Gitiles
Code Review Sign In
spfactory.storpool.com / tempest / 720c1a7d6d7917da45dcf35f1034de7cafc14afb / . / tempest / api / identity / admin / v3 / test_inherits.py
blob: 68c022583a964eedc2f95d190fc7d8bda4fb70e0 [file] [log] [blame]
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]1# Licensed under the Apache License, Version 2.0 (the "License"); you may
2# not use this file except in compliance with the License. You may obtain
3# a copy of the License at
4#
5# http://www.apache.org/licenses/LICENSE-2.0
6#
7# Unless required by applicable law or agreed to in writing, software
8# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
9# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
10# License for the specific language governing permissions and limitations
11# under the License.
12
13from tempest.api.identity import base
Andrea Frittolicd368412017-08-14 21:37:56 +0100[diff] [blame]14from tempest.common import utils
Ken'ichi Ohmichi7bd25752017-03-10 10:45:39 -0800[diff] [blame]15from tempest.lib.common.utils import data_utils
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]16from tempest.lib import decorators
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]17
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]18
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]19class InheritsV3TestJSON(base.BaseIdentityV3AdminTest):
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]20
21 @classmethod
22 def skip_checks(cls):
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]23 super(InheritsV3TestJSON, cls).skip_checks()
Andrea Frittolicd368412017-08-14 21:37:56 +0100[diff] [blame]24 if not utils.is_extension_enabled('OS-INHERIT', 'identity'):
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]25 raise cls.skipException("Inherits aren't enabled")
26
27 @classmethod
28 def resource_setup(cls):
zhuflf6bae312017-08-14 13:37:53 +0800[diff] [blame]29 super(InheritsV3TestJSON, cls).resource_setup()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]30 u_name = data_utils.rand_name('user-')
31 u_desc = '%s description' % u_name
32 u_email = '%s@testmail.tm' % u_name
33 u_password = data_utils.rand_name('pass-')
zhufl2b33c1a2017-04-24 17:33:48 +0800[diff] [blame]34 cls.domain = cls.create_domain()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]35 cls.project = cls.projects_client.create_project(
36 data_utils.rand_name('project-'),
37 description=data_utils.rand_name('project-desc-'),
38 domain_id=cls.domain['id'])['project']
zhufl0ba73df2017-12-12 16:37:01 +0800[diff] [blame]39 cls.addClassResourceCleanup(cls.projects_client.delete_project,
40 cls.project['id'])
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]41 cls.group = cls.groups_client.create_group(
42 name=data_utils.rand_name('group-'), project_id=cls.project['id'],
43 domain_id=cls.domain['id'])['group']
zhufl0ba73df2017-12-12 16:37:01 +0800[diff] [blame]44 cls.addClassResourceCleanup(cls.groups_client.delete_group,
45 cls.group['id'])
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]46 cls.user = cls.users_client.create_user(
ghanshyam7f817db2016-08-01 18:37:13 +0900[diff] [blame]47 name=u_name, description=u_desc, password=u_password,
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]48 email=u_email, project_id=cls.project['id'],
49 domain_id=cls.domain['id'])['user']
zhufl0ba73df2017-12-12 16:37:01 +0800[diff] [blame]50 cls.addClassResourceCleanup(cls.users_client.delete_user,
51 cls.user['id'])
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]52
53 def _list_assertions(self, body, fetched_role_ids, role_id):
54 self.assertEqual(len(body), 1)
55 self.assertIn(role_id, fetched_role_ids)
56
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]57 @decorators.idempotent_id('4e6f0366-97c8-423c-b2be-41eae6ac91c8')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]58 def test_inherit_assign_list_check_revoke_roles_on_domains_user(self):
59 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]60 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]61 # Assign role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]62 self.inherited_roles_client.create_inherited_role_on_domains_user(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]63 self.domain['id'], self.user['id'], src_role['id'])
64 # list role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]65 roles = self.inherited_roles_client.\
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]66 list_inherited_project_role_for_user_on_domain(
67 self.domain['id'], self.user['id'])['roles']
68
69 fetched_role_ids = [i['id'] for i in roles]
70 self._list_assertions(roles, fetched_role_ids,
71 src_role['id'])
72
73 # Check role on domains user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]74 (self.inherited_roles_client.
75 check_user_inherited_project_role_on_domain(
76 self.domain['id'], self.user['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]77 # Revoke role from domains user.
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]78 self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]79 self.domain['id'], self.user['id'], src_role['id'])
80
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]81 @decorators.idempotent_id('c7a8dda2-be50-4fb4-9a9c-e830771078b1')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]82 def test_inherit_assign_list_check_revoke_roles_on_domains_group(self):
83 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]84 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]85 # Assign role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]86 self.inherited_roles_client.create_inherited_role_on_domains_group(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]87 self.domain['id'], self.group['id'], src_role['id'])
88 # List role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]89 roles = self.inherited_roles_client.\
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]90 list_inherited_project_role_for_group_on_domain(
91 self.domain['id'], self.group['id'])['roles']
92
93 fetched_role_ids = [i['id'] for i in roles]
94 self._list_assertions(roles, fetched_role_ids,
95 src_role['id'])
96
97 # Check role on domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]98 (self.inherited_roles_client.
99 check_group_inherited_project_role_on_domain(
100 self.domain['id'], self.group['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]101 # Revoke role from domains group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]102 self.inherited_roles_client.delete_inherited_role_from_group_on_domain(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]103 self.domain['id'], self.group['id'], src_role['id'])
104
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]105 @decorators.idempotent_id('18b70e45-7687-4b72-8277-b8f1a47d7591')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]106 def test_inherit_assign_check_revoke_roles_on_projects_user(self):
107 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]108 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]109 # Assign role on projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]110 self.inherited_roles_client.create_inherited_role_on_projects_user(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]111 self.project['id'], self.user['id'], src_role['id'])
112 # Check role on projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]113 (self.inherited_roles_client.
114 check_user_has_flag_on_inherited_to_project(
115 self.project['id'], self.user['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]116 # Revoke role from projects user
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]117 self.inherited_roles_client.delete_inherited_role_from_user_on_project(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]118 self.project['id'], self.user['id'], src_role['id'])
119
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]120 @decorators.idempotent_id('26021436-d5a4-4256-943c-ded01e0d4b45')
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]121 def test_inherit_assign_check_revoke_roles_on_projects_group(self):
122 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]123 src_role = self.setup_test_role()
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]124 # Assign role on projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]125 self.inherited_roles_client.create_inherited_role_on_projects_group(
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]126 self.project['id'], self.group['id'], src_role['id'])
127 # Check role on projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]128 (self.inherited_roles_client.
129 check_group_has_flag_on_inherited_to_project(
130 self.project['id'], self.group['id'], src_role['id']))
Maho Koshiya962e7d72015-11-27 20:31:17 +0900[diff] [blame]131 # Revoke role from projects group
ghanshyamad55eb82016-09-06 13:58:29 +0900[diff] [blame]132 (self.inherited_roles_client.
133 delete_inherited_role_from_group_on_project(
134 self.project['id'], self.group['id'], src_role['id']))
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]135
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]136 @decorators.idempotent_id('3acf666e-5354-42ac-8e17-8b68893bcd36')
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]137 def test_inherit_assign_list_revoke_user_roles_on_domain(self):
138 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]139 src_role = self.setup_test_role()
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]140
141 # Create a project hierarchy
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]142 leaf_project = self.setup_test_project(domain_id=self.domain['id'],
143 parent_id=self.project['id'])
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]144
145 # Assign role on domain
146 self.inherited_roles_client.create_inherited_role_on_domains_user(
147 self.domain['id'], self.user['id'], src_role['id'])
148
149 # List "effective" role assignments from user on the parent project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]150 params = {'scope.project.id': self.project['id'],
151 'user.id': self.user['id']}
152 assignments = self.role_assignments.list_role_assignments(
153 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]154 self.assertNotEmpty(assignments)
155
156 # List "effective" role assignments from user on the leaf project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]157 params['scope.project.id'] = leaf_project['id']
158 assignments = self.role_assignments.list_role_assignments(
159 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]160 self.assertNotEmpty(assignments)
161
162 # Revoke role from domain
163 self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
164 self.domain['id'], self.user['id'], src_role['id'])
165
166 # List "effective" role assignments from user on the parent project
167 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]168 params['scope.project.id'] = self.project['id']
169 assignments = self.role_assignments.list_role_assignments(
170 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]171 self.assertEmpty(assignments)
172
173 # List "effective" role assignments from user on the leaf project
174 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]175 params['scope.project.id'] = leaf_project['id']
176 assignments = self.role_assignments.list_role_assignments(
177 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]178 self.assertEmpty(assignments)
179
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]180 @decorators.idempotent_id('9f02ccd9-9b57-46b4-8f77-dd5a736f3a06')
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]181 def test_inherit_assign_list_revoke_user_roles_on_project_tree(self):
182 # Create role
zhufl66b616a2017-04-11 15:00:32 +0800[diff] [blame]183 src_role = self.setup_test_role()
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]184
185 # Create a project hierarchy
zhuflf2f47052017-04-20 15:08:02 +0800[diff] [blame]186 leaf_project = self.setup_test_project(domain_id=self.domain['id'],
187 parent_id=self.project['id'])
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]188
189 # Assign role on parent project
190 self.inherited_roles_client.create_inherited_role_on_projects_user(
191 self.project['id'], self.user['id'], src_role['id'])
192
193 # List "effective" role assignments from user on the leaf project
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]194 params = {'scope.project.id': leaf_project['id'],
195 'user.id': self.user['id']}
196 assignments = self.role_assignments.list_role_assignments(
197 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]198 self.assertNotEmpty(assignments)
199
200 # Revoke role from parent project
201 self.inherited_roles_client.delete_inherited_role_from_user_on_project(
202 self.project['id'], self.user['id'], src_role['id'])
203
204 # List "effective" role assignments from user on the leaf project
205 # should return an empty list
Rodrigo Duarte Sousabd128d12016-10-04 10:07:34 -0300[diff] [blame]206 assignments = self.role_assignments.list_role_assignments(
207 effective=True, **params)['role_assignments']
Rodrigo Duarte12f8d4a2016-07-08 11:53:53 -0300[diff] [blame]208 self.assertEmpty(assignments)