Test domain users against system assignment API
This commit ensures that domain users are not able to operate on system role assignments in any way since they lack the proper authorization to do so. - project user test coverage Change-Id: Ic27a158448e1098fdb1c0a14694793cc041e7eff Related-Bug: 1805368 Related-Bug: 1750669 Related-Bug: 1806762
parent
8f4e179c69
commit
8450d4a9cc
|
@ -10,6 +10,8 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import uuid
|
||||
|
||||
from six.moves import http_client
|
||||
|
||||
from keystone.common import provider_api
|
||||
|
@ -94,6 +96,71 @@ class _SystemMemberAndReaderSystemAssignmentTests(object):
|
|||
)
|
||||
|
||||
|
||||
class _DomainAndProjectUserSystemAssignmentTests(object):
|
||||
|
||||
def test_user_cannot_list_system_role_assignments(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/users/%s/roles' % user['id'], headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_check_user_system_role_assignments(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/system/users/%s/roles/%s' % (
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_grant_system_assignments(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.put(
|
||||
'/v3/system/users/%s/roles/%s' % (
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_system_assignments(self):
|
||||
user = PROVIDERS.identity_api.create_user(
|
||||
unit.new_user_ref(CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/system/users/%s/roles/%s' % (
|
||||
user['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_SystemUserSystemAssignmentTests,
|
||||
|
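Review bot: Every test in `_DomainAndProjectUserSystemAssignmentTests` creates its target user in `CONF.identity.default_domain_id`, so the FORBIDDEN assertions only cover a target outside the requester's domain; the case a domain-scoped persona is most likely to be wrongly allowed is a target user inside its own domain, which is not exercised here. Since the mixin is shared by personas that may not have a domain of their own, a reasonable option is to keep these tests as they are and add the in-domain variant in the concrete `DomainUserTests` class, e.g. `unit.new_user_ref(self.domain_id)` in place of the default domain. The grant and revoke tests also stop at the status code; a negative authorization test is stronger if it confirms the operation had no effect, for instance by re-reading the user's system grants through `PROVIDERS.assignment_api` afterwards and asserting they are unchanged. A one-line class docstring such as `"""Assert that domain- and project-scoped users are denied on system user role assignments."""` would also make the mixin's intent clear to the classes that include it.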
@ -222,3 +289,39 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
|
|||
user['id'], self.bootstrapper.member_role_id
|
||||
), headers=self.headers
|
||||
)
|
||||
|
||||
|
||||
class DomainUserTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_DomainAndProjectUserSystemAssignmentTests):
|
||||
|
||||
def setUp(self):
|
||||
super(DomainUserTests, self).setUp()
|
||||
self.loadapp()
|
||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
self.domain_id = domain['id']
|
||||
domain_user = unit.new_user_ref(domain_id=self.domain_id)
|
||||
self.domain_user_id = PROVIDERS.identity_api.create_user(
|
||||
domain_user
|
||||
)['id']
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.member_role_id, user_id=self.domain_user_id,
|
||||
domain_id=self.domain_id
|
||||
)
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.domain_user_id, password=domain_user['password'],
|
||||
domain_id=self.domain_id
|
||||
)
|
||||
|
||||
# Grab a token using the persona we're testing and prepare headers
|
||||
# for requests we'll be making in the tests.
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
|
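Review bot: The commit message promises "project user test coverage", but the only concrete class this hunk adds is `DomainUserTests` with a domain-scoped token from `build_authentication_request(... domain_id=self.domain_id)`; if a `ProjectUserTests` class lives elsewhere in the change that is fine, otherwise the description should say domain user coverage or the project-scoped persona should be added so the mixin is exercised with a project-scoped token too. The `setUp` also deserves a short comment stating what persona it builds, e.g. `# Persona: a plain member of a freshly created domain, authenticating with a domain-scoped token while enforce_scope is on.`, since the FORBIDDEN expectations in the mixin only make sense relative to that scope. It is also worth noting in that comment that the policy fixture loads the in-tree defaults, so the tests exercise the default rules rather than an operator-overridden policy file.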