diff --git a/keystone/common/policies/region.py b/keystone/common/policies/region.py index bbebc29c44..5b816e87a1 100644 --- a/keystone/common/policies/region.py +++ b/keystone/common/policies/region.py @@ -47,7 +47,7 @@ region_policies = [ # pass these policies. Since the administrative policies of regions # require and administrator, it makes sense to isolate those to # `system` scope. - scope_types=['system', 'project'], + scope_types=['system', 'domain', 'project'], description='Show region details.', operations=[{'path': '/v3/regions/{region_id}', 'method': 'GET'}, @@ -56,7 +56,7 @@ region_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_regions', check_str='', - scope_types=['system', 'project'], + scope_types=['system', 'domain', 'project'], description='List regions.', operations=[{'path': '/v3/regions', 'method': 'GET'}, diff --git a/keystone/tests/unit/protection/v3/test_regions.py b/keystone/tests/unit/protection/v3/test_regions.py index 8fbde351a5..7acb9adc79 100644 --- a/keystone/tests/unit/protection/v3/test_regions.py +++ b/keystone/tests/unit/protection/v3/test_regions.py @@ -80,6 +80,40 @@ class _SystemReaderAndMemberUserRegionTests(object): ) +class _DomainAndProjectUserRegionTests(object): + """Common default functionality for all domain and project users.""" + + def test_user_cannot_create_regions(self): + create = {'region': {'description': uuid.uuid4().hex}} + + with self.test_client() as c: + c.post( + '/v3/regions', json=create, headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_update_regions(self): + region = PROVIDERS.catalog_api.create_region(unit.new_region_ref()) + + with self.test_client() as c: + update = {'region': {'description': uuid.uuid4().hex}} + c.patch( + '/v3/regions/%s' % region['id'], json=update, + headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_delete_regions(self): + region = PROVIDERS.catalog_api.create_region(unit.new_region_ref()) + + with self.test_client() as c: + c.delete( + '/v3/regions/%s' % region['id'], + headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + class SystemReaderTests(base_classes.TestCaseWithBootstrap, common_auth.AuthTestMixin, _UserRegionTests, @@ -195,3 +229,39 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, with self.test_client() as c: c.delete('/v3/regions/%s' % region['id'], headers=self.headers) + + +class DomainUserTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _UserRegionTests, + _DomainAndProjectUserRegionTests): + + def setUp(self): + super(DomainUserTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + domain = PROVIDERS.resource_api.create_domain( + uuid.uuid4().hex, unit.new_domain_ref() + ) + self.domain_id = domain['id'] + domain_admin = unit.new_user_ref(domain_id=self.domain_id) + self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id'] + PROVIDERS.assignment_api.create_grant( + self.bootstrapper.admin_role_id, user_id=self.user_id, + domain_id=self.domain_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, + password=domain_admin['password'], + domain_id=self.domain_id + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id}