Source code for identity.admin.v3.test_inherits

#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
import testtools

from tempest.api.identity import base
from tempest.common import utils
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators

CONF = config.CONF


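class InheritsV3TestJSON(base.BaseIdentityV3AdminTest):
    """Test keystone inherits

    Covers the OS-INHERIT identity extension: roles assigned on a domain or
    on a parent project with the "inherited to projects" flag, and the
    effective role assignments they produce on the projects underneath.
    """

    # NOTE: force_tenant_isolation is true in the base class by default but
    # overridden to false here to allow test execution for clouds using the
    # pre-provisioned credentials provider.
    force_tenant_isolation = False

    @classmethod
    def skip_checks(cls):
        """Skip the class unless the OS-INHERIT identity extension is on."""
        super(InheritsV3TestJSON, cls).skip_checks()
        if not utils.is_extension_enabled('OS-INHERIT', 'identity'):
            raise cls.skipException("Inherits aren't enabled")

    @classmethod
    def resource_setup(cls):
        """Create the domain, project, group and user shared by the tests.

        The user is only created when the deployment allows writing to the
        user source; the tests that need ``cls.user`` are skipped otherwise.
        Every resource created here registers its own class-level cleanup.
        """
        super(InheritsV3TestJSON, cls).resource_setup()
        prefix = CONF.resource_name_prefix
        u_name = data_utils.rand_name(name='user-', prefix=prefix)
        u_desc = '%s description' % u_name
        u_email = '%s@testmail.tm' % u_name
        # Password is generated per run rather than hard-coded in the test.
        u_password = data_utils.rand_password()
        cls.domain = cls.create_domain()
        cls.project = cls.projects_client.create_project(
            data_utils.rand_name(name='project-', prefix=prefix),
            description=data_utils.rand_name('project-desc-', prefix=prefix),
            domain_id=cls.domain['id'])['project']
        cls.addClassResourceCleanup(cls.projects_client.delete_project,
                                    cls.project['id'])
        cls.group = cls.groups_client.create_group(
            name=data_utils.rand_name(name='group-', prefix=prefix),
            project_id=cls.project['id'],
            domain_id=cls.domain['id'])['group']
        cls.addClassResourceCleanup(cls.groups_client.delete_group,
                                    cls.group['id'])
        if not CONF.identity_feature_enabled.immutable_user_source:
            cls.user = cls.users_client.create_user(
                name=u_name,
                description=u_desc,
                password=u_password,
                email=u_email,
                project_id=cls.project['id'],
                domain_id=cls.domain['id']
            )['user']
            cls.addClassResourceCleanup(cls.users_client.delete_user,
                                        cls.user['id'])

    def _list_assertions(self, body, fetched_role_ids, role_id):
        """Assert that exactly one role is listed and that it is role_id.

        :param body: the list of roles returned by the list call
        :param fetched_role_ids: the ids extracted from ``body``
        :param role_id: the id of the role that was assigned
        """
        # Expected value first, so a failure reports "expected 1" rather
        # than presenting the observed length as the reference value.
        self.assertEqual(1, len(body))
        self.assertIn(role_id, fetched_role_ids)

    @decorators.idempotent_id('4e6f0366-97c8-423c-b2be-41eae6ac91c8')
    @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
                      'Skipped because environment has an immutable user '
                      'source and solely provides read-only access to users.')
    def test_inherit_assign_list_check_revoke_roles_on_domains_user(self):
        """Test assign/list/check/revoke inherited role on domain user"""
        # Create role
        src_role = self.setup_test_role()
        # Assign role on domains user
        self.inherited_roles_client.create_inherited_role_on_domains_user(
            self.domain['id'], self.user['id'], src_role['id'])
        # list role on domains user
        roles = self.inherited_roles_client.\
            list_inherited_project_role_for_user_on_domain(
                self.domain['id'], self.user['id'])['roles']

        fetched_role_ids = [i['id'] for i in roles]
        self._list_assertions(roles, fetched_role_ids, src_role['id'])

        # Check role on domains user
        (self.inherited_roles_client.
         check_user_inherited_project_role_on_domain(
             self.domain['id'], self.user['id'], src_role['id']))
        # Revoke role from domains user.
        self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
            self.domain['id'], self.user['id'], src_role['id'])
        # A revoke that returns success but leaves the grant in place would
        # otherwise go unnoticed: list again and require the role to be gone.
        roles = self.inherited_roles_client.\
            list_inherited_project_role_for_user_on_domain(
                self.domain['id'], self.user['id'])['roles']
        self.assertNotIn(src_role['id'], [i['id'] for i in roles])

    @decorators.idempotent_id('c7a8dda2-be50-4fb4-9a9c-e830771078b1')
    def test_inherit_assign_list_check_revoke_roles_on_domains_group(self):
        """Test assign/list/check/revoke inherited role on domain group"""
        # Create role
        src_role = self.setup_test_role()
        # Assign role on domains group
        self.inherited_roles_client.create_inherited_role_on_domains_group(
            self.domain['id'], self.group['id'], src_role['id'])
        # List role on domains group
        roles = self.inherited_roles_client.\
            list_inherited_project_role_for_group_on_domain(
                self.domain['id'], self.group['id'])['roles']

        fetched_role_ids = [i['id'] for i in roles]
        self._list_assertions(roles, fetched_role_ids, src_role['id'])

        # Check role on domains group
        (self.inherited_roles_client.
         check_group_inherited_project_role_on_domain(
             self.domain['id'], self.group['id'], src_role['id']))
        # Revoke role from domains group
        self.inherited_roles_client.delete_inherited_role_from_group_on_domain(
            self.domain['id'], self.group['id'], src_role['id'])
        # Verify the revocation took effect instead of trusting the delete
        # call's status alone.
        roles = self.inherited_roles_client.\
            list_inherited_project_role_for_group_on_domain(
                self.domain['id'], self.group['id'])['roles']
        self.assertNotIn(src_role['id'], [i['id'] for i in roles])

    @decorators.idempotent_id('18b70e45-7687-4b72-8277-b8f1a47d7591')
    @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
                      'Skipped because environment has an immutable user '
                      'source and solely provides read-only access to users.')
    def test_inherit_assign_check_revoke_roles_on_projects_user(self):
        """Test assign/check/revoke inherited role on project user"""
        # Create role
        src_role = self.setup_test_role()
        # Assign role on projects user
        self.inherited_roles_client.create_inherited_role_on_projects_user(
            self.project['id'], self.user['id'], src_role['id'])
        # Check role on projects user
        (self.inherited_roles_client.
         check_user_has_flag_on_inherited_to_project(
             self.project['id'], self.user['id'], src_role['id']))
        # Revoke role from projects user
        # NOTE(review): nothing after this call confirms the grant is gone;
        # the effect of a project-level revoke is only asserted in
        # test_inherit_assign_list_revoke_user_roles_on_project_tree.
        self.inherited_roles_client.delete_inherited_role_from_user_on_project(
            self.project['id'], self.user['id'], src_role['id'])

    @decorators.idempotent_id('26021436-d5a4-4256-943c-ded01e0d4b45')
    def test_inherit_assign_check_revoke_roles_on_projects_group(self):
        """Test assign/check/revoke inherited role on project group"""
        # Create role
        src_role = self.setup_test_role()
        # Assign role on projects group
        self.inherited_roles_client.create_inherited_role_on_projects_group(
            self.project['id'], self.group['id'], src_role['id'])
        # Check role on projects group
        (self.inherited_roles_client.
         check_group_has_flag_on_inherited_to_project(
             self.project['id'], self.group['id'], src_role['id']))
        # Revoke role from projects group
        # NOTE(review): the revoke is not followed by a negative check, and
        # no test in this class asserts the effect of revoking a
        # group's project-level inherited role.
        (self.inherited_roles_client.
         delete_inherited_role_from_group_on_project(
             self.project['id'], self.group['id'], src_role['id']))

    @decorators.idempotent_id('3acf666e-5354-42ac-8e17-8b68893bcd36')
    @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
                      'Skipped because environment has an immutable user '
                      'source and solely provides read-only access to users.')
    def test_inherit_assign_list_revoke_user_roles_on_domain(self):
        """Test assign/list/revoke inherited role on domain

        A role inherited from the domain must show up as an effective
        assignment on both the parent and the leaf project, and must
        disappear from both once it is revoked on the domain.
        """
        # Create role
        src_role = self.setup_test_role()

        # Create a project hierarchy
        leaf_project = self.setup_test_project(domain_id=self.domain['id'],
                                               parent_id=self.project['id'])

        # Assign role on domain
        self.inherited_roles_client.create_inherited_role_on_domains_user(
            self.domain['id'], self.user['id'], src_role['id'])

        # List "effective" role assignments from user on the parent project
        params = {'scope.project.id': self.project['id'],
                  'user.id': self.user['id']}
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertNotEmpty(assignments)

        # List "effective" role assignments from user on the leaf project
        params['scope.project.id'] = leaf_project['id']
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertNotEmpty(assignments)

        # Revoke role from domain
        self.inherited_roles_client.delete_inherited_role_from_user_on_domain(
            self.domain['id'], self.user['id'], src_role['id'])

        # List "effective" role assignments from user on the parent project
        # should return an empty list
        params['scope.project.id'] = self.project['id']
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertEmpty(assignments)

        # List "effective" role assignments from user on the leaf project
        # should return an empty list
        params['scope.project.id'] = leaf_project['id']
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertEmpty(assignments)

    @decorators.idempotent_id('9f02ccd9-9b57-46b4-8f77-dd5a736f3a06')
    @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
                      'Skipped because environment has an immutable user '
                      'source and solely provides read-only access to users.')
    def test_inherit_assign_list_revoke_user_roles_on_project_tree(self):
        """Test assign/list/revoke inherited role on project tree

        A role inherited from the parent project must be effective on the
        leaf project, and must no longer be effective there after it is
        revoked on the parent.
        """
        # Create role
        src_role = self.setup_test_role()

        # Create a project hierarchy
        leaf_project = self.setup_test_project(domain_id=self.domain['id'],
                                               parent_id=self.project['id'])

        # Assign role on parent project
        self.inherited_roles_client.create_inherited_role_on_projects_user(
            self.project['id'], self.user['id'], src_role['id'])

        # List "effective" role assignments from user on the leaf project
        params = {'scope.project.id': leaf_project['id'],
                  'user.id': self.user['id']}
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertNotEmpty(assignments)

        # Revoke role from parent project
        self.inherited_roles_client.delete_inherited_role_from_user_on_project(
            self.project['id'], self.user['id'], src_role['id'])

        # List "effective" role assignments from user on the leaf project
        # should return an empty list
        assignments = self.role_assignments.list_role_assignments(
            effective=True, **params)['role_assignments']
        self.assertEmpty(assignments)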