diff options
author | RHE <rebirthmonkey@gmail.com> | 2017-11-24 13:54:26 +0100 |
---|---|---|
committer | RHE <rebirthmonkey@gmail.com> | 2017-11-24 13:54:26 +0100 |
commit | 920a49cfa055733d575282973e23558c33087a4a (patch) | |
tree | d371dab34efa5028600dad2e7ca58063626e7ba4 /keystone-moon/keystone/tests/unit/test_v3_assignment.py | |
parent | ef3eefca70d8abb4a00dafb9419ad32738e934b2 (diff) |
remove keystone-moon
Change-Id: I80d7c9b669f19d5f6607e162de8e0e55c2f80fdd
Signed-off-by: RHE <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon/keystone/tests/unit/test_v3_assignment.py')
-rw-r--r-- | keystone-moon/keystone/tests/unit/test_v3_assignment.py | 2871 |
1 files changed, 0 insertions, 2871 deletions
diff --git a/keystone-moon/keystone/tests/unit/test_v3_assignment.py b/keystone-moon/keystone/tests/unit/test_v3_assignment.py deleted file mode 100644 index 86fb9f74..00000000 --- a/keystone-moon/keystone/tests/unit/test_v3_assignment.py +++ /dev/null @@ -1,2871 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -import random -import uuid - -from oslo_config import cfg -from six.moves import http_client -from six.moves import range -from testtools import matchers - -from keystone.tests import unit -from keystone.tests.unit import test_v3 - - -CONF = cfg.CONF - - -class AssignmentTestCase(test_v3.RestfulTestCase, - test_v3.AssignmentTestMixin): - """Test roles and role assignments.""" - - def setUp(self): - super(AssignmentTestCase, self).setUp() - - self.group = unit.new_group_ref(domain_id=self.domain_id) - self.group = self.identity_api.create_group(self.group) - self.group_id = self.group['id'] - - # Role CRUD tests - - def test_create_role(self): - """Call ``POST /roles``.""" - ref = unit.new_role_ref() - r = self.post( - '/roles', - body={'role': ref}) - return self.assertValidRoleResponse(r, ref) - - def test_create_role_bad_request(self): - """Call ``POST /roles``.""" - self.post('/roles', body={'role': {}}, - expected_status=http_client.BAD_REQUEST) - - def test_list_roles(self): - """Call ``GET /roles``.""" - resource_url = '/roles' - r = self.get(resource_url) - self.assertValidRoleListResponse(r, ref=self.role, - resource_url=resource_url) - - def test_get_role(self): - """Call ``GET /roles/{role_id}``.""" - r = self.get('/roles/%(role_id)s' % { - 'role_id': self.role_id}) - self.assertValidRoleResponse(r, self.role) - - def test_update_role(self): - """Call ``PATCH /roles/{role_id}``.""" - ref = unit.new_role_ref() - del ref['id'] - r = self.patch('/roles/%(role_id)s' % { - 'role_id': self.role_id}, - body={'role': ref}) - self.assertValidRoleResponse(r, ref) - - def test_delete_role(self): - """Call ``DELETE /roles/{role_id}``.""" - self.delete('/roles/%(role_id)s' % { - 'role_id': self.role_id}) - - def test_create_member_role(self): - """Call ``POST /roles``.""" - # specify only the name on creation - ref = unit.new_role_ref(name=CONF.member_role_name) - r = self.post( - '/roles', - body={'role': ref}) - self.assertValidRoleResponse(r, ref) - - # but the ID should be set as defined in CONF - self.assertEqual(CONF.member_role_id, r.json['role']['id']) - - # Role Grants tests - - def test_crud_user_project_role_grants(self): - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - - collection_url = ( - '/projects/%(project_id)s/users/%(user_id)s/roles' % { - 'project_id': self.project['id'], - 'user_id': self.user['id']}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': role['id']} - - # There is a role assignment for self.user on self.project - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=self.role, - expected_length=1) - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=role, - resource_url=collection_url, - expected_length=2) - - self.delete(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=self.role, expected_length=1) - self.assertIn(collection_url, r.result['links']['self']) - - def test_crud_user_project_role_grants_no_user(self): - """Grant role on a project to a user that doesn't exist. - - When grant a role on a project to a user that doesn't exist, the server - returns Not Found for the user. - - """ - user_id = uuid.uuid4().hex - - collection_url = ( - '/projects/%(project_id)s/users/%(user_id)s/roles' % { - 'project_id': self.project['id'], 'user_id': user_id}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - self.put(member_url, expected_status=http_client.NOT_FOUND) - - def test_crud_user_domain_role_grants(self): - collection_url = ( - '/domains/%(domain_id)s/users/%(user_id)s/roles' % { - 'domain_id': self.domain_id, - 'user_id': self.user['id']}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=self.role, - resource_url=collection_url) - - self.delete(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, expected_length=0, - resource_url=collection_url) - - def test_crud_user_domain_role_grants_no_user(self): - """Grant role on a domain to a user that doesn't exist. - - When grant a role on a domain to a user that doesn't exist, the server - returns 404 Not Found for the user. - - """ - user_id = uuid.uuid4().hex - - collection_url = ( - '/domains/%(domain_id)s/users/%(user_id)s/roles' % { - 'domain_id': self.domain_id, 'user_id': user_id}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - self.put(member_url, expected_status=http_client.NOT_FOUND) - - def test_crud_group_project_role_grants(self): - collection_url = ( - '/projects/%(project_id)s/groups/%(group_id)s/roles' % { - 'project_id': self.project_id, - 'group_id': self.group_id}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=self.role, - resource_url=collection_url) - - self.delete(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, expected_length=0, - resource_url=collection_url) - - def test_crud_group_project_role_grants_no_group(self): - """Grant role on a project to a group that doesn't exist. - - When grant a role on a project to a group that doesn't exist, the - server returns 404 Not Found for the group. - - """ - group_id = uuid.uuid4().hex - - collection_url = ( - '/projects/%(project_id)s/groups/%(group_id)s/roles' % { - 'project_id': self.project_id, - 'group_id': group_id}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - self.put(member_url, expected_status=http_client.NOT_FOUND) - - def test_crud_group_domain_role_grants(self): - collection_url = ( - '/domains/%(domain_id)s/groups/%(group_id)s/roles' % { - 'domain_id': self.domain_id, - 'group_id': self.group_id}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=self.role, - resource_url=collection_url) - - self.delete(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, expected_length=0, - resource_url=collection_url) - - def test_crud_group_domain_role_grants_no_group(self): - """Grant role on a domain to a group that doesn't exist. - - When grant a role on a domain to a group that doesn't exist, the server - returns 404 Not Found for the group. - - """ - group_id = uuid.uuid4().hex - - collection_url = ( - '/domains/%(domain_id)s/groups/%(group_id)s/roles' % { - 'domain_id': self.domain_id, - 'group_id': group_id}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - self.put(member_url, expected_status=http_client.NOT_FOUND) - - def _create_new_user_and_assign_role_on_project(self): - """Create a new user and assign user a role on a project.""" - # Create a new user - new_user = unit.new_user_ref(domain_id=self.domain_id) - user_ref = self.identity_api.create_user(new_user) - # Assign the user a role on the project - collection_url = ( - '/projects/%(project_id)s/users/%(user_id)s/roles' % { - 'project_id': self.project_id, - 'user_id': user_ref['id']}) - member_url = ('%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id}) - self.put(member_url) - # Check the user has the role assigned - self.head(member_url) - return member_url, user_ref - - def test_delete_user_before_removing_role_assignment_succeeds(self): - """Call ``DELETE`` on the user before the role assignment.""" - member_url, user = self._create_new_user_and_assign_role_on_project() - # Delete the user from identity backend - self.identity_api.driver.delete_user(user['id']) - # Clean up the role assignment - self.delete(member_url) - # Make sure the role is gone - self.head(member_url, expected_status=http_client.NOT_FOUND) - - def test_delete_user_and_check_role_assignment_fails(self): - """Call ``DELETE`` on the user and check the role assignment.""" - member_url, user = self._create_new_user_and_assign_role_on_project() - # Delete the user from identity backend - self.identity_api.delete_user(user['id']) - # We should get a 404 Not Found when looking for the user in the - # identity backend because we're not performing a delete operation on - # the role. - self.head(member_url, expected_status=http_client.NOT_FOUND) - - def test_token_revoked_once_group_role_grant_revoked(self): - """Test token is revoked when group role grant is revoked - - When a role granted to a group is revoked for a given scope, - all tokens related to this scope and belonging to one of the members - of this group should be revoked. - - The revocation should be independently to the presence - of the revoke API. - """ - # creates grant from group on project. - self.assignment_api.create_grant(role_id=self.role['id'], - project_id=self.project['id'], - group_id=self.group['id']) - - # adds user to the group. - self.identity_api.add_user_to_group(user_id=self.user['id'], - group_id=self.group['id']) - - # creates a token for the user - auth_body = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password'], - project_id=self.project['id']) - token_resp = self.post('/auth/tokens', body=auth_body) - token = token_resp.headers.get('x-subject-token') - - # validates the returned token; it should be valid. - self.head('/auth/tokens', - headers={'x-subject-token': token}, - expected_status=http_client.OK) - - # revokes the grant from group on project. - self.assignment_api.delete_grant(role_id=self.role['id'], - project_id=self.project['id'], - group_id=self.group['id']) - - # validates the same token again; it should not longer be valid. - self.head('/auth/tokens', - headers={'x-subject-token': token}, - expected_status=http_client.NOT_FOUND) - - @unit.skip_if_cache_disabled('assignment') - def test_delete_grant_from_user_and_project_invalidate_cache(self): - # create a new project - new_project = unit.new_project_ref(domain_id=self.domain_id) - self.resource_api.create_project(new_project['id'], new_project) - - collection_url = ( - '/projects/%(project_id)s/users/%(user_id)s/roles' % { - 'project_id': new_project['id'], - 'user_id': self.user['id']}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - # create the user a grant on the new project - self.put(member_url) - - # check the grant that was just created - self.head(member_url) - resp = self.get(collection_url) - self.assertValidRoleListResponse(resp, ref=self.role, - resource_url=collection_url) - - # delete the grant - self.delete(member_url) - - # get the collection and ensure there are no roles on the project - resp = self.get(collection_url) - self.assertListEqual(resp.json_body['roles'], []) - - @unit.skip_if_cache_disabled('assignment') - def test_delete_grant_from_user_and_domain_invalidates_cache(self): - # create a new domain - new_domain = unit.new_domain_ref() - self.resource_api.create_domain(new_domain['id'], new_domain) - - collection_url = ( - '/domains/%(domain_id)s/users/%(user_id)s/roles' % { - 'domain_id': new_domain['id'], - 'user_id': self.user['id']}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - # create the user a grant on the new domain - self.put(member_url) - - # check the grant that was just created - self.head(member_url) - resp = self.get(collection_url) - self.assertValidRoleListResponse(resp, ref=self.role, - resource_url=collection_url) - - # delete the grant - self.delete(member_url) - - # get the collection and ensure there are no roles on the domain - resp = self.get(collection_url) - self.assertListEqual(resp.json_body['roles'], []) - - @unit.skip_if_cache_disabled('assignment') - def test_delete_grant_from_group_and_project_invalidates_cache(self): - # create a new project - new_project = unit.new_project_ref(domain_id=self.domain_id) - self.resource_api.create_project(new_project['id'], new_project) - - collection_url = ( - '/projects/%(project_id)s/groups/%(group_id)s/roles' % { - 'project_id': new_project['id'], - 'group_id': self.group['id']}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - # create the group a grant on the new project - self.put(member_url) - - # check the grant that was just created - self.head(member_url) - resp = self.get(collection_url) - self.assertValidRoleListResponse(resp, ref=self.role, - resource_url=collection_url) - - # delete the grant - self.delete(member_url) - - # get the collection and ensure there are no roles on the project - resp = self.get(collection_url) - self.assertListEqual(resp.json_body['roles'], []) - - @unit.skip_if_cache_disabled('assignment') - def test_delete_grant_from_group_and_domain_invalidates_cache(self): - # create a new domain - new_domain = unit.new_domain_ref() - self.resource_api.create_domain(new_domain['id'], new_domain) - - collection_url = ( - '/domains/%(domain_id)s/groups/%(group_id)s/roles' % { - 'domain_id': new_domain['id'], - 'group_id': self.group['id']}) - member_url = '%(collection_url)s/%(role_id)s' % { - 'collection_url': collection_url, - 'role_id': self.role_id} - - # create the group a grant on the new domain - self.put(member_url) - - # check the grant that was just created - self.head(member_url) - resp = self.get(collection_url) - self.assertValidRoleListResponse(resp, ref=self.role, - resource_url=collection_url) - - # delete the grant - self.delete(member_url) - - # get the collection and ensure there are no roles on the domain - resp = self.get(collection_url) - self.assertListEqual(resp.json_body['roles'], []) - - # Role Assignments tests - - def test_get_role_assignments(self): - """Call ``GET /role_assignments``. - - The sample data set up already has a user, group and project - that is part of self.domain. We use these plus a new user - we create as our data set, making sure we ignore any - role assignments that are already in existence. - - Since we don't yet support a first class entity for role - assignments, we are only testing the LIST API. To create - and delete the role assignments we use the old grant APIs. - - Test Plan: - - - Create extra user for tests - - Get a list of all existing role assignments - - Add a new assignment for each of the four combinations, i.e. - group+domain, user+domain, group+project, user+project, using - the same role each time - - Get a new list of all role assignments, checking these four new - ones have been added - - Then delete the four we added - - Get a new list of all role assignments, checking the four have - been removed - - """ - # Since the default fixtures already assign some roles to the - # user it creates, we also need a new user that will not have any - # existing assignments - user1 = unit.new_user_ref(domain_id=self.domain['id']) - user1 = self.identity_api.create_user(user1) - - collection_url = '/role_assignments' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - resource_url=collection_url) - existing_assignments = len(r.result.get('role_assignments')) - - # Now add one of each of the four types of assignment, making sure - # that we get them all back. - gd_entity = self.build_role_assignment_entity(domain_id=self.domain_id, - group_id=self.group_id, - role_id=self.role_id) - self.put(gd_entity['links']['assignment']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 1, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, gd_entity) - - ud_entity = self.build_role_assignment_entity(domain_id=self.domain_id, - user_id=user1['id'], - role_id=self.role_id) - self.put(ud_entity['links']['assignment']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 2, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, ud_entity) - - gp_entity = self.build_role_assignment_entity( - project_id=self.project_id, group_id=self.group_id, - role_id=self.role_id) - self.put(gp_entity['links']['assignment']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 3, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, gp_entity) - - up_entity = self.build_role_assignment_entity( - project_id=self.project_id, user_id=user1['id'], - role_id=self.role_id) - self.put(up_entity['links']['assignment']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 4, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, up_entity) - - # Now delete the four we added and make sure they are removed - # from the collection. - - self.delete(gd_entity['links']['assignment']) - self.delete(ud_entity['links']['assignment']) - self.delete(gp_entity['links']['assignment']) - self.delete(up_entity['links']['assignment']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments, - resource_url=collection_url) - self.assertRoleAssignmentNotInListResponse(r, gd_entity) - self.assertRoleAssignmentNotInListResponse(r, ud_entity) - self.assertRoleAssignmentNotInListResponse(r, gp_entity) - self.assertRoleAssignmentNotInListResponse(r, up_entity) - - def test_get_effective_role_assignments(self): - """Call ``GET /role_assignments?effective``. - - Test Plan: - - - Create two extra user for tests - - Add these users to a group - - Add a role assignment for the group on a domain - - Get a list of all role assignments, checking one has been added - - Then get a list of all effective role assignments - the group - assignment should have turned into assignments on the domain - for each of the group members. - - """ - user1 = unit.create_user(self.identity_api, - domain_id=self.domain['id']) - user2 = unit.create_user(self.identity_api, - domain_id=self.domain['id']) - - self.identity_api.add_user_to_group(user1['id'], self.group['id']) - self.identity_api.add_user_to_group(user2['id'], self.group['id']) - - collection_url = '/role_assignments' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - resource_url=collection_url) - existing_assignments = len(r.result.get('role_assignments')) - - gd_entity = self.build_role_assignment_entity(domain_id=self.domain_id, - group_id=self.group_id, - role_id=self.role_id) - self.put(gd_entity['links']['assignment']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 1, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, gd_entity) - - # Now re-read the collection asking for effective roles - this - # should mean the group assignment is translated into the two - # member user assignments - collection_url = '/role_assignments?effective' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 2, - resource_url=collection_url) - ud_entity = self.build_role_assignment_entity( - link=gd_entity['links']['assignment'], domain_id=self.domain_id, - user_id=user1['id'], role_id=self.role_id) - self.assertRoleAssignmentInListResponse(r, ud_entity) - ud_entity = self.build_role_assignment_entity( - link=gd_entity['links']['assignment'], domain_id=self.domain_id, - user_id=user2['id'], role_id=self.role_id) - self.assertRoleAssignmentInListResponse(r, ud_entity) - - def test_check_effective_values_for_role_assignments(self): - """Call ``GET /role_assignments?effective=value``. - - Check the various ways of specifying the 'effective' - query parameter. If the 'effective' query parameter - is included then this should always be treated as meaning 'True' - unless it is specified as: - - {url}?effective=0 - - This is by design to match the agreed way of handling - policy checking on query/filter parameters. - - Test Plan: - - - Create two extra user for tests - - Add these users to a group - - Add a role assignment for the group on a domain - - Get a list of all role assignments, checking one has been added - - Then issue various request with different ways of defining - the 'effective' query parameter. As we have tested the - correctness of the data coming back when we get effective roles - in other tests, here we just use the count of entities to - know if we are getting effective roles or not - - """ - user1 = unit.create_user(self.identity_api, - domain_id=self.domain['id']) - user2 = unit.create_user(self.identity_api, - domain_id=self.domain['id']) - - self.identity_api.add_user_to_group(user1['id'], self.group['id']) - self.identity_api.add_user_to_group(user2['id'], self.group['id']) - - collection_url = '/role_assignments' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - resource_url=collection_url) - existing_assignments = len(r.result.get('role_assignments')) - - gd_entity = self.build_role_assignment_entity(domain_id=self.domain_id, - group_id=self.group_id, - role_id=self.role_id) - self.put(gd_entity['links']['assignment']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 1, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, gd_entity) - - # Now re-read the collection asking for effective roles, - # using the most common way of defining "effective'. This - # should mean the group assignment is translated into the two - # member user assignments - collection_url = '/role_assignments?effective' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 2, - resource_url=collection_url) - # Now set 'effective' to false explicitly - should get - # back the regular roles - collection_url = '/role_assignments?effective=0' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 1, - resource_url=collection_url) - # Now try setting 'effective' to 'False' explicitly- this is - # NOT supported as a way of setting a query or filter - # parameter to false by design. Hence we should get back - # effective roles. - collection_url = '/role_assignments?effective=False' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 2, - resource_url=collection_url) - # Now set 'effective' to True explicitly - collection_url = '/role_assignments?effective=True' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, - expected_length=existing_assignments + 2, - resource_url=collection_url) - - def test_filtered_role_assignments(self): - """Call ``GET /role_assignments?filters``. - - Test Plan: - - - Create extra users, group, role and project for tests - - Make the following assignments: - Give group1, role1 on project1 and domain - Give user1, role2 on project1 and domain - Make User1 a member of Group1 - - Test a series of single filter list calls, checking that - the correct results are obtained - - Test a multi-filtered list call - - Test listing all effective roles for a given user - - Test the equivalent of the list of roles in a project scoped - token (all effective roles for a user on a project) - - """ - # Since the default fixtures already assign some roles to the - # user it creates, we also need a new user that will not have any - # existing assignments - user1 = unit.create_user(self.identity_api, - domain_id=self.domain['id']) - user2 = unit.create_user(self.identity_api, - domain_id=self.domain['id']) - - group1 = unit.new_group_ref(domain_id=self.domain['id']) - group1 = self.identity_api.create_group(group1) - self.identity_api.add_user_to_group(user1['id'], group1['id']) - self.identity_api.add_user_to_group(user2['id'], group1['id']) - project1 = unit.new_project_ref(domain_id=self.domain['id']) - self.resource_api.create_project(project1['id'], project1) - self.role1 = unit.new_role_ref() - self.role_api.create_role(self.role1['id'], self.role1) - self.role2 = unit.new_role_ref() - self.role_api.create_role(self.role2['id'], self.role2) - - # Now add one of each of the four types of assignment - - gd_entity = self.build_role_assignment_entity( - domain_id=self.domain_id, group_id=group1['id'], - role_id=self.role1['id']) - self.put(gd_entity['links']['assignment']) - - ud_entity = self.build_role_assignment_entity(domain_id=self.domain_id, - user_id=user1['id'], - role_id=self.role2['id']) - self.put(ud_entity['links']['assignment']) - - gp_entity = self.build_role_assignment_entity( - project_id=project1['id'], - group_id=group1['id'], - role_id=self.role1['id']) - self.put(gp_entity['links']['assignment']) - - up_entity = self.build_role_assignment_entity( - project_id=project1['id'], - user_id=user1['id'], - role_id=self.role2['id']) - self.put(up_entity['links']['assignment']) - - # Now list by various filters to make sure we get back the right ones - - collection_url = ('/role_assignments?scope.project.id=%s' % - project1['id']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=2, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, up_entity) - self.assertRoleAssignmentInListResponse(r, gp_entity) - - collection_url = ('/role_assignments?scope.domain.id=%s' % - self.domain['id']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=2, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, ud_entity) - self.assertRoleAssignmentInListResponse(r, gd_entity) - - collection_url = '/role_assignments?user.id=%s' % user1['id'] - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=2, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, up_entity) - self.assertRoleAssignmentInListResponse(r, ud_entity) - - collection_url = '/role_assignments?group.id=%s' % group1['id'] - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=2, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, gd_entity) - self.assertRoleAssignmentInListResponse(r, gp_entity) - - collection_url = '/role_assignments?role.id=%s' % self.role1['id'] - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=2, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, gd_entity) - self.assertRoleAssignmentInListResponse(r, gp_entity) - - # Let's try combining two filers together.... - - collection_url = ( - '/role_assignments?user.id=%(user_id)s' - '&scope.project.id=%(project_id)s' % { - 'user_id': user1['id'], - 'project_id': project1['id']}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=1, - resource_url=collection_url) - self.assertRoleAssignmentInListResponse(r, up_entity) - - # Now for a harder one - filter for user with effective - # roles - this should return role assignment that were directly - # assigned as well as by virtue of group membership - - collection_url = ('/role_assignments?effective&user.id=%s' % - user1['id']) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=4, - resource_url=collection_url) - # Should have the two direct roles... - self.assertRoleAssignmentInListResponse(r, up_entity) - self.assertRoleAssignmentInListResponse(r, ud_entity) - # ...and the two via group membership... - gp1_link = self.build_role_assignment_link( - project_id=project1['id'], - group_id=group1['id'], - role_id=self.role1['id']) - gd1_link = self.build_role_assignment_link(domain_id=self.domain_id, - group_id=group1['id'], - role_id=self.role1['id']) - - up1_entity = self.build_role_assignment_entity( - link=gp1_link, project_id=project1['id'], - user_id=user1['id'], role_id=self.role1['id']) - ud1_entity = self.build_role_assignment_entity( - link=gd1_link, domain_id=self.domain_id, user_id=user1['id'], - role_id=self.role1['id']) - self.assertRoleAssignmentInListResponse(r, up1_entity) - self.assertRoleAssignmentInListResponse(r, ud1_entity) - - # ...and for the grand-daddy of them all, simulate the request - # that would generate the list of effective roles in a project - # scoped token. - - collection_url = ( - '/role_assignments?effective&user.id=%(user_id)s' - '&scope.project.id=%(project_id)s' % { - 'user_id': user1['id'], - 'project_id': project1['id']}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=2, - resource_url=collection_url) - # Should have one direct role and one from group membership... - self.assertRoleAssignmentInListResponse(r, up_entity) - self.assertRoleAssignmentInListResponse(r, up1_entity) - - -class RoleAssignmentBaseTestCase(test_v3.RestfulTestCase, - test_v3.AssignmentTestMixin): - """Base class for testing /v3/role_assignments API behavior.""" - - MAX_HIERARCHY_BREADTH = 3 - MAX_HIERARCHY_DEPTH = CONF.max_project_tree_depth - 1 - - def load_sample_data(self): - """Creates sample data to be used on tests. - - Created data are i) a role and ii) a domain containing: a project - hierarchy and 3 users within 3 groups. - - """ - def create_project_hierarchy(parent_id, depth): - """Creates a random project hierarchy.""" - if depth == 0: - return - - breadth = random.randint(1, self.MAX_HIERARCHY_BREADTH) - - subprojects = [] - for i in range(breadth): - subprojects.append(unit.new_project_ref( - domain_id=self.domain_id, parent_id=parent_id)) - self.resource_api.create_project(subprojects[-1]['id'], - subprojects[-1]) - - new_parent = subprojects[random.randint(0, breadth - 1)] - create_project_hierarchy(new_parent['id'], depth - 1) - - super(RoleAssignmentBaseTestCase, self).load_sample_data() - - # Create a domain - self.domain = unit.new_domain_ref() - self.domain_id = self.domain['id'] - self.resource_api.create_domain(self.domain_id, self.domain) - - # Create a project hierarchy - self.project = unit.new_project_ref(domain_id=self.domain_id) - self.project_id = self.project['id'] - self.resource_api.create_project(self.project_id, self.project) - - # Create a random project hierarchy - create_project_hierarchy(self.project_id, - random.randint(1, self.MAX_HIERARCHY_DEPTH)) - - # Create 3 users - self.user_ids = [] - for i in range(3): - user = unit.new_user_ref(domain_id=self.domain_id) - user = self.identity_api.create_user(user) - self.user_ids.append(user['id']) - - # Create 3 groups - self.group_ids = [] - for i in range(3): - group = unit.new_group_ref(domain_id=self.domain_id) - group = self.identity_api.create_group(group) - self.group_ids.append(group['id']) - - # Put 2 members on each group - self.identity_api.add_user_to_group(user_id=self.user_ids[i], - group_id=group['id']) - self.identity_api.add_user_to_group(user_id=self.user_ids[i % 2], - group_id=group['id']) - - self.assignment_api.create_grant(user_id=self.user_id, - project_id=self.project_id, - role_id=self.role_id) - - # Create a role - self.role = unit.new_role_ref() - self.role_id = self.role['id'] - self.role_api.create_role(self.role_id, self.role) - - # Set default user and group to be used on tests - self.default_user_id = self.user_ids[0] - self.default_group_id = self.group_ids[0] - - def get_role_assignments(self, expected_status=http_client.OK, **filters): - """Returns the result from querying role assignment API + queried URL. - - Calls GET /v3/role_assignments?<params> and returns its result, where - <params> is the HTTP query parameters form of effective option plus - filters, if provided. Queried URL is returned as well. - - :returns: a tuple containing the list role assignments API response and - queried URL. - - """ - query_url = self._get_role_assignments_query_url(**filters) - response = self.get(query_url, expected_status=expected_status) - - return (response, query_url) - - def _get_role_assignments_query_url(self, **filters): - """Returns non-effective role assignments query URL from given filters. - - :param filters: query parameters are created with the provided filters - on role assignments attributes. Valid filters are: - role_id, domain_id, project_id, group_id, user_id and - inherited_to_projects. - - :returns: role assignments query URL. - - """ - return self.build_role_assignment_query_url(**filters) - - -class RoleAssignmentFailureTestCase(RoleAssignmentBaseTestCase): - """Class for testing invalid query params on /v3/role_assignments API. - - Querying domain and project, or user and group results in a HTTP 400 Bad - Request, since a role assignment must contain only a single pair of (actor, - target). In addition, since filtering on role assignments applies only to - the final result, effective mode cannot be combined with i) group or ii) - domain and inherited, because it would always result in an empty list. - - """ - - def test_get_role_assignments_by_domain_and_project(self): - self.get_role_assignments(domain_id=self.domain_id, - project_id=self.project_id, - expected_status=http_client.BAD_REQUEST) - - def test_get_role_assignments_by_user_and_group(self): - self.get_role_assignments(user_id=self.default_user_id, - group_id=self.default_group_id, - expected_status=http_client.BAD_REQUEST) - - def test_get_role_assignments_by_effective_and_inherited(self): - self.config_fixture.config(group='os_inherit', enabled=True) - - self.get_role_assignments(domain_id=self.domain_id, effective=True, - inherited_to_projects=True, - expected_status=http_client.BAD_REQUEST) - - def test_get_role_assignments_by_effective_and_group(self): - self.get_role_assignments(effective=True, - group_id=self.default_group_id, - expected_status=http_client.BAD_REQUEST) - - -class RoleAssignmentDirectTestCase(RoleAssignmentBaseTestCase): - """Class for testing direct assignments on /v3/role_assignments API. - - Direct assignments on a domain or project have effect on them directly, - instead of on their project hierarchy, i.e they are non-inherited. In - addition, group direct assignments are not expanded to group's users. - - Tests on this class make assertions on the representation and API filtering - of direct assignments. - - """ - - def _test_get_role_assignments(self, **filters): - """Generic filtering test method. - - According to the provided filters, this method: - - creates a new role assignment; - - asserts that list role assignments API reponds correctly; - - deletes the created role assignment. - - :param filters: filters to be considered when listing role assignments. - Valid filters are: role_id, domain_id, project_id, - group_id, user_id and inherited_to_projects. - - """ - # Fills default assignment with provided filters - test_assignment = self._set_default_assignment_attributes(**filters) - - # Create new role assignment for this test - self.assignment_api.create_grant(**test_assignment) - - # Get expected role assignments - expected_assignments = self._list_expected_role_assignments( - **test_assignment) - - # Get role assignments from API - response, query_url = self.get_role_assignments(**test_assignment) - self.assertValidRoleAssignmentListResponse(response, - resource_url=query_url) - self.assertEqual(len(expected_assignments), - len(response.result.get('role_assignments'))) - - # Assert that expected role assignments were returned by the API call - for assignment in expected_assignments: - self.assertRoleAssignmentInListResponse(response, assignment) - - # Delete created role assignment - self.assignment_api.delete_grant(**test_assignment) - - def _set_default_assignment_attributes(self, **attribs): - """Inserts default values for missing attributes of role assignment. - - If no actor, target or role are provided, they will default to values - from sample data. - - :param attribs: info from a role assignment entity. Valid attributes - are: role_id, domain_id, project_id, group_id, user_id - and inherited_to_projects. - - """ - if not any(target in attribs - for target in ('domain_id', 'projects_id')): - attribs['project_id'] = self.project_id - - if not any(actor in attribs for actor in ('user_id', 'group_id')): - attribs['user_id'] = self.default_user_id - - if 'role_id' not in attribs: - attribs['role_id'] = self.role_id - - return attribs - - def _list_expected_role_assignments(self, **filters): - """Given the filters, it returns expected direct role assignments. - - :param filters: filters that will be considered when listing role - assignments. Valid filters are: role_id, domain_id, - project_id, group_id, user_id and - inherited_to_projects. - - :returns: the list of the expected role assignments. - - """ - return [self.build_role_assignment_entity(**filters)] - - # Test cases below call the generic test method, providing different filter - # combinations. Filters are provided as specified in the method name, after - # 'by'. For example, test_get_role_assignments_by_project_user_and_role - # calls the generic test method with project_id, user_id and role_id. - - def test_get_role_assignments_by_domain(self, **filters): - self._test_get_role_assignments(domain_id=self.domain_id, **filters) - - def test_get_role_assignments_by_project(self, **filters): - self._test_get_role_assignments(project_id=self.project_id, **filters) - - def test_get_role_assignments_by_user(self, **filters): - self._test_get_role_assignments(user_id=self.default_user_id, - **filters) - - def test_get_role_assignments_by_group(self, **filters): - self._test_get_role_assignments(group_id=self.default_group_id, - **filters) - - def test_get_role_assignments_by_role(self, **filters): - self._test_get_role_assignments(role_id=self.role_id, **filters) - - def test_get_role_assignments_by_domain_and_user(self, **filters): - self.test_get_role_assignments_by_domain(user_id=self.default_user_id, - **filters) - - def test_get_role_assignments_by_domain_and_group(self, **filters): - self.test_get_role_assignments_by_domain( - group_id=self.default_group_id, **filters) - - def test_get_role_assignments_by_project_and_user(self, **filters): - self.test_get_role_assignments_by_project(user_id=self.default_user_id, - **filters) - - def test_get_role_assignments_by_project_and_group(self, **filters): - self.test_get_role_assignments_by_project( - group_id=self.default_group_id, **filters) - - def test_get_role_assignments_by_domain_user_and_role(self, **filters): - self.test_get_role_assignments_by_domain_and_user(role_id=self.role_id, - **filters) - - def test_get_role_assignments_by_domain_group_and_role(self, **filters): - self.test_get_role_assignments_by_domain_and_group( - role_id=self.role_id, **filters) - - def test_get_role_assignments_by_project_user_and_role(self, **filters): - self.test_get_role_assignments_by_project_and_user( - role_id=self.role_id, **filters) - - def test_get_role_assignments_by_project_group_and_role(self, **filters): - self.test_get_role_assignments_by_project_and_group( - role_id=self.role_id, **filters) - - -class RoleAssignmentInheritedTestCase(RoleAssignmentDirectTestCase): - """Class for testing inherited assignments on /v3/role_assignments API. - - Inherited assignments on a domain or project have no effect on them - directly, but on the projects under them instead. - - Tests on this class do not make assertions on the effect of inherited - assignments, but in their representation and API filtering. - - """ - - def config_overrides(self): - super(RoleAssignmentBaseTestCase, self).config_overrides() - self.config_fixture.config(group='os_inherit', enabled=True) - - def _test_get_role_assignments(self, **filters): - """Adds inherited_to_project filter to expected entity in tests.""" - super(RoleAssignmentInheritedTestCase, - self)._test_get_role_assignments(inherited_to_projects=True, - **filters) - - -class RoleAssignmentEffectiveTestCase(RoleAssignmentInheritedTestCase): - """Class for testing inheritance effects on /v3/role_assignments API. - - Inherited assignments on a domain or project have no effect on them - directly, but on the projects under them instead. - - Tests on this class make assertions on the effect of inherited assignments - and API filtering. - - """ - - def _get_role_assignments_query_url(self, **filters): - """Returns effective role assignments query URL from given filters. - - For test methods in this class, effetive will always be true. As in - effective mode, inherited_to_projects, group_id, domain_id and - project_id will always be desconsidered from provided filters. - - :param filters: query parameters are created with the provided filters. - Valid filters are: role_id, domain_id, project_id, - group_id, user_id and inherited_to_projects. - - :returns: role assignments query URL. - - """ - query_filters = filters.copy() - query_filters.pop('inherited_to_projects') - - query_filters.pop('group_id', None) - query_filters.pop('domain_id', None) - query_filters.pop('project_id', None) - - return self.build_role_assignment_query_url(effective=True, - **query_filters) - - def _list_expected_role_assignments(self, **filters): - """Given the filters, it returns expected direct role assignments. - - :param filters: filters that will be considered when listing role - assignments. Valid filters are: role_id, domain_id, - project_id, group_id, user_id and - inherited_to_projects. - - :returns: the list of the expected role assignments. - - """ - # Get assignment link, to be put on 'links': {'assignment': link} - assignment_link = self.build_role_assignment_link(**filters) - - # Expand group membership - user_ids = [None] - if filters.get('group_id'): - user_ids = [user['id'] for user in - self.identity_api.list_users_in_group( - filters['group_id'])] - else: - user_ids = [self.default_user_id] - - # Expand role inheritance - project_ids = [None] - if filters.get('domain_id'): - project_ids = [project['id'] for project in - self.resource_api.list_projects_in_domain( - filters.pop('domain_id'))] - else: - project_ids = [project['id'] for project in - self.resource_api.list_projects_in_subtree( - self.project_id)] - - # Compute expected role assignments - assignments = [] - for project_id in project_ids: - filters['project_id'] = project_id - for user_id in user_ids: - filters['user_id'] = user_id - assignments.append(self.build_role_assignment_entity( - link=assignment_link, **filters)) - - return assignments - - -class AssignmentInheritanceTestCase(test_v3.RestfulTestCase, - test_v3.AssignmentTestMixin): - """Test inheritance crud and its effects.""" - - def config_overrides(self): - super(AssignmentInheritanceTestCase, self).config_overrides() - self.config_fixture.config(group='os_inherit', enabled=True) - - def test_get_token_from_inherited_user_domain_role_grants(self): - # Create a new user to ensure that no grant is loaded from sample data - user = unit.create_user(self.identity_api, domain_id=self.domain_id) - - # Define domain and project authentication data - domain_auth_data = self.build_authentication_request( - user_id=user['id'], - password=user['password'], - domain_id=self.domain_id) - project_auth_data = self.build_authentication_request( - user_id=user['id'], - password=user['password'], - project_id=self.project_id) - - # Check the user cannot get a domain nor a project token - self.v3_create_token(domain_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - # Grant non-inherited role for user on domain - non_inher_ud_link = self.build_role_assignment_link( - domain_id=self.domain_id, user_id=user['id'], role_id=self.role_id) - self.put(non_inher_ud_link) - - # Check the user can get only a domain token - self.v3_create_token(domain_auth_data) - self.v3_create_token(project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - # Create inherited role - inherited_role = unit.new_role_ref(name='inherited') - self.role_api.create_role(inherited_role['id'], inherited_role) - - # Grant inherited role for user on domain - inher_ud_link = self.build_role_assignment_link( - domain_id=self.domain_id, user_id=user['id'], - role_id=inherited_role['id'], inherited_to_projects=True) - self.put(inher_ud_link) - - # Check the user can get both a domain and a project token - self.v3_create_token(domain_auth_data) - self.v3_create_token(project_auth_data) - - # Delete inherited grant - self.delete(inher_ud_link) - - # Check the user can only get a domain token - self.v3_create_token(domain_auth_data) - self.v3_create_token(project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - # Delete non-inherited grant - self.delete(non_inher_ud_link) - - # Check the user cannot get a domain token anymore - self.v3_create_token(domain_auth_data, - expected_status=http_client.UNAUTHORIZED) - - def test_get_token_from_inherited_group_domain_role_grants(self): - # Create a new group and put a new user in it to - # ensure that no grant is loaded from sample data - user = unit.create_user(self.identity_api, domain_id=self.domain_id) - - group = unit.new_group_ref(domain_id=self.domain['id']) - group = self.identity_api.create_group(group) - self.identity_api.add_user_to_group(user['id'], group['id']) - - # Define domain and project authentication data - domain_auth_data = self.build_authentication_request( - user_id=user['id'], - password=user['password'], - domain_id=self.domain_id) - project_auth_data = self.build_authentication_request( - user_id=user['id'], - password=user['password'], - project_id=self.project_id) - - # Check the user cannot get a domain nor a project token - self.v3_create_token(domain_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - # Grant non-inherited role for user on domain - non_inher_gd_link = self.build_role_assignment_link( - domain_id=self.domain_id, user_id=user['id'], role_id=self.role_id) - self.put(non_inher_gd_link) - - # Check the user can get only a domain token - self.v3_create_token(domain_auth_data) - self.v3_create_token(project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - # Create inherited role - inherited_role = unit.new_role_ref(name='inherited') - self.role_api.create_role(inherited_role['id'], inherited_role) - - # Grant inherited role for user on domain - inher_gd_link = self.build_role_assignment_link( - domain_id=self.domain_id, user_id=user['id'], - role_id=inherited_role['id'], inherited_to_projects=True) - self.put(inher_gd_link) - - # Check the user can get both a domain and a project token - self.v3_create_token(domain_auth_data) - self.v3_create_token(project_auth_data) - - # Delete inherited grant - self.delete(inher_gd_link) - - # Check the user can only get a domain token - self.v3_create_token(domain_auth_data) - self.v3_create_token(project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - # Delete non-inherited grant - self.delete(non_inher_gd_link) - - # Check the user cannot get a domain token anymore - self.v3_create_token(domain_auth_data, - expected_status=http_client.UNAUTHORIZED) - - def _test_crud_inherited_and_direct_assignment_on_target(self, target_url): - # Create a new role to avoid assignments loaded from sample data - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - - # Define URLs - direct_url = '%s/users/%s/roles/%s' % ( - target_url, self.user_id, role['id']) - inherited_url = '/OS-INHERIT/%s/inherited_to_projects' % direct_url - - # Create the direct assignment - self.put(direct_url) - # Check the direct assignment exists, but the inherited one does not - self.head(direct_url) - self.head(inherited_url, expected_status=http_client.NOT_FOUND) - - # Now add the inherited assignment - self.put(inherited_url) - # Check both the direct and inherited assignment exist - self.head(direct_url) - self.head(inherited_url) - - # Delete indirect assignment - self.delete(inherited_url) - # Check the direct assignment exists, but the inherited one does not - self.head(direct_url) - self.head(inherited_url, expected_status=http_client.NOT_FOUND) - - # Now delete the inherited assignment - self.delete(direct_url) - # Check that none of them exist - self.head(direct_url, expected_status=http_client.NOT_FOUND) - self.head(inherited_url, expected_status=http_client.NOT_FOUND) - - def test_crud_inherited_and_direct_assignment_on_domains(self): - self._test_crud_inherited_and_direct_assignment_on_target( - '/domains/%s' % self.domain_id) - - def test_crud_inherited_and_direct_assignment_on_projects(self): - self._test_crud_inherited_and_direct_assignment_on_target( - '/projects/%s' % self.project_id) - - def test_crud_user_inherited_domain_role_grants(self): - role_list = [] - for _ in range(2): - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - role_list.append(role) - - # Create a non-inherited role as a spoiler - self.assignment_api.create_grant( - role_list[1]['id'], user_id=self.user['id'], - domain_id=self.domain_id) - - base_collection_url = ( - '/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % { - 'domain_id': self.domain_id, - 'user_id': self.user['id']}) - member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { - 'collection_url': base_collection_url, - 'role_id': role_list[0]['id']} - collection_url = base_collection_url + '/inherited_to_projects' - - self.put(member_url) - - # Check we can read it back - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=role_list[0], - resource_url=collection_url) - - # Now delete and check its gone - self.delete(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, expected_length=0, - resource_url=collection_url) - - def test_list_role_assignments_for_inherited_domain_grants(self): - """Call ``GET /role_assignments with inherited domain grants``. - - Test Plan: - - - Create 4 roles - - Create a domain with a user and two projects - - Assign two direct roles to project1 - - Assign a spoiler role to project2 - - Issue the URL to add inherited role to the domain - - Issue the URL to check it is indeed on the domain - - Issue the URL to check effective roles on project1 - this - should return 3 roles. - - """ - role_list = [] - for _ in range(4): - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - role_list.append(role) - - domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) - user1 = unit.create_user(self.identity_api, domain_id=domain['id']) - project1 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project1['id'], project1) - project2 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project2['id'], project2) - # Add some roles to the project - self.assignment_api.add_role_to_user_and_project( - user1['id'], project1['id'], role_list[0]['id']) - self.assignment_api.add_role_to_user_and_project( - user1['id'], project1['id'], role_list[1]['id']) - # ..and one on a different project as a spoiler - self.assignment_api.add_role_to_user_and_project( - user1['id'], project2['id'], role_list[2]['id']) - - # Now create our inherited role on the domain - base_collection_url = ( - '/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % { - 'domain_id': domain['id'], - 'user_id': user1['id']}) - member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { - 'collection_url': base_collection_url, - 'role_id': role_list[3]['id']} - collection_url = base_collection_url + '/inherited_to_projects' - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=role_list[3], - resource_url=collection_url) - - # Now use the list domain role assignments api to check if this - # is included - collection_url = ( - '/role_assignments?user.id=%(user_id)s' - '&scope.domain.id=%(domain_id)s' % { - 'user_id': user1['id'], - 'domain_id': domain['id']}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=1, - resource_url=collection_url) - ud_entity = self.build_role_assignment_entity( - domain_id=domain['id'], user_id=user1['id'], - role_id=role_list[3]['id'], inherited_to_projects=True) - self.assertRoleAssignmentInListResponse(r, ud_entity) - - # Now ask for effective list role assignments - the role should - # turn into a project role, along with the two direct roles that are - # on the project - collection_url = ( - '/role_assignments?effective&user.id=%(user_id)s' - '&scope.project.id=%(project_id)s' % { - 'user_id': user1['id'], - 'project_id': project1['id']}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=3, - resource_url=collection_url) - # An effective role for an inherited role will be a project - # entity, with a domain link to the inherited assignment - ud_url = self.build_role_assignment_link( - domain_id=domain['id'], user_id=user1['id'], - role_id=role_list[3]['id'], inherited_to_projects=True) - up_entity = self.build_role_assignment_entity( - link=ud_url, project_id=project1['id'], - user_id=user1['id'], role_id=role_list[3]['id'], - inherited_to_projects=True) - self.assertRoleAssignmentInListResponse(r, up_entity) - - def test_list_role_assignments_include_names(self): - """Call ``GET /role_assignments with include names``. - - Test Plan: - - - Create a domain with a group and a user - - Create a project with a group and a user - - """ - role1 = unit.new_role_ref() - self.role_api.create_role(role1['id'], role1) - user1 = unit.create_user(self.identity_api, domain_id=self.domain_id) - group = unit.new_group_ref(domain_id=self.domain_id) - group = self.identity_api.create_group(group) - project1 = unit.new_project_ref(domain_id=self.domain_id) - self.resource_api.create_project(project1['id'], project1) - - expected_entity1 = self.build_role_assignment_entity_include_names( - role_ref=role1, - project_ref=project1, - user_ref=user1) - self.put(expected_entity1['links']['assignment']) - expected_entity2 = self.build_role_assignment_entity_include_names( - role_ref=role1, - domain_ref=self.domain, - group_ref=group) - self.put(expected_entity2['links']['assignment']) - expected_entity3 = self.build_role_assignment_entity_include_names( - role_ref=role1, - domain_ref=self.domain, - user_ref=user1) - self.put(expected_entity3['links']['assignment']) - expected_entity4 = self.build_role_assignment_entity_include_names( - role_ref=role1, - project_ref=project1, - group_ref=group) - self.put(expected_entity4['links']['assignment']) - - collection_url_domain = ( - '/role_assignments?include_names&scope.domain.id=%(domain_id)s' % { - 'domain_id': self.domain_id}) - rs_domain = self.get(collection_url_domain) - collection_url_project = ( - '/role_assignments?include_names&' - 'scope.project.id=%(project_id)s' % { - 'project_id': project1['id']}) - rs_project = self.get(collection_url_project) - collection_url_group = ( - '/role_assignments?include_names&group.id=%(group_id)s' % { - 'group_id': group['id']}) - rs_group = self.get(collection_url_group) - collection_url_user = ( - '/role_assignments?include_names&user.id=%(user_id)s' % { - 'user_id': user1['id']}) - rs_user = self.get(collection_url_user) - collection_url_role = ( - '/role_assignments?include_names&role.id=%(role_id)s' % { - 'role_id': role1['id']}) - rs_role = self.get(collection_url_role) - # Make sure all entities were created successfully - self.assertEqual(rs_domain.status_int, http_client.OK) - self.assertEqual(rs_project.status_int, http_client.OK) - self.assertEqual(rs_group.status_int, http_client.OK) - self.assertEqual(rs_user.status_int, http_client.OK) - # Make sure we can get back the correct number of entities - self.assertValidRoleAssignmentListResponse( - rs_domain, - expected_length=2, - resource_url=collection_url_domain) - self.assertValidRoleAssignmentListResponse( - rs_project, - expected_length=2, - resource_url=collection_url_project) - self.assertValidRoleAssignmentListResponse( - rs_group, - expected_length=2, - resource_url=collection_url_group) - self.assertValidRoleAssignmentListResponse( - rs_user, - expected_length=2, - resource_url=collection_url_user) - self.assertValidRoleAssignmentListResponse( - rs_role, - expected_length=4, - resource_url=collection_url_role) - # Verify all types of entities have the correct format - self.assertRoleAssignmentInListResponse(rs_domain, expected_entity2) - self.assertRoleAssignmentInListResponse(rs_project, expected_entity1) - self.assertRoleAssignmentInListResponse(rs_group, expected_entity4) - self.assertRoleAssignmentInListResponse(rs_user, expected_entity3) - self.assertRoleAssignmentInListResponse(rs_role, expected_entity1) - - def test_list_role_assignments_for_disabled_inheritance_extension(self): - """Call ``GET /role_assignments with inherited domain grants``. - - Test Plan: - - - Issue the URL to add inherited role to the domain - - Issue the URL to check effective roles on project include the - inherited role - - Disable the extension - - Re-check the effective roles, proving the inherited role no longer - shows up. - - """ - role_list = [] - for _ in range(4): - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - role_list.append(role) - - domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) - user1 = unit.create_user(self.identity_api, domain_id=domain['id']) - project1 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project1['id'], project1) - project2 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project2['id'], project2) - # Add some roles to the project - self.assignment_api.add_role_to_user_and_project( - user1['id'], project1['id'], role_list[0]['id']) - self.assignment_api.add_role_to_user_and_project( - user1['id'], project1['id'], role_list[1]['id']) - # ..and one on a different project as a spoiler - self.assignment_api.add_role_to_user_and_project( - user1['id'], project2['id'], role_list[2]['id']) - - # Now create our inherited role on the domain - base_collection_url = ( - '/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % { - 'domain_id': domain['id'], - 'user_id': user1['id']}) - member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { - 'collection_url': base_collection_url, - 'role_id': role_list[3]['id']} - collection_url = base_collection_url + '/inherited_to_projects' - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=role_list[3], - resource_url=collection_url) - - # Get effective list role assignments - the role should - # turn into a project role, along with the two direct roles that are - # on the project - collection_url = ( - '/role_assignments?effective&user.id=%(user_id)s' - '&scope.project.id=%(project_id)s' % { - 'user_id': user1['id'], - 'project_id': project1['id']}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=3, - resource_url=collection_url) - - ud_url = self.build_role_assignment_link( - domain_id=domain['id'], user_id=user1['id'], - role_id=role_list[3]['id'], inherited_to_projects=True) - up_entity = self.build_role_assignment_entity( - link=ud_url, project_id=project1['id'], - user_id=user1['id'], role_id=role_list[3]['id'], - inherited_to_projects=True) - - self.assertRoleAssignmentInListResponse(r, up_entity) - - # Disable the extension and re-check the list, the role inherited - # from the project should no longer show up - self.config_fixture.config(group='os_inherit', enabled=False) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=2, - resource_url=collection_url) - - self.assertRoleAssignmentNotInListResponse(r, up_entity) - - def test_list_role_assignments_for_inherited_group_domain_grants(self): - """Call ``GET /role_assignments with inherited group domain grants``. - - Test Plan: - - - Create 4 roles - - Create a domain with a user and two projects - - Assign two direct roles to project1 - - Assign a spoiler role to project2 - - Issue the URL to add inherited role to the domain - - Issue the URL to check it is indeed on the domain - - Issue the URL to check effective roles on project1 - this - should return 3 roles. - - """ - role_list = [] - for _ in range(4): - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - role_list.append(role) - - domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) - user1 = unit.create_user(self.identity_api, domain_id=domain['id']) - user2 = unit.create_user(self.identity_api, domain_id=domain['id']) - group1 = unit.new_group_ref(domain_id=domain['id']) - group1 = self.identity_api.create_group(group1) - self.identity_api.add_user_to_group(user1['id'], - group1['id']) - self.identity_api.add_user_to_group(user2['id'], - group1['id']) - project1 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project1['id'], project1) - project2 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project2['id'], project2) - # Add some roles to the project - self.assignment_api.add_role_to_user_and_project( - user1['id'], project1['id'], role_list[0]['id']) - self.assignment_api.add_role_to_user_and_project( - user1['id'], project1['id'], role_list[1]['id']) - # ..and one on a different project as a spoiler - self.assignment_api.add_role_to_user_and_project( - user1['id'], project2['id'], role_list[2]['id']) - - # Now create our inherited role on the domain - base_collection_url = ( - '/OS-INHERIT/domains/%(domain_id)s/groups/%(group_id)s/roles' % { - 'domain_id': domain['id'], - 'group_id': group1['id']}) - member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { - 'collection_url': base_collection_url, - 'role_id': role_list[3]['id']} - collection_url = base_collection_url + '/inherited_to_projects' - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=role_list[3], - resource_url=collection_url) - - # Now use the list domain role assignments api to check if this - # is included - collection_url = ( - '/role_assignments?group.id=%(group_id)s' - '&scope.domain.id=%(domain_id)s' % { - 'group_id': group1['id'], - 'domain_id': domain['id']}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=1, - resource_url=collection_url) - gd_entity = self.build_role_assignment_entity( - domain_id=domain['id'], group_id=group1['id'], - role_id=role_list[3]['id'], inherited_to_projects=True) - self.assertRoleAssignmentInListResponse(r, gd_entity) - - # Now ask for effective list role assignments - the role should - # turn into a user project role, along with the two direct roles - # that are on the project - collection_url = ( - '/role_assignments?effective&user.id=%(user_id)s' - '&scope.project.id=%(project_id)s' % { - 'user_id': user1['id'], - 'project_id': project1['id']}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=3, - resource_url=collection_url) - # An effective role for an inherited role will be a project - # entity, with a domain link to the inherited assignment - up_entity = self.build_role_assignment_entity( - link=gd_entity['links']['assignment'], project_id=project1['id'], - user_id=user1['id'], role_id=role_list[3]['id'], - inherited_to_projects=True) - self.assertRoleAssignmentInListResponse(r, up_entity) - - def test_filtered_role_assignments_for_inherited_grants(self): - """Call ``GET /role_assignments?scope.OS-INHERIT:inherited_to``. - - Test Plan: - - - Create 5 roles - - Create a domain with a user, group and two projects - - Assign three direct spoiler roles to projects - - Issue the URL to add an inherited user role to the domain - - Issue the URL to add an inherited group role to the domain - - Issue the URL to filter by inherited roles - this should - return just the 2 inherited roles. - - """ - role_list = [] - for _ in range(5): - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - role_list.append(role) - - domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) - user1 = unit.create_user(self.identity_api, domain_id=domain['id']) - group1 = unit.new_group_ref(domain_id=domain['id']) - group1 = self.identity_api.create_group(group1) - project1 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project1['id'], project1) - project2 = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project2['id'], project2) - # Add some spoiler roles to the projects - self.assignment_api.add_role_to_user_and_project( - user1['id'], project1['id'], role_list[0]['id']) - self.assignment_api.add_role_to_user_and_project( - user1['id'], project2['id'], role_list[1]['id']) - # Create a non-inherited role as a spoiler - self.assignment_api.create_grant( - role_list[2]['id'], user_id=user1['id'], domain_id=domain['id']) - - # Now create two inherited roles on the domain, one for a user - # and one for a domain - base_collection_url = ( - '/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % { - 'domain_id': domain['id'], - 'user_id': user1['id']}) - member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { - 'collection_url': base_collection_url, - 'role_id': role_list[3]['id']} - collection_url = base_collection_url + '/inherited_to_projects' - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=role_list[3], - resource_url=collection_url) - - base_collection_url = ( - '/OS-INHERIT/domains/%(domain_id)s/groups/%(group_id)s/roles' % { - 'domain_id': domain['id'], - 'group_id': group1['id']}) - member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { - 'collection_url': base_collection_url, - 'role_id': role_list[4]['id']} - collection_url = base_collection_url + '/inherited_to_projects' - - self.put(member_url) - self.head(member_url) - r = self.get(collection_url) - self.assertValidRoleListResponse(r, ref=role_list[4], - resource_url=collection_url) - - # Now use the list role assignments api to get a list of inherited - # roles on the domain - should get back the two roles - collection_url = ( - '/role_assignments?scope.OS-INHERIT:inherited_to=projects') - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - expected_length=2, - resource_url=collection_url) - ud_entity = self.build_role_assignment_entity( - domain_id=domain['id'], user_id=user1['id'], - role_id=role_list[3]['id'], inherited_to_projects=True) - gd_entity = self.build_role_assignment_entity( - domain_id=domain['id'], group_id=group1['id'], - role_id=role_list[4]['id'], inherited_to_projects=True) - self.assertRoleAssignmentInListResponse(r, ud_entity) - self.assertRoleAssignmentInListResponse(r, gd_entity) - - def _setup_hierarchical_projects_scenario(self): - """Creates basic hierarchical projects scenario. - - This basic scenario contains a root with one leaf project and - two roles with the following names: non-inherited and inherited. - - """ - # Create project hierarchy - root = unit.new_project_ref(domain_id=self.domain['id']) - leaf = unit.new_project_ref(domain_id=self.domain['id'], - parent_id=root['id']) - - self.resource_api.create_project(root['id'], root) - self.resource_api.create_project(leaf['id'], leaf) - - # Create 'non-inherited' and 'inherited' roles - non_inherited_role = unit.new_role_ref(name='non-inherited') - self.role_api.create_role(non_inherited_role['id'], non_inherited_role) - inherited_role = unit.new_role_ref(name='inherited') - self.role_api.create_role(inherited_role['id'], inherited_role) - - return (root['id'], leaf['id'], - non_inherited_role['id'], inherited_role['id']) - - def test_get_token_from_inherited_user_project_role_grants(self): - # Create default scenario - root_id, leaf_id, non_inherited_role_id, inherited_role_id = ( - self._setup_hierarchical_projects_scenario()) - - # Define root and leaf projects authentication data - root_project_auth_data = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password'], - project_id=root_id) - leaf_project_auth_data = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password'], - project_id=leaf_id) - - # Check the user cannot get a token on root nor leaf project - self.v3_create_token(root_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(leaf_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - # Grant non-inherited role for user on leaf project - non_inher_up_link = self.build_role_assignment_link( - project_id=leaf_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.put(non_inher_up_link) - - # Check the user can only get a token on leaf project - self.v3_create_token(root_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(leaf_project_auth_data) - - # Grant inherited role for user on root project - inher_up_link = self.build_role_assignment_link( - project_id=root_id, user_id=self.user['id'], - role_id=inherited_role_id, inherited_to_projects=True) - self.put(inher_up_link) - - # Check the user still can get a token only on leaf project - self.v3_create_token(root_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(leaf_project_auth_data) - - # Delete non-inherited grant - self.delete(non_inher_up_link) - - # Check the inherited role still applies for leaf project - self.v3_create_token(root_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(leaf_project_auth_data) - - # Delete inherited grant - self.delete(inher_up_link) - - # Check the user cannot get a token on leaf project anymore - self.v3_create_token(leaf_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - def test_get_token_from_inherited_group_project_role_grants(self): - # Create default scenario - root_id, leaf_id, non_inherited_role_id, inherited_role_id = ( - self._setup_hierarchical_projects_scenario()) - - # Create group and add user to it - group = unit.new_group_ref(domain_id=self.domain['id']) - group = self.identity_api.create_group(group) - self.identity_api.add_user_to_group(self.user['id'], group['id']) - - # Define root and leaf projects authentication data - root_project_auth_data = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password'], - project_id=root_id) - leaf_project_auth_data = self.build_authentication_request( - user_id=self.user['id'], - password=self.user['password'], - project_id=leaf_id) - - # Check the user cannot get a token on root nor leaf project - self.v3_create_token(root_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(leaf_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - # Grant non-inherited role for group on leaf project - non_inher_gp_link = self.build_role_assignment_link( - project_id=leaf_id, group_id=group['id'], - role_id=non_inherited_role_id) - self.put(non_inher_gp_link) - - # Check the user can only get a token on leaf project - self.v3_create_token(root_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(leaf_project_auth_data) - - # Grant inherited role for group on root project - inher_gp_link = self.build_role_assignment_link( - project_id=root_id, group_id=group['id'], - role_id=inherited_role_id, inherited_to_projects=True) - self.put(inher_gp_link) - - # Check the user still can get a token only on leaf project - self.v3_create_token(root_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - self.v3_create_token(leaf_project_auth_data) - - # Delete no-inherited grant - self.delete(non_inher_gp_link) - - # Check the inherited role still applies for leaf project - self.v3_create_token(leaf_project_auth_data) - - # Delete inherited grant - self.delete(inher_gp_link) - - # Check the user cannot get a token on leaf project anymore - self.v3_create_token(leaf_project_auth_data, - expected_status=http_client.UNAUTHORIZED) - - def test_get_role_assignments_for_project_hierarchy(self): - """Call ``GET /role_assignments``. - - Test Plan: - - - Create 2 roles - - Create a hierarchy of projects with one root and one leaf project - - Issue the URL to add a non-inherited user role to the root project - - Issue the URL to add an inherited user role to the root project - - Issue the URL to get all role assignments - this should return just - 2 roles (non-inherited and inherited) in the root project. - - """ - # Create default scenario - root_id, leaf_id, non_inherited_role_id, inherited_role_id = ( - self._setup_hierarchical_projects_scenario()) - - # Grant non-inherited role - non_inher_up_entity = self.build_role_assignment_entity( - project_id=root_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.put(non_inher_up_entity['links']['assignment']) - - # Grant inherited role - inher_up_entity = self.build_role_assignment_entity( - project_id=root_id, user_id=self.user['id'], - role_id=inherited_role_id, inherited_to_projects=True) - self.put(inher_up_entity['links']['assignment']) - - # Get role assignments - collection_url = '/role_assignments' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - resource_url=collection_url) - - # Assert that the user has non-inherited role on root project - self.assertRoleAssignmentInListResponse(r, non_inher_up_entity) - - # Assert that the user has inherited role on root project - self.assertRoleAssignmentInListResponse(r, inher_up_entity) - - # Assert that the user does not have non-inherited role on leaf project - non_inher_up_entity = self.build_role_assignment_entity( - project_id=leaf_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.assertRoleAssignmentNotInListResponse(r, non_inher_up_entity) - - # Assert that the user does not have inherited role on leaf project - inher_up_entity['scope']['project']['id'] = leaf_id - self.assertRoleAssignmentNotInListResponse(r, inher_up_entity) - - def test_get_effective_role_assignments_for_project_hierarchy(self): - """Call ``GET /role_assignments?effective``. - - Test Plan: - - - Create 2 roles - - Create a hierarchy of projects with one root and one leaf project - - Issue the URL to add a non-inherited user role to the root project - - Issue the URL to add an inherited user role to the root project - - Issue the URL to get effective role assignments - this should return - 1 role (non-inherited) on the root project and 1 role (inherited) on - the leaf project. - - """ - # Create default scenario - root_id, leaf_id, non_inherited_role_id, inherited_role_id = ( - self._setup_hierarchical_projects_scenario()) - - # Grant non-inherited role - non_inher_up_entity = self.build_role_assignment_entity( - project_id=root_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.put(non_inher_up_entity['links']['assignment']) - - # Grant inherited role - inher_up_entity = self.build_role_assignment_entity( - project_id=root_id, user_id=self.user['id'], - role_id=inherited_role_id, inherited_to_projects=True) - self.put(inher_up_entity['links']['assignment']) - - # Get effective role assignments - collection_url = '/role_assignments?effective' - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - resource_url=collection_url) - - # Assert that the user has non-inherited role on root project - self.assertRoleAssignmentInListResponse(r, non_inher_up_entity) - - # Assert that the user does not have inherited role on root project - self.assertRoleAssignmentNotInListResponse(r, inher_up_entity) - - # Assert that the user does not have non-inherited role on leaf project - non_inher_up_entity = self.build_role_assignment_entity( - project_id=leaf_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.assertRoleAssignmentNotInListResponse(r, non_inher_up_entity) - - # Assert that the user has inherited role on leaf project - inher_up_entity['scope']['project']['id'] = leaf_id - self.assertRoleAssignmentInListResponse(r, inher_up_entity) - - def test_project_id_specified_if_include_subtree_specified(self): - """When using include_subtree, you must specify a project ID.""" - self.get('/role_assignments?include_subtree=True', - expected_status=http_client.BAD_REQUEST) - self.get('/role_assignments?scope.project.id&' - 'include_subtree=True', - expected_status=http_client.BAD_REQUEST) - - def test_get_role_assignments_for_project_tree(self): - """Get role_assignment?scope.project.id=X?include_subtree``. - - Test Plan: - - - Create 2 roles and a hierarchy of projects with one root and one leaf - - Issue the URL to add a non-inherited user role to the root project - and the leaf project - - Issue the URL to get role assignments for the root project but - not the subtree - this should return just the root assignment - - Issue the URL to get role assignments for the root project and - it's subtree - this should return both assignments - - Check that explicitly setting include_subtree to False is the - equivalent to not including it at all in the query. - - """ - # Create default scenario - root_id, leaf_id, non_inherited_role_id, unused_role_id = ( - self._setup_hierarchical_projects_scenario()) - - # Grant non-inherited role to root and leaf projects - non_inher_entity_root = self.build_role_assignment_entity( - project_id=root_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.put(non_inher_entity_root['links']['assignment']) - non_inher_entity_leaf = self.build_role_assignment_entity( - project_id=leaf_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.put(non_inher_entity_leaf['links']['assignment']) - - # Without the subtree, we should get the one assignment on the - # root project - collection_url = ( - '/role_assignments?scope.project.id=%(project)s' % { - 'project': root_id}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, resource_url=collection_url) - - self.assertThat(r.result['role_assignments'], matchers.HasLength(1)) - self.assertRoleAssignmentInListResponse(r, non_inher_entity_root) - - # With the subtree, we should get both assignments - collection_url = ( - '/role_assignments?scope.project.id=%(project)s' - '&include_subtree=True' % { - 'project': root_id}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, resource_url=collection_url) - - self.assertThat(r.result['role_assignments'], matchers.HasLength(2)) - self.assertRoleAssignmentInListResponse(r, non_inher_entity_root) - self.assertRoleAssignmentInListResponse(r, non_inher_entity_leaf) - - # With subtree=0, we should also only get the one assignment on the - # root project - collection_url = ( - '/role_assignments?scope.project.id=%(project)s' - '&include_subtree=0' % { - 'project': root_id}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, resource_url=collection_url) - - self.assertThat(r.result['role_assignments'], matchers.HasLength(1)) - self.assertRoleAssignmentInListResponse(r, non_inher_entity_root) - - def test_get_effective_role_assignments_for_project_tree(self): - """Get role_assignment ?project_id=X?include_subtree=True?effective``. - - Test Plan: - - - Create 2 roles and a hierarchy of projects with one root and 4 levels - of child project - - Issue the URL to add a non-inherited user role to the root project - and a level 1 project - - Issue the URL to add an inherited user role on the level 2 project - - Issue the URL to get effective role assignments for the level 1 - project and it's subtree - this should return a role (non-inherited) - on the level 1 project and roles (inherited) on each of the level - 2, 3 and 4 projects - - """ - # Create default scenario - root_id, leaf_id, non_inherited_role_id, inherited_role_id = ( - self._setup_hierarchical_projects_scenario()) - - # Add some extra projects to the project hierarchy - level2 = unit.new_project_ref(domain_id=self.domain['id'], - parent_id=leaf_id) - level3 = unit.new_project_ref(domain_id=self.domain['id'], - parent_id=level2['id']) - level4 = unit.new_project_ref(domain_id=self.domain['id'], - parent_id=level3['id']) - self.resource_api.create_project(level2['id'], level2) - self.resource_api.create_project(level3['id'], level3) - self.resource_api.create_project(level4['id'], level4) - - # Grant non-inherited role to root (as a spoiler) and to - # the level 1 (leaf) project - non_inher_entity_root = self.build_role_assignment_entity( - project_id=root_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.put(non_inher_entity_root['links']['assignment']) - non_inher_entity_leaf = self.build_role_assignment_entity( - project_id=leaf_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.put(non_inher_entity_leaf['links']['assignment']) - - # Grant inherited role to level 2 - inher_entity = self.build_role_assignment_entity( - project_id=level2['id'], user_id=self.user['id'], - role_id=inherited_role_id, inherited_to_projects=True) - self.put(inher_entity['links']['assignment']) - - # Get effective role assignments - collection_url = ( - '/role_assignments?scope.project.id=%(project)s' - '&include_subtree=True&effective' % { - 'project': leaf_id}) - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse( - r, resource_url=collection_url) - - # There should be three assignments returned in total - self.assertThat(r.result['role_assignments'], matchers.HasLength(3)) - - # Assert that the user does not non-inherited role on root project - self.assertRoleAssignmentNotInListResponse(r, non_inher_entity_root) - - # Assert that the user does have non-inherited role on leaf project - self.assertRoleAssignmentInListResponse(r, non_inher_entity_leaf) - - # Assert that the user has inherited role on levels 3 and 4 - inher_entity['scope']['project']['id'] = level3['id'] - self.assertRoleAssignmentInListResponse(r, inher_entity) - inher_entity['scope']['project']['id'] = level4['id'] - self.assertRoleAssignmentInListResponse(r, inher_entity) - - def test_get_inherited_role_assignments_for_project_hierarchy(self): - """Call ``GET /role_assignments?scope.OS-INHERIT:inherited_to``. - - Test Plan: - - - Create 2 roles - - Create a hierarchy of projects with one root and one leaf project - - Issue the URL to add a non-inherited user role to the root project - - Issue the URL to add an inherited user role to the root project - - Issue the URL to filter inherited to projects role assignments - this - should return 1 role (inherited) on the root project. - - """ - # Create default scenario - root_id, leaf_id, non_inherited_role_id, inherited_role_id = ( - self._setup_hierarchical_projects_scenario()) - - # Grant non-inherited role - non_inher_up_entity = self.build_role_assignment_entity( - project_id=root_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.put(non_inher_up_entity['links']['assignment']) - - # Grant inherited role - inher_up_entity = self.build_role_assignment_entity( - project_id=root_id, user_id=self.user['id'], - role_id=inherited_role_id, inherited_to_projects=True) - self.put(inher_up_entity['links']['assignment']) - - # Get inherited role assignments - collection_url = ('/role_assignments' - '?scope.OS-INHERIT:inherited_to=projects') - r = self.get(collection_url) - self.assertValidRoleAssignmentListResponse(r, - resource_url=collection_url) - - # Assert that the user does not have non-inherited role on root project - self.assertRoleAssignmentNotInListResponse(r, non_inher_up_entity) - - # Assert that the user has inherited role on root project - self.assertRoleAssignmentInListResponse(r, inher_up_entity) - - # Assert that the user does not have non-inherited role on leaf project - non_inher_up_entity = self.build_role_assignment_entity( - project_id=leaf_id, user_id=self.user['id'], - role_id=non_inherited_role_id) - self.assertRoleAssignmentNotInListResponse(r, non_inher_up_entity) - - # Assert that the user does not have inherited role on leaf project - inher_up_entity['scope']['project']['id'] = leaf_id - self.assertRoleAssignmentNotInListResponse(r, inher_up_entity) - - -class AssignmentInheritanceDisabledTestCase(test_v3.RestfulTestCase): - """Test inheritance crud and its effects.""" - - def config_overrides(self): - super(AssignmentInheritanceDisabledTestCase, self).config_overrides() - self.config_fixture.config(group='os_inherit', enabled=False) - - def test_crud_inherited_role_grants_failed_if_disabled(self): - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - - base_collection_url = ( - '/OS-INHERIT/domains/%(domain_id)s/users/%(user_id)s/roles' % { - 'domain_id': self.domain_id, - 'user_id': self.user['id']}) - member_url = '%(collection_url)s/%(role_id)s/inherited_to_projects' % { - 'collection_url': base_collection_url, - 'role_id': role['id']} - collection_url = base_collection_url + '/inherited_to_projects' - - self.put(member_url, expected_status=http_client.NOT_FOUND) - self.head(member_url, expected_status=http_client.NOT_FOUND) - self.get(collection_url, expected_status=http_client.NOT_FOUND) - self.delete(member_url, expected_status=http_client.NOT_FOUND) - - -class ImpliedRolesTests(test_v3.RestfulTestCase, test_v3.AssignmentTestMixin, - unit.TestCase): - def _create_role(self): - """Call ``POST /roles``.""" - ref = unit.new_role_ref() - r = self.post('/roles', body={'role': ref}) - return self.assertValidRoleResponse(r, ref) - - def test_list_implied_roles_none(self): - self.prior = self._create_role() - url = '/roles/%s/implies' % (self.prior['id']) - response = self.get(url).json["role_inference"] - self.assertEqual(self.prior['id'], response['prior_role']['id']) - self.assertEqual(0, len(response['implies'])) - - def _create_implied_role(self, prior, implied): - self.put('/roles/%s/implies/%s' % (prior['id'], implied['id']), - expected_status=http_client.CREATED) - - def _delete_implied_role(self, prior, implied): - self.delete('/roles/%s/implies/%s' % (prior['id'], implied['id'])) - - def _setup_prior_two_implied(self): - self.prior = self._create_role() - self.implied1 = self._create_role() - self._create_implied_role(self.prior, self.implied1) - self.implied2 = self._create_role() - self._create_implied_role(self.prior, self.implied2) - - def _assert_expected_implied_role_response( - self, expected_prior_id, expected_implied_ids): - r = self.get('/roles/%s/implies' % expected_prior_id) - response = r.json["role_inference"] - self.assertEqual(expected_prior_id, response['prior_role']['id']) - - actual_implied_ids = [implied['id'] for implied in response['implies']] - - for expected_id in expected_implied_ids: - self.assertIn(expected_id, actual_implied_ids) - self.assertEqual(len(expected_implied_ids), len(response['implies'])) - - self.assertIsNotNone(response['prior_role']['links']['self']) - for implied in response['implies']: - self.assertIsNotNone(implied['links']['self']) - - def _assert_two_roles_implied(self): - self._assert_expected_implied_role_response( - self.prior['id'], [self.implied1['id'], self.implied2['id']]) - - def _assert_one_role_implied(self): - self._assert_expected_implied_role_response( - self.prior['id'], [self.implied1['id']]) - - self.get('/roles/%s/implies/%s' % - (self.prior['id'], self.implied2['id']), - expected_status=http_client.NOT_FOUND) - - def _assert_two_rules_defined(self): - r = self.get('/role_inferences/') - - rules = r.result['role_inferences'] - - self.assertEqual(self.prior['id'], rules[0]['prior_role']['id']) - self.assertEqual(2, len(rules[0]['implies'])) - implied_ids = [implied['id'] for implied in rules[0]['implies']] - implied_names = [implied['name'] for implied in rules[0]['implies']] - - self.assertIn(self.implied1['id'], implied_ids) - self.assertIn(self.implied2['id'], implied_ids) - self.assertIn(self.implied1['name'], implied_names) - self.assertIn(self.implied2['name'], implied_names) - - def _assert_one_rule_defined(self): - r = self.get('/role_inferences/') - rules = r.result['role_inferences'] - self.assertEqual(self.prior['id'], rules[0]['prior_role']['id']) - self.assertEqual(self.implied1['id'], rules[0]['implies'][0]['id']) - self.assertEqual(self.implied1['name'], rules[0]['implies'][0]['name']) - self.assertEqual(1, len(rules[0]['implies'])) - - def test_list_all_rules(self): - self._setup_prior_two_implied() - self._assert_two_rules_defined() - - self._delete_implied_role(self.prior, self.implied2) - self._assert_one_rule_defined() - - def test_CRD_implied_roles(self): - - self._setup_prior_two_implied() - self._assert_two_roles_implied() - - self._delete_implied_role(self.prior, self.implied2) - self._assert_one_role_implied() - - def _create_three_roles(self): - self.role_list = [] - for _ in range(3): - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - self.role_list.append(role) - - def _create_test_domain_user_project(self): - domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) - user = unit.create_user(self.identity_api, domain_id=domain['id']) - project = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project['id'], project) - return domain, user, project - - def _assign_top_role_to_user_on_project(self, user, project): - self.assignment_api.add_role_to_user_and_project( - user['id'], project['id'], self.role_list[0]['id']) - - def _build_effective_role_assignments_url(self, user): - return '/role_assignments?effective&user.id=%(user_id)s' % { - 'user_id': user['id']} - - def _assert_all_roles_in_assignment(self, response, user): - # Now use the list role assignments api to check that all three roles - # appear in the collection - self.assertValidRoleAssignmentListResponse( - response, - expected_length=len(self.role_list), - resource_url=self._build_effective_role_assignments_url(user)) - - def _assert_initial_assignment_in_effective(self, response, user, project): - # The initial assignment should be there (the link url will be - # generated and checked automatically since it matches the assignment) - entity = self.build_role_assignment_entity( - project_id=project['id'], - user_id=user['id'], role_id=self.role_list[0]['id']) - self.assertRoleAssignmentInListResponse(response, entity) - - def _assert_effective_role_for_implied_has_prior_in_links( - self, response, user, project, prior_index, implied_index): - # An effective role for an implied role will have the prior role - # assignment in the links - prior_link = '/prior_roles/%(prior)s/implies/%(implied)s' % { - 'prior': self.role_list[prior_index]['id'], - 'implied': self.role_list[implied_index]['id']} - link = self.build_role_assignment_link( - project_id=project['id'], user_id=user['id'], - role_id=self.role_list[prior_index]['id']) - entity = self.build_role_assignment_entity( - link=link, project_id=project['id'], - user_id=user['id'], role_id=self.role_list[implied_index]['id'], - prior_link=prior_link) - self.assertRoleAssignmentInListResponse(response, entity) - - def test_list_role_assignments_with_implied_roles(self): - """Call ``GET /role_assignments`` with implied role grant. - - Test Plan: - - - Create a domain with a user and a project - - Create 3 roles - - Role 0 implies role 1 and role 1 implies role 2 - - Assign the top role to the project - - Issue the URL to check effective roles on project - this - should return all 3 roles. - - Check the links of the 3 roles indicate the prior role where - appropriate - - """ - (domain, user, project) = self._create_test_domain_user_project() - self._create_three_roles() - self._create_implied_role(self.role_list[0], self.role_list[1]) - self._create_implied_role(self.role_list[1], self.role_list[2]) - self._assign_top_role_to_user_on_project(user, project) - - response = self.get(self._build_effective_role_assignments_url(user)) - r = response - - self._assert_all_roles_in_assignment(r, user) - self._assert_initial_assignment_in_effective(response, user, project) - self._assert_effective_role_for_implied_has_prior_in_links( - response, user, project, 0, 1) - self._assert_effective_role_for_implied_has_prior_in_links( - response, user, project, 1, 2) - - def _create_named_role(self, name): - role = unit.new_role_ref() - role['name'] = name - self.role_api.create_role(role['id'], role) - return role - - def test_root_role_as_implied_role_forbidden(self): - """Test root role is forbidden to be set as an implied role. - - Create 2 roles that are prohibited from being an implied role. - Create 1 additional role which should be accepted as an implied - role. Assure the prohibited role names cannot be set as an implied - role. Assure the accepted role name which is not a member of the - prohibited implied role list can be successfully set an implied - role. - """ - prohibited_name1 = 'root1' - prohibited_name2 = 'root2' - accepted_name1 = 'implied1' - - prohibited_names = [prohibited_name1, prohibited_name2] - self.config_fixture.config(group='assignment', - prohibited_implied_role=prohibited_names) - - prior_role = self._create_role() - - prohibited_role1 = self._create_named_role(prohibited_name1) - url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format( - prior_role_id=prior_role['id'], - implied_role_id=prohibited_role1['id']) - self.put(url, expected_status=http_client.FORBIDDEN) - - prohibited_role2 = self._create_named_role(prohibited_name2) - url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format( - prior_role_id=prior_role['id'], - implied_role_id=prohibited_role2['id']) - self.put(url, expected_status=http_client.FORBIDDEN) - - accepted_role1 = self._create_named_role(accepted_name1) - url = '/roles/{prior_role_id}/implies/{implied_role_id}'.format( - prior_role_id=prior_role['id'], - implied_role_id=accepted_role1['id']) - self.put(url, expected_status=http_client.CREATED) - - def test_trusts_from_implied_role(self): - self._create_three_roles() - self._create_implied_role(self.role_list[0], self.role_list[1]) - self._create_implied_role(self.role_list[1], self.role_list[2]) - self._assign_top_role_to_user_on_project(self.user, self.project) - - # Create a trustee and assign the prior role to her - trustee = unit.create_user(self.identity_api, domain_id=self.domain_id) - ref = unit.new_trust_ref( - trustor_user_id=self.user['id'], - trustee_user_id=trustee['id'], - project_id=self.project['id'], - role_ids=[self.role_list[0]['id']]) - r = self.post('/OS-TRUST/trusts', body={'trust': ref}) - trust = r.result['trust'] - - # Only the role that was specified is in the trust, NOT implied roles - self.assertEqual(self.role_list[0]['id'], trust['roles'][0]['id']) - self.assertThat(trust['roles'], matchers.HasLength(1)) - - # Authenticate as the trustee - auth_data = self.build_authentication_request( - user_id=trustee['id'], - password=trustee['password'], - trust_id=trust['id']) - r = self.v3_create_token(auth_data) - token = r.result['token'] - self.assertThat(token['roles'], - matchers.HasLength(len(self.role_list))) - for role in token['roles']: - self.assertIn(role, self.role_list) - for role in self.role_list: - self.assertIn(role, token['roles']) - - def test_trusts_from_domain_specific_implied_role(self): - self._create_three_roles() - # Overwrite the first role with a domain specific role - role = unit.new_role_ref(domain_id=self.domain_id) - self.role_list[0] = self.role_api.create_role(role['id'], role) - self._create_implied_role(self.role_list[0], self.role_list[1]) - self._create_implied_role(self.role_list[1], self.role_list[2]) - self._assign_top_role_to_user_on_project(self.user, self.project) - - # Create a trustee and assign the prior role to her - trustee = unit.create_user(self.identity_api, domain_id=self.domain_id) - ref = unit.new_trust_ref( - trustor_user_id=self.user['id'], - trustee_user_id=trustee['id'], - project_id=self.project['id'], - role_ids=[self.role_list[0]['id']]) - r = self.post('/OS-TRUST/trusts', body={'trust': ref}) - trust = r.result['trust'] - - # Only the role that was specified is in the trust, NOT implied roles - self.assertEqual(self.role_list[0]['id'], trust['roles'][0]['id']) - self.assertThat(trust['roles'], matchers.HasLength(1)) - - # Authenticate as the trustee - auth_data = self.build_authentication_request( - user_id=trustee['id'], - password=trustee['password'], - trust_id=trust['id']) - r = self.v3_create_token(auth_data) - token = r.result['token'] - - # The token should have the roles implies by the domain specific role, - # but not the domain specific role itself. - self.assertThat(token['roles'], - matchers.HasLength(len(self.role_list) - 1)) - for role in token['roles']: - self.assertIn(role, self.role_list) - for role in [self.role_list[1], self.role_list[2]]: - self.assertIn(role, token['roles']) - self.assertNotIn(self.role_list[0], token['roles']) - - -class DomainSpecificRoleTests(test_v3.RestfulTestCase, unit.TestCase): - def setUp(self): - def create_role(domain_id=None): - """Call ``POST /roles``.""" - ref = unit.new_role_ref(domain_id=domain_id) - r = self.post( - '/roles', - body={'role': ref}) - return self.assertValidRoleResponse(r, ref) - - super(DomainSpecificRoleTests, self).setUp() - self.domainA = unit.new_domain_ref() - self.resource_api.create_domain(self.domainA['id'], self.domainA) - self.domainB = unit.new_domain_ref() - self.resource_api.create_domain(self.domainB['id'], self.domainB) - - self.global_role1 = create_role() - self.global_role2 = create_role() - # Since there maybe other global roles already created, let's count - # them, so we can ensure we can check subsequent list responses - # are correct - r = self.get('/roles') - self.existing_global_roles = len(r.result['roles']) - - # And now create some domain specific roles - self.domainA_role1 = create_role(domain_id=self.domainA['id']) - self.domainA_role2 = create_role(domain_id=self.domainA['id']) - self.domainB_role = create_role(domain_id=self.domainB['id']) - - def test_get_and_list_domain_specific_roles(self): - # Check we can get a domain specific role - r = self.get('/roles/%s' % self.domainA_role1['id']) - self.assertValidRoleResponse(r, self.domainA_role1) - - # If we list without specifying a domain, we should only get global - # roles back. - r = self.get('/roles') - self.assertValidRoleListResponse( - r, expected_length=self.existing_global_roles) - self.assertRoleInListResponse(r, self.global_role1) - self.assertRoleInListResponse(r, self.global_role2) - self.assertRoleNotInListResponse(r, self.domainA_role1) - self.assertRoleNotInListResponse(r, self.domainA_role2) - self.assertRoleNotInListResponse(r, self.domainB_role) - - # Now list those in domainA, making sure that's all we get back - r = self.get('/roles?domain_id=%s' % self.domainA['id']) - self.assertValidRoleListResponse(r, expected_length=2) - self.assertRoleInListResponse(r, self.domainA_role1) - self.assertRoleInListResponse(r, self.domainA_role2) - - def test_update_domain_specific_roles(self): - self.domainA_role1['name'] = uuid.uuid4().hex - self.patch('/roles/%(role_id)s' % { - 'role_id': self.domainA_role1['id']}, - body={'role': self.domainA_role1}) - r = self.get('/roles/%s' % self.domainA_role1['id']) - self.assertValidRoleResponse(r, self.domainA_role1) - - def test_delete_domain_specific_roles(self): - # Check delete only removes that one domain role - self.delete('/roles/%(role_id)s' % { - 'role_id': self.domainA_role1['id']}) - - self.get('/roles/%s' % self.domainA_role1['id'], - expected_status=http_client.NOT_FOUND) - # Now re-list those in domainA, making sure there's only one left - r = self.get('/roles?domain_id=%s' % self.domainA['id']) - self.assertValidRoleListResponse(r, expected_length=1) - self.assertRoleInListResponse(r, self.domainA_role2) - - -class ListUserProjectsTestCase(test_v3.RestfulTestCase): - """Tests for /users/<user>/projects""" - - def load_sample_data(self): - # do not load base class's data, keep it focused on the tests - - self.auths = [] - self.domains = [] - self.projects = [] - self.roles = [] - self.users = [] - - # Create 3 sets of domain, roles, projects, and users to demonstrate - # the right user's data is loaded and only projects they can access - # are returned. - - for _ in range(3): - domain = unit.new_domain_ref() - self.resource_api.create_domain(domain['id'], domain) - - user = unit.create_user(self.identity_api, domain_id=domain['id']) - - role = unit.new_role_ref() - self.role_api.create_role(role['id'], role) - - self.assignment_api.create_grant(role['id'], - user_id=user['id'], - domain_id=domain['id']) - - project = unit.new_project_ref(domain_id=domain['id']) - self.resource_api.create_project(project['id'], project) - - self.assignment_api.create_grant(role['id'], - user_id=user['id'], - project_id=project['id']) - - auth = self.build_authentication_request( - user_id=user['id'], - password=user['password'], - domain_id=domain['id']) - - self.auths.append(auth) - self.domains.append(domain) - self.projects.append(project) - self.roles.append(role) - self.users.append(user) - - def test_list_all(self): - for i in range(len(self.users)): - user = self.users[i] - auth = self.auths[i] - - url = '/users/%s/projects' % user['id'] - result = self.get(url, auth=auth) - projects_result = result.json['projects'] - self.assertEqual(1, len(projects_result)) - self.assertEqual(self.projects[i]['id'], projects_result[0]['id']) - - def test_list_enabled(self): - for i in range(len(self.users)): - user = self.users[i] - auth = self.auths[i] - - # There are no disabled projects - url = '/users/%s/projects?enabled=True' % user['id'] - result = self.get(url, auth=auth) - projects_result = result.json['projects'] - self.assertEqual(1, len(projects_result)) - self.assertEqual(self.projects[i]['id'], projects_result[0]['id']) - - def test_list_disabled(self): - for i in range(len(self.users)): - user = self.users[i] - auth = self.auths[i] - project = self.projects[i] - - # There are no disabled projects - url = '/users/%s/projects?enabled=False' % user['id'] - result = self.get(url, auth=auth) - self.assertEqual(0, len(result.json['projects'])) - - # disable this one and check again - project['enabled'] = False - self.resource_api.update_project(project['id'], project) - result = self.get(url, auth=auth) - projects_result = result.json['projects'] - self.assertEqual(1, len(projects_result)) - self.assertEqual(self.projects[i]['id'], projects_result[0]['id']) - - def test_list_by_domain_id(self): - for i in range(len(self.users)): - user = self.users[i] - domain = self.domains[i] - auth = self.auths[i] - - # Try looking for projects with a non-existent domain_id - url = '/users/%s/projects?domain_id=%s' % (user['id'], - uuid.uuid4().hex) - result = self.get(url, auth=auth) - self.assertEqual(0, len(result.json['projects'])) - - # Now try a valid one - url = '/users/%s/projects?domain_id=%s' % (user['id'], - domain['id']) - result = self.get(url, auth=auth) - projects_result = result.json['projects'] - self.assertEqual(1, len(projects_result)) - self.assertEqual(self.projects[i]['id'], projects_result[0]['id']) |