From 6037ac58de0fe599df9220a068e1ef054194187a Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Mon, 10 Dec 2018 18:45:25 +0000
Subject: [PATCH] Implement system member role project test coverage

This commit introduces explicit test coverage for system members,
making sure they are allowed to do readable and not writable project
operations.

Subsequent patches will incorporate:

  - system admin functionality
  - domain reader functionality
  - domain member test coverage
  - domain admin functionality
  - project user test coverage

Change-Id: I69ff308ea528d54e0db8e475d047e3dbf356ed2f
Related-Bug: 1805403
Related-Bug: 1750660
Related-Bug: 1806762
---
 .../tests/unit/protection/v3/test_projects.py | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/keystone/tests/unit/protection/v3/test_projects.py b/keystone/tests/unit/protection/v3/test_projects.py
index cf329857cb..ba2a25f43c 100644
--- a/keystone/tests/unit/protection/v3/test_projects.py
+++ b/keystone/tests/unit/protection/v3/test_projects.py
@@ -180,6 +180,40 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
             self.headers = {'X-Auth-Token': self.token_id}
 
 
+class SystemMemberTests(base_classes.TestCaseWithBootstrap,
+                        common_auth.AuthTestMixin,
+                        _SystemUserTests,
+                        _SystemMemberAndReaderProjectTests):
+
+    def setUp(self):
+        super(SystemMemberTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        system_member = unit.new_user_ref(
+            domain_id=CONF.identity.default_domain_id
+        )
+        self.user_id = PROVIDERS.identity_api.create_user(
+            system_member
+        )['id']
+        PROVIDERS.assignment_api.create_system_grant_for_user(
+            self.user_id, self.bootstrapper.member_role_id
+        )
+
+        auth = self.build_authentication_request(
+            user_id=self.user_id, password=system_member['password'],
+            system=True
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}
+
+
 class ProjectUserTests(base_classes.TestCaseWithBootstrap,
                        common_auth.AuthTestMixin):