openstack
/
keystone
Code Issues Proposed changes

Add tests for domain users interacting with idps 

This commit introduces some tests that show how domain users are
expected to behave with the federated identity provider API. A
subsequent patch will do the same for project users.

Change-Id: Ie48c8001aec9ef8f3e2d7540d7dd7e8e2231c811
Related-Bug: 1804517
This commit is contained in:
Lance Bragstad 2018-11-21 22:15:56 +00:00
parent a4c5d80439
commit caf147ad0c
1 changed files with 98 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
keystone/tests/unit/protection/v3/test_identity_providers.py
View File

@ -95,6 +95,69 @@ class _SystemReaderAndMemberIdentityProviderTests(object):
)
class _DomainAndProjectUserIdentityProviderTests(object):
"""Common functionality for all domain and project users."""
def test_user_cannot_create_identity_providers(self):
create = {'identity_provider': {'remote_ids': [uuid.uuid4().hex]}}
with self.test_client() as c:
c.put(
'/v3/OS-FEDERATION/identity_providers/%s' % uuid.uuid4().hex,
json=create, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_update_identity_providers(self):
idp = PROVIDERS.federation_api.create_idp(
uuid.uuid4().hex, unit.new_identity_provider_ref()
)
update = {'identity_provider': {'enabled': False}}
with self.test_client() as c:
c.patch(
'/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
json=update, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_list_identity_providers(self):
PROVIDERS.federation_api.create_idp(
uuid.uuid4().hex, unit.new_identity_provider_ref()
)
with self.test_client() as c:
c.get(
'/v3/OS-FEDERATION/identity_providers', headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_get_an_identity_provider(self):
idp = PROVIDERS.federation_api.create_idp(
uuid.uuid4().hex, unit.new_identity_provider_ref()
)
with self.test_client() as c:
c.get(
'/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_delete_identity_providers(self):
idp = PROVIDERS.federation_api.create_idp(
uuid.uuid4().hex, unit.new_identity_provider_ref()
)
with self.test_client() as c:
c.delete(
'/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserIdentityProviderTests,
@ -222,3 +285,38 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
'/v3/OS-FEDERATION/identity_providers/%s' % idp['id'],
headers=self.headers
)
class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_DomainAndProjectUserIdentityProviderTests):
def setUp(self):
super(DomainUserTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
self.domain_id = domain['id']
domain_admin = unit.new_user_ref(domain_id=self.domain_id)
self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.admin_role_id, user_id=self.user_id,
domain_id=self.domain_id
)
auth = self.build_authentication_request(
user_id=self.user_id,
password=domain_admin['password'],
domain_id=self.domain_id
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}