Remove obsolete credential policies

The policy.v3cloudsample.json policy file attempted to solve
admin-ness issues with elaborate policy checks. These checks are no
longer needed with advent of system scope and incorporating system
scope into keystone APIs.

This commit removes the credential policies from the
policy.v3cloudsample.conf policy file since the new defaults introduce
more flexibility by consuming scope, rendering the policies in
policy.v3cloudsample.conf obsolete. More specific test coverage has
also been added for each new case in
keystone.tests.unit.protection.v3.test_credentials.

Change-Id: I6c74f40640da23375574f4a26ee60779ef08d120
Related-Bug: 1788415

etc/policy.v3cloudsample.json

@@ -83,12 +83,6 @@
     "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
     "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
 
-    "identity:get_credential": "rule:admin_required",
-    "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
-    "identity:create_credential": "rule:admin_required",
-    "identity:update_credential": "rule:admin_required",
-    "identity:delete_credential": "rule:admin_required",
-
     "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
     "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
     "identity:ec2_create_credential": "rule:admin_required or rule:owner",

keystone/tests/unit/test_policy.py

@@ -178,7 +178,18 @@ class PolicyJsonTestCase(unit.TestCase):
         return rules
 
     def test_json_examples_have_matching_entries(self):
+        # TODO(lbragstad): Once all policies have been removed from
+        # policy.v3cloudsample.json, remove this test.
+        removed_policies = [
+            'identity:create_credential',
+            'identity:get_credential',
+            'identity:list_credentials',
+            'identity:update_credential',
+            'identity:delete_credential'
+        ]
         policy_keys = self._get_default_policy_rules()
+        for p in removed_policies:
+            del policy_keys[p]
         cloud_policy_keys = set(
             json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
 

keystone/tests/unit/test_v3_protection.py

@@ -1563,28 +1563,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         entity_url = '/domains/%s' % self.domainA['id']
         self.get(entity_url, auth=self.auth)
 
-    def test_list_user_credentials(self):
-        credential_user = unit.new_credential_ref(self.just_a_user['id'])
-        PROVIDERS.credential_api.create_credential(
-            credential_user['id'], credential_user
-        )
-        credential_admin = unit.new_credential_ref(self.cloud_admin_user['id'])
-        PROVIDERS.credential_api.create_credential(
-            credential_admin['id'], credential_admin
-        )
-
-        self.auth = self.build_authentication_request(
-            user_id=self.just_a_user['id'],
-            password=self.just_a_user['password'])
-        url = '/credentials?user_id=%s' % self.just_a_user['id']
-        self.get(url, auth=self.auth)
-        url = '/credentials?user_id=%s' % self.cloud_admin_user['id']
-        self.get(url, auth=self.auth,
-                 expected_status=exception.ForbiddenAction.code)
-        url = '/credentials'
-        self.get(url, auth=self.auth,
-                 expected_status=exception.ForbiddenAction.code)
-
     def test_get_and_delete_ec2_credentials(self):
         """Test getting and deleting ec2 credentials through the ec2 API."""
         another_user = unit.create_user(PROVIDERS.identity_api,