Exemplo n.º 1
0
    def test_edit_user_roles_modified_config_add(self):
        """
        Tests that the role mappings do come from config and a new role
        added there will be allowed.
        """
        project = fake_clients.FakeProject(name="test_project")

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="project_mod",
            user={"id": user.id},
        )

        setup_identity_cache(
            projects=[project], users=[user], role_assignments=[assignment]
        )

        new_role = fake_clients.FakeRole("new_role")

        fake_clients.identity_cache["roles"][new_role.id] = new_role

        task = Task.objects.create(
            keystone_user={
                "roles": ["project_mod"],
                "project_id": project.id,
                "project_domain_id": "default",
            }
        )

        data = {
            "domain_id": "default",
            "user_id": user.id,
            "project_id": project.id,
            "roles": ["new_role"],
            "inherited_roles": [],
            "remove": False,
        }

        action = EditUserRolesAction(data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, True)

        action.approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        fake_client = fake_clients.FakeManager()

        roles = fake_client._get_roles_as_names(user, project)
        self.assertEqual(roles, ["project_mod", "new_role"])
Exemplo n.º 2
0
    def test_edit_user_roles_remove_complete(self):
        """
        Remove roles from user that does not have them.
        """

        project = fake_clients.FakeProject(name="test_project")

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": user.id},
        )

        setup_identity_cache(
            projects=[project], users=[user], role_assignments=[assignment]
        )

        task = Task.objects.create(
            keystone_user={
                "roles": ["admin", "project_mod"],
                "project_id": project.id,
                "project_domain_id": "default",
            }
        )

        data = {
            "domain_id": "default",
            "user_id": user.id,
            "project_id": project.id,
            "roles": ["project_mod"],
            "inherited_roles": [],
            "remove": True,
        }

        action = EditUserRolesAction(data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, "complete")

        action.approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        fake_client = fake_clients.FakeManager()

        roles = fake_client._get_roles_as_names(user, project)
        self.assertEqual(roles, ["member"])
Exemplo n.º 3
0
    def test_edit_user_roles_can_manage_all(self):
        """
        Confirm that you cannot edit a user unless all their roles
        can be managed by you.
        """
        project = fake_clients.FakeProject(name="test_project")

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        assignments = [
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name="member",
                user={"id": user.id},
            ),
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name="project_admin",
                user={"id": user.id},
            ),
        ]

        setup_identity_cache(
            projects=[project], users=[user], role_assignments=assignments
        )

        task = Task.objects.create(
            keystone_user={
                "roles": ["project_mod"],
                "project_id": project.id,
                "project_domain_id": "default",
            }
        )

        data = {
            "domain_id": "default",
            "user_id": user.id,
            "project_id": project.id,
            "roles": ["project_mod"],
            "inherited_roles": [],
            "remove": False,
        }

        action = EditUserRolesAction(data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, False)

        fake_client = fake_clients.FakeManager()

        roles = fake_client._get_roles_as_names(user, project)
        self.assertEqual(roles, ["member", "project_admin"])
Exemplo n.º 4
0
    def test_edit_user_roles_add(self):
        """
        Add roles to existing user.
        """
        project = fake_clients.FakeProject(name="test_project")

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        setup_identity_cache(projects=[project], users=[user])

        task = Task.objects.create(
            keystone_user={
                "roles": ["admin", "project_mod"],
                "project_id": project.id,
                "project_domain_id": "default",
            }
        )

        data = {
            "domain_id": "default",
            "user_id": user.id,
            "project_id": project.id,
            "roles": ["member", "project_mod"],
            "inherited_roles": [],
            "remove": False,
        }

        action = EditUserRolesAction(data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, True)

        action.approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        fake_client = fake_clients.FakeManager()

        roles = fake_client._get_roles_as_names(user, project)
        self.assertEqual(sorted(roles), sorted(["member", "project_mod"]))
Exemplo n.º 5
0
    def test_edit_user_roles_modified_config(self):
        """
        Tests that the role mappings do come from config and that they
        are enforced.
        """
        project = fake_clients.FakeProject(name="test_project")

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="project_mod",
            user={"id": user.id},
        )

        setup_identity_cache(
            projects=[project], users=[user], role_assignments=[assignment]
        )

        task = Task.objects.create(
            keystone_user={
                "roles": ["project_mod"],
                "project_id": project.id,
                "project_domain_id": "default",
            }
        )

        data = {
            "domain_id": "default",
            "user_id": user.id,
            "project_id": project.id,
            "roles": ["heat_stack_owner"],
            "inherited_roles": [],
            "remove": False,
        }

        action = EditUserRolesAction(data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, True)

        # Change config
        with conf_utils.modify_conf(
            CONF,
            operations={
                "adjutant.identity.role_mapping": [
                    {
                        "operation": "update",
                        "value": {
                            "project_mod": [
                                "member",
                                "project_mod",
                            ],
                        },
                    },
                ],
            },
        ):
            action.approve()
            self.assertEqual(action.valid, False)

            token_data = {}
            action.submit(token_data)
            self.assertEqual(action.valid, False)

        # After Settings Reset
        action.approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        fake_client = fake_clients.FakeManager()

        roles = fake_client._get_roles_as_names(user, project)
        self.assertEqual(roles, ["project_mod", "heat_stack_owner"])