commit b0595650c3e218a323290f44457520a92abf09a6
author Felipe Monteiro <felipe.monteiro@att.com> Mon Jan 23 16:51:58 2017 -0500
committer Felipe Monteiro <felipe.monteiro@att.com> Mon Jan 23 17:47:54 2017 -0500
tree 0996edf2e2efb09d494fc1a387e5603bd56d6d59
parent 2006807611378a636cdfb355caeec96837b44deb

Fixes converter not working for certain edge cases.

Currently, the converter framework is not robust enough to handle
all policy cases. For example, is_admin context breaks.

This patch makes the converter more robust. The converter was changed
to use oslo_policy's shell tool for figuring out which roles are
permitted for a given rule. The shell tool can be found here:
https://github.com/openstack/oslo.policy/blob/master/oslo_policy/shell.py

Because the shell tool is intended to be used as a CLI tool, it was
adapted from oslo policy to better work within Patrole.

implements blueprint: oslo-policy-converter

Change-Id: Ia0fe9113e2be44e609b0edbb4c6facd1425f28b5

tests/test_rbac_rule_validation.py

diff --git a/tests/test_rbac_rule_validation.py b/tests/test_rbac_rule_validation.py
index a8e2be3..edc442e 100644
--- a/tests/test_rbac_rule_validation.py
+++ b/tests/test_rbac_rule_validation.py
@@ -25,31 +25,42 @@
 class RBACRuleValidationTest(base.TestCase):
     @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
     def test_RBAC_rv_happy_path(self, mock_auth):
-        decorator = rbac_rv.action("", "", "")
+        decorator = rbac_rv.action("", "")
         mock_function = mock.Mock()
+        mock_args = mock.MagicMock(**{
+            'auth_provider.credentials.tenant_id': 'tenant_id'
+        })
         wrapper = decorator(mock_function)
-        wrapper()
+        wrapper((mock_args))
         self.assertTrue(mock_function.called)
 
     @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
     def test_RBAC_rv_forbidden(self, mock_auth):
-        decorator = rbac_rv.action("", "", "")
+        decorator = rbac_rv.action("", "")
         mock_function = mock.Mock()
         mock_function.side_effect = exceptions.Forbidden
         wrapper = decorator(mock_function)
-        self.assertRaises(exceptions.Forbidden, wrapper)
+        mock_args = mock.MagicMock(**{
+            'auth_provider.credentials.tenant_id': 'tenant_id'
+        })
+
+        self.assertRaises(exceptions.Forbidden, wrapper, mock_args)
 
     @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
     def test_RBAC_rv_rbac_action_failed(self, mock_auth):
-        decorator = rbac_rv.action("", "", "")
+        decorator = rbac_rv.action("", "")
         mock_function = mock.Mock()
         mock_function.side_effect = rbac_exceptions.RbacActionFailed
+        mock_args = mock.MagicMock(**{
+            'auth_provider.credentials.tenant_id': 'tenant_id'
+        })
+
         wrapper = decorator(mock_function)
-        self.assertRaises(exceptions.Forbidden, wrapper)
+        self.assertRaises(exceptions.Forbidden, wrapper, mock_args)
 
     @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
     def test_RBAC_rv_not_allowed(self, mock_auth):
-        decorator = rbac_rv.action("", "", "")
+        decorator = rbac_rv.action("", "")
 
         mock_function = mock.Mock()
         wrapper = decorator(mock_function)
@@ -58,25 +69,33 @@
         mock_permission.get_permission.return_value = False
         mock_auth.return_value = mock_permission
 
-        self.assertRaises(rbac_exceptions.RbacOverPermission, wrapper)
+        mock_args = mock.MagicMock(**{
+            'auth_provider.credentials.tenant_id': 'tenant_id'
+        })
+
+        self.assertRaises(rbac_exceptions.RbacOverPermission, wrapper,
+                          mock_args)
 
     @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
     def test_RBAC_rv_forbidden_not_allowed(self, mock_auth):
-        decorator = rbac_rv.action("", "", "")
+        decorator = rbac_rv.action("", "")
 
         mock_function = mock.Mock()
         mock_function.side_effect = exceptions.Forbidden
+        mock_args = mock.MagicMock(**{
+            'auth_provider.credentials.tenant_id': 'tenant_id'
+        })
         wrapper = decorator(mock_function)
 
         mock_permission = mock.Mock()
         mock_permission.get_permission.return_value = False
         mock_auth.return_value = mock_permission
 
-        self.assertIsNone(wrapper())
+        self.assertIsNone(wrapper(mock_args))
 
     @mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
     def test_RBAC_rv_rbac_action_failed_not_allowed(self, mock_auth):
-        decorator = rbac_rv.action("", "", "")
+        decorator = rbac_rv.action("", "")
 
         mock_function = mock.Mock()
         mock_function.side_effect = rbac_exceptions.RbacActionFailed
@@ -86,4 +105,8 @@
         mock_permission.get_permission.return_value = False
         mock_auth.return_value = mock_permission
 
-        self.assertIsNone(wrapper())
+        mock_args = mock.MagicMock(**{
+            'auth_provider.credentials.tenant_id': 'tenant_id'
+        })
+
+        self.assertIsNone(wrapper(mock_args))