From e29ff512bb2a5dde3f9eec2b2a2ec596384ec1a2 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Thu, 29 Nov 2018 18:44:40 +0000 Subject: [PATCH] Allow domain users to access the registered limits API This commit adds domain-scope to the scope_types for registered limit policies, allowing domain users to access those API when enforce_scope is enabled. This commit also introduces some tests that explicitly show how domain users are expected to behave with the registered limits API. A subsequent patch will do the same for project users. Change-Id: I7a04e1e2fc585340c9e061c915461ab13b9abec2 Related-Bug: 1805880 --- keystone/common/policies/registered_limit.py | 10 ++---- .../protection/v3/test_registered_limits.py | 35 +++++++++++++++++++ 2 files changed, 37 insertions(+), 8 deletions(-) diff --git a/keystone/common/policies/registered_limit.py b/keystone/common/policies/registered_limit.py index c10aeb8030..7dde90b3ef 100644 --- a/keystone/common/policies/registered_limit.py +++ b/keystone/common/policies/registered_limit.py @@ -18,13 +18,7 @@ registered_limit_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'get_registered_limit', check_str='', - # Getting a single registered limit or listing all registered limits - # should be information accessible to everyone. By setting - # scope_types=['system', 'project'] we're making it so that anyone with - # a role on the system or a project can obtain this information. - # Making changes to a registered limit should be considered a protected - # system-level API, as noted below with scope_types=['system']. - scope_types=['system', 'project'], + scope_types=['system', 'domain', 'project'], description='Show registered limit details.', operations=[{'path': '/v3/registered_limits/{registered_limit_id}', 'method': 'GET'}, @@ -33,7 +27,7 @@ registered_limit_policies = [ policy.DocumentedRuleDefault( name=base.IDENTITY % 'list_registered_limits', check_str='', - scope_types=['system', 'project'], + scope_types=['system', 'domain', 'project'], description='List registered limits.', operations=[{'path': '/v3/registered_limits', 'method': 'GET'}, diff --git a/keystone/tests/unit/protection/v3/test_registered_limits.py b/keystone/tests/unit/protection/v3/test_registered_limits.py index c99ace0083..bf3f44282b 100644 --- a/keystone/tests/unit/protection/v3/test_registered_limits.py +++ b/keystone/tests/unit/protection/v3/test_registered_limits.py @@ -315,3 +315,38 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap, c.delete( '/v3/registered_limits/%s' % limit_id, headers=self.headers ) + + +class DomainUserTests(base_classes.TestCaseWithBootstrap, + common_auth.AuthTestMixin, + _UserRegisteredLimitTests): + + def setUp(self): + super(DomainUserTests, self).setUp() + self.loadapp() + self.useFixture(ksfixtures.Policy(self.config_fixture)) + self.config_fixture.config(group='oslo_policy', enforce_scope=True) + + domain = PROVIDERS.resource_api.create_domain( + uuid.uuid4().hex, unit.new_domain_ref() + ) + self.domain_id = domain['id'] + domain_admin = unit.new_user_ref(domain_id=self.domain_id) + self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id'] + PROVIDERS.assignment_api.create_grant( + self.bootstrapper.admin_role_id, user_id=self.user_id, + domain_id=self.domain_id + ) + + auth = self.build_authentication_request( + user_id=self.user_id, + password=domain_admin['password'], + domain_id=self.domain_id + ) + + # Grab a token using the persona we're testing and prepare headers + # for requests we'll be making in the tests. + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + self.token_id = r.headers['X-Subject-Token'] + self.headers = {'X-Auth-Token': self.token_id}