From 7c129f1c70ccc2ee5d68e6fabb53e3172f9d6a34 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Tue, 28 Aug 2018 15:44:48 +0000 Subject: [PATCH] Remove obsolete credential policies The policy.v3cloudsample.json policy file attempted to solve admin-ness issues with elaborate policy checks. These checks are no longer needed with the advent of system scope and incorporating system scope into keystone APIs. This commit removes the credential policies from the policy.v3cloudsample.json policy file since the new defaults introduce more flexibility by consuming scope, rendering the policies in policy.v3cloudsample.json obsolete. More specific test coverage has also been added for each new case in keystone.tests.unit.protection.v3.test_credentials. Change-Id: I6c74f40640da23375574f4a26ee60779ef08d120 Related-Bug: 1788415 --- etc/policy.v3cloudsample.json | 6 ------ keystone/tests/unit/test_policy.py | 11 +++++++++++ keystone/tests/unit/test_v3_protection.py | 22 ---------------------- 3 files changed, 11 insertions(+), 28 deletions(-) diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 7e40f7c957..271d7e8050 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -83,12 +83,6 @@ "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", - "identity:get_credential": "rule:admin_required", - "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s", - "identity:create_credential": "rule:admin_required", - "identity:update_credential": "rule:admin_required", - "identity:delete_credential": "rule:admin_required", - "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", "identity:ec2_list_credentials": "rule:admin_required or rule:owner", "identity:ec2_create_credential": "rule:admin_required or rule:owner", 
diff --git a/keystone/tests/unit/test_policy.py b/keystone/tests/unit/test_policy.py
index 892c6aefc6..24e507b7f0 100644
--- a/keystone/tests/unit/test_policy.py
+++ b/keystone/tests/unit/test_policy.py
@@ -178,7 +178,18 @@ class PolicyJsonTestCase(unit.TestCase):
         return rules
 
     def test_json_examples_have_matching_entries(self):
+        # TODO(lbragstad): Once all policies have been removed from
+        # policy.v3cloudsample.json, remove this test.
+        removed_policies = [
+            'identity:create_credential',
+            'identity:get_credential',
+            'identity:list_credentials',
+            'identity:update_credential',
+            'identity:delete_credential'
+        ]
         policy_keys = self._get_default_policy_rules()
+        for p in removed_policies:
+            del policy_keys[p]
         cloud_policy_keys = set(
             json.load(open(unit.dirs.etc('policy.v3cloudsample.json'))))
 
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index f0f015002a..bdbdafff7d 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
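Review bot: `del policy_keys[p]` mutates the mapping returned by `_get_default_policy_rules()` in place; that helper's body ends just above this hunk at `return rules`, so whether it builds a fresh dict on every call or hands back something shared or cached is not visible here, and in the shared case the deletions would bleed into every other test in `PolicyJsonTestCase` that reads the defaults. A defensive copy keeps the loop as written and sidesteps the question: `policy_keys = dict(self._get_default_policy_rules())`. The `del` also raises a bare KeyError if a policy listed in `removed_policies` is later dropped or renamed in the code defaults, which is a useful tripwire for drift between this list and `keystone.common.policies` but reads as accidental; a comment such as `# KeyError here means a policy in removed_policies no longer exists in the defaults; update the list` would make that deliberate. The rest of `test_json_examples_have_matching_entries`, presumably including the comparison of `policy_keys` against `cloud_policy_keys`, continues outside the hunk.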
@@ -1563,28 +1563,6 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase,
         entity_url = '/domains/%s' % self.domainA['id']
         self.get(entity_url, auth=self.auth)
 
-    def test_list_user_credentials(self):
-        credential_user = unit.new_credential_ref(self.just_a_user['id'])
-        PROVIDERS.credential_api.create_credential(
-            credential_user['id'], credential_user
-        )
-        credential_admin = unit.new_credential_ref(self.cloud_admin_user['id'])
-        PROVIDERS.credential_api.create_credential(
-            credential_admin['id'], credential_admin
-        )
-
-        self.auth = self.build_authentication_request(
-            user_id=self.just_a_user['id'],
-            password=self.just_a_user['password'])
-        url = '/credentials?user_id=%s' % self.just_a_user['id']
-        self.get(url, auth=self.auth)
-        url = '/credentials?user_id=%s' % self.cloud_admin_user['id']
-        self.get(url, auth=self.auth,
-                 expected_status=exception.ForbiddenAction.code)
-        url = '/credentials'
-        self.get(url, auth=self.auth,
-                 expected_status=exception.ForbiddenAction.code)
-
     def test_get_and_delete_ec2_credentials(self):
         """Test getting and deleting ec2 credentials through the ec2 API."""
         another_user = unit.create_user(PROVIDERS.identity_api,