Expand Designate RBAC testing - Quotas
This patch adds RBAC testing for allowed and disallowed credentials.
This is one of a series of patches adding testing. This patch covers the
quotas API.
Depends-On: https://review.opendev.org/c/openstack/designate/+/834975
Change-Id: If65926433b64316adba5fb29ec945b84de77951f
diff --git a/designate_tempest_plugin/tests/api/v2/test_quotas.py b/designate_tempest_plugin/tests/api/v2/test_quotas.py
index d7b86fa..83b9fdd 100644
--- a/designate_tempest_plugin/tests/api/v2/test_quotas.py
+++ b/designate_tempest_plugin/tests/api/v2/test_quotas.py
@@ -29,7 +29,8 @@
class QuotasV2Test(base.BaseDnsV2Test):
- credentials = ["primary", "admin", "system_admin", "alt"]
+ credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+ "project_member", "project_reader"]
@classmethod
def setup_credentials(cls):
@@ -90,10 +91,28 @@
'Failed, the value of:{} is:{}, expected integer'.format(
quota_type, quota_value))
+ expected_allowed = ['os_admin', 'os_primary', 'os_alt']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_system_admin', 'os_system_reader',
+ 'os_project_member', 'os_project_reader'])
+
+ self.check_list_show_with_ID_RBAC_enforcement(
+ 'QuotasClient', 'show_quotas', expected_allowed, False)
+
@decorators.idempotent_id('0448b089-5803-4ce3-8a6c-5c15ff75a2cc')
def test_reset_quotas(self):
self._store_quotas(project_id=self.quotas_client.project_id)
+
LOG.info("Deleting (reset) quotas")
+
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_system_admin'])
+
+ self.check_CUD_RBAC_enforcement(
+ 'QuotasClient', 'delete_quotas', expected_allowed, False,
+ project_id=self.quotas_client.project_id)
+
body = self.admin_client.delete_quotas(
project_id=self.quotas_client.project_id,
headers=self.all_projects_header)[1]
@@ -103,16 +122,21 @@
@decorators.idempotent_id('76d24c87-1b39-4e19-947c-c08e1380dc61')
def test_update_quotas(self):
- if CONF.enforce_scope.designate:
- raise self.skipException(
- "System scoped tokens do not have a project_id.")
-
- self._store_quotas(project_id=self.admin_client.project_id)
+ self._store_quotas(project_id=self.quotas_client.project_id)
LOG.info("Updating quotas")
quotas = dns_data_utils.rand_quotas()
body = self.admin_client.update_quotas(
- project_id=self.admin_client.project_id,
- **quotas)[1]
+ project_id=self.quotas_client.project_id,
+ **quotas, headers=self.all_projects_header)[1]
+
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.extend(['os_system_admin'])
+
+ self.check_CUD_RBAC_enforcement(
+ 'QuotasClient', 'update_quotas', expected_allowed, False,
+ project_id=self.quotas_client.project_id,
+ **quotas, headers=self.all_projects_header)
LOG.info("Ensuring the response has all quota types")
self.assertExpected(quotas, body, [])
diff --git a/designate_tempest_plugin/tests/rbac_utils.py b/designate_tempest_plugin/tests/rbac_utils.py
index a0148bb..fa66410 100644
--- a/designate_tempest_plugin/tests/rbac_utils.py
+++ b/designate_tempest_plugin/tests/rbac_utils.py
@@ -33,8 +33,15 @@
method = getattr(client_obj, method_str)
return method
+ def _get_client_project_id(self, cred_obj, client_str):
+ """Get project ID for the credential."""
+ dns_clients = getattr(cred_obj, 'dns_v2')
+ client = getattr(dns_clients, client_str)
+ client_obj = client()
+ return client_obj.project_id
+
def _check_allowed(self, client_str, method_str, allowed_list,
- *args, **kwargs):
+ with_project, *args, **kwargs):
"""Test an API call allowed RBAC enforcement.
:param client_str: The service client to use for the test, without the
@@ -43,6 +50,7 @@
Example: 'list_zones'
:param allowed_list: The list of credentials expected to be
allowed. Example: ['primary'].
+ :param with_project: When true, pass the project ID to the call.
:param args: Any positional parameters needed by the method.
:param kwargs: Any named parameters needed by the method.
:raises AssertionError: Raised if the RBAC tests fail.
@@ -69,8 +77,12 @@
'credentials setup. This is likely a bug in the '
'test.'.format(cred))
method = self._get_client_method(cred_obj, client_str, method_str)
+ project_id = self._get_client_project_id(cred_obj, client_str)
try:
- method(*args, **kwargs)
+ if with_project:
+ method(project_id, *args, **kwargs)
+ else:
+ method(*args, **kwargs)
except exceptions.Forbidden as e:
self.fail('Method {}.{} failed to allow access via RBAC using '
'credential {}. Error: {}'.format(
@@ -81,7 +93,7 @@
client_str, method_str, cred, str(e)))
def _check_disallowed(self, client_str, method_str, allowed_list,
- expect_404, *args, **kwargs):
+ expect_404, with_project, *args, **kwargs):
"""Test an API call disallowed RBAC enforcement.
:param client_str: The service client to use for the test, without the
@@ -91,6 +103,7 @@
:param allowed_list: The list of credentials expected to be
allowed. Example: ['primary'].
:param expect_404: When True, 404 responses are considered ok.
+ :param with_project: When true, pass the project ID to the call.
:param args: Any positional parameters needed by the method.
:param kwargs: Any named parameters needed by the method.
:raises AssertionError: Raised if the RBAC tests fail.
@@ -105,6 +118,7 @@
for cred in expected_disallowed:
cred_obj = getattr(self, cred)
method = self._get_client_method(cred_obj, client_str, method_str)
+ project_id = self._get_client_project_id(cred_obj, client_str)
# Unfortunately tempest uses testtools assertRaises[1] which means
# we cannot use the unittest assertRaises context[2] with msg= to
@@ -120,7 +134,10 @@
# unittest.html#unittest.TestCase.assertRaises
# [3] https://github.com/testing-cabal/testtools/issues/235
try:
- method(*args, **kwargs)
+ if with_project:
+ method(project_id, *args, **kwargs)
+ else:
+ method(*args, **kwargs)
except exceptions.Forbidden:
continue
except exceptions.NotFound:
@@ -158,15 +175,16 @@
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
- expect_404, *args, **kwargs)
+ expect_404, False, *args, **kwargs)
# #### Test that allowed credentials can access the API.
- self._check_allowed(client_str, method_str, allowed_list,
+ self._check_allowed(client_str, method_str, allowed_list, False,
*args, **kwargs)
- def check_CUD_RBAC_enforcement(self, client_str, method_str,
- expected_allowed, *args, **kwargs):
- """Test an API create/update/delete call RBAC enforcement.
+ def check_list_show_with_ID_RBAC_enforcement(self, client_str, method_str,
+ expected_allowed, expect_404,
+ *args, **kwargs):
+ """Test list or show API call passing the project ID RBAC enforcement.
:param client_str: The service client to use for the test, without the
credential. Example: 'ZonesClient'
@@ -174,6 +192,7 @@
Example: 'list_zones'
:param expected_allowed: The list of credentials expected to be
allowed. Example: ['primary'].
+ :param expect_404: When True, 404 responses are considered ok.
:param args: Any positional parameters needed by the method.
:param kwargs: Any named parameters needed by the method.
:raises AssertionError: Raised if the RBAC tests fail.
@@ -188,7 +207,39 @@
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
- *args, **kwargs)
+ expect_404, True, *args, **kwargs)
+
+ # #### Test that allowed credentials can access the API.
+ self._check_allowed(client_str, method_str, allowed_list, True,
+ *args, **kwargs)
+
+ def check_CUD_RBAC_enforcement(self, client_str, method_str,
+ expected_allowed, expect_404,
+ *args, **kwargs):
+ """Test an API create/update/delete call RBAC enforcement.
+
+ :param client_str: The service client to use for the test, without the
+ credential. Example: 'ZonesClient'
+ :param method_str: The method on the client to call for the test.
+ Example: 'list_zones'
+ :param expected_allowed: The list of credentials expected to be
+ allowed. Example: ['primary'].
+ :param expect_404: When True, 404 responses are considered ok.
+ :param args: Any positional parameters needed by the method.
+ :param kwargs: Any named parameters needed by the method.
+ :raises AssertionError: Raised if the RBAC tests fail.
+ :raises Forbidden: Raised if a credential that should have access does
+ not and is denied.
+ :raises InvalidScope: Raised if a credential that should have the
+ correct scope for access is denied.
+ :returns: None on success
+ """
+
+ allowed_list = copy.deepcopy(expected_allowed)
+
+ # #### Test that disallowed credentials cannot access the API.
+ self._check_disallowed(client_str, method_str, allowed_list,
+ expect_404, False, *args, **kwargs)
def check_list_RBAC_enforcement_count(
self, client_str, method_str, expected_allowed, expected_count,