diff options
Diffstat (limited to 'keystone/tests/protection/v3/test_application_credential.py')
-rw-r--r-- | keystone/tests/protection/v3/test_application_credential.py | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/keystone/tests/protection/v3/test_application_credential.py b/keystone/tests/protection/v3/test_application_credential.py index 5807d7f90..5f7c2a202 100644 --- a/keystone/tests/protection/v3/test_application_credential.py +++ b/keystone/tests/protection/v3/test_application_credential.py @@ -418,6 +418,72 @@ class OwnerTests(_TestAppCredBase, def test_owner_can_delete_application_credential(self): self._test_delete_application_credential() + def test_user_cannot_lookup_application_credential_for_another_user(self): + # create another user + another_user = unit.new_user_ref( + domain_id=CONF.identity.default_domain_id + ) + another_user_id = PROVIDERS.identity_api.create_user( + another_user + )['id'] + + auth = self.build_authentication_request( + user_id=another_user_id, + password=another_user['password'] + ) + + # authenticate for a token as a completely different user with + # completely different authorization + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + another_user_token = r.headers['X-Subject-Token'] + + # create an application credential as the self.user_id user on a + # project that the user above doesn't have any authorization on + app_cred = self._create_application_credential() + + # attempt to lookup the application credential as another user + with self.test_client() as c: + c.get( + '/v3/users/%s/application_credentials/%s' % ( + another_user_id, + app_cred['id']), + expected_status_code=http.client.FORBIDDEN, + headers={'X-Auth-Token': another_user_token}) + + def test_user_cannot_delete_application_credential_for_another_user(self): + # create another user + another_user = unit.new_user_ref( + domain_id=CONF.identity.default_domain_id + ) + another_user_id = PROVIDERS.identity_api.create_user( + another_user + )['id'] + + auth = self.build_authentication_request( + user_id=another_user_id, + password=another_user['password'] + ) + + # authenticate for a token as a completely different user with + # completely different authorization + with self.test_client() as c: + r = c.post('/v3/auth/tokens', json=auth) + another_user_token = r.headers['X-Subject-Token'] + + # create an application credential as the self.user_id user on a + # project that the user above doesn't have any authorization on + app_cred = self._create_application_credential() + + # attempt to delete the application credential as another user + with self.test_client() as c: + c.delete( + '/v3/users/%s/application_credentials/%s' % ( + another_user_id, + app_cred['id']), + expected_status_code=http.client.FORBIDDEN, + headers={'X-Auth-Token': another_user_token}) + class DomainAdminTests(_TestAppCredBase, common_auth.AuthTestMixin, |