
Test domain users against system assignment API

This commit ensures that domain users are not able to operate on
system role assignments in any way, since they lack the proper
authorization to do so.

 - project user test coverage

Change-Id: Ic27a158448e1098fdb1c0a14694793cc041e7eff
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 8450d4a9cc)
changes/76/647676/1
Lance Bragstad 3 years ago
committed by Colleen Murphy
parent
commit
4ccb4c258f
  1. 103
      keystone/tests/unit/protection/v3/test_system_assignments.py

103
keystone/tests/unit/protection/v3/test_system_assignments.py

@ -10,6 +10,8 @@
# License for the specific language governing permissions and limitations
# under the License.
import uuid
from six.moves import http_client
from keystone.common import provider_api
@ -94,6 +96,71 @@ class _SystemMemberAndReaderSystemAssignmentTests(object):
)
class _DomainAndProjectUserSystemAssignmentTests(object):
def test_user_cannot_list_system_role_assignments(self):
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.get(
'/v3/system/users/%s/roles' % user['id'], headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_check_user_system_role_assignments(self):
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.get(
'/v3/system/users/%s/roles/%s' % (
user['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_grant_system_assignments(self):
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(CONF.identity.default_domain_id)
)
with self.test_client() as c:
c.put(
'/v3/system/users/%s/roles/%s' % (
user['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_revoke_system_assignments(self):
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.delete(
'/v3/system/users/%s/roles/%s' % (
user['id'], self.bootstrapper.member_role_id
), headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserSystemAssignmentTests,
@ -222,3 +289,39 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
user['id'], self.bootstrapper.member_role_id
), headers=self.headers
)
class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_DomainAndProjectUserSystemAssignmentTests):
def setUp(self):
super(DomainUserTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
self.domain_id = domain['id']
domain_user = unit.new_user_ref(domain_id=self.domain_id)
self.domain_user_id = PROVIDERS.identity_api.create_user(
domain_user
)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.member_role_id, user_id=self.domain_user_id,
domain_id=self.domain_id
)
auth = self.build_authentication_request(
user_id=self.domain_user_id, password=domain_user['password'],
domain_id=self.domain_id
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
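Review bot: The grant and revoke tests in `_DomainAndProjectUserSystemAssignmentTests` (second hunk) only assert the FORBIDDEN status and never confirm that the system assignment was left untouched, so a policy check that ran after the write instead of before it would still pass them. After the `c.put(...)` in `test_user_cannot_grant_system_assignments` add `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_user(user['id']))`, and after the `c.delete(...)` in `test_user_cannot_revoke_system_assignments` assert that `self.bootstrapper.member_role_id` is still among the roles returned by that same call. The mixin also carries no docstring; a one-line `"""Shared assertions for personas without system scope: every system-assignment operation must be rejected."""` would state the contract the concrete classes inherit. The class name promises project-user coverage, yet only `DomainUserTests` inherits it in the visible section, so the project persona is presumably added outside the shown range or in a follow-up, as the "project user test coverage" item in the message suggests.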