
Source code changes of the file "keystone/tests/protection/v3/test_grants.py" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz


test_grants.py  (keystone-16.0.1):test_grants.py  (keystone-17.0.0)
skipping to change at line 15 skipping to change at line 15
# http://www.apache.org/licenses/LICENSE-2.0 # http://www.apache.org/licenses/LICENSE-2.0
# #
# Unless required by applicable law or agreed to in writing, software # Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import uuid import uuid
import http.client
from oslo_serialization import jsonutils from oslo_serialization import jsonutils
from six.moves import http_client
from keystone.common.policies import grant as gp from keystone.common.policies import grant as gp
from keystone.common import provider_api from keystone.common import provider_api
import keystone.conf import keystone.conf
from keystone.tests.common import auth as common_auth from keystone.tests.common import auth as common_auth
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit import base_classes from keystone.tests.unit import base_classes
from keystone.tests.unit import ksfixtures from keystone.tests.unit import ksfixtures
from keystone.tests.unit.ksfixtures import temporaryfile from keystone.tests.unit.ksfixtures import temporaryfile
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs PROVIDERS = provider_api.ProviderAPIs
class _SystemUserGrantTests(object): class _SystemUserGrantTests(object):
def test_user_can_list_grants_for_user_on_project(self): def test_can_list_grants_for_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 55 skipping to change at line 55
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
r = c.get( r = c.get(
'/v3/projects/%s/users/%s/roles' % (project['id'], user['id']), '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
headers=self.headers headers=self.headers
) )
self.assertEqual(1, len(r.json['roles'])) self.assertEqual(1, len(r.json['roles']))
def test_user_can_list_grants_for_user_on_domain(self): def test_can_list_grants_for_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
r = c.get( r = c.get(
'/v3/domains/%s/users/%s/roles' % (domain['id'], user['id']), '/v3/domains/%s/users/%s/roles' % (domain['id'], user['id']),
headers=self.headers headers=self.headers
) )
self.assertEqual(1, len(r.json['roles'])) self.assertEqual(1, len(r.json['roles']))
def test_user_can_list_grants_for_group_on_project(self): def test_can_list_grants_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 100 skipping to change at line 100
) )
with self.test_client() as c: with self.test_client() as c:
r = c.get( r = c.get(
'/v3/projects/%s/groups/%s/roles' % ( '/v3/projects/%s/groups/%s/roles' % (
project['id'], group['id']), project['id'], group['id']),
headers=self.headers headers=self.headers
) )
self.assertEqual(1, len(r.json['roles'])) self.assertEqual(1, len(r.json['roles']))
def test_user_can_list_grants_for_group_on_domain(self): def test_can_list_grants_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
r = c.get( r = c.get(
'/v3/domains/%s/groups/%s/roles' % (domain['id'], group['id']), '/v3/domains/%s/groups/%s/roles' % (domain['id'], group['id']),
headers=self.headers headers=self.headers
) )
self.assertEqual(1, len(r.json['roles'])) self.assertEqual(1, len(r.json['roles']))
def test_user_can_check_grant_for_user_on_project(self): def test_can_check_grant_for_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 143 skipping to change at line 143
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.NO_CONTENT expected_status_code=http.client.NO_CONTENT
) )
def test_user_can_check_grant_for_user_on_domain(self): def test_can_check_grant_for_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain['id'], user['id'], self.bootstrapper.reader_role_id domain['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.NO_CONTENT expected_status_code=http.client.NO_CONTENT
) )
def test_user_can_check_grant_for_group_on_project(self): def test_can_check_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 193 skipping to change at line 193
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.NO_CONTENT expected_status_code=http.client.NO_CONTENT
) )
def test_user_can_check_grant_for_group_on_domain(self): def test_can_check_grant_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain['id'], group['id'], self.bootstrapper.reader_role_id domain['id'], group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.NO_CONTENT expected_status_code=http.client.NO_CONTENT
) )
class _SystemMemberAndReaderGrantTests(object): class _SystemMemberAndReaderGrantTests(object):
def test_user_cannot_create_grant_for_user_on_project(self): def test_cannot_create_grant_for_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_user_on_domain(self): def test_cannot_create_grant_for_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain['id'], user['id'], self.bootstrapper.reader_role_id domain['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_on_project(self): def test_cannot_create_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_on_domain(self): def test_cannot_create_grant_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain['id'], group['id'], self.bootstrapper.reader_role_id domain['id'], group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_on_project(self): def test_cannot_revoke_grant_from_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 321 skipping to change at line 321
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_on_domain(self): def test_cannot_revoke_grant_from_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain['id'], user['id'], self.bootstrapper.reader_role_id domain['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_on_project(self): def test_cannot_revoke_grant_from_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 371 skipping to change at line 371
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_on_domain(self): def test_cannot_revoke_grant_from_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain['id'], group['id'], self.bootstrapper.reader_role_id domain['id'], group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
class _DomainUserTests(object): class _DomainUserTests(object):
def test_user_can_list_grants_for_user_on_project(self): def test_can_list_grants_for_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
r = c.get( r = c.get(
'/v3/projects/%s/users/%s/roles' % (project['id'], user['id']), '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
headers=self.headers headers=self.headers
) )
self.assertEqual(1, len(r.json['roles'])) self.assertEqual(1, len(r.json['roles']))
def test_user_can_list_grants_for_user_on_domain(self): def test_can_list_grants_for_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=self.domain_id domain_id=self.domain_id
) )
with self.test_client() as c: with self.test_client() as c:
r = c.get( r = c.get(
'/v3/domains/%s/users/%s/roles' % (self.domain_id, user['id']), '/v3/domains/%s/users/%s/roles' % (self.domain_id, user['id']),
headers=self.headers headers=self.headers
) )
self.assertEqual(1, len(r.json['roles'])) self.assertEqual(1, len(r.json['roles']))
def test_user_can_list_grants_for_group_on_project(self): def test_can_list_grants_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
skipping to change at line 459 skipping to change at line 459
) )
with self.test_client() as c: with self.test_client() as c:
r = c.get( r = c.get(
'/v3/projects/%s/groups/%s/roles' % ( '/v3/projects/%s/groups/%s/roles' % (
project['id'], group['id']), project['id'], group['id']),
headers=self.headers headers=self.headers
) )
self.assertEqual(1, len(r.json['roles'])) self.assertEqual(1, len(r.json['roles']))
def test_user_can_list_grants_for_group_on_domain(self): def test_can_list_grants_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=self.domain_id domain_id=self.domain_id
) )
with self.test_client() as c: with self.test_client() as c:
r = c.get( r = c.get(
'/v3/domains/%s/groups/%s/roles' % ( '/v3/domains/%s/groups/%s/roles' % (
self.domain_id, group['id'] self.domain_id, group['id']
), headers=self.headers ), headers=self.headers
) )
self.assertEqual(1, len(r.json['roles'])) self.assertEqual(1, len(r.json['roles']))
def test_user_can_check_grant_for_user_on_project(self): def test_can_check_grant_for_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=self.domain_id domain_id=self.domain_id
) )
) )
skipping to change at line 499 skipping to change at line 499
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.NO_CONTENT expected_status_code=http.client.NO_CONTENT
) )
def test_user_can_check_grant_for_user_on_domain(self): def test_can_check_grant_for_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=self.domain_id domain_id=self.domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
self.domain_id, user['id'], self.domain_id, user['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.NO_CONTENT expected_status_code=http.client.NO_CONTENT
) )
def test_user_can_check_grant_for_group_on_project(self): def test_can_check_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
skipping to change at line 544 skipping to change at line 544
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.NO_CONTENT expected_status_code=http.client.NO_CONTENT
) )
def test_user_can_check_grant_for_group_on_domain(self): def test_can_check_grant_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=self.domain_id domain_id=self.domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
self.domain_id, group['id'], self.domain_id, group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.NO_CONTENT expected_status_code=http.client.NO_CONTENT
) )
def test_user_cannot_list_grants_for_user_other_domain_on_project_own_domain (self): def test_cannot_list_grants_for_user_other_domain_on_project_own_domain(self ): # noqa: E501
user_domain_id = CONF.identity.default_domain_id user_domain_id = CONF.identity.default_domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/users/%s/roles' % (project['id'], user['id']), '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_list_grants_for_user_own_domain_on_project_other_domain (self): def test_cannot_list_grants_for_user_own_domain_on_project_other_domain(self ): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, uuid.uuid4().hex,
unit.new_project_ref(domain_id=project_domain_id) unit.new_project_ref(domain_id=project_domain_id)
skipping to change at line 613 skipping to change at line 613
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/users/%s/roles' % (project['id'], user['id']), '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_list_grants_for_user_own_domain_on_other_domain(self): def test_cannot_list_grants_for_user_own_domain_on_other_domain(self):
user_domain_id = self.domain_id user_domain_id = self.domain_id
domain_id = CONF.identity.default_domain_id domain_id = CONF.identity.default_domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/users/%s/roles' % (domain_id, user['id']), '/v3/domains/%s/users/%s/roles' % (domain_id, user['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_list_grants_for_user_other_domain_on_own_domain(self): def test_cannot_list_grants_for_user_other_domain_on_own_domain(self):
user_domain_id = CONF.identity.default_domain_id user_domain_id = CONF.identity.default_domain_id
domain_id = self.domain_id domain_id = self.domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/users/%s/roles' % (domain_id, user['id']), '/v3/domains/%s/users/%s/roles' % (domain_id, user['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_list_grants_for_group_other_domain_on_project_own_domai n(self): def test_cannot_list_grants_for_group_other_domain_on_project_own_domain(sel f): # noqa: E501
group_domain_id = CONF.identity.default_domain_id group_domain_id = CONF.identity.default_domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
) )
skipping to change at line 678 skipping to change at line 678
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/groups/%s/roles' % ( '/v3/projects/%s/groups/%s/roles' % (
project['id'], group['id']), project['id'], group['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_list_grants_for_group_own_domain_on_project_other_domai n(self): def test_cannot_list_grants_for_group_own_domain_on_project_other_domain(sel f): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, uuid.uuid4().hex,
unit.new_project_ref(domain_id=project_domain_id) unit.new_project_ref(domain_id=project_domain_id)
skipping to change at line 704 skipping to change at line 704
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/groups/%s/roles' % ( '/v3/projects/%s/groups/%s/roles' % (
project['id'], group['id']), project['id'], group['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_list_grants_for_group_own_domain_on_other_domain(self): def test_cannot_list_grants_for_group_own_domain_on_other_domain(self):
group_domain_id = self.domain_id group_domain_id = self.domain_id
domain_id = CONF.identity.default_domain_id domain_id = CONF.identity.default_domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/groups/%s/roles' % ( '/v3/domains/%s/groups/%s/roles' % (
domain_id, group['id']), domain_id, group['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_list_grants_for_group_other_domain_on_own_domain(self): def test_cannot_list_grants_for_group_other_domain_on_own_domain(self):
group_domain_id = CONF.identity.default_domain_id group_domain_id = CONF.identity.default_domain_id
domain_id = self.domain_id domain_id = self.domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/groups/%s/roles' % ( '/v3/domains/%s/groups/%s/roles' % (
domain_id, group['id']), domain_id, group['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_user_other_domain_on_project_own_domain (self): def test_cannot_check_grant_for_user_other_domain_on_project_own_domain(self ): # noqa: E501
user_domain_id = CONF.identity.default_domain_id user_domain_id = CONF.identity.default_domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
) )
skipping to change at line 772 skipping to change at line 772
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], project['id'], user['id'],
self.bootstrapper.reader_role_id), self.bootstrapper.reader_role_id),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_user_own_domain_on_project_other_domain (self): def test_cannot_check_grant_for_user_own_domain_on_project_other_domain(self ): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, uuid.uuid4().hex,
unit.new_project_ref(domain_id=project_domain_id) unit.new_project_ref(domain_id=project_domain_id)
skipping to change at line 799 skipping to change at line 799
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], project['id'], user['id'],
self.bootstrapper.reader_role_id), self.bootstrapper.reader_role_id),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_user_own_domain_on_project_own_domain_w ith_role_other_domain(self): def test_cannot_check_grant_for_user_own_domain_on_project_own_domain_with_r ole_other_domain(self): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id)) uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
skipping to change at line 830 skipping to change at line 830
# for a project in a different domain, so we don't try to create it, # for a project in a different domain, so we don't try to create it,
# but we still need to test that checking the role results in a 403 and # but we still need to test that checking the role results in a 403 and
# not a 404 # not a 404
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], project['id'], user['id'],
role['id']), role['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_user_own_domain_on_other_domain(self): def test_cannot_check_grant_for_user_own_domain_on_other_domain(self):
user_domain_id = self.domain_id user_domain_id = self.domain_id
domain_id = CONF.identity.default_domain_id domain_id = CONF.identity.default_domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], domain_id, user['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_user_other_domain_on_own_domain(self): def test_cannot_check_grant_for_user_other_domain_on_own_domain(self):
user_domain_id = CONF.identity.default_domain_id user_domain_id = CONF.identity.default_domain_id
domain_id = self.domain_id domain_id = self.domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], domain_id, user['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_user_own_domain_on_own_domain_with_role _other_domain(self): def test_cannot_check_grant_for_user_own_domain_on_own_domain_with_role_othe r_domain(self): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
domain_id = self.domain_id domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, uuid.uuid4().hex,
unit.new_role_ref(domain_id=role_domain_id)) unit.new_role_ref(domain_id=role_domain_id))
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
skipping to change at line 904 skipping to change at line 904
# but we still need to test that checking the role results in a 403 and # but we still need to test that checking the role results in a 403 and
# not a 404 # not a 404
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], domain_id, user['id'],
role['id'] role['id']
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_group_other_domain_on_project_own_domai n(self): def test_cannot_check_grant_for_group_other_domain_on_project_own_domain(sel f): # noqa: E501
group_domain_id = CONF.identity.default_domain_id group_domain_id = CONF.identity.default_domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
) )
skipping to change at line 930 skipping to change at line 930
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], group['id'], project['id'], group['id'],
self.bootstrapper.reader_role_id), self.bootstrapper.reader_role_id),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_group_own_domain_on_project_other_domai n(self): def test_cannot_check_grant_for_group_own_domain_on_project_other_domain(sel f): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
) )
skipping to change at line 956 skipping to change at line 956
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], group['id'], project['id'], group['id'],
self.bootstrapper.reader_role_id), self.bootstrapper.reader_role_id),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_group_own_domain_on_project_own_domain_ with_role_other_domain(self): def test_cannot_check_grant_for_group_own_domain_on_project_own_domain_with_ role_other_domain(self): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, uuid.uuid4().hex,
unit.new_role_ref(domain_id=role_domain_id)) unit.new_role_ref(domain_id=role_domain_id))
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
skipping to change at line 987 skipping to change at line 987
# for a project in a different domain, so we don't try to create it, # for a project in a different domain, so we don't try to create it,
# but we still need to test that checking the role results in a 403 and # but we still need to test that checking the role results in a 403 and
# not a 404 # not a 404
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], group['id'], project['id'], group['id'],
role['id']), role['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_group_own_domain_on_other_domain(self): def test_cannot_check_grant_for_group_own_domain_on_other_domain(self):
group_domain_id = self.domain_id group_domain_id = self.domain_id
domain_id = CONF.identity.default_domain_id domain_id = CONF.identity.default_domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], domain_id, group['id'],
self.bootstrapper.reader_role_id), self.bootstrapper.reader_role_id),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_group_other_domain_on_own_domain(self): def test_cannot_check_grant_for_group_other_domain_on_own_domain(self):
group_domain_id = CONF.identity.default_domain_id group_domain_id = CONF.identity.default_domain_id
domain_id = self.domain_id domain_id = self.domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], domain_id, group['id'],
self.bootstrapper.reader_role_id), self.bootstrapper.reader_role_id),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_check_grant_for_group_own_domain_on_own_domain_with_rol e_other_domain(self): def test_cannot_check_grant_for_group_own_domain_on_own_domain_with_role_oth er_domain(self): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
domain_id = self.domain_id domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_re role = PROVIDERS.role_api.create_role(
f(domain_id=role_domain_id)) uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
# NOTE(cmurphy) the grant for a domain-specific role cannot be created # NOTE(cmurphy) the grant for a domain-specific role cannot be created
# for a project in a different domain, so we don't try to create it, # for a project in a different domain, so we don't try to create it,
# but we still need to test that checking the role results in a 403 and # but we still need to test that checking the role results in a 403 and
# not a 404 # not a 404
with self.test_client() as c: with self.test_client() as c:
c.get( c.get(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], domain_id, group['id'],
role['id']), role['id']),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_user_other_domain_on_project_own_domai n(self): def test_cannot_create_grant_for_user_other_domain_on_project_own_domain(sel f): # noqa: E501
user_domain_id = CONF.identity.default_domain_id user_domain_id = CONF.identity.default_domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
) )
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_user_own_domain_on_project_other_domai n(self): def test_cannot_create_grant_for_user_own_domain_on_project_other_domain(sel f): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
) )
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_cannot_create_grant_for_user_own_domain_on_project_own_domain_with_ role_other_domain(self): def test_cannot_create_grant_for_user_own_domain_on_project_own_domain_with_ role_other_domain(self): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id)) uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
skipping to change at line 1128 skipping to change at line 1129
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
) )
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], role['id'] project['id'], user['id'], role['id']
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_user_other_domain_on_own_domain(self): def test_cannot_create_grant_for_user_other_domain_on_own_domain(self):
user_domain_id = CONF.identity.default_domain_id user_domain_id = CONF.identity.default_domain_id
domain_id = self.domain_id domain_id = self.domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], self.bootstrapper.reader_role_id domain_id, user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_user_own_domain_on_other_domain(self): def test_cannot_create_grant_for_user_own_domain_on_other_domain(self):
user_domain_id = self.domain_id user_domain_id = self.domain_id
domain_id = CONF.identity.default_domain_id domain_id = CONF.identity.default_domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], self.bootstrapper.reader_role_id domain_id, user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_cannot_create_grant_for_user_own_domain_on_own_domain_with_role_oth er_domain(self): def test_cannot_create_grant_for_user_own_domain_on_own_domain_with_role_oth er_domain(self): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
domain_id = self.domain_id domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id)) uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], role['id'] domain_id, user['id'], role['id']
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_other_domain_on_project_own_doma in(self): def test_cannot_create_grant_for_group_other_domain_on_project_own_domain(se lf): # noqa: E501
group_domain_id = CONF.identity.default_domain_id group_domain_id = CONF.identity.default_domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
skipping to change at line 1208 skipping to change at line 1209
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_own_domain_on_project_other_doma in(self): def test_cannot_create_grant_for_group_own_domain_on_project_other_domain(se lf): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
skipping to change at line 1233 skipping to change at line 1234
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_cannot_create_grant_for_group_own_domain_on_project_own_domain_with _role_other_domain(self): def test_cannot_create_grant_for_group_own_domain_on_project_own_domain_with _role_other_domain(self): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id)) uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
skipping to change at line 1262 skipping to change at line 1263
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
role['id'] role['id']
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_other_domain_on_own_domain(self) : def test_cannot_create_grant_for_group_other_domain_on_own_domain(self):
group_domain_id = CONF.identity.default_domain_id group_domain_id = CONF.identity.default_domain_id
domain_id = self.domain_id domain_id = self.domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], self.bootstrapper.reader_role_id domain_id, group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_own_domain_on_other_domain(self) : def test_cannot_create_grant_for_group_own_domain_on_other_domain(self):
group_domain_id = self.domain_id group_domain_id = self.domain_id
domain_id = CONF.identity.default_domain_id domain_id = CONF.identity.default_domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], self.bootstrapper.reader_role_id domain_id, group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_own_domain_on_own_domain_with_ro le_other_domain(self): def test_cannot_create_grant_for_group_own_domain_on_own_domain_with_role_ot her_domain(self): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
domain_id = self.domain_id domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id)) uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], role['id'] domain_id, group['id'], role['id']
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_other_domain_on_project_own_doma in(self): def test_cannot_revoke_grant_from_user_other_domain_on_project_own_domain(se lf): # noqa: E501
user_domain_id = CONF.identity.default_domain_id user_domain_id = CONF.identity.default_domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
skipping to change at line 1345 skipping to change at line 1346
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_own_domain_on_project_other_doma in(self): def test_cannot_revoke_grant_from_user_own_domain_on_project_other_domain(se lf): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
skipping to change at line 1373 skipping to change at line 1374
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_other_domain_on_own_domain(self) : def test_cannot_revoke_grant_from_user_other_domain_on_own_domain(self):
user_domain_id = CONF.identity.default_domain_id user_domain_id = CONF.identity.default_domain_id
domain_id = self.domain_id domain_id = self.domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], self.bootstrapper.reader_role_id domain_id, user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_own_domain_on_other_domain(self) : def test_cannot_revoke_grant_from_user_own_domain_on_other_domain(self):
user_domain_id = self.domain_id user_domain_id = self.domain_id
domain_id = CONF.identity.default_domain_id domain_id = CONF.identity.default_domain_id
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], self.bootstrapper.reader_role_id domain_id, user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_own_domain_on_own_domain_with_ro le_other_domain(self): def test_cannot_revoke_grant_from_user_own_domain_on_own_domain_with_role_ot her_domain(self): # noqa: E501
user_domain_id = self.domain_id user_domain_id = self.domain_id
domain_id = self.domain_id domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id)) uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=user_domain_id) unit.new_user_ref(domain_id=user_domain_id)
) )
skipping to change at line 1443 skipping to change at line 1444
role['id'], user_id=user['id'], role['id'], user_id=user['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain_id, user['id'], role['id'] domain_id, user['id'], role['id']
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_other_domain_on_project_own_dom ain(self): def test_cannot_revoke_grant_from_group_other_domain_on_project_own_domain(s elf): # noqa: E501
group_domain_id = CONF.identity.default_domain_id group_domain_id = CONF.identity.default_domain_id
project_domain_id = self.domain_id project_domain_id = self.domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
skipping to change at line 1473 skipping to change at line 1474
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_own_domain_on_project_other_dom ain(self): def test_cannot_revoke_grant_from_group_own_domain_on_project_other_domain(s elf): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
project_domain_id = CONF.identity.default_domain_id project_domain_id = CONF.identity.default_domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=project_domain_id domain_id=project_domain_id
skipping to change at line 1503 skipping to change at line 1504
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_other_domain_on_own_domain(self ): def test_cannot_revoke_grant_from_group_other_domain_on_own_domain(self):
group_domain_id = CONF.identity.default_domain_id group_domain_id = CONF.identity.default_domain_id
domain_id = self.domain_id domain_id = self.domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], self.bootstrapper.reader_role_id domain_id, group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_own_domain_on_other_domain(self ): def test_cannot_revoke_grant_from_group_own_domain_on_other_domain(self):
group_domain_id = self.domain_id group_domain_id = self.domain_id
domain_id = CONF.identity.default_domain_id domain_id = CONF.identity.default_domain_id
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], self.bootstrapper.reader_role_id domain_id, group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_own_domain_on_own_domain_with_r ole_other_domain(self): def test_cannot_revoke_grant_from_group_own_domain_on_own_domain_with_role_o ther_domain(self): # noqa: E501
group_domain_id = self.domain_id group_domain_id = self.domain_id
domain_id = self.domain_id domain_id = self.domain_id
role_domain_id = CONF.identity.default_domain_id role_domain_id = CONF.identity.default_domain_id
role = PROVIDERS.role_api.create_role( role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, uuid.uuid4().hex,
unit.new_role_ref(domain_id=role_domain_id)) unit.new_role_ref(domain_id=role_domain_id))
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=group_domain_id) unit.new_group_ref(domain_id=group_domain_id)
skipping to change at line 1574 skipping to change at line 1575
role['id'], group_id=group['id'], role['id'], group_id=group['id'],
domain_id=domain_id domain_id=domain_id
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain_id, group['id'], role['id'] domain_id, group['id'], role['id']
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
class SystemReaderTests(base_classes.TestCaseWithBootstrap, class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin, common_auth.AuthTestMixin,
_SystemUserGrantTests, _SystemUserGrantTests,
_SystemMemberAndReaderGrantTests): _SystemMemberAndReaderGrantTests):
def setUp(self): def setUp(self):
super(SystemReaderTests, self).setUp() super(SystemReaderTests, self).setUp()
self.loadapp() self.loadapp()
skipping to change at line 1667 skipping to change at line 1668
system=True system=True
) )
# Grab a token using the persona we're testing and prepare headers # Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests. # for requests we'll be making in the tests.
with self.test_client() as c: with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth) r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token'] self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id} self.headers = {'X-Auth-Token': self.token_id}
def test_user_can_create_grant_for_user_on_project(self): def test_can_create_grant_for_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_create_grant_for_user_on_domain(self): def test_can_create_grant_for_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain['id'], user['id'], self.bootstrapper.reader_role_id domain['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_create_grant_for_group_on_project(self): def test_can_create_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_create_grant_for_group_on_domain(self): def test_can_create_grant_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain['id'], group['id'], self.bootstrapper.reader_role_id domain['id'], group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_revoke_grant_from_user_on_project(self): def test_can_revoke_grant_from_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 1765 skipping to change at line 1766
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_revoke_grant_from_user_on_domain(self): def test_can_revoke_grant_from_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id) unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
skipping to change at line 1787 skipping to change at line 1788
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain['id'], user['id'], self.bootstrapper.reader_role_id domain['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_revoke_grant_from_group_on_project(self): def test_can_revoke_grant_from_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 1813 skipping to change at line 1814
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_revoke_grant_from_group_on_domain(self): def test_can_revoke_grant_from_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
skipping to change at line 1837 skipping to change at line 1838
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain['id'], group['id'], self.bootstrapper.reader_role_id domain['id'], group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
class _DomainMemberAndReaderTests(object): class _DomainMemberAndReaderTests(object):
def test_user_cannot_create_grant_for_user_on_project(self): def test_cannot_create_grant_for_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_user_on_domain(self): def test_cannot_create_grant_for_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain['id'], user['id'], self.bootstrapper.reader_role_id domain['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_on_project(self): def test_cannot_create_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_create_grant_for_group_on_domain(self): def test_cannot_create_grant_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain['id'], group['id'], self.bootstrapper.reader_role_id domain['id'], group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_on_project(self): def test_cannot_revoke_grant_from_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
project_id=project['id'] project_id=project['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_user_on_domain(self): def test_cannot_revoke_grant_from_user_on_domain(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/users/%s/roles/%s' % ( '/v3/domains/%s/users/%s/roles/%s' % (
domain['id'], user['id'], self.bootstrapper.reader_role_id domain['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_on_project(self): def test_cannot_revoke_grant_from_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref( uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id domain_id=CONF.identity.default_domain_id
) )
) )
skipping to change at line 1983 skipping to change at line 1984
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
def test_user_cannot_revoke_grant_from_group_on_domain(self): def test_cannot_revoke_grant_from_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain['id'], group['id'], self.bootstrapper.reader_role_id domain['id'], group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
class DomainReaderTests(base_classes.TestCaseWithBootstrap, class DomainReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin, common_auth.AuthTestMixin,
_DomainUserTests, _DomainUserTests,
_DomainMemberAndReaderTests): _DomainMemberAndReaderTests):
def setUp(self): def setUp(self):
super(DomainReaderTests, self).setUp() super(DomainReaderTests, self).setUp()
self.loadapp() self.loadapp()
skipping to change at line 2135 skipping to change at line 2136
# broken behavior with better scope checking. # broken behavior with better scope checking.
with open(self.policy_file_name, 'w') as f: with open(self.policy_file_name, 'w') as f:
overridden_policies = { overridden_policies = {
'identity:list_grants': gp.SYSTEM_READER_OR_DOMAIN_READER_LIST, 'identity:list_grants': gp.SYSTEM_READER_OR_DOMAIN_READER_LIST,
'identity:check_grant': gp.SYSTEM_READER_OR_DOMAIN_READER, 'identity:check_grant': gp.SYSTEM_READER_OR_DOMAIN_READER,
'identity:create_grant': gp.SYSTEM_ADMIN_OR_DOMAIN_ADMIN, 'identity:create_grant': gp.SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
'identity:revoke_grant': gp.SYSTEM_ADMIN_OR_DOMAIN_ADMIN 'identity:revoke_grant': gp.SYSTEM_ADMIN_OR_DOMAIN_ADMIN
} }
f.write(jsonutils.dumps(overridden_policies)) f.write(jsonutils.dumps(overridden_policies))
def test_user_can_create_grant_for_user_on_project(self): def test_can_create_grant_for_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_create_grant_for_group_on_project(self): def test_can_create_grant_for_user_own_domain_on_own_domain(self):
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id)
)
with self.test_client() as c:
c.put(
'/v3/domains/%s/users/%s/roles/%s' % (
self.domain_id, user['id'],
self.bootstrapper.reader_role_id
),
headers=self.headers
)
def test_can_create_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
with self.test_client() as c: with self.test_client() as c:
c.put( c.put(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_revoke_grant_from_user_on_project(self): def test_can_create_grant_for_group_own_domain_on_own_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
with self.test_client() as c:
c.put(
'/v3/domains/%s/groups/%s/roles/%s' % (
self.domain_id, group['id'],
self.bootstrapper.reader_role_id
),
headers=self.headers
)
def test_can_revoke_grant_from_user_on_project(self):
user = PROVIDERS.identity_api.create_user( user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id) unit.new_user_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, user_id=user['id'], self.bootstrapper.reader_role_id, user_id=user['id'],
skipping to change at line 2193 skipping to change at line 2222
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/users/%s/roles/%s' % ( '/v3/projects/%s/users/%s/roles/%s' % (
project['id'], user['id'], self.bootstrapper.reader_role_id project['id'], user['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_can_revoke_grant_from_group_on_project(self): def test_can_revoke_grant_from_group_on_project(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id) unit.new_group_ref(domain_id=self.domain_id)
) )
project = PROVIDERS.resource_api.create_project( project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id) uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
skipping to change at line 2217 skipping to change at line 2246
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/projects/%s/groups/%s/roles/%s' % ( '/v3/projects/%s/groups/%s/roles/%s' % (
project['id'], project['id'],
group['id'], group['id'],
self.bootstrapper.reader_role_id self.bootstrapper.reader_role_id
), ),
headers=self.headers headers=self.headers
) )
def test_user_cannot_revoke_grant_from_group_on_domain(self): def test_cannot_revoke_grant_from_group_on_domain(self):
group = PROVIDERS.identity_api.create_group( group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id) unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
) )
domain = PROVIDERS.resource_api.create_domain( domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref() uuid.uuid4().hex, unit.new_domain_ref()
) )
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'], self.bootstrapper.reader_role_id, group_id=group['id'],
domain_id=domain['id'] domain_id=domain['id']
) )
with self.test_client() as c: with self.test_client() as c:
c.delete( c.delete(
'/v3/domains/%s/groups/%s/roles/%s' % ( '/v3/domains/%s/groups/%s/roles/%s' % (
domain['id'], group['id'], self.bootstrapper.reader_role_id domain['id'], group['id'], self.bootstrapper.reader_role_id
), ),
headers=self.headers, headers=self.headers,
expected_status_code=http_client.FORBIDDEN expected_status_code=http.client.FORBIDDEN
) )
 End of changes. 157 change blocks. 
157 lines changed or deleted 185 lines changed or added
