Gitiles
Code Review Sign In
spfactory.storpool.com / tempest / 1b548f951fa346bc4ecd6be7268a9a68bfe67008 / . / tempest / api / identity / admin / v3 / test_inherits.py
blob: 48bde2b4f40450dd90f7b9bc2f56744323c5cf9a [file] [log] [blame]
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]1# Licensed under the Apache License, Version 2.0 (the "License"); you may
2# not use this file except in compliance with the License. You may obtain
3# a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10# License for the specific language governing permissions and limitations
11# under the License.
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]12import testtools
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]13
14from tempest.api.identity import base
Andrea Frittolicd368412017-08-14 21:37:56 +0100[diff] [blame]15from tempest.common import utils
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]16from tempest import config
Ken'ichi Ohmichi7bd25752017-03-10 10:45:39 -0800[diff] [blame]17from tempest.lib.common.utils import data_utils
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]18from tempest.lib import decorators
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]19
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]20CONF = config.CONF
21
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]22
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]23class InheritsV3TestJSON(base.BaseIdentityV3AdminTest):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]24 """Test keystone inherits"""
25
Trevor McCaslandbd898412019-01-17 10:04:40 -0600[diff] [blame]26 # NOTE: force_tenant_isolation is true in the base class by default but
27 # overridden to false here to allow test execution for clouds using the
28 # pre-provisioned credentials provider.
29 force_tenant_isolation = False
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]30
31 @classmethod
32 def skip_checks(cls):
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]33 super(InheritsV3TestJSON, cls).skip_checks()
Andrea Frittolicd368412017-08-14 21:37:56 +0100[diff] [blame]34 if not utils.is_extension_enabled('OS-INHERIT', 'identity'):
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]35 raise cls.skipException("Inherits aren't enabled")
36
37 @classmethod
38 def resource_setup(cls):
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]39 super(InheritsV3TestJSON, cls).resource_setup()
Martin Kopec213d0a42023-11-30 10:28:14 +0100[diff] [blame]40 prefix = CONF.resource_name_prefix
41 u_name = data_utils.rand_name(name='user-', prefix=prefix)
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]42 u_desc = '%s description' % u_name
43 u_email = '%s@testmail.tm' % u_name
zhufl00e47772019-02-22 11:18:46 +0800[diff] [blame]44 u_password = data_utils.rand_password()
zhufl2b33c1a2017-04-24 17:33:48 +0800[diff] [blame]45 cls.domain = cls.create_domain()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]46 cls.project = cls.projects_client.create_project(
Martin Kopec213d0a42023-11-30 10:28:14 +0100[diff] [blame]47 data_utils.rand_name(name='project-', prefix=prefix),
48 description=data_utils.rand_name('project-desc-', prefix=prefix),
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]49 domain_id=cls.domain['id'])['project']
zhufl0ba73df2017-12-12 16:37:01 +0800[diff] [blame]50 cls.addClassResourceCleanup(cls.projects_client.delete_project,
51 cls.project['id'])
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]52 cls.group = cls.groups_client.create_group(
Martin Kopec213d0a42023-11-30 10:28:14 +0100[diff] [blame]53 name=data_utils.rand_name(name='group-', prefix=prefix),
54 project_id=cls.project['id'], domain_id=cls.domain['id'])['group']
zhufl0ba73df2017-12-12 16:37:01 +0800[diff] [blame]55 cls.addClassResourceCleanup(cls.groups_client.delete_group,
56 cls.group['id'])
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]57 if not CONF.identity_feature_enabled.immutable_user_source:
58 cls.user = cls.users_client.create_user(
59 name=u_name,
60 description=u_desc,
61 password=u_password,
62 email=u_email,
63 project_id=cls.project['id'],
64 domain_id=cls.domain['id']
65 )['user']
66 cls.addClassResourceCleanup(cls.users_client.delete_user,
67 cls.user['id'])
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]68
69 def _list_assertions(self, body, fetched_role_ids, role_id):
70 self.assertEqual(len(body), 1)
71 self.assertIn(role_id, fetched_role_ids)
72
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]73 @decorators.idempotent_id('4e6f0366-97c8-423c-b2be-41eae6ac91c8')
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]74 @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
75 'Skipped because environment has an immutable user '
76 'source and solely provides read-only access to users.')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]77 def test_inherit_assign_list_check_revoke_roles_on_domains_user(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]78 """Test assign/list/check/revoke inherited role on domain user"""
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]79 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]80 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]81 # Assign role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]82 self.inherited_roles_client.create_inherited_role_on_domains_user(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]83 self.domain['id'], self.user['id'], src_role['id'])
84 # list role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]85 roles = self.inherited_roles_client.\
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]86 list_inherited_project_role_for_user_on_domain(
87 self.domain['id'], self.user['id'])['roles']
88
89 fetched_role_ids = [i['id'] for i in roles]
90 self._list_assertions(roles, fetched_role_ids,
91 src_role['id'])
92
93 # Check role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]94 (self.inherited_roles_client.
95 check_user_inherited_project_role_on_domain(
96 self.domain['id'], self.user['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]97 # Revoke role from domains user.
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]98 self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]99 self.domain['id'], self.user['id'], src_role['id'])
100
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]101 @decorators.idempotent_id('c7a8dda2-be50-4fb4-9a9c-e830771078b1')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]102 def test_inherit_assign_list_check_revoke_roles_on_domains_group(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]103 """Test assign/list/check/revoke inherited role on domain group"""
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]104 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]105 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]106 # Assign role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]107 self.inherited_roles_client.create_inherited_role_on_domains_group(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]108 self.domain['id'], self.group['id'], src_role['id'])
109 # List role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]110 roles = self.inherited_roles_client.\
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]111 list_inherited_project_role_for_group_on_domain(
112 self.domain['id'], self.group['id'])['roles']
113
114 fetched_role_ids = [i['id'] for i in roles]
115 self._list_assertions(roles, fetched_role_ids,
116 src_role['id'])
117
118 # Check role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]119 (self.inherited_roles_client.
120 check_group_inherited_project_role_on_domain(
121 self.domain['id'], self.group['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]122 # Revoke role from domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]123 self.inherited_roles_client.delete_inherited_role_from_group_on_domain(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]124 self.domain['id'], self.group['id'], src_role['id'])
125
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]126 @decorators.idempotent_id('18b70e45-7687-4b72-8277-b8f1a47d7591')
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]127 @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
128 'Skipped because environment has an immutable user '
129 'source and solely provides read-only access to users.')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]130 def test_inherit_assign_check_revoke_roles_on_projects_user(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]131 """Test assign/list/check/revoke inherited role on project user"""
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]132 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]133 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]134 # Assign role on projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]135 self.inherited_roles_client.create_inherited_role_on_projects_user(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]136 self.project['id'], self.user['id'], src_role['id'])
137 # Check role on projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]138 (self.inherited_roles_client.
139 check_user_has_flag_on_inherited_to_project(
140 self.project['id'], self.user['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]141 # Revoke role from projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]142 self.inherited_roles_client.delete_inherited_role_from_user_on_project(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]143 self.project['id'], self.user['id'], src_role['id'])
144
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]145 @decorators.idempotent_id('26021436-d5a4-4256-943c-ded01e0d4b45')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]146 def test_inherit_assign_check_revoke_roles_on_projects_group(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]147 """Test assign/list/check/revoke inherited role on project group"""
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]148 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]149 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]150 # Assign role on projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]151 self.inherited_roles_client.create_inherited_role_on_projects_group(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]152 self.project['id'], self.group['id'], src_role['id'])
153 # Check role on projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]154 (self.inherited_roles_client.
155 check_group_has_flag_on_inherited_to_project(
156 self.project['id'], self.group['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]157 # Revoke role from projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]158 (self.inherited_roles_client.
159 delete_inherited_role_from_group_on_project(
160 self.project['id'], self.group['id'], src_role['id']))
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]161
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]162 @decorators.idempotent_id('3acf666e-5354-42ac-8e17-8b68893bcd36')
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]163 @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
164 'Skipped because environment has an immutable user '
165 'source and solely provides read-only access to users.')
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]166 def test_inherit_assign_list_revoke_user_roles_on_domain(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]167 """Test assign/list/check/revoke inherited role on domain"""
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]168 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]169 src_role = self.setup_test_role()
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]170
171 # Create a project hierarchy
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]172 leaf_project = self.setup_test_project(domain_id=self.domain['id'],
173 parent_id=self.project['id'])
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]174
175 # Assign role on domain
176 self.inherited_roles_client.create_inherited_role_on_domains_user(
177 self.domain['id'], self.user['id'], src_role['id'])
178
179 # List "effective" role assignments from user on the parent project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]180 params = {'scope.project.id': self.project['id'],
181 'user.id': self.user['id']}
182 assignments = self.role_assignments.list_role_assignments(
183 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]184 self.assertNotEmpty(assignments)
185
186 # List "effective" role assignments from user on the leaf project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]187 params['scope.project.id'] = leaf_project['id']
188 assignments = self.role_assignments.list_role_assignments(
189 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]190 self.assertNotEmpty(assignments)
191
192 # Revoke role from domain
193 self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
194 self.domain['id'], self.user['id'], src_role['id'])
195
196 # List "effective" role assignments from user on the parent project
197 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]198 params['scope.project.id'] = self.project['id']
199 assignments = self.role_assignments.list_role_assignments(
200 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]201 self.assertEmpty(assignments)
202
203 # List "effective" role assignments from user on the leaf project
204 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]205 params['scope.project.id'] = leaf_project['id']
206 assignments = self.role_assignments.list_role_assignments(
207 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]208 self.assertEmpty(assignments)
209
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]210 @decorators.idempotent_id('9f02ccd9-9b57-46b4-8f77-dd5a736f3a06')
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]211 @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
212 'Skipped because environment has an immutable user '
213 'source and solely provides read-only access to users.')
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]214 def test_inherit_assign_list_revoke_user_roles_on_project_tree(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]215 """Test assign/list/check/revoke inherited role on project tree"""
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]216 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]217 src_role = self.setup_test_role()
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]218
219 # Create a project hierarchy
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]220 leaf_project = self.setup_test_project(domain_id=self.domain['id'],
221 parent_id=self.project['id'])
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]222
223 # Assign role on parent project
224 self.inherited_roles_client.create_inherited_role_on_projects_user(
225 self.project['id'], self.user['id'], src_role['id'])
226
227 # List "effective" role assignments from user on the leaf project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]228 params = {'scope.project.id': leaf_project['id'],
229 'user.id': self.user['id']}
230 assignments = self.role_assignments.list_role_assignments(
231 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]232 self.assertNotEmpty(assignments)
233
234 # Revoke role from parent project
235 self.inherited_roles_client.delete_inherited_role_from_user_on_project(
236 self.project['id'], self.user['id'], src_role['id'])
237
238 # List "effective" role assignments from user on the leaf project
239 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]240 assignments = self.role_assignments.list_role_assignments(
241 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]242 self.assertEmpty(assignments)