Merge "Identity V3 Tests - Projects"
diff --git a/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
new file mode 100644
index 0000000..4825f82
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
@@ -0,0 +1,50 @@
+#    Copyright 2017 AT&T Corporation.
+#    All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class MigrationsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
+
+    @classmethod
+    def setup_clients(cls):
+        super(MigrationsAdminRbacTest, cls).setup_clients()
+        cls.client = cls.migrations_client
+
+    @classmethod
+    def skip_checks(cls):
+        super(MigrationsAdminRbacTest, cls).skip_checks()
+        if not CONF.compute_feature_enabled.api_extensions:
+            raise cls.skipException(
+                '%s skipped as no compute extensions enabled' % cls.__name__)
+
+    def tearDown(self):
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(MigrationsAdminRbacTest, self).tearDown()
+
+    @decorators.idempotent_id('5795231c-3729-448c-a072-9a225db1a328')
+    @rbac_rule_validation.action(
+        service="nova",
+        rule="os_compute_api:os-migrations:index")
+    def test_list_services(self):
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.client.list_migrations()['migrations']
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
index 5fde02a..3d53df4 100644
--- a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -38,3 +38,4 @@
         super(BaseIdentityV3RbacAdminTest, cls).resource_setup()
         cls.auth_provider = cls.os.auth_provider
         cls.admin_client = cls.os_adm.identity_v3_client
+        cls.creds_client = cls.os.credentials_client
diff --git a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
new file mode 100644
index 0000000..45abe9f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -0,0 +1,117 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from tempest.common.utils import data_utils
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base
+
+
+class IdentityCredentialsV3AdminRbacTest(
+        rbac_base.BaseIdentityV3RbacAdminTest):
+
+    def tearDown(self):
+        """Reverts user back to admin for cleanup."""
+        rbac_utils.switch_role(self, switchToRbacRole=False)
+        super(IdentityCredentialsV3AdminRbacTest, self).tearDown()
+
+    def _create_credential(self):
+        """Creates a user, project, and credential for test."""
+        user = self.setup_test_user()
+        user_id = user['id']
+        project_id = user['project_id']
+        keys = [data_utils.rand_name('Access'),
+                data_utils.rand_name('Secret')]
+        blob = "{\"access\": \"%s\", \"secret\": \"%s\"}" % (
+            keys[0], keys[1])
+        credential = self.creds_client \
+                         .create_credential(user_id=user_id,
+                                            project_id=project_id,
+                                            blob=blob,
+                                            type='ec2')['credential']
+
+        self.addCleanup(self.creds_client.delete_credential, credential['id'])
+        return (project_id, credential)
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:create_credential")
+    @test.idempotent_id('c1ab6d34-c59f-4ae1-bae9-bb3c1089b48e')
+    def test_create_credential(self):
+        """Create a Credential.
+
+        RBAC test for Keystone: identity:create_credential
+        """
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self._create_credential()
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:update_credential")
+    @test.idempotent_id('cfb05ce3-bffb-496e-a3c2-9515d730da63')
+    def test_update_credential(self):
+        """Update a Credential.
+
+        RBAC test for Keystone: identity:update_credential
+        """
+        project_id, credential = self._create_credential()
+        # Update blob keys
+        new_keys = [data_utils.rand_name('NewAccess'),
+                    data_utils.rand_name('NewSecret')]
+
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.creds_client \
+            .update_credential(credential['id'],
+                               credential=credential,
+                               access_key=new_keys[0],
+                               secret_key=new_keys[1],
+                               project_id=project_id)['credential']
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:delete_credential")
+    @test.idempotent_id('87ab42af-8d41-401b-90df-21e72919fcde')
+    def test_delete_credential(self):
+        """Delete a Credential.
+
+        RBAC test for Keystone: identity:delete_credential
+        """
+        _, credential = self._create_credential()
+
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.creds_client.delete_credential(credential['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:get_credential")
+    @test.idempotent_id('1b6eeae6-f1e8-4cdf-8903-1c002b1fc271')
+    def test_show_credential(self):
+        """Show/Get a Credential.
+
+        RBAC test for Keystone: identity:get_credential
+        """
+        _, credential = self._create_credential()
+
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.creds_client.show_credential(credential['id'])
+
+    @rbac_rule_validation.action(service="keystone",
+                                 rule="identity:list_credentials")
+    @test.idempotent_id('3de303e2-12a7-4811-805a-f18906472038')
+    def test_list_credentials(self):
+        """List all Credentials.
+
+        RBAC test for Keystone: identity:list_credentials
+        """
+        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.creds_client.list_credentials()