Test domain users against system assignment API
This commit ensures that domain users are not able to operate on
system role assignments in any way since they lack the proper
authorization to do so.
- project user test coverage
Change-Id: Ic27a158448e1098fdb1c0a14694793cc041e7eff
Related-Bug: 1805368
Related-Bug: 1750669
Related-Bug: 1806762
(cherry picked from commit 8450d4a9cc
)
parent
ad108dafe2
commit
4ccb4c258f
@ -10,6 +10,8 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import uuid
|
||||
|
||||
from six.moves import http_client
|
||||
|
||||
from keystone.common import provider_api
|
||||
|
@ -94,6 +96,71 @@ class _SystemMemberAndReaderSystemAssignmentTests(object):
|
|||
)
|
||||
|
||||
|
||||
class _DomainAndProjectUserSystemAssignmentTests(object):
|
||||
|
||||
def test_user_cannot_list_system_role_assignments(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/users/%s/roles' % user['id'], headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_check_user_system_role_assignments(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/users/%s/roles/%s' % (
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_grant_system_assignments(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/system/users/%s/roles/%s' % (
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_system_assignments(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/system/users/%s/roles/%s' % (
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_SystemUserSystemAssignmentTests,
|
||||
|
@ -222,3 +289,39 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
|
|||
user['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers
|
||||
)
|
||||
|
||||
|
||||
class DomainUserTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_DomainAndProjectUserSystemAssignmentTests):
|
||||
|
||||
def setUp(self):
|
||||
super(DomainUserTests, self).setUp()
|
||||
self.loadapp()
|
||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
self.domain_id = domain['id']
|
||||
domain_user = unit.new_user_ref(domain_id=self.domain_id)
|
||||
self.domain_user_id = PROVIDERS.identity_api.create_user(
|
||||
domain_user
|
||||
)['id']
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.member_role_id, user_id=self.domain_user_id,
|
||||
domain_id=self.domain_id
|
||||
)
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.domain_user_id, password=domain_user['password'],
|
||||
domain_id=self.domain_id
|
||||
)
|
||||
|
||||
# Grab a token using the persona we're testing and prepare headers
|
||||
# for requests we'll be making in the tests.
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
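Review bot: Every negative test in `_DomainAndProjectUserSystemAssignmentTests` targets a user created in `CONF.identity.default_domain_id`, so the self-escalation path — the domain-scoped persona granting a system role to itself or to a user in its own domain — is never exercised, and that is the case a scope-enforcement bug is most likely to get wrong. Since `DomainUserTests.setUp` sets `self.domain_user_id`, `test_user_cannot_grant_system_assignments` should also PUT `'/v3/system/users/%s/roles/%s' % (self.domain_user_id, self.bootstrapper.member_role_id)` with `expected_status_code=http_client.FORBIDDEN` (assuming every class that mixes this in sets that attribute as `DomainUserTests` does). The grant and revoke tests also assert only the 403 status; checking afterwards through the assignment API that no system grant was created after the PUT and that the seeded grant still exists after the DELETE would make them state checks rather than status checks. `SystemReaderTests` and `SystemAdminTests` are cut by the hunk boundaries and are not reviewed here.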
|
||||