Merge "Identity v3 RBAC Tests - EP Filter Groups"
diff --git a/patrole_tempest_plugin/rbac_policy_parser.py b/patrole_tempest_plugin/rbac_policy_parser.py
index 1047d37..bb34f6c 100644
--- a/patrole_tempest_plugin/rbac_policy_parser.py
+++ b/patrole_tempest_plugin/rbac_policy_parser.py
@@ -66,15 +66,8 @@
if extra_target_data is None:
extra_target_data = {}
- # First check if the service is valid
- service = service.lower().strip() if service else None
- self.admin_mgr = credentials.AdminManager()
- services = self.admin_mgr.identity_services_v3_client.\
- list_services()['services']
- service_names = [s['name'] for s in services]
- if not service or not any(service in name for name in service_names):
- LOG.debug(str(service) + " is NOT a valid service.")
- raise rbac_exceptions.RbacInvalidService
+ # First check if the service is valid.
+ self.validate_service(service)
# Use default path in /etc/<service_name/policy.json if no path
# is provided.
@@ -90,6 +83,24 @@
self.user_id = user_id
self.extra_target_data = extra_target_data
+ @classmethod
+ def validate_service(cls, service):
+ """Validate whether the service passed to ``init`` exists."""
+ service = service.lower().strip() if service else None
+
+ # Cache the list of available services in memory to avoid needlessly
+ # doing an API call every time.
+ if not hasattr(cls, 'available_services'):
+ admin_mgr = credentials.AdminManager()
+ services = admin_mgr.identity_services_v3_client.\
+ list_services()['services']
+ cls.available_services = [s['name'] for s in services]
+
+ if not service or service not in cls.available_services:
+ LOG.debug("%s is NOT a valid service.", service)
+ raise rbac_exceptions.RbacInvalidService(
+ "%s is NOT a valid service." % service)
+
def allowed(self, rule_name, role):
is_admin_context = self._is_admin_context(role)
is_allowed = self._allowed(
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index ba04a30..53f84ff 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -29,6 +29,8 @@
CONF = config.CONF
LOG = logging.getLogger(__name__)
+_SUPPORTED_ERROR_CODES = [403, 404]
+
def action(service, rule='', admin_only=False, expected_error_code=403,
extra_target_data=None):
@@ -47,15 +49,13 @@
:param service: A OpenStack service: for example, "nova" or "neutron".
:param rule: A policy action defined in a policy.json file (or in code).
:param admin_only: Skips over oslo.policy check because the policy action
- defined by `rule` is not enforced by the service's
- policy enforcement logic. For example, Keystone v2
- performs an admin check for most of its endpoints. If
- True, `rule` is effectively ignored.
+ defined by `rule` is not enforced by the service's policy enforcement
+ logic. For example, Keystone v2 performs an admin check for most of its
+ endpoints. If True, `rule` is effectively ignored.
:param expected_error_code: Overrides default value of 403 (Forbidden)
- with endpoint-specific error code. Currently
- only supports 403 and 404. Support for 404
- is needed because some services, like Neutron,
- intentionally throw a 404 for security reasons.
+ with endpoint-specific error code. Currently only supports 403 and 404.
+ Support for 404 is needed because some services, like Neutron,
+ intentionally throw a 404 for security reasons.
:raises NotFound: if `service` is invalid or
if Tempest credentials cannot be found.
@@ -163,10 +163,29 @@
return False
-def _get_exception_type(expected_error_code):
+def _get_exception_type(expected_error_code=403):
+ """Dynamically calculate the expected exception to be caught.
+
+ Dynamically calculate the expected exception to be caught by the test case.
+ Only `Forbidden` and `NotFound` exceptions are permitted. `NotFound` is
+ supported because Neutron, for security reasons, masks `Forbidden`
+ exceptions as `NotFound` exceptions.
+
+ :param expected_error_code: the integer representation of the expected
+ exception to be caught. Must be contained in `_SUPPORTED_ERROR_CODES`.
+ :returns: tuple of the exception type corresponding to
+ `expected_error_code` and a message explaining that a non-Forbidden
+ exception was expected, if applicable.
+ """
expected_exception = None
irregular_msg = None
- supported_error_codes = [403, 404]
+
+ if not isinstance(expected_error_code, six.integer_types) \
+ or expected_error_code not in _SUPPORTED_ERROR_CODES:
+ msg = ("Please pass an expected error code. Currently "
+ "supported codes: {0}".format(_SUPPORTED_ERROR_CODES))
+ LOG.error(msg)
+ raise rbac_exceptions.RbacInvalidErrorCode(msg)
if expected_error_code == 403:
expected_exception = exceptions.Forbidden
@@ -175,11 +194,6 @@
irregular_msg = ("NotFound exception was caught for policy action "
"{0}. The service {1} throws a 404 instead of a 403, "
"which is irregular.")
- else:
- msg = ("Please pass an expected error code. Currently "
- "supported codes: {0}".format(str(supported_error_codes)))
- LOG.error(msg)
- raise rbac_exceptions.RbacInvalidErrorCode()
return expected_exception, irregular_msg
@@ -200,7 +214,7 @@
:param test_obj: type BaseTestCase (tempest base test class)
:param extra_target_data: dictionary with unresolved string literals that
- reference nested BaseTestCase attributes
+ reference nested BaseTestCase attributes
:returns: dictionary with resolved BaseTestCase attributes
"""
attr_value = test_obj
diff --git a/patrole_tempest_plugin/tests/api/identity/rbac_base.py b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
index 3c171ab..2998dbe 100644
--- a/patrole_tempest_plugin/tests/api/identity/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/rbac_base.py
@@ -183,6 +183,7 @@
def resource_setup(cls):
super(BaseIdentityV2AdminRbacTest, cls).resource_setup()
cls.tenants = []
+ cls.tokens = []
@classmethod
def resource_cleanup(cls):
@@ -190,6 +191,10 @@
test_utils.call_and_ignore_notfound_exc(
cls.tenants_client.delete_tenant, tenant['id'])
+ for token in cls.tokens:
+ test_utils.call_and_ignore_notfound_exc(
+ cls.client.delete_token, token)
+
super(BaseIdentityV2AdminRbacTest, cls).resource_cleanup()
@classmethod
@@ -203,6 +208,15 @@
cls.tenants.append(tenant)
return tenant
+ @classmethod
+ def setup_test_token(cls, user_name, password, tenant_name):
+ """Set up a test token."""
+ token = cls.token_client.auth(user_name, password,
+ tenant_name)['token']
+ token_id = token['id']
+ cls.tokens.append(token_id)
+ return token_id
+
class BaseIdentityV3RbacTest(BaseIdentityRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py b/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py
new file mode 100644
index 0000000..25150dd
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_tokens_rbac.py
@@ -0,0 +1,72 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.identity import rbac_base
+
+
+class IdentityTokenV2RbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
+
+ def _create_token(self):
+
+ user_name = self.client.auth_provider.credentials.username
+ tenant_name = self.client.auth_provider.credentials.tenant_name
+ password = self.client.auth_provider.credentials.password
+ token_id = self.setup_test_token(user_name, password,
+ tenant_name)
+ return token_id
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:validate_token")
+ @decorators.idempotent_id('71471202-4c4e-4a3d-9d41-57eb621bf3bb')
+ def test_validate_token(self):
+
+ """Validate token (get-token)
+
+ RBAC test for Identity v2 get token validation
+ """
+ token_id = self._create_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.client.show_token(token_id)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:revoke_token")
+ @decorators.idempotent_id('77338f66-0713-4f20-b11c-b0d750618276')
+ def test_revoke_token(self):
+
+ """Revoke token (delete-token)
+
+ RBAC test for Identity v2 delete token
+ """
+ token_id = self._create_token()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.client.delete_token(token_id)
+
+ @rbac_rule_validation.action(service="keystone",
+ rule="identity:validate_token_head")
+ @decorators.idempotent_id('71471202-4c4e-4a3d-9d41-57eb621bf3ba')
+ def test_check_token_existence(self):
+
+ """Validate Token head
+
+ RBAC test for Identity v2 token head validation
+ """
+ token_id = self._create_token()
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.client.check_token_existence(token_id)
diff --git a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
index a875321..67b32a2 100644
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -15,7 +15,6 @@
import netaddr
-from oslo_log import log
from tempest import config
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -24,7 +23,6 @@
from patrole_tempest_plugin.tests.api.network import rbac_base as base
CONF = config.CONF
-LOG = log.getLogger(__name__)
class FloatingIpsRbacTest(base.BaseNetworkRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
index 2efb3fe..3c74c07 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_label_rules_rbac.py
@@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-from oslo_log import log
from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
@@ -24,7 +23,6 @@
from patrole_tempest_plugin.tests.api.network import rbac_base as base
CONF = config.CONF
-LOG = log.getLogger(__name__)
class MeteringLabelRulesRbacTest(base.BaseNetworkRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
index 9aabfa0..89c6870 100644
--- a/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_metering_labels_rbac.py
@@ -13,7 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-from oslo_log import log
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -22,8 +21,6 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
-LOG = log.getLogger(__name__)
-
class MeteringLabelsRbacTest(base.BaseNetworkRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
index 1be46ab..6aec5d1 100644
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -15,21 +15,16 @@
import netaddr
-from oslo_log import log
-
from tempest.common.utils import net_utils
-from tempest import config
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
from tempest import test
+from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
-CONF = config.CONF
-LOG = log.getLogger(__name__)
-
class RouterRbacTest(base.BaseNetworkRbacTest):
@classmethod
@@ -42,8 +37,9 @@
@classmethod
def resource_setup(cls):
super(RouterRbacTest, cls).resource_setup()
- post_body = {}
- post_body['router:external'] = True
+ # Create a network with external gateway so that
+ # ``external_gateway_info`` policies can be validated.
+ post_body = {'router:external': True}
cls.network = cls.create_network(**post_body)
cls.subnet = cls.create_subnet(cls.network)
cls.ip_range = netaddr.IPRange(
@@ -51,6 +47,14 @@
cls.subnet['allocation_pools'][0]['end'])
cls.router = cls.create_router()
+ def _get_unused_ip_address(self):
+ unused_ip = net_utils.get_unused_ip_addresses(self.ports_client,
+ self.subnets_client,
+ self.network['id'],
+ self.subnet['id'],
+ 1)
+ return unused_ip[0]
+
@rbac_rule_validation.action(service="neutron",
rule="create_router")
@decorators.idempotent_id('acc5005c-bdb6-4192-bc9f-ece9035bb488')
@@ -64,6 +68,35 @@
self.addCleanup(self.routers_client.delete_router,
router['router']['id'])
+ @decorators.idempotent_id('6139eb97-95c0-40d8-a109-99de11ab2e5e')
+ @test.requires_ext(extension='l3-ha', service='network')
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_router:ha")
+ def test_create_high_availability_router(self):
+ """Create high-availability router
+
+ RBAC test for the neutron create_router:ha policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ router = self.routers_client.create_router(ha=True)
+ self.addCleanup(self.routers_client.delete_router,
+ router['router']['id'])
+
+ @decorators.idempotent_id('c6254ca6-2728-412d-803d-d4aa3935e56d')
+ @test.requires_ext(extension='dvr', service='network')
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_router:distributed")
+ def test_create_distributed_router(self):
+ """Create distributed router
+
+ RBAC test for the neutron create_router:distributed policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ router = self.routers_client.create_router(distributed=True)
+ self.addCleanup(self.routers_client.delete_router,
+ router['router']['id'])
+
+ @test.requires_ext(extension='ext-gw-mode', service='network')
@rbac_rule_validation.action(
service="neutron",
rule="create_router:external_gateway_info:enable_snat")
@@ -96,16 +129,11 @@
"""
name = data_utils.rand_name(self.__class__.__name__ + '-snat-router')
- # Pick an unused IP address.
- ip_list = net_utils.get_unused_ip_addresses(self.ports_client,
- self.subnets_client,
- self.network['id'],
- self.subnet['id'],
- 1)
+ unused_ip = self._get_unused_ip_address()
external_fixed_ips = {'subnet_id': self.subnet['id'],
- 'ip_address': ip_list[0]}
+ 'ip_address': unused_ip}
external_gateway_info = {'network_id': self.network['id'],
- 'enable_snat': False,
+ 'enable_snat': False, # Default is True.
'external_fixed_ips': [external_fixed_ips]}
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
@@ -124,7 +152,29 @@
RBAC test for the neutron get_router policy
"""
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.show_router(self.router['id'])
+ # Prevent other policies from being enforced by using barebones fields.
+ self.routers_client.show_router(self.router['id'], fields=['id'])
+
+ @decorators.idempotent_id('3ed26ea2-b419-410c-b4b5-576c1edafa06')
+ @test.requires_ext(extension='dvr', service='network')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_router:distributed")
+ def test_show_distributed_router(self):
+ """Get distributed router
+
+ RBAC test for the neutron get_router:distributed policy
+ """
+ router = self.routers_client.create_router(distributed=True)['router']
+ self.addCleanup(self.routers_client.delete_router, router['id'])
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ retrieved_fields = self.routers_client.show_router(
+ router['id'], fields=['distributed'])['router']
+
+ # Rather than throwing a 403, the field is not present, so raise exc.
+ if 'distributed' not in retrieved_fields:
+ raise rbac_exceptions.RbacActionFailed(
+ '"distributed" parameter not present in response body')
@rbac_rule_validation.action(
service="neutron", rule="update_router")
@@ -134,11 +184,10 @@
RBAC test for the neutron update_router policy
"""
- new_name = data_utils.rand_name(self.__class__.__name__ +
- '-new-router-name')
+ new_name = data_utils.rand_name(
+ self.__class__.__name__ + '-new-router-name')
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.routers_client.update_router(self.router['id'],
- name=new_name)
+ self.routers_client.update_router(self.router['id'], name=new_name)
@rbac_rule_validation.action(
service="neutron", rule="update_router:external_gateway_info")
@@ -172,6 +221,7 @@
self.router['id'],
external_gateway_info=None)
+ @test.requires_ext(extension='ext-gw-mode', service='network')
@rbac_rule_validation.action(
service="neutron",
rule="update_router:external_gateway_info:enable_snat")
@@ -202,14 +252,9 @@
RBAC test for the neutron
update_router:external_gateway_info:external_fixed_ips policy
"""
- # Pick an unused IP address.
- ip_list = net_utils.get_unused_ip_addresses(self.ports_client,
- self.subnets_client,
- self.network['id'],
- self.subnet['id'],
- 1)
+ unused_ip = self._get_unused_ip_address()
external_fixed_ips = {'subnet_id': self.subnet['id'],
- 'ip_address': ip_list[0]}
+ 'ip_address': unused_ip}
external_gateway_info = {'network_id': self.network['id'],
'external_fixed_ips': [external_fixed_ips]}
@@ -222,6 +267,34 @@
self.router['id'],
external_gateway_info=None)
+ @decorators.idempotent_id('ddc20731-dea1-4321-9abf-8772bf0b5977')
+ @test.requires_ext(extension='l3-ha', service='network')
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_router:ha")
+ def test_update_high_availability_router(self):
+ """Update high-availability router
+
+ RBAC test for the neutron update_router:ha policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.routers_client.update_router(self.router['id'], ha=True)
+ self.addCleanup(self.routers_client.update_router, self.router['id'],
+ ha=False)
+
+ @decorators.idempotent_id('e1932c19-8f73-41cd-b5d2-84c7ae5d530c')
+ @test.requires_ext(extension='dvr', service='network')
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_router:distributed")
+ def test_update_distributed_router(self):
+ """Update distributed router
+
+ RBAC test for the neutron update_router:distributed policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.routers_client.update_router(self.router['id'], distributed=True)
+ self.addCleanup(self.routers_client.update_router, self.router['id'],
+ distributed=False)
+
@rbac_rule_validation.action(service="neutron",
rule="delete_router",
expected_error_code=404)
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
index 2ccc688..2672b57 100644
--- a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -13,8 +13,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-from oslo_log import log
-
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
@@ -23,8 +21,6 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.network import rbac_base as base
-LOG = log.getLogger(__name__)
-
class SecGroupRbacTest(base.BaseNetworkRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
new file mode 100644
index 0000000..68f5156
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_subnets_rbac.py
@@ -0,0 +1,96 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+
+class SubnetsRbacTest(base.BaseNetworkRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(SubnetsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('subnet_allocation', 'network'):
+ msg = "subnet_allocation extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(SubnetsRbacTest, cls).resource_setup()
+ cls.network = cls.create_network()
+ cls.subnet = cls.create_subnet(cls.network)
+
+ @decorators.idempotent_id('0481adeb-4301-44d5-851c-35910cc18a6b')
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_subnet")
+ def test_create_subnet(self):
+ """Create subnet.
+
+ RBAC test for the neutron "create_subnet" policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.create_subnet(self.network)
+
+ @decorators.idempotent_id('c02618e7-bb20-4abd-83c8-6eec2af08752')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_subnet")
+ def test_show_subnet(self):
+ """Show subnet.
+
+ RBAC test for the neutron "get_subnet" policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.subnets_client.show_subnet(self.subnet['id'])
+
+ @decorators.idempotent_id('e2ddc415-5cab-43f4-9b61-166aed65d637')
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_subnet")
+ def test_list_subnets(self):
+ """List subnets.
+
+ RBAC test for the neutron "get_subnet" policy
+ """
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.subnets_client.list_subnets()
+
+ @decorators.idempotent_id('f36cd821-dd22-4bd0-b43d-110fc4b553eb')
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_subnet")
+ def test_update_subnet(self):
+ """Update subnet.
+
+ RBAC test for the neutron "update_subnet" policy
+ """
+ update_name = data_utils.rand_name(self.__class__.__name__ + '-Subnet')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.subnets_client.update_subnet(self.subnet['id'], name=update_name)
+
+ @decorators.idempotent_id('bcfc7153-bbd1-43a4-a908-b3e1b0cde0dc')
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_subnet")
+ def test_delete_subnet(self):
+ """Delete subnet.
+
+ RBAC test for the neutron "delete_subnet" policy
+ """
+ subnet = self.create_subnet(self.network)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.subnets_client.delete_subnet(subnet['id'])
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
index f27b8a8..7916c8c 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -29,13 +29,10 @@
class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
- # TODO(felipemonteiro): "volume_extension:volume_actions:upload_public"
- # test can be created once volumes v3 client is created in Tempest.
-
@classmethod
def setup_clients(cls):
super(VolumesActionsRbacTest, cls).setup_clients()
- cls.image_client = cls.os_primary.image_client_v2
+ cls.admin_image_client = cls.os_admin.image_client_v2
@classmethod
def resource_setup(cls):
@@ -87,6 +84,7 @@
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
self._detach_volume()
+ @test.attr(type=["slow"])
@test.services('image')
@rbac_rule_validation.action(
service="cinder",
@@ -104,9 +102,10 @@
disk_format=CONF.volume.disk_format)['os-volume_upload_image']
image_id = body["image_id"]
self.addCleanup(test_utils.call_and_ignore_notfound_exc,
- self.image_client.delete_image,
+ self.admin_image_client.delete_image,
image_id)
- waiters.wait_for_image_status(self.image_client, image_id, 'active')
+ waiters.wait_for_image_status(self.admin_image_client, image_id,
+ 'active')
waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
self.volume['id'], 'available')
@@ -210,6 +209,41 @@
_api_version = 3
+class VolumesActionsV310RbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+ min_microversion = '3.10'
+ max_microversion = 'latest'
+
+ @classmethod
+ def setup_clients(cls):
+ super(VolumesActionsV310RbacTest, cls).setup_clients()
+ cls.admin_image_client = cls.os_admin.image_client_v2
+
+ @test.attr(type=["slow"])
+ @test.services('image')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_actions:upload_public")
+ @decorators.idempotent_id('578a84dd-a6bd-4f97-a418-4a0c3c272c08')
+ def test_volume_upload_public(self):
+ # This also enforces "volume_extension:volume_actions:upload_image".
+ volume = self.create_volume()
+ image_name = data_utils.rand_name(self.__class__.__name__ + '-Image')
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ body = self.volumes_client.upload_volume(
+ volume['id'], image_name=image_name, visibility="public",
+ disk_format=CONF.volume.disk_format)['os-volume_upload_image']
+ image_id = body["image_id"]
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.admin_image_client.delete_image,
+ image_id)
+ waiters.wait_for_image_status(self.admin_image_client, image_id,
+ 'active')
+ waiters.wait_for_volume_resource_status(self.os_admin.volumes_client,
+ volume['id'], 'available')
+
+
class VolumesActionsV312RbacTest(rbac_base.BaseVolumeRbacTest):
_api_version = 3
min_microversion = '3.12'
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
index a56ca5a..6e9812b 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_quotas_rbac.py
@@ -13,19 +13,11 @@
# License for the specific language governing permissions and limitations
# under the License.
-import logging
-
-from tempest import config
from tempest.lib import decorators
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
-QUOTA_KEYS = ['gigabytes', 'snapshots', 'volumes']
-QUOTA_USAGE_KEYS = ['reserved', 'limit', 'in_use']
-CONF = config.CONF
-LOG = logging.getLogger(__name__)
-
class VolumeQuotasRbacTest(rbac_base.BaseVolumeRbacTest):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
new file mode 100644
index 0000000..8fd68a3
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_access_rbac.py
@@ -0,0 +1,81 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+
+class VolumeTypesAccessRbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumeTypesAccessRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-volume-type-access', 'volume'):
+ msg = "os-volume-type-access extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeTypesAccessRbacTest, cls).resource_setup()
+ cls.vol_type = cls.create_volume_type(
+ **{'os-volume-type-access:is_public': False})
+ cls.project_id = cls.auth_provider.credentials.project_id
+
+ def _add_type_access(self, ignore_not_found=False):
+ self.volume_types_client.add_type_access(
+ self.vol_type['id'], project=self.project_id)
+
+ if ignore_not_found:
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.volume_types_client.remove_type_access,
+ self.vol_type['id'], project=self.project_id)
+ else:
+ self.addCleanup(self.volume_types_client.remove_type_access,
+ self.vol_type['id'], project=self.project_id)
+
+ @decorators.idempotent_id('af70e6ad-e931-419f-9200-8bcc284e4e47')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access")
+ def test_list_type_access(self):
+ self._add_type_access()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.list_type_access(self.vol_type['id'])[
+ 'volume_type_access']
+
+ @decorators.idempotent_id('b462eeba-45d0-4d6e-945a-a1d27708d367')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access:addProjectAccess")
+ def test_add_type_access(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self._add_type_access(ignore_not_found=True)
+
+ @decorators.idempotent_id('8f848aeb-636a-46f1-aeeb-e2a60e9d2bfe')
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:volume_type_access:removeProjectAccess")
+ def test_remove_type_access(self):
+ self._add_type_access(ignore_not_found=True)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.remove_type_access(
+ self.vol_type['id'], project=self.project_id)
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
index 94199b5..97eaab7 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_types_extra_specs_rbac.py
@@ -13,21 +13,88 @@
# License for the specific language governing permissions and limitations
# under the License.
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
from tempest.lib import decorators
+from tempest import test
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.volume import rbac_base
class VolumeTypesExtraSpecsRbacTest(rbac_base.BaseVolumeRbacTest):
+ _api_version = 3
+
+ @classmethod
+ def skip_checks(cls):
+ super(VolumeTypesExtraSpecsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-types-extra-specs', 'volume'):
+ msg = "os-types-extra-specs extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumeTypesExtraSpecsRbacTest, cls).resource_setup()
+ cls.vol_type = cls.create_volume_type()
+ cls.spec_key = data_utils.rand_name(cls.__name__ + '-Spec')
+
+ def _create_volume_type_extra_specs(self, ignore_not_found=False):
+ extra_specs = {self.spec_key: "val1"}
+ self.volume_types_client.create_volume_type_extra_specs(
+ self.vol_type['id'], extra_specs)
+
+ if ignore_not_found:
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.volume_types_client.delete_volume_type_extra_specs,
+ self.vol_type['id'], self.spec_key)
+ else:
+ self.addCleanup(
+ self.volume_types_client.delete_volume_type_extra_specs,
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('76c36be2-2b6c-4acf-9aac-c9dc5c17cdbe')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_list_volume_types_extra_specs(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.list_volume_types_extra_specs(
+ self.vol_type['id'])['extra_specs']
@rbac_rule_validation.action(service="cinder",
rule="volume_extension:types_extra_specs")
@decorators.idempotent_id('eea40251-990b-49b0-99ae-10e4585b479b')
def test_create_volume_type_extra_specs(self):
- vol_type = self.create_volume_type()
- # List Volume types extra specs.
- extra_specs = {"spec1": "val1"}
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- self.volume_types_client.create_volume_type_extra_specs(
- vol_type['id'], extra_specs)
+ self._create_volume_type_extra_specs(ignore_not_found=True)
+
+ @decorators.idempotent_id('e2dcc9c6-2fef-431d-afaf-92b45bc76d1a')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_show_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs()
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.show_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('93001912-f938-41c7-8787-62dc7010fd52')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_delete_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs(ignore_not_found=True)
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.delete_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key)
+
+ @decorators.idempotent_id('0a444437-7402-4fbe-a18a-93af2ee00618')
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:types_extra_specs")
+ def test_update_volume_type_extra_specs(self):
+ self._create_volume_type_extra_specs()
+ update_extra_specs = {self.spec_key: "val2"}
+
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ self.volume_types_client.update_volume_type_extra_specs(
+ self.vol_type['id'], self.spec_key, update_extra_specs)
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
index 6889b44..09de6bf 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_policy_parser.py
@@ -68,7 +68,7 @@
{'name': 'neutron', 'links': 'link', 'enabled': True,
'type': 'networking', 'id': 'id',
'description': 'description'},
- {'name': 'test', 'links': 'link', 'enabled': True,
+ {'name': 'test_service', 'links': 'link', 'enabled': True,
'type': 'unit_test', 'id': 'id',
'description': 'description'}
]
@@ -92,7 +92,7 @@
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.custom_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
expected = {
'policy_action_1': ['two', 'four', 'six', 'eight'],
@@ -115,7 +115,7 @@
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.admin_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
role = 'admin'
allowed_rules = [
@@ -136,7 +136,7 @@
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.admin_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
role = 'Member'
allowed_rules = [
@@ -158,7 +158,7 @@
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.alt_admin_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
role = 'fake_admin'
allowed_rules = ['non_admin_rule']
@@ -195,7 +195,7 @@
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.tenant_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
# Check whether Member role can perform expected actions.
allowed_rules = ['rule1', 'rule2', 'rule3', 'rule4']
@@ -254,7 +254,7 @@
service)
m_log.debug.assert_called_once_with(
- "{0} is NOT a valid service.".format(str(service)))
+ '%s is NOT a valid service.', 'invalid_service')
@mock.patch.object(rbac_policy_parser, 'LOG', autospec=True)
def test_service_is_none_raises_exception(self, m_log):
@@ -268,8 +268,7 @@
test_user_id,
service)
- m_log.debug.assert_called_once_with(
- "{0} is NOT a valid service.".format(str(service)))
+ m_log.debug.assert_called_once_with('%s is NOT a valid service.', None)
@mock.patch.object(rbac_policy_parser, 'LOG', autospec=True)
def test_invalid_policy_rule_throws_rbac_parsing_exception(self, m_log):
@@ -277,7 +276,7 @@
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.custom_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
fake_rule = 'fake_rule'
expected_message = "Policy action: {0} not found in policy file: {1}."\
@@ -293,8 +292,9 @@
test_tenant_id = mock.sentinel.tenant_id
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.custom_policy_file
+
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
parser.rules = mock.MagicMock(
**{'__getitem__.return_value.side_effect': Exception(
mock.sentinel.error)})
@@ -329,7 +329,7 @@
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.tenant_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
policy_data = parser._get_policy_data('fake_service')
@@ -373,7 +373,7 @@
test_user_id = mock.sentinel.user_id
self.mock_path.path.join.return_value = self.tenant_policy_file
parser = rbac_policy_parser.RbacPolicyParser(
- test_tenant_id, test_user_id, "test")
+ test_tenant_id, test_user_id, "test_service")
policy_data = parser._get_policy_data('fake_service')
@@ -413,10 +413,9 @@
self.assertIn(expected_error, str(e))
@mock.patch.object(rbac_policy_parser, 'json', autospec=True)
- @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
@mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
def test_get_policy_data_without_valid_policy(self, mock_stevedore,
- mock_credentials, mock_json):
+ mock_json):
self.mock_path.path.isfile.return_value = False
test_policy_action = mock.Mock(check='rule:bar')
@@ -428,11 +427,6 @@
mock_stevedore.named.NamedExtensionManager\
.return_value = [test_policy]
- mock_credentials.AdminManager.return_value.identity_services_v3_client.\
- list_services.return_value = {
- 'services': [{'name': 'test_service'}]
- }
-
mock_json.dumps.side_effect = ValueError
e = self.assertRaises(rbac_exceptions.RbacParsingException,
@@ -441,7 +435,6 @@
expected_error = "Policy file for {0} service is invalid."\
.format("test_service")
-
self.assertIn(expected_error, str(e))
mock_stevedore.named.NamedExtensionManager.assert_called_once_with(
@@ -452,16 +445,9 @@
warn_on_missing_entrypoint=False)
@mock.patch.object(rbac_policy_parser, 'json', autospec=True)
- @mock.patch.object(rbac_policy_parser, 'credentials', autospec=True)
@mock.patch.object(rbac_policy_parser, 'stevedore', autospec=True)
def test_get_policy_data_from_file_not_json(self, mock_stevedore,
- mock_credentials,
mock_json):
-
- mock_credentials.AdminManager.return_value.identity_services_v3_client.\
- list_services.return_value = {
- 'services': [{'name': 'test_service'}]
- }
mock_stevedore.named.NamedExtensionManager.return_value = None
mock_json.loads.side_effect = ValueError
self.mock_path.path.join.return_value = self.tenant_policy_file
diff --git a/releasenotes/notes/additional-router-rbac-tests-66ef013c54016326.yaml b/releasenotes/notes/additional-router-rbac-tests-66ef013c54016326.yaml
new file mode 100644
index 0000000..4f91a12
--- /dev/null
+++ b/releasenotes/notes/additional-router-rbac-tests-66ef013c54016326.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Add additional RBAC tests for network routers API, providing coverage for
+ the following policy actions:
+
+ * create_router:ha
+ * create_router:distributed
+ * get_router:distributed
+ * update_router:ha
+ * update_router:distributed
\ No newline at end of file
diff --git a/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml b/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml
new file mode 100644
index 0000000..9be15fc
--- /dev/null
+++ b/releasenotes/notes/extra-volume-types-tests-2e4538bed7348be4.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Added RBAC tests for volume type access and volume type extra specs
+ APIs, providing coverage for the following policy actions:
+
+ * "volume_extension:types_extra_specs"
+ * "volume_extension:volume_type_access"
+ * "volume_extension:volume_type_access:addProjectAccess"
+ * "volume_extension:volume_type_access:removeProjectAccess"
diff --git a/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml b/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml
new file mode 100644
index 0000000..8d3d22a
--- /dev/null
+++ b/releasenotes/notes/subnet-rbac-tests-6d3cf54e39a7b486.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ Add RBAC tests for network subnet endpoints, providing coverage for the
+ following policy actions:
+
+ * create_subnet
+ * get_subnet
+ * update_subnet
+ * delete_subnet
diff --git a/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml b/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml
new file mode 100644
index 0000000..5ff448b
--- /dev/null
+++ b/releasenotes/notes/test_tokens_rbac-7f36919b786e9ffc.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Added RBAC test scenarios for the token-related admin v2 identity API.
diff --git a/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml b/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml
new file mode 100644
index 0000000..c8c0ecd
--- /dev/null
+++ b/releasenotes/notes/volume-upload-public-test-f8e741a838ae7607.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add RBAC test to provide coverage for the following cinder policy:
+ "volume_extension:volume_actions:upload_public".