Merge "Cleanup py27 support"
diff --git a/.zuul.yaml b/.zuul.yaml
index e79337d..7351166 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -1,6 +1,7 @@
- job:
name: keystone-protection-functional
parent: keystone-dsvm-py3-functional
+ voting: false
vars:
tempest_test_regex: 'keystone_tempest_plugin.tests.rbac'
devstack_localrc:
@@ -9,7 +10,6 @@
keystone: https://opendev.org/openstack/keystone
devstack_services:
g-api: false
- g-reg: false
n-api: false
n-api-meta: false
n-cond: false
@@ -41,33 +41,33 @@
check:
jobs:
- keystone-dsvm-py3-functional
- - keystone-dsvm-py3-functional-federation-ubuntu-focal:
+ - keystone-dsvm-py3-functional-federation-ubuntu-jammy:
voting: false
- - keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k
- - keystone-dsvm-py3-functional-zed
- - keystone-dsvm-py3-functional-yoga
- - keystone-dsvm-py3-functional-xena
+ - keystone-dsvm-py3-functional-federation-ubuntu-jammy-k2k
+ - keystone-dsvm-py3-functional-2024-1
+ - keystone-dsvm-py3-functional-2023-2
+ - keystone-dsvm-py3-functional-2023-1
- keystone-protection-functional
gate:
jobs:
- keystone-dsvm-py3-functional
- - keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k
+ - keystone-dsvm-py3-functional-federation-ubuntu-jammy-k2k
- keystone-protection-functional
- job:
- name: keystone-dsvm-py3-functional-zed
+ name: keystone-dsvm-py3-functional-2024-1
parent: keystone-dsvm-py3-functional
- nodeset: openstack-single-node-focal
- override-checkout: stable/zed
+ nodeset: openstack-single-node-jammy
+ override-checkout: stable/2024.1
- job:
- name: keystone-dsvm-py3-functional-yoga
+ name: keystone-dsvm-py3-functional-2023-2
parent: keystone-dsvm-py3-functional
- nodeset: openstack-single-node-focal
- override-checkout: stable/yoga
+ nodeset: openstack-single-node-jammy
+ override-checkout: stable/2023.2
- job:
- name: keystone-dsvm-py3-functional-xena
+ name: keystone-dsvm-py3-functional-2023-1
parent: keystone-dsvm-py3-functional
- nodeset: openstack-single-node-focal
- override-checkout: stable/xena
+ nodeset: openstack-single-node-jammy
+ override-checkout: stable/2023.1
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
index 3ca1680..123e64b 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
@@ -411,14 +411,19 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
- base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(IdentityV3RbacApplicationCredentialTest,
+ base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
@classmethod
def setup_clients(cls):
- super(ProjectAdminTests, cls).setup_clients()
+ super().setup_clients()
cls.test_user_client, cls.test_user_id = cls.setup_user_client()
def test_identity_create_application_credential(self):
@@ -555,11 +560,6 @@
application_credential_id=data_utils.rand_uuid_hex())
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py b/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
index b7dbb95..a04fcd9 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
@@ -181,16 +181,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
index 5b1bee2..0c70589 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
@@ -339,104 +339,15 @@
credentials = ['system_reader', 'system_admin']
-class DomainAdminTests(IdentityV3RbacCredentialTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
credentials = ['domain_admin', 'system_admin']
- def test_identity_create_credential(self):
- # domain admins cannot create credentials
- user_id = self.persona.credentials.user_id
- for u in [user_id, self.test_user_1, self.test_user_2]:
- self.do_request(
- 'create_credential',
- expected_status=exceptions.Forbidden,
- **self.credential(user_id=u))
- def test_identity_get_credential(self):
- # domain admins cannot get credentials
- user_id = self.persona.credentials.user_id
- for u in [user_id, self.test_user_1, self.test_user_2]:
- cred = self.admin_credentials_client.create_credential(
- **self.credential(user_id=u))['credential']
- self.addCleanup(
- self.admin_credentials_client.delete_credential, cred['id'])
- self.do_request(
- 'show_credential',
- expected_status=exceptions.Forbidden,
- credential_id=cred['id'])
- # non-existent credential is Forbidden
- self.do_request(
- 'show_credential',
- expected_status=exceptions.Forbidden,
- credential_id=data_utils.rand_uuid_hex())
-
- def test_identity_list_credentials(self):
- # domain admins cannot list credentials
- user_id = self.persona.credentials.user_id
- for u in [user_id, self.test_user_1, self.test_user_2]:
- cred = self.admin_credentials_client.create_credential(
- **self.credential(user_id=u))['credential']
- self.addCleanup(
- self.admin_credentials_client.delete_credential, cred['id'])
- self.do_request(
- 'list_credentials',
- expected_status=exceptions.Forbidden)
-
- def test_identity_update_credential(self):
- # domain admins cannot update credentials
- user_id = self.persona.credentials.user_id
- for u in [user_id, self.test_user_1, self.test_user_2]:
- cred = self.credential(user_id=u)
- resp = self.admin_credentials_client.create_credential(
- **cred)['credential']
- self.addCleanup(
- self.admin_credentials_client.delete_credential, resp['id'])
- cred['blob'] = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_credential',
- expected_status=exceptions.Forbidden,
- credential_id=resp['id'], **cred)
- # non-existent credential is Forbidden
- self.do_request(
- 'update_credential',
- expected_status=exceptions.Forbidden,
- credential_id=data_utils.rand_uuid_hex(),
- **self.credential(user_id=user_id))
-
- def test_identity_delete_credential(self):
- # domain admins cannot delete credentials
- user_id = self.persona.credentials.user_id
- for u in [user_id, self.test_user_1, self.test_user_2]:
- cred = self.credential(user_id=u)
- resp = self.admin_credentials_client.create_credential(
- **cred)['credential']
- self.addCleanup(
- self.admin_credentials_client.delete_credential, resp['id'])
- self.do_request(
- 'delete_credential',
- expected_status=exceptions.Forbidden,
- credential_id=resp['id'])
- # non-existent credential is Forbidden
- self.do_request(
- 'delete_credential',
- expected_status=exceptions.Forbidden,
- credential_id=data_utils.rand_uuid_hex())
-
-
-class DomainMemberTests(DomainAdminTests):
+class DomainMemberTests(SystemReaderTests):
credentials = ['domain_member', 'system_admin']
-
-class DomainReaderTests(DomainAdminTests):
-
- credentials = ['domain_reader', 'system_admin']
-
-
-class ProjectAdminTests(SystemReaderTests):
-
- credentials = ['project_admin', 'system_admin']
-
def test_identity_get_credential(self):
# user can get their own credential
user_id = self.persona.credentials.user_id
@@ -480,11 +391,21 @@
self.assertNotIn(cred['id'], [c['id'] for c in resp])
-class ProjectMemberTests(ProjectAdminTests):
+class DomainReaderTests(DomainMemberTests):
+
+ credentials = ['domain_reader', 'system_admin']
+
+
+class ProjectAdminTests(SystemAdminTests):
+
+ credentials = ['project_admin', 'system_admin']
+
+
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_domain.py b/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
index 13f0b71..b09b4bd 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
@@ -176,6 +176,21 @@
credentials = ['domain_admin', 'system_admin']
+ def test_identity_list_domains(self):
+ domain_id = self.persona.credentials.domain_id
+ other_domain_id = self.admin_domains_client.create_domain(
+ name=data_utils.rand_name())['domain']['id']
+ self.addCleanup(self.admin_domains_client.delete_domain,
+ other_domain_id)
+ self.addCleanup(self.admin_domains_client.update_domain,
+ domain_id=other_domain_id, enabled=False)
+ resp = self.do_request('list_domains')
+ self.assertIn(domain_id, [d['id'] for d in resp['domains']])
+ self.assertNotIn(other_domain_id, [d['id'] for d in resp['domains']])
+
+
+class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+
def test_identity_get_domain(self):
domain_id = self.admin_domains_client.create_domain(
name=data_utils.rand_name())['domain']['id']
@@ -188,6 +203,23 @@
self.do_request('show_domain', expected_status=exceptions.Forbidden,
domain_id=data_utils.rand_uuid_hex())
+ credentials = ['domain_member', 'system_admin']
+
+
+class DomainReaderTests(DomainMemberTests):
+
+ credentials = ['domain_reader', 'system_admin']
+
+
+class ProjectAdminTests(SystemAdminTests):
+
+ credentials = ['project_admin', 'system_admin']
+
+
+class ProjectMemberTests(DomainReaderTests):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_list_domains(self):
domain_id = self.admin_domains_client.create_domain(
name=data_utils.rand_name())['domain']['id']
@@ -198,26 +230,6 @@
expected_status=exceptions.Forbidden)
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
-
- credentials = ['domain_member', 'system_admin']
-
-
-class DomainReaderTests(DomainMemberTests):
-
- credentials = ['domain_reader', 'system_admin']
-
-
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
-
- credentials = ['project_admin', 'system_admin']
-
-
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py b/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
index 8f1fdbf..ba2b612 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
@@ -366,16 +366,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
index 6c7d19b..b9affc8 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
@@ -474,10 +474,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(SystemReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(SystemReaderTests):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_ec2_get_credential(self):
# user can get their own credential
user_id = self.persona.credentials.user_id
@@ -534,11 +539,6 @@
user_id=self.test_user_2)
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
index 48dfb19..8dde1ea 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
@@ -230,16 +230,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
-
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
index 6cca108..305b6e2 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
@@ -506,16 +506,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_grant.py b/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
index e88b679..5e1a501 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
@@ -1181,6 +1181,1637 @@
group_id=self.group_in_domain,
role_id=self.role_own_domain)
# role in other domain, project in own domain, user in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, domain in own domain, user in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, domain in own domain, group in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #####################################################
+ # global role, project in own domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, domain in own domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, domain in own domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, domain in own domain, user in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, domain in own domain, group in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+ #####################################################
+ # global role, project in other domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #######################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #######################################################
+ # global role, project in other domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+
+ def test_identity_list_grants(self):
+ ###################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+ ###################################################
+ # project in other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_project',
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain)
+ # project in other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_project',
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain)
+ # other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_domain',
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain)
+ # other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_domain',
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain)
+ #####################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #####################################################
+ # project in other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_project',
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain)
+ # project in other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_project',
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain)
+ # other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_domain',
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain)
+ # other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_domain',
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain)
+ #####################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+ #####################################################
+ # project in other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_project',
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain)
+ # project in other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_project',
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain)
+ # other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_domain',
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain)
+ # other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_domain',
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain)
+ #######################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #######################################################
+ # project in other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_project',
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain)
+ # project in other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_project',
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain)
+ # other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_domain',
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain)
+ # other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_domain',
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain)
+
+ def test_identity_create_grant(self):
+ ###################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+ ###################################################
+ # global role, project in own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #####################################################
+ # global role, project in own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # TODO(dmendiza): This test is a repeat form line 1705
+ # Since grants are idempotent, after this second test there is only
+ # one object, which gets cleaned by the previous cleanup and makes
+ # the below cleanup fail. Not sure why we're testing the same
+ # data twice. Maybe we can delete this second test?
+ # self.addCleanup(
+ # self.admin_roles_client.delete_role_from_user_on_domain,
+ # domain_id=self.own_domain,
+ # user_id=self.user_other_domain,
+ # role_id=self.role_other_domain)
+ # role in other domain, own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # TODO(dmendiza): This test is also repeated from line 1710
+ # self.addCleanup(
+ # self.admin_roles_client.delete_role_from_group_on_domain,
+ # domain_id=self.own_domain,
+ # group_id=self.group_other_domain,
+ # role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+ #####################################################
+ # global role, project in other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #######################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #######################################################
+ # global role, project in other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+
+ def test_identity_revoke_grant(self):
+ ###################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+ ###################################################
+ # global role, project in own domain, user in own domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in own domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in own domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in own domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in own domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in own domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, user in own domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, group in own domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, user in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, group in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #####################################################
+ # global role, project in own domain, user in other domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in other domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in other domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in other domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in other domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in other domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, user in other domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, group in other domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, user in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, group in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+ #####################################################
+ # global role, project in other domain, user in own domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in own domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in own domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in own domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in own domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in own domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in own domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in own domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #######################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #######################################################
+ # global role, project in other domain, user in other domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in other domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in other domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in other domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in other domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in other domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in other domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in other domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+
+ def test_identity_list_system_grants_for_user(self):
+ self.do_request('list_user_roles_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_other_domain)
+ self.do_request('list_user_roles_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_other_domain)
+
+ def test_identity_check_system_grant_for_user(self):
+ self.do_request('check_user_role_existence_on_system',
+ exceptions.Forbidden,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request('check_user_role_existence_on_system',
+ exceptions.Forbidden,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_create_system_grant_for_user(self):
+ self.do_request(
+ 'create_user_role_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'create_user_role_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_revoke_system_grant_for_user(self):
+ # user in own domain
+ self.admin_roles_client.create_user_role_on_system(
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_system,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # user in other domain
+ self.admin_roles_client.create_user_role_on_system(
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_system,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_list_system_grants_for_group(self):
+ self.do_request('list_group_roles_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_in_domain)
+ self.do_request('list_group_roles_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_other_domain)
+
+ def test_identity_check_system_grant_for_group(self):
+ self.do_request('check_role_from_group_on_system_existence',
+ exceptions.Forbidden,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request('check_role_from_group_on_system_existence',
+ exceptions.Forbidden,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_create_system_grant_for_group(self):
+ self.do_request(
+ 'create_group_role_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'create_group_role_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_revoke_system_grant_for_group(self):
+ # group in own domain
+ self.admin_roles_client.create_group_role_on_system(
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_system,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # group in other domain
+ self.admin_roles_client.create_group_role_on_system(
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_system,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+
+
+class DomainMemberTests(DomainAdminTests):
+
+ credentials = ['domain_member', 'system_admin']
+
+ def test_identity_check_grant(self):
+ ###################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+ ###################################################
+ # global role, project in own domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, domain in own domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, domain in own domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in own domain
# (none created, should 403)
self.do_request(
'check_user_role_existence_on_project',
@@ -1600,971 +3231,6 @@
# global role, project in own domain, user in own domain
self.do_request(
'create_user_role_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, project in own domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # global role, own domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, own domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # role in own domain, project in own domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in own domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in own domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in own domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- #####################################################
- # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
- #####################################################
- # global role, project in own domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, project in own domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # global role, own domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, own domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # role in own domain, project in own domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in own domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in own domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in own domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- #####################################################
- # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
- #####################################################
- # global role, project in other domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, project in other domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # global role, other domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, other domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # role in own domain, project in other domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in other domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in other domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in other domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- #######################################################
- # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
- #######################################################
- # global role, project in other domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, project in other domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # global role, other domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, other domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # role in own domain, project in other domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in other domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in other domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in other domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
-
- def test_identity_revoke_grant(self):
- ###################################################
- # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
- ###################################################
- # global role, project in own domain, user in own domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, project in own domain, group in own domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # global role, own domain, user in own domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, own domain, group in own domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # role in own domain, project in own domain, user in own domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in own domain, group in own domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, user in own domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, group in own domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in own domain, user in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in own domain, group in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, user in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, group in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- #####################################################
- # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
- #####################################################
- # global role, project in own domain, user in other domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, project in own domain, group in other domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # global role, own domain, user in other domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, own domain, group in other domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # role in own domain, project in own domain, user in other domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in own domain, group in other domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, user in other domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, group in other domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in own domain, user in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in own domain, group in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, user in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, group in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- #####################################################
- # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
- #####################################################
- # global role, project in other domain, user in own domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, project in other domain, group in own domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # global role, other domain, user in own domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, other domain, group in own domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # role in own domain, project in other domain, user in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in other domain, group in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, user in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, group in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in other domain, user in own domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in other domain, group in own domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, user in own domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, group in own domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- #######################################################
- # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
- #######################################################
- # global role, project in other domain, user in other domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, project in other domain, group in other domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # global role, other domain, user in other domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, other domain, group in other domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # role in own domain, project in other domain, user in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in other domain, group in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, user in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, group in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in other domain, user in other domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in other domain, group in other domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, user in other domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, group in other domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
-
- def test_identity_list_system_grants_for_user(self):
- self.do_request('list_user_roles_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_other_domain)
- self.do_request('list_user_roles_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_other_domain)
-
- def test_identity_check_system_grant_for_user(self):
- self.do_request('check_user_role_existence_on_system',
- exceptions.Forbidden,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request('check_user_role_existence_on_system',
- exceptions.Forbidden,
- user_id=self.user_other_domain,
- role_id=self.role_id)
-
- def test_identity_create_system_grant_for_user(self):
- self.do_request(
- 'create_user_role_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'create_user_role_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_other_domain,
- role_id=self.role_id)
-
- def test_identity_revoke_system_grant_for_user(self):
- # user in own domain
- self.admin_roles_client.create_user_role_on_system(
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.addCleanup(
- self.admin_roles_client.delete_role_from_user_on_system,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # user in other domain
- self.admin_roles_client.create_user_role_on_system(
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.addCleanup(
- self.admin_roles_client.delete_role_from_user_on_system,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_other_domain,
- role_id=self.role_id)
-
- def test_identity_list_system_grants_for_group(self):
- self.do_request('list_group_roles_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_in_domain)
- self.do_request('list_group_roles_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_other_domain)
-
- def test_identity_check_system_grant_for_group(self):
- self.do_request('check_role_from_group_on_system_existence',
- exceptions.Forbidden,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request('check_role_from_group_on_system_existence',
- exceptions.Forbidden,
- group_id=self.group_other_domain,
- role_id=self.role_id)
-
- def test_identity_create_system_grant_for_group(self):
- self.do_request(
- 'create_group_role_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'create_group_role_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_other_domain,
- role_id=self.role_id)
-
- def test_identity_revoke_system_grant_for_group(self):
- # group in own domain
- self.admin_roles_client.create_group_role_on_system(
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.addCleanup(
- self.admin_roles_client.delete_role_from_group_on_system,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # group in other domain
- self.admin_roles_client.create_group_role_on_system(
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.addCleanup(
- self.admin_roles_client.delete_role_from_group_on_system,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_other_domain,
- role_id=self.role_id)
-
-
-class DomainMemberTests(DomainAdminTests):
-
- credentials = ['domain_member', 'system_admin']
-
- def test_identity_create_grant(self):
- ###################################################
- # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
- ###################################################
- # global role, project in own domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
expected_status=exceptions.Forbidden,
project_id=self.project_in_domain,
user_id=self.user_in_domain,
@@ -3448,10 +4114,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(ProjectAdminTests):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_check_grant(self):
# global role, arbitrary project, arbitrary user
self.do_request(
@@ -3789,11 +4460,6 @@
role_id=self.role_id)
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_group.py b/keystone_tempest_plugin/tests/rbac/v3/test_group.py
index c3ce1d9..d62e801 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_group.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_group.py
@@ -422,20 +422,87 @@
credentials = ['system_reader', 'system_admin']
-class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
credentials = ['domain_admin', 'system_admin']
+ def test_identity_list_groups(self):
+ group1 = self.admin_groups_client.create_group(
+ **self.group(domain_id=self.own_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+ group2 = self.admin_groups_client.create_group(
+ **self.group(domain_id=self.other_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+ resp = self.do_request('list_groups')
+ # user can get groups in own domain
+ self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
+ # user cannot get groups in other domain
+ self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+
+ def test_identity_list_groups_for_user(self):
+ group1 = self.admin_groups_client.create_group(
+ **self.group(domain_id=self.own_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+ user1 = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'),
+ domain_id=self.own_domain)['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user1['id'])
+ group2 = self.admin_groups_client.create_group(
+ **self.group(domain_id=self.other_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+ user2 = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'),
+ domain_id=self.other_domain)['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user2['id'])
+ self.admin_groups_client.add_group_user(group1['id'], user1['id'])
+ self.admin_groups_client.add_group_user(group1['id'], user2['id'])
+ self.admin_groups_client.add_group_user(group2['id'], user1['id'])
+ self.admin_groups_client.add_group_user(group2['id'], user2['id'])
+ resp = self.do_request('list_user_groups', client=self.users_client,
+ user_id=user1['id'])
+ # user can list groups in own domain for user in own domain
+ self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
+ # user cannot list groups in other domain for user in own domain
+ self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+ # user cannot list groups for user in other domain
+ resp = self.do_request('list_user_groups', client=self.users_client,
+ user_id=user2['id'])
+ self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+ # user gets a 404 for nonexistent user
+ self.do_request('list_user_groups', client=self.users_client,
+ expected_status=exceptions.NotFound,
+ user_id='fakeuser')
+
+ def test_identity_list_users_in_group(self):
+ group = self.admin_groups_client.create_group(**self.group())['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group['id'])
+ user = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'))['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user['id'])
+ self.admin_groups_client.add_group_user(group['id'], user['id'])
+ resp = self.do_request('list_group_users', group_id=group['id'])
+ user_ids = set(u['id'] for u in resp['users'])
+ # request is allowed but the user will get filtered out on domain
+ # scoped request
+ self.assertEqual(0, len(user_ids))
+
+
+class DomainMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+
+ credentials = ['domain_member', 'system_admin']
+
def test_identity_create_group(self):
- # user can create group in own domain
- resp = self.do_request('create_group', expected_status=201,
- **self.group(domain_id=self.own_domain))
- self.addCleanup(self.admin_groups_client.delete_group,
- resp['group']['id'])
+ # user cannot create group in own domain
+ self.do_request('create_group',
+ expected_status=exceptions.Forbidden,
+ **self.group(domain_id=self.own_domain))
# user cannot create group in another domain
- resp = self.do_request('create_group',
- expected_status=exceptions.Forbidden,
- **self.group(domain_id=self.other_domain))
+ self.do_request('create_group',
+ expected_status=exceptions.Forbidden,
+ **self.group(domain_id=self.other_domain))
def test_identity_get_group(self):
group = self.admin_groups_client.create_group(
@@ -509,12 +576,13 @@
group2 = self.admin_groups_client.create_group(
**self.group(domain_id=self.other_domain))['group']
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- # user can update a group in own domain
+ # user cannot update a group in own domain
group_update = {
'group_id': group1['id'],
'description': data_utils.arbitrary_string
}
- self.do_request('update_group', **group_update)
+ self.do_request('update_group', expected_status=exceptions.Forbidden,
+ **group_update)
# user cannot update a group in other domain
group_update = {
'group_id': group2['id'],
@@ -536,8 +604,8 @@
group2 = self.admin_groups_client.create_group(
**self.group(domain_id=self.other_domain))['group']
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- # user can delete a group in own domain
- self.do_request('delete_group', expected_status=204,
+ # user cannot delete a group in own domain
+ self.do_request('delete_group', expected_status=exceptions.Forbidden,
group_id=group1['id'])
# user cannot delete a group in other domain
self.do_request('delete_group', expected_status=exceptions.Forbidden,
@@ -594,197 +662,6 @@
domain_id=self.own_domain)['user']
self.addCleanup(self.admin_client.users_v3_client.delete_user,
user2['id'])
- # user can add a user in own domain to a group in own domain
- self.do_request('add_group_user', expected_status=204,
- group_id=group1['id'], user_id=user1['id'])
- # user can add a user in another domain to a group in own domain
- self.do_request('add_group_user', expected_status=204,
- group_id=group1['id'], user_id=user2['id'])
- # user cannot add a user in own domain to a group in another domain
- self.do_request('add_group_user', expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user1['id'])
- # user cannot add a user in another domain to a group in another domain
- self.do_request('add_group_user', expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user2['id'])
- # user gets a 403 for nonexistent group
- self.do_request('add_group_user', expected_status=exceptions.Forbidden,
- group_id='fakegroup', user_id=user1['id'])
- # user gets a 403 for nonexistent user
- self.do_request('add_group_user', expected_status=exceptions.Forbidden,
- group_id=group1['id'], user_id='fakeuser')
-
- def test_identity_remove_user_from_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(self.own_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
- group2 = self.admin_groups_client.create_group(
- **self.group(self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- user1 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user1['id'])
- user2 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user2['id'])
- self.admin_groups_client.add_group_user(group1['id'], user1['id'])
- self.admin_groups_client.add_group_user(group1['id'], user2['id'])
- self.admin_groups_client.add_group_user(group2['id'], user1['id'])
- self.admin_groups_client.add_group_user(group2['id'], user2['id'])
- # user can remove a user in own domain from a group in own domain
- self.do_request('delete_group_user', expected_status=204,
- group_id=group1['id'], user_id=user1['id'])
- # user can remove a user in another domain from a group in own
- # domain
- self.do_request('delete_group_user', expected_status=204,
- group_id=group1['id'], user_id=user2['id'])
- # user cannot remove a user in own domain from a group in another
- # domain
- self.do_request('delete_group_user',
- expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user1['id'])
- # user cannot remove a user in another domain from a group in another
- # domain
- self.do_request('delete_group_user',
- expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user2['id'])
- # user gets a 403 for nonexistent group
- self.do_request('delete_group_user',
- expected_status=exceptions.Forbidden,
- group_id='fakegroup', user_id=user1['id'])
- # user gets a 403 for nonexistent user
- self.do_request('delete_group_user',
- expected_status=exceptions.Forbidden,
- group_id=group1['id'], user_id='fakeuser')
-
- def test_identity_check_user_in_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(self.own_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
- group2 = self.admin_groups_client.create_group(
- **self.group(self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- user1 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user1['id'])
- user2 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user2['id'])
- self.admin_groups_client.add_group_user(group1['id'], user1['id'])
- self.admin_groups_client.add_group_user(group1['id'], user2['id'])
- self.admin_groups_client.add_group_user(group2['id'], user1['id'])
- self.admin_groups_client.add_group_user(group2['id'], user2['id'])
- # user can check if a user in own domain is in a group in own domain
- self.do_request('check_group_user_existence', expected_status=204,
- group_id=group1['id'], user_id=user1['id'])
- # user can check if a user in another domain is in a group in own
- # domain
- self.do_request('check_group_user_existence',
- expected_status=204,
- group_id=group1['id'], user_id=user2['id'])
- # user cannot check if a user in own domain is in a group in another
- # domain
- self.do_request('check_group_user_existence',
- expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user1['id'])
- # user cannot check if a user in another domain is in a group in
- # another domain
- self.do_request('check_group_user_existence',
- expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user2['id'])
- # user gets a 403 for nonexistent group
- self.do_request('check_group_user_existence',
- expected_status=exceptions.Forbidden,
- group_id='fakegroup', user_id=user1['id'])
- # user gets a 403 for nonexistent user
- self.do_request('check_group_user_existence',
- expected_status=exceptions.Forbidden,
- group_id=group1['id'], user_id='fakeuser')
-
-
-class DomainMemberTests(DomainAdminTests):
-
- credentials = ['domain_member', 'system_admin']
-
- def test_identity_create_group(self):
- # user cannot create group in own domain
- self.do_request('create_group',
- expected_status=exceptions.Forbidden,
- **self.group(domain_id=self.own_domain))
- # user cannot create group in another domain
- self.do_request('create_group',
- expected_status=exceptions.Forbidden,
- **self.group(domain_id=self.other_domain))
-
- def test_identity_update_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(domain_id=self.own_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
- group2 = self.admin_groups_client.create_group(
- **self.group(domain_id=self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- # user cannot update a group in own domain
- group_update = {
- 'group_id': group1['id'],
- 'description': data_utils.arbitrary_string
- }
- self.do_request('update_group', expected_status=exceptions.Forbidden,
- **group_update)
- # user cannot update a group in other domain
- group_update = {
- 'group_id': group2['id'],
- 'description': data_utils.arbitrary_string
- }
- self.do_request('update_group', expected_status=exceptions.Forbidden,
- **group_update)
- # user gets a 403 for nonexistent group
- group_update = {
- 'group_id': 'fakegroup',
- 'description': data_utils.arbitrary_string
- }
- self.do_request('update_group', expected_status=exceptions.Forbidden,
- **group_update)
-
- def test_identity_delete_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(domain_id=self.own_domain))['group']
- group2 = self.admin_groups_client.create_group(
- **self.group(domain_id=self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- # user cannot delete a group in own domain
- self.do_request('delete_group', expected_status=exceptions.Forbidden,
- group_id=group1['id'])
- # user cannot delete a group in other domain
- self.do_request('delete_group', expected_status=exceptions.Forbidden,
- group_id=group2['id'])
- # user gets a 404 for nonexistent group
- self.do_request('delete_group', expected_status=exceptions.NotFound,
- group_id='fakegroup')
-
- def test_identity_add_user_to_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(self.own_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
- group2 = self.admin_groups_client.create_group(
- **self.group(self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- user1 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user1['id'])
- user2 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user2['id'])
# user cannot add a user in own domain to a group in own domain
self.do_request('add_group_user', expected_status=exceptions.Forbidden,
group_id=group1['id'], user_id=user1['id'])
@@ -853,16 +730,69 @@
expected_status=exceptions.Forbidden,
group_id=group1['id'], user_id='fakeuser')
+ def test_identity_check_user_in_group(self):
+ group1 = self.admin_groups_client.create_group(
+ **self.group(self.own_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+ group2 = self.admin_groups_client.create_group(
+ **self.group(self.other_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+ user1 = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'),
+ domain_id=self.own_domain)['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user1['id'])
+ user2 = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'),
+ domain_id=self.own_domain)['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user2['id'])
+ self.admin_groups_client.add_group_user(group1['id'], user1['id'])
+ self.admin_groups_client.add_group_user(group1['id'], user2['id'])
+ self.admin_groups_client.add_group_user(group2['id'], user1['id'])
+ self.admin_groups_client.add_group_user(group2['id'], user2['id'])
+ # user can check if a user in own domain is in a group in own domain
+ self.do_request('check_group_user_existence', expected_status=204,
+ group_id=group1['id'], user_id=user1['id'])
+ # user can check if a user in another domain is in a group in own
+ # domain
+ self.do_request('check_group_user_existence',
+ expected_status=204,
+ group_id=group1['id'], user_id=user2['id'])
+ # user cannot check if a user in own domain is in a group in another
+ # domain
+ self.do_request('check_group_user_existence',
+ expected_status=exceptions.Forbidden,
+ group_id=group2['id'], user_id=user1['id'])
+ # user cannot check if a user in another domain is in a group in
+ # another domain
+ self.do_request('check_group_user_existence',
+ expected_status=exceptions.Forbidden,
+ group_id=group2['id'], user_id=user2['id'])
+ # user gets a 403 for nonexistent group
+ self.do_request('check_group_user_existence',
+ expected_status=exceptions.Forbidden,
+ group_id='fakegroup', user_id=user1['id'])
+ # user gets a 403 for nonexistent user
+ self.do_request('check_group_user_existence',
+ expected_status=exceptions.Forbidden,
+ group_id=group1['id'], user_id='fakeuser')
+
class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_create_group(self):
# user cannot create group in own domain
self.do_request('create_group', expected_status=exceptions.Forbidden,
@@ -1142,11 +1072,6 @@
group_id=group1['id'], user_id='fakeuser')
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py b/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
index 819508c..fa6d9c1 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
@@ -268,16 +268,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
index 73765e4..f73d510 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
@@ -242,16 +242,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
index d2efc6c..456b850 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
@@ -184,7 +184,8 @@
def test_identity_list_limits(self):
reg_limit_id = self.admin_limits_client.create_limits(
- payload=self.limits())['limits'][0]['id']
+ payload=self.limits(project_id=self.persona.credentials.project_id)
+ )['limits'][0]['id']
self.addCleanup(
self.admin_limits_client.delete_limit,
limit_id=reg_limit_id)
@@ -303,20 +304,8 @@
self.addCleanup(
self.admin_limits_client.delete_limit,
limit_id=reg_limit_1)
- # project in own domain
- reg_limit_2 = self.admin_limits_client.create_limits(
- payload=self.limits(project_id=self.own_project)
- )['limits'][0]['id']
- self.addCleanup(
- self.admin_limits_client.delete_limit,
- limit_id=reg_limit_2)
- # cannot get limit for other project
self.do_request('show_limit',
- expected_status=exceptions.Forbidden,
limit_id=reg_limit_1)
- # can get limit for project in own domain
- self.do_request('show_limit',
- limit_id=reg_limit_2)
def test_identity_update_limit(self):
# cannot update limit for arbitrary project
@@ -370,18 +359,40 @@
credentials = ['domain_member', 'system_admin']
+ def test_identity_get_limit(self):
+ # random project
+ reg_limit_1 = self.admin_limits_client.create_limits(
+ payload=self.limits())['limits'][0]['id']
+ self.addCleanup(
+ self.admin_limits_client.delete_limit,
+ limit_id=reg_limit_1)
+ # project in own domain
+ reg_limit_2 = self.admin_limits_client.create_limits(
+ payload=self.limits(project_id=self.own_project)
+ )['limits'][0]['id']
+ self.addCleanup(
+ self.admin_limits_client.delete_limit,
+ limit_id=reg_limit_2)
+ # cannot get limit for other project
+ self.do_request('show_limit',
+ expected_status=exceptions.Forbidden,
+ limit_id=reg_limit_1)
+ # can get limit for project in own domain
+ self.do_request('show_limit',
+ limit_id=reg_limit_2)
+
class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py b/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
index 00b2e6b..c519426 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
@@ -240,16 +240,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_policy.py b/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
index 53cdeb5..df5844f 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
@@ -217,16 +217,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py b/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
index 5c3f514..a3cf76d 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
@@ -454,16 +454,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project.py b/keystone_tempest_plugin/tests/rbac/v3/test_project.py
index 81b64e6..8d975e7 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project.py
@@ -225,6 +225,134 @@
domain_id=self.own_domain
)['project']['id']
self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ # user can create project in other domain
+ project_id = self.do_request(
+ 'create_project', expected_status=201, name=data_utils.rand_name(),
+ domain_id=self.other_domain
+ )['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+
+ def test_identity_get_project(self):
+ # user can get project in own domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ self.do_request('show_project', project_id=project_id)
+ # user can get project in other domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ self.do_request('show_project', project_id=project_id)
+ # user gets a 403 for nonexistent project
+ self.do_request('show_project', expected_status=exceptions.NotFound,
+ project_id=data_utils.rand_uuid_hex())
+
+ def test_identity_list_projects(self):
+ # user can list projects but cannot see project in other domain
+ own_project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project,
+ own_project_id)
+ other_project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project,
+ other_project_id)
+ resp = self.do_request('list_projects')
+ self.assertIn(own_project_id, [d['id'] for d in resp['projects']])
+ self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']])
+
+ def test_identity_list_user_projects(self):
+ # user can list projects for user in own domain
+ user_id = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['user']['id']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name())['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ role_id = self.admin_client.roles_v3_client.create_role(
+ name=data_utils.rand_name())['role']['id']
+ self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+ role_id)
+ self.admin_client.roles_v3_client.create_user_role_on_project(
+ project_id, user_id, role_id)
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=user_id)
+ self.assertIn(project_id, [p['id'] for p in resp['projects']])
+ # user can list projects for user in other domain
+ user_id = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['user']['id']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name())['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ role_id = self.admin_client.roles_v3_client.create_role(
+ name=data_utils.rand_name())['role']['id']
+ self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+ role_id)
+ self.admin_client.roles_v3_client.create_user_role_on_project(
+ project_id, user_id, role_id)
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=user_id)
+ self.assertIn(project_id, [p['id'] for p in resp['projects']])
+ # user can list projects for self
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=self.persona.credentials.user_id)
+ self.assertEqual(0, len([p['id'] for p in resp['projects']]))
+
+ def test_identity_update_project(self):
+ # user can update project in own domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ self.do_request('update_project',
+ project_id=project_id,
+ description=data_utils.arbitrary_string())
+ # user can update project in other domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ self.do_request('update_project',
+ project_id=project_id,
+ description=data_utils.arbitrary_string())
+ # user gets a 404 for nonexistent domain
+ self.do_request('update_project', expected_status=exceptions.NotFound,
+ project_id=data_utils.rand_uuid_hex(),
+ description=data_utils.arbitrary_string())
+
+ def test_identity_delete_project(self):
+ # user can delete project in own domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['project']['id']
+ self.do_request('delete_project', expected_status=204,
+ project_id=project_id)
+ # user can delete project in other domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['project']['id']
+ self.do_request('delete_project', expected_status=204,
+ project_id=project_id)
+
+
+class DomainMemberTests(DomainAdminTests):
+
+ credentials = ['domain_member', 'system_admin']
+
+ def test_identity_create_project(self):
+ # user cannot create project in own domain
+ self.do_request(
+ 'create_project', expected_status=exceptions.Forbidden,
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain
+ )
# user cannot create project in other domain
self.do_request(
'create_project', expected_status=exceptions.Forbidden,
@@ -249,22 +377,6 @@
self.do_request('show_project', expected_status=exceptions.Forbidden,
project_id=data_utils.rand_uuid_hex())
- def test_identity_list_projects(self):
- # user can list projects but cannot see project in other domain
- own_project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.own_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project,
- own_project_id)
- other_project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.other_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project,
- other_project_id)
- resp = self.do_request('list_projects')
- self.assertIn(own_project_id, [d['id'] for d in resp['projects']])
- self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']])
-
def test_identity_list_user_projects(self):
# user can list projects for user in own domain
user_id = self.admin_client.users_v3_client.create_user(
@@ -306,62 +418,6 @@
self.assertEqual(0, len([p['id'] for p in resp['projects']]))
def test_identity_update_project(self):
- # user can update project in own domain
- project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.own_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project, project_id)
- self.do_request('update_project',
- project_id=project_id,
- description=data_utils.arbitrary_string())
- # user cannot update project in other domain
- project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.other_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project, project_id)
- self.do_request('update_project',
- expected_status=exceptions.Forbidden,
- project_id=project_id,
- description=data_utils.arbitrary_string())
- # user gets a 403 for nonexistent domain
- self.do_request('update_project', expected_status=exceptions.Forbidden,
- project_id=data_utils.rand_uuid_hex(),
- description=data_utils.arbitrary_string())
-
- def test_identity_delete_project(self):
- # user can delete project in own domain
- project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.own_domain)['project']['id']
- self.do_request('delete_project', expected_status=204,
- project_id=project_id)
- # user cannot delete project in other domain
- project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.other_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project, project_id)
- self.do_request('delete_project', expected_status=exceptions.Forbidden,
- project_id=project_id)
-
-
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
-
- credentials = ['domain_member', 'system_admin']
-
- def test_identity_create_project(self):
- # user cannot create project in own domain
- self.do_request(
- 'create_project', expected_status=exceptions.Forbidden,
- name=data_utils.rand_name(),
- domain_id=self.own_domain
- )
- # user cannot create project in other domain
- self.do_request(
- 'create_project', expected_status=exceptions.Forbidden,
- name=data_utils.rand_name(), domain_id=self.other_domain
- )
-
- def test_identity_update_project(self):
# user cannot update project in own domain
project_id = self.admin_projects_client.create_project(
name=data_utils.rand_name(),
@@ -406,10 +462,39 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+ def test_identity_list_user_projects(self):
+ user_id = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name())['user']['id']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name())['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ role_id = self.admin_client.roles_v3_client.create_role(
+ name=data_utils.rand_name())['role']['id']
+ self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+ role_id)
+ self.admin_client.roles_v3_client.create_user_role_on_project(
+ project_id, user_id, role_id)
+ # user can list projects for arbitrary user
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=user_id)
+ self.assertIn(project_id, [p['id'] for p in resp['projects']])
+ # user can list projects for self
+ # Project Admin is assigned to a tempest project so we cant re-use
+ # the System Admin test.
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=self.persona.credentials.user_id)
+ self.assertEqual(1, len([p['id'] for p in resp['projects']]))
+
+
+class ProjectMemberTests(DomainReaderTests):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_get_project(self):
# user cannot get arbitrary project
project_id = self.admin_projects_client.create_project(
@@ -457,11 +542,6 @@
[p['id'] for p in resp['projects']])
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py b/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
index 442ca9e..34bb13e 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
@@ -236,16 +236,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py b/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
index 3e6c4a6..646fa86 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
@@ -241,6 +241,103 @@
project_id=self.own_project_id,
tag=tag
)
+ # user can add tags to project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.do_request(
+ 'update_project_tag', expected_status=201,
+ project_id=self.other_project_id,
+ tag=tag
+ )
+
+ def test_identity_get_project_tag(self):
+ # user can get tag for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.own_project_id, tag=tag)
+ self.do_request('check_project_tag_existence',
+ expected_status=204,
+ project_id=self.own_project_id, tag=tag)
+ # user can get tag for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.other_project_id, tag=tag)
+ self.do_request('check_project_tag_existence',
+ expected_status=204,
+ project_id=self.other_project_id, tag=tag)
+
+ def test_identity_list_project_tags(self):
+ # user can list tags for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.own_project_id, tag=tag)
+ resp = self.do_request('list_project_tags',
+ project_id=self.own_project_id)
+ self.assertIn(tag, resp['tags'])
+ # user can list tags for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.other_project_id, tag=tag)
+ resp = self.do_request('list_project_tags',
+ project_id=self.other_project_id)
+ self.assertIn(tag, resp['tags'])
+
+ def test_identity_update_project_tags(self):
+ # user can update tags for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.do_request('update_all_project_tags',
+ project_id=self.own_project_id,
+ tags=[tag])
+ # user can update tags for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.do_request('update_all_project_tags',
+ project_id=self.other_project_id,
+ tags=[tag])
+
+ def test_identity_delete_project_tag(self):
+ # user can delete tag for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.own_project_id, tag=tag)
+ self.do_request('delete_project_tag', expected_status=204,
+ project_id=self.own_project_id,
+ tag=tag)
+ # user can delete tag for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.other_project_id, tag=tag)
+ self.do_request('delete_project_tag',
+ expected_status=204,
+ project_id=self.other_project_id,
+ tag=tag)
+
+ def test_identity_delete_project_tags(self):
+ # user can delete tags for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.own_project_id, tag=tag)
+ self.do_request('delete_all_project_tags', expected_status=204,
+ project_id=self.own_project_id)
+ # user can delete tags for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.other_project_id, tag=tag)
+ self.do_request('delete_all_project_tags',
+ expected_status=204,
+ project_id=self.other_project_id)
+
+
+class DomainMemberTests(DomainAdminTests):
+
+ credentials = ['domain_member', 'system_admin']
+
+ def test_identity_create_project_tag(self):
+ # user cannot add tags to project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.do_request(
+ 'update_project_tag', expected_status=exceptions.Forbidden,
+ project_id=self.own_project_id,
+ tag=tag
+ )
# user cannot add tags to project in other domain
tag = data_utils.rand_uuid_hex()
self.do_request(
@@ -282,72 +379,6 @@
project_id=self.other_project_id)
def test_identity_update_project_tags(self):
- # user can update tags for project in own domain
- tag = data_utils.rand_uuid_hex()
- self.do_request('update_all_project_tags',
- project_id=self.own_project_id,
- tags=[tag])
- # user cannot update tags for project in other domain
- tag = data_utils.rand_uuid_hex()
- self.do_request('update_all_project_tags',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tags=[tag])
-
- def test_identity_delete_project_tag(self):
- # user can delete tag for project in own domain
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.own_project_id, tag=tag)
- self.do_request('delete_project_tag', expected_status=204,
- project_id=self.own_project_id,
- tag=tag)
- # user cannot delete tag for project in other domain
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.other_project_id, tag=tag)
- self.do_request('delete_project_tag',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tag=tag)
-
- def test_identity_delete_project_tags(self):
- # user can delete tags for project in own domain
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.own_project_id, tag=tag)
- self.do_request('delete_all_project_tags', expected_status=204,
- project_id=self.own_project_id)
- # user cannot delete tags for project in other domain
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.other_project_id, tag=tag)
- self.do_request('delete_all_project_tags',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id)
-
-
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
-
- credentials = ['domain_member', 'system_admin']
-
- def test_identity_create_project_tag(self):
- # user cannot add tags to project in own domain
- tag = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_project_tag', expected_status=exceptions.Forbidden,
- project_id=self.own_project_id,
- tag=tag
- )
- # user cannot add tags to project in other domain
- tag = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_project_tag', expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tag=tag
- )
-
- def test_identity_update_project_tags(self):
# user cannot update tags for project in own domain
tag = data_utils.rand_uuid_hex()
self.do_request('update_all_project_tags',
@@ -401,12 +432,17 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest):
+class ProjectAdminTests(DomainAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(DomainMemberTests):
+
+ credentials = ['project_member', 'system_admin']
+
def setUp(self):
- super(ProjectAdminTests, self).setUp()
+ super().setUp()
self.own_project_id = self.persona.credentials.project_id
project_client = self.admin_client.projects_client
self.other_project_id = project_client.create_project(
@@ -414,16 +450,13 @@
self.addCleanup(project_client.delete_project, self.other_project_id)
def test_identity_create_project_tag(self):
- # user can add tags to own project
+ # user cannot add tags to own project
tag = data_utils.rand_uuid_hex()
self.do_request(
- 'update_project_tag', expected_status=201,
+ 'update_project_tag', expected_status=exceptions.Forbidden,
project_id=self.own_project_id,
tag=tag
)
- self.addCleanup(self.admin_project_tags_client.delete_project_tag,
- project_id=self.own_project_id,
- tag=tag)
# user cannot add tags to arbitrary project
tag = data_utils.rand_uuid_hex()
self.do_request(
@@ -471,75 +504,6 @@
project_id=self.other_project_id)
def test_identity_update_project_tags(self):
- # user can update tags for own project
- tag = data_utils.rand_uuid_hex()
- self.do_request('update_all_project_tags',
- project_id=self.own_project_id,
- tags=[tag])
- self.addCleanup(self.admin_project_tags_client.delete_project_tag,
- project_id=self.own_project_id,
- tag=tag)
- # user cannot update tags for arbitrary project
- tag = data_utils.rand_uuid_hex()
- self.do_request('update_all_project_tags',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tags=[tag])
-
- def test_identity_delete_project_tag(self):
- # user can delete tag for own project
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.own_project_id, tag=tag)
- self.do_request('delete_project_tag', expected_status=204,
- project_id=self.own_project_id,
- tag=tag)
- # user cannot delete tag for arbitrary project
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.other_project_id, tag=tag)
- self.do_request('delete_project_tag',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tag=tag)
-
- def test_identity_delete_project_tags(self):
- # user can delete tags for own project
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.own_project_id, tag=tag)
- self.do_request('delete_all_project_tags', expected_status=204,
- project_id=self.own_project_id)
- # user cannot delete tags for arbitrary project
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.other_project_id, tag=tag)
- self.do_request('delete_all_project_tags',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id)
-
-
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
- def test_identity_create_project_tag(self):
- # user cannot add tags to own project
- tag = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_project_tag', expected_status=exceptions.Forbidden,
- project_id=self.own_project_id,
- tag=tag
- )
- # user cannot add tags to arbitrary project
- tag = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_project_tag', expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tag=tag
- )
-
- def test_identity_update_project_tags(self):
# user cannot update tags for own project
tag = data_utils.rand_uuid_hex()
self.do_request('update_all_project_tags',
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py b/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
index 5f9d9a2..f766b1f 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
@@ -287,16 +287,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_region.py b/keystone_tempest_plugin/tests/rbac/v3/test_region.py
index e58206a..ab5969e 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_region.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_region.py
@@ -194,16 +194,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
index c18ed01..31e78e4 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
@@ -207,12 +207,12 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_role.py
index a9815e8..32fa424 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_role.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_role.py
@@ -323,26 +323,10 @@
credentials = ['domain_admin', 'system_admin']
- def test_identity_get_role(self):
- # user cannot get role
- role = self.admin_roles_client.create_role(
- **self.role())['role']
- self.addCleanup(self.admin_roles_client.delete_role, role['id'])
- self.do_request('show_role', expected_status=exceptions.Forbidden,
- role_id=role['id'])
- # user gets a 404 for nonexistent role
- self.do_request('show_role', expected_status=exceptions.NotFound,
- role_id=data_utils.rand_uuid_hex())
-
- def test_identity_list_roles(self):
- # user cannot list roles
- role = self.admin_roles_client.create_role(**self.role())['role']
- self.addCleanup(self.admin_roles_client.delete_role, role['id'])
- self.do_request('list_roles', expected_status=exceptions.Forbidden)
-
def test_identity_get_domain_role(self):
# user cannot get domain role in own domain
- role = self.admin_roles_client.create_role(**self.role())['role']
+ role = self.admin_roles_client.create_role(
+ **self.role(domain_id=self.own_domain))['role']
self.addCleanup(self.admin_roles_client.delete_role, role['id'])
self.do_request('show_role', expected_status=exceptions.Forbidden,
role_id=role['id'])
@@ -369,22 +353,39 @@
credentials = ['domain_member', 'system_admin']
+ def test_identity_get_role(self):
+ # user cannot get role
+ role = self.admin_roles_client.create_role(
+ **self.role())['role']
+ self.addCleanup(self.admin_roles_client.delete_role, role['id'])
+ self.do_request('show_role', expected_status=exceptions.Forbidden,
+ role_id=role['id'])
+ # user gets a 404 for nonexistent role
+ self.do_request('show_role', expected_status=exceptions.NotFound,
+ role_id=data_utils.rand_uuid_hex())
+
+ def test_identity_list_roles(self):
+ # user cannot list roles
+ role = self.admin_roles_client.create_role(**self.role())['role']
+ self.addCleanup(self.admin_roles_client.delete_role, role['id'])
+ self.do_request('list_roles', expected_status=exceptions.Forbidden)
+
class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainMemberTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py b/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
index 7b27294..14e164a 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
@@ -939,24 +939,53 @@
# Should not see subtree assignments for project in other domain
query = {'scope.project.id': self.project_other_domain,
'include_subtree': True}
- self.do_request('list_role_assignments',
- expected_status=exceptions.Forbidden, **query)
+ self.do_request('list_role_assignments', **query)
class DomainMemberTests(DomainAdminTests):
credentials = ['domain_member', 'system_admin']
+ def test_identity_list_role_assignments_for_tree(self):
+ # Should see subtree assignments for project in own domain
+ subproject_id = self.admin_client.projects_client.create_project(
+ name=data_utils.rand_name('project'),
+ domain_id=self.own_domain,
+ parent_id=self.project_in_domain)['project']['id']
+ self.addCleanup(self.admin_client.projects_client.delete_project,
+ subproject_id)
+ self.admin_client.roles_v3_client.create_user_role_on_project(
+ subproject_id, self.user_in_domain, self.role_id)
+ query = {'scope.project.id': self.project_in_domain,
+ 'include_subtree': True}
+ resp = self.do_request('list_role_assignments', **query)
+ actual = self._extract_role_assignments_from_response_body(resp)
+ expected_assignment = {'user_id': self.user_in_domain,
+ 'project_id': subproject_id,
+ 'role_id': self.role_id}
+ self.assertIn(expected_assignment, actual)
+
+ # Should not see subtree assignments for project in other domain
+ query = {'scope.project.id': self.project_other_domain,
+ 'include_subtree': True}
+ self.do_request('list_role_assignments',
+ expected_status=exceptions.Forbidden, **query)
+
class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_list_role_assignments(self):
# Listing all assignments with no filters should fail
self.do_request('list_role_assignments',
@@ -1080,43 +1109,6 @@
self.do_request('list_role_assignments',
expected_status=exceptions.Forbidden, **query)
- # Should see subtree for own project
- own_project = self.persona.credentials.project_id
- subproject_id = self.admin_client.projects_client.create_project(
- name=data_utils.rand_name('project'),
- domain_id=self.own_domain,
- parent_id=own_project)['project']['id']
- self.addCleanup(self.admin_client.projects_client.delete_project,
- subproject_id)
- self.admin_client.roles_v3_client.create_user_role_on_project(
- subproject_id, self.user_other_domain, self.role_id)
- query = {'scope.project.id': own_project,
- 'include_subtree': True}
- resp = self.do_request('list_role_assignments', **query)
- expected_assignment = {'user_id': self.user_other_domain,
- 'project_id': subproject_id,
- 'role_id': self.role_id}
- actual = self._extract_role_assignments_from_response_body(resp)
- self.assertIn(expected_assignment, actual)
-
-
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
- def test_identity_list_role_assignments_for_tree(self):
- # Should not see subtree assignments for project in own domain
- query = {'scope.project.id': self.project_in_domain,
- 'include_subtree': True}
- self.do_request('list_role_assignments',
- expected_status=exceptions.Forbidden, **query)
-
- # Should not see subtree assignments for project in other domain
- query = {'scope.project.id': self.project_other_domain,
- 'include_subtree': True}
- self.do_request('list_role_assignments',
- expected_status=exceptions.Forbidden, **query)
-
# Should not see subtree for own project
own_project = self.persona.credentials.project_id
query = {'scope.project.id': own_project,
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_service.py b/keystone_tempest_plugin/tests/rbac/v3/test_service.py
index a6a9083..616741a 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_service.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_service.py
@@ -218,16 +218,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py b/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
index 6cf54b9..668289b 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
@@ -235,16 +235,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_token.py b/keystone_tempest_plugin/tests/rbac/v3/test_token.py
index e5d10ed..4e654cf 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_token.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_token.py
@@ -229,7 +229,7 @@
credentials = ['system_reader', 'system_admin']
-class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
credentials = ['domain_admin', 'system_admin']
@@ -242,6 +242,11 @@
# call base setUp directly to ensure we don't use system creds
super(SystemAdminTests, self).setUp()
+
+class DomainMemberTests(DomainAdminTests):
+
+ credentials = ['domain_member', 'system_admin']
+
def test_identity_check_token(self):
# user can check own token
self.do_request('check_token_existence', resp_token=self.own_token)
@@ -274,18 +279,27 @@
expected_status=exceptions.Forbidden,
resp_token=self.project_token)
-
-class DomainMemberTests(DomainAdminTests):
-
- credentials = ['domain_member', 'system_admin']
+ def test_identity_revoke_token(self):
+ # user can revoke own token
+ self.do_request('delete_token', expected_status=204,
+ resp_token=self.own_token)
+ # user cannot revoke other system user's token
+ self.do_request('delete_token', expected_status=exceptions.Forbidden,
+ resp_token=self.system_token)
+ # user cannot revoke domain user's token
+ self.do_request('delete_token', expected_status=exceptions.Forbidden,
+ resp_token=self.domain_token)
+ # user cannot revoke project user's token
+ self.do_request('delete_token', expected_status=exceptions.Forbidden,
+ resp_token=self.project_token)
-class DomainReaderTests(DomainAdminTests):
+class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainAdminTests, base.BaseIdentityTest):
+class ProjectAdminTests(DomainAdminTests):
credentials = ['project_admin', 'system_admin']
@@ -299,11 +313,20 @@
super(SystemAdminTests, self).setUp()
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainMemberTests):
credentials = ['project_member', 'system_admin']
+ def setUp(self):
+ self.own_keystone_creds = {
+ 'user_id': self.persona.credentials.user_id,
+ 'password': self.persona.credentials.password,
+ 'project_id': self.persona.credentials.project_id
+ }
+ # call base setUp directly to ensure we don't use system creds
+ super(SystemAdminTests, self).setUp()
-class ProjectReaderTests(ProjectAdminTests):
+
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_trust.py b/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
index c30f9eb..9165503 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
@@ -367,7 +367,7 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
@@ -395,6 +395,35 @@
expected_status=exceptions.Forbidden,
**self.trust())
+
+class ProjectMemberTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
+ def setUp(self):
+ super(ProjectMemberTests, self).setUp()
+ self.role_id = self.member_role_id
+
+ def test_identity_create_trust(self):
+ # user can create a trust for their own project
+ trustor_user_id = self.persona.credentials.user_id
+ project_id = self.persona.credentials.project_id
+ resp = self.do_request(
+ 'create_trust',
+ expected_status=201,
+ **self.trust(
+ trustor=trustor_user_id,
+ project_id=project_id,
+ roles=[{'id': self.role_id}])
+ )['trust']
+ self.addCleanup(self.client.delete_trust, resp['id'])
+
+ # user cannot create trust with another user as trustor
+ self.do_request(
+ 'create_trust',
+ expected_status=exceptions.Forbidden,
+ **self.trust())
+
def test_identity_get_trust(self):
# user can get a trust for which they are trustor
trustor_user_id = self.persona.credentials.user_id
@@ -541,16 +570,7 @@
trust_id=trust_id)
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
- def setUp(self):
- super(ProjectMemberTests, self).setUp()
- self.role_id = self.member_role_id
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_user.py b/keystone_tempest_plugin/tests/rbac/v3/test_user.py
index 7dcfdc7..c031cfe 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_user.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_user.py
@@ -248,114 +248,22 @@
credentials = ['system_reader', 'system_admin']
-class DomainAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
credentials = ['domain_admin', 'system_admin']
- def setUp(self):
- super(DomainAdminTests, self).setUp()
- self.other_domain = self.admin_domains_client.create_domain(
- name=data_utils.rand_name())['domain']
- self.addCleanup(self.admin_domains_client.delete_domain,
- self.other_domain['id'])
- self.addCleanup(self.admin_domains_client.update_domain,
- domain_id=self.other_domain['id'], enabled=False)
-
- def test_identity_create_user(self):
- user_create = self.user()
- # create user in other domain
- user_create['domain_id'] = self.other_domain['id']
- self.do_request('create_user', expected_status=exceptions.Forbidden,
- **user_create)
- # create user in own domain
- user_create['domain_id'] = self.persona.credentials.domain_id
- resp = self.do_request('create_user',
- expected_status=201,
- **user_create)
- self.addCleanup(self.admin_users_client.delete_user,
- resp['user']['id'])
-
- def test_identity_get_user(self):
- user_create = self.user()
- user_create['domain_id'] = self.other_domain['id']
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- # user cannot get user in other domain
- self.do_request('show_user', expected_status=exceptions.Forbidden,
- user_id=user['id'])
- user_create['domain_id'] = self.persona.credentials.domain_id
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- # user can get user in own domain
- resp = self.do_request('show_user', user_id=user['id'])
- self.assertEqual(resp['user']['id'], user['id'])
- # user can get own user
- user_id = self.persona.credentials.user_id
- resp = self.do_request('show_user', user_id=user_id)
- self.assertEqual(resp['user']['id'], user_id)
- # user gets a 403 for nonexistent user
- self.do_request('show_user', expected_status=exceptions.Forbidden,
- user_id='fakeuser')
-
def test_identity_list_users(self):
+ # the /v3/users api filters the response for domain-scoped
+ # tokens to users only in the domain, so we can't re-use
+ # the test from SystemAdminTests
user_create = self.user()
- # create user in other domain
- user_create['domain_id'] = self.other_domain['id']
+ user_create['domain_id'] = self.persona.credentials.domain_id
+ # create user in default domain
user1 = self.admin_users_client.create_user(**user_create)['user']
self.addCleanup(self.admin_users_client.delete_user, user1['id'])
- # create user in own domain
- user_create['domain_id'] = self.persona.credentials.domain_id
- user2 = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user2['id'])
resp = self.do_request('list_users')
user_ids = set(u['id'] for u in resp['users'])
- self.assertNotIn(user1['id'], user_ids)
- self.assertIn(user2['id'], user_ids)
-
- def test_identity_update_user(self):
- user_create = self.user()
- # create user in other domain
- user_create['domain_id'] = self.other_domain['id']
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- user_update = {
- 'user_id': user['id'],
- 'description': data_utils.arbitrary_string()
- }
- self.do_request('update_user', expected_status=exceptions.Forbidden,
- **user_update)
- # create user in own domain
- user_create['domain_id'] = self.persona.credentials.domain_id
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- user_update = {
- 'user_id': user['id'],
- 'description': data_utils.arbitrary_string()
- }
- self.do_request('update_user', **user_update)
- # user gets a 403 for nonexistent user
- user_update = {
- 'user_id': 'fakeuser',
- 'description': data_utils.arbitrary_string()
- }
- self.do_request('update_user', expected_status=exceptions.Forbidden,
- **user_update)
-
- def test_identity_delete_user(self):
- user_create = self.user()
- # create user in other domain
- user_create['domain_id'] = self.other_domain['id']
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- self.do_request('delete_user', expected_status=exceptions.Forbidden,
- user_id=user['id'])
- # create user in own domain
- user_create['domain_id'] = self.persona.credentials.domain_id
- user = self.admin_users_client.create_user(**user_create)['user']
- self.do_request('delete_user', expected_status=204, user_id=user['id'])
- # user gets a 403 for nonexistent user
- self.do_request('delete_user', expected_status=exceptions.Forbidden,
- user_id='fakeuser')
+ self.assertIn(user1['id'], user_ids)
class DomainMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
@@ -475,10 +383,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_create_user(self):
self.do_request('create_user', expected_status=exceptions.Forbidden,
**self.user())
@@ -530,11 +443,6 @@
user_id='fakeuser')
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']