openstack
/
tempest
Code Issues Proposed changes
tempest/tempest/api/identity/admin/v2/test_roles_negative.py

289 lines
13 KiB
Python
Raw Blame History

# Copyright 2013 Huawei Technologies Co.,LTD.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from tempest.api.identity import base
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from tempest.lib import exceptions as lib_exc
class RolesNegativeTestJSON(base.BaseIdentityV2AdminTest):
"""Negative tests of keystone roles via v2 API"""
def _get_role_params(self):
user = self.setup_test_user()
tenant = self.tenants_client.show_tenant(user['tenantId'])['tenant']
role = self.setup_test_role()
return (user, tenant, role)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('d5d5f1df-f8ca-4de0-b2ef-259c1cc67025')
def test_list_roles_by_unauthorized_user(self):
"""Test Non-admin user should not be able to list roles via v2 API"""
self.assertRaises(lib_exc.Forbidden,
self.non_admin_roles_client.list_roles)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('11a3c7da-df6c-40c2-abc2-badd682edf9f')
def test_list_roles_request_without_token(self):
"""Test listing roles without a valid token via v2 API should fail"""
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized, self.roles_client.list_roles)
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('c0b89e56-accc-4c73-85f8-9c0f866104c1')
def test_role_create_blank_name(self):
"""Test creating a role with a blank name via v2 API is not allowed"""
self.assertRaises(lib_exc.BadRequest, self.roles_client.create_role,
name='')
@decorators.attr(type=['negative'])
@decorators.idempotent_id('585c8998-a8a4-4641-a5dd-abef7a8ced00')
def test_create_role_by_unauthorized_user(self):
"""Test non-admin user should not be able to create role via v2 API"""
role_name = data_utils.rand_name(name='role')
self.assertRaises(lib_exc.Forbidden,
self.non_admin_roles_client.create_role,
name=role_name)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('a7edd17a-e34a-4aab-8bb7-fa6f498645b8')
def test_create_role_request_without_token(self):
"""Test creating role without a valid token via v2 API should fail"""
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
role_name = data_utils.rand_name(name='role')
self.assertRaises(lib_exc.Unauthorized,
self.roles_client.create_role, name=role_name)
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('c0cde2c8-81c1-4bb0-8fe2-cf615a3547a8')
def test_role_create_duplicate(self):
"""Test role names should be unique via v2 API"""
role_name = data_utils.rand_name(name='role-dup')
body = self.roles_client.create_role(name=role_name)['role']
role1_id = body.get('id')
self.addCleanup(self.roles_client.delete_role, role1_id)
self.assertRaises(lib_exc.Conflict, self.roles_client.create_role,
name=role_name)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('15347635-b5b1-4a87-a280-deb2bd6d865e')
def test_delete_role_by_unauthorized_user(self):
"""Test non-admin user should not be able to delete role via v2 API"""
role_name = data_utils.rand_name(name='role')
body = self.roles_client.create_role(name=role_name)['role']
self.addCleanup(self.roles_client.delete_role, body['id'])
role_id = body.get('id')
self.assertRaises(lib_exc.Forbidden,
self.non_admin_roles_client.delete_role, role_id)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('44b60b20-70de-4dac-beaf-a3fc2650a16b')
def test_delete_role_request_without_token(self):
"""Test deleting role without a valid token via v2 API should fail"""
role_name = data_utils.rand_name(name='role')
body = self.roles_client.create_role(name=role_name)['role']
self.addCleanup(self.roles_client.delete_role, body['id'])
role_id = body.get('id')
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
self.roles_client.delete_role,
role_id)
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('38373691-8551-453a-b074-4260ad8298ef')
def test_delete_role_non_existent(self):
"""Test deleting a non existent role via v2 API should fail"""
non_existent_role = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound, self.roles_client.delete_role,
non_existent_role)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('391df5cf-3ec3-46c9-bbe5-5cb58dd4dc41')
def test_assign_user_role_by_unauthorized_user(self):
"""Test non-admin user assigning a role to user via v2 API
Non-admin user should not be authorized to assign a role to user via
v2 API.
"""
(user, tenant, role) = self._get_role_params()
self.assertRaises(
lib_exc.Forbidden,
self.non_admin_roles_client.create_user_role_on_project,
tenant['id'], user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('f0d2683c-5603-4aee-95d7-21420e87cfd8')
def test_assign_user_role_request_without_token(self):
"""Test assigning a role to a user without a valid token via v2 API
Assigning a role to a user without a valid token via v2 API should
fail.
"""
(user, tenant, role) = self._get_role_params()
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(
lib_exc.Unauthorized,
self.roles_client.create_user_role_on_project, tenant['id'],
user['id'], role['id'])
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('99b297f6-2b5d-47c7-97a9-8b6bb4f91042')
def test_assign_user_role_for_non_existent_role(self):
"""Test assigning a non existent role to user via v2 API
Assigning a non existent role to user via v2 API should fail.
"""
(user, tenant, _) = self._get_role_params()
non_existent_role = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound,
self.roles_client.create_user_role_on_project,
tenant['id'], user['id'], non_existent_role)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('b2285aaa-9e76-4704-93a9-7a8acd0a6c8f')
def test_assign_user_role_for_non_existent_tenant(self):
"""Test assigning a role on a non existent tenant via v2 API
Assigning a role on a non existent tenant via v2 API should fail.
"""
(user, _, role) = self._get_role_params()
non_existent_tenant = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound,
self.roles_client.create_user_role_on_project,
non_existent_tenant, user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('5c3132cd-c4c8-4402-b5ea-71eb44e97793')
def test_assign_duplicate_user_role(self):
"""Test duplicate user role should not get assigned via v2 API"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
self.assertRaises(lib_exc.Conflict,
self.roles_client.create_user_role_on_project,
tenant['id'], user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('d0537987-0977-448f-a435-904c15de7298')
def test_remove_user_role_by_unauthorized_user(self):
"""Test non-admin user removing a user's role via v2 API
Non-admin user should not be authorized to remove a user's role via
v2 API
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
self.assertRaises(
lib_exc.Forbidden,
self.non_admin_roles_client.delete_role_from_user_on_project,
tenant['id'], user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('cac81cf4-c1d2-47dc-90d3-f2b7eb572286')
def test_remove_user_role_request_without_token(self):
"""Test removing a user's role without a valid token via v2 API
Removing a user's role without a valid token via v2 API should fail.
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
self.assertRaises(lib_exc.Unauthorized,
self.roles_client.delete_role_from_user_on_project,
tenant['id'], user['id'], role['id'])
self.client.auth_provider.clear_auth()
@decorators.attr(type=['negative'])
@decorators.idempotent_id('ab32d759-cd16-41f1-a86e-44405fa9f6d2')
def test_remove_user_role_non_existent_role(self):
"""Test deleting a non existent role from a user via v2 API
Deleting a non existent role from a user via v2 API should fail.
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
non_existent_role = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound,
self.roles_client.delete_role_from_user_on_project,
tenant['id'], user['id'], non_existent_role)
@decorators.attr(type=['negative'])
@decorators.idempotent_id('67a679ec-03dd-4551-bbfc-d1c93284f023')
def test_remove_user_role_non_existent_tenant(self):
"""Test removing a role from a non existent tenant via v2 API
Removing a role from a non existent tenant via v2 API should fail.
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
non_existent_tenant = data_utils.rand_uuid_hex()
self.assertRaises(lib_exc.NotFound,
self.roles_client.delete_role_from_user_on_project,
non_existent_tenant, user['id'], role['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('7391ab4c-06f3-477a-a64a-c8e55ce89837')
def test_list_user_roles_by_unauthorized_user(self):
"""Test non-admin user listing a user's roles via v2 API
Non-admin user should not be authorized to list a user's roles via v2
API.
"""
(user, tenant, role) = self._get_role_params()
self.roles_client.create_user_role_on_project(tenant['id'],
user['id'],
role['id'])
self.assertRaises(
lib_exc.Forbidden,
self.non_admin_roles_client.list_user_roles_on_project,
tenant['id'], user['id'])
@decorators.attr(type=['negative'])
@decorators.idempotent_id('682adfb2-fd5f-4b0a-a9ca-322e9bebb907')
def test_list_user_roles_request_without_token(self):
"""Test listing user's roles without a valid token via v2 API
Listing user's roles without a valid token via v2 API should fail
"""
(user, tenant, _) = self._get_role_params()
token = self.client.auth_provider.get_token()
self.client.delete_token(token)
try:
self.assertRaises(lib_exc.Unauthorized,
self.roles_client.list_user_roles_on_project,
tenant['id'],
user['id'])
finally:
self.client.auth_provider.clear_auth()
View Git Blame Copy Permalink