Expand Designate RBAC testing - TLDs
This patch adds RBAC testing for allowed and disallowed credentials.
This is one of a series of patches adding testing. This patch covers the
tld API.
Change-Id: I85d1f7013f1596c4998486bb6539725fb20770ef
diff --git a/designate_tempest_plugin/tests/api/v2/test_tld.py b/designate_tempest_plugin/tests/api/v2/test_tld.py
index d5d584c..16711e4 100644
--- a/designate_tempest_plugin/tests/api/v2/test_tld.py
+++ b/designate_tempest_plugin/tests/api/v2/test_tld.py
@@ -29,7 +29,8 @@
class TldAdminTest(BaseTldTest):
- credentials = ["admin", "system_admin", "primary"]
+ credentials = ["admin", "system_admin", "system_reader",
+ "primary", "alt", "project_reader", "project_member"]
# Use a TLD suffix unique to this test class.
local_tld_suffix = '.'.join(["tldadmintest", CONF.dns.tld_suffix])
@@ -67,6 +68,14 @@
self.assertEqual(tld_name, tld['name'])
+ # Test RBAC
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.append('os_system_admin')
+
+ self.check_CUD_RBAC_enforcement('TldClient', 'create_tld',
+ expected_allowed, False)
+
@decorators.idempotent_id('961bd2e8-d4d0-11eb-b8ee-74e5f9e2a801')
def test_create_duplicated_tlds(self):
tld_name = self._generate_tld_name("test_create_duplicated_tlds")
@@ -139,6 +148,15 @@
LOG.info('Ensure the fetched response matches the created tld')
self.assertExpected(tld, body, self.excluded_keys)
+ # Test RBAC
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin']
+
+ self.check_list_show_RBAC_enforcement(
+ 'TldClient', 'show_tld', expected_allowed, False, tld['id'])
+
@decorators.idempotent_id('26708cb8-7126-48a7-9424-1c225e56e609')
def test_delete_tld(self):
LOG.info('Create a tld')
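Review bot: Under `enforce_new_defaults` the `show_tld` expectation becomes `['os_system_admin', 'os_system_reader']` and drops `os_admin`, while the create, delete and update checks in this patch keep `os_admin` and only append `os_system_admin`. As written, the tests pin a policy where a project-scoped admin may modify TLDs but may not read them, which looks unintended for a deployment-wide resource. The same split appears in the `list_tlds` hunk. If it reflects the current policy defaults, a short comment above the branch would help, for example `# new defaults: reads are system-scoped only; os_admin write access is kept deliberately`, so a later policy change is not mistaken for a test bug.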
@@ -150,8 +168,16 @@
LOG.info('Delete the tld')
self.admin_client.delete_tld(tld['id'])
- self.assertRaises(lib_exc.NotFound,
- lambda: self.admin_client.show_tld(tld['id']))
+ self.assertRaises(lib_exc.NotFound, self.admin_client.show_tld,
+ tld['id'])
+
+ # Test RBAC
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.append('os_system_admin')
+
+ self.check_CUD_RBAC_enforcement('TldClient', 'delete_tld',
+ expected_allowed, False, tld['id'])
@decorators.idempotent_id('95b13759-c85c-4791-829b-9591ca15779d')
def test_list_tlds(self):
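Review bot: The `delete_tld` RBAC check runs after `self.admin_client.delete_tld(tld['id'])` and the `NotFound` assertion, so every credential is exercised against an ID that no longer exists. A disallowed credential is then only shown to be rejected if the service enforces policy before it looks the TLD up, and the test never shows that such a credential cannot delete a live TLD. The helper is outside this hunk, so how it treats `NotFound` for allowed credentials cannot be checked from here. Consider running the RBAC check on a TLD that still exists (created for that purpose and cleaned up afterwards), or add a comment such as `# TLD already deleted: relies on policy being enforced before the lookup`.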
@@ -165,6 +191,16 @@
self.assertGreater(len(body['tlds']), 0)
+ # Test RBAC
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin']
+
+ self.check_list_IDs_RBAC_enforcement(
+ 'TldClient', 'list_tlds', expected_allowed, [tld['id']],
+ params={'limit': 1000})
+
@decorators.idempotent_id('1a233812-48d9-4d15-af5e-9961744286ff')
def test_update_tld(self):
tld_name = self._generate_tld_name("test_update_tld")
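Review bot: `params={'limit': 1000}` is an unexplained constant. The check expects `tld['id']` in each allowed credential's listing, so it fails for a reason unrelated to RBAC once the deployment holds more TLDs than fit in that page. A comment such as `# large limit so the TLD created above is returned on the first page` would record the intent; filtering the listing by name would be more robust, if the API supports it. Note also that `tld` is assigned outside this hunk, and that this helper call takes no boolean argument, unlike the other RBAC calls in the patch.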
@@ -185,6 +221,15 @@
self.assertEqual(tld_name_2, patch_tld["name"])
self.assertEqual(tld_data["description"], patch_tld["description"])
+ # Test RBAC
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.append('os_system_admin')
+
+ self.check_CUD_RBAC_enforcement(
+ 'TldClient', 'update_tld', expected_allowed, False, tld['id'],
+ tld_data['name'], tld_data['description'])
+
@decorators.idempotent_id('8116dcf5-a329-47d1-90be-5ff32f299c53')
def test_list_tlds_dot_json_fails(self):
uri = self.admin_client.get_uri('tlds.json')