Adds admin tests for roles and roleRef API
Change-Id: I10e7116570f922ec87e23b1f880cd4b1c08c3088
diff --git a/tempest/services/identity/json/admin_client.py b/tempest/services/identity/json/admin_client.py
index 7784d81..314814e 100644
--- a/tempest/services/identity/json/admin_client.py
+++ b/tempest/services/identity/json/admin_client.py
@@ -57,6 +57,29 @@
resp, body = self.delete('OS-KSADM/roles/%s' % str(role_id))
return resp, body
+ def list_user_roles(self, user_id):
+ """Returns a list of roles assigned to a user for a tenant"""
+ resp, body = self.get('users/%s/roleRefs' % user_id)
+ body = json.loads(body)
+ return resp, body['roles']
+
+ def assign_user_role(self, user_id, role_id, tenant_id):
+ """Assigns a role to a user for a tenant"""
+ post_body = {
+ 'roleId': role_id,
+ 'tenantId': tenant_id
+ }
+ post_body = json.dumps({'role': post_body})
+ resp, body = self.post('users/%s/roleRefs' % user_id, post_body,
+ self.headers)
+ body = json.loads(body)
+ return resp, body['role']
+
+ def remove_user_role(self, user_id, role_id):
+ """Removes a role assignment for a user on a tenant"""
+ resp, body = self.delete('users/%s/roleRefs/%s' % (user_id, role_id))
+ return resp, body
+
def delete_tenant(self, tenant_id):
"""Delete a tenant"""
resp, body = self.delete('tenants/%s' % str(tenant_id))
diff --git a/tempest/tests/identity/base_admin_test.py b/tempest/tests/identity/base_admin_test.py
index e8796c2..d5ba944 100644
--- a/tempest/tests/identity/base_admin_test.py
+++ b/tempest/tests/identity/base_admin_test.py
@@ -48,13 +48,13 @@
return user[0]
def get_tenant_by_name(self, name):
- _, tenants = self.client.get_tenants()
+ _, tenants = self.client.list_tenants()
tenant = [t for t in tenants if t['name'] == name]
if len(tenant) > 0:
return tenant[0]
def get_role_by_name(self, name):
- _, roles = self.client.get_roles()
+ _, roles = self.client.list_roles()
role = [r for r in roles if r['name'] == name]
if len(role) > 0:
return role[0]
@@ -92,9 +92,9 @@
def setup_test_role(self):
"""Set up a test role"""
- self.role_name = rand_name('role')
- resp, role = self.client.create_role(self.role_name)
- self.roles.append(role)
+ self.test_role = rand_name('role')
+ resp, self.role = self.client.create_role(self.test_role)
+ self.roles.append(self.role)
def teardown_all(self):
for user in self.users:
diff --git a/tempest/tests/identity/test_roles.py b/tempest/tests/identity/test_roles.py
index 1d413d7..f46fb8f 100644
--- a/tempest/tests/identity/test_roles.py
+++ b/tempest/tests/identity/test_roles.py
@@ -1,40 +1,45 @@
import unittest2 as unittest
-
-import nose
-
-from tempest import openstack
from tempest import exceptions
from tempest.common.utils.data_utils import rand_name
-from tempest.tests import utils
+from base_admin_test import BaseAdminTest
-class RolesTest(unittest.TestCase):
+class RolesTest(BaseAdminTest):
@classmethod
def setUpClass(cls):
- cls.os = openstack.AdminManager()
- cls.client = cls.os.admin_client
- cls.config = cls.os.config
+ super(RolesTest, cls).setUpClass()
- if not cls.client.has_admin_extensions():
- raise nose.SkipTest("Admin extensions disabled")
-
- cls.roles = []
for _ in xrange(5):
- resp, body = cls.client.create_role(rand_name('role-'))
- cls.roles.append(body['id'])
+ resp, role = cls.client.create_role(rand_name('role-'))
+ cls.data.roles.append(role)
- @classmethod
- def tearDownClass(cls):
- for role in cls.roles:
- cls.client.delete_role(role)
+ def _get_role_params(self):
+ self.data.setup_test_user()
+ self.data.setup_test_role()
+ user = self.get_user_by_name(self.data.test_user)
+ tenant = self.get_tenant_by_name(self.data.test_tenant)
+ role = self.get_role_by_name(self.data.test_role)
+ return (user, tenant, role)
def test_list_roles(self):
"""Return a list of all roles"""
resp, body = self.client.list_roles()
- found = [role for role in body if role['id'] in self.roles]
+ found = [role for role in body if role in self.data.roles]
self.assertTrue(any(found))
- self.assertEqual(len(found), len(self.roles))
+ self.assertEqual(len(found), len(self.data.roles))
+
+ def test_list_roles_by_unauthorized_user(self):
+ """Non admin user should not be able to list roles"""
+ self.assertRaises(exceptions.Unauthorized,
+ self.non_admin_client.list_roles)
+
+ def test_list_roles_request_without_token(self):
+ """Request to list roles without a valid token should fail"""
+ token = self.client.get_auth()
+ self.client.delete_token(token)
+ self.assertRaises(exceptions.Unauthorized, self.client.list_roles)
+ self.client.clear_auth()
def test_role_create_delete(self):
"""Role should be created, verified, and deleted"""
@@ -83,3 +88,141 @@
except exceptions.Duplicate:
pass
self.client.delete_role(role1_id)
+
+
+class UserRolesTest(RolesTest):
+
+ @classmethod
+ def setUpClass(cls):
+ super(UserRolesTest, cls).setUpClass()
+
+ def test_assign_user_role(self):
+ """Assign a role to a user on a tenant"""
+ (user, tenant, role) = self._get_role_params()
+ self.client.assign_user_role(user['id'], role['id'], tenant['id'])
+ resp, roles = self.client.list_user_roles(user['id'])
+ self.assertEquals(tenant['id'], roles[0]['tenantId'])
+
+ def test_assign_user_role_by_unauthorized_user(self):
+ """Non admin user should not be authorized to assign a role to user"""
+ (user, tenant, role) = self._get_role_params()
+ self.assertRaises(exceptions.Unauthorized,
+ self.non_admin_client.assign_user_role,
+ user['id'], role['id'], tenant['id'])
+
+ def test_assign_user_role_request_without_token(self):
+ """Request to assign a role to a user without a valid token"""
+ (user, tenant, role) = self._get_role_params()
+ token = self.client.get_auth()
+ self.client.delete_token(token)
+ self.assertRaises(exceptions.Unauthorized,
+ self.client.assign_user_role, user['id'], role['id'],
+ tenant['id'])
+ self.client.clear_auth()
+
+ @unittest.skip("Until Bug 999608 is fixed")
+ def test_assign_user_role_for_non_existent_user(self):
+ """Attempt to assign a role to a non existent user should fail"""
+ (user, tenant, role) = self._get_role_params()
+ self.assertRaises(exceptions.NotFound, self.client.assign_user_role,
+ 'junk-user-id-999', role['id'], tenant['id'])
+
+ @unittest.skip("Until Bug 999608 is fixed")
+ def test_assign_user_role_for_non_existent_role(self):
+ """Attempt to assign a non existent role to user should fail"""
+ (user, tenant, role) = self._get_role_params()
+ self.assertRaises(exceptions.NotFound, self.client.assign_user_role,
+ user['id'], 'junk-role-id-12345', tenant['id'])
+
+ @unittest.skip("Until Bug 999608 is fixed")
+ def test_assign_user_role_for_non_existent_tenant(self):
+ """Attempt to assign a role on a non existent tenant should fail"""
+ (user, tenant, role) = self._get_role_params()
+ self.assertRaises(exceptions.NotFound, self.client.assign_user_role,
+ user['id'], role['id'], 'junk-tenant-1234')
+
+ @unittest.skip("Until Bug 999594 is fixed")
+ def test_assign_duplicate_user_role(self):
+ """Duplicate user role should not get assigned"""
+ (user, tenant, role) = self._get_role_params()
+ self.client.create_user_role(user['id'], role['id'], tenant['id'])
+ resp, body = self.client.assign_user_role(user['id'], role['id'],
+ tenant['id'])
+ self.assertRaises(exceptions.Duplicate, self.client.assign_user_role,
+ user['id'], role['id'], tenant['id'])
+
+ @unittest.skip("Until Bug 999219 is fixed")
+ def test_remove_user_role(self):
+ """Remove a role assigned to a user on a tenant"""
+ (user, tenant, role) = self._get_role_params()
+ resp, user_role = self.client.assign_user_role(user['id'], role['id'],
+ tenant['id'])
+ resp, body = self.client.remove_user_role(user['id'], user_role['id'])
+ self.assertEquals(resp['status'], '204')
+
+ def test_remove_user_role_by_unauthorized_user(self):
+ """Non admin user should not be authorized to remove a user's role"""
+ (user, tenant, role) = self._get_role_params()
+ resp, user_role = self.client.assign_user_role(user['id'], role['id'],
+ tenant['id'])
+ self.assertRaises(exceptions.Unauthorized,
+ self.non_admin_client.remove_user_role,
+ user['id'], role['id'])
+
+ def test_remove_user_role_request_without_token(self):
+ """Request to remove a user's role without a valid token"""
+ (user, tenant, role) = self._get_role_params()
+ resp, user_role = self.client.assign_user_role(user['id'], role['id'],
+ tenant['id'])
+ token = self.client.get_auth()
+ self.client.delete_token(token)
+ self.assertRaises(exceptions.Unauthorized,
+ self.client.remove_user_role, user['id'], role['id'])
+ self.client.clear_auth()
+
+ @unittest.skip("Until Bug 999567 is fixed")
+ def test_remove_user_role_non_existant_user(self):
+ """Attempt to remove a role from a non existent user should fail"""
+ (user, tenant, role) = self._get_role_params()
+ resp, user_role = self.client.assign_user_role(user['id'], role['id'],
+ tenant['id'])
+ self.assertRaises(exceptions.NotFound, self.client.remove_user_role,
+ 'junk-user-id-123', role['id'])
+
+ @unittest.skip("Until Bug 999567 is fixed")
+ def test_remove_user_role_non_existant_role(self):
+ """Attempt to delete a non existent role from a user should fail"""
+ (user, tenant, role) = self._get_role_params()
+ resp, user_role = self.client.assign_user_role(user['id'], role['id'],
+ tenant['id'])
+ self.assertRaises(exceptions.NotFound, self.client.remove_user_role,
+ user['id'], 'junk-user-role-123')
+
+ def test_list_user_roles(self):
+ """List roles assigned to a user on tenant"""
+ (user, tenant, role) = self._get_role_params()
+ self.client.assign_user_role(user['id'], role['id'], tenant['id'])
+ resp, roles = self.client.list_user_roles(user['id'])
+ self.assertEquals(tenant['id'], roles[0]['tenantId'])
+
+ def test_list_user_roles_by_unauthorized_user(self):
+ """Non admin user should not be authorized to list a user's roles"""
+ (user, tenant, role) = self._get_role_params()
+ self.client.assign_user_role(user['id'], role['id'], tenant['id'])
+ self.assertRaises(exceptions.Unauthorized,
+ self.non_admin_client.list_user_roles, user['id'])
+
+ def test_list_user_roles_request_without_token(self):
+ """Request to list user's roles without a valid token should fail"""
+ (user, tenant, role) = self._get_role_params()
+ token = self.client.get_auth()
+ self.client.delete_token(token)
+ self.assertRaises(exceptions.Unauthorized,
+ self.client.list_user_roles, user['id'])
+ self.client.clear_auth()
+
+ @unittest.skip("Until Bug 999209 is fixed")
+ def test_list_user_roles_for_non_existent_user(self):
+ """Attempt to list roles of a non existent user should fail"""
+ self.assertRaises(exceptions.NotFound, self.client.list_user_roles,
+ 'junk-role-aabbcc11')