Add skip check to tests that modify the user source
When using an immutable user source, test should skip if the
test tries to modify the user source. This includes creating,
updating and deleting users. A similar change was merged here:
https://review.opendev.org/#/c/670590/
Change-Id: If7c6ae7fc57a4ac256cf668c4075ee86143202ea
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
index 185dc8c..aa77aa3 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -45,6 +45,9 @@
with self.override_role():
self.setup_test_credential(user=user)
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:update_credential"])
@decorators.idempotent_id('cfb05ce3-bffb-496e-a3c2-9515d730da63')
@@ -61,6 +64,9 @@
secret_key=new_keys[1],
project_id=credential['project_id'])
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:delete_credential"])
@decorators.idempotent_id('87ab42af-8d41-401b-90df-21e72919fcde')
@@ -70,6 +76,9 @@
with self.override_role():
self.creds_client.delete_credential(credential['id'])
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:get_credential"])
@decorators.idempotent_id('1b6eeae6-f1e8-4cdf-8903-1c002b1fc271')
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
index 7fc4a43..1e79501 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -13,12 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
+
+from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
+CONF = config.CONF
+
class IdentityGroupsV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@@ -82,6 +87,9 @@
with self.override_role():
self.groups_client.add_group_user(group['id'], user['id'])
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:remove_user_from_group"])
@decorators.idempotent_id('8a60d11c-7d2b-47e5-a0f3-9ea900ca66fe')
@@ -100,6 +108,9 @@
with self.override_role():
self.groups_client.list_group_users(group['id'])
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ 'Skipped because environment has an immutable user '
+ 'source and solely provides read-only access to users.')
@rbac_rule_validation.action(service="keystone",
rules=["identity:check_user_in_group"])
@decorators.idempotent_id('d3603241-fd87-4a2d-94f9-f32469d1aaba')
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
index 4f447c0..c93afa1 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_roles_rbac.py
@@ -13,6 +13,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -20,6 +21,8 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
+CONF = config.CONF
+
class IdentityRolesV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@@ -31,7 +34,6 @@
cls.group = cls.setup_test_group()
cls.role = cls.setup_test_role()
cls.implies_role = cls.setup_test_role()
- cls.user = cls.setup_test_user()
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_role"])
@@ -76,21 +78,6 @@
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_grant"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d909')
- def test_create_user_role_on_project(self):
- with self.override_role():
- self.roles_client.create_user_role_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_project,
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:create_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90c')
def test_create_group_role_on_project(self):
with self.override_role():
@@ -106,21 +93,6 @@
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_grant"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
- def test_create_user_role_on_domain(self):
- with self.override_role():
- self.roles_client.create_user_role_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_domain,
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:create_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d912')
def test_create_group_role_on_domain(self):
with self.override_role():
@@ -134,46 +106,6 @@
self.group['id'],
self.role['id'])
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:check_grant"])
- @decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
- def test_check_user_role_existence_on_project(self):
- self.roles_client.create_user_role_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_project,
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
- with self.override_role():
- self.roles_client.check_user_role_existence_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
- @decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:check_grant"])
- def test_check_user_role_existence_on_domain(self):
- self.roles_client.create_user_role_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_domain,
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
- with self.override_role():
- self.roles_client.check_user_role_existence_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
@decorators.idempotent_id('8738d3d2-8c84-4423-b36c-7c59eaa08b73')
@rbac_rule_validation.action(service="keystone",
rules=["identity:check_grant"])
@@ -216,26 +148,6 @@
@rbac_rule_validation.action(service="keystone",
rules=["identity:revoke_grant"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
- def test_delete_role_from_user_on_project(self):
- self.roles_client.create_user_role_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_project,
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
- with self.override_role():
- self.roles_client.delete_role_from_user_on_project(
- self.project['id'],
- self.user['id'],
- self.role['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:revoke_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90d')
def test_delete_role_from_group_on_project(self):
self.roles_client.create_group_role_on_project(
@@ -256,26 +168,6 @@
@rbac_rule_validation.action(service="keystone",
rules=["identity:revoke_grant"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
- def test_delete_role_from_user_on_domain(self):
- self.roles_client.create_user_role_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
- self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.roles_client.delete_role_from_user_on_domain,
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
- with self.override_role():
- self.roles_client.delete_role_from_user_on_domain(
- self.domain['id'],
- self.user['id'],
- self.role['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:revoke_grant"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d913')
def test_delete_role_from_group_on_domain(self):
self.roles_client.create_group_role_on_domain(
@@ -296,15 +188,6 @@
@rbac_rule_validation.action(service="keystone",
rules=["identity:list_grants"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
- def test_list_user_roles_on_project(self):
- with self.override_role():
- self.roles_client.list_user_roles_on_project(
- self.project['id'],
- self.user['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:list_grants"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90e')
def test_list_group_roles_on_project(self):
with self.override_role():
@@ -314,15 +197,6 @@
@rbac_rule_validation.action(service="keystone",
rules=["identity:list_grants"])
- @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
- def test_list_user_roles_on_domain(self):
- with self.override_role():
- self.roles_client.list_user_roles_on_domain(
- self.domain['id'],
- self.user['id'])
-
- @rbac_rule_validation.action(service="keystone",
- rules=["identity:list_grants"])
@decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d914')
def test_list_group_roles_on_domain(self):
with self.override_role():
@@ -393,3 +267,156 @@
def test_list_all_role_inference_rules(self):
with self.override_role():
self.roles_client.list_all_role_inference_rules()
+
+
+class IdentityRolesUserCreateV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
+ """Tests identity roles v3 API endpoints that require user creation.
+ This is in a separate class to better manage immutable user source feature
+ flag.
+ """
+
+ @classmethod
+ def skip_checks(cls):
+ super(IdentityRolesUserCreateV3RbacTest, cls).skip_checks()
+ if CONF.identity_feature_enabled.immutable_user_source:
+ raise cls.skipException('Skipped because environment has an '
+ 'immutable user source and solely '
+ 'provides read-only access to users.')
+
+ @classmethod
+ def resource_setup(cls):
+ super(IdentityRolesUserCreateV3RbacTest, cls).resource_setup()
+ cls.domain = cls.setup_test_domain()
+ cls.project = cls.setup_test_project()
+ cls.group = cls.setup_test_group()
+ cls.role = cls.setup_test_role()
+ cls.implies_role = cls.setup_test_role()
+ cls.user = cls.setup_test_user()
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:create_grant"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d909')
+ def test_create_user_role_on_project(self):
+ with self.override_role():
+ self.roles_client.create_user_role_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:create_grant"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90f')
+ def test_create_user_role_on_domain(self):
+ with self.override_role():
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:check_grant"])
+ @decorators.idempotent_id('22921b1e-1a33-4026-bff9-f236d6dd149c')
+ def test_check_user_role_existence_on_project(self):
+ self.roles_client.create_user_role_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ with self.override_role():
+ self.roles_client.check_user_role_existence_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @decorators.idempotent_id('92f8e67d-85bf-407d-9814-edd5664abc47')
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:check_grant"])
+ def test_check_user_role_existence_on_domain(self):
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ with self.override_role():
+ self.roles_client.check_user_role_existence_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:revoke_grant"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90a')
+ def test_delete_role_from_user_on_project(self):
+ self.roles_client.create_user_role_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_project,
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ with self.override_role():
+ self.roles_client.delete_role_from_user_on_project(
+ self.project['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:revoke_grant"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d910')
+ def test_delete_role_from_user_on_domain(self):
+ self.roles_client.create_user_role_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.roles_client.delete_role_from_user_on_domain,
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ with self.override_role():
+ self.roles_client.delete_role_from_user_on_domain(
+ self.domain['id'],
+ self.user['id'],
+ self.role['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:list_grants"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d90b')
+ def test_list_user_roles_on_project(self):
+ with self.override_role():
+ self.roles_client.list_user_roles_on_project(
+ self.project['id'],
+ self.user['id'])
+
+ @rbac_rule_validation.action(service="keystone",
+ rules=["identity:list_grants"])
+ @decorators.idempotent_id('0f148510-63bf-11e6-1395-080044d0d911')
+ def test_list_user_roles_on_domain(self):
+ with self.override_role():
+ self.roles_client.list_user_roles_on_domain(
+ self.domain['id'],
+ self.user['id'])
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
index bd34f9e..23c75c6 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_trusts_rbac.py
@@ -35,6 +35,10 @@
if not CONF.identity_feature_enabled.trust:
raise cls.skipException(
"%s skipped as trust feature isn't enabled" % cls.__name__)
+ if CONF.identity_feature_enabled.immutable_user_source:
+ raise cls.skipException('Skipped because environment has an '
+ 'immutable user source and solely '
+ 'provides read-only access to users.')
@classmethod
def resource_setup(cls):
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
index 9f6f028..0d2a04d 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -13,12 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
+import testtools
+
+from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.identity import rbac_base
+CONF = config.CONF
+
class IdentityUserV3RbacTest(rbac_base.BaseIdentityV3RbacTest):
@@ -27,6 +32,8 @@
super(IdentityUserV3RbacTest, cls).resource_setup()
cls.default_user_id = cls.os_primary.credentials.user_id
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ "Configured to use an immutable user source")
@rbac_rule_validation.action(service="keystone",
rules=["identity:create_user"])
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d904')
@@ -34,6 +41,8 @@
with self.override_role():
self.setup_test_user()
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ "Configured to use an immutable user source")
@rbac_rule_validation.action(service="keystone",
rules=["identity:update_user"])
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d905')
@@ -47,6 +56,8 @@
name=user['name'],
email=new_email)
+ @testtools.skipIf(CONF.identity_feature_enabled.immutable_user_source,
+ "Configured to use an immutable user source")
@rbac_rule_validation.action(service="keystone",
rules=["identity:delete_user"])
@decorators.idempotent_id('0f148510-63bf-11e6-4522-080044d0d906')