Helper for validating RBAC list actions
List RBAC actions typically perform soft authorization checks meaning
that the response bodies omit resources that the user isn't authorized
to see.
For example, if an admin user creates a user, member role might not be
able to see that user when listing all the users in a tenant,
depending on the RBAC rule.
This patch set adds override_role_and_validate_list function to
RbacUtils to validate RBAC flows for API list actions.
Change-Id: I5f39efc8aa0004d4ad435cbd6b8fb037c33832d6
diff --git a/patrole_tempest_plugin/rbac_exceptions.py b/patrole_tempest_plugin/rbac_exceptions.py
index ad697b0..c30961b 100644
--- a/patrole_tempest_plugin/rbac_exceptions.py
+++ b/patrole_tempest_plugin/rbac_exceptions.py
@@ -47,7 +47,7 @@
"""Raised when a list or show action is empty following RBAC authorization
failure.
"""
- message = ("The response body is empty due to policy enforcement failure.")
+ message = "The response body is empty due to policy enforcement failure."
class RbacResourceSetupFailed(BasePatroleException):
@@ -104,3 +104,16 @@
* an exception is raised after ``override_role`` context
"""
message = "Override role failure or incorrect usage"
+
+
+class RbacValidateListException(BasePatroleException):
+ """Raised when override_role_and_validate_list is used incorrectly.
+
+ Specifically, when:
+
+ * Neither ``resource_id`` nor ``resources`` is initialized
+ * Both ``resource_id`` and ``resources`` are initialized
+ * The ``ctx.resources`` variable wasn't set in
+ override_role_and_validate_list context.
+ """
+ message = "Incorrect usage of override_role_and_validate_list: %(reason)s"