"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_application_credential.py" (13 May 2020, 25567 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_application_credential.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import datetime
   14 import uuid
   15 
   16 import http.client
   17 from oslo_serialization import jsonutils
   18 
   19 from keystone.common.policies import base as base_policy
   20 from keystone.common import provider_api
   21 import keystone.conf
   22 from keystone.tests.common import auth as common_auth
   23 from keystone.tests import unit
   24 from keystone.tests.unit import base_classes
   25 from keystone.tests.unit import ksfixtures
   26 from keystone.tests.unit.ksfixtures import temporaryfile
   27 
   28 CONF = keystone.conf.CONF
   29 PROVIDERS = provider_api.ProviderAPIs
   30 
   31 
   32 class _TestAppCredBase(base_classes.TestCaseWithBootstrap):
   33     """Base class for application credential tests."""
   34 
   35     def _new_app_cred_data(self, user_id=None, project_id=None, name=None,
   36                            expires=None, system=None):
   37         if not user_id:
   38             user_id = self.app_cred_user_id
   39         if not name:
   40             name = uuid.uuid4().hex
   41         if not expires:
   42             expires = datetime.datetime.utcnow() + datetime.timedelta(days=365)
   43         if not system:
   44             system = uuid.uuid4().hex
   45         if not project_id:
   46             project_id = self.app_cred_project_id
   47         app_cred_data = {
   48             'id': uuid.uuid4().hex,
   49             'name': name,
   50             'description': uuid.uuid4().hex,
   51             'user_id': user_id,
   52             'project_id': project_id,
   53             'system': system,
   54             'expires_at': expires,
   55             'roles': [
   56                 {'id': self.bootstrapper.member_role_id},
   57             ],
   58             'secret': uuid.uuid4().hex,
   59             'unrestricted': False
   60         }
   61         return app_cred_data
   62 
   63     def setUp(self):
   64         super(_TestAppCredBase, self).setUp()
   65 
   66         # create a user and project for app cred testing
   67         new_user_ref = unit.new_user_ref(
   68             domain_id=CONF.identity.default_domain_id
   69         )
   70         app_cred_user_ref = PROVIDERS.identity_api.create_user(
   71             new_user_ref
   72         )
   73         self.app_cred_user_id = app_cred_user_ref['id']
   74         self.app_cred_user_password = new_user_ref['password']
   75         app_cred_project_ref = PROVIDERS.resource_api.create_project(
   76             uuid.uuid4().hex,
   77             unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
   78         )
   79         self.app_cred_project_id = app_cred_project_ref['id']
   80         PROVIDERS.assignment_api.create_grant(
   81             self.bootstrapper.member_role_id,
   82             user_id=self.app_cred_user_id,
   83             project_id=self.app_cred_project_id
   84         )
   85 
   86     def _create_application_credential(self):
   87         app_cred = self._new_app_cred_data()
   88         return \
   89             PROVIDERS.application_credential_api.create_application_credential(
   90                 app_cred)
   91 
   92     def _override_policy(self):
   93         # TODO(gyee): Remove this once the deprecated policies in
   94         # keystone.common.policies.application_credential have been removed.
   95         # This is only here to make sure we test the new policies instead of
   96         # the deprecated ones. Oslo.policy will OR deprecated policies with
   97         # new policies to maintain compatibility and give operators a chance to
   98         # update permissions or update policies without breaking users.
   99         # This will cause these specific tests to fail since we're trying to
  100         # correct this broken behavior with better scope checking.
  101         with open(self.policy_file_name, 'w') as f:
  102             overridden_policies = {
  103                 'identity:get_application_credential': (
  104                     base_policy.RULE_SYSTEM_READER_OR_OWNER),
  105                 'identity:list_application_credentials': (
  106                     base_policy.RULE_SYSTEM_READER_OR_OWNER),
  107                 'identity:create_application_credential': (
  108                     base_policy.RULE_OWNER),
  109                 'identity:delete_application_credential': (
  110                     base_policy.RULE_SYSTEM_ADMIN_OR_OWNER),
  111             }
  112             f.write(jsonutils.dumps(overridden_policies))
  113 
  114 
  115 class _DomainAndProjectUserTests(object):
  116     """Domain and project user tests.
  117 
  118     Domain and project users should not be able to manage application
  119     credentials other then their own.
  120     """
  121 
  122     def test_user_cannot_list_application_credentials(self):
  123         # create a couple of application credentials
  124         self._create_application_credential()
  125         self._create_application_credential()
  126 
  127         with self.test_client() as c:
  128             c.get('/v3/users/%s/application_credentials' % (
  129                   self.app_cred_user_id),
  130                   expected_status_code=http.client.FORBIDDEN,
  131                   headers=self.headers)
  132 
  133     def test_user_cannot_get_application_credential(self):
  134         app_cred = self._create_application_credential()
  135 
  136         with self.test_client() as c:
  137             c.get('/v3/users/%s/application_credentials/%s' % (
  138                   self.app_cred_user_id,
  139                   app_cred['id']),
  140                   expected_status_code=http.client.FORBIDDEN,
  141                   headers=self.headers)
  142 
  143     def test_user_cannot_lookup_application_credential(self):
  144         app_cred = self._create_application_credential()
  145 
  146         with self.test_client() as c:
  147             c.get('/v3/users/%s/application_credentials?name=%s' % (
  148                   self.app_cred_user_id,
  149                   app_cred['name']),
  150                   expected_status_code=http.client.FORBIDDEN,
  151                   headers=self.headers)
  152 
  153     def test_user_cannot_delete_application_credential(self):
  154         app_cred = self._create_application_credential()
  155 
  156         with self.test_client() as c:
  157             c.delete(
  158                 '/v3/users/%s/application_credentials/%s' % (
  159                     self.app_cred_user_id,
  160                     app_cred['id']),
  161                 expected_status_code=http.client.FORBIDDEN,
  162                 headers=self.headers)
  163 
  164     def test_user_cannot_lookup_non_existent_application_credential(self):
  165         with self.test_client() as c:
  166             c.get('/v3/users/%s/application_credentials?name=%s' % (
  167                   self.app_cred_user_id,
  168                   uuid.uuid4().hex),
  169                   expected_status_code=http.client.FORBIDDEN,
  170                   headers=self.headers)
  171 
  172     def test_user_cannot_create_app_credential_for_another_user(self):
  173         # create another user
  174         another_user = unit.new_user_ref(
  175             domain_id=CONF.identity.default_domain_id
  176         )
  177         another_user_id = PROVIDERS.identity_api.create_user(
  178             another_user
  179         )['id']
  180 
  181         app_cred_body = {
  182             'application_credential': unit.new_application_credential_ref(
  183                 roles=[{'id': self.bootstrapper.member_role_id}])
  184         }
  185 
  186         with self.test_client() as c:
  187             c.post(
  188                 '/v3/users/%s/application_credentials' % another_user_id,
  189                 json=app_cred_body,
  190                 expected_status_code=http.client.FORBIDDEN,
  191                 headers=self.headers)
  192 
  193 
  194 class _SystemUserAndOwnerTests(object):
  195     """Common default functionality for all system users and owner."""
  196 
  197     def test_user_can_list_application_credentials(self):
  198         # create a couple of application credentials
  199         self._create_application_credential()
  200         self._create_application_credential()
  201 
  202         with self.test_client() as c:
  203             r = c.get(
  204                 '/v3/users/%s/application_credentials' % (
  205                     self.app_cred_user_id),
  206                 headers=self.headers)
  207             self.assertEqual(2, len(r.json['application_credentials']))
  208 
  209     def test_user_can_get_application_credential(self):
  210         app_cred = self._create_application_credential()
  211 
  212         with self.test_client() as c:
  213             r = c.get(
  214                 '/v3/users/%s/application_credentials/%s' % (
  215                     self.app_cred_user_id,
  216                     app_cred['id']),
  217                 headers=self.headers)
  218             actual_app_cred = r.json['application_credential']
  219             self.assertEqual(app_cred['id'], actual_app_cred['id'])
  220 
  221     def test_user_can_lookup_application_credential(self):
  222         app_cred = self._create_application_credential()
  223 
  224         with self.test_client() as c:
  225             r = c.get(
  226                 '/v3/users/%s/application_credentials?name=%s' % (
  227                     self.app_cred_user_id,
  228                     app_cred['name']),
  229                 headers=self.headers)
  230             self.assertEqual(1, len(r.json['application_credentials']))
  231             actual_app_cred = r.json['application_credentials'][0]
  232             self.assertEqual(app_cred['id'], actual_app_cred['id'])
  233 
  234     def _test_delete_application_credential(
  235             self,
  236             expected_status_code=http.client.NO_CONTENT):
  237         app_cred = self._create_application_credential()
  238 
  239         with self.test_client() as c:
  240             c.delete(
  241                 '/v3/users/%s/application_credentials/%s' % (
  242                     self.app_cred_user_id,
  243                     app_cred['id']),
  244                 expected_status_code=expected_status_code,
  245                 headers=self.headers)
  246 
  247     def test_user_cannot_create_app_credential_for_another_user(self):
  248         # create another user
  249         another_user = unit.new_user_ref(
  250             domain_id=CONF.identity.default_domain_id
  251         )
  252         another_user_id = PROVIDERS.identity_api.create_user(
  253             another_user
  254         )['id']
  255 
  256         app_cred_body = {
  257             'application_credential': unit.new_application_credential_ref(
  258                 roles=[{'id': self.bootstrapper.member_role_id}])
  259         }
  260 
  261         with self.test_client() as c:
  262             c.post(
  263                 '/v3/users/%s/application_credentials' % another_user_id,
  264                 json=app_cred_body,
  265                 expected_status_code=http.client.FORBIDDEN,
  266                 headers=self.headers)
  267 
  268 
  269 class SystemReaderTests(_TestAppCredBase,
  270                         common_auth.AuthTestMixin,
  271                         _SystemUserAndOwnerTests):
  272 
  273     def setUp(self):
  274         super(SystemReaderTests, self).setUp()
  275         self.loadapp()
  276         self.useFixture(ksfixtures.Policy(self.config_fixture))
  277         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  278 
  279         system_reader = unit.new_user_ref(
  280             domain_id=CONF.identity.default_domain_id
  281         )
  282         self.user_id = PROVIDERS.identity_api.create_user(
  283             system_reader
  284         )['id']
  285         PROVIDERS.assignment_api.create_system_grant_for_user(
  286             self.user_id, self.bootstrapper.reader_role_id
  287         )
  288 
  289         auth = self.build_authentication_request(
  290             user_id=self.user_id, password=system_reader['password'],
  291             system=True
  292         )
  293 
  294         # Grab a token using the persona we're testing and prepare headers
  295         # for requests we'll be making in the tests.
  296         with self.test_client() as c:
  297             r = c.post('/v3/auth/tokens', json=auth)
  298             self.token_id = r.headers['X-Subject-Token']
  299             self.headers = {'X-Auth-Token': self.token_id}
  300 
  301     def test_system_reader_cannot_delete_application_credential_for_user(self):
  302         self._test_delete_application_credential(
  303             expected_status_code=http.client.FORBIDDEN)
  304 
  305 
  306 class SystemMemberTests(_TestAppCredBase,
  307                         common_auth.AuthTestMixin,
  308                         _SystemUserAndOwnerTests):
  309 
  310     def setUp(self):
  311         super(SystemMemberTests, self).setUp()
  312         self.loadapp()
  313         self.useFixture(ksfixtures.Policy(self.config_fixture))
  314         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  315 
  316         system_member = unit.new_user_ref(
  317             domain_id=CONF.identity.default_domain_id
  318         )
  319         self.user_id = PROVIDERS.identity_api.create_user(
  320             system_member
  321         )['id']
  322         PROVIDERS.assignment_api.create_system_grant_for_user(
  323             self.user_id, self.bootstrapper.member_role_id
  324         )
  325 
  326         auth = self.build_authentication_request(
  327             user_id=self.user_id, password=system_member['password'],
  328             system=True
  329         )
  330 
  331         # Grab a token using the persona we're testing and prepare headers
  332         # for requests we'll be making in the tests.
  333         with self.test_client() as c:
  334             r = c.post('/v3/auth/tokens', json=auth)
  335             self.token_id = r.headers['X-Subject-Token']
  336             self.headers = {'X-Auth-Token': self.token_id}
  337 
  338     def test_system_reader_cannot_delete_application_credential_for_user(self):
  339         self._test_delete_application_credential(
  340             expected_status_code=http.client.FORBIDDEN)
  341 
  342 
  343 class SystemAdminTests(_TestAppCredBase,
  344                        common_auth.AuthTestMixin,
  345                        _SystemUserAndOwnerTests):
  346 
  347     def setUp(self):
  348         super(SystemAdminTests, self).setUp()
  349         self.loadapp()
  350         self.useFixture(ksfixtures.Policy(self.config_fixture))
  351         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  352 
  353         self.user_id = self.bootstrapper.admin_user_id
  354         auth = self.build_authentication_request(
  355             user_id=self.user_id,
  356             password=self.bootstrapper.admin_password,
  357             system=True
  358         )
  359 
  360         # Grab a token using the persona we're testing and prepare headers
  361         # for requests we'll be making in the tests.
  362         with self.test_client() as c:
  363             r = c.post('/v3/auth/tokens', json=auth)
  364             self.token_id = r.headers['X-Subject-Token']
  365             self.headers = {'X-Auth-Token': self.token_id}
  366 
  367     def test_system_admin_can_delete_application_credential_for_user(self):
  368         self._test_delete_application_credential()
  369 
  370 
  371 class OwnerTests(_TestAppCredBase,
  372                  common_auth.AuthTestMixin,
  373                  _SystemUserAndOwnerTests):
  374 
  375     def setUp(self):
  376         super(OwnerTests, self).setUp()
  377         self.loadapp()
  378 
  379         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  380         self.policy_file_name = self.policy_file.file_name
  381         self.useFixture(
  382             ksfixtures.Policy(
  383                 self.config_fixture, policy_file=self.policy_file_name
  384             )
  385         )
  386 
  387         self._override_policy()
  388         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  389 
  390         # in this case app_cred_user_id and user_id are the same since we
  391         # are testing the owner
  392         self.user_id = self.app_cred_user_id
  393         auth = self.build_authentication_request(
  394             user_id=self.user_id,
  395             password=self.app_cred_user_password,
  396             project_id=self.app_cred_project_id
  397         )
  398 
  399         # Grab a token using the persona we're testing and prepare headers
  400         # for requests we'll be making in the tests.
  401         with self.test_client() as c:
  402             r = c.post('/v3/auth/tokens', json=auth)
  403             self.token_id = r.headers['X-Subject-Token']
  404             self.headers = {'X-Auth-Token': self.token_id}
  405 
  406     def test_create_application_credential_by_owner(self):
  407         app_cred_body = {
  408             'application_credential': unit.new_application_credential_ref()
  409         }
  410 
  411         with self.test_client() as c:
  412             c.post(
  413                 '/v3/users/%s/application_credentials' % self.user_id,
  414                 json=app_cred_body,
  415                 expected_status_code=http.client.CREATED,
  416                 headers=self.headers)
  417 
  418     def test_owner_can_delete_application_credential(self):
  419         self._test_delete_application_credential()
  420 
  421 
  422 class DomainAdminTests(_TestAppCredBase,
  423                        common_auth.AuthTestMixin,
  424                        _DomainAndProjectUserTests):
  425 
  426     def setUp(self):
  427         super(DomainAdminTests, self).setUp()
  428         self.loadapp()
  429 
  430         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  431         self.policy_file_name = self.policy_file.file_name
  432         self.useFixture(
  433             ksfixtures.Policy(
  434                 self.config_fixture, policy_file=self.policy_file_name
  435             )
  436         )
  437 
  438         self._override_policy()
  439         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  440 
  441         domain_admin = unit.new_user_ref(
  442             domain_id=CONF.identity.default_domain_id)
  443         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  444         PROVIDERS.assignment_api.create_grant(
  445             self.bootstrapper.admin_role_id, user_id=self.user_id,
  446             domain_id=CONF.identity.default_domain_id
  447         )
  448 
  449         auth = self.build_authentication_request(
  450             user_id=self.user_id, password=domain_admin['password'],
  451             domain_id=CONF.identity.default_domain_id
  452         )
  453 
  454         # Grab a token using the persona we're testing and prepare headers
  455         # for requests we'll be making in the tests.
  456         with self.test_client() as c:
  457             r = c.post('/v3/auth/tokens', json=auth)
  458             self.token_id = r.headers['X-Subject-Token']
  459             self.headers = {'X-Auth-Token': self.token_id}
  460 
  461 
  462 class DomainReaderTests(_TestAppCredBase,
  463                         common_auth.AuthTestMixin,
  464                         _DomainAndProjectUserTests):
  465 
  466     def setUp(self):
  467         super(DomainReaderTests, self).setUp()
  468         self.loadapp()
  469 
  470         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  471         self.policy_file_name = self.policy_file.file_name
  472         self.useFixture(
  473             ksfixtures.Policy(
  474                 self.config_fixture, policy_file=self.policy_file_name
  475             )
  476         )
  477 
  478         self._override_policy()
  479         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  480 
  481         domain_admin = unit.new_user_ref(
  482             domain_id=CONF.identity.default_domain_id)
  483         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  484         PROVIDERS.assignment_api.create_grant(
  485             self.bootstrapper.reader_role_id, user_id=self.user_id,
  486             domain_id=CONF.identity.default_domain_id
  487         )
  488 
  489         auth = self.build_authentication_request(
  490             user_id=self.user_id, password=domain_admin['password'],
  491             domain_id=CONF.identity.default_domain_id
  492         )
  493 
  494         # Grab a token using the persona we're testing and prepare headers
  495         # for requests we'll be making in the tests.
  496         with self.test_client() as c:
  497             r = c.post('/v3/auth/tokens', json=auth)
  498             self.token_id = r.headers['X-Subject-Token']
  499             self.headers = {'X-Auth-Token': self.token_id}
  500 
  501 
  502 class DomainMemberTests(_TestAppCredBase,
  503                         common_auth.AuthTestMixin,
  504                         _DomainAndProjectUserTests):
  505 
  506     def setUp(self):
  507         super(DomainMemberTests, self).setUp()
  508         self.loadapp()
  509 
  510         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  511         self.policy_file_name = self.policy_file.file_name
  512         self.useFixture(
  513             ksfixtures.Policy(
  514                 self.config_fixture, policy_file=self.policy_file_name
  515             )
  516         )
  517 
  518         self._override_policy()
  519         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  520 
  521         domain_admin = unit.new_user_ref(
  522             domain_id=CONF.identity.default_domain_id)
  523         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  524         PROVIDERS.assignment_api.create_grant(
  525             self.bootstrapper.member_role_id, user_id=self.user_id,
  526             domain_id=CONF.identity.default_domain_id
  527         )
  528 
  529         auth = self.build_authentication_request(
  530             user_id=self.user_id, password=domain_admin['password'],
  531             domain_id=CONF.identity.default_domain_id
  532         )
  533 
  534         # Grab a token using the persona we're testing and prepare headers
  535         # for requests we'll be making in the tests.
  536         with self.test_client() as c:
  537             r = c.post('/v3/auth/tokens', json=auth)
  538             self.token_id = r.headers['X-Subject-Token']
  539             self.headers = {'X-Auth-Token': self.token_id}
  540 
  541 
  542 class ProjectAdminTests(_TestAppCredBase,
  543                         common_auth.AuthTestMixin,
  544                         _DomainAndProjectUserTests):
  545 
  546     def setUp(self):
  547         super(ProjectAdminTests, self).setUp()
  548         self.loadapp()
  549 
  550         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  551         self.policy_file_name = self.policy_file.file_name
  552         self.useFixture(
  553             ksfixtures.Policy(
  554                 self.config_fixture, policy_file=self.policy_file_name
  555             )
  556         )
  557 
  558         self._override_policy()
  559         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  560 
  561         project_admin = unit.new_user_ref(
  562             domain_id=CONF.identity.default_domain_id)
  563         self.user_id = PROVIDERS.identity_api.create_user(project_admin)['id']
  564         # even project admin of project where the app credential
  565         # is intended for cannot perform app credential operations
  566         PROVIDERS.assignment_api.create_grant(
  567             self.bootstrapper.admin_role_id,
  568             user_id=self.user_id,
  569             project_id=self.app_cred_project_id
  570         )
  571         auth = self.build_authentication_request(
  572             user_id=self.user_id, password=project_admin['password'],
  573             project_id=self.app_cred_project_id
  574         )
  575 
  576         # Grab a token using the persona we're testing and prepare headers
  577         # for requests we'll be making in the tests.
  578         with self.test_client() as c:
  579             r = c.post('/v3/auth/tokens', json=auth)
  580             self.token_id = r.headers['X-Subject-Token']
  581             self.headers = {'X-Auth-Token': self.token_id}
  582 
  583 
  584 class ProjectReaderTests(_TestAppCredBase,
  585                          common_auth.AuthTestMixin,
  586                          _DomainAndProjectUserTests):
  587 
  588     def setUp(self):
  589         super(ProjectReaderTests, self).setUp()
  590         self.loadapp()
  591 
  592         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  593         self.policy_file_name = self.policy_file.file_name
  594         self.useFixture(
  595             ksfixtures.Policy(
  596                 self.config_fixture, policy_file=self.policy_file_name
  597             )
  598         )
  599 
  600         self._override_policy()
  601         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  602 
  603         project_admin = unit.new_user_ref(
  604             domain_id=CONF.identity.default_domain_id)
  605         self.user_id = PROVIDERS.identity_api.create_user(project_admin)['id']
  606         # even project admin of project where the app credential
  607         # is intended for cannot perform app credential operations
  608         PROVIDERS.assignment_api.create_grant(
  609             self.bootstrapper.reader_role_id,
  610             user_id=self.user_id,
  611             project_id=self.app_cred_project_id
  612         )
  613         auth = self.build_authentication_request(
  614             user_id=self.user_id, password=project_admin['password'],
  615             project_id=self.app_cred_project_id
  616         )
  617 
  618         # Grab a token using the persona we're testing and prepare headers
  619         # for requests we'll be making in the tests.
  620         with self.test_client() as c:
  621             r = c.post('/v3/auth/tokens', json=auth)
  622             self.token_id = r.headers['X-Subject-Token']
  623             self.headers = {'X-Auth-Token': self.token_id}
  624 
  625 
  626 class ProjectMemberTests(_TestAppCredBase,
  627                          common_auth.AuthTestMixin,
  628                          _DomainAndProjectUserTests):
  629 
  630     def setUp(self):
  631         super(ProjectMemberTests, self).setUp()
  632         self.loadapp()
  633 
  634         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  635         self.policy_file_name = self.policy_file.file_name
  636         self.useFixture(
  637             ksfixtures.Policy(
  638                 self.config_fixture, policy_file=self.policy_file_name
  639             )
  640         )
  641 
  642         self._override_policy()
  643         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  644 
  645         project_admin = unit.new_user_ref(
  646             domain_id=CONF.identity.default_domain_id)
  647         self.user_id = PROVIDERS.identity_api.create_user(project_admin)['id']
  648         # even project admin of project where the app credential
  649         # is intended for cannot perform app credential operations
  650         PROVIDERS.assignment_api.create_grant(
  651             self.bootstrapper.member_role_id,
  652             user_id=self.user_id,
  653             project_id=self.app_cred_project_id
  654         )
  655         auth = self.build_authentication_request(
  656             user_id=self.user_id, password=project_admin['password'],
  657             project_id=self.app_cred_project_id
  658         )
  659 
  660         # Grab a token using the persona we're testing and prepare headers
  661         # for requests we'll be making in the tests.
  662         with self.test_client() as c:
  663             r = c.post('/v3/auth/tokens', json=auth)
  664             self.token_id = r.headers['X-Subject-Token']
  665             self.headers = {'X-Auth-Token': self.token_id}