From 9804081a80ef815a86407a64f967986a7bf9ba25 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Sun, 1 Nov 2015 11:55:45 -0500 Subject: [PATCH] Updated Cloudsample Uses configuration options to determine if a token is for the admin project and should be granted admin privileges. Closes-Bug: 968696 Change-Id: Ib23452e171dc90115c77fa5a4b9dc4649054eb0e --- etc/policy.v3cloudsample.json | 2 +- keystone/tests/unit/test_v3_protection.py | 77 ++++++++++++++++++++++- 2 files changed, 76 insertions(+), 3 deletions(-) diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 2ba876609b..4c9c606635 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json @@ -1,6 +1,6 @@ { "admin_required": "role:admin", - "cloud_admin": "rule:admin_required and domain_id:admin_domain_id", + "cloud_admin": "(role:admin and token.is_admin_project:True) or ( rule:admin_required and domain_id:admin_domain_id)", "service_role": "role:service", "service_or_admin": "rule:admin_required or rule:service_role", "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s", diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py index 79209ca296..23b3f620ce 100644 --- a/keystone/tests/unit/test_v3_protection.py +++ b/keystone/tests/unit/test_v3_protection.py @@ -572,8 +572,8 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, - domain_admin_user has role 'admin' on domainA, - project_admin_user has role 'admin' on the project, - just_a_user has a non-admin role on both domainA and the project. - - admin_domain has user cloud_admin_user, with an 'admin' role - on admin_domain. + - admin_domain has admin_project, and user cloud_admin_user, with an + 'admin' role on admin_project. We test various api protection rules from the cloud sample policy file to make sure the sample is valid and that we correctly enforce it. @@ -591,6 +591,13 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, group='oslo_policy', policy_file=unit.dirs.etc('policy.v3cloudsample.json')) + self.config_fixture.config( + group='resource', + admin_project_name=self.admin_project['name']) + self.config_fixture.config( + group='resource', + admin_project_domain_name=self.admin_domain['name']) + def load_sample_data(self): # Start by creating a couple of domains self._populate_default_domain() @@ -603,6 +610,11 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, self.resource_api.create_domain(self.admin_domain['id'], self.admin_domain) + self.admin_project = unit.new_project_ref( + domain_id=self.admin_domain['id']) + self.resource_api.create_project(self.admin_project['id'], + self.admin_project) + # And our users self.cloud_admin_user = unit.create_user( self.identity_api, @@ -958,6 +970,32 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, self.assertRoleAssignmentInListResponse(r, project_admin_entity) self.assertRoleAssignmentInListResponse(r, project_user_entity) + def test_admin_project_list_assignments_of_project(self): + self.auth = self.build_authentication_request( + user_id=self.project_admin_user['id'], + password=self.project_admin_user['password'], + project_id=self.project['id']) + + collection_url = self.build_role_assignment_query_url( + project_id=self.project['id']) + r = self.get(collection_url, auth=self.auth) + self.assertValidRoleAssignmentListResponse( + r, expected_length=2, resource_url=collection_url) + + project_admin_entity = self.build_role_assignment_entity( + project_id=self.project['id'], + user_id=self.project_admin_user['id'], + role_id=self.admin_role['id'], + inherited_to_projects=False) + project_user_entity = self.build_role_assignment_entity( + project_id=self.project['id'], + user_id=self.just_a_user['id'], + role_id=self.role['id'], + inherited_to_projects=False) + + self.assertRoleAssignmentInListResponse(r, project_admin_entity) + self.assertRoleAssignmentInListResponse(r, project_user_entity) + @unit.utils.wip('waiting on bug #1437407') def test_domain_admin_list_assignments_of_project(self): self.auth = self.build_authentication_request( @@ -1012,6 +1050,22 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, self._test_domain_management() + def test_admin_project(self): + self.auth = self.build_authentication_request( + user_id=self.project_admin_user['id'], + password=self.project_admin_user['password'], + project_id=self.project['id']) + + self._test_domain_management( + expected=exception.ForbiddenAction.code) + + self.auth = self.build_authentication_request( + user_id=self.cloud_admin_user['id'], + password=self.cloud_admin_user['password'], + domain_id=self.admin_domain['id']) + + self._test_domain_management() + def test_domain_admin_get_domain(self): self.auth = self.build_authentication_request( user_id=self.domain_admin_user['id'], @@ -1138,6 +1192,25 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase, self.get('/auth/tokens', token=admin_token, headers={'X-Subject-Token': user_token}) + def test_admin_project_validate_user_token(self): + # An admin can validate a user's token. + # This is GET /v3/auth/tokens + + admin_auth = self.build_authentication_request( + user_id=self.project_admin_user['id'], + password=self.project_admin_user['password'], + project_id=self.project['id']) + + admin_token = self.get_requested_token(admin_auth) + + user_auth = self.build_authentication_request( + user_id=self.just_a_user['id'], + password=self.just_a_user['password']) + user_token = self.get_requested_token(user_auth) + + self.get('/auth/tokens', token=admin_token, + headers={'X-Subject-Token': user_token}) + def test_user_check_same_token(self): # Given a non-admin user token, the token can be used to check # itself.