Add tests for domain users interacting with roles
This commit adds explicit tests that show how domain users are expected to behave with global roles. A subsequent patch will do the same for project users. Note that these changes are slightly different from the policy.v3cloudsample.json role policies. In policy.v3cloudsample.json, domain users were allowed to get and list global roles. So were project users. This behavior is changing because global roles are considered global resources of the deployment, and they should be managed by system users. Domain users should be able to add and remove domain specific roles, which will come in a subsequent series of patches. This approach is being taken because it is a safer default for a system level resource (roles) and still allows the same functionality for domain users through domain-specific roles. Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5 Partial-Bug: 1806713 Partial-Bug: 1805400
parent
66fa3bbf0a
commit
31eecfb2a4
|
@ -85,6 +85,63 @@ class _SystemReaderAndMemberRoleTests(object):
|
|||
)
|
||||
|
||||
|
||||
class _DomainAndProjectUserRoleTests(object):
|
||||
"""Common functionality for all domain and project users."""
|
||||
|
||||
def test_user_cannot_list_roles(self):
|
||||
PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref())
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/roles', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_get_a_role(self):
|
||||
role = PROVIDERS.role_api.create_role(
|
||||
uuid.uuid4().hex, unit.new_role_ref()
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get(
|
||||
'/v3/roles/%s' % role['id'], headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_create_roles(self):
|
||||
create = {'role': unit.new_role_ref()}
|
||||
|
||||
with self.test_client() as c:
|
||||
c.post(
|
||||
'/v3/roles', json=create, headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_update_roles(self):
|
||||
role = PROVIDERS.role_api.create_role(
|
||||
uuid.uuid4().hex, unit.new_role_ref()
|
||||
)
|
||||
|
||||
update = {'role': {'description': uuid.uuid4().hex}}
|
||||
|
||||
with self.test_client() as c:
|
||||
c.patch(
|
||||
'/v3/roles/%s' % role['id'], json=update, headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_delete_roles(self):
|
||||
role = PROVIDERS.role_api.create_role(
|
||||
uuid.uuid4().hex, unit.new_role_ref()
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/roles/%s' % role['id'], headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_SystemUserRoleTests,
|
||||
|
@ -204,3 +261,38 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
|
|||
|
||||
with self.test_client() as c:
|
||||
c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
|
||||
|
||||
|
||||
class DomainUserTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_DomainAndProjectUserRoleTests):
|
||||
|
||||
def setUp(self):
|
||||
super(DomainUserTests, self).setUp()
|
||||
self.loadapp()
|
||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
self.domain_id = domain['id']
|
||||
domain_admin = unit.new_user_ref(domain_id=self.domain_id)
|
||||
self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.admin_role_id, user_id=self.user_id,
|
||||
domain_id=self.domain_id
|
||||
)
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.user_id,
|
||||
password=domain_admin['password'],
|
||||
domain_id=self.domain_id
|
||||
)
|
||||
|
||||
# Grab a token using the persona we're testing and prepare headers
|
||||
# for requests we'll be making in the tests.
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
|
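Review bot: The negative tests in `_DomainAndProjectUserRoleTests` (first hunk) assert only the 403 status, so a policy path that rejected the request after already mutating state would still pass; `test_user_cannot_delete_roles` and `test_user_cannot_update_roles` should confirm the role survived unchanged after the forbidden call, e.g. `self.assertEqual(role, PROVIDERS.role_api.get_role(role['id']))` directly after the `c.delete(...)` / `c.patch(...)`. `test_user_cannot_create_roles` can do the same by asserting that `create['role']['name']` does not appear in `PROVIDERS.role_api.list_roles()`. Separately, `DomainUserTests.setUp` grants only `self.bootstrapper.admin_role_id` on the domain, so the domain reader and member personas are never exercised; because each policy rule is evaluated independently, a looser rule that happens to admit a lesser role would not be caught by these tests — presumably `DomainReaderTests`/`DomainMemberTests` counterparts are intended, but they are not visible in this change.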