Roles RBAC test for Keystone API v2 roles
- migrate out common clients and internal methods to the base
- fixes to projects rbac test to use tempest base instead
- using the setups in tempest identity base instead of internals
- Migrating the identity roles rbac tempest test to Patrole
Partially-Implements bp: initial-tests-identity
Co-Authored-By: Cliff Parsons <cp769u@att.com>
Change-Id: I8f0d10fbfa047c53d2ea801eb531caa24a5b51a0
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
index e379873..bd3304d 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
@@ -40,6 +40,8 @@
super(BaseIdentityV2AdminRbacTest, cls).setup_clients()
cls.auth_provider = cls.os.auth_provider
cls.admin_client = cls.os_adm.identity_client
+ cls.tenants_client = cls.os.tenants_client
+ cls.users_client = cls.os.users_client
def _create_service(self):
name = data_utils.rand_name('service')
@@ -52,3 +54,30 @@
self.services_client.delete_service,
self.service['OS-KSADM:service']['id'])
return self.service
+
+ def _create_user(self, name=None, email=None, password=None, **kwargs):
+ """Set up a test user."""
+ if name is None:
+ name = data_utils.rand_name('test_user')
+ if email is None:
+ email = name + '@testmail.tm'
+ if password is None:
+ password = data_utils.rand_password()
+ user = self.users_client.create_user(
+ name=name, email=email, password=password, **kwargs)['user']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.users_client.delete_user,
+ user['id'])
+ return user
+
+ def _create_tenant(self):
+ """Set up a test tenant."""
+ name = data_utils.rand_name('test_tenant')
+ tenant = self.projects_client.create_tenant(
+ name=name,
+ description=data_utils.rand_name('desc'))['tenant']
+ # Delete the tenant at the end of the test
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.tenants_client.delete_tenant,
+ tenant['id'])
+ return tenant
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
index 0c2eb96..22e5f87 100644
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -14,8 +14,6 @@
# under the License.
from tempest import config
-from tempest.lib.common.utils import data_utils
-from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
@@ -31,18 +29,6 @@
rbac_utils.switch_role(self, switchToRbacRole=False)
super(IdentityProjectV2AdminRbacTest, self).tearDown()
- @classmethod
- def setup_clients(cls):
- super(IdentityProjectV2AdminRbacTest, cls).setup_clients()
- cls.tenants_client = cls.os.tenants_client
-
- def _create_tenant(self, name):
- self.tenant = self.tenants_client.create_tenant(name=name)
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.tenants_client.delete_tenant,
- self.tenant['tenant']['id'])
- return self.tenant
-
@rbac_rule_validation.action(service="keystone",
rule="identity:create_project")
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080044d0d904')
@@ -53,9 +39,8 @@
RBAC test for Identity 2.0 create_tenant
"""
- tenant_name = data_utils.rand_name('test_create_project')
rbac_utils.switch_role(self, switchToRbacRole=True)
- self._create_tenant(tenant_name)
+ self._create_tenant()
@rbac_rule_validation.action(service="keystone",
rule="identity:update_project")
@@ -66,12 +51,10 @@
RBAC test for Identity 2.0 update_tenant
"""
-
- tenant_name = data_utils.rand_name('test_update_project')
- tenant = self._create_tenant(tenant_name)
+ tenant = self._create_tenant()
rbac_utils.switch_role(self, switchToRbacRole=True)
- self.tenants_client.update_tenant(tenant['tenant']['id'],
+ self.tenants_client.update_tenant(tenant['id'],
description="Changed description")
@rbac_rule_validation.action(service="keystone",
@@ -83,12 +66,10 @@
RBAC test for Identity 2.0 delete_tenant
"""
-
- tenant_name = data_utils.rand_name('test_delete_project')
- tenant = self._create_tenant(tenant_name)
+ tenant = self._create_tenant()
rbac_utils.switch_role(self, switchToRbacRole=True)
- self.tenants_client.delete_tenant(tenant['tenant']['id'])
+ self.tenants_client.delete_tenant(tenant['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:get_project")
@@ -100,11 +81,10 @@
RBAC test for Identity 2.0 show_tenant
"""
- tenant_name = data_utils.rand_name('test_get_project')
- tenant = self._create_tenant(tenant_name)
+ tenant = self._create_tenant()
rbac_utils.switch_role(self, switchToRbacRole=True)
- self.tenants_client.show_tenant(tenant['tenant']['id'])
+ self.tenants_client.show_tenant(tenant['id'])
@rbac_rule_validation.action(service="keystone",
rule="identity:list_projects")
@@ -115,7 +95,6 @@
RBAC test for Identity 2.0 list_tenants
"""
-
rbac_utils.switch_role(self, switchToRbacRole=True)
self.tenants_client.list_tenants()
@@ -128,9 +107,7 @@
RBAC test for Identity 2.0 list_tenant_users
"""
-
- tenant_name = data_utils.rand_name('test_list_users_for_tenant')
- tenant = self._create_tenant(tenant_name)
+ tenant = self._create_tenant()
rbac_utils.switch_role(self, switchToRbacRole=True)
- self.tenants_client.list_tenant_users(tenant['tenant']['id'])
+ self.tenants_client.list_tenant_users(tenant['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
new file mode 100644
index 0000000..aa9170a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_roles_rbac.py
@@ -0,0 +1,156 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base
+
+CONF = config.CONF
+
+
+class IdentityRoleV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(IdentityRoleV2AdminRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(IdentityRoleV2AdminRbacTest, cls).setup_clients()
+ cls.roles_client = cls.os.roles_client
+
+ def _create_role(self):
+ role = self.roles_client.create_role(
+ name=data_utils.rand_name('test_role'))['role']
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role, role['id'])
+ return role
+
+ def _create_tenant_user_role(self):
+ role = self._create_role()
+ tenant = self._create_tenant()
+ user = self._create_user(tenantid=tenant['id'])
+ return tenant, user, role
+
+ def _create_role_on_project(self, tenant, user, role):
+ self.roles_client.create_user_role_on_project(
+ tenant['id'], user['id'], role['id'])
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ tenant['id'], user['id'], role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d904')
+ def test_create_role(self):
+
+ """Create Role Test
+
+ RBAC test for Identity Admin 2.0 role-create
+ """
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_role()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d905')
+ def test_delete_role(self):
+
+ """Delete Role Test
+
+ RBAC test for Identity Admin 2.0 role-delete
+ """
+ role = self._create_role()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role(role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_role")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d906')
+ def test_show_role(self):
+
+ """Get Role Test
+
+ RBAC test for Identity Admin 2.0
+ """
+ role = self._create_role()
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.show_role(role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_roles")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d907')
+ def test_list_roles(self):
+
+ """List Roles Test
+
+ RBAC test for Identity Admin 2.0 role-list
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_roles()
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:add_role_to_user")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d908')
+ def test_create_role_on_project(self):
+
+ """Assign User Role Test
+
+ RBAC test for Identity Admin 2.0 create_user_role_on_project
+ """
+ tenant, user, role = self._create_tenant_user_role()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_role_on_project(tenant, user, role)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:remove_role_from_user")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d909')
+ def test_delete_role_from_user_on_project(self):
+
+ """Remove User Roles Test
+
+ RBAC test for Identity Admin 2.0 delete_role_from_user_on_project
+ """
+ tenant, user, role = self._create_tenant_user_role()
+ self._create_role_on_project(tenant, user, role)
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.delete_role_from_user_on_project(
+ tenant['id'], user['id'], role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_user_roles")
+ @decorators.idempotent_id('0f148510-63bf-11e6-8674-080044d0d90a')
+ def test_list_user_roles_on_project(self):
+
+ """List User Roles Test
+
+ RBAC test for Identity Admin 2.0 list_user_roles_on_project
+ """
+ tenant = self._create_tenant()
+ user = self._create_user(tenantid=tenant['id'])
+
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.roles_client.list_user_roles_on_project(
+ tenant['id'], user['id'])