Add secure-rbac tests for Orders across projects
This patch adds rbac tests to the Orders resource to test
access across different projects.
Change-Id: I4fe67821696263f570c097c610e5f37114b5d76e
diff --git a/barbican_tempest_plugin/tests/rbac/v1/base.py b/barbican_tempest_plugin/tests/rbac/v1/base.py
index c03adb2..235636c 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/base.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/base.py
@@ -73,14 +73,13 @@
data_utils.rand_name()
)['project']['id']
cls._created_projects.append(project_id)
- setattr(cls, 'os_project_admin',
- cls._setup_new_user_client(project_id, 'admin'))
- setattr(cls, 'os_project_member',
- cls._setup_new_user_client(project_id, 'member'))
- setattr(cls, 'os_project_reader',
- cls._setup_new_user_client(project_id, 'reader'))
- setattr(cls, 'os_project_other_member',
- cls._setup_new_user_client(project_id, 'member'))
+ cls.os_project_admin = cls._setup_new_user_client(project_id, 'admin')
+ cls.os_project_member = cls._setup_new_user_client(project_id,
+ 'member')
+ cls.os_project_other_member = cls._setup_new_user_client(project_id,
+ 'member')
+ cls.os_project_reader = cls._setup_new_user_client(project_id,
+ 'reader')
@classmethod
def _setup_new_user_client(cls, project_id, role):
@@ -158,9 +157,18 @@
container_client=cls.container_client
)
cls.quota_client = member.secret_v1.QuotaClient()
+
# set up clients for member persona associated with a different
# project
- cls.other_client = cls.os_project_alt_member.secret_v1.SecretClient()
+ cls.other_secret_client = \
+ cls.os_project_alt_member.secret_v1.SecretClient()
+ cls.other_container_client = \
+ cls.os_project_alt_member.secret_v1.ContainerClient()
+ cls.other_order_client = \
+ cls.os_project_alt_member.secret_v1.OrderClient(
+ secret_client=cls.other_secret_client,
+ container_client=cls.other_container_client
+ )
@classmethod
def resource_setup(cls):
@@ -185,7 +193,8 @@
cls.order_client,
cls.admin_secret_client,
cls.admin_order_client,
- cls.other_client]:
+ cls.other_secret_client,
+ cls.other_order_client]:
client.cleanup()
finally:
super(BarbicanV1RbacBase, cls).resource_cleanup()
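Review bot: `cls.other_container_client`, which this commit creates in `setup_clients`, is not added to the cleanup loop here; only `cls.other_secret_client` and `cls.other_order_client` are. If a cross-project test later creates a container through it, nothing visible in this list would remove that container from the other project, so consider adding `cls.other_container_client,` next to the two new entries. The start of the list and of `resource_cleanup` lie outside the hunk, so whether the primary container client is already handled this way cannot be confirmed from here.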
@@ -253,27 +262,25 @@
if payload is not None:
kwargs['payload'] = payload
kwargs['payload_content_type'] = 'text/plain'
- resp = self.other_client.create_secret(**kwargs)
- return self.other_client.ref_to_uuid(resp['secret_ref'])
+ resp = self.other_secret_client.create_secret(**kwargs)
+ return self.other_secret_client.ref_to_uuid(resp['secret_ref'])
- def create_key_order(self, name=None):
+ def create_test_order(self, client, order_name):
"""Create a symmetric key order for testing
- The new order is created using the default
- member persona.
+ The new order is created using the given
+ client.
:returns: the uuid for the new order
"""
- meta = {
- 'algorithm': 'AES',
- 'bit_length': 256,
- 'mode': 'CBC'
- }
- if name is not None:
- meta['name'] = name
kwargs = {
'type': 'key',
- 'meta': meta
+ 'meta': {
+ 'name': order_name,
+ 'algorithm': 'AES',
+ 'bit_length': 256,
+ 'mode': 'CBC',
+ }
}
- resp = self.order_client.create_order(**kwargs)
- return self.order_client.ref_to_uuid(resp['order_ref'])
+ resp = client.create_order(**kwargs)
+ return client.ref_to_uuid(resp['order_ref'])
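Review bot: The docstring of `create_test_order` does not document its two new required parameters, even though the choice of `client` now decides which project owns the order, and the cross-project tests depend on that. Add `:param client: OrderClient used to create the order; the order belongs to that client's project` and `:param order_name: value stored as the name in the order's meta`. Since `create_key_order` is removed rather than kept as an alias, any caller outside this diff would need the same update; none is visible here.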
diff --git a/barbican_tempest_plugin/tests/rbac/v1/test_orders.py b/barbican_tempest_plugin/tests/rbac/v1/test_orders.py
index 5eadfa3..964d95d 100644
--- a/barbican_tempest_plugin/tests/rbac/v1/test_orders.py
+++ b/barbican_tempest_plugin/tests/rbac/v1/test_orders.py
@@ -58,45 +58,28 @@
"""
raise NotImplementedError
+ @abc.abstractmethod
+ def test_get_other_project_order(self):
+ """Test get_order policy
-class ProjectMemberTests(base.BarbicanV1RbacBase, BarbicanV1RbacOrders):
+ Testing GET /v1/orders/{order-id}
+ This test must check:
+ * whether persona can get order information
+ for an order that belongs to a different
+ project
+ """
+ raise NotImplementedError
- @classmethod
- def setup_clients(cls):
- super().setup_clients()
- cls.client = cls.os_project_member.secret_v1.OrderClient()
+ @abc.abstractmethod
+ def test_delete_other_project_order(self):
+ """Test delete_order policy
- def test_list_orders(self):
- _ = self.create_key_order('test_list_orders')
- resp = self.client.list_orders()
- self.assertGreaterEqual(len(resp['orders']), 1)
-
- def test_create_order(self):
- self.client.create_order(
- name='create_order', type='key',
- meta={
- 'name': 'create_orders_s',
- 'algorithm': 'aes',
- 'bit_length': 256,
- 'mode': 'cbc',
- })
-
- def test_get_order(self):
- order_id = self.create_key_order('test_get_order')
- resp = self.client.get_order(order_id)
- self.assertEqual(order_id, self.client.ref_to_uuid(resp['order_ref']))
-
- def test_delete_order(self):
- order_id = self.create_key_order('test_delete_order')
- self.client.delete_order(order_id)
-
-
-class ProjectAdminTests(ProjectMemberTests):
-
- @classmethod
- def setup_clients(cls):
- super().setup_clients()
- cls.client = cls.os_project_admin.secret_v1.OrderClient()
+ Testing DELETE /v1/orders/{order-id}
+ This test must check:
+ * whether persona can delete orders
+ that belong to a different project
+ """
+ raise NotImplementedError
class ProjectReaderTests(base.BarbicanV1RbacBase, BarbicanV1RbacOrders):
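Review bot: The abstract contract gains cross-project checks for getting and deleting a single order, but none for listing, so a persona that could see another project's orders in the listing would still pass this suite. The only visible list test, `ProjectMemberTests.test_list_orders`, asserts just `len(resp['orders']) >= 1`. Consider adding an abstract cross-project list test whose implementations create an order with `self.other_order_client` and assert that its id is absent from `self.client.list_orders()`. The class that holds these abstract methods begins outside the hunk.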
@@ -112,25 +95,74 @@
def test_create_order(self):
self.assertRaises(
exceptions.Forbidden,
- self.client.create_order,
- name='test_create_order', type='key',
- meta={
- 'name': 'create_orders_s',
- 'algorithm': 'aes',
- 'bit_length': 256,
- 'mode': 'cbc',
- })
+ self.create_test_order,
+ self.client,
+ 'create_orders_s'
+ )
def test_get_order(self):
- order_id = self.create_key_order('test_get_order')
+ order_id = self.create_test_order(self.order_client, 'test_get_order')
self.assertRaises(
exceptions.Forbidden,
self.client.get_order,
order_id=order_id)
def test_delete_order(self):
- order_id = self.create_key_order('test_delete_order')
+ order_id = self.create_test_order(self.order_client,
+ 'test_delete_order')
self.assertRaises(
exceptions.Forbidden,
self.client.delete_order,
order_id=order_id)
+
+ def test_get_other_project_order(self):
+ order_id = self.create_test_order(
+ self.other_order_client,
+ 'test_get_other_project_order')
+ self.assertRaises(
+ exceptions.NotFound,
+ self.client.get_order,
+ order_id)
+
+ def test_delete_other_project_order(self):
+ order_id = self.create_test_order(
+ self.other_order_client,
+ 'test_delete_other_project_order')
+ self.assertRaises(
+ exceptions.NotFound,
+ self.client.delete_order,
+ order_id)
+
+
+class ProjectMemberTests(ProjectReaderTests):
+
+ @classmethod
+ def setup_clients(cls):
+ super().setup_clients()
+ cls.client = cls.os_project_member.secret_v1.OrderClient()
+
+ def test_list_orders(self):
+ _ = self.create_test_order(self.order_client, 'test_list_orders')
+ resp = self.client.list_orders()
+ self.assertGreaterEqual(len(resp['orders']), 1)
+
+ def test_create_order(self):
+ self.create_test_order(self.client, 'create_orders_s')
+
+ def test_get_order(self):
+ order_id = self.create_test_order(self.order_client, 'test_get_order')
+ resp = self.client.get_order(order_id)
+ self.assertEqual(order_id, self.client.ref_to_uuid(resp['order_ref']))
+
+ def test_delete_order(self):
+ order_id = self.create_test_order(self.order_client,
+ 'test_delete_order')
+ self.client.delete_order(order_id)
+
+
+class ProjectAdminTests(ProjectMemberTests):
+
+ @classmethod
+ def setup_clients(cls):
+ super().setup_clients()
+ cls.client = cls.os_project_admin.secret_v1.OrderClient()
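Review bot: `test_get_other_project_order` and `test_delete_other_project_order` assert only that the call raises `exceptions.NotFound`, which is also what a wrong or already-removed `order_id` would produce. They therefore do not show on their own that the other project's order was left intact. After the `assertRaises` in the delete test, add `self.other_order_client.get_order(order_id)` so the test fails if the order was removed despite the error response. `ProjectMemberTests` now derives from `ProjectReaderTests`, and `ProjectAdminTests` from it, so both inherit these two tests unchanged and the same gap applies to all three personas.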