Expand Designate RBAC testing - zones
This patch adds RBAC testing for allowed and disallowed credentials.
This is one of a series of patches adding testing. This patch covers the
zones API.
Change-Id: I2312e0e4293b60d9644f8c0d3a41e0b5f330c20d
diff --git a/designate_tempest_plugin/tests/rbac_utils.py b/designate_tempest_plugin/tests/rbac_utils.py
index e02fdf1..a0148bb 100644
--- a/designate_tempest_plugin/tests/rbac_utils.py
+++ b/designate_tempest_plugin/tests/rbac_utils.py
@@ -75,9 +75,13 @@
self.fail('Method {}.{} failed to allow access via RBAC using '
'credential {}. Error: {}'.format(
client_str, method_str, cred, str(e)))
+ except exceptions.NotFound as e:
+ self.fail('Method {}.{} failed to allow access via RBAC using '
+ 'credential {}. Error: {}'.format(
+ client_str, method_str, cred, str(e)))
def _check_disallowed(self, client_str, method_str, allowed_list,
- *args, **kwargs):
+ expect_404, *args, **kwargs):
"""Test an API call disallowed RBAC enforcement.
:param client_str: The service client to use for the test, without the
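Review bot: `expect_404` is added as a required positional parameter ahead of `*args` in `_check_disallowed`, and the same is done to `check_list_show_RBAC_enforcement` in the third hunk. Any existing caller that forwards positional API arguments would have its first argument bound to `expect_404`, and a truthy value such as a zone ID would silently relax the deny check instead of raising an error. The callers are not visible here, so the series may already update them. A keyword-only form keeps old call sites valid and makes the relaxation explicit where it is used: `def _check_disallowed(self, client_str, method_str, allowed_list, *args, expect_404=False, **kwargs):`. Both `_check_allowed` and `_check_disallowed` extend beyond this hunk.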
@@ -86,6 +90,7 @@
Example: 'list_zones'
:param allowed_list: The list of credentials expected to be
allowed. Example: ['primary'].
+ :param expect_404: When True, 404 responses are considered ok.
:param args: Any positional parameters needed by the method.
:param kwargs: Any named parameters needed by the method.
:raises AssertionError: Raised if the RBAC tests fail.
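Review bot: The new docstring line "404 responses are considered ok" does not say for which credentials or what "ok" means, and the identical line is added to `check_list_show_RBAC_enforcement` in the fourth hunk. From the handler added in the third hunk, the flag only affects disallowed credentials: a NotFound is counted as a successful denial when it is True and is re-raised otherwise. Suggested wording: `:param expect_404: When True, a 404 (NotFound) returned to a disallowed credential is treated as access denied, for APIs that hide resource existence; when False, NotFound is re-raised.` The docstring starts and ends outside this hunk.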
@@ -118,11 +123,18 @@
method(*args, **kwargs)
except exceptions.Forbidden:
continue
+ except exceptions.NotFound:
+ # Some APIs hide that the resource exists by returning 404
+ # on permission denied.
+ if expect_404:
+ continue
+ raise
self.fail('Method {}.{} failed to deny access via RBAC using '
'credential {}.'.format(client_str, method_str, cred))
def check_list_show_RBAC_enforcement(self, client_str, method_str,
- expected_allowed, *args, **kwargs):
+ expected_allowed, expect_404,
+ *args, **kwargs):
"""Test list or show API call RBAC enforcement.
:param client_str: The service client to use for the test, without the
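Review bot: With `expect_404` set, the new `except exceptions.NotFound` branch accepts any 404 as proof of denial, so a call made with a wrong or already-deleted resource ID passes the deny check without the policy being exercised. The NotFound failure added to `_check_allowed` in the first hunk appears to cover this only when at least one allowed credential is run against the same arguments. That dependency is worth recording in the comment, e.g. `# NOTE: a 404 for a missing resource looks the same as a policy 404; the resource must exist.` Separately, the bare `raise` surfaces a raw NotFound without the client, method and credential that every other failure path reports through `self.fail(...)`. `_check_disallowed` begins before this hunk and `check_list_show_RBAC_enforcement` continues after it.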
@@ -131,6 +143,7 @@
Example: 'list_zones'
:param expected_allowed: The list of credentials expected to be
allowed. Example: ['primary'].
+ :param expect_404: When True, 404 responses are considered ok.
:param args: Any positional parameters needed by the method.
:param kwargs: Any named parameters needed by the method.
:raises AssertionError: Raised if the RBAC tests fail.
@@ -145,7 +158,7 @@
# #### Test that disallowed credentials cannot access the API.
self._check_disallowed(client_str, method_str, allowed_list,
- *args, **kwargs)
+ expect_404, *args, **kwargs)
# #### Test that allowed credentials can access the API.
self._check_allowed(client_str, method_str, allowed_list,