Merge "[docs] Fix weird indentation in documentation"
diff --git a/.gitignore b/.gitignore
index b77e7f3..350e0da 100644
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,7 @@
 
 # Sphinx
 doc/build
+doc/source/_static/patrole.conf.sample
 
 # pbr generates these
 AUTHORS
diff --git a/doc/source/framework/overview.rst b/doc/source/framework/overview.rst
index 1c9bf3b..d862770 100644
--- a/doc/source/framework/overview.rst
+++ b/doc/source/framework/overview.rst
@@ -7,32 +7,32 @@
 
 RBAC testing validation is broken up into 3 stages:
 
-  #. "Expected" stage. Determine whether the test should be able to succeed
-     or fail based on the test role defined by ``[patrole] rbac_test_role``)
-     and the policy action that the test enforces.
-  #. "Actual" stage. Run the test by calling the API endpoint that enforces
-     the expected policy action using the test role.
-  #. Comparing the outputs from both stages for consistency. A "consistent"
-     result is treated as a pass and an "inconsistent" result is treated
-     as a failure. "Consistent" (or successful) cases include:
+#. "Expected" stage. Determine whether the test should be able to succeed
+   or fail based on the test role defined by ``[patrole] rbac_test_role``)
+   and the policy action that the test enforces.
+#. "Actual" stage. Run the test by calling the API endpoint that enforces
+   the expected policy action using the test role.
+#. Comparing the outputs from both stages for consistency. A "consistent"
+   result is treated as a pass and an "inconsistent" result is treated
+   as a failure. "Consistent" (or successful) cases include:
 
-      * Expected result is ``True`` and the test passes.
-      * Expected result is ``False`` and the test fails.
+   * Expected result is ``True`` and the test passes.
+   * Expected result is ``False`` and the test fails.
 
-     For example, a 200 from the API call and a ``True`` result from
-     ``oslo.policy`` or a 403 from the API call and a ``False`` result from
-     ``oslo.policy`` are successful results.
+   For example, a 200 from the API call and a ``True`` result from
+   ``oslo.policy`` or a 403 from the API call and a ``False`` result from
+   ``oslo.policy`` are successful results.
 
-     "Inconsistent" (or failing) cases include:
+   "Inconsistent" (or failing) cases include:
 
-      * Expected result is ``False`` and the test passes. This results in an
-        ``RbacOverPermission`` exception getting thrown.
-      * Expected result is ``True`` and the test fails. This results in a
-        ``Forbidden`` exception getting thrown.
+   * Expected result is ``False`` and the test passes. This results in an
+     ``RbacOverPermission`` exception getting thrown.
+   * Expected result is ``True`` and the test fails. This results in a
+     ``Forbidden`` exception getting thrown.
 
-     For example, a 200 from the API call and a ``False`` result from
-     ``oslo.policy`` or a 403 from the API call and a ``True`` result from
-     ``oslo.policy`` are failing results.
+   For example, a 200 from the API call and a ``False`` result from
+   ``oslo.policy`` or a 403 from the API call and a ``True`` result from
+   ``oslo.policy`` are failing results.
 
 -------------------------------
 The RBAC Rule Validation Module
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index fc8b145..75d1baa 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -43,15 +43,15 @@
 
     A decorator which allows for positive and negative RBAC testing. Given:
 
-        * an OpenStack service,
-        * a policy action (``rule``) enforced by that service, and
-        * the test role defined by ``[patrole] rbac_test_role``
+    * an OpenStack service,
+    * a policy action (``rule``) enforced by that service, and
+    * the test role defined by ``[patrole] rbac_test_role``
 
     determines whether the test role has sufficient permissions to perform an
     API call that enforces the ``rule``.
 
     This decorator should only be applied to an instance or subclass of
-        ``tempest.test.BaseTestCase``.
+    ``tempest.test.BaseTestCase``.
 
     The result from ``_is_authorized`` is used to determine the *expected*
     test result. The *actual* test result is determined by running the
@@ -306,14 +306,14 @@
     Before being formatted, "extra_target_data" is a dictionary that maps a
     policy string like "trust.trustor_user_id" to a nested list of
     ``tempest.test.BaseTestCase`` attributes. For example, the attribute list
-    in:
+    in::
 
-        "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
+      "trust.trustor_user_id": "os.auth_provider.credentials.user_id"
 
     is parsed by iteratively calling ``getattr`` until the value of "user_id"
-    is resolved. The resulting dictionary returns:
+    is resolved. The resulting dictionary returns::
 
-        "trust.trustor_user_id": "the user_id of the `os_primary` credential"
+      "trust.trustor_user_id": "the user_id of the `os_primary` credential"
 
     :param test_obj: An instance or subclass of ``tempest.test.BaseTestCase``.
     :param extra_target_data: Dictionary, keyed with ``oslo.policy`` generic
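Review bot: The sentence `The resulting dictionary returns::` still reads oddly, since a dictionary does not return anything; `The resulting dictionary contains::` would match the literal block that follows it. The docstring also does not say what happens when an attribute in the dotted path is missing on `test_obj`. These values appear to feed the `oslo.policy` check that produces the expected result, so a sentence naming the behaviour (an exception versus a silently dropped key) would help test authors. The function body lies outside this hunk, so that behaviour needs confirming against the code before it is documented.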
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 4ef0f80..51d1d25 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -68,8 +68,9 @@
         """Override the role used by ``os_primary`` Tempest credentials.
 
         Temporarily change the role used by ``os_primary`` credentials to:
-          * ``[patrole] rbac_test_role`` before test execution
-          * ``[identity] admin_role`` after test execution
+
+        * ``[patrole] rbac_test_role`` before test execution
+        * ``[identity] admin_role`` after test execution
 
         Automatically switches to admin role after test execution.
 
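Review bot: The docstring states the switch back to admin "after test execution" twice, in the second bullet and in `Automatically switches to admin role after test execution.`, but never says whether it also happens when the test body raises. A test left on the wrong role changes what later tests are authorized to do, so I would replace the duplicate sentence with an explicit one such as `The admin role is restored even if the test raises.`, provided that matches the implementation. The method body is outside this hunk, so this needs checking before the sentence is added.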
@@ -111,8 +112,9 @@
         """Switch the role used by `os_primary` Tempest credentials.
 
         Switch the role used by `os_primary` credentials to:
-          * admin if `toggle_rbac_role` is False
-          * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
+
+        * admin if `toggle_rbac_role` is False
+        * `CONF.patrole.rbac_test_role` if `toggle_rbac_role` is True
 
         :param test_obj: test object of type tempest.lib.base.BaseTestCase
         :param toggle_rbac_role: role to switch `os_primary` Tempest creds to
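Review bot: The bullets treat toggle_rbac_role as a boolean, but the `:param toggle_rbac_role:` line still describes it as a "role to switch ... to", so the parameter documentation contradicts the text just above it. Something like `:param toggle_rbac_role: True to switch to the RBAC test role, False to switch to admin` would agree with the bullets. This docstring also keeps single backticks around os_primary, toggle_rbac_role and CONF.patrole.rbac_test_role, which reST does not render as inline literals, while the docstring in the hunk at line 68 of the same file uses double backticks. Since this commit is a rendering cleanup, switching these to double backticks here would keep the two docstrings consistent.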