"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_roles.py" (13 May 2020, 13262 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_roles.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 
   17 from keystone.common import provider_api
   18 import keystone.conf
   19 from keystone.tests.common import auth as common_auth
   20 from keystone.tests import unit
   21 from keystone.tests.unit import base_classes
   22 from keystone.tests.unit import ksfixtures
   23 
   24 CONF = keystone.conf.CONF
   25 PROVIDERS = provider_api.ProviderAPIs
   26 
   27 
   28 class _SystemUserRoleTests(object):
   29     """Common default functionality for all system users."""
   30 
   31     def test_user_can_list_roles(self):
   32         PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref())
   33 
   34         with self.test_client() as c:
   35             r = c.get('/v3/roles', headers=self.headers)
   36             # With bootstrap setup and the role we just created, there should
   37             # be four roles present in the deployment. Bootstrap creates
   38             # ``admin``, ``member``, and ``reader``.
   39             self.assertEqual(4, len(r.json['roles']))
   40 
   41     def test_user_can_get_a_role(self):
   42         role = PROVIDERS.role_api.create_role(
   43             uuid.uuid4().hex, unit.new_role_ref()
   44         )
   45 
   46         with self.test_client() as c:
   47             r = c.get('/v3/roles/%s' % role['id'], headers=self.headers)
   48             self.assertEqual(role['id'], r.json['role']['id'])
   49 
   50 
   51 class _SystemReaderAndMemberRoleTests(object):
   52     """Common default functionality for system readers and system members."""
   53 
   54     def test_user_cannot_create_roles(self):
   55         create = {'role': unit.new_role_ref()}
   56 
   57         with self.test_client() as c:
   58             c.post(
   59                 '/v3/roles', json=create, headers=self.headers,
   60                 expected_status_code=http.client.FORBIDDEN
   61             )
   62 
   63     def test_user_cannot_update_roles(self):
   64         role = PROVIDERS.role_api.create_role(
   65             uuid.uuid4().hex, unit.new_role_ref()
   66         )
   67 
   68         update = {'role': {'description': uuid.uuid4().hex}}
   69 
   70         with self.test_client() as c:
   71             c.patch(
   72                 '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
   73                 expected_status_code=http.client.FORBIDDEN
   74             )
   75 
   76     def test_user_cannot_delete_roles(self):
   77         role = PROVIDERS.role_api.create_role(
   78             uuid.uuid4().hex, unit.new_role_ref()
   79         )
   80 
   81         with self.test_client() as c:
   82             c.delete(
   83                 '/v3/roles/%s' % role['id'], headers=self.headers,
   84                 expected_status_code=http.client.FORBIDDEN
   85             )
   86 
   87 
   88 class _DomainAndProjectUserRoleTests(object):
   89     """Common functionality for all domain and project users."""
   90 
   91     def test_user_cannot_list_roles(self):
   92         PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref())
   93 
   94         with self.test_client() as c:
   95             c.get(
   96                 '/v3/roles', headers=self.headers,
   97                 expected_status_code=http.client.FORBIDDEN
   98             )
   99 
  100     def test_user_cannot_get_a_role(self):
  101         role = PROVIDERS.role_api.create_role(
  102             uuid.uuid4().hex, unit.new_role_ref()
  103         )
  104 
  105         with self.test_client() as c:
  106             c.get(
  107                 '/v3/roles/%s' % role['id'], headers=self.headers,
  108                 expected_status_code=http.client.FORBIDDEN
  109             )
  110 
  111     def test_user_cannot_create_roles(self):
  112         create = {'role': unit.new_role_ref()}
  113 
  114         with self.test_client() as c:
  115             c.post(
  116                 '/v3/roles', json=create, headers=self.headers,
  117                 expected_status_code=http.client.FORBIDDEN
  118             )
  119 
  120     def test_user_cannot_update_roles(self):
  121         role = PROVIDERS.role_api.create_role(
  122             uuid.uuid4().hex, unit.new_role_ref()
  123         )
  124 
  125         update = {'role': {'description': uuid.uuid4().hex}}
  126 
  127         with self.test_client() as c:
  128             c.patch(
  129                 '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
  130                 expected_status_code=http.client.FORBIDDEN
  131             )
  132 
  133     def test_user_cannot_delete_roles(self):
  134         role = PROVIDERS.role_api.create_role(
  135             uuid.uuid4().hex, unit.new_role_ref()
  136         )
  137 
  138         with self.test_client() as c:
  139             c.delete(
  140                 '/v3/roles/%s' % role['id'], headers=self.headers,
  141                 expected_status_code=http.client.FORBIDDEN
  142             )
  143 
  144 
  145 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  146                         common_auth.AuthTestMixin,
  147                         _SystemUserRoleTests,
  148                         _SystemReaderAndMemberRoleTests):
  149 
  150     def setUp(self):
  151         super(SystemReaderTests, self).setUp()
  152         self.loadapp()
  153         self.useFixture(ksfixtures.Policy(self.config_fixture))
  154         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  155 
  156         system_reader = unit.new_user_ref(
  157             domain_id=CONF.identity.default_domain_id
  158         )
  159         self.user_id = PROVIDERS.identity_api.create_user(
  160             system_reader
  161         )['id']
  162         PROVIDERS.assignment_api.create_system_grant_for_user(
  163             self.user_id, self.bootstrapper.reader_role_id
  164         )
  165 
  166         auth = self.build_authentication_request(
  167             user_id=self.user_id, password=system_reader['password'],
  168             system=True
  169         )
  170 
  171         # Grab a token using the persona we're testing and prepare headers
  172         # for requests we'll be making in the tests.
  173         with self.test_client() as c:
  174             r = c.post('/v3/auth/tokens', json=auth)
  175             self.token_id = r.headers['X-Subject-Token']
  176             self.headers = {'X-Auth-Token': self.token_id}
  177 
  178 
  179 class SystemMemberTests(base_classes.TestCaseWithBootstrap,
  180                         common_auth.AuthTestMixin,
  181                         _SystemUserRoleTests,
  182                         _SystemReaderAndMemberRoleTests):
  183 
  184     def setUp(self):
  185         super(SystemMemberTests, self).setUp()
  186         self.loadapp()
  187         self.useFixture(ksfixtures.Policy(self.config_fixture))
  188         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  189 
  190         system_member = unit.new_user_ref(
  191             domain_id=CONF.identity.default_domain_id
  192         )
  193         self.user_id = PROVIDERS.identity_api.create_user(
  194             system_member
  195         )['id']
  196         PROVIDERS.assignment_api.create_system_grant_for_user(
  197             self.user_id, self.bootstrapper.member_role_id
  198         )
  199 
  200         auth = self.build_authentication_request(
  201             user_id=self.user_id, password=system_member['password'],
  202             system=True
  203         )
  204 
  205         # Grab a token using the persona we're testing and prepare headers
  206         # for requests we'll be making in the tests.
  207         with self.test_client() as c:
  208             r = c.post('/v3/auth/tokens', json=auth)
  209             self.token_id = r.headers['X-Subject-Token']
  210             self.headers = {'X-Auth-Token': self.token_id}
  211 
  212 
  213 class SystemAdminTests(base_classes.TestCaseWithBootstrap,
  214                        common_auth.AuthTestMixin,
  215                        _SystemUserRoleTests):
  216 
  217     def setUp(self):
  218         super(SystemAdminTests, self).setUp()
  219         self.loadapp()
  220         self.useFixture(ksfixtures.Policy(self.config_fixture))
  221         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  222 
  223         # Reuse the system administrator account created during
  224         # ``keystone-manage bootstrap``
  225         self.user_id = self.bootstrapper.admin_user_id
  226         auth = self.build_authentication_request(
  227             user_id=self.user_id,
  228             password=self.bootstrapper.admin_password,
  229             system=True
  230         )
  231 
  232         # Grab a token using the persona we're testing and prepare headers
  233         # for requests we'll be making in the tests.
  234         with self.test_client() as c:
  235             r = c.post('/v3/auth/tokens', json=auth)
  236             self.token_id = r.headers['X-Subject-Token']
  237             self.headers = {'X-Auth-Token': self.token_id}
  238 
  239     def test_user_can_create_roles(self):
  240         create = {'role': unit.new_role_ref()}
  241 
  242         with self.test_client() as c:
  243             c.post('/v3/roles', json=create, headers=self.headers)
  244 
  245     def test_user_can_update_roles(self):
  246         role = PROVIDERS.role_api.create_role(
  247             uuid.uuid4().hex, unit.new_role_ref()
  248         )
  249 
  250         update = {'role': {'description': uuid.uuid4().hex}}
  251 
  252         with self.test_client() as c:
  253             c.patch(
  254                 '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
  255             )
  256 
  257     def test_user_can_delete_roles(self):
  258         role = PROVIDERS.role_api.create_role(
  259             uuid.uuid4().hex, unit.new_role_ref()
  260         )
  261 
  262         with self.test_client() as c:
  263             c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
  264 
  265 
  266 class DomainUserTests(base_classes.TestCaseWithBootstrap,
  267                       common_auth.AuthTestMixin,
  268                       _DomainAndProjectUserRoleTests):
  269 
  270     def setUp(self):
  271         super(DomainUserTests, self).setUp()
  272         self.loadapp()
  273         self.useFixture(ksfixtures.Policy(self.config_fixture))
  274         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  275 
  276         domain = PROVIDERS.resource_api.create_domain(
  277             uuid.uuid4().hex, unit.new_domain_ref()
  278         )
  279         self.domain_id = domain['id']
  280         domain_admin = unit.new_user_ref(domain_id=self.domain_id)
  281         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  282         PROVIDERS.assignment_api.create_grant(
  283             self.bootstrapper.admin_role_id, user_id=self.user_id,
  284             domain_id=self.domain_id
  285         )
  286 
  287         auth = self.build_authentication_request(
  288             user_id=self.user_id,
  289             password=domain_admin['password'],
  290             domain_id=self.domain_id
  291         )
  292 
  293         # Grab a token using the persona we're testing and prepare headers
  294         # for requests we'll be making in the tests.
  295         with self.test_client() as c:
  296             r = c.post('/v3/auth/tokens', json=auth)
  297             self.token_id = r.headers['X-Subject-Token']
  298             self.headers = {'X-Auth-Token': self.token_id}
  299 
  300 
  301 class ProjectUserTests(base_classes.TestCaseWithBootstrap,
  302                        common_auth.AuthTestMixin,
  303                        _DomainAndProjectUserRoleTests):
  304 
  305     def setUp(self):
  306         super(ProjectUserTests, self).setUp()
  307         self.loadapp()
  308         self.useFixture(ksfixtures.Policy(self.config_fixture))
  309         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  310 
  311         self.user_id = self.bootstrapper.admin_user_id
  312         auth = self.build_authentication_request(
  313             user_id=self.user_id,
  314             password=self.bootstrapper.admin_password,
  315             project_id=self.bootstrapper.project_id
  316         )
  317 
  318         # Grab a token using the persona we're testing and prepare headers
  319         # for requests we'll be making in the tests.
  320         with self.test_client() as c:
  321             r = c.post('/v3/auth/tokens', json=auth)
  322             self.token_id = r.headers['X-Subject-Token']
  323             self.headers = {'X-Auth-Token': self.token_id}
  324 
  325 
  326 class ProjectUserTestsWithoutEnforceScope(
  327         base_classes.TestCaseWithBootstrap,
  328         common_auth.AuthTestMixin,
  329         _DomainAndProjectUserRoleTests):
  330 
  331     def setUp(self):
  332         super(ProjectUserTestsWithoutEnforceScope, self).setUp()
  333         self.loadapp()
  334         self.useFixture(ksfixtures.Policy(self.config_fixture))
  335 
  336         # Explicityly set enforce_scope to False to make sure we maintain
  337         # backwards compatibility with project users.
  338         self.config_fixture.config(group='oslo_policy', enforce_scope=False)
  339 
  340         domain = PROVIDERS.resource_api.create_domain(
  341             uuid.uuid4().hex, unit.new_domain_ref()
  342         )
  343         user = unit.new_user_ref(domain_id=domain['id'])
  344         self.user_id = PROVIDERS.identity_api.create_user(user)['id']
  345 
  346         self.project_id = PROVIDERS.resource_api.create_project(
  347             uuid.uuid4().hex, unit.new_project_ref(domain_id=domain['id'])
  348         )['id']
  349 
  350         PROVIDERS.assignment_api.create_grant(
  351             self.bootstrapper.member_role_id, user_id=self.user_id,
  352             project_id=self.project_id
  353         )
  354 
  355         auth = self.build_authentication_request(
  356             user_id=self.user_id,
  357             password=user['password'],
  358             project_id=self.project_id
  359         )
  360 
  361         # Grab a token using the persona we're testing and prepare headers
  362         # for requests we'll be making in the tests.
  363         with self.test_client() as c:
  364             r = c.post('/v3/auth/tokens', json=auth)
  365             self.token_id = r.headers['X-Subject-Token']
  366             self.headers = {'X-Auth-Token': self.token_id}