
Merge "Add tests for domain users for trusts"

changes/61/681161/1
Zuul 1 week ago
parent
commit
96de25c671
1 changed files with 133 additions and 0 deletions
  1. 133
    0
      keystone/tests/unit/protection/v3/test_trusts.py

+ 133
- 0
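--- a/keystone/tests/unit/protection/v3/test_trusts.py
+++ b/keystone/tests/unit/protection/v3/test_trusts.py
@@ -942,3 +942,136 @@ class ProjectUserTests(TrustTests):
                 headers=self.other_headers,
                 expected_status_code=http_client.FORBIDDEN
             )
+
+
+class DomainUserTests(TrustTests):
+    """Tests for all domain users.
+
+    Domain users should not be able to interact with trusts at all.
+    """
+
+    def setUp(self):
+        super(DomainUserTests, self).setUp()
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+        domain_admin = unit.new_user_ref(domain_id=self.domain_id)
+        self.user_id = PROVIDERS.identity_api.create_user(
+            domain_admin)['id']
+        PROVIDERS.assignment_api.create_grant(
+            self.bootstrapper.admin_role_id, user_id=self.user_id,
+            domain_id=self.domain_id
+        )
+
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=domain_admin['password'],
+            domain_id=self.domain_id
+        )
+        # Grab a token using another persona who has no trusts associated with
+        # them
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}
+
+    def test_trustor_cannot_list_trusts_for_trustee(self):
+        PROVIDERS.trust_api.create_trust(
+            self.trust_id, **self.trust_data)
+
+        with self.test_client() as c:
+            c.get(
+                ('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
+                 self.trustee_user_id),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_trustee_cannot_list_trusts_for_trustor(self):
+        PROVIDERS.trust_api.create_trust(
+            self.trust_id, **self.trust_data)
+
+        with self.test_client() as c:
+            c.get(
+                ('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
+                 self.trustor_user_id),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_list_all_trusts(self):
+        PROVIDERS.trust_api.create_trust(
+            self.trust_id, **self.trust_data)
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/OS-TRUST/trusts',
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_get_trust(self):
+        ref = PROVIDERS.trust_api.create_trust(
+            self.trust_id, **self.trust_data)
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/OS-TRUST/trusts/%s' % ref['id'],
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_can_get_non_existent_trust_not_found(self):
+        trust_id = uuid.uuid4().hex
+        with self.test_client() as c:
+            c.get(
+                '/v3/OS-TRUST/trusts/%s' % trust_id,
+                headers=self.headers,
+                expected_status_code=http_client.NOT_FOUND
+            )
+
+    def test_user_cannot_create_trust(self):
+        trust_data = self.trust_data['trust']
+        trust_data['trustor_user_id'] = self.user_id
+        json = {'trust': trust_data}
+        json['trust']['roles'] = self.trust_data['roles']
+
+        with self.test_client() as c:
+            c.post(
+                '/v3/OS-TRUST/trusts',
+                json=json,
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_delete_trust(self):
+        ref = PROVIDERS.trust_api.create_trust(
+            self.trust_id, **self.trust_data)
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/OS-TRUST/trusts/%s' % ref['id'],
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_list_trust_roles(self):
+        PROVIDERS.trust_api.create_trust(
+            self.trust_id, **self.trust_data)
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_get_trust_role(self):
+        PROVIDERS.trust_api.create_trust(
+            self.trust_id, **self.trust_data)
+
+        with self.test_client() as c:
+            c.head(
+                ('/v3/OS-TRUST/trusts/%s/roles/%s' %
+                 (self.trust_id, self.bootstrapper.member_role_id)),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )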
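Review bot: `test_user_can_get_non_existent_trust_not_found` pins a 404 for an unknown trust ID while `test_user_cannot_get_trust` pins a 403 for an existing one, so a domain-scoped token can tell whether a given trust ID exists even though the class docstring says domain users should not interact with trusts at all. If that difference is intended (presumably the trust lookup runs before policy enforcement, which is not visible in this hunk), record it above the test with a comment such as `# NOTE: unknown trust IDs return 404 rather than 403 for domain-scoped tokens; the status difference is intentional.`; otherwise expect `http_client.FORBIDDEN` there as well. Separately, the `setUp` comment `# Grab a token using another persona who has no trusts associated with them` does not describe the lines that follow, which request a domain-scoped token for a user granted the admin role on the domain; `# Authenticate as the domain admin to get a domain-scoped token` would match the code.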
