"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_implied_roles.py" (13 May 2020, 8453 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_implied_roles.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import http.client
   14 
   15 from keystone.common import provider_api
   16 import keystone.conf
   17 from keystone.tests.common import auth as common_auth
   18 from keystone.tests import unit
   19 from keystone.tests.unit import base_classes
   20 from keystone.tests.unit import ksfixtures
   21 
   22 CONF = keystone.conf.CONF
   23 PROVIDERS = provider_api.ProviderAPIs
   24 
   25 
   26 class _ImpliedRolesSetupMixin(object):
   27     def _create_test_roles(self):
   28         ref = unit.new_role_ref()
   29         role = PROVIDERS.role_api.create_role(ref['id'], ref)
   30         self.prior_role_id = role['id']
   31         ref = unit.new_role_ref()
   32         role = PROVIDERS.role_api.create_role(ref['id'], ref)
   33         self.implied_role_id = role['id']
   34 
   35 
   36 class _SystemUserImpliedRoleTests(object):
   37     """Common default functionality for all system users."""
   38 
   39     def test_user_can_list_implied_roles(self):
   40         PROVIDERS.role_api.create_implied_role(self.prior_role_id,
   41                                                self.implied_role_id)
   42 
   43         with self.test_client() as c:
   44             r = c.get('/v3/roles/%s/implies' % self.prior_role_id,
   45                       headers=self.headers)
   46             self.assertEqual(1, len(r.json['role_inference']['implies']))
   47 
   48     def test_user_can_get_an_implied_role(self):
   49         PROVIDERS.role_api.create_implied_role(self.prior_role_id,
   50                                                self.implied_role_id)
   51 
   52         with self.test_client() as c:
   53             c.get(
   54                 '/v3/roles/%s/implies/%s' % (
   55                     self.prior_role_id, self.implied_role_id),
   56                 headers=self.headers)
   57             c.head(
   58                 '/v3/roles/%s/implies/%s' % (
   59                     self.prior_role_id, self.implied_role_id),
   60                 headers=self.headers,
   61                 expected_status_code=http.client.NO_CONTENT)
   62 
   63     def test_user_can_list_role_inference_rules(self):
   64         PROVIDERS.role_api.create_implied_role(self.prior_role_id,
   65                                                self.implied_role_id)
   66 
   67         with self.test_client() as c:
   68             r = c.get('/v3/role_inferences',
   69                       headers=self.headers)
   70             # There should be three role inferences: two from the defaults and
   71             # one from the test setup
   72             self.assertEqual(3, len(r.json['role_inferences']))
   73 
   74 
   75 class _SystemReaderAndMemberImpliedRoleTests(object):
   76     """Common default functionality for system readers and system members."""
   77 
   78     def test_user_cannot_create_implied_roles(self):
   79         with self.test_client() as c:
   80             c.put(
   81                 '/v3/roles/%s/implies/%s' % (
   82                     self.prior_role_id, self.implied_role_id),
   83                 headers=self.headers,
   84                 expected_status_code=http.client.FORBIDDEN
   85             )
   86 
   87     def test_user_cannot_delete_implied_roles(self):
   88         PROVIDERS.role_api.create_implied_role(self.prior_role_id,
   89                                                self.implied_role_id)
   90 
   91         with self.test_client() as c:
   92             c.delete(
   93                 '/v3/roles/%s/implies/%s' % (
   94                     self.prior_role_id, self.implied_role_id),
   95                 headers=self.headers,
   96                 expected_status_code=http.client.FORBIDDEN
   97             )
   98 
   99 
  100 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  101                         common_auth.AuthTestMixin,
  102                         _ImpliedRolesSetupMixin,
  103                         _SystemUserImpliedRoleTests,
  104                         _SystemReaderAndMemberImpliedRoleTests):
  105 
  106     def setUp(self):
  107         super(SystemReaderTests, self).setUp()
  108         self.loadapp()
  109         self.useFixture(ksfixtures.Policy(self.config_fixture))
  110         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  111 
  112         self._create_test_roles()
  113 
  114         system_reader = unit.new_user_ref(
  115             domain_id=CONF.identity.default_domain_id
  116         )
  117         self.user_id = PROVIDERS.identity_api.create_user(
  118             system_reader
  119         )['id']
  120         PROVIDERS.assignment_api.create_system_grant_for_user(
  121             self.user_id, self.bootstrapper.reader_role_id
  122         )
  123 
  124         auth = self.build_authentication_request(
  125             user_id=self.user_id, password=system_reader['password'],
  126             system=True
  127         )
  128 
  129         # Grab a token using the persona we're testing and prepare headers
  130         # for requests we'll be making in the tests.
  131         with self.test_client() as c:
  132             r = c.post('/v3/auth/tokens', json=auth)
  133             self.token_id = r.headers['X-Subject-Token']
  134             self.headers = {'X-Auth-Token': self.token_id}
  135 
  136 
  137 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
  138                         common_auth.AuthTestMixin,
  139                         _ImpliedRolesSetupMixin,
  140                         _SystemUserImpliedRoleTests,
  141                         _SystemReaderAndMemberImpliedRoleTests):
  142 
  143     def setUp(self):
  144         super(SystemMemberTests, self).setUp()
  145         self.loadapp()
  146         self.useFixture(ksfixtures.Policy(self.config_fixture))
  147         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  148 
  149         self._create_test_roles()
  150 
  151         system_member = unit.new_user_ref(
  152             domain_id=CONF.identity.default_domain_id
  153         )
  154         self.user_id = PROVIDERS.identity_api.create_user(
  155             system_member
  156         )['id']
  157         PROVIDERS.assignment_api.create_system_grant_for_user(
  158             self.user_id, self.bootstrapper.member_role_id
  159         )
  160 
  161         auth = self.build_authentication_request(
  162             user_id=self.user_id, password=system_member['password'],
  163             system=True
  164         )
  165 
  166         # Grab a token using the persona we're testing and prepare headers
  167         # for requests we'll be making in the tests.
  168         with self.test_client() as c:
  169             r = c.post('/v3/auth/tokens', json=auth)
  170             self.token_id = r.headers['X-Subject-Token']
  171             self.headers = {'X-Auth-Token': self.token_id}
  172 
  173 
  174 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
  175                        common_auth.AuthTestMixin,
  176                        _ImpliedRolesSetupMixin,
  177                        _SystemUserImpliedRoleTests):
  178 
  179     def setUp(self):
  180         super(SystemAdminTests, self).setUp()
  181         self.loadapp()
  182         self.useFixture(ksfixtures.Policy(self.config_fixture))
  183         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  184 
  185         self._create_test_roles()
  186 
  187         # Reuse the system administrator account created during
  188         # ``keystone-manage bootstrap``
  189         self.user_id = self.bootstrapper.admin_user_id
  190         auth = self.build_authentication_request(
  191             user_id=self.user_id,
  192             password=self.bootstrapper.admin_password,
  193             system=True
  194         )
  195 
  196         # Grab a token using the persona we're testing and prepare headers
  197         # for requests we'll be making in the tests.
  198         with self.test_client() as c:
  199             r = c.post('/v3/auth/tokens', json=auth)
  200             self.token_id = r.headers['X-Subject-Token']
  201             self.headers = {'X-Auth-Token': self.token_id}
  202 
  203     def test_user_can_create_implied_roles(self):
  204         with self.test_client() as c:
  205             c.put(
  206                 '/v3/roles/%s/implies/%s' % (
  207                     self.prior_role_id, self.implied_role_id),
  208                 headers=self.headers,
  209                 expected_status_code=http.client.CREATED
  210             )
  211 
  212     def test_user_can_delete_implied_roles(self):
  213         PROVIDERS.role_api.create_implied_role(self.prior_role_id,
  214                                                self.implied_role_id)
  215 
  216         with self.test_client() as c:
  217             c.delete(
  218                 '/v3/roles/%s/implies/%s' % (
  219                     self.prior_role_id, self.implied_role_id),
  220                 headers=self.headers
  221             )