openstack
/
keystone
Code Issues Proposed changes

Add region protection tests for system readers 

This commit ensures we test the default roles provided with keystone
against the scope types used in default region policies. Subsequent
patches will include testing for:

 - system member test coverage
 - system admin functionality
 - domain users test coverage
 - project users test coverage

Change-Id: I65a8a291e87a29f7ae819ba1ec177e955708db51
Related-Bug: 1804292
Related-Bug: 1804446
This commit is contained in:
Lance Bragstad 2018-11-20 19:14:48 +00:00
parent adfee4eb79
commit fdf8cb1f04
1 changed files with 109 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
keystone/tests/unit/protection/v3/test_regions.py Normal file
View File

@ -0,0 +1,109 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import uuid
from six.moves import http_client
from keystone.common import provider_api
import keystone.conf
from keystone.tests.common import auth as common_auth
from keystone.tests import unit
from keystone.tests.unit import base_classes
from keystone.tests.unit import ksfixtures
CONF = keystone.conf.CONF
PROVIDERS = provider_api.ProviderAPIs
class _UserRegionTests(object):
"""Common default functionality for all users."""
def test_user_can_get_a_region(self):
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
with self.test_client() as c:
c.get('/v3/regions/%s' % region['id'], headers=self.headers)
def test_user_can_list_regions(self):
expected_regions = []
for _ in range(2):
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
expected_regions.append(region['id'])
with self.test_client() as c:
r = c.get('/v3/regions', headers=self.headers)
for region in r.json['regions']:
self.assertIn(region['id'], expected_regions)
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
_UserRegionTests):
def setUp(self):
super(SystemReaderTests, self).setUp()
self.loadapp()
self.useFixture(ksfixtures.Policy(self.config_fixture))
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
system_reader = unit.new_user_ref(
domain_id=CONF.identity.default_domain_id
)
self.user_id = PROVIDERS.identity_api.create_user(
system_reader
)['id']
PROVIDERS.assignment_api.create_system_grant_for_user(
self.user_id, self.bootstrapper.reader_role_id
)
auth = self.build_authentication_request(
user_id=self.user_id, password=system_reader['password'],
system=True
)
# Grab a token using the persona we're testing and prepare headers
# for requests we'll be making in the tests.
with self.test_client() as c:
r = c.post('/v3/auth/tokens', json=auth)
self.token_id = r.headers['X-Subject-Token']
self.headers = {'X-Auth-Token': self.token_id}
def test_user_cannot_create_regions(self):
create = {'region': {'description': uuid.uuid4().hex}}
with self.test_client() as c:
c.post(
'/v3/regions', json=create, headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_update_regions(self):
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
with self.test_client() as c:
update = {'region': {'description': uuid.uuid4().hex}}
c.patch(
'/v3/regions/%s' % region['id'], json=update,
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_delete_regions(self):
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
with self.test_client() as c:
c.delete(
'/v3/regions/%s' % region['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)