382 lines
14 KiB
Python
382 lines
14 KiB
Python
# Copyright 2020 SUSE LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import abc
|
|
|
|
from tempest.api.identity import base
|
|
from tempest.lib.common.utils import data_utils
|
|
from tempest.lib import exceptions
|
|
|
|
from keystone_tempest_plugin.tests.rbac.v3 import base as rbac_base
|
|
|
|
|
|
class IdentityV3RbacDomainConfigTest(rbac_base.IdentityV3RbacBaseTests,
|
|
metaclass=abc.ABCMeta):
|
|
|
|
@classmethod
|
|
def setup_clients(cls):
|
|
super(IdentityV3RbacDomainConfigTest, cls).setup_clients()
|
|
cls.persona = getattr(cls, 'os_%s' % cls.credentials[0])
|
|
cls.client = cls.persona.domain_config_client
|
|
cls.admin_client = cls.os_system_admin
|
|
cls.admin_domain_config_client = cls.admin_client.domain_config_client
|
|
|
|
@classmethod
|
|
def resource_setup(cls):
|
|
super(IdentityV3RbacDomainConfigTest, cls).resource_setup()
|
|
cls.domain_id = cls.admin_client.domains_client.create_domain(
|
|
name=data_utils.rand_name('domain'))['domain']['id']
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_client.domains_client.delete_domain,
|
|
cls.domain_id)
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_client.domains_client.update_domain,
|
|
cls.domain_id,
|
|
enabled=False)
|
|
|
|
def domain_config(self, **kwargs):
|
|
ref = {
|
|
"identity": {
|
|
"driver": "ldap"
|
|
},
|
|
"ldap": {
|
|
"url": "ldap://myldap.com:389/",
|
|
"user_tree_dn": "ou=Users,dc=my_new_root,dc=org"
|
|
}
|
|
}
|
|
ref.update(kwargs)
|
|
return ref
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_create_domain_config(self):
|
|
"""Test identity:create_domain_config policy.
|
|
|
|
This test must check:
|
|
* whether the persona can create a domain config for a valid domain
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_get_domain_config(self):
|
|
"""Test identity:get_domain_config policy.
|
|
|
|
This test must check:
|
|
* whether the persona can get a domain config
|
|
* whether the persona can get an option group for a domain config
|
|
* whether the persona can get an option from a group in a domain
|
|
config
|
|
* whether the persona can get a config for an invalid domain
|
|
* whether the persona can get a config that does not exist
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_get_domain_config_default(self):
|
|
"""Test identity:get_domain_config_default policy.
|
|
|
|
* whether the persona can get the default config
|
|
* whether the persona can get the default config for an option group
|
|
* whether the persona can get the default value for an option
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_get_security_compliance_domain_config(self):
|
|
"""Test identity:get_security_compliance_domain_config policy.
|
|
|
|
This test must check:
|
|
* whether the persona can get the security compliance configuration
|
|
for the default domain
|
|
* whether the persona can get an option from the security compliance
|
|
configuration for the default domain
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_update_domain_config(self):
|
|
"""Test identity:update_domain_config policy.
|
|
|
|
This test must check:
|
|
* whether the persona can update the config for a domain
|
|
* whether the persona can update an option group config for a domain
|
|
* whether the persona can update an option in a domain config
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_delete_domain_config(self):
|
|
"""Test identity:delete_domain_config policy.
|
|
|
|
This test must check
|
|
* whether the persona can delete a domain config
|
|
* whether the persona can delete an option group within a domain
|
|
config
|
|
* whether the persona can delete an option within a domain config
|
|
"""
|
|
pass
|
|
|
|
|
|
class SystemAdminTests(IdentityV3RbacDomainConfigTest, base.BaseIdentityTest):
|
|
|
|
credentials = ['system_admin']
|
|
|
|
def test_identity_create_domain_config(self):
|
|
self.do_request(
|
|
'create_domain_config',
|
|
expected_status=201,
|
|
domain_id=self.domain_id,
|
|
**self.domain_config())
|
|
self.addCleanup(
|
|
self.admin_domain_config_client.delete_domain_config,
|
|
self.domain_id)
|
|
|
|
def test_identity_get_domain_config(self):
|
|
# should be able to get domain config, group and individual options
|
|
self.admin_domain_config_client.create_domain_config(
|
|
self.domain_id, **self.domain_config())
|
|
self.addCleanup(
|
|
self.admin_domain_config_client.delete_domain_config,
|
|
self.domain_id)
|
|
self.do_request(
|
|
'show_domain_config',
|
|
domain_id=self.domain_id)
|
|
self.do_request(
|
|
'show_domain_group_config',
|
|
domain_id=self.domain_id,
|
|
group='ldap')
|
|
self.do_request(
|
|
'show_domain_group_option_config',
|
|
domain_id=self.domain_id,
|
|
group='ldap',
|
|
option='url')
|
|
# should get Not Found for invalid domain
|
|
self.do_request(
|
|
'show_domain_config',
|
|
expected_status=exceptions.NotFound,
|
|
domain_id=data_utils.rand_uuid_hex())
|
|
# should get Not Found for nonexistent config for valid domain
|
|
domain = self.admin_client.domains_client.create_domain(
|
|
name=data_utils.rand_name('domain'))['domain']['id']
|
|
self.addCleanup(self.admin_client.domains_client.delete_domain, domain)
|
|
self.addCleanup(
|
|
self.admin_client.domains_client.update_domain,
|
|
domain, enabled=False)
|
|
self.do_request(
|
|
'show_domain_config',
|
|
expected_status=exceptions.NotFound,
|
|
domain_id=domain)
|
|
|
|
def test_identity_get_domain_config_default(self):
|
|
self.do_request('show_default_config_settings')
|
|
self.do_request('show_default_group_config', group='ldap')
|
|
self.do_request(
|
|
'show_default_group_option', group='ldap', option='url')
|
|
|
|
def test_identity_get_security_compliance_domain_config(self):
|
|
self.do_request(
|
|
'show_domain_group_config',
|
|
domain_id='default',
|
|
group='security_compliance')
|
|
self.do_request(
|
|
'show_domain_group_option_config',
|
|
domain_id='default',
|
|
group='security_compliance',
|
|
option='password_regex_description')
|
|
|
|
def test_identity_update_domain_config(self):
|
|
self.admin_domain_config_client.create_domain_config(
|
|
self.domain_id, **self.domain_config())
|
|
self.addCleanup(
|
|
self.admin_domain_config_client.delete_domain_config,
|
|
self.domain_id)
|
|
self.do_request(
|
|
'update_domain_group_config',
|
|
domain_id=self.domain_id,
|
|
group='ldap',
|
|
ldap={'url': 'ldaps://myldap.com:636/',
|
|
'user_tree_dn': 'ou=People,dc=my_new_root,dc=org'})
|
|
self.do_request(
|
|
'update_domain_group_option_config',
|
|
domain_id=self.domain_id,
|
|
group='ldap',
|
|
option='user_tree_dn',
|
|
user_tree_dn='ou=Aliens,dc=my_new_root,dc=org')
|
|
# test changing the entire config last
|
|
self.do_request(
|
|
'update_domain_config',
|
|
domain_id=self.domain_id,
|
|
identity={"driver": "sql"})
|
|
|
|
def test_identity_delete_domain_config(self):
|
|
self.admin_domain_config_client.create_domain_config(
|
|
self.domain_id, **self.domain_config())
|
|
self.do_request(
|
|
'delete_domain_group_option_config',
|
|
expected_status=204,
|
|
domain_id=self.domain_id,
|
|
group='ldap',
|
|
option='user_tree_dn')
|
|
self.do_request(
|
|
'delete_domain_group_config',
|
|
expected_status=204,
|
|
domain_id=self.domain_id,
|
|
group='ldap')
|
|
self.do_request(
|
|
'delete_domain_config',
|
|
expected_status=204,
|
|
domain_id=self.domain_id)
|
|
|
|
|
|
class SystemMemberTests(SystemAdminTests):
|
|
|
|
credentials = ['system_member', 'system_admin']
|
|
|
|
def test_identity_create_domain_config(self):
|
|
self.do_request(
|
|
'create_domain_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id,
|
|
**self.domain_config())
|
|
|
|
def test_identity_update_domain_config(self):
|
|
self.admin_domain_config_client.create_domain_config(
|
|
self.domain_id, **self.domain_config())
|
|
self.addCleanup(
|
|
self.admin_domain_config_client.delete_domain_config,
|
|
self.domain_id)
|
|
self.do_request(
|
|
'update_domain_group_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id,
|
|
group='ldap',
|
|
ldap={'url': 'ldaps://myldap.com:636/',
|
|
'user_tree_dn': 'ou=People,dc=my_new_root,dc=org'})
|
|
self.do_request(
|
|
'update_domain_group_option_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id,
|
|
group='ldap',
|
|
option='user_tree_dn',
|
|
user_tree_dn='ou=Aliens,dc=my_new_root,dc=org')
|
|
# test changing the entire config last
|
|
self.do_request(
|
|
'update_domain_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id,
|
|
identity={"driver": "sql"})
|
|
|
|
def test_identity_delete_domain_config(self):
|
|
self.admin_domain_config_client.create_domain_config(
|
|
self.domain_id, **self.domain_config())
|
|
self.do_request(
|
|
'delete_domain_group_option_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id,
|
|
group='ldap',
|
|
option='user_tree_dn')
|
|
self.do_request(
|
|
'delete_domain_group_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id,
|
|
group='ldap')
|
|
self.do_request(
|
|
'delete_domain_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id)
|
|
|
|
|
|
class SystemReaderTests(SystemMemberTests):
|
|
|
|
credentials = ['system_reader', 'system_admin']
|
|
|
|
|
|
class DomainAdminTests(SystemReaderTests):
|
|
|
|
credentials = ['domain_admin', 'system_admin']
|
|
|
|
def test_identity_get_domain_config(self):
|
|
# should not be able to get domain config, group and individual options
|
|
self.admin_domain_config_client.create_domain_config(
|
|
self.domain_id, **self.domain_config())
|
|
self.addCleanup(
|
|
self.admin_domain_config_client.delete_domain_config,
|
|
self.domain_id)
|
|
self.do_request(
|
|
'show_domain_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id)
|
|
self.do_request(
|
|
'show_domain_group_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id,
|
|
group='ldap')
|
|
self.do_request(
|
|
'show_domain_group_option_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=self.domain_id,
|
|
group='ldap',
|
|
option='url')
|
|
# should get Forbidden for invalid domain
|
|
self.do_request(
|
|
'show_domain_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=data_utils.rand_uuid_hex())
|
|
# should get Forbidden for nonexistent config for valid domain
|
|
domain = self.admin_client.domains_client.create_domain(
|
|
name=data_utils.rand_name('domain'))['domain']['id']
|
|
self.addCleanup(self.admin_client.domains_client.delete_domain, domain)
|
|
self.addCleanup(
|
|
self.admin_client.domains_client.update_domain,
|
|
domain, enabled=False)
|
|
self.do_request(
|
|
'show_domain_config',
|
|
expected_status=exceptions.Forbidden,
|
|
domain_id=domain)
|
|
|
|
def test_identity_get_domain_config_default(self):
|
|
self.do_request(
|
|
'show_default_config_settings',
|
|
expected_status=exceptions.Forbidden)
|
|
self.do_request(
|
|
'show_default_group_config',
|
|
expected_status=exceptions.Forbidden, group='ldap')
|
|
self.do_request(
|
|
'show_default_group_option',
|
|
expected_status=exceptions.Forbidden, group='ldap', option='url')
|
|
|
|
|
|
class DomainMemberTests(DomainAdminTests):
|
|
|
|
credentials = ['domain_member', 'system_admin']
|
|
|
|
|
|
class DomainReaderTests(DomainAdminTests):
|
|
|
|
credentials = ['domain_reader', 'system_admin']
|
|
|
|
|
|
class ProjectAdminTests(DomainReaderTests):
|
|
|
|
credentials = ['project_admin', 'system_admin']
|
|
|
|
|
|
class ProjectMemberTests(ProjectAdminTests):
|
|
|
|
credentials = ['project_member', 'system_admin']
|
|
|
|
|
|
class ProjectReaderTests(ProjectAdminTests):
|
|
|
|
credentials = ['project_reader', 'system_admin']
|