Increase unit test coverage for rbac_utils.
With recent framework changes, need unit tests needed to be added
for full unit test coverage. This patch does just that.
Also made clear_rbac_roles a private class by prefixing it with
'_', and moved a validation method from __init__ which checked
whether admin_role_id or rbac_role_id were None to switch_role,
so that this check is performed more than just during the
initialization.
Change-Id: Iba261989d9cbffba9d33aec0d4f48c3fcc83092e
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index d5f1c2b..69c6ccd 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -55,32 +55,25 @@
cls.rbac_role_id = item['id']
if item['name'] == 'admin':
cls.admin_role_id = item['id']
- # Check if admin and rbac role exits
- if not cls.admin_role_id or not cls.rbac_role_id:
- msg = ("defined 'rbac_role' or 'admin' role does not exist"
- " in the system.")
- raise rbac_exceptions.RbacResourceSetupFailed(msg)
-
- def clear_user_roles(cls, user_id, tenant_id):
- roles = cls.creds_client.roles_client.list_user_roles_on_project(
- tenant_id, user_id)['roles']
-
- for role in roles:
- cls.creds_client.roles_client.delete_role_from_user_on_project(
- tenant_id, user_id, role['id'])
def switch_role(cls, test_obj, switchToRbacRole=None):
LOG.debug('Switching role to: %s', switchToRbacRole)
+ # Check if admin and rbac roles exist.
+ if not cls.admin_role_id or not cls.rbac_role_id:
+ msg = ("Defined 'rbac_role' or 'admin' role does not exist"
+ " in the system.")
+ raise rbac_exceptions.RbacResourceSetupFailed(msg)
+
if not isinstance(switchToRbacRole, bool):
msg = ("Wrong value for parameter 'switchToRbacRole' is passed."
" It should be either 'True' or 'False'.")
- raise rbac_exceptions.RbacActionFailed(msg)
+ raise rbac_exceptions.RbacResourceSetupFailed(msg)
try:
user_id = test_obj.auth_provider.credentials.user_id
project_id = test_obj.auth_provider.credentials.tenant_id
- cls.clear_user_roles(user_id, project_id)
+ cls._clear_user_roles(user_id, project_id)
if switchToRbacRole:
cls.creds_client.roles_client.create_user_role_on_project(
@@ -100,4 +93,12 @@
time.sleep(1)
test_obj.auth_provider.set_auth()
+ def _clear_user_roles(cls, user_id, tenant_id):
+ roles = cls.creds_client.roles_client.list_user_roles_on_project(
+ tenant_id, user_id)['roles']
+
+ for role in roles:
+ cls.creds_client.roles_client.delete_role_from_user_on_project(
+ tenant_id, user_id, role['id'])
+
rbac_utils = RbacUtils
diff --git a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
index 9dd5985..add1770 100644
--- a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
@@ -15,45 +15,141 @@
import mock
+from tempest import config
from tempest.lib import exceptions as lib_exc
from tempest.tests import base
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_utils
+CONF = config.CONF
+
class RBACUtilsTest(base.TestCase):
- def setUp(self):
+
+ @mock.patch.object(rbac_utils, 'time', autospec=True)
+ def setUp(self, _):
super(RBACUtilsTest, self).setUp()
- mock_creds_provider = mock.patch.object(
- rbac_utils, 'credentials_factory').start()
- mock_creds_provider.get_credentials_provider.return_value.\
- creds_client.roles_client.list_roles.return_value.\
- __getitem__.return_value = [
+ self.mock_creds_provider = mock.patch.object(
+ rbac_utils, 'credentials_factory', autospec=True).start()
+
+ available_roles = {
+ 'roles': [
{'name': 'admin', 'id': 'admin_id'},
{'name': 'Member', 'id': 'member_id'}
]
+ }
+ self.mock_creds_provider.get_credentials_provider.return_value.\
+ creds_client.roles_client.list_roles.return_value = \
+ available_roles
+ self.addCleanup(mock.patch.stopall)
+
+ CONF.set_override('rbac_test_role', 'Member', group='rbac',
+ enforce_type=True)
+ self.addCleanup(CONF.clear_override, 'rbac_test_role', group='rbac')
+
+ # Because rbac_utils is a singleton, reset all of its role-related
+ # parameters to the correct values for each test run.
self.rbac_utils = rbac_utils.rbac_utils()
+ self.rbac_utils.available_roles = available_roles
+ self.rbac_utils.admin_role_id = 'admin_id'
+ self.rbac_utils.rbac_role_id = 'member_id'
- def test_rbac_utils_switch_roles_none(self):
- self.assertRaises(rbac_exceptions.RbacActionFailed,
- self.rbac_utils.switch_role, None)
+ def test_initialization_with_missing_admin_role(self):
+ self.rbac_utils.admin_role_id = None
+ e = self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
+ self.rbac_utils.switch_role, None)
+ self.assertIn("Defined 'rbac_role' or 'admin' role does not exist"
+ " in the system.", e.__str__())
- def test_rbac_utils_switch_roles_false(self):
- self.auth_provider = mock.Mock()
- self.auth_provider.credentials.user_id = "user_id"
- self.auth_provider.credentials.tenant_id = "tenant_id"
- self.admin_client = mock.Mock()
- self.admin_client.token = "admin_token"
- self.assertIsNone(self.rbac_utils.switch_role(self, False))
+ def test_initialization_with_missing_rbac_role(self):
+ self.rbac_utils.rbac_role_id = None
+ e = self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
+ self.rbac_utils.switch_role, None)
+ self.assertIn("Defined 'rbac_role' or 'admin' role does not exist"
+ " in the system.", e.__str__())
- def test_rbac_utils_switch_roles_get_roles_fails(self):
- self.auth_provider = mock.Mock()
- self.auth_provider.credentials.user_id = "user_id"
- self.auth_provider.credentials.tenant_id = "tenant_id"
- self.admin_client = mock.Mock()
- self.admin_client.token = "admin_token"
- self.rbac_utils.creds_client.roles_client.create_user_role_on_project.\
- side_effect = lib_exc.NotFound
- self.assertRaises(lib_exc.NotFound, self.rbac_utils.switch_role, self,
- False)
+ def test_clear_user_roles(self):
+ self.rbac_utils.creds_client = mock.Mock()
+ creds_client = self.rbac_utils.creds_client
+ creds_client.roles_client.list_user_roles_on_project.return_value = {
+ 'roles': [{'id': 'admin_id'}, {'id': 'member_id'}]
+ }
+
+ self.rbac_utils._clear_user_roles(mock.sentinel.user_id,
+ mock.sentinel.project_id)
+
+ creds_client.roles_client.list_user_roles_on_project.\
+ assert_called_once_with(mock.sentinel.project_id,
+ mock.sentinel.user_id)
+ creds_client.roles_client.delete_role_from_user_on_project.\
+ assert_has_calls([
+ mock.call(mock.sentinel.project_id, mock.sentinel.user_id,
+ 'admin_id'),
+ mock.call(mock.sentinel.project_id, mock.sentinel.user_id,
+ 'member_id'),
+ ])
+
+ @mock.patch.object(rbac_utils.rbac_utils, '_clear_user_roles',
+ autospec=True)
+ def test_rbac_utils_switch_role_to_admin(self, mock_clear_user_roles):
+ mock_test_object = mock.Mock()
+ mock_test_object.auth_provider.credentials.user_id = \
+ mock.sentinel.user_id
+ mock_test_object.auth_provider.credentials.tenant_id = \
+ mock.sentinel.project_id
+
+ self.rbac_utils.creds_client = mock.Mock()
+ creds_client = self.rbac_utils.creds_client
+
+ self.rbac_utils.switch_role(mock_test_object, False)
+
+ creds_client.roles_client.create_user_role_on_project.\
+ assert_called_once_with(mock.sentinel.project_id,
+ mock.sentinel.user_id,
+ 'admin_id')
+ mock_clear_user_roles.assert_called_once_with(
+ self.rbac_utils, mock.sentinel.user_id, mock.sentinel.project_id)
+ mock_test_object.auth_provider.clear_auth.assert_called_once_with()
+ mock_test_object.auth_provider.set_auth.assert_called_once_with()
+
+ @mock.patch.object(rbac_utils.rbac_utils, '_clear_user_roles',
+ autospec=True)
+ def test_rbac_utils_switch_role_to_rbac_role(self, mock_clear_user_roles):
+ mock_test_object = mock.Mock()
+ mock_test_object.auth_provider.credentials.user_id = \
+ mock.sentinel.user_id
+ mock_test_object.auth_provider.credentials.tenant_id = \
+ mock.sentinel.project_id
+
+ self.rbac_utils.creds_client = mock.Mock()
+ creds_client = self.rbac_utils.creds_client
+
+ self.rbac_utils.switch_role(mock_test_object, True)
+
+ creds_client.roles_client.create_user_role_on_project.\
+ assert_called_once_with(mock.sentinel.project_id,
+ mock.sentinel.user_id,
+ 'member_id')
+ mock_clear_user_roles.assert_called_once_with(
+ self.rbac_utils, mock.sentinel.user_id, mock.sentinel.project_id)
+ mock_test_object.auth_provider.clear_auth.assert_called_once_with()
+ mock_test_object.auth_provider.set_auth.assert_called_once_with()
+
+ def test_rbac_utils_switch_roles_with_invalid_value(self):
+ e = self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
+ self.rbac_utils.switch_role, None)
+ self.assertIn("Wrong value for parameter 'switchToRbacRole' is passed."
+ " It should be either 'True' or 'False'.", e.__str__())
+
+ @mock.patch.object(rbac_utils.rbac_utils, '_clear_user_roles',
+ autospec=True)
+ def test_rbac_utils_switch_role_except_exception(self,
+ mock_clear_user_roles):
+ self.rbac_utils.creds_client = mock.Mock()
+ creds_client = self.rbac_utils.creds_client
+ creds_client.roles_client.create_user_role_on_project.side_effect =\
+ lib_exc.NotFound
+
+ self.assertRaises(lib_exc.NotFound, self.rbac_utils.switch_role,
+ mock.Mock(), True)