Updated Cloudsample

Uses configuration options to determine if a token is for the admin
project and should be granted admin privileges.

Closes-Bug: 968696

Change-Id: Ib23452e171dc90115c77fa5a4b9dc4649054eb0e
This commit is contained in:
Adam Young 2015-11-01 11:55:45 -05:00
parent 79f141b81a
commit 9804081a80
2 changed files with 76 additions and 3 deletions

View File

@ -1,6 +1,6 @@
{
"admin_required": "role:admin",
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
"cloud_admin": "(role:admin and token.is_admin_project:True) or ( rule:admin_required and domain_id:admin_domain_id)",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",

View File

@ -572,8 +572,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
- domain_admin_user has role 'admin' on domainA,
- project_admin_user has role 'admin' on the project,
- just_a_user has a non-admin role on both domainA and the project.
- admin_domain has user cloud_admin_user, with an 'admin' role
on admin_domain.
- admin_domain has admin_project, and user cloud_admin_user, with an
'admin' role on admin_project.
We test various api protection rules from the cloud sample policy
file to make sure the sample is valid and that we correctly enforce it.
@ -591,6 +591,13 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
group='oslo_policy',
policy_file=unit.dirs.etc('policy.v3cloudsample.json'))
self.config_fixture.config(
group='resource',
admin_project_name=self.admin_project['name'])
self.config_fixture.config(
group='resource',
admin_project_domain_name=self.admin_domain['name'])
def load_sample_data(self):
# Start by creating a couple of domains
self._populate_default_domain()
@ -603,6 +610,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.resource_api.create_domain(self.admin_domain['id'],
self.admin_domain)
self.admin_project = unit.new_project_ref(
domain_id=self.admin_domain['id'])
self.resource_api.create_project(self.admin_project['id'],
self.admin_project)
# And our users
self.cloud_admin_user = unit.create_user(
self.identity_api,
@ -958,6 +970,32 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
def test_admin_project_list_assignments_of_project(self):
self.auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
collection_url = self.build_role_assignment_query_url(
project_id=self.project['id'])
r = self.get(collection_url, auth=self.auth)
self.assertValidRoleAssignmentListResponse(
r, expected_length=2, resource_url=collection_url)
project_admin_entity = self.build_role_assignment_entity(
project_id=self.project['id'],
user_id=self.project_admin_user['id'],
role_id=self.admin_role['id'],
inherited_to_projects=False)
project_user_entity = self.build_role_assignment_entity(
project_id=self.project['id'],
user_id=self.just_a_user['id'],
role_id=self.role['id'],
inherited_to_projects=False)
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
self.assertRoleAssignmentInListResponse(r, project_user_entity)
@unit.utils.wip('waiting on bug #1437407')
def test_domain_admin_list_assignments_of_project(self):
self.auth = self.build_authentication_request(
@ -1012,6 +1050,22 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self._test_domain_management()
def test_admin_project(self):
self.auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
self._test_domain_management(
expected=exception.ForbiddenAction.code)
self.auth = self.build_authentication_request(
user_id=self.cloud_admin_user['id'],
password=self.cloud_admin_user['password'],
domain_id=self.admin_domain['id'])
self._test_domain_management()
def test_domain_admin_get_domain(self):
self.auth = self.build_authentication_request(
user_id=self.domain_admin_user['id'],
@ -1138,6 +1192,25 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
self.get('/auth/tokens', token=admin_token,
headers={'X-Subject-Token': user_token})
def test_admin_project_validate_user_token(self):
# An admin can validate a user's token.
# This is GET /v3/auth/tokens
admin_auth = self.build_authentication_request(
user_id=self.project_admin_user['id'],
password=self.project_admin_user['password'],
project_id=self.project['id'])
admin_token = self.get_requested_token(admin_auth)
user_auth = self.build_authentication_request(
user_id=self.just_a_user['id'],
password=self.just_a_user['password'])
user_token = self.get_requested_token(user_auth)
self.get('/auth/tokens', token=admin_token,
headers={'X-Subject-Token': user_token})
def test_user_check_same_token(self):
# Given a non-admin user token, the token can be used to check
# itself.