
Source code changes of the file "keystone/tests/unit/test_v3_assignment.py" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

test_v3_assignment.py  (keystone-16.0.1):test_v3_assignment.py  (keystone-17.0.0)
skipping to change at line 18 skipping to change at line 18
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
import datetime import datetime
import random import random
import uuid import uuid
import freezegun import freezegun
from six.moves import http_client import http.client
from six.moves import range
from testtools import matchers from testtools import matchers
from keystone.common import provider_api from keystone.common import provider_api
import keystone.conf import keystone.conf
from keystone import exception from keystone import exception
from keystone.resource.backends import base as resource_base from keystone.resource.backends import base as resource_base
from keystone.tests import unit from keystone.tests import unit
from keystone.tests.unit import test_v3 from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils from keystone.tests.unit import utils as test_utils
skipping to change at line 88 skipping to change at line 87
"""Call ``POST /roles``.""" """Call ``POST /roles``."""
ref = unit.new_role_ref() ref = unit.new_role_ref()
r = self.post( r = self.post(
'/roles', '/roles',
body={'role': ref}) body={'role': ref})
return self.assertValidRoleResponse(r, ref) return self.assertValidRoleResponse(r, ref)
def test_create_role_bad_request(self): def test_create_role_bad_request(self):
"""Call ``POST /roles``.""" """Call ``POST /roles``."""
self.post('/roles', body={'role': {}}, self.post('/roles', body={'role': {}},
expected_status=http_client.BAD_REQUEST) expected_status=http.client.BAD_REQUEST)
def test_list_head_roles(self): def test_list_head_roles(self):
"""Call ``GET & HEAD /roles``.""" """Call ``GET & HEAD /roles``."""
resource_url = '/roles' resource_url = '/roles'
r = self.get(resource_url) r = self.get(resource_url)
self.assertValidRoleListResponse(r, ref=self.role, self.assertValidRoleListResponse(r, ref=self.role,
resource_url=resource_url) resource_url=resource_url)
self.head(resource_url, expected_status=http_client.OK) self.head(resource_url, expected_status=http.client.OK)
def test_get_head_role(self): def test_get_head_role(self):
"""Call ``GET & HEAD /roles/{role_id}``.""" """Call ``GET & HEAD /roles/{role_id}``."""
resource_url = '/roles/%(role_id)s' % { resource_url = '/roles/%(role_id)s' % {
'role_id': self.role_id} 'role_id': self.role_id}
r = self.get(resource_url) r = self.get(resource_url)
self.assertValidRoleResponse(r, self.role) self.assertValidRoleResponse(r, self.role)
self.head(resource_url, expected_status=http_client.OK) self.head(resource_url, expected_status=http.client.OK)
def test_update_role(self): def test_update_role(self):
"""Call ``PATCH /roles/{role_id}``.""" """Call ``PATCH /roles/{role_id}``."""
ref = unit.new_role_ref() ref = unit.new_role_ref()
del ref['id'] del ref['id']
r = self.patch('/roles/%(role_id)s' % { r = self.patch('/roles/%(role_id)s' % {
'role_id': self.role_id}, 'role_id': self.role_id},
body={'role': ref}) body={'role': ref})
self.assertValidRoleResponse(r, ref) self.assertValidRoleResponse(r, ref)
skipping to change at line 141 skipping to change at line 140
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': role['id']} 'role_id': role['id']}
# There is a role assignment for self.user on self.project # There is a role assignment for self.user on self.project
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=self.role, self.assertValidRoleListResponse(r, ref=self.role,
expected_length=1) expected_length=1)
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=role, self.assertValidRoleListResponse(r, ref=role,
resource_url=collection_url, resource_url=collection_url,
expected_length=2) expected_length=2)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.delete(member_url) self.delete(member_url)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=self.role, expected_length=1) self.assertValidRoleListResponse(r, ref=self.role, expected_length=1)
self.assertIn(collection_url, r.result['links']['self']) self.assertIn(collection_url, r.result['links']['self'])
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
def test_crud_user_project_role_grants_no_user(self): def test_crud_user_project_role_grants_no_user(self):
"""Grant role on a project to a user that doesn't exist. """Grant role on a project to a user that doesn't exist.
When grant a role on a project to a user that doesn't exist, the server When grant a role on a project to a user that doesn't exist, the server
returns Not Found for the user. returns Not Found for the user.
""" """
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
collection_url = ( collection_url = (
'/projects/%(project_id)s/users/%(user_id)s/roles' % { '/projects/%(project_id)s/users/%(user_id)s/roles' % {
'project_id': self.project['id'], 'user_id': user_id}) 'project_id': self.project['id'], 'user_id': user_id})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url, expected_status=http_client.NOT_FOUND) self.put(member_url, expected_status=http.client.NOT_FOUND)
self.head(member_url, expected_status=http_client.NOT_FOUND) self.head(member_url, expected_status=http.client.NOT_FOUND)
self.get(member_url, expected_status=http_client.NOT_FOUND) self.get(member_url, expected_status=http.client.NOT_FOUND)
def test_crud_user_domain_role_grants(self): def test_crud_user_domain_role_grants(self):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
collection_url = ( collection_url = (
'/domains/%(domain_id)s/users/%(user_id)s/roles' % { '/domains/%(domain_id)s/users/%(user_id)s/roles' % {
'domain_id': self.domain_id, 'domain_id': self.domain_id,
'user_id': self.user['id']}) 'user_id': self.user['id']})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=self.role, self.assertValidRoleListResponse(r, ref=self.role,
resource_url=collection_url) resource_url=collection_url)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.delete(member_url) self.delete(member_url)
# NOTE(lbragstad): Make sure we wait a second before we ask for the # NOTE(lbragstad): Make sure we wait a second before we ask for the
# roles. This ensures the token we use isn't considered revoked # roles. This ensures the token we use isn't considered revoked
# because it was issued within the same second as a revocation # because it was issued within the same second as a revocation
# event. # event.
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, expected_length=0, self.assertValidRoleListResponse(r, expected_length=0,
resource_url=collection_url) resource_url=collection_url)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
def test_crud_user_domain_role_grants_no_user(self): def test_crud_user_domain_role_grants_no_user(self):
"""Grant role on a domain to a user that doesn't exist. """Grant role on a domain to a user that doesn't exist.
When grant a role on a domain to a user that doesn't exist, the server When grant a role on a domain to a user that doesn't exist, the server
returns 404 Not Found for the user. returns 404 Not Found for the user.
""" """
user_id = uuid.uuid4().hex user_id = uuid.uuid4().hex
collection_url = ( collection_url = (
'/domains/%(domain_id)s/users/%(user_id)s/roles' % { '/domains/%(domain_id)s/users/%(user_id)s/roles' % {
'domain_id': self.domain_id, 'user_id': user_id}) 'domain_id': self.domain_id, 'user_id': user_id})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url, expected_status=http_client.NOT_FOUND) self.put(member_url, expected_status=http.client.NOT_FOUND)
self.head(member_url, expected_status=http_client.NOT_FOUND) self.head(member_url, expected_status=http.client.NOT_FOUND)
self.get(member_url, expected_status=http_client.NOT_FOUND) self.get(member_url, expected_status=http.client.NOT_FOUND)
def test_crud_group_project_role_grants(self): def test_crud_group_project_role_grants(self):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
collection_url = ( collection_url = (
'/projects/%(project_id)s/groups/%(group_id)s/roles' % { '/projects/%(project_id)s/groups/%(group_id)s/roles' % {
'project_id': self.project_id, 'project_id': self.project_id,
'group_id': self.group_id}) 'group_id': self.group_id})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=self.role, self.assertValidRoleListResponse(r, ref=self.role,
resource_url=collection_url) resource_url=collection_url)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.delete(member_url) self.delete(member_url)
# NOTE(lbragstad): Make sure we wait a second before we ask for the # NOTE(lbragstad): Make sure we wait a second before we ask for the
# roles. This ensures the token we use isn't considered revoked # roles. This ensures the token we use isn't considered revoked
# because it was issued within the same second as a revocation # because it was issued within the same second as a revocation
# event. # event.
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, expected_length=0, self.assertValidRoleListResponse(r, expected_length=0,
resource_url=collection_url) resource_url=collection_url)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
def test_crud_group_project_role_grants_no_group(self): def test_crud_group_project_role_grants_no_group(self):
"""Grant role on a project to a group that doesn't exist. """Grant role on a project to a group that doesn't exist.
When grant a role on a project to a group that doesn't exist, the When grant a role on a project to a group that doesn't exist, the
server returns 404 Not Found for the group. server returns 404 Not Found for the group.
""" """
group_id = uuid.uuid4().hex group_id = uuid.uuid4().hex
collection_url = ( collection_url = (
'/projects/%(project_id)s/groups/%(group_id)s/roles' % { '/projects/%(project_id)s/groups/%(group_id)s/roles' % {
'project_id': self.project_id, 'project_id': self.project_id,
'group_id': group_id}) 'group_id': group_id})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url, expected_status=http_client.NOT_FOUND) self.put(member_url, expected_status=http.client.NOT_FOUND)
self.head(member_url, expected_status=http_client.NOT_FOUND) self.head(member_url, expected_status=http.client.NOT_FOUND)
self.get(member_url, expected_status=http_client.NOT_FOUND) self.get(member_url, expected_status=http.client.NOT_FOUND)
def test_crud_group_domain_role_grants(self): def test_crud_group_domain_role_grants(self):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
collection_url = ( collection_url = (
'/domains/%(domain_id)s/groups/%(group_id)s/roles' % { '/domains/%(domain_id)s/groups/%(group_id)s/roles' % {
'domain_id': self.domain_id, 'domain_id': self.domain_id,
'group_id': self.group_id}) 'group_id': self.group_id})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=self.role, self.assertValidRoleListResponse(r, ref=self.role,
resource_url=collection_url) resource_url=collection_url)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.delete(member_url) self.delete(member_url)
# NOTE(lbragstad): Make sure we wait a second before we ask for the # NOTE(lbragstad): Make sure we wait a second before we ask for the
# roles. This ensures the token we use isn't considered revoked # roles. This ensures the token we use isn't considered revoked
# because it was issued within the same second as a revocation # because it was issued within the same second as a revocation
# event. # event.
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, expected_length=0, self.assertValidRoleListResponse(r, expected_length=0,
resource_url=collection_url) resource_url=collection_url)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
def test_crud_group_domain_role_grants_no_group(self): def test_crud_group_domain_role_grants_no_group(self):
"""Grant role on a domain to a group that doesn't exist. """Grant role on a domain to a group that doesn't exist.
When grant a role on a domain to a group that doesn't exist, the server When grant a role on a domain to a group that doesn't exist, the server
returns 404 Not Found for the group. returns 404 Not Found for the group.
""" """
group_id = uuid.uuid4().hex group_id = uuid.uuid4().hex
collection_url = ( collection_url = (
'/domains/%(domain_id)s/groups/%(group_id)s/roles' % { '/domains/%(domain_id)s/groups/%(group_id)s/roles' % {
'domain_id': self.domain_id, 'domain_id': self.domain_id,
'group_id': group_id}) 'group_id': group_id})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
self.put(member_url, expected_status=http_client.NOT_FOUND) self.put(member_url, expected_status=http.client.NOT_FOUND)
self.head(member_url, expected_status=http_client.NOT_FOUND) self.head(member_url, expected_status=http.client.NOT_FOUND)
self.get(member_url, expected_status=http_client.NOT_FOUND) self.get(member_url, expected_status=http.client.NOT_FOUND)
def _create_new_user_and_assign_role_on_project(self): def _create_new_user_and_assign_role_on_project(self):
"""Create a new user and assign user a role on a project.""" """Create a new user and assign user a role on a project."""
# Create a new user # Create a new user
new_user = unit.new_user_ref(domain_id=self.domain_id) new_user = unit.new_user_ref(domain_id=self.domain_id)
user_ref = PROVIDERS.identity_api.create_user(new_user) user_ref = PROVIDERS.identity_api.create_user(new_user)
# Assign the user a role on the project # Assign the user a role on the project
collection_url = ( collection_url = (
'/projects/%(project_id)s/users/%(user_id)s/roles' % { '/projects/%(project_id)s/users/%(user_id)s/roles' % {
'project_id': self.project_id, 'project_id': self.project_id,
'user_id': user_ref['id']}) 'user_id': user_ref['id']})
member_url = ('%(collection_url)s/%(role_id)s' % { member_url = ('%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id}) 'role_id': self.role_id})
self.put(member_url) self.put(member_url)
# Check the user has the role assigned # Check the user has the role assigned
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
return member_url, user_ref return member_url, user_ref
def test_delete_user_before_removing_role_assignment_succeeds(self): def test_delete_user_before_removing_role_assignment_succeeds(self):
"""Call ``DELETE`` on the user before the role assignment.""" """Call ``DELETE`` on the user before the role assignment."""
member_url, user = self._create_new_user_and_assign_role_on_project() member_url, user = self._create_new_user_and_assign_role_on_project()
# Delete the user from identity backend # Delete the user from identity backend
PROVIDERS.identity_api.driver.delete_user(user['id']) PROVIDERS.identity_api.driver.delete_user(user['id'])
# Clean up the role assignment # Clean up the role assignment
self.delete(member_url) self.delete(member_url)
# Make sure the role is gone # Make sure the role is gone
self.head(member_url, expected_status=http_client.NOT_FOUND) self.head(member_url, expected_status=http.client.NOT_FOUND)
def test_delete_group_before_removing_role_assignment_succeeds(self): def test_delete_group_before_removing_role_assignment_succeeds(self):
# Disable the cache so that we perform a fresh check of the identity # Disable the cache so that we perform a fresh check of the identity
# backend when attempting to remove the role assignment. # backend when attempting to remove the role assignment.
self.config_fixture.config(group='cache', enabled=False) self.config_fixture.config(group='cache', enabled=False)
# Create a new group # Create a new group
group = unit.new_group_ref(domain_id=self.domain_id) group = unit.new_group_ref(domain_id=self.domain_id)
group_ref = PROVIDERS.identity_api.create_group(group) group_ref = PROVIDERS.identity_api.create_group(group)
skipping to change at line 376 skipping to change at line 375
'/projects/%(project_id)s/groups/%(group_id)s/roles' % { '/projects/%(project_id)s/groups/%(group_id)s/roles' % {
'project_id': self.project_id, 'project_id': self.project_id,
'group_id': group_ref['id']}) 'group_id': group_ref['id']})
member_url = ('%(collection_url)s/%(role_id)s' % { member_url = ('%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id}) 'role_id': self.role_id})
self.put(member_url) self.put(member_url)
# Check the user has the role assigned # Check the user has the role assigned
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
# Simulate removing the group via LDAP by directly removing it from the # Simulate removing the group via LDAP by directly removing it from the
# identity backend. # identity backend.
PROVIDERS.identity_api.driver.delete_group(group_ref['id']) PROVIDERS.identity_api.driver.delete_group(group_ref['id'])
# Ensure we can clean up the role assignment even though the group # Ensure we can clean up the role assignment even though the group
# doesn't exist # doesn't exist
self.delete(member_url) self.delete(member_url)
def test_delete_user_before_removing_system_assignments_succeeds(self): def test_delete_user_before_removing_system_assignments_succeeds(self):
skipping to change at line 417 skipping to change at line 416
) )
def test_delete_user_and_check_role_assignment_fails(self): def test_delete_user_and_check_role_assignment_fails(self):
"""Call ``DELETE`` on the user and check the role assignment.""" """Call ``DELETE`` on the user and check the role assignment."""
member_url, user = self._create_new_user_and_assign_role_on_project() member_url, user = self._create_new_user_and_assign_role_on_project()
# Delete the user from identity backend # Delete the user from identity backend
PROVIDERS.identity_api.delete_user(user['id']) PROVIDERS.identity_api.delete_user(user['id'])
# We should get a 404 Not Found when looking for the user in the # We should get a 404 Not Found when looking for the user in the
# identity backend because we're not performing a delete operation on # identity backend because we're not performing a delete operation on
# the role. # the role.
self.head(member_url, expected_status=http_client.NOT_FOUND) self.head(member_url, expected_status=http.client.NOT_FOUND)
def test_token_revoked_once_group_role_grant_revoked(self): def test_token_revoked_once_group_role_grant_revoked(self):
"""Test token invalid when direct & indirect role on user is revoked. """Test token invalid when direct & indirect role on user is revoked.
When a role granted to a group is revoked for a given scope, When a role granted to a group is revoked for a given scope,
and user direct role is revoked, then tokens created and user direct role is revoked, then tokens created
by user will be invalid. by user will be invalid.
""" """
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
skipping to change at line 451 skipping to change at line 450
auth_body = self.build_authentication_request( auth_body = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=self.project['id']) project_id=self.project['id'])
token_resp = self.post('/auth/tokens', body=auth_body) token_resp = self.post('/auth/tokens', body=auth_body)
token = token_resp.headers.get('x-subject-token') token = token_resp.headers.get('x-subject-token')
# validates the returned token; it should be valid. # validates the returned token; it should be valid.
self.head('/auth/tokens', self.head('/auth/tokens',
headers={'x-subject-token': token}, headers={'x-subject-token': token},
expected_status=http_client.OK) expected_status=http.client.OK)
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
# revokes the grant from group on project. # revokes the grant from group on project.
PROVIDERS.assignment_api.delete_grant( PROVIDERS.assignment_api.delete_grant(
role_id=self.role['id'], project_id=self.project['id'], role_id=self.role['id'], project_id=self.project['id'],
group_id=self.group['id']) group_id=self.group['id'])
# revokes the direct role form user on project # revokes the direct role form user on project
PROVIDERS.assignment_api.delete_grant( PROVIDERS.assignment_api.delete_grant(
role_id=self.role['id'], project_id=self.project['id'], role_id=self.role['id'], project_id=self.project['id'],
user_id=self.user['id'] user_id=self.user['id']
) )
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
# validates the same token again; it should not longer be valid. # validates the same token again; it should not longer be valid.
self.head('/auth/tokens', token=token, self.head('/auth/tokens', token=token,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
def test_delete_group_before_removing_system_assignments_succeeds(self): def test_delete_group_before_removing_system_assignments_succeeds(self):
system_role = self._create_new_role() system_role = self._create_new_role()
group = self._create_group() group = self._create_group()
path = ( path = (
'/system/groups/%(group_id)s/roles/%(role_id)s' % '/system/groups/%(group_id)s/roles/%(role_id)s' %
{'group_id': group['id'], 'role_id': system_role} {'group_id': group['id'], 'role_id': system_role}
) )
self.put(path) self.put(path)
skipping to change at line 511 skipping to change at line 510
'user_id': self.user['id']}) 'user_id': self.user['id']})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
# create the user a grant on the new project # create the user a grant on the new project
self.put(member_url) self.put(member_url)
# check the grant that was just created # check the grant that was just created
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
resp = self.get(collection_url) resp = self.get(collection_url)
self.assertValidRoleListResponse(resp, ref=self.role, self.assertValidRoleListResponse(resp, ref=self.role,
resource_url=collection_url) resource_url=collection_url)
# delete the grant # delete the grant
self.delete(member_url) self.delete(member_url)
# get the collection and ensure there are no roles on the project # get the collection and ensure there are no roles on the project
resp = self.get(collection_url) resp = self.get(collection_url)
self.assertListEqual(resp.json_body['roles'], []) self.assertListEqual(resp.json_body['roles'], [])
skipping to change at line 542 skipping to change at line 541
'user_id': self.user['id']}) 'user_id': self.user['id']})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
# create the user a grant on the new domain # create the user a grant on the new domain
self.put(member_url) self.put(member_url)
# check the grant that was just created # check the grant that was just created
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
resp = self.get(collection_url) resp = self.get(collection_url)
self.assertValidRoleListResponse(resp, ref=self.role, self.assertValidRoleListResponse(resp, ref=self.role,
resource_url=collection_url) resource_url=collection_url)
# delete the grant # delete the grant
self.delete(member_url) self.delete(member_url)
# get the collection and ensure there are no roles on the domain # get the collection and ensure there are no roles on the domain
resp = self.get(collection_url) resp = self.get(collection_url)
self.assertListEqual(resp.json_body['roles'], []) self.assertListEqual(resp.json_body['roles'], [])
skipping to change at line 573 skipping to change at line 572
'group_id': self.group['id']}) 'group_id': self.group['id']})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
# create the group a grant on the new project # create the group a grant on the new project
self.put(member_url) self.put(member_url)
# check the grant that was just created # check the grant that was just created
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
resp = self.get(collection_url) resp = self.get(collection_url)
self.assertValidRoleListResponse(resp, ref=self.role, self.assertValidRoleListResponse(resp, ref=self.role,
resource_url=collection_url) resource_url=collection_url)
# delete the grant # delete the grant
self.delete(member_url) self.delete(member_url)
# get the collection and ensure there are no roles on the project # get the collection and ensure there are no roles on the project
resp = self.get(collection_url) resp = self.get(collection_url)
self.assertListEqual(resp.json_body['roles'], []) self.assertListEqual(resp.json_body['roles'], [])
skipping to change at line 604 skipping to change at line 603
'group_id': self.group['id']}) 'group_id': self.group['id']})
member_url = '%(collection_url)s/%(role_id)s' % { member_url = '%(collection_url)s/%(role_id)s' % {
'collection_url': collection_url, 'collection_url': collection_url,
'role_id': self.role_id} 'role_id': self.role_id}
# create the group a grant on the new domain # create the group a grant on the new domain
self.put(member_url) self.put(member_url)
# check the grant that was just created # check the grant that was just created
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
resp = self.get(collection_url) resp = self.get(collection_url)
self.assertValidRoleListResponse(resp, ref=self.role, self.assertValidRoleListResponse(resp, ref=self.role,
resource_url=collection_url) resource_url=collection_url)
# delete the grant # delete the grant
self.delete(member_url) self.delete(member_url)
# get the collection and ensure there are no roles on the domain # get the collection and ensure there are no roles on the domain
resp = self.get(collection_url) resp = self.get(collection_url)
self.assertListEqual(resp.json_body['roles'], []) self.assertListEqual(resp.json_body['roles'], [])
skipping to change at line 659 skipping to change at line 658
user1 = unit.new_user_ref(domain_id=self.domain['id']) user1 = unit.new_user_ref(domain_id=self.domain['id'])
user1 = PROVIDERS.identity_api.create_user(user1) user1 = PROVIDERS.identity_api.create_user(user1)
role = unit.new_role_ref() role = unit.new_role_ref()
PROVIDERS.role_api.create_role(role['id'], role) PROVIDERS.role_api.create_role(role['id'], role)
collection_url = '/role_assignments' collection_url = '/role_assignments'
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, resource_url=collection_url) r, resource_url=collection_url)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
existing_assignments = len(r.result.get('role_assignments')) existing_assignments = len(r.result.get('role_assignments'))
# Now add one of each of the four types of assignment, making sure # Now add one of each of the four types of assignment, making sure
# that we get them all back. # that we get them all back.
gd_entity = self.build_role_assignment_entity( gd_entity = self.build_role_assignment_entity(
domain_id=self.domain_id, domain_id=self.domain_id,
group_id=self.group_id, group_id=self.group_id,
role_id=role['id']) role_id=role['id'])
self.put(gd_entity['links']['assignment']) self.put(gd_entity['links']['assignment'])
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 1, expected_length=existing_assignments + 1,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, gd_entity) self.assertRoleAssignmentInListResponse(r, gd_entity)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
ud_entity = self.build_role_assignment_entity( ud_entity = self.build_role_assignment_entity(
domain_id=self.domain_id, domain_id=self.domain_id,
user_id=user1['id'], user_id=user1['id'],
role_id=role['id']) role_id=role['id'])
self.put(ud_entity['links']['assignment']) self.put(ud_entity['links']['assignment'])
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 2, expected_length=existing_assignments + 2,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, ud_entity) self.assertRoleAssignmentInListResponse(r, ud_entity)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
gp_entity = self.build_role_assignment_entity( gp_entity = self.build_role_assignment_entity(
project_id=self.project_id, group_id=self.group_id, project_id=self.project_id, group_id=self.group_id,
role_id=role['id']) role_id=role['id'])
self.put(gp_entity['links']['assignment']) self.put(gp_entity['links']['assignment'])
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 3, expected_length=existing_assignments + 3,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, gp_entity) self.assertRoleAssignmentInListResponse(r, gp_entity)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
up_entity = self.build_role_assignment_entity( up_entity = self.build_role_assignment_entity(
project_id=self.project_id, user_id=user1['id'], project_id=self.project_id, user_id=user1['id'],
role_id=role['id']) role_id=role['id'])
self.put(up_entity['links']['assignment']) self.put(up_entity['links']['assignment'])
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 4, expected_length=existing_assignments + 4,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, up_entity) self.assertRoleAssignmentInListResponse(r, up_entity)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
# Now delete the four we added and make sure they are removed # Now delete the four we added and make sure they are removed
# from the collection. # from the collection.
self.delete(gd_entity['links']['assignment']) self.delete(gd_entity['links']['assignment'])
self.delete(ud_entity['links']['assignment']) self.delete(ud_entity['links']['assignment'])
self.delete(gp_entity['links']['assignment']) self.delete(gp_entity['links']['assignment'])
self.delete(up_entity['links']['assignment']) self.delete(up_entity['links']['assignment'])
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments, expected_length=existing_assignments,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentNotInListResponse(r, gd_entity) self.assertRoleAssignmentNotInListResponse(r, gd_entity)
self.assertRoleAssignmentNotInListResponse(r, ud_entity) self.assertRoleAssignmentNotInListResponse(r, ud_entity)
self.assertRoleAssignmentNotInListResponse(r, gp_entity) self.assertRoleAssignmentNotInListResponse(r, gp_entity)
self.assertRoleAssignmentNotInListResponse(r, up_entity) self.assertRoleAssignmentNotInListResponse(r, up_entity)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
def test_get_effective_role_assignments(self): def test_get_effective_role_assignments(self):
"""Call ``GET /role_assignments?effective``. """Call ``GET /role_assignments?effective``.
Test Plan: Test Plan:
- Create two extra user for tests - Create two extra user for tests
- Add these users to a group - Add these users to a group
- Add a role assignment for the group on a domain - Add a role assignment for the group on a domain
- Get a list of all role assignments, checking one has been added - Get a list of all role assignments, checking one has been added
""" """
user1 = unit.create_user(PROVIDERS.identity_api, user1 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id']) domain_id=self.domain['id'])
user2 = unit.create_user(PROVIDERS.identity_api, user2 = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domain['id']) domain_id=self.domain['id'])
PROVIDERS.identity_api.add_user_to_group(user1['id'], self.group['id']) PROVIDERS.identity_api.add_user_to_group(user1['id'], self.group['id'])
PROVIDERS.identity_api.add_user_to_group(user2['id'], self.group['id']) PROVIDERS.identity_api.add_user_to_group(user2['id'], self.group['id'])
collection_url = '/role_assignments' collection_url = '/role_assignments'
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
resource_url=collection_url) resource_url=collection_url)
existing_assignments = len(r.result.get('role_assignments')) existing_assignments = len(r.result.get('role_assignments'))
gd_entity = self.build_role_assignment_entity(domain_id=self.domain_id, gd_entity = self.build_role_assignment_entity(domain_id=self.domain_id,
group_id=self.group_id, group_id=self.group_id,
role_id=self.role_id) role_id=self.role_id)
self.put(gd_entity['links']['assignment']) self.put(gd_entity['links']['assignment'])
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 1, expected_length=existing_assignments + 1,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, gd_entity) self.assertRoleAssignmentInListResponse(r, gd_entity)
# Now re-read the collection asking for effective roles, # Now re-read the collection asking for effective roles,
# using the most common way of defining "effective'. This # using the most common way of defining "effective'. This
# should mean the group assignment is translated into the two # should mean the group assignment is translated into the two
# member user assignments # member user assignments
collection_url = '/role_assignments?effective' collection_url = '/role_assignments?effective'
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 2, expected_length=existing_assignments + 2,
resource_url=collection_url) resource_url=collection_url)
# Now set 'effective' to false explicitly - should get # Now set 'effective' to false explicitly - should get
# back the regular roles # back the regular roles
collection_url = '/role_assignments?effective=0' collection_url = '/role_assignments?effective=0'
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 1, expected_length=existing_assignments + 1,
resource_url=collection_url) resource_url=collection_url)
# Now try setting 'effective' to 'False' explicitly- this is # Now try setting 'effective' to 'False' explicitly- this is
# NOT supported as a way of setting a query or filter # NOT supported as a way of setting a query or filter
# parameter to false by design. Hence we should get back # parameter to false by design. Hence we should get back
# effective roles. # effective roles.
collection_url = '/role_assignments?effective=False' collection_url = '/role_assignments?effective=False'
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 2, expected_length=existing_assignments + 2,
resource_url=collection_url) resource_url=collection_url)
# Now set 'effective' to True explicitly # Now set 'effective' to True explicitly
collection_url = '/role_assignments?effective=True' collection_url = '/role_assignments?effective=True'
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
r, r,
expected_length=existing_assignments + 2, expected_length=existing_assignments + 2,
resource_url=collection_url) resource_url=collection_url)
def test_filtered_role_assignments(self): def test_filtered_role_assignments(self):
"""Call ``GET /role_assignments?filters``. """Call ``GET /role_assignments?filters``.
Test Plan: Test Plan:
us2_entity = self.build_role_assignment_entity( us2_entity = self.build_role_assignment_entity(
system='all', system='all',
user_id=user2['id'], user_id=user2['id'],
role_id=self.role2['id']) role_id=self.role2['id'])
self.put(us2_entity['links']['assignment']) self.put(us2_entity['links']['assignment'])
# Now list by various filters to make sure we get back the right ones # Now list by various filters to make sure we get back the right ones
collection_url = ('/role_assignments?scope.project.id=%s' % collection_url = ('/role_assignments?scope.project.id=%s' %
project1['id']) project1['id'])
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=2, expected_length=2,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, up_entity) self.assertRoleAssignmentInListResponse(r, up_entity)
self.assertRoleAssignmentInListResponse(r, gp_entity) self.assertRoleAssignmentInListResponse(r, gp_entity)
collection_url = ('/role_assignments?scope.domain.id=%s' % collection_url = ('/role_assignments?scope.domain.id=%s' %
self.domain['id']) self.domain['id'])
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=2, expected_length=2,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, ud_entity) self.assertRoleAssignmentInListResponse(r, ud_entity)
self.assertRoleAssignmentInListResponse(r, gd_entity) self.assertRoleAssignmentInListResponse(r, gd_entity)
collection_url = '/role_assignments?user.id=%s' % user1['id'] collection_url = '/role_assignments?user.id=%s' % user1['id']
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=3, expected_length=3,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, up_entity) self.assertRoleAssignmentInListResponse(r, up_entity)
self.assertRoleAssignmentInListResponse(r, ud_entity) self.assertRoleAssignmentInListResponse(r, ud_entity)
collection_url = '/role_assignments?group.id=%s' % group1['id'] collection_url = '/role_assignments?group.id=%s' % group1['id']
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=3, expected_length=3,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, gd_entity) self.assertRoleAssignmentInListResponse(r, gd_entity)
self.assertRoleAssignmentInListResponse(r, gp_entity) self.assertRoleAssignmentInListResponse(r, gp_entity)
collection_url = '/role_assignments?role.id=%s' % self.role1['id'] collection_url = '/role_assignments?role.id=%s' % self.role1['id']
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=3, expected_length=3,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, gd_entity) self.assertRoleAssignmentInListResponse(r, gd_entity)
self.assertRoleAssignmentInListResponse(r, gp_entity) self.assertRoleAssignmentInListResponse(r, gp_entity)
self.assertRoleAssignmentInListResponse(r, gs_entity) self.assertRoleAssignmentInListResponse(r, gs_entity)
collection_url = '/role_assignments?role.id=%s' % self.role2['id'] collection_url = '/role_assignments?role.id=%s' % self.role2['id']
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=4, expected_length=4,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, ud_entity) self.assertRoleAssignmentInListResponse(r, ud_entity)
self.assertRoleAssignmentInListResponse(r, up_entity) self.assertRoleAssignmentInListResponse(r, up_entity)
self.assertRoleAssignmentInListResponse(r, us_entity) self.assertRoleAssignmentInListResponse(r, us_entity)
# Let's try combining two filers together.... # Let's try combining two filers together....
collection_url = ( collection_url = (
'/role_assignments?user.id=%(user_id)s' '/role_assignments?user.id=%(user_id)s'
'&scope.project.id=%(project_id)s' % { '&scope.project.id=%(project_id)s' % {
'user_id': user1['id'], 'user_id': user1['id'],
'project_id': project1['id']}) 'project_id': project1['id']})
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=1, expected_length=1,
resource_url=collection_url) resource_url=collection_url)
self.assertRoleAssignmentInListResponse(r, up_entity) self.assertRoleAssignmentInListResponse(r, up_entity)
# Now for a harder one - filter for user with effective # Now for a harder one - filter for user with effective
# roles - this should return role assignment that were directly # roles - this should return role assignment that were directly
# assigned as well as by virtue of group membership # assigned as well as by virtue of group membership
collection_url = ('/role_assignments?effective&user.id=%s' % collection_url = ('/role_assignments?effective&user.id=%s' %
user1['id']) user1['id'])
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=4, expected_length=4,
resource_url=collection_url) resource_url=collection_url)
# Should have the two direct roles... # Should have the two direct roles...
self.assertRoleAssignmentInListResponse(r, up_entity) self.assertRoleAssignmentInListResponse(r, up_entity)
self.assertRoleAssignmentInListResponse(r, ud_entity) self.assertRoleAssignmentInListResponse(r, ud_entity)
# ...and the two via group membership... # ...and the two via group membership...
gp1_link = self.build_role_assignment_link( gp1_link = self.build_role_assignment_link(
project_id=project1['id'], project_id=project1['id'],
group_id=group1['id'], group_id=group1['id'],
# ...and for the grand-daddy of them all, simulate the request # ...and for the grand-daddy of them all, simulate the request
# that would generate the list of effective roles in a project # that would generate the list of effective roles in a project
# scoped token. # scoped token.
collection_url = ( collection_url = (
'/role_assignments?effective&user.id=%(user_id)s' '/role_assignments?effective&user.id=%(user_id)s'
'&scope.project.id=%(project_id)s' % { '&scope.project.id=%(project_id)s' % {
'user_id': user1['id'], 'user_id': user1['id'],
'project_id': project1['id']}) 'project_id': project1['id']})
r = self.get(collection_url, expected_status=http_client.OK) r = self.get(collection_url, expected_status=http.client.OK)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
expected_length=2, expected_length=2,
resource_url=collection_url) resource_url=collection_url)
# Should have one direct role and one from group membership... # Should have one direct role and one from group membership...
self.assertRoleAssignmentInListResponse(r, up_entity) self.assertRoleAssignmentInListResponse(r, up_entity)
self.assertRoleAssignmentInListResponse(r, up1_entity) self.assertRoleAssignmentInListResponse(r, up1_entity)
def test_list_system_role_assignments(self): def test_list_system_role_assignments(self):
# create a bunch of roles # create a bunch of roles
user_system_role_id = self._create_new_role() user_system_role_id = self._create_new_role()
# Create a role # Create a role
self.role = unit.new_role_ref() self.role = unit.new_role_ref()
self.role_id = self.role['id'] self.role_id = self.role['id']
PROVIDERS.role_api.create_role(self.role_id, self.role) PROVIDERS.role_api.create_role(self.role_id, self.role)
# Set default user and group to be used on tests # Set default user and group to be used on tests
self.default_user_id = self.user_ids[0] self.default_user_id = self.user_ids[0]
self.default_group_id = self.group_ids[0] self.default_group_id = self.group_ids[0]
def get_role_assignments(self, expected_status=http_client.OK, **filters): def get_role_assignments(self, expected_status=http.client.OK, **filters):
"""Return the result from querying role assignment API + queried URL. """Return the result from querying role assignment API + queried URL.
Calls GET /v3/role_assignments?<params> and returns its result, where Calls GET /v3/role_assignments?<params> and returns its result, where
<params> is the HTTP query parameters form of effective option plus <params> is the HTTP query parameters form of effective option plus
filters, if provided. Queried URL is returned as well. filters, if provided. Queried URL is returned as well.
:returns: a tuple containing the list role assignments API response and :returns: a tuple containing the list role assignments API response and
queried URL. queried URL.
""" """
Request, since a role assignment must contain only a single pair of (actor, Request, since a role assignment must contain only a single pair of (actor,
target). In addition, since filtering on role assignments applies only to target). In addition, since filtering on role assignments applies only to
the final result, effective mode cannot be combined with i) group or ii) the final result, effective mode cannot be combined with i) group or ii)
domain and inherited, because it would always result in an empty list. domain and inherited, because it would always result in an empty list.
""" """
def test_get_role_assignments_by_domain_and_project(self): def test_get_role_assignments_by_domain_and_project(self):
self.get_role_assignments(domain_id=self.domain_id, self.get_role_assignments(domain_id=self.domain_id,
project_id=self.project_id, project_id=self.project_id,
expected_status=http_client.BAD_REQUEST) expected_status=http.client.BAD_REQUEST)
def test_get_role_assignments_by_user_and_group(self): def test_get_role_assignments_by_user_and_group(self):
self.get_role_assignments(user_id=self.default_user_id, self.get_role_assignments(user_id=self.default_user_id,
group_id=self.default_group_id, group_id=self.default_group_id,
expected_status=http_client.BAD_REQUEST) expected_status=http.client.BAD_REQUEST)
def test_get_role_assignments_by_effective_and_inherited(self): def test_get_role_assignments_by_effective_and_inherited(self):
self.get_role_assignments(domain_id=self.domain_id, effective=True, self.get_role_assignments(domain_id=self.domain_id, effective=True,
inherited_to_projects=True, inherited_to_projects=True,
expected_status=http_client.BAD_REQUEST) expected_status=http.client.BAD_REQUEST)
def test_get_role_assignments_by_effective_and_group(self): def test_get_role_assignments_by_effective_and_group(self):
self.get_role_assignments(effective=True, self.get_role_assignments(effective=True,
group_id=self.default_group_id, group_id=self.default_group_id,
expected_status=http_client.BAD_REQUEST) expected_status=http.client.BAD_REQUEST)
class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase): class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase):
"""Class for testing direct assignments on /v3/role_assignments API. """Class for testing direct assignments on /v3/role_assignments API.
Direct assignments on a domain or project have effect on them directly, Direct assignments on a domain or project have effect on them directly,
instead of on their project hierarchy, i.e they are non-inherited. In instead of on their project hierarchy, i.e they are non-inherited. In
addition, group direct assignments are not expanded to group's users. addition, group direct assignments are not expanded to group's users.
Tests on this class make assertions on the representation and API filtering Tests on this class make assertions on the representation and API filtering
of direct assignments. of direct assignments.
user_id=user['id'], user_id=user['id'],
password=user['password'], password=user['password'],
domain_id=self.domain_id) domain_id=self.domain_id)
project_auth_data = self.build_authentication_request( project_auth_data = self.build_authentication_request(
user_id=user['id'], user_id=user['id'],
password=user['password'], password=user['password'],
project_id=self.project_id) project_id=self.project_id)
# Check the user cannot get a domain nor a project token # Check the user cannot get a domain nor a project token
self.v3_create_token(domain_auth_data, self.v3_create_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
# Grant non-inherited role for user on domain # Grant non-inherited role for user on domain
non_inher_ud_link = self.build_role_assignment_link( non_inher_ud_link = self.build_role_assignment_link(
domain_id=self.domain_id, user_id=user['id'], role_id=self.role_id) domain_id=self.domain_id, user_id=user['id'], role_id=self.role_id)
self.put(non_inher_ud_link) self.put(non_inher_ud_link)
# Check the user can get only a domain token # Check the user can get only a domain token
self.v3_create_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_create_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
# Create inherited role # Create inherited role
inherited_role = unit.new_role_ref(name='inherited') inherited_role = unit.new_role_ref(name='inherited')
PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role) PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role)
# Grant inherited role for user on domain # Grant inherited role for user on domain
inher_ud_link = self.build_role_assignment_link( inher_ud_link = self.build_role_assignment_link(
domain_id=self.domain_id, user_id=user['id'], domain_id=self.domain_id, user_id=user['id'],
role_id=inherited_role['id'], inherited_to_projects=True) role_id=inherited_role['id'], inherited_to_projects=True)
self.put(inher_ud_link) self.put(inher_ud_link)
# Check the user can get both a domain and a project token # Check the user can get both a domain and a project token
self.v3_create_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_create_token(project_auth_data) self.v3_create_token(project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_ud_link) self.delete(inher_ud_link)
# Check the user can only get a domain token # Check the user can only get a domain token
self.v3_create_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_create_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_ud_link) self.delete(non_inher_ud_link)
# Check the user cannot get a domain token anymore # Check the user cannot get a domain token anymore
self.v3_create_token(domain_auth_data, self.v3_create_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
def test_get_token_from_inherited_group_domain_role_grants(self): def test_get_token_from_inherited_group_domain_role_grants(self):
# Create a new group and put a new user in it to # Create a new group and put a new user in it to
# ensure that no grant is loaded from sample data # ensure that no grant is loaded from sample data
user = unit.create_user( user = unit.create_user(
PROVIDERS.identity_api, domain_id=self.domain_id PROVIDERS.identity_api, domain_id=self.domain_id
) )
group = unit.new_group_ref(domain_id=self.domain['id']) group = unit.new_group_ref(domain_id=self.domain['id'])
group = PROVIDERS.identity_api.create_group(group) group = PROVIDERS.identity_api.create_group(group)
user_id=user['id'], user_id=user['id'],
password=user['password'], password=user['password'],
domain_id=self.domain_id) domain_id=self.domain_id)
project_auth_data = self.build_authentication_request( project_auth_data = self.build_authentication_request(
user_id=user['id'], user_id=user['id'],
password=user['password'], password=user['password'],
project_id=self.project_id) project_id=self.project_id)
# Check the user cannot get a domain nor a project token # Check the user cannot get a domain nor a project token
self.v3_create_token(domain_auth_data, self.v3_create_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
# Grant non-inherited role for user on domain # Grant non-inherited role for user on domain
non_inher_gd_link = self.build_role_assignment_link( non_inher_gd_link = self.build_role_assignment_link(
domain_id=self.domain_id, user_id=user['id'], role_id=self.role_id) domain_id=self.domain_id, user_id=user['id'], role_id=self.role_id)
self.put(non_inher_gd_link) self.put(non_inher_gd_link)
# Check the user can get only a domain token # Check the user can get only a domain token
self.v3_create_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_create_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
# Create inherited role # Create inherited role
inherited_role = unit.new_role_ref(name='inherited') inherited_role = unit.new_role_ref(name='inherited')
PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role) PROVIDERS.role_api.create_role(inherited_role['id'], inherited_role)
# Grant inherited role for user on domain # Grant inherited role for user on domain
inher_gd_link = self.build_role_assignment_link( inher_gd_link = self.build_role_assignment_link(
domain_id=self.domain_id, user_id=user['id'], domain_id=self.domain_id, user_id=user['id'],
role_id=inherited_role['id'], inherited_to_projects=True) role_id=inherited_role['id'], inherited_to_projects=True)
self.put(inher_gd_link) self.put(inher_gd_link)
# Check the user can get both a domain and a project token # Check the user can get both a domain and a project token
self.v3_create_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_create_token(project_auth_data) self.v3_create_token(project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_gd_link) self.delete(inher_gd_link)
# Check the user can only get a domain token # Check the user can only get a domain token
self.v3_create_token(domain_auth_data) self.v3_create_token(domain_auth_data)
self.v3_create_token(project_auth_data, self.v3_create_token(project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_gd_link) self.delete(non_inher_gd_link)
# Check the user cannot get a domain token anymore # Check the user cannot get a domain token anymore
self.v3_create_token(domain_auth_data, self.v3_create_token(domain_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
def _test_crud_inherited_and_direct_assignment_on_target(self, target_url): def _test_crud_inherited_and_direct_assignment_on_target(self, target_url):
time = datetime.datetime.utcnow() time = datetime.datetime.utcnow()
with freezegun.freeze_time(time) as frozen_datetime: with freezegun.freeze_time(time) as frozen_datetime:
# Create a new role to avoid assignments loaded from sample data # Create a new role to avoid assignments loaded from sample data
role = unit.new_role_ref() role = unit.new_role_ref()
PROVIDERS.role_api.create_role(role['id'], role) PROVIDERS.role_api.create_role(role['id'], role)
# Define URLs # Define URLs
direct_url = '%s/users/%s/roles/%s' % ( direct_url = '%s/users/%s/roles/%s' % (
target_url, self.user_id, role['id']) target_url, self.user_id, role['id'])
inherited_url = ('/OS-INHERIT/%s/inherited_to_projects' % inherited_url = ('/OS-INHERIT/%s/inherited_to_projects' %
direct_url.lstrip('/')) direct_url.lstrip('/'))
# Create the direct assignment # Create the direct assignment
self.put(direct_url) self.put(direct_url)
# Check the direct assignment exists, but the inherited one does # Check the direct assignment exists, but the inherited one does
# not # not
self.head(direct_url) self.head(direct_url)
self.head(inherited_url, expected_status=http_client.NOT_FOUND) self.head(inherited_url, expected_status=http.client.NOT_FOUND)
# Now add the inherited assignment # Now add the inherited assignment
self.put(inherited_url) self.put(inherited_url)
# Check both the direct and inherited assignment exist # Check both the direct and inherited assignment exist
self.head(direct_url) self.head(direct_url)
self.head(inherited_url) self.head(inherited_url)
# Delete indirect assignment # Delete indirect assignment
self.delete(inherited_url) self.delete(inherited_url)
frozen_datetime.tick(delta=datetime.timedelta(seconds=1)) frozen_datetime.tick(delta=datetime.timedelta(seconds=1))
# Check the direct assignment exists, but the inherited one does # Check the direct assignment exists, but the inherited one does
# not # not
self.head(direct_url) self.head(direct_url)
self.head(inherited_url, expected_status=http_client.NOT_FOUND) self.head(inherited_url, expected_status=http.client.NOT_FOUND)
# Now delete the inherited assignment # Now delete the inherited assignment
self.delete(direct_url) self.delete(direct_url)
# Check that none of them exist # Check that none of them exist
self.head(direct_url, expected_status=http_client.NOT_FOUND) self.head(direct_url, expected_status=http.client.NOT_FOUND)
self.head(inherited_url, expected_status=http_client.NOT_FOUND) self.head(inherited_url, expected_status=http.client.NOT_FOUND)
def test_crud_inherited_and_direct_assignment_on_domains(self): def test_crud_inherited_and_direct_assignment_on_domains(self):
self._test_crud_inherited_and_direct_assignment_on_target( self._test_crud_inherited_and_direct_assignment_on_target(
'/domains/%s' % self.domain_id) '/domains/%s' % self.domain_id)
def test_crud_inherited_and_direct_assignment_on_projects(self): def test_crud_inherited_and_direct_assignment_on_projects(self):
self._test_crud_inherited_and_direct_assignment_on_target( self._test_crud_inherited_and_direct_assignment_on_target(
'/projects/%s' % self.project_id) '/projects/%s' % self.project_id)
def test_crud_user_inherited_domain_role_grants(self): def test_crud_user_inherited_domain_role_grants(self):
skipping to change at line 1778 skipping to change at line 1777
'user_id': self.user['id']}) 'user_id': self.user['id']})
member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % {
'collection_url': base_collection_url, 'collection_url': base_collection_url,
'role_id': role_list[0]['id']} 'role_id': role_list[0]['id']}
collection_url = base_collection_url + '/inherited_to_projects' collection_url = base_collection_url + '/inherited_to_projects'
self.put(member_url) self.put(member_url)
# Check we can read it back # Check we can read it back
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=role_list[0], self.assertValidRoleListResponse(r, ref=role_list[0],
resource_url=collection_url) resource_url=collection_url)
# Now delete and check its gone # Now delete and check its gone
self.delete(member_url) self.delete(member_url)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, expected_length=0, self.assertValidRoleListResponse(r, expected_length=0,
resource_url=collection_url) resource_url=collection_url)
skipping to change at line 1840 skipping to change at line 1839
'/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % { '/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % {
'domain_id': domain['id'], 'domain_id': domain['id'],
'user_id': user1['id']}) 'user_id': user1['id']})
member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % {
'collection_url': base_collection_url, 'collection_url': base_collection_url,
'role_id': role_list[3]['id']} 'role_id': role_list[3]['id']}
collection_url = base_collection_url + '/inherited_to_projects' collection_url = base_collection_url + '/inherited_to_projects'
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=role_list[3], self.assertValidRoleListResponse(r, ref=role_list[3],
resource_url=collection_url) resource_url=collection_url)
# Now use the list domain role assignments api to check if this # Now use the list domain role assignments api to check if this
# is included # is included
collection_url = ( collection_url = (
'/role_assignments?user.id=%(user_id)s' '/role_assignments?user.id=%(user_id)s'
'&scope.domain.id=%(domain_id)s' % { '&scope.domain.id=%(domain_id)s' % {
'user_id': user1['id'], 'user_id': user1['id'],
skipping to change at line 1946 skipping to change at line 1945
rs_group = self.get(collection_url_group) rs_group = self.get(collection_url_group)
collection_url_user = ( collection_url_user = (
'/role_assignments?include_names&user.id=%(user_id)s' % { '/role_assignments?include_names&user.id=%(user_id)s' % {
'user_id': user1['id']}) 'user_id': user1['id']})
rs_user = self.get(collection_url_user) rs_user = self.get(collection_url_user)
collection_url_role = ( collection_url_role = (
'/role_assignments?include_names&role.id=%(role_id)s' % { '/role_assignments?include_names&role.id=%(role_id)s' % {
'role_id': role1['id']}) 'role_id': role1['id']})
rs_role = self.get(collection_url_role) rs_role = self.get(collection_url_role)
# Make sure all entities were created successfully # Make sure all entities were created successfully
self.assertEqual(http_client.OK, rs_domain.status_int) self.assertEqual(http.client.OK, rs_domain.status_int)
self.assertEqual(http_client.OK, rs_project.status_int) self.assertEqual(http.client.OK, rs_project.status_int)
self.assertEqual(http_client.OK, rs_group.status_int) self.assertEqual(http.client.OK, rs_group.status_int)
self.assertEqual(http_client.OK, rs_user.status_int) self.assertEqual(http.client.OK, rs_user.status_int)
# Make sure we can get back the correct number of entities # Make sure we can get back the correct number of entities
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
rs_domain, rs_domain,
expected_length=2, expected_length=2,
resource_url=collection_url_domain) resource_url=collection_url_domain)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
rs_project, rs_project,
expected_length=2, expected_length=2,
resource_url=collection_url_project) resource_url=collection_url_project)
self.assertValidRoleAssignmentListResponse( self.assertValidRoleAssignmentListResponse(
skipping to change at line 2145 skipping to change at line 2144
'/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % { '/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % {
'domain_id': domain['id'], 'domain_id': domain['id'],
'user_id': user1['id']}) 'user_id': user1['id']})
member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % {
'collection_url': base_collection_url, 'collection_url': base_collection_url,
'role_id': role_list[3]['id']} 'role_id': role_list[3]['id']}
collection_url = base_collection_url + '/inherited_to_projects' collection_url = base_collection_url + '/inherited_to_projects'
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=role_list[3], self.assertValidRoleListResponse(r, ref=role_list[3],
resource_url=collection_url) resource_url=collection_url)
# Get effective list role assignments - the role should # Get effective list role assignments - the role should
# turn into a project role, along with the two direct roles that are # turn into a project role, along with the two direct roles that are
# on the project # on the project
collection_url = ( collection_url = (
'/role_assignments?effective&user.id=%(user_id)s' '/role_assignments?effective&user.id=%(user_id)s'
'&scope.project.id=%(project_id)s' % { '&scope.project.id=%(project_id)s' % {
skipping to change at line 2235 skipping to change at line 2234
'/OS-INHERIT/domains/%(domain_id)s/groups/%(group_id)s/roles' % { '/OS-INHERIT/domains/%(domain_id)s/groups/%(group_id)s/roles' % {
'domain_id': domain['id'], 'domain_id': domain['id'],
'group_id': group1['id']}) 'group_id': group1['id']})
member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % {
'collection_url': base_collection_url, 'collection_url': base_collection_url,
'role_id': role_list[3]['id']} 'role_id': role_list[3]['id']}
collection_url = base_collection_url + '/inherited_to_projects' collection_url = base_collection_url + '/inherited_to_projects'
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=role_list[3], self.assertValidRoleListResponse(r, ref=role_list[3],
resource_url=collection_url) resource_url=collection_url)
# Now use the list domain role assignments api to check if this # Now use the list domain role assignments api to check if this
# is included # is included
collection_url = ( collection_url = (
'/role_assignments?group.id=%(group_id)s' '/role_assignments?group.id=%(group_id)s'
'&scope.domain.id=%(domain_id)s' % { '&scope.domain.id=%(domain_id)s' % {
'group_id': group1['id'], 'group_id': group1['id'],
skipping to change at line 2329 skipping to change at line 2328
'/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % { '/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % {
'domain_id': domain['id'], 'domain_id': domain['id'],
'user_id': user1['id']}) 'user_id': user1['id']})
member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % {
'collection_url': base_collection_url, 'collection_url': base_collection_url,
'role_id': role_list[3]['id']} 'role_id': role_list[3]['id']}
collection_url = base_collection_url + '/inherited_to_projects' collection_url = base_collection_url + '/inherited_to_projects'
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=role_list[3], self.assertValidRoleListResponse(r, ref=role_list[3],
resource_url=collection_url) resource_url=collection_url)
base_collection_url = ( base_collection_url = (
'/OS-INHERIT/domains/%(domain_id)s/groups/%(group_id)s/roles' % { '/OS-INHERIT/domains/%(domain_id)s/groups/%(group_id)s/roles' % {
'domain_id': domain['id'], 'domain_id': domain['id'],
'group_id': group1['id']}) 'group_id': group1['id']})
member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % {
'collection_url': base_collection_url, 'collection_url': base_collection_url,
'role_id': role_list[4]['id']} 'role_id': role_list[4]['id']}
collection_url = base_collection_url + '/inherited_to_projects' collection_url = base_collection_url + '/inherited_to_projects'
self.put(member_url) self.put(member_url)
self.head(member_url) self.head(member_url)
self.get(member_url, expected_status=http_client.NO_CONTENT) self.get(member_url, expected_status=http.client.NO_CONTENT)
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleListResponse(r, ref=role_list[4], self.assertValidRoleListResponse(r, ref=role_list[4],
resource_url=collection_url) resource_url=collection_url)
# Now use the list role assignments api to get a list of inherited # Now use the list role assignments api to get a list of inherited
# roles on the domain - should get back the two roles # roles on the domain - should get back the two roles
collection_url = ( collection_url = (
'/role_assignments?scope.OS-INHERIT:inherited_to=projects') '/role_assignments?scope.OS-INHERIT:inherited_to=projects')
r = self.get(collection_url) r = self.get(collection_url)
self.assertValidRoleAssignmentListResponse(r, self.assertValidRoleAssignmentListResponse(r,
skipping to change at line 2410 skipping to change at line 2409
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=root_id) project_id=root_id)
leaf_project_auth_data = self.build_authentication_request( leaf_project_auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=leaf_id) project_id=leaf_id)
# Check the user cannot get a token on root nor leaf project # Check the user cannot get a token on root nor leaf project
self.v3_create_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(leaf_project_auth_data, self.v3_create_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
# Grant non-inherited role for user on leaf project # Grant non-inherited role for user on leaf project
non_inher_up_link = self.build_role_assignment_link( non_inher_up_link = self.build_role_assignment_link(
project_id=leaf_id, user_id=self.user['id'], project_id=leaf_id, user_id=self.user['id'],
role_id=non_inherited_role_id) role_id=non_inherited_role_id)
self.put(non_inher_up_link) self.put(non_inher_up_link)
# Check the user can only get a token on leaf project # Check the user can only get a token on leaf project
self.v3_create_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Grant inherited role for user on root project # Grant inherited role for user on root project
inher_up_link = self.build_role_assignment_link( inher_up_link = self.build_role_assignment_link(
project_id=root_id, user_id=self.user['id'], project_id=root_id, user_id=self.user['id'],
role_id=inherited_role_id, inherited_to_projects=True) role_id=inherited_role_id, inherited_to_projects=True)
self.put(inher_up_link) self.put(inher_up_link)
# Check the user still can get a token only on leaf project # Check the user still can get a token only on leaf project
self.v3_create_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Delete non-inherited grant # Delete non-inherited grant
self.delete(non_inher_up_link) self.delete(non_inher_up_link)
# Check the inherited role still applies for leaf project # Check the inherited role still applies for leaf project
self.v3_create_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_up_link) self.delete(inher_up_link)
# Check the user cannot get a token on leaf project anymore # Check the user cannot get a token on leaf project anymore
self.v3_create_token(leaf_project_auth_data, self.v3_create_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
def test_get_token_from_inherited_group_project_role_grants(self): def test_get_token_from_inherited_group_project_role_grants(self):
# Create default scenario # Create default scenario
root_id, leaf_id, non_inherited_role_id, inherited_role_id = ( root_id, leaf_id, non_inherited_role_id, inherited_role_id = (
self._setup_hierarchical_projects_scenario()) self._setup_hierarchical_projects_scenario())
# Create group and add user to it # Create group and add user to it
group = unit.new_group_ref(domain_id=self.domain['id']) group = unit.new_group_ref(domain_id=self.domain['id'])
group = PROVIDERS.identity_api.create_group(group) group = PROVIDERS.identity_api.create_group(group)
PROVIDERS.identity_api.add_user_to_group(self.user['id'], group['id']) PROVIDERS.identity_api.add_user_to_group(self.user['id'], group['id'])
skipping to change at line 2473 skipping to change at line 2472
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=root_id) project_id=root_id)
leaf_project_auth_data = self.build_authentication_request( leaf_project_auth_data = self.build_authentication_request(
user_id=self.user['id'], user_id=self.user['id'],
password=self.user['password'], password=self.user['password'],
project_id=leaf_id) project_id=leaf_id)
# Check the user cannot get a token on root nor leaf project # Check the user cannot get a token on root nor leaf project
self.v3_create_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(leaf_project_auth_data, self.v3_create_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
# Grant non-inherited role for group on leaf project # Grant non-inherited role for group on leaf project
non_inher_gp_link = self.build_role_assignment_link( non_inher_gp_link = self.build_role_assignment_link(
project_id=leaf_id, group_id=group['id'], project_id=leaf_id, group_id=group['id'],
role_id=non_inherited_role_id) role_id=non_inherited_role_id)
self.put(non_inher_gp_link) self.put(non_inher_gp_link)
# Check the user can only get a token on leaf project # Check the user can only get a token on leaf project
self.v3_create_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Grant inherited role for group on root project # Grant inherited role for group on root project
inher_gp_link = self.build_role_assignment_link( inher_gp_link = self.build_role_assignment_link(
project_id=root_id, group_id=group['id'], project_id=root_id, group_id=group['id'],
role_id=inherited_role_id, inherited_to_projects=True) role_id=inherited_role_id, inherited_to_projects=True)
self.put(inher_gp_link) self.put(inher_gp_link)
# Check the user still can get a token only on leaf project # Check the user still can get a token only on leaf project
self.v3_create_token(root_project_auth_data, self.v3_create_token(root_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
self.v3_create_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Delete no-inherited grant # Delete no-inherited grant
self.delete(non_inher_gp_link) self.delete(non_inher_gp_link)
# Check the inherited role still applies for leaf project # Check the inherited role still applies for leaf project
self.v3_create_token(leaf_project_auth_data) self.v3_create_token(leaf_project_auth_data)
# Delete inherited grant # Delete inherited grant
self.delete(inher_gp_link) self.delete(inher_gp_link)
# Check the user cannot get a token on leaf project anymore # Check the user cannot get a token on leaf project anymore
self.v3_create_token(leaf_project_auth_data, self.v3_create_token(leaf_project_auth_data,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
def test_get_role_assignments_for_project_hierarchy(self): def test_get_role_assignments_for_project_hierarchy(self):
"""Call ``GET /role_assignments``. """Call ``GET /role_assignments``.
Test Plan: Test Plan:
- Create 2 roles - Create 2 roles
- Create a hierarchy of projects with one root and one leaf project - Create a hierarchy of projects with one root and one leaf project
- Issue the URL to add a non-inherited user role to the root project - Issue the URL to add a non-inherited user role to the root project
- Issue the URL to add an inherited user role to the root project - Issue the URL to add an inherited user role to the root project
skipping to change at line 2618 skipping to change at line 2617
role_id=non_inherited_role_id) role_id=non_inherited_role_id)
self.assertRoleAssignmentNotInListResponse(r, non_inher_up_entity) self.assertRoleAssignmentNotInListResponse(r, non_inher_up_entity)
# Assert that the user has inherited role on leaf project # Assert that the user has inherited role on leaf project
inher_up_entity['scope']['project']['id'] = leaf_id inher_up_entity['scope']['project']['id'] = leaf_id
self.assertRoleAssignmentInListResponse(r, inher_up_entity) self.assertRoleAssignmentInListResponse(r, inher_up_entity)
def test_project_id_specified_if_include_subtree_specified(self): def test_project_id_specified_if_include_subtree_specified(self):
"""When using include_subtree, you must specify a project ID.""" """When using include_subtree, you must specify a project ID."""
r = self.get('/role_assignments?include_subtree=True', r = self.get('/role_assignments?include_subtree=True',
expected_status=http_client.BAD_REQUEST) expected_status=http.client.BAD_REQUEST)
error_msg = ("scope.project.id must be specified if include_subtree " error_msg = ("scope.project.id must be specified if include_subtree "
"is also specified") "is also specified")
self.assertEqual(error_msg, r.result['error']['message']) self.assertEqual(error_msg, r.result['error']['message'])
r = self.get('/role_assignments?scope.project.id&' r = self.get('/role_assignments?scope.project.id&'
'include_subtree=True', 'include_subtree=True',
expected_status=http_client.BAD_REQUEST) expected_status=http.client.BAD_REQUEST)
self.assertEqual(error_msg, r.result['error']['message']) self.assertEqual(error_msg, r.result['error']['message'])
def test_get_role_assignments_for_project_tree(self): def test_get_role_assignments_for_project_tree(self):
"""Get role_assignment?scope.project.id=X&include_subtree``. """Get role_assignment?scope.project.id=X&include_subtree``.
Test Plan: Test Plan:
- Create 2 roles and a hierarchy of projects with one root and one leaf - Create 2 roles and a hierarchy of projects with one root and one leaf
- Issue the URL to add a non-inherited user role to the root project - Issue the URL to add a non-inherited user role to the root project
and the leaf project and the leaf project
skipping to change at line 2831 skipping to change at line 2830
def _create_role(self): def _create_role(self):
"""Call ``POST /roles``.""" """Call ``POST /roles``."""
ref = unit.new_role_ref() ref = unit.new_role_ref()
r = self.post('/roles', body={'role': ref}) r = self.post('/roles', body={'role': ref})
return self.assertValidRoleResponse(r, ref) return self.assertValidRoleResponse(r, ref)
def test_list_implied_roles_none(self): def test_list_implied_roles_none(self):
self.prior = self._create_role() self.prior = self._create_role()
url = '/roles/%s/implies' % (self.prior['id']) url = '/roles/%s/implies' % (self.prior['id'])
response = self.get(url).json["role_inference"] response = self.get(url).json["role_inference"]
self.head(url, expected_status=http_client.OK) self.head(url, expected_status=http.client.OK)
self.assertEqual(self.prior['id'], response['prior_role']['id']) self.assertEqual(self.prior['id'], response['prior_role']['id'])
self.assertEqual(0, len(response['implies'])) self.assertEqual(0, len(response['implies']))
def _create_implied_role(self, prior, implied): def _create_implied_role(self, prior, implied):
self.put('/roles/%s/implies/%s' % (prior['id'], implied['id']), self.put('/roles/%s/implies/%s' % (prior['id'], implied['id']),
expected_status=http_client.CREATED) expected_status=http.client.CREATED)
def _delete_implied_role(self, prior, implied): def _delete_implied_role(self, prior, implied):
self.delete('/roles/%s/implies/%s' % (prior['id'], implied['id'])) self.delete('/roles/%s/implies/%s' % (prior['id'], implied['id']))
def _setup_prior_two_implied(self): def _setup_prior_two_implied(self):
self.prior = self._create_role() self.prior = self._create_role()
self.implied1 = self._create_role() self.implied1 = self._create_role()
self._create_implied_role(self.prior, self.implied1) self._create_implied_role(self.prior, self.implied1)
self.implied2 = self._create_role() self.implied2 = self._create_role()
self._create_implied_role(self.prior, self.implied2) self._create_implied_role(self.prior, self.implied2)
skipping to change at line 2900 skipping to change at line 2899
self.prior['id'], self.implied1['id']) self.prior['id'], self.implied1['id'])
self._assert_expected_role_inference_rule_response( self._assert_expected_role_inference_rule_response(
self.prior['id'], self.implied2['id']) self.prior['id'], self.implied2['id'])
def _assert_one_role_implied(self): def _assert_one_role_implied(self):
self._assert_expected_implied_role_response( self._assert_expected_implied_role_response(
self.prior['id'], [self.implied1['id']]) self.prior['id'], [self.implied1['id']])
self.get('/roles/%s/implies/%s' % self.get('/roles/%s/implies/%s' %
(self.prior['id'], self.implied2['id']), (self.prior['id'], self.implied2['id']),
expected_status=http_client.NOT_FOUND) expected_status=http.client.NOT_FOUND)
def _assert_two_rules_defined(self): def _assert_two_rules_defined(self):
r = self.get('/role_inferences/') r = self.get('/role_inferences/')
rules = r.result['role_inferences'] rules = r.result['role_inferences']
self.assertEqual(self.prior['id'], rules[0]['prior_role']['id']) self.assertEqual(self.prior['id'], rules[0]['prior_role']['id'])
self.assertEqual(2, len(rules[0]['implies'])) self.assertEqual(2, len(rules[0]['implies']))
implied_ids = [implied['id'] for implied in rules[0]['implies']] implied_ids = [implied['id'] for implied in rules[0]['implies']]
implied_names = [implied['name'] for implied in rules[0]['implies']] implied_names = [implied['name'] for implied in rules[0]['implies']]
skipping to change at line 3056 skipping to change at line 3055
prohibited_names = [prohibited_name1, prohibited_name2] prohibited_names = [prohibited_name1, prohibited_name2]
self.config_fixture.config(group='assignment', self.config_fixture.config(group='assignment',
prohibited_implied_role=prohibited_names) prohibited_implied_role=prohibited_names)
prior_role = self._create_role() prior_role = self._create_role()
prohibited_role1 = self._create_named_role(prohibited_name1) prohibited_role1 = self._create_named_role(prohibited_name1)
url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format( url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format(
prior_role_id=prior_role['id'], prior_role_id=prior_role['id'],
implied_role_id=prohibited_role1['id']) implied_role_id=prohibited_role1['id'])
self.put(url, expected_status=http_client.FORBIDDEN) self.put(url, expected_status=http.client.FORBIDDEN)
prohibited_role2 = self._create_named_role(prohibited_name2) prohibited_role2 = self._create_named_role(prohibited_name2)
url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format( url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format(
prior_role_id=prior_role['id'], prior_role_id=prior_role['id'],
implied_role_id=prohibited_role2['id']) implied_role_id=prohibited_role2['id'])
self.put(url, expected_status=http_client.FORBIDDEN) self.put(url, expected_status=http.client.FORBIDDEN)
accepted_role1 = self._create_named_role(accepted_name1) accepted_role1 = self._create_named_role(accepted_name1)
url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format( url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format(
prior_role_id=prior_role['id'], prior_role_id=prior_role['id'],
implied_role_id=accepted_role1['id']) implied_role_id=accepted_role1['id'])
self.put(url, expected_status=http_client.CREATED) self.put(url, expected_status=http.client.CREATED)
def test_trusts_from_implied_role(self): def test_trusts_from_implied_role(self):
self._create_three_roles() self._create_three_roles()
self._create_implied_role(self.role_list[0], self.role_list[1]) self._create_implied_role(self.role_list[0], self.role_list[1])
self._create_implied_role(self.role_list[1], self.role_list[2]) self._create_implied_role(self.role_list[1], self.role_list[2])
self._assign_top_role_to_user_on_project(self.user, self.project) self._assign_top_role_to_user_on_project(self.user, self.project)
# Create a trustee and assign the prior role to her # Create a trustee and assign the prior role to her
trustee = unit.create_user( trustee = unit.create_user(
PROVIDERS.identity_api, domain_id=self.domain_id PROVIDERS.identity_api, domain_id=self.domain_id
skipping to change at line 3164 skipping to change at line 3163
domain_role = PROVIDERS.role_api.create_role( domain_role = PROVIDERS.role_api.create_role(
domain_role_ref['id'], domain_role_ref domain_role_ref['id'], domain_role_ref
) )
global_role_ref = unit.new_role_ref() global_role_ref = unit.new_role_ref()
global_role = PROVIDERS.role_api.create_role( global_role = PROVIDERS.role_api.create_role(
global_role_ref['id'], global_role_ref global_role_ref['id'], global_role_ref
) )
self.put('/roles/%s/implies/%s' % (global_role['id'], self.put('/roles/%s/implies/%s' % (global_role['id'],
domain_role['id']), domain_role['id']),
expected_status=http_client.FORBIDDEN) expected_status=http.client.FORBIDDEN)
class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase): class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase):
def setUp(self): def setUp(self):
def create_role(domain_id=None): def create_role(domain_id=None):
"""Call ``POST /roles``.""" """Call ``POST /roles``."""
ref = unit.new_role_ref(domain_id=domain_id) ref = unit.new_role_ref(domain_id=domain_id)
r = self.post( r = self.post(
'/roles', '/roles',
body={'role': ref}) body={'role': ref})
return self.assertValidRoleResponse(r, ref) return self.assertValidRoleResponse(r, ref)
skipping to change at line 3231 skipping to change at line 3230
body={'role': self.domainA_role1}) body={'role': self.domainA_role1})
r = self.get('/roles/%s' % self.domainA_role1['id']) r = self.get('/roles/%s' % self.domainA_role1['id'])
self.assertValidRoleResponse(r, self.domainA_role1) self.assertValidRoleResponse(r, self.domainA_role1)
def test_delete_domain_specific_roles(self): def test_delete_domain_specific_roles(self):
# Check delete only removes that one domain role # Check delete only removes that one domain role
self.delete('/roles/%(role_id)s' % { self.delete('/roles/%(role_id)s' % {
'role_id': self.domainA_role1['id']}) 'role_id': self.domainA_role1['id']})
self.get('/roles/%s' % self.domainA_role1['id'], self.get('/roles/%s' % self.domainA_role1['id'],
expected_status=http_client.NOT_FOUND) expected_status=http.client.NOT_FOUND)
# Now re-list those in domainA, making sure there's only one left # Now re-list those in domainA, making sure there's only one left
r = self.get('/roles?domain_id=%s' % self.domainA['id']) r = self.get('/roles?domain_id=%s' % self.domainA['id'])
self.assertValidRoleListResponse(r, expected_length=1) self.assertValidRoleListResponse(r, expected_length=1)
self.assertRoleInListResponse(r, self.domainA_role2) self.assertRoleInListResponse(r, self.domainA_role2)
def test_same_domain_assignment(self): def test_same_domain_assignment(self):
user = unit.create_user(PROVIDERS.identity_api, user = unit.create_user(PROVIDERS.identity_api,
domain_id=self.domainA['id']) domain_id=self.domainA['id'])
projectA = unit.new_project_ref(domain_id=self.domainA['id']) projectA = unit.new_project_ref(domain_id=self.domainA['id'])
skipping to change at line 3291 skipping to change at line 3290
domain_id=self.domainB['id']) domain_id=self.domainB['id'])
# Create project in domainA # Create project in domainA
projectA = unit.new_project_ref(domain_id=self.domainA['id']) projectA = unit.new_project_ref(domain_id=self.domainA['id'])
PROVIDERS.resource_api.create_project(projectA['id'], projectA) PROVIDERS.resource_api.create_project(projectA['id'], projectA)
# Now we create an implied rule from a role in domainA to a # Now we create an implied rule from a role in domainA to a
# role in domainB # role in domainB
self.put('/roles/%s/implies/%s' % self.put('/roles/%s/implies/%s' %
(self.domainA_role1['id'], self.domainB_role['id']), (self.domainA_role1['id'], self.domainB_role['id']),
expected_status=http_client.CREATED) expected_status=http.client.CREATED)
# A role in domainA can be assigned to a user from domainB # A role in domainA can be assigned to a user from domainB
# only for a project from domainA # only for a project from domainA
PROVIDERS.assignment_api.create_grant( PROVIDERS.assignment_api.create_grant(
self.domainA_role1['id'], user_id=user['id'], self.domainA_role1['id'], user_id=user['id'],
project_id=projectA['id'] project_id=projectA['id']
) )
# The role assignments should return an empty list since domain roles # The role assignments should return an empty list since domain roles
# can only be used to imply another roles # can only be used to imply another roles
assignments = PROVIDERS.assignment_api.list_role_assignments( assignments = PROVIDERS.assignment_api.list_role_assignments(
user_id=user['id'], effective=True) user_id=user['id'], effective=True)
self.assertEqual([], assignments) self.assertEqual([], assignments)
# This also means we can't authenticate using the existing assignment # This also means we can't authenticate using the existing assignment
auth_body = self.build_authentication_request( auth_body = self.build_authentication_request(
user_id=user['id'], user_id=user['id'],
password=user['password'], password=user['password'],
project_id=projectA['id']) project_id=projectA['id'])
self.post('/auth/tokens', body=auth_body, self.post('/auth/tokens', body=auth_body,
expected_status=http_client.UNAUTHORIZED) expected_status=http.client.UNAUTHORIZED)
class ListUserProjectsTestCase(test_v3.RestfulTestCase): class ListUserProjectsTestCase(test_v3.RestfulTestCase):
"""Test for /users/<user>/projects.""" """Test for /users/<user>/projects."""
def load_sample_data(self): def load_sample_data(self):
# do not load base class's data, keep it focused on the tests # do not load base class's data, keep it focused on the tests
self.auths = [] self.auths = []
self.domains = [] self.domains = []
self.projects = [] self.projects = []
skipping to change at line 3380 skipping to change at line 3379
def test_list_head_all(self): def test_list_head_all(self):
for i in range(len(self.users)): for i in range(len(self.users)):
user = self.users[i] user = self.users[i]
auth = self.auths[i] auth = self.auths[i]
url = '/users/%s/projects' % user['id'] url = '/users/%s/projects' % user['id']
result = self.get(url, auth=auth) result = self.get(url, auth=auth)
projects_result = result.json['projects'] projects_result = result.json['projects']
self.assertEqual(1, len(projects_result)) self.assertEqual(1, len(projects_result))
self.assertEqual(self.projects[i]['id'], projects_result[0]['id']) self.assertEqual(self.projects[i]['id'], projects_result[0]['id'])
self.head(url, auth=auth, expected_status=http_client.OK) self.head(url, auth=auth, expected_status=http.client.OK)
def test_list_enabled(self): def test_list_enabled(self):
for i in range(len(self.users)): for i in range(len(self.users)):
user = self.users[i] user = self.users[i]
auth = self.auths[i] auth = self.auths[i]
# There are no disabled projects # There are no disabled projects
url = '/users/%s/projects?enabled=True' % user['id'] url = '/users/%s/projects?enabled=True' % user['id']
result = self.get(url, auth=auth) result = self.get(url, auth=auth)
projects_result = result.json['projects'] projects_result = result.json['projects']
skipping to change at line 3463 skipping to change at line 3462
# validate the role assignment # validate the role assignment
self.head(member_url) self.head(member_url)
# list system roles # list system roles
collection_url = ( collection_url = (
'/system/users/%(user_id)s/roles' % {'user_id': self.user['id']} '/system/users/%(user_id)s/roles' % {'user_id': self.user['id']}
) )
roles = self.get(collection_url).json_body['roles'] roles = self.get(collection_url).json_body['roles']
self.assertEqual(len(roles), 1) self.assertEqual(len(roles), 1)
self.assertEqual(roles[0]['id'], system_role_id) self.assertEqual(roles[0]['id'], system_role_id)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
response = self.get( response = self.get(
'/role_assignments?scope.system=all&user.id=%(user_id)s' % { '/role_assignments?scope.system=all&user.id=%(user_id)s' % {
'user_id': self.user['id'] 'user_id': self.user['id']
} }
) )
self.assertValidRoleAssignmentListResponse(response) self.assertValidRoleAssignmentListResponse(response)
def test_list_role_assignments_for_user_returns_all_assignments(self): def test_list_role_assignments_for_user_returns_all_assignments(self):
system_role_id = self._create_new_role() system_role_id = self._create_new_role()
skipping to change at line 3652 skipping to change at line 3651
self.head(member_url) self.head(member_url)
def test_check_user_does_not_have_system_role_without_assignment(self): def test_check_user_does_not_have_system_role_without_assignment(self):
system_role_id = self._create_new_role() system_role_id = self._create_new_role()
# check the user does't have the system role assignment # check the user does't have the system role assignment
member_url = '/system/users/%(user_id)s/roles/%(role_id)s' % { member_url = '/system/users/%(user_id)s/roles/%(role_id)s' % {
'user_id': self.user['id'], 'user_id': self.user['id'],
'role_id': system_role_id 'role_id': system_role_id
} }
self.head(member_url, expected_status=http_client.NOT_FOUND) self.head(member_url, expected_status=http.client.NOT_FOUND)
response = self.get( response = self.get(
'/role_assignments?scope.system=all&user.id=%(user_id)s' % { '/role_assignments?scope.system=all&user.id=%(user_id)s' % {
'user_id': self.user['id'] 'user_id': self.user['id']
} }
) )
self.assertEqual(len(response.json_body['role_assignments']), 0) self.assertEqual(len(response.json_body['role_assignments']), 0)
self.assertValidRoleAssignmentListResponse(response) self.assertValidRoleAssignmentListResponse(response)
def test_unassign_system_role_from_user(self): def test_unassign_system_role_from_user(self):
skipping to change at line 3707 skipping to change at line 3706
self.assertValidRoleAssignmentListResponse(response, expected_length=0) self.assertValidRoleAssignmentListResponse(response, expected_length=0)
def test_query_for_system_scope_and_domain_scope_fails(self): def test_query_for_system_scope_and_domain_scope_fails(self):
# When asking for assignments and providing query parameters, we # When asking for assignments and providing query parameters, we
# shouldn't be able to ask for two different types of scope. This is # shouldn't be able to ask for two different types of scope. This is
# also true for project + domain scope. # also true for project + domain scope.
path = ( path = (
'/role_assignments?scope.system=all' '/role_assignments?scope.system=all'
'&scope.domain.id=%(domain_id)s' '&scope.domain.id=%(domain_id)s'
) % {'domain_id': self.domain_id} ) % {'domain_id': self.domain_id}
self.get(path, expected_status=http_client.BAD_REQUEST) self.get(path, expected_status=http.client.BAD_REQUEST)
def test_query_for_system_scope_and_project_scope_fails(self): def test_query_for_system_scope_and_project_scope_fails(self):
# When asking for assignments and providing query parameters, we # When asking for assignments and providing query parameters, we
# shouldn't be able to ask for two different types of scope. This is # shouldn't be able to ask for two different types of scope. This is
# also true for project + domain scope. # also true for project + domain scope.
path = ( path = (
'/role_assignments?scope.system=all' '/role_assignments?scope.system=all'
'&scope.project.id=%(project_id)s' '&scope.project.id=%(project_id)s'
) % {'project_id': self.project_id} ) % {'project_id': self.project_id}
self.get(path, expected_status=http_client.BAD_REQUEST) self.get(path, expected_status=http.client.BAD_REQUEST)
def test_query_for_role_id_does_not_return_system_user_roles(self): def test_query_for_role_id_does_not_return_system_user_roles(self):
system_role_id = self._create_new_role() system_role_id = self._create_new_role()
# assign the user a role on the system # assign the user a role on the system
member_url = '/system/users/%(user_id)s/roles/%(role_id)s' % { member_url = '/system/users/%(user_id)s/roles/%(role_id)s' % {
'user_id': self.user['id'], 'user_id': self.user['id'],
'role_id': system_role_id 'role_id': system_role_id
} }
self.put(member_url) self.put(member_url)
skipping to change at line 3766 skipping to change at line 3765
# validate the role assignment # validate the role assignment
self.head(member_url) self.head(member_url)
# list global roles # list global roles
collection_url = '/system/groups/%(group_id)s/roles' % { collection_url = '/system/groups/%(group_id)s/roles' % {
'group_id': group['id'] 'group_id': group['id']
} }
roles = self.get(collection_url).json_body['roles'] roles = self.get(collection_url).json_body['roles']
self.assertEqual(len(roles), 1) self.assertEqual(len(roles), 1)
self.assertEqual(roles[0]['id'], system_role_id) self.assertEqual(roles[0]['id'], system_role_id)
self.head(collection_url, expected_status=http_client.OK) self.head(collection_url, expected_status=http.client.OK)
response = self.get( response = self.get(
'/role_assignments?scope.system=all&group.id=%(group_id)s' % { '/role_assignments?scope.system=all&group.id=%(group_id)s' % {
'group_id': group['id'] 'group_id': group['id']
} }
) )
self.assertValidRoleAssignmentListResponse(response, expected_length=1) self.assertValidRoleAssignmentListResponse(response, expected_length=1)
self.assertEqual( self.assertEqual(
response.json_body['role_assignments'][0]['role']['id'], response.json_body['role_assignments'][0]['role']['id'],
system_role_id system_role_id
skipping to change at line 3788 skipping to change at line 3787
def test_assign_system_role_to_non_existant_group_fails(self): def test_assign_system_role_to_non_existant_group_fails(self):
system_role_id = self._create_new_role() system_role_id = self._create_new_role()
group_id = uuid.uuid4().hex group_id = uuid.uuid4().hex
# assign the role to the group globally # assign the role to the group globally
member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % { member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % {
'group_id': group_id, 'group_id': group_id,
'role_id': system_role_id 'role_id': system_role_id
} }
self.put(member_url, expected_status=http_client.NOT_FOUND) self.put(member_url, expected_status=http.client.NOT_FOUND)
def test_list_role_assignments_for_group_returns_all_assignments(self): def test_list_role_assignments_for_group_returns_all_assignments(self):
system_role_id = self._create_new_role() system_role_id = self._create_new_role()
group = self._create_group() group = self._create_group()
# assign the role to the group globally and on a single project # assign the role to the group globally and on a single project
member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % { member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % {
'group_id': group['id'], 'group_id': group['id'],
'role_id': system_role_id 'role_id': system_role_id
} }
skipping to change at line 3959 skipping to change at line 3958
def test_check_group_does_not_have_system_role_without_assignment(self): def test_check_group_does_not_have_system_role_without_assignment(self):
system_role_id = self._create_new_role() system_role_id = self._create_new_role()
group = self._create_group() group = self._create_group()
# check the group does't have the system role assignment # check the group does't have the system role assignment
member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % { member_url = '/system/groups/%(group_id)s/roles/%(role_id)s' % {
'group_id': group['id'], 'group_id': group['id'],
'role_id': system_role_id 'role_id': system_role_id
} }
self.head(member_url, expected_status=http_client.NOT_FOUND) self.head(member_url, expected_status=http.client.NOT_FOUND)
response = self.get( response = self.get(
'/role_assignments?scope.system=all&group.id=%(group_id)s' % { '/role_assignments?scope.system=all&group.id=%(group_id)s' % {
'group_id': group['id'] 'group_id': group['id']
} }
) )
self.assertValidRoleAssignmentListResponse(response, expected_length=0) self.assertValidRoleAssignmentListResponse(response, expected_length=0)
def test_unassign_system_role_from_group(self): def test_unassign_system_role_from_group(self):
system_role_id = self._create_new_role() system_role_id = self._create_new_role()
 End of changes. 107 change blocks. 
135 lines changed or deleted 134 lines changed or added
