Merge "Test domain and project users against group system assignment API"

2019-03-26 01:31:45 +00:00 · 2019-03-26 01:31:45 +00:00 · 140a0110c0
parent a77fd6646a 6e118bad3d
commit 140a0110c0
2 changed files with 75 additions and 11 deletions
--- a/keystone/tests/unit/protection/v3/test_system_assignments.py
+++ b/keystone/tests/unit/protection/v3/test_system_assignments.py
@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
                expected_status_code=http_client.FORBIDDEN
            )

+    def test_user_cannot_list_group_system_role_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_check_group_system_role_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.get(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_grant_group_system_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        with self.test_client() as c:
+            c.put(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+
+    def test_user_cannot_revoke_group_system_assignments(self):
+        group = PROVIDERS.identity_api.create_group(
+            unit.new_group_ref(CONF.identity.default_domain_id)
+        )
+
+        PROVIDERS.assignment_api.create_system_grant_for_group(
+            group['id'], self.bootstrapper.member_role_id
+        )
+
+        with self.test_client() as c:
+            c.delete(
+                '/v3/system/groups/%s/roles/%s' % (
+                    group['id'], self.bootstrapper.member_role_id
+                ), headers=self.headers,
+                expected_status_code=http_client.FORBIDDEN
+            )
+

 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
                        common_auth.AuthTestMixin,
--- a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
+++ b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
@ -19,18 +19,20 @@ deprecations:
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment policies have been deprecated. The
-    ``identity:list_system_grants_for_user`` and
-    ``identity:check_system_grant_for_user`` policies now use
+    ``identity:list_system_grants_for_user``,
+    ``identity:check_system_grant_for_user``,
+    ``identity:list_system_grants_for_group``, and
+    ``identity:check_system_grant_for_group`` policies now use
    ``role:reader and system_scope:all`` instead of
-    ``rule:admin_required``. The
-    ``identity:create_system_grant_for_user`` and
-    ``identity:revoke_system_grant_for_user`` policies now use
-    ``role:admin and system_scope:all`` instead of
-    ``rule:admin_required``. These new defaults automatically include
-    support for a read-only role and allow for more granular access to
-    the system assignment API, making it easier for administrators to
-    delegate authorization, safely. Please consider these new defaults
-    if your deployment overrides the system assignment APIs.
+    ``rule:admin_required``. The ``identity:create_system_grant_for_user``,
+    ``identity:revoke_system_grant_for_user``,
+    ``identity:create_system_grant_for_group``, and
+    ``identity:revoke_system_grant_for_group`` policies now use ``role:admin
+    and system_scope:all`` instead of ``rule:admin_required``. These new
+    defaults automatically include support for a read-only role and allow for
+    more granular access to the system assignment API, making it easier for
+    administrators to delegate authorization, safely. Please consider these new
+    defaults if your deployment overrides the system assignment APIs.
 security:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]