Updated Cloudsample
Uses configuration options to determine if a token is for the admin project and should be granted admin privileges. Closes-Bug: 968696 Change-Id: Ib23452e171dc90115c77fa5a4b9dc4649054eb0e
This commit is contained in:
Adam Young
parent
79f141b81a
commit
9804081a80
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"admin_required": "role:admin",
|
"admin_required": "role:admin",
|
||||||
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
|
"cloud_admin": "(role:admin and token.is_admin_project:True) or ( rule:admin_required and domain_id:admin_domain_id)",
|
||||||
"service_role": "role:service",
|
"service_role": "role:service",
|
||||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||||
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||||
|
|
|
||||||
|
|
@ -572,8 +572,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
||||||
- domain_admin_user has role 'admin' on domainA,
|
- domain_admin_user has role 'admin' on domainA,
|
||||||
- project_admin_user has role 'admin' on the project,
|
- project_admin_user has role 'admin' on the project,
|
||||||
- just_a_user has a non-admin role on both domainA and the project.
|
- just_a_user has a non-admin role on both domainA and the project.
|
||||||
- admin_domain has user cloud_admin_user, with an 'admin' role
|
- admin_domain has admin_project, and user cloud_admin_user, with an
|
||||||
on admin_domain.
|
'admin' role on admin_project.
|
||||||
|
|
||||||
We test various api protection rules from the cloud sample policy
|
We test various api protection rules from the cloud sample policy
|
||||||
file to make sure the sample is valid and that we correctly enforce it.
|
file to make sure the sample is valid and that we correctly enforce it.
|
||||||
|
|
@ -591,6 +591,13 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
||||||
group='oslo_policy',
|
group='oslo_policy',
|
||||||
policy_file=unit.dirs.etc('policy.v3cloudsample.json'))
|
policy_file=unit.dirs.etc('policy.v3cloudsample.json'))
|
||||||
|
|
||||||
|
self.config_fixture.config(
|
||||||
|
group='resource',
|
||||||
|
admin_project_name=self.admin_project['name'])
|
||||||
|
self.config_fixture.config(
|
||||||
|
group='resource',
|
||||||
|
admin_project_domain_name=self.admin_domain['name'])
|
||||||
|
|
||||||
def load_sample_data(self):
|
def load_sample_data(self):
|
||||||
# Start by creating a couple of domains
|
# Start by creating a couple of domains
|
||||||
self._populate_default_domain()
|
self._populate_default_domain()
|
||||||
|
|
@ -603,6 +610,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
||||||
self.resource_api.create_domain(self.admin_domain['id'],
|
self.resource_api.create_domain(self.admin_domain['id'],
|
||||||
self.admin_domain)
|
self.admin_domain)
|
||||||
|
|
||||||
|
self.admin_project = unit.new_project_ref(
|
||||||
|
domain_id=self.admin_domain['id'])
|
||||||
|
self.resource_api.create_project(self.admin_project['id'],
|
||||||
|
self.admin_project)
|
||||||
|
|
||||||
# And our users
|
# And our users
|
||||||
self.cloud_admin_user = unit.create_user(
|
self.cloud_admin_user = unit.create_user(
|
||||||
self.identity_api,
|
self.identity_api,
|
||||||
|
|
@ -958,6 +970,32 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
||||||
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
||||||
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
||||||
|
|
||||||
|
def test_admin_project_list_assignments_of_project(self):
|
||||||
|
self.auth = self.build_authentication_request(
|
||||||
|
user_id=self.project_admin_user['id'],
|
||||||
|
password=self.project_admin_user['password'],
|
||||||
|
project_id=self.project['id'])
|
||||||
|
|
||||||
|
collection_url = self.build_role_assignment_query_url(
|
||||||
|
project_id=self.project['id'])
|
||||||
|
r = self.get(collection_url, auth=self.auth)
|
||||||
|
self.assertValidRoleAssignmentListResponse(
|
||||||
|
r, expected_length=2, resource_url=collection_url)
|
||||||
|
|
||||||
|
project_admin_entity = self.build_role_assignment_entity(
|
||||||
|
project_id=self.project['id'],
|
||||||
|
user_id=self.project_admin_user['id'],
|
||||||
|
role_id=self.admin_role['id'],
|
||||||
|
inherited_to_projects=False)
|
||||||
|
project_user_entity = self.build_role_assignment_entity(
|
||||||
|
project_id=self.project['id'],
|
||||||
|
user_id=self.just_a_user['id'],
|
||||||
|
role_id=self.role['id'],
|
||||||
|
inherited_to_projects=False)
|
||||||
|
|
||||||
|
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
||||||
|
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
||||||
|
|
||||||
@unit.utils.wip('waiting on bug #1437407')
|
@unit.utils.wip('waiting on bug #1437407')
|
||||||
def test_domain_admin_list_assignments_of_project(self):
|
def test_domain_admin_list_assignments_of_project(self):
|
||||||
self.auth = self.build_authentication_request(
|
self.auth = self.build_authentication_request(
|
||||||
|
|
@ -1012,6 +1050,22 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
||||||
|
|
||||||
self._test_domain_management()
|
self._test_domain_management()
|
||||||
|
|
||||||
|
def test_admin_project(self):
|
||||||
|
self.auth = self.build_authentication_request(
|
||||||
|
user_id=self.project_admin_user['id'],
|
||||||
|
password=self.project_admin_user['password'],
|
||||||
|
project_id=self.project['id'])
|
||||||
|
|
||||||
|
self._test_domain_management(
|
||||||
|
expected=exception.ForbiddenAction.code)
|
||||||
|
|
||||||
|
self.auth = self.build_authentication_request(
|
||||||
|
user_id=self.cloud_admin_user['id'],
|
||||||
|
password=self.cloud_admin_user['password'],
|
||||||
|
domain_id=self.admin_domain['id'])
|
||||||
|
|
||||||
|
self._test_domain_management()
|
||||||
|
|
||||||
def test_domain_admin_get_domain(self):
|
def test_domain_admin_get_domain(self):
|
||||||
self.auth = self.build_authentication_request(
|
self.auth = self.build_authentication_request(
|
||||||
user_id=self.domain_admin_user['id'],
|
user_id=self.domain_admin_user['id'],
|
||||||
|
|
@ -1138,6 +1192,25 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
||||||
self.get('/auth/tokens', token=admin_token,
|
self.get('/auth/tokens', token=admin_token,
|
||||||
headers={'X-Subject-Token': user_token})
|
headers={'X-Subject-Token': user_token})
|
||||||
|
|
||||||
|
def test_admin_project_validate_user_token(self):
|
||||||
|
# An admin can validate a user's token.
|
||||||
|
# This is GET /v3/auth/tokens
|
||||||
|
|
||||||
|
admin_auth = self.build_authentication_request(
|
||||||
|
user_id=self.project_admin_user['id'],
|
||||||
|
password=self.project_admin_user['password'],
|
||||||
|
project_id=self.project['id'])
|
||||||
|
|
||||||
|
admin_token = self.get_requested_token(admin_auth)
|
||||||
|
|
||||||
|
user_auth = self.build_authentication_request(
|
||||||
|
user_id=self.just_a_user['id'],
|
||||||
|
password=self.just_a_user['password'])
|
||||||
|
user_token = self.get_requested_token(user_auth)
|
||||||
|
|
||||||
|
self.get('/auth/tokens', token=admin_token,
|
||||||
|
headers={'X-Subject-Token': user_token})
|
||||||
|
|
||||||
def test_user_check_same_token(self):
|
def test_user_check_same_token(self):
|
||||||
# Given a non-admin user token, the token can be used to check
|
# Given a non-admin user token, the token can be used to check
|
||||||
# itself.
|
# itself.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue