From 51f7872f4902093cb0f0d445737c5892dd784191 Mon Sep 17 00:00:00 2001 From: asteroide Date: Fri, 31 Jul 2015 16:49:31 +0200 Subject: Play unit tests and modify code accordingly. (some tests are still not OK). Change-Id: I021081710411be12ffbbb0a3c8192626dbf9f8ce --- .../keystone/tests/moon/backends/__init__.py | 1 + .../tests/moon/backends/test_sql_backend.py | 43 + keystone-moon/keystone/tests/moon/unit/__init__.py | 81 + .../moon/unit/test_unit_core_configuration.py | 56 +- .../unit/test_unit_core_intra_extension_admin.py | 3984 ++++++++------------ .../unit/test_unit_core_intra_extension_authz.py | 2749 ++++++++++---- .../keystone/tests/moon/unit/test_unit_core_log.py | 11 +- .../tests/moon/unit/test_unit_core_tenant.py | 72 +- 8 files changed, 3874 insertions(+), 3123 deletions(-) create mode 100644 keystone-moon/keystone/tests/moon/backends/__init__.py create mode 100644 keystone-moon/keystone/tests/moon/backends/test_sql_backend.py (limited to 'keystone-moon/keystone/tests') diff --git a/keystone-moon/keystone/tests/moon/backends/__init__.py b/keystone-moon/keystone/tests/moon/backends/__init__.py new file mode 100644 index 00000000..5b02576c --- /dev/null +++ b/keystone-moon/keystone/tests/moon/backends/__init__.py @@ -0,0 +1 @@ +__author__ = 'vdsq3226' diff --git a/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py b/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py new file mode 100644 index 00000000..27b8d3a0 --- /dev/null +++ b/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py @@ -0,0 +1,43 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +"""Unit tests for core configuration.""" + +import uuid +from oslo_config import cfg +from keystone.tests import unit as tests +from keystone.contrib.moon.backends import sql +from keystone.tests.unit.ksfixtures import database +from keystone.contrib.moon.exception import * +from keystone.tests.unit import default_fixtures +from keystone.contrib.moon.core import LogManager + +CONF = cfg.CONF + + +class TestSQL(tests.TestCase): + + def setUp(self): + self.useFixture(database.Database()) + super(TestSQL, self).setUp() + self.load_backends() + self.load_fixtures(default_fixtures) + self.driver = sql.IntraExtensionConnector() + + def load_extra_backends(self): + return { + "moonlog_api": LogManager() + } + + def config_overrides(self): + super(TestSQL, self).config_overrides() + self.config_fixture.config( + group='moon', + tenant_driver='keystone.contrib.moon.backends.sql.ConfigurationConnector') + + def test_intra_extensions(self): + result = self.driver.get_intra_extensions_dict() + print(type(result)) + self.assertIn("toto", result) diff --git a/keystone-moon/keystone/tests/moon/unit/__init__.py b/keystone-moon/keystone/tests/moon/unit/__init__.py index 1b678d53..0cd835ce 100644 --- a/keystone-moon/keystone/tests/moon/unit/__init__.py +++ b/keystone-moon/keystone/tests/moon/unit/__init__.py @@ -2,3 +2,84 @@ # This software is distributed under the terms and conditions of the 'Apache-2.0' # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. +import uuid +from keystone.contrib.moon.core import ADMIN_ID + +USER = { + 'name': 'admin', + 'domain_id': "default", + 'password': 'admin' +} +IE = { + "name": "test IE", + "policymodel": "policy_authz", + "description": "a simple description." +} + + +def create_intra_extension(self, policy_model="policy_authz"): + + IE["model"] = policy_model + IE["name"] = uuid.uuid4().hex + genre = "admin" + if "authz" in policy_model: + genre = "authz" + IE["genre"] = genre + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + ref = self.admin_api.load_intra_extension_dict(self.ADMIN_ID, intra_extension_dict=IE) + self.assertIsInstance(ref, dict) + return ref + + +# def create_tenant(self, authz_uuid): +# tenant = { +# "id": uuid.uuid4().hex, +# "name": "TestAuthzIntraExtensionManager", +# "enabled": True, +# "description": "", +# "domain_id": "default" +# } +# project = self.resource_api.create_project(tenant["id"], tenant) +# mapping = self.tenant_api.set_tenant_dict(project["id"], project["name"], authz_uuid, None) +# self.assertIsInstance(mapping, dict) +# self.assertIn("authz", mapping) +# self.assertEqual(mapping["authz"], authz_uuid) +# return mapping + + +def create_user(self, username="TestAdminIntraExtensionManagerUser"): + user = { + "id": uuid.uuid4().hex, + "name": username, + "enabled": True, + "description": "", + "domain_id": "default" + } + _user = self.identity_api.create_user(user) + return _user + +def create_mapping(self, tenant_name=None, authz_id=None, admin_id=None): + + from keystone.contrib.moon.core import ADMIN_ID + if not tenant_name: + tenant_name = uuid.uuid4().hex + + tenant = { + "id": uuid.uuid4().hex, + "name": tenant_name, + "description": uuid.uuid4().hex, + "intra_authz_extension_id": authz_id, + "intra_admin_extension_id": admin_id, + "enabled": True, + "domain_id": "default" + } + keystone_tenant = self.resource_api.create_project(tenant["id"], tenant) + mapping = self.tenant_api.add_tenant_dict(ADMIN_ID, tenant) + self.assertIsInstance(mapping, dict) + self.assertIn("intra_authz_extension_id", mapping[tenant["id"]]) + self.assertIn("intra_admin_extension_id", mapping[tenant["id"]]) + self.assertEqual(mapping[tenant["id"]]["intra_authz_extension_id"], authz_id) + self.assertEqual(mapping[tenant["id"]]["intra_admin_extension_id"], admin_id) + return tenant, mapping diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py index e6388559..1d612b7d 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py @@ -12,11 +12,15 @@ from keystone.contrib.moon.core import ConfigurationManager from keystone.tests.unit.ksfixtures import database from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures +from keystone.contrib.moon.core import ADMIN_ID from keystone.contrib.moon.core import LogManager +from keystone.contrib.moon.core import IntraExtensionAdminManager +from keystone.tests.moon.unit import * CONF = cfg.CONF +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') class TestConfigurationManager(tests.TestCase): def setUp(self): @@ -24,34 +28,52 @@ class TestConfigurationManager(tests.TestCase): super(TestConfigurationManager, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) - self.manager = ConfigurationManager() + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.configuration_api def load_extra_backends(self): return { - "moonlog_api": LogManager() + "moonlog_api": LogManager(), + "admin_api": IntraExtensionAdminManager() } def config_overrides(self): super(TestConfigurationManager, self).config_overrides() self.config_fixture.config( group='moon', - tenant_driver='keystone.contrib.moon.backends.sql.ConfigurationConnector') + configuration_driver='keystone.contrib.moon.backends.memory.ConfigurationConnector' + ) + self.config_fixture.config( + group='moon', + tenant_driver='keystone.contrib.moon.backends.sql.TenantConnector') + self.policy_directory = 'examples/moon/policies' + self.config_fixture.config( + group='moon', + intraextension_driver='keystone.contrib.moon.backends.sql.IntraExtensionConnector') + self.config_fixture.config( + group='moon', + policy_directory=self.policy_directory) def test_get_policy_template_dict(self): - pass - - def test_get_policy_template_id_from_name(self): - pass - - def test_get_aggregation_algorithm_dict(self): - pass - - def test_get_aggregation_algorithm_id_from_name(self): - pass + data = self.manager.get_policy_templates_dict(self.ADMIN_ID) + self.assertIsInstance(data, dict) + self.assertIn("authz_templates", data) + self.assertIn("policy_root", data["authz_templates"]) - def test_get_sub_meta_rule_algorithm_dict(self): - pass + # def test_get_aggregation_algorithm_dict(self): + # admin_intra_extension = create_intra_extension(self, policy_model="policy_admin") + # print(admin_intra_extension) + # data = self.manager.get_aggregation_algorithm_dict(self.ADMIN_ID, admin_intra_extension['id']) + # print(data) - def test_get_sub_meta_rule_algorithm_id_from_name(self): - pass + # def test_get_sub_meta_rule_algorithm_dict(self): + # data = self.manager.get_sub_meta_rule_algorithm_dict(self.ADMIN_ID) + # print(data) + # + # self.assertEqual("", "ee") diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py index 97442228..68e4a79a 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py @@ -16,7 +16,8 @@ from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager -from keystone.contrib.moon.core import DEFAULT_USER_ID +from keystone.contrib.moon.core import ADMIN_ID +from keystone.tests.moon.unit import * CONF = cfg.CONF @@ -32,14 +33,23 @@ IE = { "description": "a simple description." } +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') class TestIntraExtensionAdminManagerOK(tests.TestCase): + # TODO: must be reviewed because some tests are on the authz interface def setUp(self): self.useFixture(database.Database()) super(TestIntraExtensionAdminManagerOK, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) - self.manager = IntraExtensionAdminManager() + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.authz_api + self.admin_manager = self.admin_api def __get_key_from_value(self, value, values_dict): return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0] @@ -48,6 +58,8 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): return { "moonlog_api": LogManager(), "tenant_api": TenantManager(), + "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), # "resource_api": resource.Manager(), } @@ -61,1207 +73,921 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): group='moon', policy_directory=self.policy_directory) - def create_intra_extension(self, policy_model="policy_admin"): - # Create the admin user because IntraExtension needs it - #self.admin = self.identity_api.create_user(USER) - IE["policymodel"] = policy_model - IE["name"] = uuid.uuid4().hex - self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE) - self.assertIsInstance(self.ref, dict) - self.create_tenant(self.ref["id"]) - - def create_tenant(self, authz_uuid): - tenant = { - "id": uuid.uuid4().hex, - "name": "TestAuthzIntraExtensionManager", - "enabled": True, - "description": "", - "domain_id": "default" - } - project = self.resource_api.create_project(tenant["id"], tenant) - mapping = self.tenant_api.set_tenant_dict(project["id"], project["name"], authz_uuid, None) - self.assertIsInstance(mapping, dict) - self.assertIn("authz", mapping) - self.assertEqual(mapping["authz"], authz_uuid) - return mapping - - def create_user(self, username="TestAdminIntraExtensionManagerUser"): - user = { - "id": uuid.uuid4().hex, - "name": username, - "enabled": True, - "description": "", - "domain_id": "default" - } - _user = self.identity_api.create_user(user) - return _user - def delete_admin_intra_extension(self): self.manager.del_intra_extension(self.ref["id"]) def test_subjects(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"]) - self.assertIsInstance(subjects["subjects"], dict) - - new_subject = self.create_user() - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - subjects = self.manager.set_subject_dict("admin", self.ref["id"], new_subjects) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"]) - self.assertEqual(subjects["subjects"], new_subjects) - self.assertIn(new_subject["id"], subjects["subjects"]) - + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + self.assertIn("keystone_name", value) + self.assertIn("keystone_id", value) + + create_user(self, "subject_test") + new_subject = {"name": "subject_test", "description": "subject_test"} + + subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject) + _subjects = dict(subjects) + self.assertEqual(len(_subjects.keys()), 1) + new_subject["id"] = _subjects.keys()[0] + value = subjects[new_subject["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject["description"]) + # Delete the new subject - self.manager.del_subject("admin", self.ref["id"], new_subject["id"]) - subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"]) - self.assertNotIn(new_subject["id"], subjects["subjects"]) - - # Add a particular subject - subjects = self.manager.add_subject_dict("admin", self.ref["id"], new_subject["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subject", subjects) - self.assertIn("uuid", subjects["subject"]) - self.assertEqual(new_subject["name"], subjects["subject"]["name"]) - subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"]) - self.assertIn(new_subject["id"], subjects["subjects"]) + self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"]) + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject["name"], value["name"]) + self.assertIn("description", value) def test_objects(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - objects = self.manager.get_objects_dict("admin", self.ref["id"]) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(self.ref["id"], objects["intra_extension_uuid"]) - self.assertIsInstance(objects["objects"], dict) - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - objects = self.manager.set_object_dict("admin", self.ref["id"], new_objects) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(self.ref["id"], objects["intra_extension_uuid"]) - self.assertEqual(objects["objects"], new_objects) - self.assertIn(new_object["id"], objects["objects"]) - - # Delete the new object - self.manager.del_object("admin", self.ref["id"], new_object["id"]) - objects = self.manager.get_objects_dict("admin", self.ref["id"]) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(self.ref["id"], objects["intra_extension_uuid"]) - self.assertNotIn(new_object["id"], objects["objects"]) - - # Add a particular object - objects = self.manager.add_object_dict("admin", self.ref["id"], new_object["name"]) - self.assertIsInstance(objects, dict) - self.assertIn("object", objects) - self.assertIn("uuid", objects["object"]) - self.assertEqual(new_object["name"], objects["object"]["name"]) - new_object["id"] = objects["object"]["uuid"] - objects = self.manager.get_objects_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + objects_id_list = [] self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(self.ref["id"], objects["intra_extension_uuid"]) - self.assertIn(new_object["id"], objects["objects"]) + for key, value in objects.iteritems(): + objects_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) def test_actions(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - actions = self.manager.get_actions_dict("admin", self.ref["id"]) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(self.ref["id"], actions["intra_extension_uuid"]) - self.assertIsInstance(actions["actions"], dict) - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - actions = self.manager.set_action_dict("admin", self.ref["id"], new_actions) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(self.ref["id"], actions["intra_extension_uuid"]) - self.assertEqual(actions["actions"], new_actions) - self.assertIn(new_action["id"], actions["actions"]) - - # Delete the new action - self.manager.del_action("admin", self.ref["id"], new_action["id"]) - actions = self.manager.get_actions_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + actions_id_list = [] self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(self.ref["id"], actions["intra_extension_uuid"]) - self.assertNotIn(new_action["id"], actions["actions"]) - - # Add a particular action - actions = self.manager.add_action_dict("admin", self.ref["id"], new_action["name"]) - self.assertIsInstance(actions, dict) - self.assertIn("action", actions) - self.assertIn("uuid", actions["action"]) - self.assertEqual(new_action["name"], actions["action"]["name"]) - new_action["id"] = actions["action"]["uuid"] - actions = self.manager.get_actions_dict("admin", self.ref["id"]) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(self.ref["id"], actions["intra_extension_uuid"]) - self.assertIn(new_action["id"], actions["actions"]) + for key, value in actions.iteritems(): + actions_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) def test_subject_categories(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - subject_categories = self.manager.get_subject_categories_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIsInstance(subject_categories["subject_categories"], dict) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - new_subject_categories = dict() - new_subject_categories[new_subject_category["id"]] = new_subject_category["name"] - subject_categories = self.manager.set_subject_category_dict("admin", self.ref["id"], new_subject_categories) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertEqual(subject_categories["subject_categories"], new_subject_categories) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"} + + subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category) + _subject_categories = dict(subject_categories) + self.assertEqual(len(_subject_categories.keys()), 1) + new_subject_category["id"] = _subject_categories.keys()[0] + value = subject_categories[new_subject_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject_category["description"]) # Delete the new subject_category - self.manager.del_subject_category("admin", self.ref["id"], new_subject_category["id"]) - subject_categories = self.manager.get_subject_categories_dict("admin", self.ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertNotIn(new_subject_category["id"], subject_categories["subject_categories"]) - - # Add a particular subject_category - subject_categories = self.manager.add_subject_category( - "admin", - self.ref["id"], - new_subject_category["name"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_category", subject_categories) - self.assertIn("uuid", subject_categories["subject_category"]) - self.assertEqual(new_subject_category["name"], subject_categories["subject_category"]["name"]) - new_subject_category["id"] = subject_categories["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - "admin", - self.ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) + self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject_category["name"], value["name"]) + self.assertIn("description", value) def test_object_categories(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - object_categories = self.manager.get_object_category_dict("admin", self.ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"]) - self.assertIsInstance(object_categories["object_categories"], dict) - - new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"} - new_object_categories = dict() - new_object_categories[new_object_category["id"]] = new_object_category["name"] - object_categories = self.manager.set_object_category_dict("admin", self.ref["id"], new_object_categories) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"]) - self.assertEqual(object_categories["object_categories"], new_object_categories) - self.assertIn(new_object_category["id"], object_categories["object_categories"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_object_category = {"name": "object_category_test", "description": "object_category_test"} + + object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category) + _object_categories = dict(object_categories) + self.assertEqual(len(_object_categories.keys()), 1) + new_object_category["id"] = _object_categories.keys()[0] + value = object_categories[new_object_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_object_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_object_category["description"]) # Delete the new object_category - self.manager.del_object_category("admin", self.ref["id"], new_object_category["id"]) - object_categories = self.manager.get_object_category_dict("admin", self.ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"]) - self.assertNotIn(new_object_category["id"], object_categories["object_categories"]) - - # Add a particular object_category - object_categories = self.manager.add_object_category( - "admin", - self.ref["id"], - new_object_category["name"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_category", object_categories) - self.assertIn("uuid", object_categories["object_category"]) - self.assertEqual(new_object_category["name"], object_categories["object_category"]["name"]) - new_object_category["id"] = object_categories["object_category"]["uuid"] - object_categories = self.manager.get_object_category_dict( - "admin", - self.ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"]) - self.assertIn(new_object_category["id"], object_categories["object_categories"]) - def test_action_categories(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() + self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"]) + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_object_category["name"], value["name"]) + self.assertIn("description", value) - action_categories = self.manager.get_action_category_dict("admin", self.ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"]) - self.assertIsInstance(action_categories["action_categories"], dict) - - new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"} - new_action_categories = dict() - new_action_categories[new_action_category["id"]] = new_action_category["name"] - action_categories = self.manager.set_action_category_dict("admin", self.ref["id"], new_action_categories) + def test_action_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"]) - self.assertEqual(action_categories["action_categories"], new_action_categories) - self.assertIn(new_action_category["id"], action_categories["action_categories"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_action_category = {"name": "action_category_test", "description": "action_category_test"} + + action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category) + _action_categories = dict(action_categories) + self.assertEqual(len(_action_categories.keys()), 1) + new_action_category["id"] = _action_categories.keys()[0] + value = action_categories[new_action_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_action_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_action_category["description"]) # Delete the new action_category - self.manager.del_action_category("admin", self.ref["id"], new_action_category["id"]) - action_categories = self.manager.get_action_category_dict("admin", self.ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"]) - self.assertNotIn(new_action_category["id"], action_categories["action_categories"]) - - # Add a particular action_category - action_categories = self.manager.add_action_category( - "admin", - self.ref["id"], - new_action_category["name"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_category", action_categories) - self.assertIn("uuid", action_categories["action_category"]) - self.assertEqual(new_action_category["name"], action_categories["action_category"]["name"]) - new_action_category["id"] = action_categories["action_category"]["uuid"] - action_categories = self.manager.get_action_category_dict( - "admin", - self.ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"]) - self.assertIn(new_action_category["id"], action_categories["action_categories"]) - def test_subject_category_scope(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() + self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"]) + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_action_category["name"], value["name"]) + self.assertIn("description", value) - subject_categories = self.manager.set_subject_category_dict( - "admin", - self.ref["id"], + def test_subject_category_scope(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "admin", - uuid.uuid4().hex: "dev", + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: + for subject_category_id in subject_categories: + subject_category_scope = self.manager.get_subject_scopes_dict( - "admin", - self.ref["id"], - subject_category) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope" - subject_category_scope = self.manager.set_subject_scope_dict( - "admin", - self.ref["id"], - subject_category, + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope = { + "name": "france", + "description": "france", + } + + subject_category_scope = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, new_subject_category_scope) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) + self.assertEqual(len(subject_category_scope.keys()), 1) + subject_category_scope_id = subject_category_scope.keys()[0] + subject_category_scope_value = subject_category_scope[subject_category_scope_id] + self.assertIn("name", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"]) + self.assertIn("description", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"]) # Delete the new subject_category_scope - self.manager.del_subject_scope( - "admin", - self.ref["id"], - subject_category, - new_subject_category_scope_uuid) - subject_category_scope = self.manager.get_subject_scopes_dict( - "admin", - self.ref["id"], - subject_category) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) - - # Add a particular subject_category_scope - subject_category_scope = self.manager.add_subject_scope_dict( - "admin", - self.ref["id"], - subject_category, - new_subject_category_scope[new_subject_category_scope_uuid]) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("uuid", subject_category_scope["subject_category_scope"]) - self.assertEqual(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"]["name"]) - subject_category_scope = self.manager.get_subject_scopes_dict( - "admin", - self.ref["id"], - subject_category) + + self.admin_manager.del_subject_scope( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + subject_category_scope_id) + subject_category_scope = self.admin_manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) + self.assertNotIn(subject_category_scope_id, subject_category_scope.keys()) def test_object_category_scope(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - object_categories = self.manager.set_object_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "id", - uuid.uuid4().hex: "domain", + "name": "country", + "description": "country", } ) - for object_category in object_categories["object_categories"]: + for object_category_id in object_categories: + object_category_scope = self.manager.get_object_scopes_dict( - "admin", - self.ref["id"], - object_category) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope" - object_category_scope = self.manager.set_object_scope_dict( - "admin", - self.ref["id"], - object_category, + self.assertEqual({}, object_category_scope) + + new_object_category_scope = { + "name": "france", + "description": "france", + } + + object_category_scope = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, new_object_category_scope) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual(len(object_category_scope.keys()), 1) + object_category_scope_id = object_category_scope.keys()[0] + object_category_scope_value = object_category_scope[object_category_scope_id] + self.assertIn("name", object_category_scope_value) + self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"]) + self.assertIn("description", object_category_scope_value) + self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"]) # Delete the new object_category_scope - self.manager.del_object_scope( - "admin", - self.ref["id"], - object_category, - new_object_category_scope_uuid) - object_category_scope = self.manager.get_object_scopes_dict( - "admin", - self.ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"]) - - # Add a particular object_category_scope - object_category_scope = self.manager.add_object_scope_dict( - "admin", - self.ref["id"], - object_category, - new_object_category_scope[new_object_category_scope_uuid]) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("uuid", object_category_scope["object_category_scope"]) - self.assertEqual(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"]["name"]) - object_category_scope = self.manager.get_object_scopes_dict( - "admin", - self.ref["id"], - object_category) + + self.admin_manager.del_object_scope( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + object_category_scope_id) + object_category_scope = self.admin_manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"]) + self.assertNotIn(object_category_scope_id, object_category_scope.keys()) def test_action_category_scope(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - action_categories = self.manager.set_action_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "compute", - uuid.uuid4().hex: "identity", + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: + for action_category_id in action_categories: + action_category_scope = self.manager.get_action_scopes_dict( - "admin", - self.ref["id"], - action_category) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope" - action_category_scope = self.manager.set_action_scope_dict( - "admin", - self.ref["id"], - action_category, + self.assertEqual({}, action_category_scope) + + new_action_category_scope = { + "name": "get", + "description": "get swift files", + } + + action_category_scope = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, new_action_category_scope) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual(len(action_category_scope.keys()), 1) + action_category_scope_id = action_category_scope.keys()[0] + action_category_scope_value = action_category_scope[action_category_scope_id] + self.assertIn("name", action_category_scope_value) + self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"]) + self.assertIn("description", action_category_scope_value) + self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"]) # Delete the new action_category_scope - self.manager.del_action_scope( - "admin", - self.ref["id"], - action_category, - new_action_category_scope_uuid) - action_category_scope = self.manager.get_action_scopes_dict( - "admin", - self.ref["id"], - action_category) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"]) - - # Add a particular action_category_scope - action_category_scope = self.manager.add_action_scope_dict( - "admin", - self.ref["id"], - action_category, - new_action_category_scope[new_action_category_scope_uuid]) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("uuid", action_category_scope["action_category_scope"]) - self.assertEqual(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"]["name"]) - action_category_scope = self.manager.get_action_scopes_dict( - "admin", - self.ref["id"], - action_category) + + self.admin_manager.del_action_scope( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + action_category_scope_id) + action_category_scope = self.admin_manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"]) + self.assertNotIn(action_category_scope_id, action_category_scope.keys()) def test_subject_category_assignment(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - new_subject = self.create_user() - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - subjects = self.manager.set_subject_dict("admin", self.ref["id"], new_subjects) - - new_subject_category_uuid = uuid.uuid4().hex - new_subject_category_value = "role" - subject_categories = self.manager.set_subject_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + admin_authz_subject_id, admin_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + demo_authz_subject_id, demo_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - new_subject_category_uuid: new_subject_category_value + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: + for subject_category_id in subject_categories: subject_category_scope = self.manager.get_subject_scopes_dict( - "admin", - self.ref["id"], - subject_category) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = "admin" - subject_category_scope = self.manager.set_subject_scope_dict( - "admin", - self.ref["id"], - subject_category, - new_subject_category_scope) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - new_subject_category_scope2 = dict() - new_subject_category_scope2_uuid = uuid.uuid4().hex - new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev" - subject_category_scope = self.manager.set_subject_scope_dict( - "admin", - self.ref["id"], - subject_category, - new_subject_category_scope2) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - subject_category_assignments = self.manager.get_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"] + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope_1 = { + "name": "france", + "description": "france", + } + + subject_category_scope_1 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_1) + subject_category_scope_1_id = subject_category_scope_1.keys()[0] + + new_subject_category_scope_2 = { + "name": "china", + "description": "china", + } + + subject_category_scope_2 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_2) + subject_category_scope_2_id = subject_category_scope_2.keys()[0] + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, + subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - - subject_category_assignments = self.manager.set_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"], - { - new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid], - } + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, + subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - subject_category_assignments = self.manager.get_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"] + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - - self.manager.del_subject_assignment( - "admin", - self.ref["id"], - new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.assertIsInstance(subject_category_assignments, list) + + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - subject_category_assignments = self.manager.get_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"] + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope2_uuid, ]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - - data = self.manager.add_subject_assignment_list( - "admin", - self.ref["id"], - new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) - subject_category_assignments = self.manager.get_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"] + self.admin_manager.del_subject_assignment( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope2_uuid, new_subject_category_scope_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) def test_object_category_assignment(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - objects = self.manager.set_object_dict("admin", self.ref["id"], new_objects) - - new_object_category_uuid = uuid.uuid4().hex - new_object_category_value = "role" - object_categories = self.manager.set_object_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + + object_vm1_id = None + object_vm2_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == 'vm1': + object_vm1_id = _object_id + if objects_dict[_object_id]['name'] == 'vm2': + object_vm2_id = _object_id + if not object_vm1_id or not object_vm2_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)") + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - new_object_category_uuid: new_object_category_value + "name": "location", + "description": "location", } ) - for object_category in object_categories["object_categories"]: + for object_category_id in object_categories: object_category_scope = self.manager.get_object_scopes_dict( - "admin", - self.ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = "admin" - object_category_scope = self.manager.set_object_scope_dict( - "admin", - self.ref["id"], - object_category, - new_object_category_scope) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) - - new_object_category_scope2 = dict() - new_object_category_scope2_uuid = uuid.uuid4().hex - new_object_category_scope2[new_object_category_scope2_uuid] = "dev" - object_category_scope = self.manager.set_object_scope_dict( - "admin", - self.ref["id"], - object_category, - new_object_category_scope2) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual({}, object_category_scope) + + new_object_category_scope_1 = { + "name": "france", + "description": "france", + } + + object_category_scope_1 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_1) + object_category_scope_1_id = object_category_scope_1.keys()[0] + + new_object_category_scope_2 = { + "name": "china", + "description": "china", + } + + object_category_scope_2 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_2) + object_category_scope_2_id = object_category_scope_2.keys()[0] object_category_assignments = self.manager.get_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"] - ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]]) - - object_category_assignments = self.manager.set_object_category_assignment_dict( - "admin", - self.ref["id"], - new_object["id"], - { - new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid], - } + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, + object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + object_category_assignments = self.manager.get_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"] + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, + object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) - - self.manager.del_object_assignment( - "admin", - self.ref["id"], - new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id ) - object_category_assignments = self.manager.get_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"] + self.assertIsInstance(object_category_assignments, list) + + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope2_uuid, ]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) - - self.manager.add_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) - object_category_assignments = self.manager.get_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"] + self.admin_manager.del_object_assignment( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope2_uuid, new_object_category_scope_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) def test_action_category_assignment(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - actions = self.manager.set_action_dict("admin", self.ref["id"], new_actions) - - new_action_category_uuid = uuid.uuid4().hex - new_action_category_value = "role" - action_categories = self.manager.set_action_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + + action_upload_id = None + action_list_id = None + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] == 'upload': + action_upload_id = _action_id + if actions_dict[_action_id]['name'] == 'list': + action_list_id = _action_id + if not action_upload_id or not action_list_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)") + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - new_action_category_uuid: new_action_category_value + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: + for action_category_id in action_categories: action_category_scope = self.manager.get_action_scopes_dict( - "admin", - self.ref["id"], - action_category) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = "admin" - action_category_scope = self.manager.set_action_scope_dict( - "admin", - self.ref["id"], - action_category, - new_action_category_scope) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) - - new_action_category_scope2 = dict() - new_action_category_scope2_uuid = uuid.uuid4().hex - new_action_category_scope2[new_action_category_scope2_uuid] = "dev" - action_category_scope = self.manager.set_action_scope_dict( - "admin", - self.ref["id"], - action_category, - new_action_category_scope2) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual({}, action_category_scope) + + new_action_category_scope_1 = { + "name": "swift_admin", + "description": "action require admin rights", + } + + action_category_scope_1 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_1) + action_category_scope_1_id = action_category_scope_1.keys()[0] + + new_action_category_scope_2 = { + "name": "swift_anonymous", + "description": "action require no right", + } + + action_category_scope_2 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_2) + action_category_scope_2_id = action_category_scope_2.keys()[0] action_category_assignments = self.manager.get_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"] + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, + action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]]) - - action_category_assignments = self.manager.set_action_assignment_dict( - "admin", - self.ref["id"], - new_action["id"], - { - new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid], - } - ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + action_category_assignments = self.manager.get_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"] + admin_subject_id, + authz_ie_dict["id"], + action_list_id, + action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) - - self.manager.del_action_assignment( - "admin", - self.ref["id"], - new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id ) - action_category_assignments = self.manager.get_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"] + self.assertIsInstance(action_category_assignments, list) + + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope2_uuid, ]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) - - self.manager.add_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) - action_category_assignments = self.manager.get_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"] + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + self.admin_manager.del_action_assignment( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope2_uuid, new_action_category_scope_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) def test_sub_meta_rules(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - aggregation_algorithms = self.manager.get_aggregation_algorithms("admin", self.ref["id"]) - self.assertIsInstance(aggregation_algorithms, dict) - self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list) - self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"]) - self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"]) - - aggregation_algorithm = self.manager.get_aggregation_algorithm_dict("admin", self.ref["id"]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"]) - _aggregation_algorithm.remove(aggregation_algorithm["aggregation"]) - aggregation_algorithm = self.manager.set_aggregation_algorithm_dict("admin", self.ref["id"], _aggregation_algorithm[0]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - sub_meta_rules = self.manager.get_sub_meta_rules_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in aggregation_algorithms.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + # TODO: need more tests on aggregation_algorithms (set and del) + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, self.ref["model"], "metarule.json"))) - metarule = dict() categories = { - "subject_categories": self.manager.get_subject_categories_dict("admin", self.ref["id"]), - "object_categories": self.manager.get_object_category_dict("admin", self.ref["id"]), - "action_categories": self.manager.get_action_category_dict("admin", self.ref["id"]) + "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]), + "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]), + "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) } - for relation in sub_meta_rules_conf["sub_meta_rules"]: - metarule[relation] = dict() - for item in ("subject_categories", "object_categories", "action_categories"): - metarule[relation][item] = list() - for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]: - metarule[relation][item].append(self.__get_key_from_value( - element, - categories[item][item] - )) - - for relation in sub_meta_rules["sub_meta_rules"]: - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - # Add a particular subject_category - data = self.manager.add_subject_category( - "admin", - self.ref["id"], - new_subject_category["name"]) - new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - "admin", - self.ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) - metarule[relation]["subject_categories"].append(new_subject_category["id"]) - _sub_meta_rules = self.manager.del_sub_meta_rule("admin", self.ref["id"], metarule) - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - _sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) + for key, value in sub_meta_rules.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("action_categories", value) + self.assertIn("object_categories", value) + self.assertIn("subject_categories", value) + self.assertIn("algorithm", value) + self.assertIn("name", value) + for action_category_id in value["action_categories"]: + self.assertIn(action_category_id, categories["action_categories"]) + for object_category_id in value["object_categories"]: + self.assertIn(object_category_id, categories["object_categories"]) + for subject_category_id in value["subject_categories"]: + self.assertIn(subject_category_id, categories["subject_categories"]) + # TODO: need more tests (set and del) def test_sub_rules(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - sub_meta_rules = self.manager.get_sub_meta_rules_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - - sub_rules = self.manager.get_sub_rules("admin", self.ref["id"]) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations("admin", self.ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + + for relation_id in sub_meta_rules: + rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id) + rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \ + len(sub_meta_rules[relation_id]["object_categories"]) + \ + len(sub_meta_rules[relation_id]["action_categories"]) + 1 + for rule_id in rules: + self.assertEqual(rule_length, len(rules[rule_id])) + rule = list(rules[rule_id]) for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - "admin", - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) a_scope = rule.pop(0) if type(a_scope) is not bool: - self.assertIn(a_scope, scope[func_name][cat_value]) - - # add a new subrule - - relation = sub_rules["rules"].keys()[0] - sub_rule = [] - for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), - ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: - scope = cat_func( - "admin", - self.ref["id"], - cat_value - ) - sub_rule.append(scope[func_name][cat_value].keys()[0]) - - sub_rule.append(True) - sub_rules = self.manager.set_sub_rule("admin", self.ref["id"], relation, sub_rule) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - self.assertIn(sub_rule, sub_rules["rules"][relation]) - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations("admin", self.ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + self.assertIn(a_scope, scope.keys()) + + # add a new subrule + + sub_rule = [] + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + sub_rule.append(scope.keys()[0]) + + sub_rule.append(False) + + sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule) + self.assertIsInstance(sub_rules, dict) + self.assertIn(sub_rule, sub_rules.values()) + + for rule_id, rule_value in sub_rules.iteritems(): for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - "admin", - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) - a_scope = rule.pop(0) - self.assertIn(a_scope, scope[func_name][cat_value]) + a_scope = rule_value.pop(0) + self.assertIn(a_scope, scope.keys()) + + # TODO: add test for the delete function +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') class TestIntraExtensionAdminManagerKO(tests.TestCase): + # TODO: must be reviewed because some tests are on the authz interface def setUp(self): self.useFixture(database.Database()) super(TestIntraExtensionAdminManagerKO, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) - self.manager = IntraExtensionAuthzManager() - self.admin_manager = IntraExtensionAdminManager() + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.authz_api + self.admin_manager = self.admin_api def __get_key_from_value(self, value, values_dict): return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0] @@ -1270,6 +996,8 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): return { "moonlog_api": LogManager(), "tenant_api": TenantManager(), + "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), # "resource_api": resource.Manager(), } @@ -1283,1519 +1011,1117 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): group='moon', policy_directory=self.policy_directory) - def create_tenant(self): - tenant = { - "id": uuid.uuid4().hex, - "name": "TestIntraExtensionAuthzManager", - "enabled": True, - "description": "", - "domain_id": "default" - } - return self.resource_api.create_project(tenant["id"], tenant) - - def create_mapping(self, tenant, authz_uuid=None, admin_uuid=None): - - mapping = self.tenant_api.set_tenant_dict(tenant["id"], tenant["name"], authz_uuid, admin_uuid) - self.assertIsInstance(mapping, dict) - self.assertIn("authz", mapping) - self.assertEqual(mapping["authz"], authz_uuid) - return mapping - - def create_user(self, username="admin"): - - _USER = dict(USER) - _USER["name"] = username - return self.identity_api.create_user(_USER) - - def create_intra_extension(self, policy_model="policy_authz"): - - IE["policymodel"] = policy_model - IE["name"] = uuid.uuid4().hex - ref = self.admin_manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE) - self.assertIsInstance(ref, dict) - return ref - def test_subjects(self): - admin_user = self.create_user("admin") - demo_user = self.create_user("demo") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_subjects_dict, - demo_user["id"], ref["id"]) - - subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertIsInstance(subjects["subjects"], dict) - - new_subject = self.create_user("new_user") - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + self.assertIn("keystone_name", value) + self.assertIn("keystone_id", value) + + create_user(self, "subject_test") + new_subject = {"name": "subject_test", "description": "subject_test"} self.assertRaises( AuthzException, - self.manager.set_subject_dict, - demo_user["id"], ref["id"], new_subjects) - - subjects = self.manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertEqual(subjects["subjects"], new_subjects) - self.assertIn(new_subject["id"], subjects["subjects"]) + self.manager.add_subject_dict, + demo_subject_id, admin_ie_dict["id"], new_subject) + + subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject) + _subjects = dict(subjects) + self.assertEqual(len(_subjects.keys()), 1) + new_subject["id"] = _subjects.keys()[0] + value = subjects[new_subject["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject["description"]) # Delete the new subject self.assertRaises( AuthzException, - self.manager.del_subject_dict, - demo_user["id"], ref["id"], new_subject["id"]) - - self.manager.del_subject(admin_user["id"], ref["id"], new_subject["id"]) - subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertNotIn(new_subject["id"], subjects["subjects"]) - - # Add a particular subject - self.assertRaises( - AuthzException, - self.manager.add_subject_dict, - demo_user["id"], ref["id"], new_subject["id"]) + self.manager.del_subject, + demo_subject_id, authz_ie_dict["id"], new_subject["id"]) - subjects = self.manager.add_subject_dict(admin_user["id"], ref["id"], new_subject["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subject", subjects) - self.assertIn("uuid", subjects["subject"]) - self.assertEqual(new_subject["name"], subjects["subject"]["name"]) - subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertIn(new_subject["id"], subjects["subjects"]) + self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"]) + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject["name"], value["name"]) + self.assertIn("description", value) def test_objects(self): - admin_user = self.create_user("admin") - demo_user = self.create_user("demo") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_objects_dict, - demo_user["id"], ref["id"]) - - objects = self.manager.get_objects_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + objects_id_list = [] self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertIsInstance(objects["objects"], dict) - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - + for key, value in objects.iteritems(): + objects_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + create_user(self, "subject_test") + new_object = {"name": "object_test", "description": "object_test"} self.assertRaises( AuthzException, - self.manager.set_object_dict, - demo_user["id"], ref["id"], new_objects) - - objects = self.manager.set_object_dict(admin_user["id"], ref["id"], new_objects) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertEqual(objects["objects"], new_objects) - self.assertIn(new_object["id"], objects["objects"]) + self.manager.add_object_dict, + demo_subject_id, admin_ie_dict["id"], new_object) - # Delete the new object self.assertRaises( - AuthzException, - self.manager.del_object_dict, - demo_user["id"], ref["id"], new_object["id"]) - - self.manager.del_object(admin_user["id"], ref["id"], new_object["id"]) - objects = self.manager.get_objects_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertNotIn(new_object["id"], objects["objects"]) + ObjectsWriteNoAuthorized, + self.admin_manager.add_object_dict, + admin_subject_id, authz_ie_dict["id"], new_object + ) - # Add a particular object - self.assertRaises( - AuthzException, - self.manager.add_object_dict, - demo_user["id"], ref["id"], new_object["name"]) + # Delete the new object + for key in objects_id_list: + self.assertRaises( + AuthzException, + self.manager.del_object, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + AuthzException, + self.manager.del_object, + admin_subject_id, authz_ie_dict["id"], key) - objects = self.manager.add_object_dict(admin_user["id"], ref["id"], new_object["name"]) - self.assertIsInstance(objects, dict) - self.assertIn("object", objects) - self.assertIn("uuid", objects["object"]) - self.assertEqual(new_object["name"], objects["object"]["name"]) - new_object["id"] = objects["object"]["uuid"] - objects = self.manager.get_objects_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertIn(new_object["id"], objects["objects"]) + for key in objects_id_list: + self.assertRaises( + ObjectsWriteNoAuthorized, + self.admin_manager.del_object, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + ObjectsWriteNoAuthorized, + self.admin_manager.del_object, + admin_subject_id, authz_ie_dict["id"], key) def test_actions(self): - admin_user = self.create_user("admin") - demo_user = self.create_user("demo") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_actions_dict, - demo_user["id"], ref["id"]) - - actions = self.manager.get_actions_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + actions_id_list = [] self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertIsInstance(actions["actions"], dict) - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - + for key, value in actions.iteritems(): + actions_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + create_user(self, "subject_test") + new_action = {"name": "action_test", "description": "action_test"} self.assertRaises( AuthzException, - self.manager.set_action_dict, - demo_user["id"], ref["id"], new_actions) + self.manager.add_action_dict, + demo_subject_id, admin_ie_dict["id"], new_action) - actions = self.manager.set_action_dict(admin_user["id"], ref["id"], new_actions) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertEqual(actions["actions"], new_actions) - self.assertIn(new_action["id"], actions["actions"]) - - # Delete the new action self.assertRaises( - AuthzException, - self.manager.del_action_dict, - demo_user["id"], ref["id"], new_action["id"]) - - self.manager.del_action(admin_user["id"], ref["id"], new_action["id"]) - actions = self.manager.get_actions_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertNotIn(new_action["id"], actions["actions"]) + ActionsWriteNoAuthorized, + self.admin_manager.add_action_dict, + admin_subject_id, authz_ie_dict["id"], new_action + ) - # Add a particular action - self.assertRaises( - AuthzException, - self.manager.add_action_dict, - demo_user["id"], ref["id"], new_action["name"]) + # Delete all actions + for key in actions_id_list: + self.assertRaises( + AuthzException, + self.manager.del_action, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + AuthzException, + self.manager.del_action, + admin_subject_id, authz_ie_dict["id"], key) - actions = self.manager.add_action_dict(admin_user["id"], ref["id"], new_action["name"]) - self.assertIsInstance(actions, dict) - self.assertIn("action", actions) - self.assertIn("uuid", actions["action"]) - self.assertEqual(new_action["name"], actions["action"]["name"]) - new_action["id"] = actions["action"]["uuid"] - actions = self.manager.get_actions_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertIn(new_action["id"], actions["actions"]) + for key in actions_id_list: + self.assertRaises( + ActionsWriteNoAuthorized, + self.admin_manager.del_action, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + ActionsWriteNoAuthorized, + self.admin_manager.del_action, + admin_subject_id, authz_ie_dict["id"], key) def test_subject_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_subject_categories_dict, - demo_user["id"], ref["id"]) - - subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIsInstance(subject_categories["subject_categories"], dict) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - new_subject_categories = dict() - new_subject_categories[new_subject_category["id"]] = new_subject_category["name"] + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"} self.assertRaises( AuthzException, - self.manager.set_subject_category_dict, - demo_user["id"], ref["id"], new_subject_categories) - - subject_categories = self.manager.set_subject_category_dict(admin_user["id"], ref["id"], new_subject_categories) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertEqual(subject_categories["subject_categories"], new_subject_categories) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) + self.manager.add_subject_category, + demo_subject_id, admin_ie_dict["id"], new_subject_category) + + subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category) + _subject_categories = dict(subject_categories) + self.assertEqual(len(_subject_categories.keys()), 1) + new_subject_category["id"] = _subject_categories.keys()[0] + value = subject_categories[new_subject_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject_category["description"]) # Delete the new subject_category self.assertRaises( AuthzException, - self.manager.del_subject_category_dict, - demo_user["id"], ref["id"], new_subject_category["id"]) - - self.manager.del_subject_category(admin_user["id"], ref["id"], new_subject_category["id"]) - subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertNotIn(new_subject_category["id"], subject_categories["subject_categories"]) + self.manager.del_subject_category, + demo_subject_id, authz_ie_dict["id"], new_subject_category["id"]) - # Add a particular subject_category - self.assertRaises( - AuthzException, - self.manager.add_subject_category, - demo_user["id"], ref["id"], new_subject_category["name"]) - - subject_categories = self.manager.add_subject_category( - admin_user["id"], - ref["id"], - new_subject_category["name"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_category", subject_categories) - self.assertIn("uuid", subject_categories["subject_category"]) - self.assertEqual(new_subject_category["name"], subject_categories["subject_category"]["name"]) - new_subject_category["id"] = subject_categories["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) + self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject_category["name"], value["name"]) + self.assertIn("description", value) def test_object_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_object_category_dict, - demo_user["id"], ref["id"]) - - object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertIsInstance(object_categories["object_categories"], dict) - - new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"} - new_object_categories = dict() - new_object_categories[new_object_category["id"]] = new_object_category["name"] + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + new_object_category = {"name": "object_category_test", "description": "object_category_test"} self.assertRaises( AuthzException, - self.manager.set_object_category_dict, - demo_user["id"], ref["id"], new_object_categories) - - object_categories = self.manager.set_object_category_dict(admin_user["id"], ref["id"], new_object_categories) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertEqual(object_categories["object_categories"], new_object_categories) - self.assertIn(new_object_category["id"], object_categories["object_categories"]) + self.manager.add_object_category, + demo_subject_id, admin_ie_dict["id"], new_object_category) + + object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category) + _object_categories = dict(object_categories) + self.assertEqual(len(_object_categories.keys()), 1) + new_object_category["id"] = _object_categories.keys()[0] + value = object_categories[new_object_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_object_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_object_category["description"]) # Delete the new object_category self.assertRaises( AuthzException, self.manager.del_object_category, - demo_user["id"], ref["id"], new_object_category["id"]) - - self.manager.del_object_category(admin_user["id"], ref["id"], new_object_category["id"]) - object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertNotIn(new_object_category["id"], object_categories["object_categories"]) + demo_subject_id, authz_ie_dict["id"], new_object_category["id"]) - # Add a particular object_category - self.assertRaises( - AuthzException, - self.manager.add_object_category, - demo_user["id"], ref["id"], new_object_category["name"]) - - object_categories = self.manager.add_object_category( - admin_user["id"], - ref["id"], - new_object_category["name"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_category", object_categories) - self.assertIn("uuid", object_categories["object_category"]) - self.assertEqual(new_object_category["name"], object_categories["object_category"]["name"]) - new_object_category["id"] = object_categories["object_category"]["uuid"] - object_categories = self.manager.get_object_category_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertIn(new_object_category["id"], object_categories["object_categories"]) + self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"]) + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_object_category["name"], value["name"]) + self.assertIn("description", value) def test_action_categories(self): - admin_user = self.create_user() - demo_user = self.create_user("demo") - tenant = self.create_tenant() - ie_authz = self.create_intra_extension("policy_authz") - ie_admin = self.create_intra_extension("policy_admin") - mapping = self.create_mapping(tenant, ie_authz["id"], ie_admin["id"]) - ref = ie_authz - # admin_user = self.create_user("admin") - # ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_action_category_dict, - demo_user["id"], ref["id"]) - - action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertIsInstance(action_categories["action_categories"], dict) - - new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"} - new_action_categories = dict() - new_action_categories[new_action_category["id"]] = new_action_category["name"] - self.assertRaises( - AuthzException, - self.manager.set_action_category_dict, - demo_user["id"], ref["id"], new_action_categories) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) - action_categories = self.manager.set_action_category_dict(admin_user["id"], ref["id"], new_action_categories) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertEqual(action_categories["action_categories"], new_action_categories) - self.assertIn(new_action_category["id"], action_categories["action_categories"]) - - # Delete the new action_category + new_action_category = {"name": "action_category_test", "description": "action_category_test"} self.assertRaises( AuthzException, - self.manager.del_action_category_dict, - demo_user["id"], ref["id"], new_action_category["id"]) - - self.manager.del_action_category(admin_user["id"], ref["id"], new_action_category["id"]) - action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertNotIn(new_action_category["id"], action_categories["action_categories"]) + self.manager.add_action_category, + demo_subject_id, admin_ie_dict["id"], new_action_category) + + action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category) + _action_categories = dict(action_categories) + self.assertEqual(len(_action_categories.keys()), 1) + new_action_category["id"] = _action_categories.keys()[0] + value = action_categories[new_action_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_action_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_action_category["description"]) - # Add a particular action_category + # Delete the new action_category self.assertRaises( AuthzException, - self.manager.add_action_category, - demo_user["id"], ref["id"], new_action_category["name"]) + self.manager.del_action_category, + demo_subject_id, authz_ie_dict["id"], new_action_category["id"]) - action_categories = self.manager.add_action_category( - admin_user["id"], - ref["id"], - new_action_category["name"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_category", action_categories) - self.assertIn("uuid", action_categories["action_category"]) - self.assertEqual(new_action_category["name"], action_categories["action_category"]["name"]) - new_action_category["id"] = action_categories["action_category"]["uuid"] - action_categories = self.manager.get_action_category_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertIn(new_action_category["id"], action_categories["action_categories"]) + self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"]) + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_action_category["name"], value["name"]) + self.assertIn("description", value) def test_subject_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - subject_categories = self.manager.set_subject_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: admin_user["id"], - uuid.uuid4().hex: "dev", + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: - self.assertRaises( - AuthzException, - self.manager.get_subject_scopes_dict, - demo_user["id"], ref["id"], subject_category) + for subject_category_id in subject_categories: subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) + self.assertEqual({}, subject_category_scope) - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope" + new_subject_category_scope = { + "name": "france", + "description": "france", + } self.assertRaises( AuthzException, - self.manager.set_subject_scope_dict, - demo_user["id"], ref["id"], subject_category, new_subject_category_scope) + self.admin_manager.add_subject_scope_dict, + demo_subject_id, authz_ie_dict["id"], subject_category_id, new_subject_category_scope) - subject_category_scope = self.manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, + subject_category_scope = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, new_subject_category_scope) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) + self.assertEqual(len(subject_category_scope.keys()), 1) + subject_category_scope_id = subject_category_scope.keys()[0] + subject_category_scope_value = subject_category_scope[subject_category_scope_id] + self.assertIn("name", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"]) + self.assertIn("description", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"]) # Delete the new subject_category_scope self.assertRaises( AuthzException, - self.manager.del_subject_category_scope_dict, - demo_user["id"], ref["id"], subject_category, new_subject_category_scope_uuid) - - self.manager.del_subject_scope( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope_uuid) - subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) + self.admin_manager.del_subject_scope, + demo_subject_id, authz_ie_dict["id"], subject_category_id, subject_category_scope_id) + + self.admin_manager.del_subject_scope( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + subject_category_scope_id) + subject_category_scope = self.admin_manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) - - # Add a particular subject_category_scope - self.assertRaises( - AuthzException, - self.manager.add_subject_scope_dict, - demo_user["id"], ref["id"], subject_category, - new_subject_category_scope[new_subject_category_scope_uuid]) - - subject_category_scope = self.manager.add_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope[new_subject_category_scope_uuid]) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("uuid", subject_category_scope["subject_category_scope"]) - self.assertEqual(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"]["name"]) - subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) + self.assertNotIn(subject_category_scope_id, subject_category_scope.keys()) def test_object_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - object_categories = self.manager.set_object_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "id", - uuid.uuid4().hex: "domain", + "name": "country", + "description": "country", } ) - for object_category in object_categories["object_categories"]: - self.assertRaises( - AuthzException, - self.manager.get_object_scopes_dict, - demo_user["id"], ref["id"], object_category) + for object_category_id in object_categories: object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) + self.assertEqual({}, object_category_scope) - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope" + new_object_category_scope = { + "name": "france", + "description": "france", + } self.assertRaises( AuthzException, - self.manager.set_object_scope_dict, - demo_user["id"], ref["id"], object_category, new_object_category_scope) + self.admin_manager.add_object_scope_dict, + demo_subject_id, authz_ie_dict["id"], object_category_id, new_object_category_scope) - object_category_scope = self.manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, + object_category_scope = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, new_object_category_scope) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual(len(object_category_scope.keys()), 1) + object_category_scope_id = object_category_scope.keys()[0] + object_category_scope_value = object_category_scope[object_category_scope_id] + self.assertIn("name", object_category_scope_value) + self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"]) + self.assertIn("description", object_category_scope_value) + self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"]) # Delete the new object_category_scope self.assertRaises( AuthzException, - self.manager.del_object_category_scope_dict, - demo_user["id"], ref["id"], object_category, new_object_category_scope) - - self.manager.del_object_scope( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope_uuid) - object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"]) - - # Add a particular object_category_scope - self.assertRaises( - AuthzException, - self.manager.add_object_scope_dict, - demo_user["id"], ref["id"], object_category, - new_object_category_scope[new_object_category_scope_uuid] - ) - - object_category_scope = self.manager.add_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope[new_object_category_scope_uuid]) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("uuid", object_category_scope["object_category_scope"]) - self.assertEqual(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"]["name"]) - object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) + self.admin_manager.del_object_scope, + demo_subject_id, authz_ie_dict["id"], object_category_id, object_category_scope_id) + + self.admin_manager.del_object_scope( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + object_category_scope_id) + object_category_scope = self.admin_manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"]) + self.assertNotIn(object_category_scope_id, object_category_scope.keys()) def test_action_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - action_categories = self.manager.set_action_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "compute", - uuid.uuid4().hex: "identity", + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: - self.assertRaises( - AuthzException, - self.manager.get_object_scopes_dict, - demo_user["id"], ref["id"], action_category) + for action_category_id in action_categories: action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) + self.assertEqual({}, action_category_scope) - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope" + new_action_category_scope = { + "name": "get", + "description": "get swift files", + } self.assertRaises( AuthzException, - self.manager.set_action_scope_dict, - demo_user["id"], ref["id"], action_category, new_action_category_scope) + self.admin_manager.add_action_scope_dict, + demo_subject_id, authz_ie_dict["id"], action_category_id, new_action_category_scope) - action_category_scope = self.manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, + action_category_scope = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, new_action_category_scope) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual(len(action_category_scope.keys()), 1) + action_category_scope_id = action_category_scope.keys()[0] + action_category_scope_value = action_category_scope[action_category_scope_id] + self.assertIn("name", action_category_scope_value) + self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"]) + self.assertIn("description", action_category_scope_value) + self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"]) # Delete the new action_category_scope self.assertRaises( AuthzException, - self.manager.del_action_category_scope_dict, - demo_user["id"], ref["id"], action_category, - new_action_category_scope_uuid - ) - - self.manager.del_action_scope( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope_uuid) - action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"]) - - # Add a particular action_category_scope - self.assertRaises( - AuthzException, - self.manager.add_action_scope_dict, - demo_user["id"], ref["id"], action_category, - new_action_category_scope[new_action_category_scope_uuid] - ) - - action_category_scope = self.manager.add_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope[new_action_category_scope_uuid]) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("uuid", action_category_scope["action_category_scope"]) - self.assertEqual(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"]["name"]) - action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) + self.admin_manager.del_action_scope, + demo_subject_id, authz_ie_dict["id"], action_category_id, action_category_scope_id) + + self.admin_manager.del_action_scope( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + action_category_scope_id) + action_category_scope = self.admin_manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"]) + self.assertNotIn(action_category_scope_id, action_category_scope.keys()) def test_subject_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - new_subject = self.create_user() - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - subjects = self.manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects) - - new_subject_category_uuid = uuid.uuid4().hex - new_subject_category_value = "role" - subject_categories = self.manager.set_subject_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + admin_authz_subject_id, admin_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + demo_authz_subject_id, demo_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - new_subject_category_uuid: new_subject_category_value + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: + for subject_category_id in subject_categories: subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = admin_user["id"] - subject_category_scope = self.manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - new_subject_category_scope2 = dict() - new_subject_category_scope2_uuid = uuid.uuid4().hex - new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev" - subject_category_scope = self.manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope2) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) + self.assertEqual({}, subject_category_scope) - self.assertRaises( - AuthzException, - self.manager.get_subject_assignment_dict, - demo_user["id"], ref["id"], new_subject["id"]) + new_subject_category_scope_1 = { + "name": "france", + "description": "france", + } - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + subject_category_scope_1 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_1) + subject_category_scope_1_id = subject_category_scope_1.keys()[0] + + new_subject_category_scope_2 = { + "name": "china", + "description": "china", + } + + subject_category_scope_2 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_2) + subject_category_scope_2_id = subject_category_scope_2.keys()[0] + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, + subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, + subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) self.assertRaises( AuthzException, - self.manager.set_subject_assignment_dict, - demo_user["id"], ref["id"], new_subject["id"], - { - new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid], - } + self.manager.add_subject_assignment_list, + demo_subject_id, authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id ) - subject_category_assignments = self.manager.set_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"], - { - new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid], - } + self.assertRaises( + AuthzException, + self.manager.add_subject_assignment_list, + demo_subject_id, authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) - self.assertRaises( - AuthzException, - self.manager.del_subject_category_assignment_dict, - demo_user["id"], ref["id"], new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) - self.manager.del_subject_assignment( - admin_user["id"], - ref["id"], - new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope2_uuid, ]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_subject_assignment_list, - demo_user["id"], ref["id"], new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.admin_manager.del_subject_assignment, + demo_subject_id, authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - data = self.manager.add_subject_assignment_list( - admin_user["id"], - ref["id"], - new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.admin_manager.del_subject_assignment( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + self.assertRaises( + SubjectAssignmentUnknown, + self.admin_manager.del_subject_assignment, + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope2_uuid, new_subject_category_scope_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) def test_object_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - objects = self.manager.set_object_dict(admin_user["id"], ref["id"], new_objects) - - new_object_category_uuid = uuid.uuid4().hex - new_object_category_value = "role" - object_categories = self.manager.set_object_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + + object_vm1_id = None + object_vm2_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == 'vm1': + object_vm1_id = _object_id + if objects_dict[_object_id]['name'] == 'vm2': + object_vm2_id = _object_id + if not object_vm1_id or not object_vm2_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)") + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - new_object_category_uuid: new_object_category_value + "name": "location", + "description": "location", } ) - for object_category in object_categories["object_categories"]: + for object_category_id in object_categories: object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = admin_user["id"] - object_category_scope = self.manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) - - new_object_category_scope2 = dict() - new_object_category_scope2_uuid = uuid.uuid4().hex - new_object_category_scope2[new_object_category_scope2_uuid] = "dev" - object_category_scope = self.manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope2) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual({}, object_category_scope) - self.assertRaises( - AuthzException, - self.manager.get_object_assignment_list, - demo_user["id"], ref["id"], new_object["id"] + new_object_category_scope_1 = { + "name": "france", + "description": "france", + } + + object_category_scope_1 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_1) + object_category_scope_1_id = object_category_scope_1.keys()[0] + + new_object_category_scope_2 = { + "name": "china", + "description": "china", + } + + object_category_scope_2 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_2) + object_category_scope_2_id = object_category_scope_2.keys()[0] + + object_category_assignments = self.manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, + object_category_id ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, + object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) self.assertRaises( AuthzException, - self.manager.set_object_category_assignment_dict, - demo_user["id"], ref["id"], new_object["id"], - { - new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid], - } + self.manager.add_object_assignment_list, + demo_subject_id, authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id ) - object_category_assignments = self.manager.set_object_category_assignment_dict( - admin_user["id"], - ref["id"], - new_object["id"], - { - new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid], - } + self.assertRaises( + AuthzException, + self.manager.add_object_assignment_list, + demo_subject_id, authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) - object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) - self.assertRaises( - AuthzException, - self.manager.del_object_category_assignment_dict, - demo_user["id"], ref["id"], new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) - self.manager.del_object_assignment( - admin_user["id"], - ref["id"], - new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id ) - object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope2_uuid, ]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_object_assignment_list, - demo_user["id"], ref["id"], new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.admin_manager.del_object_assignment, + demo_subject_id, authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id ) - self.manager.add_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.admin_manager.del_object_assignment( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) - object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + self.assertRaises( + ObjectAssignmentUnknown, + self.admin_manager.del_object_assignment, + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope2_uuid, new_object_category_scope_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) def test_action_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - actions = self.manager.set_action_dict(admin_user["id"], ref["id"], new_actions) - - new_action_category_uuid = uuid.uuid4().hex - new_action_category_value = "role" - action_categories = self.manager.set_action_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + + action_upload_id = None + action_list_id = None + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] == 'upload': + action_upload_id = _action_id + if actions_dict[_action_id]['name'] == 'list': + action_list_id = _action_id + if not action_upload_id or not action_list_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)") + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - new_action_category_uuid: new_action_category_value + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: + for action_category_id in action_categories: action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = admin_user["id"] - action_category_scope = self.manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) - - new_action_category_scope2 = dict() - new_action_category_scope2_uuid = uuid.uuid4().hex - new_action_category_scope2[new_action_category_scope2_uuid] = "dev" - action_category_scope = self.manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope2) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual({}, action_category_scope) - self.assertRaises( - AuthzException, - self.manager.get_action_assignment_list, - demo_user["id"], ref["id"], new_action["id"] + new_action_category_scope_1 = { + "name": "swift_admin", + "description": "action require admin rights", + } + + action_category_scope_1 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_1) + action_category_scope_1_id = action_category_scope_1.keys()[0] + + new_action_category_scope_2 = { + "name": "swift_anonymous", + "description": "action require no right", + } + + action_category_scope_2 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_2) + action_category_scope_2_id = action_category_scope_2.keys()[0] + + action_category_assignments = self.manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, + action_category_id ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + admin_subject_id, + authz_ie_dict["id"], + action_list_id, + action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) self.assertRaises( AuthzException, - self.manager.set_action_assignment_dict, - demo_user["id"], ref["id"], new_action["id"], - { - new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid], - } + self.manager.add_action_assignment_list, + demo_subject_id, authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id ) - action_category_assignments = self.manager.set_action_assignment_dict( - admin_user["id"], - ref["id"], - new_action["id"], - { - new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid], - } + self.assertRaises( + AuthzException, + self.manager.add_action_assignment_list, + demo_subject_id, authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) - action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) - self.assertRaises( - AuthzException, - self.manager.del_action_category_assignment_dict, - demo_user["id"], ref["id"], new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) - self.manager.del_action_assignment( - admin_user["id"], - ref["id"], - new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id ) - action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope2_uuid, ]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_action_assignment_list, - demo_user["id"], ref["id"], new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.admin_manager.del_action_assignment, + demo_subject_id, authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id ) - self.manager.add_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.admin_manager.del_action_assignment( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) - action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + self.assertRaises( + ActionAssignmentUnknown, + self.admin_manager.del_action_assignment, + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope2_uuid, new_action_category_scope_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) def test_sub_meta_rules(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - aggregation_algorithms = self.manager.get_aggregation_algorithms(admin_user["id"], ref["id"]) - self.assertIsInstance(aggregation_algorithms, dict) - self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list) - self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"]) - self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"]) - - self.assertRaises( - AuthzException, - self.manager.get_aggregation_algorithm_dict, - demo_user["id"], ref["id"] - ) - - aggregation_algorithm = self.manager.get_aggregation_algorithm_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"]) - _aggregation_algorithm.remove(aggregation_algorithm["aggregation"]) - - self.assertRaises( - AuthzException, - self.manager.set_aggregation_algorithms, - demo_user["id"], ref["id"], _aggregation_algorithm[0] - ) - - aggregation_algorithm = self.manager.set_aggregation_algorithm_dict(admin_user["id"], ref["id"], _aggregation_algorithm[0]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - self.assertRaises( - AuthzException, - self.manager.get_sub_meta_rules_dict, - demo_user["id"], ref["id"] - ) - - sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in aggregation_algorithms.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + # TODO: need more tests on aggregation_algorithms (set and del) + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, ref["model"], "metarule.json"))) - metarule = dict() categories = { - "subject_categories": self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]), - "object_categories": self.manager.get_object_category_dict(admin_user["id"], ref["id"]), - "action_categories": self.manager.get_action_category_dict(admin_user["id"], ref["id"]) + "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]), + "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]), + "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) } - for relation in sub_meta_rules_conf["sub_meta_rules"]: - metarule[relation] = dict() - for item in ("subject_categories", "object_categories", "action_categories"): - metarule[relation][item] = list() - for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]: - metarule[relation][item].append(self.__get_key_from_value( - element, - categories[item][item] - )) - - for relation in sub_meta_rules["sub_meta_rules"]: - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - # Add a particular subject_category - data = self.manager.add_subject_category( - admin_user["id"], - ref["id"], - new_subject_category["name"]) - new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) - metarule[relation]["subject_categories"].append(new_subject_category["id"]) - - self.assertRaises( - AuthzException, - self.manager.get_sub_meta_rule_dict, - demo_user["id"], ref["id"], metarule - ) - - _sub_meta_rules = self.manager.get_sub_meta_rule_dict(admin_user["id"], ref["id"], metarule) - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - _sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) + for key, value in sub_meta_rules.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("action_categories", value) + self.assertIn("object_categories", value) + self.assertIn("subject_categories", value) + self.assertIn("algorithm", value) + self.assertIn("name", value) + for action_category_id in value["action_categories"]: + self.assertIn(action_category_id, categories["action_categories"]) + for object_category_id in value["object_categories"]: + self.assertIn(object_category_id, categories["object_categories"]) + for subject_category_id in value["subject_categories"]: + self.assertIn(subject_category_id, categories["subject_categories"]) + # TODO: need more tests (set and del) def test_sub_rules(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - self.assertRaises( - AuthzException, - self.manager.get_sub_rules, - demo_user["id"], ref["id"] - ) - - sub_rules = self.manager.get_sub_rules(admin_user["id"], ref["id"]) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + for relation_id in sub_meta_rules: + rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id) + rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \ + len(sub_meta_rules[relation_id]["object_categories"]) + \ + len(sub_meta_rules[relation_id]["action_categories"]) + 1 + for rule_id in rules: + self.assertEqual(rule_length, len(rules[rule_id])) + rule = list(rules[rule_id]) for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - admin_user["id"], - ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) a_scope = rule.pop(0) if type(a_scope) is not bool: - self.assertIn(a_scope, scope[func_name][cat_value]) - - # add a new subrule - - relation = sub_rules["rules"].keys()[0] - sub_rule = [] - for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), - ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: - scope = cat_func( - admin_user["id"], - ref["id"], - cat_value - ) - sub_rule.append(scope[func_name][cat_value].keys()[0]) - - sub_rule.append(True) - self.assertRaises( - AuthzException, - self.manager.set_sub_rules, - demo_user["id"], ref["id"], relation, sub_rule - ) + self.assertIn(a_scope, scope.keys()) + + # add a new subrule + + sub_rule = [] + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + sub_rule.append(scope.keys()[0]) + + sub_rule.append(False) + self.assertRaises( + AuthzException, + self.admin_manager.add_rule_dict, + demo_subject_id, authz_ie_dict["id"], relation_id, sub_rule + ) + + sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule) + self.assertIsInstance(sub_rules, dict) + self.assertIn(sub_rule, sub_rules.values()) - sub_rules = self.manager.set_sub_rule(admin_user["id"], ref["id"], relation, sub_rule) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - self.assertIn(sub_rule, sub_rules["rules"][relation]) - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + for rule_id, rule_value in sub_rules.iteritems(): for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - admin_user["id"], - ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) - a_scope = rule.pop(0) - self.assertIn(a_scope, scope[func_name][cat_value]) + a_scope = rule_value.pop(0) + self.assertIn(a_scope, scope.keys()) + # TODO: add test for the delete function diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py index 0e22a1b4..705aea8a 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py @@ -16,6 +16,7 @@ from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager, ADMIN_ID +from keystone.tests.moon.unit import * CONF = cfg.CONF @@ -31,15 +32,22 @@ IE = { "description": "a simple description." } -class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') +class TestIntraExtensionAuthzManagerAuthzOK(tests.TestCase): def setUp(self): self.useFixture(database.Database()) - super(TestIntraExtensionAuthzManagerAuthz, self).setUp() + super(TestIntraExtensionAuthzManagerAuthzOK, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) - self.manager = IntraExtensionAuthzManager() - self.admin_manager = IntraExtensionAdminManager() + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.authz_api + self.admin_manager = self.admin_api def __get_key_from_value(self, value, values_dict): return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0] @@ -48,11 +56,13 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): return { "moonlog_api": LogManager(), "tenant_api": TenantManager(), + "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), # "resource_api": resource.Manager(), } def config_overrides(self): - super(TestIntraExtensionAuthzManagerAuthz, self).config_overrides() + super(TestIntraExtensionAuthzManagerAuthzOK, self).config_overrides() self.policy_directory = 'examples/moon/policies' self.config_fixture.config( group='moon', @@ -61,37 +71,942 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): group='moon', policy_directory=self.policy_directory) - def create_tenant(self): - tenant = { - "id": uuid.uuid4().hex, - "name": "TestIntraExtensionAuthzManager", - "enabled": True, - "description": "", - "domain_id": "default" + def delete_admin_intra_extension(self): + self.manager.del_intra_extension(self.ref["id"]) + + def test_subjects(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(subjects, dict) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + self.assertIn("keystone_name", value) + self.assertIn("keystone_id", value) + + create_user(self, "subject_test") + new_subject = {"name": "subject_test", "description": "subject_test"} + + subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject) + _subjects = dict(subjects) + self.assertEqual(len(_subjects.keys()), 1) + new_subject["id"] = _subjects.keys()[0] + value = subjects[new_subject["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject["description"]) + + # Delete the new subject + self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"]) + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject["name"], value["name"]) + self.assertIn("description", value) + + def test_objects(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + objects_id_list = [] + self.assertIsInstance(objects, dict) + for key, value in objects.iteritems(): + objects_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + def test_actions(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + actions_id_list = [] + self.assertIsInstance(actions, dict) + for key, value in actions.iteritems(): + actions_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + def test_subject_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(subject_categories, dict) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"} + + subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category) + _subject_categories = dict(subject_categories) + self.assertEqual(len(_subject_categories.keys()), 1) + new_subject_category["id"] = _subject_categories.keys()[0] + value = subject_categories[new_subject_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject_category["description"]) + + # Delete the new subject_category + self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject_category["name"], value["name"]) + self.assertIn("description", value) + + def test_object_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(object_categories, dict) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_object_category = {"name": "object_category_test", "description": "object_category_test"} + + object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category) + _object_categories = dict(object_categories) + self.assertEqual(len(_object_categories.keys()), 1) + new_object_category["id"] = _object_categories.keys()[0] + value = object_categories[new_object_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_object_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_object_category["description"]) + + # Delete the new object_category + + self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"]) + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_object_category["name"], value["name"]) + self.assertIn("description", value) + + def test_action_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(action_categories, dict) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_action_category = {"name": "action_category_test", "description": "action_category_test"} + + action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category) + _action_categories = dict(action_categories) + self.assertEqual(len(_action_categories.keys()), 1) + new_action_category["id"] = _action_categories.keys()[0] + value = action_categories[new_action_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_action_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_action_category["description"]) + + # Delete the new action_category + + self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"]) + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_action_category["name"], value["name"]) + self.assertIn("description", value) + + def test_subject_category_scope(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "country", + "description": "country", + } + ) + + for subject_category_id in subject_categories: + + subject_category_scope = self.manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) + self.assertIsInstance(subject_category_scope, dict) + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope = { + "name": "france", + "description": "france", + } + + subject_category_scope = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope) + self.assertIsInstance(subject_category_scope, dict) + self.assertEqual(len(subject_category_scope.keys()), 1) + subject_category_scope_id = subject_category_scope.keys()[0] + subject_category_scope_value = subject_category_scope[subject_category_scope_id] + self.assertIn("name", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"]) + self.assertIn("description", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"]) + + # Delete the new subject_category_scope + + self.admin_manager.del_subject_scope( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + subject_category_scope_id) + subject_category_scope = self.admin_manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) + self.assertIsInstance(subject_category_scope, dict) + self.assertNotIn(subject_category_scope_id, subject_category_scope.keys()) + + def test_object_category_scope(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "country", + "description": "country", + } + ) + + for object_category_id in object_categories: + + object_category_scope = self.manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) + self.assertIsInstance(object_category_scope, dict) + self.assertEqual({}, object_category_scope) + + new_object_category_scope = { + "name": "france", + "description": "france", + } + + object_category_scope = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope) + self.assertIsInstance(object_category_scope, dict) + self.assertEqual(len(object_category_scope.keys()), 1) + object_category_scope_id = object_category_scope.keys()[0] + object_category_scope_value = object_category_scope[object_category_scope_id] + self.assertIn("name", object_category_scope_value) + self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"]) + self.assertIn("description", object_category_scope_value) + self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"]) + + # Delete the new object_category_scope + + self.admin_manager.del_object_scope( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + object_category_scope_id) + object_category_scope = self.admin_manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) + self.assertIsInstance(object_category_scope, dict) + self.assertNotIn(object_category_scope_id, object_category_scope.keys()) + + def test_action_category_scope(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "swift", + "description": "swift actions", + } + ) + + for action_category_id in action_categories: + + action_category_scope = self.manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) + self.assertIsInstance(action_category_scope, dict) + self.assertEqual({}, action_category_scope) + + new_action_category_scope = { + "name": "get", + "description": "get swift files", + } + + action_category_scope = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope) + self.assertIsInstance(action_category_scope, dict) + self.assertEqual(len(action_category_scope.keys()), 1) + action_category_scope_id = action_category_scope.keys()[0] + action_category_scope_value = action_category_scope[action_category_scope_id] + self.assertIn("name", action_category_scope_value) + self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"]) + self.assertIn("description", action_category_scope_value) + self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"]) + + # Delete the new action_category_scope + + self.admin_manager.del_action_scope( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + action_category_scope_id) + action_category_scope = self.admin_manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) + self.assertIsInstance(action_category_scope, dict) + self.assertNotIn(action_category_scope_id, action_category_scope.keys()) + + def test_subject_category_assignment(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + admin_authz_subject_id, admin_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + demo_authz_subject_id, demo_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "country", + "description": "country", + } + ) + + for subject_category_id in subject_categories: + subject_category_scope = self.manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) + self.assertIsInstance(subject_category_scope, dict) + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope_1 = { + "name": "france", + "description": "france", + } + + subject_category_scope_1 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_1) + subject_category_scope_1_id = subject_category_scope_1.keys()[0] + + new_subject_category_scope_2 = { + "name": "china", + "description": "china", + } + + subject_category_scope_2 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_2) + subject_category_scope_2_id = subject_category_scope_2.keys()[0] + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, + subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, + subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id + ) + self.assertIsInstance(subject_category_assignments, list) + + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) + + self.admin_manager.del_subject_assignment( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + def test_object_category_assignment(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + + object_vm1_id = None + object_vm2_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == 'vm1': + object_vm1_id = _object_id + if objects_dict[_object_id]['name'] == 'vm2': + object_vm2_id = _object_id + if not object_vm1_id or not object_vm2_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)") + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "location", + "description": "location", + } + ) + + for object_category_id in object_categories: + object_category_scope = self.manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) + self.assertIsInstance(object_category_scope, dict) + self.assertEqual({}, object_category_scope) + + new_object_category_scope_1 = { + "name": "france", + "description": "france", + } + + object_category_scope_1 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_1) + object_category_scope_1_id = object_category_scope_1.keys()[0] + + new_object_category_scope_2 = { + "name": "china", + "description": "china", + } + + object_category_scope_2 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_2) + object_category_scope_2_id = object_category_scope_2.keys()[0] + + object_category_assignments = self.manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, + object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + + object_category_assignments = self.manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, + object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id + ) + self.assertIsInstance(object_category_assignments, list) + + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) + + self.admin_manager.del_object_assignment( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + def test_action_category_assignment(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + + action_upload_id = None + action_list_id = None + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] == 'upload': + action_upload_id = _action_id + if actions_dict[_action_id]['name'] == 'list': + action_list_id = _action_id + if not action_upload_id or not action_list_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)") + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "swift", + "description": "swift actions", + } + ) + + for action_category_id in action_categories: + action_category_scope = self.manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) + self.assertIsInstance(action_category_scope, dict) + self.assertEqual({}, action_category_scope) + + new_action_category_scope_1 = { + "name": "swift_admin", + "description": "action require admin rights", + } + + action_category_scope_1 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_1) + action_category_scope_1_id = action_category_scope_1.keys()[0] + + new_action_category_scope_2 = { + "name": "swift_anonymous", + "description": "action require no right", + } + + action_category_scope_2 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_2) + action_category_scope_2_id = action_category_scope_2.keys()[0] + + action_category_assignments = self.manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, + action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + + action_category_assignments = self.manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, + action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id + ) + self.assertIsInstance(action_category_assignments, list) + + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + self.admin_manager.del_action_assignment( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) + + def test_sub_meta_rules(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in aggregation_algorithms.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + # TODO: need more tests on aggregation_algorithms (set and del) + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(sub_meta_rules, dict) + categories = { + "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]), + "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]), + "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) } - return self.resource_api.create_project(tenant["id"], tenant) + for key, value in sub_meta_rules.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("action_categories", value) + self.assertIn("object_categories", value) + self.assertIn("subject_categories", value) + self.assertIn("algorithm", value) + self.assertIn("name", value) + for action_category_id in value["action_categories"]: + self.assertIn(action_category_id, categories["action_categories"]) + for object_category_id in value["object_categories"]: + self.assertIn(object_category_id, categories["object_categories"]) + for subject_category_id in value["subject_categories"]: + self.assertIn(subject_category_id, categories["subject_categories"]) + # TODO: need more tests (set and del) - def create_mapping(self, tenant, authz_uuid=None, admin_uuid=None): + def test_sub_rules(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(sub_meta_rules, dict) + + for relation_id in sub_meta_rules: + rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id) + rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \ + len(sub_meta_rules[relation_id]["object_categories"]) + \ + len(sub_meta_rules[relation_id]["action_categories"]) + 1 + for rule_id in rules: + self.assertEqual(rule_length, len(rules[rule_id])) + rule = list(rules[rule_id]) + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + a_scope = rule.pop(0) + if type(a_scope) is not bool: + self.assertIn(a_scope, scope.keys()) + + # add a new subrule + + sub_rule = [] + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + sub_rule.append(scope.keys()[0]) + + sub_rule.append(False) + + sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule) + self.assertIsInstance(sub_rules, dict) + self.assertIn(sub_rule, sub_rules.values()) + + for rule_id, rule_value in sub_rules.iteritems(): + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + a_scope = rule_value.pop(0) + self.assertIn(a_scope, scope.keys()) + + # TODO: add test for the delete function - mapping = self.tenant_api.set_tenant_dict(tenant["id"], tenant["name"], authz_uuid, admin_uuid) - self.assertIsInstance(mapping, dict) - self.assertIn("authz", mapping) - self.assertEqual(mapping["authz"], authz_uuid) - return mapping - def create_user(self, username="admin"): +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') +class TestIntraExtensionAuthzManagerAuthzKO(tests.TestCase): + + def setUp(self): + self.useFixture(database.Database()) + super(TestIntraExtensionAuthzManagerAuthzKO, self).setUp() + self.load_backends() + self.load_fixtures(default_fixtures) + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.authz_api + self.admin_manager = self.admin_api - _USER = dict(USER) - _USER["name"] = username - return self.identity_api.create_user(_USER) + def __get_key_from_value(self, value, values_dict): + return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0] - def create_intra_extension(self, policy_model="policy_authz"): + def load_extra_backends(self): + return { + "moonlog_api": LogManager(), + "tenant_api": TenantManager(), + "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), + # "resource_api": resource.Manager(), + } - IE["model"] = policy_model - IE["name"] = uuid.uuid4().hex - ref = self.admin_manager.load_intra_extension_dict(ADMIN_ID, intra_extension_dict=IE) - self.assertIsInstance(ref, dict) - return ref + def config_overrides(self): + super(TestIntraExtensionAuthzManagerAuthzKO, self).config_overrides() + self.policy_directory = 'examples/moon/policies' + self.config_fixture.config( + group='moon', + intraextension_driver='keystone.contrib.moon.backends.sql.IntraExtensionConnector') + self.config_fixture.config( + group='moon', + policy_directory=self.policy_directory) def test_tenant_exceptions(self): self.assertRaises( @@ -142,137 +1057,149 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): def test_authz_exceptions(self): self.assertRaises( - IntraExtensionUnknown, + TenantUnknown, self.manager.authz, uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex ) - admin_user = self.create_user() - tenant = self.create_tenant() - ie_authz = self.create_intra_extension("policy_authz") - ie_admin = self.create_intra_extension("policy_admin") - mapping = self.create_mapping(tenant, ie_authz["id"], ie_admin["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() # Test when subject is unknown self.assertRaises( - AuthzException, + SubjectUnknown, self.manager.authz, - ie_authz["id"], uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex + tenant["name"], uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex ) # Test when subject is known but not the object - demo_user = self.create_user("demo") - self.manager.add_subject_dict( - admin_user['id'], - self.ref["id"], - demo_user["id"] - ) + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + # self.manager.add_subject_dict( + # admin_subject_id, + # ie_authz["id"], + # demo_user["id"] + # ) self.assertRaises( - AuthzException, + ObjectUnknown, self.manager.authz, - ie_authz["id"], demo_user["id"], uuid.uuid4().hex, uuid.uuid4().hex + tenant["name"], demo_subject_dict["name"], uuid.uuid4().hex, uuid.uuid4().hex ) # Test when subject and object are known but not the action + my_object = {"name": "my_object", "description": "my_object description"} _tmp = self.manager.add_object_dict( - admin_user['id'], - self.ref["id"], - "my_object" - ).items()[0] - my_object = {"id": _tmp[0], "name": _tmp[1]} + admin_subject_id, + authz_ie_dict["id"], + my_object + ) + my_object["id"] = _tmp.keys()[0] self.assertRaises( - AuthzException, + ActionUnknown, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], uuid.uuid4().hex + tenant["name"], demo_subject_dict["name"], my_object["name"], uuid.uuid4().hex ) # Test when subject and object and action are known + my_action = {"name": "my_action", "description": "my_action description"} _tmp = self.manager.add_action_dict( - admin_user['id'], - self.ref["id"], - "my_action" - ).items()[0] - my_action = {"id": _tmp[0], "name": _tmp[1]} + admin_subject_id, + authz_ie_dict["id"], + my_action + ) + my_action["id"] = _tmp.keys()[0] self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add a subject scope and test ObjectCategoryAssignmentOutOfScope + my_subject_category = {"name": "my_subject_category", "description": "my_subject_category description"} _tmp = self.manager.add_subject_category( - admin_user['id'], - self.ref["id"], - "my_subject_category" + admin_subject_id, + authz_ie_dict["id"], + my_subject_category ) - my_subject_category = {"id": _tmp[0], "name": _tmp[1]} + my_subject_category["id"] = _tmp.keys()[0] + my_subject_scope = {"name": "my_subject_scope", "description": "my_subject_scope description"} _tmp = self.manager.add_subject_scope_dict( - admin_user['id'], - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], my_subject_category["id"], - "my_subject_scope", + my_subject_scope ) - my_subject_scope = {"id": _tmp[0], "name": _tmp[1]} + my_subject_scope["id"] = _tmp.keys()[0] self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add an object scope and test ActionCategoryAssignmentOutOfScope + my_object_category = {"name": "my_object_category", "description": "my_object_category description"} _tmp = self.manager.add_object_category( - admin_user['id'], - self.ref["id"], - "my_object_category" + admin_subject_id, + authz_ie_dict["id"], + my_object_category ) - my_object_category = {"id": _tmp[0], "name": _tmp[1]} + my_object_category["id"] = _tmp.keys()[0] + my_object_scope = {"name": "my_object_scope", "description": "my_object_scope description"} _tmp = self.manager.add_object_scope_dict( - admin_user['id'], - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], my_object_category["id"], - "my_object_scope", + my_object_scope ) - my_object_scope = {"id": _tmp[0], "name": _tmp[1]} + my_object_scope["id"] = _tmp.keys()[0] self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add an action scope and test SubjectCategoryAssignmentUnknown + my_action_category = {"name": "my_action_category", "description": "my_action_category description"} _tmp = self.manager.add_action_category( - admin_user['id'], - self.ref["id"], - "my_action_category" + admin_subject_id, + authz_ie_dict["id"], + my_action_category ) - my_action_category = {"id": _tmp[0], "name": _tmp[1]} + my_action_category["id"] = _tmp.keys()[0] + my_action_scope = {"name": "my_action_scope", "description": "my_action_scope description"} _tmp = self.manager.add_action_scope_dict( - admin_user['id'], - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], my_action_category["id"], - "my_action_scope", + my_action_scope ) - my_action_scope = {"id": _tmp[0], "name": _tmp[1]} + my_action_scope["id"] = _tmp.keys()[0] self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add a subject assignment and test ObjectCategoryAssignmentUnknown self.manager.add_subject_assignment_list( - admin_user['id'], - self.ref["id"], - demo_user["id"], + admin_subject_id, + authz_ie_dict["id"], + demo_subject_id, my_subject_category["id"], my_subject_scope["id"] ) @@ -280,14 +1207,14 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add an object assignment and test ActionCategoryAssignmentUnknown self.manager.add_object_assignment_list( - admin_user['id'], - self.ref["id"], - demo_user["id"], + admin_subject_id, + authz_ie_dict["id"], + my_object["id"], my_object_category["id"], my_object_scope["id"] ) @@ -295,14 +1222,14 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add an action assignment and test RuleUnknown self.manager.add_action_assignment_list( - admin_user['id'], - self.ref["id"], - demo_user["id"], + admin_subject_id, + authz_ie_dict["id"], + my_action["id"], my_action_category["id"], my_action_scope["id"] ) @@ -310,828 +1237,1172 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], admin_subject_dict["name"], my_object["name"], my_action["name"] ) # Add the correct rule and test that no exception is raised my_meta_rule = { - "relation_super": { - "subject_categories": [my_subject_category["id"], ], - "action_categories": [my_object_category["id"], ], - "object_categories": [my_action_category["id"], ], - "relation": "relation_super" - } + "name": "my_meta_rule", + "algorithm": "test", + "subject_categories": [my_subject_category["id"], ], + "action_categories": [my_action_category["id"], ], + "object_categories": [my_object_category["id"], ] } - self.manager.get_sub_meta_rule_dict( - admin_user['id'], - self.ref["id"], + print("my_meta_rule", my_meta_rule) + sub_meta_rules_dict = self.manager.get_sub_meta_rules_dict( + admin_subject_id, + authz_ie_dict["id"] + ) + + self.assertRaises( + SubMetaRuleAlgorithmNotExisting, + self.manager.add_sub_meta_rule_dict, + admin_subject_id, + authz_ie_dict["id"], my_meta_rule ) - self.manager.set_sub_rule( - admin_user['id'], - self.ref["id"], - "relation_super", - [my_subject_scope, my_object_scope, my_action_scope] + + # TODO: the next request should be called with demo_subject_id + # but the demo user has no right in the root intra_extension + algorithms = self.configuration_api.get_sub_meta_rule_algorithms_dict(admin_subject_id) + for algorithm_id in algorithms: + if algorithms[algorithm_id]["name"] == "inclusion": + my_meta_rule["algorithm"] = algorithm_id + + sub_meta_rule = self.manager.add_sub_meta_rule_dict( + admin_subject_id, + authz_ie_dict["id"], + my_meta_rule ) + sub_meta_rule_id, sub_meta_rule_dict = sub_meta_rule.iteritems().next() - result = self.manager.authz(ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]) + rule = self.manager.add_rule_dict( + admin_subject_id, + authz_ie_dict["id"], + sub_meta_rule_id, + [my_subject_scope["id"], my_action_scope["id"], my_object_scope["id"], True] + ) + + self.assertRaises( + AuthzException, + self.manager.authz, + tenant["name"], admin_subject_dict["name"], my_object["name"], my_action["name"] + ) + + result = self.manager.authz(tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"]) self.assertEqual(True, result) def test_subjects(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - subjects = self.manager.get_subjects_dict(admin_user["id"], tenant["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertIsInstance(subjects["subjects"], dict) - - new_subject = self.create_user("my_user") - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + self.assertIn("keystone_name", value) + self.assertIn("keystone_id", value) + + create_user(self, "subject_test") + new_subject = {"name": "subject_test", "description": "subject_test"} self.assertRaises( AuthzException, - self.manager.set_subject_dict, - admin_user["id"], ref["id"], new_subjects) + self.manager.add_subject_dict, + demo_subject_id, admin_ie_dict["id"], new_subject) + + subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject) + _subjects = dict(subjects) + self.assertEqual(len(_subjects.keys()), 1) + new_subject["id"] = _subjects.keys()[0] + value = subjects[new_subject["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject["description"]) # Delete the new subject self.assertRaises( AuthzException, self.manager.del_subject, - admin_user["id"], ref["id"], new_subject["id"]) + demo_subject_id, authz_ie_dict["id"], new_subject["id"]) - # Add a particular subject - self.assertRaises( - AuthzException, - self.manager.add_subject_dict, - admin_user["id"], ref["id"], new_subject["id"]) + self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"]) + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject["name"], value["name"]) + self.assertIn("description", value) def test_objects(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - objects = self.manager.get_objects_dict(admin_user["id"], tenant["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + objects_id_list = [] self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertIsInstance(objects["objects"], dict) - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] + for key, value in objects.iteritems(): + objects_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + create_user(self, "subject_test") + new_object = {"name": "object_test", "description": "object_test"} self.assertRaises( AuthzException, - self.manager.set_object_dict, - admin_user["id"], ref["id"], new_object["id"]) + self.manager.add_object_dict, + demo_subject_id, admin_ie_dict["id"], new_object) - # Delete the new object self.assertRaises( - AuthzException, - self.manager.del_object, - admin_user["id"], ref["id"], new_object["id"]) + ObjectsWriteNoAuthorized, + self.admin_manager.add_object_dict, + admin_subject_id, authz_ie_dict["id"], new_object + ) - # Add a particular object - self.assertRaises( - AuthzException, - self.manager.add_object_dict, - admin_user["id"], ref["id"], new_object["name"]) + # Delete the new object + for key in objects_id_list: + self.assertRaises( + AuthzException, + self.manager.del_object, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + AuthzException, + self.manager.del_object, + admin_subject_id, authz_ie_dict["id"], key) - def test_actions(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) + for key in objects_id_list: + self.assertRaises( + ObjectsWriteNoAuthorized, + self.admin_manager.del_object, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + ObjectsWriteNoAuthorized, + self.admin_manager.del_object, + admin_subject_id, authz_ie_dict["id"], key) - actions = self.manager.get_actions_dict(admin_user["id"], tenant["id"]) + def test_actions(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + actions_id_list = [] self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertIsInstance(actions["actions"], dict) - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] + for key, value in actions.iteritems(): + actions_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + create_user(self, "subject_test") + new_action = {"name": "action_test", "description": "action_test"} self.assertRaises( AuthzException, - self.manager.set_action_dict, - admin_user["id"], ref["id"], new_actions) + self.manager.add_action_dict, + demo_subject_id, admin_ie_dict["id"], new_action) - # Delete the new action self.assertRaises( - AuthzException, - self.manager.del_action, - admin_user["id"], ref["id"], new_action["id"]) + ActionsWriteNoAuthorized, + self.admin_manager.add_action_dict, + admin_subject_id, authz_ie_dict["id"], new_action + ) - # Add a particular action - self.assertRaises( - AuthzException, - self.manager.add_action_dict, - admin_user["id"], ref["id"], new_action["id"]) + # Delete all actions + for key in actions_id_list: + self.assertRaises( + AuthzException, + self.manager.del_action, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + AuthzException, + self.manager.del_action, + admin_subject_id, authz_ie_dict["id"], key) - def test_subject_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) + for key in actions_id_list: + self.assertRaises( + ActionsWriteNoAuthorized, + self.admin_manager.del_action, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + ActionsWriteNoAuthorized, + self.admin_manager.del_action, + admin_subject_id, authz_ie_dict["id"], key) - subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) + def test_subject_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIsInstance(subject_categories["subject_categories"], dict) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - new_subject_categories = dict() - new_subject_categories[new_subject_category["id"]] = new_subject_category["name"] + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"} self.assertRaises( AuthzException, - self.manager.set_subject_category_dict, - admin_user["id"], ref["id"], new_subject_categories) + self.manager.add_subject_category, + demo_subject_id, admin_ie_dict["id"], new_subject_category) + + subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category) + _subject_categories = dict(subject_categories) + self.assertEqual(len(_subject_categories.keys()), 1) + new_subject_category["id"] = _subject_categories.keys()[0] + value = subject_categories[new_subject_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject_category["description"]) # Delete the new subject_category self.assertRaises( AuthzException, self.manager.del_subject_category, - admin_user["id"], ref["id"], new_subject_category["id"]) + demo_subject_id, authz_ie_dict["id"], new_subject_category["id"]) - # Add a particular subject_category - self.assertRaises( - AuthzException, - self.manager.add_subject_category, - admin_user["id"], ref["id"], new_subject_category["name"]) + self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject_category["name"], value["name"]) + self.assertIn("description", value) def test_object_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertIsInstance(object_categories["object_categories"], dict) - - new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"} - new_object_categories = dict() - new_object_categories[new_object_category["id"]] = new_object_category["name"] + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_object_category = {"name": "object_category_test", "description": "object_category_test"} self.assertRaises( AuthzException, - self.manager.set_object_category_dict, - admin_user["id"], ref["id"], new_object_categories) + self.manager.add_object_category, + demo_subject_id, admin_ie_dict["id"], new_object_category) + + object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category) + _object_categories = dict(object_categories) + self.assertEqual(len(_object_categories.keys()), 1) + new_object_category["id"] = _object_categories.keys()[0] + value = object_categories[new_object_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_object_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_object_category["description"]) # Delete the new object_category self.assertRaises( AuthzException, self.manager.del_object_category, - admin_user["id"], ref["id"], new_object_category["id"]) + demo_subject_id, authz_ie_dict["id"], new_object_category["id"]) - # Add a particular object_category - self.assertRaises( - AuthzException, - self.manager.add_object_category, - admin_user["id"], ref["id"], new_object_category["name"]) + self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"]) + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_object_category["name"], value["name"]) + self.assertIn("description", value) def test_action_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertIsInstance(action_categories["action_categories"], dict) - - new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"} - new_action_categories = dict() - new_action_categories[new_action_category["id"]] = new_action_category["name"] + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_action_category = {"name": "action_category_test", "description": "action_category_test"} self.assertRaises( AuthzException, - self.manager.set_action_category_dict, - admin_user["id"], ref["id"], new_action_categories) + self.manager.add_action_category, + demo_subject_id, admin_ie_dict["id"], new_action_category) + + action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category) + _action_categories = dict(action_categories) + self.assertEqual(len(_action_categories.keys()), 1) + new_action_category["id"] = _action_categories.keys()[0] + value = action_categories[new_action_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_action_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_action_category["description"]) # Delete the new action_category self.assertRaises( AuthzException, self.manager.del_action_category, - admin_user["id"], ref["id"], new_action_category["id"]) + demo_subject_id, authz_ie_dict["id"], new_action_category["id"]) - # Add a particular action_category - self.assertRaises( - AuthzException, - self.manager.add_action_category, - admin_user["id"], ref["id"], new_action_category["name"]) + self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"]) + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_action_category["name"], value["name"]) + self.assertIn("description", value) def test_subject_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - subject_categories = self.admin_manager.set_subject_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: admin_user["id"], - uuid.uuid4().hex: "dev", + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: + for subject_category_id in subject_categories: + subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope" - self.assertRaises( - AuthzException, - self.manager.set_subject_scope_dict, - admin_user["id"], ref["id"], subject_category, new_subject_category_scope) + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope = { + "name": "france", + "description": "france", + } - # Delete the new subject_category_scope self.assertRaises( AuthzException, - self.manager.del_subject_scope, - admin_user["id"], ref["id"], subject_category, new_subject_category_scope_uuid) + self.admin_manager.add_subject_scope_dict, + demo_subject_id, authz_ie_dict["id"], subject_category_id, new_subject_category_scope) - # Add a particular subject_category_scope + subject_category_scope = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope) + self.assertIsInstance(subject_category_scope, dict) + self.assertEqual(len(subject_category_scope.keys()), 1) + subject_category_scope_id = subject_category_scope.keys()[0] + subject_category_scope_value = subject_category_scope[subject_category_scope_id] + self.assertIn("name", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"]) + self.assertIn("description", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"]) + + # Delete the new subject_category_scope self.assertRaises( AuthzException, - self.manager.add_subject_scope_dict, - admin_user["id"], ref["id"], subject_category, new_subject_category_scope[new_subject_category_scope_uuid]) + self.admin_manager.del_subject_scope, + demo_subject_id, authz_ie_dict["id"], subject_category_id, subject_category_scope_id) + + self.admin_manager.del_subject_scope( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + subject_category_scope_id) + subject_category_scope = self.admin_manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) + self.assertIsInstance(subject_category_scope, dict) + self.assertNotIn(subject_category_scope_id, subject_category_scope.keys()) def test_object_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - object_categories = self.admin_manager.set_object_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "id", - uuid.uuid4().hex: "domain", + "name": "country", + "description": "country", } ) - for object_category in object_categories["object_categories"]: + for object_category_id in object_categories: + object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope" - self.assertRaises( - AuthzException, - self.manager.set_object_scope_dict, - admin_user["id"], ref["id"], object_category, new_object_category_scope) + self.assertEqual({}, object_category_scope) + + new_object_category_scope = { + "name": "france", + "description": "france", + } - # Delete the new object_category_scope self.assertRaises( AuthzException, - self.manager.del_object_scope, - admin_user["id"], ref["id"], object_category, new_object_category_scope_uuid) + self.admin_manager.add_object_scope_dict, + demo_subject_id, authz_ie_dict["id"], object_category_id, new_object_category_scope) + + object_category_scope = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope) + self.assertIsInstance(object_category_scope, dict) + self.assertEqual(len(object_category_scope.keys()), 1) + object_category_scope_id = object_category_scope.keys()[0] + object_category_scope_value = object_category_scope[object_category_scope_id] + self.assertIn("name", object_category_scope_value) + self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"]) + self.assertIn("description", object_category_scope_value) + self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"]) - # Add a particular object_category_scope + # Delete the new object_category_scope self.assertRaises( AuthzException, - self.manager.add_object_scope_dict, - admin_user["id"], ref["id"], object_category, new_object_category_scope[new_object_category_scope_uuid]) + self.admin_manager.del_object_scope, + demo_subject_id, authz_ie_dict["id"], object_category_id, object_category_scope_id) + + self.admin_manager.del_object_scope( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + object_category_scope_id) + object_category_scope = self.admin_manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) + self.assertIsInstance(object_category_scope, dict) + self.assertNotIn(object_category_scope_id, object_category_scope.keys()) def test_action_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - action_categories = self.admin_manager.set_action_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "compute", - uuid.uuid4().hex: "identity", + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: + for action_category_id in action_categories: + action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope" - self.assertRaises( - AuthzException, - self.manager.set_action_scope_dict, - admin_user["id"], ref["id"], action_category, new_action_category_scope) + self.assertEqual({}, action_category_scope) + + new_action_category_scope = { + "name": "get", + "description": "get swift files", + } - # Delete the new action_category_scope self.assertRaises( AuthzException, - self.manager.del_action_scope, - admin_user["id"], ref["id"], action_category, new_action_category_scope_uuid) + self.admin_manager.add_action_scope_dict, + demo_subject_id, authz_ie_dict["id"], action_category_id, new_action_category_scope) - # Add a particular action_category_scope + action_category_scope = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope) + self.assertIsInstance(action_category_scope, dict) + self.assertEqual(len(action_category_scope.keys()), 1) + action_category_scope_id = action_category_scope.keys()[0] + action_category_scope_value = action_category_scope[action_category_scope_id] + self.assertIn("name", action_category_scope_value) + self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"]) + self.assertIn("description", action_category_scope_value) + self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"]) + + # Delete the new action_category_scope self.assertRaises( AuthzException, - self.manager.add_action_scope_dict, - admin_user["id"], ref["id"], action_category, new_action_category_scope[new_action_category_scope_uuid]) + self.admin_manager.del_action_scope, + demo_subject_id, authz_ie_dict["id"], action_category_id, action_category_scope_id) + + self.admin_manager.del_action_scope( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + action_category_scope_id) + action_category_scope = self.admin_manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) + self.assertIsInstance(action_category_scope, dict) + self.assertNotIn(action_category_scope_id, action_category_scope.keys()) def test_subject_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - new_subject = self.create_user() - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - subjects = self.admin_manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects) - - new_subject_category_uuid = uuid.uuid4().hex - new_subject_category_value = "role" - subject_categories = self.admin_manager.set_subject_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + admin_authz_subject_id, admin_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + demo_authz_subject_id, demo_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - new_subject_category_uuid: new_subject_category_value + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: - subject_category_scope = self.admin_manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = admin_user["id"] - subject_category_scope = self.admin_manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - new_subject_category_scope2 = dict() - new_subject_category_scope2_uuid = uuid.uuid4().hex - new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev" - subject_category_scope = self.admin_manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope2) + for subject_category_id in subject_categories: + subject_category_scope = self.manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope_1 = { + "name": "france", + "description": "france", + } + + subject_category_scope_1 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_1) + subject_category_scope_1_id = subject_category_scope_1.keys()[0] + + new_subject_category_scope_2 = { + "name": "china", + "description": "china", + } + + subject_category_scope_2 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_2) + subject_category_scope_2_id = subject_category_scope_2.keys()[0] + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, + subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, + subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) self.assertRaises( AuthzException, - self.manager.set_subject_assignment_dict, - admin_user["id"], ref["id"], new_subject["id"], - { - new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid], - }) + self.manager.add_subject_assignment_list, + demo_subject_id, authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id + ) self.assertRaises( AuthzException, - self.manager.del_subject_assignment, - admin_user["id"], ref["id"], new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid) + self.manager.add_subject_assignment_list, + demo_subject_id, authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id + ) + self.assertIsInstance(subject_category_assignments, list) + + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_subject_assignment_list, - admin_user["id"], ref["id"], new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid) + self.admin_manager.del_subject_assignment, + demo_subject_id, authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + + self.admin_manager.del_subject_assignment( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + self.assertRaises( + SubjectAssignmentUnknown, + self.admin_manager.del_subject_assignment, + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) def test_object_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - objects = self.admin_manager.set_object_dict(admin_user["id"], ref["id"], new_objects) - - new_object_category_uuid = uuid.uuid4().hex - new_object_category_value = "role" - object_categories = self.admin_manager.set_object_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + + object_vm1_id = None + object_vm2_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == 'vm1': + object_vm1_id = _object_id + if objects_dict[_object_id]['name'] == 'vm2': + object_vm2_id = _object_id + if not object_vm1_id or not object_vm2_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)") + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - new_object_category_uuid: new_object_category_value + "name": "location", + "description": "location", } ) - for object_category in object_categories["object_categories"]: - object_category_scope = self.admin_manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = admin_user["id"] - object_category_scope = self.admin_manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) - - new_object_category_scope2 = dict() - new_object_category_scope2_uuid = uuid.uuid4().hex - new_object_category_scope2[new_object_category_scope2_uuid] = "dev" - object_category_scope = self.admin_manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope2) + for object_category_id in object_categories: + object_category_scope = self.manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual({}, object_category_scope) + + new_object_category_scope_1 = { + "name": "france", + "description": "france", + } + + object_category_scope_1 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_1) + object_category_scope_1_id = object_category_scope_1.keys()[0] + + new_object_category_scope_2 = { + "name": "china", + "description": "china", + } + + object_category_scope_2 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_2) + object_category_scope_2_id = object_category_scope_2.keys()[0] object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, + object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + + object_category_assignments = self.manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, + object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) self.assertRaises( AuthzException, - self.manager.set_object_category_assignment_dict, - admin_user["id"], ref["id"], new_object["id"], - { - new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid], - }) + self.manager.add_object_assignment_list, + demo_subject_id, authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id + ) self.assertRaises( AuthzException, - self.manager.del_object_assignment, - admin_user["id"], ref["id"], new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid) + self.manager.add_object_assignment_list, + demo_subject_id, authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id + ) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id + ) + self.assertIsInstance(object_category_assignments, list) + + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_object_assignment_list, - admin_user["id"], ref["id"], new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid) + self.admin_manager.del_object_assignment, + demo_subject_id, authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id + ) + + self.admin_manager.del_object_assignment( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + self.assertRaises( + ObjectAssignmentUnknown, + self.admin_manager.del_object_assignment, + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) def test_action_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - actions = self.admin_manager.set_action_dict(admin_user["id"], ref["id"], new_actions) - - new_action_category_uuid = uuid.uuid4().hex - new_action_category_value = "role" - action_categories = self.admin_manager.set_action_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + + action_upload_id = None + action_list_id = None + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] == 'upload': + action_upload_id = _action_id + if actions_dict[_action_id]['name'] == 'list': + action_list_id = _action_id + if not action_upload_id or not action_list_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)") + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - new_action_category_uuid: new_action_category_value + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: - action_category_scope = self.admin_manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = admin_user["id"] - action_category_scope = self.admin_manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) - - new_action_category_scope2 = dict() - new_action_category_scope2_uuid = uuid.uuid4().hex - new_action_category_scope2[new_action_category_scope2_uuid] = "dev" - action_category_scope = self.admin_manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope2) + for action_category_id in action_categories: + action_category_scope = self.manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual({}, action_category_scope) + + new_action_category_scope_1 = { + "name": "swift_admin", + "description": "action require admin rights", + } + + action_category_scope_1 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_1) + action_category_scope_1_id = action_category_scope_1.keys()[0] + + new_action_category_scope_2 = { + "name": "swift_anonymous", + "description": "action require no right", + } + + action_category_scope_2 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_2) + action_category_scope_2_id = action_category_scope_2.keys()[0] action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, + action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + + action_category_assignments = self.manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, + action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) self.assertRaises( AuthzException, - self.manager.set_action_assignment_dict, - admin_user["id"], ref["id"], new_action["id"], - { - new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid], - }) + self.manager.add_action_assignment_list, + demo_subject_id, authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id + ) + + self.assertRaises( + AuthzException, + self.manager.add_action_assignment_list, + demo_subject_id, authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id + ) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id + ) + self.assertIsInstance(action_category_assignments, list) + + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.del_action_assignment, - admin_user["id"], ref["id"], new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid) + self.admin_manager.del_action_assignment, + demo_subject_id, authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id + ) + + self.admin_manager.del_action_assignment( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) self.assertRaises( - ActionCategoryAssignmentAddNotAuthorized, - self.manager.add_action_assignment_list, - admin_user["id"], ref["id"], new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid) + ActionAssignmentUnknown, + self.admin_manager.del_action_assignment, + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) def test_sub_meta_rules(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - aggregation_algorithms = self.manager.get_aggregation_algorithms(admin_user["id"], ref["id"]) - self.assertIsInstance(aggregation_algorithms, dict) - self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list) - self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"]) - self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"]) - - aggregation_algorithm = self.manager.get_aggregation_algorithm_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"]) - _aggregation_algorithm.remove(aggregation_algorithm["aggregation"]) - self.assertRaises( - AuthzException, - self.manager.set_aggregation_algorithm_dict, - admin_user["id"], ref["id"], _aggregation_algorithm[0]) - - sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in aggregation_algorithms.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + # TODO: need more tests on aggregation_algorithms (set and del) + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, ref["model"], "metarule.json"))) - metarule = dict() categories = { - "subject_categories": self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]), - "object_categories": self.manager.get_object_category_dict(admin_user["id"], ref["id"]), - "action_categories": self.manager.get_action_category_dict(admin_user["id"], ref["id"]) + "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]), + "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]), + "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) } - for relation in sub_meta_rules_conf["sub_meta_rules"]: - metarule[relation] = dict() - for item in ("subject_categories", "object_categories", "action_categories"): - metarule[relation][item] = list() - for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]: - metarule[relation][item].append(self.__get_key_from_value( - element, - categories[item][item] - )) - - for relation in sub_meta_rules["sub_meta_rules"]: - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - # Add a particular subject_category - data = self.admin_manager.add_subject_category( - admin_user["id"], - ref["id"], - new_subject_category["name"]) - new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) - metarule[relation]["subject_categories"].append(new_subject_category["id"]) - self.assertRaises( - AuthzException, - self.manager.get_sub_meta_rule_dict, - admin_user["id"], ref["id"], metarule) + for key, value in sub_meta_rules.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("action_categories", value) + self.assertIn("object_categories", value) + self.assertIn("subject_categories", value) + self.assertIn("algorithm", value) + self.assertIn("name", value) + for action_category_id in value["action_categories"]: + self.assertIn(action_category_id, categories["action_categories"]) + for object_category_id in value["object_categories"]: + self.assertIn(object_category_id, categories["object_categories"]) + for subject_category_id in value["subject_categories"]: + self.assertIn(subject_category_id, categories["subject_categories"]) + # TODO: need more tests (set and del) def test_sub_rules(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - - sub_rules = self.manager.get_sub_rules(admin_user["id"], ref["id"]) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + + for relation_id in sub_meta_rules: + rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id) + rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \ + len(sub_meta_rules[relation_id]["object_categories"]) + \ + len(sub_meta_rules[relation_id]["action_categories"]) + 1 + for rule_id in rules: + self.assertEqual(rule_length, len(rules[rule_id])) + rule = list(rules[rule_id]) for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - admin_user["id"], - ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) a_scope = rule.pop(0) - self.assertIn(a_scope, scope[func_name][cat_value]) - - # add a new subrule - - relation = sub_rules["rules"].keys()[0] - sub_rule = [] - for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), - ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: - scope = cat_func( - admin_user["id"], - ref["id"], - cat_value - ) - sub_rule.append(scope[func_name][cat_value].keys()[0]) + if type(a_scope) is not bool: + self.assertIn(a_scope, scope.keys()) + + # add a new subrule + + sub_rule = [] + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + sub_rule.append(scope.keys()[0]) + + sub_rule.append(False) + self.assertRaises( + AuthzException, + self.admin_manager.add_rule_dict, + demo_subject_id, authz_ie_dict["id"], relation_id, sub_rule + ) - self.assertRaises( - AuthzException, - self.manager.set_sub_rule, - admin_user["id"], ref["id"], relation, sub_rule) + sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule) + self.assertIsInstance(sub_rules, dict) + self.assertIn(sub_rule, sub_rules.values()) + + for rule_id, rule_value in sub_rules.iteritems(): + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + a_scope = rule_value.pop(0) + self.assertIn(a_scope, scope.keys()) + # TODO: add test for the delete function diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py index aa584a65..17e70018 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py @@ -17,7 +17,7 @@ from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager -from keystone.contrib.moon.core import DEFAULT_USER_ID +from keystone.contrib.moon.core import ADMIN_ID CONF = cfg.CONF @@ -35,6 +35,7 @@ IE = { TIME_FORMAT = '%Y-%m-%d-%H:%M:%S' +@dependency.requires('admin_api', 'tenant_api', 'configuration_api') class TestIntraExtensionAdminManager(tests.TestCase): def setUp(self): @@ -42,6 +43,12 @@ class TestIntraExtensionAdminManager(tests.TestCase): super(TestIntraExtensionAdminManager, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) + self.admin = self.create_user(username="admin") + self.demo = self.create_user(username="demo") + self.root_intra_extension = self.create_intra_extension(policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID self.manager = IntraExtensionAdminManager() def __get_key_from_value(self, value, values_dict): @@ -68,7 +75,7 @@ class TestIntraExtensionAdminManager(tests.TestCase): # Create the admin user because IntraExtension needs it self.admin = self.identity_api.create_user(USER_ADMIN) IE["policymodel"] = policy_model - self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE) + self.ref = self.manager.load_intra_extension_dict(ADMIN_ID, intra_extension_dict=IE) self.assertIsInstance(self.ref, dict) self.create_tenant(self.ref["id"]) diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py index 6d656488..995b6a54 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py @@ -30,7 +30,7 @@ IE = { "description": "a simple description." } -@dependency.requires('admin_api') +@dependency.requires('admin_api', 'tenant_api', 'configuration_api') class TestTenantManager(tests.TestCase): ADMIN_ID = None @@ -45,8 +45,8 @@ class TestTenantManager(tests.TestCase): # force re-initialization of the ADMIN_ID variable from keystone.contrib.moon.core import ADMIN_ID self.ADMIN_ID = ADMIN_ID - self.manager = TenantManager() - self.configuration_api = ConfigurationManager() + self.manager = self.tenant_api + # self.configuration_api = self.configuration_api # self.configuration_api.init_default_variables() def load_extra_backends(self): @@ -95,20 +95,20 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) - data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_authz_extension"], data["id"]) - data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_admin_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data["id"]) + data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data["id"]) + data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_admin_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data["id"]) def test_del_tenant(self): authz_intra_extension = self.create_intra_extension(policy_model="policy_authz") @@ -117,14 +117,14 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) self.manager.del_tenant(self.ADMIN_ID, new_tenant["id"]) @@ -138,14 +138,14 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) @@ -153,8 +153,8 @@ class TestTenantManager(tests.TestCase): data = self.manager.set_tenant_dict(user_id=self.ADMIN_ID, tenant_id=new_tenant["id"], tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) def test_exception_tenant_unknown(self): self.assertRaises(TenantUnknown, self.manager.get_tenant_dict, self.ADMIN_ID, uuid.uuid4().hex) @@ -167,14 +167,14 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) @@ -187,14 +187,14 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) @@ -207,20 +207,20 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } - new_tenant['intra_authz_extension'] = None + new_tenant['intra_authz_extension_id'] = None self.assertRaises(TenantNoIntraAuthzExtension, self.manager.add_tenant_dict, self.ADMIN_ID, new_tenant) - new_tenant['intra_authz_extension'] = authz_intra_extension['id'] + new_tenant['intra_authz_extension_id'] = authz_intra_extension['id'] data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) - new_tenant['intra_authz_extension'] = None + new_tenant['intra_authz_extension_id'] = None new_tenant['name'] = "demo2" self.assertRaises(TenantNoIntraAuthzExtension, self.manager.set_tenant_dict, self.ADMIN_ID, new_tenant["id"], new_tenant) -- cgit 1.2.3-korg