Merge "Expand Designate RBAC testing - Pools"
diff --git a/designate_tempest_plugin/tests/api/v2/test_pool.py b/designate_tempest_plugin/tests/api/v2/test_pool.py
index 60af204..144f0d6 100644
--- a/designate_tempest_plugin/tests/api/v2/test_pool.py
+++ b/designate_tempest_plugin/tests/api/v2/test_pool.py
@@ -36,7 +36,8 @@
class PoolAdminTest(BasePoolTest):
- credentials = ["admin", "system_admin"]
+ credentials = ["admin", "primary", "system_admin", "system_reader",
+ "project_member", "project_reader", "alt"]
@classmethod
def setup_credentials(cls):
@@ -72,6 +73,16 @@
self.assertEqual(pool_data["name"], pool['name'])
self.assertExpected(pool_data, pool, self.excluded_keys)
+ # Test RBAC
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.append('os_system_admin')
+
+ self.check_CUD_RBAC_enforcement(
+ 'PoolClient', 'create_pool', expected_allowed, False,
+ pool_name=pool_data["name"], ns_records=pool_data["ns_records"],
+ project_id=pool_data["project_id"])
+
@decorators.idempotent_id('e80eb70a-8ee5-40eb-b06e-599597a8ab7e')
def test_show_pool(self):
LOG.info('Create a pool')
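Review bot: The expected-role lists are asymmetric and nothing in the test says why. With `enforce_new_defaults` on, create_pool is expected to succeed for both `os_admin` and `os_system_admin`, while the show_pool and list_pools hunks replace `os_admin` with `os_system_admin` under the same flag. The same append pattern is repeated in the delete_pool and update_pool hunks. If the write paths really keep the legacy admin while the reads do not, a comment above `expected_allowed = ['os_admin']` such as `# Legacy admin keeps write access under the new defaults; only reads move to system scope.` would document it; if it is unintended, the test locks in a wider write policy than planned. The enclosing test method starts above this hunk.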
@@ -88,6 +99,20 @@
self._assertExpectedNSRecords(pool["ns_records"], body["ns_records"],
expected_key="priority")
+ # TODO(johnsom) Test reader roles once this bug is fixed.
+ # https://bugs.launchpad.net/tempest/+bug/1964509
+ # Test RBAC
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin']
+
+ # TODO(johnsom) The pools API seems inconsistent with the requirement
+ # of the all-projects header.
+ self.check_list_show_RBAC_enforcement(
+ 'PoolClient', 'show_pool', expected_allowed, True, pool['id'],
+ headers=self.all_projects_header)
+
@decorators.idempotent_id('d8c4c377-5d88-452d-a4d2-c004d72e1abe')
def test_delete_pool(self):
LOG.info('Create a pool')
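Review bot: The show_pool check only runs with `headers=self.all_projects_header`, and the TODO above it says the header requirement looks inconsistent, so how each role is treated without the header is left unpinned. The reader-role TODO cites a bug but this one does not; I would give it the same treatment, e.g. `# TODO(johnsom) Pools API all-projects header handling is inconsistent, see <bug URL to be filed>`, and add a header-less check once the expected behaviour is agreed. Until the reader bug is fixed, `os_system_reader` is absent from `expected_allowed` here and in the list_pools hunk; presumably the helper then expects it to be denied, which is worth confirming against the policy. The enclosing test method begins outside this hunk.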
@@ -104,6 +129,14 @@
lambda: self.admin_client.show_pool(
pool['id'], headers=self.all_projects_header))
+ # Test RBAC
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.append('os_system_admin')
+
+ self.check_CUD_RBAC_enforcement(
+ 'PoolClient', 'delete_pool', expected_allowed, False, pool['id'])
+
@decorators.idempotent_id('77c85b40-83b2-4c17-9fbf-e6d516cfce90')
def test_list_pools(self):
LOG.info('Create a pool')
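Review bot: The delete_pool RBAC check appears to run after the pool is already gone. The context lines just above it are the tail of an assertion that `show_pool` fails for `pool['id']`, so every role is exercised against an id that no longer exists. Whether a denied role then gets Forbidden or NotFound depends on whether policy is enforced before the object lookup, and whether the helper tolerates NotFound for the allowed roles is not visible here. If that is intended, say so with a comment such as `# Pool is already deleted; allowed roles are expected to hit NotFound, denied roles Forbidden.`; otherwise create a separate pool for the RBAC check. The enclosing test method begins outside this hunk.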
@@ -117,6 +150,18 @@
self.assertGreater(len(body['pools']), 0)
+ # TODO(johnsom) Test reader roles once this bug is fixed.
+ # https://bugs.launchpad.net/tempest/+bug/1964509
+ # Test RBAC
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin']
+
+ self.check_list_IDs_RBAC_enforcement(
+ 'PoolClient', 'list_pools', expected_allowed, [pool['id']],
+ headers=self.all_projects_header)
+
@decorators.idempotent_id('fdcc84ce-af65-4af6-a5fc-6c50acbea0f0')
def test_update_pool(self):
LOG.info('Create a pool')
@@ -131,6 +176,15 @@
self.assertEqual("foo", patch_pool["name"])
+ # Test RBAC
+ expected_allowed = ['os_admin']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.append('os_system_admin')
+
+ self.check_CUD_RBAC_enforcement(
+ 'PoolClient', 'update_pool', expected_allowed, True,
+ pool['id'], pool_name="test-name")
+
@decorators.idempotent_id('41ad6a84-00ce-4a04-9fd5-b7c15c31e2db')
def test_list_pools_dot_json_fails(self):
uri = self.admin_client.get_uri('pools.json')