Merge "Replace deprecated tenant_id property"
diff --git a/.zuul.yaml b/.zuul.yaml
index e79337d..44c784f 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -1,6 +1,7 @@
 - job:
     name: keystone-protection-functional
-    parent: keystone-dsvm-py3-functional
+    parent: keystone-tempest
+    voting: false
     vars:
       tempest_test_regex: 'keystone_tempest_plugin.tests.rbac'
       devstack_localrc:
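Review bot: `voting: false` is set on the `keystone-protection-functional` job definition itself, yet the third hunk of this file still lists `- keystone-protection-functional` under `gate: jobs:` after `- keystone-tempest-federation-k2k`; a non-voting job in the gate pipeline runs but can no longer block a merge, so the gate entry is effectively decorative. If the intent is only to stop it from blocking check while the new `keystone-tempest` parent settles, the per-pipeline form already used for `keystone-tempest-federation:` in the check list does that without weakening gate: `- keystone-protection-functional:` followed by `    voting: false` in the check list, and the plain `voting: false` line dropped from the job definition. If the job is meant to be non-voting everywhere, a short comment above it saying so (`# non-voting while the keystone-tempest parent stabilises — TODO restore voting`) would stop the next reader from re-enabling it by accident.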
@@ -9,7 +10,6 @@
         keystone: https://opendev.org/openstack/keystone
       devstack_services:
         g-api: false
-        g-reg: false
         n-api: false
         n-api-meta: false
         n-cond: false
@@ -34,40 +34,40 @@
       devstack_local_conf:
         post-config: {}
 
+- job:
+    name: keystone-tempest-2025-2
+    parent: keystone-tempest
+    nodeset: openstack-single-node-noble
+    override-checkout: stable/2025.2
+
+- job:
+    name: keystone-tempest-2025-1
+    parent: keystone-tempest
+    nodeset: openstack-single-node-noble
+    override-checkout: stable/2025.1
+
+- job:
+    name: keystone-tempest-2024-2
+    parent: keystone-tempest
+    nodeset: openstack-single-node-jammy
+    override-checkout: stable/2024.2
+
 - project:
     templates:
       - check-requirements
       - tempest-plugin-jobs
     check:
       jobs:
-        - keystone-dsvm-py3-functional
-        - keystone-dsvm-py3-functional-federation-ubuntu-focal:
+        - keystone-tempest
+        - keystone-tempest-federation:
             voting: false
-        - keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k
-        - keystone-dsvm-py3-functional-zed
-        - keystone-dsvm-py3-functional-yoga
-        - keystone-dsvm-py3-functional-xena
+        - keystone-tempest-federation-k2k
+        - keystone-tempest-2025-2
+        - keystone-tempest-2025-1
+        - keystone-tempest-2024-2
         - keystone-protection-functional
     gate:
       jobs:
-        - keystone-dsvm-py3-functional
-        - keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k
+        - keystone-tempest
+        - keystone-tempest-federation-k2k
         - keystone-protection-functional
-
-- job:
-    name: keystone-dsvm-py3-functional-zed
-    parent: keystone-dsvm-py3-functional
-    nodeset: openstack-single-node-focal
-    override-checkout: stable/zed
-
-- job:
-    name: keystone-dsvm-py3-functional-yoga
-    parent: keystone-dsvm-py3-functional
-    nodeset: openstack-single-node-focal
-    override-checkout: stable/yoga
-
-- job:
-    name: keystone-dsvm-py3-functional-xena
-    parent: keystone-dsvm-py3-functional
-    nodeset: openstack-single-node-focal
-    override-checkout: stable/xena
diff --git a/README.rst b/README.rst
index e02e663..7bf06be 100644
--- a/README.rst
+++ b/README.rst
@@ -13,4 +13,4 @@
 * Free software: Apache license
 * Documentation: https://docs.openstack.org/keystone/latest/
 * Source: http://opendev.org/openstack/keystone-tempest-plugin
-* Bugs: http://bugs.launchpad.net/keystone_tempest_plugin
+* Bugs: https://bugs.launchpad.net/keystone/
diff --git a/babel.cfg b/babel.cfg
deleted file mode 100644
index 15cd6cb..0000000
--- a/babel.cfg
+++ /dev/null
@@ -1,2 +0,0 @@
-[python: **.py]
-
diff --git a/doc/source/conf.py b/doc/source/conf.py
old mode 100755
new mode 100644
diff --git a/keystone_tempest_plugin/config.py b/keystone_tempest_plugin/config.py
index ae93471..b040fea 100644
--- a/keystone_tempest_plugin/config.py
+++ b/keystone_tempest_plugin/config.py
@@ -44,7 +44,8 @@
     cfg.StrOpt('idp_username',
                help='Username used to login in the Identity Provider'),
     cfg.StrOpt('idp_password',
-               help='Password used to login in the Identity Provider'),
+               help='Password used to login in the Identity Provider',
+               secret=True),
     cfg.StrOpt('idp_ecp_url',
                help='Identity Provider SAML2/ECP URL'),
     cfg.StrOpt('idp_oidc_url',
@@ -56,6 +57,13 @@
     cfg.StrOpt('idp_client_secret',
                help='Identity Provider Client Secret'),
 
+    # existing user (oidc)
+    cfg.StrOpt('idp_test_user_name',
+               help='Identity Provider Test User Name'),
+    cfg.StrOpt('idp_test_user_password',
+               help='Identity Provider Test User Password',
+               secret=True),
+
     # Mapping rules
     cfg.StrOpt('mapping_remote_type',
                help='The assertion attribute to be used in the remote rules'),
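Review bot: `idp_client_secret` (the context lines `cfg.StrOpt('idp_client_secret', help='Identity Provider Client Secret'),` directly above the new block) is still declared without `secret=True`, while this change marks `idp_password` and the new `idp_test_user_password` as secret; oslo.config only masks options flagged `secret=True` when the effective configuration is logged or dumped, so the OIDC client secret would still be written out in clear text. Add the flag there too: `cfg.StrOpt('idp_client_secret', help='Identity Provider Client Secret', secret=True),`. The option list these entries belong to starts before the hunk.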
@@ -81,5 +89,4 @@
     cfg.StrOpt('protocol_id',
                default='mapped',
                help='The Protocol ID'),
-
 ]
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_access_rule.py b/keystone_tempest_plugin/tests/rbac/v3/test_access_rule.py
index 25767fc..1bb5fc4 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_access_rule.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_access_rule.py
@@ -358,7 +358,12 @@
             access_rule_id=data_utils.rand_uuid_hex())
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -477,7 +482,12 @@
             access_rule_id=data_utils.rand_uuid_hex())
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(ProjectAdminTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
index 3ca1680..dd20e31 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
@@ -401,7 +401,12 @@
             application_credential_id=data_utils.rand_uuid_hex())
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -411,14 +416,19 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
-                        base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
+
+class ProjectManagerTests(IdentityV3RbacApplicationCredentialTest,
+                          base.BaseIdentityTest):
+
+    credentials = ['project_manager', 'system_admin']
+
     @classmethod
     def setup_clients(cls):
-        super(ProjectAdminTests, cls).setup_clients()
+        super().setup_clients()
         cls.test_user_client, cls.test_user_id = cls.setup_user_client()
 
     def test_identity_create_application_credential(self):
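Review bot: `ProjectAdminTests` is re-parented onto `SystemAdminTests`, so a project-scoped admin is now expected to get exactly the system-admin results for every application-credential API, and the same re-parenting is made in test_consumer.py, test_credential.py (where `DomainAdminTests` also moves to `SystemAdminTests` and drops its explicit Forbidden tests), test_domain.py, test_domain_config.py, test_ec2_credential.py, test_endpoint.py and test_endpoint_group.py; nothing in the code records why, and this is the kind of policy assumption a later default-policy change invalidates silently. A one-line class comment at each re-parented class would make the expectation reviewable, e.g. `# NOTE: project_admin is expected to match the system_admin results for this API (policy-dependent; revisit if the default policies change)`. The `ProjectManagerTests` class introduced here, now carrying `setup_clients`, continues past the end of the hunk.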
@@ -555,11 +565,11 @@
             application_credential_id=data_utils.rand_uuid_hex())
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py b/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
index b7dbb95..8193da8 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
@@ -171,7 +171,12 @@
                         expected_status=exceptions.Forbidden)
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -181,16 +186,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
index 5b1bee2..c3f8631 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
@@ -339,103 +339,14 @@
     credentials = ['system_reader', 'system_admin']
 
 
-class DomainAdminTests(IdentityV3RbacCredentialTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
 
     credentials = ['domain_admin', 'system_admin']
 
-    def test_identity_create_credential(self):
-        # domain admins cannot create credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            self.do_request(
-                'create_credential',
-                expected_status=exceptions.Forbidden,
-                **self.credential(user_id=u))
 
-    def test_identity_get_credential(self):
-        # domain admins cannot get credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            cred = self.admin_credentials_client.create_credential(
-                **self.credential(user_id=u))['credential']
-            self.addCleanup(
-                self.admin_credentials_client.delete_credential, cred['id'])
-            self.do_request(
-                'show_credential',
-                expected_status=exceptions.Forbidden,
-                credential_id=cred['id'])
-        # non-existent credential is Forbidden
-        self.do_request(
-            'show_credential',
-            expected_status=exceptions.Forbidden,
-            credential_id=data_utils.rand_uuid_hex())
+class DomainManagerTests(SystemReaderTests):
 
-    def test_identity_list_credentials(self):
-        # domain admins cannot list credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            cred = self.admin_credentials_client.create_credential(
-                **self.credential(user_id=u))['credential']
-            self.addCleanup(
-                self.admin_credentials_client.delete_credential, cred['id'])
-            self.do_request(
-                'list_credentials',
-                expected_status=exceptions.Forbidden)
-
-    def test_identity_update_credential(self):
-        # domain admins cannot update credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            cred = self.credential(user_id=u)
-            resp = self.admin_credentials_client.create_credential(
-                **cred)['credential']
-            self.addCleanup(
-                self.admin_credentials_client.delete_credential, resp['id'])
-            cred['blob'] = data_utils.rand_uuid_hex()
-            self.do_request(
-                'update_credential',
-                expected_status=exceptions.Forbidden,
-                credential_id=resp['id'], **cred)
-        # non-existent credential is Forbidden
-        self.do_request(
-            'update_credential',
-            expected_status=exceptions.Forbidden,
-            credential_id=data_utils.rand_uuid_hex(),
-            **self.credential(user_id=user_id))
-
-    def test_identity_delete_credential(self):
-        # domain admins cannot delete credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            cred = self.credential(user_id=u)
-            resp = self.admin_credentials_client.create_credential(
-                **cred)['credential']
-            self.addCleanup(
-                self.admin_credentials_client.delete_credential, resp['id'])
-            self.do_request(
-                'delete_credential',
-                expected_status=exceptions.Forbidden,
-                credential_id=resp['id'])
-        # non-existent credential is Forbidden
-        self.do_request(
-            'delete_credential',
-            expected_status=exceptions.Forbidden,
-            credential_id=data_utils.rand_uuid_hex())
-
-
-class DomainMemberTests(DomainAdminTests):
-
-    credentials = ['domain_member', 'system_admin']
-
-
-class DomainReaderTests(DomainAdminTests):
-
-    credentials = ['domain_reader', 'system_admin']
-
-
-class ProjectAdminTests(SystemReaderTests):
-
-    credentials = ['project_admin', 'system_admin']
+    credentials = ['domain_manager', 'system_admin']
 
     def test_identity_get_credential(self):
         # user can get their own credential
@@ -480,11 +391,31 @@
             self.assertNotIn(cred['id'], [c['id'] for c in resp])
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class DomainMemberTests(DomainManagerTests):
+
+    credentials = ['domain_member', 'system_admin']
+
+
+class DomainReaderTests(DomainMemberTests):
+
+    credentials = ['domain_reader', 'system_admin']
+
+
+class ProjectAdminTests(SystemAdminTests):
+
+    credentials = ['project_admin', 'system_admin']
+
+
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_domain.py b/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
index 13f0b71..637f7ad 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
@@ -31,6 +31,7 @@
         cls.client = cls.persona.domains_client
         admin_client = cls.os_system_admin
         cls.admin_domains_client = admin_client.domains_client
+        cls.own_domain = cls.persona.credentials.domain_id
 
     @abc.abstractmethod
     def test_identity_create_domain(self):
@@ -176,18 +177,58 @@
 
     credentials = ['domain_admin', 'system_admin']
 
+    def test_identity_list_domains(self):
+        domain_id = self.persona.credentials.domain_id
+        other_domain_id = self.admin_domains_client.create_domain(
+            name=data_utils.rand_name())['domain']['id']
+        self.addCleanup(self.admin_domains_client.delete_domain,
+                        other_domain_id)
+        self.addCleanup(self.admin_domains_client.update_domain,
+                        domain_id=other_domain_id, enabled=False)
+        resp = self.do_request('list_domains')
+        self.assertIn(domain_id, [d['id'] for d in resp['domains']])
+        self.assertNotIn(other_domain_id, [d['id'] for d in resp['domains']])
+
+
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
     def test_identity_get_domain(self):
         domain_id = self.admin_domains_client.create_domain(
             name=data_utils.rand_name())['domain']['id']
         self.addCleanup(self.admin_domains_client.delete_domain, domain_id)
         self.addCleanup(self.admin_domains_client.update_domain,
                         domain_id=domain_id, enabled=False)
+        # user can get own domain
+        self.do_request('show_domain', domain_id=self.own_domain)
+        # user gets a 403 for foreign domain
         self.do_request('show_domain', expected_status=exceptions.Forbidden,
                         domain_id=domain_id)
         # user gets a 403 for nonexistent domain
         self.do_request('show_domain', expected_status=exceptions.Forbidden,
                         domain_id=data_utils.rand_uuid_hex())
 
+
+class DomainMemberTests(DomainManagerTests):
+
+    credentials = ['domain_member', 'system_admin']
+
+
+class DomainReaderTests(DomainMemberTests):
+
+    credentials = ['domain_reader', 'system_admin']
+
+
+class ProjectAdminTests(SystemAdminTests):
+
+    credentials = ['project_admin', 'system_admin']
+
+
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
     def test_identity_list_domains(self):
         domain_id = self.admin_domains_client.create_domain(
             name=data_utils.rand_name())['domain']['id']
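Review bot: `test_identity_list_domains` in `DomainAdminTests` reads `self.persona.credentials.domain_id` directly even though the first hunk of this file adds `cls.own_domain` for exactly that value, and the new `test_identity_get_domain` in `DomainManagerTests` already uses `self.own_domain`; use `domain_id = self.own_domain` so the two stay in step. The two `addCleanup` calls rely on LIFO ordering (the domain is disabled before it is deleted), which is easy to misread as "delete first"; a comment such as `# cleanups run LIFO: disable the domain first, then delete it` above them would help. `ProjectManagerTests.test_identity_list_domains` at the bottom of the hunk continues outside it.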
@@ -198,26 +239,11 @@
                         expected_status=exceptions.Forbidden)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
-
-    credentials = ['domain_member', 'system_admin']
-
-
-class DomainReaderTests(DomainMemberTests):
-
-    credentials = ['domain_reader', 'system_admin']
-
-
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
-
-    credentials = ['project_admin', 'system_admin']
-
-
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py b/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
index 8f1fdbf..ce900d3 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
@@ -356,7 +356,12 @@
             expected_status=exceptions.Forbidden, group='ldap', option='url')
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -366,16 +371,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
index 6c7d19b..fa1ae32 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
@@ -464,7 +464,12 @@
             access=data_utils.rand_uuid_hex())
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -474,10 +479,15 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(SystemReaderTests):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
+
+class ProjectManagerTests(SystemReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
     def test_identity_ec2_get_credential(self):
         # user can get their own credential
         user_id = self.persona.credentials.user_id
@@ -534,11 +544,11 @@
                         user_id=self.test_user_2)
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
index 48dfb19..8894da1 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
@@ -220,7 +220,12 @@
         self.do_request('list_endpoints', expected_status=exceptions.Forbidden)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -230,16 +235,20 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
-
+class ProjectAdminTests(SystemAdminTests):
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
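Review bot: `class ProjectAdminTests(SystemAdminTests):` is immediately followed by `credentials = ['project_admin', 'system_admin']` with no blank line, because the hunk removes the blank line that sat there before; every other class in this file and in the sibling rbac test modules keeps one blank line between the `class` line and the `credentials` attribute. Restore the blank line so the file stays uniform.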
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
index 6cca108..258c38a 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
@@ -496,7 +496,12 @@
                         project_id=project)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -506,16 +511,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_grant.py b/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
index e88b679..3681b9c 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
@@ -44,6 +44,8 @@
             name=data_utils.rand_name('role'))['role']['id']
         cls.addClassResourceCleanup(
             cls.admin_client.roles_v3_client.delete_role, cls.role_id)
+        cls.member_role_id = cls.admin_client.roles_v3_client.list_roles(
+            name='member')['roles'][0]['id']
 
         # own domain - if system or project user, this will be the user's
         # namespace and isn't applicable for RBAC testing
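Review bot: `cls.member_role_id = ...list_roles(name='member')['roles'][0]['id']` indexes `[0]` without checking that the lookup returned anything, so a deployment with no role named exactly `member` fails class setup with a bare `IndexError` rather than a message naming the missing role. A guard makes the precondition explicit: `roles = cls.admin_client.roles_v3_client.list_roles(name='member')['roles']`, `if not roles: raise cls.skipException("no role named 'member' found")`, `cls.member_role_id = roles[0]['id']`. The enclosing setup method starts before the hunk, so whether `member_role_id` is used by the new tests is not visible here.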
@@ -1181,6 +1183,1637 @@
             group_id=self.group_in_domain,
             role_id=self.role_own_domain)
         # role in other domain, project in own domain, user in own domain
+        # (none created, should 404)
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in own domain, group in own domain
+        # (none created, should 404)
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, domain in own domain, user in own domain
+        # (none created, should 404)
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, domain in own domain, group in own domain
+        # (none created, should 404)
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.NotFound,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        #####################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #####################################################
+        # global role, project in own domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, project in own domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # global role, own domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, own domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # role in own domain, project in own domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in own domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, domain in own domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, domain in own domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in own domain, user in other domain
+        # (none created, should 404)
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in own domain, group in other domain
+        # (none created, should 404)
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, domain in own domain, user in other domain
+        # (none created, should 404)
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, domain in own domain, group in other domain
+        # (none created, should 404)
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.NotFound,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        #####################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+        #####################################################
+        # global role, project in other domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, project in other domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role, other domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, other domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # role in own domain, project in other domain, user in own domain
+        # (none created, should 404)
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in other domain, group in own domain
+        # (none created, should 404)
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, user in own domain
+        # (none created, should 404)
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, group in own domain
+        # (none created, should 404)
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.NotFound,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in other domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in other domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        #######################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #######################################################
+        # global role, project in other domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, project in other domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # global role, other domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, other domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # role in own domain, project in other domain, user in other domain
+        # (none created, should 404)
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in other domain, group in other domain
+        # (none created, should 404)
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, user in other domain
+        # (none created, should 404)
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, group in other domain
+        # (none created, should 404)
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.NotFound,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in other domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in other domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+
+    def test_identity_list_grants(self):
+        ###################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+        ###################################################
+        # project in other domain, user in other domain
+        self.do_request(
+            'list_user_roles_on_project',
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain)
+        # project in other domain, group in other domain
+        self.do_request(
+            'list_group_roles_on_project',
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain)
+        # other domain, user in other domain
+        self.do_request(
+            'list_user_roles_on_domain',
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain)
+        # other domain, group in other domain
+        self.do_request(
+            'list_group_roles_on_domain',
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain)
+        #####################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #####################################################
+        # project in other domain, user in other domain
+        self.do_request(
+            'list_user_roles_on_project',
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain)
+        # project in other domain, group in other domain
+        self.do_request(
+            'list_group_roles_on_project',
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain)
+        # other domain, user in other domain
+        self.do_request(
+            'list_user_roles_on_domain',
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain)
+        # other domain, group in other domain
+        self.do_request(
+            'list_group_roles_on_domain',
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain)
+        #####################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+        #####################################################
+        # project in other domain, user in other domain
+        self.do_request(
+            'list_user_roles_on_project',
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain)
+        # project in other domain, group in other domain
+        self.do_request(
+            'list_group_roles_on_project',
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain)
+        # other domain, user in other domain
+        self.do_request(
+            'list_user_roles_on_domain',
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain)
+        # other domain, group in other domain
+        self.do_request(
+            'list_group_roles_on_domain',
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain)
+        #######################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #######################################################
+        # project in other domain, user in other domain
+        self.do_request(
+            'list_user_roles_on_project',
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain)
+        # project in other domain, group in other domain
+        self.do_request(
+            'list_group_roles_on_project',
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain)
+        # other domain, user in other domain
+        self.do_request(
+            'list_user_roles_on_domain',
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain)
+        # other domain, group in other domain
+        self.do_request(
+            'list_group_roles_on_domain',
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain)
+
+    def test_identity_create_grant(self):
+        ###################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+        ###################################################
+        # global role, project in own domain, user in own domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, project in own domain, group in own domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role, own domain, user in own domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, own domain, group in own domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # role in own domain, project in own domain, user in own domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in own domain, group in own domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, own domain, user in own domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, own domain, group in own domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in own domain, user in own domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in own domain, group in own domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, own domain, user in own domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, own domain, group in own domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        #####################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #####################################################
+        # global role, project in own domain, user in other domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, project in own domain, group in other domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # global role, own domain, user in other domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, own domain, group in other domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # role in own domain, project in own domain, user in other domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in own domain, group in other domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, own domain, user in other domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, own domain, group in other domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in own domain, user in other domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in own domain, group in other domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, own domain, user in other domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # TODO(dmendiza): This test is a repeat form line 1705
+        # Since grants are idempotent, after this second test there is only
+        # one object, which gets cleaned by the previous cleanup and makes
+        # the below cleanup fail.  Not sure why we're testing the same
+        # data twice.  Maybe we can delete this second test?
+        # self.addCleanup(
+        #     self.admin_roles_client.delete_role_from_user_on_domain,
+        #     domain_id=self.own_domain,
+        #     user_id=self.user_other_domain,
+        #     role_id=self.role_other_domain)
+        # role in other domain, own domain, group in other domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # TODO(dmendiza): This test is also repeated from line 1710
+        # self.addCleanup(
+        #     self.admin_roles_client.delete_role_from_group_on_domain,
+        #     domain_id=self.own_domain,
+        #     group_id=self.group_other_domain,
+        #     role_id=self.role_other_domain)
+        #####################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+        #####################################################
+        # global role, project in other domain, user in own domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, project in other domain, group in own domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role, other domain, user in own domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, other domain, group in own domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # role in own domain, project in other domain, user in own domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in other domain, group in own domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, user in own domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, group in own domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in other domain, user in own domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in other domain, group in own domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, user in own domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, group in own domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        #######################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #######################################################
+        # global role, project in other domain, user in other domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, project in other domain, group in other domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # global role, other domain, user in other domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, other domain, group in other domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # role in own domain, project in other domain, user in other domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in other domain, group in other domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, user in other domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, group in other domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in other domain, user in other domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in other domain, group in other domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, user in other domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, group in other domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+
+    def test_identity_revoke_grant(self):
+        ###################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+        ###################################################
+        # global role, project in own domain, user in own domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, project in own domain, group in own domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role, own domain, user in own domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, own domain, group in own domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # role in own domain, project in own domain, user in own domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in own domain, group in own domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, own domain, user in own domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, own domain, group in own domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in own domain, user in own domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in own domain, group in own domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, own domain, user in own domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, own domain, group in own domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        #####################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #####################################################
+        # global role, project in own domain, user in other domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, project in own domain, group in other domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # global role, own domain, user in other domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, own domain, group in other domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # role in own domain, project in own domain, user in other domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in own domain, group in other domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, own domain, user in other domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, own domain, group in other domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in own domain, user in other domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in own domain, group in other domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, own domain, user in other domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, own domain, group in other domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        #####################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+        #####################################################
+        # global role, project in other domain, user in own domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, project in other domain, group in own domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role, other domain, user in own domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, other domain, group in own domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # role in own domain, project in other domain, user in own domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in other domain, group in own domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, user in own domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, group in own domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in other domain, user in own domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in other domain, group in own domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, user in own domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, group in own domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        #######################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #######################################################
+        # global role, project in other domain, user in other domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, project in other domain, group in other domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # global role, other domain, user in other domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, other domain, group in other domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # role in own domain, project in other domain, user in other domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in other domain, group in other domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=exceptions.NotFound,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, user in other domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, group in other domain
+        # role assignment does not exist, should 404
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=exceptions.NotFound,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in other domain, user in other domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in other domain, group in other domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, user in other domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, group in other domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+
+    def test_identity_list_system_grants_for_user(self):
+        self.do_request('list_user_roles_on_system',
+                        expected_status=exceptions.Forbidden,
+                        user_id=self.user_other_domain)
+        self.do_request('list_user_roles_on_system',
+                        expected_status=exceptions.Forbidden,
+                        user_id=self.user_other_domain)
+
+    def test_identity_check_system_grant_for_user(self):
+        self.do_request('check_user_role_existence_on_system',
+                        exceptions.Forbidden,
+                        user_id=self.user_other_domain,
+                        role_id=self.role_id)
+        self.do_request('check_user_role_existence_on_system',
+                        exceptions.Forbidden,
+                        user_id=self.user_other_domain,
+                        role_id=self.role_id)
+
+    def test_identity_create_system_grant_for_user(self):
+        self.do_request(
+            'create_user_role_on_system',
+            expected_status=exceptions.Forbidden,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'create_user_role_on_system',
+            expected_status=exceptions.Forbidden,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+
+    def test_identity_revoke_system_grant_for_user(self):
+        # user in own domain
+        self.admin_roles_client.create_user_role_on_system(
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_system,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_system',
+            expected_status=exceptions.Forbidden,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # user in other domain
+        self.admin_roles_client.create_user_role_on_system(
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_system,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_user_on_system',
+            expected_status=exceptions.Forbidden,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+
+    def test_identity_list_system_grants_for_group(self):
+        self.do_request('list_group_roles_on_system',
+                        expected_status=exceptions.Forbidden,
+                        group_id=self.group_in_domain)
+        self.do_request('list_group_roles_on_system',
+                        expected_status=exceptions.Forbidden,
+                        group_id=self.group_other_domain)
+
+    def test_identity_check_system_grant_for_group(self):
+        self.do_request('check_role_from_group_on_system_existence',
+                        exceptions.Forbidden,
+                        group_id=self.group_other_domain,
+                        role_id=self.role_id)
+        self.do_request('check_role_from_group_on_system_existence',
+                        exceptions.Forbidden,
+                        group_id=self.group_other_domain,
+                        role_id=self.role_id)
+
+    def test_identity_create_system_grant_for_group(self):
+        self.do_request(
+            'create_group_role_on_system',
+            expected_status=exceptions.Forbidden,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'create_group_role_on_system',
+            expected_status=exceptions.Forbidden,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+
+    def test_identity_revoke_system_grant_for_group(self):
+        # group in own domain
+        self.admin_roles_client.create_group_role_on_system(
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_system,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_system',
+            expected_status=exceptions.Forbidden,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # group in other domain
+        self.admin_roles_client.create_group_role_on_system(
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_system,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        self.do_request(
+            'delete_role_from_group_on_system',
+            expected_status=exceptions.Forbidden,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+
+
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+    def test_identity_check_grant(self):
+        ###################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+        ###################################################
+        # global role, project in own domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, project in own domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role, own domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, own domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # role in own domain, project in own domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in own domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, domain in own domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, domain in own domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in own domain, user in own domain
         # (none created, should 403)
         self.do_request(
             'check_user_role_existence_on_project',
@@ -1597,59 +3230,115 @@
         ###################################################
         # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
         ###################################################
-        # global role, project in own domain, user in own domain
+        # global role permitted for domain managers,
+        # project in own domain, user in own domain
         self.do_request(
             'create_user_role_on_project',
             expected_status=204,
             project_id=self.project_in_domain,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
-        # global role, project in own domain, group in own domain
+            role_id=self.member_role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_project,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.member_role_id)
+        # global role permitted for domain managers,
+        # project in own domain, group in own domain
         self.do_request(
             'create_group_role_on_project',
             expected_status=204,
             project_id=self.project_in_domain,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
-        # global role, own domain, user in own domain
+            role_id=self.member_role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_project,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.member_role_id)
+        # global role permitted for domain managers,
+        # own domain, user in own domain
         self.do_request(
             'create_user_role_on_domain',
             expected_status=204,
             domain_id=self.own_domain,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
-        # global role, own domain, group in own domain
+            role_id=self.member_role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_user_on_domain,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.member_role_id)
+        # global role permitted for domain managers,
+        # own domain, group in own domain
         self.do_request(
             'create_group_role_on_domain',
             expected_status=204,
             domain_id=self.own_domain,
             group_id=self.group_in_domain,
+            role_id=self.member_role_id)
+        self.addCleanup(
+            self.admin_roles_client.delete_role_from_group_on_domain,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.member_role_id)
+        # global role not permitted for domain managers,
+        # project in own domain, user in own domain
+        self.do_request(
+            'create_user_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role not permitted for domain managers,
+        # project in own domain, group in own domain
+        self.do_request(
+            'create_group_role_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role not permitted for domain managers,
+        # own domain, user in own domain
+        self.do_request(
+            'create_user_role_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role not permitted for domain managers,
+        # own domain, group in own domain
+        self.do_request(
+            'create_group_role_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
             role_id=self.role_id)
         # role in own domain, project in own domain, user in own domain
         self.do_request(
             'create_user_role_on_project',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             user_id=self.user_in_domain,
             role_id=self.role_own_domain)
         # role in own domain, project in own domain, group in own domain
         self.do_request(
             'create_group_role_on_project',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             group_id=self.group_in_domain,
             role_id=self.role_own_domain)
         # role in own domain, own domain, user in own domain
         self.do_request(
             'create_user_role_on_domain',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             user_id=self.user_in_domain,
             role_id=self.role_own_domain)
         # role in own domain, own domain, group in own domain
         self.do_request(
             'create_group_role_on_domain',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             group_id=self.group_in_domain,
             role_id=self.role_own_domain)
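Review bot: The four `role_own_domain` cases at the end of this hunk flip from 204 to Forbidden while their comments still read only `# role in own domain, project in own domain, user in own domain`, so nothing in the test says why a domain manager may no longer grant a role that lives in its own domain. A one-line reason next to the first of them, e.g. `# domain-specific role is outside the domain manager's assignable role set, should 403`, would keep these in step with the "permitted"/"not permitted" wording the hunk introduces above. The same goes for `member_role_id`: whether `member` is in the assignable set appears to come from deployment configuration rather than from anything this test sets up, so a comment at the top of the section stating that dependency would help anyone running the plugin against a differently configured keystone. The enclosing test method starts outside this hunk.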
@@ -1690,28 +3379,28 @@
             expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, project in own domain, group in other domain
         self.do_request(
             'create_group_role_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, own domain, user in other domain
         self.do_request(
             'create_user_role_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, own domain, group in other domain
         self.do_request(
             'create_group_role_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # role in own domain, project in own domain, user in other domain
         self.do_request(
             'create_user_role_on_project',
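Review bot: The cross-domain Forbidden cases now pass `member_role_id`, but the comments above them still say just `# global role, ...`, which no longer distinguishes them from the `role_id` ("not permitted") cases introduced in the earlier hunk. Since the point of these calls is now that the 403 comes from the domain boundary and not from the role restriction, the label should say so, e.g. `# permitted global role, project in own domain, user in other domain (identity outside own domain, should 403)`. The same applies to the hunks at `@@ -1777`, `@@ -1864`, `@@ -2074`, `@@ -2197` and `@@ -2320`, which make the identical substitution. The enclosing test methods start and end outside these hunks.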
@@ -1761,7 +3450,6 @@
             domain_id=self.own_domain,
             user_id=self.user_other_domain,
             role_id=self.role_other_domain)
-        # role in other domain, own domain, group in other domain
         self.do_request(
             'create_group_role_on_domain',
             expected_status=exceptions.Forbidden,
@@ -1777,28 +3465,28 @@
             expected_status=exceptions.Forbidden,
             project_id=self.project_other_domain,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, project in other domain, group in own domain
         self.do_request(
             'create_group_role_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_other_domain,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, other domain, user in own domain
         self.do_request(
             'create_user_role_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.other_domain,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, other domain, group in own domain
         self.do_request(
             'create_group_role_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.other_domain,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # role in own domain, project in other domain, user in own domain
         self.do_request(
             'create_user_role_on_project',
@@ -1864,28 +3552,28 @@
             expected_status=exceptions.Forbidden,
             project_id=self.project_other_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, project in other domain, group in other domain
         self.do_request(
             'create_group_role_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_other_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, other domain, user in other domain
         self.do_request(
             'create_user_role_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.other_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, other domain, group in other domain
         self.do_request(
             'create_group_role_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.other_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # role in own domain, project in other domain, user in other domain
         self.do_request(
             'create_user_role_on_project',
@@ -1947,47 +3635,99 @@
         ###################################################
         # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
         ###################################################
-        # global role, project in own domain, user in own domain
+        # global role permitted for domain managers,
+        # project in own domain, user in own domain
+        self.admin_roles_client.create_user_role_on_project(
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.member_role_id)
+        self.do_request(
+            'delete_role_from_user_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.member_role_id)
+        # global role permitted for domain managers,
+        # project in own domain, group in own domain
+        self.admin_roles_client.create_group_role_on_project(
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.member_role_id)
+        self.do_request(
+            'delete_role_from_group_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.member_role_id)
+        # global role permitted for domain managers,
+        # own domain, user in own domain
+        self.admin_roles_client.create_user_role_on_domain(
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.member_role_id)
+        self.do_request(
+            'delete_role_from_user_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.member_role_id)
+        # global role permitted for domain managers,
+        # own domain, group in own domain
+        self.admin_roles_client.create_group_role_on_domain(
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.member_role_id)
+        self.do_request(
+            'delete_role_from_group_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.member_role_id)
+        # global role not permitted for domain managers,
+        # project in own domain, user in own domain
         self.admin_roles_client.create_user_role_on_project(
             project_id=self.project_in_domain,
             user_id=self.user_in_domain,
             role_id=self.role_id)
         self.do_request(
             'delete_role_from_user_on_project',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             user_id=self.user_in_domain,
             role_id=self.role_id)
-        # global role, project in own domain, group in own domain
+        # global role not permitted for domain managers,
+        # project in own domain, group in own domain
         self.admin_roles_client.create_group_role_on_project(
             project_id=self.project_in_domain,
             group_id=self.group_in_domain,
             role_id=self.role_id)
         self.do_request(
             'delete_role_from_group_on_project',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             group_id=self.group_in_domain,
             role_id=self.role_id)
-        # global role, own domain, user in own domain
+        # global role not permitted for domain managers,
+        # own domain, user in own domain
         self.admin_roles_client.create_user_role_on_domain(
             domain_id=self.own_domain,
             user_id=self.user_in_domain,
             role_id=self.role_id)
         self.do_request(
             'delete_role_from_user_on_domain',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             user_id=self.user_in_domain,
             role_id=self.role_id)
-        # global role, own domain, group in own domain
+        # global role not permitted for domain managers,
+        # own domain, group in own domain
         self.admin_roles_client.create_group_role_on_domain(
             domain_id=self.own_domain,
             group_id=self.group_in_domain,
             role_id=self.role_id)
         self.do_request(
             'delete_role_from_group_on_domain',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             group_id=self.group_in_domain,
             role_id=self.role_id)
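Review bot: The `member_role_id` grants that `admin_roles_client` creates at the top of this hunk have no `addCleanup`, unlike the system-grant cases further down the file, so if one of the expected-204 deletes fails the assignment stays on the shared user or group until whatever teardown the fixture does outside this hunk. Registering `self.addCleanup(self.admin_roles_client.delete_role_from_user_on_project, project_id=self.project_in_domain, user_id=self.user_in_domain, role_id=self.member_role_id)` after each create, wrapped so that a NotFound for an already-deleted grant is ignored, would make the four cases self-contained. The `role_id` and `role_own_domain` cases that follow (including the four one-line hunks from `@@ -1998` to `@@ -2031`) leave their grant in place because the Forbidden delete is the assertion, and `test_identity_check_grant` appears to expect those grants to exist, so they look intended rather than leaked. The enclosing test method starts and ends outside this hunk.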
@@ -1998,7 +3738,7 @@
             role_id=self.role_own_domain)
         self.do_request(
             'delete_role_from_user_on_project',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             user_id=self.user_in_domain,
             role_id=self.role_own_domain)
@@ -2009,7 +3749,7 @@
             role_id=self.role_own_domain)
         self.do_request(
             'delete_role_from_group_on_project',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             group_id=self.group_in_domain,
             role_id=self.role_own_domain)
@@ -2020,7 +3760,7 @@
             role_id=self.role_own_domain)
         self.do_request(
             'delete_role_from_user_on_domain',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             user_id=self.user_in_domain,
             role_id=self.role_own_domain)
@@ -2031,7 +3771,7 @@
             role_id=self.role_own_domain)
         self.do_request(
             'delete_role_from_group_on_domain',
-            expected_status=204,
+            expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             group_id=self.group_in_domain,
             role_id=self.role_own_domain)
@@ -2074,46 +3814,46 @@
         self.admin_roles_client.create_user_role_on_project(
             project_id=self.project_in_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_user_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, project in own domain, group in other domain
         self.admin_roles_client.create_group_role_on_project(
             project_id=self.project_in_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_group_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_in_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, own domain, user in other domain
         self.admin_roles_client.create_user_role_on_domain(
             domain_id=self.own_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_user_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, own domain, group in other domain
         self.admin_roles_client.create_group_role_on_domain(
             domain_id=self.own_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_group_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.own_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # role in own domain, project in own domain, user in other domain
         self.admin_roles_client.create_user_role_on_project(
             project_id=self.project_in_domain,
@@ -2197,46 +3937,46 @@
         self.admin_roles_client.create_user_role_on_project(
             project_id=self.project_other_domain,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_user_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_other_domain,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, project in other domain, group in own domain
         self.admin_roles_client.create_group_role_on_project(
             project_id=self.project_other_domain,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_group_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_other_domain,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, other domain, user in own domain
         self.admin_roles_client.create_user_role_on_domain(
             domain_id=self.other_domain,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_user_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.other_domain,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, other domain, group in own domain
         self.admin_roles_client.create_group_role_on_domain(
             domain_id=self.other_domain,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_group_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.other_domain,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # role in own domain, project in other domain, user in own domain
         # role assignment does not exist, should 403
         self.do_request(
@@ -2320,46 +4060,46 @@
         self.admin_roles_client.create_user_role_on_project(
             project_id=self.project_other_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_user_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_other_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, project in other domain, group in other domain
         self.admin_roles_client.create_group_role_on_project(
             project_id=self.project_other_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_group_on_project',
             expected_status=exceptions.Forbidden,
             project_id=self.project_other_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, other domain, user in other domain
         self.admin_roles_client.create_user_role_on_domain(
             domain_id=self.other_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_user_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.other_domain,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # global role, other domain, group in other domain
         self.admin_roles_client.create_group_role_on_domain(
             domain_id=self.other_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_group_on_domain',
             expected_status=exceptions.Forbidden,
             domain_id=self.other_domain,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # role in own domain, project in other domain, user in other domain
         # role assignment does not exist, should 403
         self.do_request(
@@ -2437,127 +4177,418 @@
             group_id=self.group_other_domain,
             role_id=self.role_other_domain)
 
-    def test_identity_list_system_grants_for_user(self):
-        self.do_request('list_user_roles_on_system',
-                        expected_status=exceptions.Forbidden,
-                        user_id=self.user_other_domain)
-        self.do_request('list_user_roles_on_system',
-                        expected_status=exceptions.Forbidden,
-                        user_id=self.user_other_domain)
-
-    def test_identity_check_system_grant_for_user(self):
-        self.do_request('check_user_role_existence_on_system',
-                        exceptions.Forbidden,
-                        user_id=self.user_other_domain,
-                        role_id=self.role_id)
-        self.do_request('check_user_role_existence_on_system',
-                        exceptions.Forbidden,
-                        user_id=self.user_other_domain,
-                        role_id=self.role_id)
-
     def test_identity_create_system_grant_for_user(self):
         self.do_request(
             'create_user_role_on_system',
             expected_status=exceptions.Forbidden,
             user_id=self.user_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'create_user_role_on_system',
             expected_status=exceptions.Forbidden,
             user_id=self.user_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
 
     def test_identity_revoke_system_grant_for_user(self):
-        # user in own domain
-        self.admin_roles_client.create_user_role_on_system(
-            user_id=self.user_in_domain,
-            role_id=self.role_id)
-        self.addCleanup(
-            self.admin_roles_client.delete_role_from_user_on_system,
-            user_id=self.user_in_domain,
-            role_id=self.role_id)
-        self.do_request(
-            'delete_role_from_user_on_system',
-            expected_status=exceptions.Forbidden,
-            user_id=self.user_in_domain,
-            role_id=self.role_id)
-        # user in other domain
-        self.admin_roles_client.create_user_role_on_system(
-            user_id=self.user_other_domain,
-            role_id=self.role_id)
-        self.addCleanup(
-            self.admin_roles_client.delete_role_from_user_on_system,
-            user_id=self.user_other_domain,
-            role_id=self.role_id)
-        self.do_request(
-            'delete_role_from_user_on_system',
-            expected_status=exceptions.Forbidden,
-            user_id=self.user_other_domain,
-            role_id=self.role_id)
-
-    def test_identity_list_system_grants_for_group(self):
-        self.do_request('list_group_roles_on_system',
-                        expected_status=exceptions.Forbidden,
-                        group_id=self.group_in_domain)
-        self.do_request('list_group_roles_on_system',
-                        expected_status=exceptions.Forbidden,
-                        group_id=self.group_other_domain)
-
-    def test_identity_check_system_grant_for_group(self):
-        self.do_request('check_role_from_group_on_system_existence',
-                        exceptions.Forbidden,
-                        group_id=self.group_other_domain,
-                        role_id=self.role_id)
-        self.do_request('check_role_from_group_on_system_existence',
-                        exceptions.Forbidden,
-                        group_id=self.group_other_domain,
-                        role_id=self.role_id)
-
-    def test_identity_create_system_grant_for_group(self):
-        self.do_request(
-            'create_group_role_on_system',
-            expected_status=exceptions.Forbidden,
-            group_id=self.group_in_domain,
-            role_id=self.role_id)
-        self.do_request(
-            'create_group_role_on_system',
-            expected_status=exceptions.Forbidden,
-            group_id=self.group_other_domain,
-            role_id=self.role_id)
-
-    def test_identity_revoke_system_grant_for_group(self):
         # group in own domain
         self.admin_roles_client.create_group_role_on_system(
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.addCleanup(
             self.admin_roles_client.delete_role_from_group_on_system,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_group_on_system',
             expected_status=exceptions.Forbidden,
             group_id=self.group_in_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         # group in other domain
         self.admin_roles_client.create_group_role_on_system(
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.addCleanup(
             self.admin_roles_client.delete_role_from_group_on_system,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
         self.do_request(
             'delete_role_from_group_on_system',
             expected_status=exceptions.Forbidden,
             group_id=self.group_other_domain,
-            role_id=self.role_id)
+            role_id=self.member_role_id)
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
+    def test_identity_check_grant(self):
+        ###################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+        ###################################################
+        # global role, project in own domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, project in own domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role, own domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, own domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # role in own domain, project in own domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in own domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=204,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, domain in own domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=204,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, domain in own domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=204,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in own domain, user in own domain
+        # (none created, should 403)
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in own domain, group in own domain
+        # (none created, should 403)
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, domain in own domain, user in own domain
+        # (none created, should 403)
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, domain in own domain, group in own domain
+        # (none created, should 403)
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        #####################################################
+        # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #####################################################
+        # global role, project in own domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, project in own domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # global role, own domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, own domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # role in own domain, project in own domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in own domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, domain in own domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, domain in own domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in own domain, user in other domain
+        # (none created, should 403)
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in own domain, group in other domain
+        # (none created, should 403)
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_in_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, domain in own domain, user in other domain
+        # (none created, should 403)
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, domain in own domain, group in other domain
+        # (none created, should 403)
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.own_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+
+        #####################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+        #####################################################
+        # global role, project in other domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, project in other domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # global role, other domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_id)
+        # global role, other domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_id)
+        # role in own domain, project in other domain, user in own domain
+        # (none created, should 403)
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in other domain, group in own domain
+        # (none created, should 403)
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, user in own domain
+        # (none created, should 403)
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, group in own domain
+        # (none created, should 403)
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in other domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in other domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, user in own domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            user_id=self.user_in_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, group in own domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            group_id=self.group_in_domain,
+            role_id=self.role_other_domain)
+        #######################################################
+        # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+        #######################################################
+        # global role, project in other domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, project in other domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # global role, other domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_id)
+        # global role, other domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_id)
+        # role in own domain, project in other domain, user in other domain
+        # (none created, should 403)
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, project in other domain, group in other domain
+        # (none created, should 403)
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, user in other domain
+        # (none created, should 403)
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_own_domain)
+        # role in own domain, other domain, group in other domain
+        # (none created, should 403)
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_own_domain)
+        # role in other domain, project in other domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_project',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, project in other domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_project_existence',
+            expected_status=exceptions.Forbidden,
+            project_id=self.project_other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, user in other domain
+        self.do_request(
+            'check_user_role_existence_on_domain',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            user_id=self.user_other_domain,
+            role_id=self.role_other_domain)
+        # role in other domain, other domain, group in other domain
+        self.do_request(
+            'check_role_from_group_on_domain_existence',
+            expected_status=exceptions.Forbidden,
+            domain_id=self.other_domain,
+            group_id=self.group_other_domain,
+            role_id=self.role_other_domain)
+
     def test_identity_create_grant(self):
         ###################################################
         # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
@@ -3402,56 +5433,21 @@
             group_id=self.group_other_domain,
             role_id=self.role_other_domain)
 
-    def test_identity_create_system_grant_for_user(self):
-        self.do_request(
-            'create_user_role_on_system',
-            expected_status=exceptions.Forbidden,
-            user_id=self.user_in_domain,
-            role_id=self.role_id)
-        self.do_request(
-            'create_user_role_on_system',
-            expected_status=exceptions.Forbidden,
-            user_id=self.user_other_domain,
-            role_id=self.role_id)
-
-    def test_identity_revoke_system_grant_for_user(self):
-        # group in own domain
-        self.admin_roles_client.create_group_role_on_system(
-            group_id=self.group_in_domain,
-            role_id=self.role_id)
-        self.addCleanup(
-            self.admin_roles_client.delete_role_from_group_on_system,
-            group_id=self.group_in_domain,
-            role_id=self.role_id)
-        self.do_request(
-            'delete_role_from_group_on_system',
-            expected_status=exceptions.Forbidden,
-            group_id=self.group_in_domain,
-            role_id=self.role_id)
-        # group in other domain
-        self.admin_roles_client.create_group_role_on_system(
-            group_id=self.group_other_domain,
-            role_id=self.role_id)
-        self.addCleanup(
-            self.admin_roles_client.delete_role_from_group_on_system,
-            group_id=self.group_other_domain,
-            role_id=self.role_id)
-        self.do_request(
-            'delete_role_from_group_on_system',
-            expected_status=exceptions.Forbidden,
-            group_id=self.group_other_domain,
-            role_id=self.role_id)
-
 
 class DomainReaderTests(DomainMemberTests):
 
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
+
+class ProjectManagerTests(ProjectAdminTests):
+
+    credentials = ['project_manager', 'system_admin']
+
     def test_identity_check_grant(self):
         # global role, arbitrary project, arbitrary user
         self.do_request(
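Review bot: ProjectManagerTests (L3452) inherits ProjectAdminTests, which now inherits SystemAdminTests, so every test that neither class overrides runs under project_manager credentials with the system-admin expectations; only test_identity_check_grant is visibly re-defined for the manager persona in this hunk, so either the remaining overrides sit outside it or they are missing. The same shape is introduced for DomainManagerTests(DomainAdminTests) in test_group.py. A short class docstring on ProjectAdminTests stating why project_admin is expected to match the system_admin results, e.g. `"""project_admin shares the system_admin expectations; project-scoped expectations are defined on ProjectManagerTests."""`, would let the next reader check that intent instead of inferring it from the inheritance chain.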
@@ -3789,7 +5785,7 @@
             role_id=self.role_id)
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_group.py b/keystone_tempest_plugin/tests/rbac/v3/test_group.py
index c3ce1d9..d3ca20a 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_group.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_group.py
@@ -422,20 +422,89 @@
     credentials = ['system_reader', 'system_admin']
 
 
-class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
 
     credentials = ['domain_admin', 'system_admin']
 
+    def test_identity_list_groups(self):
+        group1 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.own_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+        group2 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.other_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+        resp = self.do_request('list_groups')
+        # user can get groups in own domain
+        self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
+        # user cannot get groups in other domain
+        self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+
+    def test_identity_list_groups_for_user(self):
+        group1 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.own_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+        user1 = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'),
+            domain_id=self.own_domain)['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user1['id'])
+        group2 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.other_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+        user2 = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'),
+            domain_id=self.other_domain)['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user2['id'])
+        self.admin_groups_client.add_group_user(group1['id'], user1['id'])
+        self.admin_groups_client.add_group_user(group1['id'], user2['id'])
+        self.admin_groups_client.add_group_user(group2['id'], user1['id'])
+        self.admin_groups_client.add_group_user(group2['id'], user2['id'])
+        resp = self.do_request('list_user_groups', client=self.users_client,
+                               user_id=user1['id'])
+        # user can list groups in own domain for user in own domain
+        self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
+        # user cannot list groups in other domain for user in own domain
+        self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+        # user cannot list groups for user in other domain
+        resp = self.do_request('list_user_groups', client=self.users_client,
+                               user_id=user2['id'])
+        self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+        # user gets a 404 for nonexistent user
+        self.do_request('list_user_groups', client=self.users_client,
+                        expected_status=exceptions.NotFound,
+                        user_id='fakeuser')
+
+    def test_identity_list_users_in_group(self):
+        group = self.admin_groups_client.create_group(**self.group())['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group['id'])
+        user = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'))['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user['id'])
+        self.admin_groups_client.add_group_user(group['id'], user['id'])
+        resp = self.do_request('list_group_users', group_id=group['id'])
+        user_ids = set(u['id'] for u in resp['users'])
+        # request is allowed but the user will get filtered out on domain
+        # scoped request
+        self.assertEqual(0, len(user_ids))
+
+
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
     def test_identity_create_group(self):
         # user can create group in own domain
-        resp = self.do_request('create_group', expected_status=201,
+        resp = self.do_request('create_group',
+                               expected_status=201,
                                **self.group(domain_id=self.own_domain))
         self.addCleanup(self.admin_groups_client.delete_group,
                         resp['group']['id'])
         # user cannot create group in another domain
-        resp = self.do_request('create_group',
-                               expected_status=exceptions.Forbidden,
-                               **self.group(domain_id=self.other_domain))
+        self.do_request('create_group',
+                        expected_status=exceptions.Forbidden,
+                        **self.group(domain_id=self.other_domain))
 
     def test_identity_get_group(self):
         group = self.admin_groups_client.create_group(
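Review bot: The "user cannot list groups for user in other domain" step at L3521-L3524 only asserts that group2 is absent, but user2 was also added to group1 at L3512, so the test passes whether the call returns group1, an empty list, or a filtered list, and the comment promises more than is checked. Either the request should be expected to fail, as the domain_member variant of the same test does with `expected_status=exceptions.Forbidden`, or the returned set should be pinned, e.g. `self.assertEqual(set(), set(g['id'] for g in resp['groups']))`; which of the two is correct depends on the list_user_groups policy and is not decidable from the hunk. Separately, test_identity_list_users_in_group at L3530 creates its group and user without a domain_id, so the zero-users assertion at L3542 appears to rely on the default domain being different from own_domain; passing an explicit `domain_id=self.other_domain` would make the filtering claim in the comment explicit.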
@@ -453,19 +522,6 @@
         self.do_request('show_group', expected_status=exceptions.Forbidden,
                         group_id='fakegroup')
 
-    def test_identity_list_groups(self):
-        group1 = self.admin_groups_client.create_group(
-            **self.group(domain_id=self.own_domain))['group']
-        self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
-        group2 = self.admin_groups_client.create_group(
-            **self.group(domain_id=self.other_domain))['group']
-        self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
-        resp = self.do_request('list_groups')
-        # user can get groups in own domain
-        self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
-        # user cannot get groups in other domain
-        self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
-
     def test_identity_list_groups_for_user(self):
         group1 = self.admin_groups_client.create_group(
             **self.group(domain_id=self.own_domain))['group']
@@ -591,14 +647,14 @@
                         user1['id'])
         user2 = self.admin_client.users_v3_client.create_user(
             name=data_utils.rand_name('user'),
-            domain_id=self.own_domain)['user']
+            domain_id=self.other_domain)['user']
         self.addCleanup(self.admin_client.users_v3_client.delete_user,
                         user2['id'])
         # user can add a user in own domain to a group in own domain
         self.do_request('add_group_user', expected_status=204,
                         group_id=group1['id'], user_id=user1['id'])
-        # user can add a user in another domain to a group in own domain
-        self.do_request('add_group_user', expected_status=204,
+        # user cannot add a user in another domain to a group in own domain
+        self.do_request('add_group_user', expected_status=exceptions.Forbidden,
                         group_id=group1['id'], user_id=user2['id'])
         # user cannot add a user in own domain to a group in another domain
         self.do_request('add_group_user', expected_status=exceptions.Forbidden,
@@ -627,7 +683,7 @@
                         user1['id'])
         user2 = self.admin_client.users_v3_client.create_user(
             name=data_utils.rand_name('user'),
-            domain_id=self.own_domain)['user']
+            domain_id=self.other_domain)['user']
         self.addCleanup(self.admin_client.users_v3_client.delete_user,
                         user2['id'])
         self.admin_groups_client.add_group_user(group1['id'], user1['id'])
@@ -637,9 +693,10 @@
         # user can remove a user in own domain from a group in own domain
         self.do_request('delete_group_user', expected_status=204,
                         group_id=group1['id'], user_id=user1['id'])
-        # user can remove a user in another domain from a group in own
+        # user cannot remove a user in another domain from a group in own
         # domain
-        self.do_request('delete_group_user', expected_status=204,
+        self.do_request('delete_group_user',
+                        expected_status=exceptions.Forbidden,
                         group_id=group1['id'], user_id=user2['id'])
         # user cannot remove a user in own domain from a group in another
         # domain
@@ -709,7 +766,7 @@
                         group_id=group1['id'], user_id='fakeuser')
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -723,6 +780,71 @@
                         expected_status=exceptions.Forbidden,
                         **self.group(domain_id=self.other_domain))
 
+    def test_identity_get_group(self):
+        group = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.own_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group['id'])
+        # user can get group in own domain
+        self.do_request('show_group', group_id=group['id'])
+        # user cannot get group in other domain
+        group = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.other_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group['id'])
+        self.do_request('show_group', expected_status=exceptions.Forbidden,
+                        group_id=group['id'])
+        # user gets a 403 for nonexistent group
+        self.do_request('show_group', expected_status=exceptions.Forbidden,
+                        group_id='fakegroup')
+
+    def test_identity_list_groups(self):
+        group1 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.own_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+        group2 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.other_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+        resp = self.do_request('list_groups')
+        # user can get groups in own domain
+        self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
+        # user cannot get groups in other domain
+        self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+
+    def test_identity_list_groups_for_user(self):
+        group1 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.own_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+        user1 = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'),
+            domain_id=self.own_domain)['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user1['id'])
+        group2 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.other_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+        user2 = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'),
+            domain_id=self.other_domain)['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user2['id'])
+        self.admin_groups_client.add_group_user(group1['id'], user1['id'])
+        self.admin_groups_client.add_group_user(group1['id'], user2['id'])
+        self.admin_groups_client.add_group_user(group2['id'], user1['id'])
+        self.admin_groups_client.add_group_user(group2['id'], user2['id'])
+        resp = self.do_request('list_user_groups', client=self.users_client,
+                               user_id=user1['id'])
+        # user can list groups in own domain for user in own domain
+        self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
+        # user cannot list groups in other domain for user in own domain
+        self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+        # user cannot list groups for user in other domain
+        resp = self.do_request('list_user_groups', client=self.users_client,
+                               expected_status=exceptions.Forbidden,
+                               user_id=user2['id'])
+        # user gets a 403 for nonexistent user
+        self.do_request('list_user_groups', client=self.users_client,
+                        expected_status=exceptions.Forbidden,
+                        user_id='fakeuser')
+
     def test_identity_update_group(self):
         group1 = self.admin_groups_client.create_group(
             **self.group(domain_id=self.own_domain))['group']
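Review bot: `resp` at L3697 is assigned from a request that is expected to raise Forbidden and is never read afterwards; drop the assignment to match the pattern used at L3701 and at L3561 in DomainManagerTests, i.e. `self.do_request('list_user_groups', client=self.users_client,` followed by the existing keyword lines. More broadly, since L3632 detaches DomainMemberTests from DomainAdminTests, any test the domain_member run previously inherited that is neither re-defined here nor declared on IdentityV3RbacGroupTest silently disappears from that run; the re-definitions visible in this diff cover get_group, list_groups, list_groups_for_user, list_users_in_group and check_user_in_group, so the remaining test_identity_* methods are worth checking against the abstract base, which is outside this view.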
@@ -768,6 +890,37 @@
         self.do_request('delete_group', expected_status=exceptions.NotFound,
                         group_id='fakegroup')
 
+    def test_identity_list_users_in_group(self):
+        group1 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.own_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+        user1 = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'),
+            domain_id=self.own_domain)['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user1['id'])
+        group2 = self.admin_groups_client.create_group(
+            **self.group(domain_id=self.other_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+        user2 = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'),
+            domain_id=self.other_domain)['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user2['id'])
+        self.admin_groups_client.add_group_user(group1['id'], user1['id'])
+        self.admin_groups_client.add_group_user(group1['id'], user2['id'])
+        self.admin_groups_client.add_group_user(group2['id'], user1['id'])
+        self.admin_groups_client.add_group_user(group2['id'], user2['id'])
+        resp = self.do_request('list_group_users', group_id=group1['id'])
+        # user can list users in own domain for group in own domain
+        self.assertIn(user1['id'], set(u['id'] for u in resp['users']))
+        # user cannot list users in another domain for group in own domain
+        self.assertNotIn(user2['id'], set(u['id'] for u in resp['users']))
+        # user cannot list users for group in another domain
+        self.do_request('list_group_users',
+                        expected_status=exceptions.Forbidden,
+                        group_id=group2['id'])
+
     def test_identity_add_user_to_group(self):
         group1 = self.admin_groups_client.create_group(
             **self.group(self.own_domain))['group']
@@ -782,7 +935,7 @@
                         user1['id'])
         user2 = self.admin_client.users_v3_client.create_user(
             name=data_utils.rand_name('user'),
-            domain_id=self.own_domain)['user']
+            domain_id=self.other_domain)['user']
         self.addCleanup(self.admin_client.users_v3_client.delete_user,
                         user2['id'])
         # user cannot add a user in own domain to a group in own domain
@@ -818,7 +971,7 @@
                         user1['id'])
         user2 = self.admin_client.users_v3_client.create_user(
             name=data_utils.rand_name('user'),
-            domain_id=self.own_domain)['user']
+            domain_id=self.other_domain)['user']
         self.addCleanup(self.admin_client.users_v3_client.delete_user,
                         user2['id'])
         self.admin_groups_client.add_group_user(group1['id'], user1['id'])
@@ -853,16 +1006,69 @@
                         expected_status=exceptions.Forbidden,
                         group_id=group1['id'], user_id='fakeuser')
 
+    def test_identity_check_user_in_group(self):
+        group1 = self.admin_groups_client.create_group(
+            **self.group(self.own_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+        group2 = self.admin_groups_client.create_group(
+            **self.group(self.other_domain))['group']
+        self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+        user1 = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'),
+            domain_id=self.own_domain)['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user1['id'])
+        user2 = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name('user'),
+            domain_id=self.own_domain)['user']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user,
+                        user2['id'])
+        self.admin_groups_client.add_group_user(group1['id'], user1['id'])
+        self.admin_groups_client.add_group_user(group1['id'], user2['id'])
+        self.admin_groups_client.add_group_user(group2['id'], user1['id'])
+        self.admin_groups_client.add_group_user(group2['id'], user2['id'])
+        # user can check if a user in own domain is in a group in own domain
+        self.do_request('check_group_user_existence', expected_status=204,
+                        group_id=group1['id'], user_id=user1['id'])
+        # user can check if a user in another domain is in a group in own
+        # domain
+        self.do_request('check_group_user_existence',
+                        expected_status=204,
+                        group_id=group1['id'], user_id=user2['id'])
+        # user cannot check if a user in own domain is in a group in another
+        # domain
+        self.do_request('check_group_user_existence',
+                        expected_status=exceptions.Forbidden,
+                        group_id=group2['id'], user_id=user1['id'])
+        # user cannot check if a user in another domain is in a group in
+        # another domain
+        self.do_request('check_group_user_existence',
+                        expected_status=exceptions.Forbidden,
+                        group_id=group2['id'], user_id=user2['id'])
+        # user gets a 403 for nonexistent group
+        self.do_request('check_group_user_existence',
+                        expected_status=exceptions.Forbidden,
+                        group_id='fakegroup', user_id=user1['id'])
+        # user gets a 403 for nonexistent user
+        self.do_request('check_group_user_existence',
+                        expected_status=exceptions.Forbidden,
+                        group_id=group1['id'], user_id='fakeuser')
+
 
 class DomainReaderTests(DomainMemberTests):
 
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
+
+class ProjectManagerTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+
+    credentials = ['project_manager', 'system_admin']
+
     def test_identity_create_group(self):
         # user cannot create group in own domain
         self.do_request('create_group', expected_status=exceptions.Forbidden,
@@ -1142,11 +1348,11 @@
                         group_id=group1['id'], user_id='fakeuser')
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
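Review bot: In the new test_identity_check_user_in_group, user2 is created with `domain_id=self.own_domain`, yet the two checks commented "user in another domain" use it, so the cross-domain cases the comments describe are never exercised and the test would still pass if a domain-scoped persona could probe membership of users from other domains. The sibling test_identity_list_users_in_group and the two one-line fixes earlier in this file create user2 with `domain_id=self.other_domain)['user']`; the same change is needed on the second create_user call here. If the intent was really two own-domain users, the comments on the second and fourth check_group_user_existence calls should say so instead.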
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py b/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
index 819508c..c2c2178 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
@@ -258,7 +258,12 @@
                         expected_status=exceptions.Forbidden)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -268,16 +273,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
index 73765e4..c7d2c4d 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
@@ -232,7 +232,12 @@
                         implies_role=self.implied_role)
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -242,16 +247,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
index d2efc6c..51c7a9b 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
@@ -184,7 +184,8 @@
 
     def test_identity_list_limits(self):
         reg_limit_id = self.admin_limits_client.create_limits(
-            payload=self.limits())['limits'][0]['id']
+            payload=self.limits(project_id=self.persona.credentials.project_id)
+        )['limits'][0]['id']
         self.addCleanup(
             self.admin_limits_client.delete_limit,
             limit_id=reg_limit_id)
@@ -289,8 +290,8 @@
             self.admin_limits_client.delete_limit,
             limit_id=reg_limit_2)
         resp = self.do_request('list_limits')
-        # should not see limit for other project
-        self.assertNotIn(
+        # admin should see limit for other project
+        self.assertIn(
             reg_limit_1, [rl['id'] for rl in resp['limits']])
         # should see limit for project in own domain
         self.assertIn(
@@ -303,20 +304,8 @@
         self.addCleanup(
             self.admin_limits_client.delete_limit,
             limit_id=reg_limit_1)
-        # project in own domain
-        reg_limit_2 = self.admin_limits_client.create_limits(
-            payload=self.limits(project_id=self.own_project)
-        )['limits'][0]['id']
-        self.addCleanup(
-            self.admin_limits_client.delete_limit,
-            limit_id=reg_limit_2)
-        # cannot get limit for other project
         self.do_request('show_limit',
-                        expected_status=exceptions.Forbidden,
                         limit_id=reg_limit_1)
-        # can get limit for project in own domain
-        self.do_request('show_limit',
-                        limit_id=reg_limit_2)
 
     def test_identity_update_limit(self):
         # cannot update limit for arbitrary project
@@ -366,7 +355,56 @@
                         limit_id=reg_limit_id)
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+    def test_identity_list_limits(self):
+        # random project
+        reg_limit_1 = self.admin_limits_client.create_limits(
+            payload=self.limits())['limits'][0]['id']
+        self.addCleanup(
+            self.admin_limits_client.delete_limit,
+            limit_id=reg_limit_1)
+        # project in own domain
+        reg_limit_2 = self.admin_limits_client.create_limits(
+            payload=self.limits(project_id=self.own_project)
+        )['limits'][0]['id']
+        self.addCleanup(
+            self.admin_limits_client.delete_limit,
+            limit_id=reg_limit_2)
+        resp = self.do_request('list_limits')
+        # should not see limit for other project
+        self.assertNotIn(
+            reg_limit_1, [rl['id'] for rl in resp['limits']])
+        # should see limit for project in own domain
+        self.assertIn(
+            reg_limit_2, [rl['id'] for rl in resp['limits']])
+
+    def test_identity_get_limit(self):
+        # random project
+        reg_limit_1 = self.admin_limits_client.create_limits(
+            payload=self.limits())['limits'][0]['id']
+        self.addCleanup(
+            self.admin_limits_client.delete_limit,
+            limit_id=reg_limit_1)
+        # project in own domain
+        reg_limit_2 = self.admin_limits_client.create_limits(
+            payload=self.limits(project_id=self.own_project)
+        )['limits'][0]['id']
+        self.addCleanup(
+            self.admin_limits_client.delete_limit,
+            limit_id=reg_limit_2)
+        # cannot get limit for other project
+        self.do_request('show_limit',
+                        expected_status=exceptions.Forbidden,
+                        limit_id=reg_limit_1)
+        # can get limit for project in own domain
+        self.do_request('show_limit',
+                        limit_id=reg_limit_2)
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -376,12 +414,17 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py b/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
index 00b2e6b..3a5da2b 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
@@ -230,7 +230,12 @@
                         expected_status=exceptions.Forbidden)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -240,16 +245,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_policy.py b/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
index 53cdeb5..dddf084 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
@@ -207,7 +207,12 @@
         self.do_request('list_policies', expected_status=exceptions.Forbidden)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -217,16 +222,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py b/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
index 5c3f514..a23e4e4 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
@@ -157,7 +157,7 @@
         This test must check
           * whether the persona can delete a policy association for a region
             and service
-        """
+        """  # noqa: E501
         pass
 
 
@@ -444,7 +444,12 @@
             policy_id=self.policy_id)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -454,16 +459,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project.py b/keystone_tempest_plugin/tests/rbac/v3/test_project.py
index 81b64e6..2b00035 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project.py
@@ -225,6 +225,135 @@
             domain_id=self.own_domain
         )['project']['id']
         self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        # user can create project in other domain
+        project_id = self.do_request(
+            'create_project', expected_status=201, name=data_utils.rand_name(),
+            domain_id=self.other_domain
+        )['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+
+    def test_identity_get_project(self):
+        # user can get project in own domain
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.own_domain)['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        self.do_request('show_project', project_id=project_id)
+        # user can get project in other domain
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.other_domain)['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        self.do_request('show_project', project_id=project_id)
+        # user gets a 403 for nonexistent project
+        self.do_request('show_project', expected_status=exceptions.NotFound,
+                        project_id=data_utils.rand_uuid_hex())
+
+    def test_identity_list_projects(self):
+        # user can list projects but cannot see project in other domain
+        own_project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.own_domain)['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project,
+                        own_project_id)
+        other_project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.other_domain)['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project,
+                        other_project_id)
+        resp = self.do_request('list_projects')
+        self.assertIn(own_project_id, [d['id'] for d in resp['projects']])
+        self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']])
+
+    def test_identity_list_user_projects(self):
+        # user can list projects for user in own domain
+        user_id = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name(),
+            domain_id=self.own_domain)['user']['id']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name())['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        role_id = self.admin_client.roles_v3_client.create_role(
+            name=data_utils.rand_name())['role']['id']
+        self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+                        role_id)
+        self.admin_client.roles_v3_client.create_user_role_on_project(
+            project_id, user_id, role_id)
+        resp = self.do_request('list_user_projects', client=self.users_client,
+                               user_id=user_id)
+        self.assertIn(project_id, [p['id'] for p in resp['projects']])
+        # user can list projects for user in other domain
+        user_id = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name(),
+            domain_id=self.other_domain)['user']['id']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name())['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        role_id = self.admin_client.roles_v3_client.create_role(
+            name=data_utils.rand_name())['role']['id']
+        self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+                        role_id)
+        self.admin_client.roles_v3_client.create_user_role_on_project(
+            project_id, user_id, role_id)
+        resp = self.do_request('list_user_projects', client=self.users_client,
+                               user_id=user_id)
+        self.assertIn(project_id, [p['id'] for p in resp['projects']])
+        # user can list projects for self
+        resp = self.do_request('list_user_projects', client=self.users_client,
+                               user_id=self.persona.credentials.user_id)
+        self.assertEqual(0, len([p['id'] for p in resp['projects']]))
+
+    def test_identity_update_project(self):
+        # user can update project in own domain
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.own_domain)['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        self.do_request('update_project',
+                        project_id=project_id,
+                        description=data_utils.arbitrary_string())
+        # user can update project in other domain
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.other_domain)['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        self.do_request('update_project',
+                        project_id=project_id,
+                        description=data_utils.arbitrary_string())
+        # user gets a 404 for nonexistent domain
+        self.do_request('update_project', expected_status=exceptions.NotFound,
+                        project_id=data_utils.rand_uuid_hex(),
+                        description=data_utils.arbitrary_string())
+
+    def test_identity_delete_project(self):
+        # user can delete project in own domain
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.own_domain)['project']['id']
+        self.do_request('delete_project', expected_status=204,
+                        project_id=project_id)
+        # user can delete project in other domain
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.other_domain)['project']['id']
+        self.do_request('delete_project', expected_status=204,
+                        project_id=project_id)
+
+
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+    def test_identity_create_project(self):
+        # user can create project in own domain
+        project_id = self.do_request(
+            'create_project', expected_status=201,
+            name=data_utils.rand_name(),
+            domain_id=self.own_domain
+        )['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
         # user cannot create project in other domain
         self.do_request(
             'create_project', expected_status=exceptions.Forbidden,
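Review bot: In the added test_identity_get_project the comment reads "user gets a 403 for nonexistent project" while the call expects `exceptions.NotFound`, and in test_identity_update_project the comment says "user gets a 404 for nonexistent domain" although a random project id is passed; both should read `# user gets a 404 for nonexistent project`. Separately, the "list projects for self" assertion `self.assertEqual(0, len([p['id'] for p in resp['projects']]))` hides the offending entries on failure; assuming the body is a list, `self.assertEqual([], resp['projects'])` reports them directly, and the same form recurs in the DomainMemberTests hunk below. The method containing the first added lines starts before this hunk, and DomainManagerTests.test_identity_create_project continues after it.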
@@ -249,22 +378,6 @@
         self.do_request('show_project', expected_status=exceptions.Forbidden,
                         project_id=data_utils.rand_uuid_hex())
 
-    def test_identity_list_projects(self):
-        # user can list projects but cannot see project in other domain
-        own_project_id = self.admin_projects_client.create_project(
-            name=data_utils.rand_name(),
-            domain_id=self.own_domain)['project']['id']
-        self.addCleanup(self.admin_projects_client.delete_project,
-                        own_project_id)
-        other_project_id = self.admin_projects_client.create_project(
-            name=data_utils.rand_name(),
-            domain_id=self.other_domain)['project']['id']
-        self.addCleanup(self.admin_projects_client.delete_project,
-                        other_project_id)
-        resp = self.do_request('list_projects')
-        self.assertIn(own_project_id, [d['id'] for d in resp['projects']])
-        self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']])
-
     def test_identity_list_user_projects(self):
         # user can list projects for user in own domain
         user_id = self.admin_client.users_v3_client.create_user(
@@ -344,7 +457,7 @@
                         project_id=project_id)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -361,6 +474,64 @@
             name=data_utils.rand_name(), domain_id=self.other_domain
         )
 
+    def test_identity_get_project(self):
+        # user can get project in own domain
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.own_domain)['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        self.do_request('show_project', project_id=project_id)
+        # user cannot get project in other domain
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name(),
+            domain_id=self.other_domain)['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        self.do_request('show_project', expected_status=exceptions.Forbidden,
+                        project_id=project_id)
+        # user gets a 403 for nonexistent project
+        self.do_request('show_project', expected_status=exceptions.Forbidden,
+                        project_id=data_utils.rand_uuid_hex())
+
+    def test_identity_list_user_projects(self):
+        # user can list projects for user in own domain
+        user_id = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name(),
+            domain_id=self.own_domain)['user']['id']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name())['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        role_id = self.admin_client.roles_v3_client.create_role(
+            name=data_utils.rand_name())['role']['id']
+        self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+                        role_id)
+        self.admin_client.roles_v3_client.create_user_role_on_project(
+            project_id, user_id, role_id)
+        resp = self.do_request('list_user_projects', client=self.users_client,
+                               user_id=user_id)
+        self.assertIn(project_id, [p['id'] for p in resp['projects']])
+        # user cannot list projects for user in other domain
+        user_id = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name(),
+            domain_id=self.other_domain)['user']['id']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name())['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        role_id = self.admin_client.roles_v3_client.create_role(
+            name=data_utils.rand_name())['role']['id']
+        self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+                        role_id)
+        self.admin_client.roles_v3_client.create_user_role_on_project(
+            project_id, user_id, role_id)
+        self.do_request('list_user_projects', client=self.users_client,
+                        expected_status=exceptions.Forbidden,
+                        user_id=user_id)
+        # user can list projects for self
+        resp = self.do_request('list_user_projects', client=self.users_client,
+                               user_id=self.persona.credentials.user_id)
+        self.assertEqual(0, len([p['id'] for p in resp['projects']]))
+
     def test_identity_update_project(self):
         # user cannot update project in own domain
         project_id = self.admin_projects_client.create_project(
@@ -406,10 +577,39 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
+    def test_identity_list_user_projects(self):
+        user_id = self.admin_client.users_v3_client.create_user(
+            name=data_utils.rand_name())['user']['id']
+        self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+        project_id = self.admin_projects_client.create_project(
+            name=data_utils.rand_name())['project']['id']
+        self.addCleanup(self.admin_projects_client.delete_project, project_id)
+        role_id = self.admin_client.roles_v3_client.create_role(
+            name=data_utils.rand_name())['role']['id']
+        self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+                        role_id)
+        self.admin_client.roles_v3_client.create_user_role_on_project(
+            project_id, user_id, role_id)
+        # user can list projects for arbitrary user
+        resp = self.do_request('list_user_projects', client=self.users_client,
+                               user_id=user_id)
+        self.assertIn(project_id, [p['id'] for p in resp['projects']])
+        # user can list projects for self
+        # Project Admin is assigned to a tempest project so we cant re-use
+        # the System Admin test.
+        resp = self.do_request('list_user_projects', client=self.users_client,
+                               user_id=self.persona.credentials.user_id)
+        self.assertEqual(1, len([p['id'] for p in resp['projects']]))
+
+
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
     def test_identity_get_project(self):
         # user cannot get arbitrary project
         project_id = self.admin_projects_client.create_project(
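Review bot: The "list projects for self" check in ProjectAdminTests.test_identity_list_user_projects asserts an exact count of 1, which ties the test to how the credential provider happens to allocate the project_admin persona rather than to what the API returns; if that provider ever grants an additional assignment the test fails for an unrelated reason. Since the comment says the persona is assigned to a tempest project, asserting that specific project is both more precise and more robust: `self.assertIn(self.persona.credentials.project_id, [p['id'] for p in resp['projects']])`. ProjectManagerTests.test_identity_get_project at the end of the hunk continues outside it.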
@@ -457,11 +657,11 @@
                       [p['id'] for p in resp['projects']])
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py b/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
index 442ca9e..b225ee2 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
@@ -226,7 +226,12 @@
                         project_id=self.project_id)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -236,16 +241,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
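Review bot: The reparenting at L4512 (`ProjectAdminTests(SystemAdminTests)`) and at L4498 in the previous hunk (`DomainManagerTests(DomainAdminTests)`) encodes privilege expectations — a project-scoped admin is expected to pass every system-admin check, and a domain manager to have no restriction beyond a domain admin for these endpoints — without saying why, so a reader cannot tell a deliberate expectation from an over-broad policy. Presumably this reflects keystone's default policies treating the `admin` role as an unscoped admin; a one-line class comment such as `# project_admin is expected to have the same access as system_admin (keystone treats the admin role as unscoped)` on the first such class would make that explicit. The same pair of changes is repeated in test_protocol.py, test_region.py, test_registered_limit.py, test_role.py, test_role_assignment.py, test_service.py and test_service_provider.py, so one comment on a shared base or the first occurrence would suffice.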
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py b/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
index 3e6c4a6..d10b9fa 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
@@ -241,6 +241,103 @@
             project_id=self.own_project_id,
             tag=tag
         )
+        # user can add tags to project in other domain
+        tag = data_utils.rand_uuid_hex()
+        self.do_request(
+            'update_project_tag', expected_status=201,
+            project_id=self.other_project_id,
+            tag=tag
+        )
+
+    def test_identity_get_project_tag(self):
+        # user can get tag for project in own domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.own_project_id, tag=tag)
+        self.do_request('check_project_tag_existence',
+                        expected_status=204,
+                        project_id=self.own_project_id, tag=tag)
+        # user can get tag for project in other domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.other_project_id, tag=tag)
+        self.do_request('check_project_tag_existence',
+                        expected_status=204,
+                        project_id=self.other_project_id, tag=tag)
+
+    def test_identity_list_project_tags(self):
+        # user can list tags for project in own domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.own_project_id, tag=tag)
+        resp = self.do_request('list_project_tags',
+                               project_id=self.own_project_id)
+        self.assertIn(tag, resp['tags'])
+        # user can list tags for project in other domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.other_project_id, tag=tag)
+        resp = self.do_request('list_project_tags',
+                               project_id=self.other_project_id)
+        self.assertIn(tag, resp['tags'])
+
+    def test_identity_update_project_tags(self):
+        # user can update tags for project in own domain
+        tag = data_utils.rand_uuid_hex()
+        self.do_request('update_all_project_tags',
+                        project_id=self.own_project_id,
+                        tags=[tag])
+        # user can update tags for project in other domain
+        tag = data_utils.rand_uuid_hex()
+        self.do_request('update_all_project_tags',
+                        project_id=self.other_project_id,
+                        tags=[tag])
+
+    def test_identity_delete_project_tag(self):
+        # user can delete tag for project in own domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.own_project_id, tag=tag)
+        self.do_request('delete_project_tag', expected_status=204,
+                        project_id=self.own_project_id,
+                        tag=tag)
+        # user can delete tag for project in other domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.other_project_id, tag=tag)
+        self.do_request('delete_project_tag',
+                        expected_status=204,
+                        project_id=self.other_project_id,
+                        tag=tag)
+
+    def test_identity_delete_project_tags(self):
+        # user can delete tags for project in own domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.own_project_id, tag=tag)
+        self.do_request('delete_all_project_tags', expected_status=204,
+                        project_id=self.own_project_id)
+        # user can delete tags for project in other domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.other_project_id, tag=tag)
+        self.do_request('delete_all_project_tags',
+                        expected_status=204,
+                        project_id=self.other_project_id)
+
+
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+    def test_identity_create_project_tag(self):
+        # user can add tags to project in own domain
+        tag = data_utils.rand_uuid_hex()
+        self.do_request(
+            'update_project_tag', expected_status=201,
+            project_id=self.own_project_id,
+            tag=tag
+        )
         # user cannot add tags to project in other domain
         tag = data_utils.rand_uuid_hex()
         self.do_request(
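Review bot: The new cross-domain cases in L4540–L4622 assert that a domain-scoped admin persona can create, read, list, update and delete tags on a project in another domain, which is a privilege-boundary expectation worth stating explicitly; the enclosing class starts outside this hunk, so a short comment at its head, e.g. `# domain_admin holds the admin role, which keystone's default policies treat as an unscoped admin, so cross-domain access is expected here`, would stop a reader from taking these as a domain-isolation regression. Separately, `test_identity_update_project_tags` (L4580–L4590) checks only the status code; if the client returns the response body, `resp = self.do_request('update_all_project_tags', project_id=self.other_project_id, tags=[tag])` followed by `self.assertEqual([tag], resp['tags'])` would also verify the update was applied, matching what the list test does at L4571.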
@@ -273,7 +370,7 @@
         resp = self.do_request('list_project_tags',
                                project_id=self.own_project_id)
         self.assertIn(tag, resp['tags'])
-        # user cannot list tags for project in other domain
+        # user can list tags for project in other domain
         tag = data_utils.rand_uuid_hex()
         self.admin_project_tags_client.update_project_tag(
             project_id=self.other_project_id, tag=tag)
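Review bot: Only the comment changed here (L4645), while the `do_request('list_project_tags', ...)` call and its expected status that follow are outside the hunk and, judging by the hunk ranges (the next hunk starts at old line 327), are unchanged; if that call still passes `expected_status=exceptions.Forbidden`, the comment now contradicts the code and the override in `DomainMemberTests` (L4678–L4692) would be asserting the same thing as its parent. Worth confirming the call asserts success for the domain manager, e.g. `resp = self.do_request('list_project_tags', project_id=self.other_project_id)` and `self.assertIn(tag, resp['tags'])`.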
@@ -327,7 +424,7 @@
                         project_id=self.other_project_id)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -347,6 +444,38 @@
             tag=tag
         )
 
+    def test_identity_get_project_tag(self):
+        # user can get tag for project in own domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.own_project_id, tag=tag)
+        self.do_request('check_project_tag_existence',
+                        expected_status=204,
+                        project_id=self.own_project_id, tag=tag)
+        # user cannot get tag for project in other domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.other_project_id, tag=tag)
+        self.do_request('check_project_tag_existence',
+                        expected_status=exceptions.Forbidden,
+                        project_id=self.other_project_id, tag=tag)
+
+    def test_identity_list_project_tags(self):
+        # user can list tags for project in own domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.own_project_id, tag=tag)
+        resp = self.do_request('list_project_tags',
+                               project_id=self.own_project_id)
+        self.assertIn(tag, resp['tags'])
+        # user cannot list tags for project in other domain
+        tag = data_utils.rand_uuid_hex()
+        self.admin_project_tags_client.update_project_tag(
+            project_id=self.other_project_id, tag=tag)
+        self.do_request('list_project_tags',
+                        expected_status=exceptions.Forbidden,
+                        project_id=self.other_project_id)
+
     def test_identity_update_project_tags(self):
         # user cannot update tags for project in own domain
         tag = data_utils.rand_uuid_hex()
@@ -401,12 +530,17 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest):
+class ProjectAdminTests(DomainAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
+
+class ProjectManagerTests(DomainMemberTests):
+
+    credentials = ['project_manager', 'system_admin']
+
     def setUp(self):
-        super(ProjectAdminTests, self).setUp()
+        super().setUp()
         self.own_project_id = self.persona.credentials.project_id
         project_client = self.admin_client.projects_client
         self.other_project_id = project_client.create_project(
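Review bot: With `ProjectAdminTests` now inheriting `DomainAdminTests` (L4702) and the persona-project `setUp` moving to `ProjectManagerTests` (L4707–L4716), the project_admin persona no longer exercises tagging of the project its own token is scoped to: `own_project_id` now comes from the DomainAdminTests `setUp`, which is outside this hunk and presumably creates a separate project. If that loss of coverage is intended, a comment on `ProjectAdminTests` saying the domain-admin cases are considered sufficient would help; otherwise a dedicated test that tags `self.persona.credentials.project_id` would restore it. The `setUp` of `ProjectManagerTests` continues past the end of the hunk.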
@@ -414,16 +548,13 @@
         self.addCleanup(project_client.delete_project, self.other_project_id)
 
     def test_identity_create_project_tag(self):
-        # user can add tags to own project
+        # user cannot add tags to own project
         tag = data_utils.rand_uuid_hex()
         self.do_request(
-            'update_project_tag', expected_status=201,
+            'update_project_tag', expected_status=exceptions.Forbidden,
             project_id=self.own_project_id,
             tag=tag
         )
-        self.addCleanup(self.admin_project_tags_client.delete_project_tag,
-                        project_id=self.own_project_id,
-                        tag=tag)
         # user cannot add tags to arbitrary project
         tag = data_utils.rand_uuid_hex()
         self.do_request(
@@ -471,75 +602,6 @@
                         project_id=self.other_project_id)
 
     def test_identity_update_project_tags(self):
-        # user can update tags for own project
-        tag = data_utils.rand_uuid_hex()
-        self.do_request('update_all_project_tags',
-                        project_id=self.own_project_id,
-                        tags=[tag])
-        self.addCleanup(self.admin_project_tags_client.delete_project_tag,
-                        project_id=self.own_project_id,
-                        tag=tag)
-        # user cannot update tags for arbitrary project
-        tag = data_utils.rand_uuid_hex()
-        self.do_request('update_all_project_tags',
-                        expected_status=exceptions.Forbidden,
-                        project_id=self.other_project_id,
-                        tags=[tag])
-
-    def test_identity_delete_project_tag(self):
-        # user can delete tag for own project
-        tag = data_utils.rand_uuid_hex()
-        self.admin_project_tags_client.update_project_tag(
-            project_id=self.own_project_id, tag=tag)
-        self.do_request('delete_project_tag', expected_status=204,
-                        project_id=self.own_project_id,
-                        tag=tag)
-        # user cannot delete tag for arbitrary project
-        tag = data_utils.rand_uuid_hex()
-        self.admin_project_tags_client.update_project_tag(
-            project_id=self.other_project_id, tag=tag)
-        self.do_request('delete_project_tag',
-                        expected_status=exceptions.Forbidden,
-                        project_id=self.other_project_id,
-                        tag=tag)
-
-    def test_identity_delete_project_tags(self):
-        # user can delete tags for own project
-        tag = data_utils.rand_uuid_hex()
-        self.admin_project_tags_client.update_project_tag(
-            project_id=self.own_project_id, tag=tag)
-        self.do_request('delete_all_project_tags', expected_status=204,
-                        project_id=self.own_project_id)
-        # user cannot delete tags for arbitrary project
-        tag = data_utils.rand_uuid_hex()
-        self.admin_project_tags_client.update_project_tag(
-            project_id=self.other_project_id, tag=tag)
-        self.do_request('delete_all_project_tags',
-                        expected_status=exceptions.Forbidden,
-                        project_id=self.other_project_id)
-
-
-class ProjectMemberTests(ProjectAdminTests):
-
-    credentials = ['project_member', 'system_admin']
-
-    def test_identity_create_project_tag(self):
-        # user cannot add tags to own project
-        tag = data_utils.rand_uuid_hex()
-        self.do_request(
-            'update_project_tag', expected_status=exceptions.Forbidden,
-            project_id=self.own_project_id,
-            tag=tag
-        )
-        # user cannot add tags to arbitrary project
-        tag = data_utils.rand_uuid_hex()
-        self.do_request(
-            'update_project_tag', expected_status=exceptions.Forbidden,
-            project_id=self.other_project_id,
-            tag=tag
-        )
-
-    def test_identity_update_project_tags(self):
         # user cannot update tags for own project
         tag = data_utils.rand_uuid_hex()
         self.do_request('update_all_project_tags',
@@ -594,6 +656,11 @@
                         project_id=self.other_project_id)
 
 
+class ProjectMemberTests(ProjectManagerTests):
+
+    credentials = ['project_member', 'system_admin']
+
+
 class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py b/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
index 5f9d9a2..c438cff 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
@@ -277,7 +277,12 @@
                         idp_id=self.idp_id)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -287,16 +292,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_region.py b/keystone_tempest_plugin/tests/rbac/v3/test_region.py
index e58206a..b22f586 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_region.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_region.py
@@ -184,7 +184,12 @@
     credentials = ['domain_admin', 'system_admin']
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -194,16 +199,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
index c18ed01..c88fe8e 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
@@ -197,7 +197,12 @@
     credentials = ['domain_admin', 'system_admin']
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -207,12 +212,17 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_role.py
index a9815e8..1db157c 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_role.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_role.py
@@ -45,6 +45,8 @@
             cls.admin_client.domains_client.update_domain,
             cls.domain_id,
             enabled=False)
+        cls.member_role_id = cls.admin_client.roles_v3_client.list_roles(
+            name='member')['roles'][0]['id']
 
     def role(self, domain_id=None):
         role = {}
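Review bot: `cls.member_role_id = ...list_roles(name='member')['roles'][0]['id']` (L4956–L4957) fails with a bare IndexError during class setup if no role named `member` exists, which takes every test in the class down with an unhelpful message; `roles = cls.admin_client.roles_v3_client.list_roles(name='member')['roles']` / `if not roles: raise cls.skipException("no 'member' role available")` / `cls.member_role_id = roles[0]['id']` would fail clearly. The hard-coded name also ties the suite to keystone's default `domain_managed_target_role` list, which the new domain-manager test (L5009–L5011) relies on; a comment recording that assumption, or a plugin config option, would keep the dependency visible when a deployment changes that setting.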
@@ -304,7 +306,7 @@
                         description=data_utils.arbitrary_string())
 
     def test_identity_delete_domain_role(self):
-        # user can delete domain role
+        # user cannot delete domain role
         role = self.admin_roles_client.create_role(
             **self.role(domain_id=self.domain_id))['role']
         self.do_request('delete_role', expected_status=exceptions.Forbidden,
@@ -323,26 +325,10 @@
 
     credentials = ['domain_admin', 'system_admin']
 
-    def test_identity_get_role(self):
-        # user cannot get role
-        role = self.admin_roles_client.create_role(
-            **self.role())['role']
-        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
-        self.do_request('show_role', expected_status=exceptions.Forbidden,
-                        role_id=role['id'])
-        # user gets a 404 for nonexistent role
-        self.do_request('show_role', expected_status=exceptions.NotFound,
-                        role_id=data_utils.rand_uuid_hex())
-
-    def test_identity_list_roles(self):
-        # user cannot list roles
-        role = self.admin_roles_client.create_role(**self.role())['role']
-        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
-        self.do_request('list_roles', expected_status=exceptions.Forbidden)
-
     def test_identity_get_domain_role(self):
         # user cannot get domain role in own domain
-        role = self.admin_roles_client.create_role(**self.role())['role']
+        role = self.admin_roles_client.create_role(
+            **self.role(domain_id=self.own_domain))['role']
         self.addCleanup(self.admin_roles_client.delete_role, role['id'])
         self.do_request('show_role', expected_status=exceptions.Forbidden,
                         role_id=role['id'])
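Review bot: Removing `test_identity_get_role` and `test_identity_list_roles` from `DomainAdminTests` (L4974–L4990) means both domain_admin and the new domain_manager persona now take their list-roles expectation from DomainAdminTests' parent, which is outside this hunk; `DomainManagerTests` re-adds only `test_identity_get_role` (L5008) and `DomainMemberTests` restores both as forbidden (L5028–L5043). If a domain manager is meant to list only the domain-managed target roles rather than every role, that is not captured anywhere now. A `test_identity_list_roles` on `DomainManagerTests` asserting what a manager should and should not see would pin it down.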
@@ -365,26 +351,68 @@
                         domain_id=self.domain_id)
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+    def test_identity_get_role(self):
+        # user can get role that is part of the domain_managed_target_role
+        # list for domain managers, which per default includes "member"
+        self.do_request('show_role', role_id=self.member_role_id)
+        # user cannot get arbitrary global role not part of the
+        # domain_managed_target_role list
+        role = self.admin_roles_client.create_role(
+            **self.role())['role']
+        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
+        self.do_request('show_role', expected_status=exceptions.Forbidden,
+                        role_id=role['id'])
+        # user gets a 404 for nonexistent role
+        self.do_request('show_role', expected_status=exceptions.NotFound,
+                        role_id=data_utils.rand_uuid_hex())
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
+    def test_identity_get_role(self):
+        # user cannot get role
+        role = self.admin_roles_client.create_role(
+            **self.role())['role']
+        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
+        self.do_request('show_role', expected_status=exceptions.Forbidden,
+                        role_id=role['id'])
+        # user gets a 404 for nonexistent role
+        self.do_request('show_role', expected_status=exceptions.NotFound,
+                        role_id=data_utils.rand_uuid_hex())
+
+    def test_identity_list_roles(self):
+        # user cannot list roles
+        role = self.admin_roles_client.create_role(**self.role())['role']
+        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
+        self.do_request('list_roles', expected_status=exceptions.Forbidden)
+
 
 class DomainReaderTests(DomainMemberTests):
 
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainMemberTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py b/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
index 7b27294..e7f9201 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
@@ -939,24 +939,53 @@
         # Should not see subtree assignments for project in other domain
         query = {'scope.project.id': self.project_other_domain,
                  'include_subtree': True}
-        self.do_request('list_role_assignments',
-                        expected_status=exceptions.Forbidden, **query)
+        self.do_request('list_role_assignments', **query)
 
 
 class DomainMemberTests(DomainAdminTests):
 
     credentials = ['domain_member', 'system_admin']
 
+    def test_identity_list_role_assignments_for_tree(self):
+        # Should see subtree assignments for project in own domain
+        subproject_id = self.admin_client.projects_client.create_project(
+            name=data_utils.rand_name('project'),
+            domain_id=self.own_domain,
+            parent_id=self.project_in_domain)['project']['id']
+        self.addCleanup(self.admin_client.projects_client.delete_project,
+                        subproject_id)
+        self.admin_client.roles_v3_client.create_user_role_on_project(
+            subproject_id, self.user_in_domain, self.role_id)
+        query = {'scope.project.id': self.project_in_domain,
+                 'include_subtree': True}
+        resp = self.do_request('list_role_assignments', **query)
+        actual = self._extract_role_assignments_from_response_body(resp)
+        expected_assignment = {'user_id': self.user_in_domain,
+                               'project_id': subproject_id,
+                               'role_id': self.role_id}
+        self.assertIn(expected_assignment, actual)
+
+        # Should not see subtree assignments for project in other domain
+        query = {'scope.project.id': self.project_other_domain,
+                 'include_subtree': True}
+        self.do_request('list_role_assignments',
+                        expected_status=exceptions.Forbidden, **query)
+
 
 class DomainReaderTests(DomainMemberTests):
 
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
+
+class ProjectManagerTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
+
+    credentials = ['project_manager', 'system_admin']
+
     def test_identity_list_role_assignments(self):
         # Listing all assignments with no filters should fail
         self.do_request('list_role_assignments',
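Review bot: The comment at L5077, `# Should not see subtree assignments for project in other domain`, now sits above a call (L5082) that expects success, so it contradicts the new expectation for the domain admin; it should read `# Should see subtree assignments for project in other domain`. The call also no longer checks anything about the response, unlike the own-domain case at L5101–L5106; asserting that a known assignment under `self.project_other_domain` appears in `self._extract_role_assignments_from_response_body(resp)` would make the positive case meaningful rather than a bare 200 check. The enclosing test starts outside the hunk.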
@@ -1080,43 +1109,6 @@
         self.do_request('list_role_assignments',
                         expected_status=exceptions.Forbidden, **query)
 
-        # Should see subtree for own project
-        own_project = self.persona.credentials.project_id
-        subproject_id = self.admin_client.projects_client.create_project(
-            name=data_utils.rand_name('project'),
-            domain_id=self.own_domain,
-            parent_id=own_project)['project']['id']
-        self.addCleanup(self.admin_client.projects_client.delete_project,
-                        subproject_id)
-        self.admin_client.roles_v3_client.create_user_role_on_project(
-            subproject_id, self.user_other_domain, self.role_id)
-        query = {'scope.project.id': own_project,
-                 'include_subtree': True}
-        resp = self.do_request('list_role_assignments', **query)
-        expected_assignment = {'user_id': self.user_other_domain,
-                               'project_id': subproject_id,
-                               'role_id': self.role_id}
-        actual = self._extract_role_assignments_from_response_body(resp)
-        self.assertIn(expected_assignment, actual)
-
-
-class ProjectMemberTests(ProjectAdminTests):
-
-    credentials = ['project_member', 'system_admin']
-
-    def test_identity_list_role_assignments_for_tree(self):
-        # Should not see subtree assignments for project in own domain
-        query = {'scope.project.id': self.project_in_domain,
-                 'include_subtree': True}
-        self.do_request('list_role_assignments',
-                        expected_status=exceptions.Forbidden, **query)
-
-        # Should not see subtree assignments for project in other domain
-        query = {'scope.project.id': self.project_other_domain,
-                 'include_subtree': True}
-        self.do_request('list_role_assignments',
-                        expected_status=exceptions.Forbidden, **query)
-
         # Should not see subtree for own project
         own_project = self.persona.credentials.project_id
         query = {'scope.project.id': own_project,
@@ -1125,6 +1117,11 @@
                         expected_status=exceptions.Forbidden, **query)
 
 
+class ProjectMemberTests(ProjectManagerTests):
+
+    credentials = ['project_member', 'system_admin']
+
+
 class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_service.py b/keystone_tempest_plugin/tests/rbac/v3/test_service.py
index a6a9083..92d7a84 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_service.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_service.py
@@ -208,7 +208,12 @@
         self.do_request('list_services', expected_status=exceptions.Forbidden)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -218,16 +223,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py b/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
index 6cf54b9..5e9914f 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
@@ -225,7 +225,12 @@
                         expected_status=exceptions.Forbidden)
 
 
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+class DomainManagerTests(DomainAdminTests, base.BaseIdentityTest):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -235,16 +240,21 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainReaderTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_token.py b/keystone_tempest_plugin/tests/rbac/v3/test_token.py
index e5d10ed..87db0eb 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_token.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_token.py
@@ -229,7 +229,7 @@
     credentials = ['system_reader', 'system_admin']
 
 
-class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
 
     credentials = ['domain_admin', 'system_admin']
 
@@ -242,6 +242,11 @@
         # call base setUp directly to ensure we don't use system creds
         super(SystemAdminTests, self).setUp()
 
+
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
     def test_identity_check_token(self):
         # user can check own token
         self.do_request('check_token_existence', resp_token=self.own_token)
@@ -274,18 +279,32 @@
                         expected_status=exceptions.Forbidden,
                         resp_token=self.project_token)
 
+    def test_identity_revoke_token(self):
+        # user can revoke own token
+        self.do_request('delete_token', expected_status=204,
+                        resp_token=self.own_token)
+        # user cannot revoke other system user's token
+        self.do_request('delete_token', expected_status=exceptions.Forbidden,
+                        resp_token=self.system_token)
+        # user cannot revoke domain user's token
+        self.do_request('delete_token', expected_status=exceptions.Forbidden,
+                        resp_token=self.domain_token)
+        # user cannot revoke project user's token
+        self.do_request('delete_token', expected_status=exceptions.Forbidden,
+                        resp_token=self.project_token)
 
-class DomainMemberTests(DomainAdminTests):
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
 
-class DomainReaderTests(DomainAdminTests):
+class DomainReaderTests(DomainMemberTests):
 
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(DomainAdminTests, base.BaseIdentityTest):
+class ProjectAdminTests(DomainAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
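Review bot: `test_identity_revoke_token` (L5304–L5316) checks only that revoking `self.own_token` returns 204 and never verifies the token is actually gone; a follow-up `self.do_request('check_token_existence', expected_status=exceptions.NotFound, resp_token=self.own_token)` would confirm the revocation took effect (keystone reports a revoked subject token as not found). Because the test is defined on `DomainManagerTests` and inherited unchanged by `DomainMemberTests` (L5320), `DomainReaderTests` (L5326) and the project classes below, it encodes that every one of those personas may revoke its own token and none may revoke another user's; that is reasonable but worth one line in the test comment so a later override is not mistaken for a regression.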
@@ -299,11 +318,34 @@
         super(SystemAdminTests, self).setUp()
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectManagerTests(DomainMemberTests):
+
+    credentials = ['project_manager', 'system_admin']
+
+    def setUp(self):
+        self.own_keystone_creds = {
+            'user_id': self.persona.credentials.user_id,
+            'password': self.persona.credentials.password,
+            'project_id': self.persona.credentials.project_id
+        }
+        # call base setUp directly to ensure we don't use system creds
+        super(SystemAdminTests, self).setUp()
+
+
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
+    def setUp(self):
+        self.own_keystone_creds = {
+            'user_id': self.persona.credentials.user_id,
+            'password': self.persona.credentials.password,
+            'project_id': self.persona.credentials.project_id
+        }
+        # call base setUp directly to ensure we don't use system creds
+        super(SystemAdminTests, self).setUp()
 
-class ProjectReaderTests(ProjectAdminTests):
+
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
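Review bot: The `setUp` added to `ProjectMemberTests` is byte-identical to the one on its new base `ProjectManagerTests`, so the override is redundant and just a second copy to keep in sync; dropping the method from `ProjectMemberTests` leaves behaviour unchanged because `super(SystemAdminTests, self).setUp()` resolves the same way from either class. A one-line comment on `ProjectManagerTests.setUp` explaining why it skips the Domain*/SystemAdmin `setUp` chain (`# skip the domain/system setUp chain: build own_keystone_creds from the project persona only`) would help the next reader more than the duplicate.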
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_trust.py b/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
index c30f9eb..7a2a26c 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
@@ -357,7 +357,12 @@
                         trust_id=trust_id, role_id=self.roles[0]['id'])
 
 
-class DomainMemberTests(DomainAdminTests):
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
+
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
@@ -367,7 +372,7 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
@@ -395,6 +400,35 @@
             expected_status=exceptions.Forbidden,
             **self.trust())
 
+
+class ProjectManagerTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
+
+    credentials = ['project_manager', 'system_admin']
+
+    def setUp(self):
+        super(ProjectManagerTests, self).setUp()
+        self.role_id = self.member_role_id
+
+    def test_identity_create_trust(self):
+        # user can create a trust for their own project
+        trustor_user_id = self.persona.credentials.user_id
+        project_id = self.persona.credentials.project_id
+        resp = self.do_request(
+            'create_trust',
+            expected_status=201,
+            **self.trust(
+                trustor=trustor_user_id,
+                project_id=project_id,
+                roles=[{'id': self.role_id}])
+        )['trust']
+        self.addCleanup(self.client.delete_trust, resp['id'])
+
+        # user cannot create trust with another user as trustor
+        self.do_request(
+            'create_trust',
+            expected_status=exceptions.Forbidden,
+            **self.trust())
+
     def test_identity_get_trust(self):
         # user can get a trust for which they are trustor
         trustor_user_id = self.persona.credentials.user_id
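Review bot: The cleanup registered at the end of the first create uses `self.client.delete_trust`; if `self.client` is the persona's client, tearing down the trust depends on the project manager also being permitted to delete it, and a stricter delete policy would leak the trust and fail the test for the wrong reason. The user tests in this series register cleanups with the admin client (`admin_users_client`), and doing the same here with the admin trusts client keeps cleanup independent of the policy under test. `test_identity_get_trust` continues past the hunk.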
@@ -541,16 +575,12 @@
                         trust_id=trust_id)
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
-    def setUp(self):
-        super(ProjectMemberTests, self).setUp()
-        self.role_id = self.member_role_id
 
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
 
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_user.py b/keystone_tempest_plugin/tests/rbac/v3/test_user.py
index 7dcfdc7..08edfe6 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_user.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_user.py
@@ -248,12 +248,30 @@
     credentials = ['system_reader', 'system_admin']
 
 
-class DomainAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
 
     credentials = ['domain_admin', 'system_admin']
 
+    def test_identity_list_users(self):
+        # the /v3/users api filters the response for domain-scoped
+        # tokens to users only in the domain, so we can't re-use
+        # the test from SystemAdminTests
+        user_create = self.user()
+        user_create['domain_id'] = self.persona.credentials.domain_id
+        # create user in default domain
+        user1 = self.admin_users_client.create_user(**user_create)['user']
+        self.addCleanup(self.admin_users_client.delete_user, user1['id'])
+        resp = self.do_request('list_users')
+        user_ids = set(u['id'] for u in resp['users'])
+        self.assertIn(user1['id'], user_ids)
+
+
+class DomainManagerTests(DomainAdminTests):
+
+    credentials = ['domain_manager', 'system_admin']
+
     def setUp(self):
-        super(DomainAdminTests, self).setUp()
+        super(DomainManagerTests, self).setUp()
         self.other_domain = self.admin_domains_client.create_domain(
             name=data_utils.rand_name())['domain']
         self.addCleanup(self.admin_domains_client.delete_domain,
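Review bot: The comment `# create user in default domain` contradicts the line above it, which sets `domain_id` to the persona's own domain; it should read `# create user in the persona's own domain`. The test also asserts only the positive half of the filtering it describes: a second user created via `self.admin_users_client` in a different domain, followed by `self.assertNotIn(user2['id'], user_ids)`, would verify that the domain-scoped listing actually excludes other domains. `set(u['id'] for u in ...)` reads better as a set comprehension, `{u['id'] for u in resp['users']}`. `DomainManagerTests.setUp` continues past the hunk.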
@@ -263,14 +281,16 @@
 
     def test_identity_create_user(self):
         user_create = self.user()
-        # create user in other domain
+        # cannot create user without domain specified
+        self.do_request('create_user', expected_status=exceptions.Forbidden,
+                        **user_create)
+        # cannot create user in other domain
         user_create['domain_id'] = self.other_domain['id']
         self.do_request('create_user', expected_status=exceptions.Forbidden,
                         **user_create)
-        # create user in own domain
+        # can create user in own domain
         user_create['domain_id'] = self.persona.credentials.domain_id
-        resp = self.do_request('create_user',
-                               expected_status=201,
+        resp = self.do_request('create_user', expected_status=201,
                                **user_create)
         self.addCleanup(self.admin_users_client.delete_user,
                         resp['user']['id'])
@@ -328,6 +348,7 @@
         user_create['domain_id'] = self.persona.credentials.domain_id
         user = self.admin_users_client.create_user(**user_create)['user']
         self.addCleanup(self.admin_users_client.delete_user, user['id'])
+        # user can update user in own domain
         user_update = {
             'user_id': user['id'],
             'description': data_utils.arbitrary_string()
@@ -347,30 +368,23 @@
         user_create['domain_id'] = self.other_domain['id']
         user = self.admin_users_client.create_user(**user_create)['user']
         self.addCleanup(self.admin_users_client.delete_user, user['id'])
+        # user cannot delete user in other domain
         self.do_request('delete_user', expected_status=exceptions.Forbidden,
                         user_id=user['id'])
         # create user in own domain
         user_create['domain_id'] = self.persona.credentials.domain_id
         user = self.admin_users_client.create_user(**user_create)['user']
+        # user can delete user in own domain
         self.do_request('delete_user', expected_status=204, user_id=user['id'])
         # user gets a 403 for nonexistent user
         self.do_request('delete_user', expected_status=exceptions.Forbidden,
                         user_id='fakeuser')
 
 
-class DomainMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+class DomainMemberTests(DomainManagerTests):
 
     credentials = ['domain_member', 'system_admin']
 
-    def setUp(self):
-        super(DomainMemberTests, self).setUp()
-        self.other_domain = self.admin_domains_client.create_domain(
-            name=data_utils.rand_name())['domain']
-        self.addCleanup(self.admin_domains_client.delete_domain,
-                        self.other_domain['id'])
-        self.addCleanup(self.admin_domains_client.update_domain,
-                        domain_id=self.other_domain['id'], enabled=False)
-
     def test_identity_create_user(self):
         user_create = self.user()
         # create user without domain specified
@@ -475,10 +489,15 @@
     credentials = ['domain_reader', 'system_admin']
 
 
-class ProjectAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
 
     credentials = ['project_admin', 'system_admin']
 
+
+class ProjectManagerTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+
+    credentials = ['project_manager', 'system_admin']
+
     def test_identity_create_user(self):
         self.do_request('create_user', expected_status=exceptions.Forbidden,
                         **self.user())
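Review bot: `ProjectAdminTests` now consists of the credentials line alone and inherits every user test from `SystemAdminTests` unchanged, i.e. it asserts that a project-scoped admin can do whatever a system admin can with users. If that is the intended expectation under the current default policies, a comment on the class stating it (`# project admin is expected to match system admin for user operations`) would stop a reader from treating it as an oversight; if not, the differing tests need overriding here as `ProjectManagerTests` does. The same base change appears on `ProjectAdminTests` in test_trust.py, where overrides do follow.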
@@ -530,11 +549,11 @@
                         user_id='fakeuser')
 
 
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(ProjectManagerTests):
 
     credentials = ['project_member', 'system_admin']
 
 
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/scenario/keycloak.py b/keystone_tempest_plugin/tests/scenario/keycloak.py
index 50c3495..ef2b01d 100644
--- a/keystone_tempest_plugin/tests/scenario/keycloak.py
+++ b/keystone_tempest_plugin/tests/scenario/keycloak.py
@@ -26,7 +26,7 @@
 
     @property
     def url_base(self):
-        return self.keycloak_url + f'/admin/realms'
+        return self.keycloak_url + '/admin/realms'
 
     @property
     def token_endpoint(self):
diff --git a/keystone_tempest_plugin/tests/scenario/test_oidc_federated_authentication.py b/keystone_tempest_plugin/tests/scenario/test_oidc_federated_authentication.py
index d6d064f..a860dcb 100644
--- a/keystone_tempest_plugin/tests/scenario/test_oidc_federated_authentication.py
+++ b/keystone_tempest_plugin/tests/scenario/test_oidc_federated_authentication.py
@@ -18,6 +18,7 @@
 from keystoneauth1 import session as ks_session
 from tempest import config
 from tempest.lib.common.utils import data_utils
+from tempest.lib import exceptions
 import testtools
 
 from .keycloak import KeycloakClient
@@ -51,6 +52,14 @@
         # custom CA certificate settings
         self.ca_certificates_file = CONF.identity.ca_certificates_file
 
+    def _check_existing_protocol(self):
+        try:
+            self.idps_client.get_protocol_and_mapping(
+                self.idp_id, self.protocol_id)
+            return True
+        except exceptions.NotFound:
+            return False
+
     def _setup_mapping(self):
         self.mapping_id = data_utils.rand_uuid_hex()
         rules = [{
@@ -84,26 +93,12 @@
             self.idp_id,
             self.protocol_id)
 
-    def setUp(self):
-        super(TestOidcFederatedAuthentication, self).setUp()
-        self._setup_settings()
-
-        # Setup mapping and protocol
-        self._setup_mapping()
-        self._setup_protocol()
-        self.keycloak = KeycloakClient(
-            keycloak_url=self.idp_url,
-            keycloak_username=self.idp_username,
-            keycloak_password=self.idp_password,
-            ca_certs_file=self.ca_certificates_file,
-        )
-
     def _setup_user(self, email=None):
         email = email if email else f'test-{uuid.uuid4().hex}@example.com'
         self.keycloak.create_user(email, 'Test', 'User')
         return email
 
-    def _request_unscoped_token(self, user):
+    def _request_unscoped_token(self, user, password):
         auth = identity.v3.OidcPassword(
             auth_url=self.keystone_v3_endpoint,
             identity_provider=self.idp_id,
@@ -113,11 +108,34 @@
             access_token_endpoint=self.keycloak.token_endpoint,
             discovery_endpoint=self.keycloak.discovery_endpoint,
             username=user,
-            password='secret'
+            password=password
         )
         s = ks_session.Session(auth, verify=self.ca_certificates_file)
         return s.get_auth_headers()
 
+    def setUp(self):
+        super(TestOidcFederatedAuthentication, self).setUp()
+        self._setup_settings()
+
+        # Setup mapping and protocol
+        if not self._check_existing_protocol():
+            self._setup_mapping()
+            self._setup_protocol()
+
+        self.keycloak = KeycloakClient(
+            keycloak_url=self.idp_url,
+            keycloak_username=self.idp_username,
+            keycloak_password=self.idp_password,
+            ca_certs_file=self.ca_certificates_file,
+        )
+
+        if CONF.fed_scenario.idp_test_user_name:
+            self.test_user = CONF.fed_scenario.idp_test_user_name
+            self.test_user_password = CONF.fed_scenario.idp_test_user_password
+        else:
+            self.test_user = self._setup_user()
+            self.test_user_password = 'secret'
+
     @testtools.skipUnless(CONF.identity_feature_enabled.federation,
                           "Federated Identity feature not enabled")
     @testtools.skipUnless(CONF.identity_feature_enabled.external_idp,
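Review bot: When `_check_existing_protocol()` returns True, `_setup_mapping()` is skipped and `self.mapping_id` is never assigned, so anything that later reads it would raise `AttributeError`; if nothing does, a comment on the branch such as `# protocol already present: reuse its mapping, self.mapping_id is not set` records that the pre-existing mapping is trusted as-is. The literal `'secret'` on the fallback path has to agree with whatever password `KeycloakClient.create_user` assigns, which is not visible here; a single constant on the client class would tie the two together.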
@@ -125,10 +143,9 @@
     @testtools.skipUnless(CONF.fed_scenario.protocol_id == 'openid',
                           "Protocol not openid")
     def test_request_unscoped_token(self):
-        user = self._setup_user()
-        token = self._request_unscoped_token(user)
+        token = self._request_unscoped_token(self.test_user,
+                                             self.test_user_password)
         self.assertNotEmpty(token)
-        self.keycloak.delete_user(user)
 
     @testtools.skipUnless(CONF.identity_feature_enabled.federation,
                           "Federated Identity feature not enabled")
@@ -137,8 +154,8 @@
     @testtools.skipUnless(CONF.fed_scenario.protocol_id == 'openid',
                           "Protocol not openid")
     def test_request_scoped_token(self):
-        user = self._setup_user()
-        token = self._request_unscoped_token(user)
+        token = self._request_unscoped_token(self.test_user,
+                                             self.test_user_password)
         token_id = token['X-Auth-Token']
 
         projects = self.auth_client.get_available_projects_scopes(
@@ -148,4 +165,8 @@
         # Get a scoped token to one of the listed projects
         self.tokens_client.auth(
             project_id=projects[0]['id'], token=token_id)
-        self.keycloak.delete_user(user)
+
+    def tearDown(self):
+        super(TestOidcFederatedAuthentication, self).tearDown()
+        if not CONF.fed_scenario.idp_test_user_name:
+            self.keycloak.delete_user(self.test_user)
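Review bot: The `tearDown` override repeats the `idp_test_user_name` condition from `setUp`; registering the deletion where the user is created, `self.addCleanup(self.keycloak.delete_user, self.test_user)` in the `else` branch of `setUp`, is the idiomatic tempest form and keeps the condition in one place. As written, `super().tearDown()` runs before this cleanup, so base-class teardown happens ahead of the IdP cleanup rather than after it.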
diff --git a/releasenotes/notes/drop-python38-support-cbd5634f9aadf291.yaml b/releasenotes/notes/drop-python38-support-cbd5634f9aadf291.yaml
new file mode 100644
index 0000000..8785164
--- /dev/null
+++ b/releasenotes/notes/drop-python38-support-cbd5634f9aadf291.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    Python 3.8 support has been dropped. Last release of
+    keystone-tempest-plugin to support python 3.8 is 0.17.0.
+    The minimum version of Python now supported is Python 3.9.
diff --git a/requirements.txt b/requirements.txt
index 38c4604..5525f8d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
+# Requirements lower bounds listed here are our best effort to keep them up to
+# date but we do not test them so no guarantee of having them all correct. If
+# you find any incorrect lower bounds, let us know or propose a fix.
 
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 
diff --git a/setup.cfg b/setup.cfg
index 58f75a1..a4d7582 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,11 +1,12 @@
 [metadata]
 name = keystone_tempest_plugin
 summary = Tempest plugin keystone_tempest_plugin
-description-file =
+description_file =
     README.rst
 author = OpenStack
-author-email = openstack-discuss@lists.openstack.org
-home-page = https://docs.openstack.org/keystone/latest/
+author_email = openstack-discuss@lists.openstack.org
+home_page = https://docs.openstack.org/keystone/latest/
+python_requires = >=3.10
 classifier =
     Environment :: OpenStack
     Intended Audience :: Information Technology
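Review bot: `python_requires = >=3.10` and the classifier list starting at 3.10 in the next hunk disagree with the release note in this same change, which states that the minimum supported version is now Python 3.9. One of the two is wrong; either the metadata should be `>=3.9` with a 3.9 classifier, or the release note should say 3.10.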
@@ -14,8 +15,10 @@
     Operating System :: POSIX :: Linux
     Programming Language :: Python
     Programming Language :: Python :: 3
-    Programming Language :: Python :: 3.6
-    Programming Language :: Python :: 3.7
+    Programming Language :: Python :: 3.10
+    Programming Language :: Python :: 3.11
+    Programming Language :: Python :: 3.12
+    Programming Language :: Python :: 3.13
 
 [files]
 packages =
diff --git a/setup.py b/setup.py
index 566d844..cd35c3c 100644
--- a/setup.py
+++ b/setup.py
@@ -13,17 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# THIS FILE IS MANAGED BY THE GLOBAL REQUIREMENTS REPO - DO NOT EDIT
 import setuptools
 
-# In python < 2.7.4, a lazy loading of package `pbr` will break
-# setuptools if some other modules registered functions in `atexit`.
-# solution from: http://bugs.python.org/issue15881#msg170215
-try:
-    import multiprocessing  # noqa
-except ImportError:
-    pass
-
 setuptools.setup(
     setup_requires=['pbr>=2.0.0'],
     pbr=True)
diff --git a/test-requirements.txt b/test-requirements.txt
index 9c7d865..3d2e1c5 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,5 +1 @@
-# The order of packages is significant, because pip processes them in the order
-# of appearance. Changing the order has an impact on the overall integration
-# process, which may cause wedges in the gate later.
-
-hacking>=3.0,<3.1.0;python_version>='3.5' # Apache-2.0
+hacking>=6.1.0,<6.2.0 # Apache-2.0