Fix flavor_rxtx_rbac
Updates flavor_rxtx to more thoroughly test policy enforcement
by
- making use of RbacMalformedResponse to ensure rxtx_factor
is included in response body
- adding new flavor_rxtx tests
Currently, POST /flavors is not tested as that action also
enforces os-flavor-manage: create, which is admin-only by
default and would therefore fail due to conflicting policy
restrictions. This test will be added once multi-policy
support is available.
Change-Id: I7fb35212fc6bb817a2b04077c983865e1191f214
Closes-Bug: #1712725
diff --git a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
index 33b1564..7340689 100644
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_rxtx_rbac.py
@@ -13,12 +13,17 @@
# License for the specific language governing permissions and limitations
# under the License.
+from oslo_config import cfg
+
from tempest.lib import decorators
from tempest import test
+from patrole_tempest_plugin import rbac_exceptions
from patrole_tempest_plugin import rbac_rule_validation
from patrole_tempest_plugin.tests.api.compute import rbac_base
+CONF = cfg.CONF
+
class FlavorRxtxRbacTest(rbac_base.BaseV2ComputeRbacTest):
@@ -29,11 +34,27 @@
msg = "os-flavor-rxtx extension not enabled."
raise cls.skipException(msg)
- @decorators.idempotent_id('0278677c-6e69-4293-a387-b485781e61a1')
+ @decorators.idempotent_id('5e1fd9f0-9a08-485a-ad9c-0fc66e4d64b7')
@rbac_rule_validation.action(
service="nova",
rule="os_compute_api:os-flavor-rxtx")
- def test_create_flavor_rxtx(self):
+ def test_list_flavors_details_rxtx(self):
self.rbac_utils.switch_role(self, toggle_rbac_role=True)
- # Enforces os_compute_api:os-flavor-rxtx.
- self.flavors_client.list_flavors(detail=True)['flavors']
+ # Enforces os_compute_api:os-flavor-rxtx
+ result = self.flavors_client.list_flavors(detail=True)['flavors']
+ if 'rxtx_factor' not in result[0]:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='rxtx_factor')
+
+ @decorators.idempotent_id('70c55a07-c843-4627-a29d-ba78673c1e63')
+ @rbac_rule_validation.action(
+ service="nova",
+ rule="os_compute_api:os-flavor-rxtx")
+ def test_get_flavor_rxtx(self):
+ self.rbac_utils.switch_role(self, toggle_rbac_role=True)
+ # Enforces os_compute_api:os-flavor-rxtx
+ result =\
+ self.flavors_client.show_flavor(CONF.compute.flavor_ref)['flavor']
+ if 'rxtx_factor' not in result:
+ raise rbac_exceptions.RbacMalformedResponse(
+ attribute='rxtx_factor')
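Review bot: In test_list_flavors_details_rxtx the check `'rxtx_factor' not in result[0]` inspects only the first flavor and raises a bare IndexError if the list is empty, so a response that drops the attribute on later entries would still pass. Checking every entry closes that gap: `if any('rxtx_factor' not in flavor for flavor in result):`, with a separate explicit guard for an empty list so the failure is not reported as an unrelated exception. The use of RbacMalformedResponse suggests this policy is enforced by omitting the field rather than rejecting the request. If that is confirmed, both tests would benefit from a comment saying so, e.g. `# Policy failure omits rxtx_factor from the body instead of returning 403`.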
diff --git a/releasenotes/notes/flavor-rxtx-d7aadbb32a9f232c.yaml b/releasenotes/notes/flavor-rxtx-d7aadbb32a9f232c.yaml
new file mode 100644
index 0000000..083d9b0
--- /dev/null
+++ b/releasenotes/notes/flavor-rxtx-d7aadbb32a9f232c.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ test_flavor_rxtx_rbac now offers complete
+ coverage for the os-flavor-rxtx policy.