commit 029d8c31267758d60c7f28f81ddb27d25f2fdd65
author DavidPurcell <david.purcell@att.com> Fri Jan 06 15:27:41 2017 -0500
committer DavidPurcell <david.purcell@att.com> Fri Jan 13 11:37:30 2017 -0500
tree 5a2daee0144ca4a7fb4d3d0db53ccd6e1f7b2854
parent 663aedfe4619a278a3abd224bd4f0909e5d9dea7

Initial functionality framework.
Includes:
rbac_util - Utility for switching between roles for tests.
rbac_auth - Determines if a given role is valid for a given api call.
rbac_rule_validation - Determines if a allowed proper access and denied improper access (403 error)
rbac_role_converter - Converts policy.json files into a list of api's and the roles that can access them.

One example rbac_base in tests/api/rbac_base
One example test in tests/api/images/test_images_rbac.py

New config settings for rbac_flag, rbac_test_role, and rbac_roles

Implements bp: initial-framework
Co-Authored-By: Sangeet Gupta <sg774j@att.com>
Co-Authored-By: Rick Bartra <rb560u@att.com>
Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>
Co-Authored-By: Anthony Bellino <ab2434@att.com>
Co-Authored-By: Avishek Dutta <ad620p@att.com>

Change-Id: Ic97b2558ba33ab47ac8174ae37629d36ceb1c9de

tests/test_rbac_role_converter.py

diff --git a/tests/test_rbac_role_converter.py b/tests/test_rbac_role_converter.py
new file mode 100644
index 0000000..942d7d0
--- /dev/null
+++ b/tests/test_rbac_role_converter.py
@@ -0,0 +1,67 @@
+#    Copyright 2017 AT&T Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import os
+
+from tempest import config
+from tempest.tests import base
+
+from patrole_tempest_plugin import rbac_role_converter
+
+CONF = config.CONF
+
+
+class RbacPolicyTest(base.TestCase):
+
+    def setUp(self):
+        super(RbacPolicyTest, self).setUp()
+
+        current_directory = os.path.dirname(os.path.realpath(__file__))
+        self.custom_policy_file = os.path.join(current_directory,
+                                               'custom_rbac_policy.json')
+
+    def test_custom_policy(self):
+        default_roles = ['zero', 'one', 'two', 'three', 'four',
+                         'five', 'six', 'seven', 'eight', 'nine']
+        CONF.set_override('rbac_roles', default_roles, group='rbac',
+                          enforce_type=True)
+
+        self.converter = rbac_role_converter.RbacPolicyConverter(
+            "custom",
+            self.custom_policy_file
+        )
+        self.roles_dict = self.converter.rules
+
+        expected = {
+            'policy_action_1': ['two', 'four', 'six', 'eight'],
+            'policy_action_2': ['one', 'three', 'five', 'seven', 'nine'],
+            'policy_action_3': ['zero'],
+            'policy_action_4': ['one', 'two', 'three', 'five', 'seven'],
+            'policy_action_5': ['zero', 'one', 'two', 'three', 'four', 'five',
+                                'six', 'seven', 'eight', 'nine'],
+            'policy_action_6': ['eight'],
+        }
+
+        fake_rule = 'fake_rule'
+
+        self.assertFalse(fake_rule in self.roles_dict.keys())
+
+        for rule in expected.keys():
+            self.assertTrue(rule in self.roles_dict.keys())
+            expected_roles = expected[rule]
+            unexpected_roles = set(default_roles) - set(expected[rule])
+            for role in expected_roles:
+                self.assertTrue(role in self.roles_dict[rule])
+            for role in unexpected_roles:
+                self.assertFalse(role in self.roles_dict[rule])