
Merge "Add tests for domain users for policy association"

changes/61/681161/1
Zuul 1 week ago
parent
commit
e9cdc24d35
1 changed files with 233 additions and 0 deletions
  1. 233
    0
      keystone/tests/unit/protection/v3/test_policy_association.py

+ 233
- 0
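--- a/keystone/tests/unit/protection/v3/test_policy_association.py
+++ b/keystone/tests/unit/protection/v3/test_policy_association.py
@@ -226,6 +226,204 @@ class _SystemReaderAndMemberPoliciesAssociationTests(object):
             )
 
 
+class _DomainAndProjectUserPolicyAssociationsTests(object):
+
+    def test_user_cannot_check_policy_association_for_endpoint(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+        endpoint = PROVIDERS.catalog_api.create_endpoint(
+            endpoint['id'], endpoint
+        )
+
+        PROVIDERS.endpoint_policy_api.create_policy_association(
+            policy['id'], endpoint['id'])
+
+        with self.test_client() as c:
+            c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
+                  % (policy['id'], endpoint['id']),
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)
+
+    def test_user_cannot_check_policy_association_for_service(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+
+        PROVIDERS.endpoint_policy_api.create_policy_association(
+            policy['id'], service_id=service['id'])
+
+        with self.test_client() as c:
+            c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
+                  % (policy['id'], service['id']),
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)
+
+    def test_user_cannot_check_policy_association_for_region_and_service(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+
+        region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
+
+        PROVIDERS.endpoint_policy_api.create_policy_association(
+            policy['id'], service_id=service['id'], region_id=region['id']
+        )
+
+        with self.test_client() as c:
+            c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
+                  % (policy['id'], service['id'], region['id']),
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)
+
+    def test_user_cannot_get_policy_for_endpoint(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+        endpoint = PROVIDERS.catalog_api.create_endpoint(
+            endpoint['id'], endpoint
+        )
+        PROVIDERS.endpoint_policy_api.create_policy_association(
+            policy['id'], endpoint['id']
+        )
+        with self.test_client() as c:
+            c.get('/v3/endpoints/%s/OS-ENDPOINT-POLICY/policy'
+                  % (endpoint['id']),
+                  headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN)
+
+    def test_user_cannot_list_endpoints_for_policy(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+        endpoint = PROVIDERS.catalog_api.create_endpoint(
+            endpoint['id'], endpoint
+        )
+        PROVIDERS.endpoint_policy_api.create_policy_association(
+            policy['id'], endpoint['id']
+        )
+        with self.test_client() as c:
+            c.get('/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints'
+                  % (policy['id']), headers=self.headers,
+                  expected_status_code=http_client.FORBIDDEN
+                  )
+
+    def test_user_cannot_create_policy_association_for_endpoint(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+        endpoint = PROVIDERS.catalog_api.create_endpoint(
+            endpoint['id'], endpoint
+        )
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
+                % (policy['id'], endpoint['id']),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_delete_policy_association_for_endpoint(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
+        endpoint = PROVIDERS.catalog_api.create_endpoint(
+            endpoint['id'], endpoint
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/policies/%s/OS-ENDPOINT-POLICY/endpoints/%s'
+                % (policy['id'], endpoint['id']),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_create_policy_association_for_service(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        with self.test_client() as c:
+            c.put(
+                '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
+                % (policy['id'], service['id']),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_delete_policy_association_for_service(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s'
+                % (policy['id'], service['id']),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_create_policy_association_for_region_and_service(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
+                % (policy['id'], service['id'], region['id']),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_delete_policy_association_for_region_and_service(self):
+        policy = unit.new_policy_ref()
+        policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
+        service = PROVIDERS.catalog_api.create_service(
+            uuid.uuid4().hex, unit.new_service_ref()
+        )
+        region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/policies/%s/OS-ENDPOINT-POLICY/services/%s/regions/%s'
+                % (policy['id'], service['id'], region['id']),
+                headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+
 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                         common_auth.AuthTestMixin,
                         _SystemUserPoliciesAssociationTests,
@@ -418,3 +616,38 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
                 headers=self.headers,
                 expected_status_code=http_client.NO_CONTENT
             )
+
+
+class DomainUserTests(base_classes.TestCaseWithBootstrap,
+                      common_auth.AuthTestMixin,
+                      _DomainAndProjectUserPolicyAssociationsTests):
+
+    def setUp(self):
+        super(DomainUserTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        domain = PROVIDERS.resource_api.create_domain(
+            uuid.uuid4().hex, unit.new_domain_ref()
+        )
+        self.domain_id = domain['id']
+        domain_admin = unit.new_user_ref(domain_id=self.domain_id)
+        self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
+        PROVIDERS.assignment_api.create_grant(
+            self.bootstrapper.admin_role_id, user_id=self.user_id,
+            domain_id=self.domain_id
+        )
+
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=domain_admin['password'],
+            domain_id=self.domain_id
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}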
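Review bot: The three `test_user_cannot_delete_policy_association_*` methods never create the association they try to delete, so the expected 403 only holds while authorization is enforced before the association lookup; if that order ever changes, these tests would start failing with 404 instead of telling us whether a domain-scoped user is blocked. Creating the association first, as the `_check_` tests already do with `PROVIDERS.endpoint_policy_api.create_policy_association(...)`, would make the 403 depend on the policy decision alone. The new `DomainUserTests.setUp` only exercises a domain user holding `admin_role_id`; the mixin name `_DomainAndProjectUserPolicyAssociationsTests` suggests project-scoped and reader/member personas are meant to share it, which presumably lands in a follow-up, so a class docstring stating the intent would help, e.g. `"""Domain- and project-scoped users must be forbidden from every OS-ENDPOINT-POLICY operation regardless of role."""`. The file's own `headers` are built from a real token in `setUp`, so there is nothing else in the hunk that fakes authentication.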
