Expand Designate RBAC testing - zones import

This patch adds RBAC testing for allowed and disallowed credentials.
This is one of a series of patches adding testing. This patch covers the
zones import API.

Change-Id: I3b7f7eb00a31da5d9f26e71f961ca5300ec17bd2
diff --git a/designate_tempest_plugin/services/dns/v2/json/zone_imports_client.py b/designate_tempest_plugin/services/dns/v2/json/zone_imports_client.py
index 86d9fb1..4fbba2a 100644
--- a/designate_tempest_plugin/services/dns/v2/json/zone_imports_client.py
+++ b/designate_tempest_plugin/services/dns/v2/json/zone_imports_client.py
@@ -66,15 +66,16 @@
             'zones/tasks/imports', params=params, headers=headers)
 
     @base.handle_errors
-    def delete_zone_import(self, uuid, params=None):
+    def delete_zone_import(self, uuid, params=None, headers=None):
         """Deletes a imported zone having the specified UUID.
         :param uuid: The unique identifier of the imported zone.
         :param params: A Python dict that represents the query paramaters to
                        include in the request URI.
+        :param headers (dict): The headers to use for the request.
         :return: A tuple with the server response and the response body.
         """
         resp, body = self._delete_request(
-            'zones/tasks/imports', uuid, params=params)
+            'zones/tasks/imports', uuid, params=params, headers=headers)
 
         # Delete Zone should Return a HTTP 204
         self.expected_success(204, resp.status)
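Review bot: The docstring entry for the new parameter, `:param headers (dict): The headers to use for the request.`, is not valid reST field syntax — Sphinx reads `headers (dict)` as the parameter name, so the type annotation is lost and the entry is not matched to `headers`. The form Sphinx parses is `:param dict headers: The headers to use for the request.`, or `:param headers:` followed by `:type headers: dict`. If the other clients in this plugin already use the `(dict)` spelling it may be kept here for consistency, but it should then be corrected plugin-wide rather than extended; since the docstring is being edited anyway, the `paramaters` typo on the adjacent `:param params:` entry could be fixed in the same change. The method's `return` follows after the hunk.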
diff --git a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
index 09ff4af..34f2538 100644
--- a/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
+++ b/designate_tempest_plugin/tests/api/v2/test_zones_imports.py
@@ -55,7 +55,8 @@
 
 
 class ZonesImportTest(BaseZonesImportTest):
-    credentials = ["primary", "admin", "system_admin", "alt"]
+    credentials = ["primary", "admin", "system_admin", "system_reader", "alt",
+                   "project_member", "project_reader"]
 
     @classmethod
     def setup_credentials(cls):
@@ -97,6 +98,15 @@
         waiters.wait_for_zone_import_status(
             self.client, zone_import['id'], const.COMPLETE)
 
+        # Test with no extra header overrides (sudo-project-id)
+        expected_allowed = ['os_admin', 'os_primary', 'os_alt']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.append('os_system_admin')
+            expected_allowed.append('os_project_member')
+
+        self.check_CUD_RBAC_enforcement(
+            'ZoneImportsClient', 'create_zone_import', expected_allowed, False)
+
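Review bot: Only the no-header case of `create_zone_import` is checked here, while the delete test added in this same commit also runs the `x-auth-all-projects` and `x-auth-sudo-project-id` variants; if the create API honours those overrides, the check that only admin-class credentials may create an import on behalf of another project is missing from this test. The comment `# Test with no extra header overrides (sudo-project-id)` names the header that is not sent, which is ambiguous; `# Test RBAC with no header overrides (x-auth-sudo-project-id not sent)` says the same thing unambiguously. Whether `check_CUD_RBAC_enforcement` actually performs the create for each allowed credential is not visible here; if it does, the imports created by `os_admin`, `os_alt` and the others get no cleanup in this test, which is worth confirming against the helper. `test_create_zone_import` begins before this hunk.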
     @decorators.idempotent_id('31eaf25a-9532-11eb-a55d-74e5f9e2a801')
     def test_create_zone_import_invalid_ttl(self):
         LOG.info('Try to create a zone import using invalid TTL value')
@@ -139,6 +149,25 @@
         LOG.info('Ensure the fetched response matches the expected one')
         self.assertExpected(zone_import, body, self.excluded_keys)
 
+        # TODO(johnsom) Test reader roles once this bug is fixed.
+        #               https://bugs.launchpad.net/tempest/+bug/1964509
+        # Test with no extra header overrides (all_projects, sudo-project-id)
+        expected_allowed = ['os_primary']
+
+        self.check_list_show_RBAC_enforcement(
+            'ZoneImportsClient', 'show_zone_import', expected_allowed, True,
+            zone_import['id'])
+
+        # Test with x-auth-all-projects
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin']
+        else:
+            expected_allowed = ['os_admin']
+
+        self.check_list_show_RBAC_enforcement(
+            'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
+            zone_import['id'], headers=self.all_projects_header)
+
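Review bot: The block `if CONF.dns_feature_enabled.enforce_new_defaults: expected_allowed = ['os_system_admin'] else: expected_allowed = ['os_admin']` is written out here and repeated verbatim in the later hunks of this file (in `test_list_zone_imports`, `test_show_import_impersonate_another_project` and `test_list_import_zones_all_projects`). It encodes one fact — which credential may use the all-projects / sudo header overrides — and a policy change would then need four identical edits. A small helper on the test class removes the repetition; each call site becomes `expected_allowed = self._header_override_admin_creds()`. `test_show_zone_import` begins before this hunk.
```python
    def _header_override_admin_creds(self):
        """Credential names these tests expect to be allowed to use the
        x-auth-all-projects / x-auth-sudo-project-id header overrides.
        """
        if CONF.dns_feature_enabled.enforce_new_defaults:
            return ['os_system_admin']
        return ['os_admin']
```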
     @decorators.idempotent_id('56a16e68-b241-4e41-bc5c-c40747fa68e3')
     def test_delete_zone_import(self):
         LOG.info('Create a zone import')
@@ -154,6 +183,28 @@
                         self.zone_client,
                         zone_import['zone_id'])
 
+        # Test RBAC
+        expected_allowed = ['os_admin', 'os_primary']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.append('os_system_admin')
+
+        self.check_CUD_RBAC_enforcement(
+            'ZoneImportsClient', 'delete_zone_import', expected_allowed, True,
+            zone_import['id'])
+
+        # Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header
+        expected_allowed = ['os_admin', 'os_primary']
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed.append('os_system_admin')
+
+        self.check_CUD_RBAC_enforcement(
+            'ZoneImportsClient', 'delete_zone_import', expected_allowed, False,
+            zone_import['id'], headers=self.all_projects_header)
+        self.check_CUD_RBAC_enforcement(
+            'ZoneImportsClient', 'delete_zone_import', expected_allowed, False,
+            zone_import['id'],
+            headers={'x-auth-sudo-project-id': self.client.project_id})
+
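Review bot: `expected_allowed` is rebuilt under the second comment (`# Test RBAC with x-auth-all-projects and x-auth-sudo-project-id header`) with exactly the contents it already has from the no-header check a few lines above, so the three lines `expected_allowed = ['os_admin', 'os_primary']`, `if CONF.dns_feature_enabled.enforce_new_defaults:` and `expected_allowed.append('os_system_admin')` can be dropped and the comment kept. If the reuse is deliberate, a short comment such as `# Same allowed set applies with the header overrides` makes that intent visible, since the no-header call passes `True` for the scope flag and the header calls pass `False`. `test_delete_zone_import` begins before this hunk.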
         LOG.info('Delete the zone')
         resp, body = self.client.delete_zone_import(zone_import['id'])
 
@@ -179,6 +230,38 @@
 
         self.assertGreater(len(body['imports']), 0)
 
+        # TODO(johnsom) Test reader role once this bug is fixed:
+        #               https://bugs.launchpad.net/tempest/+bug/1964509
+        # Test RBAC - Users that are allowed to call list, but should get
+        #             zero zones.
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin', 'os_system_reader',
+                                'os_admin', 'os_project_member',
+                                'os_project_reader']
+        else:
+            expected_allowed = ['os_alt']
+
+        self.check_list_RBAC_enforcement_count(
+            'ZoneImportsClient', 'list_zone_imports', expected_allowed, 0)
+
+        # Test that users who should see the zone, can see it.
+        expected_allowed = ['os_primary']
+
+        self.check_list_IDs_RBAC_enforcement(
+            'ZoneImportsClient', 'list_zone_imports', expected_allowed,
+            [zone_import['id']])
+
+        # Test RBAC with x-auth-sudo-project-id header
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin']
+        else:
+            expected_allowed = ['os_admin']
+
+        self.check_list_IDs_RBAC_enforcement(
+            'ZoneImportsClient', 'list_zone_imports', expected_allowed,
+            [zone_import['id']],
+            headers={'x-auth-sudo-project-id': self.client.project_id})
+
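Review bot: The legacy-defaults branch of the zero-count list check allows only `os_alt`, so `os_system_reader`, `os_project_member` and `os_project_reader` — the credentials this commit adds to `credentials` — are only exercised when `enforce_new_defaults` is on; whether legacy policy grants them list access is not visible here, but if it does they belong in that `else` list as well, otherwise a short comment on why they are omitted under legacy policy would help. The `TODO(johnsom)` about testing the reader role sits above a block that already includes both reader credentials, while the check it appears to defer is the `expected_allowed = ['os_primary']` IDs check further down; moving the TODO next to that check would make the deferred case clear. `test_list_zone_imports` begins before this hunk.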
     @decorators.idempotent_id('2c1fa20e-9554-11eb-a55d-74e5f9e2a801')
     def test_show_import_impersonate_another_project(self):
 
@@ -226,6 +309,17 @@
         self.assertExpected(
             zone_import, resp_body['imports'][0], self.excluded_keys)
 
+        # Test with x-auth-sudo-project-id header
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin']
+        else:
+            expected_allowed = ['os_admin']
+
+        self.check_list_show_RBAC_enforcement(
+            'ZoneImportsClient', 'show_zone_import', expected_allowed, False,
+            zone_import['id'],
+            headers={'x-auth-sudo-project-id': self.client.project_id})
+
     @decorators.idempotent_id('7bd06ec6-9556-11eb-a55d-74e5f9e2a801')
     def test_list_import_zones_all_projects(self):
         LOG.info('Create import zone "A" using primary client')
@@ -269,3 +363,13 @@
             "Failed, expected import ID:{} wasn't found in "
             "listed import IDs".format(
                 zone_import['id'], listed_zone_import_ids))
+
+        # Test RBAC with x-auth-all-projects
+        if CONF.dns_feature_enabled.enforce_new_defaults:
+            expected_allowed = ['os_system_admin']
+        else:
+            expected_allowed = ['os_admin']
+
+        self.check_list_IDs_RBAC_enforcement(
+            'ZoneImportsClient', 'list_zone_imports', expected_allowed,
+            [zone_import['id']], headers=self.all_projects_header)