Merge "Adjust domain tests for changed list_domains scoping behavior"
diff --git a/.zuul.yaml b/.zuul.yaml
index d44f208..8eaf6af 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -1,6 +1,7 @@
 - job:
     name: keystone-protection-functional
     parent: keystone-dsvm-py3-functional
+    voting: false
     vars:
       tempest_test_regex: 'keystone_tempest_plugin.tests.rbac'
       devstack_localrc:
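Review bot: The added `voting: false` on keystone-protection-functional has no explanation, and this is the job whose `tempest_test_regex` selects the `keystone_tempest_plugin.tests.rbac` suite. The next hunk still lists the job under both check and gate, so RBAC expectation failures would be reported but presumably would not block a merge while it is non-voting. Record the reason and the exit condition next to the setting, for example `# TODO(<owner>): non-voting until <policy change reference> lands; restore voting afterwards`. If the job is meant to stay non-voting for long, consider dropping it from the gate list rather than running it there without effect.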
@@ -41,20 +42,26 @@
     check:
       jobs:
         - keystone-dsvm-py3-functional
-        - keystone-dsvm-py3-functional-federation-ubuntu-focal:
+        - keystone-dsvm-py3-functional-federation-ubuntu-jammy:
             voting: false
-        - keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k
+        - keystone-dsvm-py3-functional-federation-ubuntu-jammy-k2k
+        - keystone-dsvm-py3-functional-2024-1
         - keystone-dsvm-py3-functional-2023-2
         - keystone-dsvm-py3-functional-2023-1
-        - keystone-dsvm-py3-functional-zed
         - keystone-protection-functional
     gate:
       jobs:
         - keystone-dsvm-py3-functional
-        - keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k
+        - keystone-dsvm-py3-functional-federation-ubuntu-jammy-k2k
         - keystone-protection-functional
 
 - job:
+    name: keystone-dsvm-py3-functional-2024-1
+    parent: keystone-dsvm-py3-functional
+    nodeset: openstack-single-node-jammy
+    override-checkout: stable/2024.1
+
+- job:
     name: keystone-dsvm-py3-functional-2023-2
     parent: keystone-dsvm-py3-functional
     nodeset: openstack-single-node-jammy
@@ -65,9 +72,3 @@
     parent: keystone-dsvm-py3-functional
     nodeset: openstack-single-node-jammy
     override-checkout: stable/2023.1
-
-- job:
-    name: keystone-dsvm-py3-functional-zed
-    parent: keystone-dsvm-py3-functional
-    nodeset: openstack-single-node-focal
-    override-checkout: stable/zed
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
index ca7d355..0c70589 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
@@ -339,109 +339,15 @@
     credentials = ['system_reader', 'system_admin']
 
 
-class DomainAdminTests(IdentityV3RbacCredentialTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
 
     credentials = ['domain_admin', 'system_admin']
 
-    def test_identity_create_credential(self):
-        # domain admins cannot create credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            self.do_request(
-                'create_credential',
-                expected_status=exceptions.Forbidden,
-                **self.credential(user_id=u))
 
-    def test_identity_get_credential(self):
-        # domain admins cannot get credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            cred = self.admin_credentials_client.create_credential(
-                **self.credential(user_id=u))['credential']
-            self.addCleanup(
-                self.admin_credentials_client.delete_credential, cred['id'])
-            self.do_request(
-                'show_credential',
-                expected_status=exceptions.Forbidden,
-                credential_id=cred['id'])
-        # non-existent credential is Forbidden
-        self.do_request(
-            'show_credential',
-            expected_status=exceptions.Forbidden,
-            credential_id=data_utils.rand_uuid_hex())
-
-    def test_identity_list_credentials(self):
-        # domain admins cannot list credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            cred = self.admin_credentials_client.create_credential(
-                **self.credential(user_id=u))['credential']
-            self.addCleanup(
-                self.admin_credentials_client.delete_credential, cred['id'])
-            self.do_request(
-                'list_credentials',
-                expected_status=exceptions.Forbidden)
-
-    def test_identity_update_credential(self):
-        # domain admins cannot update credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            cred = self.credential(user_id=u)
-            resp = self.admin_credentials_client.create_credential(
-                **cred)['credential']
-            self.addCleanup(
-                self.admin_credentials_client.delete_credential, resp['id'])
-            cred['blob'] = data_utils.rand_uuid_hex()
-            self.do_request(
-                'update_credential',
-                expected_status=exceptions.Forbidden,
-                credential_id=resp['id'], **cred)
-        # non-existent credential is Forbidden
-        self.do_request(
-            'update_credential',
-            expected_status=exceptions.Forbidden,
-            credential_id=data_utils.rand_uuid_hex(),
-            **self.credential(user_id=user_id))
-
-    def test_identity_delete_credential(self):
-        # domain admins cannot delete credentials
-        user_id = self.persona.credentials.user_id
-        for u in [user_id, self.test_user_1, self.test_user_2]:
-            cred = self.credential(user_id=u)
-            resp = self.admin_credentials_client.create_credential(
-                **cred)['credential']
-            self.addCleanup(
-                self.admin_credentials_client.delete_credential, resp['id'])
-            self.do_request(
-                'delete_credential',
-                expected_status=exceptions.Forbidden,
-                credential_id=resp['id'])
-        # non-existent credential is Forbidden
-        self.do_request(
-            'delete_credential',
-            expected_status=exceptions.Forbidden,
-            credential_id=data_utils.rand_uuid_hex())
-
-
-class DomainMemberTests(DomainAdminTests):
+class DomainMemberTests(SystemReaderTests):
 
     credentials = ['domain_member', 'system_admin']
 
-
-class DomainReaderTests(DomainAdminTests):
-
-    credentials = ['domain_reader', 'system_admin']
-
-
-class ProjectAdminTests(SystemAdminTests):
-
-    credentials = ['project_admin', 'system_admin']
-
-
-class ProjectMemberTests(SystemReaderTests):
-
-    credentials = ['project_member', 'system_admin']
-
     def test_identity_get_credential(self):
         # user can get their own credential
         user_id = self.persona.credentials.user_id
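Review bot: DomainAdminTests at the top of this hunk now takes every expectation from SystemAdminTests, whose body is outside the hunk, and nothing on the class says why. The deleted tests required `exceptions.Forbidden` for the persona's own user, test_user_1 and test_user_2, so this presumably flips an access-control expectation rather than refactoring it. Add a class comment naming the policy change, for example `# domain_admin is expected to match system_admin on the credentials API since <policy change reference>`. Whether the inherited tests cover users outside the persona's domain cannot be judged from the visible lines; if they do not, a negative cross-domain case is worth adding. DomainMemberTests also continues past the end of the hunk.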
@@ -485,6 +391,21 @@
             self.assertNotIn(cred['id'], [c['id'] for c in resp])
 
 
+class DomainReaderTests(DomainMemberTests):
+
+    credentials = ['domain_reader', 'system_admin']
+
+
+class ProjectAdminTests(SystemAdminTests):
+
+    credentials = ['project_admin', 'system_admin']
+
+
+class ProjectMemberTests(DomainReaderTests):
+
+    credentials = ['project_member', 'system_admin']
+
+
 class ProjectReaderTests(ProjectMemberTests):
 
     credentials = ['project_reader', 'system_admin']
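Review bot: `class ProjectMemberTests(DomainReaderTests):` makes a member persona inherit from a reader class, while the same commit moves ProjectMemberTests in test_role.py to `DomainMemberTests`. DomainReaderTests here only overrides `credentials`, so `class ProjectMemberTests(DomainMemberTests):` should behave the same, read more clearly and keep the two files consistent. Either way, a one-line comment on the class, such as `# project members see only their own credentials, same expectations as domain members`, would stop readers from having to walk the chain project_member → domain_reader → domain_member → SystemReaderTests.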
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_role.py
index 997731c..32fa424 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_role.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_role.py
@@ -323,26 +323,10 @@
 
     credentials = ['domain_admin', 'system_admin']
 
-    def test_identity_get_role(self):
-        # user cannot get role
-        role = self.admin_roles_client.create_role(
-            **self.role())['role']
-        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
-        self.do_request('show_role', expected_status=exceptions.Forbidden,
-                        role_id=role['id'])
-        # user gets a 404 for nonexistent role
-        self.do_request('show_role', expected_status=exceptions.NotFound,
-                        role_id=data_utils.rand_uuid_hex())
-
-    def test_identity_list_roles(self):
-        # user cannot list roles
-        role = self.admin_roles_client.create_role(**self.role())['role']
-        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
-        self.do_request('list_roles', expected_status=exceptions.Forbidden)
-
     def test_identity_get_domain_role(self):
         # user cannot get domain role in own domain
-        role = self.admin_roles_client.create_role(**self.role())['role']
+        role = self.admin_roles_client.create_role(
+            **self.role(domain_id=self.own_domain))['role']
         self.addCleanup(self.admin_roles_client.delete_role, role['id'])
         self.do_request('show_role', expected_status=exceptions.Forbidden,
                         role_id=role['id'])
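Review bot: With the `test_identity_get_role` and `test_identity_list_roles` overrides removed, DomainAdminTests gets its expectations for global roles from its base class, which is outside this hunk, while `test_identity_get_domain_role` still expects `exceptions.Forbidden` for a role created with `domain_id=self.own_domain`. That asymmetry is easy to misread as an oversight. State it on the class, for example `# domain admins follow the base class for global roles but are still denied domain-specific roles, including in their own domain`. `self.own_domain` is not defined in the visible lines and `test_identity_get_domain_role` continues past the end of the hunk, so confirm the attribute is set for every persona that inherits this test.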
@@ -369,6 +353,23 @@
 
     credentials = ['domain_member', 'system_admin']
 
+    def test_identity_get_role(self):
+        # user cannot get role
+        role = self.admin_roles_client.create_role(
+            **self.role())['role']
+        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
+        self.do_request('show_role', expected_status=exceptions.Forbidden,
+                        role_id=role['id'])
+        # user gets a 404 for nonexistent role
+        self.do_request('show_role', expected_status=exceptions.NotFound,
+                        role_id=data_utils.rand_uuid_hex())
+
+    def test_identity_list_roles(self):
+        # user cannot list roles
+        role = self.admin_roles_client.create_role(**self.role())['role']
+        self.addCleanup(self.admin_roles_client.delete_role, role['id'])
+        self.do_request('list_roles', expected_status=exceptions.Forbidden)
+
 
 class DomainReaderTests(DomainMemberTests):
 
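Review bot: `test_identity_get_role` in DomainMemberTests pins two different outcomes for a persona that is denied access: `exceptions.Forbidden` for an existing role and `exceptions.NotFound` for a random ID. The status code therefore tells an unauthorized caller whether a role ID exists. If that is the intended API behaviour, extend the comment to say so, for example `# intentional: unknown role IDs return 404 even though show_role is forbidden for this persona`. If it is not intended, the second assertion should expect `exceptions.Forbidden`, as the credential tests removed in this commit did for non-existent IDs.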
@@ -380,7 +381,7 @@
     credentials = ['project_admin', 'system_admin']
 
 
-class ProjectMemberTests(DomainReaderTests):
+class ProjectMemberTests(DomainMemberTests):
 
     credentials = ['project_member', 'system_admin']