Add secure-rbac test for Container ACL API

This patch adds policy tests for the Containers ACL API.

Change-Id: I4e01c0e7f93f52c72faadb9d2a8317f9f553904b
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_containers.py b/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
index 951a9a5..95b37a1 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_containers.py
@@ -65,9 +65,8 @@
 
     @abc.abstractmethod
     def test_get_container_acl(self):
-        """Test get_container_acl policy
+        """Test GET /v1/containers/{container-id}/acl
 
-        Testing: GET /v1/containers/{container-id}/acl
         This test must check:
           * whether the persona can get a containers acl
         """
@@ -75,9 +74,8 @@
 
     @abc.abstractmethod
     def test_update_container_acl(self):
-        """Test update_container_acl policy
+        """Test PATCH /v1/containers/{container-id}/acl
 
-        Testing: PATCH /v1/containers/{container-id}/acl
         This test must check:
           * whether the persona can update an existing containers acl
         """
@@ -85,9 +83,8 @@
 
     @abc.abstractmethod
     def test_create_container_acl(self):
-        """Test create_container_acl policy
+        """Test PUT /v1/containers/{container-id}/acl
 
-        Testing: PUT /v1/containers/{container-id}/acl
         This test must check:
           * whether the persona can create a containers acl
         """
@@ -95,9 +92,8 @@
 
     @abc.abstractmethod
     def test_delete_container_acl(self):
-        """Test delete_container_acl policy
+        """Test DELETE /v1/containers/{container-id}/acl
 
-        Testing: DELETE /v1/containers/{container-id}/acl
         This test must check:
           * whether the persona can delete a containers acl
         """
@@ -183,6 +179,12 @@
         self.container_id = self.create_test_container(
             self.container_client,
             data_utils.rand_name('test-containers'))
+        self.valid_acl = {
+            'read': {
+                'users': [self.other_secret_client.user_id],
+                'project-access': True
+            }
+        }
 
     def test_list_containers(self):
         self.assertRaises(
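Review bot: The `valid_acl` fixture added here sets `'project-access': True`, which appears to match the default a container reports before any ACL is set, so only the `users` list lets a test tell a stored ACL from the default one. The create, update and delete tests in this change therefore cannot show whether the `project-access` flag was written or reset. Either use `'project-access': False` in the fixture and assert on it after PUT and DELETE, or add a comment such as `# project-access is left at its default; only 'users' is asserted on`. The setUp method this belongs to starts outside the hunk, so check that no other test relies on project-wide access to the container.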
@@ -207,16 +209,30 @@
             container_id=self.container_id)
 
     def test_get_container_acl(self):
-        pass
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.client.get_container_acl,
+            self.container_id)
 
     def test_update_container_acl(self):
-        pass
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.client.patch_container_acl,
+            self.container_id,
+            self.valid_acl)
 
     def test_create_container_acl(self):
-        pass
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.client.put_container_acl,
+            self.container_id,
+            self.valid_acl)
 
     def test_delete_container_acl(self):
-        pass
+        self.assertRaises(
+            exceptions.Forbidden,
+            self.client.delete_container,
+            self.container_id)
 
     def test_list_container_consumers(self):
         resp = self.create_empty_container_admin(
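Review bot: `test_delete_container_acl` passes `self.client.delete_container` to `assertRaises`, so it exercises the container delete policy and never calls the ACL delete endpoint. The line should read `self.client.delete_container_acl,`, the method the positive test later in this patch uses. As written, a policy regression that let this persona delete container ACLs would still pass, because `Forbidden` comes from the container delete rule. The other three negative tests call the matching `*_container_acl` methods. The enclosing class starts outside the hunk.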
@@ -329,6 +345,42 @@
                       for sr in resp['secret_refs']]
         self.assertNotIn(self.secret_id, secret_ids)
 
+    def test_get_container_acl(self):
+        resp = self.client.get_container_acl(self.container_id)
+        self.assertIn('read', resp.keys())
+
+    def test_create_container_acl(self):
+        _ = self.client.put_container_acl(self.container_id, self.valid_acl)
+
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertIn(self.other_secret_client.user_id, acl['read']['users'])
+
+    def test_update_container_acl(self):
+        _ = self.client.put_container_acl(self.container_id, self.valid_acl)
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertIn(self.other_secret_client.user_id, acl['read']['users'])
+        clear_users_acl = {
+            'read': {
+                'users': []
+            }
+        }
+
+        _ = self.client.patch_container_acl(self.container_id, clear_users_acl)
+
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertNotIn(self.other_secret_client.user_id,
+                         acl['read']['users'])
+
+    def test_delete_container_acl(self):
+        _ = self.client.put_container_acl(self.container_id, self.valid_acl)
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertIn(self.other_secret_client.user_id, acl['read']['users'])
+
+        _ = self.client.delete_container_acl(self.container_id)
+
+        acl = self.client.get_container_acl(self.container_id)
+        self.assertNotIn('users', acl['read'].keys())
+
 
 class ProjectAdminTests(ProjectMemberTests):