Test domain users against system assignment API

This commit ensures that domain users are not able to operate on system role assignments in anyway since they lack the proper authorization to do so. - project user test coverage Change-Id: Ic27a158448e1098fdb1c0a14694793cc041e7eff Related-Bug: 1805368 Related-Bug: 1750669 Related-Bug: 1806762 (cherry picked from commit 8450d4a9cc)
2019-03-20 21:49:32 +00:00 · 2019-03-20 21:49:32 +00:00 · 4ccb4c258f
parent ad108dafe2
commit 4ccb4c258f
1 changed files with 103 additions and 0 deletions
--- a/keystone/tests/unit/protection/v3/test_system_assignments.py
+++ b/keystone/tests/unit/protection/v3/test_system_assignments.py
@ -10,6 +10,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import uuid
+
 from six.moves import http_client

 from keystone.common import provider_api
@ -94,6 +96,71 @@ class _SystemMemberAndReaderSystemAssignmentTests(object):
            )


+class _DomainAndProjectUserSystemAssignmentTests(object):
+
+    def test_user_cannot_list_system_role_assignments(self):
+        user = PROVIDERS.identity_api.create_user(
+            unit.new_user_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_user(
+            user['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/users/%s/roles' % user['id'], headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_check_user_system_role_assignments(self):
+        user = PROVIDERS.identity_api.create_user(
+            unit.new_user_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_user(
+            user['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/users/%s/roles/%s' % (
+                    user['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_grant_system_assignments(self):
+        user = PROVIDERS.identity_api.create_user(
+            unit.new_user_ref(CONF.identity.default_domain_id)
+        )
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/system/users/%s/roles/%s' % (
+                    user['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_revoke_system_assignments(self):
+        user = PROVIDERS.identity_api.create_user(
+            unit.new_user_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_user(
+            user['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/system/users/%s/roles/%s' % (
+                    user['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+
 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                        common_auth.AuthTestMixin,
                        _SystemUserSystemAssignmentTests,
@ -222,3 +289,39 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                    user['id'], self.bootstrapper.member_role_id
                ), headers=self.headers
            )
+
+
+class DomainUserTests(base_classes.TestCaseWithBootstrap,
+                      common_auth.AuthTestMixin,
+                      _DomainAndProjectUserSystemAssignmentTests):
+
+    def setUp(self):
+        super(DomainUserTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        domain = PROVIDERS.resource_api.create_domain(
+            uuid.uuid4().hex, unit.new_domain_ref()
+        )
+        self.domain_id = domain['id']
+        domain_user = unit.new_user_ref(domain_id=self.domain_id)
+        self.domain_user_id = PROVIDERS.identity_api.create_user(
+            domain_user
+        )['id']
+        PROVIDERS.assignment_api.create_grant(
+            self.bootstrapper.member_role_id, user_id=self.domain_user_id,
+            domain_id=self.domain_id
+        )
+
+        auth = self.build_authentication_request(
+            user_id=self.domain_user_id, password=domain_user['password'],
+            domain_id=self.domain_id
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}