4 # Copyright 2017 RIFT.IO Inc
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
18 #This file contains the code for RIFT-16314, RIFT-16315, RIFT-16536,
19 #RIFT-16537, RIFT-16541, RIFT-16313, RIFT-16692, RIFT-16637, RIFT-16636.
26 gi
.require_version('RwUserYang', '1.0')
27 gi
.require_version('RwProjectYang', '1.0')
28 gi
.require_version('RwRbacPlatformYang', '1.0')
29 gi
.require_version('RwRbacInternalYang', '1.0')
30 gi
.require_version('RwlogMgmtYang', '1.0')
33 from gi
.repository
import (
41 gi
.require_version('RwKeyspec', '1.0')
42 from gi
.repository
.RwKeyspec
import quoted_key
45 @pytest.mark
.setup('rbac_setup')
46 @pytest.mark
.incremental
47 class TestIdentity(object):
50 platform_role_users
= ['platform_user_admin', 'platform_user_oper', 'platform_user_super_admin']
51 platform_users
= ['platform_user_admin', 'platform_user_oper', 'platform_user_test', 'platform_user_super_admin']
54 'rw-project-mano:catalog-oper', 'rw-project-mano:catalog-admin',
55 'rw-project-mano:lcm-oper', 'rw-project-mano:lcm-admin',
56 'rw-project-mano:account-oper', 'rw-project-mano:account-admin',
57 'rw-project:project-admin', 'rw-project:project-oper'
60 'rw-rbac-platform:platform-admin',
61 'rw-rbac-platform:platform-oper',
62 'rw-rbac-platform:super-admin'
65 RBAC_PROJECTS
= ['default']
71 # This is required so as to track the
72 # already deleted users when creation and deletion
73 # are performed in ad-hoc way.
74 # Checking this set allows us to ignore Proxy request
75 # errors when deletion is performed twice.
76 DELETED_PROJECTS_TRACKER
= set()
78 INVALID_CREDENTIALS
= {
79 'Jason' * 500: 'likeu' * 500
82 POSSIBLY_PROBLEMATIC_CREDENTIALS
= {
83 'Ja#son': ['lik#eu', 'syste#m'],
84 'Ja&son': ['lik&eu', 'syste&m'],
85 'J%ason': ['lik%eu', 'syste%m'],
86 'Jåson': ['likeü', 'system'],
87 '<Jason>': ['<likeu>', '<system>'],
88 '/jason': ['/likeu', '/system;'],
89 'jason;': ['likeu;', 'system;'],
90 'j*son': ['like*u;', 'syste*m'],
91 'j@so?': ['l!keu;', 'system!']
94 INAVLID_LOGIN_CREDENTIALS
= {
95 'wrong_username': 'mypasswd',
99 'wrong_username': 'wrong_password'
102 INVALID_PROJECT_KEYS
= ['this_project_doesnt_exist', 'Test01']
103 INVALID_PROJECT_CREATE_KEYS
= ['testproject' * 500, ]
104 #POSSIBLY_PROBLEMATIC_KEYS = ['/projectname', 'project name', 'projectname.', 'project,name', 'Projëçt', 'Pro;je:ct', 'Proj*ct', 'Pr@ject']
105 POSSIBLY_PROBLEMATIC_KEYS
= ['/projectname', 'project name', 'projectname.', 'project,name', 'Pro;je:ct', 'Proj*ct', 'Pr@ject']
107 def test_platform_roles(self
, rw_user_proxy
, rbac_platform_proxy
, rbac_user_passwd
, user_domain
, session_class
, tbac
,
108 confd_host
, platform_roles
, rw_rbac_int_proxy
):
109 # Setting users and roles up for upcoming checks
110 rift
.auto
.mano
.create_user(rw_user_proxy
, 'platform_user_super_admin', rbac_user_passwd
, user_domain
)
111 rift
.auto
.mano
.assign_platform_role_to_user(rbac_platform_proxy
, 'rw-rbac-platform:super-admin',
112 'platform_user_super_admin', user_domain
, rw_rbac_int_proxy
)
113 rift
.auto
.mano
.create_user(rw_user_proxy
, 'platform_user_admin', rbac_user_passwd
, user_domain
)
114 rift
.auto
.mano
.assign_platform_role_to_user(rbac_platform_proxy
, 'rw-rbac-platform:platform-admin',
115 'platform_user_admin', user_domain
, rw_rbac_int_proxy
)
116 rift
.auto
.mano
.create_user(rw_user_proxy
, 'platform_user_oper', rbac_user_passwd
, user_domain
)
117 rift
.auto
.mano
.assign_platform_role_to_user(rbac_platform_proxy
, 'rw-rbac-platform:platform-oper',
118 'platform_user_oper', user_domain
, rw_rbac_int_proxy
)
119 rift
.auto
.mano
.create_user(rw_user_proxy
, 'platform_user_test', rbac_user_passwd
, user_domain
)
121 """Various access tests for platform users"""
123 # Testing if platform role users have access to /rbac-platform-config
124 for user
in self
.platform_role_users
:
125 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, user
, rbac_user_passwd
)
126 pxy
= user_session
.proxy(RwRbacPlatformYang
)
127 access_
= pxy
.get_config("/rbac-platform-config/user[user-name='platform_user_admin'][user-domain={}]"
128 .format(quoted_key(user_domain
)))
129 assert access_
is not None
130 rift
.auto
.mano
.close_session(user_session
)
132 # Testing if platform role users have access to /rbac-platform-state
133 for user
in self
.platform_role_users
:
134 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, user
, rbac_user_passwd
)
135 pxy
= user_session
.proxy(RwRbacPlatformYang
)
136 access_
= pxy
.get_config("/rbac-platform-state/user[user-name='platform_user_admin'][user-domain={}]"
137 .format(quoted_key(user_domain
)))
138 if user
== 'platform_user_oper':
139 assert access_
is None
141 """At the time of writing this code, /rbac-platform-state/user is unpopulated and so the access_ will be None no matter what.
142 In the future when the path /rbac-platform-state/user is populated this test will break. When that happens, just change
143 the next line to 'access_ is not None'
145 assert access_
is None
146 rift
.auto
.mano
.close_session(user_session
)
148 """Changing roles and verifying it """
150 # Case 01 Assign and then revoke that role. Assign a second role and see if that sticks and that the older role hasn't stayed on.
151 rift
.auto
.mano
.assign_platform_role_to_user(rbac_platform_proxy
, 'rw-rbac-platform:platform-oper',
152 'platform_user_test', user_domain
, rw_rbac_int_proxy
)
153 rift
.auto
.mano
.revoke_platform_role_from_user(rbac_platform_proxy
, 'rw-rbac-platform:platform-oper',
154 'platform_user_test', user_domain
)
155 rift
.auto
.mano
.assign_platform_role_to_user(rbac_platform_proxy
, 'rw-rbac-platform:platform-admin',
156 'platform_user_test', user_domain
, rw_rbac_int_proxy
)
157 # If the older role didn't stick and the new role did stick (as it should), then the user should be able to change another users password
158 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, 'platform_user_test', rbac_user_passwd
)
159 pxy
= user_session
.proxy(RwUserYang
)
160 rift
.auto
.mano
.update_password(pxy
, 'platform_user_oper', 'even_newer_password', user_domain
, rw_rbac_int_proxy
)
161 rift
.auto
.mano
.close_session(user_session
)
163 # Case 02 Switching the roles back after Case 01
164 rift
.auto
.mano
.revoke_platform_role_from_user(rbac_platform_proxy
, 'rw-rbac-platform:platform-admin',
165 'platform_user_test', user_domain
)
166 rift
.auto
.mano
.assign_platform_role_to_user(rbac_platform_proxy
, 'rw-rbac-platform:platform-oper',
167 'platform_user_test', user_domain
, rw_rbac_int_proxy
)
168 # If the older role didn't stick and the new role did stick (as it should), then the user shouldn't be able to change another users password
169 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, 'platform_user_test', rbac_user_passwd
)
170 pxy
= user_session
.proxy(RwUserYang
)
171 with pytest
.raises(Exception, message
="User shouldn't be able to change another user's password") as excinfo
:
172 rift
.auto
.mano
.update_password(pxy
, 'platform_user_oper', 'new_password', user_domain
, rw_rbac_int_proxy
)
173 rift
.auto
.mano
.close_session(user_session
)
176 """Disabling and enabling users and verifying it"""
178 rift
.auto
.mano
.create_user(rw_user_proxy
, 'disabled_user', rbac_user_passwd
, user_domain
)
179 rift
.auto
.mano
.update_password(rw_user_proxy
, 'platform_user_oper', rbac_user_passwd
, user_domain
, rw_rbac_int_proxy
)
180 # Checking if the disabled user can login
181 rift
.auto
.mano
.disable_user(rw_user_proxy
, 'disabled_user', user_domain
, rw_rbac_int_proxy
)
182 with pytest
.raises(Exception, message
="User shouldn't be able to login as he is disabled") as excinfo
:
183 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, 'disabled_user', rbac_user_passwd
, timeout
=5)
184 # Checking if he can login after he has been enabled back on.
185 rift
.auto
.mano
.enable_user(rw_user_proxy
, 'disabled_user', user_domain
, rw_rbac_int_proxy
)
186 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, 'disabled_user', rbac_user_passwd
)
187 rift
.auto
.mano
.close_session(user_session
)
188 # All platform roles trying to change the status of a user
189 for user
in self
.platform_role_users
:
190 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, user
, rbac_user_passwd
)
191 pxy
= user_session
.proxy(RwUserYang
)
192 if user
== 'platform_user_oper':
193 with pytest
.raises(Exception, message
="Platform oper shouldn't be able to disable other users") as excinfo
:
194 rift
.auto
.mano
.disable_user(pxy
, 'disabled_user', user_domain
, rw_rbac_int_proxy
)
196 rift
.auto
.mano
.disable_user(pxy
, 'disabled_user', user_domain
, rw_rbac_int_proxy
)
197 rift
.auto
.mano
.enable_user(pxy
, 'disabled_user', user_domain
, rw_rbac_int_proxy
)
198 rift
.auto
.mano
.close_session(user_session
)
200 # Testing if users can change their own passwords
201 for user
in self
.platform_users
:
202 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, user
, rbac_user_passwd
)
203 pxy
= user_session
.proxy(RwUserYang
)
204 rift
.auto
.mano
.update_password(pxy
, user
, 'new_password', user_domain
, rw_rbac_int_proxy
)
205 rift
.auto
.mano
.close_session(user_session
)
207 # Testing if platform role users can change the password of another user
208 for idx
, user
in enumerate(self
.platform_role_users
, 1):
209 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, user
, 'new_password')
210 pxy
= user_session
.proxy(RwUserYang
)
211 if user
== 'platform_user_oper':
212 with pytest
.raises(Exception, message
="User shouldn't be able to change another user's password") as excinfo
:
213 rift
.auto
.mano
.update_password(pxy
, 'platform_user_test', 'even_newer_password_{}'.format(idx
), user_domain
, rw_rbac_int_proxy
)
215 rift
.auto
.mano
.update_password(pxy
, 'platform_user_test', 'even_newer_password_{}'.format(idx
), user_domain
, rw_rbac_int_proxy
)
216 rift
.auto
.mano
.close_session(user_session
)
218 # Testing if platform users have access to logging
219 for user
in self
.platform_role_users
:
220 user_session
= rift
.auto
.mano
.get_session(session_class
, confd_host
, user
, 'new_password')
221 pxy
= user_session
.proxy(RwlogMgmtYang
)
222 access_
= pxy
.get_config('/logging')
223 assert access_
is not None
224 rpc_input
= RwlogMgmtYang
.YangInput_RwlogMgmt_ShowLogs
.from_dict({'all': 'None'})
226 rpc_input_1
= RwlogMgmtYang
.YangInput_RwlogMgmt_LogEvent
.from_dict({'on': 'None'})
228 rift
.auto
.mano
.close_session(user_session
)
230 def rbac_internal_check(self
, mgmt_session
, xpath
):
232 rbac_intl_proxy
= mgmt_session
.proxy(RwRbacInternalYang
)
233 rbac_intl_proxy
.wait_for(xpath
, "active", timeout
=5)
235 def test_rbac_internal_verification(self
, rw_user_proxy
, rw_conman_proxy
, rbac_user_passwd
, user_domain
, mgmt_session
,
236 rw_project_proxy
, rbac_platform_proxy
, rw_rbac_int_proxy
):
237 """Doing various tasks and verifying if rbac-internal is reflecting these changes properly"""
239 # Creating projects and users for verifying the rbac-internal scenario
240 for idx
in range(1, 4):
241 project_name
= 'rbac_project_{}'.format(idx
)
242 rift
.auto
.mano
.create_project(rw_conman_proxy
, project_name
)
243 self
.RBAC_PROJECTS
.append(project_name
)
245 if project_name
in self
.DELETED_PROJECTS_TRACKER
:
246 self
.DELETED_PROJECTS_TRACKER
.remove(project_name
)
248 for idx
in range(1, 5):
249 rift
.auto
.mano
.create_user(rw_user_proxy
, 'rbac_user_{}'.format(idx
), rbac_user_passwd
, user_domain
)
250 self
.RBAC_USERS
.append('rbac_user_{}'.format(idx
))
252 # Rbac-Internal Verification
253 project_order
= [0, 1, 2, 3, 0]
254 xpath
= '/rw-rbac-internal/role[role={role}][keys={project}]/user[user-name={user}][user-domain={domain}]/state-machine/state'
255 # Assigning four users to four projects with two project roles for each user and checking the rbac-internal
256 for idx
in range(0, 4):
257 fdx
= project_order
[idx
]
258 ldx
= project_order
[idx
+ 1]
259 role
= self
.project_roles
[2 * idx
]
260 role1
= self
.project_roles
[(2 * idx
) + 1]
261 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, role
, self
.RBAC_USERS
[idx
],
262 self
.RBAC_PROJECTS
[fdx
], user_domain
, rw_rbac_int_proxy
)
263 self
.rbac_internal_check(mgmt_session
, xpath
.format(role
=quoted_key(role
), project
=quoted_key(self
.RBAC_PROJECTS
[fdx
]),
264 user
=quoted_key(self
.RBAC_USERS
[idx
]), domain
=quoted_key(user_domain
)))
265 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, role1
, self
.RBAC_USERS
[idx
],
266 self
.RBAC_PROJECTS
[ldx
], user_domain
, rw_rbac_int_proxy
)
267 self
.rbac_internal_check(mgmt_session
, xpath
.format(role
=quoted_key(role1
), project
=quoted_key(self
.RBAC_PROJECTS
[ldx
]),
268 user
=quoted_key(self
.RBAC_USERS
[idx
]), domain
=quoted_key(user_domain
)))
269 # Deleting the four projects and then checking rw-rbac-internal
270 for project_name
in self
.RBAC_PROJECTS
:
271 rift
.auto
.mano
.delete_project(rw_conman_proxy
, project_name
)
272 print ("Deleting project: {}".format(project_name
))
273 self
.DELETED_PROJECTS_TRACKER
.add(project_name
)
275 for idx
in range(0, 4):
276 fdx
= project_order
[idx
]
277 ldx
= project_order
[idx
+ 1]
278 role
= self
.project_roles
[2 * idx
]
279 role1
= self
.project_roles
[(2 * idx
) + 1]
281 with pytest
.raises(Exception, message
="This user {} (with this role {} and project {}) shouldn't be on rbac-internal."
282 .format(self
.RBAC_USERS
[idx
], role
, self
.RBAC_PROJECTS
[fdx
])) as excinfo
:
283 self
.rbac_internal_check(mgmt_session
, xpath
.format(role
=quoted_key(role
), project
=quoted_key(self
.RBAC_PROJECTS
[fdx
]),
284 user
=quoted_key(self
.RBAC_USERS
[idx
]), domain
=quoted_key(user_domain
)))
285 with pytest
.raises(Exception, message
="This user {} (with this role {} and project {}) shouldn't be on rbac-internal."
286 .format(self
.RBAC_USERS
[idx
], role1
, self
.RBAC_PROJECTS
[ldx
])) as excinfo
:
287 self
.rbac_internal_check(mgmt_session
, xpath
.format(role
=quoted_key(role1
), project
=quoted_key(self
.RBAC_PROJECTS
[ldx
]),
288 user
=quoted_key(self
.RBAC_USERS
[idx
]), domain
=quoted_key(user_domain
)))
290 def test_roles_revoke(self
, rw_conman_proxy
, rw_user_proxy
, rbac_platform_proxy
, rw_project_proxy
,
291 rbac_user_passwd
, user_domain
, rw_rbac_int_proxy
):
292 """Assigning all the roles and then revoking them"""
294 # Creating users and assigning each of them a role
295 rift
.auto
.mano
.create_project(rw_conman_proxy
, 'test01')
296 for incrementor
, role
in enumerate(self
.project_roles
+ self
.platform_roles
, 1):
297 user_name
= 'test_user_{}'.format(incrementor
)
298 rift
.auto
.mano
.create_user(rw_user_proxy
, user_name
, rbac_user_passwd
, user_domain
)
300 if 'platform' in role
:
301 rift
.auto
.mano
.assign_platform_role_to_user(rbac_platform_proxy
, role
, user_name
, user_domain
, rw_rbac_int_proxy
)
304 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, role
, user_name
, 'test01', user_domain
, rw_rbac_int_proxy
)
306 # Removing the assigned roles from each user
307 for incrementor
, role
in enumerate(self
.project_roles
+ self
.platform_roles
, 1):
308 user_name
= 'test_user_{}'.format(incrementor
)
309 if 'platform' in role
:
310 rift
.auto
.mano
.revoke_platform_role_from_user(rbac_platform_proxy
, role
, user_name
, user_domain
)
311 rift
.auto
.mano
.revoke_user_from_platform_config(rbac_platform_proxy
, user_name
, user_domain
)
313 rift
.auto
.mano
.revoke_project_role_from_user(rw_project_proxy
, role
, user_name
, 'test01', user_domain
)
315 def test_misbehaviours(
316 self
, rw_user_proxy
, rbac_user_passwd
, user_domain
,
317 session_class
, confd_host
, tbac
, rw_rbac_int_proxy
):
318 """Verify if bad credentials can cause any problems."""
319 rift
.auto
.mano
.create_user(
320 rw_user_proxy
, 'testuser', rbac_user_passwd
, user_domain
)
321 # Trying to login with an incorrect password multiple times
326 message
="User was able to login with the wrong password"
328 rift
.auto
.mano
.get_session(
329 session_class
, confd_host
, 'testuser', 'wrong_password',
333 # Trying to login with INAVLID_LOGIN_CREDENTIALS
334 for uname
, passwd
in self
.INAVLID_LOGIN_CREDENTIALS
.items():
337 message
="User logged im with invalid login credentials"
339 rift
.auto
.mano
.get_session(
340 session_class
, confd_host
, uname
, passwd
, timeout
=5)
341 # Creating a user with POSSIBLY_PROBLEMATIC_CREDENTIALS
343 for uname
, passwd
in self
.POSSIBLY_PROBLEMATIC_CREDENTIALS
.items():
344 rift
.auto
.mano
.create_user(
345 rw_user_proxy
, uname
,
350 for uname
, passwd
in self
.POSSIBLY_PROBLEMATIC_CREDENTIALS
.items():
351 rift
.auto
.mano
.create_user(
352 rw_user_proxy
, uname
,
356 # Creating a user with INVALID_CREDENTIALS
357 for username
, password
in self
.INVALID_CREDENTIALS
.items():
360 message
="User created with invalid credentials"
362 rift
.auto
.mano
.create_user(
363 rw_user_proxy
, username
, password
, user_domain
)
364 # Delete the users created with POSSIBLY_PROBLEMATIC_CREDENTIALS
366 for uname
, domain
in self
.POSSIBLY_PROBLEMATIC_CREDENTIALS
.items():
367 rift
.auto
.mano
.delete_user(
368 rw_user_proxy
, uname
,
372 for uname
, passwd
in self
.POSSIBLY_PROBLEMATIC_CREDENTIALS
.items():
373 rift
.auto
.mano
.delete_user(
374 rw_user_proxy
, uname
, user_domain
377 def test_project_keys(
378 self
, rw_project_proxy
, rbac_user_passwd
, session_class
,
380 """Trying to access/create various projects with bad project keys."""
381 # Checking if INVALID_PROJECT_KEYS can be accessed.
382 for project_name
in self
.INVALID_PROJECT_KEYS
:
383 project_cm_config_xpath
= '/project[name={project_name}]/project-state'
384 project_
= rw_project_proxy
.get_config(
385 project_cm_config_xpath
.format(
386 project_name
=quoted_key(project_name
)
390 assert project_
is None
391 # Trying to create projects with INVALID_PROJECT_CREATE_KEYS
392 for project_name
in self
.INVALID_PROJECT_CREATE_KEYS
:
395 message
="Project created with the INVALID_PROJECT_CREATE_KEYS"
397 rift
.auto
.mano
.create_project(rw_conman_proxy
, project_name
)
398 # These POSSIBLY_PROBLEMATIC_KEYS should not cause any error in theory.
399 for project_name
in self
.POSSIBLY_PROBLEMATIC_KEYS
:
400 rift
.auto
.mano
.create_project(rw_project_proxy
, project_name
)
401 # User trying to access a project he has no access to.
402 user_session
= rift
.auto
.mano
.get_session(
403 session_class
, confd_host
, 'test_user_11', rbac_user_passwd
)
404 pxy
= user_session
.proxy(RwConmanYang
)
405 project_
= pxy
.get_config(
406 project_cm_config_xpath
.format(
407 project_name
=quoted_key('test01')
410 assert project_
is None
411 rift
.auto
.mano
.close_session(user_session
)
413 def test_project_testing(self
, rw_conman_proxy
, rw_user_proxy
, rw_project_proxy
, rbac_user_passwd
, user_domain
, rw_rbac_int_proxy
):
414 """Multiple projects creation, deletion, re-addition with verification every step of the way"""
416 # Creating projects and users for this test case
417 for idx
in range(1,5):
418 project_name
= 'testing_project_{}'.format(idx
)
419 rift
.auto
.mano
.create_project(rw_conman_proxy
, project_name
)
420 self
.TEST_PROJECTS
.append(project_name
)
421 if project_name
in self
.DELETED_PROJECTS_TRACKER
:
422 self
.DELETED_PROJECTS_TRACKER
.remove(project_name
)
424 for idx
in range(1,9):
425 rift
.auto
.mano
.create_user(rw_user_proxy
, 'testing_user_{}'.format(idx
), rbac_user_passwd
, user_domain
)
426 self
.TEST_USERS
.append('testing_user_{}'.format(idx
))
428 # Assigning project roles to users
429 for idx
in range(0,8):
430 role
= self
.project_roles
[idx
]
431 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, role
, self
.TEST_USERS
[idx
],
432 self
.TEST_PROJECTS
[idx
//2], user_domain
, rw_rbac_int_proxy
)
434 # Deleting all test projects
435 for project_name
in self
.TEST_PROJECTS
:
436 rift
.auto
.mano
.delete_project(rw_conman_proxy
, project_name
)
437 self
.DELETED_PROJECTS_TRACKER
.add(project_name
)
439 # Recreating all the deleted projects
440 for project_name
in self
.TEST_PROJECTS
:
441 rift
.auto
.mano
.create_project(rw_conman_proxy
, project_name
)
442 if project_name
in self
.DELETED_PROJECTS_TRACKER
:
443 self
.DELETED_PROJECTS_TRACKER
.remove(project_name
)
445 # Check if the recreated projects have the old users assigned to them still.
446 for idx
in range(0,8):
447 role
= self
.project_roles
[idx
]
448 role_keyed_path
= "/project[name={project}]/project-config/user[user-name={user}][user-domain={domain}]/role[role={user_role}]"
449 role_
= rw_project_proxy
.get_config(role_keyed_path
.format(project
=quoted_key(self
.TEST_PROJECTS
[idx
//2]),
450 user
=quoted_key(self
.TEST_USERS
[idx
]), domain
=quoted_key(user_domain
), user_role
=quoted_key(role
)))
451 assert role_
is None, "This user shouldn't exist in this project which was just created"
453 # Reassigning the old users to their old roles.
454 for idx
in range(0,8):
455 role
= self
.project_roles
[idx
]
456 rift
.auto
.mano
.assign_project_role_to_user(rw_project_proxy
, role
, self
.TEST_USERS
[idx
],
457 self
.TEST_PROJECTS
[idx
//2], user_domain
, rw_rbac_int_proxy
)
460 @pytest.mark
.depends('rbac_setup')
461 @pytest.mark
.teardown('rbac_setup')
462 @pytest.mark
.incremental
463 class TestTeardown(object):
464 """Class Teardown."""
466 def test_delete_projects(self
, rw_conman_proxy
):
467 invalid_projects
= TestIdentity
.POSSIBLY_PROBLEMATIC_KEYS
+ ['test01']
468 valid_projects
= TestIdentity
.TEST_PROJECTS
+ TestIdentity
.RBAC_PROJECTS
469 all_projects
= valid_projects
+ invalid_projects
471 for project_name
in all_projects
:
473 rift
.auto
.mano
.delete_project(rw_conman_proxy
, project_name
)
474 except rift
.auto
.session
.ProxyRequestError
as e
:
475 if project_name
in TestIdentity
.DELETED_PROJECTS_TRACKER
:
476 print ("Project {} is already deleted".format(project_name
))
477 elif project_name
not in invalid_projects
:
478 print ("Failed to delete project: {}".format(project_name
))
481 def test_delete_users(self
, rw_user_proxy
, rbac_platform_proxy
, user_domain
):
482 users_test_data
= ['testuser']
483 for incrementor
, role
in enumerate(TestIdentity
.project_roles
+ TestIdentity
.platform_roles
, 1):
484 users_test_data
.append('test_user_{}'.format(incrementor
))
486 for user
in TestIdentity
.platform_users
:
487 users_test_data
.append(user
)
490 for user
in users_test_data
+TestIdentity
.RBAC_USERS
+TestIdentity
.TEST_USERS
:
492 keyed_path
= "/rbac-platform-config/user[user-name={user}][user-domain={domain}]"
493 platform_cfg_ent
= rbac_platform_proxy
.get_config(keyed_path
.format(user
=quoted_key(user
), domain
=quoted_key(user_domain
)))
495 if platform_cfg_ent
is not None:
496 # Delete from the platform-config first.
497 rift
.auto
.mano
.revoke_user_from_platform_config(rbac_platform_proxy
, user
, user_domain
)
498 rift
.auto
.mano
.delete_user(rw_user_proxy
, user
, user_domain
)
500 except rift
.auto
.session
.ProxyRequestError
as e
:
501 if user
not in TestIdentity
.INAVLID_LOGIN_CREDENTIALS
:
502 print ("Deletion of user {} failed".format(user
))
505 print ("Expected error deleting invalid user {}".format(user
))