Merge "Adding server evacuate test"
diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index 38bed7c..69a9842 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -101,7 +101,7 @@
             try:
                 file_policy_data = json.loads(file_policy_data)
             except ValueError:
-                pass
+                file_policy_data = None
 
         # Check whether policy actions are defined in code. Nova and Keystone,
         # for example, define their default policy actions in code.
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py
new file mode 100644
index 0000000..ba5d5e0
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_domains_rbac.py
@@ -0,0 +1,68 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
+
+
+class IdentityDomainsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:create_domain")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd110')
+    def test_create_domain(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.setup_test_domain()
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:update_domain")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd111')
+    def test_update_domain(self):
+        domain = self.setup_test_domain()
+        new_domain_name = data_utils.rand_name('test_update_domain')
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.domains_client.update_domain(domain['id'],
+                                          domain=domain,
+                                          name=new_domain_name)
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:delete_domain")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd112')
+    def test_delete_domain(self):
+        domain = self.setup_test_domain()
+        # A domain must be deactivated to be deleted
+        self.domains_client.update_domain(domain['id'],
+                                          domain=domain,
+                                          enabled=False)
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.domains_client.delete_domain(domain['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:get_domain")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd113')
+    def test_show_domain(self):
+        domain = self.setup_test_domain()
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.domains_client.show_domain(domain['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:list_domains")
+    @decorators.idempotent_id('6bdaecd4-0843-4ed6-ab64-3a57ab0cd114')
+    def test_list_domains(self):
+        self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+        self.domains_client.list_domains()
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
index b0dd179..0906222 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
@@ -384,3 +384,89 @@
         }
 
         self.assertEqual(expected_policy_data, actual_policy_data)
+
+    @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
+    def test_get_policy_data_cannot_find_policy(self, mock_stevedore,
+                                                mock_creds):
+        mock_stevedore.named.NamedExtensionManager.return_value = None
+        mock_creds.AdminManager.return_value.identity_services_v3_client.\
+            list_services.return_value = {
+                'services': [{'name': 'test_service'}]}
+
+        e = self.assertRaises(rbac_exceptions.RbacParsingException,
+                              rbac_policy_parser.RbacPolicyParser,
+                              None, None, 'test_service', None)
+
+        expected_error = \
+            'Policy file for {0} service neither found in code '\
+            'nor at {1}.'.format('test_service',
+                                 '/etc/test_service/policy.json')
+
+        self.assertIn(expected_error, str(e))
+
+    @mock.patch.object(rbac_policy_parser, 'os', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'json', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
+    def test_get_policy_data_without_valid_policy(self, mock_stevedore,
+                                                  mock_credentials, mock_json,
+                                                  mock_os):
+        mock_os.path.isfile.return_value = False
+
+        test_policy_action = mock.Mock(check='rule:bar')
+        test_policy_action.configure_mock(name='foo')
+
+        test_policy = mock.Mock(obj=[test_policy_action])
+        test_policy.configure_mock(name='test_service')
+
+        mock_stevedore.named.NamedExtensionManager\
+            .return_value = [test_policy]
+
+        mock_credentials.AdminManager.return_value.identity_services_v3_client.\
+            list_services.return_value = {
+                'services': [{'name': 'test_service'}]
+            }
+
+        mock_json.dumps.side_effect = ValueError
+
+        e = self.assertRaises(rbac_exceptions.RbacParsingException,
+                              rbac_policy_parser.RbacPolicyParser,
+                              None, None, 'test_service', None)
+
+        expected_error = "Policy file for {0} service is invalid."\
+                         .format("test_service")
+
+        self.assertIn(expected_error, str(e))
+
+        mock_stevedore.named.NamedExtensionManager.assert_called_once_with(
+            'oslo.policy.policies',
+            names=['test_service'],
+            on_load_failure_callback=None,
+            invoke_on_load=True,
+            warn_on_missing_entrypoint=False)
+
+    @mock.patch.object(rbac_policy_parser, 'json', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
+    @mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
+    def test_get_policy_data_from_file_not_json(self, mock_stevedore,
+                                                mock_credentials,
+                                                mock_json):
+
+        mock_credentials.AdminManager.return_value.identity_services_v3_client.\
+            list_services.return_value = {
+                'services': [{'name': 'test_service'}]
+            }
+        mock_stevedore.named.NamedExtensionManager.return_value = None
+        mock_json.loads.side_effect = ValueError
+
+        e = self.assertRaises(rbac_exceptions.RbacParsingException,
+                              rbac_policy_parser.RbacPolicyParser,
+                              None, None, 'test_service',
+                              self.tenant_policy_file)
+
+        expected_error = 'Policy file for {0} service neither found in code '\
+                         'nor at {1}.'.format('test_service',
+                                              self.tenant_policy_file)
+
+        self.assertIn(expected_error, str(e))