| author | Jenkins <jenkins@review.openstack.org> | 2013-04-23 17:10:34 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-04-23 17:10:34 +0000 |
| commit | 4960ce161ce29601957b43eb45f15ced3ecbde0d (patch) | |
| tree | 2f2e87bbd4928a0ece61c50ec271a9a2c56ec396 | |
| parent | e6b76cea95cf1cc8eec3acfaa5fb3bd95e919249 (diff) | |
| parent | 50073c5a0e00389518ee414e3ef1ef1f5db1676d (diff) | |
| download | keystone-4960ce161ce29601957b43eb45f15ced3ecbde0d.tar.gz keystone-4960ce161ce29601957b43eb45f15ced3ecbde0d.tar.xz keystone-4960ce161ce29601957b43eb45f15ced3ecbde0d.zip | |
Merge "Add rule for list_groups_for_user in policy.json"
| -rw-r--r-- | etc/policy.json | 1 | ||||
| -rw-r--r-- | tests/test_v3_identity.py | 37 |
2 files changed, 38 insertions, 0 deletions
diff --git a/etc/policy.json b/etc/policy.json
index 17da8eac..f53161ef 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -38,6 +38,7 @@
 "identity:get_group": [["rule:admin_required"]],
 "identity:list_groups": [["rule:admin_required"]],
+ "identity:list_groups_for_user": [["rule:admin_or_owner"]],
 "identity:create_group": [["rule:admin_required"]],
 "identity:update_group": [["rule:admin_required"]],
 "identity:delete_group": [["rule:admin_required"]],
diff --git a/tests/test_v3_identity.py b/tests/test_v3_identity.py
index e9fe44c9..d212857b 100644
--- a/tests/test_v3_identity.py
+++ b/tests/test_v3_identity.py
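Review bot: The new `"identity:list_groups_for_user": [["rule:admin_or_owner"]]` entry delegates to a rule defined outside this hunk, so whether the owner branch really compares the authenticated user with the `{user_id}` in the request path depends on that rule's definition and on the target the controller hands to the policy check, neither of which this change shows. The third scenario in the accompanying test (a second ordinary user expecting a 403) is what makes that assumption verifiable, so the policy line and the test belong together and should not be backported separately. Deployments that ship a customized policy.json will not pick up this key automatically; presumably the file's fallback `default` rule then decides the outcome, which is worth a sentence in the release notes.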
@@ -349,6 +349,43 @@ class IdentityTestCase(test_v3.RestfulTestCase):
 self.put('/groups/%(group_id)s/users/%(user_id)s' % {
 'group_id': self.group_id, 'user_id': self.user['id']})
 
+ def test_list_groups_for_user(self):
+ """GET /users/{user_id}/groups"""
+
+ self.user1 = self.new_user_ref(
+ domain_id=self.domain['id'])
+ self.user1['password'] = uuid.uuid4().hex
+ self.identity_api.create_user(self.user1['id'], self.user1)
+ self.user2 = self.new_user_ref(
+ domain_id=self.domain['id'])
+ self.user2['password'] = uuid.uuid4().hex
+ self.identity_api.create_user(self.user1['id'], self.user2)
+ self.put('/groups/%(group_id)s/users/%(user_id)s' % {
+ 'group_id': self.group_id, 'user_id': self.user1['id']})
+
+ #Scenarios below are written to test the default policy configuration
+
+ #One should be allowed to list one's own groups
+ auth = self.build_authentication_request(
+ user_id=self.user1['id'],
+ password=self.user1['password'])
+ r = self.get('/users/%(user_id)s/groups' % {
+ 'user_id': self.user1['id']}, auth=auth)
+ self.assertValidGroupListResponse(r, ref=self.group)
+
+ #Administrator is allowed to list others' groups
+ r = self.get('/users/%(user_id)s/groups' % {
+ 'user_id': self.user1['id']})
+ self.assertValidGroupListResponse(r, ref=self.group)
+
+ #Ordinary users should not be allowed to list other's groups
+ auth = self.build_authentication_request(
+ user_id=self.user2['id'],
+ password=self.user2['password'])
+ r = self.get('/users/%(user_id)s/groups' % {
+ 'user_id': self.user1['id']}, auth=auth,
+ expected_status=exception.ForbiddenAction.code)
+
 def test_check_user_in_group(self):
 """HEAD /groups/{group_id}/users/{user_id}"""
 self.put('/groups/%(group_id)s/users/%(user_id)s' % { |
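Review bot: `self.identity_api.create_user(self.user1['id'], self.user2)` registers the second user under the first user's id, so the "ordinary users should not be allowed to list other's groups" scenario is not guaranteed to be exercising a distinct user; the line should read `self.identity_api.create_user(self.user2['id'], self.user2)`. Whether the test still passes as written depends on whether the identity backend honours the `user_id` argument or reads `user['id']` from the dict, which this hunk does not show, so the assertion of a 403 for a non-owner may currently be passing by accident. Two smaller points: the last `r = self.get(...)` result is never used in the forbidden scenario and can be dropped, and the comments would match the file's PEP 8 style as `# Scenarios below ...` with a space after the hash. IdentityTestCase begins before this hunk.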
