authorAdam Young <ayoung@redhat.com>2015-11-01 11:55:45 -0500
committerAdam Young <ayoung@redhat.com>2015-12-14 20:10:28 -0500
commit9804081a80ef815a86407a64f967986a7bf9ba25 (patch)
tree798356c59eac3c5f40e1d30c741eea724daa978f
parent79f141b81afa877fbe23efe7af4d78b9802ab113 (diff)
Updated Cloudsample
Uses configuration options to determine whether a token is scoped to the admin project and should be granted admin privileges. Closes-Bug: 968696 Change-Id: Ib23452e171dc90115c77fa5a4b9dc4649054eb0e
Notes
Notes (review): Verified+2: Jenkins Code-Review+2: guang-yee <guang.yee@hpe.com> Workflow+1: guang-yee <guang.yee@hpe.com> Code-Review+2: Steve Martinelli <stevemar@ca.ibm.com> Submitted-by: Jenkins Submitted-at: Tue, 15 Dec 2015 14:01:40 +0000 Reviewed-on: https://review.openstack.org/240720 Project: openstack/keystone Branch: refs/heads/master
-rw-r--r--etc/policy.v3cloudsample.json2
-rw-r--r--keystone/tests/unit/test_v3_protection.py77
2 files changed, 76 insertions, 3 deletions
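--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -1,6 +1,6 @@
 {
     "admin_required": "role:admin",
-    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
+    "cloud_admin": "(role:admin and token.is_admin_project:True) or ( rule:admin_required and domain_id:admin_domain_id)",
     "service_role": "role:service",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",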
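Review bot: The new first branch of `cloud_admin` tests `role:admin` directly while the second branch keeps `rule:admin_required`, so a deployer who tightens `admin_required` would only tighten one of the two paths; writing it as `"cloud_admin": "(rule:admin_required and token.is_admin_project:True) or (rule:admin_required and domain_id:admin_domain_id)"` keeps the two branches consistent and drops the stray space after the second opening parenthesis. The first branch grants cloud-admin to any project-scoped admin token whose `token.is_admin_project` attribute is True, which in this change is driven by the `[resource] admin_project_name` / `admin_project_domain_name` options the accompanying tests set. It is worth confirming what the token provider sets that attribute to when those options are left unset, since a JSON policy file cannot carry a comment stating that the rule only has its intended meaning once they are configured.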
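--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -572,8 +572,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
     - domain_admin_user has role 'admin' on domainA,
     - project_admin_user has role 'admin' on the project,
     - just_a_user has a non-admin role on both domainA and the project.
-    - admin_domain has user cloud_admin_user, with an 'admin' role
-      on admin_domain.
+    - admin_domain has admin_project, and user cloud_admin_user, with an
+      'admin' role on admin_project.
 
     We test various api protection rules from the cloud sample policy
     file to make sure the sample is valid and that we correctly enforce it.
@@ -591,6 +591,13 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
             group='oslo_policy',
             policy_file=unit.dirs.etc('policy.v3cloudsample.json'))
 
+        self.config_fixture.config(
+            group='resource',
+            admin_project_name=self.admin_project['name'])
+        self.config_fixture.config(
+            group='resource',
+            admin_project_domain_name=self.admin_domain['name'])
+
     def load_sample_data(self):
         # Start by creating a couple of domains
         self._populate_default_domain()
@@ -603,6 +610,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         self.resource_api.create_domain(self.admin_domain['id'],
                                         self.admin_domain)
 
+        self.admin_project = unit.new_project_ref(
+            domain_id=self.admin_domain['id'])
+        self.resource_api.create_project(self.admin_project['id'],
+                                         self.admin_project)
+
         # And our users
         self.cloud_admin_user = unit.create_user(
             self.identity_api,
@@ -958,6 +970,32 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         self.assertRoleAssignmentInListResponse(r, project_admin_entity)
         self.assertRoleAssignmentInListResponse(r, project_user_entity)
 
+    def test_admin_project_list_assignments_of_project(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+
+        collection_url = self.build_role_assignment_query_url(
+            project_id=self.project['id'])
+        r = self.get(collection_url, auth=self.auth)
+        self.assertValidRoleAssignmentListResponse(
+            r, expected_length=2, resource_url=collection_url)
+
+        project_admin_entity = self.build_role_assignment_entity(
+            project_id=self.project['id'],
+            user_id=self.project_admin_user['id'],
+            role_id=self.admin_role['id'],
+            inherited_to_projects=False)
+        project_user_entity = self.build_role_assignment_entity(
+            project_id=self.project['id'],
+            user_id=self.just_a_user['id'],
+            role_id=self.role['id'],
+            inherited_to_projects=False)
+
+        self.assertRoleAssignmentInListResponse(r, project_admin_entity)
+        self.assertRoleAssignmentInListResponse(r, project_user_entity)
+
     @unit.utils.wip('waiting on bug #1437407')
     def test_domain_admin_list_assignments_of_project(self):
         self.auth = self.build_authentication_request(
@@ -1012,6 +1050,22 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
 
         self._test_domain_management()
 
+    def test_admin_project(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+
+        self._test_domain_management(
+            expected=exception.ForbiddenAction.code)
+
+        self.auth = self.build_authentication_request(
+            user_id=self.cloud_admin_user['id'],
+            password=self.cloud_admin_user['password'],
+            domain_id=self.admin_domain['id'])
+
+        self._test_domain_management()
+
     def test_domain_admin_get_domain(self):
         self.auth = self.build_authentication_request(
             user_id=self.domain_admin_user['id'],
@@ -1138,6 +1192,25 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         self.get('/auth/tokens', token=admin_token,
                  headers={'X-Subject-Token': user_token})
 
+    def test_admin_project_validate_user_token(self):
+        # An admin can validate a user's token.
+        # This is GET /v3/auth/tokens
+
+        admin_auth = self.build_authentication_request(
+            user_id=self.project_admin_user['id'],
+            password=self.project_admin_user['password'],
+            project_id=self.project['id'])
+
+        admin_token = self.get_requested_token(admin_auth)
+
+        user_auth = self.build_authentication_request(
+            user_id=self.just_a_user['id'],
+            password=self.just_a_user['password'])
+        user_token = self.get_requested_token(user_auth)
+
+        self.get('/auth/tokens', token=admin_token,
+                 headers={'X-Subject-Token': user_token})
+
     def test_user_check_same_token(self):
         # Given a non-admin user token, the token can be used to check
         # itself.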
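Review bot: None of the added tests scopes a token to `self.admin_project`, so the positive path of the new `token.is_admin_project:True` branch in the sample policy is never exercised by what is shown here. `test_admin_project` authenticates `project_admin_user` against `self.project` and asserts `exception.ForbiddenAction.code`, which only shows that a token outside the admin project is still refused, and its second half uses `cloud_admin_user` with `domain_id=self.admin_domain['id']`, the pre-existing domain-scoped branch; the two other `test_admin_project_*` methods likewise scope `project_admin_user` to `self.project`. A test that scopes `cloud_admin_user` to `self.admin_project` and runs `self._test_domain_management()` would cover the new rule, assuming that user is granted the 'admin' role on `admin_project` as the updated docstring states (the role assignment itself lies outside the hunks, as do the rest of `setUp` and `load_sample_data`). The three new test methods also carry no docstring; a one-liner such as `"""A project admin token is cloud admin only when scoped to the admin project."""` on `test_admin_project` would record the intent.
```python
    def test_admin_project_scoped_token_is_cloud_admin(self):
        """A token scoped to the admin project is granted cloud_admin."""
        self.auth = self.build_authentication_request(
            user_id=self.cloud_admin_user['id'],
            password=self.cloud_admin_user['password'],
            project_id=self.admin_project['id'])

        self._test_domain_management()
```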