"Fossies" - the Fresh Open Source Software Archive

Member "keystone-19.0.0/keystone/tests/protection/v3/test_application_credential.py" (14 Apr 2021, 28216 Bytes) of package /linux/misc/openstack/keystone-19.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_application_credential.py": 18.0.0_vs_19.0.0.

    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 import datetime
   14 import uuid
   15 
   16 import http.client
   17 from oslo_serialization import jsonutils
   18 
   19 from keystone.common.policies import base as base_policy
   20 from keystone.common import provider_api
   21 import keystone.conf
   22 from keystone.tests.common import auth as common_auth
   23 from keystone.tests import unit
   24 from keystone.tests.unit import base_classes
   25 from keystone.tests.unit import ksfixtures
   26 from keystone.tests.unit.ksfixtures import temporaryfile
   27 
   28 CONF = keystone.conf.CONF
   29 PROVIDERS = provider_api.ProviderAPIs
   30 
   31 
   32 class _TestAppCredBase(base_classes.TestCaseWithBootstrap):
   33     """Base class for application credential tests."""
   34 
   35     def _new_app_cred_data(self, user_id=None, project_id=None, name=None,
   36                            expires=None, system=None):
   37         if not user_id:
   38             user_id = self.app_cred_user_id
   39         if not name:
   40             name = uuid.uuid4().hex
   41         if not expires:
   42             expires = datetime.datetime.utcnow() + datetime.timedelta(days=365)
   43         if not system:
   44             system = uuid.uuid4().hex
   45         if not project_id:
   46             project_id = self.app_cred_project_id
   47         app_cred_data = {
   48             'id': uuid.uuid4().hex,
   49             'name': name,
   50             'description': uuid.uuid4().hex,
   51             'user_id': user_id,
   52             'project_id': project_id,
   53             'system': system,
   54             'expires_at': expires,
   55             'roles': [
   56                 {'id': self.bootstrapper.member_role_id},
   57             ],
   58             'secret': uuid.uuid4().hex,
   59             'unrestricted': False
   60         }
   61         return app_cred_data
   62 
   63     def setUp(self):
   64         super(_TestAppCredBase, self).setUp()
   65 
   66         # create a user and project for app cred testing
   67         new_user_ref = unit.new_user_ref(
   68             domain_id=CONF.identity.default_domain_id
   69         )
   70         app_cred_user_ref = PROVIDERS.identity_api.create_user(
   71             new_user_ref
   72         )
   73         self.app_cred_user_id = app_cred_user_ref['id']
   74         self.app_cred_user_password = new_user_ref['password']
   75         app_cred_project_ref = PROVIDERS.resource_api.create_project(
   76             uuid.uuid4().hex,
   77             unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
   78         )
   79         self.app_cred_project_id = app_cred_project_ref['id']
   80         PROVIDERS.assignment_api.create_grant(
   81             self.bootstrapper.member_role_id,
   82             user_id=self.app_cred_user_id,
   83             project_id=self.app_cred_project_id
   84         )
   85 
   86     def _create_application_credential(self):
   87         app_cred = self._new_app_cred_data()
   88         return \
   89             PROVIDERS.application_credential_api.create_application_credential(
   90                 app_cred)
   91 
   92     def _override_policy(self):
   93         # TODO(gyee): Remove this once the deprecated policies in
   94         # keystone.common.policies.application_credential have been removed.
   95         # This is only here to make sure we test the new policies instead of
   96         # the deprecated ones. Oslo.policy will OR deprecated policies with
   97         # new policies to maintain compatibility and give operators a chance to
   98         # update permissions or update policies without breaking users.
   99         # This will cause these specific tests to fail since we're trying to
  100         # correct this broken behavior with better scope checking.
  101         with open(self.policy_file_name, 'w') as f:
  102             overridden_policies = {
  103                 'identity:get_application_credential': (
  104                     base_policy.RULE_SYSTEM_READER_OR_OWNER),
  105                 'identity:list_application_credentials': (
  106                     base_policy.RULE_SYSTEM_READER_OR_OWNER),
  107                 'identity:create_application_credential': (
  108                     base_policy.RULE_OWNER),
  109                 'identity:delete_application_credential': (
  110                     base_policy.RULE_SYSTEM_ADMIN_OR_OWNER),
  111             }
  112             f.write(jsonutils.dumps(overridden_policies))
  113 
  114 
  115 class _DomainAndProjectUserTests(object):
  116     """Domain and project user tests.
  117 
  118     Domain and project users should not be able to manage application
  119     credentials other then their own.
  120     """
  121 
  122     def test_user_cannot_list_application_credentials(self):
  123         # create a couple of application credentials
  124         self._create_application_credential()
  125         self._create_application_credential()
  126 
  127         with self.test_client() as c:
  128             c.get('/v3/users/%s/application_credentials' % (
  129                   self.app_cred_user_id),
  130                   expected_status_code=http.client.FORBIDDEN,
  131                   headers=self.headers)
  132 
  133     def test_user_cannot_get_application_credential(self):
  134         app_cred = self._create_application_credential()
  135 
  136         with self.test_client() as c:
  137             c.get('/v3/users/%s/application_credentials/%s' % (
  138                   self.app_cred_user_id,
  139                   app_cred['id']),
  140                   expected_status_code=http.client.FORBIDDEN,
  141                   headers=self.headers)
  142 
  143     def test_user_cannot_lookup_application_credential(self):
  144         app_cred = self._create_application_credential()
  145 
  146         with self.test_client() as c:
  147             c.get('/v3/users/%s/application_credentials?name=%s' % (
  148                   self.app_cred_user_id,
  149                   app_cred['name']),
  150                   expected_status_code=http.client.FORBIDDEN,
  151                   headers=self.headers)
  152 
  153     def test_user_cannot_delete_application_credential(self):
  154         app_cred = self._create_application_credential()
  155 
  156         with self.test_client() as c:
  157             c.delete(
  158                 '/v3/users/%s/application_credentials/%s' % (
  159                     self.app_cred_user_id,
  160                     app_cred['id']),
  161                 expected_status_code=http.client.FORBIDDEN,
  162                 headers=self.headers)
  163 
  164     def test_user_cannot_lookup_non_existent_application_credential(self):
  165         with self.test_client() as c:
  166             c.get('/v3/users/%s/application_credentials?name=%s' % (
  167                   self.app_cred_user_id,
  168                   uuid.uuid4().hex),
  169                   expected_status_code=http.client.FORBIDDEN,
  170                   headers=self.headers)
  171 
  172     def test_user_cannot_create_app_credential_for_another_user(self):
  173         # create another user
  174         another_user = unit.new_user_ref(
  175             domain_id=CONF.identity.default_domain_id
  176         )
  177         another_user_id = PROVIDERS.identity_api.create_user(
  178             another_user
  179         )['id']
  180 
  181         app_cred_body = {
  182             'application_credential': unit.new_application_credential_ref(
  183                 roles=[{'id': self.bootstrapper.member_role_id}])
  184         }
  185 
  186         with self.test_client() as c:
  187             c.post(
  188                 '/v3/users/%s/application_credentials' % another_user_id,
  189                 json=app_cred_body,
  190                 expected_status_code=http.client.FORBIDDEN,
  191                 headers=self.headers)
  192 
  193 
  194 class _SystemUserAndOwnerTests(object):
  195     """Common default functionality for all system users and owner."""
  196 
  197     def test_user_can_list_application_credentials(self):
  198         # create a couple of application credentials
  199         self._create_application_credential()
  200         self._create_application_credential()
  201 
  202         with self.test_client() as c:
  203             r = c.get(
  204                 '/v3/users/%s/application_credentials' % (
  205                     self.app_cred_user_id),
  206                 headers=self.headers)
  207             self.assertEqual(2, len(r.json['application_credentials']))
  208 
  209     def test_user_can_get_application_credential(self):
  210         app_cred = self._create_application_credential()
  211 
  212         with self.test_client() as c:
  213             r = c.get(
  214                 '/v3/users/%s/application_credentials/%s' % (
  215                     self.app_cred_user_id,
  216                     app_cred['id']),
  217                 headers=self.headers)
  218             actual_app_cred = r.json['application_credential']
  219             self.assertEqual(app_cred['id'], actual_app_cred['id'])
  220 
  221     def test_user_can_lookup_application_credential(self):
  222         app_cred = self._create_application_credential()
  223 
  224         with self.test_client() as c:
  225             r = c.get(
  226                 '/v3/users/%s/application_credentials?name=%s' % (
  227                     self.app_cred_user_id,
  228                     app_cred['name']),
  229                 headers=self.headers)
  230             self.assertEqual(1, len(r.json['application_credentials']))
  231             actual_app_cred = r.json['application_credentials'][0]
  232             self.assertEqual(app_cred['id'], actual_app_cred['id'])
  233 
  234     def _test_delete_application_credential(
  235             self,
  236             expected_status_code=http.client.NO_CONTENT):
  237         app_cred = self._create_application_credential()
  238 
  239         with self.test_client() as c:
  240             c.delete(
  241                 '/v3/users/%s/application_credentials/%s' % (
  242                     self.app_cred_user_id,
  243                     app_cred['id']),
  244                 expected_status_code=expected_status_code,
  245                 headers=self.headers)
  246 
  247     def test_user_cannot_create_app_credential_for_another_user(self):
  248         # create another user
  249         another_user = unit.new_user_ref(
  250             domain_id=CONF.identity.default_domain_id
  251         )
  252         another_user_id = PROVIDERS.identity_api.create_user(
  253             another_user
  254         )['id']
  255 
  256         app_cred_body = {
  257             'application_credential': unit.new_application_credential_ref(
  258                 roles=[{'id': self.bootstrapper.member_role_id}])
  259         }
  260 
  261         with self.test_client() as c:
  262             c.post(
  263                 '/v3/users/%s/application_credentials' % another_user_id,
  264                 json=app_cred_body,
  265                 expected_status_code=http.client.FORBIDDEN,
  266                 headers=self.headers)
  267 
  268 
  269 class SystemReaderTests(_TestAppCredBase,
  270                         common_auth.AuthTestMixin,
  271                         _SystemUserAndOwnerTests):
  272 
  273     def setUp(self):
  274         super(SystemReaderTests, self).setUp()
  275         self.loadapp()
  276         self.useFixture(ksfixtures.Policy(self.config_fixture))
  277         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  278 
  279         system_reader = unit.new_user_ref(
  280             domain_id=CONF.identity.default_domain_id
  281         )
  282         self.user_id = PROVIDERS.identity_api.create_user(
  283             system_reader
  284         )['id']
  285         PROVIDERS.assignment_api.create_system_grant_for_user(
  286             self.user_id, self.bootstrapper.reader_role_id
  287         )
  288 
  289         auth = self.build_authentication_request(
  290             user_id=self.user_id, password=system_reader['password'],
  291             system=True
  292         )
  293 
  294         # Grab a token using the persona we're testing and prepare headers
  295         # for requests we'll be making in the tests.
  296         with self.test_client() as c:
  297             r = c.post('/v3/auth/tokens', json=auth)
  298             self.token_id = r.headers['X-Subject-Token']
  299             self.headers = {'X-Auth-Token': self.token_id}
  300 
  301     def test_system_reader_cannot_delete_application_credential_for_user(self):
  302         self._test_delete_application_credential(
  303             expected_status_code=http.client.FORBIDDEN)
  304 
  305 
  306 class SystemMemberTests(_TestAppCredBase,
  307                         common_auth.AuthTestMixin,
  308                         _SystemUserAndOwnerTests):
  309 
  310     def setUp(self):
  311         super(SystemMemberTests, self).setUp()
  312         self.loadapp()
  313         self.useFixture(ksfixtures.Policy(self.config_fixture))
  314         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  315 
  316         system_member = unit.new_user_ref(
  317             domain_id=CONF.identity.default_domain_id
  318         )
  319         self.user_id = PROVIDERS.identity_api.create_user(
  320             system_member
  321         )['id']
  322         PROVIDERS.assignment_api.create_system_grant_for_user(
  323             self.user_id, self.bootstrapper.member_role_id
  324         )
  325 
  326         auth = self.build_authentication_request(
  327             user_id=self.user_id, password=system_member['password'],
  328             system=True
  329         )
  330 
  331         # Grab a token using the persona we're testing and prepare headers
  332         # for requests we'll be making in the tests.
  333         with self.test_client() as c:
  334             r = c.post('/v3/auth/tokens', json=auth)
  335             self.token_id = r.headers['X-Subject-Token']
  336             self.headers = {'X-Auth-Token': self.token_id}
  337 
  338     def test_system_reader_cannot_delete_application_credential_for_user(self):
  339         self._test_delete_application_credential(
  340             expected_status_code=http.client.FORBIDDEN)
  341 
  342 
  343 class SystemAdminTests(_TestAppCredBase,
  344                        common_auth.AuthTestMixin,
  345                        _SystemUserAndOwnerTests):
  346 
  347     def setUp(self):
  348         super(SystemAdminTests, self).setUp()
  349         self.loadapp()
  350         self.useFixture(ksfixtures.Policy(self.config_fixture))
  351         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  352 
  353         self.user_id = self.bootstrapper.admin_user_id
  354         auth = self.build_authentication_request(
  355             user_id=self.user_id,
  356             password=self.bootstrapper.admin_password,
  357             system=True
  358         )
  359 
  360         # Grab a token using the persona we're testing and prepare headers
  361         # for requests we'll be making in the tests.
  362         with self.test_client() as c:
  363             r = c.post('/v3/auth/tokens', json=auth)
  364             self.token_id = r.headers['X-Subject-Token']
  365             self.headers = {'X-Auth-Token': self.token_id}
  366 
  367     def test_system_admin_can_delete_application_credential_for_user(self):
  368         self._test_delete_application_credential()
  369 
  370 
  371 class OwnerTests(_TestAppCredBase,
  372                  common_auth.AuthTestMixin,
  373                  _SystemUserAndOwnerTests):
  374 
  375     def setUp(self):
  376         super(OwnerTests, self).setUp()
  377         self.loadapp()
  378 
  379         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  380         self.policy_file_name = self.policy_file.file_name
  381         self.useFixture(
  382             ksfixtures.Policy(
  383                 self.config_fixture, policy_file=self.policy_file_name
  384             )
  385         )
  386 
  387         self._override_policy()
  388         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  389 
  390         # in this case app_cred_user_id and user_id are the same since we
  391         # are testing the owner
  392         self.user_id = self.app_cred_user_id
  393         auth = self.build_authentication_request(
  394             user_id=self.user_id,
  395             password=self.app_cred_user_password,
  396             project_id=self.app_cred_project_id
  397         )
  398 
  399         # Grab a token using the persona we're testing and prepare headers
  400         # for requests we'll be making in the tests.
  401         with self.test_client() as c:
  402             r = c.post('/v3/auth/tokens', json=auth)
  403             self.token_id = r.headers['X-Subject-Token']
  404             self.headers = {'X-Auth-Token': self.token_id}
  405 
  406     def test_create_application_credential_by_owner(self):
  407         app_cred_body = {
  408             'application_credential': unit.new_application_credential_ref()
  409         }
  410 
  411         with self.test_client() as c:
  412             c.post(
  413                 '/v3/users/%s/application_credentials' % self.user_id,
  414                 json=app_cred_body,
  415                 expected_status_code=http.client.CREATED,
  416                 headers=self.headers)
  417 
  418     def test_owner_can_delete_application_credential(self):
  419         self._test_delete_application_credential()
  420 
  421     def test_user_cannot_lookup_application_credential_for_another_user(self):
  422         # create another user
  423         another_user = unit.new_user_ref(
  424             domain_id=CONF.identity.default_domain_id
  425         )
  426         another_user_id = PROVIDERS.identity_api.create_user(
  427             another_user
  428         )['id']
  429 
  430         auth = self.build_authentication_request(
  431             user_id=another_user_id,
  432             password=another_user['password']
  433         )
  434 
  435         # authenticate for a token as a completely different user with
  436         # completely different authorization
  437         with self.test_client() as c:
  438             r = c.post('/v3/auth/tokens', json=auth)
  439             another_user_token = r.headers['X-Subject-Token']
  440 
  441         # create an application credential as the self.user_id user on a
  442         # project that the user above doesn't have any authorization on
  443         app_cred = self._create_application_credential()
  444 
  445         # attempt to lookup the application credential as another user
  446         with self.test_client() as c:
  447             c.get(
  448                 '/v3/users/%s/application_credentials/%s' % (
  449                     another_user_id,
  450                     app_cred['id']),
  451                 expected_status_code=http.client.FORBIDDEN,
  452                 headers={'X-Auth-Token': another_user_token})
  453 
  454     def test_user_cannot_delete_application_credential_for_another_user(self):
  455         # create another user
  456         another_user = unit.new_user_ref(
  457             domain_id=CONF.identity.default_domain_id
  458         )
  459         another_user_id = PROVIDERS.identity_api.create_user(
  460             another_user
  461         )['id']
  462 
  463         auth = self.build_authentication_request(
  464             user_id=another_user_id,
  465             password=another_user['password']
  466         )
  467 
  468         # authenticate for a token as a completely different user with
  469         # completely different authorization
  470         with self.test_client() as c:
  471             r = c.post('/v3/auth/tokens', json=auth)
  472             another_user_token = r.headers['X-Subject-Token']
  473 
  474         # create an application credential as the self.user_id user on a
  475         # project that the user above doesn't have any authorization on
  476         app_cred = self._create_application_credential()
  477 
  478         # attempt to delete the application credential as another user
  479         with self.test_client() as c:
  480             c.delete(
  481                 '/v3/users/%s/application_credentials/%s' % (
  482                     another_user_id,
  483                     app_cred['id']),
  484                 expected_status_code=http.client.FORBIDDEN,
  485                 headers={'X-Auth-Token': another_user_token})
  486 
  487 
  488 class DomainAdminTests(_TestAppCredBase,
  489                        common_auth.AuthTestMixin,
  490                        _DomainAndProjectUserTests):
  491 
  492     def setUp(self):
  493         super(DomainAdminTests, self).setUp()
  494         self.loadapp()
  495 
  496         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  497         self.policy_file_name = self.policy_file.file_name
  498         self.useFixture(
  499             ksfixtures.Policy(
  500                 self.config_fixture, policy_file=self.policy_file_name
  501             )
  502         )
  503 
  504         self._override_policy()
  505         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  506 
  507         domain_admin = unit.new_user_ref(
  508             domain_id=CONF.identity.default_domain_id)
  509         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  510         PROVIDERS.assignment_api.create_grant(
  511             self.bootstrapper.admin_role_id, user_id=self.user_id,
  512             domain_id=CONF.identity.default_domain_id
  513         )
  514 
  515         auth = self.build_authentication_request(
  516             user_id=self.user_id, password=domain_admin['password'],
  517             domain_id=CONF.identity.default_domain_id
  518         )
  519 
  520         # Grab a token using the persona we're testing and prepare headers
  521         # for requests we'll be making in the tests.
  522         with self.test_client() as c:
  523             r = c.post('/v3/auth/tokens', json=auth)
  524             self.token_id = r.headers['X-Subject-Token']
  525             self.headers = {'X-Auth-Token': self.token_id}
  526 
  527 
  528 class DomainReaderTests(_TestAppCredBase,
  529                         common_auth.AuthTestMixin,
  530                         _DomainAndProjectUserTests):
  531 
  532     def setUp(self):
  533         super(DomainReaderTests, self).setUp()
  534         self.loadapp()
  535 
  536         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  537         self.policy_file_name = self.policy_file.file_name
  538         self.useFixture(
  539             ksfixtures.Policy(
  540                 self.config_fixture, policy_file=self.policy_file_name
  541             )
  542         )
  543 
  544         self._override_policy()
  545         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  546 
  547         domain_admin = unit.new_user_ref(
  548             domain_id=CONF.identity.default_domain_id)
  549         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  550         PROVIDERS.assignment_api.create_grant(
  551             self.bootstrapper.reader_role_id, user_id=self.user_id,
  552             domain_id=CONF.identity.default_domain_id
  553         )
  554 
  555         auth = self.build_authentication_request(
  556             user_id=self.user_id, password=domain_admin['password'],
  557             domain_id=CONF.identity.default_domain_id
  558         )
  559 
  560         # Grab a token using the persona we're testing and prepare headers
  561         # for requests we'll be making in the tests.
  562         with self.test_client() as c:
  563             r = c.post('/v3/auth/tokens', json=auth)
  564             self.token_id = r.headers['X-Subject-Token']
  565             self.headers = {'X-Auth-Token': self.token_id}
  566 
  567 
  568 class DomainMemberTests(_TestAppCredBase,
  569                         common_auth.AuthTestMixin,
  570                         _DomainAndProjectUserTests):
  571 
  572     def setUp(self):
  573         super(DomainMemberTests, self).setUp()
  574         self.loadapp()
  575 
  576         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  577         self.policy_file_name = self.policy_file.file_name
  578         self.useFixture(
  579             ksfixtures.Policy(
  580                 self.config_fixture, policy_file=self.policy_file_name
  581             )
  582         )
  583 
  584         self._override_policy()
  585         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  586 
  587         domain_admin = unit.new_user_ref(
  588             domain_id=CONF.identity.default_domain_id)
  589         self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
  590         PROVIDERS.assignment_api.create_grant(
  591             self.bootstrapper.member_role_id, user_id=self.user_id,
  592             domain_id=CONF.identity.default_domain_id
  593         )
  594 
  595         auth = self.build_authentication_request(
  596             user_id=self.user_id, password=domain_admin['password'],
  597             domain_id=CONF.identity.default_domain_id
  598         )
  599 
  600         # Grab a token using the persona we're testing and prepare headers
  601         # for requests we'll be making in the tests.
  602         with self.test_client() as c:
  603             r = c.post('/v3/auth/tokens', json=auth)
  604             self.token_id = r.headers['X-Subject-Token']
  605             self.headers = {'X-Auth-Token': self.token_id}
  606 
  607 
  608 class ProjectAdminTests(_TestAppCredBase,
  609                         common_auth.AuthTestMixin,
  610                         _DomainAndProjectUserTests):
  611 
  612     def setUp(self):
  613         super(ProjectAdminTests, self).setUp()
  614         self.loadapp()
  615 
  616         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  617         self.policy_file_name = self.policy_file.file_name
  618         self.useFixture(
  619             ksfixtures.Policy(
  620                 self.config_fixture, policy_file=self.policy_file_name
  621             )
  622         )
  623 
  624         self._override_policy()
  625         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  626 
  627         project_admin = unit.new_user_ref(
  628             domain_id=CONF.identity.default_domain_id)
  629         self.user_id = PROVIDERS.identity_api.create_user(project_admin)['id']
  630         # even project admin of project where the app credential
  631         # is intended for cannot perform app credential operations
  632         PROVIDERS.assignment_api.create_grant(
  633             self.bootstrapper.admin_role_id,
  634             user_id=self.user_id,
  635             project_id=self.app_cred_project_id
  636         )
  637         auth = self.build_authentication_request(
  638             user_id=self.user_id, password=project_admin['password'],
  639             project_id=self.app_cred_project_id
  640         )
  641 
  642         # Grab a token using the persona we're testing and prepare headers
  643         # for requests we'll be making in the tests.
  644         with self.test_client() as c:
  645             r = c.post('/v3/auth/tokens', json=auth)
  646             self.token_id = r.headers['X-Subject-Token']
  647             self.headers = {'X-Auth-Token': self.token_id}
  648 
  649 
  650 class ProjectReaderTests(_TestAppCredBase,
  651                          common_auth.AuthTestMixin,
  652                          _DomainAndProjectUserTests):
  653 
  654     def setUp(self):
  655         super(ProjectReaderTests, self).setUp()
  656         self.loadapp()
  657 
  658         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  659         self.policy_file_name = self.policy_file.file_name
  660         self.useFixture(
  661             ksfixtures.Policy(
  662                 self.config_fixture, policy_file=self.policy_file_name
  663             )
  664         )
  665 
  666         self._override_policy()
  667         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  668 
  669         project_admin = unit.new_user_ref(
  670             domain_id=CONF.identity.default_domain_id)
  671         self.user_id = PROVIDERS.identity_api.create_user(project_admin)['id']
  672         # even project admin of project where the app credential
  673         # is intended for cannot perform app credential operations
  674         PROVIDERS.assignment_api.create_grant(
  675             self.bootstrapper.reader_role_id,
  676             user_id=self.user_id,
  677             project_id=self.app_cred_project_id
  678         )
  679         auth = self.build_authentication_request(
  680             user_id=self.user_id, password=project_admin['password'],
  681             project_id=self.app_cred_project_id
  682         )
  683 
  684         # Grab a token using the persona we're testing and prepare headers
  685         # for requests we'll be making in the tests.
  686         with self.test_client() as c:
  687             r = c.post('/v3/auth/tokens', json=auth)
  688             self.token_id = r.headers['X-Subject-Token']
  689             self.headers = {'X-Auth-Token': self.token_id}
  690 
  691 
  692 class ProjectMemberTests(_TestAppCredBase,
  693                          common_auth.AuthTestMixin,
  694                          _DomainAndProjectUserTests):
  695 
  696     def setUp(self):
  697         super(ProjectMemberTests, self).setUp()
  698         self.loadapp()
  699 
  700         self.policy_file = self.useFixture(temporaryfile.SecureTempFile())
  701         self.policy_file_name = self.policy_file.file_name
  702         self.useFixture(
  703             ksfixtures.Policy(
  704                 self.config_fixture, policy_file=self.policy_file_name
  705             )
  706         )
  707 
  708         self._override_policy()
  709         self.config_fixture.config(group='oslo_policy', enforce_scope=True)
  710 
  711         project_admin = unit.new_user_ref(
  712             domain_id=CONF.identity.default_domain_id)
  713         self.user_id = PROVIDERS.identity_api.create_user(project_admin)['id']
  714         # even project admin of project where the app credential
  715         # is intended for cannot perform app credential operations
  716         PROVIDERS.assignment_api.create_grant(
  717             self.bootstrapper.member_role_id,
  718             user_id=self.user_id,
  719             project_id=self.app_cred_project_id
  720         )
  721         auth = self.build_authentication_request(
  722             user_id=self.user_id, password=project_admin['password'],
  723             project_id=self.app_cred_project_id
  724         )
  725 
  726         # Grab a token using the persona we're testing and prepare headers
  727         # for requests we'll be making in the tests.
  728         with self.test_client() as c:
  729             r = c.post('/v3/auth/tokens', json=auth)
  730             self.token_id = r.headers['X-Subject-Token']
  731             self.headers = {'X-Auth-Token': self.token_id}