Identity: Support assigning inherited roles

Change-Id: I7ab6a693f486b5093533e123e6f9d0cefa3c1a83
0weng
2024-09-16 15:06:31 -07:00
committed by Oria Weng
parent d5ba0c42a9
commit aff5e358ac
9 changed files with 488 additions and 86 deletions


@@ -1256,6 +1256,7 @@ class IdentityCloudMixin(openstackcloud._OpenStackCloudMixin):
project=None,
domain=None,
system=None,
inherited=False,
wait=False,
timeout=60,
):
@@ -1267,6 +1268,7 @@ class IdentityCloudMixin(openstackcloud._OpenStackCloudMixin):
:param string project: The name or id of the project.
:param string domain: The id of the domain. (v3)
:param bool system: The name of the system. (v3)
:param bool inherited: Whether the role assignment is inherited. (v3)
:param bool wait: Wait for role to be granted
:param int timeout: Timeout to wait for role to be granted
@@ -1303,40 +1305,46 @@ class IdentityCloudMixin(openstackcloud._OpenStackCloudMixin):
# Proceed with project - precedence over domain and system
if user:
has_role = self.identity.validate_user_has_project_role(
project, user, role
project, user, role, inherited=inherited
)
if has_role:
self.log.debug('Assignment already exists')
return False
self.identity.assign_project_role_to_user(project, user, role)
self.identity.assign_project_role_to_user(
project, user, role, inherited=inherited
)
else:
has_role = self.identity.validate_group_has_project_role(
project, group, role
project, group, role, inherited=inherited
)
if has_role:
self.log.debug('Assignment already exists')
return False
self.identity.assign_project_role_to_group(
project, group, role
project, group, role, inherited=inherited
)
elif domain:
# Proceed with domain - precedence over system
if user:
has_role = self.identity.validate_user_has_domain_role(
domain, user, role
domain, user, role, inherited=inherited
)
if has_role:
self.log.debug('Assignment already exists')
return False
self.identity.assign_domain_role_to_user(domain, user, role)
self.identity.assign_domain_role_to_user(
domain, user, role, inherited=inherited
)
else:
has_role = self.identity.validate_group_has_domain_role(
domain, group, role
domain, group, role, inherited=inherited
)
if has_role:
self.log.debug('Assignment already exists')
return False
self.identity.assign_domain_role_to_group(domain, group, role)
self.identity.assign_domain_role_to_group(
domain, group, role, inherited=inherited
)
else:
# Proceed with system
# System name must be 'all' due to checks performed in
@@ -1367,6 +1375,7 @@ class IdentityCloudMixin(openstackcloud._OpenStackCloudMixin):
project=None,
domain=None,
system=None,
inherited=False,
wait=False,
timeout=60,
):
@@ -1378,6 +1387,7 @@ class IdentityCloudMixin(openstackcloud._OpenStackCloudMixin):
:param string project: The name or id of the project.
:param string domain: The id of the domain. (v3)
:param bool system: The name of the system. (v3)
:param bool inherited: Whether the role assignment is inherited.
:param bool wait: Wait for role to be revoked
:param int timeout: Timeout to wait for role to be revoked
@@ -1411,45 +1421,45 @@ class IdentityCloudMixin(openstackcloud._OpenStackCloudMixin):
# Proceed with project - precedence over domain and system
if user:
has_role = self.identity.validate_user_has_project_role(
project, user, role
project, user, role, inherited=inherited
)
if not has_role:
self.log.debug('Assignment does not exists')
return False
self.identity.unassign_project_role_from_user(
project, user, role
project, user, role, inherited=inherited
)
else:
has_role = self.identity.validate_group_has_project_role(
project, group, role
project, group, role, inherited=inherited
)
if not has_role:
self.log.debug('Assignment does not exists')
return False
self.identity.unassign_project_role_from_group(
project, group, role
project, group, role, inherited=inherited
)
elif domain:
# Proceed with domain - precedence over system
if user:
has_role = self.identity.validate_user_has_domain_role(
domain, user, role
domain, user, role, inherited=inherited
)
if not has_role:
self.log.debug('Assignment does not exists')
return False
self.identity.unassign_domain_role_from_user(
domain, user, role
domain, user, role, inherited=inherited
)
else:
has_role = self.identity.validate_group_has_domain_role(
domain, group, role
domain, group, role, inherited=inherited
)
if not has_role:
self.log.debug('Assignment does not exists')
return False
self.identity.unassign_domain_role_from_group(
domain, group, role
domain, group, role, inherited=inherited
)
else:
# Proceed with system
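Review bot: `inherited` is passed through the project and domain branches of both the grant and the revoke path, but nothing in these hunks handles it in the system branch, whose body lies outside the hunks. If that branch is unchanged, a call with a system scope and `inherited=True` would create or remove a direct system assignment with no error, although the caller asked for an inherited one. Because this decides which access actually exists afterwards, I would reject the combination before the scope dispatch, along the lines of `if inherited and not (project or domain): raise exceptions.SDKException("inherited is only supported for project and domain scope")`. The two `:param bool inherited:` lines should also say that the flag applies to project and domain scope only; the second one is missing the `(v3)` marker the first carries.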


@@ -1233,7 +1233,9 @@ class Proxy(proxy.Proxy):
"""
return self._list(_role_assignment.RoleAssignment, **query)
def assign_domain_role_to_user(self, domain, user, role):
def assign_domain_role_to_user(
self, domain, user, role, *, inherited=False
):
"""Assign role to user on a domain
:param domain: Either the ID of a domain or a
@@ -1242,14 +1244,17 @@ class Proxy(proxy.Proxy):
:class:`~openstack.identity.v3.user.User` instance.
:param role: Either the ID of a role or a
:class:`~openstack.identity.v3.role.Role` instance.
:param bool inherited: Whether the role assignment is inherited.
:return: ``None``
"""
domain = self._get_resource(_domain.Domain, domain)
user = self._get_resource(_user.User, user)
role = self._get_resource(_role.Role, role)
domain.assign_role_to_user(self, user, role)
domain.assign_role_to_user(self, user, role, inherited)
def unassign_domain_role_from_user(self, domain, user, role):
def unassign_domain_role_from_user(
self, domain, user, role, *, inherited=False
):
"""Unassign role from user on a domain
:param domain: Either the ID of a domain or a
@@ -1258,14 +1263,17 @@ class Proxy(proxy.Proxy):
:class:`~openstack.identity.v3.user.User` instance.
:param role: Either the ID of a role or a
:class:`~openstack.identity.v3.role.Role` instance.
:param bool inherited: Whether the role assignment is inherited.
:return: ``None``
"""
domain = self._get_resource(_domain.Domain, domain)
user = self._get_resource(_user.User, user)
role = self._get_resource(_role.Role, role)
domain.unassign_role_from_user(self, user, role)
domain.unassign_role_from_user(self, user, role, inherited)
def validate_user_has_domain_role(self, domain, user, role):
def validate_user_has_domain_role(
self, domain, user, role, *, inherited=False
):
"""Validates that a user has a role on a domain
:param domain: Either the ID of a domain or a
@@ -1279,9 +1287,11 @@ class Proxy(proxy.Proxy):
domain = self._get_resource(_domain.Domain, domain)
user = self._get_resource(_user.User, user)
role = self._get_resource(_role.Role, role)
return domain.validate_user_has_role(self, user, role)
return domain.validate_user_has_role(self, user, role, inherited)
def assign_domain_role_to_group(self, domain, group, role):
def assign_domain_role_to_group(
self, domain, group, role, *, inherited=False
):
"""Assign role to group on a domain
:param domain: Either the ID of a domain or a
@@ -1290,14 +1300,17 @@ class Proxy(proxy.Proxy):
:class:`~openstack.identity.v3.group.Group` instance.
:param role: Either the ID of a role or a
:class:`~openstack.identity.v3.role.Role` instance.
:param bool inherited: Whether the role assignment is inherited.
:return: ``None``
"""
domain = self._get_resource(_domain.Domain, domain)
group = self._get_resource(_group.Group, group)
role = self._get_resource(_role.Role, role)
domain.assign_role_to_group(self, group, role)
domain.assign_role_to_group(self, group, role, inherited)
def unassign_domain_role_from_group(self, domain, group, role):
def unassign_domain_role_from_group(
self, domain, group, role, *, inherited=False
):
"""Unassign role from group on a domain
:param domain: Either the ID of a domain or a
@@ -1306,14 +1319,17 @@ class Proxy(proxy.Proxy):
:class:`~openstack.identity.v3.group.Group` instance.
:param role: Either the ID of a role or a
:class:`~openstack.identity.v3.role.Role` instance.
:param bool inherited: Whether the role assignment is inherited.
:return: ``None``
"""
domain = self._get_resource(_domain.Domain, domain)
group = self._get_resource(_group.Group, group)
role = self._get_resource(_role.Role, role)
domain.unassign_role_from_group(self, group, role)
domain.unassign_role_from_group(self, group, role, inherited)
def validate_group_has_domain_role(self, domain, group, role):
def validate_group_has_domain_role(
self, domain, group, role, *, inherited=False
):
"""Validates that a group has a role on a domain
:param domain: Either the ID of a domain or a
@@ -1327,9 +1343,11 @@ class Proxy(proxy.Proxy):
domain = self._get_resource(_domain.Domain, domain)
group = self._get_resource(_group.Group, group)
role = self._get_resource(_role.Role, role)
return domain.validate_group_has_role(self, group, role)
return domain.validate_group_has_role(self, group, role, inherited)
def assign_project_role_to_user(self, project, user, role):
def assign_project_role_to_user(
self, project, user, role, *, inherited=False
):
"""Assign role to user on a project
:param project: Either the ID of a project or a
@@ -1339,14 +1357,17 @@ class Proxy(proxy.Proxy):
:class:`~openstack.identity.v3.user.User` instance.
:param role: Either the ID of a role or a
:class:`~openstack.identity.v3.role.Role` instance.
:param bool inherited: Whether the role assignment is inherited.
:return: ``None``
"""
project = self._get_resource(_project.Project, project)
user = self._get_resource(_user.User, user)
role = self._get_resource(_role.Role, role)
project.assign_role_to_user(self, user, role)
project.assign_role_to_user(self, user, role, inherited)
def unassign_project_role_from_user(self, project, user, role):
def unassign_project_role_from_user(
self, project, user, role, *, inherited=False
):
"""Unassign role from user on a project
:param project: Either the ID of a project or a
@@ -1356,14 +1377,17 @@ class Proxy(proxy.Proxy):
:class:`~openstack.identity.v3.user.User` instance.
:param role: Either the ID of a role or a
:class:`~openstack.identity.v3.role.Role` instance.
:param bool inherited: Whether the role assignment is inherited.
:return: ``None``
"""
project = self._get_resource(_project.Project, project)
user = self._get_resource(_user.User, user)
role = self._get_resource(_role.Role, role)
project.unassign_role_from_user(self, user, role)
project.unassign_role_from_user(self, user, role, inherited)
def validate_user_has_project_role(self, project, user, role):
def validate_user_has_project_role(
self, project, user, role, *, inherited=False
):
"""Validates that a user has a role on a project
:param project: Either the ID of a project or a
@@ -1378,9 +1402,11 @@ class Proxy(proxy.Proxy):
project = self._get_resource(_project.Project, project)
user = self._get_resource(_user.User, user)
role = self._get_resource(_role.Role, role)
return project.validate_user_has_role(self, user, role)
return project.validate_user_has_role(self, user, role, inherited)
def assign_project_role_to_group(self, project, group, role):
def assign_project_role_to_group(
self, project, group, role, *, inherited=False
):
"""Assign role to group on a project
:param project: Either the ID of a project or a
@@ -1390,14 +1416,17 @@ class Proxy(proxy.Proxy):
:class:`~openstack.identity.v3.group.Group` instance.
:param role: Either the ID of a role or a
:class:`~openstack.identity.v3.role.Role` instance.
:param bool inherited: Whether the role assignment is inherited.
:return: ``None``
"""
project = self._get_resource(_project.Project, project)
group = self._get_resource(_group.Group, group)
role = self._get_resource(_role.Role, role)
project.assign_role_to_group(self, group, role)
project.assign_role_to_group(self, group, role, inherited)
def unassign_project_role_from_group(self, project, group, role):
def unassign_project_role_from_group(
self, project, group, role, *, inherited=False
):
"""Unassign role from group on a project
:param project: Either the ID of a project or a
@@ -1407,14 +1436,17 @@ class Proxy(proxy.Proxy):
:class:`~openstack.identity.v3.group.Group` instance.
:param role: Either the ID of a role or a
:class:`~openstack.identity.v3.role.Role` instance.
:param bool inherited: Whether the role assignment is inherited.
:return: ``None``
"""
project = self._get_resource(_project.Project, project)
group = self._get_resource(_group.Group, group)
role = self._get_resource(_role.Role, role)
project.unassign_role_from_group(self, group, role)
project.unassign_role_from_group(self, group, role, inherited)
def validate_group_has_project_role(self, project, group, role):
def validate_group_has_project_role(
self, project, group, role, *, inherited=False
):
"""Validates that a group has a role on a project
:param project: Either the ID of a project or a
@@ -1429,7 +1461,7 @@ class Proxy(proxy.Proxy):
project = self._get_resource(_project.Project, project)
group = self._get_resource(_group.Group, group)
role = self._get_resource(_role.Role, role)
return project.validate_group_has_role(self, group, role)
return project.validate_group_has_role(self, group, role, inherited)
def assign_system_role_to_user(self, user, role, system):
"""Assign a role to user on a system
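Review bot: The four `validate_*_has_*_role` methods now accept `inherited`, but going by the hunk ranges their docstrings gain no `:param bool inherited:` entry, unlike the assign and unassign methods. The omission matters because the flag selects which assignment is looked up: the resource methods on this page send the default to the direct-assignment URL and `inherited=True` to the `OS-INHERIT/.../inherited_to_projects` URL, so neither call answers whether the principal holds the role by any route. I would add `:param bool inherited: Check the inherited assignment instead of the direct one; the two are looked up separately.` to each of them. The docstring bodies sit between hunks and are not visible here, so this is inferred from the unchanged line counts.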


@@ -48,11 +48,18 @@ class Domain(resource.Resource):
#: The links related to the domain resource.
links = resource.Body('links')
def assign_role_to_user(self, session, user, role):
def assign_role_to_user(self, session, user, role, inherited):
"""Assign role to user on domain"""
url = utils.urljoin(
self.base_path, self.id, 'users', user.id, 'roles', role.id
self.base_path,
self.id,
'users',
user.id,
'roles',
role.id,
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.put(
url,
)
@@ -60,11 +67,13 @@ class Domain(resource.Resource):
return True
return False
def validate_user_has_role(self, session, user, role):
def validate_user_has_role(self, session, user, role, inherited):
"""Validates that a user has a role on a domain"""
url = utils.urljoin(
self.base_path, self.id, 'users', user.id, 'roles', role.id
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.head(
url,
)
@@ -72,11 +81,13 @@ class Domain(resource.Resource):
return True
return False
def unassign_role_from_user(self, session, user, role):
def unassign_role_from_user(self, session, user, role, inherited):
"""Unassigns a role from a user on a domain"""
url = utils.urljoin(
self.base_path, self.id, 'users', user.id, 'roles', role.id
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.delete(
url,
)
@@ -84,11 +95,18 @@ class Domain(resource.Resource):
return True
return False
def assign_role_to_group(self, session, group, role):
def assign_role_to_group(self, session, group, role, inherited):
"""Assign role to group on domain"""
url = utils.urljoin(
self.base_path, self.id, 'groups', group.id, 'roles', role.id
self.base_path,
self.id,
'groups',
group.id,
'roles',
role.id,
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.put(
url,
)
@@ -96,11 +114,13 @@ class Domain(resource.Resource):
return True
return False
def validate_group_has_role(self, session, group, role):
def validate_group_has_role(self, session, group, role, inherited):
"""Validates that a group has a role on a domain"""
url = utils.urljoin(
self.base_path, self.id, 'groups', group.id, 'roles', role.id
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.head(
url,
)
@@ -108,11 +128,13 @@ class Domain(resource.Resource):
return True
return False
def unassign_role_from_group(self, session, group, role):
def unassign_role_from_group(self, session, group, role, inherited):
"""Unassigns a role from a group on a domain"""
url = utils.urljoin(
self.base_path, self.id, 'groups', group.id, 'roles', role.id
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.delete(
url,
)
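Review bot: `inherited` is added to all six `Domain` role methods as a required positional parameter, so any existing caller of `domain.assign_role_to_user(session, user, role)` or its siblings now fails with a `TypeError`; the `Project` methods in the next file section have the same signature change. The proxy layer declares the flag as `*, inherited=False`, and the resource layer should keep the old call shape working in the same way: `def assign_role_to_user(self, session, user, role, inherited=False):`. Making it keyword-only here too, with the proxy passing `inherited=inherited`, would additionally stop a stray fourth positional argument from turning a direct assignment into an inherited one unnoticed. The one-line docstrings could also state that the inherited form targets the `OS-INHERIT` path.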


@@ -62,11 +62,18 @@ class Project(resource.Resource, tag.TagMixin):
#: New in version 3.4
parent_id = resource.Body('parent_id')
def assign_role_to_user(self, session, user, role):
def assign_role_to_user(self, session, user, role, inherited):
"""Assign role to user on project"""
url = utils.urljoin(
self.base_path, self.id, 'users', user.id, 'roles', role.id
self.base_path,
self.id,
'users',
user.id,
'roles',
role.id,
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.put(
url,
)
@@ -74,11 +81,13 @@ class Project(resource.Resource, tag.TagMixin):
return True
return False
def validate_user_has_role(self, session, user, role):
def validate_user_has_role(self, session, user, role, inherited):
"""Validates that a user has a role on a project"""
url = utils.urljoin(
self.base_path, self.id, 'users', user.id, 'roles', role.id
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.head(
url,
)
@@ -86,11 +95,13 @@ class Project(resource.Resource, tag.TagMixin):
return True
return False
def unassign_role_from_user(self, session, user, role):
def unassign_role_from_user(self, session, user, role, inherited):
"""Unassigns a role from a user on a project"""
url = utils.urljoin(
self.base_path, self.id, 'users', user.id, 'roles', role.id
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.delete(
url,
)
@@ -98,11 +109,18 @@ class Project(resource.Resource, tag.TagMixin):
return True
return False
def assign_role_to_group(self, session, group, role):
def assign_role_to_group(self, session, group, role, inherited):
"""Assign role to group on project"""
url = utils.urljoin(
self.base_path, self.id, 'groups', group.id, 'roles', role.id
self.base_path,
self.id,
'groups',
group.id,
'roles',
role.id,
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.put(
url,
)
@@ -110,11 +128,13 @@ class Project(resource.Resource, tag.TagMixin):
return True
return False
def validate_group_has_role(self, session, group, role):
def validate_group_has_role(self, session, group, role, inherited):
"""Validates that a group has a role on a project"""
url = utils.urljoin(
self.base_path, self.id, 'groups', group.id, 'roles', role.id
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.head(
url,
)
@@ -122,11 +142,13 @@ class Project(resource.Resource, tag.TagMixin):
return True
return False
def unassign_role_from_group(self, session, group, role):
def unassign_role_from_group(self, session, group, role, inherited):
"""Unassigns a role from a group on a project"""
url = utils.urljoin(
self.base_path, self.id, 'groups', group.id, 'roles', role.id
)
if inherited:
url = utils.urljoin('OS-INHERIT', url, 'inherited_to_projects')
resp = session.delete(
url,
)
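Review bot: Each `Project` method reports the outcome of the new `OS-INHERIT` request only through `return True` / `return False`, and the proxy methods on this page call them without using the result and document a `None` return. Unless the session raises on error responses, a refused or failed inherited grant or revoke looks the same as success to proxy callers; the status check between `session.put(` and `return True` lies outside the hunks, so this is inferred. For a revoke that would leave the inherited access in place while the caller believes it is gone. I would have the proxy raise when the resource method returns `False`, or call `exceptions.raise_from_response(resp)` in the resource before the status check. The `Domain` methods have the same shape.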


@@ -19,6 +19,8 @@ from openstack.tests.unit import base
class TestRoleAssignment(base.TestCase):
IS_INHERITED = False
def _build_role_assignment_response(
self, role_id, scope_type, scope_id, entity_type, entity_id
):
@@ -119,7 +121,13 @@ class TestRoleAssignment(base.TestCase):
append=None,
base_url_append='v3',
qs_elements=None,
inherited=False,
):
if inherited:
base_url_append = base_url_append + '/OS-INHERIT'
if append and inherited:
append.append('inherited_to_projects')
return super().get_mock_url(
service_type,
interface,
@@ -318,6 +326,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -333,6 +342,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -345,6 +355,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.user_id,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -370,6 +381,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -385,6 +397,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -397,6 +410,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
@@ -419,6 +433,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -432,6 +447,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_id,
user=self.user_data.user_id,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -457,6 +473,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -470,6 +487,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -494,6 +512,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -509,6 +528,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -521,6 +541,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_id,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -546,6 +567,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -561,6 +583,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -573,6 +596,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -596,6 +620,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -609,6 +634,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_id,
group=self.group_data.group_id,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -634,6 +660,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -647,6 +674,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -672,6 +700,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -687,6 +716,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -699,6 +729,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.user_id,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -724,6 +755,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -739,6 +771,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -751,6 +784,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
@@ -773,6 +807,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -786,6 +821,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_id,
user=self.user_data.user_id,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -811,6 +847,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -824,6 +861,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -848,6 +886,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -863,6 +902,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -875,6 +915,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_id,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -900,6 +941,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -915,6 +957,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -927,6 +970,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -950,6 +994,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -963,6 +1008,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_id,
group=self.group_data.group_id,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -988,6 +1034,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1001,6 +1048,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1026,6 +1074,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1041,6 +1090,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1053,6 +1103,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.user_id,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1078,6 +1129,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1093,6 +1145,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1105,6 +1158,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
@@ -1127,6 +1181,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1140,6 +1195,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_id,
user=self.user_data.user_id,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1165,6 +1221,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1178,6 +1235,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1202,6 +1260,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1217,6 +1276,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1229,6 +1289,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_id,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1254,6 +1315,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1269,6 +1331,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1281,6 +1344,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1304,6 +1368,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1317,6 +1382,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_id,
group=self.group_data.group_id,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1342,6 +1408,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1355,6 +1422,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
project=self.project_data.project_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1380,6 +1448,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1395,6 +1464,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1407,6 +1477,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.user_id,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1432,6 +1503,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1447,6 +1519,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1459,6 +1532,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
@@ -1481,6 +1555,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1494,6 +1569,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_id,
user=self.user_data.user_id,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1519,6 +1595,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1532,6 +1609,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1556,6 +1634,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1571,6 +1650,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1583,6 +1663,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_id,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1608,6 +1689,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1623,6 +1705,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1635,6 +1718,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1658,6 +1742,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1671,6 +1756,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_id,
group=self.group_data.group_id,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1696,6 +1782,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1709,6 +1796,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
domain=self.domain_data.domain_id,
inherited=self.IS_INHERITED,
)
)
self.assert_calls()
@@ -1747,6 +1835,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
domain=self.domain_data.domain_name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
@@ -1784,6 +1873,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
group=self.group_data.group_name,
domain=self.domain_data.domain_name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
@@ -1796,7 +1886,10 @@ class TestRoleAssignment(base.TestCase):
exceptions.SDKException,
'Must specify either a user or a group',
):
self.cloud.grant_role(self.role_data.role_name)
self.cloud.grant_role(
self.role_data.role_name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
def test_revoke_no_user_or_group_specified(self):
@@ -1808,7 +1901,10 @@ class TestRoleAssignment(base.TestCase):
exceptions.SDKException,
'Must specify either a user or a group',
):
self.cloud.revoke_role(self.role_data.role_name)
self.cloud.revoke_role(
self.role_data.role_name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
def test_grant_no_user_or_group(self):
@@ -1825,7 +1921,9 @@ class TestRoleAssignment(base.TestCase):
'Must specify either a user or a group',
):
self.cloud.grant_role(
self.role_data.role_name, user=self.user_data.name
self.role_data.role_name,
user=self.user_data.name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
@@ -1843,7 +1941,9 @@ class TestRoleAssignment(base.TestCase):
'Must specify either a user or a group',
):
self.cloud.revoke_role(
self.role_data.role_name, user=self.user_data.name
self.role_data.role_name,
user=self.user_data.name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
@@ -1867,6 +1967,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
group=self.group_data.group_name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
@@ -1890,6 +1991,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
group=self.group_data.group_name,
inherited=self.IS_INHERITED,
)
def test_grant_both_project_and_domain(self):
@@ -1917,6 +2019,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=404,
@@ -1932,6 +2035,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -1945,6 +2049,7 @@ class TestRoleAssignment(base.TestCase):
user=self.user_data.name,
project=self.project_data.project_name,
domain=self.domain_data.domain_name,
inherited=self.IS_INHERITED,
)
)
@@ -1973,6 +2078,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
complete_qs=True,
status_code=204,
@@ -1988,6 +2094,7 @@ class TestRoleAssignment(base.TestCase):
'roles',
self.role_data.role_id,
],
inherited=self.IS_INHERITED,
),
status_code=200,
),
@@ -2001,6 +2108,7 @@ class TestRoleAssignment(base.TestCase):
user=self.user_data.name,
project=self.project_data.project_name,
domain=self.domain_data.domain_name,
inherited=self.IS_INHERITED,
)
)
@@ -2019,7 +2127,9 @@ class TestRoleAssignment(base.TestCase):
'Must specify either a domain, project or system',
):
self.cloud.grant_role(
self.role_data.role_name, user=self.user_data.name
self.role_data.role_name,
user=self.user_data.name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
@@ -2038,7 +2148,9 @@ class TestRoleAssignment(base.TestCase):
'Must specify either a domain, project or system',
):
self.cloud.revoke_role(
self.role_data.role_name, user=self.user_data.name
self.role_data.role_name,
user=self.user_data.name,
inherited=self.IS_INHERITED,
)
self.assert_calls()
@@ -2066,6 +2178,7 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
domain='baddomain',
inherited=self.IS_INHERITED,
)
self.assert_calls()
@@ -2093,5 +2206,10 @@ class TestRoleAssignment(base.TestCase):
self.role_data.role_name,
user=self.user_data.name,
domain='baddomain',
inherited=self.IS_INHERITED,
)
self.assert_calls()
class TestInheritedRoleAssignment(TestRoleAssignment):
IS_INHERITED = True


@@ -84,12 +84,27 @@ class TestDomain(base.TestCase):
self.assertTrue(
sot.assign_role_to_user(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
self.sess.put.assert_called_with('domains/IDENTIFIER/users/1/roles/2')
def test_assign_inherited_role_to_user_good(self):
sot = domain.Domain(**EXAMPLE)
resp = self.good_resp
self.sess.put = mock.Mock(return_value=resp)
self.assertTrue(
sot.assign_role_to_user(
self.sess, user.User(id='1'), role.Role(id='2'), True
)
)
self.sess.put.assert_called_with(
'OS-INHERIT/domains/IDENTIFIER/users/1/roles/2/inherited_to_projects'
)
def test_assign_role_to_user_bad(self):
sot = domain.Domain(**EXAMPLE)
resp = self.bad_resp
@@ -97,7 +112,7 @@ class TestDomain(base.TestCase):
self.assertFalse(
sot.assign_role_to_user(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -108,12 +123,27 @@ class TestDomain(base.TestCase):
self.assertTrue(
sot.validate_user_has_role(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
self.sess.head.assert_called_with('domains/IDENTIFIER/users/1/roles/2')
def test_validate_user_has_inherited_role_good(self):
sot = domain.Domain(**EXAMPLE)
resp = self.good_resp
self.sess.head = mock.Mock(return_value=resp)
self.assertTrue(
sot.validate_user_has_role(
self.sess, user.User(id='1'), role.Role(id='2'), True
)
)
self.sess.head.assert_called_with(
'OS-INHERIT/domains/IDENTIFIER/users/1/roles/2/inherited_to_projects'
)
def test_validate_user_has_role_bad(self):
sot = domain.Domain(**EXAMPLE)
resp = self.bad_resp
@@ -121,7 +151,7 @@ class TestDomain(base.TestCase):
self.assertFalse(
sot.validate_user_has_role(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -132,7 +162,7 @@ class TestDomain(base.TestCase):
self.assertTrue(
sot.unassign_role_from_user(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -140,6 +170,21 @@ class TestDomain(base.TestCase):
'domains/IDENTIFIER/users/1/roles/2'
)
def test_unassign_inherited_role_from_user_good(self):
sot = domain.Domain(**EXAMPLE)
resp = self.good_resp
self.sess.delete = mock.Mock(return_value=resp)
self.assertTrue(
sot.unassign_role_from_user(
self.sess, user.User(id='1'), role.Role(id='2'), True
)
)
self.sess.delete.assert_called_with(
'OS-INHERIT/domains/IDENTIFIER/users/1/roles/2/inherited_to_projects'
)
def test_unassign_role_from_user_bad(self):
sot = domain.Domain(**EXAMPLE)
resp = self.bad_resp
@@ -147,7 +192,7 @@ class TestDomain(base.TestCase):
self.assertFalse(
sot.unassign_role_from_user(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -158,12 +203,27 @@ class TestDomain(base.TestCase):
self.assertTrue(
sot.assign_role_to_group(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
self.sess.put.assert_called_with('domains/IDENTIFIER/groups/1/roles/2')
def test_assign_inherited_role_to_group_good(self):
sot = domain.Domain(**EXAMPLE)
resp = self.good_resp
self.sess.put = mock.Mock(return_value=resp)
self.assertTrue(
sot.assign_role_to_group(
self.sess, group.Group(id='1'), role.Role(id='2'), True
)
)
self.sess.put.assert_called_with(
'OS-INHERIT/domains/IDENTIFIER/groups/1/roles/2/inherited_to_projects'
)
def test_assign_role_to_group_bad(self):
sot = domain.Domain(**EXAMPLE)
resp = self.bad_resp
@@ -171,7 +231,7 @@ class TestDomain(base.TestCase):
self.assertFalse(
sot.assign_role_to_group(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -182,7 +242,7 @@ class TestDomain(base.TestCase):
self.assertTrue(
sot.validate_group_has_role(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -190,6 +250,21 @@ class TestDomain(base.TestCase):
'domains/IDENTIFIER/groups/1/roles/2'
)
def test_validate_group_has_inherited_role_good(self):
sot = domain.Domain(**EXAMPLE)
resp = self.good_resp
self.sess.head = mock.Mock(return_value=resp)
self.assertTrue(
sot.validate_group_has_role(
self.sess, group.Group(id='1'), role.Role(id='2'), True
)
)
self.sess.head.assert_called_with(
'OS-INHERIT/domains/IDENTIFIER/groups/1/roles/2/inherited_to_projects'
)
def test_validate_group_has_role_bad(self):
sot = domain.Domain(**EXAMPLE)
resp = self.bad_resp
@@ -197,7 +272,7 @@ class TestDomain(base.TestCase):
self.assertFalse(
sot.validate_group_has_role(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -208,7 +283,7 @@ class TestDomain(base.TestCase):
self.assertTrue(
sot.unassign_role_from_group(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -216,6 +291,21 @@ class TestDomain(base.TestCase):
'domains/IDENTIFIER/groups/1/roles/2'
)
def test_unassign_inherited_role_from_group_good(self):
sot = domain.Domain(**EXAMPLE)
resp = self.good_resp
self.sess.delete = mock.Mock(return_value=resp)
self.assertTrue(
sot.unassign_role_from_group(
self.sess, group.Group(id='1'), role.Role(id='2'), True
)
)
self.sess.delete.assert_called_with(
'OS-INHERIT/domains/IDENTIFIER/groups/1/roles/2/inherited_to_projects'
)
def test_unassign_role_from_group_bad(self):
sot = domain.Domain(**EXAMPLE)
resp = self.bad_resp
@@ -223,6 +313,6 @@ class TestDomain(base.TestCase):
self.assertFalse(
sot.unassign_role_from_group(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
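Review bot: None of the six `test_*_inherited_*_good` tests added to TestDomain has a `_bad` counterpart, so a failed response on the `OS-INHERIT/.../inherited_to_projects` path is never asserted to return False; the TestProject section has the same gap. This matters most for the `validate_*_has_role` pair, because the cloud layer's `grant_role` returns early with "Assignment already exists" based on that result. I would add a bad-response case for each inherited verb, modelled on the existing `_bad` tests; one example is below. The existing `_bad` tests start outside these hunks, so their setup lines are assumed to mirror the `_good` ones.

```python
    def test_validate_user_has_inherited_role_bad(self):
        sot = domain.Domain(**EXAMPLE)
        resp = self.bad_resp
        self.sess.head = mock.Mock(return_value=resp)

        self.assertFalse(
            sot.validate_user_has_role(
                self.sess, user.User(id='1'), role.Role(id='2'), True
            )
        )
```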


@@ -97,12 +97,27 @@ class TestProject(base.TestCase):
self.assertTrue(
sot.assign_role_to_user(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
self.sess.put.assert_called_with('projects/IDENTIFIER/users/1/roles/2')
def test_assign_inherited_role_to_user_good(self):
sot = project.Project(**EXAMPLE)
resp = self.good_resp
self.sess.put = mock.Mock(return_value=resp)
self.assertTrue(
sot.assign_role_to_user(
self.sess, user.User(id='1'), role.Role(id='2'), True
)
)
self.sess.put.assert_called_with(
'OS-INHERIT/projects/IDENTIFIER/users/1/roles/2/inherited_to_projects'
)
def test_assign_role_to_user_bad(self):
sot = project.Project(**EXAMPLE)
resp = self.bad_resp
@@ -110,7 +125,7 @@ class TestProject(base.TestCase):
self.assertFalse(
sot.assign_role_to_user(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -121,7 +136,7 @@ class TestProject(base.TestCase):
self.assertTrue(
sot.validate_user_has_role(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -129,6 +144,21 @@ class TestProject(base.TestCase):
'projects/IDENTIFIER/users/1/roles/2'
)
def test_validate_user_has_inherited_role_good(self):
sot = project.Project(**EXAMPLE)
resp = self.good_resp
self.sess.head = mock.Mock(return_value=resp)
self.assertTrue(
sot.validate_user_has_role(
self.sess, user.User(id='1'), role.Role(id='2'), True
)
)
self.sess.head.assert_called_with(
'OS-INHERIT/projects/IDENTIFIER/users/1/roles/2/inherited_to_projects'
)
def test_validate_user_has_role_bad(self):
sot = project.Project(**EXAMPLE)
resp = self.bad_resp
@@ -136,7 +166,7 @@ class TestProject(base.TestCase):
self.assertFalse(
sot.validate_user_has_role(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -147,7 +177,7 @@ class TestProject(base.TestCase):
self.assertTrue(
sot.unassign_role_from_user(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -155,6 +185,21 @@ class TestProject(base.TestCase):
'projects/IDENTIFIER/users/1/roles/2'
)
def test_unassign_inherited_role_from_user_good(self):
sot = project.Project(**EXAMPLE)
resp = self.good_resp
self.sess.delete = mock.Mock(return_value=resp)
self.assertTrue(
sot.unassign_role_from_user(
self.sess, user.User(id='1'), role.Role(id='2'), True
)
)
self.sess.delete.assert_called_with(
'OS-INHERIT/projects/IDENTIFIER/users/1/roles/2/inherited_to_projects'
)
def test_unassign_role_from_user_bad(self):
sot = project.Project(**EXAMPLE)
resp = self.bad_resp
@@ -162,7 +207,7 @@ class TestProject(base.TestCase):
self.assertFalse(
sot.unassign_role_from_user(
self.sess, user.User(id='1'), role.Role(id='2')
self.sess, user.User(id='1'), role.Role(id='2'), False
)
)
@@ -173,7 +218,7 @@ class TestProject(base.TestCase):
self.assertTrue(
sot.assign_role_to_group(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -181,6 +226,21 @@ class TestProject(base.TestCase):
'projects/IDENTIFIER/groups/1/roles/2'
)
def test_assign_inherited_role_to_group_good(self):
sot = project.Project(**EXAMPLE)
resp = self.good_resp
self.sess.put = mock.Mock(return_value=resp)
self.assertTrue(
sot.assign_role_to_group(
self.sess, group.Group(id='1'), role.Role(id='2'), True
)
)
self.sess.put.assert_called_with(
'OS-INHERIT/projects/IDENTIFIER/groups/1/roles/2/inherited_to_projects'
)
def test_assign_role_to_group_bad(self):
sot = project.Project(**EXAMPLE)
resp = self.bad_resp
@@ -188,7 +248,7 @@ class TestProject(base.TestCase):
self.assertFalse(
sot.assign_role_to_group(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -199,7 +259,7 @@ class TestProject(base.TestCase):
self.assertTrue(
sot.validate_group_has_role(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -207,6 +267,21 @@ class TestProject(base.TestCase):
'projects/IDENTIFIER/groups/1/roles/2'
)
def test_validate_group_has_inherited_role_good(self):
sot = project.Project(**EXAMPLE)
resp = self.good_resp
self.sess.head = mock.Mock(return_value=resp)
self.assertTrue(
sot.validate_group_has_role(
self.sess, group.Group(id='1'), role.Role(id='2'), True
)
)
self.sess.head.assert_called_with(
'OS-INHERIT/projects/IDENTIFIER/groups/1/roles/2/inherited_to_projects'
)
def test_validate_group_has_role_bad(self):
sot = project.Project(**EXAMPLE)
resp = self.bad_resp
@@ -214,7 +289,7 @@ class TestProject(base.TestCase):
self.assertFalse(
sot.validate_group_has_role(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -225,7 +300,7 @@ class TestProject(base.TestCase):
self.assertTrue(
sot.unassign_role_from_group(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
@@ -233,6 +308,21 @@ class TestProject(base.TestCase):
'projects/IDENTIFIER/groups/1/roles/2'
)
def test_unassign_inherited_role_from_group_good(self):
sot = project.Project(**EXAMPLE)
resp = self.good_resp
self.sess.delete = mock.Mock(return_value=resp)
self.assertTrue(
sot.unassign_role_from_group(
self.sess, group.Group(id='1'), role.Role(id='2'), True
)
)
self.sess.delete.assert_called_with(
'OS-INHERIT/projects/IDENTIFIER/groups/1/roles/2/inherited_to_projects'
)
def test_unassign_role_from_group_bad(self):
sot = project.Project(**EXAMPLE)
resp = self.bad_resp
@@ -240,7 +330,7 @@ class TestProject(base.TestCase):
self.assertFalse(
sot.unassign_role_from_group(
self.sess, group.Group(id='1'), role.Role(id='2')
self.sess, group.Group(id='1'), role.Role(id='2'), False
)
)
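Review bot: The new fourth argument is passed as a bare positional `True`/`False` in every call in this section (and in the TestDomain section), which makes the scope-widening flag hard to spot when auditing call sites. If the resource methods name the parameter `inherited`, as the proxy-level calls in this commit do, the tests would read better and pin the keyword as `sot.assign_role_to_user(self.sess, user.User(id='1'), role.Role(id='2'), inherited=True)`. Every pre-existing call was also changed to pass `False` explicitly, so nothing here exercises omitting the argument; if it has a default, keep one call without it, and if it does not, that looks like a signature break for direct callers of the resource methods and is worth stating in the release note. Several of the touched calls sit in test methods that begin outside the hunks.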


@@ -495,6 +495,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(user.User, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -508,6 +509,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(user.User, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -521,6 +523,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(user.User, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -534,6 +537,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(group.Group, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -547,6 +551,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(group.Group, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -560,6 +565,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(group.Group, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -573,6 +579,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(user.User, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -586,6 +593,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(user.User, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -599,6 +607,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(user.User, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -612,6 +621,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(group.Group, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -625,6 +635,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(group.Group, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
@@ -638,6 +649,7 @@ class TestIdentityProxyRoleAssignments(TestIdentityProxyBase):
self.proxy,
self.proxy._get_resource(group.Group, 'uid'),
self.proxy._get_resource(role.Role, 'rid'),
False,
],
)
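Review bot: Every hunk in this section only appends `False` to the expected argument list, so the proxy tests never check that `inherited=True` is forwarded to the resource method; a proxy that dropped the flag or hard-coded `False` would still pass. I would add at least one case per verb (assign, validate, unassign, for user and group on both domain and project) that calls the proxy method with `inherited=True` and expects `True` as the last forwarded argument. The enclosing test methods start outside the hunks, so the exact call shape has to be taken from the file.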


@@ -0,0 +1,6 @@
---
features:
- |
Add support for granting inherited roles.
Roles assignments can be added to a user or group
on the system, a domain, or a project.