
Updated Cloudsample

Uses configuration options to determine if a token is for the admin
project and should be granted admin privileges.

Closes-Bug: 968696

Change-Id: Ib23452e171dc90115c77fa5a4b9dc4649054eb0e
tags/9.0.0.0b2
Adam Young 3 years ago
parent
commit
9804081a80
2 changed files with 76 additions and 3 deletions
  1. 1
    1
      etc/policy.v3cloudsample.json
  2. 75
    2
      keystone/tests/unit/test_v3_protection.py

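--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -1,6 +1,6 @@
 {
     "admin_required": "role:admin",
-    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
+    "cloud_admin": "(role:admin and token.is_admin_project:True) or ( rule:admin_required and domain_id:admin_domain_id)",
     "service_role": "role:service",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",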
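Review bot: The left operand of the new `cloud_admin` rule spells out `role:admin` while the right operand expresses the same condition as `rule:admin_required`; writing both branches the same way keeps a future change to `admin_required` applying to both, i.e. `"cloud_admin": "(rule:admin_required and token.is_admin_project:True) or (rule:admin_required and domain_id:admin_domain_id)"` (this also drops the stray space after the second `(`). This one line is what elevates a project-scoped admin to cloud admin, so it is worth stating in the commit message or the sample's accompanying documentation that the new branch is only safe if `token.is_admin_project` is false for every token when no admin project is configured; the page does not show how the token provider sets that attribute, so that should be confirmed rather than assumed.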

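--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -572,8 +572,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
           - domain_admin_user has role 'admin' on domainA,
           - project_admin_user has role 'admin' on the project,
           - just_a_user has a non-admin role on both domainA and the project.
-        - admin_domain has user cloud_admin_user, with an 'admin' role
-          on admin_domain.
+        - admin_domain has admin_project, and user cloud_admin_user, with an
+        'admin' role on admin_project.
 
         We test various api protection rules from the cloud sample policy
         file to make sure the sample is valid and that we correctly enforce it.
@@ -591,6 +591,13 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
             group='oslo_policy',
             policy_file=unit.dirs.etc('policy.v3cloudsample.json'))
 
+        self.config_fixture.config(
+            group='resource',
+            admin_project_name=self.admin_project['name'])
+        self.config_fixture.config(
+            group='resource',
+            admin_project_domain_name=self.admin_domain['name'])
+
     def load_sample_data(self):
         # Start by creating a couple of domains
         self._populate_default_domain()
@@ -603,6 +610,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         self.resource_api.create_domain(self.admin_domain['id'],
                                         self.admin_domain)
 
+        self.admin_project = unit.new_project_ref(
+            domain_id=self.admin_domain['id'])
+        self.resource_api.create_project(self.admin_project['id'],
+                                         self.admin_project)
+
         # And our users
         self.cloud_admin_user = unit.create_user(
             self.identity_api,
@@ -958,6 +970,32 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         self.assertRoleAssignmentInListResponse(r, project_admin_entity)
         self.assertRoleAssignmentInListResponse(r, project_user_entity)
 
+    def test_admin_project_list_assignments_of_project(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+
+        collection_url = self.build_role_assignment_query_url(
+            project_id=self.project['id'])
+        r = self.get(collection_url, auth=self.auth)
+        self.assertValidRoleAssignmentListResponse(
+            r, expected_length=2, resource_url=collection_url)
+
+        project_admin_entity = self.build_role_assignment_entity(
+            project_id=self.project['id'],
+            user_id=self.project_admin_user['id'],
+            role_id=self.admin_role['id'],
+            inherited_to_projects=False)
+        project_user_entity = self.build_role_assignment_entity(
+            project_id=self.project['id'],
+            user_id=self.just_a_user['id'],
+            role_id=self.role['id'],
+            inherited_to_projects=False)
+
+        self.assertRoleAssignmentInListResponse(r, project_admin_entity)
+        self.assertRoleAssignmentInListResponse(r, project_user_entity)
+
     @unit.utils.wip('waiting on bug #1437407')
     def test_domain_admin_list_assignments_of_project(self):
         self.auth = self.build_authentication_request(
@@ -1012,6 +1050,22 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 
         self._test_domain_management()
 
+    def test_admin_project(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+
+        self._test_domain_management(
+            expected=exception.ForbiddenAction.code)
+
+        self.auth = self.build_authentication_request(
+            user_id=self.cloud_admin_user['id'],
+            password=self.cloud_admin_user['password'],
+            domain_id=self.admin_domain['id'])
+
+        self._test_domain_management()
+
     def test_domain_admin_get_domain(self):
         self.auth = self.build_authentication_request(
             user_id=self.domain_admin_user['id'],
@@ -1138,6 +1192,25 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         self.get('/auth/tokens', token=admin_token,
                  headers={'X-Subject-Token': user_token})
 
+    def test_admin_project_validate_user_token(self):
+        # An admin can validate a user's token.
+        # This is GET /v3/auth/tokens
+
+        admin_auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+
+        admin_token = self.get_requested_token(admin_auth)
+
+        user_auth = self.build_authentication_request(
+            user_id=self.just_a_user['id'],
+            password=self.just_a_user['password'])
+        user_token = self.get_requested_token(user_auth)
+
+        self.get('/auth/tokens', token=admin_token,
+                 headers={'X-Subject-Token': user_token})
+
     def test_user_check_same_token(self):
         # Given a non-admin user token, the token can be used to check
         # itself.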
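Review bot: None of the three new tests obtains a token scoped to `self.admin_project`, so the new `token.is_admin_project:True` branch of `cloud_admin` is never exercised: `test_admin_project_list_assignments_of_project`, `test_admin_project` and `test_admin_project_validate_user_token` all authenticate `project_admin_user` against `self.project`, and the second half of `test_admin_project` authenticates `cloud_admin_user` with `domain_id=self.admin_domain['id']`, which is the pre-existing domain-scoped branch. The `load_sample_data` hunk creates `admin_project` but shows no role assignment on it and no user whose token could be scoped to it; if that is done outside the hunk the docstring should name it, otherwise the positive case below is missing (it assumes cloud_admin_user holds 'admin' on admin_project, as the new docstring states). The `expected=exception.ForbiddenAction.code` half of `test_admin_project` is the valuable part as written, since it pins that an admin on an ordinary project does not inherit cloud_admin. Separately, the setUp hunk reads `self.admin_project['name']` for `resource.admin_project_name`, and the hunk does not show whether `load_sample_data` has already run at that point; worth confirming the attribute exists by then.
```python
    def test_admin_project_scoped_token_is_cloud_admin(self):
        # A token scoped to the configured admin project must satisfy
        # the token.is_admin_project branch of cloud_admin.
        self.auth = self.build_authentication_request(
            user_id=self.cloud_admin_user['id'],
            password=self.cloud_admin_user['password'],
            project_id=self.admin_project['id'])

        self._test_domain_management()
```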
