From 5dbaaed88e4e034cca8d8ba80ecff585a376db5b Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Wed, 29 Jul 2020 19:22:29 -0700 Subject: [PATCH] Add client methods and tests for system grants Add tempest client methods and API tests for grant operations on the system scope, similar to the existing grant operations for users and groups on project and domain scopes. Change-Id: Ie430b2ef0cadf6af3813d82812cce27729d27af1 --- tempest/api/identity/admin/v3/test_roles.py | 37 ++++++++++ .../lib/services/identity/v3/roles_client.py | 55 ++++++++++++++ .../services/identity/v3/test_roles_client.py | 73 +++++++++++++++++++ 3 files changed, 165 insertions(+) diff --git a/tempest/api/identity/admin/v3/test_roles.py b/tempest/api/identity/admin/v3/test_roles.py index dd7d5af444..e5137f4038 100644 --- a/tempest/api/identity/admin/v3/test_roles.py +++ b/tempest/api/identity/admin/v3/test_roles.py 
@@ -142,6 +142,26 @@ class RolesV3TestJSON(base.BaseIdentityV3AdminTest): self.roles_client.delete_role_from_user_on_domain( self.domain['id'], self.user_body['id'], self.role['id']) + @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source, + 'Skipped because environment has an immutable user ' + 'source and solely provides read-only access to users.') + @decorators.idempotent_id('e5a81737-d294-424d-8189-8664858aae4c') + def test_grant_list_revoke_role_to_user_on_system(self): + self.roles_client.create_user_role_on_system( + self.user_body['id'], self.role['id']) + + roles = self.roles_client.list_user_roles_on_system( + self.user_body['id'])['roles'] + + self.assertEqual(1, len(roles)) + self.assertEqual(self.role['id'], roles[0]['id']) + + self.roles_client.check_user_role_existence_on_system( + self.user_body['id'], self.role['id']) + + self.roles_client.delete_role_from_user_on_system( + self.user_body['id'], self.role['id']) + @decorators.idempotent_id('cbf11737-1904-4690-9613-97bcbb3df1c4') @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source, 'Skipped because environment has an immutable user ' 
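Review bot: In `test_grant_list_revoke_role_to_user_on_system` the revoke step is only checked through the 204 that `delete_role_from_user_on_system` expects, so nothing confirms afterwards that the system grant is actually gone. A failing assertion before the delete also leaves the system-scope grant on `self.user_body`, which appears to be a fixture set up outside this hunk. Register the revoke with `self.addCleanup` (tolerating not-found) right after the create, and end the test with a re-list such as `self.assertEqual([], self.roles_client.list_user_roles_on_system(self.user_body['id'])['roles'])`. The same applies to `test_grant_list_revoke_role_to_group_on_system` in the @@ -197 hunk. As a style point, the decorators here are in the opposite order from the neighbouring test just below, which puts `idempotent_id` first.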
@@ -197,6 +217,23 @@ class RolesV3TestJSON(base.BaseIdentityV3AdminTest): self.roles_client.delete_role_from_group_on_domain( self.domain['id'], self.group_body['id'], self.role['id']) + @decorators.idempotent_id('c888fe4f-8018-48db-b959-542225c1b4b6') + def test_grant_list_revoke_role_to_group_on_system(self): + self.roles_client.create_group_role_on_system( + self.group_body['id'], self.role['id']) + + roles = self.roles_client.list_group_roles_on_system( + self.group_body['id'])['roles'] + + self.assertEqual(1, len(roles)) + self.assertEqual(self.role['id'], roles[0]['id']) + + self.roles_client.check_role_from_group_on_system_existence( + self.group_body['id'], self.role['id']) + + self.roles_client.delete_role_from_group_on_system( + self.group_body['id'], self.role['id']) + @decorators.idempotent_id('f5654bcc-08c4-4f71-88fe-05d64e06de94') def test_list_roles(self): """Test listing roles""" diff --git a/tempest/lib/services/identity/v3/roles_client.py b/tempest/lib/services/identity/v3/roles_client.py index 0d7593aa75..e41dc28c89 100644 --- a/tempest/lib/services/identity/v3/roles_client.py +++ b/tempest/lib/services/identity/v3/roles_client.py @@ -89,6 +89,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp, body) + def create_user_role_on_system(self, user_id, role_id): + """Add roles to a user on the system.""" + resp, body = self.put('system/users/%s/roles/%s' % + (user_id, role_id), None) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp, body) + def list_user_roles_on_project(self, project_id, user_id): """list roles of a user on a project.""" resp, body = self.get('projects/%s/users/%s/roles' % 
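Review bot: The docstring on `create_user_role_on_system` (roles_client.py, @@ -89 hunk) says "Add roles to a user on the system", but the method grants exactly one role per call through `PUT system/users/{user_id}/roles/{role_id}`. Something like `"""Grant one role to a user on the system scope; expects a 204."""` would tell callers what is being assigned and at which scope; `create_group_role_on_system` in the @@ -149 hunk has the same wording. Both ids are formatted into the path as-is, like the neighbouring project and domain methods, so the docstring could also say that callers must pass ids that need no URL quoting.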
@@ -105,6 +112,13 @@ class RolesClient(rest_client.RestClient): body = json.loads(body) return rest_client.ResponseBody(resp, body) + def list_user_roles_on_system(self, user_id): + """list roles of a user on the system.""" + resp, body = self.get('system/users/%s/roles' % user_id) + self.expected_success(200, resp.status) + body = json.loads(body) + return rest_client.ResponseBody(resp, body) + def delete_role_from_user_on_project(self, project_id, user_id, role_id): """Delete role of a user on a project.""" resp, body = self.delete('projects/%s/users/%s/roles/%s' % @@ -119,6 +133,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp, body) + def delete_role_from_user_on_system(self, user_id, role_id): + """Delete role of a user on the system.""" + resp, body = self.delete('system/users/%s/roles/%s' % + (user_id, role_id)) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp, body) + def check_user_role_existence_on_project(self, project_id, user_id, role_id): """Check role of a user on a project.""" @@ -135,6 +156,12 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp) + def check_user_role_existence_on_system(self, user_id, role_id): + """Check role of a user on the system.""" + resp, body = self.head('system/users/%s/roles/%s' % (user_id, role_id)) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp) + def create_group_role_on_project(self, project_id, group_id, role_id): """Add roles to a group on a project.""" resp, body = self.put('projects/%s/groups/%s/roles/%s' % 
@@ -149,6 +176,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp, body) + def create_group_role_on_system(self, group_id, role_id): + """Add roles to a group on the system.""" + resp, body = self.put('system/groups/%s/roles/%s' % + (group_id, role_id), None) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp, body) + def list_group_roles_on_project(self, project_id, group_id): """list roles of a group on a project.""" resp, body = self.get('projects/%s/groups/%s/roles' % @@ -165,6 +199,13 @@ class RolesClient(rest_client.RestClient): body = json.loads(body) return rest_client.ResponseBody(resp, body) + def list_group_roles_on_system(self, group_id): + """list roles of a group on the system.""" + resp, body = self.get('system/groups/%s/roles' % group_id) + self.expected_success(200, resp.status) + body = json.loads(body) + return rest_client.ResponseBody(resp, body) + def delete_role_from_group_on_project(self, project_id, group_id, role_id): """Delete role of a group on a project.""" resp, body = self.delete('projects/%s/groups/%s/roles/%s' % @@ -179,6 +220,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp, body) + def delete_role_from_group_on_system(self, group_id, role_id): + """Delete role of a group on the system.""" + resp, body = self.delete('system/groups/%s/roles/%s' % + (group_id, role_id)) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp, body) + def check_role_from_group_on_project_existence(self, project_id, group_id, role_id): """Check role of a group on a project.""" 
@@ -195,6 +243,13 @@ class RolesClient(rest_client.RestClient): self.expected_success(204, resp.status) return rest_client.ResponseBody(resp) + def check_role_from_group_on_system_existence(self, group_id, role_id): + """Check role of a group on the system.""" + resp, body = self.head('system/groups/%s/roles/%s' % + (group_id, role_id)) + self.expected_success(204, resp.status) + return rest_client.ResponseBody(resp) + def create_role_inference_rule(self, prior_role, implies_role): """Create a role inference rule.""" resp, body = self.put('roles/%s/implies/%s' % diff --git a/tempest/tests/lib/services/identity/v3/test_roles_client.py b/tempest/tests/lib/services/identity/v3/test_roles_client.py index 8d6bb423a6..e9633107e1 100644 --- a/tempest/tests/lib/services/identity/v3/test_roles_client.py +++ b/tempest/tests/lib/services/identity/v3/test_roles_client.py @@ -225,6 +225,16 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def _test_create_user_role_on_system(self, bytes_body=False): + self.check_service_client_function( + self.client.create_user_role_on_system, + 'tempest.lib.common.rest_client.RestClient.put', + {}, + bytes_body, + user_id="123", + role_id="1234", + status=204) + def _test_list_user_roles_on_project(self, bytes_body=False): self.check_service_client_function( self.client.list_user_roles_on_project, @@ -243,6 +253,14 @@ class TestRolesClient(base.BaseServiceTest): domain_id="b344506af7644f6794d9cb316600b020", user_id="123") + def _test_list_user_roles_on_system(self, bytes_body=False): + self.check_service_client_function( + self.client.list_user_roles_on_system, + 'tempest.lib.common.rest_client.RestClient.get', + self.FAKE_LIST_ROLES, + bytes_body, + user_id="123") + def _test_create_group_role_on_project(self, bytes_body=False): self.check_service_client_function( self.client.create_group_role_on_project, 
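Review bot: `_test_create_user_role_on_system` and `_test_list_user_roles_on_system` (test_roles_client.py, @@ -225 and @@ -243 hunks) are never called. The leading underscore keeps the runner from collecting them, and none of the hunks for this file adds the `test_*_with_str_body` wrappers that existing helpers have, such as `test_create_role_inference_rule_with_str_body` in the last hunk's context. The same holds for `_test_create_group_role_on_system` and `_test_list_group_roles_on_system` in the @@ -265 and @@ -283 hunks, so the create and list client methods for system grants get no unit coverage. Add the wrappers next to the existing ones, as below; the `_with_bytes_body` names assume the file's usual pairing, which is not visible in these hunks.

```python
    def test_create_user_role_on_system_with_str_body(self):
        self._test_create_user_role_on_system()

    def test_create_user_role_on_system_with_bytes_body(self):
        self._test_create_user_role_on_system(bytes_body=True)

    def test_list_user_roles_on_system_with_str_body(self):
        self._test_list_user_roles_on_system()

    def test_list_user_roles_on_system_with_bytes_body(self):
        self._test_list_user_roles_on_system(bytes_body=True)

    def test_create_group_role_on_system_with_str_body(self):
        self._test_create_group_role_on_system()

    def test_create_group_role_on_system_with_bytes_body(self):
        self._test_create_group_role_on_system(bytes_body=True)

    # list_group_roles_on_system takes only group_id; the helper's
    # domain_id keyword has to be removed before these two can pass.
    def test_list_group_roles_on_system_with_str_body(self):
        self._test_list_group_roles_on_system()

    def test_list_group_roles_on_system_with_bytes_body(self):
        self._test_list_group_roles_on_system(bytes_body=True)
```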
@@ -265,6 +283,16 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def _test_create_group_role_on_system(self, bytes_body=False): + self.check_service_client_function( + self.client.create_group_role_on_system, + 'tempest.lib.common.rest_client.RestClient.put', + {}, + bytes_body, + group_id="123", + role_id="1234", + status=204) + def _test_list_group_roles_on_project(self, bytes_body=False): self.check_service_client_function( self.client.list_group_roles_on_project, @@ -283,6 +311,15 @@ class TestRolesClient(base.BaseServiceTest): domain_id="b344506af7644f6794d9cb316600b020", group_id="123") + def _test_list_group_roles_on_system(self, bytes_body=False): + self.check_service_client_function( + self.client.list_group_roles_on_system, + 'tempest.lib.common.rest_client.RestClient.get', + self.FAKE_LIST_ROLES, + bytes_body, + domain_id="b344506af7644f6794d9cb316600b020", + group_id="123") + def _test_create_role_inference_rule(self, bytes_body=False): self.check_service_client_function( self.client.create_role_inference_rule, @@ -405,6 +442,15 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def test_delete_role_from_user_on_system(self): + self.check_service_client_function( + self.client.delete_role_from_user_on_system, + 'tempest.lib.common.rest_client.RestClient.delete', + {}, + user_id="123", + role_id="1234", + status=204) + def test_delete_role_from_group_on_project(self): self.check_service_client_function( self.client.delete_role_from_group_on_project, 
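Review bot: `_test_list_group_roles_on_system` (@@ -283 hunk) passes `domain_id="b344506af7644f6794d9cb316600b020"` along with `group_id`, but `list_group_roles_on_system(self, group_id)` as added in roles_client.py takes no `domain_id`. If `check_service_client_function` forwards its extra keyword arguments to the client method, as the other calls in this file suggest, the helper raises `TypeError` as soon as anything calls it. Drop the `domain_id=...` line so the call matches `_test_list_user_roles_on_system`, which passes only `user_id="123"`. The mistake stays hidden for now because no `test_*` method in this patch invokes the helper.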
@@ -425,6 +471,15 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def test_delete_role_from_group_on_system(self): + self.check_service_client_function( + self.client.delete_role_from_group_on_system, + 'tempest.lib.common.rest_client.RestClient.delete', + {}, + group_id="123", + role_id="1234", + status=204) + def test_check_user_role_existence_on_project(self): self.check_service_client_function( self.client.check_user_role_existence_on_project, @@ -445,6 +500,15 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def test_check_user_role_existence_on_system(self): + self.check_service_client_function( + self.client.check_user_role_existence_on_system, + 'tempest.lib.common.rest_client.RestClient.head', + {}, + user_id="123", + role_id="1234", + status=204) + def test_check_role_from_group_on_project_existence(self): self.check_service_client_function( self.client.check_role_from_group_on_project_existence, @@ -465,6 +529,15 @@ class TestRolesClient(base.BaseServiceTest): role_id="1234", status=204) + def test_check_role_from_group_on_system_existence(self): + self.check_service_client_function( + self.client.check_role_from_group_on_system_existence, + 'tempest.lib.common.rest_client.RestClient.head', + {}, + group_id="123", + role_id="1234", + status=204) + def test_create_role_inference_rule_with_str_body(self): self._test_create_role_inference_rule()