Reorganize role assignment tests for system users
The GET /v3/role_assignments API is a read-only API, making the behavior for all system users the same. They should all be able to list and filter role assignments for the entire deployment. This commit moves the existing system reader tests into a common class that can be reused by other test classes for system members and system administrators. Subsequent patches will: - add test coverage for system members - add test coverage for system admins - add functionality for domain readers - add functionality for domain members - add functionality for domain admins - add functionality for project readers - add functionality for project members - add functionality for project admins - remove the obsolete policies from policy.v3cloudsample.json Change-Id: Ic9b1ad3306bb272d3e24a00009014df16b36a65d Partial-Bug: 1750673 Partial-Bug: 1816833
parent
ca835d913d
commit
63c6e6c397
|
@ -23,36 +23,8 @@ CONF = keystone.conf.CONF
|
||||||
PROVIDERS = provider_api.ProviderAPIs
|
PROVIDERS = provider_api.ProviderAPIs
|
||||||
|
|
||||||
|
|
||||||
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
class _AssignmentTestUtilities(object):
|
||||||
common_auth.AuthTestMixin):
|
"""Useful utilities for setting up test assignments and assertions."""
|
||||||
|
|
||||||
def setUp(self):
|
|
||||||
super(SystemReaderTests, self).setUp()
|
|
||||||
self.loadapp()
|
|
||||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
|
||||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
|
||||||
|
|
||||||
system_reader = unit.new_user_ref(
|
|
||||||
domain_id=CONF.identity.default_domain_id
|
|
||||||
)
|
|
||||||
self.user_id = PROVIDERS.identity_api.create_user(
|
|
||||||
system_reader
|
|
||||||
)['id']
|
|
||||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
|
||||||
self.user_id, self.bootstrapper.reader_role_id
|
|
||||||
)
|
|
||||||
|
|
||||||
auth = self.build_authentication_request(
|
|
||||||
user_id=self.user_id, password=system_reader['password'],
|
|
||||||
system=True
|
|
||||||
)
|
|
||||||
|
|
||||||
# Grab a token using the persona we're testing and prepare headers
|
|
||||||
# for requests we'll be making in the tests.
|
|
||||||
with self.test_client() as c:
|
|
||||||
r = c.post('/v3/auth/tokens', json=auth)
|
|
||||||
self.token_id = r.headers['X-Subject-Token']
|
|
||||||
self.headers = {'X-Auth-Token': self.token_id}
|
|
||||||
|
|
||||||
def _setup_test_role_assignments(self):
|
def _setup_test_role_assignments(self):
|
||||||
# Utility to create assignments and return important data for
|
# Utility to create assignments and return important data for
|
||||||
|
@ -140,127 +112,123 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
assignments.append(a)
|
assignments.append(a)
|
||||||
return assignments
|
return assignments
|
||||||
|
|
||||||
|
|
||||||
|
class _SystemUserTests(object):
|
||||||
|
"""Common functionality for system users regardless of default role."""
|
||||||
|
|
||||||
def test_user_can_list_all_role_assignments_in_the_deployment(self):
|
def test_user_can_list_all_role_assignments_in_the_deployment(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
expected = [
|
|
||||||
# assignment of the user running the test case
|
# this assignment is created by keystone-manage bootstrap
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': self.user_id,
|
'user_id': self.bootstrapper.admin_user_id,
|
||||||
'system': 'all',
|
'project_id': self.bootstrapper.project_id,
|
||||||
'role_id': self.bootstrapper.reader_role_id
|
'role_id': self.bootstrapper.admin_role_id
|
||||||
},
|
})
|
||||||
# this assignment is created by keystone-manage bootstrap
|
|
||||||
{
|
# this assignment is created by keystone-manage bootstrap
|
||||||
'user_id': self.bootstrapper.admin_user_id,
|
self.expected.append({
|
||||||
'project_id': self.bootstrapper.project_id,
|
'user_id': self.bootstrapper.admin_user_id,
|
||||||
'role_id': self.bootstrapper.admin_role_id
|
'system': 'all',
|
||||||
},
|
'role_id': self.bootstrapper.admin_role_id
|
||||||
# this assignment is created by keystone-manage bootstrap
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': self.bootstrapper.admin_user_id,
|
'user_id': assignments['user_id'],
|
||||||
'system': 'all',
|
'project_id': assignments['project_id'],
|
||||||
'role_id': self.bootstrapper.admin_role_id
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': assignments['user_id'],
|
'user_id': assignments['user_id'],
|
||||||
'project_id': assignments['project_id'],
|
'domain_id': assignments['domain_id'],
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': assignments['user_id'],
|
'user_id': assignments['user_id'],
|
||||||
'domain_id': assignments['domain_id'],
|
'system': 'all',
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': assignments['user_id'],
|
'group_id': assignments['group_id'],
|
||||||
'system': 'all',
|
'project_id': assignments['project_id'],
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'group_id': assignments['group_id'],
|
'group_id': assignments['group_id'],
|
||||||
'project_id': assignments['project_id'],
|
'domain_id': assignments['domain_id'],
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'group_id': assignments['group_id'],
|
'group_id': assignments['group_id'],
|
||||||
'domain_id': assignments['domain_id'],
|
'system': 'all',
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
|
||||||
'group_id': assignments['group_id'],
|
|
||||||
'system': 'all',
|
|
||||||
'role_id': assignments['role_id']
|
|
||||||
}
|
|
||||||
]
|
|
||||||
|
|
||||||
with self.test_client() as c:
|
with self.test_client() as c:
|
||||||
r = c.get('/v3/role_assignments', headers=self.headers)
|
r = c.get('/v3/role_assignments', headers=self.headers)
|
||||||
self.assertEqual(len(expected), len(r.json['role_assignments']))
|
self.assertEqual(
|
||||||
|
len(self.expected), len(r.json['role_assignments'])
|
||||||
|
)
|
||||||
actual = self._extract_role_assignments_from_response_body(r)
|
actual = self._extract_role_assignments_from_response_body(r)
|
||||||
for assignment in actual:
|
for assignment in actual:
|
||||||
self.assertIn(assignment, expected)
|
self.assertIn(assignment, self.expected)
|
||||||
|
|
||||||
def test_user_can_list_all_role_names_assignments_in_the_deployment(self):
|
def test_user_can_list_all_role_names_assignments_in_the_deployment(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
expected = [
|
|
||||||
# assignment of the user running the test case
|
# this assignment is created by keystone-manage bootstrap
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': self.user_id,
|
'user_id': self.bootstrapper.admin_user_id,
|
||||||
'system': 'all',
|
'project_id': self.bootstrapper.project_id,
|
||||||
'role_id': self.bootstrapper.reader_role_id
|
'role_id': self.bootstrapper.admin_role_id
|
||||||
},
|
})
|
||||||
# this assignment is created by keystone-manage bootstrap
|
|
||||||
{
|
# this assignment is created by keystone-manage bootstrap
|
||||||
'user_id': self.bootstrapper.admin_user_id,
|
self.expected.append({
|
||||||
'project_id': self.bootstrapper.project_id,
|
'user_id': self.bootstrapper.admin_user_id,
|
||||||
'role_id': self.bootstrapper.admin_role_id
|
'system': 'all',
|
||||||
},
|
'role_id': self.bootstrapper.admin_role_id
|
||||||
# this assignment is created by keystone-manage bootstrap
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': self.bootstrapper.admin_user_id,
|
'user_id': assignments['user_id'],
|
||||||
'system': 'all',
|
'project_id': assignments['project_id'],
|
||||||
'role_id': self.bootstrapper.admin_role_id
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': assignments['user_id'],
|
'user_id': assignments['user_id'],
|
||||||
'project_id': assignments['project_id'],
|
'domain_id': assignments['domain_id'],
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': assignments['user_id'],
|
'user_id': assignments['user_id'],
|
||||||
'domain_id': assignments['domain_id'],
|
'system': 'all',
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': assignments['user_id'],
|
'group_id': assignments['group_id'],
|
||||||
'system': 'all',
|
'project_id': assignments['project_id'],
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'group_id': assignments['group_id'],
|
'group_id': assignments['group_id'],
|
||||||
'project_id': assignments['project_id'],
|
'domain_id': assignments['domain_id'],
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
self.expected.append({
|
||||||
'group_id': assignments['group_id'],
|
'group_id': assignments['group_id'],
|
||||||
'domain_id': assignments['domain_id'],
|
'system': 'all',
|
||||||
'role_id': assignments['role_id']
|
'role_id': assignments['role_id']
|
||||||
},
|
})
|
||||||
{
|
|
||||||
'group_id': assignments['group_id'],
|
|
||||||
'system': 'all',
|
|
||||||
'role_id': assignments['role_id']
|
|
||||||
}
|
|
||||||
]
|
|
||||||
|
|
||||||
with self.test_client() as c:
|
with self.test_client() as c:
|
||||||
r = c.get(
|
r = c.get(
|
||||||
'/v3/role_assignments?include_names=True', headers=self.headers
|
'/v3/role_assignments?include_names=True', headers=self.headers
|
||||||
)
|
)
|
||||||
self.assertEqual(len(expected), len(r.json['role_assignments']))
|
self.assertEqual(
|
||||||
|
len(self.expected), len(r.json['role_assignments'])
|
||||||
|
)
|
||||||
actual = self._extract_role_assignments_from_response_body(r)
|
actual = self._extract_role_assignments_from_response_body(r)
|
||||||
for assignment in actual:
|
for assignment in actual:
|
||||||
self.assertIn(assignment, expected)
|
self.assertIn(assignment, self.expected)
|
||||||
|
|
||||||
def test_user_can_filter_role_assignments_by_project(self):
|
def test_user_can_filter_role_assignments_by_project(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
|
@ -316,40 +284,35 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
|
|
||||||
def test_user_can_filter_role_assignments_by_system(self):
|
def test_user_can_filter_role_assignments_by_system(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
expected = [
|
|
||||||
# assignment of the user running the test case
|
# this assignment is created by keystone-manage bootstrap
|
||||||
{
|
self.expected.append({
|
||||||
'user_id': self.user_id,
|
'user_id': self.bootstrapper.admin_user_id,
|
||||||
'system': 'all',
|
'system': 'all',
|
||||||
'role_id': self.bootstrapper.reader_role_id
|
'role_id': self.bootstrapper.admin_role_id
|
||||||
},
|
})
|
||||||
# this assignment is created by keystone-manage bootstrap
|
self.expected.append({
|
||||||
{
|
'user_id': assignments['user_id'],
|
||||||
'user_id': self.bootstrapper.admin_user_id,
|
'system': 'all',
|
||||||
'system': 'all',
|
'role_id': assignments['role_id']
|
||||||
'role_id': self.bootstrapper.admin_role_id
|
})
|
||||||
},
|
self.expected.append({
|
||||||
{
|
'group_id': assignments['group_id'],
|
||||||
'user_id': assignments['user_id'],
|
'system': 'all',
|
||||||
'system': 'all',
|
'role_id': assignments['role_id']
|
||||||
'role_id': assignments['role_id']
|
})
|
||||||
},
|
|
||||||
{
|
|
||||||
'group_id': assignments['group_id'],
|
|
||||||
'system': 'all',
|
|
||||||
'role_id': assignments['role_id']
|
|
||||||
}
|
|
||||||
]
|
|
||||||
|
|
||||||
with self.test_client() as c:
|
with self.test_client() as c:
|
||||||
r = c.get(
|
r = c.get(
|
||||||
'/v3/role_assignments?scope.system=all',
|
'/v3/role_assignments?scope.system=all',
|
||||||
headers=self.headers
|
headers=self.headers
|
||||||
)
|
)
|
||||||
self.assertEqual(len(expected), len(r.json['role_assignments']))
|
self.assertEqual(
|
||||||
|
len(self.expected), len(r.json['role_assignments'])
|
||||||
|
)
|
||||||
actual = self._extract_role_assignments_from_response_body(r)
|
actual = self._extract_role_assignments_from_response_body(r)
|
||||||
for assignment in actual:
|
for assignment in actual:
|
||||||
self.assertIn(assignment, expected)
|
self.assertIn(assignment, self.expected)
|
||||||
|
|
||||||
def test_user_can_filter_role_assignments_by_user(self):
|
def test_user_can_filter_role_assignments_by_user(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
|
@ -416,44 +379,37 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
|
|
||||||
def test_user_can_filter_role_assignments_by_role(self):
|
def test_user_can_filter_role_assignments_by_role(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
expected = [
|
self.expected.append({
|
||||||
# assignment of the user running the test case
|
'user_id': assignments['user_id'],
|
||||||
{
|
'project_id': assignments['project_id'],
|
||||||
'user_id': self.user_id,
|
'role_id': assignments['role_id']
|
||||||
'system': 'all',
|
})
|
||||||
'role_id': self.bootstrapper.reader_role_id
|
self.expected.append({
|
||||||
},
|
'user_id': assignments['user_id'],
|
||||||
{
|
'domain_id': assignments['domain_id'],
|
||||||
'user_id': assignments['user_id'],
|
'role_id': assignments['role_id']
|
||||||
'project_id': assignments['project_id'],
|
})
|
||||||
'role_id': assignments['role_id']
|
self.expected.append({
|
||||||
},
|
'user_id': assignments['user_id'],
|
||||||
{
|
'system': 'all',
|
||||||
'user_id': assignments['user_id'],
|
'role_id': assignments['role_id']
|
||||||
'domain_id': assignments['domain_id'],
|
})
|
||||||
'role_id': assignments['role_id']
|
self.expected.append({
|
||||||
},
|
'group_id': assignments['group_id'],
|
||||||
{
|
'project_id': assignments['project_id'],
|
||||||
'user_id': assignments['user_id'],
|
'role_id': assignments['role_id']
|
||||||
'system': 'all',
|
})
|
||||||
'role_id': assignments['role_id']
|
self.expected.append({
|
||||||
},
|
'group_id': assignments['group_id'],
|
||||||
{
|
'domain_id': assignments['domain_id'],
|
||||||
'group_id': assignments['group_id'],
|
'role_id': assignments['role_id']
|
||||||
'project_id': assignments['project_id'],
|
})
|
||||||
'role_id': assignments['role_id']
|
self.expected.append({
|
||||||
},
|
'group_id': assignments['group_id'],
|
||||||
{
|
'system': 'all',
|
||||||
'group_id': assignments['group_id'],
|
'role_id': assignments['role_id']
|
||||||
'domain_id': assignments['domain_id'],
|
})
|
||||||
'role_id': assignments['role_id']
|
|
||||||
},
|
|
||||||
{
|
|
||||||
'group_id': assignments['group_id'],
|
|
||||||
'system': 'all',
|
|
||||||
'role_id': assignments['role_id']
|
|
||||||
}
|
|
||||||
]
|
|
||||||
role_id = assignments['role_id']
|
role_id = assignments['role_id']
|
||||||
|
|
||||||
with self.test_client() as c:
|
with self.test_client() as c:
|
||||||
|
@ -461,10 +417,12 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
'/v3/role_assignments?role.id=%s&include_names=True' % role_id,
|
'/v3/role_assignments?role.id=%s&include_names=True' % role_id,
|
||||||
headers=self.headers
|
headers=self.headers
|
||||||
)
|
)
|
||||||
self.assertEqual(len(expected), len(r.json['role_assignments']))
|
self.assertEqual(
|
||||||
|
len(self.expected), len(r.json['role_assignments'])
|
||||||
|
)
|
||||||
actual = self._extract_role_assignments_from_response_body(r)
|
actual = self._extract_role_assignments_from_response_body(r)
|
||||||
for assignment in actual:
|
for assignment in actual:
|
||||||
self.assertIn(assignment, expected)
|
self.assertIn(assignment, self.expected)
|
||||||
|
|
||||||
def test_user_can_filter_role_assignments_by_project_and_role(self):
|
def test_user_can_filter_role_assignments_by_project_and_role(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
|
@ -520,24 +478,16 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
|
|
||||||
def test_user_can_filter_role_assignments_by_system_and_role(self):
|
def test_user_can_filter_role_assignments_by_system_and_role(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
expected = [
|
self.expected.append({
|
||||||
# assignment of the user running the test case
|
'user_id': assignments['user_id'],
|
||||||
{
|
'system': 'all',
|
||||||
'user_id': self.user_id,
|
'role_id': assignments['role_id']
|
||||||
'system': 'all',
|
})
|
||||||
'role_id': self.bootstrapper.reader_role_id
|
self.expected.append({
|
||||||
},
|
'group_id': assignments['group_id'],
|
||||||
{
|
'system': 'all',
|
||||||
'user_id': assignments['user_id'],
|
'role_id': assignments['role_id']
|
||||||
'system': 'all',
|
})
|
||||||
'role_id': assignments['role_id']
|
|
||||||
},
|
|
||||||
{
|
|
||||||
'group_id': assignments['group_id'],
|
|
||||||
'system': 'all',
|
|
||||||
'role_id': assignments['role_id']
|
|
||||||
}
|
|
||||||
]
|
|
||||||
role_id = assignments['role_id']
|
role_id = assignments['role_id']
|
||||||
|
|
||||||
with self.test_client() as c:
|
with self.test_client() as c:
|
||||||
|
@ -545,10 +495,12 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
'/v3/role_assignments?scope.system=all&role.id=%s' % role_id,
|
'/v3/role_assignments?scope.system=all&role.id=%s' % role_id,
|
||||||
headers=self.headers
|
headers=self.headers
|
||||||
)
|
)
|
||||||
self.assertEqual(len(expected), len(r.json['role_assignments']))
|
self.assertEqual(
|
||||||
|
len(self.expected), len(r.json['role_assignments'])
|
||||||
|
)
|
||||||
actual = self._extract_role_assignments_from_response_body(r)
|
actual = self._extract_role_assignments_from_response_body(r)
|
||||||
for assignment in actual:
|
for assignment in actual:
|
||||||
self.assertIn(assignment, expected)
|
self.assertIn(assignment, self.expected)
|
||||||
|
|
||||||
def test_user_can_filter_role_assignments_by_user_and_role(self):
|
def test_user_can_filter_role_assignments_by_user_and_role(self):
|
||||||
assignments = self._setup_test_role_assignments()
|
assignments = self._setup_test_role_assignments()
|
||||||
|
@ -695,3 +647,45 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
actual = self._extract_role_assignments_from_response_body(r)
|
actual = self._extract_role_assignments_from_response_body(r)
|
||||||
for assignment in actual:
|
for assignment in actual:
|
||||||
self.assertIn(assignment, expected)
|
self.assertIn(assignment, expected)
|
||||||
|
|
||||||
|
|
||||||
|
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
|
common_auth.AuthTestMixin,
|
||||||
|
_AssignmentTestUtilities,
|
||||||
|
_SystemUserTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(SystemReaderTests, self).setUp()
|
||||||
|
self.loadapp()
|
||||||
|
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||||
|
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||||
|
|
||||||
|
system_reader = unit.new_user_ref(
|
||||||
|
domain_id=CONF.identity.default_domain_id
|
||||||
|
)
|
||||||
|
self.user_id = PROVIDERS.identity_api.create_user(
|
||||||
|
system_reader
|
||||||
|
)['id']
|
||||||
|
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||||
|
self.user_id, self.bootstrapper.reader_role_id
|
||||||
|
)
|
||||||
|
self.expected = [
|
||||||
|
# assignment of the user running the test case
|
||||||
|
{
|
||||||
|
'user_id': self.user_id,
|
||||||
|
'system': 'all',
|
||||||
|
'role_id': self.bootstrapper.reader_role_id
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
||||||
|
auth = self.build_authentication_request(
|
||||||
|
user_id=self.user_id, password=system_reader['password'],
|
||||||
|
system=True
|
||||||
|
)
|
||||||
|
|
||||||
|
# Grab a token using the persona we're testing and prepare headers
|
||||||
|
# for requests we'll be making in the tests.
|
||||||
|
with self.test_client() as c:
|
||||||
|
r = c.post('/v3/auth/tokens', json=auth)
|
||||||
|
self.token_id = r.headers['X-Subject-Token']
|
||||||
|
self.headers = {'X-Auth-Token': self.token_id}
|
||||||
|
|
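Review bot: In `test_user_can_filter_role_assignments_by_role` and `test_user_can_filter_role_assignments_by_system_and_role`, the new code appends to the `self.expected` list seeded in `setUp`, so the persona's own system assignment is always counted as a match for the `role.id` filter. That only holds while the persona's role equals `assignments['role_id']`; the body of `_setup_test_role_assignments` is mostly outside the visible hunks, but the removed lists paired `self.bootstrapper.reader_role_id` with the same filter, which suggests the helper hands out the reader role. Since `_SystemUserTests` is meant to be reused for system members and admins, those classes would seed a different role, and the length assertion in these two tests would then fail or force a seed that misstates the persona's grant. Narrowing the seed before appending keeps the shared tests persona-independent: `self.expected = [ra for ra in self.expected if ra['role_id'] == assignments['role_id']]`. A short comment on `_SystemUserTests` saying that the concrete class must set `self.expected` and `self.headers` in `setUp` would also make the mixin's contract explicit.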