Rbac tests for Neutron list actions
Add RBAC tests for
* list_routers [0]
* list_subnetpools [1]
* list_networks [2]
* list_ports [3]
* list_trunks [4]
* list_address_scopes [5]
* list_floatingips [6]
* list_rbac_policies [8]
* list_metering_labels [10]
* list_metering_label_rules [11]
* list_qos_policies [12]
* list_dscp_marking_rules [13]
* list_agents [14]
* list_segments [15]
Update RBAC tests to use validate_list function for:
* list_subnets [7]
* list_security_groups [9]
[0] https://developer.openstack.org/api-ref/network/v2/index.html#list-routers
[1] https://developer.openstack.org/api-ref/network/v2/index.html#list-subnet-pools
[2] https://developer.openstack.org/api-ref/network/v2/index.html#list-networks
[3] https://developer.openstack.org/api-ref/network/v2/index.html#list-ports
[4] https://developer.openstack.org/api-ref/network/v2/index.html#list-trunks
[5] https://developer.openstack.org/api-ref/network/v2/index.html#list-address-scopes
[6] https://developer.openstack.org/api-ref/network/v2/index.html#list-floating-ips
[7] https://developer.openstack.org/api-ref/network/v2/index.html#list-subnets
[8] https://developer.openstack.org/api-ref/network/v2/index.html#list-rbac-policies
[9] https://developer.openstack.org/api-ref/network/v2/index.html#list-security-groups
[10] https://developer.openstack.org/api-ref/network/v2/index.html#list-metering-labels
[11] https://developer.openstack.org/api-ref/network/v2/index.html#list-metering-label-rules
[12] https://developer.openstack.org/api-ref/network/v2/index.html#list-qos-policies
[13] https://developer.openstack.org/api-ref/network/v2/index.html#list-dscp-marking-rules-for-qos-policy
[14] https://developer.openstack.org/api-ref/network/v2/index.html#list-all-agents
[15] https://developer.openstack.org/api-ref/network/v2/index.html#list-segments
Change-Id: I0dae01a3271efe6d3469718976c471416279e337
diff --git a/patrole_tempest_plugin/tests/api/network/test_address_scope_rbac.py b/patrole_tempest_plugin/tests/api/network/test_address_scope_rbac.py
index 6cdeccd..ad0a1d4 100644
--- a/patrole_tempest_plugin/tests/api/network/test_address_scope_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_address_scope_rbac.py
@@ -137,3 +137,18 @@
address_scope = self._create_address_scope()
with self.rbac_utils.override_role(self):
self.ntp_client.delete_address_scope(address_scope['id'])
+
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_address_scope"])
+ @decorators.idempotent_id('c093fd34-96ee-4abe-8fa5-916dc29653e3')
+ def test_list_address_scopes(self):
+ """List Address Scopes
+
+ RBAC test for the neutron ``list_address_scopes`` function and
+ the ``get_address_scope`` policy
+ """
+ admin_resource_id = self._create_address_scope()['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.ntp_client.list_address_scopes(
+ id=admin_resource_id)["address_scopes"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
index c2b23f2..fe5f5a1 100644
--- a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
@@ -65,6 +65,20 @@
self.agents_client.update_agent(agent_id=self.agent['id'],
agent=agent_status)
+ @decorators.idempotent_id('f7a085e2-71b1-4d39-be3e-fea4bc10ccb8')
+ @rbac_rule_validation.action(service="neutron", rules=["get_agent"])
+ def test_list_agents(self):
+ """List agents test.
+
+ RBAC test for the neutron ``list_agents`` function and
+ the ``get_agent`` policy
+ """
+ admin_resource_id = self.agent['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.agents_client.list_agents(
+ id=admin_resource_id)["agents"]
+
class L3AgentSchedulerRbacTest(base.BaseNetworkRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/network/test_dscp_marking_rule_rbac.py b/patrole_tempest_plugin/tests/api/network/test_dscp_marking_rule_rbac.py
index e03de74..bdc2a7c 100644
--- a/patrole_tempest_plugin/tests/api/network/test_dscp_marking_rule_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_dscp_marking_rule_rbac.py
@@ -104,3 +104,18 @@
with self.rbac_utils.override_role(self):
self.ntp_client.delete_dscp_marking_rule(self.policy_id, rule_id)
+
+ @decorators.idempotent_id('c012fd4f-3a3e-4af4-9075-dd3e170daecd')
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_policy_dscp_marking_rule"])
+ def test_list_policy_dscp_marking_rules(self):
+ """List policy_dscp_marking_rules.
+
+ RBAC test for the neutron ``list_dscp_marking_rules`` function and
+ the ``get_policy_dscp_marking_rule`` policy
+ """
+ admin_resource_id = self.create_policy_dscp_marking_rule()
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.ntp_client.list_dscp_marking_rules(
+ policy_id=self.policy_id)["dscp_marking_rules"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
index 336490a..89772d9 100644
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -130,3 +130,17 @@
with self.rbac_utils.override_role(self):
# Delete the floating IP
self.floating_ips_client.delete_floatingip(floating_ip['id'])
+
+ @rbac_rule_validation.action(service="neutron", rules=["get_floatingip"])
+ @decorators.idempotent_id('824965e3-8be8-46e2-be64-0d793533ad20')
+ def test_list_floating_ips(self):
+ """List Floating IPs.
+
+ RBAC test for the neutron ``list_floatingips`` function and
+ the ``get_floatingip`` policy
+ """
+ admin_resource_id = self._create_floatingip()['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.floating_ips_client.list_floatingips(
+ id=admin_resource_id)["floatingips"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
index bf49053..6673201 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
@@ -101,3 +101,20 @@
with self.rbac_utils.override_role(self):
self.metering_label_rules_client.delete_metering_label_rule(
label_rule['id'])
+
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_metering_label_rule"])
+ @decorators.idempotent_id('eaaf9eb5-ee53-4b6b-a4d3-a721dd39bc40')
+ def test_list_metering_label_rules(self):
+ """List metering label rules.
+
+ RBAC test for the neutron ``list_metering_label_rules`` function and
+ the ``get_metering_label_rule`` policy
+ """
+ admin_resource_id = self._create_metering_label_rule(self.label)['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = (
+ self.metering_label_rules_client.
+ list_metering_label_rules(id=admin_resource_id)
+ ["metering_label_rules"])
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
index ed6e316..bac55d1 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
@@ -83,3 +83,20 @@
label = self._create_metering_label()
with self.rbac_utils.override_role(self):
self.metering_labels_client.delete_metering_label(label['id'])
+
+ @rbac_rule_validation.action(service="neutron",
+ rules=["get_metering_label"])
+ @decorators.idempotent_id('d60d72b0-cb8f-44db-b10b-5092fa01cb0e')
+ def test_list_metering_labels(self):
+ """List metering label.
+
+ RBAC test for the neutron ``list_metering_labels`` function and
+ the ``get_metering_label`` policy
+ """
+ admin_resource_id = self._create_metering_label()['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = (
+ self.metering_labels_client.
+ list_metering_labels(id=admin_resource_id)
+ ["metering_labels"])
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index b39489a..d98febd 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -457,3 +457,18 @@
with self.rbac_utils.override_role(self):
self.networks_client.list_dhcp_agents_on_hosting_network(
self.network['id'])
+
+ @rbac_rule_validation.action(service="neutron", rules=["get_network"])
+ @decorators.idempotent_id('53d6d826-ec9a-4407-9362-b474187fae6d')
+ def test_list_networks(self):
+ """List Networks
+
+ RBAC test for the neutron ``list_networks`` function and
+ the ``get_network`` policy
+ """
+
+ admin_resource_id = self.network['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.networks_client.list_networks(
+ id=admin_resource_id)["networks"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
index dd3537f..a5e4be6 100644
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -388,3 +388,17 @@
port = self.create_port(self.network)
with self.rbac_utils.override_role(self):
self.ports_client.delete_port(port['id'])
+
+ @rbac_rule_validation.action(service="neutron", rules=["get_port"])
+ @decorators.idempotent_id('877ea70d-b000-4af4-9322-0a76b47b7890')
+ def test_list_ports(self):
+ """List Ports
+
+ RBAC test for the neutron ``list_ports`` function and
+ the ``get_port`` policy
+ """
+ admin_resource_id = self.port['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.ports_client.list_ports(
+ id=admin_resource_id)["ports"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_qos_rbac.py b/patrole_tempest_plugin/tests/api/network/test_qos_rbac.py
index 3fcb7e4..95a1456 100644
--- a/patrole_tempest_plugin/tests/api/network/test_qos_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_qos_rbac.py
@@ -98,3 +98,17 @@
policy = self.create_policy()
with self.rbac_utils.override_role(self):
self.ntp_client.delete_qos_policy(policy['id'])
+
+ @rbac_rule_validation.action(service="neutron", rules=["get_policy"])
+ @decorators.idempotent_id('e84cec88-8478-4787-b603-5fcdd8ed7bd5')
+ def test_list_policies(self):
+ """List Policies Test
+
+ RBAC test for the neutron ``list_qos_policies`` function and
+ the ``get_policy``
+ """
+ admin_resource_id = self.create_policy()['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.ntp_client.list_qos_policies(
+ id=admin_resource_id)["policies"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_rbac_policies_rbac.py b/patrole_tempest_plugin/tests/api/network/test_rbac_policies_rbac.py
index 2123eb3..599cab7 100644
--- a/patrole_tempest_plugin/tests/api/network/test_rbac_policies_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_rbac_policies_rbac.py
@@ -109,3 +109,18 @@
with self.rbac_utils.override_role(self):
self.ntp_client.delete_rbac_policy(policy_id)
+
+ @decorators.idempotent_id('5337d95a-2e75-47bb-a0ea-0a082be930bf')
+ @rbac_rule_validation.action(service="neutron", rules=["get_rbac_policy"])
+ def test_list_rbac_policies(self):
+ """List RBAC policies.
+
+ RBAC test for the neutron ``list_rbac_policies`` function and
+ the ``get_rbac_policy`` policy
+ """
+ admin_resource_id = self.create_rbac_policy(self.tenant_id,
+ self.network_id)
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.ntp_client.list_rbac_policies(
+ id=admin_resource_id)["rbac_policies"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index 399ad47..e253b1e 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -401,3 +401,18 @@
self.routers_client.remove_router_interface(
router['id'],
subnet_id=subnet['id'])
+
+ @rbac_rule_validation.action(service="neutron", rules=["get_router"])
+ @decorators.idempotent_id('86816700-12d1-4173-a50f-34bd137f47e6')
+ def test_list_routers(self):
+ """List Routers
+
+ RBAC test for the neutron ``get_router policy`` and
+ the ``get_router`` policy
+ """
+
+ admin_resource_id = self.router['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.routers_client.list_routers(
+ id=admin_resource_id)["routers"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
index e9fa018..750ba3d 100644
--- a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -119,14 +119,16 @@
rules=["get_security_group"])
@decorators.idempotent_id('fbaf8d96-ed3e-49af-b24c-5fb44f05bbb7')
def test_list_security_groups(self):
+ """List Security Groups
- with self.rbac_utils.override_role(self):
- security_groups = self.security_groups_client.\
- list_security_groups()
-
- # Neutron may return an empty list if access is denied.
- if not security_groups['security_groups']:
- raise rbac_exceptions.RbacEmptyResponseBody()
+ RBAC test for the neutron ``list_security_groups`` function and
+ the ``get_security_group`` policy
+ """
+ admin_resource_id = self.secgroup['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.security_groups_client.list_security_groups(
+ id=admin_resource_id)["security_groups"]
@rbac_rule_validation.action(service="neutron",
rules=["create_security_group_rule"])
diff --git a/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py b/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py
index 0b58649..a85b4d5 100644
--- a/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_segments_rbac.py
@@ -120,3 +120,17 @@
with self.rbac_utils.override_role(self):
self.ntp_client.delete_segment(segment['segment']['id'])
+
+ @decorators.idempotent_id('d68a0578-36ae-435e-8aaa-508ee96bdfae')
+ @rbac_rule_validation.action(service="neutron", rules=["get_segment"])
+ def test_list_segments(self):
+ """List segments.
+
+ RBAC test for the neutron ``list_segments`` function and
+ the``get_segment`` policy
+ """
+ admin_resource_id = self.create_segment(self.network)['segment']['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.ntp_client.list_segments(
+ id=admin_resource_id)["segments"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
index bc6b923..3daeff1 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
@@ -164,3 +164,17 @@
subnetpool = self._create_subnetpool()
with self.rbac_utils.override_role(self):
self.subnetpools_client.delete_subnetpool(subnetpool['id'])
+
+ @rbac_rule_validation.action(service="neutron", rules=["get_subnetpool"])
+ @decorators.idempotent_id('f1caf0f6-bde5-11e8-a355-529269fb1459')
+ def test_list_subnetpools(self):
+ """List subnetpools.
+
+ RBAC test for the neutron ``list_subnetpools`` function and
+ the ``get_subnetpool`` policy
+ """
+ admin_resource_id = self._create_subnetpool()['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.subnetpools_client.list_subnetpools(
+ id=admin_resource_id)["subnetpools"]
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
index 8fe157a..babb6ad 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
@@ -17,7 +17,6 @@
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
-from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
@@ -61,19 +60,18 @@
self.subnets_client.show_subnet(self.subnet['id'])
@decorators.idempotent_id('e2ddc415-5cab-43f4-9b61-166aed65d637')
- @rbac_rule_validation.action(service="neutron",
- rules=["get_subnet"])
+ @rbac_rule_validation.action(service="neutron", rules=["get_subnet"])
def test_list_subnets(self):
"""List subnets.
- RBAC test for the neutron "get_subnet" policy
+ RBAC test for the neutron ``list_subnets`` function and
+ the ``get_subnet`` policy
"""
- with self.rbac_utils.override_role(self):
- subnets = self.subnets_client.list_subnets()
-
- # Neutron may return an empty list if access is denied.
- if not subnets['subnets']:
- raise rbac_exceptions.RbacEmptyResponseBody()
+ admin_resource_id = self.subnet['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.subnets_client.list_subnets(
+ id=admin_resource_id)["subnets"]
@decorators.idempotent_id('f36cd821-dd22-4bd0-b43d-110fc4b553eb')
@rbac_rule_validation.action(service="neutron",
diff --git a/patrole_tempest_plugin/tests/api/network/test_trunks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_trunks_rbac.py
index 80c4157..761820b 100644
--- a/patrole_tempest_plugin/tests/api/network/test_trunks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_trunks_rbac.py
@@ -84,6 +84,20 @@
with self.rbac_utils.override_role(self):
self.ntp_client.delete_trunk(trunk['trunk']['id'])
+ @decorators.idempotent_id('047badd1-e4ff-40c5-9929-99ffcb8750a7')
+ @rbac_rule_validation.action(service="neutron", rules=["get_trunk"])
+ def test_list_trunks(self):
+ """Show trunk.
+
+ RBAC test for the neutron ``list_trunks``` function and
+ the ``get_trunk`` policy
+ """
+ admin_resource_id = self.create_trunk(self.port_id)["trunk"]['id']
+ with (self.rbac_utils.override_role_and_validate_list(
+ self, admin_resource_id=admin_resource_id)) as ctx:
+ ctx.resources = self.ntp_client.list_trunks(
+ id=admin_resource_id)["trunks"]
+
class TrunksSubportsExtRbacTest(base.BaseNetworkExtRbacTest):