authorLance Bragstad <lbragstad@gmail.com>2018-12-06 20:50:28 +0000
committerLance Bragstad <lbragstad@gmail.com>2019-03-19 22:34:15 +0000
commitcf1ce4eb36393cedadb2de2aeba8140c65e09775 (patch)
tree3e220e02ce27f3a0c457028debeab0c0ecc6f787 /keystone/api/users.py
parent9ca599e50610fadc60e1b05c1af37044916575c5 (diff)
Implement domain admin functionality for user API
This commit adds explicit testing to show how users with the admin role on a domain can manage users within their domain. It also modifies the default policies to account for this functionality. A subsequent patch will do the same for project users. Change-Id: I3899e07b857e213f85384ed9c9e4add199290a49 Partial-Bug: 1748027 Partial-Bug: 968696
Diffstat (limited to 'keystone/api/users.py')
-rw-r--r--keystone/api/users.py11
1 files changed, 9 insertions, 2 deletions
diff --git a/keystone/api/users.py b/keystone/api/users.py
index f31b5bf32..7009c8714 100644
--- a/keystone/api/users.py
+++ b/keystone/api/users.py
@@ -181,8 +181,11 @@ class UserResource(ks_flask.ResourceBase):
POST /v3/users
"""
- ENFORCER.enforce_call(action='identity:create_user')
user_data = self.request_body_json.get('user', {})
+ target = {'user': user_data}
+ ENFORCER.enforce_call(
+ action='identity:create_user', target_attr=target
+ )
validation.lazy_validate(schema.user_create, user_data)
user_data = self._normalize_dict(user_data)
user_data = self._normalize_domain_id(user_data)
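Review bot: The policy target in `target = {'user': user_data}` is built from the raw request body, before `validation.lazy_validate` and before `_normalize_domain_id` run. When the body omits `domain_id`, the domain the policy evaluates can therefore differ from the domain the user is finally created in. Whether the `identity:create_user` rule fails closed on a missing `user.domain_id` key is not visible in this hunk, so a test for a domain-scoped admin posting a body without `domain_id` would pin that down. A comment above the target would also help, for example `# Target is the unvalidated request body; the policy must deny when domain_id is absent or not the caller's domain.` The method body continues outside the hunk.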
@@ -196,7 +199,11 @@ class UserResource(ks_flask.ResourceBase):
PATCH /v3/users/{user_id}
"""
- ENFORCER.enforce_call(action='identity:update_user')
+ ENFORCER.enforce_call(
+ action='identity:update_user',
+ build_target=_build_user_target_enforcement
+ )
+ PROVIDERS.identity_api.get_user(user_id)
user_data = self.request_body_json.get('user', {})
validation.lazy_validate(schema.user_update, user_data)
self._require_matching_id(user_data)
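Review bot: The bare `PROVIDERS.identity_api.get_user(user_id)` call after enforcement discards its result and has no comment, so it reads as dead code that a later cleanup could remove. It is presumably an existence check placed after authorization, so that only authorized callers learn whether a user exists. A comment would protect that ordering, for example `# Authorization has already run; now fail if the user does not exist.` Separately, the target comes from `_build_user_target_enforcement`, which is defined outside this hunk, so a `domain_id` supplied in the PATCH body is not visibly part of the policy decision. A test that a domain admin cannot move a user into another domain would cover that.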