def test_edit_user_roles_can_manage_all(self):
    """
    A requester may only edit a user when every role that user already
    holds is one the requester can manage.

    The requester holds only project_mod and the target user already holds
    project_admin, so the request to add project_mod must fail validation
    and the existing assignments must stay as they were.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(name="*****@*****.**",
                                 password="******",
                                 email="*****@*****.**")

    # The target user starts with both roles on the project; project_admin
    # is presumably the one a project_mod requester may not manage.
    existing_assignments = [
        fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name=held_role,
            user={'id': user.id})
        for held_role in ("_member_", "project_admin")
    ]
    setup_identity_cache(projects=[project],
                         users=[user],
                         role_assignments=existing_assignments)

    # Identity of the requester the task runs on behalf of.
    requester = {
        'roles': ['project_mod'],
        'project_id': project.id,
        'project_domain_id': 'default',
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    request_data = {
        'domain_id': 'default',
        'user_id': user.id,
        'project_id': project.id,
        'roles': ['project_mod'],
        'inherited_roles': [],
        'remove': False
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    edit_action.pre_approve()
    self.assertEqual(edit_action.valid, False)

    # NOTE(review): only pre_approve() has run at this point, so this shows
    # that validation leaves the assignments alone; it does not exercise
    # post_approve()/submit() on the rejected action.
    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(current_roles, ['_member_', 'project_admin'])
def test_edit_user_roles_can_manage_all(self):
    """
    A requester may only edit a user when every role that user already
    holds is one the requester can manage.

    The requester holds only project_mod and the target user already holds
    project_admin, so the request to add project_mod must fail validation
    and the existing assignments must stay as they were.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )

    # The target user starts with both roles on the project; project_admin
    # is presumably the one a project_mod requester may not manage.
    existing_assignments = [
        fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name=held_role,
            user={"id": user.id},
        )
        for held_role in ("member", "project_admin")
    ]
    setup_identity_cache(
        projects=[project], users=[user], role_assignments=existing_assignments
    )

    # Identity of the requester the task runs on behalf of.
    requester = {
        "roles": ["project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    request_data = {
        "domain_id": "default",
        "user_id": user.id,
        "project_id": project.id,
        "roles": ["project_mod"],
        "inherited_roles": [],
        "remove": False,
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    edit_action.prepare()
    self.assertEqual(edit_action.valid, False)

    # NOTE(review): only prepare() has run at this point, so this shows
    # that validation leaves the assignments alone; it does not exercise
    # approve()/submit() on the rejected action.
    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(current_roles, ["member", "project_admin"])
def test_edit_user_roles_modified_settings_add(self):
    """
    Tests that the role mappings do come from settings and a new role
    added there will be allowed.

    A project_mod requester grants "new_role" to a user who already holds
    project_mod; the action must stay valid through every stage and the
    role must end up assigned.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(name="*****@*****.**",
                                 password="******",
                                 email="*****@*****.**")

    starting_assignment = fake_clients.FakeRoleAssignment(
        scope={'project': {'id': project.id}},
        role_name="project_mod",
        user={'id': user.id})
    setup_identity_cache(projects=[project],
                         users=[user],
                         role_assignments=[starting_assignment])

    # Register the extra role with the fake identity backend.
    # NOTE(review): the mapping that lets project_mod grant new_role is not
    # changed in this test; presumably the test settings already list it.
    new_role = fake_clients.FakeRole("new_role")
    fake_clients.identity_cache['roles'][new_role.id] = new_role

    requester = {
        'roles': ['project_mod'],
        'project_id': project.id,
        'project_domain_id': 'default',
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    request_data = {
        'domain_id': 'default',
        'user_id': user.id,
        'project_id': project.id,
        'roles': ['new_role'],
        'inherited_roles': [],
        'remove': False
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    # The action must remain valid at each stage of its lifecycle.
    edit_action.pre_approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.post_approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.submit({})
    self.assertEqual(edit_action.valid, True)

    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(current_roles, ['project_mod', 'new_role'])
def test_edit_user_roles_modified_config_add(self):
    """
    Tests that the role mappings do come from config and a new role
    added there will be allowed.

    A project_mod requester grants "new_role" to a user who already holds
    project_mod; the action must stay valid through every stage and the
    role must end up assigned.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )

    starting_assignment = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="project_mod",
        user={"id": user.id},
    )
    setup_identity_cache(
        projects=[project], users=[user], role_assignments=[starting_assignment]
    )

    # Register the extra role with the fake identity backend.
    # NOTE(review): the mapping that lets project_mod grant new_role is not
    # changed in this test; presumably the test config already lists it.
    new_role = fake_clients.FakeRole("new_role")
    fake_clients.identity_cache["roles"][new_role.id] = new_role

    requester = {
        "roles": ["project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    request_data = {
        "domain_id": "default",
        "user_id": user.id,
        "project_id": project.id,
        "roles": ["new_role"],
        "inherited_roles": [],
        "remove": False,
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    # The action must remain valid at each stage of its lifecycle.
    edit_action.prepare()
    self.assertEqual(edit_action.valid, True)

    edit_action.approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.submit({})
    self.assertEqual(edit_action.valid, True)

    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(current_roles, ["project_mod", "new_role"])
def test_edit_user_roles_remove_complete(self):
    """
    Remove roles from user that does not have them.

    The user holds only _member_, so removing project_mod leaves nothing
    to do: the action is reported "complete" right after pre-approval and
    the user's roles are unchanged once it has been submitted.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(name="*****@*****.**",
                                 password="******",
                                 email="*****@*****.**")

    starting_assignment = fake_clients.FakeRoleAssignment(
        scope={'project': {'id': project.id}},
        role_name="_member_",
        user={'id': user.id})
    setup_identity_cache(projects=[project],
                         users=[user],
                         role_assignments=[starting_assignment])

    requester = {
        'roles': ['admin', 'project_mod'],
        'project_id': project.id,
        'project_domain_id': 'default',
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    request_data = {
        'domain_id': 'default',
        'user_id': user.id,
        'project_id': project.id,
        'roles': ['project_mod'],
        'inherited_roles': [],
        'remove': True
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    edit_action.pre_approve()
    self.assertEqual(edit_action.valid, True)
    # Nothing to remove, so the underlying action record is already done.
    self.assertEqual(edit_action.action.state, "complete")

    edit_action.post_approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.submit({})
    self.assertEqual(edit_action.valid, True)

    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(current_roles, ['_member_'])
def test_edit_user_roles_remove_complete(self):
    """
    Remove roles from user that does not have them.

    The user holds only member, so removing project_mod leaves nothing to
    do: the action is reported "complete" right after prepare() and the
    user's roles are unchanged once it has been submitted.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )

    starting_assignment = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="member",
        user={"id": user.id},
    )
    setup_identity_cache(
        projects=[project], users=[user], role_assignments=[starting_assignment]
    )

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    request_data = {
        "domain_id": "default",
        "user_id": user.id,
        "project_id": project.id,
        "roles": ["project_mod"],
        "inherited_roles": [],
        "remove": True,
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    edit_action.prepare()
    self.assertEqual(edit_action.valid, True)
    # Nothing to remove, so the underlying action record is already done.
    self.assertEqual(edit_action.action.state, "complete")

    edit_action.approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.submit({})
    self.assertEqual(edit_action.valid, True)

    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(current_roles, ["member"])
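def test_edit_user_roles_modified_settings_add(self):
    """
    Tests that the role mappings do come from settings and a new role
    added there will be allowed.

    A project_mod requester grants "new_role" to a user who already holds
    project_mod; the action must stay valid through every stage and the
    user must end up with both roles.
    """
    project = mock.Mock()
    project.id = 'test_project_id'
    project.name = 'test_project'
    project.domain = 'default'
    # Keyed by the id given to the mock user below.
    project.roles = {'user_id': ['project_mod']}

    user = mock.Mock()
    user.id = 'user_id'
    user.name = "*****@*****.**"
    user.email = "*****@*****.**"
    user.domain = 'default'

    setup_temp_cache({'test_project': project}, {user.id: user})

    # Register the extra role with the fake identity backend.
    # NOTE(review): the mapping that lets project_mod grant new_role is not
    # changed in this test; presumably the test settings already list it.
    tests.temp_cache['roles']['new_role'] = 'new_role'

    task = Task.objects.create(
        ip_address="0.0.0.0",
        keystone_user={
            'roles': ['project_mod'],
            'project_id': 'test_project_id',
            'project_domain_id': 'default',
        })

    data = {
        'domain_id': 'default',
        'user_id': 'user_id',
        'project_id': 'test_project_id',
        'roles': ['new_role'],
        'remove': False
    }

    action = EditUserRolesAction(data, task=task, order=1)

    # assertEqual replaces the deprecated assertEquals alias, which newer
    # Python releases no longer provide.
    action.pre_approve()
    self.assertEqual(action.valid, True)

    action.post_approve()
    self.assertEqual(action.valid, True)

    token_data = {}
    action.submit(token_data)
    self.assertEqual(action.valid, True)

    # Exactly two roles, compared as a set so ordering does not matter.
    self.assertEqual(len(project.roles[user.id]), 2)
    self.assertEqual(set(project.roles[user.id]),
                     {'project_mod', 'new_role'})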
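def test_edit_user_roles_can_manage_all(self):
    """
    Confirm that you cannot edit a user unless all their roles
    can be managed by you.

    The requester holds only project_mod and the target user already holds
    project_admin, so the request to add project_mod must fail validation
    and the stored roles must stay as they were.
    """
    user = mock.Mock()
    user.id = 'user_id'
    user.name = "*****@*****.**"
    user.email = "*****@*****.**"
    user.domain = 'default'

    project = mock.Mock()
    project.id = 'test_project_id'
    project.name = 'test_project'
    project.domain = 'default'
    # project_admin is presumably the role a project_mod requester may not
    # manage; that is what makes the request invalid.
    project.roles = {user.id: ['_member_', 'project_admin']}

    setup_temp_cache({'test_project': project}, {user.id: user})

    task = Task.objects.create(
        ip_address="0.0.0.0",
        keystone_user={
            'roles': ['project_mod'],
            'project_id': 'test_project_id',
            'project_domain_id': 'default',
        })

    data = {
        'domain_id': 'default',
        'user_id': 'user_id',
        'project_id': 'test_project_id',
        'roles': ['project_mod'],
        'remove': False
    }

    action = EditUserRolesAction(data, task=task, order=1)

    # assertEqual replaces the deprecated assertEquals alias, which newer
    # Python releases no longer provide.
    action.pre_approve()
    self.assertEqual(action.valid, False)

    # NOTE(review): only pre_approve() has run at this point, so this shows
    # that validation leaves the roles alone; it does not exercise
    # post_approve()/submit() on the rejected action.
    self.assertEqual(project.roles[user.id], ['_member_', 'project_admin'])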
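def test_edit_user_roles_add_complete(self):
    """
    Add roles to an existing user who already holds all of them.

    Nothing needs to change, so the action is reported "complete" right
    after pre-approval and the user still has exactly the same two roles
    once it has been submitted.
    """
    user = mock.Mock()
    user.id = 'user_id'
    user.name = "*****@*****.**"
    user.email = "*****@*****.**"
    user.domain = 'default'

    project = mock.Mock()
    project.id = 'test_project_id'
    project.name = 'test_project'
    project.domain = 'default'
    # The user already holds both roles that the request asks for.
    project.roles = {user.id: ['_member_', 'project_mod']}

    setup_temp_cache({'test_project': project}, {user.id: user})

    task = Task.objects.create(
        ip_address="0.0.0.0",
        keystone_user={
            'roles': ['admin', 'project_mod'],
            'project_id': 'test_project_id',
            'project_domain_id': 'default',
        })

    data = {
        'domain_id': 'default',
        'user_id': 'user_id',
        'project_id': 'test_project_id',
        'roles': ['_member_', 'project_mod'],
        'remove': False
    }

    action = EditUserRolesAction(data, task=task, order=1)

    # assertEqual replaces the deprecated assertEquals alias, which newer
    # Python releases no longer provide.
    action.pre_approve()
    self.assertEqual(action.valid, True)
    self.assertEqual(action.action.state, "complete")

    action.post_approve()
    self.assertEqual(action.valid, True)

    token_data = {}
    action.submit(token_data)
    self.assertEqual(action.valid, True)

    # Still exactly two roles: no duplicates were appended.
    self.assertEqual(len(project.roles[user.id]), 2)
    self.assertEqual(set(project.roles[user.id]),
                     {'_member_', 'project_mod'})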
def test_edit_user_roles_add(self):
    """
    Add roles to existing user.

    The user starts with no role assignments on the project; a requester
    holding admin and project_mod grants member and project_mod, and both
    must be present after submit.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )
    # No role_assignments are passed, so the user begins without roles.
    setup_identity_cache(projects=[project], users=[user])

    requester = {
        "roles": ["admin", "project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    request_data = {
        "domain_id": "default",
        "user_id": user.id,
        "project_id": project.id,
        "roles": ["member", "project_mod"],
        "inherited_roles": [],
        "remove": False,
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    edit_action.prepare()
    self.assertEqual(edit_action.valid, True)

    edit_action.approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.submit({})
    self.assertEqual(edit_action.valid, True)

    # Sort both sides: the order in which roles come back is not asserted.
    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(sorted(current_roles), sorted(["member", "project_mod"]))
def test_edit_user_roles_add(self):
    """
    Add roles to existing user.

    The user starts with no role assignments on the project; a requester
    holding admin and project_mod grants _member_ and project_mod, and both
    must be present after submit.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(name="*****@*****.**",
                                 password="******",
                                 email="*****@*****.**")
    # No role_assignments are passed, so the user begins without roles.
    setup_identity_cache(projects=[project], users=[user])

    requester = {
        'roles': ['admin', 'project_mod'],
        'project_id': project.id,
        'project_domain_id': 'default',
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    request_data = {
        'domain_id': 'default',
        'user_id': user.id,
        'project_id': project.id,
        'roles': ['_member_', 'project_mod'],
        'inherited_roles': [],
        'remove': False
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    edit_action.pre_approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.post_approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.submit({})
    self.assertEqual(edit_action.valid, True)

    # Sort both sides: the order in which roles come back is not asserted.
    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(sorted(current_roles),
                     sorted(['_member_', 'project_mod']))
def test_edit_user_roles_modified_settings(self):
    """
    Tests that the role mappings do come from settings and that they
    are enforced.

    The request is valid when it is created. While the settings are
    overridden so that heat_stack_owner is taken out of the project_mod
    mapping, both post-approval and submit must mark the action invalid;
    once the override ends the same action validates again and the role is
    granted. The mapping is therefore re-read at each stage rather than
    fixed when the request was made.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(name="*****@*****.**",
                                 password="******",
                                 email="*****@*****.**")

    starting_assignment = fake_clients.FakeRoleAssignment(
        scope={'project': {'id': project.id}},
        role_name="project_mod",
        user={'id': user.id})
    setup_identity_cache(projects=[project],
                         users=[user],
                         role_assignments=[starting_assignment])

    requester = {
        'roles': ['project_mod'],
        'project_id': project.id,
        'project_domain_id': 'default',
    }
    task = Task.objects.create(ip_address="0.0.0.0", keystone_user=requester)

    request_data = {
        'domain_id': 'default',
        'user_id': user.id,
        'project_id': project.id,
        'roles': ['heat_stack_owner'],
        'inherited_roles': [],
        'remove': False
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    edit_action.pre_approve()
    self.assertEqual(edit_action.valid, True)

    # Change settings: drop heat_stack_owner from what project_mod maps to.
    mapping_override = {
        'key_list': ['project_mod'],
        'operation': "remove",
        'value': 'heat_stack_owner'
    }
    with self.modify_dict_settings(ROLES_MAPPING=mapping_override):
        edit_action.post_approve()
        self.assertEqual(edit_action.valid, False)

        edit_action.submit({})
        self.assertEqual(edit_action.valid, False)

    # After Settings Reset the original mapping applies again.
    edit_action.post_approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.submit({})
    self.assertEqual(edit_action.valid, True)

    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(current_roles, ['project_mod', 'heat_stack_owner'])
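def test_edit_user_roles_modified_settings(self):
    """
    Tests that the role mappings do come from settings and that they
    are enforced.

    The request is valid when it is created. While the settings are
    overridden so that heat_stack_owner is taken out of the project_mod
    mapping, both post-approval and submit must mark the action invalid;
    once the override ends the same action validates again and the role is
    granted. The mapping is therefore re-read at each stage rather than
    fixed when the request was made.
    """
    project = mock.Mock()
    project.id = 'test_project_id'
    project.name = 'test_project'
    project.domain = 'default'
    # Keyed by the id given to the mock user below.
    project.roles = {'user_id': ['project_mod']}

    user = mock.Mock()
    user.id = 'user_id'
    user.name = "*****@*****.**"
    user.email = "*****@*****.**"
    user.domain = 'default'

    setup_temp_cache({'test_project': project}, {user.id: user})

    task = Task.objects.create(
        ip_address="0.0.0.0",
        keystone_user={
            'roles': ['project_mod'],
            'project_id': 'test_project_id',
            'project_domain_id': 'default',
        })

    data = {
        'domain_id': 'default',
        'user_id': 'user_id',
        'project_id': 'test_project_id',
        'roles': ['heat_stack_owner'],
        'remove': False
    }

    action = EditUserRolesAction(data, task=task, order=1)

    # assertEqual replaces the deprecated assertEquals alias, which newer
    # Python releases no longer provide.
    action.pre_approve()
    self.assertEqual(action.valid, True)

    # Change settings: drop heat_stack_owner from what project_mod maps to.
    with self.modify_dict_settings(ROLES_MAPPING={
            'key_list': ['project_mod'],
            'operation': "remove",
            'value': 'heat_stack_owner'}):
        action.post_approve()
        self.assertEqual(action.valid, False)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, False)

    # After Settings Reset the original mapping applies again.
    action.post_approve()
    self.assertEqual(action.valid, True)

    token_data = {}
    action.submit(token_data)
    self.assertEqual(action.valid, True)

    # Exactly two roles, compared as a set so ordering does not matter.
    self.assertEqual(len(project.roles[user.id]), 2)
    self.assertEqual(set(project.roles[user.id]),
                     {'project_mod', 'heat_stack_owner'})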
def test_edit_user_roles_modified_config(self):
    """
    Tests that the role mappings do come from config and that they
    are enforced.

    The request is valid when it is prepared. While the config override is
    active, both approve() and submit() must mark the action invalid; once
    the override ends the same action validates again and the role is
    granted. The mapping is therefore re-read at each stage rather than
    fixed when the request was made.
    """
    project = fake_clients.FakeProject(name="test_project")
    user = fake_clients.FakeUser(
        name="*****@*****.**", password="******", email="*****@*****.**"
    )

    starting_assignment = fake_clients.FakeRoleAssignment(
        scope={"project": {"id": project.id}},
        role_name="project_mod",
        user={"id": user.id},
    )
    setup_identity_cache(
        projects=[project], users=[user], role_assignments=[starting_assignment]
    )

    requester = {
        "roles": ["project_mod"],
        "project_id": project.id,
        "project_domain_id": "default",
    }
    task = Task.objects.create(keystone_user=requester)

    request_data = {
        "domain_id": "default",
        "user_id": user.id,
        "project_id": project.id,
        "roles": ["heat_stack_owner"],
        "inherited_roles": [],
        "remove": False,
    }
    edit_action = EditUserRolesAction(request_data, task=task, order=1)

    edit_action.prepare()
    self.assertEqual(edit_action.valid, True)

    # Change config: the project_mod entry is given a list that does not
    # contain heat_stack_owner (presumably replacing the default entry).
    mapping_override = {
        "adjutant.identity.role_mapping": [
            {
                "operation": "update",
                "value": {
                    "project_mod": [
                        "member",
                        "project_mod",
                    ],
                },
            },
        ],
    }
    with conf_utils.modify_conf(CONF, operations=mapping_override):
        edit_action.approve()
        self.assertEqual(edit_action.valid, False)

        edit_action.submit({})
        self.assertEqual(edit_action.valid, False)

    # After Settings Reset the original mapping applies again.
    edit_action.approve()
    self.assertEqual(edit_action.valid, True)

    edit_action.submit({})
    self.assertEqual(edit_action.valid, True)

    manager = fake_clients.FakeManager()
    current_roles = manager._get_roles_as_names(user, project)
    self.assertEqual(current_roles, ["project_mod", "heat_stack_owner"])