Add tests for role management with v3policy file

In the upcoming patches for domain specific roles, we will modify the policy rules for role manipulation (e.g. a domain admin in domainA should not be able to manipulate domain specific roles in domain B). However, it turns out we don't test the currect role protection with the v3policy sample at all! This patch therefore adds this testing, so that in the follow-on patches for domain specific roles we can show that we have not affected the rights to manipulate global roles. Partially Implements: blueprint domain-specific-roles Change-Id: Ifdce381857fd7ad4cc2e5183d136907f8f3bf561
2015-12-27 16:04:32 +00:00 · 2015-12-27 16:04:32 +00:00 · aa3dbce6f4
parent d93843b3be
commit aa3dbce6f4
1 changed files with 74 additions and 0 deletions
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@ -747,6 +747,32 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        self.delete(member_url, auth=self.auth,
                    expected_status=status_no_data)

+    def _role_management_cases(self, read_status_OK=False, expected=None):
+        # Set the different status values for different types of call depending
+        # on whether we expect the calls to fail or not.
+        status_OK, status_created, status_no_data = self._stati(expected)
+        entity_url = '/roles/%s' % self.role['id']
+        list_url = '/roles'
+
+        if read_status_OK:
+            self.get(entity_url, auth=self.auth)
+            self.get(list_url, auth=self.auth)
+        else:
+            self.get(entity_url, auth=self.auth,
+                     expected_status=status_OK)
+            self.get(list_url, auth=self.auth,
+                     expected_status=status_OK)
+
+        role = {'name': 'Updated'}
+        self.patch(entity_url, auth=self.auth, body={'role': role},
+                   expected_status=status_OK)
+        self.delete(entity_url, auth=self.auth,
+                    expected_status=status_no_data)
+
+        role_ref = unit.new_role_ref()
+        self.post('/roles', auth=self.auth, body={'role': role_ref},
+                  expected_status=status_created)
+
    def test_user_management(self):
        # First, authenticate with a user that does not have the domain
        # admin role - shouldn't be able to do much.
@ -1480,3 +1506,51 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
        resp = self.get('/projects/%s' % self.project['id'], auth=admin_auth)
        self.assertEqual(self.project['id'],
                         jsonutils.loads(resp.body)['project']['id'])
+
+    def test_role_management_no_admin_no_rights(self):
+        # A non-admin domain user shouldn't be able to manipulate roles
+        self.auth = self.build_authentication_request(
+            user_id=self.just_a_user['id'],
+            password=self.just_a_user['password'],
+            domain_id=self.domainA['id'])
+
+        self._role_management_cases(expected=exception.ForbiddenAction.code)
+
+        # ...and nor should non-admin project user
+        self.auth = self.build_authentication_request(
+            user_id=self.just_a_user['id'],
+            password=self.just_a_user['password'],
+            project_id=self.project['id'])
+
+        self._role_management_cases(expected=exception.ForbiddenAction.code)
+
+    def test_role_management_with_project_admin(self):
+        # A project admin user should be able to get and list, but not be able
+        # to create/update/delete global roles
+        self.auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+
+        self._role_management_cases(read_status_OK=True,
+                                    expected=exception.ForbiddenAction.code)
+
+    def test_role_management_with_domain_admin(self):
+        # A domain admin user should be able to get and list, but not be able
+        # to create/update/delete global roles
+        self.auth = self.build_authentication_request(
+            user_id=self.domain_admin_user['id'],
+            password=self.domain_admin_user['password'],
+            domain_id=self.domainA['id'])
+
+        self._role_management_cases(read_status_OK=True,
+                                    expected=exception.ForbiddenAction.code)
+
+    def test_role_management_with_cloud_admin(self):
+        # A cloud admin user should have rights to manipulate global roles
+        self.auth = self.build_authentication_request(
+            user_id=self.cloud_admin_user['id'],
+            password=self.cloud_admin_user['password'],
+            project_id=self.admin_project['id'])
+
+        self._role_management_cases()