diff --git a/keystone/tests/unit/protection/v3/test_protocols.py b/keystone/tests/unit/protection/v3/test_protocols.py
index d6620bc52c..8fe586c109 100644
--- a/keystone/tests/unit/protection/v3/test_protocols.py
+++ b/keystone/tests/unit/protection/v3/test_protocols.py
@@ -126,6 +126,89 @@ class _SystemReaderAndMemberProtocolTests(object): ) +class _DomainAndProjectUserProtocolTests(object): + + def test_user_cannot_create_protocols(self): + identity_provider = unit.new_identity_provider_ref() + identity_provider = PROVIDERS.federation_api.create_idp( + identity_provider['id'], identity_provider + ) + + mapping = PROVIDERS.federation_api.create_mapping( + uuid.uuid4().hex, unit.new_mapping_ref() + ) + + protocol_id = 'saml2' + create = {'protocol': {'mapping_id': mapping['id']}} + + with self.test_client() as c: + path = ( + '/v3/OS-FEDERATION/identity_providers/%s/protocols/%s' % + (identity_provider['id'], protocol_id) + ) + c.put( + path, json=create, headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_update_protocols(self): + protocol, mapping, identity_provider = self._create_protocol_and_deps() + + new_mapping = PROVIDERS.federation_api.create_mapping( + uuid.uuid4().hex, unit.new_mapping_ref() + ) + + update = {'protocol': {'mapping_id': new_mapping['id']}} + with self.test_client() as c: + path = ( + '/v3/OS-FEDERATION/identity_providers/%s/protocols/%s' % + (identity_provider['id'], protocol['id']) + ) + c.patch( + path, json=update, headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_delete_protocol(self): + protocol, mapping, identity_provider = self._create_protocol_and_deps() + + with self.test_client() as c: + path = ( + '/v3/OS-FEDERATION/identity_providers/%s/protocols/%s' % + (identity_provider['id'], protocol['id']) + ) + c.delete( + path, headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_list_protocols(self): + protocol, mapping, identity_provider = self._create_protocol_and_deps() + + with self.test_client() as c: + path = ( + '/v3/OS-FEDERATION/identity_providers/%s/protocols' % + identity_provider['id'] + ) + c.get( + path, headers=self.headers, + 
expected_status_code=http_client.FORBIDDEN + ) + + def test_user_cannot_get_a_protocol(self): + protocol, mapping, identity_provider = self._create_protocol_and_deps() + + with self.test_client() as c: + path = ( + '/v3/OS-FEDERATION/identity_providers/%s/protocols/%s' % + (identity_provider['id'], protocol['id']) + ) + c.get( + path, headers=self.headers, + expected_status_code=http_client.FORBIDDEN + ) + + class SystemReaderTests(base_classes.TestCaseWithBootstrap, common_auth.AuthTestMixin, _CommonUtilities, @@ -270,3 +353,39 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, (identity_provider['id'], protocol['id']) ) c.delete(path, headers=self.headers) + + +class DomainUserTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _CommonUtilities, + _DomainAndProjectUserProtocolTests): + + def setUp(self): + super(DomainUserTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + domain = PROVIDERS.resource_api.create_domain( + uuid.uuid4().hex, unit.new_domain_ref() + ) + self.domain_id = domain['id'] + domain_admin = unit.new_user_ref(domain_id=self.domain_id) + self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id'] + PROVIDERS.assignment_api.create_grant( + self.bootstrapper.admin_role_id, user_id=self.user_id, + domain_id=self.domain_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, + password=domain_admin['password'], + domain_id=self.domain_id + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id}
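Review bot: In `test_user_cannot_update_protocols`, `test_user_cannot_delete_protocol`, `test_user_cannot_list_protocols` and `test_user_cannot_get_a_protocol` the `mapping` value unpacked from `self._create_protocol_and_deps()` (a helper defined outside this hunk) is never read; `protocol, _, identity_provider = self._create_protocol_and_deps()` states that intent and keeps linters quiet. The new mixin `_DomainAndProjectUserProtocolTests` also has no docstring; I would add `"""Negative policy checks shared by domain- and project-scoped personas: every protocol operation must be rejected with 403."""`. Each test asserts only the 403 and does not re-read the protocol afterwards, so an enforcement applied after the write in the update and delete paths would still pass; if the other protection tests in this file do confirm state after a forbidden write, these should follow the same pattern.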
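Review bot: `DomainUserTests.setUp` grants `self.bootstrapper.admin_role_id` on a fresh domain, so the persona under test is a domain admin rather than a generic domain user, and neither the class nor the mixin it pulls in says why that role was chosen. A class docstring would make the reasoning auditable, e.g. `"""Domain-scoped persona: a domain admin, the most privileged domain-scoped role, must still be forbidden from every protocol operation under enforce_scope=True."""`. The mixin's name promises project-scoped coverage as well, but no project-user subclass appears in this diff; if it is meant to land separately, a short note on the mixin would avoid readers assuming that coverage already exists.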