-rw-r--r--keystone/tests/unit/protection/v3/test_roles.py91
1 files changed, 65 insertions, 26 deletions
diff --git a/keystone/tests/unit/protection/v3/test_roles.py b/keystone/tests/unit/protection/v3/test_roles.py
index 3797938..320c966 100644
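--- a/keystone/tests/unit/protection/v3/test_roles.py
+++ b/keystone/tests/unit/protection/v3/test_roles.py
@@ -48,9 +48,47 @@ class _SystemUserRoleTests(object):
  self.assertEqual(role['id'], r.json['role']['id'])
 
 
+class _SystemReaderAndMemberRoleTests(object):
+ """Common default functionality for system readers and system members."""
+
+ def test_user_cannot_create_roles(self):
+ create = {'role': unit.new_role_ref()}
+
+ with self.test_client() as c:
+ c.post(
+ '/v3/roles', json=create, headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_update_roles(self):
+ role = PROVIDERS.role_api.create_role(
+ uuid.uuid4().hex, unit.new_role_ref()
+ )
+
+ update = {'role': {'description': uuid.uuid4().hex}}
+
+ with self.test_client() as c:
+ c.patch(
+ '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_delete_roles(self):
+ role = PROVIDERS.role_api.create_role(
+ uuid.uuid4().hex, unit.new_role_ref()
+ )
+
+ with self.test_client() as c:
+ c.delete(
+ '/v3/roles/%s' % role['id'], headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+
 class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  common_auth.AuthTestMixin,
- _SystemUserRoleTests):
+ _SystemUserRoleTests,
+ _SystemReaderAndMemberRoleTests):
 
  def setUp(self):
  super(SystemReaderTests, self).setUp()
@@ -80,35 +118,36 @@ class SystemReaderTests(base_classes.TestCaseWithBootstrap,
  self.token_id = r.headers['X-Subject-Token']
  self.headers = {'X-Auth-Token': self.token_id}
 
- def test_user_cannot_create_roles(self):
- create = {'role': unit.new_role_ref()}
-
- with self.test_client() as c:
- c.post(
- '/v3/roles', json=create, headers=self.headers,
- expected_status_code=http_client.FORBIDDEN
- )
 
- def test_user_cannot_update_roles(self):
- role = PROVIDERS.role_api.create_role(
- uuid.uuid4().hex, unit.new_role_ref()
- )
+class SystemMemberTests(base_classes.TestCaseWithBootstrap,
+ common_auth.AuthTestMixin,
+ _SystemUserRoleTests,
+ _SystemReaderAndMemberRoleTests):
 
- update = {'role': {'description': uuid.uuid4().hex}}
+ def setUp(self):
+ super(SystemMemberTests, self).setUp()
+ self.loadapp()
+ self.useFixture(ksfixtures.Policy(self.config_fixture))
+ self.config_fixture.config(group='oslo_policy', enforce_scope=True)
 
- with self.test_client() as c:
- c.patch(
- '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
- expected_status_code=http_client.FORBIDDEN
- )
+ system_member = unit.new_user_ref(
+ domain_id=CONF.identity.default_domain_id
+ )
+ self.user_id = PROVIDERS.identity_api.create_user(
+ system_member
+ )['id']
+ PROVIDERS.assignment_api.create_system_grant_for_user(
+ self.user_id, self.bootstrapper.member_role_id
+ )
 
- def test_user_cannot_delete_roles(self):
- role = PROVIDERS.role_api.create_role(
- uuid.uuid4().hex, unit.new_role_ref()
+ auth = self.build_authentication_request(
+ user_id=self.user_id, password=system_member['password'],
+ system=True
  )
 
+ # Grab a token using the persona we're testing and prepare headers
+ # for requests we'll be making in the tests.
  with self.test_client() as c:
- c.delete(
- '/v3/roles/%s' % role['id'], headers=self.headers,
- expected_status_code=http_client.FORBIDDEN
- )
+ r = c.post('/v3/auth/tokens', json=auth)
+ self.token_id = r.headers['X-Subject-Token']
+ self.headers = {'X-Auth-Token': self.token_id}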
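Review bot: The negative tests in `_SystemReaderAndMemberRoleTests` assert only the 403 status, so they would still pass if a regression rejected the request after the role had already been modified or removed; this now applies to both the reader and the new member persona. In `test_user_cannot_delete_roles`, follow the `c.delete(...)` call with `PROVIDERS.role_api.get_role(role['id'])`, which fails the test if the role is gone. In `test_user_cannot_update_roles`, check that the stored value did not change, e.g. `self.assertNotEqual(update['role']['description'], PROVIDERS.role_api.get_role(role['id']).get('description'))`. It would also help to extend the class docstring to say that these personas must be denied every write on `/v3/roles` and that the tests verify the backend state is untouched.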