# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
12
13from tempest.api.identity import base
14from tempest.common.utils import data_utils
Maho Koshiya962e7d72015-11-27 20:31:17 +090015from tempest import test
16
Maho Koshiya962e7d72015-11-27 20:31:17 +090017
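class BaseInheritsV3Test(base.BaseIdentityV3AdminTest):
    """Shared fixtures for the identity v3 inherited-role (OS-INHERIT) tests.

    ``resource_setup`` creates one domain, one project in that domain, and
    one group and one user; the tests grant inherited roles to that user or
    group on the domain or the project.
    """

    @classmethod
    def skip_checks(cls):
        """Skip the class when the OS-INHERIT identity extension is off."""
        super(BaseInheritsV3Test, cls).skip_checks()
        if not test.is_extension_enabled('OS-INHERIT', 'identity'):
            raise cls.skipException("Inherits aren't enabled")

    @classmethod
    def resource_setup(cls):
        """Create the domain, project, group and user shared by the tests."""
        super(BaseInheritsV3Test, cls).resource_setup()
        u_name = data_utils.rand_name('user-')
        u_desc = '%s description' % u_name
        u_email = '%s@testmail.tm' % u_name
        # NOTE(review): rand_name is the same helper used for resource
        # names, so this is presumably not a strong secret; that is only
        # acceptable because the account is deleted in resource_cleanup.
        u_password = data_utils.rand_name('pass-')
        cls.domain = cls.domains_client.create_domain(
            data_utils.rand_name('domain-'),
            description=data_utils.rand_name('domain-desc-'))['domain']
        cls.project = cls.projects_client.create_project(
            data_utils.rand_name('project-'),
            description=data_utils.rand_name('project-desc-'),
            domain_id=cls.domain['id'])['project']
        cls.group = cls.groups_client.create_group(
            name=data_utils.rand_name('group-'),
            project_id=cls.project['id'],
            domain_id=cls.domain['id'])['group']
        cls.user = cls.users_client.create_user(
            name=u_name, description=u_desc, password=u_password,
            email=u_email, project_id=cls.project['id'],
            domain_id=cls.domain['id'])['user']

    @classmethod
    def resource_cleanup(cls):
        """Delete the fixtures created by ``resource_setup``.

        Every step is attempted even when an earlier one fails, and the
        parent cleanup always runs, so a single failed delete does not leave
        the remaining test identities behind. The first failure, if any, is
        re-raised once all steps have been tried.
        """
        def delete_domain(domain_id):
            # Same two calls as before: disable the domain, then delete it.
            cls.domains_client.update_domain(domain_id, enabled=False)
            cls.domains_client.delete_domain(domain_id)

        first_error = None
        try:
            # Deletion order is unchanged: group, user, project, domain.
            steps = (
                ('group', cls.groups_client.delete_group),
                ('user', cls.users_client.delete_user),
                ('project', cls.projects_client.delete_project),
                ('domain', delete_domain),
            )
            for attr, delete in steps:
                resource = getattr(cls, attr, None)
                if resource is None:
                    # Nothing to delete, e.g. resource_setup stopped before
                    # this fixture was created.
                    continue
                try:
                    delete(resource['id'])
                except Exception as exc:
                    # Keep going so later fixtures are still removed.
                    if first_error is None:
                        first_error = exc
        finally:
            super(BaseInheritsV3Test, cls).resource_cleanup()
        if first_error is not None:
            raise first_error

    def _list_assertions(self, body, fetched_role_ids, role_id):
        """Assert ``body`` has exactly one entry and ``role_id`` is listed.

        :param body: list of roles returned by a list call
        :param fetched_role_ids: ids extracted from ``body``
        :param role_id: id of the role expected in the listing
        """
        # Expected value first, so a failure message reads the right way.
        self.assertEqual(1, len(body))
        self.assertIn(role_id, fetched_role_ids)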
60
61
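class InheritsV3TestJSON(BaseInheritsV3Test):
    """Grant, verify and revoke inherited roles on domains and projects."""

    @test.idempotent_id('4e6f0366-97c8-423c-b2be-41eae6ac91c8')
    def test_inherit_assign_list_check_revoke_roles_on_domains_user(self):
        """Assign, list, check and revoke an inherited role: user on domain.

        After the revoke the role is listed again and must be absent, so the
        test fails if revocation does not take effect.
        """
        client = self.inherited_roles_client
        # Create role
        src_role = self.roles_client.create_role(
            name=data_utils.rand_name('Role'))['role']
        self.addCleanup(self.roles_client.delete_role, src_role['id'])
        # Assign role on domains user
        client.create_inherited_role_on_domains_user(
            self.domain['id'], self.user['id'], src_role['id'])
        # List role on domains user
        roles = client.list_inherited_project_role_for_user_on_domain(
            self.domain['id'], self.user['id'])['roles']

        fetched_role_ids = [i['id'] for i in roles]
        self._list_assertions(roles, fetched_role_ids, src_role['id'])

        # Check role on domains user
        client.check_user_inherited_project_role_on_domain(
            self.domain['id'], self.user['id'], src_role['id'])
        # Revoke role from domains user
        client.delete_inherited_role_from_user_on_domain(
            self.domain['id'], self.user['id'], src_role['id'])
        # The revoked role must no longer be listed for the user
        remaining = client.list_inherited_project_role_for_user_on_domain(
            self.domain['id'], self.user['id'])['roles']
        self.assertNotIn(src_role['id'], [i['id'] for i in remaining])

    @test.idempotent_id('c7a8dda2-be50-4fb4-9a9c-e830771078b1')
    def test_inherit_assign_list_check_revoke_roles_on_domains_group(self):
        """Assign, list, check and revoke an inherited role: group on domain.

        After the revoke the role is listed again and must be absent, so the
        test fails if revocation does not take effect.
        """
        client = self.inherited_roles_client
        # Create role
        src_role = self.roles_client.create_role(
            name=data_utils.rand_name('Role'))['role']
        self.addCleanup(self.roles_client.delete_role, src_role['id'])
        # Assign role on domains group
        client.create_inherited_role_on_domains_group(
            self.domain['id'], self.group['id'], src_role['id'])
        # List role on domains group
        roles = client.list_inherited_project_role_for_group_on_domain(
            self.domain['id'], self.group['id'])['roles']

        fetched_role_ids = [i['id'] for i in roles]
        self._list_assertions(roles, fetched_role_ids, src_role['id'])

        # Check role on domains group
        client.check_group_inherited_project_role_on_domain(
            self.domain['id'], self.group['id'], src_role['id'])
        # Revoke role from domains group
        client.delete_inherited_role_from_group_on_domain(
            self.domain['id'], self.group['id'], src_role['id'])
        # The revoked role must no longer be listed for the group
        remaining = client.list_inherited_project_role_for_group_on_domain(
            self.domain['id'], self.group['id'])['roles']
        self.assertNotIn(src_role['id'], [i['id'] for i in remaining])

    @test.idempotent_id('18b70e45-7687-4b72-8277-b8f1a47d7591')
    def test_inherit_assign_check_revoke_roles_on_projects_user(self):
        """Assign, check and revoke an inherited role: user on project."""
        client = self.inherited_roles_client
        # Create role
        src_role = self.roles_client.create_role(
            name=data_utils.rand_name('Role'))['role']
        self.addCleanup(self.roles_client.delete_role, src_role['id'])
        # Assign role on projects user
        client.create_inherited_role_on_projects_user(
            self.project['id'], self.user['id'], src_role['id'])
        # Check role on projects user
        client.check_user_has_flag_on_inherited_to_project(
            self.project['id'], self.user['id'], src_role['id'])
        # Revoke role from projects user
        # NOTE(review): nothing after the revoke asserts that the grant is
        # gone; no list call for project-scoped inherited grants is visible
        # in this file, so none is added here.
        client.delete_inherited_role_from_user_on_project(
            self.project['id'], self.user['id'], src_role['id'])

    @test.idempotent_id('26021436-d5a4-4256-943c-ded01e0d4b45')
    def test_inherit_assign_check_revoke_roles_on_projects_group(self):
        """Assign, check and revoke an inherited role: group on project."""
        client = self.inherited_roles_client
        # Create role
        src_role = self.roles_client.create_role(
            name=data_utils.rand_name('Role'))['role']
        self.addCleanup(self.roles_client.delete_role, src_role['id'])
        # Assign role on projects group
        client.create_inherited_role_on_projects_group(
            self.project['id'], self.group['id'], src_role['id'])
        # Check role on projects group
        client.check_group_has_flag_on_inherited_to_project(
            self.project['id'], self.group['id'], src_role['id'])
        # Revoke role from projects group
        # NOTE(review): nothing after the revoke asserts that the grant is
        # gone; no list call for project-scoped inherited grants is visible
        # in this file, so none is added here.
        client.delete_inherited_role_from_group_on_project(
            self.project['id'], self.group['id'], src_role['id'])

    @test.idempotent_id('3acf666e-5354-42ac-8e17-8b68893bcd36')
    def test_inherit_assign_list_revoke_user_roles_on_domain(self):
        """Check a domain-inherited role reaches the project hierarchy.

        The role is granted as inherited on the domain; the user's effective
        assignments must be non-empty on both the parent and the leaf
        project, and empty on both once the grant is revoked.
        """
        # Create role
        src_role = self.roles_client.create_role(
            name=data_utils.rand_name('Role'))['role']
        self.addCleanup(self.roles_client.delete_role, src_role['id'])

        # Create a project hierarchy
        leaf_project_name = data_utils.rand_name('project')
        leaf_project = self.projects_client.create_project(
            leaf_project_name, domain_id=self.domain['id'],
            parent_id=self.project['id'])['project']
        self.addCleanup(
            self.projects_client.delete_project, leaf_project['id'])

        # Assign role on domain
        self.inherited_roles_client.create_inherited_role_on_domains_user(
            self.domain['id'], self.user['id'], src_role['id'])

        # List "effective" role assignments from user on the parent project
        params = {'scope.project.id': self.project['id'],
                  'user.id': self.user['id']}
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertNotEmpty(assignments)

        # List "effective" role assignments from user on the leaf project
        params['scope.project.id'] = leaf_project['id']
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertNotEmpty(assignments)

        # Revoke role from domain
        self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
            self.domain['id'], self.user['id'], src_role['id'])

        # List "effective" role assignments from user on the parent project
        # should return an empty list
        params['scope.project.id'] = self.project['id']
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertEmpty(assignments)

        # List "effective" role assignments from user on the leaf project
        # should return an empty list
        params['scope.project.id'] = leaf_project['id']
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertEmpty(assignments)

    @test.idempotent_id('9f02ccd9-9b57-46b4-8f77-dd5a736f3a06')
    def test_inherit_assign_list_revoke_user_roles_on_project_tree(self):
        """Check a project-inherited role reaches the leaf project.

        The role is granted as inherited on the parent project; the user's
        effective assignments on the leaf project must be non-empty while
        the grant exists and empty once it is revoked.
        """
        # Create role
        src_role = self.roles_client.create_role(
            name=data_utils.rand_name('Role'))['role']
        self.addCleanup(self.roles_client.delete_role, src_role['id'])

        # Create a project hierarchy
        leaf_project_name = data_utils.rand_name('project')
        leaf_project = self.projects_client.create_project(
            leaf_project_name, domain_id=self.domain['id'],
            parent_id=self.project['id'])['project']
        self.addCleanup(
            self.projects_client.delete_project, leaf_project['id'])

        # Assign role on parent project
        self.inherited_roles_client.create_inherited_role_on_projects_user(
            self.project['id'], self.user['id'], src_role['id'])

        # List "effective" role assignments from user on the leaf project
        params = {'scope.project.id': leaf_project['id'],
                  'user.id': self.user['id']}
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertNotEmpty(assignments)

        # Revoke role from parent project
        self.inherited_roles_client.delete_inherited_role_from_user_on_project(
            self.project['id'], self.user['id'], src_role['id'])

        # List "effective" role assignments from user on the leaf project
        # should return an empty list
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertEmpty(assignments)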