openstack
/
keystone
Code Issues Proposed changes

Add tests for domain users interacting with policies 

This commit introduces some tests that show how domain users are
expected to behave with the policies API. A subsequent
patches will -

 - add project user test coverage
 - add functionality for system reader for policy association
 - add functionality for system member for policy association
 - add functionality for system admin for policy association
 - domains user test coverage for policy association
 - project user test coverage for policy association
 - Removing obsolete policies in policy.v3cloudsample.json file

Change-Id: I44b0553cc9c590cb4d5ec5d037a17e4ea9cb8667
Partial-Bug: #1805409
This commit is contained in:
Vishakha Agarwal 2019-08-21 21:43:09 +05:30
parent fd15bcd66f
commit f45a6f99d1
1 changed files with 93 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
keystone/tests/unit/protection/v3/test_policy.py
View File

@ -93,6 +93,64 @@ class _SystemReaderAndMemberPoliciesTests(object):
)
class _DomainAndProjectUserPolicyTests(object):
def test_user_cannot_list_policies(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
with self.test_client() as c:
c.get('/v3/policies', headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_get_policy(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
with self.test_client() as c:
c.get('/v3/policies/%s' % policy['id'], headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_create_policy(self):
create = {
'id': uuid.uuid4().hex,
'name': uuid.uuid4().hex,
'description': uuid.uuid4().hex,
'enabled': True,
# Store serialized JSON data as the blob to mimic real world usage.
'blob': json.dumps({'data': uuid.uuid4().hex, }),
'type': uuid.uuid4().hex,
}
with self.test_client() as c:
c.post(
'/v3/policies', json=create, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_update_policy(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
update = {'policy': {'name': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch(
'/v3/policies/%s' % policy['id'], json=update,
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_delete_policy(self):
policy = unit.new_policy_ref()
policy = PROVIDERS.policy_api.create_policy(policy['id'], policy)
with self.test_client() as c:
c.delete(
'/v3/policies/%s' % policy['id'], headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_SystemUserPoliciesTests,
@ -224,3 +282,38 @@ class SystemAdminTests(base_classes.TestCaseWithBootstrap,
c.delete(
'/v3/policies/%s' % policy['id'], headers=self.headers
)
class DomainUserTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_DomainAndProjectUserPolicyTests):
def setUp(self):
super(DomainUserTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
self.domain_id = domain['id']
domain_admin = unit.new_user_ref(domain_id=self.domain_id)
self.user_id = PROVIDERS.identity_api.create_user(domain_admin)['id']
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.admin_role_id, user_id=self.user_id,
domain_id=self.domain_id
)
auth = self.build_authentication_request(
user_id=self.user_id,
password=domain_admin['password'],
domain_id=self.domain_id
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}