Neutron tests - Security Groups
Tests for the neutron security group policies
Implements bp: initial-tests-network
Co-Authored-By: Samantha Blanco <samantha.blanco@att.com>
Co-Authored-By: Chi Lo <cl566n@att.com>
Co-Authored-By: David Purcell <david.purcell@att.com>
Change-Id: If466551726811e190bf4c426c04d49d074eaff15
diff --git a/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
new file mode 100644
index 0000000..25f1acf
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/test_security_groups_rbac.py
@@ -0,0 +1,191 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from oslo_log import log
+
+from tempest.lib.common.utils import data_utils
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+from tempest.lib import exceptions
+
+from patrole_tempest_plugin import rbac_exceptions
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
+
+LOG = log.getLogger(__name__)
+
+
+class SecGroupRbacTest(base.BaseNetworkRbacTest):
+
+ def tearDown(self):
+ self.rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(SecGroupRbacTest, self).tearDown()
+
+ @classmethod
+ def resource_setup(cls):
+ super(SecGroupRbacTest, cls).resource_setup()
+ secgroup_name = data_utils.rand_name('secgroup')
+ cls.secgroup = cls.security_groups_client.create_security_group(
+ name=secgroup_name)['security_group']
+
+ @classmethod
+ def resource_cleanup(cls):
+ # Clean up security group
+ test_utils.call_and_ignore_notfound_exc(
+ cls.security_groups_client.delete_security_group,
+ cls.secgroup['id'])
+ super(SecGroupRbacTest, cls).resource_cleanup()
+
+ def _create_security_group(self):
+ # Create a security group
+ name = data_utils.rand_name('secgroup')
+ security_group =\
+ self.security_groups_client.create_security_group(
+ name=name)['security_group']
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.security_groups_client.delete_security_group,
+ security_group['id'])
+ return security_group
+
+ def _create_security_group_rule(self):
+ # Create a security group rule
+ sec_group_rule = \
+ self.security_group_rules_client.create_security_group_rule(
+ security_group_id=self.secgroup['id'],
+ direction='ingress',
+ protocol='tcp',
+ port_range_min=99,
+ port_range_max=99)['security_group_rule']
+ self.addCleanup(
+ test_utils.call_and_ignore_notfound_exc,
+ self.security_group_rules_client.delete_security_group_rule,
+ sec_group_rule['id'])
+ return sec_group_rule
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_security_group")
+ @decorators.idempotent_id('db7003ce-5717-4e5b-afc7-befa35e8c67f')
+ def test_create_security_group(self):
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_security_group()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_security_group")
+ @decorators.idempotent_id('56335e77-aef2-4b54-86c7-7f772034b585')
+ def test_show_security_groups(self):
+
+ try:
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.security_groups_client.show_security_group(
+ self.secgroup['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_security_group")
+ @decorators.idempotent_id('0b1330fd-dd28-40f3-ad73-966052e4b3de')
+ def test_delete_security_group(self):
+
+ # Create a security group
+ secgroup_id = self._create_security_group()['id']
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.security_groups_client.delete_security_group(secgroup_id)
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="update_security_group")
+ @decorators.idempotent_id('56c5e4dc-f8aa-11e6-bc64-92361f002671')
+ def test_update_security_group(self):
+
+ # Create a security group
+ secgroup_id = self._create_security_group()['id']
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.security_groups_client.update_security_group(
+ secgroup_id,
+ description="test description")
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_security_groups")
+ @decorators.idempotent_id('fbaf8d96-ed3e-49af-b24c-5fb44f05bbb7')
+ def test_list_security_groups(self):
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.security_groups_client.list_security_groups()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="create_security_group_rule")
+ @decorators.idempotent_id('953d78df-00cd-416f-9cbd-b7cb4ea65772')
+ def test_create_security_group_rule(self):
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self._create_security_group_rule()
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="delete_security_group_rule")
+ @decorators.idempotent_id('2262539e-b7d9-438c-acf9-a5ce0613be28')
+ def test_delete_security_group_rule(self):
+
+ sec_group_rule = self._create_security_group_rule()
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.security_group_rules_client.delete_security_group_rule(
+ sec_group_rule['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_security_group_rule")
+ @decorators.idempotent_id('84b4038c-261e-4a94-90d5-c885739ab0d5')
+ def test_show_security_group_rule(self):
+
+ sec_group_rule = self._create_security_group_rule()
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ try:
+ self.security_group_rules_client.show_security_group_rule(
+ sec_group_rule['id'])
+ except exceptions.NotFound as e:
+ LOG.info("NotFound exception caught. Exception is thrown when "
+ "role doesn't have access to the endpoint."
+ "This is irregular and should be fixed.")
+ raise rbac_exceptions.RbacActionFailed(e)
+
+ @rbac_rule_validation.action(service="neutron",
+ rule="get_security_group_rules")
+ @decorators.idempotent_id('05739ab6-fa35-11e6-bc64-92361f002671')
+ def test_list_security_group_rules(self):
+
+ self.rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.security_group_rules_client.list_security_group_rules()
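Review bot: The five `except exceptions.NotFound` handlers (in test_show_security_groups, test_delete_security_group, test_update_security_group, test_delete_security_group_rule and test_show_security_group_rule) turn every 404 into `RbacActionFailed`, so a resource that is genuinely missing is reported the same way as a policy denial. How `rbac_rule_validation.action` treats that exception is not visible in this hunk, but if it counts as "denied", a role expected to be denied could pass without the policy ever being evaluated. A comment above each handler such as `# Neutron answers 404 rather than 403 when policy denies access to an existing resource`, or one shared helper, would make that assumption explicit. The log text also runs two sentences together because the adjacent string literals have no separator; ending the middle literal as `"role doesn't have access to the endpoint. "` fixes it. Since the message itself calls the behaviour irregular, `LOG.warning` would be easier to spot in test output than `LOG.info`.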