authorZuul <zuul@review.openstack.org>2019-03-26 16:27:31 +0000
committerGerrit Code Review <review@openstack.org>2019-03-26 16:27:31 +0000
commitddf9be4b06ab417fb98a021374c7b7873784c060 (patch)
treec2d16341846af5853c964af6dd9348e258da79ea
parent31460775f264a0e451fd659dd58da87d59c5ab82 (diff)
parent56e48127938be2d67b984d00b155833532233713 (diff)
Merge "Test domain and project users against group system assignment API" into stable/stein
-rw-r--r--keystone/tests/unit/protection/v3/test_system_assignments.py62
-rw-r--r--releasenotes/notes/bug-1750669-dfce859550126f03.yaml24
2 files changed, 75 insertions, 11 deletions
diff --git a/keystone/tests/unit/protection/v3/test_system_assignments.py b/keystone/tests/unit/protection/v3/test_system_assignments.py
index 5f27431f3..72adc1d67 100644
--- a/keystone/tests/unit/protection/v3/test_system_assignments.py
+++ b/keystone/tests/unit/protection/v3/test_system_assignments.py
@@ -229,6 +229,68 @@ class _DomainAndProjectUserSystemAssignmentTests(object):
expected_status_code=http_client.FORBIDDEN
)
+ def test_user_cannot_list_group_system_role_assignments(self):
+ group = PROVIDERS.identity_api.create_group(
+ unit.new_group_ref(CONF.identity.default_domain_id)
+ )
+
+ PROVIDERS.assignment_api.create_system_grant_for_group(
+ group['id'], self.bootstrapper.member_role_id
+ )
+
+ with self.test_client() as c:
+ c.get(
+ '/v3/system/groups/%s/roles' % group['id'], headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_check_group_system_role_assignments(self):
+ group = PROVIDERS.identity_api.create_group(
+ unit.new_group_ref(CONF.identity.default_domain_id)
+ )
+
+ PROVIDERS.assignment_api.create_system_grant_for_group(
+ group['id'], self.bootstrapper.member_role_id
+ )
+
+ with self.test_client() as c:
+ c.get(
+ '/v3/system/groups/%s/roles/%s' % (
+ group['id'], self.bootstrapper.member_role_id
+ ), headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_grant_group_system_assignments(self):
+ group = PROVIDERS.identity_api.create_group(
+ unit.new_group_ref(CONF.identity.default_domain_id)
+ )
+
+ with self.test_client() as c:
+ c.put(
+ '/v3/system/groups/%s/roles/%s' % (
+ group['id'], self.bootstrapper.member_role_id
+ ), headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
+ def test_user_cannot_revoke_group_system_assignments(self):
+ group = PROVIDERS.identity_api.create_group(
+ unit.new_group_ref(CONF.identity.default_domain_id)
+ )
+
+ PROVIDERS.assignment_api.create_system_grant_for_group(
+ group['id'], self.bootstrapper.member_role_id
+ )
+
+ with self.test_client() as c:
+ c.delete(
+ '/v3/system/groups/%s/roles/%s' % (
+ group['id'], self.bootstrapper.member_role_id
+ ), headers=self.headers,
+ expected_status_code=http_client.FORBIDDEN
+ )
+
class SystemReaderTests(base_classes.TestCaseWithBootstrap,
common_auth.AuthTestMixin,
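Review bot: The grant and revoke tests only assert on the 403 status and never inspect the resulting state, so a regression in which the assignment is written or deleted before policy enforcement rejects the request would still pass; after the `c.put(...)` block in `test_user_cannot_grant_group_system_assignments` add a state check such as `self.assertEqual([], PROVIDERS.assignment_api.list_system_grants_for_group(group['id']))`, and the mirror check in `test_user_cannot_revoke_group_system_assignments` that the seeded grant is still present after the rejected `c.delete(...)`. The same state assertion would make `test_user_cannot_list_group_system_role_assignments` and `test_user_cannot_check_group_system_role_assignments` more meaningful by confirming the grant they rely on was actually created by the provider call rather than assumed. All four new methods repeat the same `create_group` / `create_system_grant_for_group` setup; a small helper on the mixin would keep them aligned with the existing user-scoped variants. The enclosing class `_DomainAndProjectUserSystemAssignmentTests` starts before this hunk.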
diff --git a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
index a5aed56ce..6405f86f3 100644
--- a/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
+++ b/releasenotes/notes/bug-1750669-dfce859550126f03.yaml
@@ -19,18 +19,20 @@ deprecations:
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
[`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
The system assignment policies have been deprecated. The
- ``identity:list_system_grants_for_user`` and
- ``identity:check_system_grant_for_user`` policies now use
+ ``identity:list_system_grants_for_user``,
+ ``identity:check_system_grant_for_user``,
+ ``identity:list_system_grants_for_group``, and
+ ``identity:check_system_grant_for_group`` policies now use
``role:reader and system_scope:all`` instead of
- ``rule:admin_required``. The
- ``identity:create_system_grant_for_user`` and
- ``identity:revoke_system_grant_for_user`` policies now use
- ``role:admin and system_scope:all`` instead of
- ``rule:admin_required``. These new defaults automatically include
- support for a read-only role and allow for more granular access to
- the system assignment API, making it easier for administrators to
- delegate authorization, safely. Please consider these new defaults
- if your deployment overrides the system assignment APIs.
+ ``rule:admin_required``. The ``identity:create_system_grant_for_user``,
+ ``identity:revoke_system_grant_for_user``,
+ ``identity:create_system_grant_for_group``, and
+ ``identity:revoke_system_grant_for_group`` policies now use ``role:admin
+ and system_scope:all`` instead of ``rule:admin_required``. These new
+ defaults automatically include support for a read-only role and allow for
+ more granular access to the system assignment API, making it easier for
+ administrators to delegate authorization, safely. Please consider these new
+ defaults if your deployment overrides the system assignment APIs.
security:
- |
[`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]