openstack
/
keystone
Code Issues Proposed changes

Implement system reader and member for endpoint_groups 

This change modifies the policies for endpoint_groups
API to be more self-service by properly checking for
system scopes. It also includes the test cases.

Subsequent patches will -

 - add functionality for system admin
 - domains user test coverage
 - project user test coverage
Change-Id: Ie13fd2296f2836466d38544c4f672ee95c4156b0
Partial-Bug: #1818734
This commit is contained in:
Vishakha Agarwal 2019-08-07 22:45:48 +05:30 committed by Colleen Murphy
parent 71a1fb0437
commit e4fb1e1fdd
3 changed files with 361 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
keystone/common/policies/endpoint_group.py
View File

@ -10,10 +10,51 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from keystone.common.policies import base
deprecated_list_endpoint_groups = policy.DeprecatedRule(
name=base.IDENTITY % 'list_endpoint_groups',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_get_endpoint_group = policy.DeprecatedRule(
name=base.IDENTITY % 'get_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_list_projects_associated_with_endpoint_group = policy.DeprecatedRule(
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_list_endpoints_associated_with_endpoint_group = policy.DeprecatedRule(
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_get_endpoint_group_in_project = policy.DeprecatedRule(
name=base.IDENTITY % 'get_endpoint_group_in_project',
check_str=base.RULE_ADMIN_REQUIRED,
)
deprecated_list_endpoint_groups_for_project = policy.DeprecatedRule(
name=base.IDENTITY % 'list_endpoint_groups_for_project',
check_str=base.RULE_ADMIN_REQUIRED,
)
DEPRECATED_REASON = """
As of the Train release, the endpoint groups API now understands default roles
and system-scoped tokens, making the API more granular by default without
compromising security. The new policy defaults account for these changes
automatically. Be sure to take these new defaults into consideration if you are
relying on overrides in your deployment for the endpoint groups API.
"""
group_endpoint_policies = [
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_endpoint_group',
@ -24,14 +65,17 @@ group_endpoint_policies = [
'method': 'POST'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoint_groups',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_READER,
scope_types=['system'],
description='List endpoint groups.',
operations=[{'path': '/v3/OS-EP-FILTER/endpoint_groups',
'method': 'GET'}]),
'method': 'GET'}],
deprecated_rule=deprecated_list_endpoint_groups,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_READER,
scope_types=['system'],
description='Get endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
@ -39,7 +83,10 @@ group_endpoint_policies = [
'method': 'GET'},
{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}'),
'method': 'HEAD'}]),
'method': 'HEAD'}],
deprecated_rule=deprecated_get_endpoint_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
@ -58,24 +105,30 @@ group_endpoint_policies = [
'method': 'DELETE'}]),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_projects_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_READER,
scope_types=['system'],
description=('List all projects associated with a specific endpoint '
'group.'),
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/projects'),
'method': 'GET'}]),
'method': 'GET'}],
deprecated_rule=deprecated_list_projects_associated_with_endpoint_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoints_associated_with_endpoint_group',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_READER,
scope_types=['system'],
description='List all endpoints associated with an endpoint group.',
operations=[{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/endpoints'),
'method': 'GET'}]),
'method': 'GET'}],
deprecated_rule=deprecated_list_endpoints_associated_with_endpoint_group,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'get_endpoint_group_in_project',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_READER,
scope_types=['system'],
description=('Check if an endpoint group is associated with a '
'project.'),
@ -84,15 +137,21 @@ group_endpoint_policies = [
'method': 'GET'},
{'path': ('/v3/OS-EP-FILTER/endpoint_groups/'
'{endpoint_group_id}/projects/{project_id}'),
'method': 'HEAD'}]),
'method': 'HEAD'}],
deprecated_rule=deprecated_get_endpoint_group_in_project,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_endpoint_groups_for_project',
check_str=base.RULE_ADMIN_REQUIRED,
check_str=base.SYSTEM_READER,
scope_types=['system'],
description='List endpoint groups associated with a specific project.',
operations=[{'path': ('/v3/OS-EP-FILTER/projects/{project_id}/'
'endpoint_groups'),
'method': 'GET'}]),
'method': 'GET'}],
deprecated_rule=deprecated_list_endpoint_groups_for_project,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.TRAIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'add_endpoint_group_to_project',
check_str=base.RULE_ADMIN_REQUIRED,

11
keystone/tests/unit/core.py
View File

@ -242,6 +242,17 @@ def new_endpoint_ref(service_id, interface='public',
return ref
def new_endpoint_group_ref(filters, **kwargs):
ref = {
'id': uuid.uuid4().hex,
'description': uuid.uuid4().hex,
'filters': filters,
'name': uuid.uuid4().hex
}
ref.update(kwargs)
return ref
def new_endpoint_ref_with_region(service_id, region, interface='public',
**kwargs):
"""Define an endpoint_ref having a pre-3.2 form.

279
keystone/tests/unit/protection/v3/test_endpoint_group.py Normal file
View File

@ -0,0 +1,279 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import uuid
from six.moves import http_client
from keystone.common import provider_api
import keystone.conf
from keystone.tests.common import auth as common_auth
from keystone.tests import unit
from keystone.tests.unit import base_classes
from keystone.tests.unit import ksfixtures
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class _SystemUserEndpointGroupsTests(object):
"""Common default functionality for all system users."""
def test_user_can_list_endpoint_groups(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
r = c.get('/v3/OS-EP-FILTER/endpoint_groups', headers=self.headers)
endpoint_groups = []
for endpoint_group in r.json['endpoint_groups']:
endpoint_groups.append(endpoint_group['id'])
self.assertIn(endpoint_group['id'], endpoint_groups)
def test_user_can_get_an_endpoint_group(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
c.get('/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'],
headers=self.headers)
def test_user_can_list_projects_associated_with_endpoint_groups(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group['id'], project['id'])
with self.test_client() as c:
r = c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects'
% endpoint_group['id'], headers=self.headers)
projects = []
for project in r.json['projects']:
projects.append(project['id'])
self.assertIn(project['id'], projects)
def test_user_can_list_endpoints_associated_with_endpoint_groups(self):
service = PROVIDERS.catalog_api.create_service(
uuid.uuid4().hex, unit.new_service_ref()
)
endpoint = unit.new_endpoint_ref(service['id'], region_id=None)
endpoint = PROVIDERS.catalog_api.create_endpoint(
endpoint['id'], endpoint
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
r = c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/endpoints'
% endpoint_group['id'],
headers=self.headers)
endpoints = []
for endpoint in r.json['endpoints']:
endpoints.append(endpoint['id'])
self.assertIn(endpoint['id'], endpoints)
def test_user_can_get_endpoints_associated_with_endpoint_groups(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group['id'], project['id'])
with self.test_client() as c:
c.get('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
% (endpoint_group['id'], project['id']),
headers=self.headers)
def test_user_can_list_endpoint_groups_with_their_projects(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
PROVIDERS.catalog_api.add_endpoint_group_to_project(
endpoint_group['id'], project['id'])
with self.test_client() as c:
r = c.get('/v3/OS-EP-FILTER/projects/%s/endpoint_groups'
% project['id'],
headers=self.headers)
endpoint_groups = []
for endpoint_group in r.json['endpoint_groups']:
endpoint_groups.append(endpoint_group['id'])
class _SystemReaderAndMemberUserEndpointGroupsTests(object):
"""Common default functionality for system readers and system members."""
def test_user_cannot_create_endpoint_groups(self):
create = {
'endpoint_group': {
'id': uuid.uuid4().hex,
'description': uuid.uuid4().hex,
'filters': {'interface': 'public'},
'name': uuid.uuid4().hex
}
}
with self.test_client() as c:
c.post(
'/v3/OS-EP-FILTER/endpoint_groups', json=create, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_update_endpoint_groups(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
update = {'endpoint_group': {'filters': {'interface': 'internal'}}}
with self.test_client() as c:
c.patch(
'/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], json=update,
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_delete_endpoint_groups(self):
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
c.delete(
'/v3/OS-EP-FILTER/endpoint_groups/%s' % endpoint_group['id'], headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_add_endpoint_group_to_project(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
c.put('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
% (endpoint_group['id'], project['id']),
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_cannot_remove_endpoint_group_from_project(self):
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
endpoint_group = unit.new_endpoint_group_ref(filters={'interface': 'public'})
endpoint_group = PROVIDERS.catalog_api.create_endpoint_group(
endpoint_group['id'], endpoint_group
)
with self.test_client() as c:
c.delete('/v3/OS-EP-FILTER/endpoint_groups/%s/projects/%s'
% (endpoint_group['id'], project['id']),
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserEndpointGroupsTests,
_SystemReaderAndMemberUserEndpointGroupsTests):
def setUp(self):
super(SystemReaderTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
system_reader = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id
)
self.user_id = PROVIDERS.identity_api.create_user(
system_reader
)['id']
PROVIDERS.assignment_api.create_system_grant_for_user(
self.user_id, self.bootstrapper.reader_role_id
)
auth = self.build_authentication_request(
user_id=self.user_id, password=system_reader['password'],
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
class SystemMemberTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserEndpointGroupsTests,
_SystemReaderAndMemberUserEndpointGroupsTests):
def setUp(self):
super(SystemMemberTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
system_member = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id
)
self.user_id = PROVIDERS.identity_api.create_user(
system_member
)['id']
PROVIDERS.assignment_api.create_system_grant_for_user(
self.user_id, self.bootstrapper.member_role_id
)
auth = self.build_authentication_request(
user_id=self.user_id, password=system_member['password'],
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}