Reorganize role assignment tests for system users

The GET /v3/role_assignments API is a read-only API, making the
behavior for all system users the same. They should all be able to
list and filter role assignments for the entire deployment.

This commit moves the existing system reader tests into a common class
that can be reused by other test classes for system members and system
administrators.

Subsequent patches will:

  - add test coverage for system members
  - add test coverage for system admins
  - add functionality for domain readers
  - add functionality for domain members
  - add functionality for domain admins
  - add functionality for project readers
  - add functionality for project members
  - add functionality for project admins
  - remove the obsolete policies from policy.v3cloudsample.json

Change-Id: Ic9b1ad3306bb272d3e24a00009014df16b36a65d
Partial-Bug: 1750673
Partial-Bug: 1816833
Lance Bragstad 2019-02-20 18:08:40 +00:00
parent ca835d913d
commit 63c6e6c397
1 changed files with 214 additions and 220 deletions

@ -23,36 +23,8 @@ CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin):
def setUp(self):
super(SystemReaderTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
system_reader = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id
)
self.user_id = PROVIDERS.identity_api.create_user(
system_reader
)['id']
PROVIDERS.assignment_api.create_system_grant_for_user(
self.user_id, self.bootstrapper.reader_role_id
)
auth = self.build_authentication_request(
user_id=self.user_id, password=system_reader['password'],
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class _AssignmentTestUtilities(object):
"""Useful utilities for setting up test assignments and assertions."""
def _setup_test_role_assignments(self):
# Utility to create assignments and return important data for
@ -140,127 +112,123 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
assignments.append(a)
return assignments
class _SystemUserTests(object):
"""Common functionality for system users regardless of default role."""
def test_user_can_list_all_role_assignments_in_the_deployment(self):
assignments = self._setup_test_role_assignments()
expected = [
# assignment of the user running the test case
{
'user_id': self.user_id,
'system': 'all',
'role_id': self.bootstrapper.reader_role_id
},
# this assignment is created by keystone-manage bootstrap
{
'user_id': self.bootstrapper.admin_user_id,
'project_id': self.bootstrapper.project_id,
'role_id': self.bootstrapper.admin_role_id
},
# this assignment is created by keystone-manage bootstrap
{
'user_id': self.bootstrapper.admin_user_id,
'system': 'all',
'role_id': self.bootstrapper.admin_role_id
},
{
'user_id': assignments['user_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
},
{
'user_id': assignments['user_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
},
{
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
}
]
# this assignment is created by keystone-manage bootstrap
self.expected.append({
'user_id': self.bootstrapper.admin_user_id,
'project_id': self.bootstrapper.project_id,
'role_id': self.bootstrapper.admin_role_id
})
# this assignment is created by keystone-manage bootstrap
self.expected.append({
'user_id': self.bootstrapper.admin_user_id,
'system': 'all',
'role_id': self.bootstrapper.admin_role_id
})
self.expected.append({
'user_id': assignments['user_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'user_id': assignments['user_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
})
with self.test_client() as c:
r = c.get('/v3/role_assignments', headers=self.headers)
self.assertEqual(len(expected), len(r.json['role_assignments']))
self.assertEqual(
len(self.expected), len(r.json['role_assignments'])
)
actual = self._extract_role_assignments_from_response_body(r)
for assignment in actual:
self.assertIn(assignment, expected)
self.assertIn(assignment, self.expected)
def test_user_can_list_all_role_names_assignments_in_the_deployment(self):
assignments = self._setup_test_role_assignments()
expected = [
# assignment of the user running the test case
{
'user_id': self.user_id,
'system': 'all',
'role_id': self.bootstrapper.reader_role_id
},
# this assignment is created by keystone-manage bootstrap
{
'user_id': self.bootstrapper.admin_user_id,
'project_id': self.bootstrapper.project_id,
'role_id': self.bootstrapper.admin_role_id
},
# this assignment is created by keystone-manage bootstrap
{
'user_id': self.bootstrapper.admin_user_id,
'system': 'all',
'role_id': self.bootstrapper.admin_role_id
},
{
'user_id': assignments['user_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
},
{
'user_id': assignments['user_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
},
{
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
}
]
# this assignment is created by keystone-manage bootstrap
self.expected.append({
'user_id': self.bootstrapper.admin_user_id,
'project_id': self.bootstrapper.project_id,
'role_id': self.bootstrapper.admin_role_id
})
# this assignment is created by keystone-manage bootstrap
self.expected.append({
'user_id': self.bootstrapper.admin_user_id,
'system': 'all',
'role_id': self.bootstrapper.admin_role_id
})
self.expected.append({
'user_id': assignments['user_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'user_id': assignments['user_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
})
with self.test_client() as c:
r = c.get(
'/v3/role_assignments?include_names=True', headers=self.headers
)
self.assertEqual(len(expected), len(r.json['role_assignments']))
self.assertEqual(
len(self.expected), len(r.json['role_assignments'])
)
actual = self._extract_role_assignments_from_response_body(r)
for assignment in actual:
self.assertIn(assignment, expected)
self.assertIn(assignment, self.expected)
def test_user_can_filter_role_assignments_by_project(self):
assignments = self._setup_test_role_assignments()
@ -316,40 +284,35 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
def test_user_can_filter_role_assignments_by_system(self):
assignments = self._setup_test_role_assignments()
expected = [
# assignment of the user running the test case
{
'user_id': self.user_id,
'system': 'all',
'role_id': self.bootstrapper.reader_role_id
},
# this assignment is created by keystone-manage bootstrap
{
'user_id': self.bootstrapper.admin_user_id,
'system': 'all',
'role_id': self.bootstrapper.admin_role_id
},
{
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
}
]
# this assignment is created by keystone-manage bootstrap
self.expected.append({
'user_id': self.bootstrapper.admin_user_id,
'system': 'all',
'role_id': self.bootstrapper.admin_role_id
})
self.expected.append({
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
})
with self.test_client() as c:
r = c.get(
'/v3/role_assignments?scope.system=all',
headers=self.headers
)
self.assertEqual(len(expected), len(r.json['role_assignments']))
self.assertEqual(
len(self.expected), len(r.json['role_assignments'])
)
actual = self._extract_role_assignments_from_response_body(r)
for assignment in actual:
self.assertIn(assignment, expected)
self.assertIn(assignment, self.expected)
def test_user_can_filter_role_assignments_by_user(self):
assignments = self._setup_test_role_assignments()
@ -416,44 +379,37 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
def test_user_can_filter_role_assignments_by_role(self):
assignments = self._setup_test_role_assignments()
expected = [
# assignment of the user running the test case
{
'user_id': self.user_id,
'system': 'all',
'role_id': self.bootstrapper.reader_role_id
},
{
'user_id': assignments['user_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
},
{
'user_id': assignments['user_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
},
{
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
}
]
self.expected.append({
'user_id': assignments['user_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'user_id': assignments['user_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'project_id': assignments['project_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'domain_id': assignments['domain_id'],
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
})
role_id = assignments['role_id']
with self.test_client() as c:
@ -461,10 +417,12 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
'/v3/role_assignments?role.id=%s&include_names=True' % role_id,
headers=self.headers
)
self.assertEqual(len(expected), len(r.json['role_assignments']))
self.assertEqual(
len(self.expected), len(r.json['role_assignments'])
)
actual = self._extract_role_assignments_from_response_body(r)
for assignment in actual:
self.assertIn(assignment, expected)
self.assertIn(assignment, self.expected)
def test_user_can_filter_role_assignments_by_project_and_role(self):
assignments = self._setup_test_role_assignments()
@ -520,24 +478,16 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
def test_user_can_filter_role_assignments_by_system_and_role(self):
assignments = self._setup_test_role_assignments()
expected = [
# assignment of the user running the test case
{
'user_id': self.user_id,
'system': 'all',
'role_id': self.bootstrapper.reader_role_id
},
{
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
},
{
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
}
]
self.expected.append({
'user_id': assignments['user_id'],
'system': 'all',
'role_id': assignments['role_id']
})
self.expected.append({
'group_id': assignments['group_id'],
'system': 'all',
'role_id': assignments['role_id']
})
role_id = assignments['role_id']
with self.test_client() as c:
@ -545,10 +495,12 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
'/v3/role_assignments?scope.system=all&role.id=%s' % role_id,
headers=self.headers
)
self.assertEqual(len(expected), len(r.json['role_assignments']))
self.assertEqual(
len(self.expected), len(r.json['role_assignments'])
)
actual = self._extract_role_assignments_from_response_body(r)
for assignment in actual:
self.assertIn(assignment, expected)
self.assertIn(assignment, self.expected)
def test_user_can_filter_role_assignments_by_user_and_role(self):
assignments = self._setup_test_role_assignments()
@ -695,3 +647,45 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
actual = self._extract_role_assignments_from_response_body(r)
for assignment in actual:
self.assertIn(assignment, expected)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_AssignmentTestUtilities,
_SystemUserTests):
def setUp(self):
super(SystemReaderTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
system_reader = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id
)
self.user_id = PROVIDERS.identity_api.create_user(
system_reader
)['id']
PROVIDERS.assignment_api.create_system_grant_for_user(
self.user_id, self.bootstrapper.reader_role_id
)
self.expected = [
# assignment of the user running the test case
{
'user_id': self.user_id,
'system': 'all',
'role_id': self.bootstrapper.reader_role_id
}
]
auth = self.build_authentication_request(
user_id=self.user_id, password=system_reader['password'],
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
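Review bot: `test_user_can_filter_role_assignments_by_role` and `test_user_can_filter_role_assignments_by_system_and_role` now count the entry that `setUp` seeds into `self.expected` as part of a response filtered by `role.id`, a dependency the old per-test lists spelled out. This passes for `SystemReaderTests` because the seeded role is `reader_role_id`, presumably the same role `_setup_test_role_assignments` grants (its body is outside the visible hunks). A system member or admin class reusing `_SystemUserTests` would seed a different role, and the length assertion in both tests would then fail. Assigning `role_id` first and starting both tests with `self.expected = [a for a in self.expected if a['role_id'] == role_id]` keeps the expectation tied to the filter rather than to the persona. The `_SystemUserTests` docstring should also state that a subclass's `setUp` must provide `self.expected` (seeded with the persona's own assignment) and `self.headers`.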