"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_mappings.py" (13 May 2020, 17120 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_mappings.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 
   17 from keystone.common import provider_api
   18 import keystone.conf
   19 from keystone.tests.common import auth as common_auth
   20 from keystone.tests import unit
   21 from keystone.tests.unit import base_classes
   22 from keystone.tests.unit import ksfixtures
   23 
   24 CONF = keystone.conf.CONF
   25 PROVIDERS = provider_api.ProviderAPIs
   26 
   27 
   28 class _SystemUserMappingTests(object):
   29     """Common default functionality for all system users."""
   30 
   31     def test_user_can_list_mappings(self):
   32         mapping = unit.new_mapping_ref()
   33         mapping = PROVIDERS.federation_api.create_mapping(
   34             mapping['id'], mapping
   35         )
   36 
   37         with self.test_client() as c:
   38             r = c.get('/v3/OS-FEDERATION/mappings', headers=self.headers)
   39             self.assertEqual(1, len(r.json['mappings']))
   40             self.assertEqual(mapping['id'], r.json['mappings'][0]['id'])
   41 
   42     def test_user_can_get_a_mapping(self):
   43         mapping = unit.new_mapping_ref()
   44         mapping = PROVIDERS.federation_api.create_mapping(
   45             mapping['id'], mapping
   46         )
   47 
   48         with self.test_client() as c:
   49             c.get(
   50                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
   51                 headers=self.headers
   52             )
   53 
   54 
   55 class _SystemReaderAndMemberUserMappingTests(object):
   56     """Common default functionality for system readers and system members."""
   57 
   58     def test_user_cannot_create_mappings(self):
   59         create = {
   60             'mapping': {
   61                 'id': uuid.uuid4().hex,
   62                 'rules': [{
   63                     'local': [{'user': {'name': '{0}'}}],
   64                     'remote': [{'type': 'UserName'}],
   65                 }]
   66             }
   67         }
   68         mapping_id = create['mapping']['id']
   69 
   70         with self.test_client() as c:
   71             c.put(
   72                 '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
   73                 headers=self.headers,
   74                 expected_status_code=http.client.FORBIDDEN
   75             )
   76 
   77     def test_user_cannot_update_mappings(self):
   78         mapping = unit.new_mapping_ref()
   79         mapping = PROVIDERS.federation_api.create_mapping(
   80             mapping['id'], mapping
   81         )
   82 
   83         update = {
   84             'mapping': {
   85                 'rules': [{
   86                     'local': [{'user': {'name': '{0}'}}],
   87                     'remote': [{'type': 'UserName'}],
   88                 }]
   89             }
   90         }
   91 
   92         with self.test_client() as c:
   93             c.patch(
   94                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
   95                 json=update, headers=self.headers,
   96                 expected_status_code=http.client.FORBIDDEN
   97             )
   98 
   99     def test_user_cannot_delete_mappings(self):
  100         mapping = unit.new_mapping_ref()
  101         mapping = PROVIDERS.federation_api.create_mapping(
  102             mapping['id'], mapping
  103         )
  104 
  105         with self.test_client() as c:
  106             c.delete(
  107                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
  108                 headers=self.headers,
  109                 expected_status_code=http.client.FORBIDDEN
  110             )
  111 
  112 
  113 class _DomainAndProjectUserMappingTests(object):
  114 
  115     def test_user_cannot_create_mappings(self):
  116         create = {
  117             'mapping': {
  118                 'id': uuid.uuid4().hex,
  119                 'rules': [{
  120                     'local': [{'user': {'name': '{0}'}}],
  121                     'remote': [{'type': 'UserName'}],
  122                 }]
  123             }
  124         }
  125         mapping_id = create['mapping']['id']
  126 
  127         with self.test_client() as c:
  128             c.put(
  129                 '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
  130                 headers=self.headers,
  131                 expected_status_code=http.client.FORBIDDEN
  132             )
  133 
  134     def test_user_cannot_list_mappings(self):
  135         mapping = unit.new_mapping_ref()
  136         mapping = PROVIDERS.federation_api.create_mapping(
  137             mapping['id'], mapping
  138         )
  139 
  140         with self.test_client() as c:
  141             c.get(
  142                 '/v3/OS-FEDERATION/mappings', headers=self.headers,
  143                 expected_status_code=http.client.FORBIDDEN
  144             )
  145 
  146     def test_user_cannot_get_a_mapping(self):
  147         mapping = unit.new_mapping_ref()
  148         mapping = PROVIDERS.federation_api.create_mapping(
  149             mapping['id'], mapping
  150         )
  151 
  152         with self.test_client() as c:
  153             c.get(
  154                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
  155                 headers=self.headers,
  156                 expected_status_code=http.client.FORBIDDEN
  157             )
  158 
  159     def test_user_cannot_update_mappings(self):
  160         mapping = unit.new_mapping_ref()
  161         mapping = PROVIDERS.federation_api.create_mapping(
  162             mapping['id'], mapping
  163         )
  164 
  165         update = {
  166             'mapping': {
  167                 'rules': [{
  168                     'local': [{'user': {'name': '{0}'}}],
  169                     'remote': [{'type': 'UserName'}],
  170                 }]
  171             }
  172         }
  173 
  174         with self.test_client() as c:
  175             c.patch(
  176                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
  177                 json=update, headers=self.headers,
  178                 expected_status_code=http.client.FORBIDDEN
  179             )
  180 
  181     def test_user_cannot_delete_mappings(self):
  182         mapping = unit.new_mapping_ref()
  183         mapping = PROVIDERS.federation_api.create_mapping(
  184             mapping['id'], mapping
  185         )
  186 
  187         with self.test_client() as c:
  188             c.delete(
  189                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
  190                 headers=self.headers,
  191                 expected_status_code=http.client.FORBIDDEN
  192             )
  193 
  194 
  195 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  196                         common_auth.AuthTestMixin,
  197                         _SystemUserMappingTests,
  198                         _SystemReaderAndMemberUserMappingTests):
  199 
  200     def setUp(self):
  201         super(SystemReaderTests, self).setUp()
  202         self.loadapp()
  203         self.useFixture(ksfixtures.Policy(self.config_fixture))
  204         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  205 
  206         system_reader = unit.new_user_ref(
  207             domain_id=CONF.identity.default_domain_id
  208         )
  209         self.user_id = PROVIDERS.identity_api.create_user(
  210             system_reader
  211         )['id']
  212         PROVIDERS.assignment_api.create_system_grant_for_user(
  213             self.user_id, self.bootstrapper.reader_role_id
  214         )
  215 
  216         auth = self.build_authentication_request(
  217             user_id=self.user_id, password=system_reader['password'],
  218             system=True
  219         )
  220 
  221         # Grab a token using the persona we're testing and prepare headers
  222         # for requests we'll be making in the tests.
  223         with self.test_client() as c:
  224             r = c.post('/v3/auth/tokens', json=auth)
  225             self.token_id = r.headers['X-Subject-Token']
  226             self.headers = {'X-Auth-Token': self.token_id}
  227 
  228     def test_user_cannot_create_mappings(self):
  229         create = {
  230             'mapping': {
  231                 'id': uuid.uuid4().hex,
  232                 'rules': [{
  233                     'local': [{'user': {'name': '{0}'}}],
  234                     'remote': [{'type': 'UserName'}],
  235                 }]
  236             }
  237         }
  238         mapping_id = create['mapping']['id']
  239 
  240         with self.test_client() as c:
  241             c.put(
  242                 '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
  243                 headers=self.headers,
  244                 expected_status_code=http.client.FORBIDDEN
  245             )
  246 
  247     def test_user_cannot_update_mappings(self):
  248         mapping = unit.new_mapping_ref()
  249         mapping = PROVIDERS.federation_api.create_mapping(
  250             mapping['id'], mapping
  251         )
  252 
  253         update = {
  254             'mapping': {
  255                 'rules': [{
  256                     'local': [{'user': {'name': '{0}'}}],
  257                     'remote': [{'type': 'UserName'}],
  258                 }]
  259             }
  260         }
  261 
  262         with self.test_client() as c:
  263             c.patch(
  264                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
  265                 json=update, headers=self.headers,
  266                 expected_status_code=http.client.FORBIDDEN
  267             )
  268 
  269     def test_user_cannot_delete_mappings(self):
  270         mapping = unit.new_mapping_ref()
  271         mapping = PROVIDERS.federation_api.create_mapping(
  272             mapping['id'], mapping
  273         )
  274 
  275         with self.test_client() as c:
  276             c.delete(
  277                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
  278                 headers=self.headers,
  279                 expected_status_code=http.client.FORBIDDEN
  280             )
  281 
  282 
  283 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
  284                         common_auth.AuthTestMixin,
  285                         _SystemUserMappingTests,
  286                         _SystemReaderAndMemberUserMappingTests):
  287 
  288     def setUp(self):
  289         super(SystemMemberTests, self).setUp()
  290         self.loadapp()
  291         self.useFixture(ksfixtures.Policy(self.config_fixture))
  292         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  293 
  294         system_member = unit.new_user_ref(
  295             domain_id=CONF.identity.default_domain_id
  296         )
  297         self.user_id = PROVIDERS.identity_api.create_user(
  298             system_member
  299         )['id']
  300         PROVIDERS.assignment_api.create_system_grant_for_user(
  301             self.user_id, self.bootstrapper.member_role_id
  302         )
  303 
  304         auth = self.build_authentication_request(
  305             user_id=self.user_id, password=system_member['password'],
  306             system=True
  307         )
  308 
  309         # Grab a token using the persona we're testing and prepare headers
  310         # for requests we'll be making in the tests.
  311         with self.test_client() as c:
  312             r = c.post('/v3/auth/tokens', json=auth)
  313             self.token_id = r.headers['X-Subject-Token']
  314             self.headers = {'X-Auth-Token': self.token_id}
  315 
  316 
  317 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
  318                        common_auth.AuthTestMixin,
  319                        _SystemUserMappingTests):
  320 
  321     def setUp(self):
  322         super(SystemAdminTests, self).setUp()
  323         self.loadapp()
  324         self.useFixture(ksfixtures.Policy(self.config_fixture))
  325         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  326 
  327         # Reuse the system administrator account created during
  328         # ``keystone-manage bootstrap``
  329         self.user_id = self.bootstrapper.admin_user_id
  330         auth = self.build_authentication_request(
  331             user_id=self.user_id,
  332             password=self.bootstrapper.admin_password,
  333             system=True
  334         )
  335 
  336         # Grab a token using the persona we're testing and prepare headers
  337         # for requests we'll be making in the tests.
  338         with self.test_client() as c:
  339             r = c.post('/v3/auth/tokens', json=auth)
  340             self.token_id = r.headers['X-Subject-Token']
  341             self.headers = {'X-Auth-Token': self.token_id}
  342 
  343     def test_user_can_create_mappings(self):
  344         create = {
  345             'mapping': {
  346                 'id': uuid.uuid4().hex,
  347                 'rules': [{
  348                     'local': [{'user': {'name': '{0}'}}],
  349                     'remote': [{'type': 'UserName'}],
  350                 }]
  351             }
  352         }
  353         mapping_id = create['mapping']['id']
  354 
  355         with self.test_client() as c:
  356             c.put(
  357                 '/v3/OS-FEDERATION/mappings/%s' % mapping_id, json=create,
  358                 headers=self.headers, expected_status_code=http.client.CREATED
  359             )
  360 
  361     def test_user_can_update_mappings(self):
  362         mapping = unit.new_mapping_ref()
  363         mapping = PROVIDERS.federation_api.create_mapping(
  364             mapping['id'], mapping
  365         )
  366 
  367         update = {
  368             'mapping': {
  369                 'rules': [{
  370                     'local': [{'user': {'name': '{0}'}}],
  371                     'remote': [{'type': 'UserName'}],
  372                 }]
  373             }
  374         }
  375 
  376         with self.test_client() as c:
  377             c.patch(
  378                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
  379                 json=update, headers=self.headers
  380             )
  381 
  382     def test_user_can_delete_mappings(self):
  383         mapping = unit.new_mapping_ref()
  384         mapping = PROVIDERS.federation_api.create_mapping(
  385             mapping['id'], mapping
  386         )
  387 
  388         with self.test_client() as c:
  389             c.delete(
  390                 '/v3/OS-FEDERATION/mappings/%s' % mapping['id'],
  391                 headers=self.headers
  392             )
  393 
  394 
  395 class DomainUserTests(base_classes.TestCaseWithBootstrap,
  396                       common_auth.AuthTestMixin,
  397                       _DomainAndProjectUserMappingTests):
  398 
  399     def setUp(self):
  400         super(DomainUserTests, self).setUp()
  401         self.loadapp()
  402         self.useFixture(ksfixtures.Policy(self.config_fixture))
  403         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  404 
  405         domain = PROVIDERS.resource_api.create_domain(
  406             uuid.uuid4().hex, unit.new_domain_ref()
  407         )
  408         self.domain_id = domain['id']
  409         domain_admin = unit.new_user_ref(domain_id=self.domain_id)
  410         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  411         PROVIDERS.assignment_api.create_grant(
  412             self.bootstrapper.admin_role_id, user_id=self.user_id,
  413             domain_id=self.domain_id
  414         )
  415 
  416         auth = self.build_authentication_request(
  417             user_id=self.user_id,
  418             password=domain_admin['password'],
  419             domain_id=self.domain_id
  420         )
  421 
  422         # Grab a token using the persona we're testing and prepare headers
  423         # for requests we'll be making in the tests.
  424         with self.test_client() as c:
  425             r = c.post('/v3/auth/tokens', json=auth)
  426             self.token_id = r.headers['X-Subject-Token']
  427             self.headers = {'X-Auth-Token': self.token_id}
  428 
  429 
  430 class ProjectUserTests(base_classes.TestCaseWithBootstrap,
  431                        common_auth.AuthTestMixin,
  432                        _DomainAndProjectUserMappingTests):
  433 
  434     def setUp(self):
  435         super(ProjectUserTests, self).setUp()
  436         self.loadapp()
  437         self.useFixture(ksfixtures.Policy(self.config_fixture))
  438         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  439 
  440         self.user_id = self.bootstrapper.admin_user_id
  441         auth = self.build_authentication_request(
  442             user_id=self.user_id,
  443             password=self.bootstrapper.admin_password,
  444             project_id=self.bootstrapper.project_id
  445         )
  446 
  447         # Grab a token using the persona we're testing and prepare headers
  448         # for requests we'll be making in the tests.
  449         with self.test_client() as c:
  450             r = c.post('/v3/auth/tokens', json=auth)
  451             self.token_id = r.headers['X-Subject-Token']
  452             self.headers = {'X-Auth-Token': self.token_id}
  453 
  454 
  455 class ProjectUserTestsWithoutEnforceScope(
  456         base_classes.TestCaseWithBootstrap,
  457         common_auth.AuthTestMixin,
  458         _DomainAndProjectUserMappingTests):
  459 
  460     def setUp(self):
  461         super(ProjectUserTestsWithoutEnforceScope, self).setUp()
  462         self.loadapp()
  463         self.useFixture(ksfixtures.Policy(self.config_fixture))
  464 
  465         # Explicitly set enforce_scope to False to make sure we maintain
  466         # backwards compatibility with project users.
  467         self.config_fixture.config(group='oslo_policy', enforce_scope=False)
  468 
  469         domain = PROVIDERS.resource_api.create_domain(
  470             uuid.uuid4().hex, unit.new_domain_ref()
  471         )
  472         user = unit.new_user_ref(domain_id=domain['id'])
  473         self.user_id = PROVIDERS.identity_api.create_user(user)['id']
  474 
  475         self.project_id = PROVIDERS.resource_api.create_project(
  476             uuid.uuid4().hex, unit.new_project_ref(domain_id=domain['id'])
  477         )['id']
  478 
  479         PROVIDERS.assignment_api.create_grant(
  480             self.bootstrapper.member_role_id, user_id=self.user_id,
  481             project_id=self.project_id
  482         )
  483 
  484         auth = self.build_authentication_request(
  485             user_id=self.user_id,
  486             password=user['password'],
  487             project_id=self.project_id
  488         )
  489 
  490         # Grab a token using the persona we're testing and prepare headers
  491         # for requests we'll be making in the tests.
  492         with self.test_client() as c:
  493             r = c.post('/v3/auth/tokens', json=auth)
  494             self.token_id = r.headers['X-Subject-Token']
  495             self.headers = {'X-Auth-Token': self.token_id}