"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/protection/v3/test_trusts.py" (13 May 2020, 38441 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_trusts.py": 16.0.1_vs_17.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import uuid
   14 
   15 import http.client
   16 from oslo_serialization import jsonutils
   17 
   18 from keystone.common import provider_api
   19 import keystone.conf
   20 from keystone.tests.common import auth as common_auth
   21 from keystone.tests import unit
   22 from keystone.tests.unit import base_classes
   23 from keystone.tests.unit import ksfixtures
   24 from keystone.tests.unit.ksfixtures import temporaryfile
   25 
   26 CONF = keystone.conf.CONF
   27 PROVIDERS = provider_api.ProviderAPIs
   28 
   29 
   30 class TrustTests(base_classes.TestCaseWithBootstrap,
   31                  common_auth.AuthTestMixin):
   32     """Common functionality for all trust tests.
   33 
   34     Sets up trustor and trustee users and trust.
   35     """
   36 
   37     def setUp(self):
   38         super(TrustTests, self).setUp()
   39         self.loadapp()
   40         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
   41         self.policy_file_name = self.policy_file.file_name
   42         self.useFixture(
   43             ksfixtures.Policy(
   44                 self.config_fixture, policy_file=self.policy_file_name
   45             )
   46         )
   47 
   48         domain = PROVIDERS.resource_api.create_domain(
   49             uuid.uuid4().hex, unit.new_domain_ref()
   50         )
   51         self.domain_id = domain['id']
   52 
   53         trustor_user = unit.new_user_ref(domain_id=self.domain_id)
   54         self.trustor_user_id = PROVIDERS.identity_api.create_user(
   55             trustor_user)['id']
   56         trustee_user = unit.new_user_ref(domain_id=self.domain_id)
   57         self.trustee_user_id = PROVIDERS.identity_api.create_user(
   58             trustee_user)['id']
   59         project = PROVIDERS.resource_api.create_project(
   60             uuid.uuid4().hex, unit.new_project_ref(domain_id=self.domain_id)
   61         )
   62         self.project_id = project['id']
   63         PROVIDERS.assignment_api.create_grant(
   64             self.bootstrapper.member_role_id, user_id=self.trustor_user_id,
   65             project_id=self.project_id
   66         )
   67         PROVIDERS.assignment_api.create_grant(
   68             self.bootstrapper.member_role_id, user_id=self.trustee_user_id,
   69             project_id=project['id']
   70         )
   71         self.trust_id = uuid.uuid4().hex
   72         self.trust_data = {
   73             'trust': {'trustor_user_id': self.trustor_user_id,
   74                       'trustee_user_id': self.trustee_user_id,
   75                       'project_id': self.project_id,
   76                       'impersonation': False},
   77             'roles': [{"id": self.bootstrapper.member_role_id}]
   78         }
   79         auth = self.build_authentication_request(
   80             user_id=self.trustor_user_id,
   81             password=trustor_user['password'],
   82             project_id=project['id']
   83         )
   84         # Grab a token using the trustor persona we're testing and prepare
   85         # headers for requests we'll be making in the tests.
   86         with self.test_client() as c:
   87             r = c.post('/v3/auth/tokens', json=auth)
   88             self.token_id = r.headers['X-Subject-Token']
   89             self.trustor_headers = {'X-Auth-Token': self.token_id}
   90 
   91         auth = self.build_authentication_request(
   92             user_id=self.trustee_user_id,
   93             password=trustee_user['password'],
   94             project_id=project['id']
   95         )
   96         # Grab a token using the trustee persona we're testing and prepare
   97         # headers for requests we'll be making in the tests.
   98         with self.test_client() as c:
   99             r = c.post('/v3/auth/tokens', json=auth)
  100             self.token_id = r.headers['X-Subject-Token']
  101             self.trustee_headers = {'X-Auth-Token': self.token_id}
  102 
  103     def _override_policy_old_defaults(self):
  104         # TODO(cmurphy): This is to simulate what would happen if the operator
  105         # had generated a sample policy config, or had never removed their old
  106         # policy files since we adopted policy in code, and had explicitly
  107         # retained the old "" policy check strings. Remove this once the
  108         # hardcoded enforcement is removed from the trusts API.
  109         with open(self.policy_file_name, 'w') as f:
  110             overridden_policies = {
  111                 'identity:list_trusts': '',
  112                 'identity:delete_trust': '',
  113                 'identity:get_trust': '',
  114                 'identity:list_roles_for_trust': '',
  115                 'identity:get_role_for_trust': '',
  116             }
  117             f.write(jsonutils.dumps(overridden_policies))
  118 
  119 
  120 class _AdminTestsMixin(object):
  121     """Tests for all admin users.
  122 
  123     This exercises both the is_admin user and users granted the admin role on
  124     the system scope.
  125     """
  126 
  127     def test_admin_cannot_create_trust_for_other_user(self):
  128         json = {'trust': self.trust_data['trust']}
  129         json['trust']['roles'] = self.trust_data['roles']
  130 
  131         with self.test_client() as c:
  132             c.post(
  133                 '/v3/OS-TRUST/trusts',
  134                 json=json,
  135                 headers=self.headers,
  136                 expected_status_code=http.client.FORBIDDEN
  137             )
  138 
  139     def test_admin_list_all_trusts(self):
  140         PROVIDERS.trust_api.create_trust(
  141             self.trust_id, **self.trust_data)
  142 
  143         with self.test_client() as c:
  144             r = c.get(
  145                 '/v3/OS-TRUST/trusts',
  146                 headers=self.headers
  147             )
  148         self.assertEqual(1, len(r.json['trusts']))
  149 
  150 
  151 class AdminTokenTests(TrustTests, _AdminTestsMixin):
  152     """Tests for the is_admin user.
  153 
  154     The Trusts API has hardcoded is_admin checks that we need to ensure are
  155     preserved through the system-scope transition.
  156     """
  157 
  158     def setUp(self):
  159         super(AdminTokenTests, self).setUp()
  160         self.config_fixture.config(admin_token='ADMIN')
  161         self.headers = {'X-Auth-Token': 'ADMIN'}
  162 
  163     def test_admin_can_delete_trust_for_other_user(self):
  164         ref = PROVIDERS.trust_api.create_trust(
  165             self.trust_id, **self.trust_data)
  166 
  167         with self.test_client() as c:
  168             c.delete(
  169                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  170                 headers=self.headers,
  171                 expected_status_code=http.client.NO_CONTENT
  172             )
  173 
  174     def test_admin_can_get_non_existent_trust_not_found(self):
  175         trust_id = uuid.uuid4().hex
  176         with self.test_client() as c:
  177             c.get(
  178                 '/v3/OS-TRUST/trusts/%s' % trust_id,
  179                 headers=self.headers,
  180                 expected_status_code=http.client.NOT_FOUND
  181             )
  182 
  183     def test_admin_cannot_get_trust_for_other_user(self):
  184         PROVIDERS.trust_api.create_trust(
  185             self.trust_id, **self.trust_data)
  186 
  187         with self.test_client() as c:
  188             c.get(
  189                 '/v3/OS-TRUST/trusts/%s' % self.trust_id,
  190                 headers=self.headers,
  191                 expected_status_code=http.client.FORBIDDEN
  192             )
  193 
  194     def test_admin_cannot_list_trust_roles_for_other_user(self):
  195         PROVIDERS.trust_api.create_trust(
  196             self.trust_id, **self.trust_data)
  197 
  198         with self.test_client() as c:
  199             c.get(
  200                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  201                 headers=self.headers,
  202                 expected_status_code=http.client.FORBIDDEN
  203             )
  204 
  205     def test_admin_cannot_get_trust_role_for_other_user(self):
  206         PROVIDERS.trust_api.create_trust(
  207             self.trust_id, **self.trust_data)
  208 
  209         with self.test_client() as c:
  210             c.get(
  211                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  212                  (self.trust_id, self.bootstrapper.member_role_id)),
  213                 headers=self.headers,
  214                 expected_status_code=http.client.FORBIDDEN
  215             )
  216 
  217 
  218 class _SystemUserTests(object):
  219     """Tests for system admin, member, and reader."""
  220 
  221     def test_user_can_get_non_existent_trust(self):
  222         trust_id = uuid.uuid4().hex
  223         with self.test_client() as c:
  224             c.get(
  225                 '/v3/OS-TRUST/trusts/%s' % trust_id,
  226                 headers=self.headers,
  227                 expected_status_code=http.client.NOT_FOUND
  228             )
  229 
  230     def test_user_can_get_trust_for_other_user(self):
  231         PROVIDERS.trust_api.create_trust(
  232             self.trust_id, **self.trust_data)
  233 
  234         with self.test_client() as c:
  235             r = c.get(
  236                 '/v3/OS-TRUST/trusts/%s' % self.trust_id,
  237                 headers=self.headers
  238             )
  239         self.assertEqual(r.json['trust']['id'], self.trust_id)
  240 
  241     def test_user_can_list_trusts_for_trustee(self):
  242         PROVIDERS.trust_api.create_trust(
  243             self.trust_id, **self.trust_data)
  244 
  245         with self.test_client() as c:
  246             c.get(
  247                 ('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
  248                  self.trustee_user_id),
  249                 headers=self.headers
  250             )
  251 
  252     def test_user_can_list_trusts_for_trustor(self):
  253         PROVIDERS.trust_api.create_trust(
  254             self.trust_id, **self.trust_data)
  255 
  256         with self.test_client() as c:
  257             c.get(
  258                 ('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
  259                  self.trustor_user_id),
  260                 headers=self.headers
  261             )
  262 
  263     def test_user_can_list_trust_roles_for_other_user(self):
  264         PROVIDERS.trust_api.create_trust(
  265             self.trust_id, **self.trust_data)
  266 
  267         with self.test_client() as c:
  268             r = c.get(
  269                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  270                 headers=self.headers
  271             )
  272         self.assertEqual(r.json['roles'][0]['id'],
  273                          self.bootstrapper.member_role_id)
  274 
  275     def test_user_can_get_trust_role_for_other_user(self):
  276         PROVIDERS.trust_api.create_trust(
  277             self.trust_id, **self.trust_data)
  278 
  279         with self.test_client() as c:
  280             c.get(
  281                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  282                  (self.trust_id, self.bootstrapper.member_role_id)),
  283                 headers=self.headers
  284             )
  285 
  286 
  287 class _SystemReaderMemberTests(_SystemUserTests):
  288     """Tests for system readers and members."""
  289 
  290     def test_user_cannot_create_trust(self):
  291         json = {'trust': self.trust_data['trust']}
  292         json['trust']['roles'] = self.trust_data['roles']
  293 
  294         with self.test_client() as c:
  295             c.post(
  296                 '/v3/OS-TRUST/trusts',
  297                 json=json,
  298                 headers=self.headers,
  299                 expected_status_code=http.client.FORBIDDEN
  300             )
  301 
  302     def test_user_cannot_delete_trust(self):
  303         ref = PROVIDERS.trust_api.create_trust(
  304             self.trust_id, **self.trust_data)
  305 
  306         with self.test_client() as c:
  307             c.delete(
  308                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  309                 headers=self.headers,
  310                 expected_status_code=http.client.FORBIDDEN
  311             )
  312 
  313 
  314 class SystemReaderTests(TrustTests, _SystemReaderMemberTests):
  315     """Tests for system reader users."""
  316 
  317     def setUp(self):
  318         super(SystemReaderTests, self).setUp()
  319         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  320 
  321         system_reader = unit.new_user_ref(
  322             domain_id=CONF.identity.default_domain_id
  323         )
  324         self.user_id = PROVIDERS.identity_api.create_user(
  325             system_reader
  326         )['id']
  327         PROVIDERS.assignment_api.create_system_grant_for_user(
  328             self.user_id, self.bootstrapper.reader_role_id
  329         )
  330 
  331         auth = self.build_authentication_request(
  332             user_id=self.user_id,
  333             password=system_reader['password'],
  334             system=True
  335         )
  336 
  337         # Grab a token using the persona we're testing and prepare headers
  338         # for requests we'll be making in the tests.
  339         with self.test_client() as c:
  340             r = c.post('/v3/auth/tokens', json=auth)
  341             self.token_id = r.headers['X-Subject-Token']
  342             self.headers = {'X-Auth-Token': self.token_id}
  343 
  344 
  345 class SystemMemberTests(TrustTests, _SystemReaderMemberTests):
  346     """Tests for system member users."""
  347 
  348     def setUp(self):
  349         super(SystemMemberTests, self).setUp()
  350         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  351 
  352         system_member = unit.new_user_ref(
  353             domain_id=CONF.identity.default_domain_id
  354         )
  355         self.user_id = PROVIDERS.identity_api.create_user(
  356             system_member
  357         )['id']
  358         PROVIDERS.assignment_api.create_system_grant_for_user(
  359             self.user_id, self.bootstrapper.member_role_id
  360         )
  361 
  362         auth = self.build_authentication_request(
  363             user_id=self.user_id,
  364             password=system_member['password'],
  365             system=True
  366         )
  367 
  368         # Grab a token using the persona we're testing and prepare headers
  369         # for requests we'll be making in the tests.
  370         with self.test_client() as c:
  371             r = c.post('/v3/auth/tokens', json=auth)
  372             self.token_id = r.headers['X-Subject-Token']
  373             self.headers = {'X-Auth-Token': self.token_id}
  374 
  375 
  376 class SystemAdminTests(TrustTests, _AdminTestsMixin, _SystemUserTests):
  377     """Tests for system admin users."""
  378 
  379     def setUp(self):
  380         super(SystemAdminTests, self).setUp()
  381         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  382 
  383         self.user_id = self.bootstrapper.admin_user_id
  384         auth = self.build_authentication_request(
  385             user_id=self.user_id,
  386             password=self.bootstrapper.admin_password,
  387             system=True
  388         )
  389 
  390         # Grab a token using the persona we're testing and prepare headers
  391         # for requests we'll be making in the tests.
  392         with self.test_client() as c:
  393             r = c.post('/v3/auth/tokens', json=auth)
  394             self.token_id = r.headers['X-Subject-Token']
  395             self.headers = {'X-Auth-Token': self.token_id}
  396 
  397     def test_admin_can_delete_trust_for_other_user(self):
  398         ref = PROVIDERS.trust_api.create_trust(
  399             self.trust_id, **self.trust_data)
  400 
  401         with self.test_client() as c:
  402             c.delete(
  403                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  404                 headers=self.headers
  405             )
  406 
  407     def test_admin_cannot_delete_trust_for_user_overridden_defaults(self):
  408         # only the is_admin admin can do this
  409         self._override_policy_old_defaults()
  410         ref = PROVIDERS.trust_api.create_trust(
  411             self.trust_id, **self.trust_data)
  412 
  413         with self.test_client() as c:
  414             c.delete(
  415                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  416                 headers=self.headers,
  417                 expected_status_code=http.client.FORBIDDEN
  418             )
  419 
  420     def test_admin_cannot_get_trust_for_other_user_overridden_defaults(self):
  421         self._override_policy_old_defaults()
  422         PROVIDERS.trust_api.create_trust(
  423             self.trust_id, **self.trust_data)
  424 
  425         with self.test_client() as c:
  426             c.get(
  427                 '/v3/OS-TRUST/trusts/%s' % self.trust_id,
  428                 headers=self.headers,
  429                 expected_status_code=http.client.FORBIDDEN
  430             )
  431 
  432     def test_admin_cannot_list_roles_for_other_user_overridden_defaults(self):
  433         self._override_policy_old_defaults()
  434         PROVIDERS.trust_api.create_trust(
  435             self.trust_id, **self.trust_data)
  436 
  437         with self.test_client() as c:
  438             c.get(
  439                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  440                 headers=self.headers,
  441                 expected_status_code=http.client.FORBIDDEN
  442             )
  443 
  444     def test_admin_cannot_get_trust_role_for_other_user_overridden(self):
  445         self._override_policy_old_defaults()
  446         PROVIDERS.trust_api.create_trust(
  447             self.trust_id, **self.trust_data)
  448 
  449         with self.test_client() as c:
  450             c.get(
  451                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  452                  (self.trust_id, self.bootstrapper.member_role_id)),
  453                 headers=self.headers,
  454                 expected_status_code=http.client.FORBIDDEN
  455             )
  456 
  457     def test_user_list_all_trusts_overridden_defaults(self):
  458         self._override_policy_old_defaults()
  459         PROVIDERS.trust_api.create_trust(
  460             self.trust_id, **self.trust_data)
  461 
  462         with self.test_client() as c:
  463             r = c.get(
  464                 '/v3/OS-TRUST/trusts',
  465                 headers=self.headers
  466             )
  467         self.assertEqual(1, len(r.json['trusts']))
  468 
  469 
  470 class ProjectUserTests(TrustTests):
  471     """Tests for all project users."""
  472 
  473     def setUp(self):
  474         super(ProjectUserTests, self).setUp()
  475         other_user = unit.new_user_ref(domain_id=self.domain_id)
  476         self.other_user_id = PROVIDERS.identity_api.create_user(
  477             other_user)['id']
  478         PROVIDERS.assignment_api.create_grant(
  479             self.bootstrapper.member_role_id, user_id=self.other_user_id,
  480             project_id=self.project_id
  481         )
  482 
  483         auth = self.build_authentication_request(
  484             user_id=self.other_user_id,
  485             password=other_user['password'],
  486             project_id=self.project_id
  487         )
  488         # Grab a token using another persona who has no trusts associated with
  489         # them
  490         with self.test_client() as c:
  491             r = c.post('/v3/auth/tokens', json=auth)
  492             self.token_id = r.headers['X-Subject-Token']
  493             self.other_headers = {'X-Auth-Token': self.token_id}
  494 
  495     def test_user_can_list_trusts_of_whom_they_are_the_trustor(self):
  496         PROVIDERS.trust_api.create_trust(
  497             self.trust_id, **self.trust_data)
  498 
  499         with self.test_client() as c:
  500             r = c.get(
  501                 ('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
  502                  self.trustor_user_id),
  503                 headers=self.trustor_headers
  504             )
  505         self.assertEqual(1, len(r.json['trusts']))
  506         self.assertEqual(self.trust_id, r.json['trusts'][0]['id'])
  507 
  508     def test_user_can_list_trusts_delegated_to_them(self):
  509         PROVIDERS.trust_api.create_trust(
  510             self.trust_id, **self.trust_data)
  511 
  512         with self.test_client() as c:
  513             r = c.get(
  514                 ('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
  515                  self.trustee_user_id),
  516                 headers=self.trustee_headers
  517             )
  518         self.assertEqual(1, len(r.json['trusts']))
  519         self.assertEqual(self.trust_id, r.json['trusts'][0]['id'])
  520 
  521     def test_trustor_cannot_list_trusts_for_trustee(self):
  522         PROVIDERS.trust_api.create_trust(
  523             self.trust_id, **self.trust_data)
  524 
  525         with self.test_client() as c:
  526             c.get(
  527                 ('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
  528                  self.trustee_user_id),
  529                 headers=self.trustor_headers,
  530                 expected_status_code=http.client.FORBIDDEN
  531             )
  532 
  533     def test_trustee_cannot_list_trusts_for_trustor(self):
  534         PROVIDERS.trust_api.create_trust(
  535             self.trust_id, **self.trust_data)
  536 
  537         with self.test_client() as c:
  538             c.get(
  539                 ('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
  540                  self.trustor_user_id),
  541                 headers=self.trustee_headers,
  542                 expected_status_code=http.client.FORBIDDEN
  543             )
  544 
  545     def test_user_cannot_list_trusts_for_other_trustor(self):
  546         PROVIDERS.trust_api.create_trust(
  547             self.trust_id, **self.trust_data)
  548 
  549         with self.test_client() as c:
  550             c.get(
  551                 ('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
  552                  self.trustor_user_id),
  553                 headers=self.other_headers,
  554                 expected_status_code=http.client.FORBIDDEN
  555             )
  556 
  557     def test_user_cannot_list_trusts_for_other_trustee(self):
  558         PROVIDERS.trust_api.create_trust(
  559             self.trust_id, **self.trust_data)
  560 
  561         with self.test_client() as c:
  562             c.get(
  563                 ('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
  564                  self.trustee_user_id),
  565                 headers=self.other_headers,
  566                 expected_status_code=http.client.FORBIDDEN
  567             )
  568 
  569     def test_user_cannot_list_all_trusts(self):
  570         PROVIDERS.trust_api.create_trust(
  571             self.trust_id, **self.trust_data)
  572 
  573         with self.test_client() as c:
  574             c.get(
  575                 '/v3/OS-TRUST/trusts',
  576                 headers=self.trustee_headers,
  577                 expected_status_code=http.client.FORBIDDEN
  578             )
  579 
  580     def test_user_cannot_get_another_users_trust(self):
  581         ref = PROVIDERS.trust_api.create_trust(
  582             self.trust_id, **self.trust_data)
  583 
  584         with self.test_client() as c:
  585             c.get(
  586                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  587                 headers=self.other_headers,
  588                 expected_status_code=http.client.FORBIDDEN
  589             )
  590 
  591     def test_user_can_get_non_existent_trust_not_found(self):
  592         trust_id = uuid.uuid4().hex
  593         with self.test_client() as c:
  594             c.get(
  595                 '/v3/OS-TRUST/trusts/%s' % trust_id,
  596                 headers=self.other_headers,
  597                 expected_status_code=http.client.NOT_FOUND
  598             )
  599 
  600     def test_user_can_get_trust_of_whom_they_are_the_trustor(self):
  601         ref = PROVIDERS.trust_api.create_trust(
  602             self.trust_id, **self.trust_data)
  603 
  604         with self.test_client() as c:
  605             c.get(
  606                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  607                 headers=self.trustor_headers
  608             )
  609 
  610     def test_user_can_get_trust_delegated_to_them(self):
  611         ref = PROVIDERS.trust_api.create_trust(
  612             self.trust_id, **self.trust_data)
  613 
  614         with self.test_client() as c:
  615             r = c.get(
  616                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  617                 headers=self.trustee_headers
  618             )
  619         self.assertEqual(r.json['trust']['id'], self.trust_id)
  620 
  621     def test_trustor_can_create_trust(self):
  622         json = {'trust': self.trust_data['trust']}
  623         json['trust']['roles'] = self.trust_data['roles']
  624 
  625         with self.test_client() as c:
  626             c.post(
  627                 '/v3/OS-TRUST/trusts',
  628                 json=json,
  629                 headers=self.trustor_headers
  630             )
  631 
  632     def test_trustee_cannot_create_trust(self):
  633         json = {'trust': self.trust_data['trust']}
  634         json['trust']['roles'] = self.trust_data['roles']
  635 
  636         with self.test_client() as c:
  637             c.post(
  638                 '/v3/OS-TRUST/trusts',
  639                 json=json,
  640                 headers=self.trustee_headers,
  641                 expected_status_code=http.client.FORBIDDEN
  642             )
  643 
  644     def test_trustor_can_delete_trust(self):
  645         ref = PROVIDERS.trust_api.create_trust(
  646             self.trust_id, **self.trust_data)
  647 
  648         with self.test_client() as c:
  649             c.delete(
  650                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  651                 headers=self.trustor_headers
  652             )
  653 
  654     def test_trustee_cannot_delete_trust(self):
  655         ref = PROVIDERS.trust_api.create_trust(
  656             self.trust_id, **self.trust_data)
  657 
  658         with self.test_client() as c:
  659             c.delete(
  660                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  661                 headers=self.trustee_headers,
  662                 expected_status_code=http.client.FORBIDDEN
  663             )
  664 
  665     def test_user_cannot_delete_trust_for_other_user(self):
  666         ref = PROVIDERS.trust_api.create_trust(
  667             self.trust_id, **self.trust_data)
  668 
  669         with self.test_client() as c:
  670             c.delete(
  671                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  672                 headers=self.other_headers,
  673                 expected_status_code=http.client.FORBIDDEN
  674             )
  675 
  676     def test_trustor_can_list_trust_roles(self):
  677         PROVIDERS.trust_api.create_trust(
  678             self.trust_id, **self.trust_data)
  679 
  680         with self.test_client() as c:
  681             r = c.get(
  682                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  683                 headers=self.trustor_headers
  684             )
  685         self.assertEqual(r.json['roles'][0]['id'],
  686                          self.bootstrapper.member_role_id)
  687 
  688     def test_trustee_can_list_trust_roles(self):
  689         PROVIDERS.trust_api.create_trust(
  690             self.trust_id, **self.trust_data)
  691 
  692         with self.test_client() as c:
  693             r = c.get(
  694                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  695                 headers=self.trustee_headers
  696             )
  697         self.assertEqual(r.json['roles'][0]['id'],
  698                          self.bootstrapper.member_role_id)
  699 
  700     def test_user_cannot_list_trust_roles_for_other_user(self):
  701         PROVIDERS.trust_api.create_trust(
  702             self.trust_id, **self.trust_data)
  703 
  704         with self.test_client() as c:
  705             c.get(
  706                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  707                 headers=self.other_headers,
  708                 expected_status_code=http.client.FORBIDDEN
  709             )
  710 
  711     def test_trustor_can_get_trust_role(self):
  712         PROVIDERS.trust_api.create_trust(
  713             self.trust_id, **self.trust_data)
  714 
  715         with self.test_client() as c:
  716             c.head(
  717                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  718                  (self.trust_id, self.bootstrapper.member_role_id)),
  719                 headers=self.trustor_headers
  720             )
  721 
  722     def test_trustee_can_get_trust_role(self):
  723         PROVIDERS.trust_api.create_trust(
  724             self.trust_id, **self.trust_data)
  725 
  726         with self.test_client() as c:
  727             c.head(
  728                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  729                  (self.trust_id, self.bootstrapper.member_role_id)),
  730                 headers=self.trustee_headers
  731             )
  732 
  733     def test_user_cannot_get_trust_role_for_other_user(self):
  734         PROVIDERS.trust_api.create_trust(
  735             self.trust_id, **self.trust_data)
  736 
  737         with self.test_client() as c:
  738             c.head(
  739                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  740                  (self.trust_id, self.bootstrapper.member_role_id)),
  741                 headers=self.other_headers,
  742                 expected_status_code=http.client.FORBIDDEN
  743             )
  744 
  745     def test_trustor_cannot_list_trusts_for_trustee_overridden_default(self):
  746         self._override_policy_old_defaults()
  747         PROVIDERS.trust_api.create_trust(
  748             self.trust_id, **self.trust_data)
  749 
  750         with self.test_client() as c:
  751             c.get(
  752                 ('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
  753                  self.trustee_user_id),
  754                 headers=self.trustor_headers,
  755                 expected_status_code=http.client.FORBIDDEN
  756             )
  757 
  758     def test_trustee_cannot_list_trusts_for_trustor_overridden_default(self):
  759         self._override_policy_old_defaults()
  760         PROVIDERS.trust_api.create_trust(
  761             self.trust_id, **self.trust_data)
  762 
  763         with self.test_client() as c:
  764             c.get(
  765                 ('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
  766                  self.trustor_user_id),
  767                 headers=self.trustee_headers,
  768                 expected_status_code=http.client.FORBIDDEN
  769             )
  770 
  771     def test_user_cannot_list_trusts_for_other_trustor_overridden(self):
  772         self._override_policy_old_defaults()
  773         PROVIDERS.trust_api.create_trust(
  774             self.trust_id, **self.trust_data)
  775 
  776         with self.test_client() as c:
  777             c.get(
  778                 ('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
  779                  self.trustor_user_id),
  780                 headers=self.other_headers,
  781                 expected_status_code=http.client.FORBIDDEN
  782             )
  783 
  784     def test_user_cannot_list_trusts_for_trustee_overridden_default(self):
  785         self._override_policy_old_defaults()
  786         PROVIDERS.trust_api.create_trust(
  787             self.trust_id, **self.trust_data)
  788 
  789         with self.test_client() as c:
  790             c.get(
  791                 ('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
  792                  self.trustee_user_id),
  793                 headers=self.other_headers,
  794                 expected_status_code=http.client.FORBIDDEN
  795             )
  796 
  797     def test_user_cannot_list_all_trusts_overridden_default(self):
  798         self._override_policy_old_defaults()
  799         PROVIDERS.trust_api.create_trust(
  800             self.trust_id, **self.trust_data)
  801 
  802         with self.test_client() as c:
  803             c.get(
  804                 '/v3/OS-TRUST/trusts',
  805                 headers=self.trustee_headers,
  806                 expected_status_code=http.client.FORBIDDEN
  807             )
  808 
  809     def test_trustor_can_delete_trust_overridden_default(self):
  810         self._override_policy_old_defaults()
  811         ref = PROVIDERS.trust_api.create_trust(
  812             self.trust_id, **self.trust_data)
  813 
  814         with self.test_client() as c:
  815             c.delete(
  816                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  817                 headers=self.trustor_headers
  818             )
  819 
  820     def test_trustee_cannot_delete_trust_overridden_default(self):
  821         self._override_policy_old_defaults()
  822         ref = PROVIDERS.trust_api.create_trust(
  823             self.trust_id, **self.trust_data)
  824 
  825         with self.test_client() as c:
  826             c.delete(
  827                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  828                 headers=self.trustee_headers,
  829                 expected_status_code=http.client.FORBIDDEN
  830             )
  831 
  832     def test_user_cannot_delete_trust_for_other_user_overridden_default(self):
  833         self._override_policy_old_defaults()
  834         ref = PROVIDERS.trust_api.create_trust(
  835             self.trust_id, **self.trust_data)
  836 
  837         with self.test_client() as c:
  838             c.delete(
  839                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  840                 headers=self.other_headers,
  841                 expected_status_code=http.client.FORBIDDEN
  842             )
  843 
  844     def test_user_can_get_trust_of_whom_they_are_the_trustor_overridden(self):
  845         self._override_policy_old_defaults()
  846         ref = PROVIDERS.trust_api.create_trust(
  847             self.trust_id, **self.trust_data)
  848 
  849         with self.test_client() as c:
  850             c.get(
  851                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  852                 headers=self.trustor_headers
  853             )
  854 
  855     def test_user_can_get_trust_delegated_to_them_overridden_default(self):
  856         self._override_policy_old_defaults()
  857         ref = PROVIDERS.trust_api.create_trust(
  858             self.trust_id, **self.trust_data)
  859 
  860         with self.test_client() as c:
  861             r = c.get(
  862                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
  863                 headers=self.trustee_headers
  864             )
  865         self.assertEqual(r.json['trust']['id'], self.trust_id)
  866 
  867     def test_trustor_can_list_trust_roles_overridden_default(self):
  868         self._override_policy_old_defaults()
  869         PROVIDERS.trust_api.create_trust(
  870             self.trust_id, **self.trust_data)
  871 
  872         with self.test_client() as c:
  873             r = c.get(
  874                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  875                 headers=self.trustor_headers
  876             )
  877         self.assertEqual(r.json['roles'][0]['id'],
  878                          self.bootstrapper.member_role_id)
  879 
  880     def test_trustee_can_list_trust_roles_overridden_default(self):
  881         self._override_policy_old_defaults()
  882         PROVIDERS.trust_api.create_trust(
  883             self.trust_id, **self.trust_data)
  884 
  885         with self.test_client() as c:
  886             r = c.get(
  887                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  888                 headers=self.trustee_headers
  889             )
  890         self.assertEqual(r.json['roles'][0]['id'],
  891                          self.bootstrapper.member_role_id)
  892 
  893     def test_user_cannot_list_trust_roles_other_user_overridden_default(self):
  894         self._override_policy_old_defaults()
  895         PROVIDERS.trust_api.create_trust(
  896             self.trust_id, **self.trust_data)
  897 
  898         with self.test_client() as c:
  899             c.get(
  900                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
  901                 headers=self.other_headers,
  902                 expected_status_code=http.client.FORBIDDEN
  903             )
  904 
  905     def test_trustor_can_get_trust_role_overridden_default(self):
  906         self._override_policy_old_defaults()
  907         PROVIDERS.trust_api.create_trust(
  908             self.trust_id, **self.trust_data)
  909 
  910         with self.test_client() as c:
  911             c.head(
  912                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  913                  (self.trust_id, self.bootstrapper.member_role_id)),
  914                 headers=self.trustor_headers
  915             )
  916 
  917     def test_trustee_can_get_trust_role_overridden_default(self):
  918         self._override_policy_old_defaults()
  919         PROVIDERS.trust_api.create_trust(
  920             self.trust_id, **self.trust_data)
  921 
  922         with self.test_client() as c:
  923             c.head(
  924                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  925                  (self.trust_id, self.bootstrapper.member_role_id)),
  926                 headers=self.trustee_headers
  927             )
  928 
  929     def test_user_cannot_get_trust_role_other_user_overridden_default(self):
  930         self._override_policy_old_defaults()
  931         PROVIDERS.trust_api.create_trust(
  932             self.trust_id, **self.trust_data)
  933 
  934         with self.test_client() as c:
  935             c.head(
  936                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
  937                  (self.trust_id, self.bootstrapper.member_role_id)),
  938                 headers=self.other_headers,
  939                 expected_status_code=http.client.FORBIDDEN
  940             )
  941 
  942 
  943 class DomainUserTests(TrustTests):
  944     """Tests for all domain users.
  945 
  946     Domain users should not be able to interact with trusts at all.
  947     """
  948 
  949     def setUp(self):
  950         super(DomainUserTests, self).setUp()
  951         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  952         domain_admin = unit.new_user_ref(domain_id=self.domain_id)
  953         self.user_id = PROVIDERS.identity_api.create_user(
  954             domain_admin)['id']
  955         PROVIDERS.assignment_api.create_grant(
  956             self.bootstrapper.admin_role_id, user_id=self.user_id,
  957             domain_id=self.domain_id
  958         )
  959 
  960         auth = self.build_authentication_request(
  961             user_id=self.user_id,
  962             password=domain_admin['password'],
  963             domain_id=self.domain_id
  964         )
  965         # Grab a token using another persona who has no trusts associated with
  966         # them
  967         with self.test_client() as c:
  968             r = c.post('/v3/auth/tokens', json=auth)
  969             self.token_id = r.headers['X-Subject-Token']
  970             self.headers = {'X-Auth-Token': self.token_id}
  971 
  972     def test_trustor_cannot_list_trusts_for_trustee(self):
  973         PROVIDERS.trust_api.create_trust(
  974             self.trust_id, **self.trust_data)
  975 
  976         with self.test_client() as c:
  977             c.get(
  978                 ('/v3/OS-TRUST/trusts?trustee_user_id=%s' %
  979                  self.trustee_user_id),
  980                 headers=self.headers,
  981                 expected_status_code=http.client.FORBIDDEN
  982             )
  983 
  984     def test_trustee_cannot_list_trusts_for_trustor(self):
  985         PROVIDERS.trust_api.create_trust(
  986             self.trust_id, **self.trust_data)
  987 
  988         with self.test_client() as c:
  989             c.get(
  990                 ('/v3/OS-TRUST/trusts?trustor_user_id=%s' %
  991                  self.trustor_user_id),
  992                 headers=self.headers,
  993                 expected_status_code=http.client.FORBIDDEN
  994             )
  995 
  996     def test_user_cannot_list_all_trusts(self):
  997         PROVIDERS.trust_api.create_trust(
  998             self.trust_id, **self.trust_data)
  999 
 1000         with self.test_client() as c:
 1001             c.get(
 1002                 '/v3/OS-TRUST/trusts',
 1003                 headers=self.headers,
 1004                 expected_status_code=http.client.FORBIDDEN
 1005             )
 1006 
 1007     def test_user_cannot_get_trust(self):
 1008         ref = PROVIDERS.trust_api.create_trust(
 1009             self.trust_id, **self.trust_data)
 1010 
 1011         with self.test_client() as c:
 1012             c.get(
 1013                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
 1014                 headers=self.headers,
 1015                 expected_status_code=http.client.FORBIDDEN
 1016             )
 1017 
 1018     def test_user_can_get_non_existent_trust_not_found(self):
 1019         trust_id = uuid.uuid4().hex
 1020         with self.test_client() as c:
 1021             c.get(
 1022                 '/v3/OS-TRUST/trusts/%s' % trust_id,
 1023                 headers=self.headers,
 1024                 expected_status_code=http.client.NOT_FOUND
 1025             )
 1026 
 1027     def test_user_cannot_create_trust(self):
 1028         trust_data = self.trust_data['trust']
 1029         trust_data['trustor_user_id'] = self.user_id
 1030         json = {'trust': trust_data}
 1031         json['trust']['roles'] = self.trust_data['roles']
 1032 
 1033         with self.test_client() as c:
 1034             c.post(
 1035                 '/v3/OS-TRUST/trusts',
 1036                 json=json,
 1037                 headers=self.headers,
 1038                 expected_status_code=http.client.FORBIDDEN
 1039             )
 1040 
 1041     def test_user_cannot_delete_trust(self):
 1042         ref = PROVIDERS.trust_api.create_trust(
 1043             self.trust_id, **self.trust_data)
 1044 
 1045         with self.test_client() as c:
 1046             c.delete(
 1047                 '/v3/OS-TRUST/trusts/%s' % ref['id'],
 1048                 headers=self.headers,
 1049                 expected_status_code=http.client.FORBIDDEN
 1050             )
 1051 
 1052     def test_user_cannot_list_trust_roles(self):
 1053         PROVIDERS.trust_api.create_trust(
 1054             self.trust_id, **self.trust_data)
 1055 
 1056         with self.test_client() as c:
 1057             c.get(
 1058                 '/v3/OS-TRUST/trusts/%s/roles' % self.trust_id,
 1059                 headers=self.headers,
 1060                 expected_status_code=http.client.FORBIDDEN
 1061             )
 1062 
 1063     def test_user_cannot_get_trust_role(self):
 1064         PROVIDERS.trust_api.create_trust(
 1065             self.trust_id, **self.trust_data)
 1066 
 1067         with self.test_client() as c:
 1068             c.head(
 1069                 ('/v3/OS-TRUST/trusts/%s/roles/%s' %
 1070                  (self.trust_id, self.bootstrapper.member_role_id)),
 1071                 headers=self.headers,
 1072                 expected_status_code=http.client.FORBIDDEN
 1073             )