Added test_create_access_rule_cephx_admin_user testcase
This test case validates the fix to CVE-2020-27781.
The test creates a share and requests access for the "admin" user.
The request itself should return success, but the access rule for
"admin" will be set to "error".
Related-Bug: #1904015
Depends-On: I1edd5a50079f325fa143a7e0d51b3aa3bb5ed45d
Change-Id: I01157147e749ae6068e9878bffe322cb3993fb60
diff --git a/manila_tempest_tests/tests/api/test_rules_negative.py b/manila_tempest_tests/tests/api/test_rules_negative.py
index ac54d1f..fd736a3 100644
--- a/manila_tempest_tests/tests/api/test_rules_negative.py
+++ b/manila_tempest_tests/tests/api/test_rules_negative.py
@@ -22,6 +22,7 @@
from manila_tempest_tests.common import constants
from manila_tempest_tests.common import waiters
+from manila_tempest_tests import share_exceptions
from manila_tempest_tests.tests.api import base
from manila_tempest_tests import utils
@@ -402,6 +403,17 @@
self.shares_v2_client.create_access_rule,
self.share["id"], self.access_type, access_to)
+ @decorators.idempotent_id('16b7d848-2f7c-4709-85a3-2dfb4576cc59')
+ @tc.attr(base.TAG_NEGATIVE, base.TAG_API_WITH_BACKEND)
+ def test_create_access_rule_cephx_admin_user(self):
+ """CVE-2020-27781 - using admin in cephx rule must be disallowed"""
+
+ self.assertRaises(share_exceptions.AccessRuleBuildErrorException,
+ self.allow_access,
+ self.share["id"],
+ access_type=self.access_type,
+ access_to='admin')
+
@decorators.idempotent_id('dd8be44c-c7e8-42fe-b81c-095a1c66730c')
@tc.attr(base.TAG_NEGATIVE, base.TAG_API_WITH_BACKEND)
def test_create_access_rule_cephx_with_wrong_level(self):
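Review bot: The rejected rule in `test_create_access_rule_cephx_admin_user` is created on the class-level `self.share`, and per the commit message it is accepted by the API and then ends in "error", so it still exists when `AccessRuleBuildErrorException` is raised. Whether `allow_access` registers its cleanup before it waits on the rule state is not visible in this hunk. If it does not, the error-state rule stays on the shared share and may affect later tests in the class, so confirm that or delete the rule explicitly with `self.addCleanup`. The one-line docstring could also state the expected outcome, for example `"""CVE-2020-27781: a cephx rule for 'admin' is accepted by the API but must end in 'error'."""`. As written, the test pins only the literal ID 'admin'; if the fix is meant to cover other pre-existing privileged cephx IDs, that is not exercised here.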