560 lines
23 KiB
Python
560 lines
23 KiB
Python
# Copyright 2020 SUSE LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import abc
|
|
|
|
from tempest.api.identity import base
|
|
from tempest import clients
|
|
from tempest.lib import auth
|
|
from tempest.lib.common.utils import data_utils
|
|
from tempest.lib import exceptions
|
|
|
|
from keystone_tempest_plugin.tests.rbac.v3 import base as rbac_base
|
|
|
|
|
|
class IdentityV3RbacTrustTest(rbac_base.IdentityV3RbacBaseTests,
|
|
metaclass=abc.ABCMeta):
|
|
|
|
@classmethod
|
|
def setup_clients(cls):
|
|
super(IdentityV3RbacTrustTest, cls).setup_clients()
|
|
cls.persona = getattr(cls, 'os_%s' % cls.credentials[0])
|
|
cls.client = cls.persona.trusts_client
|
|
cls.admin_client = cls.os_system_admin
|
|
cls.admin_trusts_client = cls.admin_client.trusts_client
|
|
|
|
@classmethod
|
|
def resource_setup(cls):
|
|
trustor_user = {
|
|
'name': data_utils.rand_name('user'),
|
|
'password': data_utils.rand_password(),
|
|
}
|
|
cls.trustor = cls.admin_client.users_v3_client.create_user(
|
|
**trustor_user)['user']['id']
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_client.users_v3_client.delete_user,
|
|
user_id=cls.trustor)
|
|
cls.trustee = cls.admin_client.users_v3_client.create_user(
|
|
name=data_utils.rand_name())['user']['id']
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_client.users_v3_client.delete_user,
|
|
user_id=cls.trustee)
|
|
cls.project = cls.admin_client.projects_client.create_project(
|
|
name=data_utils.rand_name()
|
|
)['project']['id']
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_client.projects_client.delete_project,
|
|
project_id=cls.project)
|
|
cls.roles = [
|
|
{'id': cls.admin_client.roles_v3_client.create_role(
|
|
name=data_utils.rand_name())['role']['id']}
|
|
]
|
|
cls.addClassResourceCleanup(
|
|
cls.admin_client.roles_v3_client.delete_role,
|
|
role_id=cls.roles[0]['id'])
|
|
cls.admin_client.roles_v3_client.create_user_role_on_project(
|
|
project_id=cls.project,
|
|
user_id=cls.trustor,
|
|
role_id=cls.roles[0]['id']
|
|
)
|
|
creds = auth.KeystoneV3Credentials(
|
|
user_id=cls.trustor,
|
|
password=trustor_user['password'],
|
|
project_id=cls.project)
|
|
auth_provider = clients.get_auth_provider(creds)
|
|
creds = auth_provider.fill_credentials()
|
|
user_client = clients.Manager(credentials=creds)
|
|
cls.user_trust_client = user_client.trusts_client
|
|
|
|
cls.admin_role_id = cls.admin_client.roles_v3_client.list_roles(
|
|
name='admin')['roles'][0]['id']
|
|
cls.member_role_id = cls.admin_client.roles_v3_client.list_roles(
|
|
name='member')['roles'][0]['id']
|
|
cls.reader_role_id = cls.admin_client.roles_v3_client.list_roles(
|
|
name='reader')['roles'][0]['id']
|
|
|
|
def trust(self, trustor=None, trustee=None, project_id=None, roles=None):
|
|
trust = {}
|
|
trust['trustor_user_id'] = trustor or self.trustor
|
|
trust['trustee_user_id'] = trustee or self.trustee
|
|
trust['project_id'] = project_id or self.project
|
|
trust['roles'] = roles or self.roles
|
|
trust['impersonation'] = False
|
|
return trust
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_create_trust(self):
|
|
"""Test identity:create_trust policy.
|
|
|
|
This test must check:
|
|
* whether the persona can create a trust for themself
|
|
* whether the persona can create a trust for another user
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_get_trust(self):
|
|
"""Test identity:get_trust policy.
|
|
|
|
This test must check:
|
|
* whether the persona can get a trust for which they are the trustor
|
|
* whether the persona can get a trust for which they are the trustee
|
|
* whether the persona can get a trust with which they are
|
|
unaffiliated
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_list_trusts(self):
|
|
"""Test identity:list_trusts policy.
|
|
|
|
This test must check:
|
|
* whether the persona can list all trusts
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_list_trusts_for_trustor(self):
|
|
"""Test identity:list_trusts_for_trustor policy.
|
|
|
|
This test must check:
|
|
* whether the persona can list trusts by trustor for which they are
|
|
the trustor
|
|
* whether the persona can list trusts by trustor for which another
|
|
user is trustor
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_list_trusts_for_trustee(self):
|
|
"""Test identity:list_trusts_for_trustee policy.
|
|
|
|
This test must check:
|
|
* whether the persona can list trusts by trustee for which they are
|
|
the trustee
|
|
* whether the persona can list trusts by trustee for which another
|
|
user is trustee
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_list_roles_for_trust(self):
|
|
"""Test identity:list_roles_for_trust policy.
|
|
|
|
This test must check:
|
|
* whether the persona can list the roles of a trust for which they
|
|
are the trustee
|
|
* whether the persona can list the roles of a trust for which they
|
|
are the trustor
|
|
* whether the persona can list the roles of a trust with which they
|
|
are unaffiliated
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_get_role_for_trust(self):
|
|
"""Test identity:get_role_for_trust policy.
|
|
|
|
This test must check:
|
|
* whether the persona can get a role of a trust for which they are
|
|
the trustee
|
|
* whether the persona can get a role of a trust for which they are
|
|
the trustor
|
|
* whether the persona can get a role of a trust with which they are
|
|
unaffiliated
|
|
"""
|
|
pass
|
|
|
|
@abc.abstractmethod
|
|
def test_identity_delete_trust(self):
|
|
"""Test identity:delete_trust policy.
|
|
|
|
This test must check
|
|
* whether the persona can delete a trust for which they are the
|
|
trustor
|
|
* whether the persona can delete a trust for which they are the
|
|
trustee
|
|
* whether the persona can delete a trust which which they are
|
|
unaffiliated
|
|
"""
|
|
pass
|
|
|
|
|
|
class SystemAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
|
|
|
|
credentials = ['system_admin']
|
|
|
|
def test_identity_create_trust(self):
|
|
# user cannot create trust for themself
|
|
self.do_request('create_trust',
|
|
expected_status=exceptions.Forbidden,
|
|
**self.trust(trustor=self.persona.credentials.user_id))
|
|
# user cannot create trust for another user
|
|
self.do_request('create_trust',
|
|
expected_status=exceptions.Forbidden,
|
|
**self.trust())
|
|
|
|
def test_identity_get_trust(self):
|
|
# user cannot have their own trust
|
|
# user can get trust for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('show_trust', trust_id=trust_id)
|
|
|
|
def test_identity_list_trusts(self):
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
resp = self.do_request('list_trusts')
|
|
self.assertIn(trust_id, [t['id'] for t in resp['trusts']])
|
|
|
|
def test_identity_list_trusts_for_trustor(self):
|
|
# user cannot have their own trust
|
|
# user can list trusts for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('list_trusts', trustor_user_id=self.trustor)
|
|
|
|
def test_identity_list_trusts_for_trustee(self):
|
|
# user cannot have their own trust
|
|
# user can list trusts for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('list_trusts', trustee_user_id=self.trustee)
|
|
|
|
def test_identity_list_roles_for_trust(self):
|
|
# user cannot have their own trust
|
|
# user can list roles of trust for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
resp = self.do_request('list_trust_roles', trust_id=trust_id)
|
|
self.assertIn(self.roles[0]['id'], [r['id'] for r in resp['roles']])
|
|
|
|
def test_identity_get_role_for_trust(self):
|
|
# user cannot have their own trust
|
|
# user can get role of trust for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('show_trust_role',
|
|
trust_id=trust_id, role_id=self.roles[0]['id'])
|
|
|
|
def test_identity_delete_trust(self):
|
|
# user cannot have their own trust
|
|
# user can delete a user's trust
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.do_request('delete_trust', expected_status=204, trust_id=trust_id)
|
|
|
|
|
|
class SystemMemberTests(SystemAdminTests):
|
|
|
|
credentials = ['system_member', 'system_admin']
|
|
|
|
def test_identity_delete_trust(self):
|
|
# system user cannot have their own trust
|
|
# user cannot delete another user's trust
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('delete_trust', expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id)
|
|
|
|
|
|
class SystemReaderTests(SystemMemberTests):
|
|
|
|
credentials = ['system_reader', 'system_admin']
|
|
|
|
|
|
class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
|
|
|
|
# Domain admins cannot create their own trusts (trusts can only be
|
|
# scoped to projects) and domain admins have no special privileges over the
|
|
# trusts own by users in their domains.
|
|
|
|
credentials = ['domain_admin', 'system_admin']
|
|
|
|
def test_identity_get_trust(self):
|
|
# user cannot have their own trust
|
|
# user can get trust for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('show_trust', expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id)
|
|
|
|
def test_identity_list_trusts(self):
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('list_trusts',
|
|
expected_status=exceptions.Forbidden)
|
|
|
|
def test_identity_list_trusts_for_trustor(self):
|
|
# user cannot have their own trust
|
|
# user can list trusts for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('list_trusts', expected_status=exceptions.Forbidden,
|
|
trustor_user_id=self.trustor)
|
|
|
|
def test_identity_list_trusts_for_trustee(self):
|
|
# user cannot have their own trust
|
|
# user can list trusts for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('list_trusts', expected_status=exceptions.Forbidden,
|
|
trustee_user_id=self.trustee)
|
|
|
|
def test_identity_list_roles_for_trust(self):
|
|
# user cannot have their own trust
|
|
# user can list roles of trust for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('list_trust_roles',
|
|
expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id)
|
|
|
|
def test_identity_get_role_for_trust(self):
|
|
# user cannot have their own trust
|
|
# user can get role of trust for other user
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('show_trust_role',
|
|
expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id, role_id=self.roles[0]['id'])
|
|
|
|
|
|
class DomainMemberTests(DomainAdminTests):
|
|
|
|
credentials = ['domain_member', 'system_admin']
|
|
|
|
|
|
class DomainReaderTests(DomainAdminTests):
|
|
|
|
credentials = ['domain_reader', 'system_admin']
|
|
|
|
|
|
class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
|
|
|
|
credentials = ['project_admin', 'system_admin']
|
|
|
|
def setUp(self):
|
|
super(ProjectAdminTests, self).setUp()
|
|
self.role_id = self.admin_role_id
|
|
|
|
def test_identity_create_trust(self):
|
|
# user can create a trust for their own project
|
|
trustor_user_id = self.persona.credentials.user_id
|
|
project_id = self.persona.credentials.project_id
|
|
resp = self.do_request(
|
|
'create_trust',
|
|
expected_status=201,
|
|
**self.trust(
|
|
trustor=trustor_user_id,
|
|
project_id=project_id,
|
|
roles=[{'id': self.role_id}])
|
|
)['trust']
|
|
self.addCleanup(self.client.delete_trust, resp['id'])
|
|
|
|
# user cannot create trust with another user as trustor
|
|
self.do_request(
|
|
'create_trust',
|
|
expected_status=exceptions.Forbidden,
|
|
**self.trust())
|
|
|
|
def test_identity_get_trust(self):
|
|
# user can get a trust for which they are trustor
|
|
trustor_user_id = self.persona.credentials.user_id
|
|
project_id = self.persona.credentials.project_id
|
|
trust_id = self.client.create_trust(
|
|
**self.trust(trustor=trustor_user_id,
|
|
project_id=project_id,
|
|
roles=[{'id': self.role_id}]))['trust']['id']
|
|
self.addCleanup(self.client.delete_trust, trust_id=trust_id)
|
|
self.do_request('show_trust', trust_id=trust_id)
|
|
|
|
# user can get a trust for which they are trustee
|
|
trustee_user_id = self.persona.credentials.user_id
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust(trustee=trustee_user_id))['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('show_trust', trust_id=trust_id)
|
|
|
|
# user cannot get a trust with which they are unaffiliated
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('show_trust', expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id)
|
|
|
|
def test_identity_list_trusts(self):
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.admin_trusts_client.delete_trust,
|
|
trust_id=trust_id)
|
|
self.do_request('list_trusts',
|
|
expected_status=exceptions.Forbidden)
|
|
|
|
def test_identity_list_trusts_for_trustor(self):
|
|
# user can list their own trusts
|
|
trustor_user_id = self.persona.credentials.user_id
|
|
project_id = self.persona.credentials.project_id
|
|
trust_id = self.client.create_trust(
|
|
**self.trust(trustor=trustor_user_id,
|
|
project_id=project_id,
|
|
roles=[{'id': self.role_id}]))['trust']['id']
|
|
self.addCleanup(self.client.delete_trust, trust_id=trust_id)
|
|
self.do_request('list_trusts', trustor_user_id=trustor_user_id)
|
|
|
|
# user cannot list another user's trusts
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('list_trusts', expected_status=exceptions.Forbidden,
|
|
trustor_user_id=self.trustor)
|
|
|
|
def test_identity_list_trusts_for_trustee(self):
|
|
# user can list their own trusts
|
|
trustee_user_id = self.persona.credentials.user_id
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust(trustee=trustee_user_id))['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('list_trusts', trustee_user_id=trustee_user_id)
|
|
|
|
# user cannot list another user's trusts
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('list_trusts', expected_status=exceptions.Forbidden,
|
|
trustee_user_id=self.trustee)
|
|
|
|
def test_identity_list_roles_for_trust(self):
|
|
# user can list roles for trust for which they are trustor
|
|
trustor_user_id = self.persona.credentials.user_id
|
|
project_id = self.persona.credentials.project_id
|
|
trust_id = self.client.create_trust(
|
|
**self.trust(trustor=trustor_user_id,
|
|
project_id=project_id,
|
|
roles=[{'id': self.role_id}]))['trust']['id']
|
|
self.addCleanup(self.client.delete_trust, trust_id=trust_id)
|
|
self.do_request('list_trust_roles', trust_id=trust_id)
|
|
|
|
# user can list roles for trust for which they are trustee
|
|
trustee_user_id = self.persona.credentials.user_id
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust(trustee=trustee_user_id))['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('list_trust_roles', trust_id=trust_id)
|
|
|
|
# user cannot list roles for trust with which they are unaffiliated
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('list_trust_roles',
|
|
expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id)
|
|
|
|
def test_identity_get_role_for_trust(self):
|
|
# user can get roles for trust for which they are trustor
|
|
trustor_user_id = self.persona.credentials.user_id
|
|
project_id = self.persona.credentials.project_id
|
|
trust_id = self.client.create_trust(
|
|
**self.trust(trustor=trustor_user_id,
|
|
project_id=project_id,
|
|
roles=[{'id': self.role_id}]))['trust']['id']
|
|
self.addCleanup(self.client.delete_trust, trust_id=trust_id)
|
|
self.do_request('show_trust_role',
|
|
trust_id=trust_id, role_id=self.role_id)
|
|
|
|
# user can list roles for trust for which they are trustee
|
|
trustee_user_id = self.persona.credentials.user_id
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust(trustee=trustee_user_id))['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('show_trust_role',
|
|
trust_id=trust_id, role_id=self.roles[0]['id'])
|
|
|
|
# user cannot list roles for trust with which they are unaffiliated
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('show_trust_role',
|
|
expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id, role_id=self.role_id)
|
|
|
|
def test_identity_delete_trust(self):
|
|
# user can delete trust for which they are the trustor
|
|
trustor_user_id = self.persona.credentials.user_id
|
|
project_id = self.persona.credentials.project_id
|
|
trust_id = self.client.create_trust(
|
|
**self.trust(trustor=trustor_user_id,
|
|
project_id=project_id,
|
|
roles=[{'id': self.role_id}]))['trust']['id']
|
|
self.do_request('delete_trust', expected_status=204, trust_id=trust_id)
|
|
|
|
# user cannot delete trust for which they are the trustee
|
|
trustee_user_id = self.persona.credentials.user_id
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust(trustee=trustee_user_id))['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('delete_trust', expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id)
|
|
|
|
# user cannot delete trust with which they are unaffiliated
|
|
trust_id = self.user_trust_client.create_trust(
|
|
**self.trust())['trust']['id']
|
|
self.addCleanup(self.user_trust_client.delete_trust, trust_id=trust_id)
|
|
self.do_request('delete_trust', expected_status=exceptions.Forbidden,
|
|
trust_id=trust_id)
|
|
|
|
|
|
class ProjectMemberTests(ProjectAdminTests):
|
|
|
|
credentials = ['project_member', 'system_admin']
|
|
|
|
def setUp(self):
|
|
super(ProjectMemberTests, self).setUp()
|
|
self.role_id = self.member_role_id
|
|
|
|
|
|
class ProjectReaderTests(ProjectAdminTests):
|
|
|
|
credentials = ['project_reader', 'system_admin']
|
|
|
|
def setUp(self):
|
|
super(ProjectReaderTests, self).setUp()
|
|
self.role_id = self.reader_role_id
|