Merge "Compute API Migrations Tests."
diff --git a/patrole_tempest_plugin/tests/api/identity/__init__.py b/patrole_tempest_plugin/tests/api/identity/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/__init__.py
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/__init__.py b/patrole_tempest_plugin/tests/api/identity/v3/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/__init__.py
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
new file mode 100644
index 0000000..3d53df4
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -0,0 +1,41 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.api.identity import base
+from tempest import config
+
+CONF = config.CONF
+
+
+class BaseIdentityV3RbacAdminTest(base.BaseIdentityV3AdminTest):
+
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseIdentityV3RbacAdminTest, cls).skip_checks()
+ if not CONF.rbac.rbac_flag:
+ raise cls.skipException(
+ "%s skipped as RBAC Flag not enabled" % cls.__name__)
+ if CONF.auth.tempest_roles != ['admin']:
+ raise cls.skipException(
+ "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def resource_setup(cls):
+ super(BaseIdentityV3RbacAdminTest, cls).resource_setup()
+ cls.auth_provider = cls.os.auth_provider
+ cls.admin_client = cls.os_adm.identity_v3_client
+ cls.creds_client = cls.os.credentials_client
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
new file mode 100644
index 0000000..45abe9f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -0,0 +1,117 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common.utils import data_utils
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
+
+
+class IdentityCredentialsV3AdminRbacTest(
+ rbac_base.BaseIdentityV3RbacAdminTest):
+
+ def tearDown(self):
+ """Reverts user back to admin for cleanup."""
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(IdentityCredentialsV3AdminRbacTest, self).tearDown()
+
+ def _create_credential(self):
+ """Creates a user, project, and credential for test."""
+ user = self.setup_test_user()
+ user_id = user['id']
+ project_id = user['project_id']
+ keys = [data_utils.rand_name('Access'),
+ data_utils.rand_name('Secret')]
+ blob = "{\"access\": \"%s\", \"secret\": \"%s\"}" % (
+ keys[0], keys[1])
+ credential = self.creds_client \
+ .create_credential(user_id=user_id,
+ project_id=project_id,
+ blob=blob,
+ type='ec2')['credential']
+
+ self.addCleanup(self.creds_client.delete_credential, credential['id'])
+ return (project_id, credential)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_credential")
+ @test.idempotent_id('c1ab6d34-c59f-4ae1-bae9-bb3c1089b48e')
+ def test_create_credential(self):
+ """Create a Credential.
+
+ RBAC test for Keystone: identity:create_credential
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_credential()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:update_credential")
+ @test.idempotent_id('cfb05ce3-bffb-496e-a3c2-9515d730da63')
+ def test_update_credential(self):
+ """Update a Credential.
+
+ RBAC test for Keystone: identity:update_credential
+ """
+ project_id, credential = self._create_credential()
+ # Update blob keys
+ new_keys = [data_utils.rand_name('NewAccess'),
+ data_utils.rand_name('NewSecret')]
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.creds_client \
+ .update_credential(credential['id'],
+ credential=credential,
+ access_key=new_keys[0],
+ secret_key=new_keys[1],
+ project_id=project_id)['credential']
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_credential")
+ @test.idempotent_id('87ab42af-8d41-401b-90df-21e72919fcde')
+ def test_delete_credential(self):
+ """Delete a Credential.
+
+ RBAC test for Keystone: identity:delete_credential
+ """
+ _, credential = self._create_credential()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.creds_client.delete_credential(credential['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_credential")
+ @test.idempotent_id('1b6eeae6-f1e8-4cdf-8903-1c002b1fc271')
+ def test_show_credential(self):
+ """Show/Get a Credential.
+
+ RBAC test for Keystone: identity:get_credential
+ """
+ _, credential = self._create_credential()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.creds_client.show_credential(credential['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_credentials")
+ @test.idempotent_id('3de303e2-12a7-4811-805a-f18906472038')
+ def test_list_credentials(self):
+ """List all Credentials.
+
+ RBAC test for Keystone: identity:list_credentials
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.creds_client.list_credentials()
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
new file mode 100644
index 0000000..b611541
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -0,0 +1,144 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
+
+CONF = config.CONF
+
+
+class IdentityUserV3AdminRbacTest(
+ rbac_base.BaseIdentityV3RbacAdminTest):
+
+ def tearDown(self):
+ """Reverts user back to admin for cleanup."""
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(IdentityUserV3AdminRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_user")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d904')
+ def test_create_user(self):
+ """Creates a user.
+
+ RBAC test for Keystone: identity:create_user
+ """
+ user_name = data_utils.rand_name('test_create_user')
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.non_admin_users_client.create_user(name=user_name)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:update_user")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d905')
+ def test_update_user(self):
+ """Updates a user.
+
+ RBAC test for Keystone: identity:update_user
+ """
+ user_name = data_utils.rand_name('test_update_user')
+ user = self._create_test_user(name=user_name, password=None)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.non_admin_users_client.update_user(user['id'],
+ name=user_name,
+ email="changedUser@xyz.com")
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_user")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d906')
+ def test_delete_user(self):
+ """Get the list of users.
+
+ RBAC test for Keystone: identity:delete_user
+ """
+ user_name = data_utils.rand_name('test_delete_user')
+ user = self._create_test_user(name=user_name, password=None)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.non_admin_users_client.delete_user(user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_users")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d907')
+ def test_list_users(self):
+ """Get the list of users.
+
+ RBAC test for Keystone: identity:list_users
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.non_admin_users_client.list_users()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_user")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d908')
+ def test_show_user(self):
+ """Get one user.
+
+ RBAC test for Keystone: identity:get_user
+ """
+ user_name = data_utils.rand_name('test_get_user')
+ user = self._create_test_user(name=user_name, password=None)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.non_admin_users_client.show_user(user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:change_password")
+ @decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d90a')
+ def test_change_password(self):
+ """Update a user password
+
+ RBAC test for Keystone: identity:change_password
+ """
+ user_name = data_utils.rand_name('test_change_password')
+ user = self._create_test_user(name=user_name, password='nova')
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.non_admin_users_client \
+ .update_user_password(user['id'],
+ original_password='nova',
+ password='neutron')
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_groups_for_user")
+ @decorators.idempotent_id('bd5946d4-46d2-423d-a800-a3e7aabc18b3')
+ def test_list_group_user(self):
+ """Lists groups which a user belongs to.
+
+ RBAC test for Keystone: identity:list_groups_for_user
+ """
+ user_name = data_utils.rand_name('User')
+ user = self._create_test_user(name=user_name, password=None)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.non_admin_users_client.list_user_groups(user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_user_projects")
+ @decorators.idempotent_id('0f148510-63bf-11e6-1564-080044d0d909')
+ def test_list_user_projects(self):
+ """List User's Projects.
+
+ RBAC test for Keystone: identity:list_user_projects
+ """
+ user = self.setup_test_user()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.non_admin_users_client.list_user_projects(user['id'])