"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_grants.py" (13 May 2020, 80900 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_grants.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 from oslo_serialization import jsonutils
   17 
   18 from keystone.common.policies import grant as gp
   19 from keystone.common import provider_api
   20 import keystone.conf
   21 from keystone.tests.common import auth as common_auth
   22 from keystone.tests import unit
   23 from keystone.tests.unit import base_classes
   24 from keystone.tests.unit import ksfixtures
   25 from keystone.tests.unit.ksfixtures import temporaryfile
   26 
   27 CONF = keystone.conf.CONF
   28 PROVIDERS = provider_api.ProviderAPIs
   29 
   30 
   31 class _SystemUserGrantTests(object):
   32 
   33     def test_can_list_grants_for_user_on_project(self):
   34         user = PROVIDERS.identity_api.create_user(
   35             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
   36         )
   37 
   38         project = PROVIDERS.resource_api.create_project(
   39             uuid.uuid4().hex, unit.new_project_ref(
   40                 domain_id=CONF.identity.default_domain_id
   41             )
   42         )
   43 
   44         PROVIDERS.assignment_api.create_grant(
   45             self.bootstrapper.reader_role_id, user_id=user['id'],
   46             project_id=project['id']
   47         )
   48 
   49         with self.test_client() as c:
   50             r = c.get(
   51                 '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
   52                 headers=self.headers
   53             )
   54             self.assertEqual(1, len(r.json['roles']))
   55 
   56     def test_can_list_grants_for_user_on_domain(self):
   57         user = PROVIDERS.identity_api.create_user(
   58             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
   59         )
   60 
   61         domain = PROVIDERS.resource_api.create_domain(
   62             uuid.uuid4().hex, unit.new_domain_ref()
   63         )
   64 
   65         PROVIDERS.assignment_api.create_grant(
   66             self.bootstrapper.reader_role_id, user_id=user['id'],
   67             domain_id=domain['id']
   68         )
   69 
   70         with self.test_client() as c:
   71             r = c.get(
   72                 '/v3/domains/%s/users/%s/roles' % (domain['id'], user['id']),
   73                 headers=self.headers
   74             )
   75             self.assertEqual(1, len(r.json['roles']))
   76 
   77     def test_can_list_grants_for_group_on_project(self):
   78         group = PROVIDERS.identity_api.create_group(
   79             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
   80         )
   81 
   82         project = PROVIDERS.resource_api.create_project(
   83             uuid.uuid4().hex, unit.new_project_ref(
   84                 domain_id=CONF.identity.default_domain_id
   85             )
   86         )
   87 
   88         PROVIDERS.assignment_api.create_grant(
   89             self.bootstrapper.reader_role_id, group_id=group['id'],
   90             project_id=project['id']
   91         )
   92 
   93         with self.test_client() as c:
   94             r = c.get(
   95                 '/v3/projects/%s/groups/%s/roles' % (
   96                     project['id'], group['id']),
   97                 headers=self.headers
   98             )
   99             self.assertEqual(1, len(r.json['roles']))
  100 
  101     def test_can_list_grants_for_group_on_domain(self):
  102         group = PROVIDERS.identity_api.create_group(
  103             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  104         )
  105 
  106         domain = PROVIDERS.resource_api.create_domain(
  107             uuid.uuid4().hex, unit.new_domain_ref()
  108         )
  109 
  110         PROVIDERS.assignment_api.create_grant(
  111             self.bootstrapper.reader_role_id, group_id=group['id'],
  112             domain_id=domain['id']
  113         )
  114 
  115         with self.test_client() as c:
  116             r = c.get(
  117                 '/v3/domains/%s/groups/%s/roles' % (domain['id'], group['id']),
  118                 headers=self.headers
  119             )
  120             self.assertEqual(1, len(r.json['roles']))
  121 
  122     def test_can_check_grant_for_user_on_project(self):
  123         user = PROVIDERS.identity_api.create_user(
  124             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  125         )
  126 
  127         project = PROVIDERS.resource_api.create_project(
  128             uuid.uuid4().hex, unit.new_project_ref(
  129                 domain_id=CONF.identity.default_domain_id
  130             )
  131         )
  132 
  133         PROVIDERS.assignment_api.create_grant(
  134             self.bootstrapper.reader_role_id, user_id=user['id'],
  135             project_id=project['id']
  136         )
  137 
  138         with self.test_client() as c:
  139             c.get(
  140                 '/v3/projects/%s/users/%s/roles/%s' % (
  141                     project['id'], user['id'], self.bootstrapper.reader_role_id
  142                 ),
  143                 headers=self.headers,
  144                 expected_status_code=http.client.NO_CONTENT
  145             )
  146 
  147     def test_can_check_grant_for_user_on_domain(self):
  148         user = PROVIDERS.identity_api.create_user(
  149             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  150         )
  151 
  152         domain = PROVIDERS.resource_api.create_domain(
  153             uuid.uuid4().hex, unit.new_domain_ref()
  154         )
  155 
  156         PROVIDERS.assignment_api.create_grant(
  157             self.bootstrapper.reader_role_id, user_id=user['id'],
  158             domain_id=domain['id']
  159         )
  160 
  161         with self.test_client() as c:
  162             c.get(
  163                 '/v3/domains/%s/users/%s/roles/%s' % (
  164                     domain['id'], user['id'], self.bootstrapper.reader_role_id
  165                 ),
  166                 headers=self.headers,
  167                 expected_status_code=http.client.NO_CONTENT
  168             )
  169 
  170     def test_can_check_grant_for_group_on_project(self):
  171         group = PROVIDERS.identity_api.create_group(
  172             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  173         )
  174 
  175         project = PROVIDERS.resource_api.create_project(
  176             uuid.uuid4().hex, unit.new_project_ref(
  177                 domain_id=CONF.identity.default_domain_id
  178             )
  179         )
  180 
  181         PROVIDERS.assignment_api.create_grant(
  182             self.bootstrapper.reader_role_id, group_id=group['id'],
  183             project_id=project['id']
  184         )
  185 
  186         with self.test_client() as c:
  187             c.get(
  188                 '/v3/projects/%s/groups/%s/roles/%s' % (
  189                     project['id'],
  190                     group['id'],
  191                     self.bootstrapper.reader_role_id
  192                 ),
  193                 headers=self.headers,
  194                 expected_status_code=http.client.NO_CONTENT
  195             )
  196 
  197     def test_can_check_grant_for_group_on_domain(self):
  198         group = PROVIDERS.identity_api.create_group(
  199             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  200         )
  201 
  202         domain = PROVIDERS.resource_api.create_domain(
  203             uuid.uuid4().hex, unit.new_domain_ref()
  204         )
  205 
  206         PROVIDERS.assignment_api.create_grant(
  207             self.bootstrapper.reader_role_id, group_id=group['id'],
  208             domain_id=domain['id']
  209         )
  210 
  211         with self.test_client() as c:
  212             c.get(
  213                 '/v3/domains/%s/groups/%s/roles/%s' % (
  214                     domain['id'], group['id'], self.bootstrapper.reader_role_id
  215                 ),
  216                 headers=self.headers,
  217                 expected_status_code=http.client.NO_CONTENT
  218             )
  219 
  220 
  221 class _SystemMemberAndReaderGrantTests(object):
  222 
  223     def test_cannot_create_grant_for_user_on_project(self):
  224         user = PROVIDERS.identity_api.create_user(
  225             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  226         )
  227 
  228         project = PROVIDERS.resource_api.create_project(
  229             uuid.uuid4().hex, unit.new_project_ref(
  230                 domain_id=CONF.identity.default_domain_id
  231             )
  232         )
  233 
  234         with self.test_client() as c:
  235             c.put(
  236                 '/v3/projects/%s/users/%s/roles/%s' % (
  237                     project['id'], user['id'], self.bootstrapper.reader_role_id
  238                 ),
  239                 headers=self.headers,
  240                 expected_status_code=http.client.FORBIDDEN
  241             )
  242 
  243     def test_cannot_create_grant_for_user_on_domain(self):
  244         user = PROVIDERS.identity_api.create_user(
  245             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  246         )
  247 
  248         domain = PROVIDERS.resource_api.create_domain(
  249             uuid.uuid4().hex, unit.new_domain_ref()
  250         )
  251 
  252         with self.test_client() as c:
  253             c.put(
  254                 '/v3/domains/%s/users/%s/roles/%s' % (
  255                     domain['id'], user['id'], self.bootstrapper.reader_role_id
  256                 ),
  257                 headers=self.headers,
  258                 expected_status_code=http.client.FORBIDDEN
  259             )
  260 
  261     def test_cannot_create_grant_for_group_on_project(self):
  262         group = PROVIDERS.identity_api.create_group(
  263             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  264         )
  265 
  266         project = PROVIDERS.resource_api.create_project(
  267             uuid.uuid4().hex, unit.new_project_ref(
  268                 domain_id=CONF.identity.default_domain_id
  269             )
  270         )
  271 
  272         with self.test_client() as c:
  273             c.put(
  274                 '/v3/projects/%s/groups/%s/roles/%s' % (
  275                     project['id'],
  276                     group['id'],
  277                     self.bootstrapper.reader_role_id
  278                 ),
  279                 headers=self.headers,
  280                 expected_status_code=http.client.FORBIDDEN
  281             )
  282 
  283     def test_cannot_create_grant_for_group_on_domain(self):
  284         group = PROVIDERS.identity_api.create_group(
  285             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  286         )
  287 
  288         domain = PROVIDERS.resource_api.create_domain(
  289             uuid.uuid4().hex, unit.new_domain_ref()
  290         )
  291 
  292         with self.test_client() as c:
  293             c.put(
  294                 '/v3/domains/%s/groups/%s/roles/%s' % (
  295                     domain['id'], group['id'], self.bootstrapper.reader_role_id
  296                 ),
  297                 headers=self.headers,
  298                 expected_status_code=http.client.FORBIDDEN
  299             )
  300 
  301     def test_cannot_revoke_grant_from_user_on_project(self):
  302         user = PROVIDERS.identity_api.create_user(
  303             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  304         )
  305 
  306         project = PROVIDERS.resource_api.create_project(
  307             uuid.uuid4().hex, unit.new_project_ref(
  308                 domain_id=CONF.identity.default_domain_id
  309             )
  310         )
  311 
  312         PROVIDERS.assignment_api.create_grant(
  313             self.bootstrapper.reader_role_id, user_id=user['id'],
  314             project_id=project['id']
  315         )
  316 
  317         with self.test_client() as c:
  318             c.delete(
  319                 '/v3/projects/%s/users/%s/roles/%s' % (
  320                     project['id'], user['id'], self.bootstrapper.reader_role_id
  321                 ),
  322                 headers=self.headers,
  323                 expected_status_code=http.client.FORBIDDEN
  324             )
  325 
  326     def test_cannot_revoke_grant_from_user_on_domain(self):
  327         user = PROVIDERS.identity_api.create_user(
  328             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
  329         )
  330 
  331         domain = PROVIDERS.resource_api.create_domain(
  332             uuid.uuid4().hex, unit.new_domain_ref()
  333         )
  334 
  335         PROVIDERS.assignment_api.create_grant(
  336             self.bootstrapper.reader_role_id, user_id=user['id'],
  337             domain_id=domain['id']
  338         )
  339 
  340         with self.test_client() as c:
  341             c.delete(
  342                 '/v3/domains/%s/users/%s/roles/%s' % (
  343                     domain['id'], user['id'], self.bootstrapper.reader_role_id
  344                 ),
  345                 headers=self.headers,
  346                 expected_status_code=http.client.FORBIDDEN
  347             )
  348 
  349     def test_cannot_revoke_grant_from_group_on_project(self):
  350         group = PROVIDERS.identity_api.create_group(
  351             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  352         )
  353 
  354         project = PROVIDERS.resource_api.create_project(
  355             uuid.uuid4().hex, unit.new_project_ref(
  356                 domain_id=CONF.identity.default_domain_id
  357             )
  358         )
  359 
  360         PROVIDERS.assignment_api.create_grant(
  361             self.bootstrapper.reader_role_id, group_id=group['id'],
  362             project_id=project['id']
  363         )
  364 
  365         with self.test_client() as c:
  366             c.delete(
  367                 '/v3/projects/%s/groups/%s/roles/%s' % (
  368                     project['id'],
  369                     group['id'],
  370                     self.bootstrapper.reader_role_id
  371                 ),
  372                 headers=self.headers,
  373                 expected_status_code=http.client.FORBIDDEN
  374             )
  375 
  376     def test_cannot_revoke_grant_from_group_on_domain(self):
  377         group = PROVIDERS.identity_api.create_group(
  378             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
  379         )
  380 
  381         domain = PROVIDERS.resource_api.create_domain(
  382             uuid.uuid4().hex, unit.new_domain_ref()
  383         )
  384 
  385         PROVIDERS.assignment_api.create_grant(
  386             self.bootstrapper.reader_role_id, group_id=group['id'],
  387             domain_id=domain['id']
  388         )
  389 
  390         with self.test_client() as c:
  391             c.delete(
  392                 '/v3/domains/%s/groups/%s/roles/%s' % (
  393                     domain['id'], group['id'], self.bootstrapper.reader_role_id
  394                 ),
  395                 headers=self.headers,
  396                 expected_status_code=http.client.FORBIDDEN
  397             )
  398 
  399 
  400 class _DomainUserTests(object):
  401 
  402     def test_can_list_grants_for_user_on_project(self):
  403         user = PROVIDERS.identity_api.create_user(
  404             unit.new_user_ref(domain_id=self.domain_id)
  405         )
  406 
  407         project = PROVIDERS.resource_api.create_project(
  408             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
  409         )
  410 
  411         PROVIDERS.assignment_api.create_grant(
  412             self.bootstrapper.reader_role_id, user_id=user['id'],
  413             project_id=project['id']
  414         )
  415 
  416         with self.test_client() as c:
  417             r = c.get(
  418                 '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
  419                 headers=self.headers
  420             )
  421             self.assertEqual(1, len(r.json['roles']))
  422 
  423     def test_can_list_grants_for_user_on_domain(self):
  424         user = PROVIDERS.identity_api.create_user(
  425             unit.new_user_ref(domain_id=self.domain_id)
  426         )
  427 
  428         PROVIDERS.assignment_api.create_grant(
  429             self.bootstrapper.reader_role_id, user_id=user['id'],
  430             domain_id=self.domain_id
  431         )
  432 
  433         with self.test_client() as c:
  434             r = c.get(
  435                 '/v3/domains/%s/users/%s/roles' % (self.domain_id, user['id']),
  436                 headers=self.headers
  437             )
  438             self.assertEqual(1, len(r.json['roles']))
  439 
  440     def test_can_list_grants_for_group_on_project(self):
  441         group = PROVIDERS.identity_api.create_group(
  442             unit.new_group_ref(domain_id=self.domain_id)
  443         )
  444 
  445         project = PROVIDERS.resource_api.create_project(
  446             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
  447         )
  448 
  449         PROVIDERS.assignment_api.create_grant(
  450             self.bootstrapper.reader_role_id, group_id=group['id'],
  451             project_id=project['id']
  452         )
  453 
  454         with self.test_client() as c:
  455             r = c.get(
  456                 '/v3/projects/%s/groups/%s/roles' % (
  457                     project['id'], group['id']),
  458                 headers=self.headers
  459             )
  460             self.assertEqual(1, len(r.json['roles']))
  461 
  462     def test_can_list_grants_for_group_on_domain(self):
  463         group = PROVIDERS.identity_api.create_group(
  464             unit.new_group_ref(domain_id=self.domain_id)
  465         )
  466 
  467         PROVIDERS.assignment_api.create_grant(
  468             self.bootstrapper.reader_role_id, group_id=group['id'],
  469             domain_id=self.domain_id
  470         )
  471 
  472         with self.test_client() as c:
  473             r = c.get(
  474                 '/v3/domains/%s/groups/%s/roles' % (
  475                     self.domain_id, group['id']
  476                 ), headers=self.headers
  477             )
  478             self.assertEqual(1, len(r.json['roles']))
  479 
  480     def test_can_check_grant_for_user_on_project(self):
  481         user = PROVIDERS.identity_api.create_user(
  482             unit.new_user_ref(domain_id=self.domain_id)
  483         )
  484 
  485         project = PROVIDERS.resource_api.create_project(
  486             uuid.uuid4().hex, unit.new_project_ref(
  487                 domain_id=self.domain_id
  488             )
  489         )
  490 
  491         PROVIDERS.assignment_api.create_grant(
  492             self.bootstrapper.reader_role_id, user_id=user['id'],
  493             project_id=project['id']
  494         )
  495 
  496         with self.test_client() as c:
  497             c.get(
  498                 '/v3/projects/%s/users/%s/roles/%s' % (
  499                     project['id'], user['id'], self.bootstrapper.reader_role_id
  500                 ),
  501                 headers=self.headers,
  502                 expected_status_code=http.client.NO_CONTENT
  503             )
  504 
  505     def test_can_check_grant_for_user_on_domain(self):
  506         user = PROVIDERS.identity_api.create_user(
  507             unit.new_user_ref(domain_id=self.domain_id)
  508         )
  509 
  510         PROVIDERS.assignment_api.create_grant(
  511             self.bootstrapper.reader_role_id, user_id=user['id'],
  512             domain_id=self.domain_id
  513         )
  514 
  515         with self.test_client() as c:
  516             c.get(
  517                 '/v3/domains/%s/users/%s/roles/%s' % (
  518                     self.domain_id, user['id'],
  519                     self.bootstrapper.reader_role_id
  520                 ),
  521                 headers=self.headers,
  522                 expected_status_code=http.client.NO_CONTENT
  523             )
  524 
  525     def test_can_check_grant_for_group_on_project(self):
  526         group = PROVIDERS.identity_api.create_group(
  527             unit.new_group_ref(domain_id=self.domain_id)
  528         )
  529 
  530         project = PROVIDERS.resource_api.create_project(
  531             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
  532         )
  533 
  534         PROVIDERS.assignment_api.create_grant(
  535             self.bootstrapper.reader_role_id, group_id=group['id'],
  536             project_id=project['id']
  537         )
  538 
  539         with self.test_client() as c:
  540             c.get(
  541                 '/v3/projects/%s/groups/%s/roles/%s' % (
  542                     project['id'],
  543                     group['id'],
  544                     self.bootstrapper.reader_role_id
  545                 ),
  546                 headers=self.headers,
  547                 expected_status_code=http.client.NO_CONTENT
  548             )
  549 
  550     def test_can_check_grant_for_group_on_domain(self):
  551         group = PROVIDERS.identity_api.create_group(
  552             unit.new_group_ref(domain_id=self.domain_id)
  553         )
  554 
  555         PROVIDERS.assignment_api.create_grant(
  556             self.bootstrapper.reader_role_id, group_id=group['id'],
  557             domain_id=self.domain_id
  558         )
  559 
  560         with self.test_client() as c:
  561             c.get(
  562                 '/v3/domains/%s/groups/%s/roles/%s' % (
  563                     self.domain_id, group['id'],
  564                     self.bootstrapper.reader_role_id
  565                 ),
  566                 headers=self.headers,
  567                 expected_status_code=http.client.NO_CONTENT
  568             )
  569 
  570     def test_cannot_list_grants_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
  571         user_domain_id = CONF.identity.default_domain_id
  572         project_domain_id = self.domain_id
  573 
  574         user = PROVIDERS.identity_api.create_user(
  575             unit.new_user_ref(domain_id=user_domain_id)
  576         )
  577 
  578         project = PROVIDERS.resource_api.create_project(
  579             uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
  580         )
  581 
  582         PROVIDERS.assignment_api.create_grant(
  583             self.bootstrapper.reader_role_id, user_id=user['id'],
  584             project_id=project['id']
  585         )
  586 
  587         with self.test_client() as c:
  588             c.get(
  589                 '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
  590                 headers=self.headers,
  591                 expected_status_code=http.client.FORBIDDEN
  592             )
  593 
  594     def test_cannot_list_grants_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
  595         user_domain_id = self.domain_id
  596         project_domain_id = CONF.identity.default_domain_id
  597 
  598         user = PROVIDERS.identity_api.create_user(
  599             unit.new_user_ref(domain_id=user_domain_id)
  600         )
  601 
  602         project = PROVIDERS.resource_api.create_project(
  603             uuid.uuid4().hex,
  604             unit.new_project_ref(domain_id=project_domain_id)
  605         )
  606 
  607         PROVIDERS.assignment_api.create_grant(
  608             self.bootstrapper.reader_role_id, user_id=user['id'],
  609             project_id=project['id']
  610         )
  611 
  612         with self.test_client() as c:
  613             c.get(
  614                 '/v3/projects/%s/users/%s/roles' % (project['id'], user['id']),
  615                 headers=self.headers,
  616                 expected_status_code=http.client.FORBIDDEN
  617             )
  618 
  619     def test_cannot_list_grants_for_user_own_domain_on_other_domain(self):
  620         user_domain_id = self.domain_id
  621         domain_id = CONF.identity.default_domain_id
  622 
  623         user = PROVIDERS.identity_api.create_user(
  624             unit.new_user_ref(domain_id=user_domain_id)
  625         )
  626 
  627         PROVIDERS.assignment_api.create_grant(
  628             self.bootstrapper.reader_role_id, user_id=user['id'],
  629             domain_id=domain_id
  630         )
  631 
  632         with self.test_client() as c:
  633             c.get(
  634                 '/v3/domains/%s/users/%s/roles' % (domain_id, user['id']),
  635                 headers=self.headers,
  636                 expected_status_code=http.client.FORBIDDEN
  637             )
  638 
  639     def test_cannot_list_grants_for_user_other_domain_on_own_domain(self):
  640         user_domain_id = CONF.identity.default_domain_id
  641         domain_id = self.domain_id
  642 
  643         user = PROVIDERS.identity_api.create_user(
  644             unit.new_user_ref(domain_id=user_domain_id)
  645         )
  646 
  647         PROVIDERS.assignment_api.create_grant(
  648             self.bootstrapper.reader_role_id, user_id=user['id'],
  649             domain_id=domain_id
  650         )
  651 
  652         with self.test_client() as c:
  653             c.get(
  654                 '/v3/domains/%s/users/%s/roles' % (domain_id, user['id']),
  655                 headers=self.headers,
  656                 expected_status_code=http.client.FORBIDDEN
  657             )
  658 
  659     def test_cannot_list_grants_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
  660         group_domain_id = CONF.identity.default_domain_id
  661         project_domain_id = self.domain_id
  662 
  663         group = PROVIDERS.identity_api.create_group(
  664             unit.new_group_ref(domain_id=group_domain_id)
  665         )
  666 
  667         project = PROVIDERS.resource_api.create_project(
  668             uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
  669         )
  670 
  671         PROVIDERS.assignment_api.create_grant(
  672             self.bootstrapper.reader_role_id, group_id=group['id'],
  673             project_id=project['id']
  674         )
  675 
  676         with self.test_client() as c:
  677             c.get(
  678                 '/v3/projects/%s/groups/%s/roles' % (
  679                     project['id'], group['id']),
  680                 headers=self.headers,
  681                 expected_status_code=http.client.FORBIDDEN
  682             )
  683 
  684     def test_cannot_list_grants_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
  685         group_domain_id = self.domain_id
  686         project_domain_id = CONF.identity.default_domain_id
  687 
  688         group = PROVIDERS.identity_api.create_group(
  689             unit.new_group_ref(domain_id=group_domain_id)
  690         )
  691 
  692         project = PROVIDERS.resource_api.create_project(
  693             uuid.uuid4().hex,
  694             unit.new_project_ref(domain_id=project_domain_id)
  695         )
  696 
  697         PROVIDERS.assignment_api.create_grant(
  698             self.bootstrapper.reader_role_id, group_id=group['id'],
  699             project_id=project['id']
  700         )
  701 
  702         with self.test_client() as c:
  703             c.get(
  704                 '/v3/projects/%s/groups/%s/roles' % (
  705                     project['id'], group['id']),
  706                 headers=self.headers,
  707                 expected_status_code=http.client.FORBIDDEN
  708             )
  709 
  710     def test_cannot_list_grants_for_group_own_domain_on_other_domain(self):
  711         group_domain_id = self.domain_id
  712         domain_id = CONF.identity.default_domain_id
  713 
  714         group = PROVIDERS.identity_api.create_group(
  715             unit.new_group_ref(domain_id=group_domain_id)
  716         )
  717 
  718         PROVIDERS.assignment_api.create_grant(
  719             self.bootstrapper.reader_role_id, group_id=group['id'],
  720             domain_id=domain_id
  721         )
  722 
  723         with self.test_client() as c:
  724             c.get(
  725                 '/v3/domains/%s/groups/%s/roles' % (
  726                     domain_id, group['id']),
  727                 headers=self.headers,
  728                 expected_status_code=http.client.FORBIDDEN
  729             )
  730 
  731     def test_cannot_list_grants_for_group_other_domain_on_own_domain(self):
  732         group_domain_id = CONF.identity.default_domain_id
  733         domain_id = self.domain_id
  734 
  735         group = PROVIDERS.identity_api.create_group(
  736             unit.new_group_ref(domain_id=group_domain_id)
  737         )
  738 
  739         PROVIDERS.assignment_api.create_grant(
  740             self.bootstrapper.reader_role_id, group_id=group['id'],
  741             domain_id=domain_id
  742         )
  743 
  744         with self.test_client() as c:
  745             c.get(
  746                 '/v3/domains/%s/groups/%s/roles' % (
  747                     domain_id, group['id']),
  748                 headers=self.headers,
  749                 expected_status_code=http.client.FORBIDDEN
  750             )
  751 
  752     def test_cannot_check_grant_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
  753         user_domain_id = CONF.identity.default_domain_id
  754         project_domain_id = self.domain_id
  755 
  756         user = PROVIDERS.identity_api.create_user(
  757             unit.new_user_ref(domain_id=user_domain_id)
  758         )
  759 
  760         project = PROVIDERS.resource_api.create_project(
  761             uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
  762         )
  763 
  764         PROVIDERS.assignment_api.create_grant(
  765             self.bootstrapper.reader_role_id, user_id=user['id'],
  766             project_id=project['id']
  767         )
  768 
  769         with self.test_client() as c:
  770             c.get(
  771                 '/v3/projects/%s/users/%s/roles/%s' % (
  772                     project['id'], user['id'],
  773                     self.bootstrapper.reader_role_id),
  774                 headers=self.headers,
  775                 expected_status_code=http.client.FORBIDDEN
  776             )
  777 
  778     def test_cannot_check_grant_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
  779         user_domain_id = self.domain_id
  780         project_domain_id = CONF.identity.default_domain_id
  781 
  782         user = PROVIDERS.identity_api.create_user(
  783             unit.new_user_ref(domain_id=user_domain_id)
  784         )
  785 
  786         project = PROVIDERS.resource_api.create_project(
  787             uuid.uuid4().hex,
  788             unit.new_project_ref(domain_id=project_domain_id)
  789         )
  790 
  791         PROVIDERS.assignment_api.create_grant(
  792             self.bootstrapper.reader_role_id, user_id=user['id'],
  793             project_id=project['id']
  794         )
  795 
  796         with self.test_client() as c:
  797             c.get(
  798                 '/v3/projects/%s/users/%s/roles/%s' % (
  799                     project['id'], user['id'],
  800                     self.bootstrapper.reader_role_id),
  801                 headers=self.headers,
  802                 expected_status_code=http.client.FORBIDDEN
  803             )
  804 
  805     def test_cannot_check_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
  806         user_domain_id = self.domain_id
  807         project_domain_id = self.domain_id
  808         role_domain_id = CONF.identity.default_domain_id
  809 
  810         role = PROVIDERS.role_api.create_role(
  811             uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
  812 
  813         user = PROVIDERS.identity_api.create_user(
  814             unit.new_user_ref(domain_id=user_domain_id)
  815         )
  816 
  817         project = PROVIDERS.resource_api.create_project(
  818             uuid.uuid4().hex,
  819             unit.new_project_ref(domain_id=project_domain_id)
  820         )
  821 
  822         # NOTE(cmurphy) the grant for a domain-specific role cannot be created
  823         # for a project in a different domain, so we don't try to create it,
  824         # but we still need to test that checking the role results in a 403 and
  825         # not a 404
  826 
  827         with self.test_client() as c:
  828             c.get(
  829                 '/v3/projects/%s/users/%s/roles/%s' % (
  830                     project['id'], user['id'],
  831                     role['id']),
  832                 headers=self.headers,
  833                 expected_status_code=http.client.FORBIDDEN
  834             )
  835 
  836     def test_cannot_check_grant_for_user_own_domain_on_other_domain(self):
  837         user_domain_id = self.domain_id
  838         domain_id = CONF.identity.default_domain_id
  839 
  840         user = PROVIDERS.identity_api.create_user(
  841             unit.new_user_ref(domain_id=user_domain_id)
  842         )
  843 
  844         PROVIDERS.assignment_api.create_grant(
  845             self.bootstrapper.reader_role_id, user_id=user['id'],
  846             domain_id=domain_id
  847         )
  848 
  849         with self.test_client() as c:
  850             c.get(
  851                 '/v3/domains/%s/users/%s/roles/%s' % (
  852                     domain_id, user['id'],
  853                     self.bootstrapper.reader_role_id
  854                 ),
  855                 headers=self.headers,
  856                 expected_status_code=http.client.FORBIDDEN
  857             )
  858 
  859     def test_cannot_check_grant_for_user_other_domain_on_own_domain(self):
  860         user_domain_id = CONF.identity.default_domain_id
  861         domain_id = self.domain_id
  862 
  863         user = PROVIDERS.identity_api.create_user(
  864             unit.new_user_ref(domain_id=user_domain_id)
  865         )
  866 
  867         PROVIDERS.assignment_api.create_grant(
  868             self.bootstrapper.reader_role_id, user_id=user['id'],
  869             domain_id=domain_id
  870         )
  871 
  872         with self.test_client() as c:
  873             c.get(
  874                 '/v3/domains/%s/users/%s/roles/%s' % (
  875                     domain_id, user['id'],
  876                     self.bootstrapper.reader_role_id
  877                 ),
  878                 headers=self.headers,
  879                 expected_status_code=http.client.FORBIDDEN
  880             )
  881 
  882     def test_cannot_check_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
  883         user_domain_id = self.domain_id
  884         domain_id = self.domain_id
  885         role_domain_id = CONF.identity.default_domain_id
  886 
  887         role = PROVIDERS.role_api.create_role(
  888             uuid.uuid4().hex,
  889             unit.new_role_ref(domain_id=role_domain_id))
  890 
  891         user = PROVIDERS.identity_api.create_user(
  892             unit.new_user_ref(domain_id=user_domain_id)
  893         )
  894 
  895         # NOTE(cmurphy) the grant for a domain-specific role cannot be created
  896         # for a project in a different domain, so we don't try to create it,
  897         # but we still need to test that checking the role results in a 403 and
  898         # not a 404
  899 
  900         with self.test_client() as c:
  901             c.get(
  902                 '/v3/domains/%s/users/%s/roles/%s' % (
  903                     domain_id, user['id'],
  904                     role['id']
  905                 ),
  906                 headers=self.headers,
  907                 expected_status_code=http.client.FORBIDDEN
  908             )
  909 
  910     def test_cannot_check_grant_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
  911         group_domain_id = CONF.identity.default_domain_id
  912         project_domain_id = self.domain_id
  913 
  914         group = PROVIDERS.identity_api.create_group(
  915             unit.new_group_ref(domain_id=group_domain_id)
  916         )
  917 
  918         project = PROVIDERS.resource_api.create_project(
  919             uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
  920         )
  921 
  922         PROVIDERS.assignment_api.create_grant(
  923             self.bootstrapper.reader_role_id, group_id=group['id'],
  924             project_id=project['id']
  925         )
  926 
  927         with self.test_client() as c:
  928             c.get(
  929                 '/v3/projects/%s/groups/%s/roles/%s' % (
  930                     project['id'], group['id'],
  931                     self.bootstrapper.reader_role_id),
  932                 headers=self.headers,
  933                 expected_status_code=http.client.FORBIDDEN
  934             )
  935 
  936     def test_cannot_check_grant_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
  937         group_domain_id = self.domain_id
  938         project_domain_id = CONF.identity.default_domain_id
  939 
  940         group = PROVIDERS.identity_api.create_group(
  941             unit.new_group_ref(domain_id=group_domain_id)
  942         )
  943 
  944         project = PROVIDERS.resource_api.create_project(
  945             uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
  946         )
  947 
  948         PROVIDERS.assignment_api.create_grant(
  949             self.bootstrapper.reader_role_id, group_id=group['id'],
  950             project_id=project['id']
  951         )
  952 
  953         with self.test_client() as c:
  954             c.get(
  955                 '/v3/projects/%s/groups/%s/roles/%s' % (
  956                     project['id'], group['id'],
  957                     self.bootstrapper.reader_role_id),
  958                 headers=self.headers,
  959                 expected_status_code=http.client.FORBIDDEN
  960             )
  961 
  962     def test_cannot_check_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
  963         group_domain_id = self.domain_id
  964         project_domain_id = CONF.identity.default_domain_id
  965         role_domain_id = CONF.identity.default_domain_id
  966 
  967         role = PROVIDERS.role_api.create_role(
  968             uuid.uuid4().hex,
  969             unit.new_role_ref(domain_id=role_domain_id))
  970 
  971         group = PROVIDERS.identity_api.create_group(
  972             unit.new_group_ref(domain_id=group_domain_id)
  973         )
  974 
  975         project = PROVIDERS.resource_api.create_project(
  976             uuid.uuid4().hex, unit.new_project_ref(domain_id=project_domain_id)
  977         )
  978 
  979         # NOTE(cmurphy) the grant for a domain-specific role cannot be created
  980         # for a project in a different domain, so we don't try to create it,
  981         # but we still need to test that checking the role results in a 403 and
  982         # not a 404
  983 
  984         with self.test_client() as c:
  985             c.get(
  986                 '/v3/projects/%s/groups/%s/roles/%s' % (
  987                     project['id'], group['id'],
  988                     role['id']),
  989                 headers=self.headers,
  990                 expected_status_code=http.client.FORBIDDEN
  991             )
  992 
  993     def test_cannot_check_grant_for_group_own_domain_on_other_domain(self):
  994         group_domain_id = self.domain_id
  995         domain_id = CONF.identity.default_domain_id
  996 
  997         group = PROVIDERS.identity_api.create_group(
  998             unit.new_group_ref(domain_id=group_domain_id)
  999         )
 1000 
 1001         PROVIDERS.assignment_api.create_grant(
 1002             self.bootstrapper.reader_role_id, group_id=group['id'],
 1003             domain_id=domain_id
 1004         )
 1005 
 1006         with self.test_client() as c:
 1007             c.get(
 1008                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1009                     domain_id, group['id'],
 1010                     self.bootstrapper.reader_role_id),
 1011                 headers=self.headers,
 1012                 expected_status_code=http.client.FORBIDDEN
 1013             )
 1014 
 1015     def test_cannot_check_grant_for_group_other_domain_on_own_domain(self):
 1016         group_domain_id = CONF.identity.default_domain_id
 1017         domain_id = self.domain_id
 1018 
 1019         group = PROVIDERS.identity_api.create_group(
 1020             unit.new_group_ref(domain_id=group_domain_id)
 1021         )
 1022 
 1023         PROVIDERS.assignment_api.create_grant(
 1024             self.bootstrapper.reader_role_id, group_id=group['id'],
 1025             domain_id=domain_id
 1026         )
 1027 
 1028         with self.test_client() as c:
 1029             c.get(
 1030                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1031                     domain_id, group['id'],
 1032                     self.bootstrapper.reader_role_id),
 1033                 headers=self.headers,
 1034                 expected_status_code=http.client.FORBIDDEN
 1035             )
 1036 
 1037     def test_cannot_check_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
 1038         group_domain_id = self.domain_id
 1039         domain_id = self.domain_id
 1040         role_domain_id = CONF.identity.default_domain_id
 1041 
 1042         role = PROVIDERS.role_api.create_role(
 1043             uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
 1044 
 1045         group = PROVIDERS.identity_api.create_group(
 1046             unit.new_group_ref(domain_id=group_domain_id)
 1047         )
 1048 
 1049         # NOTE(cmurphy) the grant for a domain-specific role cannot be created
 1050         # for a project in a different domain, so we don't try to create it,
 1051         # but we still need to test that checking the role results in a 403 and
 1052         # not a 404
 1053 
 1054         with self.test_client() as c:
 1055             c.get(
 1056                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1057                     domain_id, group['id'],
 1058                     role['id']),
 1059                 headers=self.headers,
 1060                 expected_status_code=http.client.FORBIDDEN
 1061             )
 1062 
 1063     def test_cannot_create_grant_for_user_other_domain_on_project_own_domain(self):  # noqa: E501
 1064         user_domain_id = CONF.identity.default_domain_id
 1065         project_domain_id = self.domain_id
 1066 
 1067         user = PROVIDERS.identity_api.create_user(
 1068             unit.new_user_ref(domain_id=user_domain_id)
 1069         )
 1070 
 1071         project = PROVIDERS.resource_api.create_project(
 1072             uuid.uuid4().hex, unit.new_project_ref(
 1073                 domain_id=project_domain_id
 1074             )
 1075         )
 1076 
 1077         with self.test_client() as c:
 1078             c.put(
 1079                 '/v3/projects/%s/users/%s/roles/%s' % (
 1080                     project['id'], user['id'], self.bootstrapper.reader_role_id
 1081                 ),
 1082                 headers=self.headers,
 1083                 expected_status_code=http.client.FORBIDDEN
 1084             )
 1085 
 1086     def test_cannot_create_grant_for_user_own_domain_on_project_other_domain(self):  # noqa: E501
 1087         user_domain_id = self.domain_id
 1088         project_domain_id = CONF.identity.default_domain_id
 1089 
 1090         user = PROVIDERS.identity_api.create_user(
 1091             unit.new_user_ref(domain_id=user_domain_id)
 1092         )
 1093 
 1094         project = PROVIDERS.resource_api.create_project(
 1095             uuid.uuid4().hex, unit.new_project_ref(
 1096                 domain_id=project_domain_id
 1097             )
 1098         )
 1099 
 1100         with self.test_client() as c:
 1101             c.put(
 1102                 '/v3/projects/%s/users/%s/roles/%s' % (
 1103                     project['id'], user['id'], self.bootstrapper.reader_role_id
 1104                 ),
 1105                 headers=self.headers,
 1106                 expected_status_code=http.client.FORBIDDEN
 1107             )
 1108 
 1109     def test_cannot_create_grant_for_user_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
 1110         user_domain_id = self.domain_id
 1111         project_domain_id = self.domain_id
 1112         role_domain_id = CONF.identity.default_domain_id
 1113 
 1114         role = PROVIDERS.role_api.create_role(
 1115             uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
 1116 
 1117         user = PROVIDERS.identity_api.create_user(
 1118             unit.new_user_ref(domain_id=user_domain_id)
 1119         )
 1120 
 1121         project = PROVIDERS.resource_api.create_project(
 1122             uuid.uuid4().hex, unit.new_project_ref(
 1123                 domain_id=project_domain_id
 1124             )
 1125         )
 1126         with self.test_client() as c:
 1127             c.put(
 1128                 '/v3/projects/%s/users/%s/roles/%s' % (
 1129                     project['id'], user['id'], role['id']
 1130                 ),
 1131                 headers=self.headers,
 1132                 expected_status_code=http.client.FORBIDDEN
 1133             )
 1134 
 1135     def test_cannot_create_grant_for_user_other_domain_on_own_domain(self):
 1136         user_domain_id = CONF.identity.default_domain_id
 1137         domain_id = self.domain_id
 1138 
 1139         user = PROVIDERS.identity_api.create_user(
 1140             unit.new_user_ref(domain_id=user_domain_id)
 1141         )
 1142 
 1143         with self.test_client() as c:
 1144             c.put(
 1145                 '/v3/domains/%s/users/%s/roles/%s' % (
 1146                     domain_id, user['id'], self.bootstrapper.reader_role_id
 1147                 ),
 1148                 headers=self.headers,
 1149                 expected_status_code=http.client.FORBIDDEN
 1150             )
 1151 
 1152     def test_cannot_create_grant_for_user_own_domain_on_other_domain(self):
 1153         user_domain_id = self.domain_id
 1154         domain_id = CONF.identity.default_domain_id
 1155 
 1156         user = PROVIDERS.identity_api.create_user(
 1157             unit.new_user_ref(domain_id=user_domain_id)
 1158         )
 1159 
 1160         with self.test_client() as c:
 1161             c.put(
 1162                 '/v3/domains/%s/users/%s/roles/%s' % (
 1163                     domain_id, user['id'], self.bootstrapper.reader_role_id
 1164                 ),
 1165                 headers=self.headers,
 1166                 expected_status_code=http.client.FORBIDDEN
 1167             )
 1168 
 1169     def test_cannot_create_grant_for_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
 1170         user_domain_id = self.domain_id
 1171         domain_id = self.domain_id
 1172         role_domain_id = CONF.identity.default_domain_id
 1173 
 1174         role = PROVIDERS.role_api.create_role(
 1175             uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
 1176 
 1177         user = PROVIDERS.identity_api.create_user(
 1178             unit.new_user_ref(domain_id=user_domain_id)
 1179         )
 1180 
 1181         with self.test_client() as c:
 1182             c.put(
 1183                 '/v3/domains/%s/users/%s/roles/%s' % (
 1184                     domain_id, user['id'], role['id']
 1185                 ),
 1186                 headers=self.headers,
 1187                 expected_status_code=http.client.FORBIDDEN
 1188             )
 1189 
 1190     def test_cannot_create_grant_for_group_other_domain_on_project_own_domain(self):  # noqa: E501
 1191         group_domain_id = CONF.identity.default_domain_id
 1192         project_domain_id = self.domain_id
 1193 
 1194         group = PROVIDERS.identity_api.create_group(
 1195             unit.new_group_ref(domain_id=group_domain_id)
 1196         )
 1197 
 1198         project = PROVIDERS.resource_api.create_project(
 1199             uuid.uuid4().hex, unit.new_project_ref(
 1200                 domain_id=project_domain_id
 1201             )
 1202         )
 1203 
 1204         with self.test_client() as c:
 1205             c.put(
 1206                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1207                     project['id'],
 1208                     group['id'],
 1209                     self.bootstrapper.reader_role_id
 1210                 ),
 1211                 headers=self.headers,
 1212                 expected_status_code=http.client.FORBIDDEN
 1213             )
 1214 
 1215     def test_cannot_create_grant_for_group_own_domain_on_project_other_domain(self):  # noqa: E501
 1216         group_domain_id = self.domain_id
 1217         project_domain_id = CONF.identity.default_domain_id
 1218 
 1219         group = PROVIDERS.identity_api.create_group(
 1220             unit.new_group_ref(domain_id=group_domain_id)
 1221         )
 1222 
 1223         project = PROVIDERS.resource_api.create_project(
 1224             uuid.uuid4().hex, unit.new_project_ref(
 1225                 domain_id=project_domain_id
 1226             )
 1227         )
 1228 
 1229         with self.test_client() as c:
 1230             c.put(
 1231                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1232                     project['id'],
 1233                     group['id'],
 1234                     self.bootstrapper.reader_role_id
 1235                 ),
 1236                 headers=self.headers,
 1237                 expected_status_code=http.client.FORBIDDEN
 1238             )
 1239 
 1240     def test_cannot_create_grant_for_group_own_domain_on_project_own_domain_with_role_other_domain(self):  # noqa: E501
 1241         group_domain_id = self.domain_id
 1242         project_domain_id = self.domain_id
 1243         role_domain_id = CONF.identity.default_domain_id
 1244 
 1245         role = PROVIDERS.role_api.create_role(
 1246             uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
 1247 
 1248         group = PROVIDERS.identity_api.create_group(
 1249             unit.new_group_ref(domain_id=group_domain_id)
 1250         )
 1251 
 1252         project = PROVIDERS.resource_api.create_project(
 1253             uuid.uuid4().hex, unit.new_project_ref(
 1254                 domain_id=project_domain_id
 1255             )
 1256         )
 1257 
 1258         with self.test_client() as c:
 1259             c.put(
 1260                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1261                     project['id'],
 1262                     group['id'],
 1263                     role['id']
 1264                 ),
 1265                 headers=self.headers,
 1266                 expected_status_code=http.client.FORBIDDEN
 1267             )
 1268 
 1269     def test_cannot_create_grant_for_group_other_domain_on_own_domain(self):
 1270         group_domain_id = CONF.identity.default_domain_id
 1271         domain_id = self.domain_id
 1272 
 1273         group = PROVIDERS.identity_api.create_group(
 1274             unit.new_group_ref(domain_id=group_domain_id)
 1275         )
 1276 
 1277         with self.test_client() as c:
 1278             c.put(
 1279                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1280                     domain_id, group['id'], self.bootstrapper.reader_role_id
 1281                 ),
 1282                 headers=self.headers,
 1283                 expected_status_code=http.client.FORBIDDEN
 1284             )
 1285 
 1286     def test_cannot_create_grant_for_group_own_domain_on_other_domain(self):
 1287         group_domain_id = self.domain_id
 1288         domain_id = CONF.identity.default_domain_id
 1289 
 1290         group = PROVIDERS.identity_api.create_group(
 1291             unit.new_group_ref(domain_id=group_domain_id)
 1292         )
 1293 
 1294         with self.test_client() as c:
 1295             c.put(
 1296                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1297                     domain_id, group['id'], self.bootstrapper.reader_role_id
 1298                 ),
 1299                 headers=self.headers,
 1300                 expected_status_code=http.client.FORBIDDEN
 1301             )
 1302 
 1303     def test_cannot_create_grant_for_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
 1304         group_domain_id = self.domain_id
 1305         domain_id = self.domain_id
 1306         role_domain_id = CONF.identity.default_domain_id
 1307 
 1308         role = PROVIDERS.role_api.create_role(
 1309             uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
 1310 
 1311         group = PROVIDERS.identity_api.create_group(
 1312             unit.new_group_ref(domain_id=group_domain_id)
 1313         )
 1314 
 1315         with self.test_client() as c:
 1316             c.put(
 1317                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1318                     domain_id, group['id'], role['id']
 1319                 ),
 1320                 headers=self.headers,
 1321                 expected_status_code=http.client.FORBIDDEN
 1322             )
 1323 
 1324     def test_cannot_revoke_grant_from_user_other_domain_on_project_own_domain(self):  # noqa: E501
 1325         user_domain_id = CONF.identity.default_domain_id
 1326         project_domain_id = self.domain_id
 1327 
 1328         user = PROVIDERS.identity_api.create_user(
 1329             unit.new_user_ref(domain_id=user_domain_id)
 1330         )
 1331 
 1332         project = PROVIDERS.resource_api.create_project(
 1333             uuid.uuid4().hex, unit.new_project_ref(
 1334                 domain_id=project_domain_id
 1335             )
 1336         )
 1337 
 1338         PROVIDERS.assignment_api.create_grant(
 1339             self.bootstrapper.reader_role_id, user_id=user['id'],
 1340             project_id=project['id']
 1341         )
 1342 
 1343         with self.test_client() as c:
 1344             c.delete(
 1345                 '/v3/projects/%s/users/%s/roles/%s' % (
 1346                     project['id'], user['id'], self.bootstrapper.reader_role_id
 1347                 ),
 1348                 headers=self.headers,
 1349                 expected_status_code=http.client.FORBIDDEN
 1350             )
 1351 
 1352     def test_cannot_revoke_grant_from_user_own_domain_on_project_other_domain(self):  # noqa: E501
 1353         user_domain_id = self.domain_id
 1354         project_domain_id = CONF.identity.default_domain_id
 1355 
 1356         user = PROVIDERS.identity_api.create_user(
 1357             unit.new_user_ref(domain_id=user_domain_id)
 1358         )
 1359 
 1360         project = PROVIDERS.resource_api.create_project(
 1361             uuid.uuid4().hex, unit.new_project_ref(
 1362                 domain_id=project_domain_id
 1363             )
 1364         )
 1365 
 1366         PROVIDERS.assignment_api.create_grant(
 1367             self.bootstrapper.reader_role_id, user_id=user['id'],
 1368             project_id=project['id']
 1369         )
 1370 
 1371         with self.test_client() as c:
 1372             c.delete(
 1373                 '/v3/projects/%s/users/%s/roles/%s' % (
 1374                     project['id'], user['id'], self.bootstrapper.reader_role_id
 1375                 ),
 1376                 headers=self.headers,
 1377                 expected_status_code=http.client.FORBIDDEN
 1378             )
 1379 
 1380     def test_cannot_revoke_grant_from_user_other_domain_on_own_domain(self):
 1381         user_domain_id = CONF.identity.default_domain_id
 1382         domain_id = self.domain_id
 1383 
 1384         user = PROVIDERS.identity_api.create_user(
 1385             unit.new_user_ref(domain_id=user_domain_id)
 1386         )
 1387 
 1388         PROVIDERS.assignment_api.create_grant(
 1389             self.bootstrapper.reader_role_id, user_id=user['id'],
 1390             domain_id=domain_id
 1391         )
 1392 
 1393         with self.test_client() as c:
 1394             c.delete(
 1395                 '/v3/domains/%s/users/%s/roles/%s' % (
 1396                     domain_id, user['id'], self.bootstrapper.reader_role_id
 1397                 ),
 1398                 headers=self.headers,
 1399                 expected_status_code=http.client.FORBIDDEN
 1400             )
 1401 
 1402     def test_cannot_revoke_grant_from_user_own_domain_on_other_domain(self):
 1403         user_domain_id = self.domain_id
 1404         domain_id = CONF.identity.default_domain_id
 1405 
 1406         user = PROVIDERS.identity_api.create_user(
 1407             unit.new_user_ref(domain_id=user_domain_id)
 1408         )
 1409 
 1410         PROVIDERS.assignment_api.create_grant(
 1411             self.bootstrapper.reader_role_id, user_id=user['id'],
 1412             domain_id=domain_id
 1413         )
 1414 
 1415         with self.test_client() as c:
 1416             c.delete(
 1417                 '/v3/domains/%s/users/%s/roles/%s' % (
 1418                     domain_id, user['id'], self.bootstrapper.reader_role_id
 1419                 ),
 1420                 headers=self.headers,
 1421                 expected_status_code=http.client.FORBIDDEN
 1422             )
 1423 
 1424     def test_cannot_revoke_grant_from_user_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
 1425         user_domain_id = self.domain_id
 1426         domain_id = self.domain_id
 1427         role_domain_id = CONF.identity.default_domain_id
 1428 
 1429         role = PROVIDERS.role_api.create_role(
 1430             uuid.uuid4().hex, unit.new_role_ref(domain_id=role_domain_id))
 1431 
 1432         user = PROVIDERS.identity_api.create_user(
 1433             unit.new_user_ref(domain_id=user_domain_id)
 1434         )
 1435 
 1436         PROVIDERS.assignment_api.create_grant(
 1437             role['id'], user_id=user['id'],
 1438             domain_id=domain_id
 1439         )
 1440 
 1441         with self.test_client() as c:
 1442             c.delete(
 1443                 '/v3/domains/%s/users/%s/roles/%s' % (
 1444                     domain_id, user['id'], role['id']
 1445                 ),
 1446                 headers=self.headers,
 1447                 expected_status_code=http.client.FORBIDDEN
 1448             )
 1449 
 1450     def test_cannot_revoke_grant_from_group_other_domain_on_project_own_domain(self):  # noqa: E501
 1451         group_domain_id = CONF.identity.default_domain_id
 1452         project_domain_id = self.domain_id
 1453 
 1454         group = PROVIDERS.identity_api.create_group(
 1455             unit.new_group_ref(domain_id=group_domain_id)
 1456         )
 1457 
 1458         project = PROVIDERS.resource_api.create_project(
 1459             uuid.uuid4().hex, unit.new_project_ref(
 1460                 domain_id=project_domain_id
 1461             )
 1462         )
 1463 
 1464         PROVIDERS.assignment_api.create_grant(
 1465             self.bootstrapper.reader_role_id, group_id=group['id'],
 1466             project_id=project['id']
 1467         )
 1468 
 1469         with self.test_client() as c:
 1470             c.delete(
 1471                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1472                     project['id'],
 1473                     group['id'],
 1474                     self.bootstrapper.reader_role_id
 1475                 ),
 1476                 headers=self.headers,
 1477                 expected_status_code=http.client.FORBIDDEN
 1478             )
 1479 
 1480     def test_cannot_revoke_grant_from_group_own_domain_on_project_other_domain(self):  # noqa: E501
 1481         group_domain_id = self.domain_id
 1482         project_domain_id = CONF.identity.default_domain_id
 1483 
 1484         group = PROVIDERS.identity_api.create_group(
 1485             unit.new_group_ref(domain_id=group_domain_id)
 1486         )
 1487 
 1488         project = PROVIDERS.resource_api.create_project(
 1489             uuid.uuid4().hex, unit.new_project_ref(
 1490                 domain_id=project_domain_id
 1491             )
 1492         )
 1493 
 1494         PROVIDERS.assignment_api.create_grant(
 1495             self.bootstrapper.reader_role_id, group_id=group['id'],
 1496             project_id=project['id']
 1497         )
 1498 
 1499         with self.test_client() as c:
 1500             c.delete(
 1501                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1502                     project['id'],
 1503                     group['id'],
 1504                     self.bootstrapper.reader_role_id
 1505                 ),
 1506                 headers=self.headers,
 1507                 expected_status_code=http.client.FORBIDDEN
 1508             )
 1509 
 1510     def test_cannot_revoke_grant_from_group_other_domain_on_own_domain(self):
 1511         group_domain_id = CONF.identity.default_domain_id
 1512         domain_id = self.domain_id
 1513 
 1514         group = PROVIDERS.identity_api.create_group(
 1515             unit.new_group_ref(domain_id=group_domain_id)
 1516         )
 1517 
 1518         PROVIDERS.assignment_api.create_grant(
 1519             self.bootstrapper.reader_role_id, group_id=group['id'],
 1520             domain_id=domain_id
 1521         )
 1522 
 1523         with self.test_client() as c:
 1524             c.delete(
 1525                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1526                     domain_id, group['id'], self.bootstrapper.reader_role_id
 1527                 ),
 1528                 headers=self.headers,
 1529                 expected_status_code=http.client.FORBIDDEN
 1530             )
 1531 
 1532     def test_cannot_revoke_grant_from_group_own_domain_on_other_domain(self):
 1533         group_domain_id = self.domain_id
 1534         domain_id = CONF.identity.default_domain_id
 1535 
 1536         group = PROVIDERS.identity_api.create_group(
 1537             unit.new_group_ref(domain_id=group_domain_id)
 1538         )
 1539 
 1540         PROVIDERS.assignment_api.create_grant(
 1541             self.bootstrapper.reader_role_id, group_id=group['id'],
 1542             domain_id=domain_id
 1543         )
 1544 
 1545         with self.test_client() as c:
 1546             c.delete(
 1547                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1548                     domain_id, group['id'], self.bootstrapper.reader_role_id
 1549                 ),
 1550                 headers=self.headers,
 1551                 expected_status_code=http.client.FORBIDDEN
 1552             )
 1553 
 1554     def test_cannot_revoke_grant_from_group_own_domain_on_own_domain_with_role_other_domain(self):  # noqa: E501
 1555         group_domain_id = self.domain_id
 1556         domain_id = self.domain_id
 1557         role_domain_id = CONF.identity.default_domain_id
 1558 
 1559         role = PROVIDERS.role_api.create_role(
 1560             uuid.uuid4().hex,
 1561             unit.new_role_ref(domain_id=role_domain_id))
 1562 
 1563         group = PROVIDERS.identity_api.create_group(
 1564             unit.new_group_ref(domain_id=group_domain_id)
 1565         )
 1566 
 1567         PROVIDERS.assignment_api.create_grant(
 1568             role['id'], group_id=group['id'],
 1569             domain_id=domain_id
 1570         )
 1571 
 1572         with self.test_client() as c:
 1573             c.delete(
 1574                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1575                     domain_id, group['id'], role['id']
 1576                 ),
 1577                 headers=self.headers,
 1578                 expected_status_code=http.client.FORBIDDEN
 1579             )
 1580 
 1581 
 1582 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
 1583                         common_auth.AuthTestMixin,
 1584                         _SystemUserGrantTests,
 1585                         _SystemMemberAndReaderGrantTests):
 1586 
 1587     def setUp(self):
 1588         super(SystemReaderTests, self).setUp()
 1589         self.loadapp()
 1590         self.useFixture(ksfixtures.Policy(self.config_fixture))
 1591         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 1592 
 1593         system_reader = unit.new_user_ref(
 1594             domain_id=CONF.identity.default_domain_id
 1595         )
 1596         self.user_id = PROVIDERS.identity_api.create_user(
 1597             system_reader
 1598         )['id']
 1599         PROVIDERS.assignment_api.create_system_grant_for_user(
 1600             self.user_id, self.bootstrapper.reader_role_id
 1601         )
 1602 
 1603         auth = self.build_authentication_request(
 1604             user_id=self.user_id, password=system_reader['password'],
 1605             system=True
 1606         )
 1607 
 1608         # Grab a token using the persona we're testing and prepare headers
 1609         # for requests we'll be making in the tests.
 1610         with self.test_client() as c:
 1611             r = c.post('/v3/auth/tokens', json=auth)
 1612             self.token_id = r.headers['X-Subject-Token']
 1613             self.headers = {'X-Auth-Token': self.token_id}
 1614 
 1615 
 1616 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
 1617                         common_auth.AuthTestMixin,
 1618                         _SystemUserGrantTests,
 1619                         _SystemMemberAndReaderGrantTests):
 1620 
 1621     def setUp(self):
 1622         super(SystemMemberTests, self).setUp()
 1623         self.loadapp()
 1624         self.useFixture(ksfixtures.Policy(self.config_fixture))
 1625         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 1626 
 1627         system_member = unit.new_user_ref(
 1628             domain_id=CONF.identity.default_domain_id
 1629         )
 1630         self.user_id = PROVIDERS.identity_api.create_user(
 1631             system_member
 1632         )['id']
 1633         PROVIDERS.assignment_api.create_system_grant_for_user(
 1634             self.user_id, self.bootstrapper.member_role_id
 1635         )
 1636 
 1637         auth = self.build_authentication_request(
 1638             user_id=self.user_id, password=system_member['password'],
 1639             system=True
 1640         )
 1641 
 1642         # Grab a token using the persona we're testing and prepare headers
 1643         # for requests we'll be making in the tests.
 1644         with self.test_client() as c:
 1645             r = c.post('/v3/auth/tokens', json=auth)
 1646             self.token_id = r.headers['X-Subject-Token']
 1647             self.headers = {'X-Auth-Token': self.token_id}
 1648 
 1649 
 1650 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
 1651                        common_auth.AuthTestMixin,
 1652                        _SystemUserGrantTests):
 1653 
 1654     def setUp(self):
 1655         super(SystemAdminTests, self).setUp()
 1656         self.loadapp()
 1657         self.useFixture(ksfixtures.Policy(self.config_fixture))
 1658         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 1659 
 1660         self.user_id = self.bootstrapper.admin_user_id
 1661         auth = self.build_authentication_request(
 1662             user_id=self.user_id,
 1663             password=self.bootstrapper.admin_password,
 1664             system=True
 1665         )
 1666 
 1667         # Grab a token using the persona we're testing and prepare headers
 1668         # for requests we'll be making in the tests.
 1669         with self.test_client() as c:
 1670             r = c.post('/v3/auth/tokens', json=auth)
 1671             self.token_id = r.headers['X-Subject-Token']
 1672             self.headers = {'X-Auth-Token': self.token_id}
 1673 
 1674     def test_can_create_grant_for_user_on_project(self):
 1675         user = PROVIDERS.identity_api.create_user(
 1676             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1677         )
 1678 
 1679         project = PROVIDERS.resource_api.create_project(
 1680             uuid.uuid4().hex, unit.new_project_ref(
 1681                 domain_id=CONF.identity.default_domain_id
 1682             )
 1683         )
 1684 
 1685         with self.test_client() as c:
 1686             c.put(
 1687                 '/v3/projects/%s/users/%s/roles/%s' % (
 1688                     project['id'], user['id'], self.bootstrapper.reader_role_id
 1689                 ),
 1690                 headers=self.headers
 1691             )
 1692 
 1693     def test_can_create_grant_for_user_on_domain(self):
 1694         user = PROVIDERS.identity_api.create_user(
 1695             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1696         )
 1697 
 1698         domain = PROVIDERS.resource_api.create_domain(
 1699             uuid.uuid4().hex, unit.new_domain_ref()
 1700         )
 1701 
 1702         with self.test_client() as c:
 1703             c.put(
 1704                 '/v3/domains/%s/users/%s/roles/%s' % (
 1705                     domain['id'], user['id'], self.bootstrapper.reader_role_id
 1706                 ),
 1707                 headers=self.headers
 1708             )
 1709 
 1710     def test_can_create_grant_for_group_on_project(self):
 1711         group = PROVIDERS.identity_api.create_group(
 1712             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 1713         )
 1714 
 1715         project = PROVIDERS.resource_api.create_project(
 1716             uuid.uuid4().hex, unit.new_project_ref(
 1717                 domain_id=CONF.identity.default_domain_id
 1718             )
 1719         )
 1720 
 1721         with self.test_client() as c:
 1722             c.put(
 1723                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1724                     project['id'],
 1725                     group['id'],
 1726                     self.bootstrapper.reader_role_id
 1727                 ),
 1728                 headers=self.headers
 1729             )
 1730 
 1731     def test_can_create_grant_for_group_on_domain(self):
 1732         group = PROVIDERS.identity_api.create_group(
 1733             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 1734         )
 1735 
 1736         domain = PROVIDERS.resource_api.create_domain(
 1737             uuid.uuid4().hex, unit.new_domain_ref()
 1738         )
 1739 
 1740         with self.test_client() as c:
 1741             c.put(
 1742                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1743                     domain['id'], group['id'], self.bootstrapper.reader_role_id
 1744                 ),
 1745                 headers=self.headers
 1746             )
 1747 
 1748     def test_can_revoke_grant_from_user_on_project(self):
 1749         user = PROVIDERS.identity_api.create_user(
 1750             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1751         )
 1752 
 1753         project = PROVIDERS.resource_api.create_project(
 1754             uuid.uuid4().hex, unit.new_project_ref(
 1755                 domain_id=CONF.identity.default_domain_id
 1756             )
 1757         )
 1758 
 1759         PROVIDERS.assignment_api.create_grant(
 1760             self.bootstrapper.reader_role_id, user_id=user['id'],
 1761             project_id=project['id']
 1762         )
 1763 
 1764         with self.test_client() as c:
 1765             c.delete(
 1766                 '/v3/projects/%s/users/%s/roles/%s' % (
 1767                     project['id'], user['id'], self.bootstrapper.reader_role_id
 1768                 ),
 1769                 headers=self.headers
 1770             )
 1771 
 1772     def test_can_revoke_grant_from_user_on_domain(self):
 1773         user = PROVIDERS.identity_api.create_user(
 1774             unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
 1775         )
 1776 
 1777         domain = PROVIDERS.resource_api.create_domain(
 1778             uuid.uuid4().hex, unit.new_domain_ref()
 1779         )
 1780 
 1781         PROVIDERS.assignment_api.create_grant(
 1782             self.bootstrapper.reader_role_id, user_id=user['id'],
 1783             domain_id=domain['id']
 1784         )
 1785 
 1786         with self.test_client() as c:
 1787             c.delete(
 1788                 '/v3/domains/%s/users/%s/roles/%s' % (
 1789                     domain['id'], user['id'], self.bootstrapper.reader_role_id
 1790                 ),
 1791                 headers=self.headers
 1792             )
 1793 
 1794     def test_can_revoke_grant_from_group_on_project(self):
 1795         group = PROVIDERS.identity_api.create_group(
 1796             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 1797         )
 1798 
 1799         project = PROVIDERS.resource_api.create_project(
 1800             uuid.uuid4().hex, unit.new_project_ref(
 1801                 domain_id=CONF.identity.default_domain_id
 1802             )
 1803         )
 1804 
 1805         PROVIDERS.assignment_api.create_grant(
 1806             self.bootstrapper.reader_role_id, group_id=group['id'],
 1807             project_id=project['id']
 1808         )
 1809 
 1810         with self.test_client() as c:
 1811             c.delete(
 1812                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1813                     project['id'],
 1814                     group['id'],
 1815                     self.bootstrapper.reader_role_id
 1816                 ),
 1817                 headers=self.headers
 1818             )
 1819 
 1820     def test_can_revoke_grant_from_group_on_domain(self):
 1821         group = PROVIDERS.identity_api.create_group(
 1822             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 1823         )
 1824 
 1825         domain = PROVIDERS.resource_api.create_domain(
 1826             uuid.uuid4().hex, unit.new_domain_ref()
 1827         )
 1828 
 1829         PROVIDERS.assignment_api.create_grant(
 1830             self.bootstrapper.reader_role_id, group_id=group['id'],
 1831             domain_id=domain['id']
 1832         )
 1833 
 1834         with self.test_client() as c:
 1835             c.delete(
 1836                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1837                     domain['id'], group['id'], self.bootstrapper.reader_role_id
 1838                 ),
 1839                 headers=self.headers
 1840             )
 1841 
 1842 
 1843 class _DomainMemberAndReaderTests(object):
 1844 
 1845     def test_cannot_create_grant_for_user_on_project(self):
 1846         user = PROVIDERS.identity_api.create_user(
 1847             unit.new_user_ref(domain_id=self.domain_id)
 1848         )
 1849 
 1850         project = PROVIDERS.resource_api.create_project(
 1851             uuid.uuid4().hex, unit.new_project_ref(
 1852                 domain_id=CONF.identity.default_domain_id
 1853             )
 1854         )
 1855 
 1856         with self.test_client() as c:
 1857             c.put(
 1858                 '/v3/projects/%s/users/%s/roles/%s' % (
 1859                     project['id'], user['id'], self.bootstrapper.reader_role_id
 1860                 ),
 1861                 headers=self.headers,
 1862                 expected_status_code=http.client.FORBIDDEN
 1863             )
 1864 
 1865     def test_cannot_create_grant_for_user_on_domain(self):
 1866         user = PROVIDERS.identity_api.create_user(
 1867             unit.new_user_ref(domain_id=self.domain_id)
 1868         )
 1869 
 1870         domain = PROVIDERS.resource_api.create_domain(
 1871             uuid.uuid4().hex, unit.new_domain_ref()
 1872         )
 1873 
 1874         with self.test_client() as c:
 1875             c.put(
 1876                 '/v3/domains/%s/users/%s/roles/%s' % (
 1877                     domain['id'], user['id'], self.bootstrapper.reader_role_id
 1878                 ),
 1879                 headers=self.headers,
 1880                 expected_status_code=http.client.FORBIDDEN
 1881             )
 1882 
 1883     def test_cannot_create_grant_for_group_on_project(self):
 1884         group = PROVIDERS.identity_api.create_group(
 1885             unit.new_group_ref(domain_id=self.domain_id)
 1886         )
 1887 
 1888         project = PROVIDERS.resource_api.create_project(
 1889             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
 1890         )
 1891 
 1892         with self.test_client() as c:
 1893             c.put(
 1894                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1895                     project['id'],
 1896                     group['id'],
 1897                     self.bootstrapper.reader_role_id
 1898                 ),
 1899                 headers=self.headers,
 1900                 expected_status_code=http.client.FORBIDDEN
 1901             )
 1902 
 1903     def test_cannot_create_grant_for_group_on_domain(self):
 1904         group = PROVIDERS.identity_api.create_group(
 1905             unit.new_group_ref(domain_id=self.domain_id)
 1906         )
 1907 
 1908         domain = PROVIDERS.resource_api.create_domain(
 1909             uuid.uuid4().hex, unit.new_domain_ref()
 1910         )
 1911 
 1912         with self.test_client() as c:
 1913             c.put(
 1914                 '/v3/domains/%s/groups/%s/roles/%s' % (
 1915                     domain['id'], group['id'], self.bootstrapper.reader_role_id
 1916                 ),
 1917                 headers=self.headers,
 1918                 expected_status_code=http.client.FORBIDDEN
 1919             )
 1920 
 1921     def test_cannot_revoke_grant_from_user_on_project(self):
 1922         user = PROVIDERS.identity_api.create_user(
 1923             unit.new_user_ref(domain_id=self.domain_id)
 1924         )
 1925 
 1926         project = PROVIDERS.resource_api.create_project(
 1927             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
 1928         )
 1929 
 1930         PROVIDERS.assignment_api.create_grant(
 1931             self.bootstrapper.reader_role_id, user_id=user['id'],
 1932             project_id=project['id']
 1933         )
 1934 
 1935         with self.test_client() as c:
 1936             c.delete(
 1937                 '/v3/projects/%s/users/%s/roles/%s' % (
 1938                     project['id'], user['id'], self.bootstrapper.reader_role_id
 1939                 ),
 1940                 headers=self.headers,
 1941                 expected_status_code=http.client.FORBIDDEN
 1942             )
 1943 
 1944     def test_cannot_revoke_grant_from_user_on_domain(self):
 1945         user = PROVIDERS.identity_api.create_user(
 1946             unit.new_user_ref(domain_id=self.domain_id)
 1947         )
 1948 
 1949         domain = PROVIDERS.resource_api.create_domain(
 1950             uuid.uuid4().hex, unit.new_domain_ref()
 1951         )
 1952 
 1953         PROVIDERS.assignment_api.create_grant(
 1954             self.bootstrapper.reader_role_id, user_id=user['id'],
 1955             domain_id=domain['id']
 1956         )
 1957 
 1958         with self.test_client() as c:
 1959             c.delete(
 1960                 '/v3/domains/%s/users/%s/roles/%s' % (
 1961                     domain['id'], user['id'], self.bootstrapper.reader_role_id
 1962                 ),
 1963                 headers=self.headers,
 1964                 expected_status_code=http.client.FORBIDDEN
 1965             )
 1966 
 1967     def test_cannot_revoke_grant_from_group_on_project(self):
 1968         group = PROVIDERS.identity_api.create_group(
 1969             unit.new_group_ref(domain_id=self.domain_id)
 1970         )
 1971 
 1972         project = PROVIDERS.resource_api.create_project(
 1973             uuid.uuid4().hex, unit.new_project_ref(
 1974                 domain_id=CONF.identity.default_domain_id
 1975             )
 1976         )
 1977 
 1978         PROVIDERS.assignment_api.create_grant(
 1979             self.bootstrapper.reader_role_id, group_id=group['id'],
 1980             project_id=project['id']
 1981         )
 1982 
 1983         with self.test_client() as c:
 1984             c.delete(
 1985                 '/v3/projects/%s/groups/%s/roles/%s' % (
 1986                     project['id'],
 1987                     group['id'],
 1988                     self.bootstrapper.reader_role_id
 1989                 ),
 1990                 headers=self.headers,
 1991                 expected_status_code=http.client.FORBIDDEN
 1992             )
 1993 
 1994     def test_cannot_revoke_grant_from_group_on_domain(self):
 1995         group = PROVIDERS.identity_api.create_group(
 1996             unit.new_group_ref(domain_id=self.domain_id)
 1997         )
 1998 
 1999         domain = PROVIDERS.resource_api.create_domain(
 2000             uuid.uuid4().hex, unit.new_domain_ref()
 2001         )
 2002 
 2003         PROVIDERS.assignment_api.create_grant(
 2004             self.bootstrapper.reader_role_id, group_id=group['id'],
 2005             domain_id=domain['id']
 2006         )
 2007 
 2008         with self.test_client() as c:
 2009             c.delete(
 2010                 '/v3/domains/%s/groups/%s/roles/%s' % (
 2011                     domain['id'], group['id'], self.bootstrapper.reader_role_id
 2012                 ),
 2013                 headers=self.headers,
 2014                 expected_status_code=http.client.FORBIDDEN
 2015             )
 2016 
 2017 
 2018 class DomainReaderTests(base_classes.TestCaseWithBootstrap,
 2019                         common_auth.AuthTestMixin,
 2020                         _DomainUserTests,
 2021                         _DomainMemberAndReaderTests):
 2022 
 2023     def setUp(self):
 2024         super(DomainReaderTests, self).setUp()
 2025         self.loadapp()
 2026         self.useFixture(ksfixtures.Policy(self.config_fixture))
 2027         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 2028 
 2029         domain = PROVIDERS.resource_api.create_domain(
 2030             uuid.uuid4().hex, unit.new_domain_ref()
 2031         )
 2032         self.domain_id = domain['id']
 2033         domain_user = unit.new_user_ref(domain_id=self.domain_id)
 2034         self.user_id = PROVIDERS.identity_api.create_user(domain_user)['id']
 2035         PROVIDERS.assignment_api.create_grant(
 2036             self.bootstrapper.reader_role_id, user_id=self.user_id,
 2037             domain_id=self.domain_id
 2038         )
 2039 
 2040         auth = self.build_authentication_request(
 2041             user_id=self.user_id, password=domain_user['password'],
 2042             domain_id=self.domain_id
 2043         )
 2044 
 2045         # Grab a token using the persona we're testing and prepare headers
 2046         # for requests we'll be making in the tests.
 2047         with self.test_client() as c:
 2048             r = c.post('/v3/auth/tokens', json=auth)
 2049             self.token_id = r.headers['X-Subject-Token']
 2050             self.headers = {'X-Auth-Token': self.token_id}
 2051 
 2052 
 2053 class DomainMemberTests(base_classes.TestCaseWithBootstrap,
 2054                         common_auth.AuthTestMixin,
 2055                         _DomainUserTests,
 2056                         _DomainMemberAndReaderTests):
 2057 
 2058     def setUp(self):
 2059         super(DomainMemberTests, self).setUp()
 2060         self.loadapp()
 2061         self.useFixture(ksfixtures.Policy(self.config_fixture))
 2062         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 2063         domain = PROVIDERS.resource_api.create_domain(
 2064             uuid.uuid4().hex, unit.new_domain_ref()
 2065         )
 2066         self.domain_id = domain['id']
 2067         domain_user = unit.new_user_ref(domain_id=self.domain_id)
 2068         self.user_id = PROVIDERS.identity_api.create_user(domain_user)['id']
 2069         PROVIDERS.assignment_api.create_grant(
 2070             self.bootstrapper.member_role_id, user_id=self.user_id,
 2071             domain_id=self.domain_id
 2072         )
 2073 
 2074         auth = self.build_authentication_request(
 2075             user_id=self.user_id, password=domain_user['password'],
 2076             domain_id=self.domain_id
 2077         )
 2078 
 2079         # Grab a token using the persona we're testing and prepare headers
 2080         # for requests we'll be making in the tests.
 2081         with self.test_client() as c:
 2082             r = c.post('/v3/auth/tokens', json=auth)
 2083             self.token_id = r.headers['X-Subject-Token']
 2084             self.headers = {'X-Auth-Token': self.token_id}
 2085 
 2086 
 2087 class DomainAdminTests(base_classes.TestCaseWithBootstrap,
 2088                        common_auth.AuthTestMixin,
 2089                        _DomainUserTests):
 2090 
 2091     def setUp(self):
 2092         super(DomainAdminTests, self).setUp()
 2093         self.loadapp()
 2094         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
 2095         self.policy_file_name = self.policy_file.file_name
 2096         self.useFixture(
 2097             ksfixtures.Policy(
 2098                 self.config_fixture, policy_file=self.policy_file_name
 2099             )
 2100         )
 2101         self._override_policy()
 2102         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 2103 
 2104         domain = PROVIDERS.resource_api.create_domain(
 2105             uuid.uuid4().hex, unit.new_domain_ref()
 2106         )
 2107         self.domain_id = domain['id']
 2108         domain_admin = unit.new_user_ref(domain_id=self.domain_id)
 2109         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
 2110         PROVIDERS.assignment_api.create_grant(
 2111             self.bootstrapper.admin_role_id, user_id=self.user_id,
 2112             domain_id=self.domain_id
 2113         )
 2114 
 2115         auth = self.build_authentication_request(
 2116             user_id=self.user_id,
 2117             password=domain_admin['password'],
 2118             domain_id=self.domain_id
 2119         )
 2120 
 2121         # Grab a token using the persona we're testing and prepare headers
 2122         # for requests we'll be making in the tests.
 2123         with self.test_client() as c:
 2124             r = c.post('/v3/auth/tokens', json=auth)
 2125             self.token_id = r.headers['X-Subject-Token']
 2126             self.headers = {'X-Auth-Token': self.token_id}
 2127 
 2128     def _override_policy(self):
 2129         # TODO(lbragstad): Remove this once the deprecated policies in
 2130         # keystone.common.policies.grant have been removed. This is only
 2131         # here to make sure we test the new policies instead of the deprecated
 2132         # ones. Oslo.policy will OR deprecated policies with new policies to
 2133         # maintain compatibility and give operators a chance to update
 2134         # permissions or update policies without breaking users. This will
 2135         # cause these specific tests to fail since we're trying to correct this
 2136         # broken behavior with better scope checking.
 2137         with open(self.policy_file_name, 'w') as f:
 2138             overridden_policies = {
 2139                 'identity:list_grants': gp.SYSTEM_READER_OR_DOMAIN_READER_LIST,
 2140                 'identity:check_grant': gp.SYSTEM_READER_OR_DOMAIN_READER,
 2141                 'identity:create_grant': gp.SYSTEM_ADMIN_OR_DOMAIN_ADMIN,
 2142                 'identity:revoke_grant': gp.SYSTEM_ADMIN_OR_DOMAIN_ADMIN
 2143             }
 2144             f.write(jsonutils.dumps(overridden_policies))
 2145 
 2146     def test_can_create_grant_for_user_on_project(self):
 2147         user = PROVIDERS.identity_api.create_user(
 2148             unit.new_user_ref(domain_id=self.domain_id)
 2149         )
 2150 
 2151         project = PROVIDERS.resource_api.create_project(
 2152             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
 2153         )
 2154 
 2155         with self.test_client() as c:
 2156             c.put(
 2157                 '/v3/projects/%s/users/%s/roles/%s' % (
 2158                     project['id'], user['id'], self.bootstrapper.reader_role_id
 2159                 ),
 2160                 headers=self.headers
 2161             )
 2162 
 2163     def test_can_create_grant_for_user_own_domain_on_own_domain(self):
 2164         user = PROVIDERS.identity_api.create_user(
 2165             unit.new_user_ref(domain_id=self.domain_id)
 2166         )
 2167 
 2168         with self.test_client() as c:
 2169             c.put(
 2170                 '/v3/domains/%s/users/%s/roles/%s' % (
 2171                     self.domain_id, user['id'],
 2172                     self.bootstrapper.reader_role_id
 2173                 ),
 2174                 headers=self.headers
 2175             )
 2176 
 2177     def test_can_create_grant_for_group_on_project(self):
 2178         group = PROVIDERS.identity_api.create_group(
 2179             unit.new_group_ref(domain_id=self.domain_id)
 2180         )
 2181 
 2182         project = PROVIDERS.resource_api.create_project(
 2183             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
 2184         )
 2185 
 2186         with self.test_client() as c:
 2187             c.put(
 2188                 '/v3/projects/%s/groups/%s/roles/%s' % (
 2189                     project['id'],
 2190                     group['id'],
 2191                     self.bootstrapper.reader_role_id
 2192                 ),
 2193                 headers=self.headers
 2194             )
 2195 
 2196     def test_can_create_grant_for_group_own_domain_on_own_domain(self):
 2197         group = PROVIDERS.identity_api.create_group(
 2198             unit.new_group_ref(domain_id=self.domain_id)
 2199         )
 2200 
 2201         with self.test_client() as c:
 2202             c.put(
 2203                 '/v3/domains/%s/groups/%s/roles/%s' % (
 2204                     self.domain_id, group['id'],
 2205                     self.bootstrapper.reader_role_id
 2206                 ),
 2207                 headers=self.headers
 2208             )
 2209 
 2210     def test_can_revoke_grant_from_user_on_project(self):
 2211         user = PROVIDERS.identity_api.create_user(
 2212             unit.new_user_ref(domain_id=self.domain_id)
 2213         )
 2214 
 2215         project = PROVIDERS.resource_api.create_project(
 2216             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
 2217         )
 2218 
 2219         PROVIDERS.assignment_api.create_grant(
 2220             self.bootstrapper.reader_role_id, user_id=user['id'],
 2221             project_id=project['id']
 2222         )
 2223 
 2224         with self.test_client() as c:
 2225             c.delete(
 2226                 '/v3/projects/%s/users/%s/roles/%s' % (
 2227                     project['id'], user['id'], self.bootstrapper.reader_role_id
 2228                 ),
 2229                 headers=self.headers
 2230             )
 2231 
 2232     def test_can_revoke_grant_from_group_on_project(self):
 2233         group = PROVIDERS.identity_api.create_group(
 2234             unit.new_group_ref(domain_id=self.domain_id)
 2235         )
 2236 
 2237         project = PROVIDERS.resource_api.create_project(
 2238             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
 2239         )
 2240 
 2241         PROVIDERS.assignment_api.create_grant(
 2242             self.bootstrapper.reader_role_id, group_id=group['id'],
 2243             project_id=project['id']
 2244         )
 2245 
 2246         with self.test_client() as c:
 2247             c.delete(
 2248                 '/v3/projects/%s/groups/%s/roles/%s' % (
 2249                     project['id'],
 2250                     group['id'],
 2251                     self.bootstrapper.reader_role_id
 2252                 ),
 2253                 headers=self.headers
 2254             )
 2255 
 2256     def test_cannot_revoke_grant_from_group_on_domain(self):
 2257         group = PROVIDERS.identity_api.create_group(
 2258             unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
 2259         )
 2260 
 2261         domain = PROVIDERS.resource_api.create_domain(
 2262             uuid.uuid4().hex, unit.new_domain_ref()
 2263         )
 2264 
 2265         PROVIDERS.assignment_api.create_grant(
 2266             self.bootstrapper.reader_role_id, group_id=group['id'],
 2267             domain_id=domain['id']
 2268         )
 2269 
 2270         with self.test_client() as c:
 2271             c.delete(
 2272                 '/v3/domains/%s/groups/%s/roles/%s' % (
 2273                     domain['id'], group['id'], self.bootstrapper.reader_role_id
 2274                 ),
 2275                 headers=self.headers,
 2276                 expected_status_code=http.client.FORBIDDEN
 2277             )