X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;f=rwlaunchpad%2Fra%2Fpytest%2Fns%2Frbac%2Ftest_rbac_identity.py;fp=rwlaunchpad%2Fra%2Fpytest%2Fns%2Frbac%2Ftest_rbac_identity.py;h=9d05c3713e4bc5962bfee3b7cff2cdff92985b08;hb=4870d0ee29789b859931e4e2c73e13dcb29537d5;hp=0000000000000000000000000000000000000000;hpb=6f1a3fe149e4a6b9803382cb299c902f4cf58ec9;p=osm%2FSO.git diff --git a/rwlaunchpad/ra/pytest/ns/rbac/test_rbac_identity.py b/rwlaunchpad/ra/pytest/ns/rbac/test_rbac_identity.py new file mode 100644 index 00000000..9d05c371 --- /dev/null +++ b/rwlaunchpad/ra/pytest/ns/rbac/test_rbac_identity.py @@ -0,0 +1,505 @@ +#!/usr/bin/env python3 +""" +# +# Copyright 2017 RIFT.IO Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +#This file contains the code for RIFT-16314, RIFT-16315, RIFT-16536, +#RIFT-16537, RIFT-16541, RIFT-16313, RIFT-16692, RIFT-16637, RIFT-16636. +""" +import gi +import pytest + +import rift.auto.mano + +gi.require_version('RwUserYang', '1.0') +gi.require_version('RwProjectYang', '1.0') +gi.require_version('RwRbacPlatformYang', '1.0') +gi.require_version('RwRbacInternalYang', '1.0') +gi.require_version('RwlogMgmtYang', '1.0') + + +from gi.repository import ( + RwUserYang, + RwProjectYang, + RwRbacPlatformYang, + RwRbacInternalYang, + RwlogMgmtYang, + RwConmanYang +) +gi.require_version('RwKeyspec', '1.0') +from gi.repository.RwKeyspec import quoted_key + + +@pytest.mark.setup('rbac_setup') +@pytest.mark.incremental +class TestIdentity(object): + """Test Identity.""" + + platform_role_users = ['platform_user_admin', 'platform_user_oper', 'platform_user_super_admin'] + platform_users = ['platform_user_admin', 'platform_user_oper', 'platform_user_test', 'platform_user_super_admin'] + + project_roles = ( + 'rw-project-mano:catalog-oper', 'rw-project-mano:catalog-admin', + 'rw-project-mano:lcm-oper', 'rw-project-mano:lcm-admin', + 'rw-project-mano:account-oper', 'rw-project-mano:account-admin', + 'rw-project:project-admin', 'rw-project:project-oper' + ) + platform_roles = ( + 'rw-rbac-platform:platform-admin', + 'rw-rbac-platform:platform-oper', + 'rw-rbac-platform:super-admin' + ) + + RBAC_PROJECTS = ['default'] + RBAC_USERS = [] + + TEST_PROJECTS = [] + TEST_USERS = [] + + # This is required so as to track the + # already deleted users when creation and deletion + # are performed in ad-hoc way. + # Checking this set allows us to ignore Proxy request + # errors when deletion is performed twice. + DELETED_PROJECTS_TRACKER = set() + + INVALID_CREDENTIALS = { + 'Jason' * 500: 'likeu' * 500 + } + + POSSIBLY_PROBLEMATIC_CREDENTIALS = { + 'Ja#son': ['lik#eu', 'syste#m'], + 'Ja&son': ['lik&eu', 'syste&m'], + 'J%ason': ['lik%eu', 'syste%m'], + 'Jåson': ['likeü', 'system'], + '': ['', ''], + '/jason': ['/likeu', '/system;'], + 'jason;': ['likeu;', 'system;'], + 'j*son': ['like*u;', 'syste*m'], + 'j@so?': ['l!keu;', 'system!'] + } + + INAVLID_LOGIN_CREDENTIALS = { + 'wrong_username': 'mypasswd', + 'testuser': 0, + 0: 'mypasswd', + 0: 0, + 'wrong_username': 'wrong_password' + } + + INVALID_PROJECT_KEYS = ['this_project_doesnt_exist', 'Test01'] + INVALID_PROJECT_CREATE_KEYS = ['testproject' * 500, ] + #POSSIBLY_PROBLEMATIC_KEYS = ['/projectname', 'project name', 'projectname.', 'project,name', 'Projëçt', 'Pro;je:ct', 'Proj*ct', 'Pr@ject'] + POSSIBLY_PROBLEMATIC_KEYS = ['/projectname', 'project name', 'projectname.', 'project,name', 'Pro;je:ct', 'Proj*ct', 'Pr@ject'] + + def test_platform_roles(self, rw_user_proxy, rbac_platform_proxy, rbac_user_passwd, user_domain, session_class, tbac, + confd_host, platform_roles, rw_rbac_int_proxy): + # Setting users and roles up for upcoming checks + rift.auto.mano.create_user(rw_user_proxy, 'platform_user_super_admin', rbac_user_passwd, user_domain) + rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:super-admin', + 'platform_user_super_admin', user_domain, rw_rbac_int_proxy) + rift.auto.mano.create_user(rw_user_proxy, 'platform_user_admin', rbac_user_passwd, user_domain) + rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-admin', + 'platform_user_admin', user_domain, rw_rbac_int_proxy) + rift.auto.mano.create_user(rw_user_proxy, 'platform_user_oper', rbac_user_passwd, user_domain) + rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-oper', + 'platform_user_oper', user_domain, rw_rbac_int_proxy) + rift.auto.mano.create_user(rw_user_proxy, 'platform_user_test', rbac_user_passwd, user_domain) + + """Various access tests for platform users""" + + # Testing if platform role users have access to /rbac-platform-config + for user in self.platform_role_users: + user_session = rift.auto.mano.get_session(session_class, confd_host, user, rbac_user_passwd) + pxy = user_session.proxy(RwRbacPlatformYang) + access_ = pxy.get_config("/rbac-platform-config/user[user-name='platform_user_admin'][user-domain={}]" + .format(quoted_key(user_domain))) + assert access_ is not None + rift.auto.mano.close_session(user_session) + + # Testing if platform role users have access to /rbac-platform-state + for user in self.platform_role_users: + user_session = rift.auto.mano.get_session(session_class, confd_host, user, rbac_user_passwd) + pxy = user_session.proxy(RwRbacPlatformYang) + access_ = pxy.get_config("/rbac-platform-state/user[user-name='platform_user_admin'][user-domain={}]" + .format(quoted_key(user_domain))) + if user == 'platform_user_oper': + assert access_ is None + else: + """At the time of writing this code, /rbac-platform-state/user is unpopulated and so the access_ will be None no matter what. + In the future when the path /rbac-platform-state/user is populated this test will break. When that happens, just change + the next line to 'access_ is not None' + """ + assert access_ is None + rift.auto.mano.close_session(user_session) + + """Changing roles and verifying it """ + + # Case 01 Assign and then revoke that role. Assign a second role and see if that sticks and that the older role hasn't stayed on. + rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-oper', + 'platform_user_test', user_domain, rw_rbac_int_proxy) + rift.auto.mano.revoke_platform_role_from_user(rbac_platform_proxy, 'rw-rbac-platform:platform-oper', + 'platform_user_test', user_domain) + rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-admin', + 'platform_user_test', user_domain, rw_rbac_int_proxy) + # If the older role didn't stick and the new role did stick (as it should), then the user should be able to change another users password + user_session = rift.auto.mano.get_session(session_class, confd_host, 'platform_user_test', rbac_user_passwd) + pxy = user_session.proxy(RwUserYang) + rift.auto.mano.update_password(pxy, 'platform_user_oper', 'even_newer_password', user_domain, rw_rbac_int_proxy) + rift.auto.mano.close_session(user_session) + + # Case 02 Switching the roles back after Case 01 + rift.auto.mano.revoke_platform_role_from_user(rbac_platform_proxy, 'rw-rbac-platform:platform-admin', + 'platform_user_test', user_domain) + rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, 'rw-rbac-platform:platform-oper', + 'platform_user_test', user_domain, rw_rbac_int_proxy) + # If the older role didn't stick and the new role did stick (as it should), then the user shouldn't be able to change another users password + user_session = rift.auto.mano.get_session(session_class, confd_host, 'platform_user_test', rbac_user_passwd) + pxy = user_session.proxy(RwUserYang) + with pytest.raises(Exception, message="User shouldn't be able to change another user's password") as excinfo: + rift.auto.mano.update_password(pxy, 'platform_user_oper', 'new_password', user_domain, rw_rbac_int_proxy) + rift.auto.mano.close_session(user_session) + + if not tbac: + """Disabling and enabling users and verifying it""" + + rift.auto.mano.create_user(rw_user_proxy, 'disabled_user', rbac_user_passwd, user_domain) + rift.auto.mano.update_password(rw_user_proxy, 'platform_user_oper', rbac_user_passwd, user_domain, rw_rbac_int_proxy) + # Checking if the disabled user can login + rift.auto.mano.disable_user(rw_user_proxy, 'disabled_user', user_domain, rw_rbac_int_proxy) + with pytest.raises(Exception, message="User shouldn't be able to login as he is disabled") as excinfo: + user_session = rift.auto.mano.get_session(session_class, confd_host, 'disabled_user', rbac_user_passwd, timeout=5) + # Checking if he can login after he has been enabled back on. + rift.auto.mano.enable_user(rw_user_proxy, 'disabled_user', user_domain, rw_rbac_int_proxy) + user_session = rift.auto.mano.get_session(session_class, confd_host, 'disabled_user', rbac_user_passwd) + rift.auto.mano.close_session(user_session) + # All platform roles trying to change the status of a user + for user in self.platform_role_users: + user_session = rift.auto.mano.get_session(session_class, confd_host, user, rbac_user_passwd) + pxy = user_session.proxy(RwUserYang) + if user == 'platform_user_oper': + with pytest.raises(Exception, message="Platform oper shouldn't be able to disable other users") as excinfo: + rift.auto.mano.disable_user(pxy, 'disabled_user', user_domain, rw_rbac_int_proxy) + else: + rift.auto.mano.disable_user(pxy, 'disabled_user', user_domain, rw_rbac_int_proxy) + rift.auto.mano.enable_user(pxy, 'disabled_user', user_domain, rw_rbac_int_proxy) + rift.auto.mano.close_session(user_session) + + # Testing if users can change their own passwords + for user in self.platform_users: + user_session = rift.auto.mano.get_session(session_class, confd_host, user, rbac_user_passwd) + pxy = user_session.proxy(RwUserYang) + rift.auto.mano.update_password(pxy, user, 'new_password', user_domain, rw_rbac_int_proxy) + rift.auto.mano.close_session(user_session) + + # Testing if platform role users can change the password of another user + for idx, user in enumerate(self.platform_role_users, 1): + user_session = rift.auto.mano.get_session(session_class, confd_host, user, 'new_password') + pxy = user_session.proxy(RwUserYang) + if user == 'platform_user_oper': + with pytest.raises(Exception, message="User shouldn't be able to change another user's password") as excinfo: + rift.auto.mano.update_password(pxy, 'platform_user_test', 'even_newer_password_{}'.format(idx), user_domain, rw_rbac_int_proxy) + else: + rift.auto.mano.update_password(pxy, 'platform_user_test', 'even_newer_password_{}'.format(idx), user_domain, rw_rbac_int_proxy) + rift.auto.mano.close_session(user_session) + + # Testing if platform users have access to logging + for user in self.platform_role_users: + user_session = rift.auto.mano.get_session(session_class, confd_host, user, 'new_password') + pxy = user_session.proxy(RwlogMgmtYang) + access_ = pxy.get_config('/logging') + assert access_ is not None + rpc_input = RwlogMgmtYang.YangInput_RwlogMgmt_ShowLogs.from_dict({'all': 'None'}) + pxy.rpc(rpc_input) + rpc_input_1 = RwlogMgmtYang.YangInput_RwlogMgmt_LogEvent.from_dict({'on': 'None'}) + pxy.rpc(rpc_input_1) + rift.auto.mano.close_session(user_session) + + def rbac_internal_check(self, mgmt_session, xpath): + + rbac_intl_proxy = mgmt_session.proxy(RwRbacInternalYang) + rbac_intl_proxy.wait_for(xpath, "active", timeout=5) + + def test_rbac_internal_verification(self, rw_user_proxy, rw_conman_proxy, rbac_user_passwd, user_domain, mgmt_session, + rw_project_proxy, rbac_platform_proxy, rw_rbac_int_proxy): + """Doing various tasks and verifying if rbac-internal is reflecting these changes properly""" + + # Creating projects and users for verifying the rbac-internal scenario + for idx in range(1, 4): + project_name = 'rbac_project_{}'.format(idx) + rift.auto.mano.create_project(rw_conman_proxy, project_name) + self.RBAC_PROJECTS.append(project_name) + + if project_name in self.DELETED_PROJECTS_TRACKER: + self.DELETED_PROJECTS_TRACKER.remove(project_name) + + for idx in range(1, 5): + rift.auto.mano.create_user(rw_user_proxy, 'rbac_user_{}'.format(idx), rbac_user_passwd, user_domain) + self.RBAC_USERS.append('rbac_user_{}'.format(idx)) + + # Rbac-Internal Verification + project_order = [0, 1, 2, 3, 0] + xpath = '/rw-rbac-internal/role[role={role}][keys={project}]/user[user-name={user}][user-domain={domain}]/state-machine/state' + # Assigning four users to four projects with two project roles for each user and checking the rbac-internal + for idx in range(0, 4): + fdx = project_order[idx] + ldx = project_order[idx + 1] + role = self.project_roles[2 * idx] + role1 = self.project_roles[(2 * idx) + 1] + rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role, self.RBAC_USERS[idx], + self.RBAC_PROJECTS[fdx], user_domain, rw_rbac_int_proxy) + self.rbac_internal_check(mgmt_session, xpath.format(role=quoted_key(role), project=quoted_key(self.RBAC_PROJECTS[fdx]), + user=quoted_key(self.RBAC_USERS[idx]), domain=quoted_key(user_domain))) + rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role1, self.RBAC_USERS[idx], + self.RBAC_PROJECTS[ldx], user_domain, rw_rbac_int_proxy) + self.rbac_internal_check(mgmt_session, xpath.format(role=quoted_key(role1), project=quoted_key(self.RBAC_PROJECTS[ldx]), + user=quoted_key(self.RBAC_USERS[idx]), domain=quoted_key(user_domain))) + # Deleting the four projects and then checking rw-rbac-internal + for project_name in self.RBAC_PROJECTS: + rift.auto.mano.delete_project(rw_conman_proxy, project_name) + print ("Deleting project: {}".format(project_name)) + self.DELETED_PROJECTS_TRACKER.add(project_name) + + for idx in range(0, 4): + fdx = project_order[idx] + ldx = project_order[idx + 1] + role = self.project_roles[2 * idx] + role1 = self.project_roles[(2 * idx) + 1] + + with pytest.raises(Exception, message="This user {} (with this role {} and project {}) shouldn't be on rbac-internal." + .format(self.RBAC_USERS[idx], role, self.RBAC_PROJECTS[fdx])) as excinfo: + self.rbac_internal_check(mgmt_session, xpath.format(role=quoted_key(role), project=quoted_key(self.RBAC_PROJECTS[fdx]), + user=quoted_key(self.RBAC_USERS[idx]), domain=quoted_key(user_domain))) + with pytest.raises(Exception, message="This user {} (with this role {} and project {}) shouldn't be on rbac-internal." + .format(self.RBAC_USERS[idx], role1, self.RBAC_PROJECTS[ldx])) as excinfo: + self.rbac_internal_check(mgmt_session, xpath.format(role=quoted_key(role1), project=quoted_key(self.RBAC_PROJECTS[ldx]), + user=quoted_key(self.RBAC_USERS[idx]), domain=quoted_key(user_domain))) + + def test_roles_revoke(self, rw_conman_proxy, rw_user_proxy, rbac_platform_proxy, rw_project_proxy, + rbac_user_passwd, user_domain, rw_rbac_int_proxy): + """Assigning all the roles and then revoking them""" + + # Creating users and assigning each of them a role + rift.auto.mano.create_project(rw_conman_proxy, 'test01') + for incrementor, role in enumerate(self.project_roles + self.platform_roles, 1): + user_name = 'test_user_{}'.format(incrementor) + rift.auto.mano.create_user(rw_user_proxy, user_name, rbac_user_passwd, user_domain) + + if 'platform' in role: + rift.auto.mano.assign_platform_role_to_user(rbac_platform_proxy, role, user_name, user_domain, rw_rbac_int_proxy) + else: + + rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role, user_name, 'test01', user_domain, rw_rbac_int_proxy) + + # Removing the assigned roles from each user + for incrementor, role in enumerate(self.project_roles + self.platform_roles, 1): + user_name = 'test_user_{}'.format(incrementor) + if 'platform' in role: + rift.auto.mano.revoke_platform_role_from_user(rbac_platform_proxy, role, user_name, user_domain) + rift.auto.mano.revoke_user_from_platform_config(rbac_platform_proxy, user_name, user_domain) + else: + rift.auto.mano.revoke_project_role_from_user(rw_project_proxy, role, user_name, 'test01', user_domain) + + def test_misbehaviours( + self, rw_user_proxy, rbac_user_passwd, user_domain, + session_class, confd_host, tbac, rw_rbac_int_proxy): + """Verify if bad credentials can cause any problems.""" + rift.auto.mano.create_user( + rw_user_proxy, 'testuser', rbac_user_passwd, user_domain) + # Trying to login with an incorrect password multiple times + counter = 1 + while(counter < 4): + with pytest.raises( + Exception, + message="User was able to login with the wrong password" + ): + rift.auto.mano.get_session( + session_class, confd_host, 'testuser', 'wrong_password', + timeout=5) + counter += 1 + + # Trying to login with INAVLID_LOGIN_CREDENTIALS + for uname, passwd in self.INAVLID_LOGIN_CREDENTIALS.items(): + with pytest.raises( + Exception, + message="User logged im with invalid login credentials" + ): + rift.auto.mano.get_session( + session_class, confd_host, uname, passwd, timeout=5) + # Creating a user with POSSIBLY_PROBLEMATIC_CREDENTIALS + if tbac: + for uname, passwd in self.POSSIBLY_PROBLEMATIC_CREDENTIALS.items(): + rift.auto.mano.create_user( + rw_user_proxy, uname, + passwd[0], + passwd[1] + ) + else: + for uname, passwd in self.POSSIBLY_PROBLEMATIC_CREDENTIALS.items(): + rift.auto.mano.create_user( + rw_user_proxy, uname, + passwd[0], + user_domain + ) + # Creating a user with INVALID_CREDENTIALS + for username, password in self.INVALID_CREDENTIALS.items(): + with pytest.raises( + Exception, + message="User created with invalid credentials" + ): + rift.auto.mano.create_user( + rw_user_proxy, username, password, user_domain) + # Delete the users created with POSSIBLY_PROBLEMATIC_CREDENTIALS + if tbac: + for uname, domain in self.POSSIBLY_PROBLEMATIC_CREDENTIALS.items(): + rift.auto.mano.delete_user( + rw_user_proxy, uname, + domain[1] + ) + else: + for uname, passwd in self.POSSIBLY_PROBLEMATIC_CREDENTIALS.items(): + rift.auto.mano.delete_user( + rw_user_proxy, uname, user_domain + ) + + def test_project_keys( + self, rw_project_proxy, rbac_user_passwd, session_class, + confd_host): + """Trying to access/create various projects with bad project keys.""" + # Checking if INVALID_PROJECT_KEYS can be accessed. + for project_name in self.INVALID_PROJECT_KEYS: + project_cm_config_xpath = '/project[name={project_name}]/project-state' + project_ = rw_project_proxy.get_config( + project_cm_config_xpath.format( + project_name=quoted_key(project_name) + ), + list_obj=True + ) + assert project_ is None + # Trying to create projects with INVALID_PROJECT_CREATE_KEYS + for project_name in self.INVALID_PROJECT_CREATE_KEYS: + with pytest.raises( + Exception, + message="Project created with the INVALID_PROJECT_CREATE_KEYS" + ): + rift.auto.mano.create_project(rw_conman_proxy, project_name) + # These POSSIBLY_PROBLEMATIC_KEYS should not cause any error in theory. + for project_name in self.POSSIBLY_PROBLEMATIC_KEYS: + rift.auto.mano.create_project(rw_project_proxy, project_name) + # User trying to access a project he has no access to. + user_session = rift.auto.mano.get_session( + session_class, confd_host, 'test_user_11', rbac_user_passwd) + pxy = user_session.proxy(RwConmanYang) + project_ = pxy.get_config( + project_cm_config_xpath.format( + project_name=quoted_key('test01') + ) + ) + assert project_ is None + rift.auto.mano.close_session(user_session) + + def test_project_testing(self, rw_conman_proxy, rw_user_proxy, rw_project_proxy, rbac_user_passwd, user_domain, rw_rbac_int_proxy): + """Multiple projects creation, deletion, re-addition with verification every step of the way""" + + # Creating projects and users for this test case + for idx in range(1,5): + project_name = 'testing_project_{}'.format(idx) + rift.auto.mano.create_project(rw_conman_proxy, project_name) + self.TEST_PROJECTS.append(project_name) + if project_name in self.DELETED_PROJECTS_TRACKER: + self.DELETED_PROJECTS_TRACKER.remove(project_name) + + for idx in range(1,9): + rift.auto.mano.create_user(rw_user_proxy, 'testing_user_{}'.format(idx), rbac_user_passwd, user_domain) + self.TEST_USERS.append('testing_user_{}'.format(idx)) + + # Assigning project roles to users + for idx in range(0,8): + role = self.project_roles[idx] + rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role, self.TEST_USERS[idx], + self.TEST_PROJECTS[idx//2], user_domain, rw_rbac_int_proxy) + + # Deleting all test projects + for project_name in self.TEST_PROJECTS: + rift.auto.mano.delete_project(rw_conman_proxy, project_name) + self.DELETED_PROJECTS_TRACKER.add(project_name) + + # Recreating all the deleted projects + for project_name in self.TEST_PROJECTS: + rift.auto.mano.create_project(rw_conman_proxy, project_name) + if project_name in self.DELETED_PROJECTS_TRACKER: + self.DELETED_PROJECTS_TRACKER.remove(project_name) + + # Check if the recreated projects have the old users assigned to them still. + for idx in range(0,8): + role = self.project_roles[idx] + role_keyed_path = "/project[name={project}]/project-config/user[user-name={user}][user-domain={domain}]/role[role={user_role}]" + role_ = rw_project_proxy.get_config(role_keyed_path.format(project=quoted_key(self.TEST_PROJECTS[idx//2]), + user=quoted_key(self.TEST_USERS[idx]), domain=quoted_key(user_domain), user_role=quoted_key(role))) + assert role_ is None, "This user shouldn't exist in this project which was just created" + + # Reassigning the old users to their old roles. + for idx in range(0,8): + role = self.project_roles[idx] + rift.auto.mano.assign_project_role_to_user(rw_project_proxy, role, self.TEST_USERS[idx], + self.TEST_PROJECTS[idx//2], user_domain, rw_rbac_int_proxy) + + +@pytest.mark.depends('rbac_setup') +@pytest.mark.teardown('rbac_setup') +@pytest.mark.incremental +class TestTeardown(object): + """Class Teardown.""" + + def test_delete_projects(self, rw_conman_proxy): + invalid_projects = TestIdentity.POSSIBLY_PROBLEMATIC_KEYS + ['test01'] + valid_projects = TestIdentity.TEST_PROJECTS + TestIdentity.RBAC_PROJECTS + all_projects = valid_projects + invalid_projects + + for project_name in all_projects: + try: + rift.auto.mano.delete_project(rw_conman_proxy, project_name) + except rift.auto.session.ProxyRequestError as e: + if project_name in TestIdentity.DELETED_PROJECTS_TRACKER: + print ("Project {} is already deleted".format(project_name)) + elif project_name not in invalid_projects: + print ("Failed to delete project: {}".format(project_name)) + raise e + + def test_delete_users(self, rw_user_proxy, rbac_platform_proxy, user_domain): + users_test_data = ['testuser'] + for incrementor, role in enumerate(TestIdentity.project_roles + TestIdentity.platform_roles, 1): + users_test_data.append('test_user_{}'.format(incrementor)) + + for user in TestIdentity.platform_users: + users_test_data.append(user) + + # Deletes the users + for user in users_test_data+TestIdentity.RBAC_USERS+TestIdentity.TEST_USERS: + try: + keyed_path = "/rbac-platform-config/user[user-name={user}][user-domain={domain}]" + platform_cfg_ent = rbac_platform_proxy.get_config(keyed_path.format(user=quoted_key(user), domain=quoted_key(user_domain))) + + if platform_cfg_ent is not None: + # Delete from the platform-config first. + rift.auto.mano.revoke_user_from_platform_config(rbac_platform_proxy, user, user_domain) + rift.auto.mano.delete_user(rw_user_proxy, user, user_domain) + + except rift.auto.session.ProxyRequestError as e: + if user not in TestIdentity.INAVLID_LOGIN_CREDENTIALS: + print ("Deletion of user {} failed".format(user)) + raise e + else: + print ("Expected error deleting invalid user {}".format(user))