Exposes bug on role assignments creation

It should be possible to add both inherited and
non-inherited role assignments for the same actor
and target with the same role.

However, this is not currently possible. This
patch exposes this bug.

Related-Bug: #1403539

Change-Id: I9ee82b490ca36e9b2d135ef9ead54a2a4c312657
Samuel de Medeiros Queiroz 2015-04-08 08:38:06 -03:00
parent 29152d4211
commit 193bcfeaeb
2 changed files with 120 additions and 0 deletions


@ -5157,6 +5157,81 @@ class PolicyTests(object):
class InheritanceTests(object):
def _test_crud_inherited_and_direct_assignment(self, **kwargs):
"""Tests inherited and direct assignments for the actor and target
Ensure it is possible to create both inherited and direct role
assignments for the same actor on the same target. The actor and the
target are specified in the kwargs as ('user_id' or 'group_id') and
('project_id' or 'domain_id'), respectively.
"""
# Create a new role to avoid assignments loaded from default fixtures
role = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
role = self.role_api.create_role(role['id'], role)
# Define the common assigment entity
assignment_entity = {'role_id': role['id']}
assignment_entity.update(kwargs)
# Define assignments under test
direct_assignment_entity = assignment_entity.copy()
inherited_assignment_entity = assignment_entity.copy()
inherited_assignment_entity['inherited_to_projects'] = 'projects'
# Create direct assignment and check grants
self.assignment_api.create_grant(inherited_to_projects=False,
**assignment_entity)
grants = self.assignment_api.list_role_assignments_for_role(role['id'])
self.assertThat(grants, matchers.HasLength(1))
self.assertIn(direct_assignment_entity, grants)
# Now add inherited assignment and check grants
self.assignment_api.create_grant(inherited_to_projects=True,
**assignment_entity)
grants = self.assignment_api.list_role_assignments_for_role(role['id'])
self.assertThat(grants, matchers.HasLength(2))
self.assertIn(direct_assignment_entity, grants)
self.assertIn(inherited_assignment_entity, grants)
# Delete both and check grants
self.assignment_api.delete_grant(inherited_to_projects=False,
**assignment_entity)
self.assignment_api.delete_grant(inherited_to_projects=True,
**assignment_entity)
grants = self.assignment_api.list_role_assignments_for_role(role['id'])
self.assertEqual([], grants)
@test_utils.wip('Waiting on bug #1403539')
def test_crud_inherited_and_direct_assignment_for_user_on_domain(self):
self._test_crud_inherited_and_direct_assignment(
user_id=self.user_foo['id'], domain_id=DEFAULT_DOMAIN_ID)
@test_utils.wip('Waiting on bug #1403539')
def test_crud_inherited_and_direct_assignment_for_group_on_domain(self):
group = {'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID}
group = self.identity_api.create_group(group)
self._test_crud_inherited_and_direct_assignment(
group_id=group['id'], domain_id=DEFAULT_DOMAIN_ID)
@test_utils.wip('Waiting on bug #1403539')
def test_crud_inherited_and_direct_assignment_for_user_on_project(self):
self._test_crud_inherited_and_direct_assignment(
user_id=self.user_foo['id'], project_id=self.tenant_baz['id'])
@test_utils.wip('Waiting on bug #1403539')
def test_crud_inherited_and_direct_assignment_for_group_on_project(self):
group = {'name': uuid.uuid4().hex, 'domain_id': DEFAULT_DOMAIN_ID}
group = self.identity_api.create_group(group)
self._test_crud_inherited_and_direct_assignment(
group_id=group['id'], project_id=self.tenant_baz['id'])
def test_inherited_role_grants_for_user(self):
"""Test inherited user roles.
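Review bot: The delete step at the end of `_test_crud_inherited_and_direct_assignment` lists the grants only after both `delete_grant` calls, so nothing pins that revoking the direct grant leaves exactly the inherited one behind. For an access-control backend that is the property worth asserting, since a revocation that touches the wrong row is not distinguished here from a correct one until the final empty-list check. After the first `delete_grant` I would add `grants = self.assignment_api.list_role_assignments_for_role(role['id'])` and `self.assertEqual([inherited_assignment_entity], grants)`. The comment `# Define the common assigment entity` also has a typo and should read `assignment`.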


@ -20,6 +20,7 @@ from keystone.common import controller
from keystone import exception
from keystone.tests import unit as tests
from keystone.tests.unit import test_v3
from keystone.tests.unit import utils as test_utils
CONF = cfg.CONF
@ -2262,6 +2263,50 @@ class AssignmentInheritanceTestCase(test_v3.RestfulTestCase):
# Check the user cannot get a domain token anymore
self.v3_authenticate_token(domain_auth_data, expected_status=401)
def _test_crud_inherited_and_direct_assignment_on_target(self, target_url):
# Create a new role to avoid assignments loaded from sample data
role = self.new_role_ref()
self.role_api.create_role(role['id'], role)
# Define URLs
direct_url = '%s/users/%s/roles/%s' % (
target_url, self.user_id, role['id'])
inherited_url = '/OS-INHERIT/%s/inherited_to_projects' % direct_url
# Create the direct assignment
self.put(direct_url)
# Check the direct assignment exists, but the inherited one does not
self.head(direct_url)
self.head(inherited_url, expected_status=404)
# Now add the inherited assignment
self.put(inherited_url)
# Check both the direct and inherited assignment exist
self.head(direct_url)
self.head(inherited_url)
# Delete indirect assignment
self.delete(inherited_url)
# Check the direct assignment exists, but the inherited one does not
self.head(direct_url)
self.head(inherited_url, expected_status=404)
# Now delete the inherited assignment
self.delete(direct_url)
# Check that none of them exist
self.head(direct_url, expected_status=404)
self.head(inherited_url, expected_status=404)
@test_utils.wip('Waiting on bug #1403539')
def test_crud_inherited_and_direct_assignment_on_domains(self):
self._test_crud_inherited_and_direct_assignment_on_target(
'/domains/%s' % self.domain_id)
@test_utils.wip('Waiting on bug #1403539')
def test_crud_inherited_and_direct_assignment_on_projects(self):
self._test_crud_inherited_and_direct_assignment_on_target(
'/projects/%s' % self.project_id)
def test_crud_user_inherited_domain_role_grants(self):
role_list = []
for _ in range(2):
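Review bot: `inherited_url` in `_test_crud_inherited_and_direct_assignment_on_target` is built as `'/OS-INHERIT/%s/inherited_to_projects' % direct_url`, but `direct_url` already begins with `/` because both callers pass `'/domains/%s'` or `'/projects/%s'`, so the request path becomes `/OS-INHERIT//domains/...`. Whether the router tolerates the empty segment is not visible here; if it does not, the two tests would fail on routing rather than on bug #1403539, and `@test_utils.wip` presumably accepts any failure and so would hide the difference. `'/OS-INHERIT%s/inherited_to_projects' % direct_url` avoids it. Two comments are also mislabelled: `# Delete indirect assignment` should read `# Delete the inherited assignment`, and `# Now delete the inherited assignment` above `self.delete(direct_url)` should read `# Now delete the direct assignment`.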