"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_access_rules.py" (13 May 2020, 25271 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_access_rules.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 
   17 from keystone.common import provider_api
   18 import keystone.conf
   19 from keystone.tests.common import auth as common_auth
   20 from keystone.tests import unit
   21 from keystone.tests.unit import base_classes
   22 from keystone.tests.unit import ksfixtures
   23 from keystone.tests.unit.ksfixtures import temporaryfile
   24 
   25 CONF = keystone.conf.CONF
   26 PROVIDERS = provider_api.ProviderAPIs
   27 
   28 
   29 class _UserAccessRuleTests(object):
   30     """Test cases for anyone that has a valid user token."""
   31 
   32     def test_user_can_get_their_access_rules(self):
   33         access_rule_id = uuid.uuid4().hex
   34         app_cred = {
   35             'id': uuid.uuid4().hex,
   36             'name': uuid.uuid4().hex,
   37             'user_id': self.user_id,
   38             'project_id': self.project_id,
   39             'secret': uuid.uuid4().hex,
   40             'access_rules': [{
   41                 'id': access_rule_id,
   42                 'service': uuid.uuid4().hex,
   43                 'path': uuid.uuid4().hex,
   44                 'method': uuid.uuid4().hex[16:]
   45             }]
   46         }
   47         PROVIDERS.application_credential_api.create_application_credential(
   48             app_cred)
   49         with self.test_client() as c:
   50             path = '/v3/users/%s/access_rules/%s' % (
   51                 self.user_id, app_cred['access_rules'][0]['id'])
   52             c.get(path, headers=self.headers)
   53 
   54     def test_user_can_list_their_access_rules(self):
   55         app_cred = {
   56             'id': uuid.uuid4().hex,
   57             'name': uuid.uuid4().hex,
   58             'user_id': self.user_id,
   59             'project_id': self.project_id,
   60             'secret': uuid.uuid4().hex,
   61             'access_rules': [{
   62                 'id': uuid.uuid4().hex,
   63                 'service': uuid.uuid4().hex,
   64                 'path': uuid.uuid4().hex,
   65                 'method': uuid.uuid4().hex[16:]
   66             }]
   67         }
   68         PROVIDERS.application_credential_api.create_application_credential(
   69             app_cred)
   70         with self.test_client() as c:
   71             r = c.get('/v3/users/%s/access_rules' % self.user_id,
   72                       headers=self.headers)
   73             self.assertEqual(len(r.json['access_rules']), 1)
   74 
   75     def test_user_can_delete_their_access_rules(self):
   76         access_rule_id = uuid.uuid4().hex
   77         app_cred = {
   78             'id': uuid.uuid4().hex,
   79             'name': uuid.uuid4().hex,
   80             'user_id': self.user_id,
   81             'project_id': self.project_id,
   82             'secret': uuid.uuid4().hex,
   83             'access_rules': [{
   84                 'id': access_rule_id,
   85                 'service': uuid.uuid4().hex,
   86                 'path': uuid.uuid4().hex,
   87                 'method': uuid.uuid4().hex[16:]
   88             }]
   89         }
   90         PROVIDERS.application_credential_api.create_application_credential(
   91             app_cred)
   92         PROVIDERS.application_credential_api.delete_application_credential(
   93             app_cred['id'])
   94         with self.test_client() as c:
   95             path = '/v3/users/%s/access_rules/%s' % (
   96                 self.user_id, access_rule_id)
   97             c.delete(path, headers=self.headers)
   98 
   99 
  100 class _ProjectUsersTests(object):
  101     """Users who have project role authorization observe the same behavior."""
  102 
  103     def test_user_cannot_get_access_rules_for_other_users(self):
  104         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  105         user = PROVIDERS.identity_api.create_user(user)
  106         project = unit.new_project_ref(
  107             domain_id=CONF.identity.default_domain_id
  108         )
  109         project = PROVIDERS.resource_api.create_project(project['id'], project)
  110         PROVIDERS.assignment_api.create_grant(
  111             self.bootstrapper.member_role_id, user_id=user['id'],
  112             project_id=project['id']
  113         )
  114 
  115         access_rule_id = uuid.uuid4().hex
  116         app_cred = {
  117             'id': uuid.uuid4().hex,
  118             'name': uuid.uuid4().hex,
  119             'user_id': user['id'],
  120             'project_id': project['id'],
  121             'secret': uuid.uuid4().hex,
  122             'access_rules': [{
  123                 'id': access_rule_id,
  124                 'service': uuid.uuid4().hex,
  125                 'path': uuid.uuid4().hex,
  126                 'method': uuid.uuid4().hex[16:]
  127             }]
  128         }
  129         PROVIDERS.application_credential_api.create_application_credential(
  130             app_cred)
  131         with self.test_client() as c:
  132             path = '/v3/users/%s/access_rules/%s' % (
  133                 user['id'], access_rule_id)
  134             c.get(
  135                 path, headers=self.headers,
  136                 expected_status_code=http.client.FORBIDDEN
  137             )
  138 
  139     def test_user_cannot_get_own_non_existent_access_rule_not_found(self):
  140         with self.test_client() as c:
  141             c.get(
  142                 '/v3/users/%s/access_rules/%s' % (
  143                     self.user_id, uuid.uuid4().hex),
  144                 headers=self.headers,
  145                 expected_status_code=http.client.NOT_FOUND
  146             )
  147 
  148     def test_cannot_get_non_existent_access_rule_other_user_forbidden(self):
  149         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  150         user = PROVIDERS.identity_api.create_user(user)
  151         with self.test_client() as c:
  152             c.get(
  153                 '/v3/users/%s/access_rules/%s' % (
  154                     user['id'], uuid.uuid4().hex),
  155                 headers=self.headers,
  156                 expected_status_code=http.client.FORBIDDEN
  157             )
  158 
  159     def test_user_cannot_list_access_rules_for_other_users(self):
  160         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  161         user = PROVIDERS.identity_api.create_user(user)
  162         project = unit.new_project_ref(
  163             domain_id=CONF.identity.default_domain_id
  164         )
  165         project = PROVIDERS.resource_api.create_project(project['id'], project)
  166         PROVIDERS.assignment_api.create_grant(
  167             self.bootstrapper.member_role_id, user_id=user['id'],
  168             project_id=project['id']
  169         )
  170         app_cred = {
  171             'id': uuid.uuid4().hex,
  172             'name': uuid.uuid4().hex,
  173             'user_id': user['id'],
  174             'project_id': project['id'],
  175             'secret': uuid.uuid4().hex,
  176             'access_rules': [{
  177                 'id': uuid.uuid4().hex,
  178                 'service': uuid.uuid4().hex,
  179                 'path': uuid.uuid4().hex,
  180                 'method': uuid.uuid4().hex[16:]
  181             }]
  182         }
  183         PROVIDERS.application_credential_api.create_application_credential(
  184             app_cred)
  185 
  186         with self.test_client() as c:
  187             path = '/v3/users/%s/access_rules' % user['id']
  188             c.get(path, headers=self.headers,
  189                   expected_status_code=http.client.FORBIDDEN)
  190 
  191     def test_user_cannot_delete_access_rules_for_others(self):
  192         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  193         user = PROVIDERS.identity_api.create_user(user)
  194         project = unit.new_project_ref(
  195             domain_id=CONF.identity.default_domain_id
  196         )
  197         project = PROVIDERS.resource_api.create_project(project['id'], project)
  198         PROVIDERS.assignment_api.create_grant(
  199             self.bootstrapper.member_role_id, user_id=user['id'],
  200             project_id=project['id']
  201         )
  202         access_rule_id = uuid.uuid4().hex
  203         app_cred = {
  204             'id': uuid.uuid4().hex,
  205             'name': uuid.uuid4().hex,
  206             'user_id': user['id'],
  207             'project_id': project['id'],
  208             'secret': uuid.uuid4().hex,
  209             'access_rules': [{
  210                 'id': access_rule_id,
  211                 'service': uuid.uuid4().hex,
  212                 'path': uuid.uuid4().hex,
  213                 'method': uuid.uuid4().hex[16:]
  214             }]
  215         }
  216         PROVIDERS.application_credential_api.create_application_credential(
  217             app_cred)
  218         PROVIDERS.application_credential_api.delete_application_credential(
  219             app_cred['id'])
  220         with self.test_client() as c:
  221             path = '/v3/users/%s/access_rules/%s' % (
  222                 user['id'], access_rule_id)
  223             c.delete(
  224                 path, headers=self.headers,
  225                 expected_status_code=http.client.FORBIDDEN
  226             )
  227 
  228     def test_cannot_delete_non_existent_access_rule_other_user_forbidden(self):
  229         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  230         user = PROVIDERS.identity_api.create_user(user)
  231         with self.test_client() as c:
  232             c.delete(
  233                 '/v3/users/%s/access_rules/%s' % (
  234                     user['id'], uuid.uuid4().hex),
  235                 headers=self.headers,
  236                 expected_status_code=http.client.FORBIDDEN
  237             )
  238 
  239 
  240 class _SystemUserAccessRuleTests(object):
  241     """Tests that are common across all system users."""
  242 
  243     def test_user_can_list_access_rules_for_other_users(self):
  244         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  245         user = PROVIDERS.identity_api.create_user(user)
  246         project = unit.new_project_ref(
  247             domain_id=CONF.identity.default_domain_id
  248         )
  249         project = PROVIDERS.resource_api.create_project(project['id'], project)
  250         PROVIDERS.assignment_api.create_grant(
  251             self.bootstrapper.member_role_id, user_id=user['id'],
  252             project_id=project['id']
  253         )
  254 
  255         app_cred = {
  256             'id': uuid.uuid4().hex,
  257             'name': uuid.uuid4().hex,
  258             'user_id': user['id'],
  259             'project_id': project['id'],
  260             'secret': uuid.uuid4().hex,
  261             'access_rules': [{
  262                 'id': uuid.uuid4().hex,
  263                 'service': uuid.uuid4().hex,
  264                 'path': uuid.uuid4().hex,
  265                 'method': uuid.uuid4().hex[16:]
  266             }]
  267         }
  268         PROVIDERS.application_credential_api.create_application_credential(
  269             app_cred)
  270 
  271         with self.test_client() as c:
  272             r = c.get('/v3/users/%s/access_rules' % user['id'],
  273                       headers=self.headers)
  274             self.assertEqual(1, len(r.json['access_rules']))
  275 
  276     def test_user_cannot_get_non_existent_access_rule_not_found(self):
  277         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  278         user = PROVIDERS.identity_api.create_user(user)
  279         with self.test_client() as c:
  280             c.get(
  281                 '/v3/users/%s/access_rules/%s' % (
  282                     user['id'], uuid.uuid4().hex),
  283                 headers=self.headers,
  284                 expected_status_code=http.client.NOT_FOUND
  285             )
  286 
  287 
  288 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  289                         common_auth.AuthTestMixin,
  290                         _SystemUserAccessRuleTests):
  291 
  292     def setUp(self):
  293         super(SystemReaderTests, self).setUp()
  294         self.loadapp()
  295         self.useFixture(ksfixtures.Policy(self.config_fixture))
  296         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  297 
  298         system_reader = unit.new_user_ref(
  299             domain_id=CONF.identity.default_domain_id
  300         )
  301         self.user_id = PROVIDERS.identity_api.create_user(
  302             system_reader
  303         )['id']
  304         PROVIDERS.assignment_api.create_system_grant_for_user(
  305             self.user_id, self.bootstrapper.reader_role_id
  306         )
  307 
  308         auth = self.build_authentication_request(
  309             user_id=self.user_id, password=system_reader['password'],
  310             system=True
  311         )
  312 
  313         # Grab a token using the persona we're testing and prepare headers
  314         # for requests we'll be making in the tests.
  315         with self.test_client() as c:
  316             r = c.post('/v3/auth/tokens', json=auth)
  317             self.token_id = r.headers['X-Subject-Token']
  318             self.headers = {'X-Auth-Token': self.token_id}
  319 
  320     def test_user_cannot_delete_access_rules_for_others(self):
  321         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  322         user = PROVIDERS.identity_api.create_user(user)
  323         project = unit.new_project_ref(
  324             domain_id=CONF.identity.default_domain_id
  325         )
  326         project = PROVIDERS.resource_api.create_project(project['id'], project)
  327         PROVIDERS.assignment_api.create_grant(
  328             self.bootstrapper.member_role_id, user_id=user['id'],
  329             project_id=project['id']
  330         )
  331 
  332         access_rule_id = uuid.uuid4().hex
  333         app_cred = {
  334             'id': uuid.uuid4().hex,
  335             'name': uuid.uuid4().hex,
  336             'user_id': user['id'],
  337             'project_id': project['id'],
  338             'secret': uuid.uuid4().hex,
  339             'access_rules': [{
  340                 'id': access_rule_id,
  341                 'service': uuid.uuid4().hex,
  342                 'path': uuid.uuid4().hex,
  343                 'method': uuid.uuid4().hex[16:]
  344             }]
  345         }
  346         PROVIDERS.application_credential_api.create_application_credential(
  347             app_cred)
  348         PROVIDERS.application_credential_api.delete_application_credential(
  349             app_cred['id'])
  350         with self.test_client() as c:
  351             path = '/v3/users/%s/access_rules/%s' % (
  352                 user['id'], access_rule_id)
  353             c.delete(
  354                 path, headers=self.headers,
  355                 expected_status_code=http.client.FORBIDDEN
  356             )
  357 
  358     def test_user_cannot_delete_non_existent_access_rule_forbidden(self):
  359         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  360         user = PROVIDERS.identity_api.create_user(user)
  361         with self.test_client() as c:
  362             c.delete(
  363                 '/v3/users/%s/access_rules/%s' % (
  364                     user['id'], uuid.uuid4().hex),
  365                 headers=self.headers,
  366                 expected_status_code=http.client.FORBIDDEN
  367             )
  368 
  369 
  370 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
  371                         common_auth.AuthTestMixin,
  372                         _SystemUserAccessRuleTests):
  373 
  374     def setUp(self):
  375         super(SystemMemberTests, self).setUp()
  376         self.loadapp()
  377         self.useFixture(ksfixtures.Policy(self.config_fixture))
  378         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  379 
  380         system_member = unit.new_user_ref(
  381             domain_id=CONF.identity.default_domain_id
  382         )
  383         self.user_id = PROVIDERS.identity_api.create_user(
  384             system_member
  385         )['id']
  386         PROVIDERS.assignment_api.create_system_grant_for_user(
  387             self.user_id, self.bootstrapper.member_role_id
  388         )
  389 
  390         auth = self.build_authentication_request(
  391             user_id=self.user_id, password=system_member['password'],
  392             system=True
  393         )
  394 
  395         # Grab a token using the persona we're testing and prepare headers
  396         # for requests we'll be making in the tests.
  397         with self.test_client() as c:
  398             r = c.post('/v3/auth/tokens', json=auth)
  399             self.token_id = r.headers['X-Subject-Token']
  400             self.headers = {'X-Auth-Token': self.token_id}
  401 
  402     def test_user_cannot_delete_access_rules_for_others(self):
  403         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  404         user = PROVIDERS.identity_api.create_user(user)
  405         project = unit.new_project_ref(
  406             domain_id=CONF.identity.default_domain_id
  407         )
  408         project = PROVIDERS.resource_api.create_project(project['id'], project)
  409         PROVIDERS.assignment_api.create_grant(
  410             self.bootstrapper.member_role_id, user_id=user['id'],
  411             project_id=project['id']
  412         )
  413 
  414         access_rule_id = uuid.uuid4().hex
  415         app_cred = {
  416             'id': uuid.uuid4().hex,
  417             'name': uuid.uuid4().hex,
  418             'user_id': user['id'],
  419             'project_id': project['id'],
  420             'secret': uuid.uuid4().hex,
  421             'access_rules': [{
  422                 'id': access_rule_id,
  423                 'service': uuid.uuid4().hex,
  424                 'path': uuid.uuid4().hex,
  425                 'method': uuid.uuid4().hex[16:]
  426             }]
  427         }
  428         PROVIDERS.application_credential_api.create_application_credential(
  429             app_cred)
  430         PROVIDERS.application_credential_api.delete_application_credential(
  431             app_cred['id'])
  432         with self.test_client() as c:
  433             path = '/v3/users/%s/access_rules/%s' % (
  434                 user['id'], access_rule_id)
  435             c.delete(
  436                 path, headers=self.headers,
  437                 expected_status_code=http.client.FORBIDDEN
  438             )
  439 
  440         with self.test_client() as c:
  441             path = '/v3/users/%s/access_rules/%s' % (
  442                 user['id'], access_rule_id)
  443             c.delete(
  444                 path, headers=self.headers,
  445                 expected_status_code=http.client.FORBIDDEN
  446             )
  447 
  448     def test_user_cannot_delete_non_existent_access_rule_forbidden(self):
  449         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  450         user = PROVIDERS.identity_api.create_user(user)
  451         with self.test_client() as c:
  452             c.delete(
  453                 '/v3/users/%s/access_rules/%s' % (
  454                     user['id'], uuid.uuid4().hex),
  455                 headers=self.headers,
  456                 expected_status_code=http.client.FORBIDDEN
  457             )
  458 
  459 
  460 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
  461                        common_auth.AuthTestMixin,
  462                        _SystemUserAccessRuleTests):
  463 
  464     def setUp(self):
  465         super(SystemAdminTests, self).setUp()
  466         self.loadapp()
  467         self.useFixture(ksfixtures.Policy(self.config_fixture))
  468         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  469 
  470         # Reuse the system administrator account created during
  471         # ``keystone-manage bootstrap``
  472         self.user_id = self.bootstrapper.admin_user_id
  473         auth = self.build_authentication_request(
  474             user_id=self.user_id,
  475             password=self.bootstrapper.admin_password,
  476             system=True
  477         )
  478 
  479         # Grab a token using the persona we're testing and prepare headers
  480         # for requests we'll be making in the tests.
  481         with self.test_client() as c:
  482             r = c.post('/v3/auth/tokens', json=auth)
  483             self.token_id = r.headers['X-Subject-Token']
  484             self.headers = {'X-Auth-Token': self.token_id}
  485 
  486     def test_user_can_delete_access_rules_for_others(self):
  487         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  488         user = PROVIDERS.identity_api.create_user(user)
  489         project = unit.new_project_ref(
  490             domain_id=CONF.identity.default_domain_id
  491         )
  492         project = PROVIDERS.resource_api.create_project(project['id'], project)
  493         PROVIDERS.assignment_api.create_grant(
  494             self.bootstrapper.member_role_id, user_id=user['id'],
  495             project_id=project['id']
  496         )
  497         access_rule_id = uuid.uuid4().hex
  498         app_cred = {
  499             'id': uuid.uuid4().hex,
  500             'name': uuid.uuid4().hex,
  501             'user_id': user['id'],
  502             'project_id': project['id'],
  503             'secret': uuid.uuid4().hex,
  504             'access_rules': [{
  505                 'id': access_rule_id,
  506                 'service': uuid.uuid4().hex,
  507                 'path': uuid.uuid4().hex,
  508                 'method': uuid.uuid4().hex[16:]
  509             }]
  510         }
  511         PROVIDERS.application_credential_api.create_application_credential(
  512             app_cred)
  513         PROVIDERS.application_credential_api.delete_application_credential(
  514             app_cred['id'])
  515 
  516         with self.test_client() as c:
  517             path = '/v3/users/%s/access_rules/%s' % (
  518                 user['id'], access_rule_id)
  519             c.delete(path, headers=self.headers)
  520 
  521     def test_user_cannot_delete_non_existent_access_rule_not_found(self):
  522         user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  523         user = PROVIDERS.identity_api.create_user(user)
  524         with self.test_client() as c:
  525             c.delete(
  526                 '/v3/users/%s/access_rules/%s' % (
  527                     user['id'], uuid.uuid4().hex),
  528                 headers=self.headers,
  529                 expected_status_code=http.client.NOT_FOUND
  530             )
  531 
  532 
  533 class ProjectReaderTests(base_classes.TestCaseWithBootstrap,
  534                          common_auth.AuthTestMixin,
  535                          _UserAccessRuleTests,
  536                          _ProjectUsersTests):
  537 
  538     def setUp(self):
  539         super(ProjectReaderTests, self).setUp()
  540         self.loadapp()
  541         self.useFixture(ksfixtures.Policy(self.config_fixture))
  542         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  543 
  544         project_reader = unit.new_user_ref(
  545             domain_id=CONF.identity.default_domain_id
  546         )
  547         self.user_id = PROVIDERS.identity_api.create_user(
  548             project_reader
  549         )['id']
  550         project = unit.new_project_ref(
  551             domain_id=CONF.identity.default_domain_id
  552         )
  553         self.project_id = PROVIDERS.resource_api.create_project(
  554             project['id'], project
  555         )['id']
  556         PROVIDERS.assignment_api.create_grant(
  557             self.bootstrapper.reader_role_id, user_id=self.user_id,
  558             project_id=self.project_id
  559         )
  560 
  561         auth = self.build_authentication_request(
  562             user_id=self.user_id,
  563             password=project_reader['password'],
  564             project_id=self.project_id
  565         )
  566 
  567         # Grab a token using the persona we're testing and prepare headers
  568         # for requests we'll be making in the tests.
  569         with self.test_client() as c:
  570             r = c.post('/v3/auth/tokens', json=auth)
  571             self.token_id = r.headers['X-Subject-Token']
  572             self.headers = {'X-Auth-Token': self.token_id}
  573 
  574 
  575 class ProjectMemberTests(base_classes.TestCaseWithBootstrap,
  576                          common_auth.AuthTestMixin,
  577                          _UserAccessRuleTests,
  578                          _ProjectUsersTests):
  579 
  580     def setUp(self):
  581         super(ProjectMemberTests, self).setUp()
  582         self.loadapp()
  583         self.useFixture(ksfixtures.Policy(self.config_fixture))
  584         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  585 
  586         project_member = unit.new_user_ref(
  587             domain_id=CONF.identity.default_domain_id
  588         )
  589         self.user_id = PROVIDERS.identity_api.create_user(
  590             project_member
  591         )['id']
  592         project = unit.new_project_ref(
  593             domain_id=CONF.identity.default_domain_id
  594         )
  595         self.project_id = PROVIDERS.resource_api.create_project(
  596             project['id'], project
  597         )['id']
  598         PROVIDERS.assignment_api.create_grant(
  599             self.bootstrapper.member_role_id, user_id=self.user_id,
  600             project_id=self.project_id
  601         )
  602 
  603         auth = self.build_authentication_request(
  604             user_id=self.user_id,
  605             password=project_member['password'],
  606             project_id=self.project_id
  607         )
  608 
  609         # Grab a token using the persona we're testing and prepare headers
  610         # for requests we'll be making in the tests.
  611         with self.test_client() as c:
  612             r = c.post('/v3/auth/tokens', json=auth)
  613             self.token_id = r.headers['X-Subject-Token']
  614             self.headers = {'X-Auth-Token': self.token_id}
  615 
  616 
  617 class ProjectAdminTests(base_classes.TestCaseWithBootstrap,
  618                         common_auth.AuthTestMixin,
  619                         _UserAccessRuleTests,
  620                         _ProjectUsersTests):
  621 
  622     def setUp(self):
  623         super(ProjectAdminTests, self).setUp()
  624         self.loadapp()
  625 
  626         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  627         self.policy_file_name = self.policy_file.file_name
  628         self.useFixture(
  629             ksfixtures.Policy(
  630                 self.config_fixture, policy_file=self.policy_file_name
  631             )
  632         )
  633         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  634 
  635         # Reuse the system administrator account created during
  636         # ``keystone-manage bootstrap``
  637         self.user_id = self.bootstrapper.admin_user_id
  638         self.project_id = self.bootstrapper.project_id
  639         auth = self.build_authentication_request(
  640             user_id=self.user_id,
  641             password=self.bootstrapper.admin_password,
  642             project_id=self.project_id
  643         )
  644 
  645         # Grab a token using the persona we're testing and prepare headers
  646         # for requests we'll be making in the tests.
  647         with self.test_client() as c:
  648             r = c.post('/v3/auth/tokens', json=auth)
  649             self.token_id = r.headers['X-Subject-Token']
  650             self.headers = {'X-Auth-Token': self.token_id}