Gitiles
Code Review Sign In
spfactory.storpool.com / tempest / 2ff32b34b2dcefe187cd957f6c98815fc75bf896 / . / tempest / api / identity / admin / v3 / test_inherits.py
blob: cababc6bd3f8efa7bb63aa3bdfd6b1e0b1f2b0f2 [file] [log] [blame]
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]1# Licensed under the Apache License, Version 2.0 (the "License"); you may
2# not use this file except in compliance with the License. You may obtain
3# a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10# License for the specific language governing permissions and limitations
11# under the License.
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]12import testtools
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]13
14from tempest.api.identity import base
Andrea Frittolicd368412017-08-14 21:37:56 +0100[diff] [blame]15from tempest.common import utils
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]16from tempest import config
Ken'ichi Ohmichi7bd25752017-03-10 10:45:39 -0800[diff] [blame]17from tempest.lib.common.utils import data_utils
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]18from tempest.lib import decorators
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]19
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]20CONF = config.CONF
21
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]22
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]23class InheritsV3TestJSON(base.BaseIdentityV3AdminTest):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]24 """Test keystone inherits"""
25
Trevor McCaslandbd898412019-01-17 10:04:40 -0600[diff] [blame]26 # NOTE: force_tenant_isolation is true in the base class by default but
27 # overridden to false here to allow test execution for clouds using the
28 # pre-provisioned credentials provider.
29 force_tenant_isolation = False
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]30
31 @classmethod
32 def skip_checks(cls):
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]33 super(InheritsV3TestJSON, cls).skip_checks()
Andrea Frittolicd368412017-08-14 21:37:56 +0100[diff] [blame]34 if not utils.is_extension_enabled('OS-INHERIT', 'identity'):
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]35 raise cls.skipException("Inherits aren't enabled")
36
37 @classmethod
38 def resource_setup(cls):
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]39 super(InheritsV3TestJSON, cls).resource_setup()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]40 u_name = data_utils.rand_name('user-')
41 u_desc = '%s description' % u_name
42 u_email = '%s@testmail.tm' % u_name
zhufl00e47772019-02-22 11:18:46 +0800[diff] [blame]43 u_password = data_utils.rand_password()
zhufl2b33c1a2017-04-24 17:33:48 +0800[diff] [blame]44 cls.domain = cls.create_domain()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]45 cls.project = cls.projects_client.create_project(
46 data_utils.rand_name('project-'),
47 description=data_utils.rand_name('project-desc-'),
48 domain_id=cls.domain['id'])['project']
zhufl0ba73df2017-12-12 16:37:01 +0800[diff] [blame]49 cls.addClassResourceCleanup(cls.projects_client.delete_project,
50 cls.project['id'])
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]51 cls.group = cls.groups_client.create_group(
52 name=data_utils.rand_name('group-'), project_id=cls.project['id'],
53 domain_id=cls.domain['id'])['group']
zhufl0ba73df2017-12-12 16:37:01 +0800[diff] [blame]54 cls.addClassResourceCleanup(cls.groups_client.delete_group,
55 cls.group['id'])
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]56 if not CONF.identity_feature_enabled.immutable_user_source:
57 cls.user = cls.users_client.create_user(
58 name=u_name,
59 description=u_desc,
60 password=u_password,
61 email=u_email,
62 project_id=cls.project['id'],
63 domain_id=cls.domain['id']
64 )['user']
65 cls.addClassResourceCleanup(cls.users_client.delete_user,
66 cls.user['id'])
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]67
68 def _list_assertions(self, body, fetched_role_ids, role_id):
69 self.assertEqual(len(body), 1)
70 self.assertIn(role_id, fetched_role_ids)
71
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]72 @decorators.idempotent_id('4e6f0366-97c8-423c-b2be-41eae6ac91c8')
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]73 @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
74 'Skipped because environment has an immutable user '
75 'source and solely provides read-only access to users.')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]76 def test_inherit_assign_list_check_revoke_roles_on_domains_user(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]77 """Test assign/list/check/revoke inherited role on domain user"""
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]78 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]79 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]80 # Assign role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]81 self.inherited_roles_client.create_inherited_role_on_domains_user(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]82 self.domain['id'], self.user['id'], src_role['id'])
83 # list role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]84 roles = self.inherited_roles_client.\
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]85 list_inherited_project_role_for_user_on_domain(
86 self.domain['id'], self.user['id'])['roles']
87
88 fetched_role_ids = [i['id'] for i in roles]
89 self._list_assertions(roles, fetched_role_ids,
90 src_role['id'])
91
92 # Check role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]93 (self.inherited_roles_client.
94 check_user_inherited_project_role_on_domain(
95 self.domain['id'], self.user['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]96 # Revoke role from domains user.
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]97 self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]98 self.domain['id'], self.user['id'], src_role['id'])
99
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]100 @decorators.idempotent_id('c7a8dda2-be50-4fb4-9a9c-e830771078b1')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]101 def test_inherit_assign_list_check_revoke_roles_on_domains_group(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]102 """Test assign/list/check/revoke inherited role on domain group"""
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]103 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]104 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]105 # Assign role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]106 self.inherited_roles_client.create_inherited_role_on_domains_group(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]107 self.domain['id'], self.group['id'], src_role['id'])
108 # List role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]109 roles = self.inherited_roles_client.\
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]110 list_inherited_project_role_for_group_on_domain(
111 self.domain['id'], self.group['id'])['roles']
112
113 fetched_role_ids = [i['id'] for i in roles]
114 self._list_assertions(roles, fetched_role_ids,
115 src_role['id'])
116
117 # Check role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]118 (self.inherited_roles_client.
119 check_group_inherited_project_role_on_domain(
120 self.domain['id'], self.group['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]121 # Revoke role from domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]122 self.inherited_roles_client.delete_inherited_role_from_group_on_domain(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]123 self.domain['id'], self.group['id'], src_role['id'])
124
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]125 @decorators.idempotent_id('18b70e45-7687-4b72-8277-b8f1a47d7591')
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]126 @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
127 'Skipped because environment has an immutable user '
128 'source and solely provides read-only access to users.')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]129 def test_inherit_assign_check_revoke_roles_on_projects_user(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]130 """Test assign/list/check/revoke inherited role on project user"""
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]131 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]132 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]133 # Assign role on projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]134 self.inherited_roles_client.create_inherited_role_on_projects_user(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]135 self.project['id'], self.user['id'], src_role['id'])
136 # Check role on projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]137 (self.inherited_roles_client.
138 check_user_has_flag_on_inherited_to_project(
139 self.project['id'], self.user['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]140 # Revoke role from projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]141 self.inherited_roles_client.delete_inherited_role_from_user_on_project(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]142 self.project['id'], self.user['id'], src_role['id'])
143
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]144 @decorators.idempotent_id('26021436-d5a4-4256-943c-ded01e0d4b45')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]145 def test_inherit_assign_check_revoke_roles_on_projects_group(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]146 """Test assign/list/check/revoke inherited role on project group"""
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]147 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]148 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]149 # Assign role on projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]150 self.inherited_roles_client.create_inherited_role_on_projects_group(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]151 self.project['id'], self.group['id'], src_role['id'])
152 # Check role on projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]153 (self.inherited_roles_client.
154 check_group_has_flag_on_inherited_to_project(
155 self.project['id'], self.group['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]156 # Revoke role from projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]157 (self.inherited_roles_client.
158 delete_inherited_role_from_group_on_project(
159 self.project['id'], self.group['id'], src_role['id']))
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]160
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]161 @decorators.idempotent_id('3acf666e-5354-42ac-8e17-8b68893bcd36')
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]162 @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
163 'Skipped because environment has an immutable user '
164 'source and solely provides read-only access to users.')
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]165 def test_inherit_assign_list_revoke_user_roles_on_domain(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]166 """Test assign/list/check/revoke inherited role on domain"""
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]167 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]168 src_role = self.setup_test_role()
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]169
170 # Create a project hierarchy
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]171 leaf_project = self.setup_test_project(domain_id=self.domain['id'],
172 parent_id=self.project['id'])
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]173
174 # Assign role on domain
175 self.inherited_roles_client.create_inherited_role_on_domains_user(
176 self.domain['id'], self.user['id'], src_role['id'])
177
178 # List "effective" role assignments from user on the parent project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]179 params = {'scope.project.id': self.project['id'],
180 'user.id': self.user['id']}
181 assignments = self.role_assignments.list_role_assignments(
182 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]183 self.assertNotEmpty(assignments)
184
185 # List "effective" role assignments from user on the leaf project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]186 params['scope.project.id'] = leaf_project['id']
187 assignments = self.role_assignments.list_role_assignments(
188 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]189 self.assertNotEmpty(assignments)
190
191 # Revoke role from domain
192 self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
193 self.domain['id'], self.user['id'], src_role['id'])
194
195 # List "effective" role assignments from user on the parent project
196 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]197 params['scope.project.id'] = self.project['id']
198 assignments = self.role_assignments.list_role_assignments(
199 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]200 self.assertEmpty(assignments)
201
202 # List "effective" role assignments from user on the leaf project
203 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]204 params['scope.project.id'] = leaf_project['id']
205 assignments = self.role_assignments.list_role_assignments(
206 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]207 self.assertEmpty(assignments)
208
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]209 @decorators.idempotent_id('9f02ccd9-9b57-46b4-8f77-dd5a736f3a06')
Trevor McCaslandc3f07b42019-01-17 08:53:24 -0600[diff] [blame]210 @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
211 'Skipped because environment has an immutable user '
212 'source and solely provides read-only access to users.')
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]213 def test_inherit_assign_list_revoke_user_roles_on_project_tree(self):
zhufl23925882020-04-29 08:42:40 +0800[diff] [blame]214 """Test assign/list/check/revoke inherited role on project tree"""
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]215 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]216 src_role = self.setup_test_role()
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]217
218 # Create a project hierarchy
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]219 leaf_project = self.setup_test_project(domain_id=self.domain['id'],
220 parent_id=self.project['id'])
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]221
222 # Assign role on parent project
223 self.inherited_roles_client.create_inherited_role_on_projects_user(
224 self.project['id'], self.user['id'], src_role['id'])
225
226 # List "effective" role assignments from user on the leaf project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]227 params = {'scope.project.id': leaf_project['id'],
228 'user.id': self.user['id']}
229 assignments = self.role_assignments.list_role_assignments(
230 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]231 self.assertNotEmpty(assignments)
232
233 # Revoke role from parent project
234 self.inherited_roles_client.delete_inherited_role_from_user_on_project(
235 self.project['id'], self.user['id'], src_role['id'])
236
237 # List "effective" role assignments from user on the leaf project
238 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]239 assignments = self.role_assignments.list_role_assignments(
240 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]241 self.assertEmpty(assignments)