Implement system reader for OAUTH1 consumers
This change updates the OAUTH1 policies to understand the reader role. This also adds tests for both the system reader and system member users. Change-Id: I330d4d3d7373cdafdce207acb1cbab4e774bac65 Partial-bug: #1805363
This commit is contained in:
parent
143c155ffb
commit
7a6c020a54
|
@ -10,25 +10,49 @@
|
||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_log import versionutils
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
from keystone.common.policies import base
|
from keystone.common.policies import base
|
||||||
|
|
||||||
|
deprecated_get_consumer = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'get_consumer',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED
|
||||||
|
)
|
||||||
|
deprecated_list_consumers = policy.DeprecatedRule(
|
||||||
|
name=base.IDENTITY % 'list_consumers',
|
||||||
|
check_str=base.RULE_ADMIN_REQUIRED
|
||||||
|
)
|
||||||
|
|
||||||
|
DEPRECATED_REASON = """
|
||||||
|
As of the Train release, the OAUTH1 consumer API understands how to
|
||||||
|
handle system-scoped tokens in addition to project tokens, making the API
|
||||||
|
more accessible to users without compromising security or manageability for
|
||||||
|
administrators. The new default policies for this API account for these changes
|
||||||
|
automatically.
|
||||||
|
"""
|
||||||
|
|
||||||
consumer_policies = [
|
consumer_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'get_consumer',
|
name=base.IDENTITY % 'get_consumer',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.SYSTEM_READER,
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
description='Show OAUTH1 consumer details.',
|
description='Show OAUTH1 consumer details.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers/{consumer_id}',
|
||||||
'method': 'GET'}]),
|
'method': 'GET'}],
|
||||||
|
deprecated_rule=deprecated_get_consumer,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'list_consumers',
|
name=base.IDENTITY % 'list_consumers',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.SYSTEM_READER,
|
||||||
scope_types=['system'],
|
scope_types=['system'],
|
||||||
description='List OAUTH1 consumers.',
|
description='List OAUTH1 consumers.',
|
||||||
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
operations=[{'path': '/v3/OS-OAUTH1/consumers',
|
||||||
'method': 'GET'}]),
|
'method': 'GET'}],
|
||||||
|
deprecated_rule=deprecated_list_consumers,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.TRAIN),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=base.IDENTITY % 'create_consumer',
|
name=base.IDENTITY % 'create_consumer',
|
||||||
check_str=base.RULE_ADMIN_REQUIRED,
|
check_str=base.RULE_ADMIN_REQUIRED,
|
||||||
|
|
|
@ -0,0 +1,138 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import uuid
|
||||||
|
|
||||||
|
from six.moves import http_client
|
||||||
|
|
||||||
|
from keystone.common import provider_api
|
||||||
|
import keystone.conf
|
||||||
|
from keystone.tests.common import auth as common_auth
|
||||||
|
from keystone.tests import unit
|
||||||
|
from keystone.tests.unit import base_classes
|
||||||
|
from keystone.tests.unit import ksfixtures
|
||||||
|
|
||||||
|
CONF = keystone.conf.CONF
|
||||||
|
PROVIDERS = provider_api.ProviderAPIs
|
||||||
|
|
||||||
|
|
||||||
|
class _SystemUserOauth1ConsumerTests(object):
|
||||||
|
"""Common default functionality for all system users."""
|
||||||
|
|
||||||
|
def test_user_can_get_consumer(self):
|
||||||
|
ref = PROVIDERS.oauth_api.create_consumer(
|
||||||
|
{'id': uuid.uuid4().hex})
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.get('/v3/OS-OAUTH1/consumers/%s' % ref['id'],
|
||||||
|
headers=self.headers)
|
||||||
|
|
||||||
|
def test_user_can_list_consumers(self):
|
||||||
|
PROVIDERS.oauth_api.create_consumer(
|
||||||
|
{'id': uuid.uuid4().hex})
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.get('/v3/OS-OAUTH1/consumers',
|
||||||
|
headers=self.headers)
|
||||||
|
|
||||||
|
|
||||||
|
class _SystemReaderAndMemberOauth1ConsumerTests(object):
|
||||||
|
|
||||||
|
def test_user_cannot_create_consumer(self):
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.post('/v3/OS-OAUTH1/consumers',
|
||||||
|
json={'consumer': {}},
|
||||||
|
expected_status_code=http_client.FORBIDDEN,
|
||||||
|
headers=self.headers)
|
||||||
|
|
||||||
|
def test_user_cannot_update_consumer(self):
|
||||||
|
ref = PROVIDERS.oauth_api.create_consumer(
|
||||||
|
{'id': uuid.uuid4().hex})
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.patch('/v3/OS-OAUTH1/consumers/%s' % ref['id'],
|
||||||
|
json={'consumer': {'description': uuid.uuid4().hex}},
|
||||||
|
expected_status_code=http_client.FORBIDDEN,
|
||||||
|
headers=self.headers)
|
||||||
|
|
||||||
|
def test_user_cannot_delete_consumer(self):
|
||||||
|
ref = PROVIDERS.oauth_api.create_consumer(
|
||||||
|
{'id': uuid.uuid4().hex})
|
||||||
|
with self.test_client() as c:
|
||||||
|
c.delete('/v3/OS-OAUTH1/consumers/%s' % ref['id'],
|
||||||
|
expected_status_code=http_client.FORBIDDEN,
|
||||||
|
headers=self.headers)
|
||||||
|
|
||||||
|
|
||||||
|
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||||
|
common_auth.AuthTestMixin,
|
||||||
|
_SystemUserOauth1ConsumerTests,
|
||||||
|
_SystemReaderAndMemberOauth1ConsumerTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(SystemReaderTests, self).setUp()
|
||||||
|
self.loadapp()
|
||||||
|
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||||
|
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||||
|
|
||||||
|
system_reader = unit.new_user_ref(
|
||||||
|
domain_id=CONF.identity.default_domain_id
|
||||||
|
)
|
||||||
|
self.user_id = PROVIDERS.identity_api.create_user(
|
||||||
|
system_reader
|
||||||
|
)['id']
|
||||||
|
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||||
|
self.user_id, self.bootstrapper.reader_role_id
|
||||||
|
)
|
||||||
|
|
||||||
|
auth = self.build_authentication_request(
|
||||||
|
user_id=self.user_id, password=system_reader['password'],
|
||||||
|
system=True
|
||||||
|
)
|
||||||
|
|
||||||
|
# Grab a token using the persona we're testing and prepare headers
|
||||||
|
# for requests we'll be making in the tests.
|
||||||
|
with self.test_client() as c:
|
||||||
|
r = c.post('/v3/auth/tokens', json=auth)
|
||||||
|
self.token_id = r.headers['X-Subject-Token']
|
||||||
|
self.headers = {'X-Auth-Token': self.token_id}
|
||||||
|
|
||||||
|
|
||||||
|
class SystemMemberTests(base_classes.TestCaseWithBootstrap,
|
||||||
|
common_auth.AuthTestMixin,
|
||||||
|
_SystemUserOauth1ConsumerTests,
|
||||||
|
_SystemReaderAndMemberOauth1ConsumerTests):
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
super(SystemMemberTests, self).setUp()
|
||||||
|
self.loadapp()
|
||||||
|
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||||
|
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||||
|
|
||||||
|
system_member = unit.new_user_ref(
|
||||||
|
domain_id=CONF.identity.default_domain_id
|
||||||
|
)
|
||||||
|
self.user_id = PROVIDERS.identity_api.create_user(
|
||||||
|
system_member
|
||||||
|
)['id']
|
||||||
|
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||||
|
self.user_id, self.bootstrapper.member_role_id
|
||||||
|
)
|
||||||
|
|
||||||
|
auth = self.build_authentication_request(
|
||||||
|
user_id=self.user_id, password=system_member['password'],
|
||||||
|
system=True
|
||||||
|
)
|
||||||
|
|
||||||
|
# Grab a token using the persona we're testing and prepare headers
|
||||||
|
# for requests we'll be making in the tests.
|
||||||
|
with self.test_client() as c:
|
||||||
|
r = c.post('/v3/auth/tokens', json=auth)
|
||||||
|
self.token_id = r.headers['X-Subject-Token']
|
||||||
|
self.headers = {'X-Auth-Token': self.token_id}
|
Loading…
Reference in New Issue