From 12bde9d9ad22031ca8e94a709c3612e59803bd9e Mon Sep 17 00:00:00 2001
From: Anton Sidelnikov <53078276+anton-sidelnikov@users.noreply.github.com>
Date: Thu, 28 Nov 2024 11:29:34 +0100
Subject: [PATCH] [Feat.] IAM protection policy update (#762)

---
 .../identity/v3.0/critical_operations_test.go | 61 +++++++++++++++++++
 .../security/GetOperationProtectionPolicy.go | 12 +++-
 .../UpdateOperationProtectionPolicy.go | 25 +++++++-
 3 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 acceptance/openstack/identity/v3.0/critical_operations_test.go

diff --git a/acceptance/openstack/identity/v3.0/critical_operations_test.go b/acceptance/openstack/identity/v3.0/critical_operations_test.go
new file mode 100644
index 000000000..d3e6c331d
--- /dev/null
+++ b/acceptance/openstack/identity/v3.0/critical_operations_test.go
@@ -0,0 +1,61 @@
+package v3
+
+import (
+ "os"
+ "testing"
+
+ "github.com/opentelekomcloud/gophertelekomcloud/acceptance/clients"
+ "github.com/opentelekomcloud/gophertelekomcloud/openstack/common/pointerto"
+ "github.com/opentelekomcloud/gophertelekomcloud/openstack/identity/v3.0/security"
+ th "github.com/opentelekomcloud/gophertelekomcloud/testhelper"
+)
+
+func TestCriticalOperationsLifecycle(t *testing.T) {
+ if os.Getenv("OS_TENANT_ADMIN") == "" {
+ t.Skip("Policy doesn't allow NewIdentityV3AdminClient() to be initialized.")
+ }
+ client, err := clients.NewIdentityV30AdminClient()
+ th.AssertNoErr(t, err)
+
+ t.Logf("Attempting to GET Operation Protection Policy for domain: %s", client.DomainID)
+ opPolicy, err := security.GetOperationProtectionPolicy(client, client.DomainID)
+ th.AssertNoErr(t, err)
+ th.AssertEquals(t, false, *opPolicy.OperationProtection)
+ th.AssertEquals(t, "off", opPolicy.AdminCheck)
+ th.AssertEquals(t, true, *opPolicy.AllowUser.ManageAccessKey)
+ th.AssertEquals(t, true, *opPolicy.AllowUser.ManageEmail)
+ th.AssertEquals(t, true, *opPolicy.AllowUser.ManageMobile)
+ th.AssertEquals(t, true, *opPolicy.AllowUser.ManagePassword)
+
+ t.Logf("Attempting to Update Operation Protection Policy for domain: %s", client.DomainID)
+ opPolicyOpts := security.UpdateProtectionPolicyOpts{
+ OperationProtection: pointerto.Bool(true),
+ AllowUser: &security.AllowUser{
+ ManageAccessKey: pointerto.Bool(false),
+ ManageEmail: pointerto.Bool(false),
+ ManageMobile: pointerto.Bool(false),
+ ManagePassword: pointerto.Bool(false),
+ },
+ }
+
+ _, err = security.UpdateOperationProtectionPolicy(client, client.DomainID, opPolicyOpts)
+ th.AssertNoErr(t, err)
+
+ t.Logf("Attempting to Revert Operation Protection Policy to initial state for domain: %s", client.DomainID)
+ opPolicyRevertOpts := security.UpdateProtectionPolicyOpts{
+ OperationProtection: pointerto.Bool(false),
+ AllowUser: &security.AllowUser{
+ ManageAccessKey: pointerto.Bool(true),
+ ManageEmail: pointerto.Bool(true),
+ ManageMobile: pointerto.Bool(true),
+ ManagePassword: pointerto.Bool(true),
+ },
+ }
+ _, err = security.UpdateOperationProtectionPolicy(client, client.DomainID, opPolicyRevertOpts)
+ th.AssertNoErr(t, err)
+
+ t.Logf("Attempting to GET Operation Protection Policy for domain: %s", client.DomainID)
+ opPolicyReverted, err := security.GetOperationProtectionPolicy(client, client.DomainID)
+ th.AssertNoErr(t, err)
+ th.AssertEquals(t, *opPolicyReverted.OperationProtection, *opPolicy.OperationProtection)
+}
diff --git a/openstack/identity/v3.0/security/GetOperationProtectionPolicy.go b/openstack/identity/v3.0/security/GetOperationProtectionPolicy.go
index d68c3081b..f3e3bcbcb 100644
--- a/openstack/identity/v3.0/security/GetOperationProtectionPolicy.go
+++ b/openstack/identity/v3.0/security/GetOperationProtectionPolicy.go
@@ -7,7 +7,17 @@ import (
 
 type ProtectionPolicy struct {
 // Indicates whether operation protection has been enabled. The value can be true or false.
- OperationProtection *bool `json:"operation_protection" required:"true"`
+ OperationProtection *bool `json:"operation_protection"`
+ // Specifies whether a person is designated for verification.
+ AdminCheck string `json:"admin_check"`
+ // The verification method
+ Scene string `json:"scene"`
+ // The IAM attributes which user can modify
+ AllowUser *AllowUser `json:"allow_user"`
+ // Specifies mobile number used for verification
+ Mobile string `json:"mobile"`
+ // Specifies email address used for verification
+ Email string `json:"email"`
 }
 
 func GetOperationProtectionPolicy(client *golangsdk.ServiceClient, id string) (*ProtectionPolicy, error) {
diff --git a/openstack/identity/v3.0/security/UpdateOperationProtectionPolicy.go b/openstack/identity/v3.0/security/UpdateOperationProtectionPolicy.go
index 2f01be0eb..9460346c2 100644
--- a/openstack/identity/v3.0/security/UpdateOperationProtectionPolicy.go
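Review bot: The revert in TestCriticalOperationsLifecycle only runs on the happy path — if `th.AssertNoErr` or any assertion between the first `UpdateOperationProtectionPolicy` call and `opPolicyRevertOpts` fails, the test aborts and the domain is left with operation protection enabled and all four `AllowUser` flags off, a persistent change to a shared IAM tenant. Register the restore with `t.Cleanup` right after the first successful GET and build it from the fetched `opPolicy` rather than the hard-coded true/false literals, which also drops the assumption that the account starts from the default policy (`false`/`"off"`/all `true`). `opPolicy.AllowUser` is a pointer, so the `*opPolicy.AllowUser.Manage…` dereferences panic instead of failing the test when the response carries no `allow_user`; an explicit `if opPolicy.AllowUser == nil { t.Fatal("allow_user missing from response") }` before them is cheaper to read than a stack trace. With the restore in the cleanup, the explicit revert block and its Logf can go, and the final GET can assert that the update actually took effect (`OperationProtection` true and the `AllowUser` flags false) instead of only comparing `OperationProtection` with its starting value.
```go
	opPolicy, err := security.GetOperationProtectionPolicy(client, client.DomainID)
	th.AssertNoErr(t, err)
	// Restore whatever policy the domain had, even if a later assertion fails,
	// so a shared tenant is not left with protection on and self-service off.
	t.Cleanup(func() {
		_, err := security.UpdateOperationProtectionPolicy(client, client.DomainID, security.UpdateProtectionPolicyOpts{
			OperationProtection: opPolicy.OperationProtection,
			AllowUser:           opPolicy.AllowUser,
		})
		th.AssertNoErr(t, err)
	})
	// … unchanged: initial-state assertions, update with protection enabled, final GET …
```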
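Review bot: The new field comments on `ProtectionPolicy` omit the value sets that this same commit documents on the request side: `Scene` gets only `// The verification method` and `AdminCheck` names no values, so a reader of the response type cannot tell `"off"` from `"on"` or `"mobile"` from `"email"` without opening UpdateOperationProtectionPolicy.go. Suggest `// AdminCheck specifies whether a designated person performs verification; "on" or "off".` and `// Scene is the verification method used when AdminCheck is on; "mobile" or "email".`, and starting each comment with the field name per Go doc convention. `AllowUser` is a pointer, so it is nil when the response omits `allow_user`; saying so in its comment (`// AllowUser is nil when the response carries no allow_user object.`) would spare callers the dereference the acceptance test currently performs unguarded. The body of GetOperationProtectionPolicy continues outside the hunk.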
+++ b/openstack/identity/v3.0/security/UpdateOperationProtectionPolicy.go
@@ -8,7 +8,30 @@ import (
 
 type UpdateProtectionPolicyOpts struct {
 // Indicates whether operation protection has been enabled. The value can be true or false.
- OperationProtection *bool `json:"operation_protection"`
+ OperationProtection *bool `json:"operation_protection" required:"true"`
+ // Specifies the IAM attributes which user can modify
+ AllowUser *AllowUser `json:"allow_user,omitempty"`
+ // Specifies whether a person is designated for verification.
+ // Valid options are the on and off.
+ AdminCheck string `json:"admin_check,omitempty"`
+ // Specifies mobile number used for verification
+ Mobile string `json:"mobile,omitempty"`
+ // Specifies email address used for verification
+ Email string `json:"email,omitempty"`
+ // Specifies the verification method. This parameter is mandatory when admin_check is set to on.
+ // The valid options are mobile and email.
+ Scene string `json:"scene,omitempty"`
+}
+
+type AllowUser struct {
+ // Specifies whether IAM users are allowed to manage access keys.
+ ManageAccessKey *bool `json:"manage_accesskey,omitempty"`
+ // Specifies whether IAM users are allowed to change their email addresses.
+ ManageEmail *bool `json:"manage_email,omitempty"`
+ // Specifies whether IAM users are allowed to change their mobile numbers.
+ ManageMobile *bool `json:"manage_mobile,omitempty"`
+ // Specifies whether IAM users are allowed to change their passwords.
+ ManagePassword *bool `json:"manage_password,omitempty"`
 }
 
 func UpdateOperationProtectionPolicy(client *golangsdk.ServiceClient, id string, opts UpdateProtectionPolicyOpts) (*ProtectionPolicy, error) {
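Review bot: `Scene` is documented as mandatory when `AdminCheck` is `on`, but nothing in `UpdateProtectionPolicyOpts` enforces the pairing, so a caller who turns on designated-person verification without a scene only learns of it from the service's rejection — for a setting that gates critical IAM operations it is worth failing fast at the top of UpdateOperationProtectionPolicy (its body lies outside the hunk) with `if opts.AdminCheck == "on" && opts.Scene == "" { return nil, errors.New("scene is required when admin_check is on") }`, adding `errors` to the import block if it is not already there. The `required:"true"` tag moved onto the `*bool` here is presumably honored by the request-body builder in the function body, which is not visible; if so, the field comment should say that a nil `OperationProtection` is rejected before the request is sent, e.g. `// OperationProtection must be non-nil; a nil value is rejected client-side.` `AllowUser` is declared in this file but is also the type of `ProtectionPolicy.AllowUser` in GetOperationProtectionPolicy.go, and a one-line `// AllowUser is shared by the GET response and the update request.` would make that coupling visible to whoever next edits either struct.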