[Feat.] IAM protection policy update (#762)

opentelekomcloud · Nov 28, 2024 · 12bde9d · 12bde9d
1 parent b592238
commit 12bde9d
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 2 deletions.
diff --git a/acceptance/openstack/identity/v3.0/critical_operations_test.go b/acceptance/openstack/identity/v3.0/critical_operations_test.go
@@ -0,0 +1,61 @@
+package v3
+
+import (
+	"os"
+	"testing"
+
+	"github.com/opentelekomcloud/gophertelekomcloud/acceptance/clients"
+	"github.com/opentelekomcloud/gophertelekomcloud/openstack/common/pointerto"
+	"github.com/opentelekomcloud/gophertelekomcloud/openstack/identity/v3.0/security"
+	th "github.com/opentelekomcloud/gophertelekomcloud/testhelper"
+)
+
+func TestCriticalOperationsLifecycle(t *testing.T) {
+	if os.Getenv("OS_TENANT_ADMIN") == "" {
+		t.Skip("Policy doesn't allow NewIdentityV3AdminClient() to be initialized.")
+	}
+	client, err := clients.NewIdentityV30AdminClient()
+	th.AssertNoErr(t, err)
+
+	t.Logf("Attempting to GET Operation Protection Policy for domain: %s", client.DomainID)
+	opPolicy, err := security.GetOperationProtectionPolicy(client, client.DomainID)
+	th.AssertNoErr(t, err)
+	th.AssertEquals(t, false, *opPolicy.OperationProtection)
+	th.AssertEquals(t, "off", opPolicy.AdminCheck)
+	th.AssertEquals(t, true, *opPolicy.AllowUser.ManageAccessKey)
+	th.AssertEquals(t, true, *opPolicy.AllowUser.ManageEmail)
+	th.AssertEquals(t, true, *opPolicy.AllowUser.ManageMobile)
+	th.AssertEquals(t, true, *opPolicy.AllowUser.ManagePassword)
+
+	t.Logf("Attempting to Update Operation Protection Policy for domain: %s", client.DomainID)
+	opPolicyOpts := security.UpdateProtectionPolicyOpts{
+		OperationProtection: pointerto.Bool(true),
+		AllowUser: &security.AllowUser{
+			ManageAccessKey: pointerto.Bool(false),
+			ManageEmail:     pointerto.Bool(false),
+			ManageMobile:    pointerto.Bool(false),
+			ManagePassword:  pointerto.Bool(false),
+		},
+	}
+
+	_, err = security.UpdateOperationProtectionPolicy(client, client.DomainID, opPolicyOpts)
+	th.AssertNoErr(t, err)
+
+	t.Logf("Attempting to Revert Operation Protection Policy to initial state for domain: %s", client.DomainID)
+	opPolicyRevertOpts := security.UpdateProtectionPolicyOpts{
+		OperationProtection: pointerto.Bool(false),
+		AllowUser: &security.AllowUser{
+			ManageAccessKey: pointerto.Bool(true),
+			ManageEmail:     pointerto.Bool(true),
+			ManageMobile:    pointerto.Bool(true),
+			ManagePassword:  pointerto.Bool(true),
+		},
+	}
+	_, err = security.UpdateOperationProtectionPolicy(client, client.DomainID, opPolicyRevertOpts)
+	th.AssertNoErr(t, err)
+
+	t.Logf("Attempting to GET Operation Protection Policy for domain: %s", client.DomainID)
+	opPolicyReverted, err := security.GetOperationProtectionPolicy(client, client.DomainID)
+	th.AssertNoErr(t, err)
+	th.AssertEquals(t, *opPolicyReverted.OperationProtection, *opPolicy.OperationProtection)
+}
diff --git a/openstack/identity/v3.0/security/GetOperationProtectionPolicy.go b/openstack/identity/v3.0/security/GetOperationProtectionPolicy.go
@@ -7,7 +7,17 @@ import (
 
 type ProtectionPolicy struct {
 	// Indicates whether operation protection has been enabled. The value can be true or false.
-	OperationProtection *bool `json:"operation_protection" required:"true"`
+	OperationProtection *bool `json:"operation_protection"`
+	// Specifies whether a person is designated for verification.
+	AdminCheck string `json:"admin_check"`
+	// The verification method
+	Scene string `json:"scene"`
+	// The IAM attributes which user can modify
+	AllowUser *AllowUser `json:"allow_user"`
+	// Specifies mobile number used for verification
+	Mobile string `json:"mobile"`
+	// Specifies email address used for verification
+	Email string `json:"email"`
 }
 
 func GetOperationProtectionPolicy(client *golangsdk.ServiceClient, id string) (*ProtectionPolicy, error) {

diff --git a/openstack/identity/v3.0/security/UpdateOperationProtectionPolicy.go b/openstack/identity/v3.0/security/UpdateOperationProtectionPolicy.go
@@ -8,7 +8,30 @@ import (
 
 type UpdateProtectionPolicyOpts struct {
 	// Indicates whether operation protection has been enabled. The value can be true or false.
-	OperationProtection *bool `json:"operation_protection"`
+	OperationProtection *bool `json:"operation_protection" required:"true"`
+	// Specifies the IAM attributes which user can modify
+	AllowUser *AllowUser `json:"allow_user,omitempty"`
+	// Specifies whether a person is designated for verification.
+	// Valid options are the on and off.
+	AdminCheck string `json:"admin_check,omitempty"`
+	// Specifies mobile number used for verification
+	Mobile string `json:"mobile,omitempty"`
+	// Specifies email address used for verification
+	Email string `json:"email,omitempty"`
+	// Specifies the verification method. This parameter is mandatory when admin_check is set to on.
+	// The valid options are mobile and email.
+	Scene string `json:"scene,omitempty"`
+}
+
+type AllowUser struct {
+	// Specifies whether IAM users are allowed to manage access keys.
+	ManageAccessKey *bool `json:"manage_accesskey,omitempty"`
+	// Specifies whether IAM users are allowed to change their email addresses.
+	ManageEmail *bool `json:"manage_email,omitempty"`
+	// Specifies whether IAM users are allowed to change their mobile numbers.
+	ManageMobile *bool `json:"manage_mobile,omitempty"`
+	// Specifies whether IAM users are allowed to change their passwords.
+	ManagePassword *bool `json:"manage_password,omitempty"`
 }
 
 func UpdateOperationProtectionPolicy(client *golangsdk.ServiceClient, id string, opts UpdateProtectionPolicyOpts) (*ProtectionPolicy, error) {