From 50073c5a0e00389518ee414e3ef1ef1f5db1676d Mon Sep 17 00:00:00 2001 From: Liang Chen Date: Thu, 11 Apr 2013 18:05:00 +0800 Subject: [PATCH] Add rule for list_groups_for_user in policy.json Providing an initial policy rule for the list_groups_for_user operation in the sample policy.json file for the ease of configuration. Fixes bug #1167836 Change-Id: Id253729098a95d3b129babde1b3706f409a095dd --- etc/policy.json | 1 + tests/test_v3_identity.py | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/etc/policy.json b/etc/policy.json index 17da8eac45..f53161ef52 100644 --- a/etc/policy.json +++ b/etc/policy.json @@ -38,6 +38,7 @@ "identity:get_group": [["rule:admin_required"]], "identity:list_groups": [["rule:admin_required"]], + "identity:list_groups_for_user": [["rule:admin_or_owner"]], "identity:create_group": [["rule:admin_required"]], "identity:update_group": [["rule:admin_required"]], "identity:delete_group": [["rule:admin_required"]], diff --git a/tests/test_v3_identity.py b/tests/test_v3_identity.py index e9fe44c9d2..d212857b7f 100644 --- a/tests/test_v3_identity.py +++ b/tests/test_v3_identity.py @@ -349,6 +349,43 @@ class IdentityTestCase(test_v3.RestfulTestCase): self.put('/groups/%(group_id)s/users/%(user_id)s' % { 'group_id': self.group_id, 'user_id': self.user['id']}) + def test_list_groups_for_user(self): + """GET /users/{user_id}/groups""" + + self.user1 = self.new_user_ref( + domain_id=self.domain['id']) + self.user1['password'] = uuid.uuid4().hex + self.identity_api.create_user(self.user1['id'], self.user1) + self.user2 = self.new_user_ref( + domain_id=self.domain['id']) + self.user2['password'] = uuid.uuid4().hex + self.identity_api.create_user(self.user1['id'], self.user2) + self.put('/groups/%(group_id)s/users/%(user_id)s' % { + 'group_id': self.group_id, 'user_id': self.user1['id']}) + + #Scenarios below are written to test the default policy configuration + + #One should be allowed to list one's own groups + auth = self.build_authentication_request( + user_id=self.user1['id'], + password=self.user1['password']) + r = self.get('/users/%(user_id)s/groups' % { + 'user_id': self.user1['id']}, auth=auth) + self.assertValidGroupListResponse(r, ref=self.group) + + #Administrator is allowed to list others' groups + r = self.get('/users/%(user_id)s/groups' % { + 'user_id': self.user1['id']}) + self.assertValidGroupListResponse(r, ref=self.group) + + #Ordinary users should not be allowed to list other's groups + auth = self.build_authentication_request( + user_id=self.user2['id'], + password=self.user2['password']) + r = self.get('/users/%(user_id)s/groups' % { + 'user_id': self.user1['id']}, auth=auth, + expected_status=exception.ForbiddenAction.code) + def test_check_user_in_group(self): """HEAD /groups/{group_id}/users/{user_id}""" self.put('/groups/%(group_id)s/users/%(user_id)s' % {