def test_list_domains_for_user_with_grants(self):
# Create two groups each with a role on a different domain, and
# make user1 a member of both groups. Both these new domains
# should now be included, along with any direct user grants.
domain = unit.new_domain_ref()
self.resource_api.create_domain(domain['id'], domain)
user = unit.new_user_ref(domain_id=domain['id'])
user = self.identity_api.create_user(user)
group1 = unit.new_group_ref(domain_id=domain['id'])
group1 = self.identity_api.create_group(group1)
group2 = unit.new_group_ref(domain_id=domain['id'])
group2 = self.identity_api.create_group(group2)
test_domain1 = unit.new_domain_ref()
self.resource_api.create_domain(test_domain1['id'], test_domain1)
test_domain2 = unit.new_domain_ref()
self.resource_api.create_domain(test_domain2['id'], test_domain2)
test_domain3 = unit.new_domain_ref()
self.resource_api.create_domain(test_domain3['id'], test_domain3)
self.identity_api.add_user_to_group(user['id'], group1['id'])
self.identity_api.add_user_to_group(user['id'], group2['id'])
# Create 3 grants, one user grant, the other two as group grants
self.assignment_api.create_grant(user_id=user['id'],
domain_id=test_domain1['id'],
role_id=self.role_member['id'])
self.assignment_api.create_grant(group_id=group1['id'],
domain_id=test_domain2['id'],
role_id=self.role_admin['id'])
self.assignment_api.create_grant(group_id=group2['id'],
domain_id=test_domain3['id'],
role_id=self.role_admin['id'])
user_domains = self.assignment_api.list_domains_for_user(user['id'])
self.assertThat(user_domains, matchers.HasLength(3))
def test_delete_group_without_role_does_not_revoke_users(self):
revocation_backend = sql.Revoke()
domain = unit.new_domain_ref()
PROVIDERS.resource_api.create_domain(domain['id'], domain)
# Create two groups. Group1 will be used to test deleting a group,
# without role assignments and users in the group, doesn't create
# revoked events. Group2 will show that deleting a group with role
# assignment and users in the group does create revoked events
group1 = unit.new_group_ref(domain_id=domain['id'])
group1 = PROVIDERS.identity_api.create_group(group1)
group2 = unit.new_group_ref(domain_id=domain['id'])
group2 = PROVIDERS.identity_api.create_group(group2)
role = unit.new_role_ref()
PROVIDERS.role_api.create_role(role['id'], role)
user1 = unit.new_user_ref(domain_id=domain['id'])
user1 = PROVIDERS.identity_api.create_user(user1)
user2 = unit.new_user_ref(domain_id=domain['id'])
user2 = PROVIDERS.identity_api.create_user(user2)
# Add two users to the group, verify they are added, delete group, and
# check that the revocaiton events have not been created
PROVIDERS.identity_api.add_user_to_group(
user_id=user1['id'], group_id=group1['id']
)
PROVIDERS.identity_api.add_user_to_group(
user_id=user2['id'], group_id=group1['id']
)
self.assertEqual(
2, len(PROVIDERS.identity_api.list_users_in_group(group1['id'])))
PROVIDERS.identity_api.delete_group(group1['id'])
self.assertEqual(0, len(revocation_backend.list_events()))
# Assign a role to the group, add two users to the group, verify that
# the role has been assigned to the group, verify the users have been
# added to the group, delete the group, check that the revocation
# events have been created
PROVIDERS.assignment_api.create_grant(
group_id=group2['id'], domain_id=domain['id'], role_id=role['id']
)
grants = PROVIDERS.assignment_api.list_role_assignments(
role_id=role['id']
)
self.assertThat(grants, matchers.HasLength(1))
PROVIDERS.identity_api.add_user_to_group(
user_id=user1['id'], group_id=group2['id']
)
PROVIDERS.identity_api.add_user_to_group(
user_id=user2['id'], group_id=group2['id']
)
self.assertEqual(
2, len(PROVIDERS.identity_api.list_users_in_group(group2['id'])))
PROVIDERS.identity_api.delete_group(group2['id'])
self.assertEqual(2, len(revocation_backend.list_events()))
def test_user_can_check_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
)
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'],
project_id=project['id']
)
with self.test_client() as c:
c.get(
'/v3/projects/%s/groups/%s/roles/%s' % (
project['id'],
group['id'],
self.bootstrapper.reader_role_id
),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT
)
def test_list_groups_for_user_filtered(self):
domain = self._get_domain_fixture()
test_groups = []
test_users = []
GROUP_COUNT = 3
USER_COUNT = 2
for x in range(0, USER_COUNT):
# TODO(shaleh): use unit.new_user_ref()
new_user = {'name': uuid.uuid4().hex, 'password': uuid.uuid4().hex,
'enabled': True, 'domain_id': domain['id']}
new_user = self.identity_api.create_user(new_user)
test_users.append(new_user)
positive_user = test_users[0]
negative_user = test_users[1]
for x in range(0, USER_COUNT):
group_refs = self.identity_api.list_groups_for_user(
test_users[x]['id'])
self.assertEqual(0, len(group_refs))
for x in range(0, GROUP_COUNT):
new_group = unit.new_group_ref(domain_id=domain['id'])
new_group = self.identity_api.create_group(new_group)
test_groups.append(new_group)
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x, len(group_refs))
self.identity_api.add_user_to_group(
positive_user['id'],
new_group['id'])
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x + 1, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver = self.identity_api._select_identity_driver(
CONF.identity.default_domain_id)
driver.group.ldap_filter = '(dn=xx)'
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(0, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver.group.ldap_filter = '(objectclass=*)'
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(GROUP_COUNT, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
def test_user_can_revoke_grant_from_group_on_project(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
)
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex, unit.new_project_ref(
domain_id=CONF.identity.default_domain_id
)
)
PROVIDERS.assignment_api.create_grant(
self.bootstrapper.reader_role_id, group_id=group['id'],
project_id=project['id']
)
with self.test_client() as c:
c.delete(
'/v3/projects/%s/groups/%s/roles/%s' % (
project['id'],
group['id'],
self.bootstrapper.reader_role_id
),
headers=self.headers
)
def test_filter_sql_injection_attack(self):
"""Test against sql injection attack on filters.
Test Plan:
- Attempt to get all entities back by passing a two-term attribute
- Attempt to piggyback filter to damage DB (e.g. drop table)
"""
# Check we have some users
users = self.identity_api.list_users()
self.assertTrue(len(users) > 0)
hints = driver_hints.Hints()
hints.add_filter('name', "anything' or 'x'='x")
users = self.identity_api.list_users(hints=hints)
self.assertEqual(0, len(users))
# See if we can add a SQL command...use the group table instead of the
# user table since 'user' is reserved word for SQLAlchemy.
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
group = self.identity_api.create_group(group)
hints = driver_hints.Hints()
hints.add_filter('name', "x'; drop table group")
groups = self.identity_api.list_groups(hints=hints)
self.assertEqual(0, len(groups))
groups = self.identity_api.list_groups()
self.assertTrue(len(groups) > 0)
def test_filter_sql_injection_attack(self):
"""GET /users?name=<injected sql_statement>.
Test Plan:
- Attempt to get all entities back by passing a two-term attribute
- Attempt to piggyback filter to damage DB (e.g. drop table)
"""
self._set_policy({"identity:list_users": [],
"identity:list_groups": [],
"identity:create_group": []})
url_by_name = "/users?name=anything' or 'x'='x"
r = self.get(url_by_name, auth=self.auth)
self.assertEqual(0, len(r.result.get('users')))
# See if we can add a SQL command...use the group table instead of the
# user table since 'user' is reserved word for SQLAlchemy.
group = unit.new_group_ref(domain_id=self.domainB['id'])
group = self.identity_api.create_group(group)
url_by_name = "/users?name=x'; drop table group"
r = self.get(url_by_name, auth=self.auth)
# Check group table is still there...
url_by_name = "/groups"
r = self.get(url_by_name, auth=self.auth)
self.assertGreater(len(r.result.get('groups')), 0)
def test_create_group(self):
"""Call ``POST /groups``."""
# Create a new group to avoid a duplicate check failure
ref = unit.new_group_ref(domain_id=self.domain_id)
r = self.post(
'/groups',
body={'group': ref})
return self.assertValidGroupResponse(r, ref)
def test_update_group(self):
"""Call ``PATCH /groups/{group_id}``."""
group = unit.new_group_ref(domain_id=self.domain_id)
del group['id']
r = self.patch('/groups/%(group_id)s' % {
'group_id': self.group_id},
body={'group': group})
self.assertValidGroupResponse(r, group)
def test_user_can_get_group_in_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
with self.test_client() as c:
r = c.get('/v3/groups/%s' % group['id'],
headers=self.headers)
self.assertEqual(group['id'], r.json['group']['id'])
def test_user_can_delete_group_in_own_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
with self.test_client() as c:
c.delete(
'/v3/groups/%s' % group['id'],
headers=self.headers
)
def test_user_cannot_remove_non_existent_user_from_group_forbidden(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
with self.test_client() as c:
c.delete('/v3/groups/%(group)s/users/%(user)s' % {
'group': group['id'], 'user': uuid.uuid4().hex},
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_can_update_group_in_own_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
update = {'group': {'description': uuid.uuid4().hex}}
with self.test_client() as c:
c.patch(
'/v3/groups/%s' % group['id'], json=update,
headers=self.headers)
def setUp(self):
super(IdentityTestCase, self).setUp()
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group["id"]
self.credential = unit.new_credential_ref(user_id=self.user["id"], project_id=self.project_id)
self.credential_api.create_credential(self.credential["id"], self.credential)
def test_group_duplicate_conflict_gives_name(self):
group = unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
group = self.identity_api.create_group(group)
try:
self.identity_api.create_group(group)
except exception.Conflict as e:
self.assertIn("Duplicate entry found with name %s"
% group['name'], repr(e))
else:
self.fail("Create duplicate group did not raise a conflict")
def test_user_cannot_list_groups_in_other_domain(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id'])
)
with self.test_client() as c:
r = c.get('/v3/groups?domain_id=%s' % domain['id'],
headers=self.headers)
self.assertEqual(0, len(r.json['groups']))
def test_user_can_list_groups_in_domain(self):
# second domain
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
# one group in new domain
group1 = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id'])
)
# one group in user's domain
group2 = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
# user should only see one group
with self.test_client() as c:
r = c.get('/v3/groups', headers=self.headers)
self.assertEqual(1, len(r.json['groups']))
self.assertNotIn(group1['id'], [g['id'] for g in r.json['groups']])
self.assertEqual(group2['id'], r.json['groups'][0]['id'])
def test_user_can_get_a_group(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id'])
)
with self.test_client() as c:
r = c.get('/v3/groups/%s' % group['id'], headers=self.headers)
self.assertEqual(group['id'], r.json['group']['id'])
def test_user_can_grant_group_system_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
with self.test_client() as c:
c.put(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers,
)
def test_list_groups_for_user_filtered(self):
domain = self._get_domain_fixture()
test_groups = []
test_users = []
GROUP_COUNT = 3
USER_COUNT = 2
positive_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
negative_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
for x in range(0, USER_COUNT):
group_refs = PROVIDERS.identity_api.list_groups_for_user(
test_users[x]['id'])
self.assertEqual(0, len(group_refs))
for x in range(0, GROUP_COUNT):
new_group = unit.new_group_ref(domain_id=domain['id'])
new_group = PROVIDERS.identity_api.create_group(new_group)
test_groups.append(new_group)
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x, len(group_refs))
PROVIDERS.identity_api.add_user_to_group(
positive_user['id'],
new_group['id'])
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x + 1, len(group_refs))
group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver = PROVIDERS.identity_api._select_identity_driver(
CONF.identity.default_domain_id)
driver.group.ldap_filter = '(dn=xx)'
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(0, len(group_refs))
group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver.group.ldap_filter = '(objectclass=*)'
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(GROUP_COUNT, len(group_refs))
group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
def _load_sample_data(self):
self.project_id = uuid.uuid4().hex
self.project_name = uuid.uuid4().hex
self.protocol_id = 'x509'
# 1) Create a domain for the user.
self.domain = unit.new_domain_ref()
self.domain_id = self.domain['id']
self.domain_name = self.domain['name']
self.resource_api.create_domain(self.domain_id, self.domain)
# 2) Create a project for the user.
self.project = {
'description': uuid.uuid4().hex,
'domain_id': self.domain_id,
'enabled': True,
'id': self.project_id,
'name': self.project_name,
}
self.resource_api.create_project(self.project_id, self.project)
# 3) Create a user in new domain.
self.user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
self.user = self.identity_api.create_user(self.user)
# Add IDP
self.idp = self._idp_ref(id=self.idp_id)
self.federation_api.create_idp(self.idp['id'],
self.idp)
# Add a role
self.role = unit.new_role_ref()
self.role_id = self.role['id']
self.role_name = self.role['name']
self.role_api.create_role(self.role_id, self.role)
# Add a group
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
# Assign a role to the user on a project
self.assignment_api.add_role_to_user_and_project(
user_id=self.user['id'],
tenant_id=self.project_id,
role_id=self.role_id)
# Assign a role to the group on a project
self.assignment_api.create_grant(
role_id=self.role_id,
group_id=self.group['id'],
project_id=self.project_id)
def test_user_cannot_get_group_in_other_domain(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id'])
)
with self.test_client() as c:
c.get('/v3/groups/%s' % group['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_can_add_user_in_own_domain_to_group_in_own_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id)
)
with self.test_client() as c:
c.put('/v3/groups/%(group)s/users/%(user)s' % {
'group': group['id'], 'user': user['id']},
headers=self.headers)
def test_user_can_delete_group(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id'])
)
with self.test_client() as c:
c.delete(
'/v3/groups/%s' % group['id'], headers=self.headers
)
def test_user_can_get_list_their_own_groups(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
PROVIDERS.identity_api.add_user_to_group(self.user_id, group['id'])
with self.test_client() as c:
r = c.get(
'/v3/users/%s/groups' % self.user_id, headers=self.headers
)
self.assertEqual(1, len(r.json['groups']))
self.assertEqual(group['id'], r.json['groups'][0]['id'])
def test_user_can_list_users_in_own_domain_for_group_in_own_domain(self):
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id)
)
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
with self.test_client() as c:
r = c.get('/v3/groups/%s/users' % group['id'],
headers=self.headers)
self.assertEqual(1, len(r.json['users']))
self.assertEqual(user['id'], r.json['users'][0]['id'])
def test_user_cannot_list_group_system_role_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.get(
'/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def test_user_cannot_create_grant_for_group_on_project(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id))
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id))
with self.test_client() as c:
c.put(
'/v3/projects/%s/groups/%s/roles/%s' %
(project['id'], group['id'], self.bootstrapper.reader_role_id),
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_remove_users_from_group(self):
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id']))
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=domain['id']))
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
with self.test_client() as c:
c.delete('/v3/groups/%s/users/%s' % (group['id'], user['id']),
headers=self.headers,
expected_status_code=http.client.FORBIDDEN)
def test_user_cannot_list_groups_in_other_domain_user_in_own_domain(self):
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id)
)
# one group in other domain
group1 = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id'])
)
# one group in own domain
group2 = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id)
)
PROVIDERS.identity_api.add_user_to_group(user['id'], group1['id'])
PROVIDERS.identity_api.add_user_to_group(user['id'], group2['id'])
with self.test_client() as c:
r = c.get('/v3/users/%s/groups' % user['id'],
headers=self.headers)
# only one group should be visible
self.assertEqual(1, len(r.json['groups']))
self.assertEqual(group2['id'], r.json['groups'][0]['id'])
def test_add_user_to_group(self):
user_ref = unit.new_user_ref(domain_id=self.domain_id)
user_ref = self.identity_api.create_user(user_ref)
group_ref = unit.new_group_ref(domain_id=self.domain_id)
group_ref = self.identity_api.create_group(group_ref)
self.identity_api.add_user_to_group(user_ref["id"], group_ref["id"])
self._assert_last_note(
group_ref["id"],
UPDATED_OPERATION,
"group",
actor_id=user_ref["id"],
actor_type="user",
actor_operation="added",
)
def test_user_can_list_groups_for_other_users(self):
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id']))
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=domain['id']))
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
with self.test_client() as c:
r = c.get('/v3/users/%s/groups' % user['id'], headers=self.headers)
self.assertEqual(1, len(r.json['groups']))
self.assertEqual(group['id'], r.json['groups'][0]['id'])
def test_user_can_check_if_user_in_group(self):
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id']))
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=domain['id']))
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
with self.test_client() as c:
c.get('/v3/groups/%s/users/%s' % (group['id'], user['id']),
headers=self.headers,
expected_status_code=http.client.NO_CONTENT)
def test_user_cannot_list_groups_for_other_users(self):
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id']))
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=domain['id']))
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
with self.test_client() as c:
c.get('/v3/users/%s/groups' % user['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def test_user_cannot_add_user_own_domain_to_group_other_domain(self):
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=domain['id']))
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id))
with self.test_client() as c:
c.put('/v3/groups/%(group)s/users/%(user)s' % {
'group': group['id'],
'user': user['id']
},
headers=self.headers,
expected_status_code=http_client.FORBIDDEN)
def _load_sample_data(self):
self.protocol_id = 'x509'
# 1) Create a domain for the user.
self.domain = unit.new_domain_ref()
self.domain_id = self.domain['id']
self.domain_name = self.domain['name']
PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)
# 2) Create a project for the user.
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.project_name = self.project['name']
PROVIDERS.resource_api.create_project(self.project_id, self.project)
# 3) Create a user in new domain.
self.user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
self.user = PROVIDERS.identity_api.create_user(self.user)
# Add IDP
self.idp = self._idp_ref(id=self.idp_id)
PROVIDERS.federation_api.create_idp(
self.idp['id'], self.idp
)
# Add a role
self.role = unit.new_role_ref()
self.role_id = self.role['id']
self.role_name = self.role['name']
PROVIDERS.role_api.create_role(self.role_id, self.role)
# Add a group
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = PROVIDERS.identity_api.create_group(self.group)
# Assign a role to the user on a project
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id=self.user['id'],
project_id=self.project_id,
role_id=self.role_id)
# Assign a role to the group on a project
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id,
group_id=self.group['id'],
project_id=self.project_id)
def _load_sample_data(self):
self.protocol_id = 'x509'
# 1) Create a domain for the user.
self.domain = unit.new_domain_ref()
self.domain_id = self.domain['id']
self.domain_name = self.domain['name']
PROVIDERS.resource_api.create_domain(self.domain_id, self.domain)
# 2) Create a project for the user.
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.project_name = self.project['name']
PROVIDERS.resource_api.create_project(self.project_id, self.project)
# 3) Create a user in new domain.
self.user = unit.new_user_ref(domain_id=self.domain_id,
project_id=self.project_id)
self.user = PROVIDERS.identity_api.create_user(self.user)
# Add IDP
self.idp = self._idp_ref(id=self.idp_id)
PROVIDERS.federation_api.create_idp(
self.idp['id'], self.idp
)
# Add a role
self.role = unit.new_role_ref()
self.role_id = self.role['id']
self.role_name = self.role['name']
PROVIDERS.role_api.create_role(self.role_id, self.role)
# Add a group
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = PROVIDERS.identity_api.create_group(self.group)
# Assign a role to the user on a project
PROVIDERS.assignment_api.add_role_to_user_and_project(
user_id=self.user['id'],
tenant_id=self.project_id,
role_id=self.role_id)
# Assign a role to the group on a project
PROVIDERS.assignment_api.create_grant(
role_id=self.role_id,
group_id=self.group['id'],
project_id=self.project_id)
def test_user_can_revoke_group_system_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.delete(
'/v3/system/groups/%s/roles/%s' % (
group['id'], self.bootstrapper.member_role_id
), headers=self.headers
)
def test_user_cannot_list_group_system_role_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
c.get(
'/v3/system/groups/%s/roles' % group['id'],
headers=self.headers,
expected_status_code=http_client.FORBIDDEN
)
def setUp(self):
super(IdentityTestCase, self).setUp()
self.useFixture(
ksfixtures.KeyRepository(self.config_fixture, 'credential',
credential_fernet.MAX_ACTIVE_KEYS))
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group['id']
self.credential = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
self.credential_api.create_credential(self.credential['id'],
self.credential)
def setUp(self):
super(IdentityTestCase, self).setUp()
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group['id']
self.credential_id = uuid.uuid4().hex
self.credential = self.new_credential_ref(
user_id=self.user['id'],
project_id=self.project_id)
self.credential['id'] = self.credential_id
self.credential_api.create_credential(
self.credential_id,
self.credential)
def test_user_can_list_grants_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id))
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
PROVIDERS.assignment_api.create_grant(self.bootstrapper.reader_role_id,
group_id=group['id'],
domain_id=domain['id'])
with self.test_client() as c:
r = c.get('/v3/domains/%s/groups/%s/roles' %
(domain['id'], group['id']),
headers=self.headers)
self.assertEqual(1, len(r.json['roles']))
def test_user_can_revoke_grant_from_group_on_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id))
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
PROVIDERS.assignment_api.create_grant(self.bootstrapper.reader_role_id,
group_id=group['id'],
domain_id=domain['id'])
with self.test_client() as c:
c.delete(
'/v3/domains/%s/groups/%s/roles/%s' %
(domain['id'], group['id'], self.bootstrapper.reader_role_id),
headers=self.headers)
def test_user_can_check_grant_for_group_on_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id))
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
PROVIDERS.assignment_api.create_grant(self.bootstrapper.reader_role_id,
group_id=group['id'],
domain_id=domain['id'])
with self.test_client() as c:
c.get(
'/v3/domains/%s/groups/%s/roles/%s' %
(domain['id'], group['id'], self.bootstrapper.reader_role_id),
headers=self.headers,
expected_status_code=http_client.NO_CONTENT)
def test_user_can_list_group_system_role_assignments(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(CONF.identity.default_domain_id)
)
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], self.bootstrapper.member_role_id
)
with self.test_client() as c:
r = c.get(
'/v3/system/groups/%s/roles' % group['id'],
headers=self.headers
)
self.assertEqual(1, len(r.json['roles']))
self.assertEqual(
self.bootstrapper.member_role_id, r.json['roles'][0]['id']
)
def test_user_can_check_user_in_own_domain_group_in_own_domain(self):
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id))
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id))
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
with self.test_client() as c:
c.head('/v3/groups/%(group)s/users/%(user)s' % {
'group': group['id'],
'user': user['id']
},
headers=self.headers,
expected_status_code=http.client.NO_CONTENT)
c.get('/v3/groups/%(group)s/users/%(user)s' % {
'group': group['id'],
'user': user['id']
},
headers=self.headers,
expected_status_code=http.client.NO_CONTENT)
def test_user_cannot_list_users_in_other_domain_group_in_own_domain(self):
domain = PROVIDERS.resource_api.create_domain(uuid.uuid4().hex,
unit.new_domain_ref())
# one user in other domain
user1 = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=domain['id']))
# one user in own domain
user2 = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=self.domain_id))
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id))
PROVIDERS.identity_api.add_user_to_group(user1['id'], group['id'])
PROVIDERS.identity_api.add_user_to_group(user2['id'], group['id'])
with self.test_client() as c:
r = c.get('/v3/groups/%s/users' % group['id'],
headers=self.headers)
# only one user should be visible
self.assertEqual(1, len(r.json['users']))
self.assertEqual(user2['id'], r.json['users'][0]['id'])
def test_list_domains_for_user_with_inherited_grants(self):
"""Test that inherited roles on the domain are excluded.
Test Plan:
- Create two domains, one user, group and role
- Domain1 is given an inherited user role, Domain2 an inherited
group role (for a group of which the user is a member)
- When listing domains for user, neither domain should be returned
"""
domain1 = unit.new_domain_ref()
domain1 = PROVIDERS.resource_api.create_domain(domain1['id'], domain1)
domain2 = unit.new_domain_ref()
domain2 = PROVIDERS.resource_api.create_domain(domain2['id'], domain2)
user = unit.new_user_ref(domain_id=domain1['id'])
user = PROVIDERS.identity_api.create_user(user)
group = unit.new_group_ref(domain_id=domain1['id'])
group = PROVIDERS.identity_api.create_group(group)
PROVIDERS.identity_api.add_user_to_group(user['id'], group['id'])
role = unit.new_role_ref()
PROVIDERS.role_api.create_role(role['id'], role)
# Create a grant on each domain, one user grant, one group grant,
# both inherited.
PROVIDERS.assignment_api.create_grant(
user_id=user['id'], domain_id=domain1['id'], role_id=role['id'],
inherited_to_projects=True
)
PROVIDERS.assignment_api.create_grant(
group_id=group['id'], domain_id=domain2['id'], role_id=role['id'],
inherited_to_projects=True
)
user_domains = PROVIDERS.assignment_api.list_domains_for_user(
user['id']
)
# No domains should be returned since both domains have only inherited
# roles assignments.
self.assertThat(user_domains, matchers.HasLength(0))
def test_user_can_get_group_in_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id))
with self.test_client() as c:
r = c.get('/v3/groups/%s' % group['id'], headers=self.headers)
self.assertEqual(group['id'], r.json['group']['id'])
def test_list_groups_for_user_filtered(self):
domain = self._get_domain_fixture()
test_groups = []
test_users = []
GROUP_COUNT = 3
USER_COUNT = 2
for x in range(0, USER_COUNT):
# TODO(shaleh): use unit.new_user_ref()
new_user = {
'name': uuid.uuid4().hex,
'password': uuid.uuid4().hex,
'enabled': True,
'domain_id': domain['id']
}
new_user = self.identity_api.create_user(new_user)
test_users.append(new_user)
positive_user = test_users[0]
negative_user = test_users[1]
for x in range(0, USER_COUNT):
group_refs = self.identity_api.list_groups_for_user(
test_users[x]['id'])
self.assertEqual(0, len(group_refs))
for x in range(0, GROUP_COUNT):
new_group = unit.new_group_ref(domain_id=domain['id'])
new_group = self.identity_api.create_group(new_group)
test_groups.append(new_group)
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x, len(group_refs))
self.identity_api.add_user_to_group(positive_user['id'],
new_group['id'])
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(x + 1, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver = self.identity_api._select_identity_driver(
CONF.identity.default_domain_id)
driver.group.ldap_filter = '(dn=xx)'
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(0, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
driver.group.ldap_filter = '(objectclass=*)'
group_refs = self.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(GROUP_COUNT, len(group_refs))
group_refs = self.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
def test_list_groups_for_user(self):
domain = self._get_domain_fixture()
test_groups = []
test_users = []
GROUP_COUNT = 3
USER_COUNT = 2
for x in range(0, USER_COUNT):
new_user = unit.new_user_ref(domain_id=domain['id'])
new_user = PROVIDERS.identity_api.create_user(new_user)
test_users.append(new_user)
positive_user = test_users[0]
negative_user = test_users[1]
for x in range(0, USER_COUNT):
group_refs = PROVIDERS.identity_api.list_groups_for_user(
test_users[x]['id'])
self.assertEqual(0, len(group_refs))
for x in range(0, GROUP_COUNT):
before_count = x
after_count = x + 1
new_group = unit.new_group_ref(domain_id=domain['id'])
new_group = PROVIDERS.identity_api.create_group(new_group)
test_groups.append(new_group)
# add the user to the group and ensure that the
# group count increases by one for each
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(before_count, len(group_refs))
PROVIDERS.identity_api.add_user_to_group(
positive_user['id'],
new_group['id'])
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(after_count, len(group_refs))
# Make sure the group count for the unrelated user did not change
group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
# remove the user from each group and ensure that
# the group count reduces by one for each
for x in range(0, 3):
before_count = GROUP_COUNT - x
after_count = GROUP_COUNT - x - 1
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(before_count, len(group_refs))
PROVIDERS.identity_api.remove_user_from_group(
positive_user['id'],
test_groups[x]['id'])
group_refs = PROVIDERS.identity_api.list_groups_for_user(
positive_user['id'])
self.assertEqual(after_count, len(group_refs))
# Make sure the group count for the unrelated user
# did not change
group_refs = PROVIDERS.identity_api.list_groups_for_user(
negative_user['id'])
self.assertEqual(0, len(group_refs))
def _setup_test_role_assignments(self):
# Utility to create assignments and return important data for
# assertions.
# Since the role doesn't really matter too much, we can just re-use an
# existing role instead of creating a new one.
role_id = self.bootstrapper.reader_role_id
user = PROVIDERS.identity_api.create_user(
unit.new_user_ref(domain_id=CONF.identity.default_domain_id)
)
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=CONF.identity.default_domain_id)
)
domain = PROVIDERS.resource_api.create_domain(
uuid.uuid4().hex, unit.new_domain_ref()
)
project = PROVIDERS.resource_api.create_project(
uuid.uuid4().hex,
unit.new_project_ref(domain_id=CONF.identity.default_domain_id)
)
# create a user+project role assignment.
PROVIDERS.assignment_api.create_grant(
role_id, user_id=user['id'], project_id=project['id']
)
# create a user+domain role assignment.
PROVIDERS.assignment_api.create_grant(
role_id, user_id=user['id'], domain_id=domain['id']
)
# create a user+system role assignment.
PROVIDERS.assignment_api.create_system_grant_for_user(
user['id'], role_id
)
# create a group+project role assignment.
PROVIDERS.assignment_api.create_grant(
role_id, group_id=group['id'], project_id=project['id']
)
# create a group+domain role assignment.
PROVIDERS.assignment_api.create_grant(
role_id, group_id=group['id'], domain_id=domain['id']
)
# create a group+system role assignment.
PROVIDERS.assignment_api.create_system_grant_for_group(
group['id'], role_id
)
return {
'user_id': user['id'],
'group_id': group['id'],
'domain_id': domain['id'],
'project_id': project['id'],
'role_id': role_id,
}
def test_user_can_delete_group_in_own_domain(self):
group = PROVIDERS.identity_api.create_group(
unit.new_group_ref(domain_id=self.domain_id))
with self.test_client() as c:
c.delete('/v3/groups/%s' % group['id'], headers=self.headers)
def test_create_group(self):
"""Call ``POST /groups``."""
# Create a new group to avoid a duplicate check failure
ref = unit.new_group_ref(domain_id=self.domain_id)
r = self.post('/groups', body={'group': ref})
return self.assertValidGroupResponse(r, ref)
def test_delete_domain(self):
"""Call ``DELETE /domains/{domain_id}``.
The sample data set up already has a user and project that is part of
self.domain. Additionally we will create a group and a credential
within it. Since the user we will authenticate with is in this domain,
we create a another set of entities in a second domain. Deleting this
second domain should delete all these new entities. In addition,
all the entities in the regular self.domain should be unaffected
by the delete.
Test Plan:
- Create domain2 and a 2nd set of entities
- Disable domain2
- Delete domain2
- Check entities in domain2 have been deleted
- Check entities in self.domain are unaffected
"""
# Create a group and a credential in the main domain
group = unit.new_group_ref(domain_id=self.domain_id)
group = self.identity_api.create_group(group)
credential = unit.new_credential_ref(user_id=self.user['id'],
project_id=self.project_id)
self.credential_api.create_credential(credential['id'], credential)
# Create a 2nd set of entities in a 2nd domain
domain2 = unit.new_domain_ref()
self.resource_api.create_domain(domain2['id'], domain2)
project2 = unit.new_project_ref(domain_id=domain2['id'])
self.resource_api.create_project(project2['id'], project2)
user2 = unit.new_user_ref(domain_id=domain2['id'],
project_id=project2['id'])
user2 = self.identity_api.create_user(user2)
group2 = unit.new_group_ref(domain_id=domain2['id'])
group2 = self.identity_api.create_group(group2)
credential2 = unit.new_credential_ref(user_id=user2['id'],
project_id=project2['id'])
self.credential_api.create_credential(credential2['id'], credential2)
# Now disable the new domain and delete it
domain2['enabled'] = False
r = self.patch('/domains/%(domain_id)s' % {'domain_id': domain2['id']},
body={'domain': {
'enabled': False
}})
self.assertValidDomainResponse(r, domain2)
self.delete('/domains/%(domain_id)s' % {'domain_id': domain2['id']})
# Check all the domain2 relevant entities are gone
self.assertRaises(exception.DomainNotFound,
self.resource_api.get_domain, domain2['id'])
self.assertRaises(exception.ProjectNotFound,
self.resource_api.get_project, project2['id'])
self.assertRaises(exception.GroupNotFound, self.identity_api.get_group,
group2['id'])
self.assertRaises(exception.UserNotFound, self.identity_api.get_user,
user2['id'])
self.assertRaises(exception.CredentialNotFound,
self.credential_api.get_credential,
credential2['id'])
# ...and that all self.domain entities are still here
r = self.resource_api.get_domain(self.domain['id'])
self.assertDictEqual(self.domain, r)
r = self.resource_api.get_project(self.project['id'])
self.assertDictEqual(self.project, r)
r = self.identity_api.get_group(group['id'])
self.assertDictEqual(group, r)
r = self.identity_api.get_user(self.user['id'])
self.user.pop('password')
self.assertDictEqual(self.user, r)
r = self.credential_api.get_credential(credential['id'])
self.assertDictEqual(credential, r)
def load_sample_data(self):
"""Create sample data for password expiry tests.
The test environment will consist of a single domain, containing
a single project. It will create three users and one group.
Each user is going to be given a role assignment on the project
and the domain. Two of the three users are going to be placed into
the group, which won't have any role assignments to either the
project or the domain.
"""
self._populate_default_domain()
self.domain = unit.new_domain_ref()
self.resource_api.create_domain(self.domain['id'], self.domain)
self.domain_id = self.domain['id']
self.project = unit.new_project_ref(domain_id=self.domain_id)
self.project_id = self.project['id']
self.project = self.resource_api.create_project(
self.project_id, self.project)
self.group = unit.new_group_ref(domain_id=self.domain_id)
self.group = self.identity_api.create_group(self.group)
self.group_id = self.group['id']
# Creates three users each with password expiration offset
# by one day, starting with the current time frozen.
self.starttime = datetime.datetime.utcnow()
with freezegun.freeze_time(self.starttime):
self.config_fixture.config(group='security_compliance',
password_expires_days=1)
self.user = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance',
password_expires_days=2)
self.user2 = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.config_fixture.config(group='security_compliance',
password_expires_days=3)
self.user3 = unit.create_user(self.identity_api,
domain_id=self.domain_id)
self.role = unit.new_role_ref(name='admin')
self.role_api.create_role(self.role['id'], self.role)
self.role_id = self.role['id']
# Grant admin role to the users created.
self.assignment_api.create_grant(self.role_id,
user_id=self.user['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user2['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user3['id'],
domain_id=self.domain_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user['id'],
project_id=self.project_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user2['id'],
project_id=self.project_id)
self.assignment_api.create_grant(self.role_id,
user_id=self.user3['id'],
project_id=self.project_id)
# Add the last two users to the group.
self.identity_api.add_user_to_group(self.user2['id'], self.group_id)
self.identity_api.add_user_to_group(self.user3['id'], self.group_id)
