Merge "Identity V3 Tests - Groups"
diff --git a/patrole_tempest_plugin/tests/api/compute/rbac_base.py b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
index ca24204..6fd8f30 100644
--- a/patrole_tempest_plugin/tests/api/compute/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -11,6 +11,9 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+
from tempest.api.compute import base as compute_base
from tempest import config
@@ -56,3 +59,34 @@
super(BaseV2ComputeAdminRbacTest, cls).setup_clients()
cls.admin_client = cls.os_admin.agents_client
cls.auth_provider = cls.os.auth_provider
+
+ @classmethod
+ def resource_setup(cls):
+ super(BaseV2ComputeAdminRbacTest, cls).resource_setup()
+ cls.flavors = []
+
+ @classmethod
+ def resource_cleanup(cls):
+ cls.clear_flavors()
+ super(BaseV2ComputeAdminRbacTest, cls).resource_cleanup()
+
+ @classmethod
+ def clear_flavors(cls):
+ for flavor in cls.flavors:
+ test_utils.call_and_ignore_notfound_exc(
+ cls.flavors_client.delete_flavor, flavor['id'])
+
+ @classmethod
+ def _create_flavor(cls, **kwargs):
+ flavor_kwargs = {
+ "name": data_utils.rand_name('flavor'),
+ "ram": data_utils.rand_int_id(1, 10),
+ "vcpus": data_utils.rand_int_id(1, 10),
+ "disk": data_utils.rand_int_id(1, 10),
+ "id": data_utils.rand_uuid(),
+ }
+ if kwargs:
+ flavor_kwargs.update(kwargs)
+ flavor = cls.flavors_client.create_flavor(**flavor_kwargs)['flavor']
+ cls.flavors.append(flavor)
+ return flavor
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
new file mode 100644
index 0000000..32ec91a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -0,0 +1,93 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log
+
+from tempest import config
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+from patrole_tempest_plugin import rbac_exceptions
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+LOG = log.getLogger(__name__)
+
+
+class FlavorAccessAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(FlavorAccessAdminRbacTest, cls).setup_clients()
+ cls.client = cls.flavors_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(FlavorAccessAdminRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @classmethod
+ def resource_setup(cls):
+ super(FlavorAccessAdminRbacTest, cls).resource_setup()
+ cls.flavor_id = cls._create_flavor(is_public=False)['id']
+ cls.tenant_id = cls.auth_provider.credentials.tenant_id
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(FlavorAccessAdminRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('a2bd3740-765d-4c95-ac98-9e027378c75e')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-flavor-access")
+ def test_list_flavor_access(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.client.list_flavor_access(self.flavor_id)
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @decorators.idempotent_id('39cb5c8f-9990-436f-9282-fc76a41d9bac')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-flavor-access:add_tenant_access")
+ def test_add_flavor_access(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.add_flavor_access(
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
+ self.addCleanup(self.client.remove_flavor_access,
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
+
+ @decorators.idempotent_id('61b8621f-52e4-473a-8d07-e228af8853d1')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-flavor-access:remove_tenant_access")
+ def test_remove_flavor_access(self):
+ self.client.add_flavor_access(
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.client.remove_flavor_access,
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.remove_flavor_access(
+ flavor_id=self.flavor_id, tenant_id=self.tenant_id)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
similarity index 62%
rename from patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py
rename to patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
index ffeebc9..d74a78e 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_access_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
@@ -1,5 +1,5 @@
-# Copyright 2017 AT&T Corporation.
-# All Rights Reserved.
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
@@ -23,23 +23,28 @@
CONF = config.CONF
-class AccessIpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+class HostsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
- def tearDown(self):
- rbac_utils.switch_role(self, switchToRbacRole=True)
- super(AccessIpsRbacTest, self).tearDown()
+ @classmethod
+ def setup_clients(cls):
+ super(HostsAdminRbacTest, cls).setup_clients()
+ cls.client = cls.os.hosts_client
@classmethod
def skip_checks(cls):
- super(AccessIpsRbacTest, cls).skip_checks()
+ super(HostsAdminRbacTest, cls).skip_checks()
if not CONF.compute_feature_enabled.api_extensions:
raise cls.skipException(
'%s skipped as no compute extensions enabled' % cls.__name__)
- @rbac_rule_validation.action(service="nova",
- rule="os_compute_api:os-access-ips")
- @decorators.idempotent_id('f5811ed1-95d4-4085-a69e-87e6bd958738')
- def test_access_ip(self):
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(HostsAdminRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('035b7935-2fae-4218-8d37-27fa83097494')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-hosts")
+ def test_list_hosts(self):
rbac_utils.switch_role(self, switchToRbacRole=True)
- ipv4 = '127.0.0.1'
- self.create_test_server(accessIPv4=ipv4)
+ self.client.list_hosts()['hosts']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py
new file mode 100644
index 0000000..cbe66f6
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py
@@ -0,0 +1,74 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class IpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(IpsRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(IpsRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+ if not CONF.service_available.neutron:
+ raise cls.skipException(
+ '%s skipped as Neutron is required' % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ cls.prepare_instance_network()
+ super(IpsRbacTest, cls).setup_credentials()
+
+ @classmethod
+ def resource_setup(cls):
+ super(IpsRbacTest, cls).resource_setup()
+ cls.server = cls.create_test_server(wait_until='ACTIVE')
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(IpsRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('6886d360-0d86-4760-b1a3-882d81fbebcc')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:ips:index")
+ def test_list_addresses(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_addresses(self.server['id'])['addresses']
+
+ @decorators.idempotent_id('fa43e7e5-0db9-48eb-9c6b-c11eb766b8e4')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:ips:show")
+ def test_list_addresses_by_network(self):
+ addresses = self.client.list_addresses(self.server['id'])['addresses']
+ address = next(iter(addresses))
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_addresses_by_network(
+ self.server['id'], address)[address]
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
new file mode 100644
index 0000000..0c2eb96
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -0,0 +1,136 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
+
+CONF = config.CONF
+
+
+class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(IdentityProjectV2AdminRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(IdentityProjectV2AdminRbacTest, cls).setup_clients()
+ cls.tenants_client = cls.os.tenants_client
+
+ def _create_tenant(self, name):
+ self.tenant = self.tenants_client.create_tenant(name=name)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.tenants_client.delete_tenant,
+ self.tenant['tenant']['id'])
+ return self.tenant
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_project")
+ @decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d904')
+ def test_create_project(self):
+
+ """Create Project Test
+
+ RBAC test for Identity 2.0 create_tenant
+ """
+
+ tenant_name = data_utils.rand_name('test_create_project')
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_tenant(tenant_name)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:update_project")
+ @decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d905')
+ def test_update_project(self):
+
+ """Update Project Test
+
+ RBAC test for Identity 2.0 update_tenant
+ """
+
+ tenant_name = data_utils.rand_name('test_update_project')
+ tenant = self._create_tenant(tenant_name)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.update_tenant(tenant['tenant']['id'],
+ description="Changed description")
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_project")
+ @decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d906')
+ def test_delete_project(self):
+
+ """Delete Project Test
+
+ RBAC test for Identity 2.0 delete_tenant
+ """
+
+ tenant_name = data_utils.rand_name('test_delete_project')
+ tenant = self._create_tenant(tenant_name)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.delete_tenant(tenant['tenant']['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_project")
+ @decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d907')
+ def test_get_project(self):
+
+ """Get Project Test
+
+ RBAC test for Identity 2.0 show_tenant
+ """
+
+ tenant_name = data_utils.rand_name('test_get_project')
+ tenant = self._create_tenant(tenant_name)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.show_tenant(tenant['tenant']['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_projects")
+ @decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d908')
+ def test_get_all_projects(self):
+
+ """List All Projects Test
+
+ RBAC test for Identity 2.0 list_tenants
+ """
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.list_tenants()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_user_projects")
+ @decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d909')
+ def test_list_users_for_tenant(self):
+
+ """Get Users of a Project Test
+
+ RBAC test for Identity 2.0 list_tenant_users
+ """
+
+ tenant_name = data_utils.rand_name('test_list_users_for_tenant')
+ tenant = self._create_tenant(tenant_name)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.tenants_client.list_tenant_users(tenant['tenant']['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
new file mode 100644
index 0000000..c8447bb
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
@@ -0,0 +1,83 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
+
+CONF = config.CONF
+
+
+class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(IdentityServicesV2AdminRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(IdentityServicesV2AdminRbacTest, cls).setup_clients()
+ cls.services_client = cls.os.identity_services_client
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_service")
+ @decorators.idempotent_id('370050f6-d271-4fb4-abc5-4de1d6dfbad2')
+ def test_create_service(self):
+ """Create Service Test
+
+ RBAC test for Identity Admin 2.0 create_service
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_service()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_service")
+ @decorators.idempotent_id('f6c64fc3-6a1f-423e-af91-e411add3a384')
+ def test_delete_service(self):
+ """Delete Service Test
+
+ RBAC test for Identity Admin 2.0 delete_service
+ """
+ service_id = self._create_service()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.services_client.delete_service(service_id)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_service")
+ @decorators.idempotent_id('504d62bb-97d7-445e-9d6d-b1945a7c9e08')
+ def test_show_service(self):
+ """Show Service Test
+
+ RBAC test for Identity Admin 2.0 show_service
+ """
+ service_id = self._create_service()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.services_client.show_service(service_id)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_services")
+ @decorators.idempotent_id('d7dc461d-51ad-48e0-9cd2-33add1b88de9')
+ def test_list_services(self):
+ """List all the services
+
+ RBAC test for Identity Admin 2.0 list_service
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.services_client.list_services()
diff --git a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
new file mode 100644
index 0000000..207ae54
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -0,0 +1,358 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+import netaddr
+import random
+
+from oslo_log import log
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+from patrole_tempest_plugin import rbac_exceptions
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+CONF = config.CONF
+LOG = log.getLogger(__name__)
+
+
+class PortsRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def resource_setup(cls):
+ super(PortsRbacTest, cls).resource_setup()
+ cls.admin_network = cls.create_network()
+
+ # Create a subnet by admin user
+ cls.cidr = netaddr.IPNetwork(CONF.network.project_network_cidr)
+
+ cls.admin_subnet = cls.create_subnet(cls.admin_network,
+ cidr=cls.cidr,
+ mask_bits=24)
+ cls.admin_ip_range = netaddr.IPRange(
+ cls.admin_subnet['allocation_pools'][0]['start'],
+ cls.admin_subnet['allocation_pools'][0]['end'])
+
+ # Create a port by admin user
+ body = cls.ports_client.create_port(network_id=cls.admin_network['id'])
+ cls.admin_port = body['port']
+ cls.ports.append(cls.admin_port)
+ ipaddr = cls.admin_port['fixed_ips'][0]['ip_address']
+ cls.admin_port_ip_address = ipaddr
+ cls.admin_port_mac_address = cls.admin_port['mac_address']
+
+ def _create_port(self, **post_body):
+
+ body = self.ports_client.create_port(**post_body)
+ port = body['port']
+
+ # Schedule port deletion with verification upon test completion
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.ports_client.delete_port,
+ port['id'])
+
+ return port
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(PortsRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_port")
+ @decorators.idempotent_id('0ec8c551-625c-4864-8a52-85baa7c40f22')
+ def test_create_port(self):
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ post_body = {'network_id': self.admin_network['id']}
+ self._create_port(**post_body)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_port:binding:host_id")
+ @decorators.idempotent_id('a54bd6b8-a7eb-4101-bfe8-093930b0d660')
+ def test_create_port_binding_host_id(self):
+
+ post_body = {'network_id': self.admin_network['id'],
+ 'binding:host_id': "rbac_test_host"}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_port(**post_body)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_port:fixed_ips")
+ @decorators.idempotent_id('2551e10d-006a-413c-925a-8c6f834c09ac')
+ def test_create_port_fixed_ips(self):
+ # Pick an ip address within the allocation_pools range
+ ip_address = random.choice(list(self.admin_ip_range))
+
+ fixed_ips = [{'ip_address': ip_address},
+ {'subnet_id': self.admin_subnet['id']}]
+
+ post_body = {'network_id': self.admin_network['id'],
+ 'fixed_ips': fixed_ips}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_port(**post_body)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_port:mac_address")
+ @decorators.idempotent_id('aee6d0be-a7f3-452f-aefc-796b4eb9c9a8')
+ def test_create_port_mac_address(self):
+
+ post_body = {'network_id': self.admin_network['id'],
+ 'mac_address': data_utils.rand_mac_address()}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_port(**post_body)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_port:binding:profile")
+ @decorators.idempotent_id('98fa38ab-c2ed-46a0-99f0-59f18cbd257a')
+ def test_create_port_binding_profile(self):
+
+ binding_profile = {"foo": "1"}
+
+ post_body = {'network_id': self.admin_network['id'],
+ 'binding:profile': binding_profile}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_port(**post_body)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_port:allowed_address_pairs")
+ @decorators.idempotent_id('b638d1f4-d903-4ca8-aa2a-6fd603c5ec3a')
+ def test_create_port_allowed_address_pairs(self):
+
+ # Create port with allowed address pair attribute
+ allowed_address_pairs = [{'ip_address': self.admin_port_ip_address,
+ 'mac_address': self.admin_port_mac_address}]
+
+ post_body = {'network_id': self.admin_network['id'],
+ 'allowed_address_pairs': allowed_address_pairs}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_port(**post_body)
+
+ @rbac_rule_validation.action(service="neutron", rule="get_port")
+ @decorators.idempotent_id('a9d41cb8-78a2-4b97-985c-44e4064416f4')
+ def test_show_port(self):
+
+ try:
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+
+ self.ports_client.show_port(self.admin_port['id'])
+
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_port:binding:vif_type")
+ @decorators.idempotent_id('125aff0b-8fed-4f8e-8410-338616594b06')
+ def test_show_port_binding_vif_type(self):
+
+ # Verify specific fields of a port
+ fields = ['binding:vif_type']
+
+ try:
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.show_port(self.admin_port['id'],
+ fields=fields)
+
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_port:binding:vif_details")
+ @decorators.idempotent_id('e42bfd77-fcce-45ee-9728-3424300f0d6f')
+ def test_show_port_binding_vif_details(self):
+
+ # Verify specific fields of a port
+ fields = ['binding:vif_details']
+
+ try:
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.show_port(self.admin_port['id'],
+ fields=fields)
+
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_port:binding:host_id")
+ @decorators.idempotent_id('8e61bcdc-6f81-443c-833e-44410266551e')
+ def test_show_port_binding_host_id(self):
+
+ # Verify specific fields of a port
+ fields = ['binding:host_id']
+ post_body = {'network_id': self.admin_network['id'],
+ 'binding:host_id': data_utils.rand_name('host-id')}
+ port = self._create_port(**post_body)
+
+ try:
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.show_port(port['id'],
+ fields=fields)
+
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_port:binding:profile")
+ @decorators.idempotent_id('d497cea9-c4ad-42e0-acc9-8d257d6b01fc')
+ def test_show_port_binding_profile(self):
+
+ # Verify specific fields of a port
+ fields = ['binding:profile']
+ binding_profile = {"foo": "1"}
+ post_body = {'network_id': self.admin_network['id'],
+ 'binding:profile': binding_profile}
+ port = self._create_port(**post_body)
+
+ try:
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.show_port(port['id'],
+ fields=fields)
+
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_port")
+ @decorators.idempotent_id('afa80981-3c59-42fd-9531-3bcb2cd03711')
+ def test_update_port(self):
+
+ port = self.create_port(self.admin_network)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.update_port(port['id'],
+ admin_state_up=False)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_port:mac_address")
+ @decorators.idempotent_id('507140c8-7b14-4d63-b627-2103691d887e')
+ def test_update_port_mac_address(self):
+
+ port = self.create_port(self.admin_network)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.update_port(
+ port['id'],
+ mac_address=data_utils.rand_mac_address())
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_port:fixed_ips")
+ @decorators.idempotent_id('c091c825-532b-4c6f-a14f-affd3259c1c3')
+ def test_update_port_fixed_ips(self):
+
+ # Pick an ip address within the allocation_pools range
+ ip_address = random.choice(list(self.admin_ip_range))
+ fixed_ips = [{'ip_address': ip_address}]
+ post_body = {'network_id': self.admin_network['id']}
+ port = self._create_port(**post_body)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.update_port(port['id'],
+ fixed_ips=fixed_ips)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_port:port_security_enabled")
+ @decorators.idempotent_id('795541af-6652-4e35-9581-fd58224f7545')
+ def test_update_port_security_enabled(self):
+
+ port = self.create_port(self.admin_network)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.update_port(port['id'],
+ security_groups=[])
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_port:binding:host_id")
+ @decorators.idempotent_id('24206a72-0d90-4712-918c-5c9a1ebef64d')
+ def test_update_port_binding_host_id(self):
+
+ post_body = {'network_id': self.admin_network['id'],
+ 'binding:host_id': 'rbac_test_host'}
+ port = self._create_port(**post_body)
+
+ updated_body = {'port_id': port['id'],
+ 'binding:host_id': 'rbac_test_host_updated'}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.update_port(**updated_body)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_port:binding:profile")
+ @decorators.idempotent_id('990ea8d1-9257-4f71-a3bf-d6d0914625c5')
+ def test_update_port_binding_profile(self):
+
+ binding_profile = {"foo": "1"}
+ post_body = {'network_id': self.admin_network['id'],
+ 'binding:profile': binding_profile}
+
+ port = self._create_port(**post_body)
+
+ new_binding_profile = {"foo": "2"}
+ updated_body = {'port_id': port['id'],
+ 'binding:profile': new_binding_profile}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.update_port(**updated_body)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_port:allowed_address_pairs")
+ @decorators.idempotent_id('729c2151-bb49-4f4f-9d58-3ed8819b7582')
+ def test_update_port_allowed_address_pairs(self):
+
+ ip_address = random.choice(list(self.admin_ip_range))
+ # Update allowed address pair attribute of port
+ address_pairs = [{'ip_address': ip_address,
+ 'mac_address': data_utils.rand_mac_address()}]
+ post_body = {'network_id': self.admin_network['id']}
+ port = self._create_port(**post_body)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.update_port(port['id'],
+ allowed_address_pairs=address_pairs)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_port")
+ @decorators.idempotent_id('1cf8e582-bc09-46cb-b32a-82bf991ad56f')
+ def test_delete_port(self):
+
+ try:
+ port = self._create_port(network_id=self.admin_network['id'])
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.ports_client.delete_port(port['id'])
+
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
new file mode 100644
index 0000000..662eb41
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -0,0 +1,292 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import netaddr
+import random
+
+from oslo_log import log
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+from tempest import test
+
+from patrole_tempest_plugin import rbac_exceptions
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+CONF = config.CONF
+LOG = log.getLogger(__name__)
+
+
+class RouterRbacTest(base.BaseNetworkRbacTest):
+ @classmethod
+ def skip_checks(cls):
+ super(RouterRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('router', 'network'):
+ msg = "router extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(RouterRbacTest, cls).resource_setup()
+ post_body = {}
+ post_body['router:external'] = True
+ cls.admin_network = cls.create_network(**post_body)
+ cls.admin_subnet = cls.create_subnet(cls.admin_network)
+ cls.admin_ip_range = netaddr.IPRange(
+ cls.admin_subnet['allocation_pools'][0]['start'],
+ cls.admin_subnet['allocation_pools'][0]['end'])
+ cls.admin_router = cls.create_router()
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(RouterRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_router")
+ @decorators.idempotent_id('acc5005c-bdb6-4192-bc9f-ece9035bb488')
+ def test_create_router(self):
+ """Create Router
+
+ RBAC test for the neutron create_router policy
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ router = self.routers_client.create_router()
+ self.addCleanup(self.routers_client.delete_router,
+ router['router']['id'])
+
+ @rbac_rule_validation.action(
+ service="neutron",
+ rule="create_router:external_gateway_info:enable_snat")
+ @decorators.idempotent_id('3c5acd49-0ec7-4109-ab51-640557b48ebc')
+ def test_create_router_enable_snat(self):
+ """Create Router Snat
+
+ RBAC test for the neutron
+ create_router:external_gateway_info:enable_snat policy
+ """
+ name = data_utils.rand_name('snat-router')
+ external_gateway_info = {'network_id': self.admin_network['id'],
+ 'enable_snat': True}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ router = self.routers_client.create_router(
+ name=name, external_gateway_info=external_gateway_info)
+ self.addCleanup(self.routers_client.delete_router,
+ router['router']['id'])
+
+ @rbac_rule_validation.action(
+ service="neutron",
+ rule="create_router:external_gateway_info:external_fixed_ips")
+ @decorators.idempotent_id('d0354369-a040-4349-b869-645c8aed13cd')
+ def test_create_router_external_fixed_ips(self):
+ """Create Router Fixed IPs
+
+ RBAC test for the neutron
+ create_router:external_gateway_info:external_fixed_ips policy
+ """
+ name = data_utils.rand_name('snat-router')
+ # Pick an ip address within the allocation_pools range
+ ip_address = random.choice(list(self.admin_ip_range))
+ external_fixed_ips = {'subnet_id': self.admin_subnet['id'],
+ 'ip_address': ip_address}
+
+ external_gateway_info = {'network_id': self.admin_network['id'],
+ 'enable_snat': False,
+ 'external_fixed_ips': [external_fixed_ips]}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ router = self.routers_client.create_router(
+ name=name, external_gateway_info=external_gateway_info)
+ self.addCleanup(self.routers_client.delete_router,
+ router['router']['id'])
+
+ @rbac_rule_validation.action(service="neutron", rule="get_router")
+ @decorators.idempotent_id('bfbdbcff-f115-4d3e-8cd5-6ada33fd0e21')
+ def test_show_router(self):
+ """Get Router
+
+ RBAC test for the neutron get_router policy
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.routers_client.show_router(self.admin_router['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(
+ service="neutron", rule="update_router")
+ @decorators.idempotent_id('3d182f4e-0023-4218-9aa0-ea2b0ae0bd7a')
+ def test_update_router(self):
+ """Update Router
+
+ RBAC test for the neutron update_router policy
+ """
+ new_name = data_utils.rand_name('new-router-name')
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.routers_client.update_router(self.admin_router['id'],
+ name=new_name)
+
+ @rbac_rule_validation.action(
+ service="neutron", rule="update_router:external_gateway_info")
+ @decorators.idempotent_id('5a6ae104-a9c3-4b56-8622-e1a0a0194474')
+ def test_update_router_external_gateway_info(self):
+ """Update Router External Gateway Info
+
+ RBAC test for the neutron
+ update_router:external_gateway_info policy
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.routers_client.update_router(self.admin_router['id'],
+ external_gateway_info={})
+
+ @rbac_rule_validation.action(
+ service="neutron",
+ rule="update_router:external_gateway_info:network_id")
+ @decorators.idempotent_id('f1fc5a23-e3d8-44f0-b7bc-47006ad9d3d4')
+ def test_update_router_external_gateway_info_network_id(self):
+ """Update Router External Gateway Info Network Id
+
+ RBAC test for the neutron
+ update_router:external_gateway_info:network_id policy
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.routers_client.update_router(
+ self.admin_router['id'],
+ external_gateway_info={'network_id': self.admin_network['id']})
+
+ @rbac_rule_validation.action(
+ service="neutron",
+ rule="update_router:external_gateway_info:enable_snat")
+ @decorators.idempotent_id('515a2954-3d79-4695-aeb9-d1c222765840')
+ def test_update_router_enable_snat(self):
+ """Update Router External Gateway Info Enable Snat
+
+ RBAC test for the neutron
+ update_router:external_gateway_info:enable_snat policy
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.routers_client.update_router(
+ self.admin_router['id'],
+ external_gateway_info={'network_id': self.admin_network['id'],
+ 'enable_snat': True})
+
+ @rbac_rule_validation.action(
+ service="neutron",
+ rule="update_router:external_gateway_info:external_fixed_ips")
+ @decorators.idempotent_id('f429e5ee-8f0a-4667-963e-72dd95d5adee')
+ def test_update_router_external_fixed_ips(self):
+ """Update Router External Gateway Info External Fixed Ips
+
+ RBAC test for the neutron
+ update_router:external_gateway_info:external_fixed_ips policy
+ """
+ # Pick an ip address within the allocation_pools range
+ ip_address = random.choice(list(self.admin_ip_range))
+ external_fixed_ips = {'subnet_id': self.admin_subnet['id'],
+ 'ip_address': ip_address}
+ external_gateway_info = {'network_id': self.admin_network['id'],
+ 'external_fixed_ips': [external_fixed_ips]}
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.routers_client.update_router(
+ self.admin_router['id'],
+ external_gateway_info=external_gateway_info)
+ self.addCleanup(
+ self.routers_client.update_router,
+ self.admin_router['id'],
+ external_gateway_info=None)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_router")
+ @decorators.idempotent_id('c0634dd5-0467-48f7-a4ae-1014d8edb2a7')
+ def test_delete_router(self):
+ """Delete Router
+
+ RBAC test for the neutron delete_router policy
+ """
+ router = self.create_router()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.routers_client.delete_router(router['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="add_router_interface")
+ @decorators.idempotent_id('a0627778-d68d-4913-881b-e345360cca19')
+ def test_add_router_interfaces(self):
+ """Add Router Interface
+
+ RBAC test for the neutron add_router_interface policy
+ """
+ network = self.create_network()
+ subnet = self.create_subnet(network)
+ router = self.create_router()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.routers_client.add_router_interface(
+ router['id'], subnet_id=subnet['id'])
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.routers_client.remove_router_interface,
+ router['id'],
+ subnet_id=subnet['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="remove_router_interface")
+ @decorators.idempotent_id('ff2593a4-2bff-4c27-97d3-dd3702b27dfb')
+ def test_remove_router_interfaces(self):
+ """Remove Router Interface
+
+ RBAC test for the neutron remove_router_interface policy
+ """
+ network = self.create_network()
+ subnet = self.create_subnet(network)
+ router = self.create_router()
+
+ self.routers_client.add_router_interface(
+ router['id'], subnet_id=subnet['id'])
+
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.routers_client.remove_router_interface,
+ router['id'],
+ subnet_id=subnet['id'])
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.routers_client.remove_router_interface(
+ router['id'],
+ subnet_id=subnet['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)