Add region protection tests for system readers
This commit ensures we test the default roles provided with keystone against the scope types used in default region policies. Subsequent patches will include testing for: - system member test coverage - system admin functionality - domain users test coverage - project users test coverage Change-Id: I65a8a291e87a29f7ae819ba1ec177e955708db51 Related-Bug: 1804292 Related-Bug: 1804446
parent
adfee4eb79
commit
fdf8cb1f04
|
@ -0,0 +1,109 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import uuid
|
||||
|
||||
from six.moves import http_client
|
||||
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone.tests.common import auth as common_auth
|
||||
from keystone.tests import unit
|
||||
from keystone.tests.unit import base_classes
|
||||
from keystone.tests.unit import ksfixtures
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
class _UserRegionTests(object):
|
||||
"""Common default functionality for all users."""
|
||||
|
||||
def test_user_can_get_a_region(self):
|
||||
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
|
||||
|
||||
with self.test_client() as c:
|
||||
c.get('/v3/regions/%s' % region['id'], headers=self.headers)
|
||||
|
||||
def test_user_can_list_regions(self):
|
||||
expected_regions = []
|
||||
for _ in range(2):
|
||||
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
|
||||
expected_regions.append(region['id'])
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.get('/v3/regions', headers=self.headers)
|
||||
for region in r.json['regions']:
|
||||
self.assertIn(region['id'], expected_regions)
|
||||
|
||||
|
||||
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
_UserRegionTests):
|
||||
|
||||
def setUp(self):
|
||||
super(SystemReaderTests, self).setUp()
|
||||
self.loadapp()
|
||||
self.useFixture(ksfixtures.Policy(self.config_fixture))
|
||||
self.config_fixture.config(group='oslo_policy', enforce_scope=True)
|
||||
|
||||
system_reader = unit.new_user_ref(
|
||||
domain_id=CONF.identity.default_domain_id
|
||||
)
|
||||
self.user_id = PROVIDERS.identity_api.create_user(
|
||||
system_reader
|
||||
)['id']
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
self.user_id, self.bootstrapper.reader_role_id
|
||||
)
|
||||
|
||||
auth = self.build_authentication_request(
|
||||
user_id=self.user_id, password=system_reader['password'],
|
||||
system=True
|
||||
)
|
||||
|
||||
# Grab a token using the persona we're testing and prepare headers
|
||||
# for requests we'll be making in the tests.
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=auth)
|
||||
self.token_id = r.headers['X-Subject-Token']
|
||||
self.headers = {'X-Auth-Token': self.token_id}
|
||||
|
||||
def test_user_cannot_create_regions(self):
|
||||
create = {'region': {'description': uuid.uuid4().hex}}
|
||||
|
||||
with self.test_client() as c:
|
||||
c.post(
|
||||
'/v3/regions', json=create, headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_update_regions(self):
|
||||
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
|
||||
|
||||
with self.test_client() as c:
|
||||
update = {'region': {'description': uuid.uuid4().hex}}
|
||||
c.patch(
|
||||
'/v3/regions/%s' % region['id'], json=update,
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_delete_regions(self):
|
||||
region = PROVIDERS.catalog_api.create_region(unit.new_region_ref())
|
||||
|
||||
with self.test_client() as c:
|
||||
c.delete(
|
||||
'/v3/regions/%s' % region['id'],
|
||||
headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
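Review bot: `test_user_can_list_regions` passes vacuously when the listing comes back empty, because its loop only checks that each returned region is one of the two created. A policy or scope regression that hides every region from a system reader would therefore go unnoticed. Assert the other direction as well, for example `returned = [x['id'] for x in r.json['regions']]` followed by `for region_id in expected_regions: self.assertIn(region_id, returned)`. `test_user_can_get_a_region` also makes no explicit assertion and presumably relies on the test client's default expected status. Passing `expected_status_code=http_client.OK` there would state the read-allowed intent as plainly as the three FORBIDDEN tests state the denial.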