Updated Cloudsample
Uses configuration options to determine if a token is for the admin project and should be granted admin privileges. Closes-Bug: 968696 Change-Id: Ib23452e171dc90115c77fa5a4b9dc4649054eb0e
This commit is contained in:
parent
79f141b81a
commit
9804081a80
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"admin_required": "role:admin",
|
||||
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
|
||||
"cloud_admin": "(role:admin and token.is_admin_project:True) or ( rule:admin_required and domain_id:admin_domain_id)",
|
||||
"service_role": "role:service",
|
||||
"service_or_admin": "rule:admin_required or rule:service_role",
|
||||
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
|
||||
|
|
|
@ -572,8 +572,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||
- domain_admin_user has role 'admin' on domainA,
|
||||
- project_admin_user has role 'admin' on the project,
|
||||
- just_a_user has a non-admin role on both domainA and the project.
|
||||
- admin_domain has user cloud_admin_user, with an 'admin' role
|
||||
on admin_domain.
|
||||
- admin_domain has admin_project, and user cloud_admin_user, with an
|
||||
'admin' role on admin_project.
|
||||
|
||||
We test various api protection rules from the cloud sample policy
|
||||
file to make sure the sample is valid and that we correctly enforce it.
|
||||
|
@ -591,6 +591,13 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||
group='oslo_policy',
|
||||
policy_file=unit.dirs.etc('policy.v3cloudsample.json'))
|
||||
|
||||
self.config_fixture.config(
|
||||
group='resource',
|
||||
admin_project_name=self.admin_project['name'])
|
||||
self.config_fixture.config(
|
||||
group='resource',
|
||||
admin_project_domain_name=self.admin_domain['name'])
|
||||
|
||||
def load_sample_data(self):
|
||||
# Start by creating a couple of domains
|
||||
self._populate_default_domain()
|
||||
|
@ -603,6 +610,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||
self.resource_api.create_domain(self.admin_domain['id'],
|
||||
self.admin_domain)
|
||||
|
||||
self.admin_project = unit.new_project_ref(
|
||||
domain_id=self.admin_domain['id'])
|
||||
self.resource_api.create_project(self.admin_project['id'],
|
||||
self.admin_project)
|
||||
|
||||
# And our users
|
||||
self.cloud_admin_user = unit.create_user(
|
||||
self.identity_api,
|
||||
|
@ -958,6 +970,32 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
||||
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
||||
|
||||
def test_admin_project_list_assignments_of_project(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.project_admin_user['id'],
|
||||
password=self.project_admin_user['password'],
|
||||
project_id=self.project['id'])
|
||||
|
||||
collection_url = self.build_role_assignment_query_url(
|
||||
project_id=self.project['id'])
|
||||
r = self.get(collection_url, auth=self.auth)
|
||||
self.assertValidRoleAssignmentListResponse(
|
||||
r, expected_length=2, resource_url=collection_url)
|
||||
|
||||
project_admin_entity = self.build_role_assignment_entity(
|
||||
project_id=self.project['id'],
|
||||
user_id=self.project_admin_user['id'],
|
||||
role_id=self.admin_role['id'],
|
||||
inherited_to_projects=False)
|
||||
project_user_entity = self.build_role_assignment_entity(
|
||||
project_id=self.project['id'],
|
||||
user_id=self.just_a_user['id'],
|
||||
role_id=self.role['id'],
|
||||
inherited_to_projects=False)
|
||||
|
||||
self.assertRoleAssignmentInListResponse(r, project_admin_entity)
|
||||
self.assertRoleAssignmentInListResponse(r, project_user_entity)
|
||||
|
||||
@unit.utils.wip('waiting on bug #1437407')
|
||||
def test_domain_admin_list_assignments_of_project(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
|
@ -1012,6 +1050,22 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||
|
||||
self._test_domain_management()
|
||||
|
||||
def test_admin_project(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.project_admin_user['id'],
|
||||
password=self.project_admin_user['password'],
|
||||
project_id=self.project['id'])
|
||||
|
||||
self._test_domain_management(
|
||||
expected=exception.ForbiddenAction.code)
|
||||
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.cloud_admin_user['id'],
|
||||
password=self.cloud_admin_user['password'],
|
||||
domain_id=self.admin_domain['id'])
|
||||
|
||||
self._test_domain_management()
|
||||
|
||||
def test_domain_admin_get_domain(self):
|
||||
self.auth = self.build_authentication_request(
|
||||
user_id=self.domain_admin_user['id'],
|
||||
|
@ -1138,6 +1192,25 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
|
|||
self.get('/auth/tokens', token=admin_token,
|
||||
headers={'X-Subject-Token': user_token})
|
||||
|
||||
def test_admin_project_validate_user_token(self):
|
||||
# An admin can validate a user's token.
|
||||
# This is GET /v3/auth/tokens
|
||||
|
||||
admin_auth = self.build_authentication_request(
|
||||
user_id=self.project_admin_user['id'],
|
||||
password=self.project_admin_user['password'],
|
||||
project_id=self.project['id'])
|
||||
|
||||
admin_token = self.get_requested_token(admin_auth)
|
||||
|
||||
user_auth = self.build_authentication_request(
|
||||
user_id=self.just_a_user['id'],
|
||||
password=self.just_a_user['password'])
|
||||
user_token = self.get_requested_token(user_auth)
|
||||
|
||||
self.get('/auth/tokens', token=admin_token,
|
||||
headers={'X-Subject-Token': user_token})
|
||||
|
||||
def test_user_check_same_token(self):
|
||||
# Given a non-admin user token, the token can be used to check
|
||||
# itself.
|
||||
|
|
Loading…
Reference in New Issue