projects / osm / SO.git / blob
? search:


9d05c3713e4bc5962bfee3b7cff2cdff92985b08
[osm/SO.git] / rwlaunchpad / ra / pytest / ns / rbac / test_rbac_identity.py
1 #!/usr/bin/env python3
2 """
3 #
4 # Copyright 2017 RIFT.IO Inc
5 #
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
9 #
10 # http://www.apache.org/licenses/LICENSE-2.0
11 #
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
17 #
18 #This file contains the code for RIFT-16314, RIFT-16315, RIFT-16536,
19 #RIFT-16537, RIFT-16541, RIFT-16313, RIFT-16692, RIFT-16637, RIFT-16636.
20 """
21 import gi
22 import pytest
23
24 import rift.auto.mano
25
26 gi.require_version('RwUserYang', '1.0')
27 gi.require_version('RwProjectYang', '1.0')
28 gi.require_version('RwRbacPlatformYang', '1.0')
29 gi.require_version('RwRbacInternalYang', '1.0')
30 gi.require_version('RwlogMgmtYang', '1.0')
31
32
33 from gi.repository import (
34 RwUserYang,
35 RwProjectYang,
36 RwRbacPlatformYang,
37 RwRbacInternalYang,
38 RwlogMgmtYang,
39 RwConmanYang
40 )
41 gi.require_version('RwKeyspec', '1.0')
42 from gi.repository.RwKeyspec import quoted_key
43
44
45 @pytest.mark.setup('rbac_setup')
46 @pytest.mark.incremental
47 class TestIdentity(object):
48 """Test Identity."""
49
50 platform_role_users = ['platform_user_admin', 'platform_user_oper', 'platform_user_super_admin']
51 platform_users = ['platform_user_admin', 'platform_user_oper', 'platform_user_test', 'platform_user_super_admin']
52
53 project_roles = (
54 'rw-project-mano:catalog-oper', 'rw-project-mano:catalog-admin',
55 'rw-project-mano:lcm-oper', 'rw-project-mano:lcm-admin',
56 'rw-project-mano:account-oper', 'rw-project-mano:account-admin',
57 'rw-project:project-admin', 'rw-project:project-oper'
58 )
59 platform_roles = (
60 'rw-rbac-platform:platform-admin',
61 'rw-rbac-platform:platform-oper',
62 'rw-rbac-platform:super-admin'
63 )
64
65 RBAC_PROJECTS = ['default']
66 RBAC_USERS = []
67
68 TEST_PROJECTS = []
69 TEST_USERS = []
70
71 # This is required so as to track the
72 # already deleted users when creation and deletion
73 # are performed in ad-hoc way.
74 # Checking this set allows us to ignore Proxy request
75 # errors when deletion is performed twice.
76 DELETED_PROJECTS_TRACKER = set()
77
78 INVALID_CREDENTIALS = {
79 'Jason' * 500: 'likeu' * 500
80 }
81
82 POSSIBLY_PROBLEMATIC_CREDENTIALS = {
83 'Ja#son': ['lik#eu', 'syste#m'],
84 'Ja&son': ['lik&eu', 'syste&m'],
85 'J%ason': ['lik%eu', 'syste%m'],
86 'Jåson': ['likeü', 'system'],
87 '<Jason>': ['<likeu>', '<system>'],
88 '/jason': ['/likeu', '/system;'],
89 'jason;': ['likeu;', 'system;'],
90 'j*son': ['like*u;', 'syste*m'],
91 'j@so?': ['l!keu;', 'system!']
92 }
93
94 INAVLID_LOGIN_CREDENTIALS = {
95 'wrong_username': 'mypasswd',
96 'testuser': 0,
97 0: 'mypasswd',
98 0: 0,
99 'wrong_username': 'wrong_password'
100 }
101
102 INVALID_PROJECT_KEYS = ['this_project_doesnt_exist', 'Test01']
103 INVALID_PROJECT_CREATE_KEYS = ['testproject' * 500, ]
104 #POSSIBLY_PROBLEMATIC_KEYS = ['/projectname', 'project name', 'projectname.', 'project,name', 'Projëçt', 'Pro;je:ct', 'Proj*ct', 'Pr@ject']
105 POSSIBLY_PROBLEMATIC_KEYS = ['/projectname', 'project name', 'projectname.', 'project,name', 'Pro;je:ct', 'Proj*ct', 'Pr@ject']
106
107 def test_platform_roles(self, rw_user_proxy, rbac_platform_proxy, rbac_user_passwd, user_domain, session_class, tbac,
108 confd_host, platform_roles, rw_rbac_int_proxy):
109 # Setting users and roles up for upcoming checks
110 rift.auto.mano.create_user(rw_user_proxy, 'platform_user_super_admin', rbac_user_passwd, user_domain)
111 rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:super-admin',
112 'platform_user_super_admin', user_domain, rw_rbac_int_proxy)
113 rift.auto.mano.create_user(rw_user_proxy, 'platform_user_admin', rbac_user_passwd, user_domain)
114 rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-admin',
115 'platform_user_admin', user_domain, rw_rbac_int_proxy)
116 rift.auto.mano.create_user(rw_user_proxy, 'platform_user_oper', rbac_user_passwd, user_domain)
117 rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-oper',
118 'platform_user_oper', user_domain, rw_rbac_int_proxy)
119 rift.auto.mano.create_user(rw_user_proxy, 'platform_user_test', rbac_user_passwd, user_domain)
120
121 """Various access tests for platform users"""
122
123 # Testing if platform role users have access to /rbac-platform-config
124 for user in self.platform_role_users:
125 user_session = rift.auto.mano.get_session(session_class, confd_host, user, rbac_user_passwd)
126 pxy = user_session.proxy(RwRbacPlatformYang)
127 access_ = pxy.get_config("/rbac-platform-config/user[user-name='platform_user_admin'][user-domain={}]"
128 .format(quoted_key(user_domain)))
129 assert access_ is not None
130 rift.auto.mano.close_session(user_session)
131
132 # Testing if platform role users have access to /rbac-platform-state
133 for user in self.platform_role_users:
134 user_session = rift.auto.mano.get_session(session_class, confd_host, user, rbac_user_passwd)
135 pxy = user_session.proxy(RwRbacPlatformYang)
136 access_ = pxy.get_config("/rbac-platform-state/user[user-name='platform_user_admin'][user-domain={}]"
137 .format(quoted_key(user_domain)))
138 if user == 'platform_user_oper':
139 assert access_ is None
140 else:
141 """At the time of writing this code, /rbac-platform-state/user is unpopulated and so the access_ will be None no matter what.
142 In the future when the path /rbac-platform-state/user is populated this test will break. When that happens, just change
143 the next line to 'access_ is not None'
144 """
145 assert access_ is None
146 rift.auto.mano.close_session(user_session)
147
148 """Changing roles and verifying it """
149
150 # Case 01 Assign and then revoke that role. Assign a second role and see if that sticks and that the older role hasn't stayed on.
151 rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-oper',
152 'platform_user_test', user_domain, rw_rbac_int_proxy)
153 rift.auto.mano.revoke_platform_role_from_user(rbac_platform_proxy, 'rw-rbac-platform:platform-oper',
154 'platform_user_test', user_domain)
155 rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-admin',
156 'platform_user_test', user_domain, rw_rbac_int_proxy)
157 # If the older role didn't stick and the new role did stick (as it should), then the user should be able to change another users password
158 user_session = rift.auto.mano.get_session(session_class, confd_host, 'platform_user_test', rbac_user_passwd)
159 pxy = user_session.proxy(RwUserYang)
160 rift.auto.mano.update_password(pxy, 'platform_user_oper', 'even_newer_password', user_domain, rw_rbac_int_proxy)
161 rift.auto.mano.close_session(user_session)
162
163 # Case 02 Switching the roles back after Case 01
164 rift.auto.mano.revoke_platform_role_from_user(rbac_platform_proxy, 'rw-rbac-platform:platform-admin',
165 'platform_user_test', user_domain)
166 rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-oper',
167 'platform_user_test', user_domain, rw_rbac_int_proxy)
168 # If the older role didn't stick and the new role did stick (as it should), then the user shouldn't be able to change another users password
169 user_session = rift.auto.mano.get_session(session_class, confd_host, 'platform_user_test', rbac_user_passwd)
170 pxy = user_session.proxy(RwUserYang)
171 with pytest.raises(Exception, message="User shouldn't be able to change another user's password") as excinfo:
172 rift.auto.mano.update_password(pxy, 'platform_user_oper', 'new_password', user_domain, rw_rbac_int_proxy)
173 rift.auto.mano.close_session(user_session)
174
175 if not tbac:
176 """Disabling and enabling users and verifying it"""
177
178 rift.auto.mano.create_user(rw_user_proxy, 'disabled_user', rbac_user_passwd, user_domain)
179 rift.auto.mano.update_password(rw_user_proxy, 'platform_user_oper', rbac_user_passwd, user_domain, rw_rbac_int_proxy)
180 # Checking if the disabled user can login
181 rift.auto.mano.disable_user(rw_user_proxy, 'disabled_user', user_domain, rw_rbac_int_proxy)
182 with pytest.raises(Exception, message="User shouldn't be able to login as he is disabled") as excinfo:
183 user_session = rift.auto.mano.get_session(session_class, confd_host, 'disabled_user', rbac_user_passwd, timeout=5)
184 # Checking if he can login after he has been enabled back on.
185 rift.auto.mano.enable_user(rw_user_proxy, 'disabled_user', user_domain, rw_rbac_int_proxy)
186 user_session = rift.auto.mano.get_session(session_class, confd_host, 'disabled_user', rbac_user_passwd)
187 rift.auto.mano.close_session(user_session)
188 # All platform roles trying to change the status of a user
189 for user in self.platform_role_users:
190 user_session = rift.auto.mano.get_session(session_class, confd_host, user, rbac_user_passwd)
191 pxy = user_session.proxy(RwUserYang)
192 if user == 'platform_user_oper':
193 with pytest.raises(Exception, message="Platform oper shouldn't be able to disable other users") as excinfo:
194 rift.auto.mano.disable_user(pxy, 'disabled_user', user_domain, rw_rbac_int_proxy)
195 else:
196 rift.auto.mano.disable_user(pxy, 'disabled_user', user_domain, rw_rbac_int_proxy)
197 rift.auto.mano.enable_user(pxy, 'disabled_user', user_domain, rw_rbac_int_proxy)
198 rift.auto.mano.close_session(user_session)
199
200 # Testing if users can change their own passwords
201 for user in self.platform_users:
202 user_session = rift.auto.mano.get_session(session_class, confd_host, user, rbac_user_passwd)
203 pxy = user_session.proxy(RwUserYang)
204 rift.auto.mano.update_password(pxy, user, 'new_password', user_domain, rw_rbac_int_proxy)
205 rift.auto.mano.close_session(user_session)
206
207 # Testing if platform role users can change the password of another user
208 for idx, user in enumerate(self.platform_role_users, 1):
209 user_session = rift.auto.mano.get_session(session_class, confd_host, user, 'new_password')
210 pxy = user_session.proxy(RwUserYang)
211 if user == 'platform_user_oper':
212 with pytest.raises(Exception, message="User shouldn't be able to change another user's password") as excinfo:
213 rift.auto.mano.update_password(pxy, 'platform_user_test', 'even_newer_password_{}'.format(idx), user_domain, rw_rbac_int_proxy)
214 else:
215 rift.auto.mano.update_password(pxy, 'platform_user_test', 'even_newer_password_{}'.format(idx), user_domain, rw_rbac_int_proxy)
216 rift.auto.mano.close_session(user_session)
217
218 # Testing if platform users have access to logging
219 for user in self.platform_role_users:
220 user_session = rift.auto.mano.get_session(session_class, confd_host, user, 'new_password')
221 pxy = user_session.proxy(RwlogMgmtYang)
222 access_ = pxy.get_config('/logging')
223 assert access_ is not None
224 rpc_input = RwlogMgmtYang.YangInput_RwlogMgmt_ShowLogs.from_dict({'all': 'None'})
225 pxy.rpc(rpc_input)
226 rpc_input_1 = RwlogMgmtYang.YangInput_RwlogMgmt_LogEvent.from_dict({'on': 'None'})
227 pxy.rpc(rpc_input_1)
228 rift.auto.mano.close_session(user_session)
229
230 def rbac_internal_check(self, mgmt_session, xpath):
231
232 rbac_intl_proxy = mgmt_session.proxy(RwRbacInternalYang)
233 rbac_intl_proxy.wait_for(xpath, "active", timeout=5)
234
235 def test_rbac_internal_verification(self, rw_user_proxy, rw_conman_proxy, rbac_user_passwd, user_domain, mgmt_session,
236 rw_project_proxy, rbac_platform_proxy, rw_rbac_int_proxy):
237 """Doing various tasks and verifying if rbac-internal is reflecting these changes properly"""
238
239 # Creating projects and users for verifying the rbac-internal scenario
240 for idx in range(1, 4):
241 project_name = 'rbac_project_{}'.format(idx)
242 rift.auto.mano.create_project(rw_conman_proxy, project_name)
243 self.RBAC_PROJECTS.append(project_name)
244
245 if project_name in self.DELETED_PROJECTS_TRACKER:
246 self.DELETED_PROJECTS_TRACKER.remove(project_name)
247
248 for idx in range(1, 5):
249 rift.auto.mano.create_user(rw_user_proxy, 'rbac_user_{}'.format(idx), rbac_user_passwd, user_domain)
250 self.RBAC_USERS.append('rbac_user_{}'.format(idx))
251
252 # Rbac-Internal Verification
253 project_order = [0, 1, 2, 3, 0]
254 xpath = '/rw-rbac-internal/role[role={role}][keys={project}]/user[user-name={user}][user-domain={domain}]/state-machine/state'
255 # Assigning four users to four projects with two project roles for each user and checking the rbac-internal
256 for idx in range(0, 4):
257 fdx = project_order[idx]
258 ldx = project_order[idx + 1]
259 role = self.project_roles[2 * idx]
260 role1 = self.project_roles[(2 * idx) + 1]
261 rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role, self.RBAC_USERS[idx],
262 self.RBAC_PROJECTS[fdx], user_domain, rw_rbac_int_proxy)
263 self.rbac_internal_check(mgmt_session, xpath.format(role=quoted_key(role), project=quoted_key(self.RBAC_PROJECTS[fdx]),
264 user=quoted_key(self.RBAC_USERS[idx]), domain=quoted_key(user_domain)))
265 rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role1, self.RBAC_USERS[idx],
266 self.RBAC_PROJECTS[ldx], user_domain, rw_rbac_int_proxy)
267 self.rbac_internal_check(mgmt_session, xpath.format(role=quoted_key(role1), project=quoted_key(self.RBAC_PROJECTS[ldx]),
268 user=quoted_key(self.RBAC_USERS[idx]), domain=quoted_key(user_domain)))
269 # Deleting the four projects and then checking rw-rbac-internal
270 for project_name in self.RBAC_PROJECTS:
271 rift.auto.mano.delete_project(rw_conman_proxy, project_name)
272 print ("Deleting project: {}".format(project_name))
273 self.DELETED_PROJECTS_TRACKER.add(project_name)
274
275 for idx in range(0, 4):
276 fdx = project_order[idx]
277 ldx = project_order[idx + 1]
278 role = self.project_roles[2 * idx]
279 role1 = self.project_roles[(2 * idx) + 1]
280
281 with pytest.raises(Exception, message="This user {} (with this role {} and project {}) shouldn't be on rbac-internal."
282 .format(self.RBAC_USERS[idx], role, self.RBAC_PROJECTS[fdx])) as excinfo:
283 self.rbac_internal_check(mgmt_session, xpath.format(role=quoted_key(role), project=quoted_key(self.RBAC_PROJECTS[fdx]),
284 user=quoted_key(self.RBAC_USERS[idx]), domain=quoted_key(user_domain)))
285 with pytest.raises(Exception, message="This user {} (with this role {} and project {}) shouldn't be on rbac-internal."
286 .format(self.RBAC_USERS[idx], role1, self.RBAC_PROJECTS[ldx])) as excinfo:
287 self.rbac_internal_check(mgmt_session, xpath.format(role=quoted_key(role1), project=quoted_key(self.RBAC_PROJECTS[ldx]),
288 user=quoted_key(self.RBAC_USERS[idx]), domain=quoted_key(user_domain)))
289
290 def test_roles_revoke(self, rw_conman_proxy, rw_user_proxy, rbac_platform_proxy, rw_project_proxy,
291 rbac_user_passwd, user_domain, rw_rbac_int_proxy):
292 """Assigning all the roles and then revoking them"""
293
294 # Creating users and assigning each of them a role
295 rift.auto.mano.create_project(rw_conman_proxy, 'test01')
296 for incrementor, role in enumerate(self.project_roles + self.platform_roles, 1):
297 user_name = 'test_user_{}'.format(incrementor)
298 rift.auto.mano.create_user(rw_user_proxy, user_name, rbac_user_passwd, user_domain)
299
300 if 'platform' in role:
301 rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, role, user_name, user_domain, rw_rbac_int_proxy)
302 else:
303
304 rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role, user_name, 'test01', user_domain, rw_rbac_int_proxy)
305
306 # Removing the assigned roles from each user
307 for incrementor, role in enumerate(self.project_roles + self.platform_roles, 1):
308 user_name = 'test_user_{}'.format(incrementor)
309 if 'platform' in role:
310 rift.auto.mano.revoke_platform_role_from_user(rbac_platform_proxy, role, user_name, user_domain)
311 rift.auto.mano.revoke_user_from_platform_config(rbac_platform_proxy, user_name, user_domain)
312 else:
313 rift.auto.mano.revoke_project_role_from_user(rw_project_proxy, role, user_name, 'test01', user_domain)
314
315 def test_misbehaviours(
316 self, rw_user_proxy, rbac_user_passwd, user_domain,
317 session_class, confd_host, tbac, rw_rbac_int_proxy):
318 """Verify if bad credentials can cause any problems."""
319 rift.auto.mano.create_user(
320 rw_user_proxy, 'testuser', rbac_user_passwd, user_domain)
321 # Trying to login with an incorrect password multiple times
322 counter = 1
323 while(counter < 4):
324 with pytest.raises(
325 Exception,
326 message="User was able to login with the wrong password"
327 ):
328 rift.auto.mano.get_session(
329 session_class, confd_host, 'testuser', 'wrong_password',
330 timeout=5)
331 counter += 1
332
333 # Trying to login with INAVLID_LOGIN_CREDENTIALS
334 for uname, passwd in self.INAVLID_LOGIN_CREDENTIALS.items():
335 with pytest.raises(
336 Exception,
337 message="User logged im with invalid login credentials"
338 ):
339 rift.auto.mano.get_session(
340 session_class, confd_host, uname, passwd, timeout=5)
341 # Creating a user with POSSIBLY_PROBLEMATIC_CREDENTIALS
342 if tbac:
343 for uname, passwd in self.POSSIBLY_PROBLEMATIC_CREDENTIALS.items():
344 rift.auto.mano.create_user(
345 rw_user_proxy, uname,
346 passwd[0],
347 passwd[1]
348 )
349 else:
350 for uname, passwd in self.POSSIBLY_PROBLEMATIC_CREDENTIALS.items():
351 rift.auto.mano.create_user(
352 rw_user_proxy, uname,
353 passwd[0],
354 user_domain
355 )
356 # Creating a user with INVALID_CREDENTIALS
357 for username, password in self.INVALID_CREDENTIALS.items():
358 with pytest.raises(
359 Exception,
360 message="User created with invalid credentials"
361 ):
362 rift.auto.mano.create_user(
363 rw_user_proxy, username, password, user_domain)
364 # Delete the users created with POSSIBLY_PROBLEMATIC_CREDENTIALS
365 if tbac:
366 for uname, domain in self.POSSIBLY_PROBLEMATIC_CREDENTIALS.items():
367 rift.auto.mano.delete_user(
368 rw_user_proxy, uname,
369 domain[1]
370 )
371 else:
372 for uname, passwd in self.POSSIBLY_PROBLEMATIC_CREDENTIALS.items():
373 rift.auto.mano.delete_user(
374 rw_user_proxy, uname, user_domain
375 )
376
377 def test_project_keys(
378 self, rw_project_proxy, rbac_user_passwd, session_class,
379 confd_host):
380 """Trying to access/create various projects with bad project keys."""
381 # Checking if INVALID_PROJECT_KEYS can be accessed.
382 for project_name in self.INVALID_PROJECT_KEYS:
383 project_cm_config_xpath = '/project[name={project_name}]/project-state'
384 project_ = rw_project_proxy.get_config(
385 project_cm_config_xpath.format(
386 project_name=quoted_key(project_name)
387 ),
388 list_obj=True
389 )
390 assert project_ is None
391 # Trying to create projects with INVALID_PROJECT_CREATE_KEYS
392 for project_name in self.INVALID_PROJECT_CREATE_KEYS:
393 with pytest.raises(
394 Exception,
395 message="Project created with the INVALID_PROJECT_CREATE_KEYS"
396 ):
397 rift.auto.mano.create_project(rw_conman_proxy, project_name)
398 # These POSSIBLY_PROBLEMATIC_KEYS should not cause any error in theory.
399 for project_name in self.POSSIBLY_PROBLEMATIC_KEYS:
400 rift.auto.mano.create_project(rw_project_proxy, project_name)
401 # User trying to access a project he has no access to.
402 user_session = rift.auto.mano.get_session(
403 session_class, confd_host, 'test_user_11', rbac_user_passwd)
404 pxy = user_session.proxy(RwConmanYang)
405 project_ = pxy.get_config(
406 project_cm_config_xpath.format(
407 project_name=quoted_key('test01')
408 )
409 )
410 assert project_ is None
411 rift.auto.mano.close_session(user_session)
412
413 def test_project_testing(self, rw_conman_proxy, rw_user_proxy, rw_project_proxy, rbac_user_passwd, user_domain, rw_rbac_int_proxy):
414 """Multiple projects creation, deletion, re-addition with verification every step of the way"""
415
416 # Creating projects and users for this test case
417 for idx in range(1,5):
418 project_name = 'testing_project_{}'.format(idx)
419 rift.auto.mano.create_project(rw_conman_proxy, project_name)
420 self.TEST_PROJECTS.append(project_name)
421 if project_name in self.DELETED_PROJECTS_TRACKER:
422 self.DELETED_PROJECTS_TRACKER.remove(project_name)
423
424 for idx in range(1,9):
425 rift.auto.mano.create_user(rw_user_proxy, 'testing_user_{}'.format(idx), rbac_user_passwd, user_domain)
426 self.TEST_USERS.append('testing_user_{}'.format(idx))
427
428 # Assigning project roles to users
429 for idx in range(0,8):
430 role = self.project_roles[idx]
431 rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role, self.TEST_USERS[idx],
432 self.TEST_PROJECTS[idx//2], user_domain, rw_rbac_int_proxy)
433
434 # Deleting all test projects
435 for project_name in self.TEST_PROJECTS:
436 rift.auto.mano.delete_project(rw_conman_proxy, project_name)
437 self.DELETED_PROJECTS_TRACKER.add(project_name)
438
439 # Recreating all the deleted projects
440 for project_name in self.TEST_PROJECTS:
441 rift.auto.mano.create_project(rw_conman_proxy, project_name)
442 if project_name in self.DELETED_PROJECTS_TRACKER:
443 self.DELETED_PROJECTS_TRACKER.remove(project_name)
444
445 # Check if the recreated projects have the old users assigned to them still.
446 for idx in range(0,8):
447 role = self.project_roles[idx]
448 role_keyed_path = "/project[name={project}]/project-config/user[user-name={user}][user-domain={domain}]/role[role={user_role}]"
449 role_ = rw_project_proxy.get_config(role_keyed_path.format(project=quoted_key(self.TEST_PROJECTS[idx//2]),
450 user=quoted_key(self.TEST_USERS[idx]), domain=quoted_key(user_domain), user_role=quoted_key(role)))
451 assert role_ is None, "This user shouldn't exist in this project which was just created"
452
453 # Reassigning the old users to their old roles.
454 for idx in range(0,8):
455 role = self.project_roles[idx]
456 rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role, self.TEST_USERS[idx],
457 self.TEST_PROJECTS[idx//2], user_domain, rw_rbac_int_proxy)
458
459
460 @pytest.mark.depends('rbac_setup')
461 @pytest.mark.teardown('rbac_setup')
462 @pytest.mark.incremental
463 class TestTeardown(object):
464 """Class Teardown."""
465
466 def test_delete_projects(self, rw_conman_proxy):
467 invalid_projects = TestIdentity.POSSIBLY_PROBLEMATIC_KEYS + ['test01']
468 valid_projects = TestIdentity.TEST_PROJECTS + TestIdentity.RBAC_PROJECTS
469 all_projects = valid_projects + invalid_projects
470
471 for project_name in all_projects:
472 try:
473 rift.auto.mano.delete_project(rw_conman_proxy, project_name)
474 except rift.auto.session.ProxyRequestError as e:
475 if project_name in TestIdentity.DELETED_PROJECTS_TRACKER:
476 print ("Project {} is already deleted".format(project_name))
477 elif project_name not in invalid_projects:
478 print ("Failed to delete project: {}".format(project_name))
479 raise e
480
481 def test_delete_users(self, rw_user_proxy, rbac_platform_proxy, user_domain):
482 users_test_data = ['testuser']
483 for incrementor, role in enumerate(TestIdentity.project_roles + TestIdentity.platform_roles, 1):
484 users_test_data.append('test_user_{}'.format(incrementor))
485
486 for user in TestIdentity.platform_users:
487 users_test_data.append(user)
488
489 # Deletes the users
490 for user in users_test_data+TestIdentity.RBAC_USERS+TestIdentity.TEST_USERS:
491 try:
492 keyed_path = "/rbac-platform-config/user[user-name={user}][user-domain={domain}]"
493 platform_cfg_ent = rbac_platform_proxy.get_config(keyed_path.format(user=quoted_key(user), domain=quoted_key(user_domain)))
494
495 if platform_cfg_ent is not None:
496 # Delete from the platform-config first.
497 rift.auto.mano.revoke_user_from_platform_config(rbac_platform_proxy, user, user_domain)
498 rift.auto.mano.delete_user(rw_user_proxy, user, user_domain)
499
500 except rift.auto.session.ProxyRequestError as e:
501 if user not in TestIdentity.INAVLID_LOGIN_CREDENTIALS:
502 print ("Deletion of user {} failed".format(user))
503 raise e
504 else:
505 print ("Expected error deleting invalid user {}".format(user))