Gitiles
Code Review Sign In
spfactory.storpool.com / tempest / c29ac6cf0671db9d2446981773beb5500e84146e / . / tempest / api / identity / admin / v3 / test_roles.py
blob: ac56fc6220b92e966ddc12011778fb362412232f [file] [log] [blame]
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]1# Copyright 2013 OpenStack Foundation
2# All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License"); you may
5# not use this file except in compliance with the License. You may obtain
6# a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13# License for the specific language governing permissions and limitations
14# under the License.
15
16from tempest.api.identity import base
Rodrigo Duarte Sousa592148c2017-01-31 15:26:16 -0300[diff] [blame]17from tempest import config
Ken'ichi Ohmichi7bd25752017-03-10 10:45:39 -0800[diff] [blame]18from tempest.lib.common.utils import data_utils
Rodrigo Duarteca3b39d2017-01-26 18:10:31 -0300[diff] [blame]19from tempest.lib.common.utils import test_utils
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]20from tempest.lib import decorators
Rodrigo Duarteca3b39d2017-01-26 18:10:31 -0300[diff] [blame]21from tempest.lib import exceptions as lib_exc
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]22
Rodrigo Duarte Sousa592148c2017-01-31 15:26:16 -0300[diff] [blame]23CONF = config.CONF
24
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]25
Matthew Treinishdb2c5972014-01-31 22:18:59 +0000[diff] [blame]26class RolesV3TestJSON(base.BaseIdentityV3AdminTest):
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]27
28 @classmethod
Andrea Frittoli7688e742014-09-15 12:38:22 +0100[diff] [blame]29 def resource_setup(cls):
30 super(RolesV3TestJSON, cls).resource_setup()
Castulo J. Martinez19b81b22016-07-15 08:58:25 -0700[diff] [blame]31 cls.roles = list()
nayna-patelc905c182014-04-21 14:00:32 +0000[diff] [blame]32 for _ in range(3):
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]33 role_name = data_utils.rand_name(name='role')
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]34 role = cls.roles_client.create_role(name=role_name)['role']
Castulo J. Martinez19b81b22016-07-15 08:58:25 -0700[diff] [blame]35 cls.roles.append(role)
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]36 cls.fetched_role_ids = list()
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]37 u_name = data_utils.rand_name('user')
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]38 u_desc = '%s description' % u_name
39 u_email = '%s@testmail.tm' % u_name
Zack Feldsteind8c5f7a2015-12-14 10:44:07 -0600[diff] [blame]40 cls.u_password = data_utils.rand_password()
Daniel Mellado91a26b62016-02-11 11:13:04 +0000[diff] [blame]41 cls.domain = cls.domains_client.create_domain(
ghanshyam8af17d62016-08-01 16:19:42 +0900[diff] [blame]42 name=data_utils.rand_name('domain'),
John Warren56317e02015-08-12 20:48:32 +0000[diff] [blame]43 description=data_utils.rand_name('domain-desc'))['domain']
Yaroslav Lobankov47a93ab2016-02-07 16:32:49 -0600[diff] [blame]44 cls.project = cls.projects_client.create_project(
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]45 data_utils.rand_name('project'),
46 description=data_utils.rand_name('project-desc'),
John Warren56317e02015-08-12 20:48:32 +0000[diff] [blame]47 domain_id=cls.domain['id'])['project']
Yaroslav Lobankov997a1452015-11-19 17:11:37 +0300[diff] [blame]48 cls.group_body = cls.groups_client.create_group(
Yaroslav Lobankov45025c02015-11-19 17:55:15 +0300[diff] [blame]49 name=data_utils.rand_name('Group'), project_id=cls.project['id'],
John Warren56317e02015-08-12 20:48:32 +0000[diff] [blame]50 domain_id=cls.domain['id'])['group']
Daniel Mellado7aea5342016-02-09 09:10:12 +0000[diff] [blame]51 cls.user_body = cls.users_client.create_user(
ghanshyam7f817db2016-08-01 18:37:13 +0900[diff] [blame]52 name=u_name, description=u_desc, password=cls.u_password,
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]53 email=u_email, project_id=cls.project['id'],
John Warren56317e02015-08-12 20:48:32 +0000[diff] [blame]54 domain_id=cls.domain['id'])['user']
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]55 cls.role = cls.roles_client.create_role(
piyush110786afaaf262015-12-11 18:54:05 +0530[diff] [blame]56 name=data_utils.rand_name('Role'))['role']
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]57
58 @classmethod
Andrea Frittoli7688e742014-09-15 12:38:22 +0100[diff] [blame]59 def resource_cleanup(cls):
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]60 cls.roles_client.delete_role(cls.role['id'])
Yaroslav Lobankov997a1452015-11-19 17:11:37 +0300[diff] [blame]61 cls.groups_client.delete_group(cls.group_body['id'])
Daniel Mellado7aea5342016-02-09 09:10:12 +0000[diff] [blame]62 cls.users_client.delete_user(cls.user_body['id'])
Yaroslav Lobankov47a93ab2016-02-07 16:32:49 -0600[diff] [blame]63 cls.projects_client.delete_project(cls.project['id'])
Chang Bo Guof099f802013-09-13 19:01:46 -0700[diff] [blame]64 # NOTE(harika-vakadi): It is necessary to disable the domain
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]65 # before deleting,or else it would result in unauthorized error
Daniel Mellado91a26b62016-02-11 11:13:04 +0000[diff] [blame]66 cls.domains_client.update_domain(cls.domain['id'], enabled=False)
67 cls.domains_client.delete_domain(cls.domain['id'])
Castulo J. Martinez19b81b22016-07-15 08:58:25 -0700[diff] [blame]68 for role in cls.roles:
69 cls.roles_client.delete_role(role['id'])
Andrea Frittoli7688e742014-09-15 12:38:22 +0100[diff] [blame]70 super(RolesV3TestJSON, cls).resource_cleanup()
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]71
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]72 def _list_assertions(self, body, fetched_role_ids, role_id):
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]73 self.assertEqual(len(body), 1)
74 self.assertIn(role_id, fetched_role_ids)
75
Jordan Pittier3b46d272017-04-12 16:17:28 +0200[diff] [blame]76 @decorators.attr(type='smoke')
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]77 @decorators.idempotent_id('18afc6c0-46cf-4911-824e-9989cc056c3a')
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]78 def test_role_create_update_show_list(self):
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]79 r_name = data_utils.rand_name('Role')
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]80 role = self.roles_client.create_role(name=r_name)['role']
81 self.addCleanup(self.roles_client.delete_role, role['id'])
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]82 self.assertIn('name', role)
83 self.assertEqual(role['name'], r_name)
84
Ken'ichi Ohmichi96508472015-03-23 01:43:42 +0000[diff] [blame]85 new_name = data_utils.rand_name('NewRole')
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]86 updated_role = self.roles_client.update_role(role['id'],
87 name=new_name)['role']
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]88 self.assertIn('name', updated_role)
89 self.assertIn('id', updated_role)
90 self.assertIn('links', updated_role)
91 self.assertNotEqual(r_name, updated_role['name'])
92
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]93 new_role = self.roles_client.show_role(role['id'])['role']
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]94 self.assertEqual(new_name, new_role['name'])
95 self.assertEqual(updated_role['id'], new_role['id'])
96
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]97 roles = self.roles_client.list_roles()['roles']
wanglianmina3e84ea2014-03-26 17:30:33 +0800[diff] [blame]98 self.assertIn(role['id'], [r['id'] for r in roles])
99
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]100 @decorators.idempotent_id('c6b80012-fe4a-498b-9ce8-eb391c05169f')
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]101 def test_grant_list_revoke_role_to_user_on_project(self):
ghanshyam2e6fb562016-09-06 11:14:31 +0900[diff] [blame]102 self.roles_client.create_user_role_on_project(self.project['id'],
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]103 self.user_body['id'],
104 self.role['id'])
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]105
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]106 roles = self.roles_client.list_user_roles_on_project(
John Warren56317e02015-08-12 20:48:32 +0000[diff] [blame]107 self.project['id'], self.user_body['id'])['roles']
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]108
109 for i in roles:
110 self.fetched_role_ids.append(i['id'])
111
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]112 self._list_assertions(roles, self.fetched_role_ids,
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]113 self.role['id'])
114
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]115 self.roles_client.check_user_role_existence_on_project(
Maho Koshiyab6fa2e42015-12-07 16:52:53 +0900[diff] [blame]116 self.project['id'], self.user_body['id'], self.role['id'])
117
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]118 self.roles_client.delete_role_from_user_on_project(
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]119 self.project['id'], self.user_body['id'], self.role['id'])
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]120
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]121 @decorators.idempotent_id('6c9a2940-3625-43a3-ac02-5dcec62ef3bd')
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]122 def test_grant_list_revoke_role_to_user_on_domain(self):
ghanshyam2e6fb562016-09-06 11:14:31 +0900[diff] [blame]123 self.roles_client.create_user_role_on_domain(
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]124 self.domain['id'], self.user_body['id'], self.role['id'])
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]125
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]126 roles = self.roles_client.list_user_roles_on_domain(
John Warren56317e02015-08-12 20:48:32 +0000[diff] [blame]127 self.domain['id'], self.user_body['id'])['roles']
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]128
129 for i in roles:
130 self.fetched_role_ids.append(i['id'])
131
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]132 self._list_assertions(roles, self.fetched_role_ids,
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]133 self.role['id'])
134
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]135 self.roles_client.check_user_role_existence_on_domain(
Maho Koshiyab6fa2e42015-12-07 16:52:53 +0900[diff] [blame]136 self.domain['id'], self.user_body['id'], self.role['id'])
137
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]138 self.roles_client.delete_role_from_user_on_domain(
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]139 self.domain['id'], self.user_body['id'], self.role['id'])
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]140
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]141 @decorators.idempotent_id('cbf11737-1904-4690-9613-97bcbb3df1c4')
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]142 def test_grant_list_revoke_role_to_group_on_project(self):
wanglianmind599cc52014-03-17 17:03:56 +0800[diff] [blame]143 # Grant role to group on project
ghanshyam2e6fb562016-09-06 11:14:31 +0900[diff] [blame]144 self.roles_client.create_group_role_on_project(
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]145 self.project['id'], self.group_body['id'], self.role['id'])
wanglianmind599cc52014-03-17 17:03:56 +0800[diff] [blame]146 # List group roles on project
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]147 roles = self.roles_client.list_group_roles_on_project(
John Warren56317e02015-08-12 20:48:32 +0000[diff] [blame]148 self.project['id'], self.group_body['id'])['roles']
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]149
150 for i in roles:
151 self.fetched_role_ids.append(i['id'])
152
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]153 self._list_assertions(roles, self.fetched_role_ids,
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]154 self.role['id'])
wanglianmind599cc52014-03-17 17:03:56 +0800[diff] [blame]155 # Add user to group, and insure user has role on project
Yaroslav Lobankov997a1452015-11-19 17:11:37 +0300[diff] [blame]156 self.groups_client.add_group_user(self.group_body['id'],
157 self.user_body['id'])
158 self.addCleanup(self.groups_client.delete_group_user,
wanglianmind599cc52014-03-17 17:03:56 +0800[diff] [blame]159 self.group_body['id'], self.user_body['id'])
Jamie Lennox97504612015-02-26 16:47:06 +1100[diff] [blame]160 body = self.token.auth(user_id=self.user_body['id'],
Jamie Lennoxe5a95d42015-02-11 07:19:57 +0000[diff] [blame]161 password=self.u_password,
Jamie Lennox97504612015-02-26 16:47:06 +1100[diff] [blame]162 user_domain_name=self.domain['name'],
163 project_name=self.project['name'],
164 project_domain_name=self.domain['name'])
wanglianmind599cc52014-03-17 17:03:56 +0800[diff] [blame]165 roles = body['token']['roles']
wanglianmind599cc52014-03-17 17:03:56 +0800[diff] [blame]166 self.assertEqual(len(roles), 1)
167 self.assertEqual(roles[0]['id'], self.role['id'])
Maho Koshiyab6fa2e42015-12-07 16:52:53 +0900[diff] [blame]168
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]169 self.roles_client.check_role_from_group_on_project_existence(
Maho Koshiyab6fa2e42015-12-07 16:52:53 +0900[diff] [blame]170 self.project['id'], self.group_body['id'], self.role['id'])
171
wanglianmind599cc52014-03-17 17:03:56 +0800[diff] [blame]172 # Revoke role to group on project
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]173 self.roles_client.delete_role_from_group_on_project(
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]174 self.project['id'], self.group_body['id'], self.role['id'])
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]175
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]176 @decorators.idempotent_id('4bf8a70b-e785-413a-ad53-9f91ce02faa7')
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]177 def test_grant_list_revoke_role_to_group_on_domain(self):
ghanshyam2e6fb562016-09-06 11:14:31 +0900[diff] [blame]178 self.roles_client.create_group_role_on_domain(
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]179 self.domain['id'], self.group_body['id'], self.role['id'])
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]180
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]181 roles = self.roles_client.list_group_roles_on_domain(
John Warren56317e02015-08-12 20:48:32 +0000[diff] [blame]182 self.domain['id'], self.group_body['id'])['roles']
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]183
184 for i in roles:
185 self.fetched_role_ids.append(i['id'])
186
David Kranze9d2f422014-07-02 13:57:41 -0400[diff] [blame]187 self._list_assertions(roles, self.fetched_role_ids,
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]188 self.role['id'])
189
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]190 self.roles_client.check_role_from_group_on_domain_existence(
Maho Koshiyab6fa2e42015-12-07 16:52:53 +0900[diff] [blame]191 self.domain['id'], self.group_body['id'], self.role['id'])
192
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]193 self.roles_client.delete_role_from_group_on_domain(
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]194 self.domain['id'], self.group_body['id'], self.role['id'])
nayna-patel755d8142013-07-16 06:45:34 +0000[diff] [blame]195
Ken'ichi Ohmichieeabdd22017-01-27 17:46:00 -0800[diff] [blame]196 @decorators.idempotent_id('f5654bcc-08c4-4f71-88fe-05d64e06de94')
nayna-patelc905c182014-04-21 14:00:32 +0000[diff] [blame]197 def test_list_roles(self):
198 # Return a list of all roles
Arx Cruz24bcb882016-02-10 15:20:16 +0100[diff] [blame]199 body = self.roles_client.list_roles()['roles']
Castulo J. Martinez19b81b22016-07-15 08:58:25 -0700[diff] [blame]200 found = [role for role in body if role in self.roles]
201 self.assertEqual(len(found), len(self.roles))
Rodrigo Duarteca3b39d2017-01-26 18:10:31 -0300[diff] [blame]202
203 def _create_implied_role(self, prior_role_id, implies_role_id,
204 ignore_not_found=False):
205 self.roles_client.create_role_inference_rule(
206 prior_role_id, implies_role_id)
207 if ignore_not_found:
208 self.addCleanup(
209 test_utils.call_and_ignore_notfound_exc,
210 self.roles_client.delete_role_inference_rule,
211 prior_role_id,
212 implies_role_id)
213 else:
214 self.addCleanup(
215 self.roles_client.delete_role_inference_rule,
216 prior_role_id,
217 implies_role_id)
218
219 @decorators.idempotent_id('c90c316c-d706-4728-bcba-eb1912081b69')
220 def test_implied_roles_create_delete(self):
221 prior_role_id = self.roles[0]['id']
222 implies_role_id = self.roles[1]['id']
223
224 # Create an inference rule from prior_role to implies_role
225 self._create_implied_role(prior_role_id, implies_role_id,
226 ignore_not_found=True)
227
228 # Check if the inference rule exists
229 self.roles_client.show_role_inference_rule(
230 prior_role_id, implies_role_id)
231
232 # Delete the inference rule
233 self.roles_client.delete_role_inference_rule(
234 prior_role_id, implies_role_id)
235 # Check if the inference rule no longer exists
236 self.assertRaises(
237 lib_exc.NotFound,
238 self.roles_client.show_role_inference_rule,
239 prior_role_id,
240 implies_role_id)
241
242 @decorators.idempotent_id('dc6f5959-b74d-4e30-a9e5-a8255494ff00')
243 def test_roles_hierarchy(self):
244 # Create inference rule from "roles[0]" to "role[1]"
245 self._create_implied_role(
246 self.roles[0]['id'], self.roles[1]['id'])
247
248 # Create inference rule from "roles[0]" to "role[2]"
249 self._create_implied_role(
250 self.roles[0]['id'], self.roles[2]['id'])
251
252 # Create inference rule from "roles[2]" to "role"
253 self._create_implied_role(
254 self.roles[2]['id'], self.role['id'])
255
256 # Listing inferences rules from "roles[2]" should only return "role"
257 rules = self.roles_client.list_role_inferences_rules(
258 self.roles[2]['id'])['role_inference']
259 self.assertEqual(1, len(rules['implies']))
260 self.assertEqual(self.role['id'], rules['implies'][0]['id'])
261
262 # Listing inferences rules from "roles[0]" should return "roles[1]" and
263 # "roles[2]" (only direct rules are listed)
264 rules = self.roles_client.list_role_inferences_rules(
265 self.roles[0]['id'])['role_inference']
266 implies_ids = [role['id'] for role in rules['implies']]
267 self.assertEqual(2, len(implies_ids))
268 self.assertIn(self.roles[1]['id'], implies_ids)
269 self.assertIn(self.roles[2]['id'], implies_ids)
270
271 @decorators.idempotent_id('c8828027-df48-4021-95df-b65b92c7429e')
272 def test_assignments_for_implied_roles_create_delete(self):
273 # Create a grant using "roles[0]"
274 self.roles_client.create_user_role_on_project(
275 self.project['id'], self.user_body['id'], self.roles[0]['id'])
276 self.addCleanup(
277 self.roles_client.delete_role_from_user_on_project,
278 self.project['id'], self.user_body['id'], self.roles[0]['id'])
279
280 # Create an inference rule from "roles[0]" to "roles[1]"
281 self._create_implied_role(self.roles[0]['id'], self.roles[1]['id'],
282 ignore_not_found=True)
283
284 # In the effective list of role assignments, both prior role and
285 # implied role should be present. This means that a user can
286 # authenticate using both roles (both roles will be present
287 # in the token).
288 params = {'scope.project.id': self.project['id'],
289 'user.id': self.user_body['id']}
290 role_assignments = self.role_assignments.list_role_assignments(
291 effective=True, **params)['role_assignments']
292 self.assertEqual(2, len(role_assignments))
293
294 roles_ids = [assignment['role']['id']
295 for assignment in role_assignments]
296 self.assertIn(self.roles[0]['id'], roles_ids)
297 self.assertIn(self.roles[1]['id'], roles_ids)
298
299 # After deleting the implied role, only the assignment with "roles[0]"
300 # should be present.
301 self.roles_client.delete_role_inference_rule(
302 self.roles[0]['id'], self.roles[1]['id'])
303
304 role_assignments = self.role_assignments.list_role_assignments(
305 effective=True, **params)['role_assignments']
306 self.assertEqual(1, len(role_assignments))
307
308 roles_ids = [assignment['role']['id']
309 for assignment in role_assignments]
310 self.assertIn(self.roles[0]['id'], roles_ids)
Rodrigo Duarte34a65122017-01-27 11:28:26 -0300[diff] [blame]311
312 @decorators.idempotent_id('d92a41d2-5501-497a-84bb-6e294330e8f8')
313 def test_domain_roles_create_delete(self):
314 domain_role = self.roles_client.create_role(
315 name=data_utils.rand_name('domain_role'),
316 domain_id=self.domain['id'])['role']
317 self.addCleanup(
318 test_utils.call_and_ignore_notfound_exc,
319 self.roles_client.delete_role,
320 domain_role['id'])
321
322 domain_roles = self.roles_client.list_roles(
323 domain_id=self.domain['id'])['roles']
324 self.assertEqual(1, len(domain_roles))
325 self.assertIn(domain_role, domain_roles)
326
327 self.roles_client.delete_role(domain_role['id'])
328 domain_roles = self.roles_client.list_roles(
329 domain_id=self.domain['id'])['roles']
330 self.assertEmpty(domain_roles)
331
332 @decorators.idempotent_id('eb1e1c24-1bc4-4d47-9748-e127a1852c82')
333 def test_implied_domain_roles(self):
334 # Create two roles in the same domain
335 domain_role1 = self.setup_test_role(domain_id=self.domain['id'])
336 domain_role2 = self.setup_test_role(domain_id=self.domain['id'])
337
338 # Check if we can create an inference rule from roles in the same
339 # domain
340 self._create_implied_role(domain_role1['id'], domain_role2['id'])
341
342 # Create another role in a different domain
343 domain2 = self.setup_test_domain()
344 domain_role3 = self.setup_test_role(domain_id=domain2['id'])
345
346 # Check if we can create cross domain implied roles
347 self._create_implied_role(domain_role1['id'], domain_role3['id'])
348
349 # Finally, we also should be able to create an implied from a
350 # domain role to a global one
351 self._create_implied_role(domain_role1['id'], self.role['id'])
352
Rodrigo Duarte Sousa592148c2017-01-31 15:26:16 -0300[diff] [blame]353 if CONF.identity_feature_enabled.forbid_global_implied_dsr:
354 # The contrary is not true: we can't create an inference rule
355 # from a global role to a domain role
356 self.assertRaises(
357 lib_exc.Forbidden,
358 self.roles_client.create_role_inference_rule,
359 self.role['id'],
360 domain_role1['id'])
361
Rodrigo Duarte34a65122017-01-27 11:28:26 -0300[diff] [blame]362 @decorators.idempotent_id('3859df7e-5b78-4e4d-b10e-214c8953842a')
363 def test_assignments_for_domain_roles(self):
364 domain_role = self.setup_test_role(domain_id=self.domain['id'])
365
366 # Create a grant using "domain_role"
367 self.roles_client.create_user_role_on_project(
368 self.project['id'], self.user_body['id'], domain_role['id'])
369 self.addCleanup(
370 self.roles_client.delete_role_from_user_on_project,
371 self.project['id'], self.user_body['id'], domain_role['id'])
372
373 # NOTE(rodrigods): Regular roles would appear in the effective
374 # list of role assignments (meaning the role would be returned in
375 # a token) as a result from the grant above. This is not the case
376 # for domain roles, they should not appear in the effective role
377 # assignments list.
378 params = {'scope.project.id': self.project['id'],
379 'user.id': self.user_body['id']}
380 role_assignments = self.role_assignments.list_role_assignments(
381 effective=True, **params)['role_assignments']
382 self.assertEmpty(role_assignments)
Felipe Monteirofe96c262017-03-31 05:25:26 +0100[diff] [blame]383
384 @decorators.idempotent_id('3748c316-c18f-4b08-997b-c60567bc6235')
385 def test_list_all_implied_roles(self):
386 # Create inference rule from "roles[0]" to "roles[1]"
387 self._create_implied_role(
388 self.roles[0]['id'], self.roles[1]['id'])
389
390 # Create inference rule from "roles[0]" to "roles[2]"
391 self._create_implied_role(
392 self.roles[0]['id'], self.roles[2]['id'])
393
394 # Create inference rule from "roles[2]" to "role"
395 self._create_implied_role(
396 self.roles[2]['id'], self.role['id'])
397
398 rules = self.roles_client.list_all_role_inference_rules()[
399 'role_inferences']
400 # Sort the rules by the number of inferences, since there should be 1
401 # inference between "roles[2]" and "role" and 2 inferences for
402 # "roles[0]": between "roles[1]" and "roles[2]".
403 sorted_rules = sorted(rules, key=lambda r: len(r['implies']))
404
405 # Check that 2 sets of rules are returned.
406 self.assertEqual(2, len(sorted_rules))
407 # Check that only 1 inference rule exists between "roles[2]" and "role"
408 self.assertEqual(1, len(sorted_rules[0]['implies']))
409 # Check that 2 inference rules exist for "roles[0]": one between
410 # "roles[1]" and one between "roles[2]".
411 self.assertEqual(2, len(sorted_rules[1]['implies']))
412
413 # Check that "roles[2]" is the "prior_role" and that "role" is the
414 # "implies" role.
415 self.assertEqual(self.roles[2]['id'],
416 sorted_rules[0]['prior_role']['id'])
417 self.assertEqual(self.role['id'],
418 sorted_rules[0]['implies'][0]['id'])
419
420 # Check that "roles[0]" is the "prior_role" and that "roles[1]" and
421 # "roles[2]" are the "implies" roles.
422 self.assertEqual(self.roles[0]['id'],
423 sorted_rules[1]['prior_role']['id'])
424
425 implies_ids = [r['id'] for r in sorted_rules[1]['implies']]
426 self.assertIn(self.roles[1]['id'], implies_ids)
427 self.assertIn(self.roles[2]['id'], implies_ids)