Пример #1
    def test_edit_user_roles_can_manage_all(self):
        """
        A requester may only edit a user when every role that user already
        holds is one the requester can manage.

        The target holds "_member_" and "project_admin" while the task is
        created with only "project_mod", so the action must be marked
        invalid and the target's roles must be unchanged afterwards.
        """
        project = fake_clients.FakeProject(name="test_project")
        target = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        def assign(role_name):
            # Fresh project-scoped assignment for the target user.
            return fake_clients.FakeRoleAssignment(
                scope={'project': {'id': project.id}},
                role_name=role_name,
                user={'id': target.id},
            )

        setup_identity_cache(
            projects=[project],
            users=[target],
            role_assignments=[assign("_member_"), assign("project_admin")],
        )

        # The requester only carries project_mod, which is less than the
        # target's project_admin.
        requester = {
            'roles': ['project_mod'],
            'project_id': project.id,
            'project_domain_id': 'default',
        }
        task = Task.objects.create(ip_address="0.0.0.0",
                                   keystone_user=requester)

        request_data = {
            'domain_id': 'default',
            'user_id': target.id,
            'project_id': project.id,
            'roles': ['project_mod'],
            'inherited_roles': [],
            'remove': False,
        }
        action = EditUserRolesAction(request_data, task=task, order=1)

        action.pre_approve()
        self.assertEqual(action.valid, False)

        # An invalid action must leave the stored role assignments alone.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target, project)
        self.assertEqual(current_roles, ['_member_', 'project_admin'])
Пример #2
    def test_edit_user_roles_can_manage_all(self):
        """
        Editing a user is refused unless the requester can manage every
        role that user currently holds.

        Here the managed user holds "member" and "project_admin" and the
        requester only "project_mod": prepare() must leave the action
        invalid and the user's roles must not change.
        """
        project = fake_clients.FakeProject(name="test_project")
        managed_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        role_assignments = [
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name=held_role,
                user={"id": managed_user.id},
            )
            for held_role in ("member", "project_admin")
        ]
        setup_identity_cache(
            projects=[project],
            users=[managed_user],
            role_assignments=role_assignments,
        )

        # Requester context: project_mod only.
        requester = {
            "roles": ["project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        request_data = {
            "domain_id": "default",
            "user_id": managed_user.id,
            "project_id": project.id,
            "roles": ["project_mod"],
            "inherited_roles": [],
            "remove": False,
        }
        action = EditUserRolesAction(request_data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, False)

        # The refused edit must not have touched the stored assignments.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(managed_user, project)
        self.assertEqual(current_roles, ["member", "project_admin"])
Пример #3
    def test_modify_settings_append_password(self):
        """
        Password reset must not issue a token for users holding a
        blacklisted role, including a role appended to the blacklist.

        NOTE(review): no settings override is visible inside this method;
        presumably "test_role" is appended to the blacklisted roles by a
        decorator outside this excerpt - confirm.
        """
        role_holder = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        admin_holder = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        project = fake_clients.FakeProject(name="test_project")
        test_role = fake_clients.FakeRole("test_role")

        def assign(role_name, holder):
            # Project-scoped assignment of role_name to holder.
            return fake_clients.FakeRoleAssignment(
                scope={'project': {'id': project.id}},
                role_name=role_name,
                user={'id': holder.id},
            )

        setup_identity_cache(
            projects=[project],
            users=[role_holder, admin_holder],
            role_assignments=[
                assign("test_role", role_holder),
                assign("admin", admin_holder),
            ],
            extra_roles=[test_role],
        )

        url = "/v1/actions/ResetPassword"

        # The endpoint answers 200 in both cases, so only the token count
        # shows that no reset token was issued.
        data = {'email': "*****@*****.**"}
        first = self.client.post(url, data, format='json')
        self.assertEqual(first.status_code, status.HTTP_200_OK)
        self.assertEqual(0, Token.objects.count())

        admin_data = {'email': '*****@*****.**'}
        second = self.client.post(url, admin_data, format='json')
        self.assertEqual(second.status_code, status.HTTP_200_OK)
        self.assertEqual(0, Token.objects.count())
Пример #4
    def test_remove_user_role(self):
        """
        Removing the only role a user holds on the project is accepted
        through the API and results in a task being created.
        """
        project = fake_clients.FakeProject(name="test_project")
        target = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        member_assignment = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": target.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[target],
            role_assignments=[member_assignment],
        )

        # Caller identity: project_admin on the same project as the target.
        admin_headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "test_user_id",
            "authenticated": True,
        }

        roles_url = "/v1/openstack/users/%s/roles" % target.id
        payload = {"roles": ["member"]}
        response = self.client.delete(
            roles_url, payload, format="json", headers=admin_headers
        )

        # 202 plus "task created": the removal is queued as a task.
        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
        self.assertEqual(response.json(), {"notes": ["task created"]})
Пример #5
    def test_edit_user_roles_modified_config_add(self):
        """
        The manageable-role mapping is read from config, so a role added
        there can be granted by a requester holding "project_mod".

        NOTE(review): the config change that permits "new_role" is not
        visible inside this method; presumably it is applied by a decorator
        outside this excerpt - confirm.
        """
        project = fake_clients.FakeProject(name="test_project")
        target = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        existing = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="project_mod",
            user={"id": target.id},
        )
        setup_identity_cache(
            projects=[project], users=[target], role_assignments=[existing]
        )

        # Register the extra role directly in the fake identity cache.
        new_role = fake_clients.FakeRole("new_role")
        fake_clients.identity_cache["roles"][new_role.id] = new_role

        requester = {
            "roles": ["project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        request_data = {
            "domain_id": "default",
            "user_id": target.id,
            "project_id": project.id,
            "roles": ["new_role"],
            "inherited_roles": [],
            "remove": False,
        }
        action = EditUserRolesAction(request_data, task=task, order=1)

        # The action has to stay valid through every stage.
        action.prepare()
        self.assertEqual(action.valid, True)

        action.approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        # The new role is added next to the one already held.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target, project)
        self.assertEqual(current_roles, ["project_mod", "new_role"])
Пример #6
    def test_edit_user_roles_modified_settings_add(self):
        """
        The manageable-role mapping is read from settings, so a role added
        there can be granted by a requester holding "project_mod".

        NOTE(review): the settings change that permits "new_role" is not
        visible inside this method; presumably it is applied by a decorator
        outside this excerpt - confirm.
        """
        project = fake_clients.FakeProject(name="test_project")
        target = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        existing = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name="project_mod",
            user={'id': target.id},
        )
        setup_identity_cache(
            projects=[project], users=[target], role_assignments=[existing]
        )

        # Register the extra role directly in the fake identity cache.
        new_role = fake_clients.FakeRole("new_role")
        fake_clients.identity_cache['roles'][new_role.id] = new_role

        requester = {
            'roles': ['project_mod'],
            'project_id': project.id,
            'project_domain_id': 'default',
        }
        task = Task.objects.create(ip_address="0.0.0.0",
                                   keystone_user=requester)

        request_data = {
            'domain_id': 'default',
            'user_id': target.id,
            'project_id': project.id,
            'roles': ['new_role'],
            'inherited_roles': [],
            'remove': False,
        }
        action = EditUserRolesAction(request_data, task=task, order=1)

        # The action has to stay valid through every stage.
        action.pre_approve()
        self.assertEqual(action.valid, True)

        action.post_approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        # The new role is added next to the one already held.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target, project)
        self.assertEqual(current_roles, ['project_mod', 'new_role'])
Пример #7
    def test_new_user_existing_role(self):
        """
        Existing user on a valid project who already holds the role.

        The action validates and reaches the "complete" state at approval,
        and the user's roles end up exactly as they started.
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        held = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": existing_user.id},
        )
        setup_identity_cache(
            projects=[project], users=[existing_user], role_assignments=[held]
        )

        requester = {
            "roles": ["admin", "project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        # Ask for the role the user already has.
        request_data = {
            "email": "*****@*****.**",
            "project_id": project.id,
            "roles": ["member"],
            "inherited_roles": [],
            "domain_id": "default",
        }
        action = NewUserAction(request_data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, True)

        action.approve()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, "complete")

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        # No duplicate or extra role may appear.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(existing_user, project)
        self.assertEqual(current_roles, ["member"])
Пример #8
    def test_new_user_existing_role(self):
        """
        Existing user on a valid tenant who already holds the role.

        The action validates and reaches the 'complete' state after
        post_approve(), and the user's roles end up exactly as they started.
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        held = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name="_member_",
            user={'id': existing_user.id},
        )
        setup_identity_cache(
            projects=[project], users=[existing_user], role_assignments=[held]
        )

        requester = {
            'roles': ['admin', 'project_mod'],
            'project_id': project.id,
            'project_domain_id': 'default',
        }
        task = Task.objects.create(ip_address="0.0.0.0",
                                   keystone_user=requester)

        # Ask for the role the user already has.
        request_data = {
            'email': '*****@*****.**',
            'project_id': project.id,
            'roles': ['_member_'],
            'inherited_roles': [],
            'domain_id': 'default',
        }
        action = NewUserAction(request_data, task=task, order=1)

        action.pre_approve()
        self.assertEqual(action.valid, True)

        action.post_approve()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, 'complete')

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        # No duplicate or extra role may appear.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(existing_user, project)
        self.assertEqual(current_roles, ['_member_'])
Пример #9
    def test_user_detail(self):
        """
        The user detail view reports direct and inherited roles separately.

        The user holds "member" twice on the project, once inherited and
        once direct, and each must show up in its own list.
        """
        project = fake_clients.FakeProject(name="test_project")
        target = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )

        inherited_member = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": target.id},
            inherited=True,
        )
        direct_member = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": target.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[target],
            role_assignments=[inherited_member, direct_member],
        )

        # Caller identity passed to the view through the test headers.
        headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "test_user_id",
            "authenticated": True,
        }

        detail_url = "/v1/openstack/users/%s" % target.id
        response = self.client.get(detail_url, headers=headers)
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        body = response.json()
        self.assertEqual(body["username"], "*****@*****.**")
        self.assertEqual(body["roles"], ["member"])
        self.assertEqual(body["inherited_roles"], ["member"])
Пример #10
    def test_edit_user_roles_remove_complete(self):
        """
        Removing a role the user does not hold is a valid no-op.

        The user only holds "_member_"; asking to remove "project_mod"
        leaves the action valid and already "complete" after pre_approve(),
        and the stored roles are unchanged at the end.
        """
        project = fake_clients.FakeProject(name="test_project")
        target = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        held = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name="_member_",
            user={'id': target.id},
        )
        setup_identity_cache(
            projects=[project], users=[target], role_assignments=[held]
        )

        requester = {
            'roles': ['admin', 'project_mod'],
            'project_id': project.id,
            'project_domain_id': 'default',
        }
        task = Task.objects.create(ip_address="0.0.0.0",
                                   keystone_user=requester)

        request_data = {
            'domain_id': 'default',
            'user_id': target.id,
            'project_id': project.id,
            'roles': ['project_mod'],
            'inherited_roles': [],
            'remove': True,
        }
        action = EditUserRolesAction(request_data, task=task, order=1)

        action.pre_approve()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, "complete")

        action.post_approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        # The role that was held must still be there.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target, project)
        self.assertEqual(current_roles, ['_member_'])
Пример #11
    def test_edit_user_roles_remove_complete(self):
        """
        Removing a role the user does not hold is a valid no-op.

        The user only holds "member"; asking to remove "project_mod"
        leaves the action valid and already "complete" after prepare(),
        and the stored roles are unchanged at the end.
        """
        project = fake_clients.FakeProject(name="test_project")
        target = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        held = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": target.id},
        )
        setup_identity_cache(
            projects=[project], users=[target], role_assignments=[held]
        )

        requester = {
            "roles": ["admin", "project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        request_data = {
            "domain_id": "default",
            "user_id": target.id,
            "project_id": project.id,
            "roles": ["project_mod"],
            "inherited_roles": [],
            "remove": True,
        }
        action = EditUserRolesAction(request_data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, True)
        self.assertEqual(action.action.state, "complete")

        action.approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        # The role that was held must still be there.
        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target, project)
        self.assertEqual(current_roles, ["member"])
Пример #12
    def test_modify_settings_remove_password(self):
        """
        Removing "admin" from the password-reset blacklisted roles lets an
        admin obtain a reset token, but only while the override is active.
        """
        admin_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        project = fake_clients.FakeProject(name="test_project")
        admin_assignment = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name="admin",
            user={'id': admin_user.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[admin_user],
            role_assignments=[admin_assignment],
        )

        url = "/v1/actions/ResetPassword"
        payload = {'email': '*****@*****.**'}

        def request_reset():
            # The same reset request is sent before, during and after
            # the override.
            return self.client.post(url, payload, format='json')

        override = {
            'key_list': [
                'reset_password',
                'action_settings',
                'ResetUserPasswordAction',
                'blacklisted_roles',
            ],
            'operation': 'remove',
            'value': ['admin'],
        }

        # Default settings: 200 is returned but no token is created.
        before = request_reset()
        self.assertEqual(before.status_code, status.HTTP_200_OK)
        self.assertEqual(0, Token.objects.count())

        # With "admin" removed from the blacklist a token is created.
        with self.modify_dict_settings(TASK_SETTINGS=override):
            during = request_reset()
            self.assertEqual(during.status_code, status.HTTP_200_OK)
            self.assertEqual(1, Token.objects.count())

        # Override gone: the count stays at 1, so no further token.
        after = request_reset()
        self.assertEqual(after.status_code, status.HTTP_200_OK)
        self.assertEqual(1, Token.objects.count())
Пример #13
    def test_new_user_wrong_domain(self):
        """
        Existing user, valid project, but a domain that does not match.

        The request names "not_default" while the task was created for
        domain "default"; the action must be invalid after prepare().
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        held = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="member",
            user={"id": existing_user.id},
        )
        setup_identity_cache(
            projects=[project], users=[existing_user], role_assignments=[held]
        )

        requester = {
            "roles": ["project_admin"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        # Only the domain differs from an otherwise acceptable request.
        request_data = {
            "email": "*****@*****.**",
            "project_id": project.id,
            "roles": ["member"],
            "inherited_roles": [],
            "domain_id": "not_default",
        }
        action = NewUserAction(request_data, task=task, order=1)

        action.prepare()
        self.assertFalse(action.valid)
Пример #14
    def test_new_user_wrong_domain(self):
        """
        Existing user, valid project, but a domain that does not match.

        The request names 'not_default' while the task was created for
        domain 'default'; the action must be invalid after pre_approve().
        """
        project = fake_clients.FakeProject(name="test_project")
        existing_user = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        held = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name="_member_",
            user={'id': existing_user.id},
        )
        setup_identity_cache(
            projects=[project], users=[existing_user], role_assignments=[held]
        )

        requester = {
            'roles': ['project_admin'],
            'project_id': project.id,
            'project_domain_id': 'default',
        }
        task = Task.objects.create(ip_address="0.0.0.0",
                                   keystone_user=requester)

        # Only the domain differs from an otherwise acceptable request.
        request_data = {
            'email': '*****@*****.**',
            'project_id': project.id,
            'roles': ['_member_'],
            'inherited_roles': [],
            'domain_id': 'not_default',
        }
        action = NewUserAction(request_data, task=task, order=1)

        action.pre_approve()
        self.assertFalse(action.valid)
Пример #15
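    def test_user_list_manageable(self):
        """
        Confirm that the manageable value is set correctly.

        The caller holds "member,project_mod". The first user also holds
        "project_admin" and must be reported as not manageable; the second
        holds only "member" and "project_mod" and must be manageable.
        """

        project = fake_clients.FakeProject(name="test_project")

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        user2 = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        assignments = [
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name="member",
                user={"id": user.id},
            ),
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name="project_admin",
                user={"id": user.id},
            ),
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name="member",
                user={"id": user2.id},
            ),
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name="project_mod",
                user={"id": user2.id},
            ),
        ]

        setup_identity_cache(
            projects=[project], users=[user, user2], role_assignments=assignments
        )

        headers = {
            "project_name": "test_project",
            "project_id": project.id,
            "roles": "member,project_mod",
            "username": "******",
            "user_id": "test_user_id",
            "authenticated": True,
        }

        url = "/v1/openstack/users"
        response = self.client.get(url, headers=headers)
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        listed = response.json()["users"]
        self.assertEqual(len(listed), 2)

        # Index by id so a missing user fails the test. The previous
        # if-guarded loop passed without checking anything when no
        # returned id matched.
        manageable_by_id = {entry["id"]: entry["manageable"] for entry in listed}
        self.assertEqual(set(manageable_by_id), {user.id, user2.id})
        self.assertFalse(manageable_by_id[user.id])
        self.assertTrue(manageable_by_id[user2.id])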
Пример #16
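    def test_user_list_inherited(self):
        """
        Test that user list returns inherited roles correctly.

        Three nested projects are set up and the list is requested for the
        innermost one. Users whose roles are inherited from the two parent
        projects must appear in the "Inherited" cohort with those roles; the
        user assigned on the innermost project must report direct and
        inherited roles separately.
        """
        project = fake_clients.FakeProject(name="test_project")
        project2 = fake_clients.FakeProject(
            name="test_project/child", parent_id=project.id
        )
        project3 = fake_clients.FakeProject(
            name="test_project/child/another", parent_id=project2.id
        )

        user = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        user2 = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        user3 = fake_clients.FakeUser(
            name="*****@*****.**", password="******", email="*****@*****.**"
        )

        assignments = [
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project.id}},
                role_name="project_admin",
                user={"id": user.id},
                inherited=True,
            ),
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project2.id}},
                role_name="project_mod",
                user={"id": user2.id},
                inherited=True,
            ),
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project3.id}},
                role_name="member",
                user={"id": user3.id},
            ),
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project3.id}},
                role_name="member",
                user={"id": user3.id},
                inherited=True,
            ),
            fake_clients.FakeRoleAssignment(
                scope={"project": {"id": project3.id}},
                role_name="project_mod",
                user={"id": user3.id},
            ),
        ]

        setup_identity_cache(
            projects=[project, project2, project3],
            users=[user, user2, user3],
            role_assignments=assignments,
        )

        url = "/v1/openstack/users"
        headers = {
            "project_name": "test_project",
            "project_id": project3.id,
            "roles": "project_admin,member,project_mod",
            "username": "******",
            "user_id": "test_user_id",
            "authenticated": True,
        }

        response = self.client.get(url, headers=headers)
        # Check the status before parsing so an error response is reported
        # as a status mismatch instead of a parsing or KeyError failure.
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        listed = response.json()["users"]

        inherited_users = [u for u in listed if u["cohort"] == "Inherited"]
        project_users = [u for u in listed if u["cohort"] != "Inherited"]
        self.assertEqual(len(inherited_users), 2)
        self.assertEqual(len(project_users), 1)

        # Compare by id so both inherited users must be present. The
        # previous if-guarded loop asserted nothing when no id matched.
        inherited_roles_by_id = {u["id"]: u["roles"] for u in inherited_users}
        self.assertEqual(
            inherited_roles_by_id,
            {user.id: ["project_admin"], user2.id: ["project_mod"]},
        )

        normal_user = project_users[0]
        self.assertEqual(normal_user["roles"], ["member", "project_mod"])
        self.assertEqual(normal_user["inherited_roles"], ["member"])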
Пример #17
    def test_modify_settings_update_email(self):
        """
        The 'update' settings operator changes the token email subject
        only while the override is active.

        Three UpdateEmail requests are sent: before, inside and after the
        override. Only the mail sent inside it carries the modified subject.
        """
        account = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        project = fake_clients.FakeProject(name="test_project")
        admin_assignment = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name="project_admin",
            user={'id': account.id},
        )
        setup_identity_cache(
            projects=[project],
            users=[account],
            role_assignments=[admin_assignment],
        )

        url = "/v1/actions/UpdateEmail"
        headers = {
            'project_name': "test_project",
            'project_id': project.id,
            'roles': "project_admin,_member_,project_mod",
            'username': "******",
            'user_id': account.id,
            'authenticated': True,
        }

        def request_update():
            # Each request posts a freshly built payload.
            payload = {'new_email': "*****@*****.**"}
            return self.client.post(
                url, payload, headers=headers, format='json'
            )

        modified_subject = 'modified_token_email'
        override = [{
            'key_list': ['update_email', 'emails', 'token'],
            'operation': 'update',
            'value': {
                'subject': 'modified_token_email',
                'template': 'email_update_token.txt',
            },
        }]

        # Before the override: default subject.
        response = request_update()
        self.assertEqual(response.status_code, status.HTTP_200_OK)
        self.assertEqual(len(mail.outbox), 1)
        self.assertNotEqual(mail.outbox[0].subject, modified_subject)

        # Inside the override: modified subject.
        with self.modify_dict_settings(TASK_SETTINGS=override):
            response = request_update()
            self.assertEqual(response.status_code, status.HTTP_200_OK)
            self.assertEqual(len(mail.outbox), 2)
            self.assertEqual(mail.outbox[1].subject, modified_subject)

        # After the override: default subject again.
        response = request_update()
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        self.assertEqual(len(mail.outbox), 3)
        self.assertNotEqual(mail.outbox[2].subject, modified_subject)
Пример #18
    def test_edit_user_roles_modified_config(self):
        """
        The manageable-role mapping is read from config and enforced.

        Granting "heat_stack_owner" is valid for a "project_mod" requester
        at prepare(). While the mapping for "project_mod" is narrowed to
        "member" and "project_mod", approve() and submit() leave the action
        invalid; once the override is lifted the same action succeeds.
        """
        project = fake_clients.FakeProject(name="test_project")
        target = fake_clients.FakeUser(
            name="*****@*****.**",
            password="******",
            email="*****@*****.**",
        )
        existing = fake_clients.FakeRoleAssignment(
            scope={"project": {"id": project.id}},
            role_name="project_mod",
            user={"id": target.id},
        )
        setup_identity_cache(
            projects=[project], users=[target], role_assignments=[existing]
        )

        requester = {
            "roles": ["project_mod"],
            "project_id": project.id,
            "project_domain_id": "default",
        }
        task = Task.objects.create(keystone_user=requester)

        request_data = {
            "domain_id": "default",
            "user_id": target.id,
            "project_id": project.id,
            "roles": ["heat_stack_owner"],
            "inherited_roles": [],
            "remove": False,
        }
        action = EditUserRolesAction(request_data, task=task, order=1)

        action.prepare()
        self.assertEqual(action.valid, True)

        # Narrow what project_mod may manage: heat_stack_owner is dropped.
        narrowed_mapping = {
            "adjutant.identity.role_mapping": [
                {
                    "operation": "update",
                    "value": {"project_mod": ["member", "project_mod"]},
                },
            ],
        }
        with conf_utils.modify_conf(CONF, operations=narrowed_mapping):
            # The later stages must leave the action invalid under the
            # narrowed mapping.
            action.approve()
            self.assertEqual(action.valid, False)

            token_data = {}
            action.submit(token_data)
            self.assertEqual(action.valid, False)

        # Override lifted: the same action is valid again.
        action.approve()
        self.assertEqual(action.valid, True)

        token_data = {}
        action.submit(token_data)
        self.assertEqual(action.valid, True)

        manager = fake_clients.FakeManager()
        current_roles = manager._get_roles_as_names(target, project)
        self.assertEqual(current_roles, ["project_mod", "heat_stack_owner"])
    def test_modify_settings_override_password(self):
        """
        Check that overriding the ResetUserPasswordAction blacklisted roles
        takes effect inside the override and is undone afterwards.

        Every request is answered with HTTP 200 whether or not a reset token
        is created, so the number of Token rows is the only signal of
        whether a reset was allowed.
        """

        user = fake_clients.FakeUser(name="*****@*****.**",
                                     password="******",
                                     email="*****@*****.**")

        user2 = fake_clients.FakeUser(name="*****@*****.**",
                                      password="******",
                                      email="*****@*****.**")

        project = fake_clients.FakeProject(name="test_project")

        test_role = fake_clients.FakeRole("test_role")

        # user holds test_role, user2 holds admin, both on the same project.
        user_assignment = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name="test_role",
            user={'id': user.id})
        admin_assignment = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': project.id}},
            role_name="admin",
            user={'id': user2.id})

        setup_identity_cache(projects=[project],
                             users=[user, user2],
                             role_assignments=[user_assignment,
                                               admin_assignment],
                             extra_roles=[test_role])

        reset_url = "/v1/actions/ResetPassword"
        # NOTE(review): the addresses are masked in this listing; presumably
        # the first payload is the test_role user's email and the second the
        # admin's. Confirm against the original file.
        user_payload = {'email': "*****@*****.**"}
        admin_payload = {'email': '*****@*****.**'}

        # Replace the blacklist with just test_role for the override's span.
        blacklist_override = {
            'key_list': [
                'reset_password', 'action_settings', 'ResetUserPasswordAction',
                'blacklisted_roles'
            ],
            'operation': 'override',
            'value': ['test_role'],
        }

        def request_reset(payload):
            """Post a reset request and require the uniform 200 reply."""
            reply = self.client.post(reset_url, payload, format='json')
            self.assertEqual(reply.status_code, status.HTTP_200_OK)

        # Default settings: the test_role user gets a token.
        request_reset(user_payload)
        self.assertEqual(1, Token.objects.count())

        # NOTE(amelia): This next bit relies on the default settings being
        # that admins can't reset their own password
        with self.modify_dict_settings(TASK_SETTINGS=blacklist_override):
            # test_role is blacklisted now: 200, but no new token.
            request_reset(user_payload)
            self.assertEqual(1, Token.objects.count())

            # admin is no longer blacklisted: a token is created.
            request_reset(admin_payload)
            self.assertEqual(2, Token.objects.count())

        # Override gone: the test_role user is allowed again ...
        request_reset(user_payload)
        self.assertEqual(3, Token.objects.count())

        # ... and the admin is refused again, still with a 200 reply.
        request_reset(admin_payload)
        self.assertEqual(3, Token.objects.count())
    def test_edit_user_roles_modified_settings(self):
        """
        Check that the role mapping is read from settings and is enforced
        again at post_approve and submit time, not only at pre_approve time.

        A requester holding ``project_mod`` asks to grant
        ``heat_stack_owner``. The action validates under the default
        settings, becomes invalid while ``heat_stack_owner`` is removed from
        the ``project_mod`` entry of ROLES_MAPPING, and validates again once
        the settings are restored.
        """
        target_project = fake_clients.FakeProject(name="test_project")

        target_user = fake_clients.FakeUser(name="*****@*****.**",
                                            password="******",
                                            email="*****@*****.**")

        existing_assignment = fake_clients.FakeRoleAssignment(
            scope={'project': {'id': target_project.id}},
            role_name="project_mod",
            user={'id': target_user.id})

        setup_identity_cache(projects=[target_project],
                             users=[target_user],
                             role_assignments=[existing_assignment])

        # The requester is a project_mod on the same project.
        requester = {
            'roles': ['project_mod'],
            'project_id': target_project.id,
            'project_domain_id': 'default',
        }
        task = Task.objects.create(ip_address="0.0.0.0",
                                   keystone_user=requester)

        # Request: add heat_stack_owner to the target user.
        request_data = {
            'domain_id': 'default',
            'user_id': target_user.id,
            'project_id': target_project.id,
            'roles': ['heat_stack_owner'],
            'inherited_roles': [],
            'remove': False
        }
        action = EditUserRolesAction(request_data, task=task, order=1)

        action.pre_approve()
        self.assertEqual(action.valid, True)

        # Take heat_stack_owner out of what project_mod may manage; the
        # already pre-approved action must stop validating.
        without_heat_stack_owner = {
            'key_list': ['project_mod'],
            'operation': "remove",
            'value': 'heat_stack_owner'
        }
        with self.modify_dict_settings(ROLES_MAPPING=without_heat_stack_owner):
            action.post_approve()
            self.assertEqual(action.valid, False)

            action.submit({})
            self.assertEqual(action.valid, False)

        # Outside the context manager the default mapping applies again.
        action.post_approve()
        self.assertEqual(action.valid, True)

        action.submit({})
        self.assertEqual(action.valid, True)

        # Only the submit made under the default settings is expected to
        # have added the role.
        granted = fake_clients.FakeManager()._get_roles_as_names(
            target_user, target_project)
        self.assertEqual(granted, ['project_mod', 'heat_stack_owner'])