author | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-06-21 22:50:40 +0100 |
---|---|---|
committer | Henry Nash <henryn@linux.vnet.ibm.com> | 2013-07-03 21:30:09 +0100 |
commit | fa10d4945ca9658eff02b1d8e917fde50d6576ce (patch) | |
tree | b5c50890695d8a503dc130a5c219cf543051cc2c /tests/test_backend.py | |
parent | 62d948a66b27ad2622a324bd9a070346f7b607d2 (diff) | |
Implement GET /role_assignment API call
Add support for the GET /role_assignment call as a first step
to making role_assignment a first class entity.
This patch also enables v3 collection filtering to match against
attributes of entities being returned in the list, using the same
dot notation (e.g. user.id) that we already support for policy file
checking against filters.
Limitations:
- The current implementation uses the standard v3 collections wrapper
mechanism for filtering. Given the potential numbers of role
assignments in a large system, this may have performance and resource
impacts. A future improvement would pass the filters into the
driver layer to keep the internal assignment processing to a minimum.
- The LDAP backend is not currently supported
Implements bp get-role-assignments
Change-Id: I6ff2ea780e39d7097a88214fbb3ddee1b924c30c
Diffstat (limited to 'tests/test_backend.py')
-rw-r--r-- | tests/test_backend.py | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/tests/test_backend.py b/tests/test_backend.py
index ea40cd8b..f8d04b6e 100644
--- a/tests/test_backend.py
+++ b/tests/test_backend.py
@@ -482,6 +482,72 @@ class IdentityTests(object):
 self.identity_api.get_project, 'fake2')
+ def test_list_role_assignments_unfiltered(self):
+ """Test for unfiltered listing role assignments.
+
+ Test Plan:
+ - Create a domain, with a user, group & project
+ - Find how many role assignments already exist (from default
+ fixtures)
+ - Create a grant of each type (user/group on project/domain)
+ - Check the number of assignments has gone up by 4 and that
+ the entries we added are in the list returned
+
+ """
+ new_domain = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex}
+ self.identity_api.create_domain(new_domain['id'], new_domain)
+ new_user = {'id': uuid.uuid4().hex, 'name': uuid.uuid4().hex,
+ 'password': uuid.uuid4().hex, 'enabled': True,
+ 'domain_id': new_domain['id']}
+ self.identity_api.create_user(new_user['id'],
+ new_user)
+ new_group = {'id': uuid.uuid4().hex, 'domain_id': new_domain['id'],
+ 'name': uuid.uuid4().hex}
+ self.identity_api.create_group(new_group['id'], new_group)
+ new_project = {'id': uuid.uuid4().hex,
+ 'name': uuid.uuid4().hex,
+ 'domain_id': new_domain['id']}
+ self.identity_api.create_project(new_project['id'], new_project)
+
+ # First check how many role grant already exist
+ existing_assignments = len(self.identity_api.list_role_assignments())
+
+ # Now create the grants (roles are defined in default_fixtures)
+ self.identity_api.create_grant(user_id=new_user['id'],
+ domain_id=new_domain['id'],
+ role_id='member')
+ self.identity_api.create_grant(user_id=new_user['id'],
+ project_id=new_project['id'],
+ role_id='other')
+ self.identity_api.create_grant(group_id=new_group['id'],
+ domain_id=new_domain['id'],
+ role_id='admin')
+ self.identity_api.create_grant(group_id=new_group['id'],
+ project_id=new_project['id'],
+ role_id='admin')
+
+ # Read back the list of assignments - check it is gone up by 4
+ assignment_list = self.identity_api.list_role_assignments()
+ self.assertEquals(len(assignment_list), existing_assignments + 4)
+
+ # Now check that each of our four new entries are in the list
+ self.assertIn(
+ {'user_id': new_user['id'], 'domain_id': new_domain['id'],
+ 'role_id': 'member'},
+ assignment_list)
+ self.assertIn(
+ {'user_id': new_user['id'], 'project_id': new_project['id'],
+ 'role_id': 'other'},
+ assignment_list)
+ self.assertIn(
+ {'group_id': new_group['id'], 'domain_id': new_domain['id'],
+ 'role_id': 'admin'},
+ assignment_list)
+ self.assertIn(
+ {'group_id': new_group['id'], 'project_id': new_project['id'],
+ 'role_id': 'admin'},
+ assignment_list)
+
 def test_add_duplicate_role_grant(self):
 roles_ref = self.identity_api.get_roles_for_user_and_project(
 self.user_foo['id'], self.tenant_bar['id']) |
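Review bot: `test_list_role_assignments_unfiltered` is added to the shared `IdentityTests` base class, whose header is outside this hunk, so every backend suite that inherits it will presumably run it, although the commit message says the LDAP backend is not supported. Unless the LDAP test class overrides or skips it elsewhere in the commit (this diff is limited to `tests/test_backend.py`), that suite would likely fail on `list_role_assignments()`. The test also covers only the additive direction: because this listing reports authorization data, it is worth revoking one of the four grants with `delete_grant` and asserting the entry is gone, so that a backend returning stale assignments is caught. As a minor style point, `assertEquals` is a deprecated alias; prefer `self.assertEqual(len(assignment_list), existing_assignments + 4)`.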