def test_update_domain_id_of_role_fails(self): # Create a global role role1 = unit.new_role_ref() role1 = self.role_api.create_role(role1['id'], role1) # Try and update it to be domain specific domainA = unit.new_domain_ref() role1['domain_id'] = domainA['id'] self.assertRaises(exception.ValidationError, self.role_api.update_role, role1['id'], role1) # Create a domain specific role from scratch role2 = unit.new_role_ref(domain_id=domainA['id']) self.role_api.create_role(role2['id'], role2) # Try to "move" it to another domain domainB = unit.new_domain_ref() role2['domain_id'] = domainB['id'] self.assertRaises(exception.ValidationError, self.role_api.update_role, role2['id'], role2) # Now try to make it global role2['domain_id'] = None self.assertRaises(exception.ValidationError, self.role_api.update_role, role2['id'], role2)
def test_domain_specific_separation(self): domain1 = unit.new_domain_ref() role1 = unit.new_role_ref(domain_id=domain1['id']) role_ref1 = self.role_api.create_role(role1['id'], role1) self.assertDictEqual(role1, role_ref1) # Check we can have the same named role in a different domain domain2 = unit.new_domain_ref() role2 = unit.new_role_ref(name=role1['name'], domain_id=domain2['id']) role_ref2 = self.role_api.create_role(role2['id'], role2) self.assertDictEqual(role2, role_ref2) # ...and in fact that you can have the same named role as a global role role3 = unit.new_role_ref(name=role1['name']) role_ref3 = self.role_api.create_role(role3['id'], role3) self.assertDictEqual(role3, role_ref3) # Check that updating one doesn't change the others role1['name'] = uuid.uuid4().hex self.role_api.update_role(role1['id'], role1) role_ref1 = self.role_api.get_role(role1['id']) self.assertDictEqual(role1, role_ref1) role_ref2 = self.role_api.get_role(role2['id']) self.assertDictEqual(role2, role_ref2) role_ref3 = self.role_api.get_role(role3['id']) self.assertDictEqual(role3, role_ref3) # Check that deleting one of these, doesn't affect the others self.role_api.delete_role(role1['id']) self.assertRaises(exception.RoleNotFound, self.role_api.get_role, role1['id']) self.role_api.get_role(role2['id']) self.role_api.get_role(role3['id'])
def test_create_duplicate_role_domain_specific_name_fails(self): domain = unit.new_domain_ref() role1 = unit.new_role_ref(domain_id=domain['id']) PROVIDERS.role_api.create_role(role1['id'], role1) role2 = unit.new_role_ref(name=role1['name'], domain_id=domain['id']) self.assertRaises(exception.Conflict, PROVIDERS.role_api.create_role, role2['id'], role2)
def test_domain_specific_separation(self): domain1 = unit.new_domain_ref() role1 = unit.new_role_ref(domain_id=domain1['id']) role_ref1 = PROVIDERS.role_api.create_role(role1['id'], role1.copy()) self.assertDictEqual(role1, role_ref1) # Check we can have the same named role in a different domain domain2 = unit.new_domain_ref() role2 = unit.new_role_ref(name=role1['name'], domain_id=domain2['id']) role_ref2 = PROVIDERS.role_api.create_role(role2['id'], role2) self.assertDictEqual(role2, role_ref2) # ...and in fact that you can have the same named role as a global role role3 = unit.new_role_ref(name=role1['name']) role_ref3 = PROVIDERS.role_api.create_role(role3['id'], role3) self.assertDictEqual(role3, role_ref3) # Check that updating one doesn't change the others role1['name'] = uuid.uuid4().hex PROVIDERS.role_api.update_role(role1['id'], role1) role_ref1 = PROVIDERS.role_api.get_role(role1['id']) self.assertDictEqual(role1, role_ref1) role_ref2 = PROVIDERS.role_api.get_role(role2['id']) self.assertDictEqual(role2, role_ref2) role_ref3 = PROVIDERS.role_api.get_role(role3['id']) self.assertDictEqual(role3, role_ref3) # Check that deleting one of these, doesn't affect the others PROVIDERS.role_api.delete_role(role1['id']) self.assertRaises(exception.RoleNotFound, PROVIDERS.role_api.get_role, role1['id']) PROVIDERS.role_api.get_role(role2['id']) PROVIDERS.role_api.get_role(role3['id'])
def _create_test_roles(self): ref = unit.new_role_ref() role = PROVIDERS.role_api.create_role(ref['id'], ref) self.prior_role_id = role['id'] ref = unit.new_role_ref() role = PROVIDERS.role_api.create_role(ref['id'], ref) self.implied_role_id = role['id']
def test_rename_duplicate_role_name_fails(self): role1 = unit.new_role_ref(id='fake1', name='fake1name') role2 = unit.new_role_ref(id='fake2', name='fake2name') self.role_api.create_role('fake1', role1) self.role_api.create_role('fake2', role2) role1['name'] = 'fake2name' self.assertRaises(exception.Conflict, self.role_api.update_role, 'fake1', role1)
def test_rename_duplicate_role_name_fails(self): role_id1 = uuid.uuid4().hex role_id2 = uuid.uuid4().hex role1 = unit.new_role_ref(id=role_id1, name='fake1name') role2 = unit.new_role_ref(id=role_id2, name='fake2name') self.role_api.create_role(role_id1, role1) self.role_api.create_role(role_id2, role2) role1['name'] = 'fake2name' self.assertRaises(exception.Conflict, self.role_api.update_role, role_id1, role1)
def test_create_duplicate_role_domain_specific_name_fails(self): domain = unit.new_domain_ref() role1 = unit.new_role_ref(domain_id=domain['id']) self.role_api.create_role(role1['id'], role1) role2 = unit.new_role_ref(name=role1['name'], domain_id=domain['id']) self.assertRaises(exception.Conflict, self.role_api.create_role, role2['id'], role2)
def test_rename_duplicate_role_name_fails(self): role_id1 = uuid.uuid4().hex role_id2 = uuid.uuid4().hex role1 = unit.new_role_ref(id=role_id1, name='fake1name') role2 = unit.new_role_ref(id=role_id2, name='fake2name') PROVIDERS.role_api.create_role(role_id1, role1) PROVIDERS.role_api.create_role(role_id2, role2) role1['name'] = 'fake2name' self.assertRaises(exception.Conflict, PROVIDERS.role_api.update_role, role_id1, role1)
def test_user_can_delete_roles(self): role = PROVIDERS.role_api.create_role( uuid.uuid4().hex, unit.new_role_ref() ) with self.test_client() as c: c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
def test_update_credential_non_owner(self): """Call ``PATCH /credentials/{credential_id}``.""" alt_user = unit.create_user(PROVIDERS.identity_api, domain_id=self.domain_id) alt_user_id = alt_user['id'] alt_project = unit.new_project_ref(domain_id=self.domain_id) alt_project_id = alt_project['id'] PROVIDERS.resource_api.create_project(alt_project['id'], alt_project) alt_role = unit.new_role_ref(name='reader') alt_role_id = alt_role['id'] PROVIDERS.role_api.create_role(alt_role_id, alt_role) PROVIDERS.assignment_api.add_role_to_user_and_project( alt_user_id, alt_project_id, alt_role_id) auth = self.build_authentication_request(user_id=alt_user_id, password=alt_user['password'], project_id=alt_project_id) ref = unit.new_credential_ref(user_id=alt_user_id, project_id=alt_project_id) r = self.post('/credentials', auth=auth, body={'credential': ref}) self.assertValidCredentialResponse(r, ref) credential_id = r.result.get('credential')['id'] # Cannot change the credential to be owned by another user update_ref = {'user_id': self.user_id, 'project_id': self.project_id} self.patch('/credentials/%(credential_id)s' % {'credential_id': credential_id}, expected_status=403, auth=auth, body={'credential': update_ref})
def test_create_application_credential_with_trust(self): second_role = unit.new_role_ref(name='reader') PROVIDERS.role_api.create_role(second_role['id'], second_role) PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_id, self.project_id, second_role['id']) with self.test_client() as c: pw_token = self.get_scoped_token() # create a self-trust - only the roles are important for this test trust_ref = unit.new_trust_ref(trustor_user_id=self.user_id, trustee_user_id=self.user_id, project_id=self.project_id, role_ids=[second_role['id']]) resp = c.post('/v3/OS-TRUST/trusts', headers={'X-Auth-Token': pw_token}, json={'trust': trust_ref}) trust_id = resp.json['trust']['id'] trust_auth = self.build_authentication_request( user_id=self.user_id, password=self.user['password'], trust_id=trust_id) trust_token = self.v3_create_token( trust_auth).headers['X-Subject-Token'] app_cred = self._app_cred_body(roles=[{'id': self.role_id}]) # only the roles from the trust token should be allowed, even if # the user has the role assigned on the project c.post('/v3/users/%s/application_credentials' % self.user_id, headers={'X-Auth-Token': trust_token}, json=app_cred, expected_status_code=http.client.BAD_REQUEST)
def test_user_cannot_list_roles(self): PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref()) with self.test_client() as c: c.get('/v3/roles', headers=self.headers, expected_status_code=http.client.FORBIDDEN)
def test_user_can_delete_roles(self): role = PROVIDERS.role_api.create_role( uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id)) with self.test_client() as c: c.delete('/v3/roles/%s' % role['id'], headers=self.headers)
def test_user_can_get_a_role(self): role = PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref()) with self.test_client() as c: r = c.get('/v3/roles/%s' % role['id'], headers=self.headers) self.assertEqual(role['id'], r.json['role']['id'])
def _create_three_roles(): id_list = [] for _ in range(3): role = unit.new_role_ref() self.role_api.create_role(role['id'], role) id_list.append(role['id']) return id_list
def setUp(self): super(SecurityRequirementsTestCase, self).setUp() # Create a user in the default domain self.non_admin_user = unit.create_user(self.identity_api, CONF.identity.default_domain_id) # Create an admin in the default domain self.admin_user = unit.create_user(self.identity_api, CONF.identity.default_domain_id) # Create a project in the default domain and a non-admin role self.project = unit.new_project_ref( domain_id=CONF.identity.default_domain_id) self.resource_api.create_project(self.project['id'], self.project) self.non_admin_role = unit.new_role_ref(name='not_admin') self.role_api.create_role(self.non_admin_role['id'], self.non_admin_role) # Give the non-admin user a role on the project self.assignment_api.add_role_to_user_and_project( self.non_admin_user['id'], self.project['id'], self.role['id']) # Give the user the admin role on the project, which is technically # `self.role` because RestfulTestCase sets that up for us. self.assignment_api.add_role_to_user_and_project( self.admin_user['id'], self.project['id'], self.role_id)
def test_assignment_created_with_role_exists(self): # test assignment can be created if role already exists. bootstrap = cli.BootStrap() bootstrap.resource_manager.create_domain(self.default_domain["id"], self.default_domain) role = unit.new_role_ref(name=self.role_name) bootstrap.role_manager.create_role(role["id"], role) self._do_test_bootstrap(bootstrap)
def test_update_role_unset_immutable(self): role = unit.new_role_ref() role_id = role['id'] role['options'][ro_opt.IMMUTABLE_OPT.option_name] = True PROVIDERS.role_api.create_role(role_id, role) role_via_manager = PROVIDERS.role_api.get_role(role_id) self.assertTrue('options' in role_via_manager) self.assertTrue( role_via_manager['options'][ro_opt.IMMUTABLE_OPT.option_name]) update_role = {'options': {ro_opt.IMMUTABLE_OPT.option_name: False}} PROVIDERS.role_api.update_role(role_id, update_role) role_via_manager = PROVIDERS.role_api.get_role(role_id) self.assertTrue('options' in role_via_manager) self.assertTrue( ro_opt.IMMUTABLE_OPT.option_name in role_via_manager['options']) self.assertFalse( role_via_manager['options'][ro_opt.IMMUTABLE_OPT.option_name]) update_role = {'options': {ro_opt.IMMUTABLE_OPT.option_name: None}} role_updated = PROVIDERS.role_api.update_role(role_id, update_role) role_via_manager = PROVIDERS.role_api.get_role(role_id) self.assertTrue('options' in role_updated) self.assertTrue('options' in role_via_manager) self.assertFalse( ro_opt.IMMUTABLE_OPT.option_name in role_updated['options']) self.assertFalse( ro_opt.IMMUTABLE_OPT.option_name in role_via_manager['options'])
def test_update_role_set_immutable_with_additional_updates(self): role = unit.new_role_ref() role_id = role['id'] PROVIDERS.role_api.create_role(role_id, role) update_role = { 'name': uuid.uuid4().hex, 'options': { ro_opt.IMMUTABLE_OPT.option_name: True } } role_via_manager = PROVIDERS.role_api.get_role(role_id) self.assertTrue('options' in role_via_manager) self.assertFalse( ro_opt.IMMUTABLE_OPT.option_name in role_via_manager['options']) role_update = PROVIDERS.role_api.update_role(role_id, update_role) role_via_manager = PROVIDERS.role_api.get_role(role_id) self.assertEqual(role_update['name'], update_role['name']) self.assertEqual(role_via_manager['name'], update_role['name']) self.assertTrue( ro_opt.IMMUTABLE_OPT.option_name in role_update['options']) self.assertTrue( role_update['options'][ro_opt.IMMUTABLE_OPT.option_name]) self.assertTrue( ro_opt.IMMUTABLE_OPT.option_name in role_via_manager['options']) self.assertTrue( role_via_manager['options'][ro_opt.IMMUTABLE_OPT.option_name])
def test_cannot_delete_immutable_role(self): role = unit.new_role_ref() role_id = role['id'] role['options'][ro_opt.IMMUTABLE_OPT.option_name] = True PROVIDERS.role_api.create_role(role_id, role) self.assertRaises(exception.ResourceDeleteForbidden, PROVIDERS.role_api.delete_role, role_id)
def test_can_get_security_compliance_config_with_user_from_other_domain(self): # noqa: E501 domain = unit.new_domain_ref() PROVIDERS.resource_api.create_domain(domain['id'], domain) # Create a user in the new domain user = unit.create_user(PROVIDERS.identity_api, domain['id']) # Create a project in the new domain project = unit.new_project_ref(domain_id=domain['id']) PROVIDERS.resource_api.create_project(project['id'], project) role = unit.new_role_ref() PROVIDERS.role_api.create_role(role['id'], role) # Give the new user a non-admin role on the project PROVIDERS.assignment_api.add_role_to_user_and_project( user['id'], project['id'], role['id'] ) password_regex = uuid.uuid4().hex password_regex_description = uuid.uuid4().hex group = 'security_compliance' self.config_fixture.config( group=group, password_regex=password_regex ) self.config_fixture.config( group=group, password_regex_description=password_regex_description ) with self.test_client() as c: c.get('/v3/domains/%s/config/security_compliance' % CONF.identity.default_domain_id, headers=self.headers)
def test_app_cred_ec2_credential(self): """Test creating ec2 credential from an application credential. Call ``POST /credentials``. """ # Create the app cred ref = unit.new_application_credential_ref(roles=[{'id': self.role_id}]) del ref['id'] r = self.post('/users/%s/application_credentials' % self.user_id, body={'application_credential': ref}) app_cred = r.result['application_credential'] # Get an application credential token auth_data = self.build_authentication_request( app_cred_id=app_cred['id'], secret=app_cred['secret']) r = self.v3_create_token(auth_data) token_id = r.headers.get('X-Subject-Token') # Create the credential with the app cred token blob, ref = unit.new_ec2_credential(user_id=self.user_id, project_id=self.project_id) r = self.post('/credentials', body={'credential': ref}, token=token_id) # We expect the response blob to contain the app_cred_id ret_ref = ref.copy() ret_blob = blob.copy() ret_blob['app_cred_id'] = app_cred['id'] ret_ref['blob'] = json.dumps(ret_blob) self.assertValidCredentialResponse(r, ref=ret_ref) # Assert credential id is same as hash of access key id for # ec2 credentials access = blob['access'].encode('utf-8') self.assertEqual(hashlib.sha256(access).hexdigest(), r.result['credential']['id']) # Create a role assignment to ensure that it is ignored and only the # roles in the app cred are used role = unit.new_role_ref(name='reader') role_id = role['id'] PROVIDERS.role_api.create_role(role_id, role) PROVIDERS.assignment_api.add_role_to_user_and_project( self.user_id, self.project_id, role_id) ret_blob = json.loads(r.result['credential']['blob']) ec2token = self._test_get_token( access=ret_blob['access'], secret=ret_blob['secret']) ec2_roles = [role['id'] for role in ec2token['roles']] self.assertIn(self.role_id, ec2_roles) self.assertNotIn(role_id, ec2_roles) # Create second ec2 credential with the same access key id and check # for conflict. self.post( '/credentials', body={'credential': ref}, token=token_id, expected_status=http.client.CONFLICT)
def test_user_can_get_a_role(self): role = PROVIDERS.role_api.create_role( uuid.uuid4().hex, unit.new_role_ref() ) with self.test_client() as c: r = c.get('/v3/roles/%s' % role['id'], headers=self.headers) self.assertEqual(role['id'], r.json['role']['id'])
def test_user_cannot_create_roles(self): create = {'role': unit.new_role_ref()} with self.test_client() as c: c.post( '/v3/roles', json=create, headers=self.headers, expected_status_code=http_client.FORBIDDEN )
def test_create_duplicate_role_name_fails(self): role = unit.new_role_ref(id='fake1', name='fake1name') self.role_api.create_role('fake1', role) role['id'] = 'fake2' self.assertRaises(exception.Conflict, self.role_api.create_role, 'fake2', role)
def test_user_cannot_delete_roles(self): role = PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref()) with self.test_client() as c: c.delete('/v3/roles/%s' % role['id'], headers=self.headers, expected_status_code=http.client.FORBIDDEN)
def test_user_can_create_roles(self): create = { 'role': unit.new_role_ref(domain_id=CONF.identity.default_domain_id) } with self.test_client() as c: c.post('/v3/roles', json=create, headers=self.headers)
def test_user_cannot_list_roles(self): PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref()) with self.test_client() as c: c.get( '/v3/roles', headers=self.headers, expected_status_code=http_client.FORBIDDEN )
def test_create_duplicate_role_name_fails(self): role_id = uuid.uuid4().hex role = unit.new_role_ref(id=role_id, name='fake1name') self.role_api.create_role(role_id, role) new_role_id = uuid.uuid4().hex role['id'] = new_role_id self.assertRaises(exception.Conflict, self.role_api.create_role, new_role_id, role)
def test_assignment_created_with_role_exists(self): # test assignment can be created if role already exists. bootstrap = cli.BootStrap() bootstrap.resource_manager.create_domain(self.default_domain['id'], self.default_domain) role = unit.new_role_ref(name=self.role_name) bootstrap.role_manager.create_role(role['id'], role) self._do_test_bootstrap(bootstrap)
def test_cannot_update_immutable_role(self): role = unit.new_role_ref() role_id = role['id'] role['options'][ro_opt.IMMUTABLE_OPT.option_name] = True PROVIDERS.role_api.create_role(role_id, role) update_role = {'name': uuid.uuid4().hex} self.assertRaises(exception.ResourceUpdateForbidden, PROVIDERS.role_api.update_role, role_id, update_role)
def test_user_cannot_create_roles(self): create = {'role': unit.new_role_ref()} with self.test_client() as c: c.post('/v3/roles', json=create, headers=self.headers, expected_status_code=http.client.FORBIDDEN)
def test_create_null_role_name(self): role = unit.new_role_ref(name=None) self.assertRaises(exception.UnexpectedError, self.role_api.create_role, role['id'], role) self.assertRaises(exception.RoleNotFound, self.role_api.get_role, role['id'])
def test_config_option_no_events(self): self.config_fixture.config(notification_format="basic") role_ref = unit.new_role_ref() self.role_api.create_role(role_ref["id"], role_ref) # The regular notifications will still be emitted, since they are # used for callback handling. self._assert_last_note(role_ref["id"], CREATED_OPERATION, "role") # No audit event should have occurred self.assertEqual(0, len(self._audits))
def test_user_can_list_roles(self): PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref()) with self.test_client() as c: r = c.get('/v3/roles', headers=self.headers) # With bootstrap setup and the role we just created, there should # be four roles present in the deployment. Bootstrap creates # ``admin``, ``member``, and ``reader``. self.assertEqual(4, len(r.json['roles']))
def test_user_cannot_list_domain_roles(self): PROVIDERS.role_api.create_role( uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id)) with self.test_client() as c: c.get('/v3/roles', headers=self.headers, expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_delete_roles(self): role = PROVIDERS.role_api.create_role( uuid.uuid4().hex, unit.new_role_ref() ) with self.test_client() as c: c.delete( '/v3/roles/%s' % role['id'], headers=self.headers, expected_status_code=http_client.FORBIDDEN )
def test_create_duplicate_role_name_fails(self): role_id = uuid.uuid4().hex role = unit.new_role_ref(id=role_id, name='fake1name') PROVIDERS.role_api.create_role(role_id, role) new_role_id = uuid.uuid4().hex role['id'] = new_role_id self.assertRaises(exception.Conflict, PROVIDERS.role_api.create_role, new_role_id, role)
def test_user_can_list_domain_roles(self): PROVIDERS.role_api.create_role( uuid.uuid4().hex, unit.new_role_ref(domain_id=CONF.identity.default_domain_id)) with self.test_client() as c: r = c.get('/v3/roles?domain_id=%s' % CONF.identity.default_domain_id, headers=self.headers) self.assertEqual(1, len(r.json['roles']))
def test_validate_v3_token_trust(self): # Check the trust fields in the token result when use validate_v3_token # when the token has trust info. domain_ref = unit.new_domain_ref() domain_ref = PROVIDERS.resource_api.create_domain( domain_ref['id'], domain_ref ) user_ref = unit.new_user_ref(domain_ref['id']) user_ref = PROVIDERS.identity_api.create_user(user_ref) trustor_user_ref = unit.new_user_ref(domain_ref['id']) trustor_user_ref = PROVIDERS.identity_api.create_user(trustor_user_ref) project_ref = unit.new_project_ref(domain_id=domain_ref['id']) project_ref = PROVIDERS.resource_api.create_project( project_ref['id'], project_ref ) role_ref = unit.new_role_ref() role_ref = PROVIDERS.role_api.create_role(role_ref['id'], role_ref) PROVIDERS.assignment_api.create_grant( role_ref['id'], user_id=user_ref['id'], project_id=project_ref['id']) PROVIDERS.assignment_api.create_grant( role_ref['id'], user_id=trustor_user_ref['id'], project_id=project_ref['id']) trustor_user_id = trustor_user_ref['id'] trustee_user_id = user_ref['id'] trust_ref = unit.new_trust_ref( trustor_user_id, trustee_user_id, project_id=project_ref['id'], role_ids=[role_ref['id'], ]) trust_ref = PROVIDERS.trust_api.create_trust( trust_ref['id'], trust_ref, trust_ref['roles'] ) method_names = ['password'] token_id, token_data_ = PROVIDERS.token_provider_api.issue_token( user_ref['id'], method_names, project_id=project_ref['id'], trust=trust_ref) token_data = PROVIDERS.token_provider_api.validate_token(token_id) token = token_data['token'] exp_trust_info = { 'id': trust_ref['id'], 'impersonation': False, 'trustee_user': {'id': user_ref['id'], }, 'trustor_user': {'id': trustor_user_ref['id'], }, } self.assertEqual(exp_trust_info, token['OS-TRUST:trust'])
def load_sample_data(self): self._populate_default_domain() self.domain = unit.new_domain_ref() self.domain_id = self.domain['id'] self.resource_api.create_domain(self.domain_id, self.domain) self.project = unit.new_project_ref(domain_id=self.domain_id) self.project_id = self.project['id'] self.resource_api.create_project(self.project_id, self.project) self.user = unit.create_user(self.identity_api, domain_id=self.domain_id) self.user_id = self.user['id'] self.default_domain_project_id = uuid.uuid4().hex self.default_domain_project = unit.new_project_ref( domain_id=DEFAULT_DOMAIN_ID) self.default_domain_project['id'] = self.default_domain_project_id self.resource_api.create_project(self.default_domain_project_id, self.default_domain_project) self.default_domain_user = unit.create_user( self.identity_api, domain_id=DEFAULT_DOMAIN_ID) self.default_domain_user_id = self.default_domain_user['id'] # create & grant policy.json's default role for admin_required self.role = unit.new_role_ref(name='admin') self.role_id = self.role['id'] self.role_api.create_role(self.role_id, self.role) self.assignment_api.add_role_to_user_and_project( self.user_id, self.project_id, self.role_id) self.assignment_api.add_role_to_user_and_project( self.default_domain_user_id, self.default_domain_project_id, self.role_id) self.assignment_api.add_role_to_user_and_project( self.default_domain_user_id, self.project_id, self.role_id) self.region = unit.new_region_ref() self.region_id = self.region['id'] self.catalog_api.create_region(self.region) self.service = unit.new_service_ref() self.service_id = self.service['id'] self.catalog_api.create_service(self.service_id, self.service.copy()) self.endpoint = unit.new_endpoint_ref(service_id=self.service_id, interface='public', region_id=self.region_id) self.endpoint_id = self.endpoint['id'] self.catalog_api.create_endpoint(self.endpoint_id, self.endpoint.copy()) # The server adds 'enabled' and defaults to True. self.endpoint['enabled'] = True
def test_user_can_update_roles(self): role = PROVIDERS.role_api.create_role( uuid.uuid4().hex, unit.new_role_ref() ) update = {'role': {'description': uuid.uuid4().hex}} with self.test_client() as c: c.patch( '/v3/roles/%s' % role['id'], json=update, headers=self.headers, )
def _load_sample_data(self): self.project_id = uuid.uuid4().hex self.project_name = uuid.uuid4().hex self.protocol_id = 'x509' # 1) Create a domain for the user. self.domain = unit.new_domain_ref() self.domain_id = self.domain['id'] self.domain_name = self.domain['name'] self.resource_api.create_domain(self.domain_id, self.domain) # 2) Create a project for the user. self.project = { 'description': uuid.uuid4().hex, 'domain_id': self.domain_id, 'enabled': True, 'id': self.project_id, 'name': self.project_name, } self.resource_api.create_project(self.project_id, self.project) # 3) Create a user in new domain. self.user = unit.new_user_ref(domain_id=self.domain_id, project_id=self.project_id) self.user = self.identity_api.create_user(self.user) # Add IDP self.idp = self._idp_ref(id=self.idp_id) self.federation_api.create_idp(self.idp['id'], self.idp) # Add a role self.role = unit.new_role_ref() self.role_id = self.role['id'] self.role_name = self.role['name'] self.role_api.create_role(self.role_id, self.role) # Add a group self.group = unit.new_group_ref(domain_id=self.domain_id) self.group = self.identity_api.create_group(self.group) # Assign a role to the user on a project self.assignment_api.add_role_to_user_and_project( user_id=self.user['id'], tenant_id=self.project_id, role_id=self.role_id) # Assign a role to the group on a project self.assignment_api.create_grant( role_id=self.role_id, group_id=self.group['id'], project_id=self.project_id)
def test_delete_trust(self): trustor = unit.new_user_ref(domain_id=self.domain_id) trustor = self.identity_api.create_user(trustor) trustee = unit.new_user_ref(domain_id=self.domain_id) trustee = self.identity_api.create_user(trustee) role_ref = unit.new_role_ref() trust_ref = unit.new_trust_ref(trustor["id"], trustee["id"]) self.trust_api.create_trust(trust_ref["id"], trust_ref, [role_ref]) self.trust_api.delete_trust(trust_ref["id"]) self._assert_last_note(trust_ref["id"], DELETED_OPERATION, "OS-TRUST:trust") self._assert_last_audit(trust_ref["id"], DELETED_OPERATION, "OS-TRUST:trust", cadftaxonomy.SECURITY_TRUST)
def test_user_cannot_update_roles(self): role = PROVIDERS.role_api.create_role(uuid.uuid4().hex, unit.new_role_ref()) update = {'role': {'description': uuid.uuid4().hex}} with self.test_client() as c: c.patch('/v3/roles/%s' % role['id'], json=update, headers=self.headers, expected_status_code=http.client.FORBIDDEN)
def test_role_duplicate_conflict_gives_name(self): role = unit.new_role_ref() self.role_api.create_role(role['id'], role) role['id'] = uuid.uuid4().hex try: self.role_api.create_role(role['id'], role) except exception.Conflict as e: self.assertIn("Duplicate entry found with name %s" % role['name'], repr(e)) else: self.fail("Create duplicate role did not raise a conflict")
def test_delete_project_with_user_association(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = PROVIDERS.identity_api.create_user(user) role_member = unit.new_role_ref() PROVIDERS.role_api.create_role(role_member['id'], role_member) PROVIDERS.assignment_api.add_role_to_user_and_project( user['id'], self.tenant_bar['id'], role_member['id'] ) PROVIDERS.resource_api.delete_project(self.tenant_bar['id']) tenants = PROVIDERS.assignment_api.list_projects_for_user(user['id']) self.assertEqual([], tenants)
def test_user_cannot_create_domain_roles(self): create = { 'role': unit.new_role_ref(domain_id=CONF.identity.default_domain_id) } with self.test_client() as c: c.post('/v3/roles', json=create, headers=self.headers, expected_status_code=http_client.FORBIDDEN)
def test_delete_group_without_role_does_not_revoke_users(self): revocation_backend = sql.Revoke() domain = unit.new_domain_ref() PROVIDERS.resource_api.create_domain(domain['id'], domain) # Create two groups. Group1 will be used to test deleting a group, # without role assignments and users in the group, doesn't create # revoked events. Group2 will show that deleting a group with role # assignment and users in the group does create revoked events group1 = unit.new_group_ref(domain_id=domain['id']) group1 = PROVIDERS.identity_api.create_group(group1) group2 = unit.new_group_ref(domain_id=domain['id']) group2 = PROVIDERS.identity_api.create_group(group2) role = unit.new_role_ref() PROVIDERS.role_api.create_role(role['id'], role) user1 = unit.new_user_ref(domain_id=domain['id']) user1 = PROVIDERS.identity_api.create_user(user1) user2 = unit.new_user_ref(domain_id=domain['id']) user2 = PROVIDERS.identity_api.create_user(user2) # Add two users to the group, verify they are added, delete group, and # check that the revocaiton events have not been created PROVIDERS.identity_api.add_user_to_group( user_id=user1['id'], group_id=group1['id'] ) PROVIDERS.identity_api.add_user_to_group( user_id=user2['id'], group_id=group1['id'] ) self.assertEqual( 2, len(PROVIDERS.identity_api.list_users_in_group(group1['id']))) PROVIDERS.identity_api.delete_group(group1['id']) self.assertEqual(0, len(revocation_backend.list_events())) # Assign a role to the group, add two users to the group, verify that # the role has been assigned to the group, verify the users have been # added to the group, delete the group, check that the revocation # events have been created PROVIDERS.assignment_api.create_grant( group_id=group2['id'], domain_id=domain['id'], role_id=role['id'] ) grants = PROVIDERS.assignment_api.list_role_assignments( role_id=role['id'] ) self.assertThat(grants, matchers.HasLength(1)) PROVIDERS.identity_api.add_user_to_group( user_id=user1['id'], group_id=group2['id'] ) PROVIDERS.identity_api.add_user_to_group( user_id=user2['id'], group_id=group2['id'] ) self.assertEqual( 2, len(PROVIDERS.identity_api.list_users_in_group(group2['id']))) PROVIDERS.identity_api.delete_group(group2['id']) self.assertEqual(2, len(revocation_backend.list_events()))
def test_delete_user_with_project_association(self): user = unit.new_user_ref(domain_id=CONF.identity.default_domain_id) user = PROVIDERS.identity_api.create_user(user) role_member = unit.new_role_ref() PROVIDERS.role_api.create_role(role_member['id'], role_member) PROVIDERS.assignment_api.add_role_to_user_and_project( user['id'], self.tenant_bar['id'], role_member['id'] ) PROVIDERS.identity_api.delete_user(user['id']) self.assertRaises(exception.UserNotFound, PROVIDERS.assignment_api.list_projects_for_user, user['id'])
def load_sample_data(self): """Create sample data for these tests. As well as the usual housekeeping, create a set of domains, users, roles and projects for the subsequent tests: - Three domains: A,B & C. C is disabled. - DomainA has user1, DomainB has user2 and user3 - DomainA has group1 and group2, DomainB has group3 - User1 has a role on DomainA Remember that there will also be a fourth domain in existence, the default domain. """ # Start by creating a few domains self._populate_default_domain() self.domainA = unit.new_domain_ref() self.resource_api.create_domain(self.domainA['id'], self.domainA) self.domainB = unit.new_domain_ref() self.resource_api.create_domain(self.domainB['id'], self.domainB) self.domainC = unit.new_domain_ref() self.domainC['enabled'] = False self.resource_api.create_domain(self.domainC['id'], self.domainC) # Now create some users, one in domainA and two of them in domainB self.user1 = self.new_user_ref(domain_id=self.domainA['id']) password = uuid.uuid4().hex self.user1['password'] = password self.user1 = self.identity_api.create_user(self.user1) self.user1['password'] = password self.user2 = self.new_user_ref(domain_id=self.domainB['id']) self.user2['password'] = password self.user2 = self.identity_api.create_user(self.user2) self.user2['password'] = password self.user3 = self.new_user_ref(domain_id=self.domainB['id']) self.user3['password'] = password self.user3 = self.identity_api.create_user(self.user3) self.user3['password'] = password self.role = unit.new_role_ref() self.role_api.create_role(self.role['id'], self.role) self.assignment_api.create_grant(self.role['id'], user_id=self.user1['id'], domain_id=self.domainA['id']) # A default auth request we can use - un-scoped user token self.auth = self.build_authentication_request( user_id=self.user1['id'], password=self.user1['password'])
def test_configurable_allowed_role_actions(self): role = unit.new_role_ref(id=u'fäké1', name=u'fäké1') self.role_api.create_role(u'fäké1', role) role_ref = self.role_api.get_role(u'fäké1') self.assertEqual(u'fäké1', role_ref['id']) role['name'] = u'fäké2' self.role_api.update_role(u'fäké1', role) self.role_api.delete_role(u'fäké1') self.assertRaises(exception.RoleNotFound, self.role_api.get_role, u'fäké1')
def test_create_trust_with_role_name_ambiguous_returns_bad_request(self): # Create second role with the same name role_ref = unit.new_role_ref(name=self.role['name'], domain_id=uuid.uuid4().hex) self.post('/roles', body={'role': role_ref}) ref = unit.new_trust_ref( trustor_user_id=self.user_id, trustee_user_id=self.trustee_user_id, project_id=self.project_id, role_names=[self.role['name']] ) self.post('/OS-TRUST/trusts', body={'trust': ref}, expected_status=http_client.BAD_REQUEST)
def _load_sample_data(self): self.protocol_id = 'x509' # 1) Create a domain for the user. self.domain = unit.new_domain_ref() self.domain_id = self.domain['id'] self.domain_name = self.domain['name'] PROVIDERS.resource_api.create_domain(self.domain_id, self.domain) # 2) Create a project for the user. self.project = unit.new_project_ref(domain_id=self.domain_id) self.project_id = self.project['id'] self.project_name = self.project['name'] PROVIDERS.resource_api.create_project(self.project_id, self.project) # 3) Create a user in new domain. self.user = unit.new_user_ref(domain_id=self.domain_id, project_id=self.project_id) self.user = PROVIDERS.identity_api.create_user(self.user) # Add IDP self.idp = self._idp_ref(id=self.idp_id) PROVIDERS.federation_api.create_idp( self.idp['id'], self.idp ) # Add a role self.role = unit.new_role_ref() self.role_id = self.role['id'] self.role_name = self.role['name'] PROVIDERS.role_api.create_role(self.role_id, self.role) # Add a group self.group = unit.new_group_ref(domain_id=self.domain_id) self.group = PROVIDERS.identity_api.create_group(self.group) # Assign a role to the user on a project PROVIDERS.assignment_api.add_role_to_user_and_project( user_id=self.user['id'], tenant_id=self.project_id, role_id=self.role_id) # Assign a role to the group on a project PROVIDERS.assignment_api.create_grant( role_id=self.role_id, group_id=self.group['id'], project_id=self.project_id)