Merge "Cinder tests - Volume Snapshots"
diff --git a/doc/source/installation.rst b/doc/source/installation.rst
index b0a6f33..00cc57b 100644
--- a/doc/source/installation.rst
+++ b/doc/source/installation.rst
@@ -25,7 +25,7 @@
tempest.conf
++++++++++++
-To run the RBAC tempest api test you have to make the following changes to
+To run the RBAC tempest api test, you have to make the following changes to
the tempest.conf file.
#. [auth] section updates ::
@@ -49,11 +49,8 @@
# The role that you want the RBAC tests to use for RBAC testing
# This needs to be edited to run the test as a different role.
- rbac_test_role=_member_
+ rbac_test_role = _member_
- # The list of roles that your system contains.
- # This needs to be updated as new roles are added.
- rbac_roles=admin,_member_
-
- # Tell standard RBAC test cases to run other wise it they are skipped.
- rbac_flag=true
+ # Enables RBAC Tempest tests if set to True. Otherwise, they are
+ # skipped.
+ rbac_flag = True
diff --git a/patrole_tempest_plugin/config.py b/patrole_tempest_plugin/config.py
index 2b20391..6ee1528 100644
--- a/patrole_tempest_plugin/config.py
+++ b/patrole_tempest_plugin/config.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2016 AT&T inc.
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -26,8 +26,4 @@
cfg.BoolOpt('rbac_flag',
default=False,
help="Enables RBAC tests."),
- cfg.ListOpt('rbac_roles',
- default=['admin'],
- help="List of RBAC roles found in the policy files "
- "under testing."),
]
diff --git a/patrole_tempest_plugin/plugin.py b/patrole_tempest_plugin/plugin.py
index 1bc4d04..3abf4aa 100644
--- a/patrole_tempest_plugin/plugin.py
+++ b/patrole_tempest_plugin/plugin.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2016 AT&T inc.
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
diff --git a/patrole_tempest_plugin/rbac_auth.py b/patrole_tempest_plugin/rbac_auth.py
index 88b7032..1afc7ae 100644
--- a/patrole_tempest_plugin/rbac_auth.py
+++ b/patrole_tempest_plugin/rbac_auth.py
@@ -1,4 +1,4 @@
-# Copyright 2017 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -14,7 +14,6 @@
# under the License.
from oslo_log import log as logging
-from tempest.lib import exceptions
from patrole_tempest_plugin import rbac_role_converter
@@ -22,22 +21,21 @@
class RbacAuthority(object):
- def __init__(self, component=None, service=None):
- self.converter = rbac_role_converter.RbacPolicyConverter(service)
- self.roles_dict = self.converter.rules
+ def __init__(self, tenant_id, service=None):
+ self.converter = rbac_role_converter.RbacPolicyConverter(tenant_id,
+ service)
- def get_permission(self, api, role):
- if self.roles_dict is None:
- raise exceptions.InvalidConfiguration("Roles dictionary is empty!")
+ def get_permission(self, rule_name, role):
try:
- _api = self.roles_dict[api]
- if role in _api:
- LOG.debug("[API]: %s, [Role]: %s is allowed!", api, role)
- return True
+ is_allowed = self.converter.allowed(rule_name, role)
+ if is_allowed:
+ LOG.debug("[API]: %s, [Role]: %s is allowed!", rule_name, role)
else:
- LOG.debug("[API]: %s, [Role]: %s is NOT allowed!", api, role)
- return False
+ LOG.debug("[API]: %s, [Role]: %s is NOT allowed!",
+ rule_name, role)
+ return is_allowed
except KeyError:
- raise KeyError("'%s' API is not defined in the policy.json"
- % api)
+ LOG.debug("[API]: %s, [Role]: %s is NOT allowed!",
+ rule_name, role)
+ return False
return False
diff --git a/patrole_tempest_plugin/rbac_exceptions.py b/patrole_tempest_plugin/rbac_exceptions.py
index 94e6bdd..c6165ff 100644
--- a/patrole_tempest_plugin/rbac_exceptions.py
+++ b/patrole_tempest_plugin/rbac_exceptions.py
@@ -1,4 +1,4 @@
-# Copyright 2017 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
diff --git a/patrole_tempest_plugin/rbac_role_converter.py b/patrole_tempest_plugin/rbac_role_converter.py
index cfb7856..420de7f 100644
--- a/patrole_tempest_plugin/rbac_role_converter.py
+++ b/patrole_tempest_plugin/rbac_role_converter.py
@@ -1,4 +1,4 @@
-# Copyright 2016 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -13,141 +13,125 @@
# License for the specific language governing permissions and limitations
# under the License.
+import copy
import os
-from oslo_config import cfg
from oslo_log import log as logging
-from oslo_policy import _checks
from oslo_policy import policy
from tempest import config
-from patrole_tempest_plugin.rbac_exceptions import RbacResourceSetupFailed
+from patrole_tempest_plugin import rbac_exceptions
CONF = config.CONF
LOG = logging.getLogger(__name__)
-RULES_TO_SKIP = []
-TESTED_RULES = []
-PARSED_RULES = []
-
class RbacPolicyConverter(object):
"""A class for parsing policy rules into lists of allowed roles.
RBAC testing requires that each rule in a policy file be broken up into
the roles that constitute it. This class automates that process.
+
+ The list of roles per rule can be reverse-engineered by checking, for
+ each role, whether a given rule is allowed using oslo policy.
"""
- def __init__(self, service, path=None):
- """Initialization of Policy Converter
+ def __init__(self, tenant_id, service, path=None):
+ """Initialization of Policy Converter.
- Parse policy files to create dictionary mapping
- policy actions to roles.
+ Parse policy files to create dictionary mapping policy actions to
+ roles.
+
+ :param tenant_id: type uuid
:param service: type string
:param path: type string
"""
-
if path is None:
- path = '/etc/{0}/policy.json'.format(service)
+ self.path = '/etc/{0}/policy.json'.format(service)
+ else:
+ self.path = path
- if not os.path.isfile(path):
- raise RbacResourceSetupFailed('Policy file for service: {0}, {1}'
- ' not found.'.format(service, path))
+ if not os.path.isfile(self.path):
+ raise rbac_exceptions.RbacResourceSetupFailed(
+ 'Policy file for service: {0}, {1} not found.'
+ .format(service, self.path))
- self.default_roles = CONF.rbac.rbac_roles
- self.rules = {}
+ self.tenant_id = tenant_id
- self._get_roles_for_each_rule_in_policy_file(path)
+ def allowed(self, rule_name, role):
+ policy_file = open(self.path, 'r')
+ access_token = self._get_access_token(role)
- def _get_roles_for_each_rule_in_policy_file(self, path):
- """Gets the roles for each rule in the policy file at given path."""
+ is_allowed = self._allowed(
+ policy_file=policy_file,
+ access=access_token,
+ apply_rule=rule_name,
+ is_admin=False)
- global PARSED_RULES
- global TESTED_RULES
- global RULES_TO_SKIP
+ policy_file = open(self.path, 'r')
+ access_token = self._get_access_token(role)
+ allowed_as_admin_context = self._allowed(
+ policy_file=policy_file,
+ access=access_token,
+ apply_rule=rule_name,
+ is_admin=True)
- rule_to_roles_dict = {}
- enforcer = self._init_policy_enforcer(path)
+ if allowed_as_admin_context and is_allowed:
+ return True
+ if allowed_as_admin_context and not is_allowed:
+ return False
+ if not allowed_as_admin_context and is_allowed:
+ return True
+ if not allowed_as_admin_context and not is_allowed:
+ return False
- base_rules = set()
- for rule_name, rule_checker in enforcer.rules.items():
- if isinstance(rule_checker, _checks.OrCheck):
- for sub_rule in rule_checker.rules:
- if hasattr(sub_rule, 'match'):
- base_rules.add(sub_rule.match)
- elif isinstance(rule_checker, _checks.RuleCheck):
- if hasattr(rule_checker, 'match'):
- base_rules.add(rule_checker.match)
+ def _get_access_token(self, role):
+ access_token = {
+ "token": {
+ "roles": [
+ {
+ "name": role
+ }
+ ],
+ "project": {
+ "id": self.tenant_id
+ }
+ }
+ }
+ return access_token
- RULES_TO_SKIP.extend(base_rules)
- generic_check_dict = self._get_generic_check_dict(enforcer.rules)
+ def _allowed(self, policy_file, access, apply_rule, is_admin=False):
+ """Checks if a given rule in a policy is allowed with given access.
- for rule_name, rule_checker in enforcer.rules.items():
- PARSED_RULES.append(rule_name)
+ Adapted from oslo_policy.shell.
- if rule_name in RULES_TO_SKIP:
- continue
- if isinstance(rule_checker, _checks.GenericCheck):
- continue
-
- # Determine whether each role is contained within the current rule.
- for role in self.default_roles:
- roles = {'roles': [role]}
- roles.update(generic_check_dict)
- is_role_in_rule = rule_checker(
- generic_check_dict, roles, enforcer)
- if is_role_in_rule:
- rule_to_roles_dict.setdefault(rule_name, set())
- rule_to_roles_dict[rule_name].add(role)
-
- self.rules = rule_to_roles_dict
-
- def _init_policy_enforcer(self, policy_file):
- """Initializes oslo policy enforcer"""
-
- def find_file(path):
- realpath = os.path.realpath(path)
- if os.path.isfile(realpath):
- return realpath
- else:
- return None
-
- CONF = cfg.CONF
- CONF.find_file = find_file
-
- enforcer = policy.Enforcer(CONF,
- policy_file=policy_file,
- rules=None,
- default_rule=None,
- use_conf=True)
- enforcer.load_rules()
- return enforcer
-
- def _get_generic_check_dict(self, enforcer_rules):
- """Creates permissions dictionary that oslo policy uses
-
- to determine if a user can perform an action.
+ :param policy file: type string: path to policy file
+ :param access: type dict: dictionary from ``_get_access_token``
+ :param apply_rule: type string: rule to be checked
+ :param is_admin: type bool: whether admin context is used
"""
+ access_data = copy.copy(access['token'])
+ access_data['roles'] = [role['name'] for role in access_data['roles']]
+ access_data['project_id'] = access_data['project']['id']
+ access_data['is_admin'] = is_admin
+ policy_data = policy_file.read()
+ rules = policy.Rules.load(policy_data, "default")
- generic_checks = set()
- for rule_checker in enforcer_rules.values():
- entries = set()
- self._get_generic_check_entries(rule_checker, entries)
- generic_checks |= entries
- return {e: '' for e in generic_checks}
+ class Object(object):
+ pass
+ o = Object()
+ o.rules = rules
- def _get_generic_check_entries(self, rule_checker, entries):
- if isinstance(rule_checker, _checks.GenericCheck):
- if hasattr(rule_checker, 'match'):
- if rule_checker.match.startswith('%(') and\
- rule_checker.match.endswith(')s'):
- entries.add(rule_checker.match[2:-2])
- if hasattr(rule_checker, 'rule'):
- if isinstance(rule_checker.rule, _checks.GenericCheck) and\
- hasattr(rule_checker.rule, 'match'):
- if rule_checker.rule.match.startswith('%(') and\
- rule_checker.rule.match.endswith(')s'):
- entries.add(rule_checker.rule.match[2:-2])
- if hasattr(rule_checker, 'rules'):
- for rule in rule_checker.rules:
- self._get_generic_check_entries(rule, entries)
+ target = {"project_id": access_data['project_id']}
+
+ key = apply_rule
+ rule = rules[apply_rule]
+ result = self._try_rule(key, rule, target, access_data, o)
+ return result
+
+ def _try_rule(self, key, rule, target, access_data, o):
+ try:
+ return rule(target, access_data, o)
+ except Exception as e:
+ LOG.debug("Exception: {0} for rule: {1}".format(e, rule))
+ return False
diff --git a/patrole_tempest_plugin/rbac_rule_validation.py b/patrole_tempest_plugin/rbac_rule_validation.py
index e11ae4c..4b85187 100644
--- a/patrole_tempest_plugin/rbac_rule_validation.py
+++ b/patrole_tempest_plugin/rbac_rule_validation.py
@@ -1,4 +1,4 @@
-# Copyright 2017 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -13,7 +13,8 @@
# License for the specific language governing permissions and limitations
# under the License.
-from oslo_log import log as logging
+import logging
+
from tempest import config
from tempest.lib import exceptions
@@ -24,10 +25,17 @@
LOG = logging.getLogger(__name__)
-def action(component, service, rule):
+def action(service, rule):
def decorator(func):
def wrapper(*args, **kwargs):
- authority = rbac_auth.RbacAuthority(component, service)
+ try:
+ tenant_id = args[0].auth_provider.credentials.tenant_id
+ except (IndexError, AttributeError) as e:
+ msg = ("{0}: tenant_id not found in "
+ "cls.auth_provider.credentials".format(e))
+ LOG.error(msg)
+ raise rbac_exceptions.RbacResourceSetupFailed(msg)
+ authority = rbac_auth.RbacAuthority(tenant_id, service)
allowed = authority.get_permission(rule, CONF.rbac.rbac_test_role)
try:
diff --git a/patrole_tempest_plugin/rbac_utils.py b/patrole_tempest_plugin/rbac_utils.py
index 1150416..48d5b4c 100644
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -1,4 +1,4 @@
-# Copyright 2017 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
diff --git a/patrole_tempest_plugin/tests/api/compute/__init__.py b/patrole_tempest_plugin/tests/api/compute/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/__init__.py
diff --git a/patrole_tempest_plugin/tests/api/compute/rbac_base.py b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
new file mode 100644
index 0000000..030ee5c
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -0,0 +1,38 @@
+# Copyright 2017 AT&T Corporation
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.api.compute import base as compute_base
+from tempest import config
+
+CONF = config.CONF
+
+
+class BaseV2ComputeRbacTest(compute_base.BaseV2ComputeTest):
+
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseV2ComputeRbacTest, cls).skip_checks()
+ if not CONF.rbac.rbac_flag:
+ raise cls.skipException(
+ '%s skipped as RBAC flag not enabled' % cls.__name__)
+ if 'admin' not in CONF.auth.tempest_roles:
+ raise cls.skipException(
+ "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_clients(cls):
+ super(BaseV2ComputeRbacTest, cls).setup_clients()
+ cls.admin_client = cls.os_admin.agents_client
+ cls.auth_provider = cls.os.auth_provider
diff --git a/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py
new file mode 100644
index 0000000..3da3bd8
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/compute/test_absolute_limits_rbac.py
@@ -0,0 +1,47 @@
+# Copyright 2017 AT&T Corporation
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.compute import rbac_base
+from tempest import config
+from tempest.lib import decorators
+
+CONF = config.CONF
+
+
+class RBACAbsoluteLimitsTestJSON(rbac_base.BaseV2ComputeRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(RBACAbsoluteLimitsTestJSON, self).tearDown()
+
+ @classmethod
+ def setup_clients(cls):
+ super(RBACAbsoluteLimitsTestJSON, cls).setup_clients()
+ cls.identity_client = cls.os_adm.identity_client
+ cls.tenants_client = cls.os_adm.tenants_client
+
+ @classmethod
+ def skip_checks(cls):
+ super(RBACAbsoluteLimitsTestJSON, cls).skip_checks()
+ if not CONF.compute_feature_enabled.api_extensions:
+ raise cls.skipException(
+ '%s skipped as no compute extensions enabled' % cls.__name__)
+
+ @rbac_rule_validation.action(service="nova",
+ rule="os_compute_api:os-used-limits")
+ @decorators.idempotent_id('3fb60f83-9a5f-4fdd-89d9-26c3710844a1')
+ def test_used_limits_for_admin_rbac(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.limits_client.show_limits()
diff --git a/patrole_tempest_plugin/tests/api/image/rbac_base.py b/patrole_tempest_plugin/tests/api/image/rbac_base.py
new file mode 100644
index 0000000..5a9731a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/image/rbac_base.py
@@ -0,0 +1,60 @@
+# Copyright 2017 AT&T Corporation.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Maybe these should be in lib or recreated?
+from tempest.api.image import base as image_base
+from tempest import config
+
+CONF = config.CONF
+
+
+class BaseV1ImageRbacTest(image_base.BaseV1ImageTest):
+
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseV1ImageRbacTest, cls).skip_checks()
+ if not CONF.rbac.rbac_flag:
+ raise cls.skipException(
+ "%s skipped as RBAC Flag not enabled" % cls.__name__)
+ if 'admin' not in CONF.auth.tempest_roles:
+ raise cls.skipException(
+ "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_clients(cls):
+ super(BaseV1ImageRbacTest, cls).setup_clients()
+ cls.auth_provider = cls.os.auth_provider
+ cls.admin_client = cls.os_adm.image_client
+
+
+class BaseV2ImageRbacTest(image_base.BaseV2ImageTest):
+
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseV2ImageRbacTest, cls).skip_checks()
+ if not CONF.rbac.rbac_flag:
+ raise cls.skipException(
+ "%s skipped as RBAC Flag not enabled" % cls.__name__)
+ if 'admin' not in CONF.auth.tempest_roles:
+ raise cls.skipException(
+ "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_clients(cls):
+ super(BaseV2ImageRbacTest, cls).setup_clients()
+ cls.auth_provider = cls.os.auth_provider
+ cls.admin_client = cls.os_adm.image_client_v2
diff --git a/patrole_tempest_plugin/tests/api/image/v1/__init__.py b/patrole_tempest_plugin/tests/api/image/v1/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/image/v1/__init__.py
diff --git a/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
new file mode 100644
index 0000000..97c218a
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
@@ -0,0 +1,85 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.image import rbac_base as base
+
+CONF = config.CONF
+
+
+class ImagesMemberRbacTest(base.BaseV1ImageRbacTest):
+
+ credentials = ['primary', 'alt', 'admin']
+
+ @classmethod
+ def setup_clients(cls):
+ super(ImagesMemberRbacTest, cls).setup_clients()
+ cls.image_member_client = cls.os.image_member_client
+ cls.alt_image_member_client = cls.os_alt.image_member_client
+
+ @classmethod
+ def resource_setup(cls):
+ super(ImagesMemberRbacTest, cls).resource_setup()
+ cls.alt_tenant_id = cls.alt_image_member_client.tenant_id
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ImagesMemberRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="glance", rule="add_member")
+ @decorators.idempotent_id('bda2bb78-e6ec-4b87-ba6d-1eaf1b28fa8b')
+ def test_add_image_member(self):
+ """Add image member
+
+ RBAC test for the glance add_member policy
+ """
+ image = self.create_image()
+ # Toggle role and add image member
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.image_member_client.create_image_member(image['id'],
+ self.alt_tenant_id)
+
+ @rbac_rule_validation.action(service="glance", rule="delete_member")
+ @decorators.idempotent_id('9beaf28c-62b7-4c30-bbe5-4283aed1201c')
+ def test_delete_image_member(self):
+ """Delete image member
+
+ RBAC test for the glance delete_member policy
+ """
+ image = self.create_image()
+ self.image_member_client.create_image_member(image['id'],
+ self.alt_tenant_id)
+ # Toggle role and delete image member
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.image_member_client.delete_image_member(image['id'],
+ self.alt_tenant_id)
+
+ @rbac_rule_validation.action(service="glance", rule="get_members")
+ @decorators.idempotent_id('a0fcd855-31ef-458c-97e0-14a448cdd6da')
+ def test_list_image_members(self):
+ """List image members
+
+ RBAC test for the glance get_members policy
+ """
+ image = self.create_image()
+ self.image_member_client.create_image_member(image['id'],
+ self.alt_tenant_id)
+ # Toggle role and delete image member
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.image_member_client.list_image_members(image['id'])
diff --git a/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
new file mode 100644
index 0000000..ee6a2eb
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
@@ -0,0 +1,156 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from six import moves
+
+from tempest import config
+from tempest.lib.common.utils import data_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.image import rbac_base
+
+CONF = config.CONF
+
+
+class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(BasicOperationsImagesRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="glance", rule="add_image")
+ @decorators.idempotent_id('33248a04-6527-11e6-be0f-080027d0d606')
+ def test_create_image(self):
+ """Create Image Test
+
+ RBAC test for the glance add_image policy.
+ """
+ properties = {'prop1': 'val1'}
+ image_name = data_utils.rand_name('image')
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.create_image(name=image_name,
+ container_format='bare',
+ disk_format='raw',
+ is_public=False,
+ properties=properties)
+
+ @rbac_rule_validation.action(service="glance", rule="delete_image")
+ @decorators.idempotent_id('731c8c81-6c63-413b-a61a-050ce9ca16ad')
+ def test_delete_image(self):
+ """Delete Image Test
+
+ RBAC test for the glance delete_image policy.
+ """
+ image_name = data_utils.rand_name('image')
+ properties = {'prop1': 'val1'}
+ body = self.create_image(name=image_name,
+ container_format='bare',
+ disk_format='raw',
+ is_public=False,
+ properties=properties)
+ image_id = body['id']
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.delete_image(image_id)
+
+ @rbac_rule_validation.action(service="glance", rule="download_image")
+ @decorators.idempotent_id('a22bf112-5a3a-419e-9cd6-9562d1a3a458')
+ def test_download_image(self):
+ """Download Image Test
+
+ RBAC test for the glance download_image policy.
+ """
+ image_name = data_utils.rand_name('image')
+ properties = {'prop1': 'val1'}
+ body = self.create_image(name=image_name,
+ container_format='bare',
+ disk_format='raw',
+ is_public=False,
+ properties=properties)
+ image_id = body['id']
+ # Now try uploading an image file
+ image_file = moves.cStringIO(data_utils.random_bytes())
+ self.client.update_image(image_id, data=image_file)
+ # Toggle role and get created image
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.show_image(image_id)
+
+ @rbac_rule_validation.action(service="glance", rule="get_image")
+ @decorators.idempotent_id('110257aa-6fa3-4cc0-b8dd-d93d43acd45c')
+ def test_get_image(self):
+ """Get Image Test
+
+ RBAC test for the glance get_image policy.
+ """
+ image_name = data_utils.rand_name('image')
+ properties = {'prop1': 'val1'}
+ body = self.create_image(name=image_name,
+ container_format='bare',
+ disk_format='raw',
+ is_public=False,
+ properties=properties)
+ image_id = body['id']
+ # Now try uploading an image file
+ image_file = moves.cStringIO(data_utils.random_bytes())
+ self.client.update_image(image_id, data=image_file)
+ # Toggle role and get created image
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.check_image(image_id)
+
+ @rbac_rule_validation.action(service="glance", rule="get_images")
+ @decorators.idempotent_id('37662238-0fe9-4dff-8d90-e02f31e7e3fb')
+ def test_list_images(self):
+ """Get Image Test
+
+ RBAC test for the glance get_images policy.
+ """
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_images()
+
+ @rbac_rule_validation.action(service="glance", rule="modify_image")
+ @decorators.idempotent_id('3a391a19-d756-4c96-a346-72cc02f6106e')
+ def test_update_image(self):
+ """Update Image Test
+
+ RBAC test for the glance modify_image policy.
+ """
+ image_name = data_utils.rand_name('image')
+ properties = {'prop1': 'val1'}
+ body = self.create_image(name=image_name,
+ container_format='bare',
+ disk_format='raw',
+ is_public=False,
+ properties=properties)
+ image_id = body.get('id')
+ properties = {'prop1': 'val2'}
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.update_image(image_id, headers=properties)
+
+ @rbac_rule_validation.action(service="glance", rule="publicize_image")
+ @decorators.idempotent_id('d5b1d09f-ba47-4d56-913e-4f38733a9a5c')
+ def test_publicize_image(self):
+ """Publicize Image Test
+
+ RBAC test for the glance publicize_image policy.
+ """
+ image_name = data_utils.rand_name('image')
+ properties = {'prop1': 'val1'}
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.create_image(name=image_name,
+ container_format='bare',
+ disk_format='raw',
+ is_public=True,
+ properties=properties)
diff --git a/patrole_tempest_plugin/tests/api/image/v2/__init__.py b/patrole_tempest_plugin/tests/api/image/v2/__init__.py
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/image/v2/__init__.py
diff --git a/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
similarity index 92%
rename from patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
rename to patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
index 8131356..d6a6d62 100644
--- a/patrole_tempest_plugin/tests/api/image/test_images_member_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
@@ -1,4 +1,4 @@
-# Copyright 2016 ATT Corporation.
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -21,7 +21,7 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
-from patrole_tempest_plugin.tests.api import rbac_base as base
+from patrole_tempest_plugin.tests.api.image import rbac_base as base
CONF = config.CONF
LOG = logging.getLogger(__name__)
@@ -52,7 +52,7 @@
rbac_utils.switch_role(self, switchToRbacRole=False)
super(ImagesMemberRbacTest, self).setUp()
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="add_member")
@decorators.idempotent_id('b1b85ace-6484-11e6-881e-080027d0d606')
def test_add_image_member(self):
@@ -67,7 +67,7 @@
self.image_member_client.create_image_member(image_id,
member=self.alt_tenant_id)
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="delete_member")
@decorators.idempotent_id('ba075234-6484-11e6-881e-080027d0d606')
def test_delete_image_member(self):
@@ -84,7 +84,7 @@
self.image_member_client.delete_image_member(image_id,
self.alt_tenant_id)
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="get_member")
@decorators.idempotent_id('c01fd308-6484-11e6-881e-080027d0d606')
def test_show_image_member(self):
@@ -112,7 +112,7 @@
"image members")
raise rbac_exceptions.RbacActionFailed(e)
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="modify_member")
@decorators.idempotent_id('ca448bb2-6484-11e6-881e-080027d0d606')
def test_update_image_member(self):
@@ -131,7 +131,7 @@
image_id, self.image_client.tenant_id,
status='accepted')
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="get_members")
@decorators.idempotent_id('d0a2dc20-6484-11e6-881e-080027d0d606')
def test_list_image_members(self):
diff --git a/patrole_tempest_plugin/tests/api/image/test_images_rbac.py b/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
similarity index 91%
rename from patrole_tempest_plugin/tests/api/image/test_images_rbac.py
rename to patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
index 7df5461..5e20612 100644
--- a/patrole_tempest_plugin/tests/api/image/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
@@ -1,4 +1,4 @@
-# Copyright 2016 ATT Corporation.
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -22,7 +22,7 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
-from patrole_tempest_plugin.tests.api import rbac_base
+from patrole_tempest_plugin.tests.api.image import rbac_base
CONF = config.CONF
LOG = logging.getLogger(__name__)
@@ -39,7 +39,7 @@
rbac_utils.switch_role(self, switchToRbacRole=False)
super(BasicOperationsImagesRbacTest, self).tearDown()
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="add_image")
@decorators.idempotent_id('0f148510-63bf-11e6-b348-080027d0d606')
def test_create_image(self):
@@ -57,7 +57,7 @@
visibility='private',
ramdisk_id=uuid)
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="upload_image")
@decorators.idempotent_id('fdc0c7e2-ad58-4c5a-ba9d-1f6046a5b656')
def test_upload_image(self):
@@ -79,7 +79,7 @@
image_file = moves.cStringIO(data_utils.random_bytes())
self.client.store_image_file(body['id'], image_file)
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="delete_image")
@decorators.idempotent_id('3b5c341e-645b-11e6-ac4f-080027d0d606')
def test_delete_image(self):
@@ -99,7 +99,7 @@
self.client.delete_image(image_id)
self.client.wait_for_resource_deletion(image_id)
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="get_image")
@decorators.idempotent_id('3085c7c6-645b-11e6-ac4f-080027d0d606')
def test_show_image(self):
@@ -119,7 +119,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.show_image(image_id)
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="get_images")
@decorators.idempotent_id('bf1a4e94-645b-11e6-ac4f-080027d0d606')
def test_list_images(self):
@@ -133,7 +133,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.list_images()
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="modify_image")
@decorators.idempotent_id('32ecf48c-645e-11e6-ac4f-080027d0d606')
def test_update_image(self):
@@ -159,7 +159,7 @@
body = self.client.update_image(image_id, [
dict(replace='/name', value=new_image_name)])
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="publicize_image")
@decorators.idempotent_id('0ea4809c-6461-11e6-ac4f-080027d0d606')
def test_publicize_image(self):
@@ -175,7 +175,7 @@
disk_format='raw',
visibility='public')
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="deactivate")
@decorators.idempotent_id('b488458c-65df-11e6-9947-080027824017')
def test_deactivate_image(self):
@@ -199,7 +199,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self.client.deactivate_image(image_id)
- @rbac_rule_validation.action(component="Image", service="glance",
+ @rbac_rule_validation.action(service="glance",
rule="reactivate")
@decorators.idempotent_id('d3fa28b8-65df-11e6-9947-080027824017')
def test_reactivate_image(self):
diff --git a/patrole_tempest_plugin/tests/api/network/rbac_base.py b/patrole_tempest_plugin/tests/api/network/rbac_base.py
new file mode 100644
index 0000000..18a80a1
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/network/rbac_base.py
@@ -0,0 +1,40 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.api.network import base as network_base
+from tempest import config
+
+CONF = config.CONF
+
+
+class BaseNetworkRbacTest(network_base.BaseNetworkTest):
+
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseNetworkRbacTest, cls).skip_checks()
+ if not CONF.rbac.rbac_flag:
+ raise cls.skipException(
+ "%s skipped as RBAC Flag not enabled" % cls.__name__)
+ if 'admin' not in CONF.auth.tempest_roles:
+ raise cls.skipException(
+ "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_clients(cls):
+ super(BaseNetworkRbacTest, cls).setup_clients()
+ cls.auth_provider = cls.os.auth_provider
+ cls.admin_client = cls.os_adm.agents_client
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
index c53eba8..eb5c42a 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -1,4 +1,4 @@
-# Copyright 2016 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -23,7 +23,7 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
-from patrole_tempest_plugin.tests.api import rbac_base as base
+from patrole_tempest_plugin.tests.api.network import rbac_base as base
CONF = config.CONF
@@ -48,7 +48,7 @@
cls.networks.append(cls.admin_network)
# Create a subnet by admin user
- cls.cidr = netaddr.IPNetwork(CONF.network.tenant_network_cidr)
+ cls.cidr = netaddr.IPNetwork(CONF.network.project_network_cidr)
cls.admin_subnet = cls.create_subnet(cls.admin_network,
cidr=cls.cidr,
@@ -115,6 +115,8 @@
post_body['shared'] = shared_network
elif router_external is not None:
post_body['router:external'] = router_external
+ elif router_private is not None:
+ post_body['router:private'] = router_private
elif segments is not None:
post_body['segments'] = segments
else:
@@ -128,7 +130,7 @@
rbac_utils.switch_role(self, switchToRbacRole=False)
super(RbacNetworksTest, self).tearDown()
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="create_network")
@decorators.idempotent_id('95b9baab-1ece-4e2b-89c8-8d671d974e54')
def test_create_network(self):
@@ -140,7 +142,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_network()
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="create_network:shared")
@decorators.idempotent_id('ccabf2a9-28c8-44b2-80e6-ffd65d43eef2')
def test_create_network_shared(self):
@@ -152,7 +154,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_network(shared=True)
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="create_network:router:external")
@decorators.idempotent_id('51adf2a7-739c-41e0-8857-3b4c460cbd24')
def test_create_network_router_external(self):
@@ -164,7 +166,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self._create_network(router_external=True)
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="create_network:provider:network_type")
@decorators.idempotent_id('3c42f7b8-b80c-44ef-8fa4-69ec4b1836bc')
def test_create_network_provider_network_type(self):
@@ -177,7 +179,7 @@
self._create_network(provider_network_type='vxlan')
@rbac_rule_validation.action(
- component="Network", service="neutron",
+ service="neutron",
rule="create_network:provider:physical_network")
@decorators.idempotent_id('f458033b-2d52-4fd1-86db-e31e111d6fac')
def test_create_network_provider_physical_network(self):
@@ -191,7 +193,7 @@
provider_physical_network='ph-eth0')
@rbac_rule_validation.action(
- component="Network", service="neutron",
+ service="neutron",
rule="create_network:provider:segmentation_id")
@decorators.idempotent_id('b9decb7b-68ef-4504-b99b-41edbf7d2af5')
def test_create_network_provider_segmentation_id(self):
@@ -204,7 +206,7 @@
self._create_network(provider_network_type='vxlan',
provider_segmentation_id=200)
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="update_network")
@decorators.idempotent_id('6485bb4e-e110-48ae-83e1-3ec8b40c3107')
def test_update_network(self):
@@ -221,7 +223,7 @@
updated_network = self._update_network(admin=True)
self.assertEqual(updated_network['admin_state_up'], True)
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="update_network:shared")
@decorators.idempotent_id('37ea3e33-47d9-49fc-9bba-1af98fbd46d6')
def test_update_network_shared(self):
@@ -238,7 +240,7 @@
updated_network = self._update_network(shared_network=False)
self.assertEqual(updated_network['shared'], False)
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="update_network:router:external")
@decorators.idempotent_id('34884c22-499b-4960-97f1-e2ed8522a9c9')
def test_update_network_router_external(self):
@@ -255,7 +257,7 @@
updated_network = self._update_network(router_external=False)
self.assertEqual(updated_network['router:external'], False)
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="get_network")
@decorators.idempotent_id('0eb62d04-338a-4ff4-a8fa-534e52110534')
def test_show_network(self):
@@ -268,7 +270,7 @@
# show a network that has been created during class setup
self.networks_client.show_network(self.admin_network['id'])
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="get_network:router:external")
@decorators.idempotent_id('529e4814-22e9-413f-af48-8fefcd637344')
def test_show_network_router_external(self):
@@ -283,7 +285,7 @@
self.networks_client.show_network(self.admin_network['id'],
**post_body)
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="get_network:provider:network_type")
@decorators.idempotent_id('6521dd60-0950-458b-8491-09d3c84ac0f4')
def test_show_network_provider_network_type(self):
@@ -302,7 +304,7 @@
if len(showed_net) == 0:
raise rbac_exceptions.RbacActionFailed
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="get_network:provider:physical_network")
@decorators.idempotent_id('c049f11a-240c-4a85-ad43-a4d3fd0a5e39')
def test_show_network_provider_physical_network(self):
@@ -321,7 +323,7 @@
if len(showed_net) == 0:
raise rbac_exceptions.RbacActionFailed
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="get_network:provider:segmentation_id")
@decorators.idempotent_id('38d9f085-6365-4f81-bac9-c53c294d727e')
def test_show_network_provider_segmentation_id(self):
@@ -343,7 +345,7 @@
key = showed_net.get('provider:segmentation_id', "NotFound")
self.assertIsNot(key, "NotFound")
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="delete_network")
@decorators.idempotent_id('56ca50ed-ac58-49d6-b239-ed39e7124d5c')
def test_delete_network(self):
@@ -356,7 +358,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self.networks_client.delete_network(network['id'])
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="create_subnet")
@decorators.idempotent_id('44f42aaf-8a9a-4678-868a-b8fe82689554')
def test_create_subnet(self):
@@ -372,7 +374,7 @@
# Create a subnet
self.create_subnet(network, enable_dhcp=False)
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="get_subnet")
@decorators.idempotent_id('eb88be84-2465-482b-a40b-5201acb41152')
def test_show_subnet(self):
@@ -384,7 +386,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self.subnets_client.show_subnet(self.admin_subnet['id'])
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="update_subnet")
@decorators.idempotent_id('1bfeaec5-83b9-4140-8138-93a0a9d04cee')
def test_update_subnet(self):
@@ -397,7 +399,7 @@
self.subnets_client.update_subnet(self.admin_subnet['id'],
name="New_subnet")
- @rbac_rule_validation.action(component="Network", service="neutron",
+ @rbac_rule_validation.action(service="neutron",
rule="delete_subnet")
@decorators.idempotent_id('1ad1400f-dc84-4edb-9674-b33bbfb0d3e3')
def test_delete_subnet(self):
diff --git a/patrole_tempest_plugin/tests/api/rbac_base.py b/patrole_tempest_plugin/tests/api/rbac_base.py
deleted file mode 100644
index 3243456..0000000
--- a/patrole_tempest_plugin/tests/api/rbac_base.py
+++ /dev/null
@@ -1,104 +0,0 @@
-# Copyright 2017 at&t
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# Maybe these should be in lib or recreated?
-from tempest.api.image import base as image_base
-from tempest.api.network import base as network_base
-from tempest.api.volume import base as vol_base
-from tempest import config
-
-CONF = config.CONF
-
-
-class BaseV2ImageRbacTest(image_base.BaseV2ImageTest):
-
- credentials = ['primary', 'admin']
-
- @classmethod
- def skip_checks(cls):
- super(BaseV2ImageRbacTest, cls).skip_checks()
- if not CONF.rbac.rbac_flag:
- raise cls.skipException(
- "%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
-
- @classmethod
- def setup_clients(cls):
- super(BaseV2ImageRbacTest, cls).setup_clients()
- cls.auth_provider = cls.os.auth_provider
- cls.admin_client = cls.os_adm.image_client_v2
-
-
-class BaseVolumeRbacTest(vol_base.BaseVolumeTest):
-
- credentials = ['primary', 'admin']
-
- @classmethod
- def skip_checks(cls):
- super(BaseVolumeRbacTest, cls).skip_checks()
- if not CONF.rbac.rbac_flag:
- raise cls.skipException(
- "%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
-
- @classmethod
- def setup_clients(cls):
- super(BaseVolumeRbacTest, cls).setup_clients()
- cls.auth_provider = cls.os.auth_provider
- cls.admin_client = cls.os_adm.volumes_client
-
-
-class BaseVolumeAdminRbacTest(vol_base.BaseVolumeAdminTest):
-
- credentials = ['primary', 'admin']
-
- @classmethod
- def skip_checks(cls):
- super(BaseVolumeAdminRbacTest, cls).skip_checks()
- if not CONF.rbac.rbac_flag:
- raise cls.skipException(
- "%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
-
- @classmethod
- def setup_clients(cls):
- super(BaseVolumeAdminRbacTest, cls).setup_clients()
- cls.auth_provider = cls.os.auth_provider
- cls.admin_client = cls.os_adm.volumes_client
-
-
-class BaseNetworkRbacTest(network_base.BaseNetworkTest):
-
- credentials = ['primary', 'admin']
-
- @classmethod
- def skip_checks(cls):
- super(BaseNetworkRbacTest, cls).skip_checks()
- if not CONF.rbac.rbac_flag:
- raise cls.skipException(
- "%s skipped as RBAC Flag not enabled" % cls.__name__)
- if 'admin' not in CONF.auth.tempest_roles:
- raise cls.skipException(
- "%s skipped because tempest roles is not admin" % cls.__name__)
-
- @classmethod
- def setup_clients(cls):
- super(BaseNetworkRbacTest, cls).setup_clients()
- cls.auth_provider = cls.os.auth_provider
- cls.admin_client = cls.os_adm.agents_client
diff --git a/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py b/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py
new file mode 100644
index 0000000..197cbf6
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py
@@ -0,0 +1,163 @@
+# Copyright 2017 AT&T Corp
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib.common.utils import test_utils
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
+ @classmethod
+ def setup_clients(cls):
+ super(VolumeQOSRbacTest, cls).setup_clients()
+ cls.admin_client = cls.os_adm.volume_qos_client
+ cls.auth_provider = cls.os.auth_provider
+ cls.client = cls.admin_volume_qos_client
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumeQOSRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(
+ service="cinder", rule="volume_extension:qos_specs_manage:create")
+ @decorators.idempotent_id('4f9f45f0-b379-4577-a279-cec3e917cbec')
+ def test_create_qos_with_consumer(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Create a qos
+ self.create_test_qos_specs()
+
+ @rbac_rule_validation.action(
+ service="cinder", rule="volume_extension:qos_specs_manage:delete")
+ @decorators.idempotent_id('fbc8a77e-6b6d-45ae-bebe-c496eb8f06f7')
+ def test_delete_qos_with_consumer(self):
+ # Create a qos
+ qos = self.create_test_qos_specs()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Delete a qos
+ self.client.delete_qos(qos['id'])
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:qos_specs_manage:read")
+ @decorators.idempotent_id('22aff0dd-0343-408d-ae80-e77551956e14')
+ def test_get_qos(self):
+ # Create a qos
+ qos = self.create_test_qos_specs()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Get a qos
+ self.client.show_qos(qos['id'])['qos_specs']
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:qos_specs_manage:read")
+ @decorators.idempotent_id('546b8bb1-04a4-4387-9506-a538a7f3cd6a')
+ def test_list_qos(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # list all qos
+ self.client.list_qos()['qos_specs']
+
+ @rbac_rule_validation.action(
+ service="cinder", rule="volume_extension:qos_specs_manage:update")
+ @decorators.idempotent_id('89b630b7-c170-47c3-ac80-50ed425c2d98')
+ def test_set_qos_key(self):
+ # Create a qos
+ qos = self.create_test_qos_specs()
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # set key
+ self.client.set_qos_key(qos['id'], iops_bytes='500')['qos_specs']
+
+ @rbac_rule_validation.action(
+ service="cinder", rule="volume_extension:qos_specs_manage:update")
+ @decorators.idempotent_id('6c50c837-de77-4dae-a2ec-30e05c62969c')
+ def test_unset_qos_key(self):
+ # Create a qos
+ qos = self.create_test_qos_specs()
+ # Set key
+ self.client.set_qos_key(qos['id'], iops_bytes='500')['qos_specs']
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # Unset key
+ keys = ['iops_bytes']
+ self.client.unset_qos_key(qos['id'], keys)
+ operation = 'qos-key-unset'
+ waiters.wait_for_qos_operations(self.client, qos['id'],
+ operation, args=keys)
+
+ @rbac_rule_validation.action(
+ service="cinder", rule="volume_extension:qos_specs_manage:update")
+ @decorators.idempotent_id('2047b347-8bbe-405e-bf5a-c75a0d7e3930')
+ def test_associate_qos(self):
+ # Create a qos
+ qos = self.create_test_qos_specs()
+ # create a test volume-type
+ vol_type = self.create_volume_type()['id']
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # associate the qos-specs with volume-types
+ self.client.associate_qos(qos['id'], vol_type)
+ self.addCleanup(self.client.disassociate_qos, qos['id'], vol_type)
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume_extension:qos_specs_manage:read")
+ @decorators.idempotent_id('ff1e98f3-d456-40a9-96d4-c7e4a55dcffa')
+ def test_get_association_qos(self):
+ # create a test volume-type
+ qos = self.create_test_qos_specs()
+ vol_type = self.create_volume_type()['id']
+ # associate the qos-specs with volume-types
+ self.client.associate_qos(qos['id'], vol_type)
+ self.addCleanup(self.client.disassociate_qos, qos['id'], vol_type)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # get the association of the qos-specs
+ self.client.show_association_qos(qos['id'])
+
+ @rbac_rule_validation.action(
+ service="cinder", rule="volume_extension:qos_specs_manage:update")
+ @decorators.idempotent_id('f12aeca1-0c02-4f33-b805-014171e5b2d4')
+ def test_disassociate_qos(self):
+ # create a test volume-type
+ qos = self.create_test_qos_specs()
+ vol_type = self.create_volume_type()['id']
+ # associate the qos-specs with volume-types
+ self.client.associate_qos(qos['id'], vol_type)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.client.disassociate_qos, qos['id'], vol_type)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # disassociate a volume-type with qos-specs
+ self.client.disassociate_qos(qos['id'], vol_type)
+ operation = 'disassociate'
+ waiters.wait_for_qos_operations(self.client, qos['id'],
+ operation, args=vol_type)
+
+ @rbac_rule_validation.action(
+ service="cinder", rule="volume_extension:qos_specs_manage:update")
+ @decorators.idempotent_id('9f6e664d-a5d9-4e71-b122-73a3086be1b9')
+ def test_disassociate_all_qos(self):
+ qos = self.create_test_qos_specs()
+ # create a test volume-type
+ vol_type = self.create_volume_type()['id']
+ # associate the qos-specs with volume-types
+ self.client.associate_qos(qos['id'], vol_type)
+ self.addCleanup(test_utils.call_and_ignore_notfound_exc,
+ self.client.disassociate_qos, qos['id'], vol_type)
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ # disassociate all volume-types from qos-specs
+ self.client.disassociate_all_qos(qos['id'])
+ operation = 'disassociate-all'
+ waiters.wait_for_qos_operations(self.client, qos['id'],
+ operation)
diff --git a/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py b/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py
index 1595eac..c4bd578 100644
--- a/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py
@@ -1,4 +1,4 @@
-# Copyright 2017 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -20,7 +20,7 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
-from patrole_tempest_plugin.tests.api import rbac_base
+from patrole_tempest_plugin.tests.api.volume import rbac_base
QUOTA_KEYS = ['gigabytes', 'snapshots', 'volumes']
QUOTA_USAGE_KEYS = ['reserved', 'limit', 'in_use']
@@ -44,7 +44,7 @@
rbac_utils.switch_role(self, switchToRbacRole=False)
super(VolumeQuotasAdminRbacTest, self).tearDown()
- @rbac_rule_validation.action(component="Volume", service="cinder",
+ @rbac_rule_validation.action(service="cinder",
rule="volume_extension:quotas:show")
@decorators.idempotent_id('b3c7177e-b6b1-4d0f-810a-fc95606964dd')
def test_list_default_quotas(self):
@@ -52,7 +52,7 @@
self.client.show_default_quota_set(
self.demo_tenant_id)['quota_set']
- @rbac_rule_validation.action(component="Volume", service="cinder",
+ @rbac_rule_validation.action(service="cinder",
rule="volume_extension:quotas:update")
@decorators.idempotent_id('60f8f421-1630-4953-b449-b22af32265c7')
def test_update_all_quota_resources_for_tenant(self):
diff --git a/patrole_tempest_plugin/tests/api/volume/rbac_base.py b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
new file mode 100644
index 0000000..67953ee
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
@@ -0,0 +1,59 @@
+# Copyright 2017 AT&T Corporation.
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.api.volume import base as vol_base
+from tempest import config
+
+CONF = config.CONF
+
+
+class BaseVolumeRbacTest(vol_base.BaseVolumeTest):
+
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseVolumeRbacTest, cls).skip_checks()
+ if not CONF.rbac.rbac_flag:
+ raise cls.skipException(
+ "%s skipped as RBAC Flag not enabled" % cls.__name__)
+ if 'admin' not in CONF.auth.tempest_roles:
+ raise cls.skipException(
+ "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_clients(cls):
+ super(BaseVolumeRbacTest, cls).setup_clients()
+ cls.auth_provider = cls.os.auth_provider
+ cls.admin_client = cls.os_adm.volumes_client
+
+
+class BaseVolumeAdminRbacTest(vol_base.BaseVolumeAdminTest):
+
+ credentials = ['primary', 'admin']
+
+ @classmethod
+ def skip_checks(cls):
+ super(BaseVolumeAdminRbacTest, cls).skip_checks()
+ if not CONF.rbac.rbac_flag:
+ raise cls.skipException(
+ "%s skipped as RBAC Flag not enabled" % cls.__name__)
+ if 'admin' not in CONF.auth.tempest_roles:
+ raise cls.skipException(
+ "%s skipped because tempest roles is not admin" % cls.__name__)
+
+ @classmethod
+ def setup_clients(cls):
+ super(BaseVolumeAdminRbacTest, cls).setup_clients()
+ cls.auth_provider = cls.os.auth_provider
+ cls.admin_client = cls.os_adm.volumes_client
diff --git a/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py
new file mode 100644
index 0000000..d6426dd
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py
@@ -0,0 +1,42 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class AvailabilityZoneRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(AvailabilityZoneRbacTest, cls).setup_clients()
+ cls.client = cls.availability_zone_client
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(AvailabilityZoneRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:availability_zone_list")
+ @decorators.idempotent_id('8cfd920c-4b6c-402d-b6e2-ede86bedc702')
+ def test_get_availability_zone_list(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_availability_zones()
diff --git a/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py
new file mode 100644
index 0000000..a0ff55f
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py
@@ -0,0 +1,41 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class ExtensionsRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(ExtensionsRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:list_extensions")
+ @decorators.idempotent_id('7f2dcc41-e850-493f-a400-82db4e2b50c0')
+ def test_list_extensions(self):
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_extension_client.list_extensions()
+
+
+class ExtensionsV3RbacTest(ExtensionsRbacTest):
+ _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
index 9718bfc..c321400 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
@@ -1,4 +1,4 @@
-# Copyright 2016 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -20,7 +20,7 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
-from patrole_tempest_plugin.tests.api import rbac_base
+from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
LOG = logging.getLogger(__name__)
@@ -53,7 +53,7 @@
cls.snapshot_id = cls.snapshot['id']
@rbac_rule_validation.action(
- component="Volume", service="cinder",
+ service="cinder",
rule="volume_extension:snapshot_admin_actions:reset_status")
@decorators.idempotent_id('ea430145-34ef-408d-b678-95d5ae5f46eb')
def test_reset_snapshot_status(self):
@@ -64,7 +64,7 @@
reset_snapshot_status(self.snapshot['id'], status)
@rbac_rule_validation.action(
- component="Volume", service="cinder",
+ service="cinder",
rule="volume_extension:volume_admin_actions:force_delete")
@decorators.idempotent_id('a8b0f7d8-4c00-4645-b8d5-33ab4eecc6cb')
def test_snapshot_force_delete(self):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
index e535f96..4814fa7 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
@@ -1,4 +1,4 @@
-# Copyright 2016 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -22,7 +22,7 @@
from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
-from patrole_tempest_plugin.tests.api import rbac_base
+from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
LOG = logging.getLogger(__name__)
@@ -41,7 +41,7 @@
volume = self.create_volume()
return volume
- @rbac_rule_validation.action(component="Volume", service="cinder",
+ @rbac_rule_validation.action(service="cinder",
rule="volume:create")
@decorators.idempotent_id('426b08ef-6394-4d06-9128-965d5a6c38ef')
def test_create_volume(self):
@@ -49,7 +49,7 @@
# Create a volume
self._create_volume()
- @rbac_rule_validation.action(component="Volume", service="cinder",
+ @rbac_rule_validation.action(service="cinder",
rule="volume:delete")
@decorators.idempotent_id('6de9f9c2-509f-4558-867b-af21c7163be4')
def test_delete_volume(self):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
index 9c5d2d9..234865c 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@@ -1,4 +1,4 @@
-# Copyright 2017 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -20,7 +20,7 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
-from patrole_tempest_plugin.tests.api import rbac_base
+from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
LOG = logging.getLogger(__name__)
@@ -45,7 +45,7 @@
self.volumes_client.create_volume_metadata(volume['id'],
metadata)['metadata']
- @rbac_rule_validation.action(component="Volume", service="cinder",
+ @rbac_rule_validation.action(service="cinder",
rule="volume:update_volume_metadata")
@decorators.idempotent_id('232bbb8b-4c29-44dc-9077-b1398c20b738')
def test_create_volume_metadata(self):
@@ -53,7 +53,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self._add_metadata(volume)
- @rbac_rule_validation.action(component="Volume", service="cinder",
+ @rbac_rule_validation.action(service="cinder",
rule="volume:get")
@decorators.idempotent_id('87ea37d9-23ab-47b2-a59c-16fc4d2c6dfa')
def test_get_volume_metadata(self):
@@ -62,7 +62,7 @@
rbac_utils.switch_role(self, switchToRbacRole=True)
self.volumes_client.show_volume_metadata(volume['id'])['metadata']
- @rbac_rule_validation.action(component="Volume", service="cinder",
+ @rbac_rule_validation.action(service="cinder",
rule="volume:delete_volume_metadata")
@decorators.idempotent_id('7498dfc1-9db2-4423-ad20-e6dcb25d1beb')
def test_delete_volume_metadata(self):
@@ -72,7 +72,7 @@
self.volumes_client.delete_volume_metadata_item(volume['id'],
"key1")
- @rbac_rule_validation.action(component="Volume", service="cinder",
+ @rbac_rule_validation.action(service="cinder",
rule="volume:update_volume_metadata")
@decorators.idempotent_id('8ce2ff80-99ba-49ae-9bb1-7e96729ee5af')
def test_update_volume_metadata(self):
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py
new file mode 100644
index 0000000..87e98e2
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py
@@ -0,0 +1,52 @@
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest.common import waiters
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesExtendRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumesExtendRbacTest, self).tearDown()
+
+ @classmethod
+ def resource_setup(cls):
+ super(VolumesExtendRbacTest, cls).resource_setup()
+ # Create a test shared volume for tests
+ cls.volume = cls.create_volume()
+
+ @rbac_rule_validation.action(service="cinder", rule="volume:extend")
+ @decorators.idempotent_id('1627b065-4081-4e14-8340-8e4fb02ceaf2')
+ def test_volume_extend(self):
+ # Extend volume test
+ extend_size = int(self.volume['size']) + 1
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.volumes_client.extend_volume(self.volume['id'],
+ new_size=extend_size)
+ waiters.wait_for_volume_status(self.volumes_client, self.volume['id'],
+ 'available')
+
+
+class VolumesExtendV3RbacTest(VolumesExtendRbacTest):
+ _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
new file mode 100644
index 0000000..90e238c
--- /dev/null
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
@@ -0,0 +1,56 @@
+# Copyright 2017 AT&T Corp
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from tempest import config
+from tempest.lib import decorators
+
+from patrole_tempest_plugin import rbac_rule_validation
+from patrole_tempest_plugin.rbac_utils import rbac_utils
+from patrole_tempest_plugin.tests.api.volume import rbac_base
+
+CONF = config.CONF
+
+
+class VolumesListRbacTest(rbac_base.BaseVolumeRbacTest):
+
+ @classmethod
+ def setup_clients(cls):
+ super(VolumesListRbacTest, cls).setup_clients()
+ cls.client = cls.os.volumes_client
+
+ def tearDown(self):
+ rbac_utils.switch_role(self, switchToRbacRole=False)
+ super(VolumesListRbacTest, self).tearDown()
+
+ @rbac_rule_validation.action(service="cinder",
+ rule="volume:get_all")
+ @decorators.idempotent_id('e3ab7906-b04b-4c45-aa11-1104d302f940')
+ def test_volume_list(self):
+ # Get a list of Volumes
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_volumes()
+
+ @rbac_rule_validation.action(
+ service="cinder",
+ rule="volume_extension:get_volumes_image_metadata")
+ @decorators.idempotent_id('3d48ca91-f02b-4616-a69d-4a8b296c8529')
+ def test_volume_list_image_metadata(self):
+ # Get a list of Volumes
+ rbac_utils.switch_role(self, switchToRbacRole=True)
+ self.client.list_volumes(detail=True)
+
+
+class VolumeListV3RbacTest(VolumesListRbacTest):
+ _api_version = 3
diff --git a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
index 632abdd..5d889e8 100644
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
@@ -1,4 +1,4 @@
-# Copyright 2016 AT&T Corp
+# Copyright 2017 AT&T Corporation.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -20,7 +20,7 @@
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.rbac_utils import rbac_utils
-from patrole_tempest_plugin.tests.api import rbac_base
+from patrole_tempest_plugin.tests.api.volume import rbac_base
CONF = config.CONF
LOG = logging.getLogger(__name__)
@@ -38,7 +38,7 @@
super(VolumesRbacTest, self).tearDown()
@rbac_rule_validation.action(
- component="Volume", service="cinder",
+ service="cinder",
rule="volume_extension:volume_admin_actions:reset_status")
@decorators.idempotent_id('4b3dad7d-0e73-4839-8781-796dd3d7af1d')
def test_volume_reset_status(self):
@@ -49,7 +49,7 @@
self.client.reset_volume_status(volume['id'], status='availble')
@rbac_rule_validation.action(
- component="Volume", service="cinder",
+ service="cinder",
rule="volume_extension:volume_admin_actions:force_delete")
@decorators.idempotent_id('a312a937-6abf-4b91-a950-747086cbce48')
def test_volume_force_delete_when_volume_is_error(self):
diff --git a/setup.py b/setup.py
index 3dccac1..f730546 100644
--- a/setup.py
+++ b/setup.py
@@ -1,4 +1,5 @@
-# Copyright (c) 2016 AT&T inc.
+# Copyright 2017 ATT Corporation.
+# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/tests/base.py b/tests/base.py
index 14872ac..d73ff43 100644
--- a/tests/base.py
+++ b/tests/base.py
@@ -1,6 +1,6 @@
# Copyright 2010-2011 OpenStack Foundation
# Copyright (c) 2013 Hewlett-Packard Development Company, L.P.
-# Copyright (c) 2016 AT&T Inc
+# Copyright 2017 AT&T Corporation.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
diff --git a/tests/resources/admin_rbac_policy.json b/tests/resources/admin_rbac_policy.json
new file mode 100644
index 0000000..7828921
--- /dev/null
+++ b/tests/resources/admin_rbac_policy.json
@@ -0,0 +1,6 @@
+{
+ "admin_rule": "role:admin",
+ "is_admin_rule": "is_admin:True",
+ "alt_admin_rule": "is_admin:True or (role:admin and is_project_admin:True)",
+ "non_admin_rule": "role:Member"
+}
diff --git a/tests/custom_rbac_policy.json b/tests/resources/custom_rbac_policy.json
similarity index 100%
rename from tests/custom_rbac_policy.json
rename to tests/resources/custom_rbac_policy.json
diff --git a/tests/test_patrole.py b/tests/test_patrole.py
index 3e85142..d374e20 100644
--- a/tests/test_patrole.py
+++ b/tests/test_patrole.py
@@ -1,4 +1,5 @@
-# Copyright (c) 2016 AT&T Inc
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
diff --git a/tests/test_rbac_role_converter.py b/tests/test_rbac_role_converter.py
index 942d7d0..04eb626 100644
--- a/tests/test_rbac_role_converter.py
+++ b/tests/test_rbac_role_converter.py
@@ -1,4 +1,5 @@
-# Copyright 2017 AT&T Inc.
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
@@ -29,19 +30,18 @@
current_directory = os.path.dirname(os.path.realpath(__file__))
self.custom_policy_file = os.path.join(current_directory,
+ 'resources',
'custom_rbac_policy.json')
+ self.admin_policy_file = os.path.join(current_directory,
+ 'resources',
+ 'admin_rbac_policy.json')
def test_custom_policy(self):
default_roles = ['zero', 'one', 'two', 'three', 'four',
'five', 'six', 'seven', 'eight', 'nine']
- CONF.set_override('rbac_roles', default_roles, group='rbac',
- enforce_type=True)
- self.converter = rbac_role_converter.RbacPolicyConverter(
- "custom",
- self.custom_policy_file
- )
- self.roles_dict = self.converter.rules
+ converter = rbac_role_converter.RbacPolicyConverter(
+ None, "test", self.custom_policy_file)
expected = {
'policy_action_1': ['two', 'four', 'six', 'eight'],
@@ -55,13 +55,49 @@
fake_rule = 'fake_rule'
- self.assertFalse(fake_rule in self.roles_dict.keys())
+ for role in default_roles:
+ self.assertRaises(KeyError, converter.allowed, fake_rule, role)
- for rule in expected.keys():
- self.assertTrue(rule in self.roles_dict.keys())
- expected_roles = expected[rule]
- unexpected_roles = set(default_roles) - set(expected[rule])
- for role in expected_roles:
- self.assertTrue(role in self.roles_dict[rule])
- for role in unexpected_roles:
- self.assertFalse(role in self.roles_dict[rule])
+ for rule, role_list in expected.items():
+ for role in role_list:
+ self.assertTrue(converter.allowed(rule, role))
+ for role in set(default_roles) - set(role_list):
+ self.assertFalse(converter.allowed(rule, role))
+
+ def test_admin_policy_file_with_admin_role(self):
+ converter = rbac_role_converter.RbacPolicyConverter(
+ None, "test", self.admin_policy_file)
+
+ role = 'admin'
+ allowed_rules = [
+ 'admin_rule'
+ ]
+ disallowed_rules = [
+ 'is_admin_rule', 'alt_admin_rule', 'non_admin_rule']
+
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertTrue(allowed)
+
+ for rule in disallowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertFalse(allowed)
+
+ def test_admin_policy_file_with_member_role(self):
+ converter = rbac_role_converter.RbacPolicyConverter(
+ None, "test", self.admin_policy_file)
+
+ role = 'Member'
+ allowed_rules = [
+ 'non_admin_rule'
+ ]
+ disallowed_rules = [
+ 'admin_rule', 'is_admin_rule', 'alt_admin_rule']
+
+ for rule in allowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertTrue(allowed)
+
+ for rule in disallowed_rules:
+ allowed = converter.allowed(rule, role)
+ self.assertFalse(allowed)
diff --git a/tests/test_rbac_rule_validation.py b/tests/test_rbac_rule_validation.py
index a8e2be3..edc442e 100644
--- a/tests/test_rbac_rule_validation.py
+++ b/tests/test_rbac_rule_validation.py
@@ -25,31 +25,42 @@
class RBACRuleValidationTest(base.TestCase):
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_happy_path(self, mock_auth):
- decorator = rbac_rv.action("", "", "")
+ decorator = rbac_rv.action("", "")
mock_function = mock.Mock()
+ mock_args = mock.MagicMock(**{
+ 'auth_provider.credentials.tenant_id': 'tenant_id'
+ })
wrapper = decorator(mock_function)
- wrapper()
+ wrapper((mock_args))
self.assertTrue(mock_function.called)
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_forbidden(self, mock_auth):
- decorator = rbac_rv.action("", "", "")
+ decorator = rbac_rv.action("", "")
mock_function = mock.Mock()
mock_function.side_effect = exceptions.Forbidden
wrapper = decorator(mock_function)
- self.assertRaises(exceptions.Forbidden, wrapper)
+ mock_args = mock.MagicMock(**{
+ 'auth_provider.credentials.tenant_id': 'tenant_id'
+ })
+
+ self.assertRaises(exceptions.Forbidden, wrapper, mock_args)
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_rbac_action_failed(self, mock_auth):
- decorator = rbac_rv.action("", "", "")
+ decorator = rbac_rv.action("", "")
mock_function = mock.Mock()
mock_function.side_effect = rbac_exceptions.RbacActionFailed
+ mock_args = mock.MagicMock(**{
+ 'auth_provider.credentials.tenant_id': 'tenant_id'
+ })
+
wrapper = decorator(mock_function)
- self.assertRaises(exceptions.Forbidden, wrapper)
+ self.assertRaises(exceptions.Forbidden, wrapper, mock_args)
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_not_allowed(self, mock_auth):
- decorator = rbac_rv.action("", "", "")
+ decorator = rbac_rv.action("", "")
mock_function = mock.Mock()
wrapper = decorator(mock_function)
@@ -58,25 +69,33 @@
mock_permission.get_permission.return_value = False
mock_auth.return_value = mock_permission
- self.assertRaises(rbac_exceptions.RbacOverPermission, wrapper)
+ mock_args = mock.MagicMock(**{
+ 'auth_provider.credentials.tenant_id': 'tenant_id'
+ })
+
+ self.assertRaises(rbac_exceptions.RbacOverPermission, wrapper,
+ mock_args)
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_forbidden_not_allowed(self, mock_auth):
- decorator = rbac_rv.action("", "", "")
+ decorator = rbac_rv.action("", "")
mock_function = mock.Mock()
mock_function.side_effect = exceptions.Forbidden
+ mock_args = mock.MagicMock(**{
+ 'auth_provider.credentials.tenant_id': 'tenant_id'
+ })
wrapper = decorator(mock_function)
mock_permission = mock.Mock()
mock_permission.get_permission.return_value = False
mock_auth.return_value = mock_permission
- self.assertIsNone(wrapper())
+ self.assertIsNone(wrapper(mock_args))
@mock.patch('patrole_tempest_plugin.rbac_auth.RbacAuthority')
def test_RBAC_rv_rbac_action_failed_not_allowed(self, mock_auth):
- decorator = rbac_rv.action("", "", "")
+ decorator = rbac_rv.action("", "")
mock_function = mock.Mock()
mock_function.side_effect = rbac_exceptions.RbacActionFailed
@@ -86,4 +105,8 @@
mock_permission.get_permission.return_value = False
mock_auth.return_value = mock_permission
- self.assertIsNone(wrapper())
+ mock_args = mock.MagicMock(**{
+ 'auth_provider.credentials.tenant_id': 'tenant_id'
+ })
+
+ self.assertIsNone(wrapper(mock_args))
diff --git a/tests/test_rbac_utils.py b/tests/test_rbac_utils.py
index 657b389..3c645f8 100644
--- a/tests/test_rbac_utils.py
+++ b/tests/test_rbac_utils.py
@@ -1,4 +1,5 @@
-# Copyright 2017 AT&T Inc.
+# Copyright 2017 AT&T Corporation.
+# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain