Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / patrole / 029d8c31267758d60c7f28f81ddb27d25f2fdd65^! / . / patrole_tempest_plugin / rbac_auth.py
commit029d8c31267758d60c7f28f81ddb27d25f2fdd65[log] [tgz]
authorDavidPurcell <david.purcell@att.com>Fri Jan 06 15:27:41 2017 -0500
committerDavidPurcell <david.purcell@att.com>Fri Jan 13 11:37:30 2017 -0500
tree5a2daee0144ca4a7fb4d3d0db53ccd6e1f7b2854
parent663aedfe4619a278a3abd224bd4f0909e5d9dea7 [diff] [blame]
Initial functionality framework.
Includes:
rbac_util - Utility for switching between roles for tests.
rbac_auth - Determines if a given role is valid for a given api call.
rbac_rule_validation - Determines if a allowed proper access and denied improper access (403 error)
rbac_role_converter - Converts policy.json files into a list of api's and the roles that can access them.

One example rbac_base in tests/api/rbac_base
One example test in tests/api/images/test_images_rbac.py

New config settings for rbac_flag, rbac_test_role, and rbac_roles

Implements bp: initial-framework
Co-Authored-By: Sangeet Gupta <sg774j@att.com>
Co-Authored-By: Rick Bartra <rb560u@att.com>
Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>
Co-Authored-By: Anthony Bellino <ab2434@att.com>
Co-Authored-By: Avishek Dutta <ad620p@att.com>

Change-Id: Ic97b2558ba33ab47ac8174ae37629d36ceb1c9de

diff --git a/patrole_tempest_plugin/rbac_auth.py b/patrole_tempest_plugin/rbac_auth.py
new file mode 100644
index 0000000..88b7032
--- /dev/null
+++ b/patrole_tempest_plugin/rbac_auth.py

@@ -0,0 +1,43 @@
+# Copyright 2017 AT&T Corp
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_log import log as logging
+from tempest.lib import exceptions
+
+from patrole_tempest_plugin import rbac_role_converter
+
+LOG = logging.getLogger(__name__)
+
+
+class RbacAuthority(object):
+    def __init__(self, component=None, service=None):
+        self.converter = rbac_role_converter.RbacPolicyConverter(service)
+        self.roles_dict = self.converter.rules
+
+    def get_permission(self, api, role):
+        if self.roles_dict is None:
+            raise exceptions.InvalidConfiguration("Roles dictionary is empty!")
+        try:
+            _api = self.roles_dict[api]
+            if role in _api:
+                LOG.debug("[API]: %s, [Role]: %s is allowed!", api, role)
+                return True
+            else:
+                LOG.debug("[API]: %s, [Role]: %s  is NOT allowed!", api, role)
+                return False
+        except KeyError:
+            raise KeyError("'%s' API is not defined in the policy.json"
+                           % api)
+        return False