Identity V3 Tests - Roles
Tests for identity v3 roles
Partially-Implements bp: initial-tests-identity
Depends-On: I4e28de9ab106239b3926634591ce4a550f108a3e
Change-Id: Id6652b195ae4e32ec2404d2bbd183e81ec605bca
Co-Authored-By: Nishant Kumar <nk613n@att.com>
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
new file mode 100644
index 0000000..e3eebfc
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
@@ -0,0 +1,292 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
+
+
+class IdentityRolesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d904')
+ def test_create_role(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.setup_test_role()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:update_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d905')
+ def test_update_role(self):
+ role = self.setup_test_role()
+ new_role_name = data_utils.rand_name('test_update_role')
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.update_role(role['id'],
+ name=new_role_name)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d906')
+ def test_delete_role(self):
+ role = self.setup_test_role()
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role(role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d907')
+ def test_show_role(self):
+ role = self.setup_test_role()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.show_role(role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_roles")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d908')
+ def test_list_roles(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_roles()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d909')
+ def test_create_user_role_on_project(self):
+ project = self.setup_test_project()
+ role = self.setup_test_role()
+ user = self.setup_test_user()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.create_user_role_on_project(
+ project['id'],
+ user['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ project['id'],
+ user['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:check_grant")
+ @decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
+ def test_check_user_role_existence_on_project(self):
+ project = self.setup_test_project()
+ role = self.setup_test_role()
+ user = self.setup_test_user()
+ self.roles_client.create_user_role_on_project(
+ project['id'],
+ user['id'],
+ role['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.check_user_role_existence_on_project(
+ project['id'],
+ user['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ project['id'],
+ user['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:revoke_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
+ def test_delete_role_from_user_on_project(self):
+ project = self.setup_test_project()
+ role = self.setup_test_role()
+ user = self.setup_test_user()
+ self.roles_client.create_user_role_on_project(
+ project['id'],
+ user['id'],
+ role['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role_from_user_on_project(
+ project['id'],
+ user['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ project['id'],
+ user['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_grants")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
+ def test_list_user_roles_on_project(self):
+ project = self.setup_test_project()
+ user = self.setup_test_user()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_user_roles_on_project(
+ project['id'],
+ user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
+ def test_create_group_role_on_project(self):
+ group = self.setup_test_group()
+ project = self.setup_test_project()
+ role = self.setup_test_role()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.create_group_role_on_project(
+ project['id'],
+ group['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_group_on_project,
+ project['id'],
+ group['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:revoke_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90d')
+ def test_delete_role_from_group_on_project(self):
+ group = self.setup_test_group()
+ project = self.setup_test_project()
+ role = self.setup_test_role()
+ self.roles_client.create_group_role_on_project(
+ project['id'],
+ group['id'],
+ role['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role_from_group_on_project(
+ project['id'],
+ group['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_group_on_project,
+ project['id'],
+ group['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_grants")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
+ def test_list_group_roles_on_project(self):
+ group = self.setup_test_group()
+ project = self.setup_test_project()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_group_roles_on_project(
+ project['id'],
+ group['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
+ def test_create_user_role_on_domain(self):
+ domain = self.setup_test_domain()
+ role = self.setup_test_role()
+ user = self.setup_test_user()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.create_user_role_on_domain(
+ domain['id'],
+ user['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ domain['id'],
+ user['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:revoke_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
+ def test_delete_role_from_user_on_domain(self):
+ domain = self.setup_test_domain()
+ role = self.setup_test_role()
+ user = self.setup_test_user()
+ self.roles_client.create_user_role_on_domain(
+ domain['id'],
+ user['id'],
+ role['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role_from_user_on_domain(
+ domain['id'],
+ user['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ domain['id'],
+ user['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_grants")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
+ def test_list_user_roles_on_domain(self):
+ domain = self.setup_test_domain()
+ user = self.setup_test_user()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_user_roles_on_domain(
+ domain['id'],
+ user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
+ def test_create_group_role_on_domain(self):
+ domain = self.setup_test_domain()
+ group = self.setup_test_group()
+ role = self.setup_test_role()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.create_group_role_on_domain(
+ domain['id'],
+ group['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_group_on_domain,
+ domain['id'],
+ group['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:revoke_grant")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d913')
+ def test_delete_role_from_group_on_domain(self):
+ domain = self.setup_test_domain()
+ group = self.setup_test_group()
+ role = self.setup_test_role()
+ self.roles_client.create_group_role_on_domain(
+ domain['id'],
+ group['id'],
+ role['id'])
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role_from_group_on_domain(
+ domain['id'],
+ group['id'],
+ role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_group_on_domain,
+ domain['id'],
+ group['id'],
+ role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_grants")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d914')
+ def test_list_group_roles_on_domain(self):
+ domain = self.setup_test_domain()
+ group = self.setup_test_group()
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_group_roles_on_domain(
+ domain['id'],
+ group['id'])