author | Jenkins <jenkins@review.openstack.org> | 2016-02-19 03:34:37 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-02-19 03:34:37 +0000 |
commit | 9097481e81f5b45310f4f5228369325e3bbc0f28 (patch) | |
tree | 80e36f15cb1320165a3753a8f6a75520e1c7fc14 | |
parent | 3897128e13154c401e8e0b71e1643bfa1e179258 (diff) | |
parent | abcee5f3ce234e820e90e2d8bb6823f238fb69e8 (diff) | |
download | python-keystoneclient-9097481e81f5b45310f4f5228369325e3bbc0f28.tar.gz |
Merge "Implied Roles"
-rwxr-xr-x | keystoneclient/tests/functional/v3/test_implied_roles.py | 99 | ||||
-rw-r--r-- | keystoneclient/tests/unit/v3/test_roles.py | 45 | ||||
-rw-r--r-- | keystoneclient/v3/roles.py | 39 | ||||
-rw-r--r-- | releasenotes/notes/implied_roles-ea39d3c3d998d482.yaml | 3 |
4 files changed, 186 insertions, 0 deletions
diff --git a/keystoneclient/tests/functional/v3/test_implied_roles.py b/keystoneclient/tests/functional/v3/test_implied_roles.py
new file mode 100755
index 0000000..b527f07
--- /dev/null
+++ b/keystoneclient/tests/functional/v3/test_implied_roles.py
@@ -0,0 +1,99 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystoneclient.tests.functional import base
+
+role_defs = ["test_admin",
+ "test_id_manager",
+ "test_resource_manager",
+ "test_role_manager",
+ "test_assignment_manager",
+ "test_domain_manager",
+ "test_project_manager",
+ "test_catalog_manager",
+ "test_policy_manager",
+ "test_observer",
+ "test_domain_tech_lead",
+ "test_project_observer",
+ "test_member"]
+
+inference_rules = {"test_admin": "test_id_manager",
+ "test_admin": "test_resource_manager",
+ "test_admin": "test_role_manager",
+ "test_admin": "test_catalog_manager",
+ "test_admin": "test_policy_manager",
+ "test_id_manager": "test_project_observer",
+ "test_resource_manager": "test_project_observer",
+ "test_role_manager": "test_project_observer",
+ "test_catalog_manager": "test_project_observer",
+ "test_policy_manager": "test_project_observer",
+ "test_project_observer": "test_observer",
+ "test_member": "test_observer"}
+
+
+class TestImpliedRoles(base.V3ClientTestCase):
+
+ def setUp(self):
+ super(TestImpliedRoles, self).setUp()
+ self.delete_rules()
+ self.delete_roles()
+
+ def test_implied_roles(self):
+
+ initial_role_count = len(self.client.roles.list())
+ initial_rule_count = len(self.client.roles.list_role_inferences())
+
+ self.create_roles()
+ self.create_rules()
+ role_count = len(self.client.roles.list())
+ self.assertEqual(initial_role_count + len(role_defs),
+ role_count)
+ rule_count = len(self.client.roles.list_role_inferences())
+ self.assertEqual(initial_rule_count + len(inference_rules),
+ rule_count)
+
+ self.delete_rules()
+ self.delete_roles()
+ role_count = len(self.client.roles.list())
+ self.assertEqual(initial_role_count, role_count)
+ rule_count = len(self.client.roles.list_role_inferences())
+ self.assertEqual(initial_rule_count, rule_count)
+
+ def role_dict(self):
+ roles = {role.name: role.id for role in self.client.roles.list()}
+ return roles
+
+ def create_roles(self):
+ for role_def in role_defs:
+ self.client.roles.create(role_def)
+
+ def delete_roles(self):
+ roles = self.role_dict()
+ for role_def in role_defs:
+ print ("role %s" % role_def)
+ try:
+ self.client.roles.delete(roles[role_def])
+ except KeyError:
+ pass
+
+ def create_rules(self):
+ roles = self.role_dict()
+ for prior, implied in inference_rules.items():
+ self.client.roles.create_implied(roles[prior], roles[implied])
+
+ def delete_rules(self):
+ roles = self.role_dict()
+ for prior, implied in inference_rules.items():
+ try:
+ self.client.roles.delete_implied(roles[prior], roles[implied])
+ except KeyError:
+ pass
diff --git a/keystoneclient/tests/unit/v3/test_roles.py b/keystoneclient/tests/unit/v3/test_roles.py
index 9606ede..784c233 100644
--- a/keystoneclient/tests/unit/v3/test_roles.py
+++ b/keystoneclient/tests/unit/v3/test_roles.py
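Review bot: In keystoneclient/tests/functional/v3/test_implied_roles.py, `inference_rules` is a dict literal that repeats the key `"test_admin"` five times, so Python keeps only the last pair and the test exercises 8 rules instead of the 12 listed; the `len(inference_rules)` assertion still passes because it counts the collapsed dict. A list of `(prior, implied)` pairs keeps every rule, with `create_rules` and `delete_rules` iterating the list directly instead of calling `.items()`. Whether `list_role_inferences()` returns one entry per rule or one per prior role is not visible here, so the `initial_rule_count + len(inference_rules)` assertion needs re-checking once all 12 rules are really created. The cleanup at the end of `test_implied_roles` only runs when every assertion passes, so a failure leaves the `test_*` roles and their inference rules behind in the Keystone under test until the next `setUp`; registering the deletions with `self.addCleanup` would avoid that.

```python
inference_rules = [("test_admin", "test_id_manager"),
                   ("test_admin", "test_resource_manager"),
                   ("test_admin", "test_role_manager"),
                   ("test_admin", "test_catalog_manager"),
                   ("test_admin", "test_policy_manager"),
                   ("test_id_manager", "test_project_observer"),
                   ("test_resource_manager", "test_project_observer"),
                   ("test_role_manager", "test_project_observer"),
                   ("test_catalog_manager", "test_project_observer"),
                   ("test_policy_manager", "test_project_observer"),
                   ("test_project_observer", "test_observer"),
                   ("test_member", "test_observer")]

# … unchanged: TestImpliedRoles.setUp, test_implied_roles, role_dict, create_roles, delete_roles …

    def create_rules(self):
        roles = self.role_dict()
        for prior, implied in inference_rules:
            self.client.roles.create_implied(roles[prior], roles[implied])

    def delete_rules(self):
        roles = self.role_dict()
        for prior, implied in inference_rules:
            # … unchanged: try/except KeyError around delete_implied …
```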
@@ -572,3 +572,48 @@ class RoleTests(utils.ClientTestCase, utils.CrudTests): project=project_id, group=group_id, user=user_id) + + def test_implied_role_check(self): + prior_role_id = uuid.uuid4().hex + implied_role_id = uuid.uuid4().hex + self.stub_url('HEAD', + ['roles', prior_role_id, 'implies', implied_role_id], + status_code=200) + + self.manager.check_implied(prior_role_id, implied_role_id) + + def test_implied_role_get(self): + prior_role_id = uuid.uuid4().hex + implied_role_id = uuid.uuid4().hex + self.stub_url('GET', + ['roles', prior_role_id, 'implies', implied_role_id], + json={'role': {}}, + status_code=204) + + self.manager.get_implied(prior_role_id, implied_role_id) + + def test_implied_role_create(self): + prior_role_id = uuid.uuid4().hex + implied_role_id = uuid.uuid4().hex + self.stub_url('PUT', + ['roles', prior_role_id, 'implies', implied_role_id], + status_code=200) + + self.manager.create_implied(prior_role_id, implied_role_id) + + def test_implied_role_delete(self): + prior_role_id = uuid.uuid4().hex + implied_role_id = uuid.uuid4().hex + self.stub_url('DELETE', + ['roles', prior_role_id, 'implies', implied_role_id], + status_code=200) + + self.manager.delete_implied(prior_role_id, implied_role_id) + + def test_list_role_inferences(self, **kwargs): + self.stub_url('GET', + ['role_inferences', ''], + json={'role_inferences': {}}, + status_code=204) + + self.manager.list_role_inferences() diff --git a/keystoneclient/v3/roles.py b/keystoneclient/v3/roles.py index bc1da69..4082eb6 100644 --- a/keystoneclient/v3/roles.py +++ b/keystoneclient/v3/roles.py @@ -32,6 +32,17 @@ class Role(base.Resource): pass +class InferenceRule(base.Resource): + """Represents an Rule that states one ROle implies another + + Attributes: + * prior_role: this role implies the other + * implied_role: this role is implied by the other + + """ + pass + + class RoleManager(base.CrudManager): """Manager class for manipulating Identity roles.""" resource_class = Role 
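Review bot: None of the five tests added to keystoneclient/tests/unit/v3/test_roles.py asserts anything about the result, so they pass as long as the manager sends a request to the stubbed URL and does not raise. `test_list_role_inferences` stubs `'role_inferences': {}`, an empty dict, so the list comprehension in `list_role_inferences` never builds an `InferenceRule`; stubbing a one-element list and asserting on the returned object's `prior_role` would cover the parsing. The stubbed status codes also look arbitrary (a `GET` answered with 204 plus a JSON body, `PUT` and `DELETE` with 200) and are worth aligning with what the server actually returns. The unused `**kwargs` on `test_list_role_inferences` can be dropped.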
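Review bot: The `InferenceRule` docstring in keystoneclient/v3/roles.py has two typos (`an Rule`, `ROle`) and its summary line has no closing period; suggest `"""Represents a rule that states one role implies another.` as the first line. The `pass` after the docstring is redundant, though the `pass` visible in `Role` just above suggests this may be the file's convention.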
@@ -85,6 +96,34 @@ class RoleManager(base.CrudManager): name=name, **kwargs) + def _implied_role_url_tail(self, prior_role, implied_role): + base_url = ('/%(prior_role_id)s/implies/%(implied_role_id)s' % + {'prior_role_id': base.getid(prior_role), + 'implied_role_id': base.getid(implied_role)}) + return base_url + + def create_implied(self, prior_role, implied_role, **kwargs): + url_tail = self._implied_role_url_tail(prior_role, implied_role) + self.client.put("/roles" + url_tail, **kwargs) + + def delete_implied(self, prior_role, implied_role, **kwargs): + url_tail = self._implied_role_url_tail(prior_role, implied_role) + return super(RoleManager, self).delete(tail=url_tail, **kwargs) + + def get_implied(self, prior_role, implied_role, **kwargs): + url_tail = self._implied_role_url_tail(prior_role, implied_role) + return super(RoleManager, self).get(tail=url_tail, **kwargs) + + def check_implied(self, prior_role, implied_role, **kwargs): + url_tail = self._implied_role_url_tail(prior_role, implied_role) + return super(RoleManager, self).head(tail=url_tail, **kwargs) + + def list_role_inferences(self, **kwargs): + resp, body = self.client.get('/role_inferences/', **kwargs) + obj_class = InferenceRule + return [obj_class(self, res, loaded=True) + for res in body['role_inferences']] + def get(self, role): return super(RoleManager, self).get( role_id=base.getid(role)) diff --git a/releasenotes/notes/implied_roles-ea39d3c3d998d482.yaml b/releasenotes/notes/implied_roles-ea39d3c3d998d482.yaml new file mode 100644 index 0000000..e00ccae --- /dev/null +++ b/releasenotes/notes/implied_roles-ea39d3c3d998d482.yaml @@ -0,0 +1,3 @@ +--- +features: + - support for implied roles in v3 API. |
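Review bot: In keystoneclient/v3/roles.py, `create_implied` discards the response of `self.client.put(...)` and returns `None`, while `delete_implied`, `get_implied` and `check_implied` all return what the parent manager gives back; since an inference rule widens what a role assignment grants, callers should be able to see the outcome, e.g. `return self.client.put("/roles" + url_tail, **kwargs)`. It is also the only new method that hard-codes `"/roles"` instead of passing `tail=url_tail` to the parent class. `_implied_role_url_tail` formats `base.getid(...)` into the path as-is, so an ID containing `/` or `?` would address a different URL; whether IDs are validated elsewhere is not visible in this hunk. None of the six new methods has a docstring; a one-line summary each, noting that `prior_role` and `implied_role` presumably accept a `Role` or an ID (they go through `base.getid`), would match the class docstring above.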