #1818846
Related-Bug: #968696
---
 .../tests/unit/protection/v3/test_trusts.py | 77 ++++++++++++++-----
 1 file changed, 56 insertions(+), 21 deletions(-)

diff --git a/keystone/tests/unit/protection/v3/test_trusts.py b/keystone/tests/unit/protection/v3/test_trusts.py
index c239a39398..6a8c162eb0 100644
--- a/keystone/tests/unit/protection/v3/test_trusts.py
+++ b/keystone/tests/unit/protection/v3/test_trusts.py
@@ -284,7 +284,34 @@ class _SystemUserTests(object):
 )
-class SystemReaderTests(TrustTests, _SystemUserTests):
+class _SystemReaderMemberTests(_SystemUserTests):
+ """Tests for system readers and members."""
+
+ def test_user_cannot_create_trust(self):
+ json = {'trust': self.trust_data['trust']}
+ json['trust']['roles'] = self.trust_data['roles']
+
+ with self.test_client() as c:
+ c.post(
+ '/v3/OS-TRUST/trusts',
+ json=json,
+ headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_delete_trust(self):
+ ref = PROVIDERS.trust_api.create_trust(
+ self.trust_id, **self.trust_data)
+
+ with self.test_client() as c:
+ c.delete(
+ '/v3/OS-TRUST/trusts/%s' % ref['id'],
+ headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+
+class SystemReaderTests(TrustTests, _SystemReaderMemberTests):
+ """Tests for system reader users."""
 def setUp(self):
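Review bot: In `test_user_cannot_create_trust` the first line `json = {'trust': self.trust_data['trust']}` aliases the fixture dict, so the following `json['trust']['roles'] = ...` writes a `roles` key into `self.trust_data['trust']` itself, and the local name also shadows the stdlib `json` module; build a copy instead, `body = {'trust': dict(self.trust_data['trust'], roles=self.trust_data['roles'])}` and pass `json=body`. Whether the aliasing leaks between tests depends on whether `TrustTests.setUp` rebuilds `self.trust_data`, which is outside this hunk. `test_user_cannot_delete_trust` only checks the 403 status; asserting that the trust is still readable afterwards, e.g. `PROVIDERS.trust_api.get_trust(ref['id'])` after the `with` block, would confirm the denied request had no side effect, which is the property the policy is meant to guarantee. `SystemReaderTests.setUp` continues outside the hunk.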
@@ -314,28 +341,36 @@ class SystemReaderTests(TrustTests, _SystemUserTests):
 self.token_id = r.headers['X-Subject-Token']
 self.headers = {'X-Auth-Token': self.token_id}
- def test_user_cannot_create_trust(self):
- json = {'trust': self.trust_data['trust']}
- json['trust']['roles'] = self.trust_data['roles']
+class SystemMemberTests(TrustTests, _SystemReaderMemberTests):
+ """Tests for system member users."""
+
+ def setUp(self):
+ super(SystemMemberTests, self).setUp()
+ self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+ system_member = unit.new_user_ref(
+ domain_id=CONF.identity.default_domain_id
+ )
+ self.user_id = PROVIDERS.identity_api.create_user(
+ system_member
+ )['id']
+ PROVIDERS.assignment_api.create_system_grant_for_user(
+ self.user_id, self.bootstrapper.member_role_id
+ )
+
+ auth = self.build_authentication_request(
+ user_id=self.user_id,
+ password=system_member['password'],
+ system=True
+ )
+
+ # Grab a token using the persona we're testing and prepare headers
+ # for requests we'll be making in the tests.
 with self.test_client() as c:
- c.post(
- '/v3/OS-TRUST/trusts',
- json=json,
- headers=self.headers,
- expected_status_code=http_client.FORBIDDEN
- )
-
- def test_user_cannot_delete_trust(self):
- ref = PROVIDERS.trust_api.create_trust(
- self.trust_id, **self.trust_data)
-
- with self.test_client() as c:
- c.delete(
- '/v3/OS-TRUST/trusts/%s' % ref['id'],
- headers=self.headers,
- expected_status_code=http_client.FORBIDDEN
- )
+ r = c.post('/v3/auth/tokens', json=auth)
+ self.token_id = r.headers['X-Subject-Token']
+ self.headers = {'X-Auth-Token': self.token_id}
 class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):
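Review bot: `SystemMemberTests.setUp` is, as far as the visible context lines show, a line-for-line copy of `SystemReaderTests.setUp` with only `self.bootstrapper.member_role_id` substituted, so every future change to how the persona is created and authenticated (the `enforce_scope` config, the system grant, the token request) has to be made twice. Since both classes already share `_SystemReaderMemberTests` (introduced in the first hunk), the persona bootstrap could live there as one helper parameterised on the role id, and each `setUp` would shrink to `super(...).setUp()` plus one call. The fence below sketches that helper; `SystemReaderTests.setUp` itself lies outside this hunk and would get the matching one-line call with `self.bootstrapper.reader_role_id`.
```python
class _SystemReaderMemberTests(_SystemUserTests):
    # … unchanged: test_user_cannot_create_trust, test_user_cannot_delete_trust …

    def _authenticate_as_system_user(self, role_id):
        """Create a user holding `role_id` on the system and cache a token for it."""
        self.config_fixture.config(group='oslo_policy', enforce_scope=True)

        user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
        self.user_id = PROVIDERS.identity_api.create_user(user)['id']
        PROVIDERS.assignment_api.create_system_grant_for_user(
            self.user_id, role_id
        )

        auth = self.build_authentication_request(
            user_id=self.user_id, password=user['password'], system=True
        )

        # Grab a token using the persona we're testing and prepare headers
        # for requests we'll be making in the tests.
        with self.test_client() as c:
            r = c.post('/v3/auth/tokens', json=auth)
            self.token_id = r.headers['X-Subject-Token']
            self.headers = {'X-Auth-Token': self.token_id}


class SystemMemberTests(TrustTests, _SystemReaderMemberTests):
    """Tests for system member users."""

    def setUp(self):
        super(SystemMemberTests, self).setUp()
        self._authenticate_as_system_user(self.bootstrapper.member_role_id)
```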