Add tempest api tests for security groups RBAC
Partial-Bug: #1817119
Depends-On: https://review.openstack.org/635311
Change-Id: I806d0c1763a0abc4f07a7c85922949b056ad78d8
diff --git a/.zuul.yaml b/.zuul.yaml
index 65e00b7..8c3be91 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -58,6 +58,7 @@
- quotas
- quota_details
- rbac-policies
+ - rbac-security-groups
- router
- router_availability_zone
- security-group
diff --git a/neutron_tempest_plugin/api/test_security_groups.py b/neutron_tempest_plugin/api/test_security_groups.py
index b6d344d..d44ba50 100644
--- a/neutron_tempest_plugin/api/test_security_groups.py
+++ b/neutron_tempest_plugin/api/test_security_groups.py
@@ -16,6 +16,8 @@
from neutron_lib import constants
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
+from tempest.lib import exceptions
+import testtools
from neutron_tempest_plugin.api import base
from neutron_tempest_plugin.api import base_security_groups
@@ -113,3 +115,144 @@
def test_security_group_rule_protocol_legacy_names(self):
self._test_security_group_rule_protocols(
protocols=self.protocol_legacy_names)
+
+
+class RbacSharedSecurityGroupTest(base.BaseAdminNetworkTest):
+
+ force_tenant_isolation = True
+ credentials = ['primary', 'alt', 'admin']
+ required_extensions = ['security-group', 'rbac-security-groups']
+
+ @classmethod
+ def resource_setup(cls):
+ super(RbacSharedSecurityGroupTest, cls).resource_setup()
+ cls.client2 = cls.os_alt.network_client
+
+ def _create_security_group(self):
+ return self.create_security_group(
+ name=data_utils.rand_name('test-sg'),
+ project={'id': self.admin_client.tenant_id})
+
+ def _make_admin_sg_shared_to_tenant_id(self, tenant_id):
+ sg = self._create_security_group()
+ rbac_policy = self.admin_client.create_rbac_policy(
+ object_type='security_group',
+ object_id=sg['id'],
+ action='access_as_shared',
+ target_tenant=tenant_id,
+ )['rbac_policy']
+ return {'security_group': sg, 'rbac_policy': rbac_policy}
+
+ @decorators.idempotent_id('2a41eb8f-2a35-11e9-bae9-acde48001122')
+ def test_policy_target_update(self):
+ res = self._make_admin_sg_shared_to_tenant_id(
+ self.client.tenant_id)
+ # change to client2
+ update_res = self.admin_client.update_rbac_policy(
+ res['rbac_policy']['id'], target_tenant=self.client2.tenant_id)
+ self.assertEqual(self.client2.tenant_id,
+ update_res['rbac_policy']['target_tenant'])
+ # make sure everything else stayed the same
+ res['rbac_policy'].pop('target_tenant')
+ update_res['rbac_policy'].pop('target_tenant')
+ self.assertEqual(res['rbac_policy'], update_res['rbac_policy'])
+
+ @decorators.idempotent_id('2a619a8a-2a35-11e9-90d9-acde48001122')
+ def test_port_presence_prevents_policy_rbac_policy_deletion(self):
+ res = self._make_admin_sg_shared_to_tenant_id(
+ self.client2.tenant_id)
+ sg_id = res['security_group']['id']
+ net = self.create_network(client=self.client2)
+ port = self.client2.create_port(
+ network_id=net['id'],
+ security_groups=[sg_id])['port']
+
+ # a port with shared sg should prevent the deletion of an
+ # rbac-policy required for it to be shared
+ with testtools.ExpectedException(exceptions.Conflict):
+ self.admin_client.delete_rbac_policy(res['rbac_policy']['id'])
+
+ # cleanup
+ self.client2.delete_port(port['id'])
+ self.admin_client.delete_rbac_policy(res['rbac_policy']['id'])
+
+ @decorators.idempotent_id('2a81795c-2a35-11e9-9d86-acde48001122')
+ def test_regular_client_shares_to_another_regular_client(self):
+ # owned by self.admin_client
+ sg = self._create_security_group()
+ with testtools.ExpectedException(exceptions.NotFound):
+ self.client.show_security_group(sg['id'])
+ rbac_policy = self.admin_client.create_rbac_policy(
+ object_type='security_group', object_id=sg['id'],
+ action='access_as_shared',
+ target_tenant=self.client.tenant_id)['rbac_policy']
+ self.client.show_security_group(sg['id'])
+
+ self.assertIn(rbac_policy,
+ self.admin_client.list_rbac_policies()['rbac_policies'])
+ # ensure that 'client2' can't see the rbac-policy sharing the
+ # sg to it because the rbac-policy belongs to 'client'
+ self.assertNotIn(rbac_policy['id'], [p['id'] for p in
+ self.client2.list_rbac_policies()['rbac_policies']])
+
+ @decorators.idempotent_id('2a9fd480-2a35-11e9-9cb6-acde48001122')
+ def test_filter_fields(self):
+ sg = self._create_security_group()
+ self.admin_client.create_rbac_policy(
+ object_type='security_group', object_id=sg['id'],
+ action='access_as_shared', target_tenant=self.client2.tenant_id)
+ field_args = (('id',), ('id', 'action'), ('object_type', 'object_id'),
+ ('tenant_id', 'target_tenant'))
+ for fields in field_args:
+ res = self.admin_client.list_rbac_policies(fields=fields)
+ self.assertEqual(set(fields), set(res['rbac_policies'][0].keys()))
+
+ @decorators.idempotent_id('2abf8f9e-2a35-11e9-85f7-acde48001122')
+ def test_rbac_policy_show(self):
+ res = self._make_admin_sg_shared_to_tenant_id(
+ self.client.tenant_id)
+ p1 = res['rbac_policy']
+ p2 = self.admin_client.create_rbac_policy(
+ object_type='security_group',
+ object_id=res['security_group']['id'],
+ action='access_as_shared',
+ target_tenant='*')['rbac_policy']
+
+ self.assertEqual(
+ p1, self.admin_client.show_rbac_policy(p1['id'])['rbac_policy'])
+ self.assertEqual(
+ p2, self.admin_client.show_rbac_policy(p2['id'])['rbac_policy'])
+
+ @decorators.idempotent_id('2adf6bd7-2a35-11e9-9c62-acde48001122')
+ def test_filter_rbac_policies(self):
+ sg = self._create_security_group()
+ rbac_pol1 = self.admin_client.create_rbac_policy(
+ object_type='security_group', object_id=sg['id'],
+ action='access_as_shared',
+ target_tenant=self.client2.tenant_id)['rbac_policy']
+ rbac_pol2 = self.admin_client.create_rbac_policy(
+ object_type='security_group', object_id=sg['id'],
+ action='access_as_shared',
+ target_tenant=self.admin_client.tenant_id)['rbac_policy']
+ res1 = self.admin_client.list_rbac_policies(id=rbac_pol1['id'])[
+ 'rbac_policies']
+ res2 = self.admin_client.list_rbac_policies(id=rbac_pol2['id'])[
+ 'rbac_policies']
+ self.assertEqual(1, len(res1))
+ self.assertEqual(1, len(res2))
+ self.assertEqual(rbac_pol1['id'], res1[0]['id'])
+ self.assertEqual(rbac_pol2['id'], res2[0]['id'])
+
+ @decorators.idempotent_id('2aff3900-2a35-11e9-96b3-acde48001122')
+ def test_regular_client_blocked_from_sharing_anothers_policy(self):
+ sg = self._make_admin_sg_shared_to_tenant_id(
+ self.client.tenant_id)['security_group']
+ with testtools.ExpectedException(exceptions.BadRequest):
+ self.client.create_rbac_policy(
+ object_type='security_group', object_id=sg['id'],
+ action='access_as_shared',
+ target_tenant=self.client2.tenant_id)
+
+ # make sure the rbac-policy is invisible to the tenant for which it's
+ # being shared
+ self.assertFalse(self.client.list_rbac_policies()['rbac_policies'])
diff --git a/requirements.txt b/requirements.txt
index dc77e63..bb836d1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,7 +3,7 @@
# process, which may cause wedges in the gate later.
pbr!=2.1.0,>=2.0.0 # Apache-2.0
-neutron-lib>=1.18.0 # Apache-2.0
+neutron-lib>=1.25.0 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
ipaddress>=1.0.17;python_version<'3.3' # PSF
netaddr>=0.7.18 # BSD