Remove legacy protection tests
This commit removes a bunch of tests that were originally written to test the policy.v3cloudsample.json policy file. Now that we've implemented system-scope, default roles, and removed the policy.v3cloudsample.json policy file, we can remove these tests. This commit also ports some token revocation tests over to the protection test suite so we have full coverage from TestTokenRevokeSelfAndAdmin. Change-Id: Ie0c0b48d240b118f7b491d164e5c1a203ebb31e8
This commit is contained in:
parent
d4a6023de5
commit
5f5f10630c
|
@ -362,6 +362,11 @@ class _DomainAndProjectUserTests(object):
|
|||
self.headers['X-Subject-Token'] = self.token_id
|
||||
c.get('/v3/auth/tokens', headers=self.headers)
|
||||
|
||||
def test_user_can_revoke_their_own_tokens(self):
|
||||
with self.test_client() as c:
|
||||
self.headers['X-Subject-Token'] = self.token_id
|
||||
c.delete('/v3/auth/tokens', headers=self.headers)
|
||||
|
||||
def test_user_cannot_validate_system_scoped_token(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||
|
@ -386,6 +391,30 @@ class _DomainAndProjectUserTests(object):
|
|||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_system_scoped_token(self):
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||
|
||||
PROVIDERS.assignment_api.create_system_grant_for_user(
|
||||
user['id'], self.bootstrapper.reader_role_id
|
||||
)
|
||||
|
||||
system_auth = self.build_authentication_request(
|
||||
user_id=user['id'], password=user['password'],
|
||||
system=True
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=system_auth)
|
||||
system_token = r.headers['X-Subject-Token']
|
||||
|
||||
with self.test_client() as c:
|
||||
self.headers['X-Subject-Token'] = system_token
|
||||
c.delete(
|
||||
'/v3/auth/tokens', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_validate_domain_scoped_token(self):
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
|
@ -414,7 +443,35 @@ class _DomainAndProjectUserTests(object):
|
|||
'/v3/auth/tokens', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
pass
|
||||
|
||||
def test_user_cannot_revoke_domain_scoped_token(self):
|
||||
domain = PROVIDERS.resource_api.create_domain(
|
||||
uuid.uuid4().hex, unit.new_domain_ref()
|
||||
)
|
||||
|
||||
user = unit.new_user_ref(domain_id=domain['id'])
|
||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.reader_role_id, user_id=user['id'],
|
||||
domain_id=domain['id']
|
||||
)
|
||||
|
||||
domain_auth = self.build_authentication_request(
|
||||
user_id=user['id'], password=user['password'],
|
||||
domain_id=domain['id']
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=domain_auth)
|
||||
domain_token = r.headers['X-Subject-Token']
|
||||
|
||||
with self.test_client() as c:
|
||||
self.headers['X-Subject-Token'] = domain_token
|
||||
c.delete(
|
||||
'/v3/auth/tokens', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_validate_project_scoped_token(self):
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
|
@ -446,6 +503,36 @@ class _DomainAndProjectUserTests(object):
|
|||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
def test_user_cannot_revoke_project_scoped_token(self):
|
||||
project = PROVIDERS.resource_api.create_project(
|
||||
uuid.uuid4().hex,
|
||||
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
|
||||
)
|
||||
|
||||
user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
|
||||
user['id'] = PROVIDERS.identity_api.create_user(user)['id']
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.bootstrapper.reader_role_id, user_id=user['id'],
|
||||
project_id=project['id']
|
||||
)
|
||||
|
||||
project_auth = self.build_authentication_request(
|
||||
user_id=user['id'], password=user['password'],
|
||||
project_id=project['id']
|
||||
)
|
||||
|
||||
with self.test_client() as c:
|
||||
r = c.post('/v3/auth/tokens', json=project_auth)
|
||||
project_token = r.headers['X-Subject-Token']
|
||||
|
||||
with self.test_client() as c:
|
||||
self.headers['X-Subject-Token'] = project_token
|
||||
c.delete(
|
||||
'/v3/auth/tokens', headers=self.headers,
|
||||
expected_status_code=http_client.FORBIDDEN
|
||||
)
|
||||
|
||||
|
||||
class DomainUserTests(base_classes.TestCaseWithBootstrap,
|
||||
common_auth.AuthTestMixin,
|
||||
|
|
|
@ -2879,110 +2879,6 @@ class TestJWSTokenAPIs(test_v3.RestfulTestCase, TokenAPITests, TokenDataTests):
|
|||
)
|
||||
|
||||
|
||||
class TestTokenRevokeSelfAndAdmin(test_v3.RestfulTestCase):
|
||||
"""Test token revoke using v3 Identity API by token owner and admin."""
|
||||
|
||||
def load_sample_data(self):
|
||||
"""Load Sample Data for Test Cases.
|
||||
|
||||
Two domains, domainA and domainB
|
||||
Two users in domainA, userNormalA and userAdminA
|
||||
One user in domainB, userAdminB
|
||||
|
||||
"""
|
||||
super(TestTokenRevokeSelfAndAdmin, self).load_sample_data()
|
||||
# DomainA setup
|
||||
self.domainA = unit.new_domain_ref()
|
||||
PROVIDERS.resource_api.create_domain(self.domainA['id'], self.domainA)
|
||||
|
||||
self.userAdminA = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainA['id'])
|
||||
|
||||
self.userNormalA = unit.create_user(PROVIDERS.identity_api,
|
||||
domain_id=self.domainA['id'])
|
||||
|
||||
PROVIDERS.assignment_api.create_grant(
|
||||
self.role['id'], user_id=self.userAdminA['id'],
|
||||
domain_id=self.domainA['id']
|
||||
)
|
||||
|
||||
def test_user_revokes_own_token(self):
|
||||
user_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userNormalA['id'],
|
||||
password=self.userNormalA['password'],
|
||||
user_domain_id=self.domainA['id']))
|
||||
self.assertNotEmpty(user_token)
|
||||
headers = {'X-Subject-Token': user_token}
|
||||
|
||||
adminA_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userAdminA['id'],
|
||||
password=self.userAdminA['password'],
|
||||
domain_name=self.domainA['name']))
|
||||
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.OK,
|
||||
token=adminA_token)
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.OK,
|
||||
token=user_token)
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
token=user_token)
|
||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.UNAUTHORIZED,
|
||||
token=user_token)
|
||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.UNAUTHORIZED,
|
||||
token=user_token)
|
||||
# valid X-Auth-Token and invalid X-Subject-Token
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
# valid X-Auth-Token and invalid X-Subject-Token
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
|
||||
def test_adminA_revokes_userA_token(self):
|
||||
user_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userNormalA['id'],
|
||||
password=self.userNormalA['password'],
|
||||
user_domain_id=self.domainA['id']))
|
||||
self.assertNotEmpty(user_token)
|
||||
headers = {'X-Subject-Token': user_token}
|
||||
|
||||
adminA_token = self.get_requested_token(
|
||||
self.build_authentication_request(
|
||||
user_id=self.userAdminA['id'],
|
||||
password=self.userAdminA['password'],
|
||||
domain_name=self.domainA['name']))
|
||||
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.OK,
|
||||
token=adminA_token)
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.OK,
|
||||
token=user_token)
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
token=adminA_token)
|
||||
# invalid X-Auth-Token and invalid X-Subject-Token
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.UNAUTHORIZED,
|
||||
token=user_token)
|
||||
# valid X-Auth-Token and invalid X-Subject-Token
|
||||
self.delete('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
# valid X-Auth-Token and invalid X-Subject-Token
|
||||
self.head('/auth/tokens', headers=headers,
|
||||
expected_status=http_client.NOT_FOUND,
|
||||
token=adminA_token)
|
||||
|
||||
|
||||
class TestTokenRevokeById(test_v3.RestfulTestCase):
|
||||
"""Test token revocation on the v3 Identity API."""
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue