diff --git a/tempest/api/identity/admin/v3/test_roles.py b/tempest/api/identity/admin/v3/test_roles.py index dd7d5af444..e5137f4038 100644 --- a/tempest/api/identity/admin/v3/test_roles.py +++ b/tempest/api/identity/admin/v3/test_roles.py @@ -142,6 +142,26 @@ class RolesV3TestJSON(base.BaseIdentityV3AdminTest): self.roles_client.delete_role_from_user_on_domain( self.domain['id'], self.user_body['id'], self.role['id']) + @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source, + 'Skipped because environment has an immutable user ' + 'source and solely provides read-only access to users.') + @decorators.idempotent_id('e5a81737-d294-424d-8189-8664858aae4c') + def test_grant_list_revoke_role_to_user_on_system(self): + self.roles_client.create_user_role_on_system( + self.user_body['id'], self.role['id']) + + roles = self.roles_client.list_user_roles_on_system( + self.user_body['id'])['roles'] + + self.assertEqual(1, len(roles)) + self.assertEqual(self.role['id'], roles[0]['id']) + + self.roles_client.check_user_role_existence_on_system( + self.user_body['id'], self.role['id']) + + self.roles_client.delete_role_from_user_on_system( + self.user_body['id'], self.role['id']) + @decorators.idempotent_id('cbf11737-1904-4690-9613-97bcbb3df1c4') @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source, 'Skipped because environment has an immutable user ' 
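Review bot: `test_grant_list_revoke_role_to_user_on_system` never checks that the revoke took effect, and if either `assertEqual` fails before the delete call the system-scope grant stays on `self.user_body`. A leftover system role is a deployment-wide privilege on a fixture user, so register the revoke as a cleanup right after the grant, e.g. `self.addCleanup(test_utils.call_and_ignore_notfound_exc, self.roles_client.delete_role_from_user_on_system, self.user_body['id'], self.role['id'])`; this needs `tempest.lib.common.utils.test_utils`, whose import is not visible in the hunk. After the delete, list again and assert the role is gone: `self.assertEqual(0, len(self.roles_client.list_user_roles_on_system(self.user_body['id'])['roles']))`. The same two gaps apply to `test_grant_list_revoke_role_to_group_on_system` in the next hunk. Both new tests also lack a one-line docstring like the `"""Test listing roles"""` on `test_list_roles`.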
@@ -197,6 +217,23 @@ class RolesV3TestJSON(base.BaseIdentityV3AdminTest): self.roles_client.delete_role_from_group_on_domain( self.domain['id'], self.group_body['id'], self.role['id']) + @decorators.idempotent_id('c888fe4f-8018-48db-b959-542225c1b4b6') + def test_grant_list_revoke_role_to_group_on_system(self): + self.roles_client.create_group_role_on_system( + self.group_body['id'], self.role['id']) + + roles = self.roles_client.list_group_roles_on_system( + self.group_body['id'])['roles'] + + self.assertEqual(1, len(roles)) + self.assertEqual(self.role['id'], roles[0]['id']) + + self.roles_client.check_role_from_group_on_system_existence( + self.group_body['id'], self.role['id']) + + self.roles_client.delete_role_from_group_on_system( + self.group_body['id'], self.role['id']) + @decorators.idempotent_id('f5654bcc-08c4-4f71-88fe-05d64e06de94') def test_list_roles(self): """Test listing roles""" diff --git a/tempest/lib/services/identity/v3/roles_client.py b/tempest/lib/services/identity/v3/roles_client.py index 0d7593aa75..e41dc28c89 100644 --- a/tempest/lib/services/identity/v3/roles_client.py +++ b/tempest/lib/services/identity/v3/roles_client.py @@ -89,6 +89,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp, body) + def create_user_role_on_system(self, user_id, role_id): + """Add roles to a user on the system.""" + resp, body = self.put('system/users/%s/roles/%s' % + (user_id, role_id), None) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp, body) + def list_user_roles_on_project(self, project_id, user_id): """list roles of a user on a project.""" resp, body = self.get('projects/%s/users/%s/roles' % 
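Review bot: `test_grant_list_revoke_role_to_group_on_system` has no `immutable_user_source` gate, while the user variant added in the previous hunk and the existing test with id `cbf11737-1904-4690-9613-97bcbb3df1c4` that follows it both carry `@testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source, ...)`. Whether `self.group_body` can be created against a read-only identity backend is decided in setup code outside this diff, so this needs confirming; if the group fixture depends on a writable source, add the same decorator here. The decorator order also differs between the two new tests (`skipIf` is above `idempotent_id` in the user test), and using one order for both would keep the file consistent.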
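Review bot: The docstring on `create_user_role_on_system` says "Add roles" although the call assigns exactly one role, and none of the new `*_on_system` docstrings (this hunk and the later hunks in roles_client.py) names the request being made. I would write `"""Assign a role to a user on the system (PUT system/users/{user_id}/roles/{role_id})."""` and the equivalent for the list, delete and check methods, capitalising "list" in the two list docstrings. `user_id` and `role_id` are interpolated into the path with `%s` unescaped, as in the neighbouring project and domain methods, so a short comment that callers are expected to pass server-issued ids would be worth adding. The class body continues outside the hunk.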
@@ -105,6 +112,13 @@ class RolesClient(rest_client.RestClient): body = json.loads(body) return rest_client.ResponseBody(resp, body) + def list_user_roles_on_system(self, user_id): + """list roles of a user on the system.""" + resp, body = self.get('system/users/%s/roles' % user_id) + self.expected_success(200, resp.status) + body = json.loads(body) + return rest_client.ResponseBody(resp, body) + def delete_role_from_user_on_project(self, project_id, user_id, role_id): """Delete role of a user on a project.""" resp, body = self.delete('projects/%s/users/%s/roles/%s' % @@ -119,6 +133,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp, body) + def delete_role_from_user_on_system(self, user_id, role_id): + """Delete role of a user on the system.""" + resp, body = self.delete('system/users/%s/roles/%s' % + (user_id, role_id)) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp, body) + def check_user_role_existence_on_project(self, project_id, user_id, role_id): """Check role of a user on a project.""" @@ -135,6 +156,12 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp) + def check_user_role_existence_on_system(self, user_id, role_id): + """Check role of a user on the system.""" + resp, body = self.head('system/users/%s/roles/%s' % (user_id, role_id)) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp) + def create_group_role_on_project(self, project_id, group_id, role_id): """Add roles to a group on a project.""" resp, body = self.put('projects/%s/groups/%s/roles/%s' % 
@@ -149,6 +176,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp, body) + def create_group_role_on_system(self, group_id, role_id): + """Add roles to a group on the system.""" + resp, body = self.put('system/groups/%s/roles/%s' % + (group_id, role_id), None) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp, body) + def list_group_roles_on_project(self, project_id, group_id): """list roles of a group on a project.""" resp, body = self.get('projects/%s/groups/%s/roles' % @@ -165,6 +199,13 @@ class RolesClient(rest_client.RestClient): body = json.loads(body) return rest_client.ResponseBody(resp, body) + def list_group_roles_on_system(self, group_id): + """list roles of a group on the system.""" + resp, body = self.get('system/groups/%s/roles' % group_id) + self.expected_success(200, resp.status) + body = json.loads(body) + return rest_client.ResponseBody(resp, body) + def delete_role_from_group_on_project(self, project_id, group_id, role_id): """Delete role of a group on a project.""" resp, body = self.delete('projects/%s/groups/%s/roles/%s' % @@ -179,6 +220,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp, body) + def delete_role_from_group_on_system(self, group_id, role_id): + """Delete role of a group on the system.""" + resp, body = self.delete('system/groups/%s/roles/%s' % + (group_id, role_id)) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp, body) + def check_role_from_group_on_project_existence(self, project_id, group_id, role_id): """Check role of a group on a project.""" 
@@ -195,6 +243,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp) + def check_role_from_group_on_system_existence(self, group_id, role_id): + """Check role of a group on the system.""" + resp, body = self.head('system/groups/%s/roles/%s' % + (group_id, role_id)) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp) + def create_role_inference_rule(self, prior_role, implies_role): """Create a role inference rule.""" resp, body = self.put('roles/%s/implies/%s' % diff --git a/tempest/tests/lib/services/identity/v3/test_roles_client.py b/tempest/tests/lib/services/identity/v3/test_roles_client.py index 8d6bb423a6..e9633107e1 100644 --- a/tempest/tests/lib/services/identity/v3/test_roles_client.py +++ b/tempest/tests/lib/services/identity/v3/test_roles_client.py @@ -225,6 +225,16 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def _test_create_user_role_on_system(self, bytes_body=False): + self.check_service_client_function( + self.client.create_user_role_on_system, + 'tempest.lib.common.rest_client.RestClient.put', + {}, + bytes_body, + user_id="123", + role_id="1234", + status=204) + def _test_list_user_roles_on_project(self, bytes_body=False): self.check_service_client_function( self.client.list_user_roles_on_project, @@ -243,6 +253,14 @@ class TestRolesClient(base.BaseServiceTest): domain_id="b344506af7644f6794d9cb316600b020", user_id="123") + def _test_list_user_roles_on_system(self, bytes_body=False): + self.check_service_client_function( + self.client.list_user_roles_on_system, + 'tempest.lib.common.rest_client.RestClient.get', + self.FAKE_LIST_ROLES, + bytes_body, + user_id="123") + def _test_create_group_role_on_project(self, bytes_body=False): self.check_service_client_function( self.client.create_group_role_on_project, 
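Review bot: `_test_create_user_role_on_system` is a private helper taking `bytes_body`, but no hunk in test_roles_client.py adds a `test_*` method that calls it, so as far as this diff shows the helper never runs. The same holds for `_test_list_user_roles_on_system`, `_test_create_group_role_on_system` and `_test_list_group_roles_on_system` in the following hunks; only the delete and check tests are real `test_*` methods. The file's existing pattern, visible in the trailing context of the last hunk (`test_create_role_inference_rule_with_str_body`), is a `_with_str_body` / `_with_bytes_body` pair per helper, and I would add those pairs as below. Until they exist, the create and list paths for system-scope role assignments have no unit coverage.

```python
    def test_create_user_role_on_system_with_str_body(self):
        self._test_create_user_role_on_system()

    def test_create_user_role_on_system_with_bytes_body(self):
        self._test_create_user_role_on_system(bytes_body=True)

    def test_list_user_roles_on_system_with_str_body(self):
        self._test_list_user_roles_on_system()

    def test_list_user_roles_on_system_with_bytes_body(self):
        self._test_list_user_roles_on_system(bytes_body=True)

    def test_create_group_role_on_system_with_str_body(self):
        self._test_create_group_role_on_system()

    def test_create_group_role_on_system_with_bytes_body(self):
        self._test_create_group_role_on_system(bytes_body=True)

    def test_list_group_roles_on_system_with_str_body(self):
        self._test_list_group_roles_on_system()

    def test_list_group_roles_on_system_with_bytes_body(self):
        self._test_list_group_roles_on_system(bytes_body=True)
```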
@@ -265,6 +283,16 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def _test_create_group_role_on_system(self, bytes_body=False): + self.check_service_client_function( + self.client.create_group_role_on_system, + 'tempest.lib.common.rest_client.RestClient.put', + {}, + bytes_body, + group_id="123", + role_id="1234", + status=204) + def _test_list_group_roles_on_project(self, bytes_body=False): self.check_service_client_function( self.client.list_group_roles_on_project, @@ -283,6 +311,15 @@ class TestRolesClient(base.BaseServiceTest): domain_id="b344506af7644f6794d9cb316600b020", group_id="123") + def _test_list_group_roles_on_system(self, bytes_body=False): + self.check_service_client_function( + self.client.list_group_roles_on_system, + 'tempest.lib.common.rest_client.RestClient.get', + self.FAKE_LIST_ROLES, + bytes_body, + domain_id="b344506af7644f6794d9cb316600b020", + group_id="123") + def _test_create_role_inference_rule(self, bytes_body=False): self.check_service_client_function( self.client.create_role_inference_rule, @@ -405,6 +442,15 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def test_delete_role_from_user_on_system(self): + self.check_service_client_function( + self.client.delete_role_from_user_on_system, + 'tempest.lib.common.rest_client.RestClient.delete', + {}, + user_id="123", + role_id="1234", + status=204) + def test_delete_role_from_group_on_project(self): self.check_service_client_function( self.client.delete_role_from_group_on_project, 
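Review bot: `_test_list_group_roles_on_system` passes `domain_id="b344506af7644f6794d9cb316600b020"`, but `list_group_roles_on_system(self, group_id)` in roles_client.py accepts only `group_id`. If `check_service_client_function` forwards its keyword arguments to the client method (its body is not in this diff), the call would raise a TypeError. The argument looks copied from the domain variant in the context just above; drop it so the call ends with `bytes_body,` followed by `group_id="123")`. The failure is currently hidden because no hunk in this file adds a test that invokes this helper.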
@@ -425,6 +471,15 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def test_delete_role_from_group_on_system(self): + self.check_service_client_function( + self.client.delete_role_from_group_on_system, + 'tempest.lib.common.rest_client.RestClient.delete', + {}, + group_id="123", + role_id="1234", + status=204) + def test_check_user_role_existence_on_project(self): self.check_service_client_function( self.client.check_user_role_existence_on_project, @@ -445,6 +500,15 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def test_check_user_role_existence_on_system(self): + self.check_service_client_function( + self.client.check_user_role_existence_on_system, + 'tempest.lib.common.rest_client.RestClient.head', + {}, + user_id="123", + role_id="1234", + status=204) + def test_check_role_from_group_on_project_existence(self): self.check_service_client_function( self.client.check_role_from_group_on_project_existence, @@ -465,6 +529,15 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def test_check_role_from_group_on_system_existence(self): + self.check_service_client_function( + self.client.check_role_from_group_on_system_existence, + 'tempest.lib.common.rest_client.RestClient.head', + {}, + group_id="123", + role_id="1234", + status=204) + def test_create_role_inference_rule_with_str_body(self): self._test_create_role_inference_rule()