From 4f5e462844b6bebf112b54b75db87165f9e3919b Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 29 Nov 2018 18:36:36 +0000
Subject: [PATCH] Update registered limit policies for system admin

This change makes the policy definitions for admin registered limit operations consistent with the other registered limit policies.

Subsequent patches will incorporate:
- domain user test coverage
- project user test coverage

Change-Id: If0352220670fdf5c98d0820309817416466b1466
Related-Bug: 1805372
Related-Bug: 1805880
---
 keystone/common/policies/registered_limit.py | 6 +-
 .../protection/v3/test_registered_limits.py | 122 ++++++++++++++++++
 .../notes/bug-1805372-af4ebf4b19500b72.yaml | 25 ++++
 3 files changed, 150 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml

diff --git a/keystone/common/policies/registered_limit.py b/keystone/common/policies/registered_limit.py
index 92ac3cd4b7..b3c19a9b54 100644
--- a/keystone/common/policies/registered_limit.py
+++ b/keystone/common/policies/registered_limit.py
@@ -41,21 +41,21 @@ registered_limit_policies = [
 'method': 'HEAD'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'create_registered_limits',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str='role:admin',
 scope_types=['system'],
 description='Create registered limits.',
 operations=[{'path': '/v3/registered_limits',
 'method': 'POST'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'update_registered_limit',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str='role:admin',
 scope_types=['system'],
 description='Update registered limit.',
 operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
 'method': 'PATCH'}]),
 policy.DocumentedRuleDefault(
 name=base.IDENTITY % 'delete_registered_limit',
- check_str=base.RULE_ADMIN_REQUIRED,
+ check_str='role:admin',
 scope_types=['system'],
 description='Delete registered limit.',
 operations=[{'path': '/v3/registered_limits/{registered_limit_id}',
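Review bot: The three replacements of `base.RULE_ADMIN_REQUIRED` with `check_str='role:admin'` rely entirely on `scope_types=['system']` to confine create, update and delete to system-scoped tokens, and `scope_types` is only enforced when `oslo_policy.enforce_scope` is true; with scope enforcement off, a project- or domain-scoped token that carries the admin role still satisfies all three rules. That exposure already existed with the old rule, so it is not a regression, but the tests this commit adds run only with `enforce_scope=True` and would not notice it. If the read policies earlier in this file (outside the hunk) encode the scope in the check string itself, the same form here — `check_str='role:admin and system_scope:all'` — would keep the admin rules consistent with them and hold regardless of the deployment's enforce_scope setting.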
diff --git a/keystone/tests/unit/protection/v3/test_registered_limits.py b/keystone/tests/unit/protection/v3/test_registered_limits.py
index 42a4713850..c99ace0083 100644
--- a/keystone/tests/unit/protection/v3/test_registered_limits.py
+++ b/keystone/tests/unit/protection/v3/test_registered_limits.py
@@ -193,3 +193,125 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
 r = c.post('/v3/auth/tokens', json=auth)
 self.token_id = r.headers['X-Subject-Token']
 self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+ common_auth.AuthTestMixin):
+
+ def setUp(self):
+ super(SystemAdminTests, self).setUp()
+ self.loadapp()
+ self.useFixture(ksfixtures.Policy(self.config_fixture))
+ self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+ # Reuse the system administrator account created during
+ # ``keystone-manage bootstrap``
+ self.user_id = self.bootstrapper.admin_user_id
+ auth = self.build_authentication_request(
+ user_id=self.user_id,
+ password=self.bootstrapper.admin_password,
+ system=True
+ )
+
+ # Grab a token using the persona we're testing and prepare headers
+ # for requests we'll be making in the tests.
+ with self.test_client() as c:
+ r = c.post('/v3/auth/tokens', json=auth)
+ self.token_id = r.headers['X-Subject-Token']
+ self.headers = {'X-Auth-Token': self.token_id}
+
+ def test_user_can_get_a_registered_limit(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ registered_limit = unit.new_registered_limit_ref(
+ service_id=service['id'], id=uuid.uuid4().hex
+ )
+ limits = PROVIDERS.unified_limit_api.create_registered_limits(
+ [registered_limit]
+ )
+ limit_id = limits[0]['id']
+
+ with self.test_client() as c:
+ r = c.get(
+ '/v3/registered_limits/%s' % limit_id, headers=self.headers
+ )
+ self.assertEqual(limit_id, r.json['registered_limit']['id'])
+
+ def test_user_can_list_registered_limits(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ registered_limit = unit.new_registered_limit_ref(
+ service_id=service['id'], id=uuid.uuid4().hex
+ )
+ limits = PROVIDERS.unified_limit_api.create_registered_limits(
+ [registered_limit]
+ )
+ limit_id = limits[0]['id']
+
+ with self.test_client() as c:
+ r = c.get(
+ '/v3/registered_limits', headers=self.headers
+ )
+ self.assertTrue(len(r.json['registered_limits']) == 1)
+ self.assertEqual(limit_id, r.json['registered_limits'][0]['id'])
+
+ def test_user_can_create_registered_limits(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ create = {
+ 'registered_limits': [
+ unit.new_registered_limit_ref(
+ service_id=service['id']
+ )
+ ]
+ }
+
+ with self.test_client() as c:
+ c.post('/v3/registered_limits', json=create, headers=self.headers)
+
+ def test_user_can_update_registered_limits(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ registered_limit = unit.new_registered_limit_ref(
+ service_id=service['id'], id=uuid.uuid4().hex
+ )
+ limits = PROVIDERS.unified_limit_api.create_registered_limits(
+ [registered_limit]
+ )
+ limit_id = limits[0]['id']
+
+ with self.test_client() as c:
+ update = {
+ 'registered_limit': {'default_limit': 5}
+ }
+
+ c.patch(
+ '/v3/registered_limits/%s' % limit_id, json=update,
+ headers=self.headers
+ )
+
+ def test_user_can_delete_registered_limits(self):
+ service = PROVIDERS.catalog_api.create_service(
+ uuid.uuid4().hex, unit.new_service_ref()
+ )
+
+ registered_limit = unit.new_registered_limit_ref(
+ service_id=service['id'], id=uuid.uuid4().hex
+ )
+ limits = PROVIDERS.unified_limit_api.create_registered_limits(
+ [registered_limit]
+ )
+ limit_id = limits[0]['id']
+
+ with self.test_client() as c:
+ c.delete(
+ '/v3/registered_limits/%s' % limit_id, headers=self.headers
+ )
diff --git a/releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml b/releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml
new file mode 100644
index 0000000000..7cab01bb31
--- /dev/null
+++ b/releasenotes/notes/bug-1805372-af4ebf4b19500b72.yaml
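Review bot: `test_user_can_create_registered_limits`, `test_user_can_update_registered_limits` and `test_user_can_delete_registered_limits` send the request but never check its outcome, so unless the test client fails non-2xx responses on its own, a 403 from a mis-set policy would still let these tests pass and they would not actually prove the system-admin persona is authorized. Capture the response and assert on it — `r = c.post('/v3/registered_limits', json=create, headers=self.headers)` followed by `self.assertEqual(201, r.status_code)` — and do the same with the matching 2xx status for the PATCH and DELETE calls. As a point of style, `self.assertTrue(len(r.json['registered_limits']) == 1)` in the list test reads better as `self.assertEqual(1, len(r.json['registered_limits']))`, which also reports the actual length on failure.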
@@ -0,0 +1,25 @@
+---
+features:
+ - |
+ [`bug 1805372 `_]
+ The registered limit API now supports the ``admin``, ``member``, and
+ ``reader`` default roles.
+upgrade:
+ - |
+ [`bug 1805372 `_]
+ The following registered limit policy check strings have changed
+ in favor of more clear and concise defaults:
+
+ * ``identity:create_registered_limits``
+ * ``identity:update_registered_limit``
+ * ``identity:delete_registered_limit``
+
+ These policies are not being formally deprecated because the
+ unified limits API is still considered experiemental. Please
+ consider these new defaults if your deployment overrides the
+ registered limit policies.
+security:
+ - |
+ [`bug 1805372 `_]
+ The registered limit API now uses system-scope and default
+ roles to provide better accessibility to users in a secure way.