Implement system admin for implied roles

This change updates the create and delete actions for the implied roles policies to support the system-specific admin check string. For the time being, we're deferring adding support for the domain scope type and domain-specific check strings, but may add it in the future. Change-Id: I649f8f919fffc751aea750a5228f71cec8c6e184 Partial-bug: #1805371
2019-09-06 20:45:27 -07:00 · 2019-09-06 20:45:27 -07:00 · ee60db6f33
parent a73e057e25
commit ee60db6f33
2 changed files with 68 additions and 4 deletions
--- a/keystone/common/policies/implied_role.py
+++ b/keystone/common/policies/implied_role.py
@ -31,6 +31,14 @@ deprecated_check_implied_role = policy.DeprecatedRule(
    name=base.IDENTITY % 'check_implied_role',
    check_str=base.RULE_ADMIN_REQUIRED,
 )
+deprecated_create_implied_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'create_implied_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+)
+deprecated_delete_implied_role = policy.DeprecatedRule(
+    name=base.IDENTITY % 'delete_implied_role',
+    check_str=base.RULE_ADMIN_REQUIRED,
+)

 DEPRECATED_REASON = """
 As of the Train release, the implied role API understands how to
@ -78,7 +86,7 @@ implied_role_policies = [
        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'create_implied_role',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Create an association between two roles. When a '
                    'relationship exists between a prior role and an implied '
@ -86,10 +94,13 @@ implied_role_policies = [
                    'also assumes the implied role.',
        operations=[
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
-             'method': 'PUT'}]),
+             'method': 'PUT'}],
+        deprecated_rule=deprecated_create_implied_role,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'delete_implied_role',
-        check_str=base.RULE_ADMIN_REQUIRED,
+        check_str=base.SYSTEM_ADMIN,
        scope_types=['system'],
        description='Delete the association between two roles. When a '
                    'relationship exists between a prior role and an implied '
@ -98,7 +109,10 @@ implied_role_policies = [
                    'will cause that effect to be eliminated.',
        operations=[
            {'path': '/v3/roles/{prior_role_id}/implies/{implied_role_id}',
-             'method': 'DELETE'}]),
+             'method': 'DELETE'}],
+        deprecated_rule=deprecated_delete_implied_role,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.TRAIN),
    policy.DocumentedRuleDefault(
        name=base.IDENTITY % 'list_role_inference_rules',
        check_str=base.SYSTEM_READER,
--- a/keystone/tests/unit/protection/v3/test_implied_roles.py
+++ b/keystone/tests/unit/protection/v3/test_implied_roles.py
@ -169,3 +169,53 @@ class SystemMemberTests(base_classes.TestCaseWithBootstrap,
            r = c.post('/v3/auth/tokens', json=auth)
            self.token_id = r.headers['X-Subject-Token']
            self.headers = {'X-Auth-Token': self.token_id}
+
+
+class SystemAdminTests(base_classes.TestCaseWithBootstrap,
+                       common_auth.AuthTestMixin,
+                       _ImpliedRolesSetupMixin,
+                       _SystemUserImpliedRoleTests):
+
+    def setUp(self):
+        super(SystemAdminTests, self).setUp()
+        self.loadapp()
+        self.useFixture(ksfixtures.Policy(self.config_fixture))
+        self.config_fixture.config(group='oslo_policy', enforce_scope=True)
+
+        self._create_test_roles()
+
+        # Reuse the system administrator account created during
+        # ``keystone-manage bootstrap``
+        self.user_id = self.bootstrapper.admin_user_id
+        auth = self.build_authentication_request(
+            user_id=self.user_id,
+            password=self.bootstrapper.admin_password,
+            system=True
+        )
+
+        # Grab a token using the persona we're testing and prepare headers
+        # for requests we'll be making in the tests.
+        with self.test_client() as c:
+            r = c.post('/v3/auth/tokens', json=auth)
+            self.token_id = r.headers['X-Subject-Token']
+            self.headers = {'X-Auth-Token': self.token_id}
+
+    def test_user_can_create_implied_roles(self):
+        with self.test_client() as c:
+            c.put(
+                '/v3/roles/%s/implies/%s' % (
+                    self.prior_role_id, self.implied_role_id),
+                headers=self.headers,
+                expected_status_code=http_client.CREATED
+            )
+
+    def test_user_can_delete_implied_roles(self):
+        PROVIDERS.role_api.create_implied_role(self.prior_role_id,
+                                               self.implied_role_id)
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/roles/%s/implies/%s' % (
+                    self.prior_role_id, self.implied_role_id),
+                headers=self.headers
+            )