Expand Designate RBAC testing - zone transfer acc
This patch adds RBAC testing for allowed and disallowed credentials.
This is one of a series of patches adding testing. This patch covers the
zone transfer accept API.
This patch also updates the list_transfer_accept service client to
return results consistent with the other "list" service clients.
Change-Id: I0a6145e8b348fdbe68dd5518dc7b6720fbaae8db
diff --git a/designate_tempest_plugin/services/dns/v2/json/transfer_accepts_client.py b/designate_tempest_plugin/services/dns/v2/json/transfer_accepts_client.py
index 753ffc2..9ee060d 100644
--- a/designate_tempest_plugin/services/dns/v2/json/transfer_accepts_client.py
+++ b/designate_tempest_plugin/services/dns/v2/json/transfer_accepts_client.py
@@ -66,5 +66,4 @@
:return: List of accepted zone transfers
"""
return self._list_request(
- 'zones/tasks/transfer_accepts', params=params,
- headers=headers)[1]['transfer_accepts']
+ 'zones/tasks/transfer_accepts', params=params, headers=headers)
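Review bot: The `:return:` line of the docstring just above the change still says `List of accepted zone transfers`, but the method now hands back the `_list_request` result without indexing into it, and the updated callers in test_transfer_accepts.py select `[1]['transfer_accepts']` from it, so the value is a response/body pair rather than a list. Replace the line with `:return: Response and body of the list call; body['transfer_accepts'] holds the accepted zone transfers.` The method's signature is outside the hunk, and any caller of `list_transfer_accept` in a module this diff does not touch would break if it still iterates the result directly; whether such a caller exists is not visible here.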
diff --git a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
index 87f359d..7696291 100644
--- a/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
+++ b/designate_tempest_plugin/tests/api/v2/test_transfer_accepts.py
@@ -53,7 +53,8 @@
class TransferAcceptTest(BaseTransferAcceptTest):
- credentials = ["primary", "alt", "admin", "system_admin"]
+ credentials = ["primary", "alt", "admin", "system_admin", "system_reader",
+ "project_member", "project_reader"]
@classmethod
def setup_credentials(cls):
@@ -114,6 +115,21 @@
"key": transfer_request['key'],
"zone_transfer_request_id": transfer_request['id']
}
+
+ # Test RBAC
+ # Note: Everyone can call this API and succeed if they know the
+ # transfer key.
+ expected_allowed = ['os_admin', 'os_primary', 'os_alt']
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed.append('os_system_admin')
+ expected_allowed.append('os_system_reader')
+ expected_allowed.append('os_project_member')
+ expected_allowed.append('os_project_reader')
+
+ self.check_CUD_RBAC_enforcement(
+ 'TransferAcceptClient', 'create_transfer_accept',
+ expected_allowed, True, data)
+
LOG.info('Create a zone transfer_accept')
_, transfer_accept = self.prm_accept_client.create_transfer_accept(
data)
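Review bot: Lines 40-43 grow `expected_allowed` with four consecutive `append` calls; a single `expected_allowed.extend(['os_system_admin', 'os_system_reader', 'os_project_member', 'os_project_reader'])` is shorter and matches the list-literal style the rest of the patch uses for `expected_allowed`. The note at lines 36-37 would be more useful if it said what the check is verifying, since it tells us the key is what authorizes the call: `# Note: the transfer key, not the caller's role, authorizes the accept, so no credential is expected to be forbidden.` Whether the enforcement helper's calls actually accept the transfer before the create with prm_accept_client a few lines later is not visible in this diff; if they do, the comment should also say that the later create runs against an already-accepted request. The enclosing test method starts outside the hunk.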
@@ -159,6 +175,25 @@
'created transfer_accept')
self.assertExpected(transfer_accept, body, self.excluded_keys)
+ # TODO(johnsom) Test reader role once this bug is fixed:
+ # https://bugs.launchpad.net/tempest/+bug/1964509
+ # Test RBAC
+ expected_allowed = ['os_primary']
+
+ self.check_list_show_RBAC_enforcement(
+ 'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
+ True, transfer_accept['id'])
+
+ # Test RBAC with x-auth-all-projects
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin']
+
+ self.check_list_show_RBAC_enforcement(
+ 'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
+ True, transfer_accept['id'], headers=self.all_projects_header)
+
@decorators.idempotent_id('89b516f0-8c9f-11eb-a322-74e5f9e2a801')
def test_ownership_transferred_zone(self):
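Review bot: The `if CONF.dns_feature_enabled.enforce_new_defaults:` / `expected_allowed = ['os_system_admin']` / `else: expected_allowed = ['os_admin']` block at lines 65-68 is repeated verbatim at lines 93-96 and 138-141 in the later hunks; a small helper on the base class, or one attribute computed once in setup, would keep the three copies from drifting when the policy defaults change again. The first show check at lines 58-62 expects only `os_primary` and does not say why `os_admin` is excluded without a scope header; a one-line comment stating the reason (presumably that the record belongs to the primary project, which performed the accept earlier in the method) would make the pair of checks self-explanatory. The enclosing test method starts outside the hunk.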
@@ -241,6 +276,30 @@
self.assertEqual('COMPLETE', transfer_accept['status'])
transfer_request_ids.append(transfer_accept['id'])
+ # TODO(johnsom) Test reader role once this bug is fixed:
+ # https://bugs.launchpad.net/tempest/+bug/1964509
+ # Test RBAC - Users that are allowed to call list, but should get
+ # zero zones.
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed = ['os_system_admin', 'os_system_reader']
+ else:
+ expected_allowed = ['os_admin']
+
+ self.check_list_RBAC_enforcement_count(
+ 'TransferAcceptClient', 'list_transfer_accept',
+ expected_allowed, 0)
+
+ # Test that users who should see the zone, can see it.
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin']
+
+ self.check_list_IDs_RBAC_enforcement(
+ 'TransferAcceptClient', 'list_transfer_accept',
+ expected_allowed, transfer_request_ids,
+ headers=self.all_projects_header)
+
# As Admin list all accepted zone transfers, expected:
# each previously transferred zone is listed.
# Note: This is an all-projects list call, so other tests running
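Review bot: The comment at lines 81-82 says the listed credentials "should get zero zones", but `list_transfer_accept` returns transfer accepts, not zones; change it to `# Test RBAC - Users that are allowed to call list, but should get zero transfer accepts.` The zero-count check at lines 88-90 is a project-scoped list, so it presumably depends on no other test having created transfer accepts in the admin or system project; if that assumption holds only because of how the other tests are written, a short comment next to the check, like the parallel-run note already present for the all-projects list, would record it. The enclosing test method starts and ends outside the hunk.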
@@ -250,7 +309,8 @@
admin_client_accept_ids = [
item['id'] for item in
self.admin_accept_client.list_transfer_accept(
- headers=self.all_projects_header, params={'limit': 1000})]
+ headers=self.all_projects_header,
+ params={'limit': 1000})[1]['transfer_accepts']]
for tr_id in transfer_request_ids:
self.assertIn(
tr_id, admin_client_accept_ids,
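Review bot: The `[1]['transfer_accepts']` indexing added here, at line 121 and at line 130 is repeated three times inside one test method, each time wrapped in the same id-collecting comprehension; a small local helper, e.g. `def _accept_ids(**kw): return [i['id'] for i in self.admin_accept_client.list_transfer_accept(**kw)[1]['transfer_accepts']]`, would leave the three call sites as one line each and give a single place to adjust if the body key ever changes. The change itself follows from the client now returning the response/body pair, so it is correct as far as this file shows; callers in other modules are not visible here. The enclosing test method starts and ends outside the hunk.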
@@ -265,7 +325,7 @@
item['id'] for item in
self.admin_accept_client.list_transfer_accept(
headers=self.all_projects_header,
- params={'status': 'COMPLETE'})]
+ params={'status': 'COMPLETE'})[1]['transfer_accepts']]
for tr_id in transfer_request_ids:
self.assertIn(
tr_id, admin_client_accept_ids,
@@ -282,7 +342,7 @@
item['id'] for item in
self.admin_accept_client.list_transfer_accept(
headers=self.all_projects_header,
- params={'status': not_existing_status})]
+ params={'status': not_existing_status})[1]['transfer_accepts']]
self.assertEmpty(
admin_client_accept_ids,
"Failed, filtered list should be empty, but actually it's not, "
@@ -341,6 +401,18 @@
self.addCleanup(
self.wait_zone_delete, self.alt_zone_client, zone['id'])
+ # Test RBAC with x-auth-sudo-project-id header
+ if CONF.dns_feature_enabled.enforce_new_defaults:
+ expected_allowed = ['os_system_admin']
+ else:
+ expected_allowed = ['os_admin']
+
+ self.check_list_show_RBAC_enforcement(
+ 'TransferAcceptClient', 'show_transfer_accept', expected_allowed,
+ True, transfer_accept['id'],
+ headers={'x-auth-sudo-project-id':
+ self.os_alt.credentials.project_id})
+
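Review bot: The sudo-header check at lines 143-147 targets `self.os_alt.credentials.project_id` without saying why the alt project is the right one; the cleanup registered just above deletes the zone with `self.alt_zone_client`, so the zone now belongs to alt, and a comment such as `# The zone now belongs to the alt project, so sudo into that project to show the accept record.` would spell that out. The `expected_allowed` selection at lines 138-141 is the same block that appears twice earlier in the patch and would benefit from the shared helper suggested there. The enclosing test method starts outside the hunk.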
class TransferAcceptTestNegative(BaseTransferAcceptTest):