Add client methods and tests for system grants

Add tempest client methods and API tests for grant operations on the system scope, similar to the existing grant operations for users and groups on project and domain scopes. Change-Id: Ie430b2ef0cadf6af3813d82812cce27729d27af1
2020-07-29 19:22:29 -07:00 · 2020-07-29 19:22:29 -07:00 · 5dbaaed88e
parent cd0bbbdad3
commit 5dbaaed88e
3 changed files with 165 additions and 0 deletions
--- a/tempest/api/identity/admin/v3/test_roles.py
+++ b/tempest/api/identity/admin/v3/test_roles.py
@ -142,6 +142,26 @@ class RolesV3TestJSON(base.BaseIdentityV3AdminTest):
        self.roles_client.delete_role_from_user_on_domain(
            self.domain['id'], self.user_body['id'], self.role['id'])

+    @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+                      'Skipped because environment has an immutable user '
+                      'source and solely provides read-only access to users.')
+    @decorators.idempotent_id('e5a81737-d294-424d-8189-8664858aae4c')
+    def test_grant_list_revoke_role_to_user_on_system(self):
+        self.roles_client.create_user_role_on_system(
+            self.user_body['id'], self.role['id'])
+
+        roles = self.roles_client.list_user_roles_on_system(
+            self.user_body['id'])['roles']
+
+        self.assertEqual(1, len(roles))
+        self.assertEqual(self.role['id'], roles[0]['id'])
+
+        self.roles_client.check_user_role_existence_on_system(
+            self.user_body['id'], self.role['id'])
+
+        self.roles_client.delete_role_from_user_on_system(
+            self.user_body['id'], self.role['id'])
+
    @decorators.idempotent_id('cbf11737-1904-4690-9613-97bcbb3df1c4')
    @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
                      'Skipped because environment has an immutable user '
@ -197,6 +217,23 @@ class RolesV3TestJSON(base.BaseIdentityV3AdminTest):
        self.roles_client.delete_role_from_group_on_domain(
            self.domain['id'], self.group_body['id'], self.role['id'])

+    @decorators.idempotent_id('c888fe4f-8018-48db-b959-542225c1b4b6')
+    def test_grant_list_revoke_role_to_group_on_system(self):
+        self.roles_client.create_group_role_on_system(
+            self.group_body['id'], self.role['id'])
+
+        roles = self.roles_client.list_group_roles_on_system(
+            self.group_body['id'])['roles']
+
+        self.assertEqual(1, len(roles))
+        self.assertEqual(self.role['id'], roles[0]['id'])
+
+        self.roles_client.check_role_from_group_on_system_existence(
+            self.group_body['id'], self.role['id'])
+
+        self.roles_client.delete_role_from_group_on_system(
+            self.group_body['id'], self.role['id'])
+
    @decorators.idempotent_id('f5654bcc-08c4-4f71-88fe-05d64e06de94')
    def test_list_roles(self):
        """Test listing roles"""
--- a/tempest/lib/services/identity/v3/roles_client.py
+++ b/tempest/lib/services/identity/v3/roles_client.py
@ -89,6 +89,13 @@ class RolesClient(rest_client.RestClient):
        self.expected_success(204, resp.status)
        return rest_client.ResponseBody(resp, body)

+    def create_user_role_on_system(self, user_id, role_id):
+        """Add roles to a user on the system."""
+        resp, body = self.put('system/users/%s/roles/%s' %
+                              (user_id, role_id), None)
+        self.expected_success(204, resp.status)
+        return rest_client.ResponseBody(resp, body)
+
    def list_user_roles_on_project(self, project_id, user_id):
        """list roles of a user on a project."""
        resp, body = self.get('projects/%s/users/%s/roles' %
@ -105,6 +112,13 @@ class RolesClient(rest_client.RestClient):
        body = json.loads(body)
        return rest_client.ResponseBody(resp, body)

+    def list_user_roles_on_system(self, user_id):
+        """list roles of a user on the system."""
+        resp, body = self.get('system/users/%s/roles' % user_id)
+        self.expected_success(200, resp.status)
+        body = json.loads(body)
+        return rest_client.ResponseBody(resp, body)
+
    def delete_role_from_user_on_project(self, project_id, user_id, role_id):
        """Delete role of a user on a project."""
        resp, body = self.delete('projects/%s/users/%s/roles/%s' %
@ -119,6 +133,13 @@ class RolesClient(rest_client.RestClient):
        self.expected_success(204, resp.status)
        return rest_client.ResponseBody(resp, body)

+    def delete_role_from_user_on_system(self, user_id, role_id):
+        """Delete role of a user on the system."""
+        resp, body = self.delete('system/users/%s/roles/%s' %
+                                 (user_id, role_id))
+        self.expected_success(204, resp.status)
+        return rest_client.ResponseBody(resp, body)
+
    def check_user_role_existence_on_project(self, project_id,
                                             user_id, role_id):
        """Check role of a user on a project."""
@ -135,6 +156,12 @@ class RolesClient(rest_client.RestClient):
        self.expected_success(204, resp.status)
        return rest_client.ResponseBody(resp)

+    def check_user_role_existence_on_system(self, user_id, role_id):
+        """Check role of a user on the system."""
+        resp, body = self.head('system/users/%s/roles/%s' % (user_id, role_id))
+        self.expected_success(204, resp.status)
+        return rest_client.ResponseBody(resp)
+
    def create_group_role_on_project(self, project_id, group_id, role_id):
        """Add roles to a group on a project."""
        resp, body = self.put('projects/%s/groups/%s/roles/%s' %
@ -149,6 +176,13 @@ class RolesClient(rest_client.RestClient):
        self.expected_success(204, resp.status)
        return rest_client.ResponseBody(resp, body)

+    def create_group_role_on_system(self, group_id, role_id):
+        """Add roles to a group on the system."""
+        resp, body = self.put('system/groups/%s/roles/%s' %
+                              (group_id, role_id), None)
+        self.expected_success(204, resp.status)
+        return rest_client.ResponseBody(resp, body)
+
    def list_group_roles_on_project(self, project_id, group_id):
        """list roles of a group on a project."""
        resp, body = self.get('projects/%s/groups/%s/roles' %
@ -165,6 +199,13 @@ class RolesClient(rest_client.RestClient):
        body = json.loads(body)
        return rest_client.ResponseBody(resp, body)

+    def list_group_roles_on_system(self, group_id):
+        """list roles of a group on the system."""
+        resp, body = self.get('system/groups/%s/roles' % group_id)
+        self.expected_success(200, resp.status)
+        body = json.loads(body)
+        return rest_client.ResponseBody(resp, body)
+
    def delete_role_from_group_on_project(self, project_id, group_id, role_id):
        """Delete role of a group on a project."""
        resp, body = self.delete('projects/%s/groups/%s/roles/%s' %
@ -179,6 +220,13 @@ class RolesClient(rest_client.RestClient):
        self.expected_success(204, resp.status)
        return rest_client.ResponseBody(resp, body)

+    def delete_role_from_group_on_system(self, group_id, role_id):
+        """Delete role of a group on the system."""
+        resp, body = self.delete('system/groups/%s/roles/%s' %
+                                 (group_id, role_id))
+        self.expected_success(204, resp.status)
+        return rest_client.ResponseBody(resp, body)
+
    def check_role_from_group_on_project_existence(self, project_id,
                                                   group_id, role_id):
        """Check role of a group on a project."""
@ -195,6 +243,13 @@ class RolesClient(rest_client.RestClient):
        self.expected_success(204, resp.status)
        return rest_client.ResponseBody(resp)

+    def check_role_from_group_on_system_existence(self, group_id, role_id):
+        """Check role of a group on the system."""
+        resp, body = self.head('system/groups/%s/roles/%s' %
+                               (group_id, role_id))
+        self.expected_success(204, resp.status)
+        return rest_client.ResponseBody(resp)
+
    def create_role_inference_rule(self, prior_role, implies_role):
        """Create a role inference rule."""
        resp, body = self.put('roles/%s/implies/%s' %
--- a/tempest/tests/lib/services/identity/v3/test_roles_client.py
+++ b/tempest/tests/lib/services/identity/v3/test_roles_client.py
@ -225,6 +225,16 @@ class TestRolesClient(base.BaseServiceTest):
            role_id="1234",
            status=204)

+    def _test_create_user_role_on_system(self, bytes_body=False):
+        self.check_service_client_function(
+            self.client.create_user_role_on_system,
+            'tempest.lib.common.rest_client.RestClient.put',
+            {},
+            bytes_body,
+            user_id="123",
+            role_id="1234",
+            status=204)
+
    def _test_list_user_roles_on_project(self, bytes_body=False):
        self.check_service_client_function(
            self.client.list_user_roles_on_project,
@ -243,6 +253,14 @@ class TestRolesClient(base.BaseServiceTest):
            domain_id="b344506af7644f6794d9cb316600b020",
            user_id="123")

+    def _test_list_user_roles_on_system(self, bytes_body=False):
+        self.check_service_client_function(
+            self.client.list_user_roles_on_system,
+            'tempest.lib.common.rest_client.RestClient.get',
+            self.FAKE_LIST_ROLES,
+            bytes_body,
+            user_id="123")
+
    def _test_create_group_role_on_project(self, bytes_body=False):
        self.check_service_client_function(
            self.client.create_group_role_on_project,
@ -265,6 +283,16 @@ class TestRolesClient(base.BaseServiceTest):
            role_id="1234",
            status=204)

+    def _test_create_group_role_on_system(self, bytes_body=False):
+        self.check_service_client_function(
+            self.client.create_group_role_on_system,
+            'tempest.lib.common.rest_client.RestClient.put',
+            {},
+            bytes_body,
+            group_id="123",
+            role_id="1234",
+            status=204)
+
    def _test_list_group_roles_on_project(self, bytes_body=False):
        self.check_service_client_function(
            self.client.list_group_roles_on_project,
@ -283,6 +311,15 @@ class TestRolesClient(base.BaseServiceTest):
            domain_id="b344506af7644f6794d9cb316600b020",
            group_id="123")

+    def _test_list_group_roles_on_system(self, bytes_body=False):
+        self.check_service_client_function(
+            self.client.list_group_roles_on_system,
+            'tempest.lib.common.rest_client.RestClient.get',
+            self.FAKE_LIST_ROLES,
+            bytes_body,
+            domain_id="b344506af7644f6794d9cb316600b020",
+            group_id="123")
+
    def _test_create_role_inference_rule(self, bytes_body=False):
        self.check_service_client_function(
            self.client.create_role_inference_rule,
@ -405,6 +442,15 @@ class TestRolesClient(base.BaseServiceTest):
            role_id="1234",
            status=204)

+    def test_delete_role_from_user_on_system(self):
+        self.check_service_client_function(
+            self.client.delete_role_from_user_on_system,
+            'tempest.lib.common.rest_client.RestClient.delete',
+            {},
+            user_id="123",
+            role_id="1234",
+            status=204)
+
    def test_delete_role_from_group_on_project(self):
        self.check_service_client_function(
            self.client.delete_role_from_group_on_project,
@ -425,6 +471,15 @@ class TestRolesClient(base.BaseServiceTest):
            role_id="1234",
            status=204)

+    def test_delete_role_from_group_on_system(self):
+        self.check_service_client_function(
+            self.client.delete_role_from_group_on_system,
+            'tempest.lib.common.rest_client.RestClient.delete',
+            {},
+            group_id="123",
+            role_id="1234",
+            status=204)
+
    def test_check_user_role_existence_on_project(self):
        self.check_service_client_function(
            self.client.check_user_role_existence_on_project,
@ -445,6 +500,15 @@ class TestRolesClient(base.BaseServiceTest):
            role_id="1234",
            status=204)

+    def test_check_user_role_existence_on_system(self):
+        self.check_service_client_function(
+            self.client.check_user_role_existence_on_system,
+            'tempest.lib.common.rest_client.RestClient.head',
+            {},
+            user_id="123",
+            role_id="1234",
+            status=204)
+
    def test_check_role_from_group_on_project_existence(self):
        self.check_service_client_function(
            self.client.check_role_from_group_on_project_existence,
@ -465,6 +529,15 @@ class TestRolesClient(base.BaseServiceTest):
            role_id="1234",
            status=204)

+    def test_check_role_from_group_on_system_existence(self):
+        self.check_service_client_function(
+            self.client.check_role_from_group_on_system_existence,
+            'tempest.lib.common.rest_client.RestClient.head',
+            {},
+            group_id="123",
+            role_id="1234",
+            status=204)
+
    def test_create_role_inference_rule_with_str_body(self):
        self._test_create_role_inference_rule()