352 lines
13 KiB
Python
352 lines
13 KiB
Python
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||
|
# not use this file except in compliance with the License. You may obtain
|
||
|
# a copy of the License at
|
||
|
#
|
||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||
|
#
|
||
|
# Unless required by applicable law or agreed to in writing, software
|
||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||
|
# License for the specific language governing permissions and limitations
|
||
|
# under the License.
|
||
|
|
||
|
"""
|
||
|
test_identity
|
||
|
----------------------------------
|
||
|
|
||
|
Functional tests for `shade` identity methods.
|
||
|
"""
|
||
|
|
||
|
import random
|
||
|
import string
|
||
|
|
||
|
from openstack.cloud.exc import OpenStackCloudException
|
||
|
from openstack.tests.functional import base
|
||
|
|
||
|
|
||
|
class TestIdentity(base.KeystoneBaseFunctionalTest):
|
||
|
def setUp(self):
|
||
|
super(TestIdentity, self).setUp()
|
||
|
if not self.operator_cloud:
|
||
|
self.skipTest("Operator cloud is required for this test")
|
||
|
self.role_prefix = 'test_role' + ''.join(
|
||
|
random.choice(string.ascii_lowercase) for _ in range(5)
|
||
|
)
|
||
|
self.user_prefix = self.getUniqueString('user')
|
||
|
self.group_prefix = self.getUniqueString('group')
|
||
|
|
||
|
self.addCleanup(self._cleanup_users)
|
||
|
if self.identity_version not in ('2', '2.0'):
|
||
|
self.addCleanup(self._cleanup_groups)
|
||
|
self.addCleanup(self._cleanup_roles)
|
||
|
|
||
|
def _cleanup_groups(self):
|
||
|
exception_list = list()
|
||
|
for group in self.operator_cloud.list_groups():
|
||
|
if group['name'].startswith(self.group_prefix):
|
||
|
try:
|
||
|
self.operator_cloud.delete_group(group['id'])
|
||
|
except Exception as e:
|
||
|
exception_list.append(str(e))
|
||
|
continue
|
||
|
|
||
|
if exception_list:
|
||
|
# Raise an error: we must make users aware that something went
|
||
|
# wrong
|
||
|
raise OpenStackCloudException('\n'.join(exception_list))
|
||
|
|
||
|
def _cleanup_users(self):
|
||
|
exception_list = list()
|
||
|
for user in self.operator_cloud.list_users():
|
||
|
if user['name'].startswith(self.user_prefix):
|
||
|
try:
|
||
|
self.operator_cloud.delete_user(user['id'])
|
||
|
except Exception as e:
|
||
|
exception_list.append(str(e))
|
||
|
continue
|
||
|
|
||
|
if exception_list:
|
||
|
raise OpenStackCloudException('\n'.join(exception_list))
|
||
|
|
||
|
def _cleanup_roles(self):
|
||
|
exception_list = list()
|
||
|
for role in self.operator_cloud.list_roles():
|
||
|
if role['name'].startswith(self.role_prefix):
|
||
|
try:
|
||
|
self.operator_cloud.delete_role(role['name'])
|
||
|
except Exception as e:
|
||
|
exception_list.append(str(e))
|
||
|
continue
|
||
|
|
||
|
if exception_list:
|
||
|
raise OpenStackCloudException('\n'.join(exception_list))
|
||
|
|
||
|
def _create_user(self, **kwargs):
|
||
|
domain_id = None
|
||
|
if self.identity_version not in ('2', '2.0'):
|
||
|
domain = self.operator_cloud.get_domain('default')
|
||
|
domain_id = domain['id']
|
||
|
return self.operator_cloud.create_user(domain_id=domain_id, **kwargs)
|
||
|
|
||
|
def test_list_roles(self):
|
||
|
roles = self.operator_cloud.list_roles()
|
||
|
self.assertIsNotNone(roles)
|
||
|
self.assertNotEqual([], roles)
|
||
|
|
||
|
def test_get_role(self):
|
||
|
role = self.operator_cloud.get_role('admin')
|
||
|
self.assertIsNotNone(role)
|
||
|
self.assertIn('id', role)
|
||
|
self.assertIn('name', role)
|
||
|
self.assertEqual('admin', role['name'])
|
||
|
|
||
|
def test_search_roles(self):
|
||
|
roles = self.operator_cloud.search_roles(filters={'name': 'admin'})
|
||
|
self.assertIsNotNone(roles)
|
||
|
self.assertEqual(1, len(roles))
|
||
|
self.assertEqual('admin', roles[0]['name'])
|
||
|
|
||
|
def test_create_role(self):
|
||
|
role_name = self.role_prefix + '_create_role'
|
||
|
role = self.operator_cloud.create_role(role_name)
|
||
|
self.assertIsNotNone(role)
|
||
|
self.assertIn('id', role)
|
||
|
self.assertIn('name', role)
|
||
|
self.assertEqual(role_name, role['name'])
|
||
|
|
||
|
def test_delete_role(self):
|
||
|
role_name = self.role_prefix + '_delete_role'
|
||
|
role = self.operator_cloud.create_role(role_name)
|
||
|
self.assertIsNotNone(role)
|
||
|
self.assertTrue(self.operator_cloud.delete_role(role_name))
|
||
|
|
||
|
# TODO(Shrews): Once we can support assigning roles within shade, we
|
||
|
# need to make this test a little more specific, and add more for testing
|
||
|
# filtering functionality.
|
||
|
def test_list_role_assignments(self):
|
||
|
if self.identity_version in ('2', '2.0'):
|
||
|
self.skipTest("Identity service does not support role assignments")
|
||
|
assignments = self.operator_cloud.list_role_assignments()
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertGreater(len(assignments), 0)
|
||
|
|
||
|
def test_list_role_assignments_v2(self):
|
||
|
user = self.operator_cloud.get_user('demo')
|
||
|
project = self.operator_cloud.get_project('demo')
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
filters={'user': user['id'], 'project': project['id']}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertGreater(len(assignments), 0)
|
||
|
|
||
|
def test_grant_revoke_role_user_project(self):
|
||
|
user_name = self.user_prefix + '_user_project'
|
||
|
user_email = 'nobody@nowhere.com'
|
||
|
role_name = self.role_prefix + '_grant_user_project'
|
||
|
role = self.operator_cloud.create_role(role_name)
|
||
|
user = self._create_user(
|
||
|
name=user_name, email=user_email, default_project='demo'
|
||
|
)
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.grant_role(
|
||
|
role_name, user=user['id'], project='demo', wait=True
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{
|
||
|
'role': role['id'],
|
||
|
'user': user['id'],
|
||
|
'project': self.operator_cloud.get_project('demo')['id'],
|
||
|
}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(1, len(assignments))
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.revoke_role(
|
||
|
role_name, user=user['id'], project='demo', wait=True
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{
|
||
|
'role': role['id'],
|
||
|
'user': user['id'],
|
||
|
'project': self.operator_cloud.get_project('demo')['id'],
|
||
|
}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(0, len(assignments))
|
||
|
|
||
|
def test_grant_revoke_role_group_project(self):
|
||
|
if self.identity_version in ('2', '2.0'):
|
||
|
self.skipTest("Identity service does not support group")
|
||
|
role_name = self.role_prefix + '_grant_group_project'
|
||
|
role = self.operator_cloud.create_role(role_name)
|
||
|
group_name = self.group_prefix + '_group_project'
|
||
|
group = self.operator_cloud.create_group(
|
||
|
name=group_name, description='test group', domain='default'
|
||
|
)
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.grant_role(
|
||
|
role_name, group=group['id'], project='demo'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{
|
||
|
'role': role['id'],
|
||
|
'group': group['id'],
|
||
|
'project': self.operator_cloud.get_project('demo')['id'],
|
||
|
}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(1, len(assignments))
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.revoke_role(
|
||
|
role_name, group=group['id'], project='demo'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{
|
||
|
'role': role['id'],
|
||
|
'group': group['id'],
|
||
|
'project': self.operator_cloud.get_project('demo')['id'],
|
||
|
}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(0, len(assignments))
|
||
|
|
||
|
def test_grant_revoke_role_user_domain(self):
|
||
|
if self.identity_version in ('2', '2.0'):
|
||
|
self.skipTest("Identity service does not support domain")
|
||
|
role_name = self.role_prefix + '_grant_user_domain'
|
||
|
role = self.operator_cloud.create_role(role_name)
|
||
|
user_name = self.user_prefix + '_user_domain'
|
||
|
user_email = 'nobody@nowhere.com'
|
||
|
user = self._create_user(
|
||
|
name=user_name, email=user_email, default_project='demo'
|
||
|
)
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.grant_role(
|
||
|
role_name, user=user['id'], domain='default'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{
|
||
|
'role': role['id'],
|
||
|
'user': user['id'],
|
||
|
'domain': self.operator_cloud.get_domain('default')['id'],
|
||
|
}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(1, len(assignments))
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.revoke_role(
|
||
|
role_name, user=user['id'], domain='default'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{
|
||
|
'role': role['id'],
|
||
|
'user': user['id'],
|
||
|
'domain': self.operator_cloud.get_domain('default')['id'],
|
||
|
}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(0, len(assignments))
|
||
|
|
||
|
def test_grant_revoke_role_group_domain(self):
|
||
|
if self.identity_version in ('2', '2.0'):
|
||
|
self.skipTest("Identity service does not support domain or group")
|
||
|
role_name = self.role_prefix + '_grant_group_domain'
|
||
|
role = self.operator_cloud.create_role(role_name)
|
||
|
group_name = self.group_prefix + '_group_domain'
|
||
|
group = self.operator_cloud.create_group(
|
||
|
name=group_name, description='test group', domain='default'
|
||
|
)
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.grant_role(
|
||
|
role_name, group=group['id'], domain='default'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{
|
||
|
'role': role['id'],
|
||
|
'group': group['id'],
|
||
|
'domain': self.operator_cloud.get_domain('default')['id'],
|
||
|
}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(1, len(assignments))
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.revoke_role(
|
||
|
role_name, group=group['id'], domain='default'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{
|
||
|
'role': role['id'],
|
||
|
'group': group['id'],
|
||
|
'domain': self.operator_cloud.get_domain('default')['id'],
|
||
|
}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(0, len(assignments))
|
||
|
|
||
|
def test_grant_revoke_role_user_system(self):
|
||
|
role_name = self.role_prefix + '_grant_user_system'
|
||
|
role = self.operator_cloud.create_role(role_name)
|
||
|
user_name = self.user_prefix + '_user_system'
|
||
|
user_email = 'nobody@nowhere.com'
|
||
|
user = self._create_user(
|
||
|
name=user_name, email=user_email, default_project='demo'
|
||
|
)
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.grant_role(
|
||
|
role_name, user=user['id'], system='all'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{'role': role['id'], 'user': user['id'], 'system': 'all'}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(1, len(assignments))
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.revoke_role(
|
||
|
role_name, user=user['id'], system='all'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{'role': role['id'], 'user': user['id'], 'system': 'all'}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(0, len(assignments))
|
||
|
|
||
|
def test_grant_revoke_role_group_system(self):
|
||
|
if self.identity_version in ('2', '2.0'):
|
||
|
self.skipTest("Identity service does not support system or group")
|
||
|
role_name = self.role_prefix + '_grant_group_system'
|
||
|
role = self.operator_cloud.create_role(role_name)
|
||
|
group_name = self.group_prefix + '_group_system'
|
||
|
group = self.operator_cloud.create_group(
|
||
|
name=group_name, description='test group'
|
||
|
)
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.grant_role(
|
||
|
role_name, group=group['id'], system='all'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{'role': role['id'], 'group': group['id'], 'system': 'all'}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(1, len(assignments))
|
||
|
self.assertTrue(
|
||
|
self.operator_cloud.revoke_role(
|
||
|
role_name, group=group['id'], system='all'
|
||
|
)
|
||
|
)
|
||
|
assignments = self.operator_cloud.list_role_assignments(
|
||
|
{'role': role['id'], 'group': group['id'], 'system': 'all'}
|
||
|
)
|
||
|
self.assertIsInstance(assignments, list)
|
||
|
self.assertEqual(0, len(assignments))
|