Update tests for admin role in credentials

This patch updates tests to expect "admin" personas to be able to access
credential endpoints.  The relevant policies have been updated in
Keystone.

Change-Id: I54d0ae44a7f669734edcbd31cbc03e9ccf3d829e
Douglas Mendizábal 2024-04-02 21:14:20 -05:00
parent f05f742f80
commit c0ae2d9930
4 changed files with 55 additions and 32 deletions


@ -411,14 +411,19 @@ class DomainReaderTests(DomainAdminTests):
credentials = ['domain_reader', 'system_admin']
class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
base.BaseIdentityTest):
class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
class ProjectMemberTests(IdentityV3RbacApplicationCredentialTest,
base.BaseIdentityTest):
credentials = ['project_member', 'system_admin']
@classmethod
def setup_clients(cls):
super(ProjectAdminTests, cls).setup_clients()
super().setup_clients()
cls.test_user_client, cls.test_user_id = cls.setup_user_client()
def test_identity_create_application_credential(self):
@ -555,11 +560,6 @@ class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
application_credential_id=data_utils.rand_uuid_hex())
class ProjectMemberTests(ProjectAdminTests):
credentials = ['project_member', 'system_admin']
class ProjectReaderTests(ProjectAdminTests):
class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
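Review bot: ProjectAdminTests now derives from SystemAdminTests and overrides only `credentials`, so every system-admin expectation for application credentials becomes the expectation for a project-scoped admin, and nothing in the class says this is intended. These tests are the executable record of who may act on another user's credentials, so I would add a short comment above the class, for example `# admin on a project is expected to match system admin here; see the updated Keystone credential policies`, ideally naming the Keystone change it tracks. The same applies to ProjectAdminTests in the credential and EC2 credential test sections later in this commit. The class bodies extend beyond the hunks shown, so any overrides that remain elsewhere are not visible here.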


@ -433,10 +433,15 @@ class DomainReaderTests(DomainAdminTests):
credentials = ['domain_reader', 'system_admin']
class ProjectAdminTests(SystemReaderTests):
class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
class ProjectMemberTests(SystemReaderTests):
credentials = ['project_member', 'system_admin']
def test_identity_get_credential(self):
# user can get their own credential
user_id = self.persona.credentials.user_id
@ -480,11 +485,6 @@ class ProjectAdminTests(SystemReaderTests):
self.assertNotIn(cred['id'], [c['id'] for c in resp])
class ProjectMemberTests(ProjectAdminTests):
credentials = ['project_member', 'system_admin']
class ProjectReaderTests(ProjectAdminTests):
class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']


@ -474,10 +474,15 @@ class DomainReaderTests(DomainAdminTests):
credentials = ['domain_reader', 'system_admin']
class ProjectAdminTests(SystemReaderTests):
class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
class ProjectMemberTests(SystemReaderTests):
credentials = ['project_member', 'system_admin']
def test_identity_ec2_get_credential(self):
# user can get their own credential
user_id = self.persona.credentials.user_id
@ -534,11 +539,6 @@ class ProjectAdminTests(SystemReaderTests):
user_id=self.test_user_2)
class ProjectMemberTests(ProjectAdminTests):
credentials = ['project_member', 'system_admin']
class ProjectReaderTests(ProjectAdminTests):
class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']


@ -229,7 +229,7 @@ class SystemReaderTests(SystemMemberTests):
credentials = ['system_reader', 'system_admin']
class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
class DomainAdminTests(SystemAdminTests):
credentials = ['domain_admin', 'system_admin']
@ -242,6 +242,11 @@ class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
# call base setUp directly to ensure we don't use system creds
super(SystemAdminTests, self).setUp()
class DomainMemberTests(DomainAdminTests):
credentials = ['domain_member', 'system_admin']
def test_identity_check_token(self):
# user can check own token
self.do_request('check_token_existence', resp_token=self.own_token)
@ -274,18 +279,27 @@ class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
expected_status=exceptions.Forbidden,
resp_token=self.project_token)
class DomainMemberTests(DomainAdminTests):
credentials = ['domain_member', 'system_admin']
def test_identity_revoke_token(self):
# user can revoke own token
self.do_request('delete_token', expected_status=204,
resp_token=self.own_token)
# user cannot revoke other system user's token
self.do_request('delete_token', expected_status=exceptions.Forbidden,
resp_token=self.system_token)
# user cannot revoke domain user's token
self.do_request('delete_token', expected_status=exceptions.Forbidden,
resp_token=self.domain_token)
# user cannot revoke project user's token
self.do_request('delete_token', expected_status=exceptions.Forbidden,
resp_token=self.project_token)
class DomainReaderTests(DomainAdminTests):
class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
class ProjectAdminTests(DomainAdminTests, base.BaseIdentityTest):
class ProjectAdminTests(DomainAdminTests):
credentials = ['project_admin', 'system_admin']
@ -299,11 +313,20 @@ class ProjectAdminTests(DomainAdminTests, base.BaseIdentityTest):
super(SystemAdminTests, self).setUp()
class ProjectMemberTests(ProjectAdminTests):
class ProjectMemberTests(DomainMemberTests):
credentials = ['project_member', 'system_admin']
def setUp(self):
self.own_keystone_creds = {
'user_id': self.persona.credentials.user_id,
'password': self.persona.credentials.password,
'project_id': self.persona.credentials.project_id
}
# call base setUp directly to ensure we don't use system creds
super(SystemAdminTests, self).setUp()
class ProjectReaderTests(ProjectAdminTests):
class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
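Review bot: The `setUp` that appears to be added to ProjectMemberTests ends in `super(SystemAdminTests, self).setUp()`, which starts the lookup after SystemAdminTests in the MRO. Now that the class derives from DomainMemberTests, that call also bypasses the `setUp` DomainAdminTests appears to define, while the existing comment only mentions avoiding system creds. The body also looks like a copy of the project-scoped `own_keystone_creds` block in ProjectAdminTests, whose `setUp` lies mostly outside the hunk. I would share that block between the two classes through a small mixin, or at least extend the comment to `# skip DomainAdminTests/SystemAdminTests setUp so only the project-scoped own_keystone_creds set above are used`. The call hard-codes SystemAdminTests and fails with a TypeError if a later refactor removes it from the hierarchy, so the coupling is worth documenting in an RBAC suite where the persona under test must not silently change.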