Merge "Use admin creds for waiting"
diff --git a/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
index ff79684..f9b065c 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
@@ -29,11 +29,6 @@
msg = "%s skipped as os-server-groups not enabled." % cls.__name__
raise cls.skipException(msg)
- @classmethod
- def resource_setup(cls):
- super(ServerGroupsRbacTest, cls).resource_setup()
- cls.server = cls.create_test_server(wait_until='ACTIVE')
-
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-server-groups:create")
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index a053614..2998dbe 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -230,6 +230,8 @@
cls.domains_client = cls.os_primary.domains_client
cls.domain_config_client = cls.os_primary.domain_config_client
cls.endpoints_client = cls.os_primary.endpoints_v3_client
+ cls.endpoint_filter_client = cls.os_primary.endpoint_filter_client
+ cls.endpoint_groups_client = cls.os_primary.endpoint_groups_client
cls.groups_client = cls.os_primary.groups_client
cls.identity_client = cls.os_primary.identity_v3_client
cls.projects_client = cls.os_primary.projects_client
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py
new file mode 100644
index 0000000..e7b73b6
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_groups_rbac.py
@@ -0,0 +1,108 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+
+class EndpointFilterGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+
+ interface = 'public'
+
+ @classmethod
+ def resource_setup(cls):
+ super(EndpointFilterGroupsV3RbacTest, cls).resource_setup()
+ cls.service_id = cls.setup_test_service()['id']
+
+ def setUp(self):
+ super(EndpointFilterGroupsV3RbacTest, self).setUp()
+ self.endpoint_group_id = self._create_endpoint_group()
+
+ def _create_endpoint_group(self, ignore_not_found=False):
+ # Create an endpoint group
+ ep_group_name = data_utils.rand_name(
+ self.__class__.__name__ + '-EPFilterGroup')
+ filters = {
+ 'filters': {
+ 'interface': self.interface,
+ 'service_id': self.service_id
+ }
+ }
+ endpoint_group = self.endpoint_groups_client.create_endpoint_group(
+ name=ep_group_name, **filters)['endpoint_group']
+
+ if ignore_not_found:
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.endpoint_groups_client.delete_endpoint_group,
+ endpoint_group['id'])
+ else:
+ self.addCleanup(self.endpoint_groups_client.delete_endpoint_group,
+ endpoint_group['id'])
+
+ return endpoint_group['id']
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:create_endpoint_group")
+ @decorators.idempotent_id('b4765906-52ec-477b-b441-a8508ced68e3')
+ def test_create_endpoint_group(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self._create_endpoint_group(ignore_not_found=True)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:list_endpoint_groups")
+ @decorators.idempotent_id('089aa3a7-ba1f-4f70-a1cf-f298a845058a')
+ def test_list_endpoint_groups(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.endpoint_groups_client.list_endpoint_groups()['endpoint_groups']
+
+ @decorators.idempotent_id('5c16368d-1485-4c28-9803-db3fa3510623')
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:check_endpoint_group")
+ def test_check_endpoint_group(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.endpoint_groups_client.check_endpoint_group(
+ self.endpoint_group_id)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:get_endpoint_group")
+ @decorators.idempotent_id('bd2b6fb8-661f-4255-84b2-50fea4a1dc61')
+ def test_show_endpoint_group(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.endpoint_groups_client.show_endpoint_group(
+ self.endpoint_group_id)['endpoint_group']
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:update_endpoint_group")
+ @decorators.idempotent_id('028b9198-ec35-4bd5-8f72-e23dfb7a0c8e')
+ def test_update_endpoint_group(self):
+ updated_name = data_utils.rand_name(
+ self.__class__.__name__ + '-EPFilterGroup')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.endpoint_groups_client.update_endpoint_group(
+ self.endpoint_group_id, name=updated_name)['endpoint_group']
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:delete_endpoint_group")
+ @decorators.idempotent_id('88cc105e-70d9-48ac-927e-200ef41e070c')
+ def test_delete_endpoint_group(self):
+ endpoint_group_id = self._create_endpoint_group(ignore_not_found=True)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.endpoint_groups_client.delete_endpoint_group(endpoint_group_id)
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoint_filter_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_projects_rbac.py
similarity index 70%
rename from patrole_tempest_plugin/tests/api/identity/v3/test_endpoint_filter_rbac.py
rename to patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_projects_rbac.py
index 7e844e7..7a4f2d7 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoint_filter_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_ep_filter_projects_rbac.py
@@ -20,28 +20,27 @@
from patrole_tempest_plugin.tests.api.identity import rbac_base
-class IdentityEndpointsFilterV3RbacTest(
- rbac_base.BaseIdentityV3RbacTest):
-
- @classmethod
- def setup_clients(cls):
- super(IdentityEndpointsFilterV3RbacTest, cls).setup_clients()
- cls.ep_api_client = cls.os_primary.endpoint_filter_client
+class EndpointFilterProjectsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@classmethod
def resource_setup(cls):
- super(IdentityEndpointsFilterV3RbacTest, cls).resource_setup()
+ super(EndpointFilterProjectsV3RbacTest, cls).resource_setup()
cls.project = cls.setup_test_project()
- cls.service = cls.setup_test_service()
- cls.endpoint = cls.setup_test_endpoint(service=cls.service)
+ cls.endpoint = cls.setup_test_endpoint()
- def _add_endpoint_to_project(self):
- # Adding and cleaning up endpoints to projects
- self.ep_api_client.add_endpoint_to_project(
+ def _add_endpoint_to_project(self, ignore_not_found=False):
+ self.endpoint_filter_client.add_endpoint_to_project(
self.project['id'], self.endpoint['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.ep_api_client.delete_endpoint_from_project,
- self.project['id'], self.endpoint['id'])
+
+ if ignore_not_found:
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.endpoint_filter_client.delete_endpoint_from_project,
+ self.project['id'], self.endpoint['id'])
+ else:
+ self.addCleanup(
+ self.endpoint_filter_client.delete_endpoint_from_project,
+ self.project['id'], self.endpoint['id'])
@rbac_rule_validation.action(
service="keystone",
@@ -50,7 +49,7 @@
def test_add_endpoint_to_project(self):
# Adding endpoints to projects
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self._add_endpoint_to_project()
+ self._add_endpoint_to_project(ignore_not_found=True)
@rbac_rule_validation.action(
service="keystone",
@@ -58,7 +57,7 @@
@decorators.idempotent_id('f53dca42-ec8a-48e9-924b-0bbe6c99727f')
def test_list_projects_for_endpoint(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ep_api_client.list_projects_for_endpoint(
+ self.endpoint_filter_client.list_projects_for_endpoint(
self.endpoint['id'])
@rbac_rule_validation.action(
@@ -68,7 +67,7 @@
def test_check_endpoint_in_project(self):
self._add_endpoint_to_project()
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ep_api_client.check_endpoint_in_project(
+ self.endpoint_filter_client.check_endpoint_in_project(
self.project['id'], self.endpoint['id'])
@rbac_rule_validation.action(
@@ -77,7 +76,7 @@
@decorators.idempotent_id('5d86c659-c6ad-41e0-854e-3823e95c7cc2')
def test_list_endpoints_in_project(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ep_api_client.list_endpoints_in_project(
+ self.endpoint_filter_client.list_endpoints_in_project(
self.project['id'])
@rbac_rule_validation.action(
@@ -85,7 +84,7 @@
rule="identity:remove_endpoint_from_project")
@decorators.idempotent_id('b4e21c10-4f47-427b-9b8a-f5b5601adfda')
def test_remove_endpoint_from_project(self):
- self._add_endpoint_to_project()
+ self._add_endpoint_to_project(ignore_not_found=True)
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.ep_api_client.delete_endpoint_from_project(
+ self.endpoint_filter_client.delete_endpoint_from_project(
self.project['id'], self.endpoint['id'])
diff --git a/releasenotes/notes/ep-filter-groups-rbac-tests-bca28e9a055bbb8d.yaml b/releasenotes/notes/ep-filter-groups-rbac-tests-bca28e9a055bbb8d.yaml
new file mode 100644
index 0000000..6014061
--- /dev/null
+++ b/releasenotes/notes/ep-filter-groups-rbac-tests-bca28e9a055bbb8d.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Add group-specific RBAC tests for the identity v3 extension API,
+ OS-EP-FILTER, providing coverage for the following policy actions:
+
+ * identity:create_endpoint_group
+ * identity:list_endpoint_groups
+ * identity:show_endpoint_group (get endpoint group)
+ * identity:check_endpoint_group
+ * identity:list_endpoint_group (get endpoint groups)
+ * identity:update_endpoint_group
+ * identity:delete_endpoint_group