How to use check_user_role_existence_on_domain method in tempest

Best Python code snippet using tempest_python

test_grant.py

Source:test_grant.py Github


1# Copyright 2020 SUSE LLC2#3# Licensed under the Apache License, Version 2.0 (the "License"); you may4# not use this file except in compliance with the License. You may obtain5# a copy of the License at6#7# http://www.apache.org/licenses/LICENSE-2.08#9# Unless required by applicable law or agreed to in writing, software10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the12# License for the specific language governing permissions and limitations13# under the License.14import abc15from tempest.api.identity import base16from tempest.lib.common.utils import data_utils17from tempest.lib import exceptions18from keystone_tempest_plugin.tests.rbac.v3 import base as rbac_base19class IdentityV3RbacGrantTest(rbac_base.IdentityV3RbacBaseTests,20 metaclass=abc.ABCMeta):21 @classmethod22 def setup_clients(cls):23 super(IdentityV3RbacGrantTest, cls).setup_clients()24 cls.persona = getattr(cls, 'os_%s' % cls.credentials[0])25 cls.client = cls.persona.roles_v3_client26 cls.admin_client = cls.os_system_admin27 cls.admin_roles_client = cls.admin_client.roles_v3_client28 @classmethod29 def resource_setup(cls):30 super(IdentityV3RbacGrantTest, cls).resource_setup()31 cls._setup_assignments()32 @classmethod33 def _setup_assignments(cls):34 # global role35 cls.role_id = cls.admin_client.roles_v3_client.create_role(36 name=data_utils.rand_name('role'))['role']['id']37 cls.addClassResourceCleanup(38 cls.admin_client.roles_v3_client.delete_role, cls.role_id)39 # own domain - if system or project user, this will be the user's40 # namespace and isn't applicable for RBAC testing41 # if domain user, this will be the domain on which the user has a role42 # assignment43 cls.own_domain = cls.persona.credentials.domain_id44 # domain-specific role in own domain45 cls.role_own_domain = cls.admin_client.roles_v3_client.create_role(46 name=data_utils.rand_name('role'),47 
domain_id=cls.own_domain)['role']['id']48 cls.addClassResourceCleanup(49 cls.admin_client.roles_v3_client.delete_role, cls.role_own_domain)50 # arbitrary domain51 cls.other_domain = cls.admin_client.domains_client.create_domain(52 name=data_utils.rand_name('domain'))['domain']['id']53 cls.addClassResourceCleanup(54 cls.admin_client.domains_client.delete_domain,55 cls.other_domain)56 cls.addClassResourceCleanup(57 cls.admin_client.domains_client.update_domain,58 cls.other_domain,59 enabled=False)60 # domain-specific role in another domain61 cls.role_other_domain = cls.admin_client.roles_v3_client.create_role(62 name=data_utils.rand_name('role'),63 domain_id=cls.other_domain)['role']['id']64 cls.addClassResourceCleanup(65 cls.admin_client.roles_v3_client.delete_role,66 cls.role_other_domain)67 # user in own domain68 cls.user_in_domain = cls.admin_client.users_v3_client.create_user(69 name=data_utils.rand_name('user'),70 domain_id=cls.own_domain)['user']['id']71 cls.addClassResourceCleanup(72 cls.admin_client.users_v3_client.delete_user,73 cls.user_in_domain)74 # group in own domain75 cls.group_in_domain = cls.admin_client.groups_client.create_group(76 name=data_utils.rand_name('group'),77 domain_id=cls.own_domain)['group']['id']78 cls.addClassResourceCleanup(79 cls.admin_client.groups_client.delete_group,80 cls.group_in_domain)81 # project in own domain82 cls.project_in_domain = (83 cls.admin_client.projects_client.create_project(84 name=data_utils.rand_name('project'),85 domain_id=cls.own_domain)['project']['id'])86 cls.addClassResourceCleanup(87 cls.admin_client.projects_client.delete_project,88 cls.project_in_domain)89 # stuff in arbitrary domain, useful for testing system users' access to90 # arbitrary domain and domain users non-access to domains they don't91 # belong to92 # user in other domain93 cls.user_other_domain = cls.admin_client.users_v3_client.create_user(94 name=data_utils.rand_name('user'),95 domain_id=cls.other_domain)['user']['id']96 
cls.addClassResourceCleanup(97 cls.admin_client.users_v3_client.delete_user,98 cls.user_other_domain)99 # group in other domain100 cls.group_other_domain = cls.admin_client.groups_client.create_group(101 name=data_utils.rand_name('group'),102 domain_id=cls.other_domain)['group']['id']103 cls.addClassResourceCleanup(104 cls.admin_client.groups_client.delete_group,105 cls.group_other_domain)106 # project in other domain107 cls.project_other_domain = (108 cls.admin_client.projects_client.create_project(109 name=data_utils.rand_name('project'),110 domain_id=cls.other_domain)['project']['id'])111 cls.addClassResourceCleanup(112 cls.admin_client.projects_client.delete_project,113 cls.project_other_domain)114 # assignments115 roles_client = cls.admin_client.roles_v3_client116 roles_client.create_user_role_on_project(117 cls.project_in_domain,118 cls.user_in_domain,119 cls.role_id)120 roles_client.create_user_role_on_project(121 cls.project_in_domain,122 cls.user_other_domain,123 cls.role_id)124 roles_client.create_user_role_on_project(125 cls.project_other_domain,126 cls.user_in_domain,127 cls.role_id)128 roles_client.create_user_role_on_project(129 cls.project_other_domain,130 cls.user_other_domain,131 cls.role_id)132 roles_client.create_user_role_on_domain(133 cls.own_domain,134 cls.user_in_domain,135 cls.role_id)136 roles_client.create_user_role_on_domain(137 cls.own_domain,138 cls.user_other_domain,139 cls.role_id)140 roles_client.create_user_role_on_domain(141 cls.other_domain,142 cls.user_in_domain,143 cls.role_id)144 roles_client.create_user_role_on_domain(145 cls.other_domain,146 cls.user_other_domain,147 cls.role_id)148 roles_client.create_user_role_on_system(149 cls.user_in_domain,150 cls.role_id)151 roles_client.create_user_role_on_system(152 cls.user_other_domain,153 cls.role_id)154 roles_client.create_user_role_on_project(155 cls.project_in_domain,156 cls.user_in_domain,157 cls.role_own_domain)158 roles_client.create_user_role_on_project(159 
cls.project_in_domain,160 cls.user_other_domain,161 cls.role_own_domain)162 roles_client.create_user_role_on_project(163 cls.project_other_domain,164 cls.user_in_domain,165 cls.role_other_domain)166 roles_client.create_user_role_on_project(167 cls.project_other_domain,168 cls.user_other_domain,169 cls.role_other_domain)170 roles_client.create_user_role_on_domain(171 cls.own_domain,172 cls.user_in_domain,173 cls.role_own_domain)174 roles_client.create_user_role_on_domain(175 cls.own_domain,176 cls.user_other_domain,177 cls.role_own_domain)178 roles_client.create_user_role_on_domain(179 cls.other_domain,180 cls.user_in_domain,181 cls.role_other_domain)182 roles_client.create_user_role_on_domain(183 cls.other_domain,184 cls.user_other_domain,185 cls.role_other_domain)186 roles_client.create_group_role_on_project(187 cls.project_in_domain,188 cls.group_in_domain,189 cls.role_id)190 roles_client.create_group_role_on_project(191 cls.project_in_domain,192 cls.group_other_domain,193 cls.role_id)194 roles_client.create_group_role_on_project(195 cls.project_other_domain,196 cls.group_in_domain,197 cls.role_id)198 roles_client.create_group_role_on_project(199 cls.project_other_domain,200 cls.group_other_domain,201 cls.role_id)202 roles_client.create_group_role_on_domain(203 cls.own_domain,204 cls.group_in_domain,205 cls.role_id)206 roles_client.create_group_role_on_domain(207 cls.own_domain,208 cls.group_other_domain,209 cls.role_id)210 roles_client.create_group_role_on_domain(211 cls.other_domain,212 cls.group_in_domain,213 cls.role_id)214 roles_client.create_group_role_on_domain(215 cls.other_domain,216 cls.group_other_domain,217 cls.role_id)218 roles_client.create_group_role_on_system(219 cls.group_in_domain,220 cls.role_id)221 roles_client.create_group_role_on_system(222 cls.group_other_domain,223 cls.role_id)224 roles_client.create_group_role_on_project(225 cls.project_in_domain,226 cls.group_in_domain,227 cls.role_own_domain)228 
roles_client.create_group_role_on_project(229 cls.project_in_domain,230 cls.group_other_domain,231 cls.role_own_domain)232 roles_client.create_group_role_on_project(233 cls.project_other_domain,234 cls.group_in_domain,235 cls.role_other_domain)236 roles_client.create_group_role_on_project(237 cls.project_other_domain,238 cls.group_other_domain,239 cls.role_other_domain)240 roles_client.create_group_role_on_domain(241 cls.own_domain,242 cls.group_in_domain,243 cls.role_own_domain)244 roles_client.create_group_role_on_domain(245 cls.own_domain,246 cls.group_other_domain,247 cls.role_own_domain)248 roles_client.create_group_role_on_domain(249 cls.other_domain,250 cls.group_in_domain,251 cls.role_other_domain)252 roles_client.create_group_role_on_domain(253 cls.other_domain,254 cls.group_other_domain,255 cls.role_other_domain)256 @abc.abstractmethod257 def test_identity_check_grant(self):258 """Test identity:check_grant policy.259 This test must check:260 * whether the persona can check a grant for261 +------+------+-------+---------+--------+--------+262 | Role | User | Group | Project | Domain | System |263 +--------------+------+------+-------+---------+--------+--------+264 | global | X | X | X | X | X | |265 +--------------+------+------+-------+---------+--------+--------+266 | own domain | X | X | X | X | X | |267 +--------------+------+------+-------+---------+--------+--------+268 | other domain | X | X | X | X | X | |269 +--------------+------+------+-------+---------+--------+--------+270 """271 pass272 @abc.abstractmethod273 def test_identity_list_grants(self):274 """Test identity:list_grants policy.275 This test must check:276 * whether the persona can list grants for277 +------+------+-------+---------+--------+--------+278 | Role | User | Group | Project | Domain | System |279 +--------------+------+------+-------+---------+--------+--------+280 | global | X | X | X | X | X | |281 +--------------+------+------+-------+---------+--------+--------+282 | 
own domain | | X | X | X | X | |283 +--------------+------+------+-------+---------+--------+--------+284 | other domain | | X | X | X | X | |285 +--------------+------+------+-------+---------+--------+--------+286 """287 pass288 @abc.abstractmethod289 def test_identity_create_grant(self):290 """Test identity:create_grant policy.291 This test must check:292 * whether the persona can create a grant of293 +------+------+-------+---------+--------+--------+294 | Role | User | Group | Project | Domain | System |295 +--------------+------+------+-------+---------+--------+--------+296 | global | X | X | X | X | X | |297 +--------------+------+------+-------+---------+--------+--------+298 | own domain | X | X | X | X | X | |299 +--------------+------+------+-------+---------+--------+--------+300 | other domain | X | X | X | X | X | |301 +--------------+------+------+-------+---------+--------+--------+302 """303 pass304 @abc.abstractmethod305 def test_identity_revoke_grant(self):306 """Test identity:revoke_grant policy.307 This test must check:308 * whether the persona can revoke a grant for309 +------+------+-------+---------+--------+--------+310 | Role | User | Group | Project | Domain | System |311 +--------------+------+------+-------+---------+--------+--------+312 | global | X | X | X | X | X | |313 +--------------+------+------+-------+---------+--------+--------+314 | own domain | X | X | X | X | X | |315 +--------------+------+------+-------+---------+--------+--------+316 | other domain | X | X | X | X | X | |317 +--------------+------+------+-------+---------+--------+--------+318 """319 pass320 @abc.abstractmethod321 def test_identity_list_system_grants_for_user(self):322 """Test identity:list_system_grants_for_user policy.323 This test must check:324 * whether the persona can list grants for325 +------+------+-------+---------+--------+--------+326 | Role | User | Group | Project | Domain | System |327 
+--------------+------+------+-------+---------+--------+--------+328 | global | X | X | | | | X |329 +--------------+------+------+-------+---------+--------+--------+330 | own domain | | X | | | | |331 +--------------+------+------+-------+---------+--------+--------+332 | other domain | | X | | | | |333 +--------------+------+------+-------+---------+--------+--------+334 """335 pass336 @abc.abstractmethod337 def test_identity_check_system_grant_for_user(self):338 """Test identity:check_system_grant_for_user policy.339 This test must check:340 * whether the persona can check a grant for341 +------+------+-------+---------+--------+--------+342 | Role | User | Group | Project | Domain | System |343 +--------------+------+------+-------+---------+--------+--------+344 | global | X | X | | | | X |345 +--------------+------+------+-------+---------+--------+--------+346 | own domain | X | X | | | | |347 +--------------+------+------+-------+---------+--------+--------+348 | other domain | X | X | | | | |349 +--------------+------+------+-------+---------+--------+--------+350 """351 pass352 @abc.abstractmethod353 def test_identity_create_system_grant_for_user(self):354 """Test identity:create_system_grant_for_user policy.355 This test must check:356 * whether the persona can create a grant for357 +------+------+-------+---------+--------+--------+358 | Role | User | Group | Project | Domain | System |359 +--------------+------+------+-------+---------+--------+--------+360 | global | X | X | | | | X |361 +--------------+------+------+-------+---------+--------+--------+362 | own domain | X | X | | | | |363 +--------------+------+------+-------+---------+--------+--------+364 | other domain | X | X | | | | |365 +--------------+------+------+-------+---------+--------+--------+366 """367 pass368 @abc.abstractmethod369 def test_identity_revoke_system_grant_for_user(self):370 """Test identity:revoke_system_grant_for_user policy.371 This test must check:372 * whether the 
persona can revoke a grant for373 +------+------+-------+---------+--------+--------+374 | Role | User | Group | Project | Domain | System |375 +--------------+------+------+-------+---------+--------+--------+376 | global | X | X | | | | X |377 +--------------+------+------+-------+---------+--------+--------+378 | own domain | X | X | | | | |379 +--------------+------+------+-------+---------+--------+--------+380 | other domain | X | X | | | | |381 +--------------+------+------+-------+---------+--------+--------+382 """383 pass384 @abc.abstractmethod385 def test_identity_list_system_grants_for_group(self):386 """Test identity:list_system_grants_for_group policy.387 This test must check:388 * whether the persona can list grants for389 +------+------+-------+---------+--------+--------+390 | Role | User | Group | Project | Domain | System |391 +--------------+------+------+-------+---------+--------+--------+392 | global | X | | X | | | X |393 +--------------+------+------+-------+---------+--------+--------+394 | own domain | | | X | | | |395 +--------------+------+------+-------+---------+--------+--------+396 | other domain | | | X | | | |397 +--------------+------+------+-------+---------+--------+--------+398 """399 pass400 @abc.abstractmethod401 def test_identity_check_system_grant_for_group(self):402 """Test identity:check_system_grant_for_group policy.403 This test must check:404 * whether the persona can check a grant for405 +------+------+-------+---------+--------+--------+406 | Role | User | Group | Project | Domain | System |407 +--------------+------+------+-------+---------+--------+--------+408 | global | X | | X | | | X |409 +--------------+------+------+-------+---------+--------+--------+410 | own domain | X | | X | | | |411 +--------------+------+------+-------+---------+--------+--------+412 | other domain | X | | X | | | |413 +--------------+------+------+-------+---------+--------+--------+414 """415 pass416 @abc.abstractmethod417 def 
test_identity_create_system_grant_for_group(self):418 """Test identity:create_system_grant_for_group policy.419 This test must check:420 * whether the persona can create a grant for421 +------+------+-------+---------+--------+--------+422 | Role | User | Group | Project | Domain | System |423 +--------------+------+------+-------+---------+--------+--------+424 | global | X | | X | | | X |425 +--------------+------+------+-------+---------+--------+--------+426 | own domain | X | | X | | | |427 +--------------+------+------+-------+---------+--------+--------+428 | other domain | X | | X | | | |429 +--------------+------+------+-------+---------+--------+--------+430 """431 pass432 @abc.abstractmethod433 def test_identity_revoke_system_grant_for_group(self):434 """Test identity:revoke_system_grant_for_group policy.435 This test must check:436 * whether the persona can revoke a grant for437 +------+------+-------+---------+--------+--------+438 | Role | User | Group | Project | Domain | System |439 +--------------+------+------+-------+---------+--------+--------+440 | global | X | | X | | | X |441 +--------------+------+------+-------+---------+--------+--------+442 | own domain | X | | X | | | |443 +--------------+------+------+-------+---------+--------+--------+444 | other domain | X | | X | | | |445 +--------------+------+------+-------+---------+--------+--------+446 """447 pass448class SystemAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest):449 credentials = ['system_admin']450 def test_identity_check_grant(self):451 # global role, arbitrary project, arbitrary user452 self.do_request(453 'check_user_role_existence_on_project',454 expected_status=204,455 project_id=self.project_other_domain,456 user_id=self.user_other_domain,457 role_id=self.role_id)458 # global role, arbitrary project, arbitrary group459 self.do_request(460 'check_role_from_group_on_project_existence',461 expected_status=204,462 project_id=self.project_other_domain,463 
group_id=self.group_other_domain,464 role_id=self.role_id)465 # global role, arbitrary domain, arbitrary user466 self.do_request(467 'check_user_role_existence_on_domain',468 expected_status=204,469 domain_id=self.other_domain,470 user_id=self.user_other_domain,471 role_id=self.role_id)472 # global role, arbitrary domain, arbitrary group473 self.do_request(474 'check_role_from_group_on_domain_existence',475 expected_status=204,476 domain_id=self.other_domain,477 group_id=self.group_other_domain,478 role_id=self.role_id)479 # domain-specific role not matching arbitrary project, arbitrary group480 self.do_request(481 'check_user_role_existence_on_project',482 expected_status=exceptions.NotFound,483 project_id=self.project_other_domain,484 user_id=self.user_other_domain,485 role_id=self.role_own_domain)486 # domain-specific role not matching arbitrary project, arbitrary group487 self.do_request(488 'check_role_from_group_on_project_existence',489 expected_status=exceptions.NotFound,490 project_id=self.project_other_domain,491 group_id=self.group_other_domain,492 role_id=self.role_own_domain)493 # domain-specific role not matching arbitrary domain, arbitrary user494 self.do_request(495 'check_user_role_existence_on_domain',496 expected_status=exceptions.NotFound,497 domain_id=self.other_domain,498 user_id=self.user_other_domain,499 role_id=self.role_own_domain)500 # domain-specific role not matching arbitrary domain, arbitrary group501 self.do_request(502 'check_role_from_group_on_domain_existence',503 expected_status=exceptions.NotFound,504 domain_id=self.other_domain,505 group_id=self.group_other_domain,506 role_id=self.role_own_domain)507 # domain-specific role, arbitrary project, arbitrary user508 self.do_request(509 'check_user_role_existence_on_project',510 expected_status=204,511 project_id=self.project_other_domain,512 user_id=self.user_other_domain,513 role_id=self.role_other_domain)514 # domain-specific role, arbitrary project, arbitrary group515 
self.do_request(516 'check_role_from_group_on_project_existence',517 expected_status=204,518 project_id=self.project_other_domain,519 group_id=self.group_other_domain,520 role_id=self.role_other_domain)521 # domain-specific role, arbitrary domain, arbitrary user522 self.do_request(523 'check_user_role_existence_on_domain',524 expected_status=204,525 domain_id=self.other_domain,526 user_id=self.user_other_domain,527 role_id=self.role_other_domain)528 # domain-specific role, arbitrary domain, arbitrary group529 self.do_request(530 'check_role_from_group_on_domain_existence',531 expected_status=204,532 domain_id=self.other_domain,533 group_id=self.group_other_domain,534 role_id=self.role_other_domain)535 def test_identity_list_grants(self):536 # arbitrary project, arbitrary user537 self.do_request(538 'list_user_roles_on_project',539 project_id=self.project_other_domain,540 user_id=self.user_other_domain)541 # arbitrary project, arbitrary group542 self.do_request(543 'list_group_roles_on_project',544 project_id=self.project_other_domain,545 group_id=self.group_other_domain)546 # arbitrary domain, arbitrary user547 self.do_request(548 'list_user_roles_on_domain',549 domain_id=self.other_domain,550 user_id=self.user_other_domain)551 # arbitrary domain, arbitrary group552 self.do_request(553 'list_group_roles_on_domain',554 domain_id=self.other_domain,555 group_id=self.group_other_domain)556 # other domain-specific tests not applicable to system user557 def test_identity_create_grant(self):558 # global role, arbitrary project, arbitrary user559 self.do_request(560 'create_user_role_on_project',561 expected_status=204,562 project_id=self.project_other_domain,563 user_id=self.user_other_domain,564 role_id=self.role_id)565 self.addCleanup(566 self.admin_roles_client.delete_role_from_user_on_project,567 project_id=self.project_other_domain,568 user_id=self.user_other_domain,569 role_id=self.role_id)570 # global role, arbitrary project, arbitrary group571 self.do_request(572 
'create_group_role_on_project',573 expected_status=204,574 project_id=self.project_other_domain,575 group_id=self.group_other_domain,576 role_id=self.role_id)577 self.addCleanup(578 self.admin_roles_client.delete_role_from_group_on_project,579 project_id=self.project_other_domain,580 group_id=self.group_other_domain,581 role_id=self.role_id)582 # global role, arbitrary domain, arbitrary user583 self.do_request(584 'create_user_role_on_domain',585 expected_status=204,586 domain_id=self.other_domain,587 user_id=self.user_other_domain,588 role_id=self.role_id)589 self.addCleanup(590 self.admin_roles_client.delete_role_from_user_on_domain,591 domain_id=self.other_domain,592 user_id=self.user_other_domain,593 role_id=self.role_id)594 # global role, arbitrary domain, arbitrary group595 self.do_request(596 'create_group_role_on_domain',597 expected_status=204,598 domain_id=self.other_domain,599 group_id=self.group_other_domain,600 role_id=self.role_id)601 self.addCleanup(602 self.admin_roles_client.delete_role_from_group_on_domain,603 domain_id=self.other_domain,604 group_id=self.group_other_domain,605 role_id=self.role_id)606 # domain-specific, arbitrary project, arbitrary user607 self.do_request(608 'create_user_role_on_project',609 expected_status=204,610 project_id=self.project_other_domain,611 user_id=self.user_other_domain,612 role_id=self.role_other_domain)613 self.addCleanup(614 self.admin_roles_client.delete_role_from_user_on_project,615 project_id=self.project_other_domain,616 user_id=self.user_other_domain,617 role_id=self.role_other_domain)618 # domain-specific, arbitrary project, arbitrary group619 self.do_request(620 'create_group_role_on_project',621 expected_status=204,622 project_id=self.project_other_domain,623 group_id=self.group_other_domain,624 role_id=self.role_other_domain)625 self.addCleanup(626 self.admin_roles_client.delete_role_from_group_on_project,627 project_id=self.project_other_domain,628 group_id=self.group_other_domain,629 
role_id=self.role_other_domain)630 # domain-specific, arbitrary domain, arbitrary user631 self.do_request(632 'create_user_role_on_domain',633 expected_status=204,634 domain_id=self.other_domain,635 user_id=self.user_other_domain,636 role_id=self.role_other_domain)637 self.addCleanup(638 self.admin_roles_client.delete_role_from_user_on_domain,639 domain_id=self.other_domain,640 user_id=self.user_other_domain,641 role_id=self.role_other_domain)642 # domain-specific, arbitrary domain, arbitrary group643 self.do_request(644 'create_group_role_on_domain',645 expected_status=204,646 domain_id=self.other_domain,647 group_id=self.group_other_domain,648 role_id=self.role_other_domain)649 self.addCleanup(650 self.admin_roles_client.delete_role_from_group_on_domain,651 domain_id=self.other_domain,652 group_id=self.group_other_domain,653 role_id=self.role_other_domain)654 # other domain-specific tests not applicable to system user655 def test_identity_revoke_grant(self):656 # global role, arbitrary project, arbitrary user657 self.admin_roles_client.create_user_role_on_project(658 project_id=self.project_other_domain,659 user_id=self.user_other_domain,660 role_id=self.role_id)661 self.do_request(662 'delete_role_from_user_on_project',663 expected_status=204,664 project_id=self.project_other_domain,665 user_id=self.user_other_domain,666 role_id=self.role_id)667 # global role, arbitrary project, arbitrary group668 self.admin_roles_client.create_group_role_on_project(669 project_id=self.project_other_domain,670 group_id=self.group_other_domain,671 role_id=self.role_id)672 self.do_request(673 'delete_role_from_group_on_project',674 expected_status=204,675 project_id=self.project_other_domain,676 group_id=self.group_other_domain,677 role_id=self.role_id)678 # global role, arbitrary domain, arbitrary user679 self.admin_roles_client.create_user_role_on_domain(680 domain_id=self.other_domain,681 user_id=self.user_other_domain,682 role_id=self.role_id)683 self.do_request(684 
'delete_role_from_user_on_domain',685 expected_status=204,686 domain_id=self.other_domain,687 user_id=self.user_other_domain,688 role_id=self.role_id)689 # global role, arbitrary domain, arbitrary group690 self.admin_roles_client.create_group_role_on_domain(691 domain_id=self.other_domain,692 group_id=self.group_other_domain,693 role_id=self.role_id)694 self.do_request(695 'delete_role_from_group_on_domain',696 expected_status=204,697 domain_id=self.other_domain,698 group_id=self.group_other_domain,699 role_id=self.role_id)700 # domain-specific role, arbitrary project, arbitrary user701 self.admin_roles_client.create_user_role_on_project(702 project_id=self.project_other_domain,703 user_id=self.user_other_domain,704 role_id=self.role_other_domain)705 self.do_request(706 'delete_role_from_user_on_project',707 expected_status=204,708 project_id=self.project_other_domain,709 user_id=self.user_other_domain,710 role_id=self.role_other_domain)711 # domain-specific role, arbitrary project, arbitrary group712 self.admin_roles_client.create_group_role_on_project(713 project_id=self.project_other_domain,714 group_id=self.group_other_domain,715 role_id=self.role_other_domain)716 self.do_request(717 'delete_role_from_group_on_project',718 expected_status=204,719 project_id=self.project_other_domain,720 group_id=self.group_other_domain,721 role_id=self.role_other_domain)722 # domain-specific role, arbitrary domain, arbitrary user723 self.admin_roles_client.create_user_role_on_domain(724 domain_id=self.other_domain,725 user_id=self.user_other_domain,726 role_id=self.role_other_domain)727 self.do_request(728 'delete_role_from_user_on_domain',729 expected_status=204,730 domain_id=self.other_domain,731 user_id=self.user_other_domain,732 role_id=self.role_other_domain)733 # domain-specific role, arbitrary domain, arbitrary group734 self.admin_roles_client.create_group_role_on_domain(735 domain_id=self.other_domain,736 group_id=self.group_other_domain,737 
role_id=self.role_other_domain)738 self.do_request(739 'delete_role_from_group_on_domain',740 expected_status=204,741 domain_id=self.other_domain,742 group_id=self.group_other_domain,743 role_id=self.role_other_domain)744 # other domain-specific tests not applicable to system user745 def test_identity_list_system_grants_for_user(self):746 self.do_request('list_user_roles_on_system',747 user_id=self.user_other_domain)748 def test_identity_check_system_grant_for_user(self):749 self.do_request('check_user_role_existence_on_system',750 expected_status=204,751 user_id=self.user_other_domain,752 role_id=self.role_id)753 def test_identity_create_system_grant_for_user(self):754 self.do_request(755 'create_user_role_on_system',756 expected_status=204,757 user_id=self.user_other_domain,758 role_id=self.role_id)759 self.addCleanup(760 self.admin_roles_client.delete_role_from_user_on_system,761 user_id=self.user_other_domain,762 role_id=self.role_id)763 def test_identity_revoke_system_grant_for_user(self):764 self.admin_roles_client.create_user_role_on_system(765 user_id=self.user_other_domain,766 role_id=self.role_id)767 self.do_request(768 'delete_role_from_user_on_system',769 expected_status=204,770 user_id=self.user_other_domain,771 role_id=self.role_id)772 def test_identity_list_system_grants_for_group(self):773 self.do_request('list_group_roles_on_system',774 group_id=self.group_other_domain)775 def test_identity_check_system_grant_for_group(self):776 self.do_request('check_role_from_group_on_system_existence',777 expected_status=204,778 group_id=self.group_other_domain,779 role_id=self.role_id)780 def test_identity_create_system_grant_for_group(self):781 self.do_request(782 'create_group_role_on_system',783 expected_status=204,784 group_id=self.group_other_domain,785 role_id=self.role_id)786 self.addCleanup(787 self.admin_roles_client.delete_role_from_group_on_system,788 group_id=self.group_other_domain,789 role_id=self.role_id)790 def 
test_identity_revoke_system_grant_for_group(self):791 self.admin_roles_client.create_group_role_on_system(792 group_id=self.group_other_domain,793 role_id=self.role_id)794 self.do_request(795 'delete_role_from_group_on_system',796 expected_status=204,797 group_id=self.group_other_domain,798 role_id=self.role_id)799class SystemMemberTests(SystemAdminTests):800 credentials = ['system_member', 'system_admin']801 def test_identity_create_grant(self):802 # global role, arbitrary project, arbitrary user803 self.do_request(804 'create_user_role_on_project',805 expected_status=exceptions.Forbidden,806 project_id=self.project_other_domain,807 user_id=self.user_other_domain,808 role_id=self.role_id)809 self.addCleanup(810 self.admin_roles_client.delete_role_from_user_on_project,811 project_id=self.project_other_domain,812 user_id=self.user_other_domain,813 role_id=self.role_id)814 # global role, arbitrary project, arbitrary group815 self.do_request(816 'create_group_role_on_project',817 expected_status=exceptions.Forbidden,818 project_id=self.project_other_domain,819 group_id=self.group_other_domain,820 role_id=self.role_id)821 self.addCleanup(822 self.admin_roles_client.delete_role_from_group_on_project,823 project_id=self.project_other_domain,824 group_id=self.group_other_domain,825 role_id=self.role_id)826 # global role, arbitrary domain, arbitrary user827 self.do_request(828 'create_user_role_on_domain',829 expected_status=exceptions.Forbidden,830 domain_id=self.other_domain,831 user_id=self.user_other_domain,832 role_id=self.role_id)833 self.addCleanup(834 self.admin_roles_client.delete_role_from_user_on_domain,835 domain_id=self.other_domain,836 user_id=self.user_other_domain,837 role_id=self.role_id)838 # global role, arbitrary domain, arbitrary group839 self.do_request(840 'create_group_role_on_domain',841 expected_status=exceptions.Forbidden,842 domain_id=self.other_domain,843 group_id=self.group_other_domain,844 role_id=self.role_id)845 self.addCleanup(846 
self.admin_roles_client.delete_role_from_group_on_domain,847 domain_id=self.other_domain,848 group_id=self.group_other_domain,849 role_id=self.role_id)850 # domain-specific, arbitrary project, arbitrary user851 self.do_request(852 'create_user_role_on_project',853 expected_status=exceptions.Forbidden,854 project_id=self.project_other_domain,855 user_id=self.user_other_domain,856 role_id=self.role_other_domain)857 self.addCleanup(858 self.admin_roles_client.delete_role_from_user_on_project,859 project_id=self.project_other_domain,860 user_id=self.user_other_domain,861 role_id=self.role_other_domain)862 # domain-specific, arbitrary project, arbitrary group863 self.do_request(864 'create_group_role_on_project',865 expected_status=exceptions.Forbidden,866 project_id=self.project_other_domain,867 group_id=self.group_other_domain,868 role_id=self.role_other_domain)869 self.addCleanup(870 self.admin_roles_client.delete_role_from_group_on_project,871 project_id=self.project_other_domain,872 group_id=self.group_other_domain,873 role_id=self.role_other_domain)874 # domain-specific, arbitrary domain, arbitrary user875 self.do_request(876 'create_user_role_on_domain',877 expected_status=exceptions.Forbidden,878 domain_id=self.other_domain,879 user_id=self.user_other_domain,880 role_id=self.role_other_domain)881 self.addCleanup(882 self.admin_roles_client.delete_role_from_user_on_domain,883 domain_id=self.other_domain,884 user_id=self.user_other_domain,885 role_id=self.role_other_domain)886 # domain-specific, arbitrary domain, arbitrary group887 self.do_request(888 'create_group_role_on_domain',889 expected_status=exceptions.Forbidden,890 domain_id=self.other_domain,891 group_id=self.group_other_domain,892 role_id=self.role_other_domain)893 self.addCleanup(894 self.admin_roles_client.delete_role_from_group_on_domain,895 domain_id=self.other_domain,896 group_id=self.group_other_domain,897 role_id=self.role_other_domain)898 # other domain-specific tests not applicable to system 
# user
    def test_identity_revoke_grant(self):
        """Expect ``Forbidden`` for every grant revocation that is attempted.

        For ``role_id`` and then ``role_other_domain``, the system admin
        client first creates the grant (user and group, on
        ``project_other_domain`` and on ``other_domain``); the persona's
        delete request for that same grant must then be refused.
        """
        project_scope = {'project_id': self.project_other_domain}
        domain_scope = {'domain_id': self.other_domain}
        user_actor = {'user_id': self.user_other_domain}
        group_actor = {'group_id': self.group_other_domain}
        # (admin call that creates the grant, persona request under test,
        #  scope kwargs, actor kwargs)
        steps = (
            ('create_user_role_on_project',
             'delete_role_from_user_on_project',
             project_scope, user_actor),
            ('create_group_role_on_project',
             'delete_role_from_group_on_project',
             project_scope, group_actor),
            ('create_user_role_on_domain',
             'delete_role_from_user_on_domain',
             domain_scope, user_actor),
            ('create_group_role_on_domain',
             'delete_role_from_group_on_domain',
             domain_scope, group_actor),
        )
        for role in (self.role_id, self.role_other_domain):
            for seed_name, revoke_name, scope, actor in steps:
                grant = {**scope, **actor, 'role_id': role}
                getattr(self.admin_roles_client, seed_name)(**grant)
                self.do_request(
                    revoke_name,
                    expected_status=exceptions.Forbidden,
                    **grant)
        # other domain-specific tests not applicable to system user

    def test_identity_create_system_grant_for_user(self):
        """Expect ``Forbidden`` when granting a user a role on the system."""
        grant = {'user_id': self.user_other_domain, 'role_id': self.role_id}
        self.do_request(
            'create_user_role_on_system',
            expected_status=exceptions.Forbidden,
            **grant)
        self.addCleanup(
            self.admin_roles_client.delete_role_from_user_on_system,
            **grant)

    def test_identity_revoke_system_grant_for_user(self):
        """Expect ``Forbidden`` when revoking a user's system grant.

        The grant is created through the system admin client, and its
        removal is registered as cleanup before the persona's request.
        """
        grant = {'user_id': self.user_other_domain, 'role_id': self.role_id}
        self.admin_roles_client.create_user_role_on_system(**grant)
        self.addCleanup(
            self.admin_roles_client.delete_role_from_user_on_system,
            **grant)
        self.do_request(
            'delete_role_from_user_on_system',
            expected_status=exceptions.Forbidden,
            **grant)

    def test_identity_create_system_grant_for_group(self):
        """Expect ``Forbidden`` when granting a group a role on the system."""
        grant = {'group_id': self.group_other_domain, 'role_id': self.role_id}
        self.do_request(
            'create_group_role_on_system',
            expected_status=exceptions.Forbidden,
            **grant)

    def test_identity_revoke_system_grant_for_group(self):
        """Expect ``Forbidden`` when revoking a group's system grant.

        The grant is created through the system admin client, and its
        removal is registered as cleanup before the persona's request.
        """
        grant = {'group_id': self.group_other_domain, 'role_id': self.role_id}
        self.admin_roles_client.create_group_role_on_system(**grant)
        self.addCleanup(
            self.admin_roles_client.delete_role_from_group_on_system,
            **grant)
        self.do_request(
            'delete_role_from_group_on_system',
            expected_status=exceptions.Forbidden,
            **grant)


class SystemReaderTests(SystemMemberTests):
    """Same expectations as ``SystemMemberTests`` for ``system_reader``."""

    credentials = ['system_reader', 'system_admin']


class DomainAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest):
    """Grant RBAC tests with ``domain_admin`` as the first credential."""

    credentials = ['domain_admin', 'system_admin']

    def test_identity_check_grant(self):
        """Check grants across own-domain and other-domain combinations.

        Four quadrants are walked in order: resource and identity both in
        the persona's own domain, resource own with identity other,
        resource other with identity own, and both other. In each one
        ``role_id``, ``role_own_domain`` and ``role_other_domain`` are
        checked for user and group on the project and on the domain.
        Only the all-own quadrant with ``role_id`` or ``role_own_domain``
        expects 204; everything else expects ``Forbidden``.
        """
        own = {
            'project_id': self.project_in_domain,
            'domain_id': self.own_domain,
            'user_id': self.user_in_domain,
            'group_id': self.group_in_domain,
        }
        other = {
            'project_id': self.project_other_domain,
            'domain_id': self.other_domain,
            'user_id': self.user_other_domain,
            'group_id': self.group_other_domain,
        }
        # (request name, which scope key it takes, which actor key)
        checks = (
            ('check_user_role_existence_on_project',
             'project_id', 'user_id'),
            ('check_role_from_group_on_project_existence',
             'project_id', 'group_id'),
            ('check_user_role_existence_on_domain',
             'domain_id', 'user_id'),
            ('check_role_from_group_on_domain_existence',
             'domain_id', 'group_id'),
        )
        # (role, True when the all-own quadrant expects 204 for it)
        roles = (
            (self.role_id, True),
            (self.role_own_domain, True),
            (self.role_other_domain, False),
        )
        # (resource side, identity side)
        quadrants = ((own, own), (own, other), (other, own), (other, other))
        for resource, identity in quadrants:
            all_own = resource is own and identity is own
            for role, succeeds_when_all_own in roles:
                # Some refused combinations have no grant created for
                # them at all; the expectation is Forbidden regardless.
                if all_own and succeeds_when_all_own:
                    status = 204
                else:
                    status = exceptions.Forbidden
                for name, scope_key, actor_key in checks:
                    self.do_request(
                        name,
                        expected_status=status,
                        **{scope_key: resource[scope_key],
                           actor_key: identity[actor_key],
                           'role_id': role})

    def test_identity_list_grants(self):
        ###################################################
        # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
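###################################################
        own = {
            'project_id': self.project_in_domain,
            'domain_id': self.own_domain,
            'user_id': self.user_in_domain,
            'group_id': self.group_in_domain,
        }
        other = {
            'project_id': self.project_other_domain,
            'domain_id': self.other_domain,
            'user_id': self.user_other_domain,
            'group_id': self.group_other_domain,
        }
        # (request name, which scope key it takes, which actor key)
        listings = (
            ('list_user_roles_on_project', 'project_id', 'user_id'),
            ('list_group_roles_on_project', 'project_id', 'group_id'),
            ('list_user_roles_on_domain', 'domain_id', 'user_id'),
            ('list_group_roles_on_domain', 'domain_id', 'group_id'),
        )
        # Own-domain project/domain with own-domain user/group: no
        # expected_status is passed, so do_request's default applies.
        for name, scope_key, actor_key in listings:
            self.do_request(
                name,
                **{scope_key: own[scope_key],
                   actor_key: own[actor_key]})
        # Every combination that involves the other domain is refused:
        # resource own / identity other, resource other / identity own,
        # and both other. (resource side, identity side)
        for resource, identity in ((own, other), (other, own),
                                   (other, other)):
            for name, scope_key, actor_key in listings:
                self.do_request(
                    name,
                    expected_status=exceptions.Forbidden,
                    **{scope_key: resource[scope_key],
                       actor_key: identity[actor_key]})

    def test_identity_create_grant(self):
        """Create grants across own-domain and other-domain combinations.

        Four quadrants are walked in order: resource and identity both in
        the persona's own domain, resource own with identity other,
        resource other with identity own, and both other. In each one
        ``role_id``, ``role_own_domain`` and ``role_other_domain`` are
        granted to user and group on the project and on the domain.
        Only the all-own quadrant with ``role_id`` or ``role_own_domain``
        expects 204; everything else expects ``Forbidden``.

        The all-own quadrant exercises ``role_other_domain`` with the
        own-domain user and group. That isolates the role's domain as the
        only reason for refusal, and keeps the case distinct from the
        own-resource / other-identity quadrant that follows.
        """
        own = {
            'project_id': self.project_in_domain,
            'domain_id': self.own_domain,
            'user_id': self.user_in_domain,
            'group_id': self.group_in_domain,
        }
        other = {
            'project_id': self.project_other_domain,
            'domain_id': self.other_domain,
            'user_id': self.user_other_domain,
            'group_id': self.group_other_domain,
        }
        # (request name, which scope key it takes, which actor key)
        creations = (
            ('create_user_role_on_project', 'project_id', 'user_id'),
            ('create_group_role_on_project', 'project_id', 'group_id'),
            ('create_user_role_on_domain', 'domain_id', 'user_id'),
            ('create_group_role_on_domain', 'domain_id', 'group_id'),
        )
        # (role, True when the all-own quadrant expects 204 for it)
        roles = (
            (self.role_id, True),
            (self.role_own_domain, True),
            (self.role_other_domain, False),
        )
        # (resource side, identity side)
        quadrants = ((own, own), (own, other), (other, own), (other, other))
        # NOTE(review): grants created with 204 are not removed by this
        # test; whether other tests in the class depend on or are
        # affected by them is decided outside this excerpt -- confirm.
        for resource, identity in quadrants:
            all_own = resource is own and identity is own
            for role, succeeds_when_all_own in roles:
                if all_own and succeeds_when_all_own:
                    status = 204
                else:
                    status = exceptions.Forbidden
                for name, scope_key, actor_key in creations:
                    self.do_request(
                        name,
                        expected_status=status,
                        **{scope_key: resource[scope_key],
                           actor_key: identity[actor_key],
                           'role_id': role})

    def test_identity_revoke_grant(self):
        ###################################################
        # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
        ###################################################
        # global role, project in own domain, user in own domain
        self.admin_roles_client.create_user_role_on_project(
            project_id=self.project_in_domain,
            user_id=self.user_in_domain,
            role_id=self.role_id)
        self.do_request(
            'delete_role_from_user_on_project',
            expected_status=204,
            project_id=self.project_in_domain,
            user_id=self.user_in_domain,
            role_id=self.role_id)
        # global role, project in own domain, group in own domain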
self.admin_roles_client.create_group_role_on_project(1871 project_id=self.project_in_domain,1872 group_id=self.group_in_domain,1873 role_id=self.role_id)1874 self.do_request(1875 'delete_role_from_group_on_project',1876 expected_status=204,1877 project_id=self.project_in_domain,1878 group_id=self.group_in_domain,1879 role_id=self.role_id)1880 # global role, own domain, user in own domain1881 self.admin_roles_client.create_user_role_on_domain(1882 domain_id=self.own_domain,1883 user_id=self.user_in_domain,1884 role_id=self.role_id)1885 self.do_request(1886 'delete_role_from_user_on_domain',1887 expected_status=204,1888 domain_id=self.own_domain,1889 user_id=self.user_in_domain,1890 role_id=self.role_id)1891 # global role, own domain, group in own domain1892 self.admin_roles_client.create_group_role_on_domain(1893 domain_id=self.own_domain,1894 group_id=self.group_in_domain,1895 role_id=self.role_id)1896 self.do_request(1897 'delete_role_from_group_on_domain',1898 expected_status=204,1899 domain_id=self.own_domain,1900 group_id=self.group_in_domain,1901 role_id=self.role_id)1902 # role in own domain, project in own domain, user in own domain1903 self.admin_roles_client.create_user_role_on_project(1904 project_id=self.project_in_domain,1905 user_id=self.user_in_domain,1906 role_id=self.role_own_domain)1907 self.do_request(1908 'delete_role_from_user_on_project',1909 expected_status=204,1910 project_id=self.project_in_domain,1911 user_id=self.user_in_domain,1912 role_id=self.role_own_domain)1913 # role in own domain, project in own domain, group in own domain1914 self.admin_roles_client.create_group_role_on_project(1915 project_id=self.project_in_domain,1916 group_id=self.group_in_domain,1917 role_id=self.role_own_domain)1918 self.do_request(1919 'delete_role_from_group_on_project',1920 expected_status=204,1921 project_id=self.project_in_domain,1922 group_id=self.group_in_domain,1923 role_id=self.role_own_domain)1924 # role in own domain, own domain, user in own 
domain1925 self.admin_roles_client.create_user_role_on_domain(1926 domain_id=self.own_domain,1927 user_id=self.user_in_domain,1928 role_id=self.role_own_domain)1929 self.do_request(1930 'delete_role_from_user_on_domain',1931 expected_status=204,1932 domain_id=self.own_domain,1933 user_id=self.user_in_domain,1934 role_id=self.role_own_domain)1935 # role in own domain, own domain, group in own domain1936 self.admin_roles_client.create_group_role_on_domain(1937 domain_id=self.own_domain,1938 group_id=self.group_in_domain,1939 role_id=self.role_own_domain)1940 self.do_request(1941 'delete_role_from_group_on_domain',1942 expected_status=204,1943 domain_id=self.own_domain,1944 group_id=self.group_in_domain,1945 role_id=self.role_own_domain)1946 # role in other domain, project in own domain, user in own domain1947 # role assignment does not exist, should 4031948 self.do_request(1949 'delete_role_from_user_on_project',1950 expected_status=exceptions.Forbidden,1951 project_id=self.project_in_domain,1952 user_id=self.user_in_domain,1953 role_id=self.role_other_domain)1954 # role in other domain, project in own domain, group in own domain1955 # role assignment does not exist, should 4031956 self.do_request(1957 'delete_role_from_group_on_project',1958 expected_status=exceptions.Forbidden,1959 project_id=self.project_in_domain,1960 group_id=self.group_in_domain,1961 role_id=self.role_other_domain)1962 # role in other domain, own domain, user in own domain1963 # role assignment does not exist, should 4031964 self.do_request(1965 'delete_role_from_user_on_domain',1966 expected_status=exceptions.Forbidden,1967 domain_id=self.own_domain,1968 user_id=self.user_in_domain,1969 role_id=self.role_other_domain)1970 # role in other domain, own domain, group in own domain1971 # role assignment does not exist, should 4031972 self.do_request(1973 'delete_role_from_group_on_domain',1974 expected_status=exceptions.Forbidden,1975 domain_id=self.own_domain,1976 
group_id=self.group_in_domain,1977 role_id=self.role_other_domain)1978 #####################################################1979 # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #1980 #####################################################1981 # global role, project in own domain, user in other domain1982 self.admin_roles_client.create_user_role_on_project(1983 project_id=self.project_in_domain,1984 user_id=self.user_other_domain,1985 role_id=self.role_id)1986 self.do_request(1987 'delete_role_from_user_on_project',1988 expected_status=exceptions.Forbidden,1989 project_id=self.project_in_domain,1990 user_id=self.user_other_domain,1991 role_id=self.role_id)1992 # global role, project in own domain, group in other domain1993 self.admin_roles_client.create_group_role_on_project(1994 project_id=self.project_in_domain,1995 group_id=self.group_other_domain,1996 role_id=self.role_id)1997 self.do_request(1998 'delete_role_from_group_on_project',1999 expected_status=exceptions.Forbidden,2000 project_id=self.project_in_domain,2001 group_id=self.group_other_domain,2002 role_id=self.role_id)2003 # global role, own domain, user in other domain2004 self.admin_roles_client.create_user_role_on_domain(2005 domain_id=self.own_domain,2006 user_id=self.user_other_domain,2007 role_id=self.role_id)2008 self.do_request(2009 'delete_role_from_user_on_domain',2010 expected_status=exceptions.Forbidden,2011 domain_id=self.own_domain,2012 user_id=self.user_other_domain,2013 role_id=self.role_id)2014 # global role, own domain, group in other domain2015 self.admin_roles_client.create_group_role_on_domain(2016 domain_id=self.own_domain,2017 group_id=self.group_other_domain,2018 role_id=self.role_id)2019 self.do_request(2020 'delete_role_from_group_on_domain',2021 expected_status=exceptions.Forbidden,2022 domain_id=self.own_domain,2023 group_id=self.group_other_domain,2024 role_id=self.role_id)2025 # role in own domain, project in own domain, user in other domain2026 
self.admin_roles_client.create_user_role_on_project(2027 project_id=self.project_in_domain,2028 user_id=self.user_other_domain,2029 role_id=self.role_own_domain)2030 self.do_request(2031 'delete_role_from_user_on_project',2032 expected_status=exceptions.Forbidden,2033 project_id=self.project_in_domain,2034 user_id=self.user_other_domain,2035 role_id=self.role_own_domain)2036 # role in own domain, project in own domain, group in other domain2037 self.admin_roles_client.create_group_role_on_project(2038 project_id=self.project_in_domain,2039 group_id=self.group_other_domain,2040 role_id=self.role_own_domain)2041 self.do_request(2042 'delete_role_from_group_on_project',2043 expected_status=exceptions.Forbidden,2044 project_id=self.project_in_domain,2045 group_id=self.group_other_domain,2046 role_id=self.role_own_domain)2047 # role in own domain, own domain, user in other domain2048 self.admin_roles_client.create_user_role_on_domain(2049 domain_id=self.own_domain,2050 user_id=self.user_other_domain,2051 role_id=self.role_own_domain)2052 self.do_request(2053 'delete_role_from_user_on_domain',2054 expected_status=exceptions.Forbidden,2055 domain_id=self.own_domain,2056 user_id=self.user_other_domain,2057 role_id=self.role_own_domain)2058 # role in own domain, own domain, group in other domain2059 self.admin_roles_client.create_group_role_on_domain(2060 domain_id=self.own_domain,2061 group_id=self.group_other_domain,2062 role_id=self.role_own_domain)2063 self.do_request(2064 'delete_role_from_group_on_domain',2065 expected_status=exceptions.Forbidden,2066 domain_id=self.own_domain,2067 group_id=self.group_other_domain,2068 role_id=self.role_own_domain)2069 # role in other domain, project in own domain, user in other domain2070 # role assignment does not exist, should 4032071 self.do_request(2072 'delete_role_from_user_on_project',2073 expected_status=exceptions.Forbidden,2074 project_id=self.project_in_domain,2075 user_id=self.user_other_domain,2076 
role_id=self.role_other_domain)2077 # role in other domain, project in own domain, group in other domain2078 # role assignment does not exist, should 4032079 self.do_request(2080 'delete_role_from_group_on_project',2081 expected_status=exceptions.Forbidden,2082 project_id=self.project_in_domain,2083 group_id=self.group_other_domain,2084 role_id=self.role_other_domain)2085 # role in other domain, own domain, user in other domain2086 # role assignment does not exist, should 4032087 self.do_request(2088 'delete_role_from_user_on_domain',2089 expected_status=exceptions.Forbidden,2090 domain_id=self.own_domain,2091 user_id=self.user_other_domain,2092 role_id=self.role_other_domain)2093 # role in other domain, own domain, group in other domain2094 # role assignment does not exist, should 4032095 self.do_request(2096 'delete_role_from_group_on_domain',2097 expected_status=exceptions.Forbidden,2098 domain_id=self.own_domain,2099 group_id=self.group_other_domain,2100 role_id=self.role_other_domain)2101 #####################################################2102 # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #2103 #####################################################2104 # global role, project in other domain, user in own domain2105 self.admin_roles_client.create_user_role_on_project(2106 project_id=self.project_other_domain,2107 user_id=self.user_in_domain,2108 role_id=self.role_id)2109 self.do_request(2110 'delete_role_from_user_on_project',2111 expected_status=exceptions.Forbidden,2112 project_id=self.project_other_domain,2113 user_id=self.user_in_domain,2114 role_id=self.role_id)2115 # global role, project in other domain, group in own domain2116 self.admin_roles_client.create_group_role_on_project(2117 project_id=self.project_other_domain,2118 group_id=self.group_in_domain,2119 role_id=self.role_id)2120 self.do_request(2121 'delete_role_from_group_on_project',2122 expected_status=exceptions.Forbidden,2123 project_id=self.project_other_domain,2124 
group_id=self.group_in_domain,2125 role_id=self.role_id)2126 # global role, other domain, user in own domain2127 self.admin_roles_client.create_user_role_on_domain(2128 domain_id=self.other_domain,2129 user_id=self.user_in_domain,2130 role_id=self.role_id)2131 self.do_request(2132 'delete_role_from_user_on_domain',2133 expected_status=exceptions.Forbidden,2134 domain_id=self.other_domain,2135 user_id=self.user_in_domain,2136 role_id=self.role_id)2137 # global role, other domain, group in own domain2138 self.admin_roles_client.create_group_role_on_domain(2139 domain_id=self.other_domain,2140 group_id=self.group_in_domain,2141 role_id=self.role_id)2142 self.do_request(2143 'delete_role_from_group_on_domain',2144 expected_status=exceptions.Forbidden,2145 domain_id=self.other_domain,2146 group_id=self.group_in_domain,2147 role_id=self.role_id)2148 # role in own domain, project in other domain, user in own domain2149 # role assignment does not exist, should 4032150 self.do_request(2151 'delete_role_from_user_on_project',2152 expected_status=exceptions.Forbidden,2153 project_id=self.project_other_domain,2154 user_id=self.user_in_domain,2155 role_id=self.role_own_domain)2156 # role in own domain, project in other domain, group in own domain2157 # role assignment does not exist, should 4032158 self.do_request(2159 'delete_role_from_group_on_project',2160 expected_status=exceptions.Forbidden,2161 project_id=self.project_other_domain,2162 group_id=self.group_in_domain,2163 role_id=self.role_own_domain)2164 # role in own domain, other domain, user in own domain2165 # role assignment does not exist, should 4032166 self.do_request(2167 'delete_role_from_user_on_domain',2168 expected_status=exceptions.Forbidden,2169 domain_id=self.other_domain,2170 user_id=self.user_in_domain,2171 role_id=self.role_own_domain)2172 # role in own domain, other domain, group in own domain2173 # role assignment does not exist, should 4032174 self.do_request(2175 
'delete_role_from_group_on_domain',2176 expected_status=exceptions.Forbidden,2177 domain_id=self.other_domain,2178 group_id=self.group_in_domain,2179 role_id=self.role_own_domain)2180 # role in other domain, project in other domain, user in own domain2181 self.admin_roles_client.create_user_role_on_project(2182 project_id=self.project_other_domain,2183 user_id=self.user_in_domain,2184 role_id=self.role_other_domain)2185 self.do_request(2186 'delete_role_from_user_on_project',2187 expected_status=exceptions.Forbidden,2188 project_id=self.project_other_domain,2189 user_id=self.user_in_domain,2190 role_id=self.role_other_domain)2191 # role in other domain, project in other domain, group in own domain2192 self.admin_roles_client.create_group_role_on_project(2193 project_id=self.project_other_domain,2194 group_id=self.group_in_domain,2195 role_id=self.role_other_domain)2196 self.do_request(2197 'delete_role_from_group_on_project',2198 expected_status=exceptions.Forbidden,2199 project_id=self.project_other_domain,2200 group_id=self.group_in_domain,2201 role_id=self.role_other_domain)2202 # role in other domain, other domain, user in own domain2203 self.admin_roles_client.create_user_role_on_domain(2204 domain_id=self.other_domain,2205 user_id=self.user_in_domain,2206 role_id=self.role_other_domain)2207 self.do_request(2208 'delete_role_from_user_on_domain',2209 expected_status=exceptions.Forbidden,2210 domain_id=self.other_domain,2211 user_id=self.user_in_domain,2212 role_id=self.role_other_domain)2213 # role in other domain, other domain, group in own domain2214 self.admin_roles_client.create_group_role_on_domain(2215 domain_id=self.other_domain,2216 group_id=self.group_in_domain,2217 role_id=self.role_other_domain)2218 self.do_request(2219 'delete_role_from_group_on_domain',2220 expected_status=exceptions.Forbidden,2221 domain_id=self.other_domain,2222 group_id=self.group_in_domain,2223 role_id=self.role_other_domain)2224 
#######################################################2225 # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #2226 #######################################################2227 # global role, project in other domain, user in other domain2228 self.admin_roles_client.create_user_role_on_project(2229 project_id=self.project_other_domain,2230 user_id=self.user_other_domain,2231 role_id=self.role_id)2232 self.do_request(2233 'delete_role_from_user_on_project',2234 expected_status=exceptions.Forbidden,2235 project_id=self.project_other_domain,2236 user_id=self.user_other_domain,2237 role_id=self.role_id)2238 # global role, project in other domain, group in other domain2239 self.admin_roles_client.create_group_role_on_project(2240 project_id=self.project_other_domain,2241 group_id=self.group_other_domain,2242 role_id=self.role_id)2243 self.do_request(2244 'delete_role_from_group_on_project',2245 expected_status=exceptions.Forbidden,2246 project_id=self.project_other_domain,2247 group_id=self.group_other_domain,2248 role_id=self.role_id)2249 # global role, other domain, user in other domain2250 self.admin_roles_client.create_user_role_on_domain(2251 domain_id=self.other_domain,2252 user_id=self.user_other_domain,2253 role_id=self.role_id)2254 self.do_request(2255 'delete_role_from_user_on_domain',2256 expected_status=exceptions.Forbidden,2257 domain_id=self.other_domain,2258 user_id=self.user_other_domain,2259 role_id=self.role_id)2260 # global role, other domain, group in other domain2261 self.admin_roles_client.create_group_role_on_domain(2262 domain_id=self.other_domain,2263 group_id=self.group_other_domain,2264 role_id=self.role_id)2265 self.do_request(2266 'delete_role_from_group_on_domain',2267 expected_status=exceptions.Forbidden,2268 domain_id=self.other_domain,2269 group_id=self.group_other_domain,2270 role_id=self.role_id)2271 # role in own domain, project in other domain, user in other domain2272 # role assignment does not exist, should 4032273 
self.do_request(2274 'delete_role_from_user_on_project',2275 expected_status=exceptions.Forbidden,2276 project_id=self.project_other_domain,2277 user_id=self.user_other_domain,2278 role_id=self.role_own_domain)2279 # role in own domain, project in other domain, group in other domain2280 # role assignment does not exist, should 4032281 self.do_request(2282 'delete_role_from_group_on_project',2283 expected_status=exceptions.Forbidden,2284 project_id=self.project_other_domain,2285 group_id=self.group_other_domain,2286 role_id=self.role_own_domain)2287 # role in own domain, other domain, user in other domain2288 # role assignment does not exist, should 4032289 self.do_request(2290 'delete_role_from_user_on_domain',2291 expected_status=exceptions.Forbidden,2292 domain_id=self.other_domain,2293 user_id=self.user_other_domain,2294 role_id=self.role_own_domain)2295 # role in own domain, other domain, group in other domain2296 # role assignment does not exist, should 4032297 self.do_request(2298 'delete_role_from_group_on_domain',2299 expected_status=exceptions.Forbidden,2300 domain_id=self.other_domain,2301 group_id=self.group_other_domain,2302 role_id=self.role_own_domain)2303 # role in other domain, project in other domain, user in other domain2304 self.admin_roles_client.create_user_role_on_project(2305 project_id=self.project_other_domain,2306 user_id=self.user_other_domain,2307 role_id=self.role_other_domain)2308 self.do_request(2309 'delete_role_from_user_on_project',2310 expected_status=exceptions.Forbidden,2311 project_id=self.project_other_domain,2312 user_id=self.user_other_domain,2313 role_id=self.role_other_domain)2314 # role in other domain, project in other domain, group in other domain2315 self.admin_roles_client.create_group_role_on_project(2316 project_id=self.project_other_domain,2317 group_id=self.group_other_domain,2318 role_id=self.role_other_domain)2319 self.do_request(2320 'delete_role_from_group_on_project',2321 
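expected_status=exceptions.Forbidden,
            project_id=self.project_other_domain,
            group_id=self.group_other_domain,
            role_id=self.role_other_domain)
        # role in other domain, other domain, user in other domain
        self.admin_roles_client.create_user_role_on_domain(
            domain_id=self.other_domain,
            user_id=self.user_other_domain,
            role_id=self.role_other_domain)
        self.do_request(
            'delete_role_from_user_on_domain',
            expected_status=exceptions.Forbidden,
            domain_id=self.other_domain,
            user_id=self.user_other_domain,
            role_id=self.role_other_domain)
        # role in other domain, other domain, group in other domain
        self.admin_roles_client.create_group_role_on_domain(
            domain_id=self.other_domain,
            group_id=self.group_other_domain,
            role_id=self.role_other_domain)
        self.do_request(
            'delete_role_from_group_on_domain',
            expected_status=exceptions.Forbidden,
            domain_id=self.other_domain,
            group_id=self.group_other_domain,
            role_id=self.role_other_domain)

    def test_identity_list_system_grants_for_user(self):
        """Listing a user's system grants must be Forbidden for this persona.

        Both a user in the persona's own domain and a user in another domain
        are checked, matching the group variant of this test. The original
        issued the other-domain request twice, so the own-domain case was
        never exercised.
        """
        # user in own domain
        self.do_request('list_user_roles_on_system',
                        expected_status=exceptions.Forbidden,
                        user_id=self.user_in_domain)
        # user in other domain
        self.do_request('list_user_roles_on_system',
                        expected_status=exceptions.Forbidden,
                        user_id=self.user_other_domain)

    def test_identity_check_system_grant_for_user(self):
        """Checking a user's system grant must be Forbidden for this persona.

        Covers a user in the persona's own domain and one in another domain;
        the original repeated the other-domain request and left the
        own-domain case untested.
        """
        # NOTE(review): Forbidden is passed positionally here while sibling
        # calls use expected_status=; presumably the same parameter --
        # confirm against do_request's signature.
        # user in own domain
        self.do_request('check_user_role_existence_on_system',
                        exceptions.Forbidden,
                        user_id=self.user_in_domain,
                        role_id=self.role_id)
        # user in other domain
        self.do_request('check_user_role_existence_on_system',
                        exceptions.Forbidden,
                        user_id=self.user_other_domain,
                        role_id=self.role_id)

    def test_identity_create_system_grant_for_user(self):
        """Granting a system role to a user must be Forbidden for this persona."""
        # user in own domain
        self.do_request(
            'create_user_role_on_system',
            expected_status=exceptions.Forbidden,
            user_id=self.user_in_domain,
            role_id=self.role_id)
        # user in other domain
        self.do_request(
            'create_user_role_on_system',
            expected_status=exceptions.Forbidden,
            user_id=self.user_other_domain,
            role_id=self.role_id)

    def test_identity_revoke_system_grant_for_user(self):
        """Revoking a user's system grant must be Forbidden for this persona.

        The admin client creates each assignment first and registers its
        removal as cleanup, so the denied delete is attempted against an
        assignment that really exists.
        """
        # user in own domain
        self.admin_roles_client.create_user_role_on_system(
            user_id=self.user_in_domain,
            role_id=self.role_id)
        self.addCleanup(
            self.admin_roles_client.delete_role_from_user_on_system,
            user_id=self.user_in_domain,
            role_id=self.role_id)
        self.do_request(
            'delete_role_from_user_on_system',
            expected_status=exceptions.Forbidden,
            user_id=self.user_in_domain,
            role_id=self.role_id)
        # user in other domain
        self.admin_roles_client.create_user_role_on_system(
            user_id=self.user_other_domain,
            role_id=self.role_id)
        self.addCleanup(
            self.admin_roles_client.delete_role_from_user_on_system,
            user_id=self.user_other_domain,
            role_id=self.role_id)
        self.do_request(
            'delete_role_from_user_on_system',
            expected_status=exceptions.Forbidden,
            user_id=self.user_other_domain,
            role_id=self.role_id)

    def test_identity_list_system_grants_for_group(self):
        """Listing a group's system grants must be Forbidden for this persona."""
        # group in own domain
        self.do_request('list_group_roles_on_system',
                        expected_status=exceptions.Forbidden,
                        group_id=self.group_in_domain)
        # group in other domain
        self.do_request('list_group_roles_on_system',
                        expected_status=exceptions.Forbidden,
                        group_id=self.group_other_domain)

    def test_identity_check_system_grant_for_group(self):
        """Checking a group's system grant must be Forbidden for this persona.

        Covers a group in the persona's own domain and one in another domain;
        the original repeated the other-domain request and left the
        own-domain case untested.
        """
        # NOTE(review): Forbidden is passed positionally here while sibling
        # calls use expected_status=; presumably the same parameter --
        # confirm against do_request's signature.
        # group in own domain
        self.do_request('check_role_from_group_on_system_existence',
                        exceptions.Forbidden,
                        group_id=self.group_in_domain,
                        role_id=self.role_id)
        # group in other domain
        self.do_request('check_role_from_group_on_system_existence',
                        exceptions.Forbidden,
                        group_id=self.group_other_domain,
                        role_id=self.role_id)

    def test_identity_create_system_grant_for_group(self):
        """Granting a system role to a group must be Forbidden for this persona."""
        # group in own domain
        self.do_request(
            'create_group_role_on_system',
            expected_status=exceptions.Forbidden,
            group_id=self.group_in_domain,
            role_id=self.role_id)
        # group in other domain
        self.do_request(
            'create_group_role_on_system',
            expected_status=exceptions.Forbidden,
            group_id=self.group_other_domain,
            role_id=self.role_id)

    def test_identity_revoke_system_grant_for_group(self):
        """Revoking a group's system grant must be Forbidden for this persona.

        The admin client creates each assignment first and registers its
        removal as cleanup, so the denied delete is attempted against an
        assignment that really exists.
        """
        # group in own domain
        self.admin_roles_client.create_group_role_on_system(
            group_id=self.group_in_domain,
            role_id=self.role_id)
        self.addCleanup(
            self.admin_roles_client.delete_role_from_group_on_system,
            group_id=self.group_in_domain,
            role_id=self.role_id)
        self.do_request(
            'delete_role_from_group_on_system',
            expected_status=exceptions.Forbidden,
            group_id=self.group_in_domain,
            role_id=self.role_id)
        # group in other domain
        self.admin_roles_client.create_group_role_on_system(
            group_id=self.group_other_domain,
            role_id=self.role_id)
        self.addCleanup(
            self.admin_roles_client.delete_role_from_group_on_system,
            group_id=self.group_other_domain,
            role_id=self.role_id)
        self.do_request(
            'delete_role_from_group_on_system',
            expected_status=exceptions.Forbidden,
            group_id=self.group_other_domain,
            role_id=self.role_id)


class DomainMemberTests(DomainAdminTests):

    credentials = ['domain_member', 'system_admin']

    def test_identity_create_grant(self):
        ###################################################
        # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #
        ###################################################
        # global role, project in own domain, user in own domain
        self.do_request(
            'create_user_role_on_project',
            expected_status=exceptions.Forbidden,
            project_id=self.project_in_domain,
            user_id=self.user_in_domain,
            role_id=self.role_id)
        # global role, project in own domain, group in own domain
        self.do_request(
            'create_group_role_on_project',
            expected_status=exceptions.Forbidden,
            project_id=self.project_in_domain,
            group_id=self.group_in_domain,
            role_id=self.role_id)
        # global role, own domain, user in own domain
        self.do_request(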
'create_user_role_on_domain',2478 expected_status=exceptions.Forbidden,2479 domain_id=self.own_domain,2480 user_id=self.user_in_domain,2481 role_id=self.role_id)2482 # global role, own domain, group in own domain2483 self.do_request(2484 'create_group_role_on_domain',2485 expected_status=exceptions.Forbidden,2486 domain_id=self.own_domain,2487 group_id=self.group_in_domain,2488 role_id=self.role_id)2489 # role in own domain, project in own domain, user in own domain2490 self.do_request(2491 'create_user_role_on_project',2492 expected_status=exceptions.Forbidden,2493 project_id=self.project_in_domain,2494 user_id=self.user_in_domain,2495 role_id=self.role_own_domain)2496 # role in own domain, project in own domain, group in own domain2497 self.do_request(2498 'create_group_role_on_project',2499 expected_status=exceptions.Forbidden,2500 project_id=self.project_in_domain,2501 group_id=self.group_in_domain,2502 role_id=self.role_own_domain)2503 # role in own domain, own domain, user in own domain2504 self.do_request(2505 'create_user_role_on_domain',2506 expected_status=exceptions.Forbidden,2507 domain_id=self.own_domain,2508 user_id=self.user_in_domain,2509 role_id=self.role_own_domain)2510 # role in own domain, own domain, group in own domain2511 self.do_request(2512 'create_group_role_on_domain',2513 expected_status=exceptions.Forbidden,2514 domain_id=self.own_domain,2515 group_id=self.group_in_domain,2516 role_id=self.role_own_domain)2517 # role in other domain, project in own domain, user in own domain2518 self.do_request(2519 'create_user_role_on_project',2520 expected_status=exceptions.Forbidden,2521 project_id=self.project_in_domain,2522 user_id=self.user_other_domain,2523 role_id=self.role_other_domain)2524 # role in other domain, project in own domain, group in own domain2525 self.do_request(2526 'create_group_role_on_project',2527 expected_status=exceptions.Forbidden,2528 project_id=self.project_in_domain,2529 group_id=self.group_other_domain,2530 
role_id=self.role_other_domain)2531 # role in other domain, own domain, user in own domain2532 self.do_request(2533 'create_user_role_on_domain',2534 expected_status=exceptions.Forbidden,2535 domain_id=self.own_domain,2536 user_id=self.user_other_domain,2537 role_id=self.role_other_domain)2538 # role in other domain, own domain, group in own domain2539 self.do_request(2540 'create_group_role_on_domain',2541 expected_status=exceptions.Forbidden,2542 domain_id=self.own_domain,2543 group_id=self.group_other_domain,2544 role_id=self.role_other_domain)2545 #####################################################2546 # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #2547 #####################################################2548 # global role, project in own domain, user in other domain2549 self.do_request(2550 'create_user_role_on_project',2551 expected_status=exceptions.Forbidden,2552 project_id=self.project_in_domain,2553 user_id=self.user_other_domain,2554 role_id=self.role_id)2555 # global role, project in own domain, group in other domain2556 self.do_request(2557 'create_group_role_on_project',2558 expected_status=exceptions.Forbidden,2559 project_id=self.project_in_domain,2560 group_id=self.group_other_domain,2561 role_id=self.role_id)2562 # global role, own domain, user in other domain2563 self.do_request(2564 'create_user_role_on_domain',2565 expected_status=exceptions.Forbidden,2566 domain_id=self.own_domain,2567 user_id=self.user_other_domain,2568 role_id=self.role_id)2569 # global role, own domain, group in other domain2570 self.do_request(2571 'create_group_role_on_domain',2572 expected_status=exceptions.Forbidden,2573 domain_id=self.own_domain,2574 group_id=self.group_other_domain,2575 role_id=self.role_id)2576 # role in own domain, project in own domain, user in other domain2577 self.do_request(2578 'create_user_role_on_project',2579 expected_status=exceptions.Forbidden,2580 project_id=self.project_in_domain,2581 user_id=self.user_other_domain,2582 
role_id=self.role_own_domain)2583 # role in own domain, project in own domain, group in other domain2584 self.do_request(2585 'create_group_role_on_project',2586 expected_status=exceptions.Forbidden,2587 project_id=self.project_in_domain,2588 group_id=self.group_other_domain,2589 role_id=self.role_own_domain)2590 # role in own domain, own domain, user in other domain2591 self.do_request(2592 'create_user_role_on_domain',2593 expected_status=exceptions.Forbidden,2594 domain_id=self.own_domain,2595 user_id=self.user_other_domain,2596 role_id=self.role_own_domain)2597 # role in own domain, own domain, group in other domain2598 self.do_request(2599 'create_group_role_on_domain',2600 expected_status=exceptions.Forbidden,2601 domain_id=self.own_domain,2602 group_id=self.group_other_domain,2603 role_id=self.role_own_domain)2604 # role in other domain, project in own domain, user in other domain2605 self.do_request(2606 'create_user_role_on_project',2607 expected_status=exceptions.Forbidden,2608 project_id=self.project_in_domain,2609 user_id=self.user_other_domain,2610 role_id=self.role_other_domain)2611 # role in other domain, project in own domain, group in other domain2612 self.do_request(2613 'create_group_role_on_project',2614 expected_status=exceptions.Forbidden,2615 project_id=self.project_in_domain,2616 group_id=self.group_other_domain,2617 role_id=self.role_other_domain)2618 # role in other domain, own domain, user in other domain2619 self.do_request(2620 'create_user_role_on_domain',2621 expected_status=exceptions.Forbidden,2622 domain_id=self.own_domain,2623 user_id=self.user_other_domain,2624 role_id=self.role_other_domain)2625 # role in other domain, own domain, group in other domain2626 self.do_request(2627 'create_group_role_on_domain',2628 expected_status=exceptions.Forbidden,2629 domain_id=self.own_domain,2630 group_id=self.group_other_domain,2631 role_id=self.role_other_domain)2632 #####################################################2633 # RESOURCE IN 
OTHER DOMAIN - IDENTITY IN OWN DOMAIN #2634 #####################################################2635 # global role, project in other domain, user in own domain2636 self.do_request(2637 'create_user_role_on_project',2638 expected_status=exceptions.Forbidden,2639 project_id=self.project_other_domain,2640 user_id=self.user_in_domain,2641 role_id=self.role_id)2642 # global role, project in other domain, group in own domain2643 self.do_request(2644 'create_group_role_on_project',2645 expected_status=exceptions.Forbidden,2646 project_id=self.project_other_domain,2647 group_id=self.group_in_domain,2648 role_id=self.role_id)2649 # global role, other domain, user in own domain2650 self.do_request(2651 'create_user_role_on_domain',2652 expected_status=exceptions.Forbidden,2653 domain_id=self.other_domain,2654 user_id=self.user_in_domain,2655 role_id=self.role_id)2656 # global role, other domain, group in own domain2657 self.do_request(2658 'create_group_role_on_domain',2659 expected_status=exceptions.Forbidden,2660 domain_id=self.other_domain,2661 group_id=self.group_in_domain,2662 role_id=self.role_id)2663 # role in own domain, project in other domain, user in own domain2664 self.do_request(2665 'create_user_role_on_project',2666 expected_status=exceptions.Forbidden,2667 project_id=self.project_other_domain,2668 user_id=self.user_in_domain,2669 role_id=self.role_own_domain)2670 # role in own domain, project in other domain, group in own domain2671 self.do_request(2672 'create_group_role_on_project',2673 expected_status=exceptions.Forbidden,2674 project_id=self.project_other_domain,2675 group_id=self.group_in_domain,2676 role_id=self.role_own_domain)2677 # role in own domain, other domain, user in own domain2678 self.do_request(2679 'create_user_role_on_domain',2680 expected_status=exceptions.Forbidden,2681 domain_id=self.other_domain,2682 user_id=self.user_in_domain,2683 role_id=self.role_own_domain)2684 # role in own domain, other domain, group in own domain2685 
self.do_request(2686 'create_group_role_on_domain',2687 expected_status=exceptions.Forbidden,2688 domain_id=self.other_domain,2689 group_id=self.group_in_domain,2690 role_id=self.role_own_domain)2691 # role in other domain, project in other domain, user in own domain2692 self.do_request(2693 'create_user_role_on_project',2694 expected_status=exceptions.Forbidden,2695 project_id=self.project_other_domain,2696 user_id=self.user_in_domain,2697 role_id=self.role_other_domain)2698 # role in other domain, project in other domain, group in own domain2699 self.do_request(2700 'create_group_role_on_project',2701 expected_status=exceptions.Forbidden,2702 project_id=self.project_other_domain,2703 group_id=self.group_in_domain,2704 role_id=self.role_other_domain)2705 # role in other domain, other domain, user in own domain2706 self.do_request(2707 'create_user_role_on_domain',2708 expected_status=exceptions.Forbidden,2709 domain_id=self.other_domain,2710 user_id=self.user_in_domain,2711 role_id=self.role_other_domain)2712 # role in other domain, other domain, group in own domain2713 self.do_request(2714 'create_group_role_on_domain',2715 expected_status=exceptions.Forbidden,2716 domain_id=self.other_domain,2717 group_id=self.group_in_domain,2718 role_id=self.role_other_domain)2719 #######################################################2720 # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #2721 #######################################################2722 # global role, project in other domain, user in other domain2723 self.do_request(2724 'create_user_role_on_project',2725 expected_status=exceptions.Forbidden,2726 project_id=self.project_other_domain,2727 user_id=self.user_other_domain,2728 role_id=self.role_id)2729 # global role, project in other domain, group in other domain2730 self.do_request(2731 'create_group_role_on_project',2732 expected_status=exceptions.Forbidden,2733 project_id=self.project_other_domain,2734 group_id=self.group_other_domain,2735 
role_id=self.role_id)2736 # global role, other domain, user in other domain2737 self.do_request(2738 'create_user_role_on_domain',2739 expected_status=exceptions.Forbidden,2740 domain_id=self.other_domain,2741 user_id=self.user_other_domain,2742 role_id=self.role_id)2743 # global role, other domain, group in other domain2744 self.do_request(2745 'create_group_role_on_domain',2746 expected_status=exceptions.Forbidden,2747 domain_id=self.other_domain,2748 group_id=self.group_other_domain,2749 role_id=self.role_id)2750 # role in own domain, project in other domain, user in other domain2751 self.do_request(2752 'create_user_role_on_project',2753 expected_status=exceptions.Forbidden,2754 project_id=self.project_other_domain,2755 user_id=self.user_other_domain,2756 role_id=self.role_own_domain)2757 # role in own domain, project in other domain, group in other domain2758 self.do_request(2759 'create_group_role_on_project',2760 expected_status=exceptions.Forbidden,2761 project_id=self.project_other_domain,2762 group_id=self.group_other_domain,2763 role_id=self.role_own_domain)2764 # role in own domain, other domain, user in other domain2765 self.do_request(2766 'create_user_role_on_domain',2767 expected_status=exceptions.Forbidden,2768 domain_id=self.other_domain,2769 user_id=self.user_other_domain,2770 role_id=self.role_own_domain)2771 # role in own domain, other domain, group in other domain2772 self.do_request(2773 'create_group_role_on_domain',2774 expected_status=exceptions.Forbidden,2775 domain_id=self.other_domain,2776 group_id=self.group_other_domain,2777 role_id=self.role_own_domain)2778 # role in other domain, project in other domain, user in other domain2779 self.do_request(2780 'create_user_role_on_project',2781 expected_status=exceptions.Forbidden,2782 project_id=self.project_other_domain,2783 user_id=self.user_other_domain,2784 role_id=self.role_other_domain)2785 # role in other domain, project in other domain, group in other domain2786 self.do_request(2787 
'create_group_role_on_project',2788 expected_status=exceptions.Forbidden,2789 project_id=self.project_other_domain,2790 group_id=self.group_other_domain,2791 role_id=self.role_other_domain)2792 # role in other domain, other domain, user in other domain2793 self.do_request(2794 'create_user_role_on_domain',2795 expected_status=exceptions.Forbidden,2796 domain_id=self.other_domain,2797 user_id=self.user_other_domain,2798 role_id=self.role_other_domain)2799 # role in other domain, other domain, group in other domain2800 self.do_request(2801 'create_group_role_on_domain',2802 expected_status=exceptions.Forbidden,2803 domain_id=self.other_domain,2804 group_id=self.group_other_domain,2805 role_id=self.role_other_domain)2806 def test_identity_revoke_grant(self):2807 ###################################################2808 # RESOURCE IN OWN DOMAIN - IDENTITY IN OWN DOMAIN #2809 ###################################################2810 # global role, project in own domain, user in own domain2811 self.admin_roles_client.create_user_role_on_project(2812 project_id=self.project_in_domain,2813 user_id=self.user_in_domain,2814 role_id=self.role_id)2815 self.do_request(2816 'delete_role_from_user_on_project',2817 expected_status=exceptions.Forbidden,2818 project_id=self.project_in_domain,2819 user_id=self.user_in_domain,2820 role_id=self.role_id)2821 # global role, project in own domain, group in own domain2822 self.admin_roles_client.create_group_role_on_project(2823 project_id=self.project_in_domain,2824 group_id=self.group_in_domain,2825 role_id=self.role_id)2826 self.do_request(2827 'delete_role_from_group_on_project',2828 expected_status=exceptions.Forbidden,2829 project_id=self.project_in_domain,2830 group_id=self.group_in_domain,2831 role_id=self.role_id)2832 # global role, own domain, user in own domain2833 self.admin_roles_client.create_user_role_on_domain(2834 domain_id=self.own_domain,2835 user_id=self.user_in_domain,2836 role_id=self.role_id)2837 self.do_request(2838 
'delete_role_from_user_on_domain',2839 expected_status=exceptions.Forbidden,2840 domain_id=self.own_domain,2841 user_id=self.user_in_domain,2842 role_id=self.role_id)2843 # global role, own domain, group in own domain2844 self.admin_roles_client.create_group_role_on_domain(2845 domain_id=self.own_domain,2846 group_id=self.group_in_domain,2847 role_id=self.role_id)2848 self.do_request(2849 'delete_role_from_group_on_domain',2850 expected_status=exceptions.Forbidden,2851 domain_id=self.own_domain,2852 group_id=self.group_in_domain,2853 role_id=self.role_id)2854 # role in own domain, project in own domain, user in own domain2855 self.admin_roles_client.create_user_role_on_project(2856 project_id=self.project_in_domain,2857 user_id=self.user_in_domain,2858 role_id=self.role_own_domain)2859 self.do_request(2860 'delete_role_from_user_on_project',2861 expected_status=exceptions.Forbidden,2862 project_id=self.project_in_domain,2863 user_id=self.user_in_domain,2864 role_id=self.role_own_domain)2865 # role in own domain, project in own domain, group in own domain2866 self.admin_roles_client.create_group_role_on_project(2867 project_id=self.project_in_domain,2868 group_id=self.group_in_domain,2869 role_id=self.role_own_domain)2870 self.do_request(2871 'delete_role_from_group_on_project',2872 expected_status=exceptions.Forbidden,2873 project_id=self.project_in_domain,2874 group_id=self.group_in_domain,2875 role_id=self.role_own_domain)2876 # role in own domain, own domain, user in own domain2877 self.admin_roles_client.create_user_role_on_domain(2878 domain_id=self.own_domain,2879 user_id=self.user_in_domain,2880 role_id=self.role_own_domain)2881 self.do_request(2882 'delete_role_from_user_on_domain',2883 expected_status=exceptions.Forbidden,2884 domain_id=self.own_domain,2885 user_id=self.user_in_domain,2886 role_id=self.role_own_domain)2887 # role in own domain, own domain, group in own domain2888 self.admin_roles_client.create_group_role_on_domain(2889 
domain_id=self.own_domain,2890 group_id=self.group_in_domain,2891 role_id=self.role_own_domain)2892 self.do_request(2893 'delete_role_from_group_on_domain',2894 expected_status=exceptions.Forbidden,2895 domain_id=self.own_domain,2896 group_id=self.group_in_domain,2897 role_id=self.role_own_domain)2898 # role in other domain, project in own domain, user in own domain2899 # role assignment does not exist, should 4032900 self.do_request(2901 'delete_role_from_user_on_project',2902 expected_status=exceptions.Forbidden,2903 project_id=self.project_in_domain,2904 user_id=self.user_in_domain,2905 role_id=self.role_other_domain)2906 # role in other domain, project in own domain, group in own domain2907 # role assignment does not exist, should 4032908 self.do_request(2909 'delete_role_from_group_on_project',2910 expected_status=exceptions.Forbidden,2911 project_id=self.project_in_domain,2912 group_id=self.group_in_domain,2913 role_id=self.role_other_domain)2914 # role in other domain, own domain, user in own domain2915 # role assignment does not exist, should 4032916 self.do_request(2917 'delete_role_from_user_on_domain',2918 expected_status=exceptions.Forbidden,2919 domain_id=self.own_domain,2920 user_id=self.user_in_domain,2921 role_id=self.role_other_domain)2922 # role in other domain, own domain, group in own domain2923 # role assignment does not exist, should 4032924 self.do_request(2925 'delete_role_from_group_on_domain',2926 expected_status=exceptions.Forbidden,2927 domain_id=self.own_domain,2928 group_id=self.group_in_domain,2929 role_id=self.role_other_domain)2930 #####################################################2931 # RESOURCE IN OWN DOMAIN - IDENTITY IN OTHER DOMAIN #2932 #####################################################2933 # global role, project in own domain, user in other domain2934 self.admin_roles_client.create_user_role_on_project(2935 project_id=self.project_in_domain,2936 user_id=self.user_other_domain,2937 role_id=self.role_id)2938 
self.do_request(2939 'delete_role_from_user_on_project',2940 expected_status=exceptions.Forbidden,2941 project_id=self.project_in_domain,2942 user_id=self.user_other_domain,2943 role_id=self.role_id)2944 # global role, project in own domain, group in other domain2945 self.admin_roles_client.create_group_role_on_project(2946 project_id=self.project_in_domain,2947 group_id=self.group_other_domain,2948 role_id=self.role_id)2949 self.do_request(2950 'delete_role_from_group_on_project',2951 expected_status=exceptions.Forbidden,2952 project_id=self.project_in_domain,2953 group_id=self.group_other_domain,2954 role_id=self.role_id)2955 # global role, own domain, user in other domain2956 self.admin_roles_client.create_user_role_on_domain(2957 domain_id=self.own_domain,2958 user_id=self.user_other_domain,2959 role_id=self.role_id)2960 self.do_request(2961 'delete_role_from_user_on_domain',2962 expected_status=exceptions.Forbidden,2963 domain_id=self.own_domain,2964 user_id=self.user_other_domain,2965 role_id=self.role_id)2966 # global role, own domain, group in other domain2967 self.admin_roles_client.create_group_role_on_domain(2968 domain_id=self.own_domain,2969 group_id=self.group_other_domain,2970 role_id=self.role_id)2971 self.do_request(2972 'delete_role_from_group_on_domain',2973 expected_status=exceptions.Forbidden,2974 domain_id=self.own_domain,2975 group_id=self.group_other_domain,2976 role_id=self.role_id)2977 # role in own domain, project in own domain, user in other domain2978 self.admin_roles_client.create_user_role_on_project(2979 project_id=self.project_in_domain,2980 user_id=self.user_other_domain,2981 role_id=self.role_own_domain)2982 self.do_request(2983 'delete_role_from_user_on_project',2984 expected_status=exceptions.Forbidden,2985 project_id=self.project_in_domain,2986 user_id=self.user_other_domain,2987 role_id=self.role_own_domain)2988 # role in own domain, project in own domain, group in other domain2989 
self.admin_roles_client.create_group_role_on_project(2990 project_id=self.project_in_domain,2991 group_id=self.group_other_domain,2992 role_id=self.role_own_domain)2993 self.do_request(2994 'delete_role_from_group_on_project',2995 expected_status=exceptions.Forbidden,2996 project_id=self.project_in_domain,2997 group_id=self.group_other_domain,2998 role_id=self.role_own_domain)2999 # role in own domain, own domain, user in other domain3000 self.admin_roles_client.create_user_role_on_domain(3001 domain_id=self.own_domain,3002 user_id=self.user_other_domain,3003 role_id=self.role_own_domain)3004 self.do_request(3005 'delete_role_from_user_on_domain',3006 expected_status=exceptions.Forbidden,3007 domain_id=self.own_domain,3008 user_id=self.user_other_domain,3009 role_id=self.role_own_domain)3010 # role in own domain, own domain, group in other domain3011 self.admin_roles_client.create_group_role_on_domain(3012 domain_id=self.own_domain,3013 group_id=self.group_other_domain,3014 role_id=self.role_own_domain)3015 self.do_request(3016 'delete_role_from_group_on_domain',3017 expected_status=exceptions.Forbidden,3018 domain_id=self.own_domain,3019 group_id=self.group_other_domain,3020 role_id=self.role_own_domain)3021 # role in other domain, project in own domain, user in other domain3022 # role assignment does not exist, should 4033023 self.do_request(3024 'delete_role_from_user_on_project',3025 expected_status=exceptions.Forbidden,3026 project_id=self.project_in_domain,3027 user_id=self.user_other_domain,3028 role_id=self.role_other_domain)3029 # role in other domain, project in own domain, group in other domain3030 # role assignment does not exist, should 4033031 self.do_request(3032 'delete_role_from_group_on_project',3033 expected_status=exceptions.Forbidden,3034 project_id=self.project_in_domain,3035 group_id=self.group_other_domain,3036 role_id=self.role_other_domain)3037 # role in other domain, own domain, user in other domain3038 # role assignment does not exist, 
should 4033039 self.do_request(3040 'delete_role_from_user_on_domain',3041 expected_status=exceptions.Forbidden,3042 domain_id=self.own_domain,3043 user_id=self.user_other_domain,3044 role_id=self.role_other_domain)3045 # role in other domain, own domain, group in other domain3046 # role assignment does not exist, should 4033047 self.do_request(3048 'delete_role_from_group_on_domain',3049 expected_status=exceptions.Forbidden,3050 domain_id=self.own_domain,3051 group_id=self.group_other_domain,3052 role_id=self.role_other_domain)3053 #####################################################3054 # RESOURCE IN OTHER DOMAIN - IDENTITY IN OWN DOMAIN #3055 #####################################################3056 # global role, project in other domain, user in own domain3057 self.admin_roles_client.create_user_role_on_project(3058 project_id=self.project_other_domain,3059 user_id=self.user_in_domain,3060 role_id=self.role_id)3061 self.do_request(3062 'delete_role_from_user_on_project',3063 expected_status=exceptions.Forbidden,3064 project_id=self.project_other_domain,3065 user_id=self.user_in_domain,3066 role_id=self.role_id)3067 # global role, project in other domain, group in own domain3068 self.admin_roles_client.create_group_role_on_project(3069 project_id=self.project_other_domain,3070 group_id=self.group_in_domain,3071 role_id=self.role_id)3072 self.do_request(3073 'delete_role_from_group_on_project',3074 expected_status=exceptions.Forbidden,3075 project_id=self.project_other_domain,3076 group_id=self.group_in_domain,3077 role_id=self.role_id)3078 # global role, other domain, user in own domain3079 self.admin_roles_client.create_user_role_on_domain(3080 domain_id=self.other_domain,3081 user_id=self.user_in_domain,3082 role_id=self.role_id)3083 self.do_request(3084 'delete_role_from_user_on_domain',3085 expected_status=exceptions.Forbidden,3086 domain_id=self.other_domain,3087 user_id=self.user_in_domain,3088 role_id=self.role_id)3089 # global role, other domain, group 
in own domain3090 self.admin_roles_client.create_group_role_on_domain(3091 domain_id=self.other_domain,3092 group_id=self.group_in_domain,3093 role_id=self.role_id)3094 self.do_request(3095 'delete_role_from_group_on_domain',3096 expected_status=exceptions.Forbidden,3097 domain_id=self.other_domain,3098 group_id=self.group_in_domain,3099 role_id=self.role_id)3100 # role in own domain, project in other domain, user in own domain3101 # role assignment does not exist, should 4033102 self.do_request(3103 'delete_role_from_user_on_project',3104 expected_status=exceptions.Forbidden,3105 project_id=self.project_other_domain,3106 user_id=self.user_in_domain,3107 role_id=self.role_own_domain)3108 # role in own domain, project in other domain, group in own domain3109 # role assignment does not exist, should 4033110 self.do_request(3111 'delete_role_from_group_on_project',3112 expected_status=exceptions.Forbidden,3113 project_id=self.project_other_domain,3114 group_id=self.group_in_domain,3115 role_id=self.role_own_domain)3116 # role in own domain, other domain, user in own domain3117 # role assignment does not exist, should 4033118 self.do_request(3119 'delete_role_from_user_on_domain',3120 expected_status=exceptions.Forbidden,3121 domain_id=self.other_domain,3122 user_id=self.user_in_domain,3123 role_id=self.role_own_domain)3124 # role in own domain, other domain, group in own domain3125 # role assignment does not exist, should 4033126 self.do_request(3127 'delete_role_from_group_on_domain',3128 expected_status=exceptions.Forbidden,3129 domain_id=self.other_domain,3130 group_id=self.group_in_domain,3131 role_id=self.role_own_domain)3132 # role in other domain, project in other domain, user in own domain3133 self.admin_roles_client.create_user_role_on_project(3134 project_id=self.project_other_domain,3135 user_id=self.user_in_domain,3136 role_id=self.role_other_domain)3137 self.do_request(3138 'delete_role_from_user_on_project',3139 expected_status=exceptions.Forbidden,3140 
project_id=self.project_other_domain,3141 user_id=self.user_in_domain,3142 role_id=self.role_other_domain)3143 # role in other domain, project in other domain, group in own domain3144 self.admin_roles_client.create_group_role_on_project(3145 project_id=self.project_other_domain,3146 group_id=self.group_in_domain,3147 role_id=self.role_other_domain)3148 self.do_request(3149 'delete_role_from_group_on_project',3150 expected_status=exceptions.Forbidden,3151 project_id=self.project_other_domain,3152 group_id=self.group_in_domain,3153 role_id=self.role_other_domain)3154 # role in other domain, other domain, user in own domain3155 self.admin_roles_client.create_user_role_on_domain(3156 domain_id=self.other_domain,3157 user_id=self.user_in_domain,3158 role_id=self.role_other_domain)3159 self.do_request(3160 'delete_role_from_user_on_domain',3161 expected_status=exceptions.Forbidden,3162 domain_id=self.other_domain,3163 user_id=self.user_in_domain,3164 role_id=self.role_other_domain)3165 # role in other domain, other domain, group in own domain3166 self.admin_roles_client.create_group_role_on_domain(3167 domain_id=self.other_domain,3168 group_id=self.group_in_domain,3169 role_id=self.role_other_domain)3170 self.do_request(3171 'delete_role_from_group_on_domain',3172 expected_status=exceptions.Forbidden,3173 domain_id=self.other_domain,3174 group_id=self.group_in_domain,3175 role_id=self.role_other_domain)3176 #######################################################3177 # RESOURCE IN OTHER DOMAIN - IDENTITY IN OTHER DOMAIN #3178 #######################################################3179 # global role, project in other domain, user in other domain3180 self.admin_roles_client.create_user_role_on_project(3181 project_id=self.project_other_domain,3182 user_id=self.user_other_domain,3183 role_id=self.role_id)3184 self.do_request(3185 'delete_role_from_user_on_project',3186 expected_status=exceptions.Forbidden,3187 project_id=self.project_other_domain,3188 
user_id=self.user_other_domain,3189 role_id=self.role_id)3190 # global role, project in other domain, group in other domain3191 self.admin_roles_client.create_group_role_on_project(3192 project_id=self.project_other_domain,3193 group_id=self.group_other_domain,3194 role_id=self.role_id)3195 self.do_request(3196 'delete_role_from_group_on_project',3197 expected_status=exceptions.Forbidden,3198 project_id=self.project_other_domain,3199 group_id=self.group_other_domain,3200 role_id=self.role_id)3201 # global role, other domain, user in other domain3202 self.admin_roles_client.create_user_role_on_domain(3203 domain_id=self.other_domain,3204 user_id=self.user_other_domain,3205 role_id=self.role_id)3206 self.do_request(3207 'delete_role_from_user_on_domain',3208 expected_status=exceptions.Forbidden,3209 domain_id=self.other_domain,3210 user_id=self.user_other_domain,3211 role_id=self.role_id)3212 # global role, other domain, group in other domain3213 self.admin_roles_client.create_group_role_on_domain(3214 domain_id=self.other_domain,3215 group_id=self.group_other_domain,3216 role_id=self.role_id)3217 self.do_request(3218 'delete_role_from_group_on_domain',3219 expected_status=exceptions.Forbidden,3220 domain_id=self.other_domain,3221 group_id=self.group_other_domain,3222 role_id=self.role_id)3223 # role in own domain, project in other domain, user in other domain3224 # role assignment does not exist, should 4033225 self.do_request(3226 'delete_role_from_user_on_project',3227 expected_status=exceptions.Forbidden,3228 project_id=self.project_other_domain,3229 user_id=self.user_other_domain,3230 role_id=self.role_own_domain)3231 # role in own domain, project in other domain, group in other domain3232 # role assignment does not exist, should 4033233 self.do_request(3234 'delete_role_from_group_on_project',3235 expected_status=exceptions.Forbidden,3236 project_id=self.project_other_domain,3237 group_id=self.group_other_domain,3238 role_id=self.role_own_domain)3239 # role in 
own domain, other domain, user in other domain3240 # role assignment does not exist, should 4033241 self.do_request(3242 'delete_role_from_user_on_domain',3243 expected_status=exceptions.Forbidden,3244 domain_id=self.other_domain,3245 user_id=self.user_other_domain,3246 role_id=self.role_own_domain)3247 # role in own domain, other domain, group in other domain3248 # role assignment does not exist, should 4033249 self.do_request(3250 'delete_role_from_group_on_domain',3251 expected_status=exceptions.Forbidden,3252 domain_id=self.other_domain,3253 group_id=self.group_other_domain,3254 role_id=self.role_own_domain)3255 # role in other domain, project in other domain, user in other domain3256 self.admin_roles_client.create_user_role_on_project(3257 project_id=self.project_other_domain,3258 user_id=self.user_other_domain,3259 role_id=self.role_other_domain)3260 self.do_request(3261 'delete_role_from_user_on_project',3262 expected_status=exceptions.Forbidden,3263 project_id=self.project_other_domain,3264 user_id=self.user_other_domain,3265 role_id=self.role_other_domain)3266 # role in other domain, project in other domain, group in other domain3267 self.admin_roles_client.create_group_role_on_project(3268 project_id=self.project_other_domain,3269 group_id=self.group_other_domain,3270 role_id=self.role_other_domain)3271 self.do_request(3272 'delete_role_from_group_on_project',3273 expected_status=exceptions.Forbidden,3274 project_id=self.project_other_domain,3275 group_id=self.group_other_domain,3276 role_id=self.role_other_domain)3277 # role in other domain, other domain, user in other domain3278 self.admin_roles_client.create_user_role_on_domain(3279 domain_id=self.other_domain,3280 user_id=self.user_other_domain,3281 role_id=self.role_other_domain)3282 self.do_request(3283 'delete_role_from_user_on_domain',3284 expected_status=exceptions.Forbidden,3285 domain_id=self.other_domain,3286 user_id=self.user_other_domain,3287 role_id=self.role_other_domain)3288 # role in 
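# other domain, other domain, group in other domain
        self.admin_roles_client.create_group_role_on_domain(
            domain_id=self.other_domain,
            group_id=self.group_other_domain,
            role_id=self.role_other_domain)
        self.do_request(
            'delete_role_from_group_on_domain',
            expected_status=exceptions.Forbidden,
            domain_id=self.other_domain,
            group_id=self.group_other_domain,
            role_id=self.role_other_domain)

    def test_identity_create_system_grant_for_user(self):
        # Negative authorization check: the persona under test must get
        # Forbidden when granting a system-scoped role to a user, whether
        # that user is in its own domain or in another one.
        for user_id in (self.user_in_domain, self.user_other_domain):
            self.do_request(
                'create_user_role_on_system',
                expected_status=exceptions.Forbidden,
                user_id=user_id,
                role_id=self.role_id)

    def test_identity_revoke_system_grant_for_user(self):
        # Negative authorization check: the persona under test must get
        # Forbidden when revoking an existing system role assignment.
        #
        # As listed, this test only exercised *group* system grants even
        # though its name says "for_user", so the user revoke path had no
        # coverage here. The user cases are added first; the original group
        # cases are kept unchanged after them.
        #
        # In every case the admin client creates the assignment and the
        # cleanup is registered before the negative request is made, so the
        # assignment is removed again whatever the request returns.

        # user in own domain, then user in other domain
        for user_id in (self.user_in_domain, self.user_other_domain):
            self.admin_roles_client.create_user_role_on_system(
                user_id=user_id,
                role_id=self.role_id)
            self.addCleanup(
                self.admin_roles_client.delete_role_from_user_on_system,
                user_id=user_id,
                role_id=self.role_id)
            self.do_request(
                'delete_role_from_user_on_system',
                expected_status=exceptions.Forbidden,
                user_id=user_id,
                role_id=self.role_id)

        # group in own domain, then group in other domain
        for group_id in (self.group_in_domain, self.group_other_domain):
            self.admin_roles_client.create_group_role_on_system(
                group_id=group_id,
                role_id=self.role_id)
            self.addCleanup(
                self.admin_roles_client.delete_role_from_group_on_system,
                group_id=group_id,
                role_id=self.role_id)
            self.do_request(
                'delete_role_from_group_on_system',
                expected_status=exceptions.Forbidden,
                group_id=group_id,
                role_id=self.role_id)


class DomainReaderTests(DomainMemberTests):
    # Re-runs every DomainMemberTests case with the domain_reader persona;
    # system_admin is listed as well because the base class uses it for
    # setup and cleanup.
    credentials = ['domain_reader', 'system_admin']


class ProjectAdminTests(IdentityV3RbacGrantTest, base.BaseIdentityTest):
    credentials = ['project_admin',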
'system_admin']

    def test_identity_check_grant(self):
        # A project admin must not be able to probe role assignments.
        # Every combination below is expected to be Forbidden: a global
        # role, the role from the persona's own domain (which does not
        # match the other-domain target) and the role from the other
        # domain, each checked against project/domain x user/group.
        probes = (
            ('check_user_role_existence_on_project',
             {'project_id': self.project_other_domain,
              'user_id': self.user_other_domain}),
            ('check_role_from_group_on_project_existence',
             {'project_id': self.project_other_domain,
              'group_id': self.group_other_domain}),
            ('check_user_role_existence_on_domain',
             {'domain_id': self.other_domain,
              'user_id': self.user_other_domain}),
            ('check_role_from_group_on_domain_existence',
             {'domain_id': self.other_domain,
              'group_id': self.group_other_domain}),
        )
        roles = (self.role_id, self.role_own_domain, self.role_other_domain)
        for role in roles:
            for client_method, target in probes:
                self.do_request(
                    client_method,
                    expected_status=exceptions.Forbidden,
                    **target,
                    role_id=role)

    def test_identity_list_grants(self):
        # Listing the roles an arbitrary user or group holds on an
        # arbitrary project or domain must be Forbidden for this persona.
        listings = (
            # arbitrary project, arbitrary user
            ('list_user_roles_on_project',
             {'project_id': self.project_other_domain,
              'user_id': self.user_other_domain}),
            # arbitrary project, arbitrary group
            ('list_group_roles_on_project',
             {'project_id': self.project_other_domain,
              'group_id': self.group_other_domain}),
            # arbitrary domain, arbitrary user
            ('list_user_roles_on_domain',
             {'domain_id': self.other_domain,
              'user_id': self.user_other_domain}),
            # arbitrary domain, arbitrary group
            ('list_group_roles_on_domain',
             {'domain_id': self.other_domain,
              'group_id': self.group_other_domain}),
        )
        for client_method, target in listings:
            self.do_request(
                client_method,
                expected_status=exceptions.Forbidden,
                **target)
        # other domain-specific tests not applicable to system user
        # NOTE(review): this class runs as project_admin; the wording above
        # looks carried over from another persona's tests - confirm.

    def test_identity_create_grant(self):
        # Creating a role assignment on an arbitrary project or domain must
        # be Forbidden for this persona, for a global role as well as for a
        # domain-specific one.
        project_user = {'project_id': self.project_other_domain,
                        'user_id': self.user_other_domain}
        project_group = {'project_id': self.project_other_domain,
                         'group_id': self.group_other_domain}
        domain_user = {'domain_id': self.other_domain,
                       'user_id': self.user_other_domain}
        domain_group = {'domain_id': self.other_domain,
                        'group_id': self.group_other_domain}
        # (client method, target, role, admin cleanup method or None)
        # NOTE(review): a cleanup is registered after three of the four
        # domain-specific requests although each is expected to be refused,
        # so the assignment it would delete presumably never exists; the
        # fourth case registers none. Verify how the admin delete behaves
        # on a missing assignment, and whether the asymmetry is intended.
        attempts = (
            ('create_user_role_on_project', project_user,
             self.role_id, None),
            ('create_group_role_on_project', project_group,
             self.role_id, None),
            ('create_user_role_on_domain', domain_user,
             self.role_id, None),
            ('create_group_role_on_domain', domain_group,
             self.role_id, None),
            ('create_user_role_on_project', project_user,
             self.role_other_domain, 'delete_role_from_user_on_project'),
            ('create_group_role_on_project', project_group,
             self.role_other_domain, 'delete_role_from_group_on_project'),
            ('create_user_role_on_domain', domain_user,
             self.role_other_domain, 'delete_role_from_user_on_domain'),
            ('create_group_role_on_domain', domain_group,
             self.role_other_domain, None),
        )
        for client_method, target, role, undo_name in attempts:
            self.do_request(
                client_method,
                expected_status=exceptions.Forbidden,
                **target,
                role_id=role)
            if undo_name is not None:
                self.addCleanup(
                    getattr(self.admin_roles_client, undo_name),
                    **target,
                    role_id=role)
        # other domain-specific tests not applicable to system user

    def test_identity_revoke_grant(self):
        # In each case the admin client creates the assignment first, so
        # the delete attempted by the persona targets a grant that exists.
        # global role, arbitrary project, arbitrary user
        self.admin_roles_client.create_user_role_on_project(
            project_id=self.project_other_domain,
            user_id=self.user_other_domain,
            role_id=self.role_id)
        self.do_request(
            'delete_role_from_user_on_project',
            expected_status=exceptions.Forbidden,
            project_id=self.project_other_domain,
            user_id=self.user_other_domain,
            role_id=self.role_id)
        # global role, arbitrary project, arbitrary group
        self.admin_roles_client.create_group_role_on_project(
            project_id=self.project_other_domain,
            group_id=self.group_other_domain,
            role_id=self.role_id)
        self.do_request(
            'delete_role_from_group_on_project',
            expected_status=exceptions.Forbidden,
            project_id=self.project_other_domain,
group_id=self.group_other_domain,3547 role_id=self.role_id)3548 # global role, arbitrary domain, arbitrary user3549 self.admin_roles_client.create_user_role_on_domain(3550 domain_id=self.other_domain,3551 user_id=self.user_other_domain,3552 role_id=self.role_id)3553 self.do_request(3554 'delete_role_from_user_on_domain',3555 expected_status=exceptions.Forbidden,3556 domain_id=self.other_domain,3557 user_id=self.user_other_domain,3558 role_id=self.role_id)3559 # global role, arbitrary domain, arbitrary group3560 self.admin_roles_client.create_group_role_on_domain(3561 domain_id=self.other_domain,3562 group_id=self.group_other_domain,3563 role_id=self.role_id)3564 self.do_request(3565 'delete_role_from_group_on_domain',3566 expected_status=exceptions.Forbidden,3567 domain_id=self.other_domain,3568 group_id=self.group_other_domain,3569 role_id=self.role_id)3570 # domain-specific role, arbitrary project, arbitrary user3571 self.admin_roles_client.create_user_role_on_project(3572 project_id=self.project_other_domain,3573 user_id=self.user_other_domain,3574 role_id=self.role_other_domain)3575 self.do_request(3576 'delete_role_from_user_on_project',3577 expected_status=exceptions.Forbidden,3578 project_id=self.project_other_domain,3579 user_id=self.user_other_domain,3580 role_id=self.role_other_domain)3581 # domain-specific role, arbitrary project, arbitrary group3582 self.admin_roles_client.create_group_role_on_project(3583 project_id=self.project_other_domain,3584 group_id=self.group_other_domain,3585 role_id=self.role_other_domain)3586 self.do_request(3587 'delete_role_from_group_on_project',3588 expected_status=exceptions.Forbidden,3589 project_id=self.project_other_domain,3590 group_id=self.group_other_domain,3591 role_id=self.role_other_domain)3592 # domain-specific role, arbitrary domain, arbitrary user3593 self.admin_roles_client.create_user_role_on_domain(3594 domain_id=self.other_domain,3595 user_id=self.user_other_domain,3596 role_id=self.role_other_domain)3597 
self.do_request(3598 'delete_role_from_user_on_domain',3599 expected_status=exceptions.Forbidden,3600 domain_id=self.other_domain,3601 user_id=self.user_other_domain,3602 role_id=self.role_other_domain)3603 # domain-specific role, arbitrary domain, arbitrary group3604 self.admin_roles_client.create_group_role_on_domain(3605 domain_id=self.other_domain,3606 group_id=self.group_other_domain,3607 role_id=self.role_other_domain)3608 self.do_request(3609 'delete_role_from_group_on_domain',3610 expected_status=exceptions.Forbidden,3611 domain_id=self.other_domain,3612 group_id=self.group_other_domain,3613 role_id=self.role_other_domain)3614 # other domain-specific tests not applicable to system user3615 def test_identity_list_system_grants_for_user(self):3616 self.do_request('list_user_roles_on_system',3617 expected_status=exceptions.Forbidden,3618 user_id=self.user_other_domain)3619 def test_identity_check_system_grant_for_user(self):3620 self.do_request('check_user_role_existence_on_system',3621 exceptions.Forbidden,3622 user_id=self.user_other_domain,3623 role_id=self.role_id)3624 def test_identity_create_system_grant_for_user(self):3625 self.do_request(3626 'create_user_role_on_system',3627 expected_status=exceptions.Forbidden,3628 user_id=self.user_other_domain,3629 role_id=self.role_id)3630 def test_identity_revoke_system_grant_for_user(self):3631 self.admin_roles_client.create_user_role_on_system(3632 user_id=self.user_other_domain,3633 role_id=self.role_id)3634 self.do_request(3635 'delete_role_from_user_on_system',3636 exceptions.Forbidden,3637 user_id=self.user_other_domain,3638 role_id=self.role_id)3639 def test_identity_list_system_grants_for_group(self):3640 self.do_request('list_group_roles_on_system',3641 exceptions.Forbidden,3642 group_id=self.group_other_domain)3643 def test_identity_check_system_grant_for_group(self):3644 self.do_request('check_role_from_group_on_system_existence',3645 exceptions.Forbidden,3646 group_id=self.group_other_domain,3647 
role_id=self.role_id)3648 def test_identity_create_system_grant_for_group(self):3649 self.do_request(3650 'create_group_role_on_system',3651 expected_status=exceptions.Forbidden,3652 group_id=self.group_other_domain,3653 role_id=self.role_id)3654 def test_identity_revoke_system_grant_for_group(self):3655 self.admin_roles_client.create_group_role_on_system(3656 group_id=self.group_other_domain,3657 role_id=self.role_id)3658 self.do_request(3659 'delete_role_from_group_on_system',3660 expected_status=exceptions.Forbidden,3661 group_id=self.group_other_domain,3662 role_id=self.role_id)3663class ProjectMemberTests(ProjectAdminTests):3664 credentials = ['project_member', 'system_admin']3665class ProjectReaderTests(ProjectMemberTests):...


test_roles.py

Source:test_roles.py Github


...102 for i in roles:103 self.fetched_role_ids.append(i['id'])104 self._list_assertions(roles, self.fetched_role_ids,105 self.role['id'])106 self.roles_client.check_user_role_existence_on_domain(107 self.domain['id'], self.user_body['id'], self.role['id'])108 self.roles_client.delete_role_from_user_on_domain(109 self.domain['id'], self.user_body['id'], self.role['id'])110 @test.idempotent_id('cbf11737-1904-4690-9613-97bcbb3df1c4')111 def test_grant_list_revoke_role_to_group_on_project(self):112 # Grant role to group on project113 self.roles_client.assign_group_role_on_project(114 self.project['id'], self.group_body['id'], self.role['id'])115 # List group roles on project116 roles = self.roles_client.list_group_roles_on_project(117 self.project['id'], self.group_body['id'])['roles']118 for i in roles:119 self.fetched_role_ids.append(i['id'])120 self._list_assertions(roles, self.fetched_role_ids,...

