"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_domain_roles.py" (13 May 2020, 13992 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_domain_roles.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 
   17 from keystone.common import provider_api
   18 import keystone.conf
   19 from keystone.tests.common import auth as common_auth
   20 from keystone.tests import unit
   21 from keystone.tests.unit import base_classes
   22 from keystone.tests.unit import ksfixtures
   23 
   24 CONF = keystone.conf.CONF
   25 PROVIDERS = provider_api.ProviderAPIs
   26 
   27 
   28 class _SystemUserDomainRoleTests(object):
   29     """Common default functionality for all system users."""
   30 
   31     def test_user_can_list_domain_roles(self):
   32         PROVIDERS.role_api.create_role(
   33             uuid.uuid4().hex,
   34             unit.new_role_ref(domain_id=CONF.identity.default_domain_id))
   35 
   36         with self.test_client() as c:
   37             r = c.get(
   38                 '/v3/roles?domain_id=%s' % CONF.identity.default_domain_id,
   39                 headers=self.headers)
   40             self.assertEqual(1, len(r.json['roles']))
   41 
   42     def test_user_can_get_a_domain_role(self):
   43         role = PROVIDERS.role_api.create_role(
   44             uuid.uuid4().hex,
   45             unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
   46         )
   47 
   48         with self.test_client() as c:
   49             r = c.get('/v3/roles/%s' % role['id'], headers=self.headers)
   50             self.assertEqual(role['id'], r.json['role']['id'])
   51 
   52 
   53 class _SystemReaderAndMemberDomainRoleTests(object):
   54     """Common default functionality for system readers and system members."""
   55 
   56     def test_user_cannot_create_domain_roles(self):
   57         create = {'role': unit.new_role_ref(
   58             domain_id=CONF.identity.default_domain_id)}
   59 
   60         with self.test_client() as c:
   61             c.post(
   62                 '/v3/roles', json=create, headers=self.headers,
   63                 expected_status_code=http.client.FORBIDDEN
   64             )
   65 
   66     def test_user_cannot_update_domain_roles(self):
   67         role = PROVIDERS.role_api.create_role(
   68             uuid.uuid4().hex,
   69             unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
   70         )
   71 
   72         update = {'role': {'description': uuid.uuid4().hex}}
   73 
   74         with self.test_client() as c:
   75             c.patch(
   76                 '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
   77                 expected_status_code=http.client.FORBIDDEN
   78             )
   79 
   80     def test_user_cannot_delete_domain_roles(self):
   81         role = PROVIDERS.role_api.create_role(
   82             uuid.uuid4().hex,
   83             unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
   84         )
   85 
   86         with self.test_client() as c:
   87             c.delete(
   88                 '/v3/roles/%s' % role['id'], headers=self.headers,
   89                 expected_status_code=http.client.FORBIDDEN
   90             )
   91 
   92 
   93 class _DomainAndProjectUserDomainRoleTests(object):
   94     """Common functionality for all domain and project users."""
   95 
   96     def test_user_cannot_list_domain_roles(self):
   97         PROVIDERS.role_api.create_role(
   98             uuid.uuid4().hex,
   99             unit.new_role_ref(domain_id=CONF.identity.default_domain_id))
  100 
  101         with self.test_client() as c:
  102             c.get(
  103                 '/v3/roles', headers=self.headers,
  104                 expected_status_code=http.client.FORBIDDEN
  105             )
  106 
  107     def test_user_cannot_get_a_domain_role(self):
  108         role = PROVIDERS.role_api.create_role(
  109             uuid.uuid4().hex,
  110             unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
  111         )
  112 
  113         with self.test_client() as c:
  114             c.get(
  115                 '/v3/roles/%s' % role['id'], headers=self.headers,
  116                 expected_status_code=http.client.FORBIDDEN
  117             )
  118 
  119     def test_user_cannot_create_domain_roles(self):
  120         create = {'role': unit.new_role_ref(
  121             domain_id=CONF.identity.default_domain_id)}
  122 
  123         with self.test_client() as c:
  124             c.post(
  125                 '/v3/roles', json=create, headers=self.headers,
  126                 expected_status_code=http.client.FORBIDDEN
  127             )
  128 
  129     def test_user_cannot_update_domain_roles(self):
  130         role = PROVIDERS.role_api.create_role(
  131             uuid.uuid4().hex,
  132             unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
  133         )
  134 
  135         update = {'role': {'description': uuid.uuid4().hex}}
  136 
  137         with self.test_client() as c:
  138             c.patch(
  139                 '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
  140                 expected_status_code=http.client.FORBIDDEN
  141             )
  142 
  143     def test_user_cannot_delete_domain_roles(self):
  144         role = PROVIDERS.role_api.create_role(
  145             uuid.uuid4().hex,
  146             unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
  147         )
  148 
  149         with self.test_client() as c:
  150             c.delete(
  151                 '/v3/roles/%s' % role['id'], headers=self.headers,
  152                 expected_status_code=http.client.FORBIDDEN
  153             )
  154 
  155 
  156 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  157                         common_auth.AuthTestMixin,
  158                         _SystemUserDomainRoleTests,
  159                         _SystemReaderAndMemberDomainRoleTests):
  160 
  161     def setUp(self):
  162         super(SystemReaderTests, self).setUp()
  163         self.loadapp()
  164         self.useFixture(ksfixtures.Policy(self.config_fixture))
  165         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  166 
  167         system_reader = unit.new_user_ref(
  168             domain_id=CONF.identity.default_domain_id
  169         )
  170         self.user_id = PROVIDERS.identity_api.create_user(
  171             system_reader
  172         )['id']
  173         PROVIDERS.assignment_api.create_system_grant_for_user(
  174             self.user_id, self.bootstrapper.reader_role_id
  175         )
  176 
  177         auth = self.build_authentication_request(
  178             user_id=self.user_id, password=system_reader['password'],
  179             system=True
  180         )
  181 
  182         # Grab a token using the persona we're testing and prepare headers
  183         # for requests we'll be making in the tests.
  184         with self.test_client() as c:
  185             r = c.post('/v3/auth/tokens', json=auth)
  186             self.token_id = r.headers['X-Subject-Token']
  187             self.headers = {'X-Auth-Token': self.token_id}
  188 
  189 
  190 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
  191                         common_auth.AuthTestMixin,
  192                         _SystemUserDomainRoleTests,
  193                         _SystemReaderAndMemberDomainRoleTests):
  194 
  195     def setUp(self):
  196         super(SystemMemberTests, self).setUp()
  197         self.loadapp()
  198         self.useFixture(ksfixtures.Policy(self.config_fixture))
  199         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  200 
  201         system_member = unit.new_user_ref(
  202             domain_id=CONF.identity.default_domain_id
  203         )
  204         self.user_id = PROVIDERS.identity_api.create_user(
  205             system_member
  206         )['id']
  207         PROVIDERS.assignment_api.create_system_grant_for_user(
  208             self.user_id, self.bootstrapper.member_role_id
  209         )
  210 
  211         auth = self.build_authentication_request(
  212             user_id=self.user_id, password=system_member['password'],
  213             system=True
  214         )
  215 
  216         # Grab a token using the persona we're testing and prepare headers
  217         # for requests we'll be making in the tests.
  218         with self.test_client() as c:
  219             r = c.post('/v3/auth/tokens', json=auth)
  220             self.token_id = r.headers['X-Subject-Token']
  221             self.headers = {'X-Auth-Token': self.token_id}
  222 
  223 
  224 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
  225                        common_auth.AuthTestMixin,
  226                        _SystemUserDomainRoleTests):
  227 
  228     def setUp(self):
  229         super(SystemAdminTests, self).setUp()
  230         self.loadapp()
  231         self.useFixture(ksfixtures.Policy(self.config_fixture))
  232         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  233 
  234         # Reuse the system administrator account created during
  235         # ``keystone-manage bootstrap``
  236         self.user_id = self.bootstrapper.admin_user_id
  237         auth = self.build_authentication_request(
  238             user_id=self.user_id,
  239             password=self.bootstrapper.admin_password,
  240             system=True
  241         )
  242 
  243         # Grab a token using the persona we're testing and prepare headers
  244         # for requests we'll be making in the tests.
  245         with self.test_client() as c:
  246             r = c.post('/v3/auth/tokens', json=auth)
  247             self.token_id = r.headers['X-Subject-Token']
  248             self.headers = {'X-Auth-Token': self.token_id}
  249 
  250     def test_user_can_create_roles(self):
  251         create = {'role': unit.new_role_ref(
  252             domain_id=CONF.identity.default_domain_id)}
  253 
  254         with self.test_client() as c:
  255             c.post('/v3/roles', json=create, headers=self.headers)
  256 
  257     def test_user_can_update_roles(self):
  258         role = PROVIDERS.role_api.create_role(
  259             uuid.uuid4().hex,
  260             unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
  261         )
  262 
  263         update = {'role': {'description': uuid.uuid4().hex}}
  264 
  265         with self.test_client() as c:
  266             c.patch(
  267                 '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
  268             )
  269 
  270     def test_user_can_delete_roles(self):
  271         role = PROVIDERS.role_api.create_role(
  272             uuid.uuid4().hex,
  273             unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
  274         )
  275 
  276         with self.test_client() as c:
  277             c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
  278 
  279 
  280 class DomainUserTests(base_classes.TestCaseWithBootstrap,
  281                       common_auth.AuthTestMixin,
  282                       _DomainAndProjectUserDomainRoleTests):
  283 
  284     def setUp(self):
  285         super(DomainUserTests, self).setUp()
  286         self.loadapp()
  287         self.useFixture(ksfixtures.Policy(self.config_fixture))
  288         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  289 
  290         domain = PROVIDERS.resource_api.create_domain(
  291             uuid.uuid4().hex, unit.new_domain_ref()
  292         )
  293         self.domain_id = domain['id']
  294         domain_admin = unit.new_user_ref(domain_id=self.domain_id)
  295         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  296         PROVIDERS.assignment_api.create_grant(
  297             self.bootstrapper.admin_role_id, user_id=self.user_id,
  298             domain_id=self.domain_id
  299         )
  300 
  301         auth = self.build_authentication_request(
  302             user_id=self.user_id,
  303             password=domain_admin['password'],
  304             domain_id=self.domain_id
  305         )
  306 
  307         # Grab a token using the persona we're testing and prepare headers
  308         # for requests we'll be making in the tests.
  309         with self.test_client() as c:
  310             r = c.post('/v3/auth/tokens', json=auth)
  311             self.token_id = r.headers['X-Subject-Token']
  312             self.headers = {'X-Auth-Token': self.token_id}
  313 
  314 
  315 class ProjectUserTests(base_classes.TestCaseWithBootstrap,
  316                        common_auth.AuthTestMixin,
  317                        _DomainAndProjectUserDomainRoleTests):
  318 
  319     def setUp(self):
  320         super(ProjectUserTests, self).setUp()
  321         self.loadapp()
  322         self.useFixture(ksfixtures.Policy(self.config_fixture))
  323         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  324 
  325         self.user_id = self.bootstrapper.admin_user_id
  326         auth = self.build_authentication_request(
  327             user_id=self.user_id,
  328             password=self.bootstrapper.admin_password,
  329             project_id=self.bootstrapper.project_id
  330         )
  331 
  332         # Grab a token using the persona we're testing and prepare headers
  333         # for requests we'll be making in the tests.
  334         with self.test_client() as c:
  335             r = c.post('/v3/auth/tokens', json=auth)
  336             self.token_id = r.headers['X-Subject-Token']
  337             self.headers = {'X-Auth-Token': self.token_id}
  338 
  339 
  340 class ProjectUserTestsWithoutEnforceScope(
  341         base_classes.TestCaseWithBootstrap,
  342         common_auth.AuthTestMixin,
  343         _DomainAndProjectUserDomainRoleTests):
  344 
  345     def setUp(self):
  346         super(ProjectUserTestsWithoutEnforceScope, self).setUp()
  347         self.loadapp()
  348         self.useFixture(ksfixtures.Policy(self.config_fixture))
  349 
  350         # Explicityly set enforce_scope to False to make sure we maintain
  351         # backwards compatibility with project users.
  352         self.config_fixture.config(group='oslo_policy', enforce_scope=False)
  353 
  354         domain = PROVIDERS.resource_api.create_domain(
  355             uuid.uuid4().hex, unit.new_domain_ref()
  356         )
  357         user = unit.new_user_ref(domain_id=domain['id'])
  358         self.user_id = PROVIDERS.identity_api.create_user(user)['id']
  359 
  360         self.project_id = PROVIDERS.resource_api.create_project(
  361             uuid.uuid4().hex, unit.new_project_ref(domain_id=domain['id'])
  362         )['id']
  363 
  364         PROVIDERS.assignment_api.create_grant(
  365             self.bootstrapper.member_role_id, user_id=self.user_id,
  366             project_id=self.project_id
  367         )
  368 
  369         auth = self.build_authentication_request(
  370             user_id=self.user_id,
  371             password=user['password'],
  372             project_id=self.project_id
  373         )
  374 
  375         # Grab a token using the persona we're testing and prepare headers
  376         # for requests we'll be making in the tests.
  377         with self.test_client() as c:
  378             r = c.post('/v3/auth/tokens', json=auth)
  379             self.token_id = r.headers['X-Subject-Token']
  380             self.headers = {'X-Auth-Token': self.token_id}