Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / patrole / 11376ab7ff60d9a4a4e8f63d905e1ee20c4ba042^! / . / releasenotes / notes / check-expected-errors-only-in-override-role-f7109a73f5ff70e2.yaml
commit11376ab7ff60d9a4a4e8f63d905e1ee20c4ba042[log] [tgz]
authorMykola Yakovliev <VegasQ@gmail.com>Mon Aug 06 15:34:22 2018 -0500
committerFelipe Monteiro <felipe.monteiro@att.com>Fri Aug 31 02:35:46 2018 +0000
treeff02f3c804f56b5155a743238c44876968fd6430
parent842845eaef1de6595e96ad253d0666555ce083f1 [diff] [blame]
Limit exception handling to calls within override_role

Motivation: prevents false positives caused by test
exceptions matching the expected exception before or
after the ``override_role`` context is called.

This patchset changes expected_error_codes behavior [0] by checking
errors explicitly outside the override_role context. This is done
by introducing a new function to rbac_rule_validation that is
used for validating that the expected exception isn't raised too
early (before ``override_role`` call) or too late (after
``override_call``) or at all (which is a bad test).

This means that exceptions raised prior to override_role
call result in failure. The same goes for exceptions raised
after override_role -- except for those that are an instance
of BasePatroleException (which is valid for things like
RbacMalformedResponse getting raised intentionally).

The new exception that is introduced is called
RbacOverrideRoleException.

Unit tests are added for all validation scenarios described
above.

[0] https://storyboard.openstack.org/#!/story/2003297
Story: 2003297
Task: 24246

Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>
Change-Id: Iae9a58640463093f6dda20d40261b20051be2820

diff --git a/releasenotes/notes/check-expected-errors-only-in-override-role-f7109a73f5ff70e2.yaml b/releasenotes/notes/check-expected-errors-only-in-override-role-f7109a73f5ff70e2.yaml
new file mode 100644
index 0000000..e0ac744
--- /dev/null
+++ b/releasenotes/notes/check-expected-errors-only-in-override-role-f7109a73f5ff70e2.yaml

@@ -0,0 +1,19 @@
+---
+features:
+  - |
+    Add new exception called ``RbacOverrideRoleException``. Used for
+    safeguarding against false positives that might occur when the expected
+    exception isn't raised inside the ``override_role`` context. Specifically,
+    when:
+
+    * ``override_role`` isn't called
+    * an exception is raised before ``override_role`` context
+    * an exception is raised after ``override_role`` context
+fixes:
+  - |
+    Previously, the ``rbac_rule_validation.action`` decorator could catch
+    expected exceptions with no regard to where the error happened. Such
+    behavior could cause false-positive results. To prevent this from
+    happening from now on, if an exception happens outside of the
+    ``override_role`` context, it will cause
+    ``rbac_exceptions.RbacOverrideRoleException`` to be raised.