Move role_assignments_client to tempest lib

This patch adds unit tests for the role_assignments_client and also
moves it to the lib.

Additionally, the method is refactored to be generic and handle the
full set of the role_assignments API parameters.

Change-Id: I1452d4f7be927f87f180badee377afa116d55ed6

releasenotes/notes/add-role-assignments-client-as-a-library-d34b4fdf376984ad.yaml

@@ -0,0 +1,6 @@
+---
+features:
+    - Define the identity service role_assignments_client as a library.
+      Add role_assignments_client to the library interface so the other
+      projects can use this module as a stable library without any
+      maintenance changes.

tempest/api/identity/admin/v3/test_inherits.py

@@ -168,15 +168,16 @@ class InheritsV3TestJSON(BaseInheritsV3Test):
             self.domain['id'], self.user['id'], src_role['id'])
 
         # List "effective" role assignments from user on the parent project
-        assignments = (
-            self.role_assignments.list_user_project_effective_assignments(
-                self.project['id'], self.user['id']))['role_assignments']
+        params = {'scope.project.id': self.project['id'],
+                  'user.id': self.user['id']}
+        assignments = self.role_assignments.list_role_assignments(
+            effective=True, **params)['role_assignments']
         self.assertNotEmpty(assignments)
 
         # List "effective" role assignments from user on the leaf project
-        assignments = (
-            self.role_assignments.list_user_project_effective_assignments(
-                leaf_project['id'], self.user['id']))['role_assignments']
+        params['scope.project.id'] = leaf_project['id']
+        assignments = self.role_assignments.list_role_assignments(
+            effective=True, **params)['role_assignments']
         self.assertNotEmpty(assignments)
 
         # Revoke role from domain
@@ -185,16 +186,16 @@ class InheritsV3TestJSON(BaseInheritsV3Test):
 
         # List "effective" role assignments from user on the parent project
         # should return an empty list
-        assignments = (
-            self.role_assignments.list_user_project_effective_assignments(
-                self.project['id'], self.user['id']))['role_assignments']
+        params['scope.project.id'] = self.project['id']
+        assignments = self.role_assignments.list_role_assignments(
+            effective=True, **params)['role_assignments']
         self.assertEmpty(assignments)
 
         # List "effective" role assignments from user on the leaf project
         # should return an empty list
-        assignments = (
-            self.role_assignments.list_user_project_effective_assignments(
-                leaf_project['id'], self.user['id']))['role_assignments']
+        params['scope.project.id'] = leaf_project['id']
+        assignments = self.role_assignments.list_role_assignments(
+            effective=True, **params)['role_assignments']
         self.assertEmpty(assignments)
 
     @test.idempotent_id('9f02ccd9-9b57-46b4-8f77-dd5a736f3a06')
@@ -217,9 +218,10 @@ class InheritsV3TestJSON(BaseInheritsV3Test):
             self.project['id'], self.user['id'], src_role['id'])
 
         # List "effective" role assignments from user on the leaf project
-        assignments = (
-            self.role_assignments.list_user_project_effective_assignments(
-                leaf_project['id'], self.user['id']))['role_assignments']
+        params = {'scope.project.id': leaf_project['id'],
+                  'user.id': self.user['id']}
+        assignments = self.role_assignments.list_role_assignments(
+            effective=True, **params)['role_assignments']
         self.assertNotEmpty(assignments)
 
         # Revoke role from parent project
@@ -228,7 +230,6 @@ class InheritsV3TestJSON(BaseInheritsV3Test):
 
         # List "effective" role assignments from user on the leaf project
         # should return an empty list
-        assignments = (
-            self.role_assignments.list_user_project_effective_assignments(
-                leaf_project['id'], self.user['id']))['role_assignments']
+        assignments = self.role_assignments.list_role_assignments(
+            effective=True, **params)['role_assignments']
         self.assertEmpty(assignments)

tempest/lib/services/identity/v3/role_assignments_client.py

@@ -0,0 +1,47 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_serialization import jsonutils as json
+from six.moves.urllib import parse as urllib
+
+from tempest.lib.common import rest_client
+
+
+class RoleAssignmentsClient(rest_client.RestClient):
+    api_version = "v3"
+
+    def list_role_assignments(self, effective=False, **kwargs):
+        """List role assignments.
+
+        For a full list of available parameters, please refer to the official
+        API reference:
+        http://developer.openstack.org/api-ref/identity/v3/?expanded=list-effective-role-assignments-detail
+
+        :param effective: If True, returns the effective assignments, including
+                          any assignments gained by virtue of group membership.
+        """
+        url = 'role_assignments'
+        if kwargs:
+            # NOTE(rodrigods): "effective" is a key-only query parameter and
+            # is treated below.
+            if 'effective' in kwargs:
+                del kwargs['effective']
+            url += '?%s' % urllib.urlencode(kwargs)
+        if effective:
+            url += '&effective'
+
+        resp, body = self.get(url)
+        self.expected_success(200, resp.status)
+        body = json.loads(body)
+        return rest_client.ResponseBody(resp, body)

tempest/services/identity/v3/__init__.py

@@ -22,14 +22,14 @@ from tempest.lib.services.identity.v3.inherited_roles_client import \
 from tempest.lib.services.identity.v3.policies_client import PoliciesClient
 from tempest.lib.services.identity.v3.projects_client import ProjectsClient
 from tempest.lib.services.identity.v3.regions_client import RegionsClient
+from tempest.lib.services.identity.v3.role_assignments_client import \
+    RoleAssignmentsClient
 from tempest.lib.services.identity.v3.roles_client import RolesClient
 from tempest.lib.services.identity.v3.services_client import ServicesClient
 from tempest.lib.services.identity.v3.token_client import V3TokenClient
 from tempest.lib.services.identity.v3.trusts_client import TrustsClient
 from tempest.lib.services.identity.v3.users_client import UsersClient
 from tempest.services.identity.v3.json.domains_client import DomainsClient
-from tempest.services.identity.v3.json.role_assignments_client import \
-    RoleAssignmentsClient
 
 __all__ = ['CredentialsClient', 'EndPointsClient', 'GroupsClient',
            'IdentityClient', 'InheritedRolesClient', 'PoliciesClient',

tempest/services/identity/v3/json/role_assignments_client.py

@@ -1,31 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from oslo_serialization import jsonutils as json
-
-from tempest.lib.common import rest_client
-
-
-class RoleAssignmentsClient(rest_client.RestClient):
-    api_version = "v3"
-
-    def list_user_project_effective_assignments(
-            self, project_id, user_id):
-        """List the effective role assignments for a user in a project."""
-        resp, body = self.get(
-            "role_assignments?scope.project.id=%s&user.id=%s&effective" %
-            (project_id, user_id))
-        self.expected_success(200, resp.status)
-        body = json.loads(body)
-        return rest_client.ResponseBody(resp, body)

tempest/tests/lib/services/identity/v3/test_role_assignments_client.py

@@ -0,0 +1,206 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from tempest.lib.services.identity.v3 import role_assignments_client
+from tempest.tests.lib import fake_auth_provider
+from tempest.tests.lib.services import base
+
+
+class TestRoleAssignmentsClient(base.BaseServiceTest):
+
+    FAKE_USER_ID = "313234"
+    FAKE_GROUP_ID = "101112"
+
+    FAKE_ROLE1_ID = "123456"
+    FAKE_ROLE2_ID = "123457"
+
+    FAKE_PROJECT_ID = "456789"
+    FAKE_DOMAIN_ID = "102030"
+
+    FAKE_USER_PROJECT_ASSIGNMENT = {
+        "links": {
+            "assignment": "http://example.com/identity/v3/projects/"
+                          "%s/users/%s/roles/%s" % (FAKE_PROJECT_ID,
+                                                    FAKE_USER_ID,
+                                                    FAKE_ROLE2_ID)
+        },
+        "role": {
+            "id": FAKE_ROLE2_ID
+        },
+        "scope": {
+            "project": {
+                "id": FAKE_PROJECT_ID
+            }
+        },
+        "user": {
+            "id": FAKE_USER_ID
+        }
+    }
+
+    FAKE_GROUP_PROJECT_ASSIGNMENT = {
+        "links": {
+            "assignment": "http://example.com/identity/v3/projects/"
+                          "%s/groups/%s/roles/%s" % (FAKE_PROJECT_ID,
+                                                     FAKE_GROUP_ID,
+                                                     FAKE_ROLE1_ID)
+        },
+        "role": {
+            "id": FAKE_ROLE1_ID
+        },
+        "scope": {
+            "project": {
+                "id": FAKE_PROJECT_ID
+            }
+        },
+        "group": {
+            "id": FAKE_GROUP_ID
+        }
+    }
+
+    FAKE_USER_PROJECT_EFFECTIVE_ASSIGNMENT = {
+        "links": {
+            "assignment": "http://example.com/identity/v3/projects/"
+                          "%s/groups/%s/roles/%s" % (FAKE_PROJECT_ID,
+                                                     FAKE_GROUP_ID,
+                                                     FAKE_ROLE1_ID),
+            "membership": "http://example.com/identity/v3/groups/"
+                          "%s/users/%s" % (FAKE_GROUP_ID, FAKE_USER_ID)
+        },
+        "role": {
+            "id": FAKE_ROLE1_ID
+        },
+        "scope": {
+            "project": {
+                "id": FAKE_PROJECT_ID
+            }
+        },
+        "user": {
+            "id": FAKE_USER_ID
+        }
+    }
+
+    FAKE_USER_DOMAIN_ASSIGNMENT = {
+        "links": {
+            "assignment": "http://example.com/identity/v3/domains/"
+                          "%s/users/%s/roles/%s" % (FAKE_DOMAIN_ID,
+                                                    FAKE_USER_ID,
+                                                    FAKE_ROLE1_ID)
+        },
+        "role": {
+            "id": FAKE_ROLE1_ID
+        },
+        "scope": {
+            "domain": {
+                "id": FAKE_DOMAIN_ID
+            }
+        },
+        "user": {
+            "id": FAKE_USER_ID
+        }
+    }
+
+    FAKE_GROUP_PROJECT_ASSIGNMENTS = {
+        "role_assignments": [
+            FAKE_GROUP_PROJECT_ASSIGNMENT
+        ],
+        "links": {
+            "self": "http://example.com/identity/v3/role_assignments?"
+                    "scope.project.id=%s&group.id=%s&effective" % (
+                        FAKE_PROJECT_ID, FAKE_GROUP_ID),
+            "previous": None,
+            "next": None
+        }
+    }
+
+    FAKE_USER_PROJECT_EFFECTIVE_ASSIGNMENTS = {
+        "role_assignments": [
+            FAKE_USER_PROJECT_ASSIGNMENT,
+            FAKE_USER_PROJECT_EFFECTIVE_ASSIGNMENT
+        ],
+        "links": {
+            "self": "http://example.com/identity/v3/role_assignments?"
+                    "scope.project.id=%s&user.id=%s&effective" % (
+                        FAKE_PROJECT_ID, FAKE_USER_ID),
+            "previous": None,
+            "next": None
+        }
+    }
+
+    FAKE_USER_DOMAIN_ASSIGNMENTS = {
+        "role_assignments": [
+            FAKE_USER_DOMAIN_ASSIGNMENT
+        ],
+        "links": {
+            "self": "http://example.com/identity/v3/role_assignments?"
+                    "scope.domain.id=%s&user.id=%s&effective" % (
+                        FAKE_DOMAIN_ID, FAKE_USER_ID),
+            "previous": None,
+            "next": None
+        }
+    }
+
+    def setUp(self):
+        super(TestRoleAssignmentsClient, self).setUp()
+        fake_auth = fake_auth_provider.FakeAuthProvider()
+        self.client = role_assignments_client.RoleAssignmentsClient(
+            fake_auth, 'identity', 'regionOne')
+
+    def _test_list_user_project_effective_assignments(self, bytes_body=False):
+        params = {'scope.project.id': self.FAKE_PROJECT_ID,
+                  'user.id': self.FAKE_USER_ID}
+        self.check_service_client_function(
+            self.client.list_role_assignments,
+            'tempest.lib.common.rest_client.RestClient.get',
+            self.FAKE_USER_PROJECT_EFFECTIVE_ASSIGNMENTS,
+            bytes_body,
+            effective=True,
+            **params)
+
+    def test_list_user_project_effective_assignments_with_str_body(self):
+        self._test_list_user_project_effective_assignments()
+
+    def test_list_user_project_effective_assignments_with_bytes_body(self):
+        self._test_list_user_project_effective_assignments(bytes_body=True)
+
+    def _test_list_group_project_assignments(self, bytes_body=False):
+        params = {'scope.project.id': self.FAKE_PROJECT_ID,
+                  'group.id': self.FAKE_GROUP_ID}
+        self.check_service_client_function(
+            self.client.list_role_assignments,
+            'tempest.lib.common.rest_client.RestClient.get',
+            self.FAKE_GROUP_PROJECT_ASSIGNMENTS,
+            bytes_body,
+            **params)
+
+    def test_list_group_project_assignments_with_str_body(self):
+        self._test_list_group_project_assignments()
+
+    def test_list_group_project_assignments_with_bytes_body(self):
+        self._test_list_group_project_assignments(bytes_body=True)
+
+    def _test_list_user_domain_assignments(self, bytes_body=False):
+        params = {'scope.domain.id': self.FAKE_DOMAIN_ID,
+                  'user.id': self.FAKE_USER_ID}
+        self.check_service_client_function(
+            self.client.list_role_assignments,
+            'tempest.lib.common.rest_client.RestClient.get',
+            self.FAKE_GROUP_PROJECT_ASSIGNMENTS,
+            bytes_body,
+            **params)
+
+    def test_list_user_domain_assignments_with_str_body(self):
+        self._test_list_user_domain_assignments()
+
+    def test_list_user_domain_assignments_with_bytes_body(self):
+        self._test_list_user_domain_assignments(bytes_body=True)