Maho Koshiya | 962e7d7 | 2015-11-27 20:31:17 +0900 | [diff] [blame] | 1 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 2 | # not use this file except in compliance with the License. You may obtain |
| 3 | # a copy of the License at |
| 4 | # |
| 5 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 6 | # |
| 7 | # Unless required by applicable law or agreed to in writing, software |
| 8 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 9 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 10 | # License for the specific language governing permissions and limitations |
| 11 | # under the License. |
| 12 | |
| 13 | from tempest.api.identity import base |
| 14 | from tempest.common.utils import data_utils |
| 15 | from tempest import config |
| 16 | from tempest import test |
| 17 | |
| 18 | CONF = config.CONF |
| 19 | |
| 20 | |
| 21 | class BaseInheritsV3Test(base.BaseIdentityV3AdminTest): |
| 22 | |
| 23 | @classmethod |
| 24 | def skip_checks(cls): |
| 25 | super(BaseInheritsV3Test, cls).skip_checks() |
| 26 | if not test.is_extension_enabled('OS-INHERIT', 'identity'): |
| 27 | raise cls.skipException("Inherits aren't enabled") |
| 28 | |
| 29 | @classmethod |
| 30 | def resource_setup(cls): |
| 31 | super(BaseInheritsV3Test, cls).resource_setup() |
| 32 | u_name = data_utils.rand_name('user-') |
| 33 | u_desc = '%s description' % u_name |
| 34 | u_email = '%s@testmail.tm' % u_name |
| 35 | u_password = data_utils.rand_name('pass-') |
| 36 | cls.domain = cls.domains_client.create_domain( |
| 37 | data_utils.rand_name('domain-'), |
| 38 | description=data_utils.rand_name('domain-desc-'))['domain'] |
| 39 | cls.project = cls.projects_client.create_project( |
| 40 | data_utils.rand_name('project-'), |
| 41 | description=data_utils.rand_name('project-desc-'), |
| 42 | domain_id=cls.domain['id'])['project'] |
| 43 | cls.group = cls.groups_client.create_group( |
| 44 | name=data_utils.rand_name('group-'), project_id=cls.project['id'], |
| 45 | domain_id=cls.domain['id'])['group'] |
| 46 | cls.user = cls.users_client.create_user( |
| 47 | u_name, description=u_desc, password=u_password, |
| 48 | email=u_email, project_id=cls.project['id'], |
| 49 | domain_id=cls.domain['id'])['user'] |
| 50 | |
| 51 | @classmethod |
| 52 | def resource_cleanup(cls): |
| 53 | cls.groups_client.delete_group(cls.group['id']) |
| 54 | cls.users_client.delete_user(cls.user['id']) |
| 55 | cls.projects_client.delete_project(cls.project['id']) |
| 56 | cls.domains_client.update_domain(cls.domain['id'], enabled=False) |
| 57 | cls.domains_client.delete_domain(cls.domain['id']) |
| 58 | super(BaseInheritsV3Test, cls).resource_cleanup() |
| 59 | |
| 60 | def _list_assertions(self, body, fetched_role_ids, role_id): |
| 61 | self.assertEqual(len(body), 1) |
| 62 | self.assertIn(role_id, fetched_role_ids) |
| 63 | |
| 64 | |
| 65 | class InheritsV3TestJSON(BaseInheritsV3Test): |
| 66 | |
| 67 | @test.idempotent_id('4e6f0366-97c8-423c-b2be-41eae6ac91c8') |
| 68 | def test_inherit_assign_list_check_revoke_roles_on_domains_user(self): |
| 69 | # Create role |
| 70 | src_role = self.roles_client.create_role( |
| 71 | name=data_utils.rand_name('Role'))['role'] |
| 72 | self.addCleanup(self.roles_client.delete_role, src_role['id']) |
| 73 | # Assign role on domains user |
| 74 | self.roles_client.assign_inherited_role_on_domains_user( |
| 75 | self.domain['id'], self.user['id'], src_role['id']) |
| 76 | # list role on domains user |
| 77 | roles = self.roles_client.\ |
| 78 | list_inherited_project_role_for_user_on_domain( |
| 79 | self.domain['id'], self.user['id'])['roles'] |
| 80 | |
| 81 | fetched_role_ids = [i['id'] for i in roles] |
| 82 | self._list_assertions(roles, fetched_role_ids, |
| 83 | src_role['id']) |
| 84 | |
| 85 | # Check role on domains user |
| 86 | self.roles_client.check_user_inherited_project_role_on_domain( |
| 87 | self.domain['id'], self.user['id'], src_role['id']) |
| 88 | # Revoke role from domains user. |
| 89 | self.roles_client.revoke_inherited_role_from_user_on_domain( |
| 90 | self.domain['id'], self.user['id'], src_role['id']) |
| 91 | |
| 92 | @test.idempotent_id('c7a8dda2-be50-4fb4-9a9c-e830771078b1') |
| 93 | def test_inherit_assign_list_check_revoke_roles_on_domains_group(self): |
| 94 | # Create role |
| 95 | src_role = self.roles_client.create_role( |
| 96 | name=data_utils.rand_name('Role'))['role'] |
| 97 | self.addCleanup(self.roles_client.delete_role, src_role['id']) |
| 98 | # Assign role on domains group |
| 99 | self.roles_client.assign_inherited_role_on_domains_group( |
| 100 | self.domain['id'], self.group['id'], src_role['id']) |
| 101 | # List role on domains group |
| 102 | roles = self.roles_client.\ |
| 103 | list_inherited_project_role_for_group_on_domain( |
| 104 | self.domain['id'], self.group['id'])['roles'] |
| 105 | |
| 106 | fetched_role_ids = [i['id'] for i in roles] |
| 107 | self._list_assertions(roles, fetched_role_ids, |
| 108 | src_role['id']) |
| 109 | |
| 110 | # Check role on domains group |
| 111 | self.roles_client.check_group_inherited_project_role_on_domain( |
| 112 | self.domain['id'], self.group['id'], src_role['id']) |
| 113 | # Revoke role from domains group |
| 114 | self.roles_client.revoke_inherited_role_from_group_on_domain( |
| 115 | self.domain['id'], self.group['id'], src_role['id']) |
| 116 | |
| 117 | @test.idempotent_id('18b70e45-7687-4b72-8277-b8f1a47d7591') |
| 118 | def test_inherit_assign_check_revoke_roles_on_projects_user(self): |
| 119 | # Create role |
| 120 | src_role = self.roles_client.create_role( |
| 121 | name=data_utils.rand_name('Role'))['role'] |
| 122 | self.addCleanup(self.roles_client.delete_role, src_role['id']) |
| 123 | # Assign role on projects user |
| 124 | self.roles_client.assign_inherited_role_on_projects_user( |
| 125 | self.project['id'], self.user['id'], src_role['id']) |
| 126 | # Check role on projects user |
| 127 | self.roles_client.check_user_has_flag_on_inherited_to_project( |
| 128 | self.project['id'], self.user['id'], src_role['id']) |
| 129 | # Revoke role from projects user |
| 130 | self.roles_client.revoke_inherited_role_from_user_on_project( |
| 131 | self.project['id'], self.user['id'], src_role['id']) |
| 132 | |
| 133 | @test.idempotent_id('26021436-d5a4-4256-943c-ded01e0d4b45') |
| 134 | def test_inherit_assign_check_revoke_roles_on_projects_group(self): |
| 135 | # Create role |
| 136 | src_role = self.roles_client.create_role( |
| 137 | name=data_utils.rand_name('Role'))['role'] |
| 138 | self.addCleanup(self.roles_client.delete_role, src_role['id']) |
| 139 | # Assign role on projects group |
| 140 | self.roles_client.assign_inherited_role_on_projects_group( |
| 141 | self.project['id'], self.group['id'], src_role['id']) |
| 142 | # Check role on projects group |
| 143 | self.roles_client.check_group_has_flag_on_inherited_to_project( |
| 144 | self.project['id'], self.group['id'], src_role['id']) |
| 145 | # Revoke role from projects group |
| 146 | self.roles_client.revoke_inherited_role_from_group_on_project( |
| 147 | self.project['id'], self.group['id'], src_role['id']) |