Add list security group rules API test
This test checks that regular user can see all SG rules which belongs
to his tenant OR belongs to security group owned by his tenant.
This test also ensures that SG rules from different tenants and Security
Groups are not visible for regular user.
Fix for master branch
Depends-On: https://review.opendev.org/681910
Fix for stable/train
Depends-On: https://review.opendev.org/688715
Fix for stable/stein
Depends-On: https://review.opendev.org/688716
Fix for stable/rocky
Depends-On: https://review.opendev.org/688717
Fix for stable/queens
Depends-On: https://review.opendev.org/688719
Change-Id: Ic2e97ab8162d10e507ef83b9af0840e7311f0587
Related-Bug: #1824248
diff --git a/neutron_tempest_plugin/api/test_security_groups.py b/neutron_tempest_plugin/api/test_security_groups.py
index c2e63da..67925f7 100644
--- a/neutron_tempest_plugin/api/test_security_groups.py
+++ b/neutron_tempest_plugin/api/test_security_groups.py
@@ -76,6 +76,39 @@
self.assertIn(
security_group_rule['id'], observerd_security_group_rules_ids)
+ @decorators.idempotent_id('b5923b1a-4d33-44e1-af25-088dcb55b02b')
+ def test_list_security_group_rules_contains_all_rules(self):
+ """Test list security group rules.
+
+ This test checks if all SG rules which belongs to the tenant OR
+ which belongs to the tenant's security group are listed.
+ """
+ security_group = self.create_security_group()
+ protocol = random.choice(list(base_security_groups.V4_PROTOCOL_NAMES))
+ security_group_rule = self.create_security_group_rule(
+ security_group=security_group,
+ project={'id': self.admin_client.tenant_id},
+ client=self.admin_client,
+ protocol=protocol,
+ direction=constants.INGRESS_DIRECTION)
+
+ # Create also other SG with some custom rule to check that regular user
+ # can't see this rule
+ admin_security_group = self.create_security_group(
+ project={'id': self.admin_client.tenant_id},
+ client=self.admin_client)
+ admin_security_group_rule = self.create_security_group_rule(
+ security_group=admin_security_group,
+ project={'id': self.admin_client.tenant_id},
+ client=self.admin_client,
+ protocol=protocol,
+ direction=constants.INGRESS_DIRECTION)
+
+ rules = self.client.list_security_group_rules()['security_group_rules']
+ rules_ids = [rule['id'] for rule in rules]
+ self.assertIn(security_group_rule['id'], rules_ids)
+ self.assertNotIn(admin_security_group_rule['id'], rules_ids)
+
@decorators.idempotent_id('7c0ecb10-b2db-11e6-9b14-000c29248b0d')
def test_create_bulk_sec_groups(self):
# Creates 2 sec-groups in one request
diff --git a/neutron_tempest_plugin/services/network/json/network_client.py b/neutron_tempest_plugin/services/network/json/network_client.py
index 521e2be..ddb6f95 100644
--- a/neutron_tempest_plugin/services/network/json/network_client.py
+++ b/neutron_tempest_plugin/services/network/json/network_client.py
@@ -893,6 +893,15 @@
self.expected_success(204, resp.status)
return service_client.ResponseBody(resp, body)
+ def list_security_group_rules(self, **kwargs):
+ uri = '%s/security-group-rules' % self.uri_prefix
+ if kwargs:
+ uri += '?' + urlparse.urlencode(kwargs, doseq=1)
+ resp, body = self.get(uri)
+ self.expected_success(200, resp.status)
+ body = jsonutils.loads(body)
+ return service_client.ResponseBody(resp, body)
+
def create_security_group_rule(self, direction, security_group_id,
**kwargs):
post_body = {'security_group_rule': kwargs}