openstack/keystone
Code Issues Proposed changes

Merge "Add rule for list_groups_for_user in policy.json"

Browse Source
This commit is contained in:
Jenkins 2013-04-23 17:10:34 +00:00 committed by Gerrit Code Review
commit 4960ce161c
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
etc/policy.json
View File

@ -38,6 +38,7 @@
"identity:get_group": [["rule:admin_required"]], "identity:get_group": [["rule:admin_required"]],
"identity:list_groups": [["rule:admin_required"]], "identity:list_groups": [["rule:admin_required"]],
"identity:list_groups_for_user": [["rule:admin_or_owner"]],
"identity:create_group": [["rule:admin_required"]], "identity:create_group": [["rule:admin_required"]],
"identity:update_group": [["rule:admin_required"]], "identity:update_group": [["rule:admin_required"]],
"identity:delete_group": [["rule:admin_required"]], "identity:delete_group": [["rule:admin_required"]],

37
tests/test_v3_identity.py
View File

@ -349,6 +349,43 @@ class IdentityTestCase(test_v3.RestfulTestCase):
self.put('/groups/%(group_id)s/users/%(user_id)s' % { self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': self.user['id']}) 'group_id': self.group_id, 'user_id': self.user['id']})
def test_list_groups_for_user(self):
"""GET /users/{user_id}/groups"""
self.user1 = self.new_user_ref(
domain_id=self.domain['id'])
self.user1['password'] = uuid.uuid4().hex
self.identity_api.create_user(self.user1['id'], self.user1)
self.user2 = self.new_user_ref(
domain_id=self.domain['id'])
self.user2['password'] = uuid.uuid4().hex
self.identity_api.create_user(self.user1['id'], self.user2)
self.put('/groups/%(group_id)s/users/%(user_id)s' % {
'group_id': self.group_id, 'user_id': self.user1['id']})
#Scenarios below are written to test the default policy configuration
#One should be allowed to list one's own groups
auth = self.build_authentication_request(
user_id=self.user1['id'],
password=self.user1['password'])
r = self.get('/users/%(user_id)s/groups' % {
'user_id': self.user1['id']}, auth=auth)
self.assertValidGroupListResponse(r, ref=self.group)
#Administrator is allowed to list others' groups
r = self.get('/users/%(user_id)s/groups' % {
'user_id': self.user1['id']})
self.assertValidGroupListResponse(r, ref=self.group)
#Ordinary users should not be allowed to list other's groups
auth = self.build_authentication_request(
user_id=self.user2['id'],
password=self.user2['password'])
r = self.get('/users/%(user_id)s/groups' % {
'user_id': self.user1['id']}, auth=auth,
expected_status=exception.ForbiddenAction.code)
def test_check_user_in_group(self): def test_check_user_in_group(self):
"""HEAD /groups/{group_id}/users/{user_id}""" """HEAD /groups/{group_id}/users/{user_id}"""
self.put('/groups/%(group_id)s/users/%(user_id)s' % { self.put('/groups/%(group_id)s/users/%(user_id)s' % {