Esempio n. 1
0
    def test_update_domain_id_of_role_fails(self):
        # Create a global role
        role1 = unit.new_role_ref()
        role1 = self.role_api.create_role(role1['id'], role1)
        # Try and update it to be domain specific
        domainA = unit.new_domain_ref()
        role1['domain_id'] = domainA['id']
        self.assertRaises(exception.ValidationError,
                          self.role_api.update_role,
                          role1['id'],
                          role1)

        # Create a domain specific role from scratch
        role2 = unit.new_role_ref(domain_id=domainA['id'])
        self.role_api.create_role(role2['id'], role2)
        # Try to "move" it to another domain
        domainB = unit.new_domain_ref()
        role2['domain_id'] = domainB['id']
        self.assertRaises(exception.ValidationError,
                          self.role_api.update_role,
                          role2['id'],
                          role2)
        # Now try to make it global
        role2['domain_id'] = None
        self.assertRaises(exception.ValidationError,
                          self.role_api.update_role,
                          role2['id'],
                          role2)
Esempio n. 2
0
 def test_domain_specific_separation(self):
     domain1 = unit.new_domain_ref()
     role1 = unit.new_role_ref(domain_id=domain1['id'])
     role_ref1 = self.role_api.create_role(role1['id'], role1)
     self.assertDictEqual(role1, role_ref1)
     # Check we can have the same named role in a different domain
     domain2 = unit.new_domain_ref()
     role2 = unit.new_role_ref(name=role1['name'], domain_id=domain2['id'])
     role_ref2 = self.role_api.create_role(role2['id'], role2)
     self.assertDictEqual(role2, role_ref2)
     # ...and in fact that you can have the same named role as a global role
     role3 = unit.new_role_ref(name=role1['name'])
     role_ref3 = self.role_api.create_role(role3['id'], role3)
     self.assertDictEqual(role3, role_ref3)
     # Check that updating one doesn't change the others
     role1['name'] = uuid.uuid4().hex
     self.role_api.update_role(role1['id'], role1)
     role_ref1 = self.role_api.get_role(role1['id'])
     self.assertDictEqual(role1, role_ref1)
     role_ref2 = self.role_api.get_role(role2['id'])
     self.assertDictEqual(role2, role_ref2)
     role_ref3 = self.role_api.get_role(role3['id'])
     self.assertDictEqual(role3, role_ref3)
     # Check that deleting one of these, doesn't affect the others
     self.role_api.delete_role(role1['id'])
     self.assertRaises(exception.RoleNotFound,
                       self.role_api.get_role,
                       role1['id'])
     self.role_api.get_role(role2['id'])
     self.role_api.get_role(role3['id'])
Esempio n. 3
0
 def test_create_duplicate_role_domain_specific_name_fails(self):
     domain = unit.new_domain_ref()
     role1 = unit.new_role_ref(domain_id=domain['id'])
     PROVIDERS.role_api.create_role(role1['id'], role1)
     role2 = unit.new_role_ref(name=role1['name'], domain_id=domain['id'])
     self.assertRaises(exception.Conflict, PROVIDERS.role_api.create_role,
                       role2['id'], role2)
Esempio n. 4
0
 def test_domain_specific_separation(self):
     domain1 = unit.new_domain_ref()
     role1 = unit.new_role_ref(domain_id=domain1['id'])
     role_ref1 = PROVIDERS.role_api.create_role(role1['id'], role1.copy())
     self.assertDictEqual(role1, role_ref1)
     # Check we can have the same named role in a different domain
     domain2 = unit.new_domain_ref()
     role2 = unit.new_role_ref(name=role1['name'], domain_id=domain2['id'])
     role_ref2 = PROVIDERS.role_api.create_role(role2['id'], role2)
     self.assertDictEqual(role2, role_ref2)
     # ...and in fact that you can have the same named role as a global role
     role3 = unit.new_role_ref(name=role1['name'])
     role_ref3 = PROVIDERS.role_api.create_role(role3['id'], role3)
     self.assertDictEqual(role3, role_ref3)
     # Check that updating one doesn't change the others
     role1['name'] = uuid.uuid4().hex
     PROVIDERS.role_api.update_role(role1['id'], role1)
     role_ref1 = PROVIDERS.role_api.get_role(role1['id'])
     self.assertDictEqual(role1, role_ref1)
     role_ref2 = PROVIDERS.role_api.get_role(role2['id'])
     self.assertDictEqual(role2, role_ref2)
     role_ref3 = PROVIDERS.role_api.get_role(role3['id'])
     self.assertDictEqual(role3, role_ref3)
     # Check that deleting one of these, doesn't affect the others
     PROVIDERS.role_api.delete_role(role1['id'])
     self.assertRaises(exception.RoleNotFound, PROVIDERS.role_api.get_role,
                       role1['id'])
     PROVIDERS.role_api.get_role(role2['id'])
     PROVIDERS.role_api.get_role(role3['id'])
Esempio n. 5
0
 def _create_test_roles(self):
     ref = unit.new_role_ref()
     role = PROVIDERS.role_api.create_role(ref['id'], ref)
     self.prior_role_id = role['id']
     ref = unit.new_role_ref()
     role = PROVIDERS.role_api.create_role(ref['id'], ref)
     self.implied_role_id = role['id']
Esempio n. 6
0
 def test_rename_duplicate_role_name_fails(self):
     role1 = unit.new_role_ref(id='fake1', name='fake1name')
     role2 = unit.new_role_ref(id='fake2', name='fake2name')
     self.role_api.create_role('fake1', role1)
     self.role_api.create_role('fake2', role2)
     role1['name'] = 'fake2name'
     self.assertRaises(exception.Conflict, self.role_api.update_role,
                       'fake1', role1)
Esempio n. 7
0
 def test_rename_duplicate_role_name_fails(self):
     role_id1 = uuid.uuid4().hex
     role_id2 = uuid.uuid4().hex
     role1 = unit.new_role_ref(id=role_id1, name='fake1name')
     role2 = unit.new_role_ref(id=role_id2, name='fake2name')
     self.role_api.create_role(role_id1, role1)
     self.role_api.create_role(role_id2, role2)
     role1['name'] = 'fake2name'
     self.assertRaises(exception.Conflict, self.role_api.update_role,
                       role_id1, role1)
Esempio n. 8
0
 def test_create_duplicate_role_domain_specific_name_fails(self):
     domain = unit.new_domain_ref()
     role1 = unit.new_role_ref(domain_id=domain['id'])
     self.role_api.create_role(role1['id'], role1)
     role2 = unit.new_role_ref(name=role1['name'],
                               domain_id=domain['id'])
     self.assertRaises(exception.Conflict,
                       self.role_api.create_role,
                       role2['id'],
                       role2)
Esempio n. 9
0
 def test_rename_duplicate_role_name_fails(self):
     role1 = unit.new_role_ref(id='fake1', name='fake1name')
     role2 = unit.new_role_ref(id='fake2', name='fake2name')
     self.role_api.create_role('fake1', role1)
     self.role_api.create_role('fake2', role2)
     role1['name'] = 'fake2name'
     self.assertRaises(exception.Conflict,
                       self.role_api.update_role,
                       'fake1',
                       role1)
Esempio n. 10
0
 def test_rename_duplicate_role_name_fails(self):
     role_id1 = uuid.uuid4().hex
     role_id2 = uuid.uuid4().hex
     role1 = unit.new_role_ref(id=role_id1, name='fake1name')
     role2 = unit.new_role_ref(id=role_id2, name='fake2name')
     PROVIDERS.role_api.create_role(role_id1, role1)
     PROVIDERS.role_api.create_role(role_id2, role2)
     role1['name'] = 'fake2name'
     self.assertRaises(exception.Conflict,
                       PROVIDERS.role_api.update_role,
                       role_id1,
                       role1)
Esempio n. 11
0
    def test_user_can_delete_roles(self):
        role = PROVIDERS.role_api.create_role(
            uuid.uuid4().hex, unit.new_role_ref()
        )

        with self.test_client() as c:
            c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
Esempio n. 12
0
    def test_update_credential_non_owner(self):
        """Call ``PATCH /credentials/{credential_id}``."""
        alt_user = unit.create_user(PROVIDERS.identity_api,
                                    domain_id=self.domain_id)
        alt_user_id = alt_user['id']
        alt_project = unit.new_project_ref(domain_id=self.domain_id)
        alt_project_id = alt_project['id']
        PROVIDERS.resource_api.create_project(alt_project['id'], alt_project)
        alt_role = unit.new_role_ref(name='reader')
        alt_role_id = alt_role['id']
        PROVIDERS.role_api.create_role(alt_role_id, alt_role)
        PROVIDERS.assignment_api.add_role_to_user_and_project(
            alt_user_id, alt_project_id, alt_role_id)
        auth = self.build_authentication_request(user_id=alt_user_id,
                                                 password=alt_user['password'],
                                                 project_id=alt_project_id)
        ref = unit.new_credential_ref(user_id=alt_user_id,
                                      project_id=alt_project_id)
        r = self.post('/credentials', auth=auth, body={'credential': ref})
        self.assertValidCredentialResponse(r, ref)
        credential_id = r.result.get('credential')['id']

        # Cannot change the credential to be owned by another user
        update_ref = {'user_id': self.user_id, 'project_id': self.project_id}
        self.patch('/credentials/%(credential_id)s' %
                   {'credential_id': credential_id},
                   expected_status=403,
                   auth=auth,
                   body={'credential': update_ref})
Esempio n. 13
0
 def test_create_application_credential_with_trust(self):
     second_role = unit.new_role_ref(name='reader')
     PROVIDERS.role_api.create_role(second_role['id'], second_role)
     PROVIDERS.assignment_api.add_role_to_user_and_project(
         self.user_id, self.project_id, second_role['id'])
     with self.test_client() as c:
         pw_token = self.get_scoped_token()
         # create a self-trust - only the roles are important for this test
         trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id,
                                        trustee_user_id=self.user_id,
                                        project_id=self.project_id,
                                        role_ids=[second_role['id']])
         resp = c.post('/v3/OS-TRUST/trusts',
                       headers={'X-Auth-Token': pw_token},
                       json={'trust': trust_ref})
         trust_id = resp.json['trust']['id']
         trust_auth = self.build_authentication_request(
             user_id=self.user_id,
             password=self.user['password'],
             trust_id=trust_id)
         trust_token = self.v3_create_token(
             trust_auth).headers['X-Subject-Token']
         app_cred = self._app_cred_body(roles=[{'id': self.role_id}])
         # only the roles from the trust token should be allowed, even if
         # the user has the role assigned on the project
         c.post('/v3/users/%s/application_credentials' % self.user_id,
                headers={'X-Auth-Token': trust_token},
                json=app_cred,
                expected_status_code=http.client.BAD_REQUEST)
Esempio n. 14
0
    def test_user_cannot_list_roles(self):
        PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref())

        with self.test_client() as c:
            c.get('/v3/roles',
                  headers=self.headers,
                  expected_status_code=http.client.FORBIDDEN)
Esempio n. 15
0
    def test_user_can_delete_roles(self):
        role = PROVIDERS.role_api.create_role(
            uuid.uuid4().hex,
            unit.new_role_ref(domain_id=CONF.identity.default_domain_id))

        with self.test_client() as c:
            c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
Esempio n. 16
0
    def test_user_can_get_a_role(self):
        role = PROVIDERS.role_api.create_role(uuid.uuid4().hex,
                                              unit.new_role_ref())

        with self.test_client() as c:
            r = c.get('/v3/roles/%s' % role['id'], headers=self.headers)
            self.assertEqual(role['id'], r.json['role']['id'])
Esempio n. 17
0
 def _create_three_roles():
     id_list = []
     for _ in range(3):
         role = unit.new_role_ref()
         self.role_api.create_role(role['id'], role)
         id_list.append(role['id'])
     return id_list
Esempio n. 18
0
 def _create_three_roles():
     id_list = []
     for _ in range(3):
         role = unit.new_role_ref()
         self.role_api.create_role(role['id'], role)
         id_list.append(role['id'])
     return id_list
    def setUp(self):
        super(SecurityRequirementsTestCase, self).setUp()

        # Create a user in the default domain
        self.non_admin_user = unit.create_user(self.identity_api,
                                               CONF.identity.default_domain_id)

        # Create an admin in the default domain
        self.admin_user = unit.create_user(self.identity_api,
                                           CONF.identity.default_domain_id)

        # Create a project in the default domain and a non-admin role
        self.project = unit.new_project_ref(
            domain_id=CONF.identity.default_domain_id)
        self.resource_api.create_project(self.project['id'], self.project)
        self.non_admin_role = unit.new_role_ref(name='not_admin')
        self.role_api.create_role(self.non_admin_role['id'],
                                  self.non_admin_role)

        # Give the non-admin user a role on the project
        self.assignment_api.add_role_to_user_and_project(
            self.non_admin_user['id'], self.project['id'], self.role['id'])

        # Give the user the admin role on the project, which is technically
        # `self.role` because RestfulTestCase sets that up for us.
        self.assignment_api.add_role_to_user_and_project(
            self.admin_user['id'], self.project['id'], self.role_id)
Esempio n. 20
0
 def test_assignment_created_with_role_exists(self):
     # test assignment can be created if role already exists.
     bootstrap = cli.BootStrap()
     bootstrap.resource_manager.create_domain(self.default_domain["id"], self.default_domain)
     role = unit.new_role_ref(name=self.role_name)
     bootstrap.role_manager.create_role(role["id"], role)
     self._do_test_bootstrap(bootstrap)
Esempio n. 21
0
 def test_update_role_unset_immutable(self):
     role = unit.new_role_ref()
     role_id = role['id']
     role['options'][ro_opt.IMMUTABLE_OPT.option_name] = True
     PROVIDERS.role_api.create_role(role_id, role)
     role_via_manager = PROVIDERS.role_api.get_role(role_id)
     self.assertTrue('options' in role_via_manager)
     self.assertTrue(
         role_via_manager['options'][ro_opt.IMMUTABLE_OPT.option_name])
     update_role = {'options': {ro_opt.IMMUTABLE_OPT.option_name: False}}
     PROVIDERS.role_api.update_role(role_id, update_role)
     role_via_manager = PROVIDERS.role_api.get_role(role_id)
     self.assertTrue('options' in role_via_manager)
     self.assertTrue(
         ro_opt.IMMUTABLE_OPT.option_name in role_via_manager['options'])
     self.assertFalse(
         role_via_manager['options'][ro_opt.IMMUTABLE_OPT.option_name])
     update_role = {'options': {ro_opt.IMMUTABLE_OPT.option_name: None}}
     role_updated = PROVIDERS.role_api.update_role(role_id, update_role)
     role_via_manager = PROVIDERS.role_api.get_role(role_id)
     self.assertTrue('options' in role_updated)
     self.assertTrue('options' in role_via_manager)
     self.assertFalse(
         ro_opt.IMMUTABLE_OPT.option_name in role_updated['options'])
     self.assertFalse(
         ro_opt.IMMUTABLE_OPT.option_name in role_via_manager['options'])
Esempio n. 22
0
 def test_update_role_set_immutable_with_additional_updates(self):
     role = unit.new_role_ref()
     role_id = role['id']
     PROVIDERS.role_api.create_role(role_id, role)
     update_role = {
         'name': uuid.uuid4().hex,
         'options': {
             ro_opt.IMMUTABLE_OPT.option_name: True
         }
     }
     role_via_manager = PROVIDERS.role_api.get_role(role_id)
     self.assertTrue('options' in role_via_manager)
     self.assertFalse(
         ro_opt.IMMUTABLE_OPT.option_name in role_via_manager['options'])
     role_update = PROVIDERS.role_api.update_role(role_id, update_role)
     role_via_manager = PROVIDERS.role_api.get_role(role_id)
     self.assertEqual(role_update['name'], update_role['name'])
     self.assertEqual(role_via_manager['name'], update_role['name'])
     self.assertTrue(
         ro_opt.IMMUTABLE_OPT.option_name in role_update['options'])
     self.assertTrue(
         role_update['options'][ro_opt.IMMUTABLE_OPT.option_name])
     self.assertTrue(
         ro_opt.IMMUTABLE_OPT.option_name in role_via_manager['options'])
     self.assertTrue(
         role_via_manager['options'][ro_opt.IMMUTABLE_OPT.option_name])
Esempio n. 23
0
 def test_cannot_delete_immutable_role(self):
     role = unit.new_role_ref()
     role_id = role['id']
     role['options'][ro_opt.IMMUTABLE_OPT.option_name] = True
     PROVIDERS.role_api.create_role(role_id, role)
     self.assertRaises(exception.ResourceDeleteForbidden,
                       PROVIDERS.role_api.delete_role, role_id)
Esempio n. 24
0
    def test_can_get_security_compliance_config_with_user_from_other_domain(self):  # noqa: E501
        domain = unit.new_domain_ref()
        PROVIDERS.resource_api.create_domain(domain['id'], domain)

        # Create a user in the new domain
        user = unit.create_user(PROVIDERS.identity_api, domain['id'])

        # Create a project in the new domain
        project = unit.new_project_ref(domain_id=domain['id'])
        PROVIDERS.resource_api.create_project(project['id'], project)

        role = unit.new_role_ref()
        PROVIDERS.role_api.create_role(role['id'], role)

        # Give the new user a non-admin role on the project
        PROVIDERS.assignment_api.add_role_to_user_and_project(
            user['id'],
            project['id'],
            role['id']
        )
        password_regex = uuid.uuid4().hex
        password_regex_description = uuid.uuid4().hex
        group = 'security_compliance'
        self.config_fixture.config(
            group=group,
            password_regex=password_regex
        )
        self.config_fixture.config(
            group=group,
            password_regex_description=password_regex_description
        )
        with self.test_client() as c:
            c.get('/v3/domains/%s/config/security_compliance'
                  % CONF.identity.default_domain_id, headers=self.headers)
Esempio n. 25
0
    def test_app_cred_ec2_credential(self):
        """Test creating ec2 credential from an application credential.

        Call ``POST /credentials``.
        """
        # Create the app cred
        ref = unit.new_application_credential_ref(roles=[{'id': self.role_id}])
        del ref['id']
        r = self.post('/users/%s/application_credentials' % self.user_id,
                      body={'application_credential': ref})
        app_cred = r.result['application_credential']

        # Get an application credential token
        auth_data = self.build_authentication_request(
            app_cred_id=app_cred['id'],
            secret=app_cred['secret'])
        r = self.v3_create_token(auth_data)
        token_id = r.headers.get('X-Subject-Token')

        # Create the credential with the app cred token
        blob, ref = unit.new_ec2_credential(user_id=self.user_id,
                                            project_id=self.project_id)
        r = self.post('/credentials', body={'credential': ref}, token=token_id)

        # We expect the response blob to contain the app_cred_id
        ret_ref = ref.copy()
        ret_blob = blob.copy()
        ret_blob['app_cred_id'] = app_cred['id']
        ret_ref['blob'] = json.dumps(ret_blob)
        self.assertValidCredentialResponse(r, ref=ret_ref)

        # Assert credential id is same as hash of access key id for
        # ec2 credentials
        access = blob['access'].encode('utf-8')
        self.assertEqual(hashlib.sha256(access).hexdigest(),
                         r.result['credential']['id'])

        # Create a role assignment to ensure that it is ignored and only the
        # roles in the app cred are used
        role = unit.new_role_ref(name='reader')
        role_id = role['id']
        PROVIDERS.role_api.create_role(role_id, role)
        PROVIDERS.assignment_api.add_role_to_user_and_project(
            self.user_id, self.project_id, role_id)

        ret_blob = json.loads(r.result['credential']['blob'])
        ec2token = self._test_get_token(
            access=ret_blob['access'], secret=ret_blob['secret'])
        ec2_roles = [role['id'] for role in ec2token['roles']]
        self.assertIn(self.role_id, ec2_roles)
        self.assertNotIn(role_id, ec2_roles)

        # Create second ec2 credential with the same access key id and check
        # for conflict.
        self.post(
            '/credentials',
            body={'credential': ref},
            token=token_id,
            expected_status=http.client.CONFLICT)
Esempio n. 26
0
    def test_user_can_get_a_role(self):
        role = PROVIDERS.role_api.create_role(
            uuid.uuid4().hex, unit.new_role_ref()
        )

        with self.test_client() as c:
            r = c.get('/v3/roles/%s' % role['id'], headers=self.headers)
            self.assertEqual(role['id'], r.json['role']['id'])
Esempio n. 27
0
    def test_user_cannot_create_roles(self):
        create = {'role': unit.new_role_ref()}

        with self.test_client() as c:
            c.post(
                '/v3/roles', json=create, headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )
Esempio n. 28
0
 def test_create_duplicate_role_name_fails(self):
     role = unit.new_role_ref(id='fake1', name='fake1name')
     self.role_api.create_role('fake1', role)
     role['id'] = 'fake2'
     self.assertRaises(exception.Conflict,
                       self.role_api.create_role,
                       'fake2',
                       role)
Esempio n. 29
0
    def test_user_cannot_delete_roles(self):
        role = PROVIDERS.role_api.create_role(uuid.uuid4().hex,
                                              unit.new_role_ref())

        with self.test_client() as c:
            c.delete('/v3/roles/%s' % role['id'],
                     headers=self.headers,
                     expected_status_code=http.client.FORBIDDEN)
Esempio n. 30
0
    def test_user_can_create_roles(self):
        create = {
            'role':
            unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
        }

        with self.test_client() as c:
            c.post('/v3/roles', json=create, headers=self.headers)
Esempio n. 31
0
    def test_user_cannot_list_roles(self):
        PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref())

        with self.test_client() as c:
            c.get(
                '/v3/roles', headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )
Esempio n. 32
0
 def test_create_duplicate_role_name_fails(self):
     role_id = uuid.uuid4().hex
     role = unit.new_role_ref(id=role_id, name='fake1name')
     self.role_api.create_role(role_id, role)
     new_role_id = uuid.uuid4().hex
     role['id'] = new_role_id
     self.assertRaises(exception.Conflict, self.role_api.create_role,
                       new_role_id, role)
Esempio n. 33
0
 def test_assignment_created_with_role_exists(self):
     # test assignment can be created if role already exists.
     bootstrap = cli.BootStrap()
     bootstrap.resource_manager.create_domain(self.default_domain['id'],
                                              self.default_domain)
     role = unit.new_role_ref(name=self.role_name)
     bootstrap.role_manager.create_role(role['id'], role)
     self._do_test_bootstrap(bootstrap)
Esempio n. 34
0
 def test_cannot_update_immutable_role(self):
     role = unit.new_role_ref()
     role_id = role['id']
     role['options'][ro_opt.IMMUTABLE_OPT.option_name] = True
     PROVIDERS.role_api.create_role(role_id, role)
     update_role = {'name': uuid.uuid4().hex}
     self.assertRaises(exception.ResourceUpdateForbidden,
                       PROVIDERS.role_api.update_role, role_id, update_role)
Esempio n. 35
0
    def test_user_cannot_create_roles(self):
        create = {'role': unit.new_role_ref()}

        with self.test_client() as c:
            c.post('/v3/roles',
                   json=create,
                   headers=self.headers,
                   expected_status_code=http.client.FORBIDDEN)
 def test_create_null_role_name(self):
     role = unit.new_role_ref(name=None)
     self.assertRaises(exception.UnexpectedError,
                       self.role_api.create_role,
                       role['id'],
                       role)
     self.assertRaises(exception.RoleNotFound,
                       self.role_api.get_role,
                       role['id'])
Esempio n. 37
0
 def test_config_option_no_events(self):
     self.config_fixture.config(notification_format="basic")
     role_ref = unit.new_role_ref()
     self.role_api.create_role(role_ref["id"], role_ref)
     # The regular notifications will still be emitted, since they are
     # used for callback handling.
     self._assert_last_note(role_ref["id"], CREATED_OPERATION, "role")
     # No audit event should have occurred
     self.assertEqual(0, len(self._audits))
Esempio n. 38
0
    def test_user_can_list_roles(self):
        PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref())

        with self.test_client() as c:
            r = c.get('/v3/roles', headers=self.headers)
            # With bootstrap setup and the role we just created, there should
            # be four roles present in the deployment. Bootstrap creates
            # ``admin``, ``member``, and ``reader``.
            self.assertEqual(4, len(r.json['roles']))
Esempio n. 39
0
    def test_user_can_list_roles(self):
        PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref())

        with self.test_client() as c:
            r = c.get('/v3/roles', headers=self.headers)
            # With bootstrap setup and the role we just created, there should
            # be four roles present in the deployment. Bootstrap creates
            # ``admin``, ``member``, and ``reader``.
            self.assertEqual(4, len(r.json['roles']))
Esempio n. 40
0
    def test_user_cannot_list_domain_roles(self):
        PROVIDERS.role_api.create_role(
            uuid.uuid4().hex,
            unit.new_role_ref(domain_id=CONF.identity.default_domain_id))

        with self.test_client() as c:
            c.get('/v3/roles',
                  headers=self.headers,
                  expected_status_code=http_client.FORBIDDEN)
Esempio n. 41
0
    def test_user_cannot_delete_roles(self):
        role = PROVIDERS.role_api.create_role(
            uuid.uuid4().hex, unit.new_role_ref()
        )

        with self.test_client() as c:
            c.delete(
                '/v3/roles/%s' % role['id'], headers=self.headers,
                expected_status_code=http_client.FORBIDDEN
            )
Esempio n. 42
0
 def test_create_duplicate_role_name_fails(self):
     role_id = uuid.uuid4().hex
     role = unit.new_role_ref(id=role_id, name='fake1name')
     PROVIDERS.role_api.create_role(role_id, role)
     new_role_id = uuid.uuid4().hex
     role['id'] = new_role_id
     self.assertRaises(exception.Conflict,
                       PROVIDERS.role_api.create_role,
                       new_role_id,
                       role)
Esempio n. 43
0
    def test_user_can_list_domain_roles(self):
        PROVIDERS.role_api.create_role(
            uuid.uuid4().hex,
            unit.new_role_ref(domain_id=CONF.identity.default_domain_id))

        with self.test_client() as c:
            r = c.get('/v3/roles?domain_id=%s' %
                      CONF.identity.default_domain_id,
                      headers=self.headers)
            self.assertEqual(1, len(r.json['roles']))
    def test_validate_v3_token_trust(self):
        # Check the trust fields in the token result when use validate_v3_token
        # when the token has trust info.

        domain_ref = unit.new_domain_ref()
        domain_ref = PROVIDERS.resource_api.create_domain(
            domain_ref['id'], domain_ref
        )

        user_ref = unit.new_user_ref(domain_ref['id'])
        user_ref = PROVIDERS.identity_api.create_user(user_ref)

        trustor_user_ref = unit.new_user_ref(domain_ref['id'])
        trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref)

        project_ref = unit.new_project_ref(domain_id=domain_ref['id'])
        project_ref = PROVIDERS.resource_api.create_project(
            project_ref['id'], project_ref
        )

        role_ref = unit.new_role_ref()
        role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref)

        PROVIDERS.assignment_api.create_grant(
            role_ref['id'], user_id=user_ref['id'],
            project_id=project_ref['id'])

        PROVIDERS.assignment_api.create_grant(
            role_ref['id'], user_id=trustor_user_ref['id'],
            project_id=project_ref['id'])

        trustor_user_id = trustor_user_ref['id']
        trustee_user_id = user_ref['id']
        trust_ref = unit.new_trust_ref(
            trustor_user_id, trustee_user_id, project_id=project_ref['id'],
            role_ids=[role_ref['id'], ])
        trust_ref = PROVIDERS.trust_api.create_trust(
            trust_ref['id'], trust_ref, trust_ref['roles']
        )

        method_names = ['password']

        token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
            user_ref['id'], method_names, project_id=project_ref['id'],
            trust=trust_ref)

        token_data = PROVIDERS.token_provider_api.validate_token(token_id)
        token = token_data['token']
        exp_trust_info = {
            'id': trust_ref['id'],
            'impersonation': False,
            'trustee_user': {'id': user_ref['id'], },
            'trustor_user': {'id': trustor_user_ref['id'], },
        }
        self.assertEqual(exp_trust_info, token['OS-TRUST:trust'])
    def test_validate_v3_token_trust(self):
        # Check the trust fields in the token result when use validate_v3_token
        # when the token has trust info.

        domain_ref = unit.new_domain_ref()
        domain_ref = PROVIDERS.resource_api.create_domain(
            domain_ref['id'], domain_ref
        )

        user_ref = unit.new_user_ref(domain_ref['id'])
        user_ref = PROVIDERS.identity_api.create_user(user_ref)

        trustor_user_ref = unit.new_user_ref(domain_ref['id'])
        trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref)

        project_ref = unit.new_project_ref(domain_id=domain_ref['id'])
        project_ref = PROVIDERS.resource_api.create_project(
            project_ref['id'], project_ref
        )

        role_ref = unit.new_role_ref()
        role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref)

        PROVIDERS.assignment_api.create_grant(
            role_ref['id'], user_id=user_ref['id'],
            project_id=project_ref['id'])

        PROVIDERS.assignment_api.create_grant(
            role_ref['id'], user_id=trustor_user_ref['id'],
            project_id=project_ref['id'])

        trustor_user_id = trustor_user_ref['id']
        trustee_user_id = user_ref['id']
        trust_ref = unit.new_trust_ref(
            trustor_user_id, trustee_user_id, project_id=project_ref['id'],
            role_ids=[role_ref['id'], ])
        trust_ref = PROVIDERS.trust_api.create_trust(
            trust_ref['id'], trust_ref, trust_ref['roles']
        )

        method_names = ['password']

        token_id, token_data_ = PROVIDERS.token_provider_api.issue_token(
            user_ref['id'], method_names, project_id=project_ref['id'],
            trust=trust_ref)

        token_data = PROVIDERS.token_provider_api.validate_token(token_id)
        token = token_data['token']
        exp_trust_info = {
            'id': trust_ref['id'],
            'impersonation': False,
            'trustee_user': {'id': user_ref['id'], },
            'trustor_user': {'id': trustor_user_ref['id'], },
        }
        self.assertEqual(exp_trust_info, token['OS-TRUST:trust'])
Esempio n. 46
0
    def load_sample_data(self):
        self._populate_default_domain()
        self.domain = unit.new_domain_ref()
        self.domain_id = self.domain['id']
        self.resource_api.create_domain(self.domain_id, self.domain)

        self.project = unit.new_project_ref(domain_id=self.domain_id)
        self.project_id = self.project['id']
        self.resource_api.create_project(self.project_id, self.project)

        self.user = unit.create_user(self.identity_api,
                                     domain_id=self.domain_id)
        self.user_id = self.user['id']

        self.default_domain_project_id = uuid.uuid4().hex
        self.default_domain_project = unit.new_project_ref(
            domain_id=DEFAULT_DOMAIN_ID)
        self.default_domain_project['id'] = self.default_domain_project_id
        self.resource_api.create_project(self.default_domain_project_id,
                                         self.default_domain_project)

        self.default_domain_user = unit.create_user(
            self.identity_api,
            domain_id=DEFAULT_DOMAIN_ID)
        self.default_domain_user_id = self.default_domain_user['id']

        # create & grant policy.json's default role for admin_required
        self.role = unit.new_role_ref(name='admin')
        self.role_id = self.role['id']
        self.role_api.create_role(self.role_id, self.role)
        self.assignment_api.add_role_to_user_and_project(
            self.user_id, self.project_id, self.role_id)
        self.assignment_api.add_role_to_user_and_project(
            self.default_domain_user_id, self.default_domain_project_id,
            self.role_id)
        self.assignment_api.add_role_to_user_and_project(
            self.default_domain_user_id, self.project_id,
            self.role_id)

        self.region = unit.new_region_ref()
        self.region_id = self.region['id']
        self.catalog_api.create_region(self.region)

        self.service = unit.new_service_ref()
        self.service_id = self.service['id']
        self.catalog_api.create_service(self.service_id, self.service.copy())

        self.endpoint = unit.new_endpoint_ref(service_id=self.service_id,
                                              interface='public',
                                              region_id=self.region_id)
        self.endpoint_id = self.endpoint['id']
        self.catalog_api.create_endpoint(self.endpoint_id,
                                         self.endpoint.copy())
        # The server adds 'enabled' and defaults to True.
        self.endpoint['enabled'] = True
Esempio n. 47
0
    def test_user_can_update_roles(self):
        role = PROVIDERS.role_api.create_role(
            uuid.uuid4().hex, unit.new_role_ref()
        )

        update = {'role': {'description': uuid.uuid4().hex}}

        with self.test_client() as c:
            c.patch(
                '/v3/roles/%s' % role['id'], json=update, headers=self.headers,
            )
Esempio n. 48
0
    def _load_sample_data(self):
        self.project_id = uuid.uuid4().hex
        self.project_name = uuid.uuid4().hex
        self.protocol_id = 'x509'

        # 1) Create a domain for the user.
        self.domain = unit.new_domain_ref()
        self.domain_id = self.domain['id']
        self.domain_name = self.domain['name']
        self.resource_api.create_domain(self.domain_id, self.domain)

        # 2) Create a project for the user.
        self.project = {
            'description': uuid.uuid4().hex,
            'domain_id': self.domain_id,
            'enabled': True,
            'id': self.project_id,
            'name': self.project_name,
        }

        self.resource_api.create_project(self.project_id, self.project)

        # 3) Create a user in new domain.
        self.user = unit.new_user_ref(domain_id=self.domain_id,
                                      project_id=self.project_id)

        self.user = self.identity_api.create_user(self.user)

        # Add IDP
        self.idp = self._idp_ref(id=self.idp_id)
        self.federation_api.create_idp(self.idp['id'],
                                       self.idp)

        # Add a role
        self.role = unit.new_role_ref()
        self.role_id = self.role['id']
        self.role_name = self.role['name']
        self.role_api.create_role(self.role_id, self.role)

        # Add a group
        self.group = unit.new_group_ref(domain_id=self.domain_id)
        self.group = self.identity_api.create_group(self.group)

        # Assign a role to the user on a project
        self.assignment_api.add_role_to_user_and_project(
            user_id=self.user['id'],
            tenant_id=self.project_id,
            role_id=self.role_id)

        # Assign a role to the group on a project
        self.assignment_api.create_grant(
            role_id=self.role_id,
            group_id=self.group['id'],
            project_id=self.project_id)
Esempio n. 49
0
 def test_delete_trust(self):
     trustor = unit.new_user_ref(domain_id=self.domain_id)
     trustor = self.identity_api.create_user(trustor)
     trustee = unit.new_user_ref(domain_id=self.domain_id)
     trustee = self.identity_api.create_user(trustee)
     role_ref = unit.new_role_ref()
     trust_ref = unit.new_trust_ref(trustor["id"], trustee["id"])
     self.trust_api.create_trust(trust_ref["id"], trust_ref, [role_ref])
     self.trust_api.delete_trust(trust_ref["id"])
     self._assert_last_note(trust_ref["id"], DELETED_OPERATION, "OS-TRUST:trust")
     self._assert_last_audit(trust_ref["id"], DELETED_OPERATION, "OS-TRUST:trust", cadftaxonomy.SECURITY_TRUST)
Esempio n. 50
0
    def test_user_cannot_update_roles(self):
        role = PROVIDERS.role_api.create_role(uuid.uuid4().hex,
                                              unit.new_role_ref())

        update = {'role': {'description': uuid.uuid4().hex}}

        with self.test_client() as c:
            c.patch('/v3/roles/%s' % role['id'],
                    json=update,
                    headers=self.headers,
                    expected_status_code=http.client.FORBIDDEN)
 def test_role_duplicate_conflict_gives_name(self):
     role = unit.new_role_ref()
     self.role_api.create_role(role['id'], role)
     role['id'] = uuid.uuid4().hex
     try:
         self.role_api.create_role(role['id'], role)
     except exception.Conflict as e:
         self.assertIn("Duplicate entry found with name %s" % role['name'],
                       repr(e))
     else:
         self.fail("Create duplicate role did not raise a conflict")
Esempio n. 52
0
 def test_role_duplicate_conflict_gives_name(self):
     role = unit.new_role_ref()
     self.role_api.create_role(role['id'], role)
     role['id'] = uuid.uuid4().hex
     try:
         self.role_api.create_role(role['id'], role)
     except exception.Conflict as e:
         self.assertIn("Duplicate entry found with name %s" % role['name'],
                       repr(e))
     else:
         self.fail("Create duplicate role did not raise a conflict")
Esempio n. 53
0
 def test_delete_project_with_user_association(self):
     user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
     user = PROVIDERS.identity_api.create_user(user)
     role_member = unit.new_role_ref()
     PROVIDERS.role_api.create_role(role_member['id'], role_member)
     PROVIDERS.assignment_api.add_role_to_user_and_project(
         user['id'], self.tenant_bar['id'], role_member['id']
     )
     PROVIDERS.resource_api.delete_project(self.tenant_bar['id'])
     tenants = PROVIDERS.assignment_api.list_projects_for_user(user['id'])
     self.assertEqual([], tenants)
Esempio n. 54
0
    def test_user_cannot_create_domain_roles(self):
        create = {
            'role':
            unit.new_role_ref(domain_id=CONF.identity.default_domain_id)
        }

        with self.test_client() as c:
            c.post('/v3/roles',
                   json=create,
                   headers=self.headers,
                   expected_status_code=http_client.FORBIDDEN)
Esempio n. 55
0
    def test_delete_group_without_role_does_not_revoke_users(self):
        revocation_backend = sql.Revoke()
        domain = unit.new_domain_ref()
        PROVIDERS.resource_api.create_domain(domain['id'], domain)
        # Create two groups. Group1 will be used to test deleting a group,
        # without role assignments and users in the group, doesn't create
        # revoked events. Group2 will show that deleting a group with role
        # assignment and users in the group does create revoked events
        group1 = unit.new_group_ref(domain_id=domain['id'])
        group1 = PROVIDERS.identity_api.create_group(group1)
        group2 = unit.new_group_ref(domain_id=domain['id'])
        group2 = PROVIDERS.identity_api.create_group(group2)
        role = unit.new_role_ref()
        PROVIDERS.role_api.create_role(role['id'], role)
        user1 = unit.new_user_ref(domain_id=domain['id'])
        user1 = PROVIDERS.identity_api.create_user(user1)
        user2 = unit.new_user_ref(domain_id=domain['id'])
        user2 = PROVIDERS.identity_api.create_user(user2)

        # Add two users to the group, verify they are added, delete group, and
        # check that the revocaiton events have not been created
        PROVIDERS.identity_api.add_user_to_group(
            user_id=user1['id'], group_id=group1['id']
        )
        PROVIDERS.identity_api.add_user_to_group(
            user_id=user2['id'], group_id=group1['id']
        )
        self.assertEqual(
            2, len(PROVIDERS.identity_api.list_users_in_group(group1['id'])))
        PROVIDERS.identity_api.delete_group(group1['id'])
        self.assertEqual(0, len(revocation_backend.list_events()))

        # Assign a role to the group, add two users to the group, verify that
        # the role has been assigned to the group, verify the users have been
        # added to the group, delete the group, check that the revocation
        # events have been created
        PROVIDERS.assignment_api.create_grant(
            group_id=group2['id'], domain_id=domain['id'], role_id=role['id']
        )
        grants = PROVIDERS.assignment_api.list_role_assignments(
            role_id=role['id']
        )
        self.assertThat(grants, matchers.HasLength(1))
        PROVIDERS.identity_api.add_user_to_group(
            user_id=user1['id'], group_id=group2['id']
        )
        PROVIDERS.identity_api.add_user_to_group(
            user_id=user2['id'], group_id=group2['id']
        )
        self.assertEqual(
            2, len(PROVIDERS.identity_api.list_users_in_group(group2['id'])))
        PROVIDERS.identity_api.delete_group(group2['id'])
        self.assertEqual(2, len(revocation_backend.list_events()))
Esempio n. 56
0
 def test_delete_user_with_project_association(self):
     user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
     user = PROVIDERS.identity_api.create_user(user)
     role_member = unit.new_role_ref()
     PROVIDERS.role_api.create_role(role_member['id'], role_member)
     PROVIDERS.assignment_api.add_role_to_user_and_project(
         user['id'], self.tenant_bar['id'], role_member['id']
     )
     PROVIDERS.identity_api.delete_user(user['id'])
     self.assertRaises(exception.UserNotFound,
                       PROVIDERS.assignment_api.list_projects_for_user,
                       user['id'])
Esempio n. 57
0
    def load_sample_data(self):
        """Create sample data for these tests.

        As well as the usual housekeeping, create a set of domains,
        users, roles and projects for the subsequent tests:

        - Three domains: A,B & C.  C is disabled.
        - DomainA has user1, DomainB has user2 and user3
        - DomainA has group1 and group2, DomainB has group3
        - User1 has a role on DomainA

        Remember that there will also be a fourth domain in existence,
        the default domain.

        """
        # Start by creating a few domains
        self._populate_default_domain()
        self.domainA = unit.new_domain_ref()
        self.resource_api.create_domain(self.domainA['id'], self.domainA)
        self.domainB = unit.new_domain_ref()
        self.resource_api.create_domain(self.domainB['id'], self.domainB)
        self.domainC = unit.new_domain_ref()
        self.domainC['enabled'] = False
        self.resource_api.create_domain(self.domainC['id'], self.domainC)

        # Now create some users, one in domainA and two of them in domainB
        self.user1 = self.new_user_ref(domain_id=self.domainA['id'])
        password = uuid.uuid4().hex
        self.user1['password'] = password
        self.user1 = self.identity_api.create_user(self.user1)
        self.user1['password'] = password

        self.user2 = self.new_user_ref(domain_id=self.domainB['id'])
        self.user2['password'] = password
        self.user2 = self.identity_api.create_user(self.user2)
        self.user2['password'] = password

        self.user3 = self.new_user_ref(domain_id=self.domainB['id'])
        self.user3['password'] = password
        self.user3 = self.identity_api.create_user(self.user3)
        self.user3['password'] = password

        self.role = unit.new_role_ref()
        self.role_api.create_role(self.role['id'], self.role)
        self.assignment_api.create_grant(self.role['id'],
                                         user_id=self.user1['id'],
                                         domain_id=self.domainA['id'])

        # A default auth request we can use - un-scoped user token
        self.auth = self.build_authentication_request(
            user_id=self.user1['id'],
            password=self.user1['password'])
    def test_configurable_allowed_role_actions(self):
        role = unit.new_role_ref(id=u'fäké1', name=u'fäké1')
        self.role_api.create_role(u'fäké1', role)
        role_ref = self.role_api.get_role(u'fäké1')
        self.assertEqual(u'fäké1', role_ref['id'])

        role['name'] = u'fäké2'
        self.role_api.update_role(u'fäké1', role)

        self.role_api.delete_role(u'fäké1')
        self.assertRaises(exception.RoleNotFound,
                          self.role_api.get_role,
                          u'fäké1')
Esempio n. 59
0
    def test_create_trust_with_role_name_ambiguous_returns_bad_request(self):
        # Create second role with the same name
        role_ref = unit.new_role_ref(name=self.role['name'],
                                     domain_id=uuid.uuid4().hex)
        self.post('/roles', body={'role': role_ref})

        ref = unit.new_trust_ref(
            trustor_user_id=self.user_id,
            trustee_user_id=self.trustee_user_id,
            project_id=self.project_id,
            role_names=[self.role['name']]
        )
        self.post('/OS-TRUST/trusts', body={'trust': ref},
                  expected_status=http_client.BAD_REQUEST)
Esempio n. 60
0
    def _load_sample_data(self):
        self.protocol_id = 'x509'

        # 1) Create a domain for the user.
        self.domain = unit.new_domain_ref()
        self.domain_id = self.domain['id']
        self.domain_name = self.domain['name']
        PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)

        # 2) Create a project for the user.
        self.project = unit.new_project_ref(domain_id=self.domain_id)
        self.project_id = self.project['id']
        self.project_name = self.project['name']

        PROVIDERS.resource_api.create_project(self.project_id, self.project)

        # 3) Create a user in new domain.
        self.user = unit.new_user_ref(domain_id=self.domain_id,
                                      project_id=self.project_id)

        self.user = PROVIDERS.identity_api.create_user(self.user)

        # Add IDP
        self.idp = self._idp_ref(id=self.idp_id)
        PROVIDERS.federation_api.create_idp(
            self.idp['id'], self.idp
        )

        # Add a role
        self.role = unit.new_role_ref()
        self.role_id = self.role['id']
        self.role_name = self.role['name']
        PROVIDERS.role_api.create_role(self.role_id, self.role)

        # Add a group
        self.group = unit.new_group_ref(domain_id=self.domain_id)
        self.group = PROVIDERS.identity_api.create_group(self.group)

        # Assign a role to the user on a project
        PROVIDERS.assignment_api.add_role_to_user_and_project(
            user_id=self.user['id'],
            tenant_id=self.project_id,
            role_id=self.role_id)

        # Assign a role to the group on a project
        PROVIDERS.assignment_api.create_grant(
            role_id=self.role_id,
            group_id=self.group['id'],
            project_id=self.project_id)