Add tests for domain users interacting with roles

This commit adds explicit tests that show how domain users
are expected to behave with global roles. A subsequent patch
will do the same for project users.

Note that these changes are slightly different from the
policy.v3cloudsample.json role policies. In policy.v3cloudsample.json,
domain users were allowed to get and list global roles. So were
project users. This behavior is changing because global roles are
considered global resources of the deployment, and they should be
managed by system users. Domain users should be able to add and remove
domain specific roles, which will come in a subsequent series of
patches. This approach is being taken because it is a safer default
for a system level resource (roles) and still allows the same
functionality for domain users through domain-specific roles.

Change-Id: Ia1a7adf4431042ecea1b41e3c589c55112183ab5
Partial-Bug: 1806713
Partial-Bug: 1805400
Lance Bragstad 2018-12-04 18:16:34 +00:00
parent 66fa3bbf0a
commit 31eecfb2a4
1 changed files with 92 additions and 0 deletions


@ -85,6 +85,63 @@ class _SystemReaderAndMemberRoleTests(object):
)
class _DomainAndProjectUserRoleTests(object):
"""Common functionality for all domain and project users."""
def test_user_cannot_list_roles(self):
PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref())
with self.test_client() as c:
c.get(
'/v3/roles', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_get_a_role(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref()
)
with self.test_client() as c:
c.get(
'/v3/roles/%s' % role['id'], headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_create_roles(self):
create = {'role': unit.new_role_ref()}
with self.test_client() as c:
c.post(
'/v3/roles', json=create, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_update_roles(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref()
)
update = {'role': {'description': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch(
'/v3/roles/%s' % role['id'], json=update, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_delete_roles(self):
role = PROVIDERS.role_api.create_role(
uuid.uuid4().hex, unit.new_role_ref()
)
with self.test_client() as c:
c.delete(
'/v3/roles/%s' % role['id'], headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserRoleTests,
@ -204,3 +261,38 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
with self.test_client() as c:
c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_DomainAndProjectUserRoleTests):
def setUp(self):
super(DomainUserTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
self.domain_id = domain['id']
domain_admin = unit.new_user_ref(domain_id=self.domain_id)
self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.admin_role_id, user_id=self.user_id,
domain_id=self.domain_id
)
auth = self.build_authentication_request(
user_id=self.user_id,
password=domain_admin['password'],
domain_id=self.domain_id
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
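Review bot: `DomainUserTests` has no docstring stating which persona it exercises, and the only hint is the `self.bootstrapper.admin_role_id` grant on the new domain in `setUp`, so a reader has to infer that this is the domain admin case with `enforce_scope=True` rather than a generic domain user as the class name suggests. Since the inherited `_DomainAndProjectUserRoleTests` assertions are all FORBIDDEN, exercising the most privileged domain persona is the strongest check, but that reasoning should be recorded on the class: `"""Domain admin (admin role granted on a domain, enforce_scope=True) must be denied every global role operation."""`. Renaming the local `domain_admin` is unnecessary, but the class docstring should also note that domain reader/member personas are not covered here so a later patch can add them deliberately.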