Merge "Fix for few failing network rbac tests"
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/__init__.py b/patrole_tempest_plugin/tests/api/compute/admin/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/admin/__init__.py
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
new file mode 100644
index 0000000..953f518
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
@@ -0,0 +1,69 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import testtools
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+CONF = config.CONF
+
+
+class PasswordAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(PasswordAdminRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(PasswordAdminRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(PasswordAdminRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @classmethod
+ def resource_setup(cls):
+ super(PasswordAdminRbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ @testtools.skipUnless(CONF.compute_feature_enabled.change_password,
+ 'Change password not available.')
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-admin-password")
+ @decorators.idempotent_id('908a7d59-3a66-441c-94cf-38e57ed14956')
+ def test_change_server_password(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.change_password(
+ self.server_id,
+ adminPass=data_utils.rand_password())
+
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-admin-password:discoverable")
+ @decorators.idempotent_id('379fce8a-f1ff-11e6-bc64-92361f002671')
+ def test_admin_password_discoverable(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.extensions_client.show_extension('os-admin-password')
diff --git a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
new file mode 100644
index 0000000..c49ba82
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
@@ -0,0 +1,83 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+CONF = config.CONF
+
+
+class ServersAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ServersAdminRbacTest, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(ServersAdminRbacTest, cls).setup_clients()
+ cls.client = cls.servers_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(ServersAdminRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @classmethod
+ def resource_setup(cls):
+ super(ServersAdminRbacTest, cls).resource_setup()
+ cls.server_id = cls.create_test_server(wait_until='ACTIVE')['id']
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:reset_state")
+ @decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
+ def test_reset_server_state(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.reset_state(self.server_id, state='error')
+ self.addCleanup(self.client.reset_state,
+ self.server_id,
+ state='active')
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:inject_network_info")
+ @decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
+ def test_inject_network_info(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.inject_network_info(self.server_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:reset_network")
+ @decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
+ def test_reset_network(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.reset_network(self.server_id)
+
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-admin-actions:discoverable")
+ @decorators.idempotent_id('e9d2991f-a05e-4116-881b-e2a82bb173cf')
+ def test_admin_actions_discoverable(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.extensions_client.show_extension('os-admin-actions')
diff --git a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
new file mode 100644
index 0000000..8465add
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
@@ -0,0 +1,49 @@
+# Copyright 2017 AT&T Corporation.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class NovaAvailabilityZoneRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(NovaAvailabilityZoneRbacTest, self).tearDown()
+
+ @classmethod
+ def skip_checks(cls):
+ super(NovaAvailabilityZoneRbacTest, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @rbac_rule_validation.action(service="nova", rule="os_compute_api:"
+ "os-availability-zone:list")
+ @decorators.idempotent_id('cd34e7ea-d26e-4fa3-a8d0-f8883726ce3d')
+ def test_get_availability_zone_list_rbac(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.os.availability_zone_client.list_availability_zones()
+
+ @rbac_rule_validation.action(service="nova", rule="os_compute_api:"
+ "os-availability-zone:detail")
+ @decorators.idempotent_id('2f61c191-6ece-4f21-b487-39d749e3d38e')
+ def test_get_availability_zone_list_detail_rbac(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.os.availability_zone_client.list_availability_zones(detail=True)
diff --git a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
new file mode 100644
index 0000000..ea5a346
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
@@ -0,0 +1,57 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = config.CONF
+
+
+class FloatingIpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ # Tests will fail with a 404 starting from microversion 2.36, according to:
+ # https://developer.openstack.org/api-ref/
+ # compute/?expanded=list-floating-ip-addresses-detail
+ max_microversion = '2.35'
+
+ @classmethod
+ def setup_clients(cls):
+ super(FloatingIpsRbacTest, cls).setup_clients()
+ cls.client = cls.floating_ips_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(FloatingIpsRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-floating-ips', 'compute'):
+ msg = "%s skipped as os-floating-ips extension not enabled." \
+ % cls.__name__
+ raise cls.skipException(msg)
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(FloatingIpsRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('ac1b3053-f755-4cda-85a0-30e88b88d7ba')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-floating-ips")
+ def test_list_floating_ips(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_floating_ips()['floating_ips']
diff --git a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
new file mode 100644
index 0000000..b37f74f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
@@ -0,0 +1,50 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+
+class InstanceUsagesAuditLogAdminRbacTest(
+ rbac_base.BaseV2ComputeAdminRbacTest):
+
+ @classmethod
+ def skip_checks(cls):
+ super(InstanceUsagesAuditLogAdminRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-instance-usage-audit-log',
+ 'compute'):
+ msg = "os-instance-usage-audit-log extension not enabled."
+ raise cls.skipException(msg)
+
+ @classmethod
+ def setup_clients(cls):
+ super(InstanceUsagesAuditLogAdminRbacTest, cls).setup_clients()
+ cls.client = cls.instance_usages_audit_log_client
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(InstanceUsagesAuditLogAdminRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('c80246c0-5c13-4ab0-97ba-91551cd53dc1')
+ @rbac_rule_validation.action(
+ service="nova", rule="os_compute_api:os-instance-usage-audit-log")
+ def test_list_instance_usage_audit_logs(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_instance_usage_audit_logs()
+ ["instance_usage_audit_logs"]
diff --git a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
new file mode 100644
index 0000000..1bb5100
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
@@ -0,0 +1,65 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_config import cfg
+
+from tempest.lib import decorators
+from tempest import test
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+
+CONF = cfg.CONF
+
+
+class TenantNetworksRbacTest(rbac_base.BaseV2ComputeRbacTest):
+
+ # Tests will fail with a 404 starting from microversion 2.36, according to:
+ # https://developer.openstack.org/api-ref/
+ # compute/?expanded=list-project-networks-detail
+ max_microversion = '2.35'
+
+ @classmethod
+ def setup_clients(cls):
+ super(TenantNetworksRbacTest, cls).setup_clients()
+ cls.client = cls.os.tenant_networks_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(TenantNetworksRbacTest, cls).skip_checks()
+ if not test.is_extension_enabled('os-tenant-networks', 'compute'):
+ msg = "os-tenant-networks extension not enabled."
+ raise cls.skipException(msg)
+ if not CONF.service_available.neutron:
+ raise cls.skipException(
+ '%s skipped as Neutron is required' % cls.__name__)
+
+ @classmethod
+ def setup_credentials(cls):
+ cls.set_network_resources(network=True)
+ super(TenantNetworksRbacTest, cls).setup_credentials()
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(TenantNetworksRbacTest, self).tearDown()
+
+ @decorators.idempotent_id('42b39ba1-14aa-4799-9518-34367d0da67a')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-tenant-networks")
+ def test_list_show_tenant_networks(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_tenant_networks()['networks']