Update tests for admin role in credentials
This patch updates tests to expect "admin" personas to be able to access
credential endpoints. The relevant policies have been updated in
Keystone.
Change-Id: I54d0ae44a7f669734edcbd31cbc03e9ccf3d829e
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
index 3ca1680..123e64b 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_application_credential.py
@@ -411,14 +411,19 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacApplicationCredentialTest,
- base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(IdentityV3RbacApplicationCredentialTest,
+ base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
@classmethod
def setup_clients(cls):
- super(ProjectAdminTests, cls).setup_clients()
+ super().setup_clients()
cls.test_user_client, cls.test_user_id = cls.setup_user_client()
def test_identity_create_application_credential(self):
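Review bot: `ProjectAdminTests(SystemAdminTests)` no longer has a test body of its own, so every expectation written for the system-admin persona becomes the expected result for a project-scoped admin, and nothing in the class says this widening is deliberate. The same rebase is made in the first hunks of test_credential.py and test_ec2_credential.py. I would add a class comment such as `# project admin is expected to match system admin on this API; see the Keystone policy change`, so a later reader does not take the permissive expectations for a test bug. If this plugin is also run against Keystone releases that predate the policy change, these classes presumably need a skip condition or feature flag, since the older policy would answer Forbidden. The body of `ProjectMemberTests` continues past the end of this hunk.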
@@ -555,11 +560,6 @@
application_credential_id=data_utils.rand_uuid_hex())
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
index 5b1bee2..ca7d355 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_credential.py
@@ -433,10 +433,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(SystemReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(SystemReaderTests):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_get_credential(self):
# user can get their own credential
user_id = self.persona.credentials.user_id
@@ -480,11 +485,6 @@
self.assertNotIn(cred['id'], [c['id'] for c in resp])
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py b/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
index 6c7d19b..b9affc8 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_ec2_credential.py
@@ -474,10 +474,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(SystemReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(SystemReaderTests):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_ec2_get_credential(self):
# user can get their own credential
user_id = self.persona.credentials.user_id
@@ -534,11 +539,6 @@
user_id=self.test_user_2)
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_token.py b/keystone_tempest_plugin/tests/rbac/v3/test_token.py
index e5d10ed..4e654cf 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_token.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_token.py
@@ -229,7 +229,7 @@
credentials = ['system_reader', 'system_admin']
-class DomainAdminTests(SystemReaderTests, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
credentials = ['domain_admin', 'system_admin']
@@ -242,6 +242,11 @@
# call base setUp directly to ensure we don't use system creds
super(SystemAdminTests, self).setUp()
+
+class DomainMemberTests(DomainAdminTests):
+
+ credentials = ['domain_member', 'system_admin']
+
def test_identity_check_token(self):
# user can check own token
self.do_request('check_token_existence', resp_token=self.own_token)
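Review bot: `DomainMemberTests(DomainAdminTests)` makes the member and reader personas inherit from the admin branch, so any test they do not override runs with whatever expectations `DomainAdminTests` inherits from `SystemAdminTests`. Assuming `SystemAdminTests` holds the permissive expectations, a test added there later would silently assert admin-level access for members and readers; the `test_identity_revoke_token` override in the next hunk looks like exactly this case. A class comment such as `# every test inherited from SystemAdminTests must be overridden here with member-level expectations` would make that requirement visible. The class body continues outside this hunk.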
@@ -274,18 +279,27 @@
expected_status=exceptions.Forbidden,
resp_token=self.project_token)
-
-class DomainMemberTests(DomainAdminTests):
-
- credentials = ['domain_member', 'system_admin']
+ def test_identity_revoke_token(self):
+ # user can revoke own token
+ self.do_request('delete_token', expected_status=204,
+ resp_token=self.own_token)
+ # user cannot revoke other system user's token
+ self.do_request('delete_token', expected_status=exceptions.Forbidden,
+ resp_token=self.system_token)
+ # user cannot revoke domain user's token
+ self.do_request('delete_token', expected_status=exceptions.Forbidden,
+ resp_token=self.domain_token)
+ # user cannot revoke project user's token
+ self.do_request('delete_token', expected_status=exceptions.Forbidden,
+ resp_token=self.project_token)
-class DomainReaderTests(DomainAdminTests):
+class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainAdminTests, base.BaseIdentityTest):
+class ProjectAdminTests(DomainAdminTests):
credentials = ['project_admin', 'system_admin']
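Review bot: In `test_identity_revoke_token` the persona revokes `own_token` first and only afterwards makes the three requests that must return Forbidden. How `own_token` is issued is not visible in this hunk; if it is the token the persona's client authenticates with, the later calls would be sent on a revoked token and could fail for a reason other than policy. Either move the self-revocation to the end of the method, or, if the token is issued separately, say so in a comment such as `# own_token is issued separately from the client's auth token`.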
@@ -299,11 +313,20 @@
super(SystemAdminTests, self).setUp()
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainMemberTests):
credentials = ['project_member', 'system_admin']
+ def setUp(self):
+ self.own_keystone_creds = {
+ 'user_id': self.persona.credentials.user_id,
+ 'password': self.persona.credentials.password,
+ 'project_id': self.persona.credentials.project_id
+ }
+ # call base setUp directly to ensure we don't use system creds
+ super(SystemAdminTests, self).setUp()
-class ProjectReaderTests(ProjectAdminTests):
+
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
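Review bot: The new `ProjectMemberTests.setUp` appears to repeat the `setUp` of `ProjectAdminTests`, of which only the last line is visible as context at the top of this hunk. Both rely on `super(SystemAdminTests, self).setUp()` to jump past every `setUp` between the class and `SystemAdminTests` in the MRO. Now that the hierarchy is split into an admin branch and a member branch, the two copies can drift apart; a small mixin holding the project-scoped `own_keystone_creds` setup, listed first in the bases of both classes, would keep one copy. At minimum the comment could name what is skipped, e.g. `# bypass the inherited domain/system setUp so project-scoped creds are used`.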