Consistent and Secure RBAC (Phase 1)
This patch updates the RBAC tests to test the new policy changes in
Keystone that allow users with the "admin" (aka root) role to access
system-level APIs previously available only to the system-admin persona.
The changes affect both the project-admin and domain-admin personas.
All the relevant policy changes have been made in keystone.
Depends-On: https://review.opendev.org/c/openstack/keystone/+/908524
Change-Id: I43c6da5bce9552948692eef8d71408d74382cc4e
diff --git a/.zuul.yaml b/.zuul.yaml
index 799c05a..d44f208 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -47,14 +47,12 @@
- keystone-dsvm-py3-functional-2023-2
- keystone-dsvm-py3-functional-2023-1
- keystone-dsvm-py3-functional-zed
- - keystone-protection-functional:
- voting: false
+ - keystone-protection-functional
gate:
jobs:
- keystone-dsvm-py3-functional
- keystone-dsvm-py3-functional-federation-ubuntu-focal-k2k
- - keystone-protection-functional:
- voting: false
+ - keystone-protection-functional
- job:
name: keystone-dsvm-py3-functional-2023-2
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py b/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
index b7dbb95..a04fcd9 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_consumer.py
@@ -181,16 +181,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_domain.py b/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
index 13f0b71..49f7556 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_domain.py
@@ -176,18 +176,6 @@
credentials = ['domain_admin', 'system_admin']
- def test_identity_get_domain(self):
- domain_id = self.admin_domains_client.create_domain(
- name=data_utils.rand_name())['domain']['id']
- self.addCleanup(self.admin_domains_client.delete_domain, domain_id)
- self.addCleanup(self.admin_domains_client.update_domain,
- domain_id=domain_id, enabled=False)
- self.do_request('show_domain', expected_status=exceptions.Forbidden,
- domain_id=domain_id)
- # user gets a 403 for nonexistent domain
- self.do_request('show_domain', expected_status=exceptions.Forbidden,
- domain_id=data_utils.rand_uuid_hex())
-
def test_identity_list_domains(self):
domain_id = self.admin_domains_client.create_domain(
name=data_utils.rand_name())['domain']['id']
@@ -200,6 +188,18 @@
class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
+ def test_identity_get_domain(self):
+ domain_id = self.admin_domains_client.create_domain(
+ name=data_utils.rand_name())['domain']['id']
+ self.addCleanup(self.admin_domains_client.delete_domain, domain_id)
+ self.addCleanup(self.admin_domains_client.update_domain,
+ domain_id=domain_id, enabled=False)
+ self.do_request('show_domain', expected_status=exceptions.Forbidden,
+ domain_id=domain_id)
+ # user gets a 403 for nonexistent domain
+ self.do_request('show_domain', expected_status=exceptions.Forbidden,
+ domain_id=data_utils.rand_uuid_hex())
+
credentials = ['domain_member', 'system_admin']
@@ -208,16 +208,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py b/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
index 8f1fdbf..ba2b612 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_domain_config.py
@@ -366,16 +366,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
index 48dfb19..8dde1ea 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint.py
@@ -230,16 +230,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
-
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
index 6cca108..305b6e2 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_endpoint_group.py
@@ -506,16 +506,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_grant.py b/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
index e88b679..5e1a501 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_grant.py
@@ -1181,6 +1181,1637 @@
group_id=self.group_in_domain,
role_id=self.role_own_domain)
# role in other domain, project in own domain, user in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, domain in own domain, user in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, domain in own domain, group in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #####################################################
+ # global role, project in own domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, domain in own domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, domain in own domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, domain in own domain, user in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, domain in own domain, group in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+ #####################################################
+ # global role, project in other domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in own domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #######################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #######################################################
+ # global role, project in other domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in other domain
+ # (none created, should 404)
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in other domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in other domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+
+ def test_identity_list_grants(self):
+ ###################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+ ###################################################
+ # project in other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_project',
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain)
+ # project in other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_project',
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain)
+ # other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_domain',
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain)
+ # other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_domain',
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain)
+ #####################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #####################################################
+ # project in other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_project',
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain)
+ # project in other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_project',
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain)
+ # other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_domain',
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain)
+ # other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_domain',
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain)
+ #####################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+ #####################################################
+ # project in other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_project',
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain)
+ # project in other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_project',
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain)
+ # other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_domain',
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain)
+ # other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_domain',
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain)
+ #######################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #######################################################
+ # project in other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_project',
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain)
+ # project in other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_project',
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain)
+ # other domain, user in other domain
+ self.do_request(
+ 'list_user_roles_on_domain',
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain)
+ # other domain, group in other domain
+ self.do_request(
+ 'list_group_roles_on_domain',
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain)
+
+ def test_identity_create_grant(self):
+ ###################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+ ###################################################
+ # global role, project in own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #####################################################
+ # global role, project in own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # TODO(dmendiza): This test is a repeat form line 1705
+ # Since grants are idempotent, after this second test there is only
+ # one object, which gets cleaned by the previous cleanup and makes
+ # the below cleanup fail. Not sure why we're testing the same
+ # data twice. Maybe we can delete this second test?
+ # self.addCleanup(
+ # self.admin_roles_client.delete_role_from_user_on_domain,
+ # domain_id=self.own_domain,
+ # user_id=self.user_other_domain,
+ # role_id=self.role_other_domain)
+ # role in other domain, own domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # TODO(dmendiza): This test is also repeated from line 1710
+ # self.addCleanup(
+ # self.admin_roles_client.delete_role_from_group_on_domain,
+ # domain_id=self.own_domain,
+ # group_id=self.group_other_domain,
+ # role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+ #####################################################
+ # global role, project in other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in own domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in own domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #######################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #######################################################
+ # global role, project in other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=exceptions.Forbidden,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_project,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_project,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in other domain
+ self.do_request(
+ 'create_user_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_domain,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in other domain
+ self.do_request(
+ 'create_group_role_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_domain,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+
+ def test_identity_revoke_grant(self):
+ ###################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+ ###################################################
+ # global role, project in own domain, user in own domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in own domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in own domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in own domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in own domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in own domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, user in own domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, group in own domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, user in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, group in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #####################################################
+ # global role, project in own domain, user in other domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in other domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in other domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in other domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in other domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in other domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, user in other domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, own domain, group in other domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in own domain, group in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_in_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, user in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, own domain, group in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.own_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ #####################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
+ #####################################################
+ # global role, project in other domain, user in own domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in own domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in own domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in own domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in own domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in own domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in own domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in own domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in own domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_other_domain)
+ #######################################################
+ # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
+ #######################################################
+ # global role, project in other domain, user in other domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, project in other domain, group in other domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, user in other domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ # global role, other domain, group in other domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ # role in own domain, project in other domain, user in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in other domain, group in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=exceptions.NotFound,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, user in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, other domain, group in other domain
+ # role assignment does not exist, should 404
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=exceptions.NotFound,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in other domain, user in other domain
+ self.admin_roles_client.create_user_role_on_project(
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_user_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, project in other domain, group in other domain
+ self.admin_roles_client.create_group_role_on_project(
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_group_on_project',
+ expected_status=204,
+ project_id=self.project_other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, user in other domain
+ self.admin_roles_client.create_user_role_on_domain(
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_user_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ user_id=self.user_other_domain,
+ role_id=self.role_other_domain)
+ # role in other domain, other domain, group in other domain
+ self.admin_roles_client.create_group_role_on_domain(
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+ self.do_request(
+ 'delete_role_from_group_on_domain',
+ expected_status=204,
+ domain_id=self.other_domain,
+ group_id=self.group_other_domain,
+ role_id=self.role_other_domain)
+
+ def test_identity_list_system_grants_for_user(self):
+ self.do_request('list_user_roles_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_other_domain)
+ self.do_request('list_user_roles_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_other_domain)
+
+ def test_identity_check_system_grant_for_user(self):
+ self.do_request('check_user_role_existence_on_system',
+ exceptions.Forbidden,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request('check_user_role_existence_on_system',
+ exceptions.Forbidden,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_create_system_grant_for_user(self):
+ self.do_request(
+ 'create_user_role_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'create_user_role_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_revoke_system_grant_for_user(self):
+ # user in own domain
+ self.admin_roles_client.create_user_role_on_system(
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_system,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # user in other domain
+ self.admin_roles_client.create_user_role_on_system(
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_user_on_system,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_user_on_system',
+ expected_status=exceptions.Forbidden,
+ user_id=self.user_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_list_system_grants_for_group(self):
+ self.do_request('list_group_roles_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_in_domain)
+ self.do_request('list_group_roles_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_other_domain)
+
+ def test_identity_check_system_grant_for_group(self):
+ self.do_request('check_role_from_group_on_system_existence',
+ exceptions.Forbidden,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request('check_role_from_group_on_system_existence',
+ exceptions.Forbidden,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_create_system_grant_for_group(self):
+ self.do_request(
+ 'create_group_role_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'create_group_role_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+
+ def test_identity_revoke_system_grant_for_group(self):
+ # group in own domain
+ self.admin_roles_client.create_group_role_on_system(
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_system,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # group in other domain
+ self.admin_roles_client.create_group_role_on_system(
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.addCleanup(
+ self.admin_roles_client.delete_role_from_group_on_system,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+ self.do_request(
+ 'delete_role_from_group_on_system',
+ expected_status=exceptions.Forbidden,
+ group_id=self.group_other_domain,
+ role_id=self.role_id)
+
+
+class DomainMemberTests(DomainAdminTests):
+
+ credentials = ['domain_member', 'system_admin']
+
+ def test_identity_check_grant(self):
+ ###################################################
+ # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
+ ###################################################
+ # global role, project in own domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, project in own domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_id)
+ # global role, own domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_id)
+ # role in own domain, project in own domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_project',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, project in own domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_project_existence',
+ expected_status=204,
+ project_id=self.project_in_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, domain in own domain, user in own domain
+ self.do_request(
+ 'check_user_role_existence_on_domain',
+ expected_status=204,
+ domain_id=self.own_domain,
+ user_id=self.user_in_domain,
+ role_id=self.role_own_domain)
+ # role in own domain, domain in own domain, group in own domain
+ self.do_request(
+ 'check_role_from_group_on_domain_existence',
+ expected_status=204,
+ domain_id=self.own_domain,
+ group_id=self.group_in_domain,
+ role_id=self.role_own_domain)
+ # role in other domain, project in own domain, user in own domain
# (none created, should 403)
self.do_request(
'check_user_role_existence_on_project',
@@ -1600,971 +3231,6 @@
# global role, project in own domain, user in own domain
self.do_request(
'create_user_role_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, project in own domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # global role, own domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, own domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # role in own domain, project in own domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in own domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in own domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in own domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- #####################################################
- # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
- #####################################################
- # global role, project in own domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, project in own domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # global role, own domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, own domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # role in own domain, project in own domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in own domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in own domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in own domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- #####################################################
- # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
- #####################################################
- # global role, project in other domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, project in other domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # global role, other domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, other domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # role in own domain, project in other domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in other domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in other domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in other domain, group in own domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, user in own domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, group in own domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- #######################################################
- # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
- #######################################################
- # global role, project in other domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, project in other domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # global role, other domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, other domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # role in own domain, project in other domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in other domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in other domain, user in other domain
- self.do_request(
- 'create_user_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in other domain, group in other domain
- self.do_request(
- 'create_group_role_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, user in other domain
- self.do_request(
- 'create_user_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, group in other domain
- self.do_request(
- 'create_group_role_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
-
- def test_identity_revoke_grant(self):
- ###################################################
- # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
- ###################################################
- # global role, project in own domain, user in own domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, project in own domain, group in own domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # global role, own domain, user in own domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, own domain, group in own domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # role in own domain, project in own domain, user in own domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in own domain, group in own domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=204,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, user in own domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, group in own domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=204,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in own domain, user in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in own domain, group in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, user in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, group in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- #####################################################
- # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #
- #####################################################
- # global role, project in own domain, user in other domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, project in own domain, group in other domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # global role, own domain, user in other domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, own domain, group in other domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # role in own domain, project in own domain, user in other domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in own domain, group in other domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, user in other domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, own domain, group in other domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in own domain, user in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in own domain, group in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_in_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, user in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, own domain, group in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.own_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- #####################################################
- # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #
- #####################################################
- # global role, project in other domain, user in own domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, project in other domain, group in own domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # global role, other domain, user in own domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # global role, other domain, group in own domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # role in own domain, project in other domain, user in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in other domain, group in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, user in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, group in own domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in other domain, user in own domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in other domain, group in own domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, user in own domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_in_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, group in own domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_in_domain,
- role_id=self.role_other_domain)
- #######################################################
- # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #
- #######################################################
- # global role, project in other domain, user in other domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, project in other domain, group in other domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # global role, other domain, user in other domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- # global role, other domain, group in other domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- # role in own domain, project in other domain, user in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, project in other domain, group in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, user in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_own_domain)
- # role in own domain, other domain, group in other domain
- # role assignment does not exist, should 403
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_own_domain)
- # role in other domain, project in other domain, user in other domain
- self.admin_roles_client.create_user_role_on_project(
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_user_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, project in other domain, group in other domain
- self.admin_roles_client.create_group_role_on_project(
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_group_on_project',
- expected_status=exceptions.Forbidden,
- project_id=self.project_other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, user in other domain
- self.admin_roles_client.create_user_role_on_domain(
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_user_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- user_id=self.user_other_domain,
- role_id=self.role_other_domain)
- # role in other domain, other domain, group in other domain
- self.admin_roles_client.create_group_role_on_domain(
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
- self.do_request(
- 'delete_role_from_group_on_domain',
- expected_status=exceptions.Forbidden,
- domain_id=self.other_domain,
- group_id=self.group_other_domain,
- role_id=self.role_other_domain)
-
- def test_identity_list_system_grants_for_user(self):
- self.do_request('list_user_roles_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_other_domain)
- self.do_request('list_user_roles_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_other_domain)
-
- def test_identity_check_system_grant_for_user(self):
- self.do_request('check_user_role_existence_on_system',
- exceptions.Forbidden,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request('check_user_role_existence_on_system',
- exceptions.Forbidden,
- user_id=self.user_other_domain,
- role_id=self.role_id)
-
- def test_identity_create_system_grant_for_user(self):
- self.do_request(
- 'create_user_role_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'create_user_role_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_other_domain,
- role_id=self.role_id)
-
- def test_identity_revoke_system_grant_for_user(self):
- # user in own domain
- self.admin_roles_client.create_user_role_on_system(
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.addCleanup(
- self.admin_roles_client.delete_role_from_user_on_system,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_in_domain,
- role_id=self.role_id)
- # user in other domain
- self.admin_roles_client.create_user_role_on_system(
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.addCleanup(
- self.admin_roles_client.delete_role_from_user_on_system,
- user_id=self.user_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_user_on_system',
- expected_status=exceptions.Forbidden,
- user_id=self.user_other_domain,
- role_id=self.role_id)
-
- def test_identity_list_system_grants_for_group(self):
- self.do_request('list_group_roles_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_in_domain)
- self.do_request('list_group_roles_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_other_domain)
-
- def test_identity_check_system_grant_for_group(self):
- self.do_request('check_role_from_group_on_system_existence',
- exceptions.Forbidden,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request('check_role_from_group_on_system_existence',
- exceptions.Forbidden,
- group_id=self.group_other_domain,
- role_id=self.role_id)
-
- def test_identity_create_system_grant_for_group(self):
- self.do_request(
- 'create_group_role_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'create_group_role_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_other_domain,
- role_id=self.role_id)
-
- def test_identity_revoke_system_grant_for_group(self):
- # group in own domain
- self.admin_roles_client.create_group_role_on_system(
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.addCleanup(
- self.admin_roles_client.delete_role_from_group_on_system,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_in_domain,
- role_id=self.role_id)
- # group in other domain
- self.admin_roles_client.create_group_role_on_system(
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.addCleanup(
- self.admin_roles_client.delete_role_from_group_on_system,
- group_id=self.group_other_domain,
- role_id=self.role_id)
- self.do_request(
- 'delete_role_from_group_on_system',
- expected_status=exceptions.Forbidden,
- group_id=self.group_other_domain,
- role_id=self.role_id)
-
-
-class DomainMemberTests(DomainAdminTests):
-
- credentials = ['domain_member', 'system_admin']
-
- def test_identity_create_grant(self):
- ###################################################
- # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
- ###################################################
- # global role, project in own domain, user in own domain
- self.do_request(
- 'create_user_role_on_project',
expected_status=exceptions.Forbidden,
project_id=self.project_in_domain,
user_id=self.user_in_domain,
@@ -3448,10 +4114,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(ProjectAdminTests):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_check_grant(self):
# global role, arbitrary project, arbitrary user
self.do_request(
@@ -3789,11 +4460,6 @@
role_id=self.role_id)
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_group.py b/keystone_tempest_plugin/tests/rbac/v3/test_group.py
index c3ce1d9..d62e801 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_group.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_group.py
@@ -422,20 +422,87 @@
credentials = ['system_reader', 'system_admin']
-class DomainAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
credentials = ['domain_admin', 'system_admin']
+ def test_identity_list_groups(self):
+ group1 = self.admin_groups_client.create_group(
+ **self.group(domain_id=self.own_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+ group2 = self.admin_groups_client.create_group(
+ **self.group(domain_id=self.other_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+ resp = self.do_request('list_groups')
+ # user can get groups in own domain
+ self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
+ # user cannot get groups in other domain
+ self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+
+ def test_identity_list_groups_for_user(self):
+ group1 = self.admin_groups_client.create_group(
+ **self.group(domain_id=self.own_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+ user1 = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'),
+ domain_id=self.own_domain)['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user1['id'])
+ group2 = self.admin_groups_client.create_group(
+ **self.group(domain_id=self.other_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+ user2 = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'),
+ domain_id=self.other_domain)['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user2['id'])
+ self.admin_groups_client.add_group_user(group1['id'], user1['id'])
+ self.admin_groups_client.add_group_user(group1['id'], user2['id'])
+ self.admin_groups_client.add_group_user(group2['id'], user1['id'])
+ self.admin_groups_client.add_group_user(group2['id'], user2['id'])
+ resp = self.do_request('list_user_groups', client=self.users_client,
+ user_id=user1['id'])
+ # user can list groups in own domain for user in own domain
+ self.assertIn(group1['id'], set(g['id'] for g in resp['groups']))
+ # user cannot list groups in other domain for user in own domain
+ self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+ # user cannot list groups for user in other domain
+ resp = self.do_request('list_user_groups', client=self.users_client,
+ user_id=user2['id'])
+ self.assertNotIn(group2['id'], set(g['id'] for g in resp['groups']))
+ # user gets a 404 for nonexistent user
+ self.do_request('list_user_groups', client=self.users_client,
+ expected_status=exceptions.NotFound,
+ user_id='fakeuser')
+
+ def test_identity_list_users_in_group(self):
+ group = self.admin_groups_client.create_group(**self.group())['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group['id'])
+ user = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'))['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user['id'])
+ self.admin_groups_client.add_group_user(group['id'], user['id'])
+ resp = self.do_request('list_group_users', group_id=group['id'])
+ user_ids = set(u['id'] for u in resp['users'])
+ # request is allowed but the user will get filtered out on domain
+ # scoped request
+ self.assertEqual(0, len(user_ids))
+
+
+class DomainMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+
+ credentials = ['domain_member', 'system_admin']
+
def test_identity_create_group(self):
- # user can create group in own domain
- resp = self.do_request('create_group', expected_status=201,
- **self.group(domain_id=self.own_domain))
- self.addCleanup(self.admin_groups_client.delete_group,
- resp['group']['id'])
+ # user cannot create group in own domain
+ self.do_request('create_group',
+ expected_status=exceptions.Forbidden,
+ **self.group(domain_id=self.own_domain))
# user cannot create group in another domain
- resp = self.do_request('create_group',
- expected_status=exceptions.Forbidden,
- **self.group(domain_id=self.other_domain))
+ self.do_request('create_group',
+ expected_status=exceptions.Forbidden,
+ **self.group(domain_id=self.other_domain))
def test_identity_get_group(self):
group = self.admin_groups_client.create_group(
@@ -509,12 +576,13 @@
group2 = self.admin_groups_client.create_group(
**self.group(domain_id=self.other_domain))['group']
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- # user can update a group in own domain
+ # user cannot update a group in own domain
group_update = {
'group_id': group1['id'],
'description': data_utils.arbitrary_string
}
- self.do_request('update_group', **group_update)
+ self.do_request('update_group', expected_status=exceptions.Forbidden,
+ **group_update)
# user cannot update a group in other domain
group_update = {
'group_id': group2['id'],
@@ -536,8 +604,8 @@
group2 = self.admin_groups_client.create_group(
**self.group(domain_id=self.other_domain))['group']
self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- # user can delete a group in own domain
- self.do_request('delete_group', expected_status=204,
+ # user cannot delete a group in own domain
+ self.do_request('delete_group', expected_status=exceptions.Forbidden,
group_id=group1['id'])
# user cannot delete a group in other domain
self.do_request('delete_group', expected_status=exceptions.Forbidden,
@@ -594,197 +662,6 @@
domain_id=self.own_domain)['user']
self.addCleanup(self.admin_client.users_v3_client.delete_user,
user2['id'])
- # user can add a user in own domain to a group in own domain
- self.do_request('add_group_user', expected_status=204,
- group_id=group1['id'], user_id=user1['id'])
- # user can add a user in another domain to a group in own domain
- self.do_request('add_group_user', expected_status=204,
- group_id=group1['id'], user_id=user2['id'])
- # user cannot add a user in own domain to a group in another domain
- self.do_request('add_group_user', expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user1['id'])
- # user cannot add a user in another domain to a group in another domain
- self.do_request('add_group_user', expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user2['id'])
- # user gets a 403 for nonexistent group
- self.do_request('add_group_user', expected_status=exceptions.Forbidden,
- group_id='fakegroup', user_id=user1['id'])
- # user gets a 403 for nonexistent user
- self.do_request('add_group_user', expected_status=exceptions.Forbidden,
- group_id=group1['id'], user_id='fakeuser')
-
- def test_identity_remove_user_from_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(self.own_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
- group2 = self.admin_groups_client.create_group(
- **self.group(self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- user1 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user1['id'])
- user2 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user2['id'])
- self.admin_groups_client.add_group_user(group1['id'], user1['id'])
- self.admin_groups_client.add_group_user(group1['id'], user2['id'])
- self.admin_groups_client.add_group_user(group2['id'], user1['id'])
- self.admin_groups_client.add_group_user(group2['id'], user2['id'])
- # user can remove a user in own domain from a group in own domain
- self.do_request('delete_group_user', expected_status=204,
- group_id=group1['id'], user_id=user1['id'])
- # user can remove a user in another domain from a group in own
- # domain
- self.do_request('delete_group_user', expected_status=204,
- group_id=group1['id'], user_id=user2['id'])
- # user cannot remove a user in own domain from a group in another
- # domain
- self.do_request('delete_group_user',
- expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user1['id'])
- # user cannot remove a user in another domain from a group in another
- # domain
- self.do_request('delete_group_user',
- expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user2['id'])
- # user gets a 403 for nonexistent group
- self.do_request('delete_group_user',
- expected_status=exceptions.Forbidden,
- group_id='fakegroup', user_id=user1['id'])
- # user gets a 403 for nonexistent user
- self.do_request('delete_group_user',
- expected_status=exceptions.Forbidden,
- group_id=group1['id'], user_id='fakeuser')
-
- def test_identity_check_user_in_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(self.own_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
- group2 = self.admin_groups_client.create_group(
- **self.group(self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- user1 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user1['id'])
- user2 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user2['id'])
- self.admin_groups_client.add_group_user(group1['id'], user1['id'])
- self.admin_groups_client.add_group_user(group1['id'], user2['id'])
- self.admin_groups_client.add_group_user(group2['id'], user1['id'])
- self.admin_groups_client.add_group_user(group2['id'], user2['id'])
- # user can check if a user in own domain is in a group in own domain
- self.do_request('check_group_user_existence', expected_status=204,
- group_id=group1['id'], user_id=user1['id'])
- # user can check if a user in another domain is in a group in own
- # domain
- self.do_request('check_group_user_existence',
- expected_status=204,
- group_id=group1['id'], user_id=user2['id'])
- # user cannot check if a user in own domain is in a group in another
- # domain
- self.do_request('check_group_user_existence',
- expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user1['id'])
- # user cannot check if a user in another domain is in a group in
- # another domain
- self.do_request('check_group_user_existence',
- expected_status=exceptions.Forbidden,
- group_id=group2['id'], user_id=user2['id'])
- # user gets a 403 for nonexistent group
- self.do_request('check_group_user_existence',
- expected_status=exceptions.Forbidden,
- group_id='fakegroup', user_id=user1['id'])
- # user gets a 403 for nonexistent user
- self.do_request('check_group_user_existence',
- expected_status=exceptions.Forbidden,
- group_id=group1['id'], user_id='fakeuser')
-
-
-class DomainMemberTests(DomainAdminTests):
-
- credentials = ['domain_member', 'system_admin']
-
- def test_identity_create_group(self):
- # user cannot create group in own domain
- self.do_request('create_group',
- expected_status=exceptions.Forbidden,
- **self.group(domain_id=self.own_domain))
- # user cannot create group in another domain
- self.do_request('create_group',
- expected_status=exceptions.Forbidden,
- **self.group(domain_id=self.other_domain))
-
- def test_identity_update_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(domain_id=self.own_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
- group2 = self.admin_groups_client.create_group(
- **self.group(domain_id=self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- # user cannot update a group in own domain
- group_update = {
- 'group_id': group1['id'],
- 'description': data_utils.arbitrary_string
- }
- self.do_request('update_group', expected_status=exceptions.Forbidden,
- **group_update)
- # user cannot update a group in other domain
- group_update = {
- 'group_id': group2['id'],
- 'description': data_utils.arbitrary_string
- }
- self.do_request('update_group', expected_status=exceptions.Forbidden,
- **group_update)
- # user gets a 403 for nonexistent group
- group_update = {
- 'group_id': 'fakegroup',
- 'description': data_utils.arbitrary_string
- }
- self.do_request('update_group', expected_status=exceptions.Forbidden,
- **group_update)
-
- def test_identity_delete_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(domain_id=self.own_domain))['group']
- group2 = self.admin_groups_client.create_group(
- **self.group(domain_id=self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- # user cannot delete a group in own domain
- self.do_request('delete_group', expected_status=exceptions.Forbidden,
- group_id=group1['id'])
- # user cannot delete a group in other domain
- self.do_request('delete_group', expected_status=exceptions.Forbidden,
- group_id=group2['id'])
- # user gets a 404 for nonexistent group
- self.do_request('delete_group', expected_status=exceptions.NotFound,
- group_id='fakegroup')
-
- def test_identity_add_user_to_group(self):
- group1 = self.admin_groups_client.create_group(
- **self.group(self.own_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
- group2 = self.admin_groups_client.create_group(
- **self.group(self.other_domain))['group']
- self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
- user1 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user1['id'])
- user2 = self.admin_client.users_v3_client.create_user(
- name=data_utils.rand_name('user'),
- domain_id=self.own_domain)['user']
- self.addCleanup(self.admin_client.users_v3_client.delete_user,
- user2['id'])
# user cannot add a user in own domain to a group in own domain
self.do_request('add_group_user', expected_status=exceptions.Forbidden,
group_id=group1['id'], user_id=user1['id'])
@@ -853,16 +730,69 @@
expected_status=exceptions.Forbidden,
group_id=group1['id'], user_id='fakeuser')
+ def test_identity_check_user_in_group(self):
+ group1 = self.admin_groups_client.create_group(
+ **self.group(self.own_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group1['id'])
+ group2 = self.admin_groups_client.create_group(
+ **self.group(self.other_domain))['group']
+ self.addCleanup(self.admin_groups_client.delete_group, group2['id'])
+ user1 = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'),
+ domain_id=self.own_domain)['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user1['id'])
+ user2 = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name('user'),
+ domain_id=self.own_domain)['user']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user,
+ user2['id'])
+ self.admin_groups_client.add_group_user(group1['id'], user1['id'])
+ self.admin_groups_client.add_group_user(group1['id'], user2['id'])
+ self.admin_groups_client.add_group_user(group2['id'], user1['id'])
+ self.admin_groups_client.add_group_user(group2['id'], user2['id'])
+ # user can check if a user in own domain is in a group in own domain
+ self.do_request('check_group_user_existence', expected_status=204,
+ group_id=group1['id'], user_id=user1['id'])
+ # user can check if a user in another domain is in a group in own
+ # domain
+ self.do_request('check_group_user_existence',
+ expected_status=204,
+ group_id=group1['id'], user_id=user2['id'])
+ # user cannot check if a user in own domain is in a group in another
+ # domain
+ self.do_request('check_group_user_existence',
+ expected_status=exceptions.Forbidden,
+ group_id=group2['id'], user_id=user1['id'])
+ # user cannot check if a user in another domain is in a group in
+ # another domain
+ self.do_request('check_group_user_existence',
+ expected_status=exceptions.Forbidden,
+ group_id=group2['id'], user_id=user2['id'])
+ # user gets a 403 for nonexistent group
+ self.do_request('check_group_user_existence',
+ expected_status=exceptions.Forbidden,
+ group_id='fakegroup', user_id=user1['id'])
+ # user gets a 403 for nonexistent user
+ self.do_request('check_group_user_existence',
+ expected_status=exceptions.Forbidden,
+ group_id=group1['id'], user_id='fakeuser')
+
class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(IdentityV3RbacGroupTest, base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_create_group(self):
# user cannot create group in own domain
self.do_request('create_group', expected_status=exceptions.Forbidden,
@@ -1142,11 +1072,6 @@
group_id=group1['id'], user_id='fakeuser')
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py b/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
index 819508c..fa6d9c1 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_identity_provider.py
@@ -268,16 +268,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
index 73765e4..f73d510 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_implied_role.py
@@ -242,16 +242,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
index d2efc6c..456b850 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_limit.py
@@ -184,7 +184,8 @@
def test_identity_list_limits(self):
reg_limit_id = self.admin_limits_client.create_limits(
- payload=self.limits())['limits'][0]['id']
+ payload=self.limits(project_id=self.persona.credentials.project_id)
+ )['limits'][0]['id']
self.addCleanup(
self.admin_limits_client.delete_limit,
limit_id=reg_limit_id)
@@ -303,20 +304,8 @@
self.addCleanup(
self.admin_limits_client.delete_limit,
limit_id=reg_limit_1)
- # project in own domain
- reg_limit_2 = self.admin_limits_client.create_limits(
- payload=self.limits(project_id=self.own_project)
- )['limits'][0]['id']
- self.addCleanup(
- self.admin_limits_client.delete_limit,
- limit_id=reg_limit_2)
- # cannot get limit for other project
self.do_request('show_limit',
- expected_status=exceptions.Forbidden,
limit_id=reg_limit_1)
- # can get limit for project in own domain
- self.do_request('show_limit',
- limit_id=reg_limit_2)
def test_identity_update_limit(self):
# cannot update limit for arbitrary project
@@ -370,18 +359,40 @@
credentials = ['domain_member', 'system_admin']
+ def test_identity_get_limit(self):
+ # random project
+ reg_limit_1 = self.admin_limits_client.create_limits(
+ payload=self.limits())['limits'][0]['id']
+ self.addCleanup(
+ self.admin_limits_client.delete_limit,
+ limit_id=reg_limit_1)
+ # project in own domain
+ reg_limit_2 = self.admin_limits_client.create_limits(
+ payload=self.limits(project_id=self.own_project)
+ )['limits'][0]['id']
+ self.addCleanup(
+ self.admin_limits_client.delete_limit,
+ limit_id=reg_limit_2)
+ # cannot get limit for other project
+ self.do_request('show_limit',
+ expected_status=exceptions.Forbidden,
+ limit_id=reg_limit_1)
+ # can get limit for project in own domain
+ self.do_request('show_limit',
+ limit_id=reg_limit_2)
+
class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py b/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
index 00b2e6b..c519426 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_mapping.py
@@ -240,16 +240,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_policy.py b/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
index 53cdeb5..df5844f 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_policy.py
@@ -217,16 +217,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py b/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
index 5c3f514..a3cf76d 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_policy_association.py
@@ -454,16 +454,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project.py b/keystone_tempest_plugin/tests/rbac/v3/test_project.py
index 81b64e6..8d975e7 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project.py
@@ -225,6 +225,134 @@
domain_id=self.own_domain
)['project']['id']
self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ # user can create project in other domain
+ project_id = self.do_request(
+ 'create_project', expected_status=201, name=data_utils.rand_name(),
+ domain_id=self.other_domain
+ )['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+
+ def test_identity_get_project(self):
+ # user can get project in own domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ self.do_request('show_project', project_id=project_id)
+ # user can get project in other domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ self.do_request('show_project', project_id=project_id)
+ # user gets a 403 for nonexistent project
+ self.do_request('show_project', expected_status=exceptions.NotFound,
+ project_id=data_utils.rand_uuid_hex())
+
+ def test_identity_list_projects(self):
+ # user can list projects but cannot see project in other domain
+ own_project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project,
+ own_project_id)
+ other_project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project,
+ other_project_id)
+ resp = self.do_request('list_projects')
+ self.assertIn(own_project_id, [d['id'] for d in resp['projects']])
+ self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']])
+
+ def test_identity_list_user_projects(self):
+ # user can list projects for user in own domain
+ user_id = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['user']['id']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name())['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ role_id = self.admin_client.roles_v3_client.create_role(
+ name=data_utils.rand_name())['role']['id']
+ self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+ role_id)
+ self.admin_client.roles_v3_client.create_user_role_on_project(
+ project_id, user_id, role_id)
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=user_id)
+ self.assertIn(project_id, [p['id'] for p in resp['projects']])
+ # user can list projects for user in other domain
+ user_id = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['user']['id']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name())['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ role_id = self.admin_client.roles_v3_client.create_role(
+ name=data_utils.rand_name())['role']['id']
+ self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+ role_id)
+ self.admin_client.roles_v3_client.create_user_role_on_project(
+ project_id, user_id, role_id)
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=user_id)
+ self.assertIn(project_id, [p['id'] for p in resp['projects']])
+ # user can list projects for self
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=self.persona.credentials.user_id)
+ self.assertEqual(0, len([p['id'] for p in resp['projects']]))
+
+ def test_identity_update_project(self):
+ # user can update project in own domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ self.do_request('update_project',
+ project_id=project_id,
+ description=data_utils.arbitrary_string())
+ # user can update project in other domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ self.do_request('update_project',
+ project_id=project_id,
+ description=data_utils.arbitrary_string())
+ # user gets a 404 for nonexistent domain
+ self.do_request('update_project', expected_status=exceptions.NotFound,
+ project_id=data_utils.rand_uuid_hex(),
+ description=data_utils.arbitrary_string())
+
+ def test_identity_delete_project(self):
+ # user can delete project in own domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain)['project']['id']
+ self.do_request('delete_project', expected_status=204,
+ project_id=project_id)
+ # user can delete project in other domain
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name(),
+ domain_id=self.other_domain)['project']['id']
+ self.do_request('delete_project', expected_status=204,
+ project_id=project_id)
+
+
+class DomainMemberTests(DomainAdminTests):
+
+ credentials = ['domain_member', 'system_admin']
+
+ def test_identity_create_project(self):
+ # user cannot create project in own domain
+ self.do_request(
+ 'create_project', expected_status=exceptions.Forbidden,
+ name=data_utils.rand_name(),
+ domain_id=self.own_domain
+ )
# user cannot create project in other domain
self.do_request(
'create_project', expected_status=exceptions.Forbidden,
@@ -249,22 +377,6 @@
self.do_request('show_project', expected_status=exceptions.Forbidden,
project_id=data_utils.rand_uuid_hex())
- def test_identity_list_projects(self):
- # user can list projects but cannot see project in other domain
- own_project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.own_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project,
- own_project_id)
- other_project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.other_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project,
- other_project_id)
- resp = self.do_request('list_projects')
- self.assertIn(own_project_id, [d['id'] for d in resp['projects']])
- self.assertNotIn(other_project_id, [d['id'] for d in resp['projects']])
-
def test_identity_list_user_projects(self):
# user can list projects for user in own domain
user_id = self.admin_client.users_v3_client.create_user(
@@ -306,62 +418,6 @@
self.assertEqual(0, len([p['id'] for p in resp['projects']]))
def test_identity_update_project(self):
- # user can update project in own domain
- project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.own_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project, project_id)
- self.do_request('update_project',
- project_id=project_id,
- description=data_utils.arbitrary_string())
- # user cannot update project in other domain
- project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.other_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project, project_id)
- self.do_request('update_project',
- expected_status=exceptions.Forbidden,
- project_id=project_id,
- description=data_utils.arbitrary_string())
- # user gets a 403 for nonexistent domain
- self.do_request('update_project', expected_status=exceptions.Forbidden,
- project_id=data_utils.rand_uuid_hex(),
- description=data_utils.arbitrary_string())
-
- def test_identity_delete_project(self):
- # user can delete project in own domain
- project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.own_domain)['project']['id']
- self.do_request('delete_project', expected_status=204,
- project_id=project_id)
- # user cannot delete project in other domain
- project_id = self.admin_projects_client.create_project(
- name=data_utils.rand_name(),
- domain_id=self.other_domain)['project']['id']
- self.addCleanup(self.admin_projects_client.delete_project, project_id)
- self.do_request('delete_project', expected_status=exceptions.Forbidden,
- project_id=project_id)
-
-
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
-
- credentials = ['domain_member', 'system_admin']
-
- def test_identity_create_project(self):
- # user cannot create project in own domain
- self.do_request(
- 'create_project', expected_status=exceptions.Forbidden,
- name=data_utils.rand_name(),
- domain_id=self.own_domain
- )
- # user cannot create project in other domain
- self.do_request(
- 'create_project', expected_status=exceptions.Forbidden,
- name=data_utils.rand_name(), domain_id=self.other_domain
- )
-
- def test_identity_update_project(self):
# user cannot update project in own domain
project_id = self.admin_projects_client.create_project(
name=data_utils.rand_name(),
@@ -406,10 +462,39 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+ def test_identity_list_user_projects(self):
+ user_id = self.admin_client.users_v3_client.create_user(
+ name=data_utils.rand_name())['user']['id']
+ self.addCleanup(self.admin_client.users_v3_client.delete_user, user_id)
+ project_id = self.admin_projects_client.create_project(
+ name=data_utils.rand_name())['project']['id']
+ self.addCleanup(self.admin_projects_client.delete_project, project_id)
+ role_id = self.admin_client.roles_v3_client.create_role(
+ name=data_utils.rand_name())['role']['id']
+ self.addCleanup(self.admin_client.roles_v3_client.delete_role,
+ role_id)
+ self.admin_client.roles_v3_client.create_user_role_on_project(
+ project_id, user_id, role_id)
+ # user can list projects for arbitrary user
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=user_id)
+ self.assertIn(project_id, [p['id'] for p in resp['projects']])
+ # user can list projects for self
+ # Project Admin is assigned to a tempest project so we cant re-use
+ # the System Admin test.
+ resp = self.do_request('list_user_projects', client=self.users_client,
+ user_id=self.persona.credentials.user_id)
+ self.assertEqual(1, len([p['id'] for p in resp['projects']]))
+
+
+class ProjectMemberTests(DomainReaderTests):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_get_project(self):
# user cannot get arbitrary project
project_id = self.admin_projects_client.create_project(
@@ -457,11 +542,6 @@
[p['id'] for p in resp['projects']])
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py b/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
index 442ca9e..34bb13e 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project_endpoint.py
@@ -236,16 +236,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py b/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
index 3e6c4a6..646fa86 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_project_tag.py
@@ -241,6 +241,103 @@
project_id=self.own_project_id,
tag=tag
)
+ # user can add tags to project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.do_request(
+ 'update_project_tag', expected_status=201,
+ project_id=self.other_project_id,
+ tag=tag
+ )
+
+ def test_identity_get_project_tag(self):
+ # user can get tag for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.own_project_id, tag=tag)
+ self.do_request('check_project_tag_existence',
+ expected_status=204,
+ project_id=self.own_project_id, tag=tag)
+ # user can get tag for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.other_project_id, tag=tag)
+ self.do_request('check_project_tag_existence',
+ expected_status=204,
+ project_id=self.other_project_id, tag=tag)
+
+ def test_identity_list_project_tags(self):
+ # user can list tags for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.own_project_id, tag=tag)
+ resp = self.do_request('list_project_tags',
+ project_id=self.own_project_id)
+ self.assertIn(tag, resp['tags'])
+ # user can list tags for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.other_project_id, tag=tag)
+ resp = self.do_request('list_project_tags',
+ project_id=self.other_project_id)
+ self.assertIn(tag, resp['tags'])
+
+ def test_identity_update_project_tags(self):
+ # user can update tags for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.do_request('update_all_project_tags',
+ project_id=self.own_project_id,
+ tags=[tag])
+ # user can update tags for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.do_request('update_all_project_tags',
+ project_id=self.other_project_id,
+ tags=[tag])
+
+ def test_identity_delete_project_tag(self):
+ # user can delete tag for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.own_project_id, tag=tag)
+ self.do_request('delete_project_tag', expected_status=204,
+ project_id=self.own_project_id,
+ tag=tag)
+ # user can delete tag for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.other_project_id, tag=tag)
+ self.do_request('delete_project_tag',
+ expected_status=204,
+ project_id=self.other_project_id,
+ tag=tag)
+
+ def test_identity_delete_project_tags(self):
+ # user can delete tags for project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.own_project_id, tag=tag)
+ self.do_request('delete_all_project_tags', expected_status=204,
+ project_id=self.own_project_id)
+ # user can delete tags for project in other domain
+ tag = data_utils.rand_uuid_hex()
+ self.admin_project_tags_client.update_project_tag(
+ project_id=self.other_project_id, tag=tag)
+ self.do_request('delete_all_project_tags',
+ expected_status=204,
+ project_id=self.other_project_id)
+
+
+class DomainMemberTests(DomainAdminTests):
+
+ credentials = ['domain_member', 'system_admin']
+
+ def test_identity_create_project_tag(self):
+ # user cannot add tags to project in own domain
+ tag = data_utils.rand_uuid_hex()
+ self.do_request(
+ 'update_project_tag', expected_status=exceptions.Forbidden,
+ project_id=self.own_project_id,
+ tag=tag
+ )
# user cannot add tags to project in other domain
tag = data_utils.rand_uuid_hex()
self.do_request(
@@ -282,72 +379,6 @@
project_id=self.other_project_id)
def test_identity_update_project_tags(self):
- # user can update tags for project in own domain
- tag = data_utils.rand_uuid_hex()
- self.do_request('update_all_project_tags',
- project_id=self.own_project_id,
- tags=[tag])
- # user cannot update tags for project in other domain
- tag = data_utils.rand_uuid_hex()
- self.do_request('update_all_project_tags',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tags=[tag])
-
- def test_identity_delete_project_tag(self):
- # user can delete tag for project in own domain
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.own_project_id, tag=tag)
- self.do_request('delete_project_tag', expected_status=204,
- project_id=self.own_project_id,
- tag=tag)
- # user cannot delete tag for project in other domain
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.other_project_id, tag=tag)
- self.do_request('delete_project_tag',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tag=tag)
-
- def test_identity_delete_project_tags(self):
- # user can delete tags for project in own domain
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.own_project_id, tag=tag)
- self.do_request('delete_all_project_tags', expected_status=204,
- project_id=self.own_project_id)
- # user cannot delete tags for project in other domain
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.other_project_id, tag=tag)
- self.do_request('delete_all_project_tags',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id)
-
-
-class DomainMemberTests(DomainAdminTests, base.BaseIdentityTest):
-
- credentials = ['domain_member', 'system_admin']
-
- def test_identity_create_project_tag(self):
- # user cannot add tags to project in own domain
- tag = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_project_tag', expected_status=exceptions.Forbidden,
- project_id=self.own_project_id,
- tag=tag
- )
- # user cannot add tags to project in other domain
- tag = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_project_tag', expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tag=tag
- )
-
- def test_identity_update_project_tags(self):
# user cannot update tags for project in own domain
tag = data_utils.rand_uuid_hex()
self.do_request('update_all_project_tags',
@@ -401,12 +432,17 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacProjectTagTests, base.BaseIdentityTest):
+class ProjectAdminTests(DomainAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(DomainMemberTests):
+
+ credentials = ['project_member', 'system_admin']
+
def setUp(self):
- super(ProjectAdminTests, self).setUp()
+ super().setUp()
self.own_project_id = self.persona.credentials.project_id
project_client = self.admin_client.projects_client
self.other_project_id = project_client.create_project(
@@ -414,16 +450,13 @@
self.addCleanup(project_client.delete_project, self.other_project_id)
def test_identity_create_project_tag(self):
- # user can add tags to own project
+ # user cannot add tags to own project
tag = data_utils.rand_uuid_hex()
self.do_request(
- 'update_project_tag', expected_status=201,
+ 'update_project_tag', expected_status=exceptions.Forbidden,
project_id=self.own_project_id,
tag=tag
)
- self.addCleanup(self.admin_project_tags_client.delete_project_tag,
- project_id=self.own_project_id,
- tag=tag)
# user cannot add tags to arbitrary project
tag = data_utils.rand_uuid_hex()
self.do_request(
@@ -471,75 +504,6 @@
project_id=self.other_project_id)
def test_identity_update_project_tags(self):
- # user can update tags for own project
- tag = data_utils.rand_uuid_hex()
- self.do_request('update_all_project_tags',
- project_id=self.own_project_id,
- tags=[tag])
- self.addCleanup(self.admin_project_tags_client.delete_project_tag,
- project_id=self.own_project_id,
- tag=tag)
- # user cannot update tags for arbitrary project
- tag = data_utils.rand_uuid_hex()
- self.do_request('update_all_project_tags',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tags=[tag])
-
- def test_identity_delete_project_tag(self):
- # user can delete tag for own project
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.own_project_id, tag=tag)
- self.do_request('delete_project_tag', expected_status=204,
- project_id=self.own_project_id,
- tag=tag)
- # user cannot delete tag for arbitrary project
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.other_project_id, tag=tag)
- self.do_request('delete_project_tag',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tag=tag)
-
- def test_identity_delete_project_tags(self):
- # user can delete tags for own project
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.own_project_id, tag=tag)
- self.do_request('delete_all_project_tags', expected_status=204,
- project_id=self.own_project_id)
- # user cannot delete tags for arbitrary project
- tag = data_utils.rand_uuid_hex()
- self.admin_project_tags_client.update_project_tag(
- project_id=self.other_project_id, tag=tag)
- self.do_request('delete_all_project_tags',
- expected_status=exceptions.Forbidden,
- project_id=self.other_project_id)
-
-
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
- def test_identity_create_project_tag(self):
- # user cannot add tags to own project
- tag = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_project_tag', expected_status=exceptions.Forbidden,
- project_id=self.own_project_id,
- tag=tag
- )
- # user cannot add tags to arbitrary project
- tag = data_utils.rand_uuid_hex()
- self.do_request(
- 'update_project_tag', expected_status=exceptions.Forbidden,
- project_id=self.other_project_id,
- tag=tag
- )
-
- def test_identity_update_project_tags(self):
# user cannot update tags for own project
tag = data_utils.rand_uuid_hex()
self.do_request('update_all_project_tags',
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py b/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
index 5f9d9a2..f766b1f 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_protocol.py
@@ -287,16 +287,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_region.py b/keystone_tempest_plugin/tests/rbac/v3/test_region.py
index e58206a..ab5969e 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_region.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_region.py
@@ -194,16 +194,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py b/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
index c18ed01..31e78e4 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_registered_limit.py
@@ -207,12 +207,12 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role.py b/keystone_tempest_plugin/tests/rbac/v3/test_role.py
index a9815e8..997731c 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_role.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_role.py
@@ -375,16 +375,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py b/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
index 7b27294..14e164a 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_role_assignment.py
@@ -939,24 +939,53 @@
# Should not see subtree assignments for project in other domain
query = {'scope.project.id': self.project_other_domain,
'include_subtree': True}
- self.do_request('list_role_assignments',
- expected_status=exceptions.Forbidden, **query)
+ self.do_request('list_role_assignments', **query)
class DomainMemberTests(DomainAdminTests):
credentials = ['domain_member', 'system_admin']
+ def test_identity_list_role_assignments_for_tree(self):
+ # Should see subtree assignments for project in own domain
+ subproject_id = self.admin_client.projects_client.create_project(
+ name=data_utils.rand_name('project'),
+ domain_id=self.own_domain,
+ parent_id=self.project_in_domain)['project']['id']
+ self.addCleanup(self.admin_client.projects_client.delete_project,
+ subproject_id)
+ self.admin_client.roles_v3_client.create_user_role_on_project(
+ subproject_id, self.user_in_domain, self.role_id)
+ query = {'scope.project.id': self.project_in_domain,
+ 'include_subtree': True}
+ resp = self.do_request('list_role_assignments', **query)
+ actual = self._extract_role_assignments_from_response_body(resp)
+ expected_assignment = {'user_id': self.user_in_domain,
+ 'project_id': subproject_id,
+ 'role_id': self.role_id}
+ self.assertIn(expected_assignment, actual)
+
+ # Should not see subtree assignments for project in other domain
+ query = {'scope.project.id': self.project_other_domain,
+ 'include_subtree': True}
+ self.do_request('list_role_assignments',
+ expected_status=exceptions.Forbidden, **query)
+
class DomainReaderTests(DomainMemberTests):
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(IdentityV3RbacAssignmentTest, base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_list_role_assignments(self):
# Listing all assignments with no filters should fail
self.do_request('list_role_assignments',
@@ -1080,43 +1109,6 @@
self.do_request('list_role_assignments',
expected_status=exceptions.Forbidden, **query)
- # Should see subtree for own project
- own_project = self.persona.credentials.project_id
- subproject_id = self.admin_client.projects_client.create_project(
- name=data_utils.rand_name('project'),
- domain_id=self.own_domain,
- parent_id=own_project)['project']['id']
- self.addCleanup(self.admin_client.projects_client.delete_project,
- subproject_id)
- self.admin_client.roles_v3_client.create_user_role_on_project(
- subproject_id, self.user_other_domain, self.role_id)
- query = {'scope.project.id': own_project,
- 'include_subtree': True}
- resp = self.do_request('list_role_assignments', **query)
- expected_assignment = {'user_id': self.user_other_domain,
- 'project_id': subproject_id,
- 'role_id': self.role_id}
- actual = self._extract_role_assignments_from_response_body(resp)
- self.assertIn(expected_assignment, actual)
-
-
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
- def test_identity_list_role_assignments_for_tree(self):
- # Should not see subtree assignments for project in own domain
- query = {'scope.project.id': self.project_in_domain,
- 'include_subtree': True}
- self.do_request('list_role_assignments',
- expected_status=exceptions.Forbidden, **query)
-
- # Should not see subtree assignments for project in other domain
- query = {'scope.project.id': self.project_other_domain,
- 'include_subtree': True}
- self.do_request('list_role_assignments',
- expected_status=exceptions.Forbidden, **query)
-
# Should not see subtree for own project
own_project = self.persona.credentials.project_id
query = {'scope.project.id': own_project,
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_service.py b/keystone_tempest_plugin/tests/rbac/v3/test_service.py
index a6a9083..616741a 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_service.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_service.py
@@ -218,16 +218,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py b/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
index 6cf54b9..668289b 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_service_provider.py
@@ -235,16 +235,16 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(DomainReaderTests, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
-class ProjectMemberTests(ProjectAdminTests):
+class ProjectMemberTests(DomainReaderTests):
credentials = ['project_member', 'system_admin']
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_trust.py b/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
index c30f9eb..9165503 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_trust.py
@@ -367,7 +367,7 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
@@ -395,6 +395,35 @@
expected_status=exceptions.Forbidden,
**self.trust())
+
+class ProjectMemberTests(IdentityV3RbacTrustTest, base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
+ def setUp(self):
+ super(ProjectMemberTests, self).setUp()
+ self.role_id = self.member_role_id
+
+ def test_identity_create_trust(self):
+ # user can create a trust for their own project
+ trustor_user_id = self.persona.credentials.user_id
+ project_id = self.persona.credentials.project_id
+ resp = self.do_request(
+ 'create_trust',
+ expected_status=201,
+ **self.trust(
+ trustor=trustor_user_id,
+ project_id=project_id,
+ roles=[{'id': self.role_id}])
+ )['trust']
+ self.addCleanup(self.client.delete_trust, resp['id'])
+
+ # user cannot create trust with another user as trustor
+ self.do_request(
+ 'create_trust',
+ expected_status=exceptions.Forbidden,
+ **self.trust())
+
def test_identity_get_trust(self):
# user can get a trust for which they are trustor
trustor_user_id = self.persona.credentials.user_id
@@ -541,16 +570,7 @@
trust_id=trust_id)
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
- def setUp(self):
- super(ProjectMemberTests, self).setUp()
- self.role_id = self.member_role_id
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']
diff --git a/keystone_tempest_plugin/tests/rbac/v3/test_user.py b/keystone_tempest_plugin/tests/rbac/v3/test_user.py
index 7dcfdc7..c031cfe 100644
--- a/keystone_tempest_plugin/tests/rbac/v3/test_user.py
+++ b/keystone_tempest_plugin/tests/rbac/v3/test_user.py
@@ -248,114 +248,22 @@
credentials = ['system_reader', 'system_admin']
-class DomainAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+class DomainAdminTests(SystemAdminTests):
credentials = ['domain_admin', 'system_admin']
- def setUp(self):
- super(DomainAdminTests, self).setUp()
- self.other_domain = self.admin_domains_client.create_domain(
- name=data_utils.rand_name())['domain']
- self.addCleanup(self.admin_domains_client.delete_domain,
- self.other_domain['id'])
- self.addCleanup(self.admin_domains_client.update_domain,
- domain_id=self.other_domain['id'], enabled=False)
-
- def test_identity_create_user(self):
- user_create = self.user()
- # create user in other domain
- user_create['domain_id'] = self.other_domain['id']
- self.do_request('create_user', expected_status=exceptions.Forbidden,
- **user_create)
- # create user in own domain
- user_create['domain_id'] = self.persona.credentials.domain_id
- resp = self.do_request('create_user',
- expected_status=201,
- **user_create)
- self.addCleanup(self.admin_users_client.delete_user,
- resp['user']['id'])
-
- def test_identity_get_user(self):
- user_create = self.user()
- user_create['domain_id'] = self.other_domain['id']
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- # user cannot get user in other domain
- self.do_request('show_user', expected_status=exceptions.Forbidden,
- user_id=user['id'])
- user_create['domain_id'] = self.persona.credentials.domain_id
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- # user can get user in own domain
- resp = self.do_request('show_user', user_id=user['id'])
- self.assertEqual(resp['user']['id'], user['id'])
- # user can get own user
- user_id = self.persona.credentials.user_id
- resp = self.do_request('show_user', user_id=user_id)
- self.assertEqual(resp['user']['id'], user_id)
- # user gets a 403 for nonexistent user
- self.do_request('show_user', expected_status=exceptions.Forbidden,
- user_id='fakeuser')
-
def test_identity_list_users(self):
+ # the /v3/users api filters the response for domain-scoped
+ # tokens to users only in the domain, so we can't re-use
+ # the test from SystemAdminTests
user_create = self.user()
- # create user in other domain
- user_create['domain_id'] = self.other_domain['id']
+ user_create['domain_id'] = self.persona.credentials.domain_id
+ # create user in default domain
user1 = self.admin_users_client.create_user(**user_create)['user']
self.addCleanup(self.admin_users_client.delete_user, user1['id'])
- # create user in own domain
- user_create['domain_id'] = self.persona.credentials.domain_id
- user2 = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user2['id'])
resp = self.do_request('list_users')
user_ids = set(u['id'] for u in resp['users'])
- self.assertNotIn(user1['id'], user_ids)
- self.assertIn(user2['id'], user_ids)
-
- def test_identity_update_user(self):
- user_create = self.user()
- # create user in other domain
- user_create['domain_id'] = self.other_domain['id']
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- user_update = {
- 'user_id': user['id'],
- 'description': data_utils.arbitrary_string()
- }
- self.do_request('update_user', expected_status=exceptions.Forbidden,
- **user_update)
- # create user in own domain
- user_create['domain_id'] = self.persona.credentials.domain_id
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- user_update = {
- 'user_id': user['id'],
- 'description': data_utils.arbitrary_string()
- }
- self.do_request('update_user', **user_update)
- # user gets a 403 for nonexistent user
- user_update = {
- 'user_id': 'fakeuser',
- 'description': data_utils.arbitrary_string()
- }
- self.do_request('update_user', expected_status=exceptions.Forbidden,
- **user_update)
-
- def test_identity_delete_user(self):
- user_create = self.user()
- # create user in other domain
- user_create['domain_id'] = self.other_domain['id']
- user = self.admin_users_client.create_user(**user_create)['user']
- self.addCleanup(self.admin_users_client.delete_user, user['id'])
- self.do_request('delete_user', expected_status=exceptions.Forbidden,
- user_id=user['id'])
- # create user in own domain
- user_create['domain_id'] = self.persona.credentials.domain_id
- user = self.admin_users_client.create_user(**user_create)['user']
- self.do_request('delete_user', expected_status=204, user_id=user['id'])
- # user gets a 403 for nonexistent user
- self.do_request('delete_user', expected_status=exceptions.Forbidden,
- user_id='fakeuser')
+ self.assertIn(user1['id'], user_ids)
class DomainMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
@@ -475,10 +383,15 @@
credentials = ['domain_reader', 'system_admin']
-class ProjectAdminTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+class ProjectAdminTests(SystemAdminTests):
credentials = ['project_admin', 'system_admin']
+
+class ProjectMemberTests(IdentityV3RbacUserTest, base.BaseIdentityTest):
+
+ credentials = ['project_member', 'system_admin']
+
def test_identity_create_user(self):
self.do_request('create_user', expected_status=exceptions.Forbidden,
**self.user())
@@ -530,11 +443,6 @@
user_id='fakeuser')
-class ProjectMemberTests(ProjectAdminTests):
-
- credentials = ['project_member', 'system_admin']
-
-
-class ProjectReaderTests(ProjectAdminTests):
+class ProjectReaderTests(ProjectMemberTests):
credentials = ['project_reader', 'system_admin']