Inhrerit roles project calls on keystoneclient v3

This patch allows the user to perform the Inherited roles from projects API calls through python-keystoneclient. Assign role to user on projects in a subtree PUT /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects List user's inherited project roles on project GET /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/inherited_to_projects Check if user has an inherited project role on project HEAD /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects Revoke an inherited project role from user on project DELETE /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects These same operations regarding groups instead of users are also available. Change-Id: I8396d80f031726bbd23f2cc2bb302a7691f98cba Closes-bug: 1446702
2015-03-25 11:24:38 -03:00 · 2015-03-25 11:24:38 -03:00 · 6dae40e7c6
parent eae8e83f5a
commit 6dae40e7c6
2 changed files with 123 additions and 2 deletions
--- a/keystoneclient/tests/unit/v3/test_roles.py
+++ b/keystoneclient/tests/unit/v3/test_roles.py
@ -59,6 +59,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
        self.manager.grant(role=ref['id'], domain=domain_id, user=user_id,
                           os_inherit_extension_inherited=True)

+    def test_project_role_grant_inherited(self):
+        user_id = uuid.uuid4().hex
+        project_id = uuid.uuid4().hex
+        ref = self.new_ref()
+
+        self.stub_url('PUT',
+                      ['OS-INHERIT', 'projects', project_id, 'users', user_id,
+                       self.collection_key, ref['id'],
+                       'inherited_to_projects'],
+                      status_code=204)
+
+        self.manager.grant(role=ref['id'], project=project_id, user=user_id,
+                           os_inherit_extension_inherited=True)
+
    def test_domain_group_role_grant(self):
        group_id = uuid.uuid4().hex
        domain_id = uuid.uuid4().hex
@ -85,6 +99,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
        self.manager.grant(role=ref['id'], domain=domain_id, group=group_id,
                           os_inherit_extension_inherited=True)

+    def test_project_group_role_grant_inherited(self):
+        group_id = uuid.uuid4().hex
+        project_id = uuid.uuid4().hex
+        ref = self.new_ref()
+
+        self.stub_url('PUT',
+                      ['OS-INHERIT', 'projects', project_id, 'groups',
+                       group_id, self.collection_key, ref['id'],
+                       'inherited_to_projects'],
+                      status_code=204)
+
+        self.manager.grant(role=ref['id'], project=project_id, group=group_id,
+                           os_inherit_extension_inherited=True)
+
    def test_domain_role_list(self):
        user_id = uuid.uuid4().hex
        domain_id = uuid.uuid4().hex
@ -113,6 +141,23 @@ class RoleTests(utils.TestCase, utils.CrudTests):
        self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
        [self.assertIsInstance(r, self.model) for r in returned_list]

+    def test_project_user_role_list_inherited(self):
+        user_id = uuid.uuid4().hex
+        project_id = uuid.uuid4().hex
+        ref_list = [self.new_ref(), self.new_ref()]
+
+        self.stub_entity('GET',
+                         ['OS-INHERIT',
+                          'projects', project_id, 'users', user_id,
+                          self.collection_key, 'inherited_to_projects'],
+                         entity=ref_list)
+
+        returned_list = self.manager.list(project=project_id, user=user_id,
+                                          os_inherit_extension_inherited=True)
+
+        self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
+        [self.assertIsInstance(r, self.model) for r in returned_list]
+
    def test_domain_group_role_list(self):
        group_id = uuid.uuid4().hex
        domain_id = uuid.uuid4().hex
@ -141,6 +186,23 @@ class RoleTests(utils.TestCase, utils.CrudTests):
        self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
        [self.assertIsInstance(r, self.model) for r in returned_list]

+    def test_project_group_role_list_inherited(self):
+        group_id = uuid.uuid4().hex
+        project_id = uuid.uuid4().hex
+        ref_list = [self.new_ref(), self.new_ref()]
+
+        self.stub_entity('GET',
+                         ['OS-INHERIT',
+                          'projects', project_id, 'groups', group_id,
+                          self.collection_key, 'inherited_to_projects'],
+                         entity=ref_list)
+
+        returned_list = self.manager.list(project=project_id, group=group_id,
+                                          os_inherit_extension_inherited=True)
+
+        self.assertThat(ref_list, matchers.HasLength(len(returned_list)))
+        [self.assertIsInstance(r, self.model) for r in returned_list]
+
    def test_domain_role_check(self):
        user_id = uuid.uuid4().hex
        domain_id = uuid.uuid4().hex
@ -169,6 +231,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
        self.manager.check(role=ref['id'], domain=domain_id,
                           user=user_id, os_inherit_extension_inherited=True)

+    def test_project_role_check_inherited(self):
+        user_id = uuid.uuid4().hex
+        project_id = uuid.uuid4().hex
+        ref = self.new_ref()
+
+        self.stub_url('HEAD',
+                      ['OS-INHERIT',
+                       'projects', project_id, 'users', user_id,
+                       self.collection_key, ref['id'],
+                       'inherited_to_projects'],
+                      status_code=204)
+
+        self.manager.check(role=ref['id'], project=project_id,
+                           user=user_id, os_inherit_extension_inherited=True)
+
    def test_domain_group_role_check(self):
        return
        group_id = uuid.uuid4().hex
@ -197,6 +274,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
        self.manager.check(role=ref['id'], domain=domain_id,
                           group=group_id, os_inherit_extension_inherited=True)

+    def test_project_group_role_check_inherited(self):
+        group_id = uuid.uuid4().hex
+        project_id = uuid.uuid4().hex
+        ref = self.new_ref()
+
+        self.stub_url('HEAD',
+                      ['OS-INHERIT',
+                       'projects', project_id, 'groups', group_id,
+                       self.collection_key, ref['id'],
+                       'inherited_to_projects'],
+                      status_code=204)
+
+        self.manager.check(role=ref['id'], project=project_id,
+                           group=group_id, os_inherit_extension_inherited=True)
+
    def test_domain_role_revoke(self):
        user_id = uuid.uuid4().hex
        domain_id = uuid.uuid4().hex
@ -235,6 +327,20 @@ class RoleTests(utils.TestCase, utils.CrudTests):
        self.manager.revoke(role=ref['id'], domain=domain_id,
                            user=user_id, os_inherit_extension_inherited=True)

+    def test_project_role_revoke_inherited(self):
+        user_id = uuid.uuid4().hex
+        project_id = uuid.uuid4().hex
+        ref = self.new_ref()
+
+        self.stub_url('DELETE',
+                      ['OS-INHERIT', 'projects', project_id, 'users', user_id,
+                       self.collection_key, ref['id'],
+                       'inherited_to_projects'],
+                      status_code=204)
+
+        self.manager.revoke(role=ref['id'], project=project_id,
+                            user=user_id, os_inherit_extension_inherited=True)
+
    def test_domain_group_role_revoke_inherited(self):
        group_id = uuid.uuid4().hex
        domain_id = uuid.uuid4().hex
@ -250,6 +356,21 @@ class RoleTests(utils.TestCase, utils.CrudTests):
                            group=group_id,
                            os_inherit_extension_inherited=True)

+    def test_project_group_role_revoke_inherited(self):
+        group_id = uuid.uuid4().hex
+        project_id = uuid.uuid4().hex
+        ref = self.new_ref()
+
+        self.stub_url('DELETE',
+                      ['OS-INHERIT', 'projects', project_id, 'groups',
+                       group_id, self.collection_key, ref['id'],
+                       'inherited_to_projects'],
+                      status_code=204)
+
+        self.manager.revoke(role=ref['id'], project=project_id,
+                            group=group_id,
+                            os_inherit_extension_inherited=True)
+
    def test_project_role_grant(self):
        user_id = uuid.uuid4().hex
        project_id = uuid.uuid4().hex
--- a/keystoneclient/v3/roles.py
+++ b/keystoneclient/v3/roles.py
@ -50,8 +50,8 @@ class RoleManager(base.CrudManager):
            params['domain_id'] = base.getid(domain)
            base_url = '/domains/%(domain_id)s'

-            if use_inherit_extension:
-                base_url = '/OS-INHERIT' + base_url
+        if use_inherit_extension:
+            base_url = '/OS-INHERIT' + base_url

        if user:
            params['user_id'] = base.getid(user)