From d5443e2ef0ac8d1c33ba3644ddb9053b68a6ed0d Mon Sep 17 00:00:00 2001
From: Jesse Andrews <anotherjesse@gmail.com>
Date: Thu, 26 Jan 2012 00:26:30 -0600
Subject: initial stab at requiring adminness

---
 tests/test_keystoneclient.py | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tests/test_keystoneclient.py b/tests/test_keystoneclient.py
index 477aa304..cb531704 100644
--- a/tests/test_keystoneclient.py
+++ b/tests/test_keystoneclient.py
@@ -369,3 +369,41 @@ class KcMasterTestCase(CompatTestCase):
         services = client.services.list()
         # TODO(devcamcar): This assert should be more specific.
         self.assertTrue(len(services) > 0)
+
+    def test_admin_requires_adminness(self):
+        from keystoneclient import exceptions as client_exceptions
+        # FIXME(termie): this should be Unauthorized
+        exception = client_exceptions.ClientException
+
+        two = self.get_client(self.user_two)  # non-admin user
+
+        # USER CRUD
+        self.assertRaises(exception, two.users.list)
+        self.assertRaises(exception, two.users.get, self.user_two['id'])
+        self.assertRaises(exception, two.users.create, name='oops',
+                          password='password', email='oops@test.com')
+        self.assertRaises(exception, two.users.delete, self.user_foo['id'])
+
+        # TENANT CRUD
+        # NOTE(ja): tenants.list is different since /tenants fulfills the
+        #           two different tasks: return list of all tenants & return
+        #           list of tenants the current user is a member of...
+        #           which means if you are admin getting the list
+        #           of tenants for admin user is annoying?
+        tenants = two.tenants.list()
+        self.assertTrue(len(tenants) == 1)
+        self.assertTrue(tenants[0].id == self.tenant_baz['id'])
+        self.assertRaises(exception, two.tenants.get, self.tenant_bar['id'])
+        self.assertRaises(exception, two.tenants.create,
+                          tenant_name='oops', description="shouldn't work!",
+                          enabled=True)
+        self.assertRaises(exception, two.tenants.delete, self.tenant_baz['id'])
+
+        # ROLE CRUD
+        self.assertRaises(exception, two.roles.get, role='keystone_admin')
+        self.assertRaises(exception, two.roles.list)
+        self.assertRaises(exception, two.roles.create, name='oops')
+        self.assertRaises(exception, two.roles.delete, name='keystone_admin')
+
+        # TODO(ja): MEMBERSHIP CRUD
+        # TODO(ja): determine what else todo
-- 
cgit