Exposes bug on role assignments creation
It should be possible to add both inherited and non-inherited role assignments for the same actor and target with the same role. However, this is not currently possible. This patch exposes this bug. Related-Bug: #1403539 Change-Id: I9ee82b490ca36e9b2d135ef9ead54a2a4c312657
parent
29152d4211
commit
193bcfeaeb
|
@ -5157,6 +5157,81 @@ class PolicyTests(object):
|
|||
|
||||
class InheritanceTests(object):
|
||||
|
||||
def _test_crud_inherited_and_direct_assignment(self, **kwargs):
|
||||
"""Tests inherited and direct assignments for the actor and target
|
||||
|
||||
Ensure it is possible to create both inherited and direct role
|
||||
assignments for the same actor on the same target. The actor and the
|
||||
target are specified in the kwargs as ('user_id' or 'group_id') and
|
||||
('project_id' or 'domain_id'), respectively.
|
||||
|
||||
"""
|
||||
|
||||
# Create a new role to avoid assignments loaded from default fixtures
|
||||
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
|
||||
role = self.role_api.create_role(role['id'], role)
|
||||
|
||||
# Define the common assigment entity
|
||||
assignment_entity = {'role_id': role['id']}
|
||||
assignment_entity.update(kwargs)
|
||||
|
||||
# Define assignments under test
|
||||
direct_assignment_entity = assignment_entity.copy()
|
||||
inherited_assignment_entity = assignment_entity.copy()
|
||||
inherited_assignment_entity['inherited_to_projects'] = 'projects'
|
||||
|
||||
# Create direct assignment and check grants
|
||||
self.assignment_api.create_grant(inherited_to_projects=False,
|
||||
**assignment_entity)
|
||||
|
||||
grants = self.assignment_api.list_role_assignments_for_role(role['id'])
|
||||
self.assertThat(grants, matchers.HasLength(1))
|
||||
self.assertIn(direct_assignment_entity, grants)
|
||||
|
||||
# Now add inherited assignment and check grants
|
||||
self.assignment_api.create_grant(inherited_to_projects=True,
|
||||
**assignment_entity)
|
||||
|
||||
grants = self.assignment_api.list_role_assignments_for_role(role['id'])
|
||||
self.assertThat(grants, matchers.HasLength(2))
|
||||
self.assertIn(direct_assignment_entity, grants)
|
||||
self.assertIn(inherited_assignment_entity, grants)
|
||||
|
||||
# Delete both and check grants
|
||||
self.assignment_api.delete_grant(inherited_to_projects=False,
|
||||
**assignment_entity)
|
||||
self.assignment_api.delete_grant(inherited_to_projects=True,
|
||||
**assignment_entity)
|
||||
|
||||
grants = self.assignment_api.list_role_assignments_for_role(role['id'])
|
||||
self.assertEqual([], grants)
|
||||
|
||||
@test_utils.wip('Waiting on bug #1403539')
|
||||
def test_crud_inherited_and_direct_assignment_for_user_on_domain(self):
|
||||
self._test_crud_inherited_and_direct_assignment(
|
||||
user_id=self.user_foo['id'], domain_id=DEFAULT_DOMAIN_ID)
|
||||
|
||||
@test_utils.wip('Waiting on bug #1403539')
|
||||
def test_crud_inherited_and_direct_assignment_for_group_on_domain(self):
|
||||
group = {'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID}
|
||||
group = self.identity_api.create_group(group)
|
||||
|
||||
self._test_crud_inherited_and_direct_assignment(
|
||||
group_id=group['id'], domain_id=DEFAULT_DOMAIN_ID)
|
||||
|
||||
@test_utils.wip('Waiting on bug #1403539')
|
||||
def test_crud_inherited_and_direct_assignment_for_user_on_project(self):
|
||||
self._test_crud_inherited_and_direct_assignment(
|
||||
user_id=self.user_foo['id'], project_id=self.tenant_baz['id'])
|
||||
|
||||
@test_utils.wip('Waiting on bug #1403539')
|
||||
def test_crud_inherited_and_direct_assignment_for_group_on_project(self):
|
||||
group = {'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID}
|
||||
group = self.identity_api.create_group(group)
|
||||
|
||||
self._test_crud_inherited_and_direct_assignment(
|
||||
group_id=group['id'], project_id=self.tenant_baz['id'])
|
||||
|
||||
def test_inherited_role_grants_for_user(self):
|
||||
"""Test inherited user roles.
|
||||
|
||||
|
|
|
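Review bot: The deletion step in `_test_crud_inherited_and_direct_assignment` issues both `delete_grant` calls back to back and asserts only the final empty list, so it never checks that each revoke removes exactly the assignment it names. The bug this test targets is that direct and inherited assignments for the same actor, target and role cannot coexist, so a revoke that removes the wrong one is the kind of authorization error worth pinning down. After the `delete_grant(inherited_to_projects=False, ...)` call I would re-list the grants and add `self.assertThat(grants, matchers.HasLength(1))` and `self.assertIn(inherited_assignment_entity, grants)` before deleting the inherited one. The REST helper added in this commit already checks that intermediate state. Minor: the comment `# Define the common assigment entity` misspells "assignment".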
@ -20,6 +20,7 @@ from keystone.common import controller
|
|||
from keystone import exception
|
||||
from keystone.tests import unit as tests
|
||||
from keystone.tests.unit import test_v3
|
||||
from keystone.tests.unit import utils as test_utils
|
||||
|
||||
|
||||
CONF = cfg.CONF
|
||||
|
@ -2262,6 +2263,50 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase):
|
|||
# Check the user cannot get a domain token anymore
|
||||
self.v3_authenticate_token(domain_auth_data, expected_status=401)
|
||||
|
||||
def _test_crud_inherited_and_direct_assignment_on_target(self, target_url):
|
||||
# Create a new role to avoid assignments loaded from sample data
|
||||
role = self.new_role_ref()
|
||||
self.role_api.create_role(role['id'], role)
|
||||
|
||||
# Define URLs
|
||||
direct_url = '%s/users/%s/roles/%s' % (
|
||||
target_url, self.user_id, role['id'])
|
||||
inherited_url = '/OS-INHERIT/%s/inherited_to_projects' % direct_url
|
||||
|
||||
# Create the direct assignment
|
||||
self.put(direct_url)
|
||||
# Check the direct assignment exists, but the inherited one does not
|
||||
self.head(direct_url)
|
||||
self.head(inherited_url, expected_status=404)
|
||||
|
||||
# Now add the inherited assignment
|
||||
self.put(inherited_url)
|
||||
# Check both the direct and inherited assignment exist
|
||||
self.head(direct_url)
|
||||
self.head(inherited_url)
|
||||
|
||||
# Delete indirect assignment
|
||||
self.delete(inherited_url)
|
||||
# Check the direct assignment exists, but the inherited one does not
|
||||
self.head(direct_url)
|
||||
self.head(inherited_url, expected_status=404)
|
||||
|
||||
# Now delete the inherited assignment
|
||||
self.delete(direct_url)
|
||||
# Check that none of them exist
|
||||
self.head(direct_url, expected_status=404)
|
||||
self.head(inherited_url, expected_status=404)
|
||||
|
||||
@test_utils.wip('Waiting on bug #1403539')
|
||||
def test_crud_inherited_and_direct_assignment_on_domains(self):
|
||||
self._test_crud_inherited_and_direct_assignment_on_target(
|
||||
'/domains/%s' % self.domain_id)
|
||||
|
||||
@test_utils.wip('Waiting on bug #1403539')
|
||||
def test_crud_inherited_and_direct_assignment_on_projects(self):
|
||||
self._test_crud_inherited_and_direct_assignment_on_target(
|
||||
'/projects/%s' % self.project_id)
|
||||
|
||||
def test_crud_user_inherited_domain_role_grants(self):
|
||||
role_list = []
|
||||
for _ in range(2):
|
||||
|
|
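Review bot: `inherited_url` in `_test_crud_inherited_and_direct_assignment_on_target` is built as `'/OS-INHERIT/%s/inherited_to_projects' % direct_url`, but `direct_url` already starts with `/` because both callers pass `'/domains/%s'` or `'/projects/%s'` as `target_url`. The request path therefore contains `/OS-INHERIT//domains/...`. If the router does not normalise the double slash, the `expected_status=404` checks on `inherited_url` would pass because the route is unknown rather than because the assignment is absent, and the `wip` decorator presumably tolerates the failing `put` in the meantime; I would write `'/OS-INHERIT/%s/inherited_to_projects' % direct_url.lstrip('/')`. The two deletion comments are also swapped relative to the code: `# Delete indirect assignment` should read `# Delete the inherited assignment`, and `# Now delete the inherited assignment` sits above `self.delete(direct_url)` and should read `# Now delete the direct assignment`.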