Merge "Migrate to override_role for network tests"
diff --git a/.gitignore b/.gitignore
index b77e7f3..350e0da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,7 @@
# Sphinx
doc/build
+doc/source/_static/patrole.conf.sample
# pbr generates these
AUTHORS
diff --git a/doc/source/framework/overview.rst b/doc/source/framework/overview.rst
index 1c9bf3b..d862770 100644
--- a/doc/source/framework/overview.rst
+++ b/doc/source/framework/overview.rst
@@ -7,32 +7,32 @@
RBAC testing validation is broken up into 3 stages:
- #. "Expected" stage. Determine whether the test should be able to succeed
- or fail based on the test role defined by ``[patrole] rbac_test_role``)
- and the policy action that the test enforces.
- #. "Actual" stage. Run the test by calling the API endpoint that enforces
- the expected policy action using the test role.
- #. Comparing the outputs from both stages for consistency. A "consistent"
- result is treated as a pass and an "inconsistent" result is treated
- as a failure. "Consistent" (or successful) cases include:
+#. "Expected" stage. Determine whether the test should be able to succeed
+ or fail based on the test role defined by ``[patrole] rbac_test_role``)
+ and the policy action that the test enforces.
+#. "Actual" stage. Run the test by calling the API endpoint that enforces
+ the expected policy action using the test role.
+#. Comparing the outputs from both stages for consistency. A "consistent"
+ result is treated as a pass and an "inconsistent" result is treated
+ as a failure. "Consistent" (or successful) cases include:
- * Expected result is ``True`` and the test passes.
- * Expected result is ``False`` and the test fails.
+ * Expected result is ``True`` and the test passes.
+ * Expected result is ``False`` and the test fails.
- For example, a 200 from the API call and a ``True`` result from
- ``oslo.policy`` or a 403 from the API call and a ``False`` result from
- ``oslo.policy`` are successful results.
+ For example, a 200 from the API call and a ``True`` result from
+ ``oslo.policy`` or a 403 from the API call and a ``False`` result from
+ ``oslo.policy`` are successful results.
- "Inconsistent" (or failing) cases include:
+ "Inconsistent" (or failing) cases include:
- * Expected result is ``False`` and the test passes. This results in an
- ``RbacOverPermission`` exception getting thrown.
- * Expected result is ``True`` and the test fails. This results in a
- ``Forbidden`` exception getting thrown.
+ * Expected result is ``False`` and the test passes. This results in an
+ ``RbacOverPermission`` exception getting thrown.
+ * Expected result is ``True`` and the test fails. This results in a
+ ``Forbidden`` exception getting thrown.
- For example, a 200 from the API call and a ``False`` result from
- ``oslo.policy`` or a 403 from the API call and a ``True`` result from
- ``oslo.policy`` are failing results.
+ For example, a 200 from the API call and a ``False`` result from
+ ``oslo.policy`` or a 403 from the API call and a ``True`` result from
+ ``oslo.policy`` are failing results.
-------------------------------
The RBAC Rule Validation Module
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index fc8b145..75d1baa 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -43,15 +43,15 @@
A decorator which allows for positive and negative RBAC testing. Given:
- * an OpenStack service,
- * a policy action (``rule``) enforced by that service, and
- * the test role defined by ``[patrole] rbac_test_role``
+ * an OpenStack service,
+ * a policy action (``rule``) enforced by that service, and
+ * the test role defined by ``[patrole] rbac_test_role``
determines whether the test role has sufficient permissions to perform an
API call that enforces the ``rule``.
This decorator should only be applied to an instance or subclass of
- ``tempest.test.BaseTestCase``.
+ ``tempest.test.BaseTestCase``.
The result from ``_is_authorized`` is used to determine the *expected*
test result. The *actual* test result is determined by running the
@@ -306,14 +306,14 @@
Before being formatted, "extra_target_data" is a dictionary that maps a
policy string like "trust.trustor_user_id" to a nested list of
``tempest.test.BaseTestCase`` attributes. For example, the attribute list
- in:
+ in::
- "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
+ "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
is parsed by iteratively calling ``getattr`` until the value of "user_id"
- is resolved. The resulting dictionary returns:
+ is resolved. The resulting dictionary returns::
- "trust.trustor_user_id": "the user_id of the `os_primary` credential"
+ "trust.trustor_user_id": "the user_id of the `os_primary` credential"
:param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
:param extra_target_data: Dictionary, keyed with ``oslo.policy`` generic
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 4ef0f80..51d1d25 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -68,8 +68,9 @@
"""Override the role used by ``os_primary`` Tempest credentials.
Temporarily change the role used by ``os_primary`` credentials to:
- * ``[patrole] rbac_test_role`` before test execution
- * ``[identity] admin_role`` after test execution
+
+ * ``[patrole] rbac_test_role`` before test execution
+ * ``[identity] admin_role`` after test execution
Automatically switches to admin role after test execution.
@@ -111,8 +112,9 @@
"""Switch the role used by `os_primary` Tempest credentials.
Switch the role used by `os_primary` credentials to:
- * admin if `toggle_rbac_role` is False
- * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
+
+ * admin if `toggle_rbac_role` is False
+ * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
:param test_obj: test object of type tempest.lib.base.BaseTestCase
:param toggle_rbac_role: role to switch `os_primary` Tempest creds to
diff --git a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
index fb747d6..6b03ebe 100644
--- a/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_agents_rbac.py
@@ -45,8 +45,8 @@
RBAC test for the neutron get_agent policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.show_agent(self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.show_agent(self.agent['id'])
@decorators.idempotent_id('8ca68fdb-eaf6-4880-af82-ba0982949dec')
@rbac_rule_validation.action(service="neutron",
@@ -60,9 +60,9 @@
original_status = self.agent['admin_state_up']
agent_status = {'admin_state_up': original_status}
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.update_agent(agent_id=self.agent['id'],
- agent=agent_status)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.update_agent(agent_id=self.agent['id'],
+ agent=agent_status)
class L3AgentSchedulerRbacTest(base.BaseNetworkRbacTest):
@@ -105,8 +105,8 @@
RBAC test for the neutron get_l3-routers policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_routers_on_l3_agent(self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_routers_on_l3_agent(self.agent['id'])
@decorators.idempotent_id('466b2a10-8747-4c09-855a-bd90a1c86ce7')
@rbac_rule_validation.action(service="neutron",
@@ -116,9 +116,9 @@
RBAC test for the neutron create_l3-router policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.create_router_on_l3_agent(
- self.agent['id'], router_id=self.router['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.create_router_on_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
self.addCleanup(
test_utils.call_and_ignore_notfound_exc,
self.agents_client.delete_router_from_l3_agent,
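Review bot: The `self.addCleanup(...)` after the `with self.rbac_utils.override_role(self):` block is registered only once the block has exited cleanly. If `create_router_on_l3_agent` succeeds under the test role and restoring the admin role on exit then fails, the router would stay scheduled on the agent with no cleanup. The delete test in the hunk at -139 registers the same `test_utils.call_and_ignore_notfound_exc` cleanup before its role override, so moving `self.addCleanup(...)` above the `with` line looks safe, provided removing a binding that was never created returns a not-found error. Whether exit from `override_role` can raise is not visible here, and the `addCleanup` call continues past the end of this hunk, so confirm against the full method.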
@@ -139,9 +139,9 @@
self.agents_client.delete_router_from_l3_agent,
self.agent['id'], router_id=self.router['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_router_from_l3_agent(
- self.agent['id'], router_id=self.router['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_router_from_l3_agent(
+ self.agent['id'], router_id=self.router['id'])
class DHCPAgentSchedulersRbacTest(base.BaseNetworkRbacTest):
@@ -198,9 +198,9 @@
RBAC test for the neutron get_dhcp-networks policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.list_networks_hosted_by_one_dhcp_agent(
- self.agent['id'])
+ with self.rbac_utils.override_role(self):
+ self.agents_client.list_networks_hosted_by_one_dhcp_agent(
+ self.agent['id'])
@decorators.idempotent_id('14e014ac-f355-46d3-b6d8-98f2c9ec1610')
@rbac_rule_validation.action(service="neutron",
@@ -213,9 +213,9 @@
network_id = self._create_and_prepare_network_for_agent(
self.agent['id'])
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.add_dhcp_agent_to_network(
- self.agent['id'], network_id=network_id)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.add_dhcp_agent_to_network(
+ self.agent['id'], network_id=network_id)
# Clean up is not necessary and might result in 409 being raised.
@decorators.idempotent_id('937a4302-4b49-407d-9980-5843d7badc38')
@@ -232,6 +232,6 @@
self.agent['id'], network_id=network_id)
# Clean up is not necessary and might result in 409 being raised.
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.agents_client.delete_network_from_dhcp_agent(
- self.agent['id'], network_id=network_id)
+ with self.rbac_utils.override_role(self):
+ self.agents_client.delete_network_from_dhcp_agent(
+ self.agent['id'], network_id=network_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
index dc674d1..20e4aa7 100644
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -70,8 +70,8 @@
RBAC test for the neutron create_floatingip policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_floatingip()
+ with self.rbac_utils.override_role(self):
+ self._create_floatingip()
@rbac_rule_validation.action(service="neutron",
rule="create_floatingip:floating_ip_address")
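Review bot: `self._create_floatingip()` is a test helper rather than a single client call, and everything it does now runs inside `override_role` under `[patrole] rbac_test_role`. Its body is outside this hunk; if it issues any request other than the one enforcing `create_floatingip`, a 403 from that other request would be attributed to the rule under test and could hide an over- or under-permissive policy. A comment above the `with` line such as `# Only the floating IP create request may run under the test role.` would record the constraint. The same applies to `_create_floatingip(floating_ip_address=fip)` in the next hunk and to the `_create_subnetpool` calls in test_subnetpools_rbac.py.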
@@ -83,8 +83,8 @@
"""
fip = str(netaddr.IPAddress(self.cidr) + 10)
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_floatingip(floating_ip_address=fip)
+ with self.rbac_utils.override_role(self):
+ self._create_floatingip(floating_ip_address=fip)
@rbac_rule_validation.action(service="neutron",
rule="update_floatingip")
@@ -95,11 +95,10 @@
RBAC test for the neutron update_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
-
- # Associate floating IP to the other port
- self.floating_ips_client.update_floatingip(
- floating_ip['id'], port_id=None)
+ with self.rbac_utils.override_role(self):
+ # Associate floating IP to the other port
+ self.floating_ips_client.update_floatingip(
+ floating_ip['id'], port_id=None)
@rbac_rule_validation.action(service="neutron",
rule="get_floatingip",
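Review bot: The comment moved into the `with` block, `# Associate floating IP to the other port`, does not match the call beneath it, which passes `port_id=None`; in the Neutron API a null `port_id` on update disassociates the floating IP. Since this is the one request executed under the test role, the comment should say what is actually being authorized, e.g. `# Disassociate the floating IP (port_id=None); enforces update_floatingip`. The enclosing test method starts above the hunk.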
@@ -111,9 +110,9 @@
RBAC test for the neutron get_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Show floating IP
- self.floating_ips_client.show_floatingip(floating_ip['id'])
+ with self.rbac_utils.override_role(self):
+ # Show floating IP
+ self.floating_ips_client.show_floatingip(floating_ip['id'])
@rbac_rule_validation.action(service="neutron",
rule="delete_floatingip",
@@ -125,6 +124,6 @@
RBAC test for the neutron delete_floatingip policy
"""
floating_ip = self._create_floatingip()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Delete the floating IP
- self.floating_ips_client.delete_floatingip(floating_ip['id'])
+ with self.rbac_utils.override_role(self):
+ # Delete the floating IP
+ self.floating_ips_client.delete_floatingip(floating_ip['id'])
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
index 9231c15..fe14c92 100644
--- a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
@@ -60,8 +60,8 @@
RBAC test for the neutron create_subnetpool policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_subnetpool()
+ with self.rbac_utils.override_role(self):
+ self._create_subnetpool()
@rbac_rule_validation.action(service="neutron",
rule="create_subnetpool:shared")
@@ -71,8 +71,8 @@
RBAC test for the neutron create_subnetpool:shared policy
"""
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._create_subnetpool(shared=True)
+ with self.rbac_utils.override_role(self):
+ self._create_subnetpool(shared=True)
@rbac_rule_validation.action(service="neutron",
rule="get_subnetpool",
@@ -84,8 +84,8 @@
RBAC test for the neutron get_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.show_subnetpool(subnetpool['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.show_subnetpool(subnetpool['id'])
@rbac_rule_validation.action(service="neutron",
rule="update_subnetpool")
@@ -96,9 +96,9 @@
RBAC test for the neutron update_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.update_subnetpool(subnetpool['id'],
- min_prefixlen=24)
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.update_subnetpool(subnetpool['id'],
+ min_prefixlen=24)
@decorators.idempotent_id('a16f4e5c-0675-415f-b636-00af00638693')
@rbac_rule_validation.action(service="neutron",
@@ -117,9 +117,9 @@
default_pool = self._create_subnetpool(is_default=True)
original_desc = default_pool['description']
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.update_subnetpool(
- default_pool['id'], description=original_desc, is_default=True)
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.update_subnetpool(
+ default_pool['id'], description=original_desc, is_default=True)
@rbac_rule_validation.action(service="neutron",
rule="delete_subnetpool")
@@ -130,5 +130,5 @@
RBAC test for the neutron delete_subnetpool policy
"""
subnetpool = self._create_subnetpool()
- self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.subnetpools_client.delete_subnetpool(subnetpool['id'])
+ with self.rbac_utils.override_role(self):
+ self.subnetpools_client.delete_subnetpool(subnetpool['id'])