
Implement system member role user test coverage

This commit introduces explicit test coverage for system members,
making sure they are allowed to perform read operations on users but
not write operations.

Subsequent patches will incorporate:

  - system admin functionality
  - domain reader functionality
  - domain member test coverage
  - domain admin functionality
  - project user test coverage

Change-Id: Ibc837225154ba7bcd2f93938565b41ff0e8f4803
Partial-Bug: 1805406
Partial-Bug: 1748027
Partial-Bug: 968696
tags/15.0.0.0rc1
Lance Bragstad 1 year ago
parent
commit
4f724f2d93
1 changed files with 72 additions and 32 deletions
  1. +72
    -32
      keystone/tests/unit/protection/v3/test_users.py

+ 72
- 32
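--- a/keystone/tests/unit/protection/v3/test_users.py
+++ b/keystone/tests/unit/protection/v3/test_users.py
@@ -71,38 +71,8 @@ class _SystemUserTests(object):
 self.assertIn(user_id, returned_user_ids)
 
 
-class SystemReaderTests(base_classes.TestCaseWithBootstrap,
-common_auth.AuthTestMixin,
-_CommonUserTests,
-_SystemUserTests):
-
-def setUp(self):
-super(SystemReaderTests, self).setUp()
-self.loadapp()
-self.useFixture(ksfixtures.Policy(self.config_fixture))
-self.config_fixture.config(group='oslo_policy', enforce_scope=True)
-
-system_reader = unit.new_user_ref(
-domain_id=CONF.identity.default_domain_id
-)
-self.user_id = PROVIDERS.identity_api.create_user(
-system_reader
-)['id']
-PROVIDERS.assignment_api.create_system_grant_for_user(
-self.user_id, self.bootstrapper.reader_role_id
-)
-
-auth = self.build_authentication_request(
-user_id=self.user_id, password=system_reader['password'],
-system=True
-)
-
-# Grab a token using the persona we're testing and prepare headers
-# for requests we'll be making in the tests.
-with self.test_client() as c:
-r = c.post('/v3/auth/tokens', json=auth)
-self.token_id = r.headers['X-Subject-Token']
-self.headers = {'X-Auth-Token': self.token_id}
+class _SystemMemberAndReaderUserTests(object):
+"""Common functionality for system readers and system members."""
 
 def test_user_cannot_create_users(self):
 create = {
@@ -160,3 +130,73 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
 '/v3/users/%s' % uuid.uuid4().hex, headers=self.headers,
 expected_status_code=http_client.FORBIDDEN
 )
+
+
+class SystemReaderTests(base_classes.TestCaseWithBootstrap,
+common_auth.AuthTestMixin,
+_CommonUserTests,
+_SystemUserTests,
+_SystemMemberAndReaderUserTests):
+
+def setUp(self):
+super(SystemReaderTests, self).setUp()
+self.loadapp()
+self.useFixture(ksfixtures.Policy(self.config_fixture))
+self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+system_reader = unit.new_user_ref(
+domain_id=CONF.identity.default_domain_id
+)
+self.user_id = PROVIDERS.identity_api.create_user(
+system_reader
+)['id']
+PROVIDERS.assignment_api.create_system_grant_for_user(
+self.user_id, self.bootstrapper.reader_role_id
+)
+
+auth = self.build_authentication_request(
+user_id=self.user_id, password=system_reader['password'],
+system=True
+)
+
+# Grab a token using the persona we're testing and prepare headers
+# for requests we'll be making in the tests.
+with self.test_client() as c:
+r = c.post('/v3/auth/tokens', json=auth)
+self.token_id = r.headers['X-Subject-Token']
+self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemMemberTests(base_classes.TestCaseWithBootstrap,
+common_auth.AuthTestMixin,
+_CommonUserTests,
+_SystemUserTests,
+_SystemMemberAndReaderUserTests):
+
+def setUp(self):
+super(SystemMemberTests, self).setUp()
+self.loadapp()
+self.useFixture(ksfixtures.Policy(self.config_fixture))
+self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+system_member = unit.new_user_ref(
+domain_id=CONF.identity.default_domain_id
+)
+self.user_id = PROVIDERS.identity_api.create_user(
+system_member
+)['id']
+PROVIDERS.assignment_api.create_system_grant_for_user(
+self.user_id, self.bootstrapper.member_role_id
+)
+
+auth = self.build_authentication_request(
+user_id=self.user_id, password=system_member['password'],
+system=True
+)
+
+# Grab a token using the persona we're testing and prepare headers
+# for requests we'll be making in the tests.
+with self.test_client() as c:
+r = c.post('/v3/auth/tokens', json=auth)
+self.token_id = r.headers['X-Subject-Token']
+self.headers = {'X-Auth-Token': self.token_id}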
