"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_domain_config.py" (13 May 2020, 28838 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_domain_config.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 
   17 from keystone.common import provider_api
   18 import keystone.conf
   19 from keystone.tests.common import auth as common_auth
   20 from keystone.tests import unit
   21 from keystone.tests.unit import base_classes
   22 from keystone.tests.unit import ksfixtures
   23 
   24 CONF = keystone.conf.CONF
   25 PROVIDERS = provider_api.ProviderAPIs
   26 
   27 
   28 class _SystemDomainAndProjectUserDomainConfigTests(object):
   29 
   30     def test_user_can_get_security_compliance_domain_config(self):
   31         # Set the security compliance configuration options
   32         password_regex = uuid.uuid4().hex
   33         password_regex_description = uuid.uuid4().hex
   34         self.config_fixture.config(
   35             group='security_compliance',
   36             password_regex=password_regex
   37         )
   38         self.config_fixture.config(
   39             group='security_compliance',
   40             password_regex_description=password_regex_description
   41         )
   42         with self.test_client() as c:
   43             c.get('/v3/domains/%s/config/security_compliance'
   44                   % CONF.identity.default_domain_id, headers=self.headers)
   45 
   46     def test_user_can_get_security_compliance_domain_config_option(self):
   47         password_regex_description = uuid.uuid4().hex
   48         self.config_fixture.config(
   49             group='security_compliance',
   50             password_regex_description=password_regex_description
   51         )
   52         with self.test_client() as c:
   53             c.get('/v3/domains/%s/config/security_compliance'
   54                   '/password_regex_description'
   55                   % CONF.identity.default_domain_id, headers=self.headers)
   56 
   57     def test_can_get_security_compliance_config_with_user_from_other_domain(self):  # noqa: E501
   58         domain = unit.new_domain_ref()
   59         PROVIDERS.resource_api.create_domain(domain['id'], domain)
   60 
   61         # Create a user in the new domain
   62         user = unit.create_user(PROVIDERS.identity_api, domain['id'])
   63 
   64         # Create a project in the new domain
   65         project = unit.new_project_ref(domain_id=domain['id'])
   66         PROVIDERS.resource_api.create_project(project['id'], project)
   67 
   68         role = unit.new_role_ref()
   69         PROVIDERS.role_api.create_role(role['id'], role)
   70 
   71         # Give the new user a non-admin role on the project
   72         PROVIDERS.assignment_api.add_role_to_user_and_project(
   73             user['id'],
   74             project['id'],
   75             role['id']
   76         )
   77         password_regex = uuid.uuid4().hex
   78         password_regex_description = uuid.uuid4().hex
   79         group = 'security_compliance'
   80         self.config_fixture.config(
   81             group=group,
   82             password_regex=password_regex
   83         )
   84         self.config_fixture.config(
   85             group=group,
   86             password_regex_description=password_regex_description
   87         )
   88         with self.test_client() as c:
   89             c.get('/v3/domains/%s/config/security_compliance'
   90                   % CONF.identity.default_domain_id, headers=self.headers)
   91 
   92 
   93 class _SystemUserDomainConfigTests(object):
   94 
   95     def test_user_can_get_domain_config(self):
   96         domain = PROVIDERS.resource_api.create_domain(
   97             uuid.uuid4().hex, unit.new_domain_ref()
   98         )
   99         PROVIDERS.domain_config_api.create_config(
  100             domain['id'], unit.new_domain_config_ref())
  101         with self.test_client() as c:
  102             c.get('/v3/domains/%s/config'
  103                   % domain['id'], headers=self.headers)
  104 
  105     def test_user_can_get_domain_group_config(self):
  106         domain = PROVIDERS.resource_api.create_domain(
  107             uuid.uuid4().hex, unit.new_domain_ref()
  108         )
  109         PROVIDERS.domain_config_api.create_config(
  110             domain['id'], unit.new_domain_config_ref())
  111         with self.test_client() as c:
  112             c.get('/v3/domains/%s/config/ldap'
  113                   % domain['id'], headers=self.headers)
  114 
  115     def test_user_can_get_config_by_group_invalid_domain(self):
  116         domain = PROVIDERS.resource_api.create_domain(
  117             uuid.uuid4().hex, unit.new_domain_ref()
  118         )
  119         PROVIDERS.domain_config_api.create_config(
  120             domain['id'], unit.new_domain_config_ref())
  121         invalid_domain_id = uuid.uuid4().hex
  122         with self.test_client() as c:
  123             c.get('/v3/domains/%s/config/ldap'
  124                   % invalid_domain_id, headers=self.headers,
  125                   expected_status_code=http.client.NOT_FOUND)
  126 
  127     def test_user_can_get_non_existent_config(self):
  128         domain = PROVIDERS.resource_api.create_domain(
  129             uuid.uuid4().hex, unit.new_domain_ref()
  130         )
  131         with self.test_client() as c:
  132             c.get('/v3/domains/%s/config' % domain['id'], headers=self.headers,
  133                   expected_status_code=http.client.NOT_FOUND)
  134 
  135     def test_user_can_get_non_existent_config_group_invalid_domain(self):
  136         domain = PROVIDERS.resource_api.create_domain(
  137             uuid.uuid4().hex, unit.new_domain_ref()
  138         )
  139         config = {'ldap': {'url': uuid.uuid4().hex}}
  140         PROVIDERS.domain_config_api.create_config(domain['id'], config)
  141         invalid_domain_id = uuid.uuid4().hex
  142         with self.test_client() as c:
  143             c.get('/v3/domains/%s/config/ldap'
  144                   % invalid_domain_id, headers=self.headers,
  145                   expected_status_code=http.client.NOT_FOUND)
  146 
  147     def test_user_can_get_domain_config_option(self):
  148         domain = PROVIDERS.resource_api.create_domain(
  149             uuid.uuid4().hex, unit.new_domain_ref()
  150         )
  151         PROVIDERS.domain_config_api.create_config(
  152             domain['id'], unit.new_domain_config_ref())
  153         with self.test_client() as c:
  154             c.get('/v3/domains/%s/config/ldap/url'
  155                   % domain['id'], headers=self.headers)
  156 
  157     def test_user_can_get_non_existent_config_option(self):
  158         domain = PROVIDERS.resource_api.create_domain(
  159             uuid.uuid4().hex, unit.new_domain_ref()
  160         )
  161         config = {'ldap': {'url': uuid.uuid4().hex}}
  162         PROVIDERS.domain_config_api.create_config(domain['id'], config)
  163         with self.test_client() as c:
  164             c.get('/v3/domains/%s/config/ldap/user_tree_dn'
  165                   % domain['id'], headers=self.headers,
  166                   expected_status_code=http.client.NOT_FOUND)
  167 
  168     def test_user_can_get_non_existent_config_option_invalid_domain(self):
  169         domain = PROVIDERS.resource_api.create_domain(
  170             uuid.uuid4().hex, unit.new_domain_ref()
  171         )
  172         config = {'ldap': {'url': uuid.uuid4().hex}}
  173         PROVIDERS.domain_config_api.create_config(domain['id'], config)
  174         invalid_domain_id = uuid.uuid4().hex
  175         with self.test_client() as c:
  176             c.get('/v3/domains/%s/config/ldap/user_tree_dn'
  177                   % invalid_domain_id, headers=self.headers,
  178                   expected_status_code=http.client.NOT_FOUND)
  179 
  180     def test_user_can_get_security_compliance_domain_config(self):
  181         # Set the security compliance configuration options
  182         password_regex = uuid.uuid4().hex
  183         password_regex_description = uuid.uuid4().hex
  184         self.config_fixture.config(
  185             group='security_compliance',
  186             password_regex=password_regex
  187         )
  188         self.config_fixture.config(
  189             group='security_compliance',
  190             password_regex_description=password_regex_description
  191         )
  192         with self.test_client() as c:
  193             c.get('/v3/domains/%s/config/security_compliance'
  194                   % CONF.identity.default_domain_id, headers=self.headers)
  195 
  196     def test_user_can_get_security_compliance_domain_config_option(self):
  197         password_regex_description = uuid.uuid4().hex
  198         self.config_fixture.config(
  199             group='security_compliance',
  200             password_regex_description=password_regex_description
  201         )
  202         with self.test_client() as c:
  203             c.get('/v3/domains/%s/config/security_compliance'
  204                   '/password_regex_description'
  205                   % CONF.identity.default_domain_id, headers=self.headers)
  206 
  207     def test_can_get_security_compliance_config_with_user_from_other_domain(self):  # noqa: E501
  208         domain = unit.new_domain_ref()
  209         PROVIDERS.resource_api.create_domain(domain['id'], domain)
  210 
  211         password_regex = uuid.uuid4().hex
  212         password_regex_description = uuid.uuid4().hex
  213         group = 'security_compliance'
  214         self.config_fixture.config(
  215             group=group,
  216             password_regex=password_regex
  217         )
  218         self.config_fixture.config(
  219             group=group,
  220             password_regex_description=password_regex_description
  221         )
  222         with self.test_client() as c:
  223             c.get('/v3/domains/%s/config/security_compliance'
  224                   % CONF.identity.default_domain_id, headers=self.headers)
  225 
  226     def test_user_can_get_domain_config_default(self):
  227         with self.test_client() as c:
  228             c.get('/v3/domains/config/default', headers=self.headers)
  229 
  230     def test_user_can_get_domain_group_config_default(self):
  231         with self.test_client() as c:
  232             c.get('/v3/domains/config/ldap/default', headers=self.headers)
  233 
  234     def test_user_can_get_domain_config_option_default(self):
  235         with self.test_client() as c:
  236             c.get('/v3/domains/config/ldap/url/default', headers=self.headers)
  237 
  238 
  239 class _SystemReaderMemberDomainAndProjectUserDomainConfigTests(object):
  240 
  241     def test_user_cannot_create_domain_config(self):
  242         domain = PROVIDERS.resource_api.create_domain(
  243             uuid.uuid4().hex, unit.new_domain_ref()
  244         )
  245         with self.test_client() as c:
  246             c.put('/v3/domains/%s/config'
  247                   % domain['id'],
  248                   json={'config': unit.new_domain_config_ref()},
  249                   headers=self.headers,
  250                   expected_status_code=http.client.FORBIDDEN)
  251 
  252     def test_user_cannot_update_domain_config(self):
  253         domain = PROVIDERS.resource_api.create_domain(
  254             uuid.uuid4().hex, unit.new_domain_ref()
  255         )
  256         PROVIDERS.domain_config_api.create_config(
  257             domain['id'], unit.new_domain_config_ref())
  258         new_config = {'ldap': {'url': uuid.uuid4().hex},
  259                       'identity': {'driver': uuid.uuid4().hex}}
  260         with self.test_client() as c:
  261             c.patch('/v3/domains/%s/config'
  262                     % domain['id'], json={'config': new_config},
  263                     headers=self.headers,
  264                     expected_status_code=http.client.FORBIDDEN)
  265 
  266     def test_user_cannot_update_domain_group_config(self):
  267         domain = PROVIDERS.resource_api.create_domain(
  268             uuid.uuid4().hex, unit.new_domain_ref()
  269         )
  270         PROVIDERS.domain_config_api.create_config(
  271             domain['id'], unit.new_domain_config_ref())
  272         new_config = {'ldap': {'url': uuid.uuid4().hex,
  273                                'user_filter': uuid.uuid4().hex}}
  274         with self.test_client() as c:
  275             c.patch('/v3/domains/%s/config/ldap'
  276                     % domain['id'], json={'config': new_config},
  277                     headers=self.headers,
  278                     expected_status_code=http.client.FORBIDDEN)
  279 
  280     def test_user_cannot_update_domain_config_option(self):
  281         domain = PROVIDERS.resource_api.create_domain(
  282             uuid.uuid4().hex, unit.new_domain_ref()
  283         )
  284         new_config = {'url': uuid.uuid4().hex}
  285         PROVIDERS.domain_config_api.create_config(
  286             domain['id'], unit.new_domain_config_ref())
  287         with self.test_client() as c:
  288             c.patch('/v3/domains/%s/config/ldap/url'
  289                     % domain['id'],
  290                     json={'config': new_config},
  291                     headers=self.headers,
  292                     expected_status_code=http.client.FORBIDDEN)
  293 
  294     def test_user_cannot_delete_domain_config(self):
  295         domain = PROVIDERS.resource_api.create_domain(
  296             uuid.uuid4().hex, unit.new_domain_ref()
  297         )
  298         PROVIDERS.domain_config_api.create_config(
  299             domain['id'], unit.new_domain_config_ref())
  300         with self.test_client() as c:
  301             c.delete('/v3/domains/%s/config' % domain['id'],
  302                      headers=self.headers,
  303                      expected_status_code=http.client.FORBIDDEN)
  304 
  305     def test_user_cannot_delete_domain_group_config(self):
  306         domain = PROVIDERS.resource_api.create_domain(
  307             uuid.uuid4().hex, unit.new_domain_ref()
  308         )
  309         PROVIDERS.domain_config_api.create_config(
  310             domain['id'], unit.new_domain_config_ref())
  311         with self.test_client() as c:
  312             c.delete('/v3/domains/%s/config/ldap'
  313                      % domain['id'], headers=self.headers,
  314                      expected_status_code=http.client.FORBIDDEN)
  315 
  316     def test_user_cannot_delete_domain_config_option(self):
  317         domain = PROVIDERS.resource_api.create_domain(
  318             uuid.uuid4().hex, unit.new_domain_ref()
  319         )
  320         PROVIDERS.domain_config_api.create_config(
  321             domain['id'], unit.new_domain_config_ref())
  322         with self.test_client() as c:
  323             c.delete('/v3/domains/%s/config/ldap/url'
  324                      % domain['id'], headers=self.headers,
  325                      expected_status_code=http.client.FORBIDDEN)
  326 
  327 
  328 class _DomainAndProjectUserDomainConfigTests(object):
  329 
  330     def test_user_cannot_get_domain_config(self):
  331         domain = PROVIDERS.resource_api.create_domain(
  332             uuid.uuid4().hex, unit.new_domain_ref()
  333         )
  334         PROVIDERS.domain_config_api.create_config(
  335             domain['id'], unit.new_domain_config_ref())
  336         with self.test_client() as c:
  337             c.get('/v3/domains/%s/config'
  338                   % domain['id'], headers=self.headers,
  339                   expected_status_code=http.client.FORBIDDEN)
  340 
  341     def test_user_cannot_get_domain_group_config(self):
  342         domain = PROVIDERS.resource_api.create_domain(
  343             uuid.uuid4().hex, unit.new_domain_ref()
  344         )
  345         PROVIDERS.domain_config_api.create_config(
  346             domain['id'], unit.new_domain_config_ref())
  347         with self.test_client() as c:
  348             c.get('/v3/domains/%s/config/ldap'
  349                   % domain['id'], headers=self.headers,
  350                   expected_status_code=http.client.FORBIDDEN)
  351 
  352     def test_user_cannot_get_non_existant_config(self):
  353         domain = PROVIDERS.resource_api.create_domain(
  354             uuid.uuid4().hex, unit.new_domain_ref()
  355         )
  356         with self.test_client() as c:
  357             c.get('/v3/domains/%s/config' % domain['id'], headers=self.headers,
  358                   expected_status_code=http.client.FORBIDDEN)
  359 
  360     def test_user_cannot_get_domain_config_option(self):
  361         domain = PROVIDERS.resource_api.create_domain(
  362             uuid.uuid4().hex, unit.new_domain_ref()
  363         )
  364         PROVIDERS.domain_config_api.create_config(
  365             domain['id'], unit.new_domain_config_ref())
  366         with self.test_client() as c:
  367             c.get('/v3/domains/%s/config/ldap/url'
  368                   % domain['id'], headers=self.headers,
  369                   expected_status_code=http.client.FORBIDDEN)
  370 
  371     def test_user_cannot_get_domain_config_default(self):
  372         with self.test_client() as c:
  373             c.get('/v3/domains/config/default', headers=self.headers,
  374                   expected_status_code=http.client.FORBIDDEN)
  375 
  376     def test_user_cannot_get_domain_group_config_default(self):
  377         with self.test_client() as c:
  378             c.get('/v3/domains/config/ldap/default', headers=self.headers,
  379                   expected_status_code=http.client.FORBIDDEN)
  380 
  381     def test_user_cannot_get_domain_config_option_default(self):
  382         with self.test_client() as c:
  383             c.get('/v3/domains/config/ldap/url/default', headers=self.headers,
  384                   expected_status_code=http.client.FORBIDDEN)
  385 
  386 
  387 class SystemReaderTests(
  388         base_classes.TestCaseWithBootstrap,
  389         common_auth.AuthTestMixin,
  390         _SystemUserDomainConfigTests,
  391         _SystemReaderMemberDomainAndProjectUserDomainConfigTests,
  392         _SystemDomainAndProjectUserDomainConfigTests):
  393 
  394     def setUp(self):
  395         super(SystemReaderTests, self).setUp()
  396         self.loadapp()
  397         self.useFixture(ksfixtures.Policy(self.config_fixture))
  398         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  399 
  400         system_reader = unit.new_user_ref(
  401             domain_id=CONF.identity.default_domain_id
  402         )
  403         self.user_id = PROVIDERS.identity_api.create_user(
  404             system_reader
  405         )['id']
  406         PROVIDERS.assignment_api.create_system_grant_for_user(
  407             self.user_id, self.bootstrapper.reader_role_id
  408         )
  409 
  410         auth = self.build_authentication_request(
  411             user_id=self.user_id, password=system_reader['password'],
  412             system=True
  413         )
  414 
  415         # Grab a token using the persona we're testing and prepare headers
  416         # for requests we'll be making in the tests.
  417         with self.test_client() as c:
  418             r = c.post('/v3/auth/tokens', json=auth)
  419             self.token_id = r.headers['X-Subject-Token']
  420             self.headers = {'X-Auth-Token': self.token_id}
  421 
  422 
  423 class SystemMemberTests(
  424         base_classes.TestCaseWithBootstrap,
  425         common_auth.AuthTestMixin,
  426         _SystemUserDomainConfigTests,
  427         _SystemReaderMemberDomainAndProjectUserDomainConfigTests,
  428         _SystemDomainAndProjectUserDomainConfigTests):
  429 
  430     def setUp(self):
  431         super(SystemMemberTests, self).setUp()
  432         self.loadapp()
  433         self.useFixture(ksfixtures.Policy(self.config_fixture))
  434         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  435 
  436         system_member = unit.new_user_ref(
  437             domain_id=CONF.identity.default_domain_id
  438         )
  439         self.user_id = PROVIDERS.identity_api.create_user(
  440             system_member
  441         )['id']
  442         PROVIDERS.assignment_api.create_system_grant_for_user(
  443             self.user_id, self.bootstrapper.member_role_id
  444         )
  445 
  446         auth = self.build_authentication_request(
  447             user_id=self.user_id, password=system_member['password'],
  448             system=True
  449         )
  450 
  451         # Grab a token using the persona we're testing and prepare headers
  452         # for requests we'll be making in the tests.
  453         with self.test_client() as c:
  454             r = c.post('/v3/auth/tokens', json=auth)
  455             self.token_id = r.headers['X-Subject-Token']
  456             self.headers = {'X-Auth-Token': self.token_id}
  457 
  458 
  459 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
  460                        common_auth.AuthTestMixin,
  461                        _SystemUserDomainConfigTests,
  462                        _SystemDomainAndProjectUserDomainConfigTests):
  463 
  464     def setUp(self):
  465         super(SystemAdminTests, self).setUp()
  466         self.loadapp()
  467         self.useFixture(ksfixtures.Policy(self.config_fixture))
  468         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  469 
  470         # Reuse the system administrator account created during
  471         # ``keystone-manage bootstrap``
  472         self.user_id = self.bootstrapper.admin_user_id
  473         auth = self.build_authentication_request(
  474             user_id=self.user_id,
  475             password=self.bootstrapper.admin_password,
  476             system=True
  477         )
  478 
  479         # Grab a token using the persona we're testing and prepare headers
  480         # for requests we'll be making in the tests.
  481         with self.test_client() as c:
  482             r = c.post('/v3/auth/tokens', json=auth)
  483             self.token_id = r.headers['X-Subject-Token']
  484             self.headers = {'X-Auth-Token': self.token_id}
  485 
  486     def test_user_can_create_domain_config(self):
  487         domain = PROVIDERS.resource_api.create_domain(
  488             uuid.uuid4().hex, unit.new_domain_ref()
  489         )
  490         with self.test_client() as c:
  491             c.put('/v3/domains/%s/config'
  492                   % domain['id'],
  493                   json={'config': unit.new_domain_config_ref()},
  494                   headers=self.headers,
  495                   expected_status_code=http.client.CREATED)
  496 
  497     def test_user_cannot_create_invalid_domain_config(self):
  498         invalid_domain_id = uuid.uuid4().hex
  499         with self.test_client() as c:
  500             c.put('/v3/domains/%s/config'
  501                   % invalid_domain_id,
  502                   json={'config': unit.new_domain_config_ref()},
  503                   headers=self.headers,
  504                   expected_status_code=http.client.NOT_FOUND)
  505 
  506     def test_user_can_update_domain_config(self):
  507         domain = PROVIDERS.resource_api.create_domain(
  508             uuid.uuid4().hex, unit.new_domain_ref()
  509         )
  510         new_config = {'ldap': {'url': uuid.uuid4().hex},
  511                       'identity': {'driver': uuid.uuid4().hex}}
  512         PROVIDERS.domain_config_api.create_config(
  513             domain['id'], unit.new_domain_config_ref())
  514         with self.test_client() as c:
  515             c.patch('/v3/domains/%s/config'
  516                     % domain['id'], json={'config': new_config},
  517                     headers=self.headers)
  518 
  519     def test_user_can_update_domain_group_config(self):
  520         domain = PROVIDERS.resource_api.create_domain(
  521             uuid.uuid4().hex, unit.new_domain_ref()
  522         )
  523         new_config = {'ldap': {'url': uuid.uuid4().hex,
  524                                'user_filter': uuid.uuid4().hex}}
  525         PROVIDERS.domain_config_api.create_config(
  526             domain['id'], unit.new_domain_config_ref())
  527         with self.test_client() as c:
  528             c.patch('/v3/domains/%s/config/ldap'
  529                     % domain['id'], json={'config': new_config},
  530                     headers=self.headers)
  531 
  532     def test_user_can_update_domain_config_option(self):
  533         domain = PROVIDERS.resource_api.create_domain(
  534             uuid.uuid4().hex, unit.new_domain_ref()
  535         )
  536         new_config = {'url': uuid.uuid4().hex}
  537         PROVIDERS.domain_config_api.create_config(
  538             domain['id'], unit.new_domain_config_ref())
  539         with self.test_client() as c:
  540             c.patch('/v3/domains/%s/config/ldap/url'
  541                     % domain['id'], json={'config': new_config},
  542                     headers=self.headers)
  543 
  544     def test_user_can_delete_domain_config(self):
  545         domain = PROVIDERS.resource_api.create_domain(
  546             uuid.uuid4().hex, unit.new_domain_ref()
  547         )
  548         PROVIDERS.domain_config_api.create_config(
  549             domain['id'], unit.new_domain_config_ref())
  550         with self.test_client() as c:
  551             c.delete('/v3/domains/%s/config' % domain['id'],
  552                      headers=self.headers)
  553 
  554     def test_user_can_delete_domain_group_config(self):
  555         domain = PROVIDERS.resource_api.create_domain(
  556             uuid.uuid4().hex, unit.new_domain_ref()
  557         )
  558         PROVIDERS.domain_config_api.create_config(
  559             domain['id'], unit.new_domain_config_ref())
  560         with self.test_client() as c:
  561             c.delete('/v3/domains/%s/config/ldap'
  562                      % domain['id'], headers=self.headers)
  563 
  564     def test_user_can_delete_domain_config_option(self):
  565         domain = PROVIDERS.resource_api.create_domain(
  566             uuid.uuid4().hex, unit.new_domain_ref()
  567         )
  568         PROVIDERS.domain_config_api.create_config(
  569             domain['id'], unit.new_domain_config_ref())
  570         with self.test_client() as c:
  571             c.delete('/v3/domains/%s/config/ldap/url'
  572                      % domain['id'], headers=self.headers)
  573 
  574     def test_user_cannot_delete_invalid_domain_config(self):
  575         domain = PROVIDERS.resource_api.create_domain(
  576             uuid.uuid4().hex, unit.new_domain_ref()
  577         )
  578         PROVIDERS.domain_config_api.create_config(
  579             domain['id'], unit.new_domain_config_ref())
  580         invalid_domain_id = uuid.uuid4().hex
  581         with self.test_client() as c:
  582             c.delete('/v3/domains/%s/config' % invalid_domain_id,
  583                      headers=self.headers,
  584                      expected_status_code=http.client.NOT_FOUND)
  585 
  586 
  587 class DomainUserTests(
  588         base_classes.TestCaseWithBootstrap,
  589         common_auth.AuthTestMixin,
  590         _SystemDomainAndProjectUserDomainConfigTests,
  591         _DomainAndProjectUserDomainConfigTests,
  592         _SystemReaderMemberDomainAndProjectUserDomainConfigTests):
  593 
  594     def setUp(self):
  595         super(DomainUserTests, self).setUp()
  596         self.loadapp()
  597         self.useFixture(ksfixtures.Policy(self.config_fixture))
  598         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  599 
  600         domain = PROVIDERS.resource_api.create_domain(
  601             uuid.uuid4().hex, unit.new_domain_ref()
  602         )
  603         self.domain_id = domain['id']
  604         domain_admin = unit.new_user_ref(domain_id=self.domain_id)
  605         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  606         PROVIDERS.assignment_api.create_grant(
  607             self.bootstrapper.admin_role_id, user_id=self.user_id,
  608             domain_id=self.domain_id
  609         )
  610 
  611         auth = self.build_authentication_request(
  612             user_id=self.user_id,
  613             password=domain_admin['password'],
  614             domain_id=self.domain_id
  615         )
  616 
  617         # Grab a token using the persona we're testing and prepare headers
  618         # for requests we'll be making in the tests.
  619         with self.test_client() as c:
  620             r = c.post('/v3/auth/tokens', json=auth)
  621             self.token_id = r.headers['X-Subject-Token']
  622             self.headers = {'X-Auth-Token': self.token_id}
  623 
  624 
  625 class ProjectUserTests(
  626         base_classes.TestCaseWithBootstrap,
  627         common_auth.AuthTestMixin,
  628         _SystemDomainAndProjectUserDomainConfigTests,
  629         _DomainAndProjectUserDomainConfigTests,
  630         _SystemReaderMemberDomainAndProjectUserDomainConfigTests):
  631 
  632     def setUp(self):
  633         super(ProjectUserTests, self).setUp()
  634         self.loadapp()
  635         self.useFixture(ksfixtures.Policy(self.config_fixture))
  636         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  637 
  638         self.user_id = self.bootstrapper.admin_user_id
  639         auth = self.build_authentication_request(
  640             user_id=self.user_id,
  641             password=self.bootstrapper.admin_password,
  642             project_id=self.bootstrapper.project_id
  643         )
  644 
  645         # Grab a token using the persona we're testing and prepare headers
  646         # for requests we'll be making in the tests.
  647         with self.test_client() as c:
  648             r = c.post('/v3/auth/tokens', json=auth)
  649             self.token_id = r.headers['X-Subject-Token']
  650             self.headers = {'X-Auth-Token': self.token_id}
  651 
  652 
  653 class ProjectUserTestsWithoutEnforceScope(
  654         base_classes.TestCaseWithBootstrap,
  655         common_auth.AuthTestMixin,
  656         _SystemDomainAndProjectUserDomainConfigTests,
  657         _DomainAndProjectUserDomainConfigTests,
  658         _SystemReaderMemberDomainAndProjectUserDomainConfigTests):
  659 
  660     def setUp(self):
  661         super(ProjectUserTestsWithoutEnforceScope, self).setUp()
  662         self.loadapp()
  663         self.useFixture(ksfixtures.Policy(self.config_fixture))
  664 
  665         # Explicityly set enforce_scope to False to make sure we maintain
  666         # backwards compatibility with project users.
  667         self.config_fixture.config(group='oslo_policy', enforce_scope=False)
  668 
  669         domain = PROVIDERS.resource_api.create_domain(
  670             uuid.uuid4().hex, unit.new_domain_ref()
  671         )
  672         user = unit.new_user_ref(domain_id=domain['id'])
  673         self.user_id = PROVIDERS.identity_api.create_user(user)['id']
  674 
  675         self.project_id = PROVIDERS.resource_api.create_project(
  676             uuid.uuid4().hex, unit.new_project_ref(domain_id=domain['id'])
  677         )['id']
  678 
  679         PROVIDERS.assignment_api.create_grant(
  680             self.bootstrapper.member_role_id, user_id=self.user_id,
  681             project_id=self.project_id
  682         )
  683 
  684         auth = self.build_authentication_request(
  685             user_id=self.user_id,
  686             password=user['password'],
  687             project_id=self.project_id
  688         )
  689 
  690         # Grab a token using the persona we're testing and prepare headers
  691         # for requests we'll be making in the tests.
  692         with self.test_client() as c:
  693             r = c.post('/v3/auth/tokens', json=auth)
  694             self.token_id = r.headers['X-Subject-Token']
  695             self.headers = {'X-Auth-Token': self.token_id}