Merge "Validate omission of expected_error_codes defaults to 403"
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
index 9e547b8..73a34fc 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_rule_validation.py
@@ -641,6 +641,7 @@
         m_authority.allowed.assert_has_calls([
             mock.call(rule, CONF.patrole.rbac_test_roles) for rule in rules
         ])
+        m_authority.allowed.reset_mock()
 
     @mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
     def test_rule_validation_multi_policy_have_permission_success(
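Review bot: The added `m_authority.allowed.reset_mock()` turns an assertion helper into one that also clears state, and nothing at the call says so. The helper's signature and docstring sit outside this hunk, so this is a documentation point only: a comment such as `# Reset so a later check in the same test only sees calls made after this point.` above the new line would make the side effect explicit. Note that `assert_has_calls` tolerates extra calls before and after the expected sequence, so the reset alone does not make the check exact.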
@@ -826,6 +827,44 @@
         _do_test([True, False, False, True], 'mock.sentinel.action2')
         _do_test([True, False, True, False], 'mock.sentinel.action2')
 
+    @mock.patch.object(rbac_rv, 'LOG', autospec=True)
+    @mock.patch.object(rbac_rv, 'policy_authority', autospec=True)
+    def test_rule_validation_multi_policy_defaults_to_correct_error_codes(
+            self, mock_authority, mock_log):
+        """Test omission of expected_error_codes defaults to [403] * len(rules)
+        """
+        mock_authority.PolicyAuthority.return_value.allowed.\
+            return_value = False
+        expected_log = "%s: Expecting %d to be raised for policy name: %s"
+
+        # Validate with single rule => expected_error_codes == [403].
+        rules = [mock.sentinel.action1]
+
+        @rbac_rv.action(mock.sentinel.service, rules=rules)
+        def test_policy(*args):
+            raise exceptions.Forbidden()
+
+        test_policy(self.mock_test_args)
+        self._assert_policy_authority_called_with(rules, mock_authority)
+        # Assert that 403 is expected.
+        mock_calls = [x[1] for x in mock_log.debug.mock_calls]
+        self.assertTrue(
+            any([(expected_log, 'test_policy', 403, rules[0]) in mock_calls]))
+
+        # Validate with multiple rules => expected_error_codes == [403, 403].
+        rules = [mock.sentinel.action1, mock.sentinel.action2]
+
+        @rbac_rv.action(mock.sentinel.service, rules=rules)
+        def test_policy(*args):
+            raise exceptions.Forbidden()
+
+        test_policy(self.mock_test_args)
+        self._assert_policy_authority_called_with(rules, mock_authority)
+        # Assert that 403 is expected.
+        mock_calls = [x[1] for x in mock_log.debug.mock_calls]
+        self.assertTrue(
+            any([(expected_log, 'test_policy', 403, rules[0]) in mock_calls]))
+
     def test_prepare_multi_policy_allowed_usages(self):
 
         def _do_test(rules, ecodes, exp_rules, exp_ecodes):
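Review bot: The second half of `test_rule_validation_multi_policy_defaults_to_correct_error_codes` can pass even if the two-rule call logs nothing, because `mock_log.debug` is never reset and the assertion again looks for `rules[0]` (`mock.sentinel.action1`), which the single-rule call already logged. Adding `mock_log.debug.reset_mock()` before the second `test_policy` definition makes that assertion depend on the second call. Only the first rule is ever checked, so the defaulted code for the second element of `[403, 403]` is not exercised; whether the decorator logs once per rule is not visible here, so a case where the first rule is allowed and only the second is denied may be needed to cover it. For an RBAC validation suite this matters, since a regression in the default for later rules would go unnoticed. Separately, `any([... in mock_calls])` wraps a single boolean and reads more clearly as `self.assertIn((expected_log, 'test_policy', 403, rules[0]), mock_calls)`, which also gives a useful failure message.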