Add tests for domain users for trusts
Users with any role on a domain have no ability to use trusts. That privilege is only granted to project users, who may create trusts for their own project and list and delete their own trusts, and system users, who may audit and clean up trusts. This change adds tests to verify that behavior. Change-Id: I8404c062cc07ef83bf77fdd9178919aff0a0d6d5 Partial-bug: #1818850
This commit is contained in:
parent
6aebf179b8
commit
686ec6dda6
|
@ -942,3 +942,136 @@ class ProjectUserTests(TrustTests):
|
|||
headers=self.other_headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class DomainUserTests(TrustTests):
|
||||
"""Tests for all domain users.
|
||||
|
||||
Domain users should not be able to interact with trusts at all.
|
||||
"""
|
||||
|
||||
def setUp(self):
|
||||
super(DomainUserTests, self).setUp()
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
domain_admin = unit.new_user_ref(domain_id=self.domain_id)
|
||||
self.user_id = PROVIDERS.identity_api.create_user(
|
||||
domain_admin)['id']
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.admin_role_id, user_id=self.user_id,
|
||||
domain_id=self.domain_id
|
||||
)
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.user_id,
|
||||
password=domain_admin['password'],
|
||||
domain_id=self.domain_id
|
||||
)
|
||||
# Grab a token using another persona who has no trusts associated with
|
||||
# them
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
def test_trustor_cannot_list_trusts_for_trustee(self):
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
self.trust_id, **self.trust_data)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
|
||||
self.trustee_user_id),
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_trustee_cannot_list_trusts_for_trustor(self):
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
self.trust_id, **self.trust_data)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
|
||||
self.trustor_user_id),
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_list_all_trusts(self):
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
self.trust_id, **self.trust_data)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/OS-TRUST/trusts',
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_get_trust(self):
|
||||
ref = PROVIDERS.trust_api.create_trust(
|
||||
self.trust_id, **self.trust_data)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/OS-TRUST/trusts/%s' % ref['id'],
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_can_get_non_existent_trust_not_found(self):
|
||||
trust_id = uuid.uuid4().hex
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/OS-TRUST/trusts/%s' % trust_id,
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.NOT_FOUND
|
||||
)
|
||||
|
||||
def test_user_cannot_create_trust(self):
|
||||
trust_data = self.trust_data['trust']
|
||||
trust_data['trustor_user_id'] = self.user_id
|
||||
json = {'trust': trust_data}
|
||||
json['trust']['roles'] = self.trust_data['roles']
|
||||
|
||||
with self.test_client() as c:
|
||||
c.post(
|
||||
'/v3/OS-TRUST/trusts',
|
||||
json=json,
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_delete_trust(self):
|
||||
ref = PROVIDERS.trust_api.create_trust(
|
||||
self.trust_id, **self.trust_data)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/OS-TRUST/trusts/%s' % ref['id'],
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_list_trust_roles(self):
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
self.trust_id, **self.trust_data)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_get_trust_role(self):
|
||||
PROVIDERS.trust_api.create_trust(
|
||||
self.trust_id, **self.trust_data)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.head(
|
||||
('/v3/OS-TRUST/trusts/%s/roles/%s' %
|
||||
(self.trust_id, self.bootstrapper.member_role_id)),
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
|
Loading…
Reference in New Issue