470 lines
18 KiB
Python
470 lines
18 KiB
Python
# Copyright 2020 SUSE LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import abc
|
|
|
|
from tempest.api.identity import base
|
|
from tempest.lib.common.utils import data_utils
|
|
from tempest.lib import exceptions
|
|
|
|
from keystone_tempest_plugin.tests.rbac.v3 import base as rbac_base
|
|
|
|
|
|
class IdentityV3RbacPolicyAssociationTests(rbac_base.IdentityV3RbacBaseTests,
|
|
metaclass=abc.ABCMeta):
|
|
|
|
@classmethod
|
|
def setup_clients(cls):
|
|
super(IdentityV3RbacPolicyAssociationTests, cls).setup_clients()
|
|
cls.persona = getattr(cls, 'os_%s' % cls.credentials[0])
|
|
cls.client = cls.persona.policies_client
|
|
cls.admin_client = cls.os_system_admin
|
|
cls.admin_policies_client = cls.admin_client.policies_client
|
|
|
|
@classmethod
|
|
def resource_setup(cls):
|
|
super(IdentityV3RbacPolicyAssociationTests, cls).resource_setup()
|
|
cls.policy_id = cls.admin_policies_client.create_policy(
|
|
blob=data_utils.rand_uuid_hex(),
|
|
type=data_utils.rand_uuid_hex())['policy']['id']
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_policies_client.delete_policy,
|
|
policy_id=cls.policy_id)
|
|
cls.region_id = cls.admin_client.regions_client.create_region(
|
|
region_id=data_utils.rand_name())['region']['id']
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_client.regions_client.delete_region,
|
|
cls.region_id)
|
|
svc_client = cls.admin_client.identity_services_v3_client
|
|
cls.service_id = svc_client.create_service(
|
|
type=data_utils.rand_name())['service']['id']
|
|
cls.addClassResourceCleanup(svc_client.delete_service, cls.service_id)
|
|
cls.endpoint_id = cls.admin_client.endpoints_v3_client.create_endpoint(
|
|
interface='public',
|
|
url='http://localhost/foo',
|
|
service_id=cls.service_id)['endpoint']['id']
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_client.endpoints_v3_client.delete_endpoint,
|
|
endpoint_id=cls.endpoint_id)
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_create_policy_association_for_endpoint(self):
|
|
"""Test identity:create_policy_association_for_endpoint policy.
|
|
|
|
This test must check:
|
|
* whether the persona can associate a policy with an endpoint
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_create_policy_association_for_service(self):
|
|
"""Test identity:create_policy_association_for_service policy.
|
|
|
|
This test must check:
|
|
* whether the persona can associate a policy with a service
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_create_policy_association_for_region_and_service(self):
|
|
"""Test identity:create_policy_association_for_region_and_service.
|
|
|
|
This test must check:
|
|
* whether the persona can associate a policy with a region and
|
|
service
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_check_policy_association_for_endpoint(self):
|
|
"""Test identity:check_policy_association_for_endpoint policy.
|
|
|
|
This test must check:
|
|
* whether the persona can check a policy association for an endpoint
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_check_policy_association_for_service(self):
|
|
"""Test identity:check_policy_association_for_service policy.
|
|
|
|
This test must check:
|
|
* whether the persona can check a policy association for a service
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_check_policy_association_for_region_and_service(self):
|
|
"""Test identity:check_policy_association_for_region_and_service.
|
|
|
|
This test must check:
|
|
* whether the persona can check a policy association for a region and
|
|
service
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_get_policy_for_endpoint(self):
|
|
"""Test identity:get_policy_for_endpoint policy.
|
|
|
|
This test must check:
|
|
* whether the persona can get a policy for an endpoint
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_list_endpoints_for_policy(self):
|
|
"""Test identity:list_endpoints_for_policy policy.
|
|
|
|
This test must check:
|
|
* whether the persona can list endpoints for a policy
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_delete_policy_association_for_endpoint(self):
|
|
"""Test identity:delete_policy_association_for_endpoint policy.
|
|
|
|
This test must check
|
|
* whether the persona can delete a policy association for an endpoint
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_delete_policy_association_for_service(self):
|
|
"""Test identity:delete_policy_association_for_service policy.
|
|
|
|
This test must check
|
|
* whether the persona can delete a policy association for a service
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_delete_policy_association_for_region_and_service(self):
|
|
"""Test identity:delete_policy_association_for_region_and_service policy.
|
|
|
|
This test must check
|
|
* whether the persona can delete a policy association for a region
|
|
and service
|
|
"""
|
|
pass
|
|
|
|
|
|
class SystemAdminTests(
|
|
IdentityV3RbacPolicyAssociationTests, base.BaseIdentityTest):
|
|
|
|
credentials = ['system_admin']
|
|
|
|
def test_identity_create_policy_association_for_endpoint(self):
|
|
self.do_request(
|
|
'update_policy_association_for_endpoint',
|
|
expected_status=204,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_endpoint,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
|
|
def test_identity_create_policy_association_for_service(self):
|
|
self.do_request(
|
|
'update_policy_association_for_service',
|
|
expected_status=204,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_service,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
|
|
def test_identity_create_policy_association_for_region_and_service(self):
|
|
self.do_request(
|
|
'update_policy_association_for_region_and_service',
|
|
expected_status=204,
|
|
policy_id=self.policy_id, service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
delete_fn = getattr(
|
|
self.admin_policies_client,
|
|
'delete_policy_association_for_region_and_service'
|
|
)
|
|
self.addCleanup(delete_fn,
|
|
policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
|
|
def test_identity_check_policy_association_for_endpoint(self):
|
|
self.admin_policies_client.update_policy_association_for_endpoint(
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_endpoint,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.do_request(
|
|
'show_policy_association_for_endpoint',
|
|
expected_status=204,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
|
|
def test_identity_check_policy_association_for_service(self):
|
|
self.admin_policies_client.update_policy_association_for_service(
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_service,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
self.do_request(
|
|
'show_policy_association_for_service',
|
|
expected_status=204,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
|
|
def test_identity_check_policy_association_for_region_and_service(self):
|
|
update_fn = getattr(
|
|
self.admin_policies_client,
|
|
'update_policy_association_for_region_and_service'
|
|
)
|
|
update_fn(policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
delete_fn = getattr(
|
|
self.admin_policies_client,
|
|
'delete_policy_association_for_region_and_service'
|
|
)
|
|
self.addCleanup(delete_fn,
|
|
policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
self.do_request(
|
|
'show_policy_association_for_region_and_service',
|
|
expected_status=204,
|
|
policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
|
|
def test_identity_get_policy_for_endpoint(self):
|
|
self.admin_policies_client.update_policy_association_for_endpoint(
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_endpoint,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.do_request(
|
|
'show_policy_for_endpoint',
|
|
expected_status=200,
|
|
endpoint_id=self.endpoint_id)
|
|
|
|
def test_identity_list_endpoints_for_policy(self):
|
|
self.admin_policies_client.update_policy_association_for_endpoint(
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_endpoint,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.do_request(
|
|
'list_endpoints_for_policy',
|
|
expected_status=200,
|
|
policy_id=self.policy_id)
|
|
|
|
def test_identity_delete_policy_association_for_endpoint(self):
|
|
self.admin_policies_client.update_policy_association_for_endpoint(
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.do_request(
|
|
'delete_policy_association_for_endpoint',
|
|
expected_status=204,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
|
|
def test_identity_delete_policy_association_for_service(self):
|
|
self.admin_policies_client.update_policy_association_for_service(
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
self.do_request(
|
|
'delete_policy_association_for_service',
|
|
expected_status=204,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
|
|
def test_identity_delete_policy_association_for_region_and_service(self):
|
|
update_fn = getattr(
|
|
self.admin_policies_client,
|
|
'update_policy_association_for_region_and_service'
|
|
)
|
|
update_fn(policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
self.do_request(
|
|
'delete_policy_association_for_region_and_service',
|
|
expected_status=204,
|
|
policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
|
|
|
|
class SystemMemberTests(SystemAdminTests, base.BaseIdentityTest):
|
|
|
|
credentials = ['system_member', 'system_admin']
|
|
|
|
def test_identity_create_policy_association_for_endpoint(self):
|
|
self.do_request(
|
|
'update_policy_association_for_endpoint',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
|
|
def test_identity_create_policy_association_for_service(self):
|
|
self.do_request(
|
|
'update_policy_association_for_service',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
|
|
def test_identity_create_policy_association_for_region_and_service(self):
|
|
self.do_request(
|
|
'update_policy_association_for_region_and_service',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id, service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
|
|
def test_identity_delete_policy_association_for_endpoint(self):
|
|
self.admin_policies_client.update_policy_association_for_endpoint(
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_endpoint,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.do_request(
|
|
'delete_policy_association_for_endpoint',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
|
|
def test_identity_delete_policy_association_for_service(self):
|
|
self.admin_policies_client.update_policy_association_for_service(
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_service,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
self.do_request(
|
|
'delete_policy_association_for_service',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
|
|
def test_identity_delete_policy_association_for_region_and_service(self):
|
|
update_fn = getattr(
|
|
self.admin_policies_client,
|
|
'update_policy_association_for_region_and_service'
|
|
)
|
|
update_fn(policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
delete_fn = getattr(
|
|
self.admin_policies_client,
|
|
'delete_policy_association_for_region_and_service'
|
|
)
|
|
self.addCleanup(delete_fn,
|
|
policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
self.do_request(
|
|
'delete_policy_association_for_region_and_service',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
|
|
|
|
class SystemReaderTests(SystemMemberTests):
|
|
|
|
credentials = ['system_reader', 'system_admin']
|
|
|
|
|
|
class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
|
|
|
|
credentials = ['domain_admin', 'system_admin']
|
|
|
|
def test_identity_check_policy_association_for_endpoint(self):
|
|
self.admin_policies_client.update_policy_association_for_endpoint(
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_endpoint,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.do_request(
|
|
'show_policy_association_for_endpoint',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
|
|
def test_identity_check_policy_association_for_service(self):
|
|
self.admin_policies_client.update_policy_association_for_service(
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_service,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
self.do_request(
|
|
'show_policy_association_for_service',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id, service_id=self.service_id)
|
|
|
|
def test_identity_check_policy_association_for_region_and_service(self):
|
|
update_fn = getattr(
|
|
self.admin_policies_client,
|
|
'update_policy_association_for_region_and_service'
|
|
)
|
|
update_fn(policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
delete_fn = getattr(
|
|
self.admin_policies_client,
|
|
'delete_policy_association_for_region_and_service'
|
|
)
|
|
self.addCleanup(delete_fn,
|
|
policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
self.do_request(
|
|
'show_policy_association_for_region_and_service',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id,
|
|
service_id=self.service_id,
|
|
region_id=self.region_id)
|
|
|
|
def test_identity_get_policy_for_endpoint(self):
|
|
self.admin_policies_client.update_policy_association_for_endpoint(
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_endpoint,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.do_request(
|
|
'show_policy_for_endpoint',
|
|
expected_status=exceptions.Forbidden,
|
|
endpoint_id=self.endpoint_id)
|
|
|
|
def test_identity_list_endpoints_for_policy(self):
|
|
self.admin_policies_client.update_policy_association_for_endpoint(
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.addCleanup(
|
|
self.admin_policies_client.delete_policy_association_for_endpoint,
|
|
policy_id=self.policy_id, endpoint_id=self.endpoint_id)
|
|
self.do_request(
|
|
'list_endpoints_for_policy',
|
|
expected_status=exceptions.Forbidden,
|
|
policy_id=self.policy_id)
|
|
|
|
|
|
class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
|
|
|
|
credentials = ['domain_member', 'system_admin']
|
|
|
|
|
|
class DomainReaderTests(DomainMemberTests):
|
|
|
|
credentials = ['domain_reader', 'system_admin']
|
|
|
|
|
|
class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
|
|
|
|
credentials = ['project_admin', 'system_admin']
|
|
|
|
|
|
class ProjectMemberTests(ProjectAdminTests):
|
|
|
|
credentials = ['project_member', 'system_admin']
|
|
|
|
|
|
class ProjectReaderTests(ProjectAdminTests):
|
|
|
|
credentials = ['project_reader', 'system_admin']
|