Add tests for system member for trusts

For trusts, a system member is essentially the same as a system reader: system members should not be able to create or delete trusts. This change adds tests to assert that, but no policy changes are required to account for the member role. Change-Id: I0acd55f4428708430740bf2c305f664e199dd304 Partial-bug: #1818846 Related-Bug: #968696
2019-08-16 10:38:43 -07:00 · 2019-08-16 10:38:43 -07:00 · 6aebf179b8
parent ea7acd8036
commit 6aebf179b8
1 changed files with 56 additions and 21 deletions
--- a/keystone/tests/unit/protection/v3/test_trusts.py
+++ b/keystone/tests/unit/protection/v3/test_trusts.py
@ -284,7 +284,34 @@ class _SystemUserTests(object):
            )


-class SystemReaderTests(TrustTests, _SystemUserTests):
+class _SystemReaderMemberTests(_SystemUserTests):
+    """Tests for system readers and members."""
+
+    def test_user_cannot_create_trust(self):
+        json = {'trust': self.trust_data['trust']}
+        json['trust']['roles'] = self.trust_data['roles']
+
+        with self.test_client() as c:
+            c.post(
+                '/v3/OS-TRUST/trusts',
+                json=json,
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_delete_trust(self):
+        ref = PROVIDERS.trust_api.create_trust(
+            self.trust_id, **self.trust_data)
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/OS-TRUST/trusts/%s' % ref['id'],
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+
+class SystemReaderTests(TrustTests, _SystemReaderMemberTests):
    """Tests for system reader users."""

    def setUp(self):
@ -314,28 +341,36 @@ class SystemReaderTests(TrustTests, _SystemUserTests):
            self.token_id = r.headers['X-Subject-Token']
            self.headers = {'X-Auth-Token': self.token_id}

-    def test_user_cannot_create_trust(self):
-        json = {'trust': self.trust_data['trust']}
-        json['trust']['roles'] = self.trust_data['roles']

+class SystemMemberTests(TrustTests, _SystemReaderMemberTests):
+    """Tests for system member users."""
+
+    def setUp(self):
+        super(SystemMemberTests, self).setUp()
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        system_member = unit.new_user_ref(
+            domain_id=CONF.identity.default_domain_id
+        )
+        self.user_id = PROVIDERS.identity_api.create_user(
+            system_member
+        )['id']
+        PROVIDERS.assignment_api.create_system_grant_for_user(
+            self.user_id, self.bootstrapper.member_role_id
+        )
+
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=system_member['password'],
+            system=True
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
        with self.test_client() as c:
-            c.post(
-                '/v3/OS-TRUST/trusts',
-                json=json,
-                headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
-            )
-
-    def test_user_cannot_delete_trust(self):
-        ref = PROVIDERS.trust_api.create_trust(
-            self.trust_id, **self.trust_data)
-
-        with self.test_client() as c:
-            c.delete(
-                '/v3/OS-TRUST/trusts/%s' % ref['id'],
-                headers=self.headers,
-                expected_status_code=http_client.FORBIDDEN
-            )
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}


 class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):