Move role_assignments_client to tempest lib
This patch adds unit tests for the role_assignments_client and also
moves it to the lib.
Additionally, the method is refactored to be generic and handle the
full set of the role_assignments API parameters.
Change-Id: I1452d4f7be927f87f180badee377afa116d55ed6
diff --git a/releasenotes/notes/add-role-assignments-client-as-a-library-d34b4fdf376984ad.yaml b/releasenotes/notes/add-role-assignments-client-as-a-library-d34b4fdf376984ad.yaml
new file mode 100644
index 0000000..a1edcc5
--- /dev/null
+++ b/releasenotes/notes/add-role-assignments-client-as-a-library-d34b4fdf376984ad.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Define the identity service role_assignments_client as a library.
+ Add role_assignments_client to the library interface so the other
+ projects can use this module as a stable library without any
+ maintenance changes.
diff --git a/tempest/api/identity/admin/v3/test_inherits.py b/tempest/api/identity/admin/v3/test_inherits.py
index 955b6fb..c7e8411 100644
--- a/tempest/api/identity/admin/v3/test_inherits.py
+++ b/tempest/api/identity/admin/v3/test_inherits.py
@@ -168,15 +168,16 @@
self.domain['id'], self.user['id'], src_role['id'])
# List "effective" role assignments from user on the parent project
- assignments = (
- self.role_assignments.list_user_project_effective_assignments(
- self.project['id'], self.user['id']))['role_assignments']
+ params = {'scope.project.id': self.project['id'],
+ 'user.id': self.user['id']}
+ assignments = self.role_assignments.list_role_assignments(
+ effective=True, **params)['role_assignments']
self.assertNotEmpty(assignments)
# List "effective" role assignments from user on the leaf project
- assignments = (
- self.role_assignments.list_user_project_effective_assignments(
- leaf_project['id'], self.user['id']))['role_assignments']
+ params['scope.project.id'] = leaf_project['id']
+ assignments = self.role_assignments.list_role_assignments(
+ effective=True, **params)['role_assignments']
self.assertNotEmpty(assignments)
# Revoke role from domain
@@ -185,16 +186,16 @@
# List "effective" role assignments from user on the parent project
# should return an empty list
- assignments = (
- self.role_assignments.list_user_project_effective_assignments(
- self.project['id'], self.user['id']))['role_assignments']
+ params['scope.project.id'] = self.project['id']
+ assignments = self.role_assignments.list_role_assignments(
+ effective=True, **params)['role_assignments']
self.assertEmpty(assignments)
# List "effective" role assignments from user on the leaf project
# should return an empty list
- assignments = (
- self.role_assignments.list_user_project_effective_assignments(
- leaf_project['id'], self.user['id']))['role_assignments']
+ params['scope.project.id'] = leaf_project['id']
+ assignments = self.role_assignments.list_role_assignments(
+ effective=True, **params)['role_assignments']
self.assertEmpty(assignments)
@test.idempotent_id('9f02ccd9-9b57-46b4-8f77-dd5a736f3a06')
@@ -217,9 +218,10 @@
self.project['id'], self.user['id'], src_role['id'])
# List "effective" role assignments from user on the leaf project
- assignments = (
- self.role_assignments.list_user_project_effective_assignments(
- leaf_project['id'], self.user['id']))['role_assignments']
+ params = {'scope.project.id': leaf_project['id'],
+ 'user.id': self.user['id']}
+ assignments = self.role_assignments.list_role_assignments(
+ effective=True, **params)['role_assignments']
self.assertNotEmpty(assignments)
# Revoke role from parent project
@@ -228,7 +230,6 @@
# List "effective" role assignments from user on the leaf project
# should return an empty list
- assignments = (
- self.role_assignments.list_user_project_effective_assignments(
- leaf_project['id'], self.user['id']))['role_assignments']
+ assignments = self.role_assignments.list_role_assignments(
+ effective=True, **params)['role_assignments']
self.assertEmpty(assignments)
diff --git a/tempest/lib/services/identity/v3/role_assignments_client.py b/tempest/lib/services/identity/v3/role_assignments_client.py
new file mode 100644
index 0000000..c2dc3eb
--- /dev/null
+++ b/tempest/lib/services/identity/v3/role_assignments_client.py
@@ -0,0 +1,47 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from oslo_serialization import jsonutils as json
+from six.moves.urllib import parse as urllib
+
+from tempest.lib.common import rest_client
+
+
+class RoleAssignmentsClient(rest_client.RestClient):
+ api_version = "v3"
+
+ def list_role_assignments(self, effective=False, **kwargs):
+ """List role assignments.
+
+ For a full list of available parameters, please refer to the official
+ API reference:
+ http://developer.openstack.org/api-ref/identity/v3/?expanded=list-effective-role-assignments-detail
+
+ :param effective: If True, returns the effective assignments, including
+ any assignments gained by virtue of group membership.
+ """
+ url = 'role_assignments'
+ if kwargs:
+ # NOTE(rodrigods): "effective" is a key-only query parameter and
+ # is treated below.
+ if 'effective' in kwargs:
+ del kwargs['effective']
+ url += '?%s' % urllib.urlencode(kwargs)
+ if effective:
+ url += '&effective'
+
+ resp, body = self.get(url)
+ self.expected_success(200, resp.status)
+ body = json.loads(body)
+ return rest_client.ResponseBody(resp, body)
diff --git a/tempest/services/identity/v3/__init__.py b/tempest/services/identity/v3/__init__.py
index 9b40b77..6e64a7d 100644
--- a/tempest/services/identity/v3/__init__.py
+++ b/tempest/services/identity/v3/__init__.py
@@ -22,14 +22,14 @@
from tempest.lib.services.identity.v3.policies_client import PoliciesClient
from tempest.lib.services.identity.v3.projects_client import ProjectsClient
from tempest.lib.services.identity.v3.regions_client import RegionsClient
+from tempest.lib.services.identity.v3.role_assignments_client import \
+ RoleAssignmentsClient
from tempest.lib.services.identity.v3.roles_client import RolesClient
from tempest.lib.services.identity.v3.services_client import ServicesClient
from tempest.lib.services.identity.v3.token_client import V3TokenClient
from tempest.lib.services.identity.v3.trusts_client import TrustsClient
from tempest.lib.services.identity.v3.users_client import UsersClient
from tempest.services.identity.v3.json.domains_client import DomainsClient
-from tempest.services.identity.v3.json.role_assignments_client import \
- RoleAssignmentsClient
__all__ = ['CredentialsClient', 'EndPointsClient', 'GroupsClient',
'IdentityClient', 'InheritedRolesClient', 'PoliciesClient',
diff --git a/tempest/services/identity/v3/json/role_assignments_client.py b/tempest/services/identity/v3/json/role_assignments_client.py
deleted file mode 100644
index 9fd7736..0000000
--- a/tempest/services/identity/v3/json/role_assignments_client.py
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright 2016 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-from oslo_serialization import jsonutils as json
-
-from tempest.lib.common import rest_client
-
-
-class RoleAssignmentsClient(rest_client.RestClient):
- api_version = "v3"
-
- def list_user_project_effective_assignments(
- self, project_id, user_id):
- """List the effective role assignments for a user in a project."""
- resp, body = self.get(
- "role_assignments?scope.project.id=%s&user.id=%s&effective" %
- (project_id, user_id))
- self.expected_success(200, resp.status)
- body = json.loads(body)
- return rest_client.ResponseBody(resp, body)
diff --git a/tempest/tests/lib/services/identity/v3/test_role_assignments_client.py b/tempest/tests/lib/services/identity/v3/test_role_assignments_client.py
new file mode 100644
index 0000000..7d304c1
--- /dev/null
+++ b/tempest/tests/lib/services/identity/v3/test_role_assignments_client.py
@@ -0,0 +1,206 @@
+# Copyright 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from tempest.lib.services.identity.v3 import role_assignments_client
+from tempest.tests.lib import fake_auth_provider
+from tempest.tests.lib.services import base
+
+
+class TestRoleAssignmentsClient(base.BaseServiceTest):
+
+ FAKE_USER_ID = "313234"
+ FAKE_GROUP_ID = "101112"
+
+ FAKE_ROLE1_ID = "123456"
+ FAKE_ROLE2_ID = "123457"
+
+ FAKE_PROJECT_ID = "456789"
+ FAKE_DOMAIN_ID = "102030"
+
+ FAKE_USER_PROJECT_ASSIGNMENT = {
+ "links": {
+ "assignment": "http://example.com/identity/v3/projects/"
+ "%s/users/%s/roles/%s" % (FAKE_PROJECT_ID,
+ FAKE_USER_ID,
+ FAKE_ROLE2_ID)
+ },
+ "role": {
+ "id": FAKE_ROLE2_ID
+ },
+ "scope": {
+ "project": {
+ "id": FAKE_PROJECT_ID
+ }
+ },
+ "user": {
+ "id": FAKE_USER_ID
+ }
+ }
+
+ FAKE_GROUP_PROJECT_ASSIGNMENT = {
+ "links": {
+ "assignment": "http://example.com/identity/v3/projects/"
+ "%s/groups/%s/roles/%s" % (FAKE_PROJECT_ID,
+ FAKE_GROUP_ID,
+ FAKE_ROLE1_ID)
+ },
+ "role": {
+ "id": FAKE_ROLE1_ID
+ },
+ "scope": {
+ "project": {
+ "id": FAKE_PROJECT_ID
+ }
+ },
+ "group": {
+ "id": FAKE_GROUP_ID
+ }
+ }
+
+ FAKE_USER_PROJECT_EFFECTIVE_ASSIGNMENT = {
+ "links": {
+ "assignment": "http://example.com/identity/v3/projects/"
+ "%s/groups/%s/roles/%s" % (FAKE_PROJECT_ID,
+ FAKE_GROUP_ID,
+ FAKE_ROLE1_ID),
+ "membership": "http://example.com/identity/v3/groups/"
+ "%s/users/%s" % (FAKE_GROUP_ID, FAKE_USER_ID)
+ },
+ "role": {
+ "id": FAKE_ROLE1_ID
+ },
+ "scope": {
+ "project": {
+ "id": FAKE_PROJECT_ID
+ }
+ },
+ "user": {
+ "id": FAKE_USER_ID
+ }
+ }
+
+ FAKE_USER_DOMAIN_ASSIGNMENT = {
+ "links": {
+ "assignment": "http://example.com/identity/v3/domains/"
+ "%s/users/%s/roles/%s" % (FAKE_DOMAIN_ID,
+ FAKE_USER_ID,
+ FAKE_ROLE1_ID)
+ },
+ "role": {
+ "id": FAKE_ROLE1_ID
+ },
+ "scope": {
+ "domain": {
+ "id": FAKE_DOMAIN_ID
+ }
+ },
+ "user": {
+ "id": FAKE_USER_ID
+ }
+ }
+
+ FAKE_GROUP_PROJECT_ASSIGNMENTS = {
+ "role_assignments": [
+ FAKE_GROUP_PROJECT_ASSIGNMENT
+ ],
+ "links": {
+ "self": "http://example.com/identity/v3/role_assignments?"
+ "scope.project.id=%s&group.id=%s&effective" % (
+ FAKE_PROJECT_ID, FAKE_GROUP_ID),
+ "previous": None,
+ "next": None
+ }
+ }
+
+ FAKE_USER_PROJECT_EFFECTIVE_ASSIGNMENTS = {
+ "role_assignments": [
+ FAKE_USER_PROJECT_ASSIGNMENT,
+ FAKE_USER_PROJECT_EFFECTIVE_ASSIGNMENT
+ ],
+ "links": {
+ "self": "http://example.com/identity/v3/role_assignments?"
+ "scope.project.id=%s&user.id=%s&effective" % (
+ FAKE_PROJECT_ID, FAKE_USER_ID),
+ "previous": None,
+ "next": None
+ }
+ }
+
+ FAKE_USER_DOMAIN_ASSIGNMENTS = {
+ "role_assignments": [
+ FAKE_USER_DOMAIN_ASSIGNMENT
+ ],
+ "links": {
+ "self": "http://example.com/identity/v3/role_assignments?"
+ "scope.domain.id=%s&user.id=%s&effective" % (
+ FAKE_DOMAIN_ID, FAKE_USER_ID),
+ "previous": None,
+ "next": None
+ }
+ }
+
+ def setUp(self):
+ super(TestRoleAssignmentsClient, self).setUp()
+ fake_auth = fake_auth_provider.FakeAuthProvider()
+ self.client = role_assignments_client.RoleAssignmentsClient(
+ fake_auth, 'identity', 'regionOne')
+
+ def _test_list_user_project_effective_assignments(self, bytes_body=False):
+ params = {'scope.project.id': self.FAKE_PROJECT_ID,
+ 'user.id': self.FAKE_USER_ID}
+ self.check_service_client_function(
+ self.client.list_role_assignments,
+ 'tempest.lib.common.rest_client.RestClient.get',
+ self.FAKE_USER_PROJECT_EFFECTIVE_ASSIGNMENTS,
+ bytes_body,
+ effective=True,
+ **params)
+
+ def test_list_user_project_effective_assignments_with_str_body(self):
+ self._test_list_user_project_effective_assignments()
+
+ def test_list_user_project_effective_assignments_with_bytes_body(self):
+ self._test_list_user_project_effective_assignments(bytes_body=True)
+
+ def _test_list_group_project_assignments(self, bytes_body=False):
+ params = {'scope.project.id': self.FAKE_PROJECT_ID,
+ 'group.id': self.FAKE_GROUP_ID}
+ self.check_service_client_function(
+ self.client.list_role_assignments,
+ 'tempest.lib.common.rest_client.RestClient.get',
+ self.FAKE_GROUP_PROJECT_ASSIGNMENTS,
+ bytes_body,
+ **params)
+
+ def test_list_group_project_assignments_with_str_body(self):
+ self._test_list_group_project_assignments()
+
+ def test_list_group_project_assignments_with_bytes_body(self):
+ self._test_list_group_project_assignments(bytes_body=True)
+
+ def _test_list_user_domain_assignments(self, bytes_body=False):
+ params = {'scope.domain.id': self.FAKE_DOMAIN_ID,
+ 'user.id': self.FAKE_USER_ID}
+ self.check_service_client_function(
+ self.client.list_role_assignments,
+ 'tempest.lib.common.rest_client.RestClient.get',
+ self.FAKE_GROUP_PROJECT_ASSIGNMENTS,
+ bytes_body,
+ **params)
+
+ def test_list_user_domain_assignments_with_str_body(self):
+ self._test_list_user_domain_assignments()
+
+ def test_list_user_domain_assignments_with_bytes_body(self):
+ self._test_list_user_domain_assignments(bytes_body=True)