Merge "Add missing v2 token related testcases"
diff --git a/README.rst b/README.rst
index 8ba4649..f5b4c00 100644
--- a/README.rst
+++ b/README.rst
@@ -1,6 +1,15 @@
-========
-Overview
-========
+========================
+Team and repository tags
+========================
+
+.. image:: http://governance.openstack.org/badges/patrole.svg
+ :target: http://governance.openstack.org/reference/tags/index.html
+
+..
+
+=========================================
+Patrole - RBAC Integration Tempest Plugin
+=========================================
Patrole is a tool for verifying that Role-Based Access Control is being
correctly enforced.
diff --git a/patrole_tempest_plugin/tests/api/compute/test_admin_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_admin_password_rbac.py
index a0e46a6..38b5f1a 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_admin_password_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_admin_password_rbac.py
@@ -13,6 +13,9 @@
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
+
+from tempest.common import waiters
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
@@ -20,28 +23,22 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
-
CONF = config.CONF
class AdminPasswordRbacTest(rbac_base.BaseV2ComputeRbacTest):
- @classmethod
- def skip_checks(cls):
- super(AdminPasswordRbacTest, cls).skip_checks()
- if not CONF.compute_feature_enabled.change_password:
- raise cls.skipException('Change password not available.')
-
- @classmethod
- def resource_setup(cls):
- super(AdminPasswordRbacTest, cls).resource_setup()
- cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
-
+ @testtools.skipUnless(CONF.compute_feature_enabled.change_password,
+ 'Change password not available.')
@rbac_rule_validation.action(
- service="nova", rule="os_compute_api:os-admin-password")
+ service="nova",
+ rule="os_compute_api:os-admin-password")
@decorators.idempotent_id('908a7d59-3a66-441c-94cf-38e57ed14956')
def test_change_server_password(self):
+ server_id = self.create_test_server(wait_until='ACTIVE')['id']
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.servers_client.change_password(
- self.server_id,
- adminPass=data_utils.rand_password())
+ server_id, adminPass=data_utils.rand_password())
+ waiters.wait_for_server_status(
+ self.os_admin.servers_client, server_id, 'ACTIVE')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_admin_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_admin_server_actions_rbac.py
deleted file mode 100644
index 37fad18..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_admin_server_actions_rbac.py
+++ /dev/null
@@ -1,65 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest import config
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-CONF = config.CONF
-
-
-class AdminServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(AdminServerActionsRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-admin-actions', 'compute'):
- msg = "%s skipped as os-admin-actions not enabled." % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(AdminServerActionsRbacTest, cls).resource_setup()
- cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-admin-actions:reset_state")
- @decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
- def test_reset_server_state(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.reset_state(self.server_id, state='error')
- self.addCleanup(self.servers_client.reset_state,
- self.server_id,
- state='active')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-admin-actions:inject_network_info")
- @decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
- def test_inject_network_info(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.inject_network_info(self.server_id)
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-admin-actions:reset_network")
- @decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
- def test_reset_network(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.reset_network(self.server_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
deleted file mode 100644
index ebeab76..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class DeferredDeleteRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(DeferredDeleteRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-deferred-delete', 'compute'):
- msg = "%s skipped as os-deferred-delete extension not enabled." \
- % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(DeferredDeleteRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @decorators.idempotent_id('189bfed4-1e6d-475c-bb8c-d57e60895391')
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-deferred-delete")
- def test_force_delete_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Force-deleting a server enforces os-deferred-delete according to the
- # following API: https://github.com/openstack/nova/blob/master/nova/api
- # /openstack/compute/deferred_delete.py
- self.servers_client.force_delete_server(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py
new file mode 100644
index 0000000..1daf305
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_lock_server_rbac.py
@@ -0,0 +1,58 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base as base
+
+
+class ComputeLockServersRbacTest(base.BaseV2ComputeRbacTest):
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:lock")
+ @decorators.idempotent_id('b81e10fb-1864-498f-8c1d-5175c6fec5fb')
+ def test_lock_server(self):
+ server = self.create_test_server(wait_until='ACTIVE')
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.lock_server(server['id'])
+ self.addCleanup(self.servers_client.unlock_server, server['id'])
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:unlock")
+ @decorators.idempotent_id('d50ef8e8-4bce-11e7-b114-b2f933d5fe66')
+ def test_unlock_server(self):
+ server = self.create_test_server(wait_until='ACTIVE')
+ self.servers_client.lock_server(server['id'])
+ self.addCleanup(self.servers_client.unlock_server, server['id'])
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.unlock_server(server['id'])
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-lock-server:unlock:unlock_override")
+ @decorators.idempotent_id('40dfeef9-73ee-48a9-be19-a219875de457')
+ def test_unlock_server_override(self):
+ server = self.create_test_server(wait_until='ACTIVE')
+ # In order to trigger the unlock:unlock_override policy instead
+ # of the unlock policy, the server must be locked by a different
+ # user than the one who is attempting to unlock it.
+ self.os_admin.servers_client.lock_server(server['id'])
+ self.addCleanup(self.servers_client.unlock_server, server['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.unlock_server(server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
deleted file mode 100644
index a0a021f..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class RescueRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(RescueRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-rescue', 'compute'):
- msg = "%s skipped as os-rescue not enabled." % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(RescueRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-rescue")
- @decorators.idempotent_id('fbbb2afc-ed0e-4552-887d-ac00fb5d436e')
- def test_rescue_server(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.rescue_server(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
index f45632e..17a6c74 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
@@ -21,10 +22,54 @@
class SecurityGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ # Tests in this class will fail with a 404 from microversion 2.36,
+ # according to:
+ # https://developer.openstack.org/api-ref/compute/#security-groups-os-security-groups-deprecated
+ max_microversion = '2.35'
+
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-security-groups")
@decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77')
- def test_server_security_groups(self):
+ def test_list_security_groups(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.security_groups_client.list_security_groups()
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('e8fe7f5a-69ee-412d-81d3-a8c7a488b54d')
+ def test_create_security_groups(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.create_security_group()['id']
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('59127e8e-302d-11e7-93ae-92361f002671')
+ def test_delete_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.security_groups_client.delete_security_group(sec_group_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('3de5c6bc-b822-469e-a627-82427d38b067')
+ def test_update_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ new_name = data_utils.rand_name()
+ new_desc = data_utils.rand_name()
+ self.security_groups_client.update_security_group(sec_group_id,
+ name=new_name,
+ description=new_desc)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('6edc0320-302d-11e7-93ae-92361f002671')
+ def test_show_security_groups(self):
+ sec_group_id = self.create_security_group()['id']
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.security_groups_client.show_security_group(sec_group_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_consoles_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_consoles_rbac.py
new file mode 100644
index 0000000..7744263
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_consoles_rbac.py
@@ -0,0 +1,94 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class ServerConsolesRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServerConsolesRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.console_output:
+ raise cls.skipException('Console output not available.')
+
+ @classmethod
+ def resource_setup(cls):
+ super(ServerConsolesRbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-console-output")
+ @decorators.idempotent_id('90fd80f6-456c-11e7-a919-92ebcb67fe33')
+ def test_get_console_output(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.get_console_output(self.server_id)
+
+
+class ServerConsolesMaxV25RbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ max_microversion = '2.5'
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServerConsolesMaxV25RbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.console_output:
+ raise cls.skipException('Console output not available.')
+
+ @classmethod
+ def resource_setup(cls):
+ super(ServerConsolesMaxV25RbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-remote-consoles")
+ @decorators.idempotent_id('b0a72c02-9b15-4dcb-b186-efe8753370ab')
+ def test_get_vnc_console_output(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.get_vnc_console(self.server_id, type="novnc")
+
+
+class ServerConsolesV26RbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ min_microversion = '2.6'
+ max_microversion = 'latest'
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServerConsolesV26RbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.console_output:
+ raise cls.skipException('Console output not available.')
+
+ @classmethod
+ def resource_setup(cls):
+ super(ServerConsolesV26RbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-remote-consoles")
+ @decorators.idempotent_id('879597de-87e0-4da9-a60a-28c8088dc508')
+ def test_get_remote_console_output(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.get_remote_console(self.server_id,
+ "novnc", "vnc")
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
deleted file mode 100644
index f6359b4..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class ServerDiagnosticsRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(ServerDiagnosticsRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-server-diagnostics', 'compute'):
- msg = ("%s skipped as os-server-diagnostics not "
- "enabled." % cls.__name__)
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(ServerDiagnosticsRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-server-diagnostics")
- @decorators.idempotent_id('5dabfcc4-bedb-417b-8247-b3ee7c5c0f3e')
- def test_show_server_diagnostics(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_server_diagnostics(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
new file mode 100644
index 0000000..cb826e3
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_misc_policy_actions_rbac.py
@@ -0,0 +1,154 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest.lib import decorators
+from tempest.lib import exceptions as lib_exc
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class MiscPolicyActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+ """Test multiple policy actions that require a server to be created.
+
+ Minimize the number of servers that need to be created across classes
+ by consolidating test cases related to different policy "families" into
+ one class. This reduces the risk of running into `BuildErrorException`
+ errors being raised due to too many servers being created simultaneously
+ especially when higher concurrency is used.
+
+ Only applies to:
+ * policy "families" that require server creation
+ * small policy "families" -- i.e. containing one to three policies
+ """
+
+ @classmethod
+ def resource_setup(cls):
+ super(MiscPolicyActionsRbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ def setUp(self):
+ super(MiscPolicyActionsRbacTest, self).setUp()
+ try:
+ waiters.wait_for_server_status(self.servers_client,
+ self.server_id, 'ACTIVE')
+ except lib_exc.NotFound:
+ # If the server was found to be deleted by a previous test,
+ # a new one is built
+ server = self.create_test_server(wait_until='ACTIVE')
+ self.__class__.server_id = server['id']
+ except Exception:
+ # Rebuilding the server in case something happened during a test
+ self.__class__.server_id = self.rebuild_server(self.server_id)
+
+ @test.requires_ext(extension='os-admin-actions', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:reset_state")
+ @decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
+ def test_reset_server_state(self):
+ """Test reset server state, part of os-admin-actions."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.reset_state(self.server_id, state='error')
+ self.addCleanup(self.servers_client.reset_state, self.server_id,
+ state='active')
+
+ @test.requires_ext(extension='os-admin-actions', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:inject_network_info")
+ @decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
+ def test_inject_network_info(self):
+ """Test inject network info, part of os-admin-actions."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.inject_network_info(self.server_id)
+
+ @test.attr(type=['slow'])
+ @test.requires_ext(extension='os-admin-actions', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:reset_network")
+ @decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
+ def test_reset_network(self):
+ """Test reset network, part of os-admin-actions."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.reset_network(self.server_id)
+
+ @test.requires_ext(extension='os-deferred-delete', service='compute')
+ @decorators.idempotent_id('189bfed4-1e6d-475c-bb8c-d57e60895391')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-deferred-delete")
+ def test_force_delete_server(self):
+ """Test force delete server, part of os-deferred-delete."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ # Force-deleting a server enforces os-deferred-delete.
+ self.servers_client.force_delete_server(self.server_id)
+
+ @test.requires_ext(extension='os-rescue', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-rescue")
+ @decorators.idempotent_id('fbbb2afc-ed0e-4552-887d-ac00fb5d436e')
+ def test_rescue_server(self):
+ """Test rescue server, part of os-rescue."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.rescue_server(self.server_id)
+
+ @test.requires_ext(extension='os-server-diagnostics', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-diagnostics")
+ @decorators.idempotent_id('5dabfcc4-bedb-417b-8247-b3ee7c5c0f3e')
+ def test_show_server_diagnostics(self):
+ """Test show server diagnostics, part of os-server-diagnostics."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.show_server_diagnostics(self.server_id)
+
+ @test.requires_ext(extension='os-server-password', service='compute')
+ @decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-password")
+ def test_delete_server_password(self):
+ """Test delete server password, part of os-server-password."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.delete_password(self.server_id)
+
+ @test.requires_ext(extension='os-server-password', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-password")
+ @decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
+ def test_get_server_password(self):
+ """Test show server password, part of os-server-password."""
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.show_password(self.server_id)
+
+ @test.requires_ext(extension='OS-SRV-USG', service='compute')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-server-usage")
+ @decorators.idempotent_id('f0437ead-b9fb-462a-9f3d-ce53fac9d57a')
+ def test_show_server_usage(self):
+ """Test show server usage, part of os-server-usage.
+
+ TODO(felipemonteiro): Once multiple policy test is supported, this
+ test can be combined with the generic test for showing a server.
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.show_server(self.server_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
deleted file mode 100644
index 7826268..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class ServerPasswordRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(ServerPasswordRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('os-server-password', 'compute'):
- msg = "%s skipped as os-server-password extension not enabled." \
- % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(ServerPasswordRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until="ACTIVE")
-
- @decorators.idempotent_id('aaf43f78-c178-4581-ac18-14afd3f1f6ba')
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-server-password")
- def test_delete_server_password(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.delete_password(self.server['id'])
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-server-password")
- @decorators.idempotent_id('f677971a-7d20-493c-977f-6ff0a74b5b2c')
- def test_get_server_password(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_password(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
index 3c8ef69..3a2b5ec 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_rbac.py
@@ -17,11 +17,11 @@
from tempest.common import waiters
from tempest import config
-
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest.lib import exceptions
+from tempest import test
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
@@ -36,14 +36,14 @@
@classmethod
def setup_clients(cls):
super(ComputeServersRbacTest, cls).setup_clients()
- cls.client = cls.servers_client
cls.networks_client = cls.os_primary.networks_client
+ cls.ports_client = cls.os_primary.ports_client
cls.subnets_client = cls.os_primary.subnets_client
@classmethod
def resource_setup(cls):
super(ComputeServersRbacTest, cls).resource_setup()
-
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
# Create a volume
volume_name = data_utils.rand_name(cls.__name__ + '-volume')
name_field = 'name'
@@ -66,7 +66,8 @@
self.__class__.__name__ + '-network')
network = self.networks_client.create_network(
- **{'name': network_name})['network']
+ name=network_name, port_security_enabled=True)['network']
+ self.addCleanup(self.networks_client.delete_network, network['id'])
# Create subnet for the network
subnet_name = data_utils.rand_name(self.__class__.__name__ + '-subnet')
@@ -75,11 +76,7 @@
network_id=network['id'],
cidr=CONF.network.project_network_cidr,
ip_version=4)['subnet']
-
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.networks_client.delete_network, network['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.subnets_client.delete_subnet, subnet['id'])
+ self.addCleanup(self.subnets_client.delete_subnet, subnet['id'])
return network
@@ -134,6 +131,7 @@
self.create_test_server(wait_until='ACTIVE',
availability_zone=availability_zone)
+ @test.services('volume')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:create:attach_volume")
@@ -142,20 +140,18 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._create_test_server_with_volume(self.volume_id)
+ @test.services('network')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:servers:create:attach_network")
@decorators.idempotent_id('b44cd4ff-50a4-42ce-ada3-724e213cd540')
def test_create_server_attach_network(self):
network = self._create_network_resources()
- network_id = {'uuid': network['id']}
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ network_id = {'uuid': network['id']}
server = self.create_test_server(wait_until='ACTIVE',
networks=[network_id])
- # The network resources created is for this test case only. We will
- # clean them up after this test case. In order to do that,
- # we need to clean up the server first.
self.addCleanup(waiters.wait_for_server_termination,
self.servers_client, server['id'])
self.addCleanup(self.servers_client.delete_server, server['id'])
@@ -175,13 +171,80 @@
rule="os_compute_api:servers:update")
@decorators.idempotent_id('077b17cb-5621-43b9-8adf-5725f0d7a863')
def test_update_server(self):
- server = self.create_test_server(wait_until='ACTIVE')
new_name = data_utils.rand_name(self.__class__.__name__ + '-server')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
try:
- self.servers_client.update_server(server['id'], name=new_name)
+ self.servers_client.update_server(self.server['id'], name=new_name)
+ waiters.wait_for_server_status(self.os_admin.servers_client,
+ self.server['id'], 'ACTIVE')
except exceptions.ServerFault as e:
# Some other policy may have blocked it.
LOG.info("ServerFault exception caught. Some other policy "
"blocked updating of server")
raise rbac_exceptions.RbacActionFailed(e)
+
+
+class SecurtiyGroupsRbacTest(base.BaseV2ComputeRbacTest):
+ """Tests non-deprecated security group policies. Requires network service.
+
+ This class tests non-deprecated policies for adding and removing a security
+ group to and from a server.
+ """
+
+ @classmethod
+ def setup_credentials(cls):
+ # A network and a subnet will be created for these tests.
+ cls.set_network_resources(network=True, subnet=True)
+ super(SecurtiyGroupsRbacTest, cls).setup_credentials()
+
+ @classmethod
+ def skip_checks(cls):
+ super(SecurtiyGroupsRbacTest, cls).skip_checks()
+ # All the tests below require the network service.
+ if not test.get_service_list()['network']:
+ raise cls.skipException(
+ 'Skipped because the network service is not available')
+
+ @classmethod
+ def resource_setup(cls):
+ super(SecurtiyGroupsRbacTest, cls).resource_setup()
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('3db159c6-a467-469f-9a25-574197885520')
+ def test_list_security_groups_by_server(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.list_security_groups_by_server(self.server['id'])
+
+ @test.attr(type=["slow"])
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('ea1ca73f-2d1d-43cb-9a46-900d7927b357')
+ def test_create_security_group_for_server(self):
+ sg_name = self.create_security_group()['name']
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.servers_client.remove_security_group,
+ self.server['id'], name=sg_name)
+
+ @test.attr(type=["slow"])
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-security-groups")
+ @decorators.idempotent_id('0ad2e856-e2d3-4ac5-a620-f93d0d3d2626')
+ def test_remove_security_group_from_server(self):
+ sg_name = self.create_security_group()['name']
+
+ self.servers_client.add_security_group(self.server['id'], name=sg_name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.servers_client.remove_security_group,
+ self.server['id'], name=sg_name)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.servers_client.remove_security_group(
+ self.server['id'], name=sg_name)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
deleted file mode 100644
index 777af29..0000000
--- a/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest.lib import decorators
-from tempest import test
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.compute import rbac_base
-
-
-class ServerUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
-
- @classmethod
- def skip_checks(cls):
- super(ServerUsageRbacTest, cls).skip_checks()
- if not test.is_extension_enabled('OS-SRV-USG', 'compute'):
- msg = "%s skipped as OS-SRV-USG not enabled." % cls.__name__
- raise cls.skipException(msg)
-
- @classmethod
- def resource_setup(cls):
- super(ServerUsageRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
- @rbac_rule_validation.action(
- service="nova",
- rule="os_compute_api:os-server-usage")
- @decorators.idempotent_id('f0437ead-b9fb-462a-9f3d-ce53fac9d57a')
- def test_show_server_diagnostics(self):
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.servers_client.show_server(self.server['id'])
diff --git a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
index 499f58d..23dbf1b 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_volume_rbac.py
@@ -38,6 +38,14 @@
super(VolumeRbacTest, cls).resource_setup()
cls.volume = cls.create_volume()
+ def _delete_snapshot(self, snapshot_id):
+ waiters.wait_for_volume_resource_status(
+ self.os_admin.snapshots_extensions_client, snapshot_id,
+ 'available')
+ self.snapshots_extensions_client.delete_snapshot(snapshot_id)
+ self.snapshots_extensions_client.wait_for_resource_deletion(
+ snapshot_id)
+
@decorators.idempotent_id('2402013e-a624-43e3-9518-44a5d1dbb32d')
@rbac_rule_validation.action(
service="nova",
@@ -87,8 +95,7 @@
snapshot = self.snapshots_extensions_client.create_snapshot(
self.volume['id'])['snapshot']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.snapshots_extensions_client.delete_snapshot,
- snapshot['id'])
+ self._delete_snapshot, snapshot['id'])
@decorators.idempotent_id('e944e816-416c-11e7-a919-92ebcb67fe33')
@rbac_rule_validation.action(
@@ -105,8 +112,8 @@
def test_show_snapshot(self):
snapshot = self.snapshots_extensions_client.create_snapshot(
self.volume['id'])['snapshot']
- self.addCleanup(self.snapshots_extensions_client.delete_snapshot,
- snapshot['id'])
+ self.addCleanup(self._delete_snapshot, snapshot['id'])
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.snapshots_extensions_client.show_snapshot(snapshot['id'])
@@ -118,7 +125,7 @@
snapshot = self.snapshots_extensions_client.create_snapshot(
self.volume['id'])['snapshot']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.snapshots_extensions_client.delete_snapshot,
- snapshot['id'])
+ self._delete_snapshot, snapshot['id'])
+
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.snapshots_extensions_client.delete_snapshot(snapshot['id'])
+ self._delete_snapshot(snapshot['id'])
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_namespace_objects_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_namespace_property_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_namespace_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_tags_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_namespace_tags_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_tags_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_namespace_tags_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_image_resource_types_rbac.py b/patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_image_resource_types_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_image_resource_types_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
similarity index 100%
rename from patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
rename to patrole_tempest_plugin/tests/api/image/test_images_rbac.py
diff --git a/patrole_tempest_plugin/tests/api/image/v1/__init__.py b/patrole_tempest_plugin/tests/api/image/v1/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/patrole_tempest_plugin/tests/api/image/v1/__init__.py
+++ /dev/null
diff --git a/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
deleted file mode 100644
index 8015277..0000000
--- a/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from tempest import config
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.image import rbac_base as base
-
-CONF = config.CONF
-
-
-class ImagesMemberRbacTest(base.BaseV1ImageRbacTest):
-
- credentials = ['primary', 'alt', 'admin']
-
- @classmethod
- def setup_clients(cls):
- super(ImagesMemberRbacTest, cls).setup_clients()
- cls.image_member_client = cls.os_primary.image_member_client
-
- @classmethod
- def resource_setup(cls):
- super(ImagesMemberRbacTest, cls).resource_setup()
- cls.alt_tenant_id = cls.os_alt.image_member_client.tenant_id
-
- @rbac_rule_validation.action(service="glance", rule="add_member")
- @decorators.idempotent_id('bda2bb78-e6ec-4b87-ba6d-1eaf1b28fa8b')
- def test_add_image_member(self):
- """Add image member
-
- RBAC test for the glance add_member policy
- """
- image = self.create_image()
- # Toggle role and add image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.create_image_member(image['id'],
- self.alt_tenant_id)
-
- @rbac_rule_validation.action(service="glance", rule="delete_member")
- @decorators.idempotent_id('9beaf28c-62b7-4c30-bbe5-4283aed1201c')
- def test_delete_image_member(self):
- """Delete image member
-
- RBAC test for the glance delete_member policy
- """
- image = self.create_image()
- self.image_member_client.create_image_member(image['id'],
- self.alt_tenant_id)
- # Toggle role and delete image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.delete_image_member(image['id'],
- self.alt_tenant_id)
-
- @rbac_rule_validation.action(service="glance", rule="get_members")
- @decorators.idempotent_id('a0fcd855-31ef-458c-97e0-14a448cdd6da')
- def test_list_image_members(self):
- """List image members
-
- RBAC test for the glance get_members policy
- """
- image = self.create_image()
- self.image_member_client.create_image_member(image['id'],
- self.alt_tenant_id)
- # Toggle role and delete image member
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.image_member_client.list_image_members(image['id'])
diff --git a/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
deleted file mode 100644
index a90790b..0000000
--- a/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
+++ /dev/null
@@ -1,151 +0,0 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-import six
-
-from tempest import config
-from tempest.lib.common.utils import data_utils
-from tempest.lib import decorators
-
-from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.tests.api.image import rbac_base
-
-CONF = config.CONF
-
-
-class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
-
- @rbac_rule_validation.action(service="glance", rule="add_image")
- @decorators.idempotent_id('33248a04-6527-11e6-be0f-080027d0d606')
- def test_create_image(self):
- """Create Image Test
-
- RBAC test for the glance add_image policy.
- """
- properties = {'prop1': 'val1'}
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
-
- @rbac_rule_validation.action(service="glance", rule="delete_image")
- @decorators.idempotent_id('731c8c81-6c63-413b-a61a-050ce9ca16ad')
- def test_delete_image(self):
- """Delete Image Test
-
- RBAC test for the glance delete_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- body = self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
- image_id = body['id']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.delete_image(image_id)
-
- @rbac_rule_validation.action(service="glance", rule="download_image")
- @decorators.idempotent_id('a22bf112-5a3a-419e-9cd6-9562d1a3a458')
- def test_download_image(self):
- """Download Image Test
-
- RBAC test for the glance download_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- body = self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
- image_id = body['id']
- # Now try uploading an image file
- image_file = six.BytesIO(data_utils.random_bytes())
- self.client.update_image(image_id, data=image_file)
- # Toggle role and get created image
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.show_image(image_id)
-
- @rbac_rule_validation.action(service="glance", rule="get_image")
- @decorators.idempotent_id('110257aa-6fa3-4cc0-b8dd-d93d43acd45c')
- def test_get_image(self):
- """Get Image Test
-
- RBAC test for the glance get_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- body = self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
- image_id = body['id']
- # Now try uploading an image file
- image_file = six.BytesIO(data_utils.random_bytes())
- self.client.update_image(image_id, data=image_file)
- # Toggle role and get created image
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.check_image(image_id)
-
- @rbac_rule_validation.action(service="glance", rule="get_images")
- @decorators.idempotent_id('37662238-0fe9-4dff-8d90-e02f31e7e3fb')
- def test_list_images(self):
- """Get Image Test
-
- RBAC test for the glance get_images policy.
- """
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.list_images()
-
- @rbac_rule_validation.action(service="glance", rule="modify_image")
- @decorators.idempotent_id('3a391a19-d756-4c96-a346-72cc02f6106e')
- def test_update_image(self):
- """Update Image Test
-
- RBAC test for the glance modify_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- body = self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=False,
- properties=properties)
- image_id = body.get('id')
- properties = {'prop1': 'val2'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.client.update_image(image_id, headers=properties)
-
- @rbac_rule_validation.action(service="glance", rule="publicize_image")
- @decorators.idempotent_id('d5b1d09f-ba47-4d56-913e-4f38733a9a5c')
- def test_publicize_image(self):
- """Publicize Image Test
-
- RBAC test for the glance publicize_image policy.
- """
- image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
- properties = {'prop1': 'val1'}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.create_image(name=image_name,
- container_format='bare',
- disk_format='raw',
- is_public=True,
- properties=properties)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/__init__.py b/patrole_tempest_plugin/tests/api/image/v2/__init__.py
deleted file mode 100644
index e69de29..0000000
--- a/patrole_tempest_plugin/tests/api/image/v2/__init__.py
+++ /dev/null
diff --git a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
new file mode 100644
index 0000000..506dd5b
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
@@ -0,0 +1,237 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class AgentsRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(AgentsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('agent', 'network'):
+ msg = "agent extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(AgentsRbacTest, cls).resource_setup()
+ agents = cls.agents_client.list_agents()['agents']
+ cls.agent = agents[0]
+
+ @decorators.idempotent_id('f88e38e0-ab52-4b97-8ffa-48a27f9d199b')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_agent",
+ expected_error_code=404)
+ def test_show_agent(self):
+ """Show agent test.
+
+ RBAC test for the neutron get_agent policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.show_agent(self.agent['id'])
+
+ @decorators.idempotent_id('8ca68fdb-eaf6-4880-af82-ba0982949dec')
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_agent",
+ expected_error_code=404)
+ def test_update_agent(self):
+ """Update agent test.
+
+ RBAC test for the neutron update_agent policy
+ """
+ original_status = self.agent['admin_state_up']
+ agent_status = {'admin_state_up': original_status}
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.update_agent(agent_id=self.agent['id'],
+ agent=agent_status)
+
+
+class L3AgentSchedulerRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(L3AgentSchedulerRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('l3_agent_scheduler', 'network'):
+ msg = "l3_agent_scheduler extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(L3AgentSchedulerRbacTest, cls).resource_setup()
+ cls.router = cls.create_router()
+ cls.agent = None
+
+ def setUp(self):
+ super(L3AgentSchedulerRbacTest, self).setUp()
+ if self.agent is not None:
+ return
+
+ # Find an agent and validate that it is correct.
+ agents = self.agents_client.list_agents()['agents']
+ agent = {'agent_type': None}
+ for a in agents:
+ if a['agent_type'] == 'L3 agent':
+ agent = a
+ break
+ self.assertEqual(agent['agent_type'], 'L3 agent', 'Could not find '
+ 'L3 agent in agent list though l3_agent_scheduler '
+ 'is enabled.')
+ self.agent = agent
+
+ @decorators.idempotent_id('5d2bbdbc-40a5-43d2-828a-84dc93fcc453')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_l3-routers")
+ def test_list_routers_on_l3_agent(self):
+ """List routers on L3 agent test.
+
+ RBAC test for the neutron get_l3-routers policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.list_routers_on_l3_agent(self.agent['id'])
+
+ @decorators.idempotent_id('466b2a10-8747-4c09-855a-bd90a1c86ce7')
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_l3-router")
+ def test_create_router_on_l3_agent(self):
+ """Create router on L3 agent test.
+
+ RBAC test for the neutron create_l3-router policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.create_router_on_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.agents_client.delete_router_from_l3_agent,
+ self.agent['id'], router_id=self.router['id'])
+
+ @decorators.idempotent_id('8138cfc9-3e48-4a34-adf6-894077aa1be4')
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_l3-router")
+ def test_delete_router_from_l3_agent(self):
+ """Delete router from L3 agent test.
+
+ RBAC test for the neutron delete_l3-router policy
+ """
+ self.agents_client.create_router_on_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.agents_client.delete_router_from_l3_agent,
+ self.agent['id'], router_id=self.router['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.delete_router_from_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
+
+
+class DHCPAgentSchedulersRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(DHCPAgentSchedulersRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('dhcp_agent_scheduler', 'network'):
+ msg = "dhcp_agent_scheduler extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(DHCPAgentSchedulersRbacTest, cls).resource_setup()
+ cls.agent = None
+
+ def setUp(self):
+ super(DHCPAgentSchedulersRbacTest, self).setUp()
+ if self.agent is not None:
+ return
+
+ # Find a DHCP agent and validate that it is correct.
+ agents = self.agents_client.list_agents()['agents']
+ agent = {'agent_type': None}
+ for a in agents:
+ if a['agent_type'] == 'DHCP agent':
+ agent = a
+ break
+ self.assertEqual(agent['agent_type'], 'DHCP agent', 'Could not find '
+ 'DHCP agent in agent list though dhcp_agent_scheduler'
+ ' is enabled.')
+ self.agent = agent
+
+ def _create_and_prepare_network_for_agent(self, agent_id):
+ """Create network and ensure it is not hosted by agent_id."""
+ network_id = self.create_network()['id']
+
+ if self._check_network_in_dhcp_agent(network_id, agent_id):
+ self.agents_client.delete_network_from_dhcp_agent(
+ agent_id=agent_id, network_id=network_id)
+
+ return network_id
+
+ def _check_network_in_dhcp_agent(self, network_id, agent_id):
+ networks = self.agents_client.list_networks_hosted_by_one_dhcp_agent(
+ agent_id)['networks'] or []
+ return network_id in [network['id'] for network in networks]
+
+ @decorators.idempotent_id('dc84087b-4c2a-4878-8ed0-40370e19da17')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_dhcp-networks")
+ def test_list_networks_hosted_by_one_dhcp_agent(self):
+ """List networks hosted by one DHCP agent test.
+
+ RBAC test for the neutron get_dhcp-networks policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.list_networks_hosted_by_one_dhcp_agent(
+ self.agent['id'])
+
+ @decorators.idempotent_id('14e014ac-f355-46d3-b6d8-98f2c9ec1610')
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_dhcp-network")
+ def test_add_dhcp_agent_to_network(self):
+ """Add DHCP agent to network test.
+
+ RBAC test for the neutron create_dhcp-network policy
+ """
+ network_id = self._create_and_prepare_network_for_agent(
+ self.agent['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.add_dhcp_agent_to_network(
+ self.agent['id'], network_id=network_id)
+ # Clean up is not necessary and might result in 409 being raised.
+
+ @decorators.idempotent_id('937a4302-4b49-407d-9980-5843d7badc38')
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_dhcp-network")
+ def test_delete_network_from_dhcp_agent(self):
+ """Delete DHCP agent from network test.
+
+ RBAC test for the neutron delete_dhcp-network policy
+ """
+ network_id = self._create_and_prepare_network_for_agent(
+ self.agent['id'])
+ self.agents_client.add_dhcp_agent_to_network(
+ self.agent['id'], network_id=network_id)
+ # Clean up is not necessary and might result in 409 being raised.
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.agents_client.delete_network_from_dhcp_agent(
+ self.agent['id'], network_id=network_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
new file mode 100644
index 0000000..e111ae8
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_service_providers_rbac.py
@@ -0,0 +1,29 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class ServiceProvidersRbacTest(base.BaseNetworkRbacTest):
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_service_provider")
+ @decorators.idempotent_id('15f573b7-474a-4b37-8629-7fac86553ce5')
+ def test_list_service_providers(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.service_providers_client.list_service_providers()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index afa83a6..f27b8a8 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -35,10 +35,7 @@
@classmethod
def setup_clients(cls):
super(VolumesActionsRbacTest, cls).setup_clients()
- if CONF.image_feature_enabled.api_v1:
- cls.image_client = cls.os_primary.image_client
- elif CONF.image_feature_enabled.api_v2:
- cls.image_client = cls.os_primary.image_client_v2
+ cls.image_client = cls.os_primary.image_client_v2
@classmethod
def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
index 9e93658..8c4185b 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@@ -25,14 +25,6 @@
class VolumeMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
@classmethod
- def setup_clients(cls):
- super(VolumeMetadataRbacTest, cls).setup_clients()
- if CONF.image_feature_enabled.api_v1:
- cls.image_client = cls.os_primary.image_client
- elif CONF.image_feature_enabled.api_v2:
- cls.image_client = cls.os_primary.image_client_v2
-
- @classmethod
def resource_setup(cls):
super(VolumeMetadataRbacTest, cls).resource_setup()
cls.volume = cls.create_volume()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
index 25c8504..2861531 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -100,6 +100,8 @@
volume_id=self.volume['id'])['backup']
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
self.backups_client.delete_backup, backup['id'])
+ waiters.wait_for_volume_resource_status(self.os_admin.backups_client,
+ backup['id'], 'available')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self.backups_client.delete_backup(backup['id'])
diff --git a/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml b/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml
new file mode 100644
index 0000000..8d250cd
--- /dev/null
+++ b/releasenotes/notes/add-security-group-tests-ae5c07074e0ac849.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Add security groups and server security groups
+ tests to Nova RBAC tests.
+fixes:
+ - |
+ Add microversion check to test_security_groups_rbac
+ as tests in this file will fail with a 404 after
+ 2.36.
+ - Rename test_server_security_groups to
+ test_list_security_groups to properly reflect the
+ test actually being run.
diff --git a/releasenotes/notes/console-6db96c4e329c0ab2.yaml b/releasenotes/notes/console-6db96c4e329c0ab2.yaml
new file mode 100644
index 0000000..43ad236
--- /dev/null
+++ b/releasenotes/notes/console-6db96c4e329c0ab2.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds tests for os-console-output and os-remote-console
+ to compute module.
diff --git a/releasenotes/notes/glance-v1-api-deprecated-1aba7b6ae0b6e063.yaml b/releasenotes/notes/glance-v1-api-deprecated-1aba7b6ae0b6e063.yaml
new file mode 100644
index 0000000..dffd064
--- /dev/null
+++ b/releasenotes/notes/glance-v1-api-deprecated-1aba7b6ae0b6e063.yaml
@@ -0,0 +1,4 @@
+---
+deprecations:
+ - Glance v1 APIs are deprecated and v2 APIs are current. Glance v1 APIs are
+ removed from volume tests and Glance v1 RBAC tests are removed.
diff --git a/releasenotes/notes/lock-server-460767a02d15bb29.yaml b/releasenotes/notes/lock-server-460767a02d15bb29.yaml
new file mode 100644
index 0000000..7af7ff3
--- /dev/null
+++ b/releasenotes/notes/lock-server-460767a02d15bb29.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Adds tests for Nova's lock_server policies: lock,
+ unlock, and unlock_override.
diff --git a/releasenotes/notes/rbac-tests-for-network-agents-fbc899925b5948b1.yaml b/releasenotes/notes/rbac-tests-for-network-agents-fbc899925b5948b1.yaml
new file mode 100644
index 0000000..64deadc
--- /dev/null
+++ b/releasenotes/notes/rbac-tests-for-network-agents-fbc899925b5948b1.yaml
@@ -0,0 +1,14 @@
+---
+features:
+ - |
+ Implements RBAC tests for Tempest network agents_client, providing
+ coverage for the following policies:
+
+ * update_agent
+ * get_agent
+ * create_dhcp-network
+ * delete_dhcp-network
+ * get_dhcp-networks
+ * create_l3-router
+ * delete_l3-router
+ * get_l3-routers
diff --git a/releasenotes/notes/service-provider-bc71da578e717c3a.yaml b/releasenotes/notes/service-provider-bc71da578e717c3a.yaml
new file mode 100644
index 0000000..855f398
--- /dev/null
+++ b/releasenotes/notes/service-provider-bc71da578e717c3a.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Adds test for Neutron's get_service_provider policy.