Merge "Docstring for RbacAuthority class."
diff --git a/.testr.conf b/.testr.conf
index 6d83b3c..87d049d 100644
--- a/.testr.conf
+++ b/.testr.conf
@@ -2,6 +2,6 @@
test_command=OS_STDOUT_CAPTURE=${OS_STDOUT_CAPTURE:-1} \
OS_STDERR_CAPTURE=${OS_STDERR_CAPTURE:-1} \
OS_TEST_TIMEOUT=${OS_TEST_TIMEOUT:-60} \
- ${PYTHON:-python} -m subunit.run discover -t ./ . $LISTOPT $IDOPTION
+ ${PYTHON:-python} -m subunit.run discover -t ./ ${OS_TEST_PATH:-./patrole_tempest_plugin/tests/unit} $LISTOPT $IDOPTION
test_id_option=--load-list $IDFILE
test_list_option=--list
diff --git a/HACKING.rst b/HACKING.rst
index 5281b53..a94b47c 100644
--- a/HACKING.rst
+++ b/HACKING.rst
@@ -1,15 +1,15 @@
Patrole Style Commandments
==========================
-- Step 1: Read the OpenStack Style Commandments: `<https://docs.openstack.org/developer/hacking/>`__
-- Step 2: Review Tempest's Style Commandments: `<https://docs.openstack.org/developer/tempest/HACKING.html>`__
+- Step 1: Read the OpenStack Style Commandments: `<https://docs.openstack.org/hacking/latest/>`__
+- Step 2: Review Tempest's Style Commandments: `<https://docs.openstack.org/tempest/latest/HACKING.html>`__
- Step 3: Read on
Patrole Specific Commandments
------------------------------
Patrole borrows the following commandments from Tempest; refer to
-`Tempest's Commandments <https://docs.openstack.org/developer/tempest/HACKING.html>`__
+`Tempest's Commandments <https://docs.openstack.org/tempest/latest/HACKING.html>`__
for more information:
.. note::
@@ -32,8 +32,7 @@
The following are Patrole's specific Commandments:
- [P100] The ``rbac_rule_validation.action`` decorator must be applied to
- an RBAC test (the check fails if the decorator is not one of the
- two decorators directly above the function declaration)
+ an RBAC test
- [P101] RBAC test filenames must end with "_rbac.py"; for example,
test_servers_rbac.py, not test_servers.py
- [P102] RBAC test class names must end in 'RbacTest'
@@ -47,7 +46,7 @@
test does not call ``rbac_utils.switch_role`` with ``toggle_rbac_role=True``
within the RBAC test, then the test is *not* a valid RBAC test: The API
endpoint under test will be performed with admin credentials, which is always
-wrong unless ``CONF.rbac_test_role`` is admin.
+wrong unless ``CONF.patrole.rbac_test_role`` is admin.
.. note::
diff --git a/README.rst b/README.rst
index cc22b85..6110dda 100644
--- a/README.rst
+++ b/README.rst
@@ -2,8 +2,8 @@
Team and repository tags
========================
-.. image:: http://governance.openstack.org/badges/patrole.svg
- :target: http://governance.openstack.org/reference/tags/index.html
+.. image:: https://governance.openstack.org/tc/badges/patrole.svg
+ :target: https://governance.openstack.org/tc/reference/tags/index.html
Patrole - RBAC Integration Tempest Plugin
=========================================
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 550d2ce..8ec0013 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -5,7 +5,7 @@
Patrole can be customized by updating Tempest's ``tempest.conf`` configuration
file. All Patrole-specific configuration options should be included under
-the ``rbac`` group.
+the ``patrole`` group.
RBAC Test Role
--------------
diff --git a/doc/source/sampleconf.rst b/doc/source/sampleconf.rst
index 43933db..94ebc4d 100644
--- a/doc/source/sampleconf.rst
+++ b/doc/source/sampleconf.rst
@@ -7,7 +7,7 @@
.. code-block:: ini
- [rbac]
+ [patrole]
# The role that you want the RBAC tests to use for RBAC testing
# This needs to be edited to run the test as a different role.
diff --git a/doc/source/usage.rst b/doc/source/usage.rst
index 7470e9e..dff43f2 100644
--- a/doc/source/usage.rst
+++ b/doc/source/usage.rst
@@ -30,7 +30,7 @@
To change the role that the patrole tests are being run as, edit
``rbac_test_role`` in the ``rbac`` section of tempest.conf: ::
- [rbac]
+ [patrole]
rbac_test_role = Member
...
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index a6f30e7..fcf29af 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -15,19 +15,23 @@
from oslo_config import cfg
-rbac_group = cfg.OptGroup(name='rbac',
- title='RBAC testing options')
-RbacGroup = [
+patrole_group = cfg.OptGroup(name='patrole', title='Patrole Testing Options')
+
+
+PatroleGroup = [
cfg.StrOpt('rbac_test_role',
default='admin',
+ deprecated_group='rbac',
help="""The current RBAC role against which to run Patrole
tests."""),
cfg.BoolOpt('enable_rbac',
default=True,
+ deprecated_group='rbac',
help="Enables RBAC tests."),
cfg.BoolOpt('strict_policy_check',
default=False,
+ deprecated_group='rbac',
help="""If true, throws RbacParsingException for policies which
don't exist or are not included in the service's policy file. If false, throws
skipException."""),
@@ -35,6 +39,7 @@
# other hosts. It may be possible to leverage the v3 identity policy API.
cfg.ListOpt('custom_policy_files',
default=['/etc/%s/policy.json'],
+ deprecated_group='rbac',
help="""List of the paths to search for policy files. Each
policy path assumes that the service name is included in the path once. Also
assumes Patrole is on the same host as the policy files. The paths should be
@@ -45,6 +50,7 @@
default='/etc/cinder/policy.json',
help="""Location of the Cinder policy file. Assumed to be on
the same host as Patrole.""",
+ deprecated_group='rbac',
deprecated_for_removal=True,
deprecated_reason="It is better to use `custom_policy_files` "
"which supports any OpenStack service."),
@@ -52,6 +58,7 @@
default='/etc/glance/policy.json',
help="""Location of the Glance policy file. Assumed to be on
the same host as Patrole.""",
+ deprecated_group='rbac',
deprecated_for_removal=True,
deprecated_reason="It is better to use `custom_policy_files` "
"which supports any OpenStack service."),
@@ -59,6 +66,7 @@
default='/etc/keystone/policy.json',
help="""Location of the custom Keystone policy file. Assumed to
be on the same host as Patrole.""",
+ deprecated_group='rbac',
deprecated_for_removal=True,
deprecated_reason="It is better to use `custom_policy_files` "
"which supports any OpenStack service."),
@@ -66,6 +74,7 @@
default='/etc/neutron/policy.json',
help="""Location of the Neutron policy file. Assumed to be on
the same host as Patrole.""",
+ deprecated_group='rbac',
deprecated_for_removal=True,
deprecated_reason="It is better to use `custom_policy_files` "
"which supports any OpenStack service."),
@@ -73,11 +82,13 @@
default='/etc/nova/policy.json',
help="""Location of the custom Nova policy file. Assumed to be
on the same host as Patrole.""",
+ deprecated_group='rbac',
deprecated_for_removal=True,
deprecated_reason="It is better to use `custom_policy_files` "
"which supports any OpenStack service."),
cfg.BoolOpt('test_custom_requirements',
default=False,
+ deprecated_group='rbac',
help="""
This option determines whether Patrole should run against a
`custom_requirements_file` which defines RBAC requirements. The
@@ -101,6 +112,7 @@
test result: fail (over-permission)
"""),
cfg.StrOpt('custom_requirements_file',
+ deprecated_group='rbac',
help="""
File path of the yaml file that defines your RBAC requirements. This
file must be located on the same host that Patrole runs on. The yaml
@@ -128,3 +140,30 @@
allowed_role = the Keystone role that is allowed to perform the API
""")
]
+
+
+rbac_group = cfg.OptGroup(name='rbac',
+ title='RBAC testing options',
+ help="This group is deprecated and will be removed "
+ "in the next release. Use the [patrole] group "
+ "instead.")
+
+patrole_log_group = cfg.OptGroup(
+ name='patrole_log', title='Patrole Logging Options')
+
+PatroleLogGroup = [
+ cfg.BoolOpt('enable_reporting',
+ default=False,
+ help="Enables reporting on RBAC expected and actual test "
+ "results for each Patrole test"),
+ cfg.StrOpt('report_log_name',
+ default='patrole.log',
+ help="Name of file where output from 'enable_reporting' is "
+ "logged. Note that this file is recreated on each "
+ "invocation of patrole"),
+ cfg.StrOpt('report_log_path',
+ default='.',
+ help="Path (relative or absolute) where the output from "
+ "'enable_reporting' is logged. This is combined with"
+ "report_log_name to generate the full path."),
+]
diff --git a/patrole_tempest_plugin/hacking/checks.py b/patrole_tempest_plugin/hacking/checks.py
index a3ef01f..eb73ef1 100644
--- a/patrole_tempest_plugin/hacking/checks.py
+++ b/patrole_tempest_plugin/hacking/checks.py
@@ -31,14 +31,13 @@
RAND_NAME_HYPHEN_RE = re.compile(r".*rand_name\(.+[\-\_][\"\']\)")
MUTABLE_DEFAULT_ARGS = re.compile(r"^\s*def .+\((.+=\{\}|.+=\[\])")
TESTTOOLS_SKIP_DECORATOR = re.compile(r'\s*@testtools\.skip\((.*)\)')
-TEST_METHOD = re.compile(r"^ def test_.+")
CLASS = re.compile(r"^class .+")
RBAC_CLASS_NAME_RE = re.compile(r'class .+RbacTest')
RULE_VALIDATION_DECORATOR = re.compile(
- r'\s*@.*rbac_rule_validation.action\((.*)\)')
+ r'\s*@rbac_rule_validation.action\(.*')
IDEMPOTENT_ID_DECORATOR = re.compile(r'\s*@decorators\.idempotent_id\((.*)\)')
-previous_decorator = None
+have_rbac_decorator = False
def import_no_clients_in_api_tests(physical_line, filename):
@@ -144,8 +143,7 @@
yield (0, msg)
-def no_rbac_rule_validation_decorator(physical_line, filename,
- previous_logical):
+def no_rbac_rule_validation_decorator(physical_line, filename):
"""Check that each test has the ``rbac_rule_validation.action`` decorator.
Checks whether the test function has "@rbac_rule_validation.action"
@@ -157,22 +155,24 @@
P100
"""
- global previous_decorator
+ global have_rbac_decorator
- if "patrole_tempest_plugin/tests/api" in filename:
+ if ("patrole_tempest_plugin/tests/api" in filename or
+ "patrole_tempest_plugin/tests/scenario" in filename):
- if IDEMPOTENT_ID_DECORATOR.match(physical_line):
- previous_decorator = previous_logical
+ if RULE_VALIDATION_DECORATOR.match(physical_line):
+ have_rbac_decorator = True
return
- if TEST_METHOD.match(physical_line):
- if not RULE_VALIDATION_DECORATOR.match(previous_logical) and \
- not RULE_VALIDATION_DECORATOR.match(previous_decorator):
- return (0, "Must use rbac_rule_validation.action "
- "decorator for API and scenario tests")
+ if TEST_DEFINITION.match(physical_line):
+ if not have_rbac_decorator:
+ return (0, "Must use rbac_rule_validation.action "
+ "decorator for API and scenario tests")
+
+ have_rbac_decorator = False
-def no_rbac_suffix_in_test_filename(physical_line, filename, previous_logical):
+def no_rbac_suffix_in_test_filename(filename):
"""Check that RBAC filenames end with "_rbac" suffix.
P101
@@ -186,8 +186,7 @@
return 0, "RBAC test filenames must end in _rbac suffix"
-def no_rbac_test_suffix_in_test_class_name(physical_line, filename,
- previous_logical):
+def no_rbac_test_suffix_in_test_class_name(physical_line, filename):
"""Check that RBAC class names end with "RbacTest"
P102
@@ -202,7 +201,7 @@
return 0, "RBAC test class names must end in 'RbacTest'"
-def no_client_alias_in_test_cases(filename, logical_line):
+def no_client_alias_in_test_cases(logical_line, filename):
"""Check that test cases don't use "self.client" to define a client.
P103
diff --git a/patrole_tempest_plugin/plugin.py b/patrole_tempest_plugin/plugin.py
index 28ce12c..b7717ea 100644
--- a/patrole_tempest_plugin/plugin.py
+++ b/patrole_tempest_plugin/plugin.py
@@ -13,15 +13,21 @@
# License for the specific language governing permissions and limitations
# under the License.
+import logging
import os
+from oslo_concurrency import lockutils
+
from tempest import config
from tempest.test_discover import plugins
from patrole_tempest_plugin import config as project_config
+RBACLOG = logging.getLogger('rbac_reporting')
+
class PatroleTempestPlugin(plugins.TempestPlugin):
+
def load_tests(self):
base_path = os.path.split(os.path.dirname(
os.path.abspath(__file__)))[0]
@@ -29,11 +35,51 @@
full_test_dir = os.path.join(base_path, test_dir)
return full_test_dir, base_path
+ @lockutils.synchronized('_reset_log_file')
+ def _reset_log_file(self, logfile):
+ try:
+ os.remove(logfile)
+ except OSError:
+ pass
+
+ def _configure_per_test_logging(self, conf):
+ # Separate log handler for rbac reporting
+ RBACLOG.setLevel(level=logging.INFO)
+ # Set up proper directory handling
+ report_abs_path = os.path.abspath(conf.patrole_log.report_log_path)
+ report_path = os.path.join(
+ report_abs_path, conf.patrole_log.report_log_name)
+
+ # Remove the log file if it exists
+ self._reset_log_file(report_path)
+
+ # Delay=True so that we don't end up creating an empty file if we
+ # never log to it.
+ rbac_report_handler = logging.FileHandler(
+ filename=report_path, delay=True, mode='a')
+ rbac_report_handler.setFormatter(
+ fmt=logging.Formatter(fmt='%(message)s'))
+ RBACLOG.addHandler(rbac_report_handler)
+
def register_opts(self, conf):
+ # TODO(fmontei): Remove ``rbac_group`` in a future release as it is
+ # currently deprecated.
config.register_opt_group(
conf,
project_config.rbac_group,
- project_config.RbacGroup)
+ project_config.PatroleGroup)
+ config.register_opt_group(
+ conf,
+ project_config.patrole_group,
+ project_config.PatroleGroup)
+ config.register_opt_group(
+ conf,
+ project_config.patrole_log_group,
+ project_config.PatroleLogGroup)
+
+ if conf.patrole_log.enable_reporting:
+ self._configure_per_test_logging(conf)
def get_opt_lists(self):
- return [(project_config.rbac_group.name, project_config.RbacGroup)]
+ return [(project_config.patrole_group.name,
+ project_config.PatroleGroup)]
diff --git a/patrole_tempest_plugin/rbac_exceptions.py b/patrole_tempest_plugin/rbac_exceptions.py
index 5ccb216..5ee65ae 100644
--- a/patrole_tempest_plugin/rbac_exceptions.py
+++ b/patrole_tempest_plugin/rbac_exceptions.py
@@ -16,8 +16,25 @@
from tempest.lib import exceptions
-class RbacActionFailed(exceptions.ClientRestClientException):
- message = "Rbac action failed"
+class RbacConflictingPolicies(exceptions.TempestException):
+ message = ("Conflicting policies preventing this action from being "
+ "performed.")
+
+
+class RbacMalformedResponse(exceptions.TempestException):
+ message = ("The response body is missing the expected %(attribute)s due "
+ "to policy enforcement failure.")
+
+ def __init__(self, empty=False, extra_attr=False, **kwargs):
+ if empty:
+ self.message = ("The response body is empty due to policy "
+ "enforcement failure.")
+ kwargs = {}
+ if extra_attr:
+ self.message = ("The response body contained an unexpected "
+ "attribute due to policy enforcement failure.")
+ kwargs = {}
+ super(RbacMalformedResponse, self).__init__(**kwargs)
class RbacResourceSetupFailed(exceptions.TempestException):
diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index 254bb18..aff4e66 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -20,7 +20,7 @@
from oslo_log import log as logging
from oslo_policy import policy
import stevedore
-
+from tempest import clients
from tempest.common import credentials_factory as credentials
from tempest import config
@@ -72,11 +72,11 @@
# Prioritize dynamically searching for policy files over relying on
# deprecated service-specific policy file locations.
- if CONF.rbac.custom_policy_files:
+ if CONF.patrole.custom_policy_files:
self.discover_policy_files()
self.path = self.policy_files.get(service)
else:
- self.path = getattr(CONF.rbac, '%s_policy_file' % str(service),
+ self.path = getattr(CONF.patrole, '%s_policy_file' % str(service),
None)
self.rules = policy.Rules.load(self._get_policy_data(service),
@@ -93,7 +93,8 @@
# Cache the list of available services in memory to avoid needlessly
# doing an API call every time.
if not hasattr(cls, 'available_services'):
- admin_mgr = credentials.AdminManager()
+ admin_mgr = clients.Manager(
+ credentials.get_configured_admin_credentials())
services_client = (admin_mgr.identity_services_v3_client
if CONF.identity_feature_enabled.api_v3
else admin_mgr.identity_services_client)
@@ -109,11 +110,11 @@
def discover_policy_files(cls):
# Dynamically discover the policy file for each service in
# ``cls.available_services``. Pick the first ``candidate_path`` found
- # out of the potential paths in ``CONF.rbac.custom_policy_files``.
+ # out of the potential paths in ``CONF.patrole.custom_policy_files``.
if not hasattr(cls, 'policy_files'):
cls.policy_files = {}
for service in cls.available_services:
- for candidate_path in CONF.rbac.custom_policy_files:
+ for candidate_path in CONF.patrole.custom_policy_files:
if os.path.isfile(candidate_path % service):
cls.policy_files.setdefault(service,
candidate_path % service)
@@ -177,7 +178,7 @@
error_message = (
'Policy file for {0} service neither found in code nor at {1}.'
.format(service, [loc % service for loc in
- CONF.rbac.custom_policy_files])
+ CONF.patrole.custom_policy_files])
)
raise rbac_exceptions.RbacParsingException(error_message)
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index 51b9d92..69a98e3 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -25,6 +25,7 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_policy_parser
+from patrole_tempest_plugin import rbac_utils
from patrole_tempest_plugin import requirements_authority
CONF = config.CONF
@@ -32,46 +33,95 @@
_SUPPORTED_ERROR_CODES = [403, 404]
+RBACLOG = logging.getLogger('rbac_reporting')
+
def action(service, rule='', admin_only=False, expected_error_code=403,
extra_target_data=None):
- """A decorator which does a policy check and matches it against test run.
+ """A decorator for verifying policy enforcement.
- A decorator which allows for positive and negative RBAC testing. Given
- an OpenStack service and a policy action enforced by that service, an
- oslo.policy lookup is performed by calling `authority.get_permission`.
- Alternatively, the RBAC tests can run against a YAML file that defines
- policy requirements.
+ A decorator which allows for positive and negative RBAC testing. Given:
- The following cases are possible:
+ * an OpenStack service,
+ * a policy action (``rule``) enforced by that service, and
+ * the test role defined by ``[patrole] rbac_test_role``
- * If `allowed` is True and the test passes, this is a success.
- * If `allowed` is True and the test fails, this is a failure.
- * If `allowed` is False and the test passes, this is a failure.
- * If `allowed` is False and the test fails, this is a success.
+ determines whether the test role has sufficient permissions to perform an
+ API call that enforces the ``rule``.
- :param service: A OpenStack service: for example, "nova" or "neutron".
- :param rule: A policy action defined in a policy.json file (or in code).
- :param admin_only: Skips over oslo.policy check because the policy action
- defined by `rule` is not enforced by the service's policy enforcement
- logic. For example, Keystone v2 performs an admin check for most of its
- endpoints. If True, `rule` is effectively ignored.
+ This decorator should only be applied to an instance or subclass of
+ `tempest.base.BaseTestCase`.
+
+ The result from ``_is_authorized`` is used to determine the *expected*
+ test result. The *actual* test result is determined by running the
+ Tempest test this decorator applies to.
+
+ Below are the following possibilities from comparing the *expected* and
+ *actual* results:
+
+ 1) If *expected* is True and the test passes (*actual*), this is a success.
+ 2) If *expected* is True and the test fails (*actual*), this results in a
+ `Forbidden` exception failure.
+ 3) If *expected* is False and the test passes (*actual*), this results in
+ an `OverPermission` exception failure.
+ 4) If *expected* is False and the test fails (*actual*), this is a success.
+
+ As such, negative and positive testing can be applied using this decorator.
+
+ :param service: A OpenStack service. Examples: "nova" or "neutron".
+ :param rule: A policy action defined in a policy.json file (or in
+ code).
+
+ .. note::
+
+ Patrole currently only supports custom JSON policy files.
+
+ :param admin_only: Skips over `oslo.policy` check because the policy action
+ defined by `rule` is not enforced by the service's policy
+ enforcement engine. For example, Keystone v2 performs an admin check
+ for most of its endpoints. If True, `rule` is effectively
+ ignored.
:param expected_error_code: Overrides default value of 403 (Forbidden)
with endpoint-specific error code. Currently only supports 403 and 404.
Support for 404 is needed because some services, like Neutron,
intentionally throw a 404 for security reasons.
- :raises NotFound: if `service` is invalid or
- if Tempest credentials cannot be found.
- :raises Forbidden: for bullet (2) above.
- :raises RbacOverPermission: for bullet (3) above.
+ .. warning::
+
+ A 404 should not be provided *unless* the endpoint masks a
+ `Forbidden` exception as a `Not Found` exception.
+
+ :param extra_target_data: Dictionary, keyed with `oslo.policy` generic
+ check names, whose values are string literals that reference nested
+ `tempest.base.BaseTestCase` attributes. Used by `oslo.policy` for
+ performing matching against attributes that are sent along with the API
+ calls. Example::
+
+ extra_target_data={
+ "target.token.user_id":
+ "os_alt.auth_provider.credentials.user_id"
+ })
+
+ :raises NotFound: If `service` is invalid or if Tempest credentials cannot
+ be found.
+ :raises Forbidden: For item (2) above.
+ :raises RbacOverPermission: For item (3) above.
+
+ Examples::
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-agents")
+ def test_list_agents_rbac(self):
+ # The call to ``switch_role`` is mandatory.
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.list_agents()
"""
if extra_target_data is None:
extra_target_data = {}
- def decorator(func):
- role = CONF.rbac.rbac_test_role
+ def decorator(test_func):
+ role = CONF.patrole.rbac_test_role
def wrapper(*args, **kwargs):
if args and isinstance(args[0], test.BaseTestCase):
@@ -81,26 +131,26 @@
'`rbac_rule_validation` decorator can only be applied to '
'an instance of `tempest.test.BaseTestCase`.')
- if admin_only:
- LOG.info("As admin_only is True, only admin role should be "
- "allowed to perform the API. Skipping oslo.policy "
- "check for policy action {0}.".format(rule))
- allowed = test_obj.rbac_utils.is_admin
- else:
- allowed = _is_authorized(test_obj, service, rule,
- extra_target_data)
+ allowed = _is_authorized(test_obj, service, rule,
+ extra_target_data, admin_only)
expected_exception, irregular_msg = _get_exception_type(
expected_error_code)
+ test_status = 'Allowed'
+
try:
- func(*args, **kwargs)
+ test_func(*args, **kwargs)
except rbac_exceptions.RbacInvalidService as e:
msg = ("%s is not a valid service." % service)
+ test_status = ('Error, %s' % (msg))
LOG.error(msg)
raise exceptions.NotFound(
"%s RbacInvalidService was: %s" % (msg, e))
- except (expected_exception, rbac_exceptions.RbacActionFailed) as e:
+ except (expected_exception,
+ rbac_exceptions.RbacConflictingPolicies,
+ rbac_exceptions.RbacMalformedResponse) as e:
+ test_status = 'Denied'
if irregular_msg:
LOG.warning(irregular_msg.format(rule, service))
if allowed:
@@ -112,9 +162,10 @@
except Exception as e:
exc_info = sys.exc_info()
error_details = exc_info[1].__str__()
- msg = ("%s An unexpected exception has occurred: Expected "
- "exception was %s, which was not thrown."
- % (error_details, expected_exception.__name__))
+ msg = ("An unexpected exception has occurred during test: %s, "
+ "Exception was: %s"
+ % (test_func.__name__, error_details))
+ test_status = ('Error, %s' % (error_details))
LOG.error(msg)
six.reraise(exc_info[0], exc_info[0](msg), exc_info[2])
else:
@@ -127,30 +178,54 @@
finally:
test_obj.rbac_utils.switch_role(test_obj,
toggle_rbac_role=False)
+ if CONF.patrole_log.enable_reporting:
+ RBACLOG.info(
+ "[Service]: %s, [Test]: %s, [Rule]: %s, "
+ "[Expected]: %s, [Actual]: %s",
+ service, test_func.__name__, rule,
+ "Allowed" if allowed else "Denied",
+ test_status)
_wrapper = testtools.testcase.attr(role)(wrapper)
return _wrapper
return decorator
-def _is_authorized(test_obj, service, rule_name, extra_target_data):
+def _is_authorized(test_obj, service, rule, extra_target_data, admin_only):
"""Validates whether current RBAC role has permission to do policy action.
- :param test_obj: type BaseTestCase (tempest base test class)
- :param service: the OpenStack service that enforces ``rule_name``
- :param rule_name: the name of the policy action
- :param extra_target_data: dictionary with unresolved string literals that
- reference nested BaseTestCase attributes
- :returns: True if the current RBAC role can perform the policy action else
- False
+ :param test_obj: An instance or subclass of `tempest.base.BaseTestCase`.
+ :param service: The OpenStack service that enforces ``rule``.
+ :param rule: The name of the policy action. Examples include
+ "identity:create_user" or "os_compute_api:os-agents".
+ :param extra_target_data: Dictionary, keyed with `oslo.policy` generic
+ check names, whose values are string literals that reference nested
+ `tempest.base.BaseTestCase` attributes. Used by `oslo.policy` for
+ performing matching against attributes that are sent along with the API
+ calls.
+ :param admin_only: Skips over `oslo.policy` check because the policy action
+ defined by `rule` is not enforced by the service's policy
+ enforcement engine. For example, Keystone v2 performs an admin check
+ for most of its endpoints. If True, `rule` is effectively
+ ignored.
- :raises RbacResourceSetupFailed: if project_id or user_id are missing from
- the Tempest test object's `auth_provider`
- :raises RbacParsingException: if ``CONF.rbac.strict_policy_check`` is
- enabled and the ``rule_name`` does not exist in the system
- :raises skipException: if ``CONF.rbac.strict_policy_check`` is
- disabled and the ``rule_name`` does not exist in the system
+ :returns: True if the current RBAC role can perform the policy action,
+ else False.
+
+ :raises RbacResourceSetupFailed: If `project_id` or `user_id` are missing
+ from the `auth_provider` attribute in `test_obj`.
+ :raises RbacParsingException: if ``[patrole] strict_policy_check`` is True
+ and the ``rule`` does not exist in the system.
+ :raises skipException: If ``[patrole] strict_policy_check`` is False and
+ the ``rule`` does not exist in the system.
"""
+
+ if admin_only:
+ LOG.info("As admin_only is True, only admin role should be "
+ "allowed to perform the API. Skipping oslo.policy "
+ "check for policy action {0}.".format(rule))
+ return rbac_utils.is_admin()
+
try:
project_id = test_obj.os_primary.credentials.project_id
user_id = test_obj.os_primary.credentials.user_id
@@ -161,28 +236,28 @@
raise rbac_exceptions.RbacResourceSetupFailed(msg)
try:
- role = CONF.rbac.rbac_test_role
+ role = CONF.patrole.rbac_test_role
# Test RBAC against custom requirements. Otherwise use oslo.policy
- if CONF.rbac.test_custom_requirements:
+ if CONF.patrole.test_custom_requirements:
authority = requirements_authority.RequirementsAuthority(
- CONF.rbac.custom_requirements_file, service)
+ CONF.patrole.custom_requirements_file, service)
else:
formatted_target_data = _format_extra_target_data(
test_obj, extra_target_data)
authority = rbac_policy_parser.RbacPolicyParser(
project_id, user_id, service,
extra_target_data=formatted_target_data)
- is_allowed = authority.allowed(rule_name, role)
+ is_allowed = authority.allowed(rule, role)
if is_allowed:
- LOG.debug("[Action]: %s, [Role]: %s is allowed!", rule_name,
+ LOG.debug("[Action]: %s, [Role]: %s is allowed!", rule,
role)
else:
LOG.debug("[Action]: %s, [Role]: %s is NOT allowed!",
- rule_name, role)
+ rule, role)
return is_allowed
except rbac_exceptions.RbacParsingException as e:
- if CONF.rbac.strict_policy_check:
+ if CONF.patrole.strict_policy_check:
raise e
else:
raise testtools.TestCase.skipException(str(e))
@@ -207,7 +282,7 @@
irregular_msg = None
if not isinstance(expected_error_code, six.integer_types) \
- or expected_error_code not in _SUPPORTED_ERROR_CODES:
+ or expected_error_code not in _SUPPORTED_ERROR_CODES:
msg = ("Please pass an expected error code. Currently "
"supported codes: {0}".format(_SUPPORTED_ERROR_CODES))
LOG.error(msg)
@@ -228,21 +303,24 @@
"""Formats the "extra_target_data" dictionary with correct test data.
Before being formatted, "extra_target_data" is a dictionary that maps a
- policy string like "trust.trustor_user_id" to a nested list of BaseTestCase
- attributes. For example, the attribute list in:
+ policy string like "trust.trustor_user_id" to a nested list of
+ `tempest.base.BaseTestCase` attributes. For example, the attribute list in:
"trust.trustor_user_id": "os.auth_provider.credentials.user_id"
- is parsed by iteratively calling `getattr` until the value of "user_id"
+ is parsed by iteratively calling ``getattr`` until the value of "user_id"
is resolved. The resulting dictionary returns:
- "trust.trustor_user_id": "the user_id of the `primary` credential"
+ "trust.trustor_user_id": "the user_id of the `os_primary` credential"
- :param test_obj: type BaseTestCase (tempest base test class)
- :param extra_target_data: dictionary with unresolved string literals that
- reference nested BaseTestCase attributes
- :returns: dictionary containing additional object data needed by
- oslo.policy to validate generic checks
+ :param test_obj: An instance or subclass of `tempest.base.BaseTestCase`.
+ :param extra_target_data: Dictionary, keyed with `oslo.policy` generic
+ check names, whose values are string literals that reference nested
+ `tempest.base.BaseTestCase` attributes. Used by `oslo.policy` for
+ performing matching against attributes that are sent along with the API
+ calls.
+ :returns: Dictionary containing additional object data needed by
+ `oslo.policy` to validate generic checks.
"""
attr_value = test_obj
formatted_target_data = {}
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index cc95b23..81fefb2 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -19,9 +19,9 @@
import time
from oslo_log import log as logging
-import oslo_utils.uuidutils as uuid_utils
-import testtools
+from oslo_utils import excutils
+from tempest import clients
from tempest.common import credentials_factory as credentials
from tempest import config
@@ -39,29 +39,21 @@
seamlessly swap between admin credentials, needed for setup and clean up,
and primary credentials, needed to perform the API call which does
policy enforcement. The primary credentials always cycle between roles
- defined by ``CONF.identity.admin_role`` and `CONF.rbac.rbac_test_role``.
+ defined by ``CONF.identity.admin_role`` and `CONF.patrole.rbac_test_role``.
"""
def __init__(self, test_obj):
"""Constructor for ``RbacUtils``.
- :param test_obj: A Tempest test instance.
- :type test_obj: tempest.lib.base.BaseTestCase or
- tempest.test.BaseTestCase
+ :param test_obj: An instance of `tempest.test.BaseTestCase`.
"""
- # Since we are going to instantiate a client manager with
- # admin credentials, first check if admin is available.
- if not credentials.is_admin_available(
- identity_version=test_obj.get_identity_version()):
- msg = "Missing Identity Admin API credentials in configuration."
- raise testtools.TestCase.skipException(msg)
-
# Intialize the admin roles_client to perform role switching.
- admin_creds = test_obj.get_client_manager(credential_type='admin')
+ admin_mgr = clients.Manager(
+ credentials.get_configured_admin_credentials())
if test_obj.get_identity_version() == 'v3':
- admin_roles_client = admin_creds.roles_v3_client
+ admin_roles_client = admin_mgr.roles_v3_client
else:
- admin_roles_client = admin_creds.roles_client
+ admin_roles_client = admin_mgr.roles_client
self.admin_roles_client = admin_roles_client
self.switch_role(test_obj, toggle_rbac_role=False)
@@ -80,7 +72,7 @@
Switch the role used by `os_primary` credentials to:
* admin if `toggle_rbac_role` is False
- * `CONF.rbac.rbac_test_role` if `toggle_rbac_role` is True
+ * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
:param test_obj: test object of type tempest.lib.base.BaseTestCase
:param toggle_rbac_role: role to switch `os_primary` Tempest creds to
@@ -90,46 +82,69 @@
self.token = test_obj.os_primary.auth_provider.get_token()
LOG.debug('Switching role to: %s.', toggle_rbac_role)
+ role_already_present = False
+
try:
- if not self.admin_role_id or not self.rbac_role_id:
- self._get_roles()
+ if not all([self.admin_role_id, self.rbac_role_id]):
+ self._get_roles_by_name()
self._validate_switch_role(test_obj, toggle_rbac_role)
- if toggle_rbac_role:
- self._add_role_to_user(self.rbac_role_id)
- else:
- self._add_role_to_user(self.admin_role_id)
+ target_role = (
+ self.rbac_role_id if toggle_rbac_role else self.admin_role_id)
+ role_already_present = self._list_and_clear_user_roles_on_project(
+ target_role)
+
+ # Do not switch roles if `target_role` already exists.
+ if not role_already_present:
+ self._create_user_role_on_project(target_role)
except Exception as exp:
- LOG.exception(exp)
- raise
+ with excutils.save_and_reraise_exception():
+ LOG.exception(exp)
finally:
test_obj.os_primary.auth_provider.clear_auth()
# Fernet tokens are not subsecond aware so sleep to ensure we are
# passing the second boundary before attempting to authenticate.
- #
- # FIXME(felipemonteiro): Rather than skipping sleep if the token
- # is not uuid, this should instead be skipped if the token is not
- # Fernet.
- if not uuid_utils.is_uuid_like(self.token):
+ # Only sleep if a token revocation occurred as a result of role
+ # switching. This will optimize test runtime in the case where
+ # ``[identity] admin_role`` == ``[rbac] rbac_test_role``.
+ if not role_already_present:
time.sleep(1)
test_obj.os_primary.auth_provider.set_auth()
- def _add_role_to_user(self, role_id):
- role_already_present = self._clear_user_roles(role_id)
- if role_already_present:
- return
+ def _get_roles_by_name(self):
+ available_roles = self.admin_roles_client.list_roles()
+ admin_role_id = rbac_role_id = None
+ for role in available_roles['roles']:
+ if role['name'] == CONF.patrole.rbac_test_role:
+ rbac_role_id = role['id']
+ if role['name'] == CONF.identity.admin_role:
+ admin_role_id = role['id']
+
+ if not all([admin_role_id, rbac_role_id]):
+ msg = ("Roles defined by `[patrole] rbac_test_role` and "
+ "`[identity] admin_role` must be defined in the system.")
+ raise rbac_exceptions.RbacResourceSetupFailed(msg)
+
+ self.admin_role_id = admin_role_id
+ self.rbac_role_id = rbac_role_id
+
+ def _create_user_role_on_project(self, role_id):
self.admin_roles_client.create_user_role_on_project(
self.project_id, self.user_id, role_id)
- def _clear_user_roles(self, role_id):
+ def _list_and_clear_user_roles_on_project(self, role_id):
roles = self.admin_roles_client.list_user_roles_on_project(
self.project_id, self.user_id)['roles']
-
- # If the user already has the role that is required, return early.
role_ids = [role['id'] for role in roles]
- if role_ids == [role_id]:
+
+ # NOTE(felipemonteiro): We do not use ``role_id in role_ids`` here to
+ # avoid over-permission errors: if the current list of roles on the
+ # project includes "admin" and "Member", and we are switching to the
+ # "Member" role, then we must delete the "admin" role. Thus, we only
+ # return early if the user's roles on the project are an exact match.
+ if [role_id] == role_ids:
return True
for role in roles:
@@ -139,11 +154,11 @@
return False
def _validate_switch_role(self, test_obj, toggle_rbac_role):
- """Validates that the rbac role passed to `switch_role` is legal.
+ """Validates that the test role passed to `switch_role` is legal.
Throws an error for the following improper usages of `switch_role`:
* `switch_role` is not called with a boolean value
- * `switch_role` is never called in a test file, except in tearDown
+ * `switch_role` is never called inside a test, except in tearDown
* `switch_role` is called with the same boolean value twice
If a `skipException` is thrown then this is a legitimate reason why
@@ -151,7 +166,7 @@
"""
if not isinstance(toggle_rbac_role, bool):
raise rbac_exceptions.RbacResourceSetupFailed(
- 'toggle_rbac_role must be a boolean value.')
+ '`toggle_rbac_role` must be a boolean value.')
# The unique key is the combination of module path plus class name.
class_name = test_obj.__name__ if isinstance(test_obj, type) else \
@@ -181,7 +196,7 @@
admin_role_id = rbac_role_id = None
for role in available_roles['roles']:
- if role['name'] == CONF.rbac.rbac_test_role:
+ if role['name'] == CONF.patrole.rbac_test_role:
rbac_role_id = role['id']
if role['name'] == CONF.identity.admin_role:
admin_role_id = role['id']
@@ -195,13 +210,13 @@
self.admin_role_id = admin_role_id
self.rbac_role_id = rbac_role_id
- @property
- def is_admin(self):
- """Verifies whether the current test role equals the admin role.
- :returns: True if ``rbac_test_role`` is the admin role.
- """
- return CONF.rbac.rbac_test_role == CONF.identity.admin_role
+def is_admin():
+ """Verifies whether the current test role equals the admin role.
+
+ :returns: True if ``rbac_test_role`` is the admin role.
+ """
+ return CONF.patrole.rbac_test_role == CONF.identity.admin_role
@six.add_metaclass(abc.ABCMeta)
diff --git a/patrole_tempest_plugin/tests/api/compute/rbac_base.py b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
index 7e9a402..bab193e 100644
--- a/patrole_tempest_plugin/tests/api/compute/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -26,7 +26,7 @@
@classmethod
def skip_checks(cls):
super(BaseV2ComputeRbacTest, cls).skip_checks()
- if not CONF.rbac.enable_rbac:
+ if not CONF.patrole.enable_rbac:
raise cls.skipException(
'%s skipped as RBAC testing not enabled' % cls.__name__)
@@ -53,9 +53,12 @@
for flavor in cls.flavors:
test_utils.call_and_ignore_notfound_exc(
cls.flavors_client.delete_flavor, flavor['id'])
+ for flavor in cls.flavors:
+ test_utils.call_and_ignore_notfound_exc(
+ cls.flavors_client.wait_for_resource_deletion, flavor['id'])
@classmethod
- def _create_flavor(cls, **kwargs):
+ def create_flavor(cls, **kwargs):
flavor_kwargs = {
"name": data_utils.rand_name(cls.__name__ + '-flavor'),
"ram": data_utils.rand_int_id(1, 10),
diff --git a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
index f355358..4712ed0 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
@@ -13,6 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest import test
@@ -29,6 +31,16 @@
raise cls.skipException(
'%s skipped as os-agents not enabled' % cls.__name__)
+ def _param_helper(self, **kwargs):
+ rand_key = 'architecture'
+ if rand_key in kwargs:
+ # NOTE: The rand_name is for avoiding agent conflicts.
+ # If you try to create an agent with the same hypervisor,
+ # os and architecture as an existing agent, Nova will return
+ # an HTTPConflict or HTTPServerError.
+ kwargs[rand_key] = data_utils.rand_name(kwargs[rand_key])
+ return kwargs
+
@rbac_rule_validation.action(
service="nova", rule="os_compute_api:os-agents")
@decorators.idempotent_id('d1bc6d97-07f5-4f45-ac29-1c619a6a7e27')
@@ -48,3 +60,41 @@
body = self.agents_client.create_agent(**params)['agent']
self.addCleanup(self.agents_client.delete_agent,
body['agent_id'])
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-agents")
+ @decorators.idempotent_id('b22f2681-9ffb-439b-b240-dae503e41020')
+ def test_update_agent(self):
+ params = self._param_helper(
+ hypervisor='common', os='linux',
+ architecture='x86_64', version='7.0',
+ url='xxx://xxxx/xxx/xxx',
+ md5hash='add6bb58e139be103324d04d82d8f545')
+ body = self.agents_client.create_agent(**params)['agent']
+ self.addCleanup(self.agents_client.delete_agent,
+ body['agent_id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ update_params = self._param_helper(
+ version='8.0',
+ url='xxx://xxxx/xxx/xxx2',
+ md5hash='add6bb58e139be103324d04d82d8f547')
+ self.agents_client.update_agent(body['agent_id'], **update_params)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-agents")
+ @decorators.idempotent_id('c5042af8-0682-43b0-abc4-bf33349e23dd')
+ def test_delete_agent(self):
+ params = self._param_helper(
+ hypervisor='common', os='linux',
+ architecture='x86_64', version='7.0',
+ url='xxx://xxxx/xxx/xxx',
+ md5hash='add6bb58e139be103324d04d82d8f545')
+ body = self.agents_client.create_agent(**params)['agent']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.agents_client.delete_agent,
+ body['agent_id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.delete_agent(body['agent_id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
index b196d93..26c9957 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -38,7 +38,7 @@
@classmethod
def resource_setup(cls):
super(FlavorAccessRbacTest, cls).resource_setup()
- cls.flavor_id = cls._create_flavor(is_public=False)['id']
+ cls.flavor_id = cls.create_flavor(is_public=False)['id']
cls.public_flavor_id = CONF.compute.flavor_ref
cls.tenant_id = cls.os_primary.credentials.tenant_id
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
index e59fd78..031d8ad 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
@@ -34,7 +34,7 @@
@classmethod
def resource_setup(cls):
super(FlavorExtraSpecsRbacTest, cls).resource_setup()
- cls.flavor = cls._create_flavor()
+ cls.flavor = cls.create_flavor()
@classmethod
def resource_cleanup(cls):
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py
new file mode 100644
index 0000000..519a55a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_manage_rbac.py
@@ -0,0 +1,53 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class FlavorManageRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ # Need admin to wait for resource deletion below to avoid test role
+ # having to pass extra policies.
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(FlavorManageRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('OS-FLV-EXT-DATA', 'compute'):
+ msg = "OS-FLV-EXT-DATA extension not enabled."
+ raise cls.skipException(msg)
+
+ @decorators.idempotent_id('a4e7faec-7a4b-4809-9856-90d5b747ca35')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-flavor-manage:create")
+ def test_create_flavor_manage(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.create_flavor()
+
+ @decorators.idempotent_id('782e988e-061b-4c40-896f-a77c70c2b057')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-flavor-manage:delete")
+ def test_delete_flavor_manage(self):
+ flavor_id = self.create_flavor()['id']
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.flavors_client.delete_flavor(flavor_id)
+ self.os_admin.flavors_client.wait_for_resource_deletion(flavor_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index 17a6c74..a28ddb9 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -14,19 +14,106 @@
# under the License.
from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
-class SecurityGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+class SecurtiyGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ """Tests non-deprecated security group policies. Requires network service.
+
+ This class tests non-deprecated policies for adding and removing a security
+ group to and from a server.
+ """
+
+ @classmethod
+ def skip_checks(cls):
+ super(SecurtiyGroupsRbacTest, cls).skip_checks()
+ # All the tests below require the network service.
+ # NOTE(gmann) Currently 'network' service is always True in
+ # test.get_service_list() So below check is not much of use.
+ # Commenting the below check as Tempest is moving the get_service_list
+ # from test.py to utils.
+ # If we want to check 'network' service availability, then
+ # get_service_list can be used from new location.
+ # if not test.get_service_list()['network']:
+ # raise cls.skipException(
+ # 'Skipped because the network service is not available')
+
+ @classmethod
+ def setup_credentials(cls):
+ # A network and a subnet will be created for these tests.
+ cls.set_network_resources(network=True, subnet=True)
+ super(SecurtiyGroupsRbacTest, cls).setup_credentials()
+
+ @classmethod
+ def resource_setup(cls):
+ super(SecurtiyGroupsRbacTest, cls).resource_setup()
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
+ def test_list_security_groups_by_server(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.list_security_groups_by_server(self.server['id'])
+
+ @decorators.attr(type=["slow"])
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
+ def test_create_security_group_for_server(self):
+ sg_name = self.create_security_group()['name']
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.servers_client.remove_security_group,
+ self.server['id'], name=sg_name)
+
+ @decorators.attr(type=["slow"])
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
+ def test_remove_security_group_from_server(self):
+ sg_name = self.create_security_group()['name']
+
+ self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.servers_client.remove_security_group,
+ self.server['id'], name=sg_name)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.remove_security_group(
+ self.server['id'], name=sg_name)
+
+
+class SecurityGroupsRbacMaxV235Test(rbac_base.BaseV2ComputeRbacTest):
# Tests in this class will fail with a 404 from microversion 2.36,
# according to:
# https://developer.openstack.org/api-ref/compute/#security-groups-os-security-groups-deprecated
max_microversion = '2.35'
+ @classmethod
+ def skip_checks(cls):
+ super(SecurityGroupsRbacMaxV235Test, cls).skip_checks()
+ # All the tests below require the network service.
+ # NOTE(gmann) Currently 'network' service is always True in
+ # test.get_service_list() So below check is not much of use.
+ # Commenting the below check as Tempest is moving the get_service_list
+ # from test.py to utils.
+ # If we want to check 'network' service availability, then
+ # get_service_list can be used from new location.
+ # if not test.get_service_list()['network']:
+ # raise cls.skipException(
+ # 'Skipped because the network service is not available')
+
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-security-groups")
@@ -58,9 +145,10 @@
@decorators.idempotent_id('3de5c6bc-b822-469e-a627-82427d38b067')
def test_update_security_groups(self):
sec_group_id = self.create_security_group()['id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
new_name = data_utils.rand_name()
new_desc = data_utils.rand_name()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.security_groups_client.update_security_group(sec_group_id,
name=new_name,
description=new_desc)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
index cb32eec..aeefebf 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -322,7 +322,7 @@
# This class has test case(s) that requires at least microversion 2.16.
# See the following link for details:
- # http://developer.openstack.org/api-ref-compute-v2.1.html#show-server-details
+ # https://developer.openstack.org/api-ref/compute/#show-server-details
min_microversion = '2.16'
max_microversion = 'latest'
@@ -340,6 +340,5 @@
server = self.servers_client.show_server(self.server_id)['server']
if 'host_status' not in server:
- LOG.info("host_status attribute not returned when role doesn't "
- "have permission to access it.")
- raise rbac_exceptions.RbacActionFailed
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='host_status')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
index e942f08..63dee63 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -42,6 +42,8 @@
Only applies to:
* policy "families" that require server creation
* small policy "families" -- i.e. containing one to three policies
+
+ Tests are ordered by policy name.
"""
credentials = ['primary', 'admin']
@@ -135,10 +137,11 @@
"""Test list servers with config_drive property in response body."""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
body = self.servers_client.list_servers(detail=True)['servers']
+ expected_attr = 'config_drive'
# If the first server contains "config_drive", then all the others do.
- if 'config_drive' not in body[0]:
- raise rbac_exceptions.RbacActionFailed(
- '"config_drive" attribute not found in response body.')
+ if expected_attr not in body[0]:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=expected_attr)
@test.requires_ext(extension='os-config-drive', service='compute')
@decorators.idempotent_id('55c62ef7-b72b-4970-acc6-05b0a4316e5d')
@@ -148,10 +151,12 @@
def test_show_server_config_drive(self):
"""Test show server with config_drive property in response body."""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+
body = self.servers_client.show_server(self.server['id'])['server']
- if 'config_drive' not in body:
- raise rbac_exceptions.RbacActionFailed(
- '"config_drive" attribute not found in response body.')
+ expected_attr = 'config_drive'
+ if expected_attr not in body:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=expected_attr)
@test.requires_ext(extension='os-deferred-delete', service='compute')
@decorators.idempotent_id('189bfed4-1e6d-475c-bb8c-d57e60895391')
@@ -164,6 +169,105 @@
# Force-deleting a server enforces os-deferred-delete.
self.servers_client.force_delete_server(self.server['id'])
+ @decorators.idempotent_id('d873740a-7b10-40a9-943d-7cc18115370e')
+ @test.requires_ext(extension='OS-EXT-AZ', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-extended-availability-zone")
+ def test_list_servers_with_details_extended_availability_zone(self):
+ """Test list servers OS-EXT-AZ:availability_zone attr in resp body."""
+ expected_attr = 'OS-EXT-AZ:availability_zone'
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.servers_client.list_servers(detail=True)['servers']
+ # If the first server contains `expected_attr`, then all the others do.
+ if expected_attr not in body[0]:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=expected_attr)
+
+ @decorators.idempotent_id('727e5360-770a-4b9c-8015-513a40216635')
+ @test.requires_ext(extension='OS-EXT-AZ', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-extended-availability-zone")
+ def test_show_server_extended_availability_zone(self):
+ """Test show server OS-EXT-AZ:availability_zone attr in resp body."""
+ expected_attr = 'OS-EXT-AZ:availability_zone'
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.servers_client.show_server(self.server['id'])['server']
+ if expected_attr not in body:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=expected_attr)
+
+ @decorators.idempotent_id('82053c27-3134-4003-9b55-bc9fafdb0e3b')
+ @test.requires_ext(extension='OS-EXT-STS', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-extended-status")
+ def test_list_servers_extended_status(self):
+ """Test list servers with extended properties in response body."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.servers_client.list_servers(detail=True)['servers']
+
+ expected_attrs = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
+ 'OS-EXT-STS:power_state')
+ for attr in expected_attrs:
+ if attr not in body[0]:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=attr)
+
+ @decorators.idempotent_id('7d2620a5-eea1-4a8b-96ea-86ad77a73fc8')
+ @test.requires_ext(extension='OS-EXT-STS', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-extended-status")
+ def test_show_server_extended_status(self):
+ """Test show server with extended properties in response body."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.servers_client.show_server(self.server['id'])['server']
+
+ expected_attrs = ('OS-EXT-STS:task_state', 'OS-EXT-STS:vm_state',
+ 'OS-EXT-STS:power_state')
+ for attr in expected_attrs:
+ if attr not in body:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=attr)
+
+ @decorators.idempotent_id('21e39cbe-6c32-48fc-80dd-3e1fece6053f')
+ @test.requires_ext(extension='os-extended-volumes', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-extended-volumes")
+ def test_list_servers_with_details_extended_volumes(self):
+ """Test list servers os-extended-volumes:volumes_attached attr in resp
+ body.
+ """
+ expected_attr = 'os-extended-volumes:volumes_attached'
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.servers_client.list_servers(detail=True)['servers']
+ if expected_attr not in body[0]:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=expected_attr)
+
+ @decorators.idempotent_id('7f163708-0d25-4138-8512-dfdd72a92989')
+ @test.requires_ext(extension='os-extended-volumes', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-extended-volumes")
+ def test_show_server_extended_volumes(self):
+ """Test show server os-extended-volumes:volumes_attached attr in resp
+ body.
+ """
+ expected_attr = 'os-extended-volumes:volumes_attached'
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.servers_client.show_server(self.server['id'])['server']
+ if expected_attr not in body:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute=expected_attr)
+
@test.requires_ext(extension='os-instance-actions', service='compute')
@decorators.idempotent_id('9d1b131d-407e-4fa3-8eef-eb2c4526f1da')
@rbac_rule_validation.action(
@@ -192,14 +296,13 @@
self.server['id'], request_id)['instanceAction']
if 'events' not in instance_action:
- raise rbac_exceptions.RbacActionFailed(
- '"%s" attribute not found in response body.' % 'events')
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='events')
# Microversion 2.51+ returns 'events' always, but not 'traceback'. If
# 'traceback' is also present then policy enforcement passed.
if 'traceback' not in instance_action['events'][0]:
- raise rbac_exceptions.RbacActionFailed(
- '"%s" attribute not found in response body.'
- % 'events.traceback')
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='events.traceback')
@rbac_rule_validation.action(
service="nova",
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
index 5539221..35ca437 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
@@ -18,7 +18,6 @@
from tempest.common import waiters
from tempest import config
from tempest.lib.common.utils import data_utils
-from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest.lib import exceptions
from tempest import test
@@ -41,69 +40,12 @@
cls.networks_client = cls.os_primary.networks_client
cls.ports_client = cls.os_primary.ports_client
cls.subnets_client = cls.os_primary.subnets_client
+ cls.admin_servers_client = cls.os_admin.servers_client
@classmethod
def resource_setup(cls):
super(ComputeServersRbacTest, cls).resource_setup()
cls.server = cls.create_test_server(wait_until='ACTIVE')
- # Create a volume
- volume_name = data_utils.rand_name(cls.__name__ + '-volume')
- name_field = 'name'
- if not CONF.volume_feature_enabled.api_v2:
- name_field = 'display_name'
-
- params = {name_field: volume_name,
- 'imageRef': CONF.compute.image_ref,
- 'size': CONF.volume.volume_size}
-
- volume = cls.volumes_client.create_volume(**params)['volume']
- waiters.wait_for_volume_resource_status(cls.volumes_client,
- volume['id'], 'available')
- cls.volumes.append(volume)
- cls.volume_id = volume['id']
-
- def _create_network_resources(self):
- # Create network
- network_name = data_utils.rand_name(
- self.__class__.__name__ + '-network')
-
- network = self.networks_client.create_network(
- name=network_name, port_security_enabled=True)['network']
- self.addCleanup(self.networks_client.delete_network, network['id'])
-
- # Create subnet for the network
- subnet_name = data_utils.rand_name(self.__class__.__name__ + '-subnet')
- subnet = self.subnets_client.create_subnet(
- name=subnet_name,
- network_id=network['id'],
- cidr=CONF.network.project_network_cidr,
- ip_version=4)['subnet']
- self.addCleanup(self.subnets_client.delete_subnet, subnet['id'])
-
- return network
-
- def _create_test_server_with_volume(self, volume_id):
- # Create a server with the volume created earlier
- server_name = data_utils.rand_name(self.__class__.__name__ + "-server")
- bd_map_v2 = [{'uuid': volume_id,
- 'source_type': 'volume',
- 'destination_type': 'volume',
- 'boot_index': 0,
- 'delete_on_termination': True}]
- device_mapping = {'block_device_mapping_v2': bd_map_v2}
-
- # Since the server is booted from volume, the imageRef does not need
- # to be specified.
- server = self.servers_client.create_server(
- name=server_name, imageRef='',
- flavorRef=CONF.compute.flavor_ref,
- **device_mapping)['server']
-
- waiters.wait_for_server_status(
- self.os_admin.servers_client, server['id'], 'ACTIVE')
-
- self.servers.append(server)
- return server
@rbac_rule_validation.action(
service="nova",
@@ -139,8 +81,25 @@
rule="os_compute_api:servers:create:attach_volume")
@decorators.idempotent_id('eeddac5e-15aa-454f-838d-db608aae4dd8')
def test_create_server_attach_volume(self):
+ # To create a bootable volume, the UUID of the image from which
+ # to create the volume must be included as the imageRef attribute in
+ # the request body.
+ volume_id = self.create_volume(
+ imageRef=CONF.compute.image_ref,
+ size=CONF.volume.volume_size)['id']
+
+ server_name = data_utils.rand_name(self.__class__.__name__ + "-server")
+ bd_map_v2 = [{'uuid': volume_id,
+ 'source_type': 'volume',
+ 'destination_type': 'volume',
+ 'boot_index': 0,
+ 'delete_on_termination': True}]
+ device_mapping = {'block_device_mapping_v2': bd_map_v2}
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_test_server_with_volume(self.volume_id)
+ # Use image_id='' to avoid using the default image in tempest.conf.
+ self.create_test_server(name=server_name, image_id='',
+ **device_mapping)
@test.services('network')
@rbac_rule_validation.action(
@@ -148,12 +107,33 @@
rule="os_compute_api:servers:create:attach_network")
@decorators.idempotent_id('b44cd4ff-50a4-42ce-ada3-724e213cd540')
def test_create_server_attach_network(self):
- network = self._create_network_resources()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ def _create_network_resources():
+ # Create network
+ network_name = data_utils.rand_name(
+ self.__class__.__name__ + '-network')
+
+ network = self.networks_client.create_network(
+ name=network_name, port_security_enabled=True)['network']
+ self.addCleanup(self.networks_client.delete_network, network['id'])
+
+ # Create subnet for the network
+ subnet_name = data_utils.rand_name(
+ self.__class__.__name__ + '-subnet')
+ subnet = self.subnets_client.create_subnet(
+ name=subnet_name,
+ network_id=network['id'],
+ cidr=CONF.network.project_network_cidr,
+ ip_version=4)['subnet']
+ self.addCleanup(self.subnets_client.delete_subnet, subnet['id'])
+
+ return network
+
+ network = _create_network_resources()
network_id = {'uuid': network['id']}
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
server = self.create_test_server(wait_until='ACTIVE',
networks=[network_id])
-
self.addCleanup(waiters.wait_for_server_termination,
self.servers_client, server['id'])
self.addCleanup(self.servers_client.delete_server, server['id'])
@@ -164,10 +144,11 @@
@decorators.idempotent_id('062e3440-e873-4b41-9317-bf6d8be50c12')
def test_delete_server(self):
server = self.create_test_server(wait_until='ACTIVE')
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.servers_client.delete_server(server['id'])
waiters.wait_for_server_termination(
- self.os_admin.servers_client, server['id'])
+ self.admin_servers_client, server['id'])
@rbac_rule_validation.action(
service="nova",
@@ -178,76 +159,10 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
try:
self.servers_client.update_server(self.server['id'], name=new_name)
- waiters.wait_for_server_status(self.os_admin.servers_client,
+ waiters.wait_for_server_status(self.admin_servers_client,
self.server['id'], 'ACTIVE')
except exceptions.ServerFault as e:
# Some other policy may have blocked it.
LOG.info("ServerFault exception caught. Some other policy "
"blocked updating of server")
- raise rbac_exceptions.RbacActionFailed(e)
-
-
-class SecurtiyGroupsRbacTest(base.BaseV2ComputeRbacTest):
- """Tests non-deprecated security group policies. Requires network service.
-
- This class tests non-deprecated policies for adding and removing a security
- group to and from a server.
- """
-
- @classmethod
- def setup_credentials(cls):
- # A network and a subnet will be created for these tests.
- cls.set_network_resources(network=True, subnet=True)
- super(SecurtiyGroupsRbacTest, cls).setup_credentials()
-
- @classmethod
- def skip_checks(cls):
- super(SecurtiyGroupsRbacTest, cls).skip_checks()
- # All the tests below require the network service.
- if not test.get_service_list()['network']:
- raise cls.skipException(
- 'Skipped because the network service is not available')
-
- @classmethod
- def resource_setup(cls):
- super(SecurtiyGroupsRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-security-groups")
- @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
- def test_list_security_groups_by_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.list_security_groups_by_server(self.server['id'])
-
- @decorators.attr(type=["slow"])
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-security-groups")
- @decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
- def test_create_security_group_for_server(self):
- sg_name = self.create_security_group()['name']
-
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.add_security_group(self.server['id'], name=sg_name)
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.servers_client.remove_security_group,
- self.server['id'], name=sg_name)
-
- @decorators.attr(type=["slow"])
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-security-groups")
- @decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
- def test_remove_security_group_from_server(self):
- sg_name = self.create_security_group()['name']
-
- self.servers_client.add_security_group(self.server['id'], name=sg_name)
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.servers_client.remove_security_group,
- self.server['id'], name=sg_name)
-
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.remove_security_group(
- self.server['id'], name=sg_name)
+ raise rbac_exceptions.RbacConflictingPolicies(e)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
index 943cb69..65d9edb 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
@@ -97,6 +97,7 @@
self.servers_client.detach_volume,
self.server['id'], alt_volume['id'])
+ @decorators.attr(type='slow')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-volumes-attachments:delete")
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 8ee80c6..51daf96 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -31,7 +31,7 @@
@classmethod
def skip_checks(cls):
super(BaseIdentityV2RbacTest, cls).skip_checks()
- if not CONF.rbac.enable_rbac:
+ if not CONF.patrole.enable_rbac:
raise cls.skipException(
"%s skipped as RBAC testing not enabled" % cls.__name__)
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index e733e26..db1f6e6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -18,6 +18,7 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin import rbac_utils
from patrole_tempest_plugin.tests.api.identity import rbac_base
CONF = config.CONF
@@ -112,7 +113,7 @@
admin-scoped tenants, raise ``RbacActionFailed`` exception otherwise.
"""
tenants_client = self.os_admin.tenants_client if \
- self.rbac_utils.is_admin else self.os_primary.tenants_client
+ rbac_utils.is_admin() else self.os_primary.tenants_client
admin_tenant_id = self.os_admin.credentials.project_id
non_admin_tenant_id = self.os_primary.credentials.project_id
@@ -121,10 +122,8 @@
tenant_ids = [t['id'] for t in tenants]
if admin_tenant_id not in tenant_ids:
- raise rbac_exceptions.RbacActionFailed(
- "The admin tenant id was not returned by the call to "
- "``list_tenants``.")
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute="admin tenant id")
if non_admin_tenant_id in tenant_ids:
- raise rbac_exceptions.RbacActionFailed(
- "The non-admin tenant id was returned by the call to "
- "``list_tenants``.")
+ raise rbac_exceptions.RbacMalformedResponse(
+ extra_attr=True)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
index 90952a8..18e5bf1 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_tokens_negative_rbac.py
@@ -18,6 +18,7 @@
from tempest.lib import exceptions as lib_exc
from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin import rbac_utils
from patrole_tempest_plugin.tests.api.identity import rbac_base
CONF = config.CONF
@@ -31,8 +32,8 @@
def skip_checks(cls):
super(IdentityTokenV3RbacTest, cls).skip_checks()
# In case of admin, the positive testcase would be used, hence
- # skipping negative testcase
- if CONF.rbac.rbac_test_role == CONF.identity.admin_role:
+ # skipping negative testcase.
+ if rbac_utils.is_admin():
raise cls.skipException(
"Skipped as admin role doesn't require negative testing")
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index 0c85240..5812f9e 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -20,11 +20,11 @@
from patrole_tempest_plugin.tests.api.identity import rbac_base
-class IdentityUserV3AdminRbacTest(rbac_base.BaseIdentityV3RbacTest):
+class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@classmethod
def resource_setup(cls):
- super(IdentityUserV3AdminRbacTest, cls).resource_setup()
+ super(IdentityUserV3RbacTest, cls).resource_setup()
cls.default_user_id = cls.os_primary.credentials.user_id
@rbac_rule_validation.action(service="keystone",
@@ -71,19 +71,6 @@
self.users_client.show_user(self.default_user_id)
@rbac_rule_validation.action(service="keystone",
- rule="identity:change_password")
- @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d90a')
- def test_change_password(self):
- original_password = data_utils.rand_password()
- user = self.setup_test_user(password=original_password)
-
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.users_client.update_user_password(
- user['id'],
- original_password=original_password,
- password=data_utils.rand_password())
-
- @rbac_rule_validation.action(service="keystone",
rule="identity:list_groups_for_user")
@decorators.idempotent_id('bd5946d4-46d2-423d-a800-a3e7aabc18b3')
def test_list_own_user_group(self):
diff --git a/patrole_tempest_plugin/tests/api/image/rbac_base.py b/patrole_tempest_plugin/tests/api/image/rbac_base.py
index e49e2f6..dd4e5ed 100644
--- a/patrole_tempest_plugin/tests/api/image/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/image/rbac_base.py
@@ -24,7 +24,7 @@
@classmethod
def skip_checks(cls):
super(BaseV1ImageRbacTest, cls).skip_checks()
- if not CONF.rbac.enable_rbac:
+ if not CONF.patrole.enable_rbac:
raise cls.skipException(
"%s skipped as RBAC testing not enabled" % cls.__name__)
@@ -39,7 +39,7 @@
@classmethod
def skip_checks(cls):
super(BaseV2ImageRbacTest, cls).skip_checks()
- if not CONF.rbac.enable_rbac:
+ if not CONF.patrole.enable_rbac:
raise cls.skipException(
"%s skipped as RBAC testing not enabled" % cls.__name__)
diff --git a/patrole_tempest_plugin/tests/api/network/rbac_base.py b/patrole_tempest_plugin/tests/api/network/rbac_base.py
index 6cf0138..b495098 100644
--- a/patrole_tempest_plugin/tests/api/network/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/network/rbac_base.py
@@ -26,7 +26,7 @@
@classmethod
def skip_checks(cls):
super(BaseNetworkRbacTest, cls).skip_checks()
- if not CONF.rbac.enable_rbac:
+ if not CONF.patrole.enable_rbac:
raise cls.skipException(
"%s skipped as RBAC testing not enabled" % cls.__name__)
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_multiprovider_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_multiprovider_rbac.py
index 01cf0fd..9d2b67a 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_multiprovider_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_multiprovider_rbac.py
@@ -95,6 +95,5 @@
if len(response_network) == 0:
LOG.info("NotFound or Forbidden exception are not thrown when "
"role doesn't have access to the endpoint. Instead, "
- "the response will have an empty network body. "
- "This is irregular and should be fixed.")
- raise rbac_exceptions.RbacActionFailed
+ "the response will have an empty network body.")
+ raise rbac_exceptions.RbacMalformedResponse(True)
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index b42be93..148804e 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -238,7 +238,7 @@
self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
- raise rbac_exceptions.RbacActionFailed
+ raise rbac_exceptions.RbacMalformedResponse(True)
@test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -257,7 +257,7 @@
self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
- raise rbac_exceptions.RbacActionFailed
+ raise rbac_exceptions.RbacMalformedResponse(empty=True)
@test.requires_ext(extension='provider', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -276,7 +276,7 @@
self.network['id'], **kwargs)['network']
if len(retrieved_network) == 0:
- raise rbac_exceptions.RbacActionFailed
+ raise rbac_exceptions.RbacMalformedResponse(empty=True)
key = retrieved_network.get('provider:segmentation_id', "NotFound")
self.assertNotEqual(key, "NotFound")
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index cec860c..888f879 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -170,7 +170,8 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
- raise rbac_exceptions.RbacActionFailed
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='binding:vif_type')
@test.requires_ext(extension='binding', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -188,7 +189,8 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
- raise rbac_exceptions.RbacActionFailed
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='binding:vif_details')
@test.requires_ext(extension='binding', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -208,7 +210,8 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
- raise rbac_exceptions.RbacActionFailed
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='binding:host_id')
@test.requires_ext(extension='binding', service='network')
@rbac_rule_validation.action(service="neutron",
@@ -229,7 +232,8 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if fields[0] not in retrieved_port:
- raise rbac_exceptions.RbacActionFailed
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='binding:profile')
@rbac_rule_validation.action(service="neutron",
rule="update_port")
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index 6aec5d1..45a5cda 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -173,8 +173,8 @@
# Rather than throwing a 403, the field is not present, so raise exc.
if 'distributed' not in retrieved_fields:
- raise rbac_exceptions.RbacActionFailed(
- '"distributed" parameter not present in response body')
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='distributed')
@rbac_rule_validation.action(
service="neutron", rule="update_router")
@@ -296,8 +296,7 @@
distributed=False)
@rbac_rule_validation.action(service="neutron",
- rule="delete_router",
- expected_error_code=404)
+ rule="delete_router")
@decorators.idempotent_id('c0634dd5-0467-48f7-a4ae-1014d8edb2a7')
def test_delete_router(self):
"""Delete Router
@@ -309,10 +308,9 @@
self.routers_client.delete_router(router['id'])
@rbac_rule_validation.action(service="neutron",
- rule="add_router_interface",
- expected_error_code=404)
+ rule="add_router_interface")
@decorators.idempotent_id('a0627778-d68d-4913-881b-e345360cca19')
- def test_add_router_interfaces(self):
+ def test_add_router_interface(self):
"""Add Router Interface
RBAC test for the neutron add_router_interface policy
@@ -331,10 +329,9 @@
subnet_id=subnet['id'])
@rbac_rule_validation.action(service="neutron",
- rule="remove_router_interface",
- expected_error_code=404)
+ rule="remove_router_interface")
@decorators.idempotent_id('ff2593a4-2bff-4c27-97d3-dd3702b27dfb')
- def test_remove_router_interfaces(self):
+ def test_remove_router_interface(self):
"""Remove Router Interface
RBAC test for the neutron remove_router_interface policy
diff --git a/patrole_tempest_plugin/tests/api/volume/rbac_base.py b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
index 4d3b612..c43c552 100644
--- a/patrole_tempest_plugin/tests/api/volume/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
@@ -26,7 +26,7 @@
@classmethod
def skip_checks(cls):
super(BaseVolumeRbacTest, cls).skip_checks()
- if not CONF.rbac.enable_rbac:
+ if not CONF.patrole.enable_rbac:
raise cls.skipException(
"%s skipped as RBAC testing not enabled" % cls.__name__)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
index 6b07aaa..20f20a5 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_groups_rbac.py
@@ -90,6 +90,18 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.groups_client.list_groups(detail=True)['groups']
+ @decorators.idempotent_id('f499fc48-df83-4917-bf8d-783ebf6f080b')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="group:update")
+ def test_update_group(self):
+ group = self._create_group(group_type=self.group_type_id,
+ volume_types=[self.volume_type_id])
+ updated_name = data_utils.rand_name(self.__class__.__name__ + '-Group')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.groups_client.update_group(group['id'], name=updated_name)
+
@decorators.idempotent_id('66fda391-5774-42a9-a018-80b34e57ab76')
@rbac_rule_validation.action(
service="cinder",
@@ -128,9 +140,8 @@
group_type = self.create_group_type(ignore_notfound=True)
if 'group_specs' not in group_type:
- raise rbac_exceptions.RbacActionFailed(
- 'Policy %s does not return %s in response body.' %
- ('group:access_group_types_specs', 'group_specs'))
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='group_specs')
@decorators.idempotent_id('f77f8156-4fc9-4f02-be15-8930f748e10c')
@rbac_rule_validation.action(
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index a734e58..7eb1cf0 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -90,6 +90,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.backups_client.list_backups(detail=True)
+ @decorators.attr(type='slow')
@decorators.idempotent_id('50f43bde-205e-438e-9a05-5eac07fc3d63')
@rbac_rule_validation.action(
service="cinder",
diff --git a/patrole_tempest_plugin/tests/unit/fixtures.py b/patrole_tempest_plugin/tests/unit/fixtures.py
index f25e05d..ce13029 100644
--- a/patrole_tempest_plugin/tests/unit/fixtures.py
+++ b/patrole_tempest_plugin/tests/unit/fixtures.py
@@ -19,6 +19,8 @@
import fixtures
import mock
+from tempest import clients
+from tempest.common import credentials_factory as credentials
from tempest import config
from patrole_tempest_plugin import rbac_utils
@@ -53,19 +55,15 @@
class RbacUtilsFixture(fixtures.Fixture):
- """Fixture for RbacUtils class."""
+ """Fixture for `RbacUtils` class."""
USER_ID = mock.sentinel.user_id
PROJECT_ID = mock.sentinel.project_id
- def __init__(self, **kwargs):
- super(RbacUtilsFixture, self).__init__()
- self.available_roles = None
-
def setUp(self):
super(RbacUtilsFixture, self).setUp()
- self.useFixture(ConfPatcher(rbac_test_role='member', group='rbac'))
+ self.useFixture(ConfPatcher(rbac_test_role='member', group='patrole'))
self.useFixture(ConfPatcher(
admin_role='admin', auth_version='v3', group='identity'))
@@ -75,35 +73,63 @@
'os_primary.credentials.project_id': self.PROJECT_ID,
'get_identity_version.return_value': 'v3'
}
- self.mock_test_obj = mock.Mock(**test_obj_kwargs)
- self.mock_time = mock.patch.object(rbac_utils, 'time').start()
+ self.mock_test_obj = mock.Mock(__name__='foo', **test_obj_kwargs)
- self.roles_v3_client = (
- self.mock_test_obj.get_client_manager.return_value.roles_v3_client)
+ # Mock out functionality that can't be used by unit tests.
+ self.mock_time = mock.patch.object(rbac_utils, 'time').start()
+ mock.patch.object(
+ credentials, 'get_configured_admin_credentials').start()
+ mock_admin_mgr = mock.patch.object(clients, 'Manager').start()
+ self.roles_v3_client = mock_admin_mgr.return_value.roles_v3_client
+
+ self.set_roles(['admin', 'member'], [])
def switch_role(self, *role_toggles):
"""Instantiate `rbac_utils.RbacUtils` and call `switch_role`.
Create an instance of `rbac_utils.RbacUtils` and call `switch_role`
for each boolean value in `role_toggles`. The number of calls to
- `switch_role` is always 1 + len(role_toggles) because the
+ `switch_role` is always 1 + len(`role_toggles`) because the
`rbac_utils.RbacUtils` constructor automatically calls `switch_role`.
:param role_toggles: the list of boolean values iterated over and
passed to `switch_role`.
"""
- if not self.available_roles:
- self.set_roles('admin', 'member')
-
self.fake_rbac_utils = rbac_utils.RbacUtils(self.mock_test_obj)
+
for role_toggle in role_toggles:
self.fake_rbac_utils.switch_role(self.mock_test_obj, role_toggle)
+ # NOTE(felipemonteiro): Simulate that a role switch has occurred
+ # by updating the user's current role to the new role. This means
+ # that all API actions involved during a role switch -- listing,
+ # deleting and adding roles -- are executed, making it easier to
+ # assert that mock calls were called as expected.
+ new_role = 'member' if role_toggle else 'admin'
+ self.set_roles(['admin', 'member'], [new_role])
- def set_roles(self, *roles):
- """Set the list of available roles in the system to `roles`."""
- self.available_roles = {
+ def set_roles(self, roles, roles_on_project=None):
+ """Set the list of available roles in the system.
+
+ :param roles: List of roles returned by ``list_roles``.
+ :param roles_on_project: List of roles returned by
+ ``list_user_roles_on_project``.
+ :returns: None.
+ """
+ if not roles_on_project:
+ roles_on_project = []
+ if not isinstance(roles, list):
+ roles = [roles]
+ if not isinstance(roles_on_project, list):
+ roles_on_project = [roles_on_project]
+
+ available_roles = {
'roles': [{'name': role, 'id': '%s_id' % role} for role in roles]
}
- self.roles_v3_client.list_user_roles_on_project.return_value =\
- self.available_roles
- self.roles_v3_client.list_roles.return_value = self.available_roles
+ available_project_roles = {
+ 'roles': [{'name': role, 'id': '%s_id' % role}
+ for role in roles_on_project]
+ }
+
+ self.roles_v3_client.list_roles.return_value = available_roles
+ self.roles_v3_client.list_user_roles_on_project.return_value = (
+ available_project_roles)
diff --git a/patrole_tempest_plugin/tests/unit/test_hacking.py b/patrole_tempest_plugin/tests/unit/test_hacking.py
new file mode 100644
index 0000000..021602b
--- /dev/null
+++ b/patrole_tempest_plugin/tests/unit/test_hacking.py
@@ -0,0 +1,258 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.tests import base
+
+from patrole_tempest_plugin.hacking import checks
+
+
+class RBACHackingTestCase(base.TestCase):
+
+ def test_import_no_clients_in_api_tests(self):
+ for client in checks.PYTHON_CLIENTS:
+ import_string = "import " + client + "client"
+ self.assertTrue(checks.import_no_clients_in_api_tests(
+ import_string,
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py"))
+ self.assertFalse(checks.import_no_clients_in_api_tests(
+ import_string,
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+ self.assertFalse(checks.import_no_clients_in_api_tests(
+ import_string,
+ "./patrole_tempest_plugin/tests/unit/fake_test.py"))
+ self.assertFalse(checks.import_no_clients_in_api_tests(
+ import_string,
+ "./patrole_tempest_plugin/fake_test.py"))
+
+ def test_no_setup_teardown_class_for_tests(self):
+ self.assertTrue(checks.no_setup_teardown_class_for_tests(
+ " def setUpClass(cls):",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertIsNone(checks.no_setup_teardown_class_for_tests(
+ " def setUpClass(cls): # noqa",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertTrue(checks.no_setup_teardown_class_for_tests(
+ " def setUpClass(cls):",
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py"))
+ self.assertTrue(checks.no_setup_teardown_class_for_tests(
+ " def setUpClass(cls):",
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+ self.assertTrue(checks.no_setup_teardown_class_for_tests(
+ " def tearDownClass(cls):",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertIsNone(checks.no_setup_teardown_class_for_tests(
+ " def tearDownClass(cls): # noqa",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertTrue(checks.no_setup_teardown_class_for_tests(
+ " def tearDownClass(cls):",
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py"))
+ self.assertTrue(checks.no_setup_teardown_class_for_tests(
+ " def tearDownClass(cls):",
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+
+ def test_no_vi_headers(self):
+ self.assertTrue(checks.no_vi_headers(
+ "# vim: tabstop=4", 1, range(250)))
+ self.assertTrue(checks.no_vi_headers(
+ "# vim: tabstop=4", 249, range(250)))
+
+ def test_service_tags_not_in_module_path(self):
+ self.assertTrue(checks.service_tags_not_in_module_path(
+ "@test.services('volume')",
+ "./patrole_tempest_plugin/tests/api/volume/fake_test_rbac.py"))
+ self.assertFalse(checks.service_tags_not_in_module_path(
+ "@test.services('image')",
+ "./patrole_tempest_plugin/tests/api/volume/fake_test_rbac.py"))
+
+ def test_no_hyphen_at_end_of_rand_name(self):
+ self.assertIsNone(checks.no_hyphen_at_end_of_rand_name(
+ "data_utils.rand_name('test')",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertIsNone(checks.no_hyphen_at_end_of_rand_name(
+ "data_utils.rand_name('test')",
+ "./patrole_tempest_plugin/tests/api/compute/fake_test_rbac.py"))
+ self.assertIsNone(checks.no_hyphen_at_end_of_rand_name(
+ "data_utils.rand_name('test')",
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+ self.assertIsNone(checks.no_hyphen_at_end_of_rand_name(
+ "data_utils.rand_name('test')",
+ "./patrole_tempest_plugin/tests/unit/fake_test.py"))
+ self.assertTrue(checks.no_hyphen_at_end_of_rand_name(
+ "data_utils.rand_name('test-')",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertTrue(checks.no_hyphen_at_end_of_rand_name(
+ "data_utils.rand_name('test-')",
+ "./patrole_tempest_plugin/tests/api/compute/fake_test_rbac.py"))
+ self.assertTrue(checks.no_hyphen_at_end_of_rand_name(
+ "data_utils.rand_name('test-')",
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+ self.assertTrue(checks.no_hyphen_at_end_of_rand_name(
+ "data_utils.rand_name('test-')",
+ "./patrole_tempest_plugin/tests/unit/fake_test.py"))
+
+ def test_no_mutable_default_args(self):
+ self.assertEqual(0, len(list(checks.no_mutable_default_args(
+ " def test_function(test_param_1, test_param_2"))))
+ self.assertEqual(1, len(list(checks.no_mutable_default_args(
+ " def test_function(test_param_1, test_param_2={}"))))
+
+ def test_no_testtools_skip_decorator(self):
+ self.assertEqual(1, len(list(checks.no_testtools_skip_decorator(
+ " @testtools.skip('Bug')"))))
+ self.assertEqual(0, len(list(checks.no_testtools_skip_decorator(
+ " @testtools.skipTest('reason')"))))
+ self.assertEqual(0, len(list(checks.no_testtools_skip_decorator(
+ " @testtools.skipUnless(reason, 'message')"))))
+ self.assertEqual(0, len(list(checks.no_testtools_skip_decorator(
+ " @testtools.skipIf(reason, 'message')"))))
+
+ def test_use_rand_uuid_instead_of_uuid4(self):
+ self.assertTrue(checks.use_rand_uuid_instead_of_uuid4(
+ "new_uuid = uuid.uuid4()",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertTrue(checks.use_rand_uuid_instead_of_uuid4(
+ "new_hex_uuid = uuid.uuid4().hex",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertIsNotNone(checks.use_rand_uuid_instead_of_uuid4(
+ "new_uuid = data_utils.rand_uuid()",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertIsNotNone(checks.use_rand_uuid_instead_of_uuid4(
+ "new_hex_uuid = data_utils.rand_uuid_hex()",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+
+ def _test_no_rbac_rule_validation_decorator(
+ self, filename, with_other_decorators=True,
+ with_rbac_decorator=True, expected_success=True):
+ other_decorators = [
+ "@decorators.idempotent_id(123)",
+ "@decorators.attr(type=['slow'])",
+ "@test.requires_ext(extension='ext', service='svc')"
+ ]
+
+ if with_other_decorators:
+ # Include multiple decorators to verify that this check works with
+ # arbitrarily many decorators. These insert decorators above the
+ # rbac_rule_validation decorator.
+ for decorator in other_decorators:
+ self.assertIsNone(checks.no_rbac_rule_validation_decorator(
+ " %s" % decorator, filename))
+ if with_rbac_decorator:
+ self.assertIsNone(checks.no_rbac_rule_validation_decorator(
+ " @rbac_rule_validation.action('rule')",
+ filename))
+ if with_other_decorators:
+ # Include multiple decorators to verify that this check works with
+ # arbitrarily many decorators. These insert decorators between
+ # the test and the @rbac_rule_validation decorator.
+ for decorator in other_decorators:
+ self.assertIsNone(checks.no_rbac_rule_validation_decorator(
+ " %s" % decorator, filename))
+ final_result = checks.no_rbac_rule_validation_decorator(
+ " def test_rbac_test",
+ filename)
+ if expected_success:
+ self.assertIsNone(final_result)
+ else:
+ self.assertIsInstance(final_result, tuple)
+ self.assertFalse(final_result[0])
+
+ def test_no_rbac_rule_validation_decorator(self):
+ self._test_no_rbac_rule_validation_decorator(
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py")
+ self._test_no_rbac_rule_validation_decorator(
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py",
+ False)
+ self._test_no_rbac_rule_validation_decorator(
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py",
+ with_other_decorators=True, with_rbac_decorator=False,
+ expected_success=False)
+ self._test_no_rbac_rule_validation_decorator(
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py",
+ with_other_decorators=False, with_rbac_decorator=False,
+ expected_success=False)
+
+ self._test_no_rbac_rule_validation_decorator(
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py")
+ self._test_no_rbac_rule_validation_decorator(
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py",
+ False)
+ self._test_no_rbac_rule_validation_decorator(
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py",
+ with_other_decorators=True, with_rbac_decorator=False,
+ expected_success=False)
+ self._test_no_rbac_rule_validation_decorator(
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py",
+ with_other_decorators=False, with_rbac_decorator=False,
+ expected_success=False)
+
+ def test_no_rbac_suffix_in_test_filename(self):
+ self.assertFalse(checks.no_rbac_suffix_in_test_filename(
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertFalse(checks.no_rbac_suffix_in_test_filename(
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+ self.assertFalse(checks.no_rbac_suffix_in_test_filename(
+ "./patrole_tempest_plugin/tests/unit/fake_test.py"))
+ self.assertFalse(checks.no_rbac_suffix_in_test_filename(
+ "./patrole_tempest_plugin/tests/api/fake_rbac_base.py"))
+ self.assertFalse(checks.no_rbac_suffix_in_test_filename(
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py"))
+ self.assertTrue(checks.no_rbac_suffix_in_test_filename(
+ "./patrole_tempest_plugin/tests/api/fake_test.py"))
+
+ def test_no_rbac_test_suffix_in_test_class_name(self):
+ self.assertFalse(checks.no_rbac_test_suffix_in_test_class_name(
+ "class FakeTest",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertFalse(checks.no_rbac_test_suffix_in_test_class_name(
+ "class FakeTest",
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+ self.assertFalse(checks.no_rbac_test_suffix_in_test_class_name(
+ "class FakeTest",
+ "./patrole_tempest_plugin/tests/unit/fake_test.py"))
+ self.assertFalse(checks.no_rbac_test_suffix_in_test_class_name(
+ "class FakeTest",
+ "./patrole_tempest_plugin/tests/api/fake_rbac_base.py"))
+ self.assertFalse(checks.no_rbac_test_suffix_in_test_class_name(
+ "class FakeRbacTest",
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py"))
+ self.assertTrue(checks.no_rbac_test_suffix_in_test_class_name(
+ "class FakeTest",
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py"))
+
+ def test_no_client_alias_in_test_cases(self):
+ self.assertFalse(checks.no_client_alias_in_test_cases(
+ " self.client",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertFalse(checks.no_client_alias_in_test_cases(
+ " cls.client",
+ "./patrole_tempest_plugin/tests/fake_test.py"))
+ self.assertFalse(checks.no_client_alias_in_test_cases(
+ " self.client",
+ "./patrole_tempest_plugin/tests/unit/fake_test.py"))
+ self.assertFalse(checks.no_client_alias_in_test_cases(
+ " cls.client",
+ "./patrole_tempest_plugin/tests/unit/fake_test.py"))
+ self.assertFalse(checks.no_client_alias_in_test_cases(
+ " self.client",
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+ self.assertFalse(checks.no_client_alias_in_test_cases(
+ " cls.client",
+ "./patrole_tempest_plugin/tests/scenario/fake_test.py"))
+ self.assertTrue(checks.no_client_alias_in_test_cases(
+ " self.client",
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py"))
+ self.assertTrue(checks.no_client_alias_in_test_cases(
+ " cls.client",
+ "./patrole_tempest_plugin/tests/api/fake_test_rbac.py"))
diff --git a/patrole_tempest_plugin/tests/unit/test_patrole.py b/patrole_tempest_plugin/tests/unit/test_patrole.py
index 58aff05..9b8e88c 100644
--- a/patrole_tempest_plugin/tests/unit/test_patrole.py
+++ b/patrole_tempest_plugin/tests/unit/test_patrole.py
@@ -14,16 +14,23 @@
# under the License.
"""
-test_patrole
-----------------------------------
-
Tests for `patrole` module.
"""
+from tempest import config
+
from patrole_tempest_plugin.tests.unit import base
+CONF = config.CONF
+
class TestPatrole(base.TestCase):
- def test_something(self):
- pass
+ def test_rbac_group_backwards_compatability(self):
+ """Validate that the deprecated group [rbac] is available and has the
+ same options and option values as [patrole] group, which is current.
+ """
+ self.assertTrue(hasattr(CONF, 'patrole'))
+ self.assertTrue(hasattr(CONF, 'rbac'))
+ # Validate that both groups are identical.
+ self.assertEqual(CONF.patrole.items(), CONF.rbac.items())
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
index 7ce925a..5fa26df 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
@@ -40,11 +40,11 @@
def setUp(self):
super(RbacPolicyTest, self).setUp()
-
- m_creds = self.patchobject(rbac_policy_parser, 'credentials')
- m_creds.AdminManager().identity_services_client.list_services.\
+ self.patchobject(rbac_policy_parser, 'credentials')
+ m_creds = self.patchobject(rbac_policy_parser, 'clients')
+ m_creds.Manager().identity_services_client.list_services.\
return_value = self.services
- m_creds.AdminManager().identity_services_v3_client.list_services.\
+ m_creds.Manager().identity_services_v3_client.list_services.\
return_value = self.services
current_directory = os.path.dirname(os.path.realpath(__file__))
@@ -64,9 +64,9 @@
current_directory, 'resources', '%s.json')
CONF.set_override(
- 'custom_policy_files', [self.conf_policy_path], group='rbac')
+ 'custom_policy_files', [self.conf_policy_path], group='patrole')
self.addCleanup(CONF.clear_override, 'custom_policy_files',
- group='rbac')
+ group='patrole')
# Guarantee a blank slate for each test.
for attr in ('available_services', 'policy_files'):
@@ -81,7 +81,7 @@
group='identity-feature-enabled')
def _get_fake_policy_rule(self, name, rule):
- fake_rule = mock.Mock(check=rule)
+ fake_rule = mock.Mock(check=rule, __name__='foo')
fake_rule.name = name
return fake_rule
@@ -291,6 +291,7 @@
parser = rbac_policy_parser.RbacPolicyParser(
test_tenant_id, test_user_id, "custom_rbac_policy")
parser.rules = mock.MagicMock(
+ __name__='foo',
**{'__getitem__.return_value.side_effect': Exception(
mock.sentinel.error)})
@@ -314,7 +315,7 @@
'rule:code_rule_3'),
]
- mock_manager = mock.Mock(obj=fake_policy_rules)
+ mock_manager = mock.Mock(obj=fake_policy_rules, __name__='foo')
mock_manager.configure_mock(name='fake_service')
mock_stevedore.named.NamedExtensionManager.return_value = [
mock_manager
@@ -355,7 +356,7 @@
'rule:code_rule_3'),
]
- mock_manager = mock.Mock(obj=fake_policy_rules)
+ mock_manager = mock.Mock(obj=fake_policy_rules, __name__='foo')
mock_manager.configure_mock(name='fake_service')
mock_stevedore.named.NamedExtensionManager.return_value = [
mock_manager
@@ -393,7 +394,7 @@
'Policy file for {0} service neither found in code '\
'nor at {1}.'.format(
'test_service',
- [CONF.rbac.custom_policy_files[0] % 'test_service'])
+ [CONF.patrole.custom_policy_files[0] % 'test_service'])
self.assertIn(expected_error, str(e))
@@ -401,10 +402,10 @@
@mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
def test_get_policy_data_without_valid_policy(self, mock_stevedore,
mock_json):
- test_policy_action = mock.Mock(check='rule:bar')
+ test_policy_action = mock.Mock(check='rule:bar', __name__='foo')
test_policy_action.configure_mock(name='foo')
- test_policy = mock.Mock(obj=[test_policy_action])
+ test_policy = mock.Mock(obj=[test_policy_action], __name__='foo')
test_policy.configure_mock(name='test_service')
mock_stevedore.named.NamedExtensionManager\
@@ -439,7 +440,7 @@
expected_error = (
'Policy file for {0} service neither found in code nor at {1}.'
- .format('tenant_rbac_policy', [CONF.rbac.custom_policy_files[0]
+ .format('tenant_rbac_policy', [CONF.patrole.custom_policy_files[0]
% 'tenant_rbac_policy']))
self.assertIn(expected_error, str(e))
@@ -458,7 +459,7 @@
@mock.patch.object(rbac_policy_parser, 'policy', autospec=True)
@mock.patch.object(rbac_policy_parser.RbacPolicyParser, '_get_policy_data',
autospec=True)
- @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
+ @mock.patch.object(rbac_policy_parser, 'clients', autospec=True)
@mock.patch.object(rbac_policy_parser, 'os', autospec=True)
def test_discover_policy_files_with_many_invalid_one_valid(self, m_os,
m_creds, *args):
@@ -466,14 +467,14 @@
m_os.path.isfile.side_effect = [False, False, True, False]
# Ensure the outer for loop runs only once in `discover_policy_files`.
- m_creds.AdminManager().identity_services_v3_client.\
+ m_creds.Manager().identity_services_v3_client.\
list_services.return_value = {
'services': [{'name': 'test_service'}]}
# The expected policy will be 'baz/test_service'.
CONF.set_override(
'custom_policy_files', ['foo/%s', 'bar/%s', 'baz/%s'],
- group='rbac')
+ group='patrole')
policy_parser = rbac_policy_parser.RbacPolicyParser(
None, None, 'test_service')
@@ -504,10 +505,10 @@
def _test_validate_service(self, v2_services, v3_services,
expected_failure=False, expected_services=None):
- with mock.patch.object(rbac_policy_parser, 'credentials') as m_creds:
- m_creds.AdminManager().identity_services_client.list_services.\
+ with mock.patch.object(rbac_policy_parser, 'clients') as m_creds:
+ m_creds.Manager().identity_services_client.list_services.\
return_value = v2_services
- m_creds.AdminManager().identity_services_v3_client.list_services.\
+ m_creds.Manager().identity_services_v3_client.list_services.\
return_value = v3_services
test_tenant_id = mock.sentinel.tenant_id
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
index 7ce5548..0dcaaa7 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
@@ -37,8 +37,11 @@
self.mock_args.os_primary.credentials.user_id = \
mock.sentinel.user_id
- CONF.set_override('rbac_test_role', 'Member', group='rbac')
- self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
+ CONF.set_override('rbac_test_role', 'Member', group='patrole')
+ self.addCleanup(CONF.clear_override, 'rbac_test_role', group='patrole')
+
+ self.mock_rbaclog = mock.patch.object(
+ rbac_rv.RBACLOG, 'info', autospec=False).start()
@mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch.object(rbac_rv, 'rbac_policy_parser', autospec=True)
@@ -50,7 +53,7 @@
"""
decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
- mock_function = mock.Mock()
+ mock_function = mock.Mock(__name__='foo')
wrapper = decorator(mock_function)
mock_policy.RbacPolicyParser.return_value.allowed.return_value = True
@@ -71,7 +74,7 @@
"""
decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
- mock_function = mock.Mock()
+ mock_function = mock.Mock(__name__='foo')
mock_function.side_effect = exceptions.Forbidden
wrapper = decorator(mock_function)
@@ -93,7 +96,7 @@
raised.
"""
decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
- mock_function = mock.Mock()
+ mock_function = mock.Mock(__name__='foo')
mock_function.side_effect = exceptions.Forbidden
wrapper = decorator(mock_function)
@@ -108,16 +111,16 @@
@mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch.object(rbac_rv, 'rbac_policy_parser', autospec=True)
- def test_rule_validation_rbac_action_failed_positive(self, mock_policy,
- mock_log):
- """Test RbacActionFailed error is thrown without permission passes.
+ def test_rule_validation_rbac_malformed_response_positive(
+ self, mock_policy, mock_log):
+ """Test RbacMalformedResponse error is thrown without permission passes.
- Positive test case: if RbacActionFailed is thrown and the user is not
- allowed to perform the action, then this is a success.
+ Positive test case: if RbacMalformedResponse is thrown and the user is
+ not allowed to perform the action, then this is a success.
"""
decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
- mock_function = mock.Mock()
- mock_function.side_effect = rbac_exceptions.RbacActionFailed
+ mock_function = mock.Mock(__name__='foo')
+ mock_function.side_effect = rbac_exceptions.RbacMalformedResponse
wrapper = decorator(mock_function)
mock_policy.RbacPolicyParser.return_value.allowed.return_value = False
@@ -130,16 +133,62 @@
@mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch.object(rbac_rv, 'rbac_policy_parser', autospec=True)
- def test_rule_validation_rbac_action_failed_negative(self, mock_policy,
- mock_log):
- """Test RbacActionFailed error is thrown with permission fails.
+ def test_rule_validation_rbac_malformed_response_negative(
+ self, mock_policy, mock_log):
+ """Test RbacMalformedResponse error is thrown with permission fails.
- Negative test case: if RbacActionFailed is thrown and the user is
+ Negative test case: if RbacMalformedResponse is thrown and the user is
allowed to perform the action, then this is an expected failure.
"""
decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
- mock_function = mock.Mock()
- mock_function.side_effect = rbac_exceptions.RbacActionFailed
+ mock_function = mock.Mock(__name__='foo')
+ mock_function.side_effect = rbac_exceptions.RbacMalformedResponse
+ wrapper = decorator(mock_function)
+
+ mock_policy.RbacPolicyParser.return_value.allowed.return_value = True
+
+ e = self.assertRaises(exceptions.Forbidden, wrapper, self.mock_args)
+ self.assertIn(
+ "Role Member was not allowed to perform sentinel.action.",
+ e.__str__())
+
+ mock_log.error.assert_called_once_with("Role Member was not allowed to"
+ " perform sentinel.action.")
+
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+ @mock.patch.object(rbac_rv, 'rbac_policy_parser', autospec=True)
+ def test_rule_validation_rbac_conflicting_policies_positive(
+ self, mock_policy, mock_log):
+ """Test RbacConflictingPolicies error is thrown without permission passes.
+
+ Positive test case: if RbacConflictingPolicies is thrown and the user
+ is not allowed to perform the action, then this is a success.
+ """
+ decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
+ mock_function = mock.Mock(__name__='foo')
+ mock_function.side_effect = rbac_exceptions.RbacConflictingPolicies
+ wrapper = decorator(mock_function)
+
+ mock_policy.RbacPolicyParser.return_value.allowed.return_value = False
+
+ result = wrapper(self.mock_args)
+
+ self.assertIsNone(result)
+ mock_log.error.assert_not_called()
+ mock_log.warning.assert_not_called()
+
+ @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+ @mock.patch.object(rbac_rv, 'rbac_policy_parser', autospec=True)
+ def test_rule_validation_rbac_conflicting_policies_negative(
+ self, mock_policy, mock_log):
+ """Test RbacConflictingPolicies error is thrown with permission fails.
+
+ Negative test case: if RbacConflictingPolicies is thrown and the user
+ is allowed to perform the action, then this is an expected failure.
+ """
+ decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
+ mock_function = mock.Mock(__name__='foo')
+ mock_function.side_effect = rbac_exceptions.RbacConflictingPolicies
wrapper = decorator(mock_function)
mock_policy.RbacPolicyParser.return_value.allowed.return_value = True
@@ -167,13 +216,12 @@
decorator = rbac_rv.action(mock.sentinel.service,
mock.sentinel.action,
expected_error_code=404)
- mock_function = mock.Mock()
+ mock_function = mock.Mock(__name__='foo')
mock_function.side_effect = exceptions.Forbidden('Random message.')
wrapper = decorator(mock_function)
- expected_error = "Forbidden\nDetails: Random message. An unexpected "\
- "exception has occurred: Expected exception was "\
- "NotFound, which was not thrown."
+ expected_error = "An unexpected exception has occurred during test: "\
+ "foo, Exception was: Forbidden\nDetails: Random message."
for permission in [True, False]:
mock_policy.RbacPolicyParser.return_value.allowed.return_value =\
@@ -187,7 +235,8 @@
@mock.patch.object(rbac_rv, 'LOG', autospec=True)
@mock.patch.object(rbac_rv, 'rbac_policy_parser', autospec=True)
- def test_expect_not_found_and_raise_not_found(self, mock_policy, mock_log):
+ def test_expect_not_found_and_raise_not_found(self, mock_policy,
+ mock_log):
"""Test that expecting 404 and getting 404 works for all scenarios.
Tests the following scenarios:
@@ -200,7 +249,7 @@
decorator = rbac_rv.action(mock.sentinel.service,
mock.sentinel.action,
expected_error_code=404)
- mock_function = mock.Mock()
+ mock_function = mock.Mock(__name__='foo')
mock_function.side_effect = exceptions.NotFound
wrapper = decorator(mock_function)
@@ -243,7 +292,7 @@
"""
decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
- mock_function = mock.Mock()
+ mock_function = mock.Mock(__name__='foo')
wrapper = decorator(mock_function)
mock_policy.RbacPolicyParser.return_value.allowed.return_value = False
@@ -251,7 +300,7 @@
e = self.assertRaises(rbac_exceptions.RbacOverPermission, wrapper,
self.mock_args)
self.assertIn(("OverPermission: Role Member was allowed to perform "
- "sentinel.action"), e.__str__())
+ "sentinel.action"), e.__str__())
mock_log.error.assert_called_once_with(
'Role %s was allowed to perform %s', 'Member',
mock.sentinel.action)
@@ -260,16 +309,16 @@
def test_invalid_policy_rule_throws_parsing_exception(
self, mock_rbac_policy_parser):
"""Test that invalid policy action causes test to be skipped."""
- CONF.set_override('strict_policy_check', True, group='rbac')
+ CONF.set_override('strict_policy_check', True, group='patrole')
self.addCleanup(CONF.clear_override, 'strict_policy_check',
- group='rbac')
+ group='patrole')
mock_rbac_policy_parser.RbacPolicyParser.return_value.allowed.\
side_effect = rbac_exceptions.RbacParsingException
decorator = rbac_rv.action(mock.sentinel.service,
mock.sentinel.policy_rule)
- wrapper = decorator(mock.Mock())
+ wrapper = decorator(mock.Mock(__name__='foo'))
e = self.assertRaises(rbac_exceptions.RbacParsingException, wrapper,
self.mock_args)
@@ -332,3 +381,51 @@
"codes: [403, 404]")
mock_log.error.reset_mock()
+
+ @mock.patch.object(rbac_rv, 'RBACLOG', autospec=True)
+ @mock.patch.object(rbac_rv, 'rbac_policy_parser', autospec=True)
+ def test_rbac_report_logging_disabled(self, mock_policy, mock_rbaclog):
+ """Test case to ensure that we DON'T write logs when
+ enable_reporting is False
+ """
+ CONF.set_override('enable_reporting', False, group='patrole_log')
+ self.addCleanup(CONF.clear_override,
+ 'enable_reporting', group='patrole_log')
+
+ decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
+
+ mock_function = mock.Mock(__name__='foo-nolog')
+ wrapper = decorator(mock_function)
+
+ mock_policy.RbacPolicyParser.return_value.allowed.return_value = True
+
+ wrapper(self.mock_args)
+
+ self.assertFalse(mock_rbaclog.info.called)
+
+ @mock.patch.object(rbac_rv, 'RBACLOG', autospec=True)
+ @mock.patch.object(rbac_rv, 'rbac_policy_parser', autospec=True)
+ def test_rbac_report_logging_enabled(self, mock_policy, mock_rbaclog):
+ """Test case to ensure that we DO write logs when
+ enable_reporting is True
+ """
+ CONF.set_override('enable_reporting', True, group='patrole_log')
+ self.addCleanup(CONF.clear_override,
+ 'enable_reporting', group='patrole_log')
+
+ decorator = rbac_rv.action(mock.sentinel.service, mock.sentinel.action)
+
+ mock_function = mock.Mock(__name__='foo-log')
+ wrapper = decorator(mock_function)
+
+ mock_policy.RbacPolicyParser.return_value.allowed.return_value = True
+
+ wrapper(self.mock_args)
+
+ mock_rbaclog.info.assert_called_once_with(
+ "[Service]: %s, [Test]: %s, [Rule]: %s, "
+ "[Expected]: %s, [Actual]: %s",
+ mock.sentinel.service, 'foo-log',
+ mock.sentinel.action,
+ "Allowed",
+ "Allowed")
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
index 79503b1..87adff0 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
@@ -34,17 +34,19 @@
def test_switch_role_with_missing_admin_role(self):
self.rbac_utils.set_roles('member')
- e = self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
- self.rbac_utils.switch_role, True)
- self.assertIn("Role with name 'admin' does not exist in the system.",
- e.__str__())
+ error_re = (
+ 'Roles defined by `\[patrole\] rbac_test_role` and `\[identity\] '
+ 'admin_role` must be defined in the system.')
+ self.assertRaisesRegex(rbac_exceptions.RbacResourceSetupFailed,
+ error_re, self.rbac_utils.switch_role)
def test_switch_role_with_missing_rbac_role(self):
self.rbac_utils.set_roles('admin')
- e = self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
- self.rbac_utils.switch_role, True)
- self.assertIn("Role defined by rbac_test_role does not exist in the "
- "system.", e.__str__())
+ error_re = (
+ 'Roles defined by `\[patrole\] rbac_test_role` and `\[identity\] '
+ 'admin_role` must be defined in the system.')
+ self.assertRaisesRegex(rbac_exceptions.RbacResourceSetupFailed,
+ error_re, self.rbac_utils.switch_role)
def test_switch_role_to_admin_role(self):
self.rbac_utils.switch_role()
@@ -61,6 +63,16 @@
.assert_called_once_with()
mock_time.sleep.assert_called_once_with(1)
+ def test_switch_role_to_admin_role_avoids_role_switch(self):
+ self.rbac_utils.set_roles(['admin', 'member'], 'admin')
+ self.rbac_utils.switch_role()
+
+ roles_client = self.rbac_utils.roles_v3_client
+ mock_time = self.rbac_utils.mock_time
+
+ roles_client.create_user_role_on_project.assert_not_called()
+ mock_time.sleep.assert_not_called()
+
def test_switch_role_to_member_role(self):
self.rbac_utils.switch_role(True)
@@ -80,6 +92,19 @@
[mock.call()] * 2)
mock_time.sleep.assert_has_calls([mock.call(1)] * 2)
+ def test_switch_role_to_member_role_avoids_role_switch(self):
+ self.rbac_utils.set_roles(['admin', 'member'], 'member')
+ self.rbac_utils.switch_role(True)
+
+ roles_client = self.rbac_utils.roles_v3_client
+ mock_time = self.rbac_utils.mock_time
+
+ roles_client.create_user_role_on_project.assert_has_calls([
+ mock.call(self.rbac_utils.PROJECT_ID, self.rbac_utils.USER_ID,
+ 'admin_id')
+ ])
+ mock_time.sleep.assert_called_once_with(1)
+
def test_switch_role_to_member_role_then_admin_role(self):
self.rbac_utils.switch_role(True, False)
@@ -137,19 +162,22 @@
self.assertIn(expected_error_message, str(e))
def test_clear_user_roles(self):
- self.rbac_utils.switch_role(True)
+ # NOTE(felipemonteiro): Set the user's roles on the project to
+ # include 'random' to coerce a role switch, or else it will be
+ # skipped.
+ self.rbac_utils.set_roles(['admin', 'member'], ['member', 'random'])
+ self.rbac_utils.switch_role()
roles_client = self.rbac_utils.roles_v3_client
- roles_client.list_user_roles_on_project.assert_has_calls([
- mock.call(self.rbac_utils.PROJECT_ID, self.rbac_utils.USER_ID)
- ] * 2)
+ roles_client.list_user_roles_on_project.assert_called_once_with(
+ self.rbac_utils.PROJECT_ID, self.rbac_utils.USER_ID)
roles_client.delete_role_from_user_on_project.\
assert_has_calls([
mock.call(mock.sentinel.project_id, mock.sentinel.user_id,
- 'admin_id'),
+ 'member_id'),
mock.call(mock.sentinel.project_id, mock.sentinel.user_id,
- 'member_id')] * 2)
+ 'random_id')])
@mock.patch.object(rbac_utils, 'LOG', autospec=True)
@mock.patch.object(rbac_utils, 'sys', autospec=True)
diff --git a/releasenotes/notes/agents-ca4a5e232ce242a5.yaml b/releasenotes/notes/agents-ca4a5e232ce242a5.yaml
new file mode 100644
index 0000000..3cd9646
--- /dev/null
+++ b/releasenotes/notes/agents-ca4a5e232ce242a5.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added tests to test_agents_rbac.py for PUT and
+ DELETE endpoints.
diff --git a/releasenotes/notes/deprecate-rbac-group-148e222913dc74cc.yaml b/releasenotes/notes/deprecate-rbac-group-148e222913dc74cc.yaml
new file mode 100644
index 0000000..1b1a5ac
--- /dev/null
+++ b/releasenotes/notes/deprecate-rbac-group-148e222913dc74cc.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+ - |
+ The ``[rbac]`` configuration group has been deprecated and will be removed
+ in the next release. Use ``[patrole]`` group instead, which has the exact
+ same options.
diff --git a/releasenotes/notes/extended-availability-zone-policies-2ec19e8bbb9ce158.yaml b/releasenotes/notes/extended-availability-zone-policies-2ec19e8bbb9ce158.yaml
new file mode 100644
index 0000000..a796946
--- /dev/null
+++ b/releasenotes/notes/extended-availability-zone-policies-2ec19e8bbb9ce158.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add RBAC tests for APIs that enforce
+ "os_compute_api:os-extended-availability-zone".
diff --git a/releasenotes/notes/flavor-manage-rbac-tests-eb78439316d67ab2.yaml b/releasenotes/notes/flavor-manage-rbac-tests-eb78439316d67ab2.yaml
new file mode 100644
index 0000000..0fbf24f
--- /dev/null
+++ b/releasenotes/notes/flavor-manage-rbac-tests-eb78439316d67ab2.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Add test coverage for the os-flavor-manage compute API, which includes
+ tests for the following policy actions:
+
+ * "os_compute_api:os-flavor-manage:create"
+ * "os_compute_api:os-flavor-manage:delete"
diff --git a/releasenotes/notes/rbac-per-test-log-071a530e957c1c26.yaml b/releasenotes/notes/rbac-per-test-log-071a530e957c1c26.yaml
new file mode 100644
index 0000000..b1d400c
--- /dev/null
+++ b/releasenotes/notes/rbac-per-test-log-071a530e957c1c26.yaml
@@ -0,0 +1,28 @@
+---
+features:
+ - |
+ Added in a new logging feature which logs the result of each Patrole test
+
+ The format of the new log output is:
+
+ "[Service]: %s, [Test]: %s, [Rule]: %s, [Expected]: %s, [Actual]: %s"
+
+ where each "%s" is a string that contains:
+
+ * [Service] - The openstack service being tested (Nova, Neutron, etc)
+ * [Test] - The name of the test function being invoked (eg: test_list_aggregate_rbac)
+ * [Rule] - The name of the rule the Patrole test is testing (eg: os_compute_api:os-aggregates)
+ * [Expected] - The expected outcome (one of Allowed/Denied)
+ * [Actual] - The actual outcome from the Patrole test (one of Allowed/Denied/Error)
+
+ This logging feature has two config variables:
+
+ These variables are part of a new config group ``patrole_log``
+
+ * enable_reporting:
+ This enables or disables the enhanced rbac reporting
+ * report_log_name:
+ This variable specifies the name of the log file to write
+ * report_log_path:
+ This variable specifies the path (relative or absolute)
+ of the log file to write
diff --git a/releasenotes/notes/rbac-tests-for-compute-extended-status-ef00256e58b66223.yaml b/releasenotes/notes/rbac-tests-for-compute-extended-status-ef00256e58b66223.yaml
new file mode 100644
index 0000000..6cf82e6
--- /dev/null
+++ b/releasenotes/notes/rbac-tests-for-compute-extended-status-ef00256e58b66223.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Add RBAC tests for os_compute_api:os-extended-status, which validate that
+ the following attributes:
+
+ - OS-EXT-STS:task_state
+ - OS-EXT-STS:vm_state
+ - OS-EXT-STS:power_state
+
+ are present in the relevant response bodies.
diff --git a/releasenotes/notes/rbac-tests-for-compute-extended-volumes-7f3ccab122d22737.yaml b/releasenotes/notes/rbac-tests-for-compute-extended-volumes-7f3ccab122d22737.yaml
new file mode 100644
index 0000000..f7eb02d
--- /dev/null
+++ b/releasenotes/notes/rbac-tests-for-compute-extended-volumes-7f3ccab122d22737.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Add RBAC tests for os-extended-volumes:volumes_attached policies, which
+ validate that "os-extended-volumes:volumes_attached" is returned in the
+ response body.
diff --git a/releasenotes/notes/update-group-volume-test-06c7475ccbe36aa8.yaml b/releasenotes/notes/update-group-volume-test-06c7475ccbe36aa8.yaml
new file mode 100644
index 0000000..77cf196
--- /dev/null
+++ b/releasenotes/notes/update-group-volume-test-06c7475ccbe36aa8.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add test for updating a volume group, providing coverage for group:update
+ policy action.
diff --git a/requirements.txt b/requirements.txt
index cd6a577..00c7e64 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,7 +4,7 @@
hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
pbr!=2.1.0,>=2.0.0 # Apache-2.0
urllib3>=1.21.1 # MIT
-oslo.log>=3.22.0 # Apache-2.0
+oslo.log>=3.30.0 # Apache-2.0
oslo.config!=4.3.0,!=4.4.0,>=4.0.0 # Apache-2.0
oslo.policy>=1.23.0 # Apache-2.0
tempest>=16.1.0 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index 8a97494..0657438 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -5,13 +5,13 @@
sphinx>=1.6.2 # BSD
openstackdocstheme>=1.16.0 # Apache-2.0
-reno!=2.3.1,>=1.8.0 # Apache-2.0
+reno>=2.5.0 # Apache-2.0
fixtures>=3.0.0 # Apache-2.0/BSD
-mock>=2.0 # BSD
+mock>=2.0.0 # BSD
coverage!=4.4,>=4.0 # Apache-2.0
nose # LGPL
nosexcover # BSD
oslotest>=1.10.0 # Apache-2.0
oslo.policy>=1.23.0 # Apache-2.0
-oslo.log>=3.22.0 # Apache-2.0
+oslo.log>=3.30.0 # Apache-2.0
tempest>=16.1.0 # Apache-2.0
diff --git a/test-whitelist.txt b/test-whitelist.txt
deleted file mode 100644
index 162992a..0000000
--- a/test-whitelist.txt
+++ /dev/null
@@ -1 +0,0 @@
-patrole_tempest_plugin.tests.unit.test*
diff --git a/tox.ini b/tox.ini
index d2e83e9..f1b5b86 100644
--- a/tox.ini
+++ b/tox.ini
@@ -8,6 +8,9 @@
install_command = pip install -c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt} {opts} {packages}
setenv =
VIRTUAL_ENV={envdir}
+ OS_TEST_PATH=./patrole_tempest_plugin/tests/unit
+ LANGUAGE=en_US
+ LC_ALL=en_US.utf-8
PYTHONWARNINGS=default::DeprecationWarning
passenv = OS_STDOUT_CAPTURE OS_STDERR_CAPTURE OS_TEST_TIMEOUT OS_TEST_LOCK_PATH OS_TEST_PATH http_proxy HTTP_PROXY https_proxy HTTPS_PROXY no_proxy NO_PROXY
whitelist_externals = find
@@ -15,7 +18,7 @@
-r{toxinidir}/test-requirements.txt
commands =
find . -type f -name "*.pyc" -delete
- ostestr {posargs} --whitelist-file test-whitelist.txt
+ ostestr {posargs}
[testenv:pep8]
commands = flake8 {posargs}
@@ -56,7 +59,11 @@
enable-extensions = H106,H203,H904
show-source = True
# E123, E125 skipped as they are invalid PEP-8.
-ignore = E123,E125
+#
+# H405 is another one that is good as a guideline, but sometimes
+# multiline doc strings just don't have a natural summary
+# line. Rejecting code for this reason is wrong.
+ignore = E123,E125,H405
builtins = _
exclude=.venv,.git,.tox,dist,doc,*lib/python*,*egg,build